Google Git
Sign in
webkit / WebKit / 409f5be22bf912bde1d0b4ad2869a67cecf3f557^! / . / Source / JavaScriptCore / dfg / DFGFixupPhase.cpp
commit409f5be22bf912bde1d0b4ad2869a67cecf3f557[log] [tgz]
authorfpizlo@apple.com <fpizlo@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>Fri Mar 04 02:43:53 2016 +0000
committerfpizlo@apple.com <fpizlo@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>Fri Mar 04 02:43:53 2016 +0000
tree207d97661a71f02eb4fffe0d02657d931970103c
parent1802d72525988ffd2f11caca6e6d4d2577cbda48 [diff] [blame]
Octane/regexp's Exec function should benefit from array length accessor inlining
https://bugs.webkit.org/show_bug.cgi?id=154994

Reviewed by Benjamin Poulain.

It does:

    var thingy = blahbitty.blah;
    if (thingy)
        foo = thingy.length;

So, 'thingy' is SpecArray | SpecOther, which prevents the array length accessor inlining from
kicking in. Our strategy for this elsewhere in the DFG is to allow a one-time speculation that
we won't see SpecOther, since *usually* we see SpecOther mixed with other stuff in cases like
this where there is some null check guarding the code.

This gives another slight speed-up on Octane/regexp.

* bytecode/SpeculatedType.h:
(JSC::isCellSpeculation):
(JSC::isCellOrOtherSpeculation):
(JSC::isNotCellSpeculation):
* dfg/DFGFixupPhase.cpp:
(JSC::DFG::FixupPhase::fixupNode):
* dfg/DFGNode.h:
(JSC::DFG::Node::shouldSpeculateCell):
(JSC::DFG::Node::shouldSpeculateCellOrOther):
(JSC::DFG::Node::shouldSpeculateNotCell):



git-svn-id: http://svn.webkit.org/repository/webkit/trunk@197542 268f45cc-cd09-0410-ab3c-d52691b4dbfc

diff --git a/Source/JavaScriptCore/dfg/DFGFixupPhase.cpp b/Source/JavaScriptCore/dfg/DFGFixupPhase.cpp
index 6b83dcb..fe495e2 100644
--- a/Source/JavaScriptCore/dfg/DFGFixupPhase.cpp
+++ b/Source/JavaScriptCore/dfg/DFGFixupPhase.cpp

@@ -1064,12 +1064,12 @@
 
         case GetById:
         case GetByIdFlush: {
-            if (!node->child1()->shouldSpeculateCell())
-                break;
-
-            // If we hadn't exited because of BadCache, BadIndexingType, or ExoticObjectMode, then
-            // leave this as a GetById.
-            if (!m_graph.hasExitSite(node->origin.semantic, BadCache)
+            // FIXME: This should be done in the ByteCodeParser based on reading the
+            // PolymorphicAccess, which will surely tell us that this is a AccessCase::ArrayLength.
+            // https://bugs.webkit.org/show_bug.cgi?id=154990
+            if (node->child1()->shouldSpeculateCellOrOther()
+                && !m_graph.hasExitSite(node->origin.semantic, BadType)
+                && !m_graph.hasExitSite(node->origin.semantic, BadCache)
                 && !m_graph.hasExitSite(node->origin.semantic, BadIndexingType)
                 && !m_graph.hasExitSite(node->origin.semantic, ExoticObjectMode)) {
                 auto uid = m_graph.identifiers()[node->identifierNumber()];
@@ -1078,7 +1078,9 @@
                     break;
                 }
             }
-            fixEdge<CellUse>(node->child1());
+
+            if (node->child1()->shouldSpeculateCell())
+                fixEdge<CellUse>(node->child1());
             break;
         }