[JSC] Implement isFinite / isNaN in JS and make DFG ToNumber accept non number values
authorutatane.tea@gmail.com <utatane.tea@gmail.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Thu, 30 Jun 2016 15:26:47 +0000 (15:26 +0000)
committerutatane.tea@gmail.com <utatane.tea@gmail.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Thu, 30 Jun 2016 15:26:47 +0000 (15:26 +0000)
commitceb87da78fb784e72d3e115f490cb0de9a223f01
tree40fc8b8fdee2a5542e02154a506fc70f5e82ddbf
parentf038d6ee9a0796c50c51570a542f9ce861b1af6c
[JSC] Implement isFinite / isNaN in JS and make DFG ToNumber accept non number values
https://bugs.webkit.org/show_bug.cgi?id=154022

Reviewed by Filip Pizlo.

Source/JavaScriptCore:

We aim at optimizing @toInteger operation.
While it still has an unoptimized part[1], this patch should be a first step.

We introduce the @toNumber builtin intrinsic operation.
This converts the given value to the JS number by emitting op_to_number bytecode.
Previously @toInteger called C++ @Number constructor for that purpose.

And in DFG, op_to_number is converted to DFG ToNumber node.
During DFG, we attempt to convert this to edge filtering and Identity, but if we fail,
we just fall back to calling the C++ function.

To utilize ToNumber in user-land side, we add a path attempting to convert Number constructor calls
to ToNumber DFG nodes. This conversion is useful because `Number(value)` is used to convert a value to a number in JS.

Before this patch, we emit simple edge filtering (NumberUse) instead of emitting DFG node like ToNumber for op_to_number.
But emitting ToNumber is useful, because in the case of `Number(value)`, considering `value` may not be a number is reasonable.

By leveraging @toNumber operation, we rewrite Number.{isFinite, isNaN}, global.{isFinite, isNaN} and @toInteger.

ToNumber DFG node has a value profiling. This profiling is leveraged to determine the result number type of the ToNumber operation.
This value profiling is provided from either NumberConstructor's call operation or op_to_number.

The results (with the added performance tests) show that, while existing cases are performance neutral, the newly added cases gain the performance benefit.
And ASMBench/n-body.c also shows stable ~2% progression.

[1]: https://bugs.webkit.org/show_bug.cgi?id=153738

* CMakeLists.txt:
* DerivedSources.make:
* JavaScriptCore.xcodeproj/project.pbxproj:
* builtins/BuiltinNames.h:
* builtins/GlobalObject.js:
(globalPrivate.isFinite):
(globalPrivate.isNaN):
(globalPrivate.toInteger): Deleted.
(globalPrivate.toLength): Deleted.
(globalPrivate.isDictionary): Deleted.
(globalPrivate.speciesGetter): Deleted.
(globalPrivate.speciesConstructor): Deleted.
* builtins/GlobalOperations.js: Copied from Source/JavaScriptCore/builtins/GlobalObject.js.
(globalPrivate.toInteger):
(globalPrivate.toLength):
(globalPrivate.isDictionary):
(globalPrivate.speciesGetter):
(globalPrivate.speciesConstructor):
* builtins/NumberConstructor.js: Added.
(isFinite):
(isNaN):
* bytecode/BytecodeIntrinsicRegistry.cpp:
(JSC::BytecodeIntrinsicRegistry::BytecodeIntrinsicRegistry):
* bytecode/BytecodeIntrinsicRegistry.h:
* bytecode/BytecodeList.json:
* bytecode/CodeBlock.cpp:
(JSC::CodeBlock::dumpBytecode):
(JSC::CodeBlock::finishCreation):
* bytecompiler/BytecodeGenerator.cpp:
(JSC::BytecodeGenerator::emitUnaryOp):
(JSC::BytecodeGenerator::emitUnaryOpProfiled):
* bytecompiler/BytecodeGenerator.h:
(JSC::BytecodeGenerator::emitToNumber):
* bytecompiler/NodesCodegen.cpp:
(JSC::BytecodeIntrinsicNode::emit_intrinsic_toNumber):
(JSC::UnaryPlusNode::emitBytecode):
* dfg/DFGAbstractInterpreterInlines.h:
(JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
* dfg/DFGBackwardsPropagationPhase.cpp:
(JSC::DFG::BackwardsPropagationPhase::propagate):
* dfg/DFGByteCodeParser.cpp:
(JSC::DFG::ByteCodeParser::attemptToInlineCall):
(JSC::DFG::ByteCodeParser::handleConstantInternalFunction):
(JSC::DFG::ByteCodeParser::parseBlock):
We use `getPrediction()` to retrieve the heap prediction from the to_number bytecode.
According to the benchmark results, choosing `getPredictionWithoutOSRExit()` causes performance regression (1.5%) in kraken stanford-crypto-aes.

* dfg/DFGClobberize.h:
(JSC::DFG::clobberize):
* dfg/DFGConstantFoldingPhase.cpp:
(JSC::DFG::ConstantFoldingPhase::foldConstants):
* dfg/DFGDoesGC.cpp:
(JSC::DFG::doesGC):
* dfg/DFGFixupPhase.cpp:
(JSC::DFG::FixupPhase::fixupNode):
(JSC::DFG::FixupPhase::fixupToNumber):
* dfg/DFGNode.h:
(JSC::DFG::Node::hasHeapPrediction):
* dfg/DFGNodeType.h:
* dfg/DFGOperations.cpp:
* dfg/DFGOperations.h:
* dfg/DFGPredictionPropagationPhase.cpp:
Always on the heap prediction.

* dfg/DFGSafeToExecute.h:
(JSC::DFG::safeToExecute):
* dfg/DFGSpeculativeJIT32_64.cpp:
(JSC::DFG::SpeculativeJIT::compile):
As of 64bit version, we carefully manage the register reuse. The largest difference between 32bit and 64bit is
`branchIfNotNumber()` requires the temporary register. We should not use the result registers for that since
it may be reuse the argument registers and it can break the argument registers before using them to call the operation.
Currently, we allocate the additional temporary register for that scratch register.

* dfg/DFGSpeculativeJIT64.cpp:
(JSC::DFG::SpeculativeJIT::compile):
Reuse the argument register for the result if possible. And manually decrement the use count in the middle of the node.
This is similar technique used in ToPrimitive. Typically, the child of ToNumber is only used by this ToNumber node since
we would like to perform the type conversion onto this child node here. So this careful register reuse effectively removes
the spills to call the operation. The example of the actually emitted code is the following.

76:<!2:loc11>     ToNumber(Untyped:@68, JS|MustGen|UseAsOther, DoubleimpurenanTopEmpty, R:World, W:Heap, Exits, ClobbersExit, bc#48)  predicting DoubleimpurenanTopEmpty
    0x7f986d5fe693: test %rax, %r14
    0x7f986d5fe696: jz 0x7f986d5fe6a1
    0x7f986d5fe69c: jmp 0x7f986d5fe6d1
    0x7f986d5fe6a1: mov %rax, %rsi
    0x7f986d5fe6a4: mov %rbp, %rdi
    0x7f986d5fe6a7: mov $0x2, 0x24(%rbp)
    0x7f986d5fe6ae: mov $0x7f98711ea5f0, %r11
    0x7f986d5fe6b8: call *%r11
    0x7f986d5fe6bb: mov $0x7f982d3f72d0, %r11
    0x7f986d5fe6c5: mov (%r11), %r11
    0x7f986d5fe6c8: test %r11, %r11
    0x7f986d5fe6cb: jnz 0x7f986d5fe88c

It effectively removes the unnecessary spill to call the operation!

* ftl/FTLCapabilities.cpp:
(JSC::FTL::canCompile):
* ftl/FTLLowerDFGToB3.cpp:
(JSC::FTL::DFG::LowerDFGToB3::compileNode):
(JSC::FTL::DFG::LowerDFGToB3::compileToNumber):
(JSC::FTL::DFG::LowerDFGToB3::compileCompareStrictEq):
* jit/AssemblyHelpers.h:
(JSC::AssemblyHelpers::branchIfNumber):
(JSC::AssemblyHelpers::branchIfNotNumber):
* jit/JITOpcodes.cpp:
(JSC::JIT::emit_op_to_number):
* jit/JITOpcodes32_64.cpp:
(JSC::JIT::emit_op_to_number):
* llint/LowLevelInterpreter32_64.asm:
* llint/LowLevelInterpreter64.asm:
* parser/Nodes.h:
(JSC::UnaryOpNode::opcodeID):
* runtime/CommonSlowPaths.cpp:
(JSC::SLOW_PATH_DECL):
* runtime/JSGlobalObject.cpp:
(JSC::JSGlobalObject::init):
* runtime/JSGlobalObjectFunctions.cpp:
(JSC::globalFuncIsNaN): Deleted.
(JSC::globalFuncIsFinite): Deleted.
* runtime/JSGlobalObjectFunctions.h:
* runtime/MathCommon.h:
(JSC::maxSafeInteger):
(JSC::minSafeInteger):
* runtime/NumberConstructor.cpp:
(JSC::NumberConstructor::finishCreation):
(JSC::numberConstructorFuncIsFinite): Deleted.
(JSC::numberConstructorFuncIsNaN): Deleted.
* runtime/NumberConstructor.h:
* tests/stress/Number-isNaN-basics.js: Added.
(numberIsNaNOnInteger):
(testNumberIsNaNOnIntegers):
(verifyNumberIsNaNOnIntegerWithOtherTypes):
(numberIsNaNOnDouble):
(testNumberIsNaNOnDoubles):
(verifyNumberIsNaNOnDoublesWithOtherTypes):
(numberIsNaNNoArguments):
(numberIsNaNTooManyArguments):
(testNumberIsNaNOnConstants):
(numberIsNaNStructTransition):
(Number.isNaN):
* tests/stress/global-is-finite.js: Added.
(shouldBe):
* tests/stress/global-is-nan.js: Added.
(shouldBe):
* tests/stress/global-isNaN-basics.js: Added.
(isNaNOnInteger):
(testIsNaNOnIntegers):
(verifyIsNaNOnIntegerWithOtherTypes):
(isNaNOnDouble):
(testIsNaNOnDoubles):
(verifyIsNaNOnDoublesWithOtherTypes):
(verifyIsNaNOnCoercedTypes):
(isNaNNoArguments):
(isNaNTooManyArguments):
(testIsNaNOnConstants):
(isNaNTypeCoercionSideEffects):
(i.value.isNaNTypeCoercionSideEffects.valueOf):
(isNaNStructTransition):
(isNaN):
* tests/stress/number-is-finite.js: Added.
(shouldBe):
(test2):
(test3):
* tests/stress/number-is-nan.js: Added.
(shouldBe):
(test2):
(test3):
* tests/stress/to-number-basics.js: Added.
(shouldBe):
* tests/stress/to-number-convert-identity-without-execution.js: Added.
(shouldBe):
(object.valueOf):
(valueOf):
* tests/stress/to-number-int52.js: Added.
(shouldBe):
(object.valueOf):
* tests/stress/to-number-intrinsic-convert-to-identity-without-execution.js: Added.
(shouldBe):
(object.valueOf):
(valueOf):
* tests/stress/to-number-intrinsic-int52.js: Added.
(shouldBe):
(object.valueOf):
* tests/stress/to-number-intrinsic-object-without-execution.js: Added.
(shouldBe):
(object.valueOf):
* tests/stress/to-number-intrinsic-value-profiling.js: Added.
(shouldBe):
(object.valueOf):
* tests/stress/to-number-object-without-execution.js: Added.
(shouldBe):
(object.valueOf):
* tests/stress/to-number-object.js: Added.
(shouldBe):
(test12):
(object1.valueOf):
(test2):
(test22):
(object2.valueOf):
(test3):
(test32):
(object3.valueOf):
* tests/stress/to-number-value-profiling.js: Added.
(shouldBe):
(object.valueOf):

LayoutTests:

* js/regress/Number-isNaN-expected.txt: Added.
* js/regress/Number-isNaN.html: Added.
* js/regress/global-isNaN-expected.txt: Added.
* js/regress/global-isNaN.html: Added.
* js/regress/script-tests/Number-isNaN.js: Added.
* js/regress/script-tests/global-isNaN.js: Added.
* js/regress/script-tests/many-foreach-calls.js:
(i.4.forEach):
(i.array.forEach): Deleted.
* js/regress/script-tests/to-number-constructor-number-string-number-string.js: Added.
(test):
* js/regress/script-tests/to-number-constructor-only-number.js: Added.
(test):
* js/regress/script-tests/to-number-constructor-only-string.js: Added.
(test):
* js/regress/script-tests/to-number-constructor-string-number-string-number.js: Added.
(test):
* js/regress/script-tests/to-number-number-string-number-string.js: Added.
(test):
* js/regress/script-tests/to-number-only-number.js: Added.
(test):
* js/regress/script-tests/to-number-only-string.js: Added.
(test):
* js/regress/script-tests/to-number-string-number-string-number.js: Added.
(test):
* js/regress/to-number-constructor-number-string-number-string-expected.txt: Added.
* js/regress/to-number-constructor-number-string-number-string.html: Added.
* js/regress/to-number-constructor-only-number-expected.txt: Added.
* js/regress/to-number-constructor-only-number.html: Added.
* js/regress/to-number-constructor-only-string-expected.txt: Added.
* js/regress/to-number-constructor-only-string.html: Added.
* js/regress/to-number-constructor-string-number-string-number-expected.txt: Added.
* js/regress/to-number-constructor-string-number-string-number.html: Added.
* js/regress/to-number-number-string-number-string-expected.txt: Added.
* js/regress/to-number-number-string-number-string.html: Added.
* js/regress/to-number-only-number-expected.txt: Added.
* js/regress/to-number-only-number.html: Added.
* js/regress/to-number-only-string-expected.txt: Added.
* js/regress/to-number-only-string.html: Added.
* js/regress/to-number-string-number-string-number-expected.txt: Added.
* js/regress/to-number-string-number-string-number.html: Added.

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@202680 268f45cc-cd09-0410-ab3c-d52691b4dbfc
93 files changed:
LayoutTests/ChangeLog
LayoutTests/js/regress/Number-isNaN-expected.txt [new file with mode: 0644]
LayoutTests/js/regress/Number-isNaN.html [new file with mode: 0644]
LayoutTests/js/regress/global-isNaN-expected.txt [new file with mode: 0644]
LayoutTests/js/regress/global-isNaN.html [new file with mode: 0644]
LayoutTests/js/regress/script-tests/Number-isNaN.js [new file with mode: 0644]
LayoutTests/js/regress/script-tests/global-isNaN.js [new file with mode: 0644]
LayoutTests/js/regress/script-tests/many-foreach-calls.js
LayoutTests/js/regress/script-tests/to-number-constructor-number-string-number-string.js [new file with mode: 0644]
LayoutTests/js/regress/script-tests/to-number-constructor-only-number.js [new file with mode: 0644]
LayoutTests/js/regress/script-tests/to-number-constructor-only-string.js [new file with mode: 0644]
LayoutTests/js/regress/script-tests/to-number-constructor-string-number-string-number.js [new file with mode: 0644]
LayoutTests/js/regress/script-tests/to-number-number-string-number-string.js [new file with mode: 0644]
LayoutTests/js/regress/script-tests/to-number-only-number.js [new file with mode: 0644]
LayoutTests/js/regress/script-tests/to-number-only-string.js [new file with mode: 0644]
LayoutTests/js/regress/script-tests/to-number-string-number-string-number.js [new file with mode: 0644]
LayoutTests/js/regress/to-number-constructor-number-string-number-string-expected.txt [new file with mode: 0644]
LayoutTests/js/regress/to-number-constructor-number-string-number-string.html [new file with mode: 0644]
LayoutTests/js/regress/to-number-constructor-only-number-expected.txt [new file with mode: 0644]
LayoutTests/js/regress/to-number-constructor-only-number.html [new file with mode: 0644]
LayoutTests/js/regress/to-number-constructor-only-string-expected.txt [new file with mode: 0644]
LayoutTests/js/regress/to-number-constructor-only-string.html [new file with mode: 0644]
LayoutTests/js/regress/to-number-constructor-string-number-string-number-expected.txt [new file with mode: 0644]
LayoutTests/js/regress/to-number-constructor-string-number-string-number.html [new file with mode: 0644]
LayoutTests/js/regress/to-number-number-string-number-string-expected.txt [new file with mode: 0644]
LayoutTests/js/regress/to-number-number-string-number-string.html [new file with mode: 0644]
LayoutTests/js/regress/to-number-only-number-expected.txt [new file with mode: 0644]
LayoutTests/js/regress/to-number-only-number.html [new file with mode: 0644]
LayoutTests/js/regress/to-number-only-string-expected.txt [new file with mode: 0644]
LayoutTests/js/regress/to-number-only-string.html [new file with mode: 0644]
LayoutTests/js/regress/to-number-string-number-string-number-expected.txt [new file with mode: 0644]
LayoutTests/js/regress/to-number-string-number-string-number.html [new file with mode: 0644]
Source/JavaScriptCore/CMakeLists.txt
Source/JavaScriptCore/ChangeLog
Source/JavaScriptCore/DerivedSources.make
Source/JavaScriptCore/JavaScriptCore.xcodeproj/project.pbxproj
Source/JavaScriptCore/builtins/BuiltinNames.h
Source/JavaScriptCore/builtins/GlobalObject.js
Source/JavaScriptCore/builtins/GlobalOperations.js [new file with mode: 0644]
Source/JavaScriptCore/builtins/NumberConstructor.js [new file with mode: 0644]
Source/JavaScriptCore/bytecode/BytecodeIntrinsicRegistry.cpp
Source/JavaScriptCore/bytecode/BytecodeIntrinsicRegistry.h
Source/JavaScriptCore/bytecode/BytecodeList.json
Source/JavaScriptCore/bytecode/CodeBlock.cpp
Source/JavaScriptCore/bytecompiler/BytecodeGenerator.cpp
Source/JavaScriptCore/bytecompiler/BytecodeGenerator.h
Source/JavaScriptCore/bytecompiler/NodesCodegen.cpp
Source/JavaScriptCore/dfg/DFGAbstractInterpreterInlines.h
Source/JavaScriptCore/dfg/DFGBackwardsPropagationPhase.cpp
Source/JavaScriptCore/dfg/DFGByteCodeParser.cpp
Source/JavaScriptCore/dfg/DFGClobberize.h
Source/JavaScriptCore/dfg/DFGConstantFoldingPhase.cpp
Source/JavaScriptCore/dfg/DFGDoesGC.cpp
Source/JavaScriptCore/dfg/DFGFixupPhase.cpp
Source/JavaScriptCore/dfg/DFGNode.h
Source/JavaScriptCore/dfg/DFGNodeType.h
Source/JavaScriptCore/dfg/DFGOperations.cpp
Source/JavaScriptCore/dfg/DFGOperations.h
Source/JavaScriptCore/dfg/DFGPredictionPropagationPhase.cpp
Source/JavaScriptCore/dfg/DFGSafeToExecute.h
Source/JavaScriptCore/dfg/DFGSpeculativeJIT32_64.cpp
Source/JavaScriptCore/dfg/DFGSpeculativeJIT64.cpp
Source/JavaScriptCore/ftl/FTLCapabilities.cpp
Source/JavaScriptCore/ftl/FTLLowerDFGToB3.cpp
Source/JavaScriptCore/jit/AssemblyHelpers.h
Source/JavaScriptCore/jit/JITOpcodes.cpp
Source/JavaScriptCore/jit/JITOpcodes32_64.cpp
Source/JavaScriptCore/llint/LowLevelInterpreter32_64.asm
Source/JavaScriptCore/llint/LowLevelInterpreter64.asm
Source/JavaScriptCore/parser/Nodes.h
Source/JavaScriptCore/runtime/CommonSlowPaths.cpp
Source/JavaScriptCore/runtime/JSGlobalObject.cpp
Source/JavaScriptCore/runtime/JSGlobalObjectFunctions.cpp
Source/JavaScriptCore/runtime/JSGlobalObjectFunctions.h
Source/JavaScriptCore/runtime/MathCommon.h
Source/JavaScriptCore/runtime/NumberConstructor.cpp
Source/JavaScriptCore/runtime/NumberConstructor.h
Source/JavaScriptCore/tests/stress/Number-isNaN-basics.js [new file with mode: 0644]
Source/JavaScriptCore/tests/stress/global-is-finite.js [new file with mode: 0644]
Source/JavaScriptCore/tests/stress/global-is-nan.js [new file with mode: 0644]
Source/JavaScriptCore/tests/stress/global-isNaN-basics.js [new file with mode: 0644]
Source/JavaScriptCore/tests/stress/number-is-finite.js [new file with mode: 0644]
Source/JavaScriptCore/tests/stress/number-is-nan.js [new file with mode: 0644]
Source/JavaScriptCore/tests/stress/to-number-basics.js [new file with mode: 0644]
Source/JavaScriptCore/tests/stress/to-number-convert-identity-without-execution.js [new file with mode: 0644]
Source/JavaScriptCore/tests/stress/to-number-int52.js [new file with mode: 0644]
Source/JavaScriptCore/tests/stress/to-number-intrinsic-convert-to-identity-without-execution.js [new file with mode: 0644]
Source/JavaScriptCore/tests/stress/to-number-intrinsic-int52.js [new file with mode: 0644]
Source/JavaScriptCore/tests/stress/to-number-intrinsic-object-without-execution.js [new file with mode: 0644]
Source/JavaScriptCore/tests/stress/to-number-intrinsic-value-profiling.js [new file with mode: 0644]
Source/JavaScriptCore/tests/stress/to-number-object-without-execution.js [new file with mode: 0644]
Source/JavaScriptCore/tests/stress/to-number-object.js [new file with mode: 0644]
Source/JavaScriptCore/tests/stress/to-number-value-profiling.js [new file with mode: 0644]