DFG should emit inline code for property storage (re)allocation
https://bugs.webkit.org/show_bug.cgi?id=91597

Reviewed by Oliver Hunt.

This adds two new ops to the DFG IR: AllocatePropertyStorage and
ReallocatePropertyStorage. It enables these to interact properly with
CSE so that a GetPropertyStorage on something for which we have
obviously done a (Re)AllocatePropertyStorage will result in the
GetPropertyStorage being eliminated. Other than that, the code
emitted for these ops is identical to the code we were emitting in
the corresponding PutById stub.

* dfg/DFGAbstractState.cpp:
(JSC::DFG::AbstractState::execute):
* dfg/DFGByteCodeParser.cpp:
(JSC::DFG::ByteCodeParser::parseBlock):
* dfg/DFGCSEPhase.cpp:
(JSC::DFG::CSEPhase::putStructureStoreElimination):
(JSC::DFG::CSEPhase::getPropertyStorageLoadElimination):
* dfg/DFGNode.h:
(JSC::DFG::Node::hasStructureTransitionData):
* dfg/DFGNodeType.h:
(DFG):
* dfg/DFGOperations.cpp:
* dfg/DFGOperations.h:
* dfg/DFGPredictionPropagationPhase.cpp:
(JSC::DFG::PredictionPropagationPhase::propagate):
* dfg/DFGSpeculativeJIT.cpp:
(JSC::DFG::SpeculativeJIT::compileAllocatePropertyStorage):
(DFG):
(JSC::DFG::SpeculativeJIT::compileReallocatePropertyStorage):
* dfg/DFGSpeculativeJIT.h:
(JSC::DFG::SpeculativeJIT::callOperation):
(SpeculativeJIT):
* dfg/DFGSpeculativeJIT32_64.cpp:
(JSC::DFG::SpeculativeJIT::compile):
* dfg/DFGSpeculativeJIT64.cpp:
(JSC::DFG::SpeculativeJIT::compile):
* runtime/Structure.cpp:
(JSC::nextOutOfLineStorageCapacity):
* runtime/Structure.h:
(JSC):



git-svn-id: http://svn.webkit.org/repository/webkit/trunk@123052 268f45cc-cd09-0410-ab3c-d52691b4dbfc
diff --git a/Source/JavaScriptCore/dfg/DFGAbstractState.cpp b/Source/JavaScriptCore/dfg/DFGAbstractState.cpp
index e4561da..4f2b403 100644
--- a/Source/JavaScriptCore/dfg/DFGAbstractState.cpp
+++ b/Source/JavaScriptCore/dfg/DFGAbstractState.cpp
@@ -1437,6 +1437,8 @@
         m_haveStructures = true;
         break;
     case GetPropertyStorage:
+    case AllocatePropertyStorage:
+    case ReallocatePropertyStorage:
         node.setCanExit(false);
         forNode(node.child1()).filter(SpecCell);
         forNode(nodeIndex).clear(); // The result is not a JS value.
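Review bot: the two new case labels, AllocatePropertyStorage and ReallocatePropertyStorage, inherit `node.setCanExit(false)` from the GetPropertyStorage body with no comment saying why that holds for nodes that allocate. The commit message says the emitted code matches the PutById stub, and its file list touches DFGOperations.cpp and SpeculativeJIT::callOperation, so these nodes presumably have a slow path that calls into the runtime. A one-line comment stating that this path never triggers an OSR exit would make the shared body easier to audit. The shared body also filters only `node.child1()` with SpecCell. If ReallocatePropertyStorage carries another operand, such as the old storage pointer, please confirm that leaving it unconstrained here is intentional, or give the new ops their own case body.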