[DFG][FTL] Support Array::DirectArguments with OutOfBounds
author utatane.tea@gmail.com <utatane.tea@gmail.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Tue, 14 Nov 2017 17:35:33 +0000 (17:35 +0000)
committer utatane.tea@gmail.com <utatane.tea@gmail.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Tue, 14 Nov 2017 17:35:33 +0000 (17:35 +0000)
commit 39a57e56ffb4da2f756621c67371fc4aac391e3e
tree 74fb3049f6a605c5490efc486ef3a2c6cfacfade
parent 47ae65df09289a43df31b4ca64b73f08e06390f0
[DFG][FTL] Support Array::DirectArguments with OutOfBounds
https://bugs.webkit.org/show_bug.cgi?id=179594

Reviewed by Saam Barati.

JSTests:

* stress/direct-arguments-in-bounds-to-out-of-bounds.js: Added.
(shouldBe):
(args):
* stress/direct-arguments-out-of-bounds-watchpoint.js: Added.
(shouldBe):
(args):

Source/JavaScriptCore:

Currently we handle OOB access to DirectArguments as GetByVal(Array::Generic).
If we can handle it as GetByVal(Array::DirectArguments+OutOfBounds), we can (1) optimize
`arguments[i]` accesses if i is in bounds, and (2) encourage the arguments elimination phase
to convert CreateDirectArguments and GetByVal(Array::DirectArguments+OutOfBounds) to
PhantomDirectArguments and GetMyArgumentOutOfBounds respectively.

This patch introduces Array::DirectArguments+OutOfBounds array mode. GetByVal can
accept this type, and emit optimized code compared to Array::Generic case.

We treat OOB check failures in GetByVal(Array::DirectArguments+InBounds) as an OutOfBounds
exit instead of ExoticObjectMode.

This change significantly improves SixSpeed rest.es5 since it uses OOB access.
Our arguments elimination phase can change CreateDirectArguments to PhantomDirectArguments.

    rest.es5                       59.6719+-2.2440     ^      3.1634+-0.5507        ^ definitely 18.8635x faster

* dfg/DFGArgumentsEliminationPhase.cpp:
* dfg/DFGArrayMode.cpp:
(JSC::DFG::ArrayMode::refine const):
* dfg/DFGClobberize.h:
(JSC::DFG::clobberize):
* dfg/DFGSpeculativeJIT.cpp:
(JSC::DFG::SpeculativeJIT::compileGetByValOnDirectArguments):
* ftl/FTLLowerDFGToB3.cpp:
(JSC::FTL::DFG::LowerDFGToB3::compileGetByVal):
(JSC::FTL::DFG::LowerDFGToB3::compileGetMyArgumentByVal):

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@224818 268f45cc-cd09-0410-ab3c-d52691b4dbfc
JSTests/ChangeLog
JSTests/stress/direct-arguments-in-bounds-to-out-of-bounds.js [new file with mode: 0644]
JSTests/stress/direct-arguments-out-of-bounds-watchpoint.js [new file with mode: 0644]
Source/JavaScriptCore/ChangeLog
Source/JavaScriptCore/dfg/DFGArgumentsEliminationPhase.cpp
Source/JavaScriptCore/dfg/DFGArrayMode.cpp
Source/JavaScriptCore/dfg/DFGClobberize.h
Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp
Source/JavaScriptCore/ftl/FTLLowerDFGToB3.cpp
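
The read semantics this optimization has to preserve, as an added example (not the commit's test files, whose contents are not shown on this page): an out-of-bounds `arguments[i]` must yield `undefined` unless an indexed property on `Object.prototype` supplies a value, both before and after the function has been compiled by a higher tier. `pick`, `hammer` and `runChecks` are hypothetical names, and the warm-up count is an assumed figure.

```javascript
// Added example; pick, hammer and runChecks are hypothetical names.
const WARMUP = 10000; // assumed to be enough calls for a JIT tier to compile pick()

// Function reading a slot of `arguments` by index.
// arguments[0] is `index` itself, so the passed values start at slot 1.
function pick(index) {
    return arguments[index];
}

// Call pick() repeatedly and fail on the first unexpected result.
function hammer(index, expected) {
    for (let i = 0; i < WARMUP; i++) {
        const got = pick(index, 'a', 'b');
        if (got !== expected)
            throw new Error(`arguments[${index}] was ${String(got)} on call ${i}`);
    }
    return pick(index, 'a', 'b');
}

function runChecks() {
    const r = {};
    // 1. In-bounds only: the access site is profiled as in-bounds.
    r.inBounds = hammer(2, 'b');
    // 2. The same site goes past arguments.length (3): must read undefined.
    r.outOfBounds = hammer(7, undefined);
    r.negative = hammer(-1, undefined);
    // 3. An indexed property on Object.prototype becomes visible to OOB reads,
    //    but must not leak into in-bounds slots.
    Object.prototype[7] = 'proto';
    try {
        r.protoHit = hammer(7, 'proto');
        r.inBoundsWithProto = hammer(1, 'a');
    } finally {
        delete Object.prototype[7]; // always restore the global prototype
    }
    // 4. After cleanup the OOB read must return undefined again.
    r.afterCleanup = hammer(7, undefined);
    return r;
}

console.log(runChecks());
```
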