[JSC] Add SameValue DFG node
authorutatane.tea@gmail.com <utatane.tea@gmail.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Wed, 2 May 2018 05:51:33 +0000 (05:51 +0000)
committerutatane.tea@gmail.com <utatane.tea@gmail.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Wed, 2 May 2018 05:51:33 +0000 (05:51 +0000)
commitcb2135481ab995da06aee7e254ff39c22fd440fc
tree42b77fd49e9a4eeed0b56a17a0c4abcb438abf6b
parent2f9053265ff44547ba35184871fa9044e3993b7e
[JSC] Add SameValue DFG node
https://bugs.webkit.org/show_bug.cgi?id=185065

Reviewed by Saam Barati.

JSTests:

* microbenchmarks/object-is.js: Added.
(incognito):
(sameValue):
(test1):
(test2):
(test3):
(test4):
(test5):
(test6):
* stress/object-is.js: Added.
(shouldBe):
(is1):
(is2):
(is3):
(is4):
(is5):
(is6):
(is7):
(is8):
(is9):
(is10):
(is11):
(is12):
(is13):
(is14):
(is15):

Source/JavaScriptCore:

This patch adds Object.is handling in DFG and FTL. Object.is is converted to SameValue DFG node.
And DFG fixup phase attempts to convert SameValue node to CompareStrictEq with type filter edges
if possible. Since SameValue(Untyped, Untyped) and SameValue(Double, Double) have different semantics
from CompareStrictEq, we do not convert SameValue to CompareStrictEq for them. DFG and FTL have
implementations for these SameValue nodes.

This old MacroAssemblerX86Common::compareDouble was dead code since the derived class, "MacroAssembler"
has a generalized compareDouble, which just uses branchDouble. Since this was not used, this function
was broken. This patch fixes issues and move compareDouble to MacroAssemblerX86Common, and remove a
generalized compareDouble for x86 arch to use this specialized efficient version instead. The fixes are
correctly using set32 to zero-extending the result, and setting the initial value of `dest` register
correctly for DoubleEqual and DoubleNotEqualOrUnordered cases.

Added microbenchmark shows performance improvement.

    object-is           651.0053+-38.8204    ^    241.3467+-15.8753       ^ definitely 2.6974x faster

* assembler/MacroAssembler.h:
* assembler/MacroAssemblerX86Common.h:
(JSC::MacroAssemblerX86Common::compareDouble):
* assembler/MacroAssemblerX86_64.h:
(JSC::MacroAssemblerX86_64::compareDouble): Deleted.
* assembler/testmasm.cpp:
(JSC::doubleOperands):
(JSC::testCompareDouble):
(JSC::run):
* dfg/DFGAbstractInterpreterInlines.h:
(JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
* dfg/DFGByteCodeParser.cpp:
(JSC::DFG::ByteCodeParser::handleIntrinsicCall):
* dfg/DFGClobberize.h:
(JSC::DFG::clobberize):
* dfg/DFGConstantFoldingPhase.cpp:
(JSC::DFG::ConstantFoldingPhase::foldConstants):
* dfg/DFGDoesGC.cpp:
(JSC::DFG::doesGC):
* dfg/DFGFixupPhase.cpp:
(JSC::DFG::FixupPhase::fixupNode):
(JSC::DFG::FixupPhase::fixupCompareStrictEqAndSameValue):
* dfg/DFGNodeType.h:
* dfg/DFGOperations.cpp:
* dfg/DFGOperations.h:
* dfg/DFGPredictionPropagationPhase.cpp:
* dfg/DFGSafeToExecute.h:
(JSC::DFG::safeToExecute):
* dfg/DFGSpeculativeJIT.cpp:
(JSC::DFG::SpeculativeJIT::compileSameValue):
* dfg/DFGSpeculativeJIT.h:
* dfg/DFGSpeculativeJIT32_64.cpp:
(JSC::DFG::SpeculativeJIT::compile):
* dfg/DFGSpeculativeJIT64.cpp:
(JSC::DFG::SpeculativeJIT::compile):
* dfg/DFGValidate.cpp:
* ftl/FTLCapabilities.cpp:
(JSC::FTL::canCompile):
* ftl/FTLLowerDFGToB3.cpp:
(JSC::FTL::DFG::LowerDFGToB3::compileNode):
(JSC::FTL::DFG::LowerDFGToB3::compileSameValue):
* runtime/Intrinsic.cpp:
(JSC::intrinsicName):
* runtime/Intrinsic.h:
* runtime/ObjectConstructor.cpp:

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@231224 268f45cc-cd09-0410-ab3c-d52691b4dbfc
29 files changed:
JSTests/ChangeLog
JSTests/microbenchmarks/object-is.js [new file with mode: 0644]
JSTests/stress/object-is.js [new file with mode: 0644]
Source/JavaScriptCore/ChangeLog
Source/JavaScriptCore/assembler/MacroAssembler.h
Source/JavaScriptCore/assembler/MacroAssemblerX86Common.h
Source/JavaScriptCore/assembler/MacroAssemblerX86_64.h
Source/JavaScriptCore/assembler/testmasm.cpp
Source/JavaScriptCore/dfg/DFGAbstractInterpreterInlines.h
Source/JavaScriptCore/dfg/DFGByteCodeParser.cpp
Source/JavaScriptCore/dfg/DFGClobberize.h
Source/JavaScriptCore/dfg/DFGConstantFoldingPhase.cpp
Source/JavaScriptCore/dfg/DFGDoesGC.cpp
Source/JavaScriptCore/dfg/DFGFixupPhase.cpp
Source/JavaScriptCore/dfg/DFGNodeType.h
Source/JavaScriptCore/dfg/DFGOperations.cpp
Source/JavaScriptCore/dfg/DFGOperations.h
Source/JavaScriptCore/dfg/DFGPredictionPropagationPhase.cpp
Source/JavaScriptCore/dfg/DFGSafeToExecute.h
Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp
Source/JavaScriptCore/dfg/DFGSpeculativeJIT.h
Source/JavaScriptCore/dfg/DFGSpeculativeJIT32_64.cpp
Source/JavaScriptCore/dfg/DFGSpeculativeJIT64.cpp
Source/JavaScriptCore/dfg/DFGValidate.cpp
Source/JavaScriptCore/ftl/FTLCapabilities.cpp
Source/JavaScriptCore/ftl/FTLLowerDFGToB3.cpp
Source/JavaScriptCore/runtime/Intrinsic.cpp
Source/JavaScriptCore/runtime/Intrinsic.h
Source/JavaScriptCore/runtime/ObjectConstructor.cpp