[DOMJIT] Use DOMJIT::Patchpoint in IC
author utatane.tea@gmail.com <utatane.tea@gmail.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Mon, 17 Oct 2016 20:43:43 +0000 (20:43 +0000)
committer utatane.tea@gmail.com <utatane.tea@gmail.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Mon, 17 Oct 2016 20:43:43 +0000 (20:43 +0000)
commit 47192648ceb8d5aeb9ced9299a143c22454443f8
tree 2ae35ad8233d722471f4b8c13d6d29b9832f53cf
parent 16ff9e2b9c56afb1b66cea62d3fd3bead22274ee
[DOMJIT] Use DOMJIT::Patchpoint in IC
https://bugs.webkit.org/show_bug.cgi?id=163223

Reviewed by Saam Barati.

JSTests:

* stress/domjit-exception-ic.js: Added.
(shouldBe):
(access):
* stress/domjit-exception.js: Added.
(shouldBe):
(access):
* stress/domjit-getter-complex-with-incorrect-object.js: Added.
(shouldThrow):
(access):
(i.shouldThrow):
* stress/domjit-getter-complex.js: Added.
(shouldBe):
(access):
* stress/domjit-getter-try-catch-getter-as-get-by-id-register-restoration.js: Added.
(assert):
(bar):
(foo):

Source/JavaScriptCore:

This patch uses DOMJIT::Patchpoint to inline DOM accesses even in IC!
It is useful for Baseline JIT cases and GetById cases in DFG and FTL.
In AccessCase, we construct the environment that allows DOMJIT::Patchpoint
to emit code and make DOMJIT accessors inlined in IC.

To allow DOMJIT::Patchpoint to emit code, we create a mechanism to emit calls
required in DOMJIT::Patchpoint. This system is useful when we create the super-
polymorphic support[1] later. And the inlining mechanism is useful even after
introducing super-polymorphic support since it can work even after we fire the
watchpoint for super-polymorphic handling.

This patch improves Dromaeo dom-traverse by 8% (263.95 runs/s vs. 244.07 runs/s).

[1]: https://bugs.webkit.org/show_bug.cgi?id=163226

* CMakeLists.txt:
* JavaScriptCore.xcodeproj/project.pbxproj:
* bytecode/DOMJITAccessCasePatchpointParams.cpp: Added.
(JSC::SlowPathCallGeneratorWithArguments::SlowPathCallGeneratorWithArguments):
(JSC::SlowPathCallGeneratorWithArguments::generateImpl):
(JSC::DOMJITAccessCasePatchpointParams::emitSlowPathCalls):
* bytecode/DOMJITAccessCasePatchpointParams.h: Copied from Source/JavaScriptCore/ftl/FTLDOMJITPatchpointParams.h.
(JSC::DOMJITAccessCasePatchpointParams::DOMJITAccessCasePatchpointParams):
(JSC::DOMJITAccessCasePatchpointParams::SlowPathCallGenerator::~SlowPathCallGenerator):
* bytecode/PolymorphicAccess.cpp:
(JSC::AccessGenerationState::liveRegistersForCall):
(JSC::AccessGenerationState::liveRegistersToPreserveAtExceptionHandlingCallSite):
(JSC::calleeSaveRegisters):
(JSC::AccessGenerationState::calculateLiveRegistersForCallAndExceptionHandling):
(JSC::AccessGenerationState::restoreLiveRegistersFromStackForCallWithThrownException):
(JSC::AccessGenerationState::restoreLiveRegistersFromStackForCall):
(JSC::AccessGenerationState::callSiteIndexForExceptionHandlingOrOriginal):
(JSC::AccessGenerationState::originalExceptionHandler):
(JSC::AccessCase::generateImpl):
(JSC::AccessCase::emitDOMJITGetter):
(JSC::PolymorphicAccess::regenerate):
(JSC::AccessGenerationState::preserveLiveRegistersToStackForCall): Deleted.
* bytecode/PolymorphicAccess.h:
(JSC::AccessGenerationState::SpillState::isEmpty):
(JSC::AccessGenerationState::setSpillStateForJSGetterSetter):
(JSC::AccessGenerationState::spillStateForJSGetterSetter):
(JSC::AccessGenerationState::liveRegistersForCall): Deleted.
(JSC::AccessGenerationState::numberOfStackBytesUsedForRegisterPreservation): Deleted.
(JSC::AccessGenerationState::liveRegistersToPreserveAtExceptionHandlingCallSite): Deleted.
* dfg/DFGDOMJITPatchpointParams.cpp:
* dfg/DFGDOMJITPatchpointParams.h:
* domjit/DOMJITPatchpoint.h:
* domjit/DOMJITPatchpointParams.h:
(JSC::DOMJIT::PatchpointParams::addSlowPathCall):
* ftl/FTLDOMJITPatchpointParams.cpp:
* ftl/FTLDOMJITPatchpointParams.h:
* jsc.cpp:
(WTF::DOMJITNode::checkDOMJITNode):
(WTF::DOMJITGetterComplex::DOMJITGetterComplex):
(WTF::DOMJITGetterComplex::createStructure):
(WTF::DOMJITGetterComplex::create):
(WTF::DOMJITGetterComplex::DOMJITNodeDOMJIT::DOMJITNodeDOMJIT):
(WTF::DOMJITGetterComplex::domJITNodeGetterSetter):
(WTF::DOMJITGetterComplex::finishCreation):
(WTF::DOMJITGetterComplex::functionEnableException):
(WTF::DOMJITGetterComplex::customGetter):
(GlobalObject::finishCreation):
(functionCreateDOMJITGetterComplexObject):

Source/WebCore:

Make DOMJITPatchpointParams non-const.

* domjit/DOMJITHelpers.h:
(WebCore::DOMJITHelpers::toWrapper):
* domjit/JSNodeDOMJIT.cpp:
(WebCore::createCallDOMForOffsetAccess):
(WebCore::checkNode):
(WebCore::NodeNodeTypeDOMJIT::callDOM):

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@207427 268f45cc-cd09-0410-ab3c-d52691b4dbfc
23 files changed:
JSTests/ChangeLog
JSTests/stress/domjit-exception-ic.js [new file with mode: 0644]
JSTests/stress/domjit-exception.js [new file with mode: 0644]
JSTests/stress/domjit-getter-complex-with-incorrect-object.js [new file with mode: 0644]
JSTests/stress/domjit-getter-complex.js [new file with mode: 0644]
JSTests/stress/domjit-getter-try-catch-getter-as-get-by-id-register-restoration.js [new file with mode: 0644]
Source/JavaScriptCore/CMakeLists.txt
Source/JavaScriptCore/ChangeLog
Source/JavaScriptCore/JavaScriptCore.xcodeproj/project.pbxproj
Source/JavaScriptCore/bytecode/DOMJITAccessCasePatchpointParams.cpp [new file with mode: 0644]
Source/JavaScriptCore/bytecode/DOMJITAccessCasePatchpointParams.h [new file with mode: 0644]
Source/JavaScriptCore/bytecode/PolymorphicAccess.cpp
Source/JavaScriptCore/bytecode/PolymorphicAccess.h
Source/JavaScriptCore/dfg/DFGDOMJITPatchpointParams.cpp
Source/JavaScriptCore/dfg/DFGDOMJITPatchpointParams.h
Source/JavaScriptCore/domjit/DOMJITPatchpoint.h
Source/JavaScriptCore/domjit/DOMJITPatchpointParams.h
Source/JavaScriptCore/ftl/FTLDOMJITPatchpointParams.cpp
Source/JavaScriptCore/ftl/FTLDOMJITPatchpointParams.h
Source/JavaScriptCore/jsc.cpp
Source/WebCore/ChangeLog
Source/WebCore/domjit/DOMJITHelpers.h
Source/WebCore/domjit/JSNodeDOMJIT.cpp