[JSC] Implement isFinite / isNaN in JS and make DFG ToNumber accept non number values
authorutatane.tea@gmail.com <utatane.tea@gmail.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Fri, 24 Jun 2016 03:41:52 +0000 (03:41 +0000)
committerutatane.tea@gmail.com <utatane.tea@gmail.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Fri, 24 Jun 2016 03:41:52 +0000 (03:41 +0000)
commit2dac7a2a3086250b440d907229c7164b26eadf70
tree278493a9f0af16c12b046dda4712cd3a030764b5
parent6be8b0aa72464a0cee2186d4497221f6f0896b84
[JSC] Implement isFinite / isNaN in JS and make DFG ToNumber accept non number values
https://bugs.webkit.org/show_bug.cgi?id=154022

Reviewed by Filip Pizlo.

Source/JavaScriptCore:

We aim at optimizing @toInteger operation.
While it still has an unoptimized part[1], this patch should be a first step.

We introduce the @toNumber builtin intrinsic operation.
This converts the given value to the JS number by emitting op_to_number bytecode.
Previously @toInteger called C++ @Number constructor for that purpose.

And in DFG, op_to_number is converted to DFG ToNumber node.
During DFG, we attempt to convert this to edge filtering and Identity, but if we fail,
we just fall back to calling the C++ function.

To utilize ToNumber in user-land side, we add a path attempting to convert Number constructor calls
to ToNumber DFG nodes. This conversion is useful because `Number(value)` is used to convert a value to a number in JS.

Before this patch, we emit simple edge filtering (NumberUse) instead of emitting DFG node like ToNumber for op_to_number.
But emitting ToNumber is useful, because in the case of `Number(value)`, considering `value` may not be a number is reasonable.

By leveraging @toNumber operation, we rewrite Number.{isFinite, isNaN}, global.{isFinite, isNaN} and @toInteger.

ToNumber DFG node has a value profiling. This profiling is leveraged to determine the result number type of the ToNumber operation.
This value profiling is provided from either NumberConstructor's call operation or op_to_number.

The results (with the added performance tests) show that, while existing cases are performance neutral, the newly added cases gain the performance benefit.
And ASMBench/n-body.c also shows stable ~2% progression.

[1]: https://bugs.webkit.org/show_bug.cgi?id=153738

* CMakeLists.txt:
* DerivedSources.make:
* JavaScriptCore.xcodeproj/project.pbxproj:
* builtins/BuiltinNames.h:
* builtins/GlobalObject.js:
(globalPrivate.isFinite):
(globalPrivate.isNaN):
(globalPrivate.toInteger): Deleted.
(globalPrivate.toLength): Deleted.
(globalPrivate.isDictionary): Deleted.
(globalPrivate.speciesGetter): Deleted.
(globalPrivate.speciesConstructor): Deleted.
* builtins/GlobalOperations.js: Copied from Source/JavaScriptCore/builtins/GlobalObject.js.
(globalPrivate.toInteger):
(globalPrivate.toLength):
(globalPrivate.isDictionary):
(globalPrivate.speciesGetter):
(globalPrivate.speciesConstructor):
* builtins/NumberConstructor.js: Added.
(isFinite):
(isNaN):
* bytecode/BytecodeIntrinsicRegistry.cpp:
(JSC::BytecodeIntrinsicRegistry::BytecodeIntrinsicRegistry):
* bytecode/BytecodeIntrinsicRegistry.h:
* bytecode/BytecodeList.json:
* bytecode/CodeBlock.cpp:
(JSC::CodeBlock::dumpBytecode):
(JSC::CodeBlock::finishCreation):
* bytecompiler/BytecodeGenerator.cpp:
(JSC::BytecodeGenerator::emitUnaryOp):
(JSC::BytecodeGenerator::emitUnaryOpProfiled):
* bytecompiler/BytecodeGenerator.h:
(JSC::BytecodeGenerator::emitToNumber):
* bytecompiler/NodesCodegen.cpp:
(JSC::BytecodeIntrinsicNode::emit_intrinsic_toNumber):
(JSC::UnaryPlusNode::emitBytecode):
* dfg/DFGAbstractInterpreterInlines.h:
(JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
* dfg/DFGByteCodeParser.cpp:
(JSC::DFG::ByteCodeParser::attemptToInlineCall):
(JSC::DFG::ByteCodeParser::handleConstantInternalFunction):
(JSC::DFG::ByteCodeParser::parseBlock):
We use `getPrediction()` to retrieve the heap prediction from the to_number bytecode.
According to the benchmark results, choosing `getPredictionWithoutOSRExit()` causes performance regression (1.5%) in kraken stanford-crypto-aes.

* dfg/DFGClobberize.h:
(JSC::DFG::clobberize):
* dfg/DFGConstantFoldingPhase.cpp:
(JSC::DFG::ConstantFoldingPhase::foldConstants):
* dfg/DFGDoesGC.cpp:
(JSC::DFG::doesGC):
* dfg/DFGFixupPhase.cpp:
(JSC::DFG::FixupPhase::fixupNode):
(JSC::DFG::FixupPhase::fixupToNumber):
* dfg/DFGNode.h:
(JSC::DFG::Node::hasHeapPrediction):
* dfg/DFGNodeType.h:
* dfg/DFGOperations.cpp:
* dfg/DFGOperations.h:
* dfg/DFGPredictionPropagationPhase.cpp:
Alway rely on the heap prediction.

* dfg/DFGSafeToExecute.h:
(JSC::DFG::safeToExecute):
* dfg/DFGSpeculativeJIT32_64.cpp:
(JSC::DFG::SpeculativeJIT::compile):
As of 64bit version, we carefully manage the register reuse. The largest difference between 32bit and 64bit is
`branchIfNotNumber()` requires the temporary register. We should not use the result registers for that since
it may be reuse the argument registers and it can break the argument registers before using them to call the operation.
Currently, we allocate the additional temporary register for that scratch register.

* dfg/DFGSpeculativeJIT64.cpp:
(JSC::DFG::SpeculativeJIT::compile):
Reuse the argument register for the result if possible. And manually decrement the use count in the middle of the node.
This is similar technique used in ToPrimitive. Typically, the child of ToNumber is only used by this ToNumber node since
we would like to perform the type conversion onto this child node here. So this careful register reuse effectively removes
the spills to call the operation. The example of the actually emitted code is the following.

76:<!2:loc11>     ToNumber(Untyped:@68, JS|MustGen|UseAsOther, DoubleimpurenanTopEmpty, R:World, W:Heap, Exits, ClobbersExit, bc#48)  predicting DoubleimpurenanTopEmpty
    0x7f986d5fe693: test %rax, %r14
    0x7f986d5fe696: jz 0x7f986d5fe6a1
    0x7f986d5fe69c: jmp 0x7f986d5fe6d1
    0x7f986d5fe6a1: mov %rax, %rsi
    0x7f986d5fe6a4: mov %rbp, %rdi
    0x7f986d5fe6a7: mov $0x2, 0x24(%rbp)
    0x7f986d5fe6ae: mov $0x7f98711ea5f0, %r11
    0x7f986d5fe6b8: call *%r11
    0x7f986d5fe6bb: mov $0x7f982d3f72d0, %r11
    0x7f986d5fe6c5: mov (%r11), %r11
    0x7f986d5fe6c8: test %r11, %r11
    0x7f986d5fe6cb: jnz 0x7f986d5fe88c

It effectively removes the unnecessary spill to call the operation!

* ftl/FTLCapabilities.cpp:
(JSC::FTL::canCompile):
* ftl/FTLLowerDFGToB3.cpp:
(JSC::FTL::DFG::LowerDFGToB3::compileNode):
(JSC::FTL::DFG::LowerDFGToB3::compileToNumber):
(JSC::FTL::DFG::LowerDFGToB3::compileCompareStrictEq):
* jit/AssemblyHelpers.h:
(JSC::AssemblyHelpers::branchIfNumber):
(JSC::AssemblyHelpers::branchIfNotNumber):
* jit/JITOpcodes.cpp:
(JSC::JIT::emit_op_to_number):
* jit/JITOpcodes32_64.cpp:
(JSC::JIT::emit_op_to_number):
* llint/LowLevelInterpreter32_64.asm:
* llint/LowLevelInterpreter64.asm:
* parser/Nodes.h:
(JSC::UnaryOpNode::opcodeID):
* runtime/CommonSlowPaths.cpp:
(JSC::SLOW_PATH_DECL):
* runtime/JSGlobalObject.cpp:
(JSC::JSGlobalObject::init):
* runtime/JSGlobalObjectFunctions.cpp:
(JSC::globalFuncIsNaN): Deleted.
(JSC::globalFuncIsFinite): Deleted.
* runtime/JSGlobalObjectFunctions.h:
* runtime/MathCommon.h:
(JSC::maxSafeInteger):
(JSC::minSafeInteger):
* runtime/NumberConstructor.cpp:
(JSC::NumberConstructor::finishCreation):
(JSC::numberConstructorFuncIsFinite): Deleted.
(JSC::numberConstructorFuncIsNaN): Deleted.
* runtime/NumberConstructor.h:
* tests/stress/Number-isNaN-basics.js: Added.
(numberIsNaNOnInteger):
(testNumberIsNaNOnIntegers):
(verifyNumberIsNaNOnIntegerWithOtherTypes):
(numberIsNaNOnDouble):
(testNumberIsNaNOnDoubles):
(verifyNumberIsNaNOnDoublesWithOtherTypes):
(numberIsNaNNoArguments):
(numberIsNaNTooManyArguments):
(testNumberIsNaNOnConstants):
(numberIsNaNStructTransition):
(Number.isNaN):
* tests/stress/global-is-finite.js: Added.
(shouldBe):
* tests/stress/global-is-nan.js: Added.
(shouldBe):
* tests/stress/global-isNaN-basics.js: Added.
(isNaNOnInteger):
(testIsNaNOnIntegers):
(verifyIsNaNOnIntegerWithOtherTypes):
(isNaNOnDouble):
(testIsNaNOnDoubles):
(verifyIsNaNOnDoublesWithOtherTypes):
(verifyIsNaNOnCoercedTypes):
(isNaNNoArguments):
(isNaNTooManyArguments):
(testIsNaNOnConstants):
(isNaNTypeCoercionSideEffects):
(i.value.isNaNTypeCoercionSideEffects.valueOf):
(isNaNStructTransition):
(isNaN):
* tests/stress/number-is-finite.js: Added.
(shouldBe):
(test2):
(test3):
* tests/stress/number-is-nan.js: Added.
(shouldBe):
(test2):
(test3):
* tests/stress/to-number-basics.js: Added.
(shouldBe):
* tests/stress/to-number-convert-identity-without-execution.js: Added.
(shouldBe):
(object.valueOf):
(valueOf):
* tests/stress/to-number-int52.js: Added.
(shouldBe):
(object.valueOf):
* tests/stress/to-number-intrinsic-convert-to-identity-without-execution.js: Added.
(shouldBe):
(object.valueOf):
(valueOf):
* tests/stress/to-number-intrinsic-int52.js: Added.
(shouldBe):
(object.valueOf):
* tests/stress/to-number-intrinsic-object-without-execution.js: Added.
(shouldBe):
(object.valueOf):
* tests/stress/to-number-intrinsic-value-profiling.js: Added.
(shouldBe):
(object.valueOf):
* tests/stress/to-number-object-without-execution.js: Added.
(shouldBe):
(object.valueOf):
* tests/stress/to-number-object.js: Added.
(shouldBe):
(test12):
(object1.valueOf):
(test2):
(test22):
(object2.valueOf):
(test3):
(test32):
(object3.valueOf):
* tests/stress/to-number-value-profiling.js: Added.
(shouldBe):
(object.valueOf):

LayoutTests:

* js/regress/Number-isNaN-expected.txt: Added.
* js/regress/Number-isNaN.html: Added.
* js/regress/global-isNaN-expected.txt: Added.
* js/regress/global-isNaN.html: Added.
* js/regress/script-tests/Number-isNaN.js: Added.
* js/regress/script-tests/global-isNaN.js: Added.
* js/regress/script-tests/many-foreach-calls.js:
(i.4.forEach):
(i.array.forEach): Deleted.
* js/regress/script-tests/to-number-constructor-number-string-number-string.js: Added.
(test):
* js/regress/script-tests/to-number-constructor-only-number.js: Added.
(test):
* js/regress/script-tests/to-number-constructor-only-string.js: Added.
(test):
* js/regress/script-tests/to-number-constructor-string-number-string-number.js: Added.
(test):
* js/regress/script-tests/to-number-number-string-number-string.js: Added.
(test):
* js/regress/script-tests/to-number-only-number.js: Added.
(test):
* js/regress/script-tests/to-number-only-string.js: Added.
(test):
* js/regress/script-tests/to-number-string-number-string-number.js: Added.
(test):
* js/regress/to-number-constructor-number-string-number-string-expected.txt: Added.
* js/regress/to-number-constructor-number-string-number-string.html: Added.
* js/regress/to-number-constructor-only-number-expected.txt: Added.
* js/regress/to-number-constructor-only-number.html: Added.
* js/regress/to-number-constructor-only-string-expected.txt: Added.
* js/regress/to-number-constructor-only-string.html: Added.
* js/regress/to-number-constructor-string-number-string-number-expected.txt: Added.
* js/regress/to-number-constructor-string-number-string-number.html: Added.
* js/regress/to-number-number-string-number-string-expected.txt: Added.
* js/regress/to-number-number-string-number-string.html: Added.
* js/regress/to-number-only-number-expected.txt: Added.
* js/regress/to-number-only-number.html: Added.
* js/regress/to-number-only-string-expected.txt: Added.
* js/regress/to-number-only-string.html: Added.
* js/regress/to-number-string-number-string-number-expected.txt: Added.
* js/regress/to-number-string-number-string-number.html: Added.

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@202413 268f45cc-cd09-0410-ab3c-d52691b4dbfc
92 files changed:
LayoutTests/ChangeLog
LayoutTests/js/regress/Number-isNaN-expected.txt [new file with mode: 0644]
LayoutTests/js/regress/Number-isNaN.html [new file with mode: 0644]
LayoutTests/js/regress/global-isNaN-expected.txt [new file with mode: 0644]
LayoutTests/js/regress/global-isNaN.html [new file with mode: 0644]
LayoutTests/js/regress/script-tests/Number-isNaN.js [new file with mode: 0644]
LayoutTests/js/regress/script-tests/global-isNaN.js [new file with mode: 0644]
LayoutTests/js/regress/script-tests/many-foreach-calls.js
LayoutTests/js/regress/script-tests/to-number-constructor-number-string-number-string.js [new file with mode: 0644]
LayoutTests/js/regress/script-tests/to-number-constructor-only-number.js [new file with mode: 0644]
LayoutTests/js/regress/script-tests/to-number-constructor-only-string.js [new file with mode: 0644]
LayoutTests/js/regress/script-tests/to-number-constructor-string-number-string-number.js [new file with mode: 0644]
LayoutTests/js/regress/script-tests/to-number-number-string-number-string.js [new file with mode: 0644]
LayoutTests/js/regress/script-tests/to-number-only-number.js [new file with mode: 0644]
LayoutTests/js/regress/script-tests/to-number-only-string.js [new file with mode: 0644]
LayoutTests/js/regress/script-tests/to-number-string-number-string-number.js [new file with mode: 0644]
LayoutTests/js/regress/to-number-constructor-number-string-number-string-expected.txt [new file with mode: 0644]
LayoutTests/js/regress/to-number-constructor-number-string-number-string.html [new file with mode: 0644]
LayoutTests/js/regress/to-number-constructor-only-number-expected.txt [new file with mode: 0644]
LayoutTests/js/regress/to-number-constructor-only-number.html [new file with mode: 0644]
LayoutTests/js/regress/to-number-constructor-only-string-expected.txt [new file with mode: 0644]
LayoutTests/js/regress/to-number-constructor-only-string.html [new file with mode: 0644]
LayoutTests/js/regress/to-number-constructor-string-number-string-number-expected.txt [new file with mode: 0644]
LayoutTests/js/regress/to-number-constructor-string-number-string-number.html [new file with mode: 0644]
LayoutTests/js/regress/to-number-number-string-number-string-expected.txt [new file with mode: 0644]
LayoutTests/js/regress/to-number-number-string-number-string.html [new file with mode: 0644]
LayoutTests/js/regress/to-number-only-number-expected.txt [new file with mode: 0644]
LayoutTests/js/regress/to-number-only-number.html [new file with mode: 0644]
LayoutTests/js/regress/to-number-only-string-expected.txt [new file with mode: 0644]
LayoutTests/js/regress/to-number-only-string.html [new file with mode: 0644]
LayoutTests/js/regress/to-number-string-number-string-number-expected.txt [new file with mode: 0644]
LayoutTests/js/regress/to-number-string-number-string-number.html [new file with mode: 0644]
Source/JavaScriptCore/CMakeLists.txt
Source/JavaScriptCore/ChangeLog
Source/JavaScriptCore/DerivedSources.make
Source/JavaScriptCore/JavaScriptCore.xcodeproj/project.pbxproj
Source/JavaScriptCore/builtins/BuiltinNames.h
Source/JavaScriptCore/builtins/GlobalObject.js
Source/JavaScriptCore/builtins/GlobalOperations.js [new file with mode: 0644]
Source/JavaScriptCore/builtins/NumberConstructor.js [new file with mode: 0644]
Source/JavaScriptCore/bytecode/BytecodeIntrinsicRegistry.cpp
Source/JavaScriptCore/bytecode/BytecodeIntrinsicRegistry.h
Source/JavaScriptCore/bytecode/BytecodeList.json
Source/JavaScriptCore/bytecode/CodeBlock.cpp
Source/JavaScriptCore/bytecompiler/BytecodeGenerator.cpp
Source/JavaScriptCore/bytecompiler/BytecodeGenerator.h
Source/JavaScriptCore/bytecompiler/NodesCodegen.cpp
Source/JavaScriptCore/dfg/DFGAbstractInterpreterInlines.h
Source/JavaScriptCore/dfg/DFGByteCodeParser.cpp
Source/JavaScriptCore/dfg/DFGClobberize.h
Source/JavaScriptCore/dfg/DFGConstantFoldingPhase.cpp
Source/JavaScriptCore/dfg/DFGDoesGC.cpp
Source/JavaScriptCore/dfg/DFGFixupPhase.cpp
Source/JavaScriptCore/dfg/DFGNode.h
Source/JavaScriptCore/dfg/DFGNodeType.h
Source/JavaScriptCore/dfg/DFGOperations.cpp
Source/JavaScriptCore/dfg/DFGOperations.h
Source/JavaScriptCore/dfg/DFGPredictionPropagationPhase.cpp
Source/JavaScriptCore/dfg/DFGSafeToExecute.h
Source/JavaScriptCore/dfg/DFGSpeculativeJIT32_64.cpp
Source/JavaScriptCore/dfg/DFGSpeculativeJIT64.cpp
Source/JavaScriptCore/ftl/FTLCapabilities.cpp
Source/JavaScriptCore/ftl/FTLLowerDFGToB3.cpp
Source/JavaScriptCore/jit/AssemblyHelpers.h
Source/JavaScriptCore/jit/JITOpcodes.cpp
Source/JavaScriptCore/jit/JITOpcodes32_64.cpp
Source/JavaScriptCore/llint/LowLevelInterpreter32_64.asm
Source/JavaScriptCore/llint/LowLevelInterpreter64.asm
Source/JavaScriptCore/parser/Nodes.h
Source/JavaScriptCore/runtime/CommonSlowPaths.cpp
Source/JavaScriptCore/runtime/JSGlobalObject.cpp
Source/JavaScriptCore/runtime/JSGlobalObjectFunctions.cpp
Source/JavaScriptCore/runtime/JSGlobalObjectFunctions.h
Source/JavaScriptCore/runtime/MathCommon.h
Source/JavaScriptCore/runtime/NumberConstructor.cpp
Source/JavaScriptCore/runtime/NumberConstructor.h
Source/JavaScriptCore/tests/stress/Number-isNaN-basics.js [new file with mode: 0644]
Source/JavaScriptCore/tests/stress/global-is-finite.js [new file with mode: 0644]
Source/JavaScriptCore/tests/stress/global-is-nan.js [new file with mode: 0644]
Source/JavaScriptCore/tests/stress/global-isNaN-basics.js [new file with mode: 0644]
Source/JavaScriptCore/tests/stress/number-is-finite.js [new file with mode: 0644]
Source/JavaScriptCore/tests/stress/number-is-nan.js [new file with mode: 0644]
Source/JavaScriptCore/tests/stress/to-number-basics.js [new file with mode: 0644]
Source/JavaScriptCore/tests/stress/to-number-convert-identity-without-execution.js [new file with mode: 0644]
Source/JavaScriptCore/tests/stress/to-number-int52.js [new file with mode: 0644]
Source/JavaScriptCore/tests/stress/to-number-intrinsic-convert-to-identity-without-execution.js [new file with mode: 0644]
Source/JavaScriptCore/tests/stress/to-number-intrinsic-int52.js [new file with mode: 0644]
Source/JavaScriptCore/tests/stress/to-number-intrinsic-object-without-execution.js [new file with mode: 0644]
Source/JavaScriptCore/tests/stress/to-number-intrinsic-value-profiling.js [new file with mode: 0644]
Source/JavaScriptCore/tests/stress/to-number-object-without-execution.js [new file with mode: 0644]
Source/JavaScriptCore/tests/stress/to-number-object.js [new file with mode: 0644]
Source/JavaScriptCore/tests/stress/to-number-value-profiling.js [new file with mode: 0644]