Array accesses should remember what kind of array they are predicted to access
https://bugs.webkit.org/show_bug.cgi?id=94448
Reviewed by Gavin Barraclough.
Introduced the notion of DFG::Array::Mode, stored in node.arrayMode(), which allows nodes
to remember how they decided to access arrays. This permits the bytecode parser to "lock in"
the mode of access if it has profiling at its disposal, and it also allows the prediction
propagator to do a fixup of the array mode later in the optimization fixpoint.
This patch adds a healthy amount of new capability (specifically the ability of the parser
to lock in an array mode regardless of type predictions) and it also blows away a lot of
messy code.
* CMakeLists.txt:
* GNUmakefile.list.am:
* JavaScriptCore.xcodeproj/project.pbxproj:
* Target.pri:
* dfg/DFGAbstractState.cpp:
(JSC::DFG::AbstractState::execute):
* dfg/DFGArgumentsSimplificationPhase.cpp:
(JSC::DFG::ArgumentsSimplificationPhase::run):
* dfg/DFGArrayMode.cpp: Added.
(DFG):
(JSC::DFG::fromObserved):
(JSC::DFG::refineArrayMode):
(JSC::DFG::modeAlreadyChecked):
(JSC::DFG::modeToString):
* dfg/DFGArrayMode.h: Added.
(DFG):
(JSC::DFG::canCSEStorage):
(JSC::DFG::modeForPut):
(JSC::DFG::modesCompatibleForStorageLoad):
(JSC::DFG::modeSupportsLength):
* dfg/DFGByteCodeParser.cpp:
(ByteCodeParser):
(JSC::DFG::ByteCodeParser::getArrayModeWithoutOSRExit):
(JSC::DFG::ByteCodeParser::getArrayMode):
(JSC::DFG::ByteCodeParser::handleIntrinsic):
(JSC::DFG::ByteCodeParser::parseBlock):
* dfg/DFGCSEPhase.cpp:
(JSC::DFG::CSEPhase::getByValLoadElimination):
(JSC::DFG::CSEPhase::checkStructureLoadElimination):
(JSC::DFG::CSEPhase::structureTransitionWatchpointElimination):
(JSC::DFG::CSEPhase::getByOffsetLoadElimination):
(JSC::DFG::CSEPhase::putByOffsetStoreElimination):
(JSC::DFG::CSEPhase::getPropertyStorageLoadElimination):
(JSC::DFG::CSEPhase::performNodeCSE):
* dfg/DFGFixupPhase.cpp:
(JSC::DFG::FixupPhase::fixupNode):
* dfg/DFGGraph.cpp:
(JSC::DFG::Graph::dump):
* dfg/DFGGraph.h:
(JSC::DFG::Graph::byValIsPure):
(JSC::DFG::Graph::clobbersWorld):
* dfg/DFGNode.h:
(JSC::DFG::Node::hasArrayMode):
(Node):
(JSC::DFG::Node::arrayMode):
(JSC::DFG::Node::setArrayMode):
* dfg/DFGNodeType.h:
(DFG):
* dfg/DFGPredictionPropagationPhase.cpp:
(JSC::DFG::PredictionPropagationPhase::propagate):
* dfg/DFGSpeculativeJIT.cpp:
(JSC::DFG::SpeculativeJIT::typedArrayDescriptor):
(DFG):
(JSC::DFG::SpeculativeJIT::speculateArray):
(JSC::DFG::SpeculativeJIT::compileGetByValOnString):
(JSC::DFG::SpeculativeJIT::compileGetByValOnIntTypedArray):
(JSC::DFG::SpeculativeJIT::compilePutByValForIntTypedArray):
(JSC::DFG::SpeculativeJIT::compileGetByValOnFloatTypedArray):
(JSC::DFG::SpeculativeJIT::compilePutByValForFloatTypedArray):
(JSC::DFG::SpeculativeJIT::compileGetIndexedPropertyStorage):
(JSC::DFG::SpeculativeJIT::compileGetArrayLength):
* dfg/DFGSpeculativeJIT.h:
(SpeculativeJIT):
* dfg/DFGSpeculativeJIT32_64.cpp:
(JSC::DFG::SpeculativeJIT::compile):
* dfg/DFGSpeculativeJIT64.cpp:
(JSC::DFG::SpeculativeJIT::compile):
* dfg/DFGStructureCheckHoistingPhase.cpp:
(JSC::DFG::StructureCheckHoistingPhase::run):
git-svn-id: http://svn.webkit.org/repository/webkit/trunk@126387 268f45cc-cd09-0410-ab3c-d52691b4dbfc
diff --git a/Source/JavaScriptCore/CMakeLists.txt b/Source/JavaScriptCore/CMakeLists.txt
index 15de77a..2689bce 100644
--- a/Source/JavaScriptCore/CMakeLists.txt
+++ b/Source/JavaScriptCore/CMakeLists.txt
@@ -66,6 +66,7 @@
dfg/DFGAbstractState.cpp
dfg/DFGArgumentsSimplificationPhase.cpp
+ dfg/DFGArrayMode.cpp
dfg/DFGAssemblyHelpers.cpp
dfg/DFGByteCodeParser.cpp
dfg/DFGCapabilities.cpp
diff --git a/Source/JavaScriptCore/ChangeLog b/Source/JavaScriptCore/ChangeLog
index d4ea36b..987ca8e 100644
--- a/Source/JavaScriptCore/ChangeLog
+++ b/Source/JavaScriptCore/ChangeLog
@@ -1,3 +1,89 @@
+2012-08-22 Filip Pizlo <fpizlo@apple.com>
+
+ Array accesses should remember what kind of array they are predicted to access
+ https://bugs.webkit.org/show_bug.cgi?id=94448
+
+ Reviewed by Gavin Barraclough.
+
+ Introduced the notion of DFG::Array::Mode, stored in node.arrayMode(), which allows nodes
+ to remember how they decided to access arrays. This permits the bytecode parser to "lock in"
+ the mode of access if it has profiling at its disposal, and it also allows the prediction
+ propagator to do a fixup of the array mode later in the optimization fixpoint.
+
+ This patch adds a healthy amount of new capability (specifically the ability of the parser
+ to lock in an array mode regardless of type predictions) and it also blows away a lot of
+ messy code.
+
+ * CMakeLists.txt:
+ * GNUmakefile.list.am:
+ * JavaScriptCore.xcodeproj/project.pbxproj:
+ * Target.pri:
+ * dfg/DFGAbstractState.cpp:
+ (JSC::DFG::AbstractState::execute):
+ * dfg/DFGArgumentsSimplificationPhase.cpp:
+ (JSC::DFG::ArgumentsSimplificationPhase::run):
+ * dfg/DFGArrayMode.cpp: Added.
+ (DFG):
+ (JSC::DFG::fromObserved):
+ (JSC::DFG::refineArrayMode):
+ (JSC::DFG::modeAlreadyChecked):
+ (JSC::DFG::modeToString):
+ * dfg/DFGArrayMode.h: Added.
+ (DFG):
+ (JSC::DFG::canCSEStorage):
+ (JSC::DFG::modeForPut):
+ (JSC::DFG::modesCompatibleForStorageLoad):
+ (JSC::DFG::modeSupportsLength):
+ * dfg/DFGByteCodeParser.cpp:
+ (ByteCodeParser):
+ (JSC::DFG::ByteCodeParser::getArrayModeWithoutOSRExit):
+ (JSC::DFG::ByteCodeParser::getArrayMode):
+ (JSC::DFG::ByteCodeParser::handleIntrinsic):
+ (JSC::DFG::ByteCodeParser::parseBlock):
+ * dfg/DFGCSEPhase.cpp:
+ (JSC::DFG::CSEPhase::getByValLoadElimination):
+ (JSC::DFG::CSEPhase::checkStructureLoadElimination):
+ (JSC::DFG::CSEPhase::structureTransitionWatchpointElimination):
+ (JSC::DFG::CSEPhase::getByOffsetLoadElimination):
+ (JSC::DFG::CSEPhase::putByOffsetStoreElimination):
+ (JSC::DFG::CSEPhase::getPropertyStorageLoadElimination):
+ (JSC::DFG::CSEPhase::performNodeCSE):
+ * dfg/DFGFixupPhase.cpp:
+ (JSC::DFG::FixupPhase::fixupNode):
+ * dfg/DFGGraph.cpp:
+ (JSC::DFG::Graph::dump):
+ * dfg/DFGGraph.h:
+ (JSC::DFG::Graph::byValIsPure):
+ (JSC::DFG::Graph::clobbersWorld):
+ * dfg/DFGNode.h:
+ (JSC::DFG::Node::hasArrayMode):
+ (Node):
+ (JSC::DFG::Node::arrayMode):
+ (JSC::DFG::Node::setArrayMode):
+ * dfg/DFGNodeType.h:
+ (DFG):
+ * dfg/DFGPredictionPropagationPhase.cpp:
+ (JSC::DFG::PredictionPropagationPhase::propagate):
+ * dfg/DFGSpeculativeJIT.cpp:
+ (JSC::DFG::SpeculativeJIT::typedArrayDescriptor):
+ (DFG):
+ (JSC::DFG::SpeculativeJIT::speculateArray):
+ (JSC::DFG::SpeculativeJIT::compileGetByValOnString):
+ (JSC::DFG::SpeculativeJIT::compileGetByValOnIntTypedArray):
+ (JSC::DFG::SpeculativeJIT::compilePutByValForIntTypedArray):
+ (JSC::DFG::SpeculativeJIT::compileGetByValOnFloatTypedArray):
+ (JSC::DFG::SpeculativeJIT::compilePutByValForFloatTypedArray):
+ (JSC::DFG::SpeculativeJIT::compileGetIndexedPropertyStorage):
+ (JSC::DFG::SpeculativeJIT::compileGetArrayLength):
+ * dfg/DFGSpeculativeJIT.h:
+ (SpeculativeJIT):
+ * dfg/DFGSpeculativeJIT32_64.cpp:
+ (JSC::DFG::SpeculativeJIT::compile):
+ * dfg/DFGSpeculativeJIT64.cpp:
+ (JSC::DFG::SpeculativeJIT::compile):
+ * dfg/DFGStructureCheckHoistingPhase.cpp:
+ (JSC::DFG::StructureCheckHoistingPhase::run):
+
2012-08-22 Geoffrey Garen <ggaren@apple.com>
ThreadRestrictionVerifier should be opt-in, not opt-out
diff --git a/Source/JavaScriptCore/GNUmakefile.list.am b/Source/JavaScriptCore/GNUmakefile.list.am
index bcfcb68..b0c3159 100644
--- a/Source/JavaScriptCore/GNUmakefile.list.am
+++ b/Source/JavaScriptCore/GNUmakefile.list.am
@@ -155,6 +155,8 @@
Source/JavaScriptCore/dfg/DFGArgumentPosition.h \
Source/JavaScriptCore/dfg/DFGArgumentsSimplificationPhase.cpp \
Source/JavaScriptCore/dfg/DFGArgumentsSimplificationPhase.h \
+ Source/JavaScriptCore/dfg/DFGArrayMode.cpp \
+ Source/JavaScriptCore/dfg/DFGArrayMode.h \
Source/JavaScriptCore/dfg/DFGAssemblyHelpers.cpp \
Source/JavaScriptCore/dfg/DFGAssemblyHelpers.h \
Source/JavaScriptCore/dfg/DFGBasicBlock.h \
diff --git a/Source/JavaScriptCore/JavaScriptCore.xcodeproj/project.pbxproj b/Source/JavaScriptCore/JavaScriptCore.xcodeproj/project.pbxproj
index f229d2d..da029cc 100644
--- a/Source/JavaScriptCore/JavaScriptCore.xcodeproj/project.pbxproj
+++ b/Source/JavaScriptCore/JavaScriptCore.xcodeproj/project.pbxproj
@@ -142,6 +142,8 @@
0F63944015C75F1D006A597C /* DFGStructureCheckHoistingPhase.cpp in Sources */ = {isa = PBXBuildFile; fileRef = 0F63943C15C75F14006A597C /* DFGStructureCheckHoistingPhase.cpp */; };
0F63945415D07055006A597C /* ArrayProfile.cpp in Sources */ = {isa = PBXBuildFile; fileRef = 0F63945115D07051006A597C /* ArrayProfile.cpp */; };
0F63945515D07057006A597C /* ArrayProfile.h in Headers */ = {isa = PBXBuildFile; fileRef = 0F63945215D07051006A597C /* ArrayProfile.h */; settings = {ATTRIBUTES = (Private, ); }; };
+ 0F63948415E48118006A597C /* DFGArrayMode.cpp in Sources */ = {isa = PBXBuildFile; fileRef = 0F63948115E48114006A597C /* DFGArrayMode.cpp */; };
+ 0F63948515E4811B006A597C /* DFGArrayMode.h in Headers */ = {isa = PBXBuildFile; fileRef = 0F63948215E48114006A597C /* DFGArrayMode.h */; settings = {ATTRIBUTES = (Private, ); }; };
0F63947815DCE34B006A597C /* DFGStructureAbstractValue.h in Headers */ = {isa = PBXBuildFile; fileRef = 0F63947615DCE347006A597C /* DFGStructureAbstractValue.h */; settings = {ATTRIBUTES = (Private, ); }; };
0F66E16B14DF3F1600B7B2E4 /* DFGAdjacencyList.h in Headers */ = {isa = PBXBuildFile; fileRef = 0F66E16814DF3F1300B7B2E4 /* DFGAdjacencyList.h */; settings = {ATTRIBUTES = (Private, ); }; };
0F66E16C14DF3F1600B7B2E4 /* DFGEdge.h in Headers */ = {isa = PBXBuildFile; fileRef = 0F66E16914DF3F1300B7B2E4 /* DFGEdge.h */; settings = {ATTRIBUTES = (Private, ); }; };
@@ -899,6 +901,8 @@
0F63943D15C75F14006A597C /* DFGStructureCheckHoistingPhase.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; name = DFGStructureCheckHoistingPhase.h; path = dfg/DFGStructureCheckHoistingPhase.h; sourceTree = "<group>"; };
0F63945115D07051006A597C /* ArrayProfile.cpp */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.cpp.cpp; path = ArrayProfile.cpp; sourceTree = "<group>"; };
0F63945215D07051006A597C /* ArrayProfile.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = ArrayProfile.h; sourceTree = "<group>"; };
+ 0F63948115E48114006A597C /* DFGArrayMode.cpp */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.cpp.cpp; name = DFGArrayMode.cpp; path = dfg/DFGArrayMode.cpp; sourceTree = "<group>"; };
+ 0F63948215E48114006A597C /* DFGArrayMode.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; name = DFGArrayMode.h; path = dfg/DFGArrayMode.h; sourceTree = "<group>"; };
0F63947615DCE347006A597C /* DFGStructureAbstractValue.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; name = DFGStructureAbstractValue.h; path = dfg/DFGStructureAbstractValue.h; sourceTree = "<group>"; };
0F66E16814DF3F1300B7B2E4 /* DFGAdjacencyList.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; name = DFGAdjacencyList.h; path = dfg/DFGAdjacencyList.h; sourceTree = "<group>"; };
0F66E16914DF3F1300B7B2E4 /* DFGEdge.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; name = DFGEdge.h; path = dfg/DFGEdge.h; sourceTree = "<group>"; };
@@ -2266,12 +2270,15 @@
86EC9DB31328DF44002B2AD7 /* dfg */ = {
isa = PBXGroup;
children = (
- 0F1E3A431534CBAD000F9456 /* DFGArgumentPosition.h */,
- 0F16015A156198BF00C2587C /* DFGArgumentsSimplificationPhase.cpp */,
- 0F16015B156198BF00C2587C /* DFGArgumentsSimplificationPhase.h */,
0F62016D143FCD2F0068B77C /* DFGAbstractState.cpp */,
0F62016E143FCD2F0068B77C /* DFGAbstractState.h */,
0F62016F143FCD2F0068B77C /* DFGAbstractValue.h */,
+ 0F66E16814DF3F1300B7B2E4 /* DFGAdjacencyList.h */,
+ 0F1E3A431534CBAD000F9456 /* DFGArgumentPosition.h */,
+ 0F16015A156198BF00C2587C /* DFGArgumentsSimplificationPhase.cpp */,
+ 0F16015B156198BF00C2587C /* DFGArgumentsSimplificationPhase.h */,
+ 0F63948115E48114006A597C /* DFGArrayMode.cpp */,
+ 0F63948215E48114006A597C /* DFGArrayMode.h */,
0FC0976B1468AB4A00CF2442 /* DFGAssemblyHelpers.cpp */,
0FC0976C1468AB4A00CF2442 /* DFGAssemblyHelpers.h */,
0F620170143FCD2F0068B77C /* DFGBasicBlock.h */,
@@ -2315,7 +2322,6 @@
86ECA3E9132DEF1C002B2AD7 /* DFGNode.h */,
0FA581B7150E952A00B9A2D9 /* DFGNodeFlags.cpp */,
0FA581B8150E952A00B9A2D9 /* DFGNodeFlags.h */,
- 0F66E16814DF3F1300B7B2E4 /* DFGAdjacencyList.h */,
0FA581B9150E952A00B9A2D9 /* DFGNodeType.h */,
0F66E16914DF3F1300B7B2E4 /* DFGEdge.h */,
86EC9DBF1328DF82002B2AD7 /* DFGOperations.cpp */,
@@ -2895,6 +2901,7 @@
FE4A332015BD2E07006F54F3 /* VMInspector.h in Headers */,
0F63943F15C75F19006A597C /* DFGStructureCheckHoistingPhase.h in Headers */,
0F63945515D07057006A597C /* ArrayProfile.h in Headers */,
+ 0F63948515E4811B006A597C /* DFGArrayMode.h in Headers */,
0F63947815DCE34B006A597C /* DFGStructureAbstractValue.h in Headers */,
);
runOnlyForDeploymentPostprocessing = 0;
@@ -3496,6 +3503,7 @@
FE4A331F15BD2E07006F54F3 /* VMInspector.cpp in Sources */,
0F63944015C75F1D006A597C /* DFGStructureCheckHoistingPhase.cpp in Sources */,
0F63945415D07055006A597C /* ArrayProfile.cpp in Sources */,
+ 0F63948415E48118006A597C /* DFGArrayMode.cpp in Sources */,
C21122E115DD9AB300790E3A /* GCThreadSharedData.cpp in Sources */,
);
runOnlyForDeploymentPostprocessing = 0;
diff --git a/Source/JavaScriptCore/Target.pri b/Source/JavaScriptCore/Target.pri
index f565c74..c7e41ab 100644
--- a/Source/JavaScriptCore/Target.pri
+++ b/Source/JavaScriptCore/Target.pri
@@ -96,6 +96,7 @@
debugger/Debugger.cpp \
dfg/DFGAbstractState.cpp \
dfg/DFGArgumentsSimplificationPhase.cpp \
+ dfg/DFGArrayMode.cpp \
dfg/DFGAssemblyHelpers.cpp \
dfg/DFGByteCodeParser.cpp \
dfg/DFGCapabilities.cpp \
diff --git a/Source/JavaScriptCore/dfg/DFGAbstractState.cpp b/Source/JavaScriptCore/dfg/DFGAbstractState.cpp
index 5c53f6d..cfe9159 100644
--- a/Source/JavaScriptCore/dfg/DFGAbstractState.cpp
+++ b/Source/JavaScriptCore/dfg/DFGAbstractState.cpp
@@ -868,65 +868,66 @@
case GetByVal: {
node.setCanExit(true);
- if (!node.prediction() || !m_graph[node.child1()].prediction() || !m_graph[node.child2()].prediction()) {
+ switch (node.arrayMode()) {
+ case Array::Undecided:
+ ASSERT_NOT_REACHED();
+ break;
+ case Array::ForceExit:
m_isValid = false;
break;
- }
- if (!m_graph[node.child2()].shouldSpeculateInteger() || (!node.child3() && !m_graph[node.child1()].shouldSpeculateArguments())) {
+ case Array::Generic:
clobberWorld(node.codeOrigin, indexInBlock);
forNode(nodeIndex).makeTop();
break;
- }
- if (m_graph[node.child1()].shouldSpeculateArguments()) {
- forNode(node.child1()).filter(SpecArguments);
- forNode(node.child2()).filter(SpecInt32);
- forNode(nodeIndex).makeTop();
- break;
- }
- if (m_graph[node.child1()].prediction() == SpecString) {
+ case Array::String:
forNode(node.child1()).filter(SpecString);
forNode(node.child2()).filter(SpecInt32);
forNode(nodeIndex).set(SpecString);
break;
- }
-
- if (m_graph[node.child1()].shouldSpeculateInt8Array()) {
+ case Array::Arguments:
+ forNode(node.child1()).filter(SpecArguments);
+ forNode(node.child2()).filter(SpecInt32);
+ forNode(nodeIndex).makeTop();
+ break;
+ case Array::JSArray:
+ case Array::JSArrayOutOfBounds:
+ // FIXME: We should have more conservative handling of the out-of-bounds
+ // case.
+ forNode(node.child1()).filter(SpecCell);
+ forNode(node.child2()).filter(SpecInt32);
+ forNode(nodeIndex).makeTop();
+ break;
+ case Array::Int8Array:
forNode(node.child1()).filter(SpecInt8Array);
forNode(node.child2()).filter(SpecInt32);
forNode(nodeIndex).set(SpecInt32);
break;
- }
- if (m_graph[node.child1()].shouldSpeculateInt16Array()) {
+ case Array::Int16Array:
forNode(node.child1()).filter(SpecInt16Array);
forNode(node.child2()).filter(SpecInt32);
forNode(nodeIndex).set(SpecInt32);
break;
- }
- if (m_graph[node.child1()].shouldSpeculateInt32Array()) {
+ case Array::Int32Array:
forNode(node.child1()).filter(SpecInt32Array);
forNode(node.child2()).filter(SpecInt32);
forNode(nodeIndex).set(SpecInt32);
break;
- }
- if (m_graph[node.child1()].shouldSpeculateUint8Array()) {
+ case Array::Uint8Array:
forNode(node.child1()).filter(SpecUint8Array);
forNode(node.child2()).filter(SpecInt32);
forNode(nodeIndex).set(SpecInt32);
break;
- }
- if (m_graph[node.child1()].shouldSpeculateUint8ClampedArray()) {
+ case Array::Uint8ClampedArray:
forNode(node.child1()).filter(SpecUint8ClampedArray);
forNode(node.child2()).filter(SpecInt32);
forNode(nodeIndex).set(SpecInt32);
break;
- }
- if (m_graph[node.child1()].shouldSpeculateUint16Array()) {
+ case Array::Uint16Array:
forNode(node.child1()).filter(SpecUint16Array);
forNode(node.child2()).filter(SpecInt32);
forNode(nodeIndex).set(SpecInt32);
break;
- }
- if (m_graph[node.child1()].shouldSpeculateUint32Array()) {
+ case Array::Uint32Array:
forNode(node.child1()).filter(SpecUint32Array);
forNode(node.child2()).filter(SpecInt32);
if (node.shouldSpeculateInteger())
@@ -934,55 +935,47 @@
else
forNode(nodeIndex).set(SpecDouble);
break;
- }
- if (m_graph[node.child1()].shouldSpeculateFloat32Array()) {
+ case Array::Float32Array:
forNode(node.child1()).filter(SpecFloat32Array);
forNode(node.child2()).filter(SpecInt32);
forNode(nodeIndex).set(SpecDouble);
break;
- }
- if (m_graph[node.child1()].shouldSpeculateFloat64Array()) {
+ case Array::Float64Array:
forNode(node.child1()).filter(SpecFloat64Array);
forNode(node.child2()).filter(SpecInt32);
forNode(nodeIndex).set(SpecDouble);
break;
}
- forNode(node.child1()).filter(SpecCell);
- forNode(node.child2()).filter(SpecInt32);
- forNode(nodeIndex).makeTop();
break;
}
case PutByVal:
- case PutByValAlias:
- case PutByValSafe: {
+ case PutByValAlias: {
node.setCanExit(true);
-
Edge child1 = m_graph.varArgChild(node, 0);
Edge child2 = m_graph.varArgChild(node, 1);
Edge child3 = m_graph.varArgChild(node, 2);
-
- if (!m_graph[child1].prediction() || !m_graph[child2].prediction()) {
+ switch (modeForPut(node.arrayMode())) {
+ case Array::ForceExit:
m_isValid = false;
break;
- }
- if (!m_graph[child2].shouldSpeculateInteger()
-#if USE(JSVALUE32_64)
- || m_graph[child1].shouldSpeculateArguments()
-#endif
- ) {
- ASSERT(node.op() == PutByVal || node.op() == PutByValSafe);
+ case Array::Generic:
clobberWorld(node.codeOrigin, indexInBlock);
- forNode(nodeIndex).makeTop();
break;
- }
-
- if (m_graph[child1].shouldSpeculateArguments()) {
+ case Array::JSArray:
+ forNode(child1).filter(SpecCell);
+ forNode(child2).filter(SpecInt32);
+ break;
+ case Array::JSArrayOutOfBounds:
+ forNode(child1).filter(SpecCell);
+ forNode(child2).filter(SpecInt32);
+ clobberWorld(node.codeOrigin, indexInBlock);
+ break;
+ case Array::Arguments:
forNode(child1).filter(SpecArguments);
forNode(child2).filter(SpecInt32);
break;
- }
- if (m_graph[child1].shouldSpeculateInt8Array()) {
+ case Array::Int8Array:
forNode(child1).filter(SpecInt8Array);
forNode(child2).filter(SpecInt32);
if (m_graph[child3].shouldSpeculateInteger())
@@ -990,8 +983,7 @@
else
forNode(child3).filter(SpecNumber);
break;
- }
- if (m_graph[child1].shouldSpeculateInt16Array()) {
+ case Array::Int16Array:
forNode(child1).filter(SpecInt16Array);
forNode(child2).filter(SpecInt32);
if (m_graph[child3].shouldSpeculateInteger())
@@ -999,8 +991,7 @@
else
forNode(child3).filter(SpecNumber);
break;
- }
- if (m_graph[child1].shouldSpeculateInt32Array()) {
+ case Array::Int32Array:
forNode(child1).filter(SpecInt32Array);
forNode(child2).filter(SpecInt32);
if (m_graph[child3].shouldSpeculateInteger())
@@ -1008,8 +999,7 @@
else
forNode(child3).filter(SpecNumber);
break;
- }
- if (m_graph[child1].shouldSpeculateUint8Array()) {
+ case Array::Uint8Array:
forNode(child1).filter(SpecUint8Array);
forNode(child2).filter(SpecInt32);
if (m_graph[child3].shouldSpeculateInteger())
@@ -1017,8 +1007,7 @@
else
forNode(child3).filter(SpecNumber);
break;
- }
- if (m_graph[child1].shouldSpeculateUint8ClampedArray()) {
+ case Array::Uint8ClampedArray:
forNode(child1).filter(SpecUint8ClampedArray);
forNode(child2).filter(SpecInt32);
if (m_graph[child3].shouldSpeculateInteger())
@@ -1026,8 +1015,7 @@
else
forNode(child3).filter(SpecNumber);
break;
- }
- if (m_graph[child1].shouldSpeculateUint16Array()) {
+ case Array::Uint16Array:
forNode(child1).filter(SpecUint16Array);
forNode(child2).filter(SpecInt32);
if (m_graph[child3].shouldSpeculateInteger())
@@ -1035,8 +1023,7 @@
else
forNode(child3).filter(SpecNumber);
break;
- }
- if (m_graph[child1].shouldSpeculateUint32Array()) {
+ case Array::Uint32Array:
forNode(child1).filter(SpecUint32Array);
forNode(child2).filter(SpecInt32);
if (m_graph[child3].shouldSpeculateInteger())
@@ -1044,23 +1031,20 @@
else
forNode(child3).filter(SpecNumber);
break;
- }
- if (m_graph[child1].shouldSpeculateFloat32Array()) {
+ case Array::Float32Array:
forNode(child1).filter(SpecFloat32Array);
forNode(child2).filter(SpecInt32);
forNode(child3).filter(SpecNumber);
break;
- }
- if (m_graph[child1].shouldSpeculateFloat64Array()) {
+ case Array::Float64Array:
forNode(child1).filter(SpecFloat64Array);
forNode(child2).filter(SpecInt32);
forNode(child3).filter(SpecNumber);
break;
+ default:
+ ASSERT_NOT_REACHED();
+ break;
}
- forNode(child1).filter(SpecCell);
- forNode(child2).filter(SpecInt32);
- if (node.op() == PutByValSafe)
- clobberWorld(node.codeOrigin, indexInBlock);
break;
}
@@ -1356,69 +1340,82 @@
break;
case GetArrayLength:
- node.setCanExit(true);
- forNode(node.child1()).filter(SpecCell);
- forNode(nodeIndex).set(SpecInt32);
+ switch (node.arrayMode()) {
+ case Array::Undecided:
+ ASSERT_NOT_REACHED();
+ break;
+ case Array::ForceExit:
+ m_isValid = false;
+ break;
+ case Array::Generic:
+ ASSERT_NOT_REACHED();
+ break;
+ case Array::String:
+ node.setCanExit(!isStringSpeculation(forNode(node.child1()).m_type));
+ forNode(node.child1()).filter(SpecString);
+ forNode(nodeIndex).set(SpecInt32);
+ break;
+ case Array::JSArray:
+ node.setCanExit(true);
+ forNode(node.child1()).filter(SpecCell);
+ forNode(nodeIndex).set(SpecInt32);
+ break;
+ case Array::JSArrayOutOfBounds:
+ ASSERT_NOT_REACHED();
+ break;
+ case Array::Arguments:
+ node.setCanExit(true);
+ forNode(node.child1()).filter(SpecArguments);
+ forNode(nodeIndex).set(SpecInt32);
+ break;
+ case Array::Int8Array:
+ node.setCanExit(!isInt8ArraySpeculation(forNode(node.child1()).m_type));
+ forNode(node.child1()).filter(SpecInt8Array);
+ forNode(nodeIndex).set(SpecInt32);
+ break;
+ case Array::Int16Array:
+ node.setCanExit(!isInt16ArraySpeculation(forNode(node.child1()).m_type));
+ forNode(node.child1()).filter(SpecInt16Array);
+ forNode(nodeIndex).set(SpecInt32);
+ break;
+ case Array::Int32Array:
+ node.setCanExit(!isInt32ArraySpeculation(forNode(node.child1()).m_type));
+ forNode(node.child1()).filter(SpecInt32Array);
+ forNode(nodeIndex).set(SpecInt32);
+ break;
+ case Array::Uint8Array:
+ node.setCanExit(!isUint8ArraySpeculation(forNode(node.child1()).m_type));
+ forNode(node.child1()).filter(SpecUint8Array);
+ forNode(nodeIndex).set(SpecInt32);
+ break;
+ case Array::Uint8ClampedArray:
+ node.setCanExit(!isUint8ClampedArraySpeculation(forNode(node.child1()).m_type));
+ forNode(node.child1()).filter(SpecUint8ClampedArray);
+ forNode(nodeIndex).set(SpecInt32);
+ break;
+ case Array::Uint16Array:
+ node.setCanExit(!isUint16ArraySpeculation(forNode(node.child1()).m_type));
+ forNode(node.child1()).filter(SpecUint16Array);
+ forNode(nodeIndex).set(SpecInt32);
+ break;
+ case Array::Uint32Array:
+ node.setCanExit(!isUint32ArraySpeculation(forNode(node.child1()).m_type));
+ forNode(node.child1()).filter(SpecUint32Array);
+ forNode(nodeIndex).set(SpecInt32);
+ break;
+ case Array::Float32Array:
+ node.setCanExit(!isFloat32ArraySpeculation(forNode(node.child1()).m_type));
+ forNode(node.child1()).filter(SpecFloat32Array);
+ forNode(nodeIndex).set(SpecInt32);
+ break;
+ case Array::Float64Array:
+ node.setCanExit(!isFloat64ArraySpeculation(forNode(node.child1()).m_type));
+ forNode(node.child1()).filter(SpecFloat64Array);
+ forNode(nodeIndex).set(SpecInt32);
+ break;
+ }
break;
- case GetArgumentsLength:
- node.setCanExit(true);
- forNode(node.child1()).filter(SpecArguments);
- forNode(nodeIndex).set(SpecInt32);
- break;
-
- case GetStringLength:
- node.setCanExit(!isStringSpeculation(forNode(node.child1()).m_type));
- forNode(node.child1()).filter(SpecString);
- forNode(nodeIndex).set(SpecInt32);
- break;
-
- case GetInt8ArrayLength:
- node.setCanExit(!isInt8ArraySpeculation(forNode(node.child1()).m_type));
- forNode(node.child1()).filter(SpecInt8Array);
- forNode(nodeIndex).set(SpecInt32);
- break;
- case GetInt16ArrayLength:
- node.setCanExit(!isInt16ArraySpeculation(forNode(node.child1()).m_type));
- forNode(node.child1()).filter(SpecInt16Array);
- forNode(nodeIndex).set(SpecInt32);
- break;
- case GetInt32ArrayLength:
- node.setCanExit(!isInt32ArraySpeculation(forNode(node.child1()).m_type));
- forNode(node.child1()).filter(SpecInt32Array);
- forNode(nodeIndex).set(SpecInt32);
- break;
- case GetUint8ArrayLength:
- node.setCanExit(!isUint8ArraySpeculation(forNode(node.child1()).m_type));
- forNode(node.child1()).filter(SpecUint8Array);
- forNode(nodeIndex).set(SpecInt32);
- break;
- case GetUint8ClampedArrayLength:
- node.setCanExit(!isUint8ClampedArraySpeculation(forNode(node.child1()).m_type));
- forNode(node.child1()).filter(SpecUint8ClampedArray);
- forNode(nodeIndex).set(SpecInt32);
- break;
- case GetUint16ArrayLength:
- node.setCanExit(!isUint16ArraySpeculation(forNode(node.child1()).m_type));
- forNode(node.child1()).filter(SpecUint16Array);
- forNode(nodeIndex).set(SpecInt32);
- break;
- case GetUint32ArrayLength:
- node.setCanExit(!isUint32ArraySpeculation(forNode(node.child1()).m_type));
- forNode(node.child1()).filter(SpecUint32Array);
- forNode(nodeIndex).set(SpecInt32);
- break;
- case GetFloat32ArrayLength:
- node.setCanExit(!isFloat32ArraySpeculation(forNode(node.child1()).m_type));
- forNode(node.child1()).filter(SpecFloat32Array);
- forNode(nodeIndex).set(SpecInt32);
- break;
- case GetFloat64ArrayLength:
- node.setCanExit(!isFloat64ArraySpeculation(forNode(node.child1()).m_type));
- forNode(node.child1()).filter(SpecFloat64Array);
- forNode(nodeIndex).set(SpecInt32);
- break;
-
case CheckStructure:
case ForwardCheckStructure: {
// FIXME: We should be able to propagate the structure sets of constants (i.e. prototypes).
@@ -1489,65 +1486,48 @@
forNode(nodeIndex).clear(); // The result is not a JS value.
break;
case GetIndexedPropertyStorage: {
- ASSERT(m_graph[node.child1()].prediction());
- ASSERT(m_graph[node.child2()].shouldSpeculateInteger());
node.setCanExit(true); // Lies, but this is (almost) always followed by GetByVal, which does exit. So no point in trying to be more precise.
- if (m_graph[node.child1()].shouldSpeculateArguments()) {
+ switch (node.arrayMode()) {
+ case Array::String:
+ forNode(node.child1()).filter(SpecString);
+ break;
+ case Array::JSArray:
+ case Array::JSArrayOutOfBounds:
+ // This doesn't filter anything meaningful right now. We may want to add
+ // CFA tracking of array mode speculations, but we don't have that, yet.
+ forNode(node.child1()).filter(SpecCell);
+ break;
+ case Array::Int8Array:
+ forNode(node.child1()).filter(SpecInt8Array);
+ break;
+ case Array::Int16Array:
+ forNode(node.child1()).filter(SpecInt16Array);
+ break;
+ case Array::Int32Array:
+ forNode(node.child1()).filter(SpecInt32Array);
+ break;
+ case Array::Uint8Array:
+ forNode(node.child1()).filter(SpecUint8Array);
+ break;
+ case Array::Uint8ClampedArray:
+ forNode(node.child1()).filter(SpecUint8ClampedArray);
+ break;
+ case Array::Uint16Array:
+ forNode(node.child1()).filter(SpecUint16Array);
+ break;
+ case Array::Uint32Array:
+ forNode(node.child1()).filter(SpecUint32Array);
+ break;
+ case Array::Float32Array:
+ forNode(node.child1()).filter(SpecFloat32Array);
+ break;
+ case Array::Float64Array:
+ forNode(node.child1()).filter(SpecFloat64Array);
+ break;
+ default:
ASSERT_NOT_REACHED();
break;
}
- if (m_graph[node.child1()].prediction() == SpecString) {
- forNode(node.child1()).filter(SpecString);
- forNode(nodeIndex).clear();
- break;
- }
-
- if (m_graph[node.child1()].shouldSpeculateInt8Array()) {
- forNode(node.child1()).filter(SpecInt8Array);
- forNode(nodeIndex).clear();
- break;
- }
- if (m_graph[node.child1()].shouldSpeculateInt16Array()) {
- forNode(node.child1()).filter(SpecInt16Array);
- forNode(nodeIndex).clear();
- break;
- }
- if (m_graph[node.child1()].shouldSpeculateInt32Array()) {
- forNode(node.child1()).filter(SpecInt32Array);
- forNode(nodeIndex).clear();
- break;
- }
- if (m_graph[node.child1()].shouldSpeculateUint8Array()) {
- forNode(node.child1()).filter(SpecUint8Array);
- forNode(nodeIndex).clear();
- break;
- }
- if (m_graph[node.child1()].shouldSpeculateUint8ClampedArray()) {
- forNode(node.child1()).filter(SpecUint8ClampedArray);
- forNode(nodeIndex).clear();
- break;
- }
- if (m_graph[node.child1()].shouldSpeculateUint16Array()) {
- forNode(node.child1()).filter(SpecUint16Array);
- forNode(nodeIndex).set(SpecOther);
- break;
- }
- if (m_graph[node.child1()].shouldSpeculateUint32Array()) {
- forNode(node.child1()).filter(SpecUint32Array);
- forNode(nodeIndex).clear();
- break;
- }
- if (m_graph[node.child1()].shouldSpeculateFloat32Array()) {
- forNode(node.child1()).filter(SpecFloat32Array);
- forNode(nodeIndex).clear();
- break;
- }
- if (m_graph[node.child1()].shouldSpeculateFloat64Array()) {
- forNode(node.child1()).filter(SpecFloat64Array);
- forNode(nodeIndex).clear();
- break;
- }
- forNode(node.child1()).filter(SpecCell);
forNode(nodeIndex).clear();
break;
}
diff --git a/Source/JavaScriptCore/dfg/DFGArgumentsSimplificationPhase.cpp b/Source/JavaScriptCore/dfg/DFGArgumentsSimplificationPhase.cpp
index 000e1a9..2f535ba 100644
--- a/Source/JavaScriptCore/dfg/DFGArgumentsSimplificationPhase.cpp
+++ b/Source/JavaScriptCore/dfg/DFGArgumentsSimplificationPhase.cpp
@@ -145,7 +145,7 @@
}
// Figure out which variables alias the arguments and nothing else, and are
- // used only for GetByVal and GetArgumentsLength accesses. At the same time,
+ // used only for GetByVal and GetArrayLength accesses. At the same time,
// identify uses of CreateArguments that are not consistent with the arguments
// being aliased only to variables that satisfy these constraints.
for (BlockIndex blockIndex = 0; blockIndex < m_graph.m_blocks.size(); ++blockIndex) {
@@ -277,34 +277,25 @@
}
case GetByVal: {
- if (!node.prediction()
- || !m_graph[node.child1()].prediction()
- || !m_graph[node.child2()].prediction()) {
+ if (node.arrayMode() != Array::Arguments) {
observeBadArgumentsUses(node);
break;
}
-
- if (!isActionableArraySpeculation(m_graph[node.child1()].prediction())
- || !m_graph[node.child2()].shouldSpeculateInteger()) {
- observeBadArgumentsUses(node);
- break;
- }
-
- if (m_graph[node.child1()].shouldSpeculateArguments()) {
- // If arguments is used as an index, then it's an escaping use.
- // That's so awful and pretty much impossible since it would
- // imply that the arguments were predicted integer, but it's
- // good to be defensive and thorough.
- observeBadArgumentsUse(node.child2());
- observeProperArgumentsUse(node, node.child1());
- break;
- }
-
- observeBadArgumentsUses(node);
+
+ // That's so awful and pretty much impossible since it would
+ // imply that the arguments were predicted integer, but it's
+ // good to be defensive and thorough.
+ observeBadArgumentsUse(node.child2());
+ observeProperArgumentsUse(node, node.child1());
break;
}
- case GetArgumentsLength: {
+ case GetArrayLength: {
+ if (node.arrayMode() != Array::Arguments) {
+ observeBadArgumentsUses(node);
+ break;
+ }
+
observeProperArgumentsUse(node, node.child1());
break;
}
@@ -496,38 +487,32 @@
}
case GetByVal: {
- if (!node.prediction()
- || !m_graph[node.child1()].prediction()
- || !m_graph[node.child2()].prediction())
+ if (node.arrayMode() != Array::Arguments)
+ break;
+
+ // This can be simplified to GetMyArgumentByVal if we know that
+ // it satisfies either condition (1) or (2):
+ // 1) Its first child is a valid ArgumentsAliasingData and the
+ // InlineCallFrame* is not marked as creating arguments.
+ // 2) Its first child is CreateArguments and its InlineCallFrame*
+ // is not marked as creating arguments.
+
+ if (!isOKToOptimize(m_graph[node.child1()]))
break;
- if (!isActionableArraySpeculation(m_graph[node.child1()].prediction())
- || !m_graph[node.child2()].shouldSpeculateInteger())
- break;
-
- if (m_graph[node.child1()].shouldSpeculateArguments()) {
- // This can be simplified to GetMyArgumentByVal if we know that
- // it satisfies either condition (1) or (2):
- // 1) Its first child is a valid ArgumentsAliasingData and the
- // InlineCallFrame* is not marked as creating arguments.
- // 2) Its first child is CreateArguments and its InlineCallFrame*
- // is not marked as creating arguments.
-
- if (!isOKToOptimize(m_graph[node.child1()]))
- break;
-
- m_graph.deref(node.child1());
- node.children.child1() = node.children.child2();
- node.children.child2() = Edge();
- node.setOpAndDefaultFlags(GetMyArgumentByVal);
- changed = true;
- --indexInBlock; // Force reconsideration of this op now that it's a GetMyArgumentByVal.
- break;
- }
+ m_graph.deref(node.child1());
+ node.children.child1() = node.children.child2();
+ node.children.child2() = Edge();
+ node.setOpAndDefaultFlags(GetMyArgumentByVal);
+ changed = true;
+ --indexInBlock; // Force reconsideration of this op now that it's a GetMyArgumentByVal.
break;
}
- case GetArgumentsLength: {
+ case GetArrayLength: {
+ if (node.arrayMode() != Array::Arguments)
+ break;
+
if (!isOKToOptimize(m_graph[node.child1()]))
break;
diff --git a/Source/JavaScriptCore/dfg/DFGArrayMode.cpp b/Source/JavaScriptCore/dfg/DFGArrayMode.cpp
new file mode 100644
index 0000000..ec4edc2
--- /dev/null
+++ b/Source/JavaScriptCore/dfg/DFGArrayMode.cpp
@@ -0,0 +1,217 @@
+/*
+ * Copyright (C) 2012 Apple Inc. All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY APPLE INC. ``AS IS'' AND ANY
+ * EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL APPLE INC. OR
+ * CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL,
+ * EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
+ * PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
+ * PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY
+ * OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+ * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+#include "config.h"
+#include "DFGArrayMode.h"
+
+#if ENABLE(DFG_JIT)
+
+#include "DFGAbstractValue.h"
+
+namespace JSC { namespace DFG {
+
+Array::Mode fromObserved(ArrayModes modes, bool makeSafe)
+{
+ // FIXME: we may want to add some polymorphic support in the future. That's why this
+ // is a switch statement right now.
+
+ switch (modes) {
+ case 0:
+ return Array::Undecided;
+ case IsJSArray:
+ return makeSafe ? Array::JSArrayOutOfBounds : Array::JSArray;
+ default:
+ // We know that this is possibly a kind of array for which, though there is no
+ // useful data in the array profile, we may be able to extract useful data from
+ // the value profiles of the inputs. Hence, we leave it as undecided, and let
+ // the predictions propagator decide later.
+ return Array::Undecided;
+ }
+}
+
+Array::Mode refineArrayMode(Array::Mode arrayMode, SpeculatedType base, SpeculatedType index)
+{
+ if (!base || !index) {
+ // It can be that we had a legitimate arrayMode but no incoming predictions. That'll
+ // happen if we inlined code based on, say, a global variable watchpoint, but later
+ // realized that the callsite could not have possibly executed. It may be worthwhile
+ // to fix that, but for now I'm leaving it as-is.
+ return Array::ForceExit;
+ }
+
+ if (!isInt32Speculation(index) || !isCellSpeculation(base))
+ return Array::Generic;
+
+ // Pass through any array modes that would have been decided by the array profile, since
+ // the predictions of the inputs will not tell us anything useful that we didn't already
+ // get from the array profile.
+ switch (arrayMode) {
+ case Array::ForceExit:
+ case Array::JSArray:
+ case Array::JSArrayOutOfBounds:
+ return arrayMode;
+ default:
+ break;
+ }
+
+ if (isStringSpeculation(base))
+ return Array::String;
+
+ if (isArgumentsSpeculation(base))
+ return Array::Arguments;
+
+ if (isInt8ArraySpeculation(base))
+ return Array::Int8Array;
+
+ if (isInt16ArraySpeculation(base))
+ return Array::Int16Array;
+
+ if (isInt32ArraySpeculation(base))
+ return Array::Int32Array;
+
+ if (isUint8ArraySpeculation(base))
+ return Array::Uint8Array;
+
+ if (isUint8ClampedArraySpeculation(base))
+ return Array::Uint8ClampedArray;
+
+ if (isUint16ArraySpeculation(base))
+ return Array::Uint16Array;
+
+ if (isUint32ArraySpeculation(base))
+ return Array::Uint32Array;
+
+ if (isFloat32ArraySpeculation(base))
+ return Array::Float32Array;
+
+ if (isFloat64ArraySpeculation(base))
+ return Array::Float64Array;
+
+ return Array::Generic;
+}
+
+bool modeAlreadyChecked(AbstractValue& value, Array::Mode arrayMode)
+{
+ switch (arrayMode) {
+ case Array::Generic:
+ return true;
+
+ case Array::ForceExit:
+ return false;
+
+ case Array::String:
+ return isStringSpeculation(value.m_type);
+
+ case Array::JSArray:
+ case Array::JSArrayOutOfBounds:
+ return value.m_currentKnownStructure.hasSingleton()
+ && value.m_currentKnownStructure.singleton()->classInfo() == &JSArray::s_info;
+
+ case Array::Arguments:
+ return isArgumentsSpeculation(value.m_type);
+
+ case Array::Int8Array:
+ return isInt8ArraySpeculation(value.m_type);
+
+ case Array::Int16Array:
+ return isInt16ArraySpeculation(value.m_type);
+
+ case Array::Int32Array:
+ return isInt32ArraySpeculation(value.m_type);
+
+ case Array::Uint8Array:
+ return isUint8ArraySpeculation(value.m_type);
+
+ case Array::Uint8ClampedArray:
+ return isUint8ClampedArraySpeculation(value.m_type);
+
+ case Array::Uint16Array:
+ return isUint16ArraySpeculation(value.m_type);
+
+ case Array::Uint32Array:
+ return isUint32ArraySpeculation(value.m_type);
+
+ case Array::Float32Array:
+ return isFloat32ArraySpeculation(value.m_type);
+
+ case Array::Float64Array:
+ return isFloat64ArraySpeculation(value.m_type);
+
+ case Array::Undecided:
+ break;
+ }
+
+ ASSERT_NOT_REACHED();
+ return false;
+}
+
+const char* modeToString(Array::Mode mode)
+{
+ switch (mode) {
+ case Array::Undecided:
+ return "Undecided";
+ case Array::Generic:
+ return "Generic";
+ case Array::ForceExit:
+ return "ForceExit";
+ case Array::String:
+ return "String";
+ case Array::JSArray:
+ return "JSArray";
+ case Array::JSArrayOutOfBounds:
+ return "JSArrayOutOfBounds";
+ case Array::Arguments:
+ return "Arguments";
+ case Array::Int8Array:
+ return "Int8Array";
+ case Array::Int16Array:
+ return "Int16Array";
+ case Array::Int32Array:
+ return "Int32Array";
+ case Array::Uint8Array:
+ return "Uint8Array";
+ case Array::Uint8ClampedArray:
+ return "Uint8ClampedArray";
+ case Array::Uint16Array:
+ return "Uint16Array";
+ case Array::Uint32Array:
+ return "Uint32Array";
+ case Array::Float32Array:
+ return "Float32Array";
+ case Array::Float64Array:
+ return "Float64Array";
+ default:
+ // Better to return something then it is to crash. Remember, this method
+ // is being called from our main diagnostic tool, the IR dumper. It's like
+ // a stack trace. So if we get here then probably something has already
+ // gone wrong.
+ return "Unknown!";
+ }
+}
+
+} } // namespace JSC::DFG
+
+#endif // ENABLE(DFG_JIT)
+
diff --git a/Source/JavaScriptCore/dfg/DFGArrayMode.h b/Source/JavaScriptCore/dfg/DFGArrayMode.h
new file mode 100644
index 0000000..6ce62ae
--- /dev/null
+++ b/Source/JavaScriptCore/dfg/DFGArrayMode.h
@@ -0,0 +1,135 @@
+/*
+ * Copyright (C) 2012 Apple Inc. All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY APPLE INC. ``AS IS'' AND ANY
+ * EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL APPLE INC. OR
+ * CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL,
+ * EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
+ * PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
+ * PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY
+ * OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+ * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+#ifndef DFGArrayMode_h
+#define DFGArrayMode_h
+
+#include <wtf/Platform.h>
+
+#if ENABLE(DFG_JIT)
+
+#include "ArrayProfile.h"
+#include "SpeculatedType.h"
+
+namespace JSC { namespace DFG {
+
+struct AbstractValue;
+
+// Use a namespace + enum instead of enum alone to avoid the namespace collision
+// that would otherwise occur, since we say things like "Int8Array" and "JSArray"
+// in lots of other places, to mean subtly different things.
+namespace Array {
+enum Mode {
+ Undecided, // Implies that we need predictions to decide. We will never get to the backend in this mode.
+ ForceExit, // Implies that we have no idea how to execute this operation, so we should just give up.
+ Generic,
+ String,
+ JSArray,
+ JSArrayOutOfBounds,
+ Arguments,
+ Int8Array,
+ Int16Array,
+ Int32Array,
+ Uint8Array,
+ Uint8ClampedArray,
+ Uint16Array,
+ Uint32Array,
+ Float32Array,
+ Float64Array
+};
+} // namespace Array
+
+Array::Mode fromObserved(ArrayModes modes, bool makeSafe);
+
+Array::Mode refineArrayMode(Array::Mode, SpeculatedType base, SpeculatedType index);
+
+bool modeAlreadyChecked(AbstractValue&, Array::Mode);
+
+const char* modeToString(Array::Mode);
+
+inline bool canCSEStorage(Array::Mode arrayMode)
+{
+ switch (arrayMode) {
+ case Array::Undecided:
+ case Array::ForceExit:
+ case Array::Generic:
+ case Array::Arguments:
+ return false;
+ default:
+ return true;
+ }
+}
+
+inline Array::Mode modeForPut(Array::Mode arrayMode)
+{
+ switch (arrayMode) {
+ case Array::String:
+ return Array::Generic;
+#if USE(JSVALUE32_64)
+ case Array::Arguments:
+ return Array::Generic;
+#endif
+ default:
+ return arrayMode;
+ }
+}
+
+inline bool modesCompatibleForStorageLoad(Array::Mode left, Array::Mode right)
+{
+ if (left == right)
+ return true;
+
+ bool leftIsJSArray =
+ left == Array::JSArray
+ || left == Array::JSArrayOutOfBounds;
+
+ bool rightIsJSArray =
+ right == Array::JSArray
+ || right == Array::JSArrayOutOfBounds;
+
+ if (leftIsJSArray && rightIsJSArray)
+ return true;
+
+ return false;
+}
+
+inline bool modeSupportsLength(Array::Mode mode)
+{
+ switch (mode) {
+ case Array::Undecided:
+ case Array::ForceExit:
+ case Array::Generic:
+ return false;
+ default:
+ return true;
+ }
+}
+
+} } // namespace JSC::DFG
+
+#endif // ENABLE(DFG_JIT)
+
+#endif // DFGArrayMode_h
+
diff --git a/Source/JavaScriptCore/dfg/DFGByteCodeParser.cpp b/Source/JavaScriptCore/dfg/DFGByteCodeParser.cpp
index f7536f8..f9b1db9 100644
--- a/Source/JavaScriptCore/dfg/DFGByteCodeParser.cpp
+++ b/Source/JavaScriptCore/dfg/DFGByteCodeParser.cpp
@@ -31,6 +31,7 @@
#include "ArrayConstructor.h"
#include "CallLinkStatus.h"
#include "CodeBlock.h"
+#include "DFGArrayMode.h"
#include "DFGByteCodeCache.h"
#include "DFGCapabilities.h"
#include "GetByIdStatus.h"
@@ -816,6 +817,36 @@
{
return getPrediction(m_graph.size(), m_currentProfilingIndex);
}
+
+ Array::Mode getArrayModeWithoutOSRExit(Instruction* currentInstruction, NodeIndex base)
+ {
+ ArrayProfile* profile = currentInstruction[4].u.arrayProfile;
+ profile->computeUpdatedPrediction();
+ if (profile->hasDefiniteStructure())
+ addToGraph(CheckStructure, OpInfo(m_graph.addStructureSet(profile->expectedStructure())), base);
+
+#if DFG_ENABLE(DEBUG_PROPAGATION_VERBOSE)
+ if (m_inlineStackTop->m_profiledBlock->numberOfRareCaseProfiles())
+ dataLog("Slow case profile for bc#%u: %u\n", m_currentIndex, m_inlineStackTop->m_profiledBlock->rareCaseProfileForBytecodeOffset(m_currentIndex)->m_counter);
+ dataLog("Array profile for bc#%u: %p%s, %u\n", m_currentIndex, profile->expectedStructure(), profile->structureIsPolymorphic() ? " (polymorphic)" : "", profile->observedArrayModes());
+#endif
+
+ bool makeSafe =
+ m_inlineStackTop->m_profiledBlock->couldTakeSlowCase(m_currentIndex)
+ || m_inlineStackTop->m_exitProfile.hasExitSite(m_currentIndex, OutOfBounds);
+
+ return fromObserved(profile->observedArrayModes(), makeSafe);
+ }
+
+ Array::Mode getArrayMode(Instruction* currentInstruction, NodeIndex base)
+ {
+ Array::Mode result = getArrayModeWithoutOSRExit(currentInstruction, base);
+
+ if (result == Array::ForceExit)
+ addToGraph(ForceOSRExit);
+
+ return result;
+ }
NodeIndex makeSafe(NodeIndex nodeIndex)
{
@@ -1548,8 +1579,7 @@
return false;
int indexOperand = registerOffset + argumentToOperand(1);
- NodeIndex storage = addToGraph(GetIndexedPropertyStorage, get(thisOperand), getToInt32(indexOperand));
- NodeIndex charCode = addToGraph(StringCharCodeAt, get(thisOperand), getToInt32(indexOperand), storage);
+ NodeIndex charCode = addToGraph(StringCharCodeAt, OpInfo(Array::String), get(thisOperand), getToInt32(indexOperand));
if (usesResult)
set(resultOperand, charCode);
@@ -1565,8 +1595,7 @@
return false;
int indexOperand = registerOffset + argumentToOperand(1);
- NodeIndex storage = addToGraph(GetIndexedPropertyStorage, get(thisOperand), getToInt32(indexOperand));
- NodeIndex charCode = addToGraph(StringCharAt, get(thisOperand), getToInt32(indexOperand), storage);
+ NodeIndex charCode = addToGraph(StringCharAt, OpInfo(Array::String), get(thisOperand), getToInt32(indexOperand));
if (usesResult)
set(resultOperand, charCode);
@@ -2148,13 +2177,9 @@
SpeculatedType prediction = getPrediction();
NodeIndex base = get(currentInstruction[2].u.operand);
+ Array::Mode arrayMode = getArrayMode(currentInstruction, base);
NodeIndex property = get(currentInstruction[3].u.operand);
- ArrayProfile* profile = currentInstruction[4].u.arrayProfile;
- profile->computeUpdatedPrediction();
- if (profile->hasDefiniteStructure())
- addToGraph(CheckStructure, OpInfo(m_graph.addStructureSet(profile->expectedStructure())), base);
- NodeIndex propertyStorage = addToGraph(GetIndexedPropertyStorage, base, property);
- NodeIndex getByVal = addToGraph(GetByVal, OpInfo(0), OpInfo(prediction), base, property, propertyStorage);
+ NodeIndex getByVal = addToGraph(GetByVal, OpInfo(arrayMode), OpInfo(prediction), base, property);
set(currentInstruction[1].u.operand, getByVal);
NEXT_OPCODE(op_get_by_val);
@@ -2162,26 +2187,16 @@
case op_put_by_val: {
NodeIndex base = get(currentInstruction[1].u.operand);
+
+ Array::Mode arrayMode = getArrayMode(currentInstruction, base);
+
NodeIndex property = get(currentInstruction[2].u.operand);
NodeIndex value = get(currentInstruction[3].u.operand);
- ArrayProfile* profile = currentInstruction[4].u.arrayProfile;
- profile->computeUpdatedPrediction();
- if (profile->hasDefiniteStructure())
- addToGraph(CheckStructure, OpInfo(m_graph.addStructureSet(profile->expectedStructure())), base);
-
-#if DFG_ENABLE(DEBUG_PROPAGATION_VERBOSE)
- dataLog("Slow case profile for bc#%u: %u\n", m_currentIndex, m_inlineStackTop->m_profiledBlock->rareCaseProfileForBytecodeOffset(m_currentIndex)->m_counter);
-#endif
-
- bool makeSafe =
- m_inlineStackTop->m_profiledBlock->couldTakeSlowCase(m_currentIndex)
- || m_inlineStackTop->m_exitProfile.hasExitSite(m_currentIndex, OutOfBounds);
-
addVarArgChild(base);
addVarArgChild(property);
addVarArgChild(value);
- addToGraph(Node::VarArg, makeSafe ? PutByValSafe : PutByVal, OpInfo(0), OpInfo(0));
+ addToGraph(Node::VarArg, PutByVal, OpInfo(arrayMode), OpInfo(0));
NEXT_OPCODE(op_put_by_val);
}
diff --git a/Source/JavaScriptCore/dfg/DFGCSEPhase.cpp b/Source/JavaScriptCore/dfg/DFGCSEPhase.cpp
index b78ddc8..dce57d5 100644
--- a/Source/JavaScriptCore/dfg/DFGCSEPhase.cpp
+++ b/Source/JavaScriptCore/dfg/DFGCSEPhase.cpp
@@ -284,8 +284,7 @@
return index;
break;
case PutByVal:
- case PutByValAlias:
- case PutByValSafe: {
+ case PutByValAlias: {
if (!m_graph.byValIsPure(node))
return NoNode;
if (m_graph.varArgChild(node, 0) == child1 && canonicalize(m_graph.varArgChild(node, 1)) == canonicalize(child2))
@@ -365,7 +364,6 @@
case PutByVal:
case PutByValAlias:
- case PutByValSafe:
if (m_graph.byValIsPure(node)) {
// If PutByVal speculates that it's accessing an array with an
// integer index, then it's impossible for it to cause a structure
@@ -409,7 +407,6 @@
case PutByVal:
case PutByValAlias:
- case PutByValSafe:
if (m_graph.byValIsPure(node)) {
// If PutByVal speculates that it's accessing an array with an
// integer index, then it's impossible for it to cause a structure
@@ -515,7 +512,6 @@
case PutByVal:
case PutByValAlias:
- case PutByValSafe:
if (m_graph.byValIsPure(node)) {
// If PutByVal speculates that it's accessing an array with an
// integer index, then it's impossible for it to cause a structure
@@ -560,7 +556,6 @@
case PutByVal:
case PutByValAlias:
case GetByVal:
- case PutByValSafe:
if (m_graph.byValIsPure(node)) {
// If PutByVal speculates that it's accessing an array with an
// integer index, then it's impossible for it to cause a structure
@@ -613,7 +608,6 @@
case PutByVal:
case PutByValAlias:
- case PutByValSafe:
if (m_graph.byValIsPure(node)) {
// If PutByVal speculates that it's accessing an array with an
// integer index, then it's impossible for it to cause a structure
@@ -925,17 +919,7 @@
case ArithMin:
case ArithMax:
case ArithSqrt:
- case GetInt8ArrayLength:
- case GetInt16ArrayLength:
- case GetInt32ArrayLength:
- case GetUint8ArrayLength:
- case GetUint8ClampedArrayLength:
- case GetUint16ArrayLength:
- case GetUint32ArrayLength:
- case GetFloat32ArrayLength:
- case GetFloat64ArrayLength:
case GetCallee:
- case GetStringLength:
case StringCharAt:
case StringCharCodeAt:
case Int32ToDouble:
@@ -1103,8 +1087,7 @@
setReplacement(getByValLoadElimination(node.child1().index(), node.child2().index()));
break;
- case PutByVal:
- case PutByValSafe: {
+ case PutByVal: {
Edge child1 = m_graph.varArgChild(node, 0);
Edge child2 = m_graph.varArgChild(node, 1);
if (isActionableMutableArraySpeculation(m_graph[child1].prediction())
diff --git a/Source/JavaScriptCore/dfg/DFGFixupPhase.cpp b/Source/JavaScriptCore/dfg/DFGFixupPhase.cpp
index f7b10fc..fe7cae8 100644
--- a/Source/JavaScriptCore/dfg/DFGFixupPhase.cpp
+++ b/Source/JavaScriptCore/dfg/DFGFixupPhase.cpp
@@ -74,97 +74,89 @@
switch (op) {
case GetById: {
+ Node* nodePtr = &node;
+
if (!isInt32Speculation(m_graph[m_compileIndex].prediction()))
break;
- if (codeBlock()->identifier(node.identifierNumber()) != globalData().propertyNames->length)
+ if (codeBlock()->identifier(nodePtr->identifierNumber()) != globalData().propertyNames->length)
break;
- bool isArray = isArraySpeculation(m_graph[node.child1()].prediction());
- bool isArguments = isArgumentsSpeculation(m_graph[node.child1()].prediction());
- bool isString = isStringSpeculation(m_graph[node.child1()].prediction());
- bool isInt8Array = m_graph[node.child1()].shouldSpeculateInt8Array();
- bool isInt16Array = m_graph[node.child1()].shouldSpeculateInt16Array();
- bool isInt32Array = m_graph[node.child1()].shouldSpeculateInt32Array();
- bool isUint8Array = m_graph[node.child1()].shouldSpeculateUint8Array();
- bool isUint8ClampedArray = m_graph[node.child1()].shouldSpeculateUint8ClampedArray();
- bool isUint16Array = m_graph[node.child1()].shouldSpeculateUint16Array();
- bool isUint32Array = m_graph[node.child1()].shouldSpeculateUint32Array();
- bool isFloat32Array = m_graph[node.child1()].shouldSpeculateFloat32Array();
- bool isFloat64Array = m_graph[node.child1()].shouldSpeculateFloat64Array();
- if (!isArray && !isArguments && !isString && !isInt8Array && !isInt16Array && !isInt32Array && !isUint8Array && !isUint8ClampedArray && !isUint16Array && !isUint32Array && !isFloat32Array && !isFloat64Array)
- break;
-
-#if DFG_ENABLE(DEBUG_PROPAGATION_VERBOSE)
- dataLog(" @%u -> %s", m_compileIndex, isArray ? "GetArrayLength" : "GetStringLength");
-#endif
- if (isArray) {
- node.setOp(GetArrayLength);
- ASSERT(node.flags() & NodeMustGenerate);
- node.clearFlags(NodeMustGenerate);
- m_graph.deref(m_compileIndex);
-
- ArrayProfile* arrayProfile =
- m_graph.baselineCodeBlockFor(node.codeOrigin)->getArrayProfile(
- node.codeOrigin.bytecodeIndex);
- if (!arrayProfile)
- break;
+ ArrayProfile* arrayProfile =
+ m_graph.baselineCodeBlockFor(nodePtr->codeOrigin)->getArrayProfile(
+ nodePtr->codeOrigin.bytecodeIndex);
+ Array::Mode arrayMode = Array::Undecided;
+ if (arrayProfile) {
arrayProfile->computeUpdatedPrediction();
- if (!arrayProfile->hasDefiniteStructure())
- break;
- m_graph.ref(node.child1());
- Node checkStructure(CheckStructure, node.codeOrigin, OpInfo(m_graph.addStructureSet(arrayProfile->expectedStructure())), node.child1().index());
- checkStructure.ref();
- NodeIndex checkStructureIndex = m_graph.size();
- m_graph.append(checkStructure);
- m_insertionSet.append(m_indexInBlock, checkStructureIndex);
- break;
+ arrayMode = refineArrayMode(
+ fromObserved(arrayProfile->observedArrayModes(), false),
+ m_graph[node.child1()].prediction(),
+ m_graph[m_compileIndex].prediction());
+ if (modeSupportsLength(arrayMode)
+ && arrayProfile->hasDefiniteStructure()) {
+ m_graph.ref(nodePtr->child1());
+ Node checkStructure(CheckStructure, nodePtr->codeOrigin, OpInfo(m_graph.addStructureSet(arrayProfile->expectedStructure())), nodePtr->child1().index());
+ checkStructure.ref();
+ NodeIndex checkStructureIndex = m_graph.size();
+ m_graph.append(checkStructure);
+ m_insertionSet.append(m_indexInBlock, checkStructureIndex);
+ nodePtr = &m_graph[m_compileIndex];
+ }
+ } else {
+ arrayMode = refineArrayMode(
+ arrayMode,
+ m_graph[node.child1()].prediction(),
+ m_graph[m_compileIndex].prediction());
}
- if (isArguments)
- node.setOp(GetArgumentsLength);
- else if (isString)
- node.setOp(GetStringLength);
- else if (isInt8Array)
- node.setOp(GetInt8ArrayLength);
- else if (isInt16Array)
- node.setOp(GetInt16ArrayLength);
- else if (isInt32Array)
- node.setOp(GetInt32ArrayLength);
- else if (isUint8Array)
- node.setOp(GetUint8ArrayLength);
- else if (isUint8ClampedArray)
- node.setOp(GetUint8ClampedArrayLength);
- else if (isUint16Array)
- node.setOp(GetUint16ArrayLength);
- else if (isUint32Array)
- node.setOp(GetUint32ArrayLength);
- else if (isFloat32Array)
- node.setOp(GetFloat32ArrayLength);
- else if (isFloat64Array)
- node.setOp(GetFloat64ArrayLength);
- else
- ASSERT_NOT_REACHED();
- // No longer MustGenerate
- ASSERT(node.flags() & NodeMustGenerate);
- node.clearFlags(NodeMustGenerate);
+ if (!modeSupportsLength(arrayMode))
+ break;
+ nodePtr->setOp(GetArrayLength);
+ ASSERT(nodePtr->flags() & NodeMustGenerate);
+ nodePtr->clearFlags(NodeMustGenerate);
m_graph.deref(m_compileIndex);
+ nodePtr->setArrayMode(arrayMode);
break;
}
case GetIndexedPropertyStorage: {
- if (!m_graph[node.child1()].prediction()
- || !m_graph[node.child2()].shouldSpeculateInteger()
- || m_graph[node.child1()].shouldSpeculateArguments()) {
- node.setOpAndDefaultFlags(Nop);
- m_graph.clearAndDerefChild1(node);
- m_graph.clearAndDerefChild2(node);
- m_graph.clearAndDerefChild3(node);
- node.setRefCount(0);
- }
+ node.setArrayMode(
+ refineArrayMode(
+ node.arrayMode(),
+ m_graph[node.child1()].prediction(),
+ m_graph[node.child2()].prediction()));
+ // Predictions should only become more, rather than less, refined. Hence
+ // if we were ever able to CSE the storage pointer for this operation,
+ // then we should always continue to be able to do so.
+ ASSERT(canCSEStorage(node.arrayMode()));
break;
}
case GetByVal:
case StringCharAt:
case StringCharCodeAt: {
- if (!!node.child3() && m_graph[node.child3()].op() == Nop)
- node.children.child3() = Edge();
+ node.setArrayMode(
+ refineArrayMode(
+ node.arrayMode(),
+ m_graph[node.child1()].prediction(),
+ m_graph[node.child2()].prediction()));
+
+ if (canCSEStorage(node.arrayMode())) {
+ if (node.child3()) {
+ ASSERT(m_graph[node.child3()].op() == GetIndexedPropertyStorage);
+ ASSERT(modesCompatibleForStorageLoad(m_graph[node.child3()].arrayMode(), node.arrayMode()));
+ } else {
+ // Make sure we don't use the node reference after we do the append.
+ Node getIndexedPropertyStorage(
+ GetIndexedPropertyStorage, node.codeOrigin, OpInfo(node.arrayMode()),
+ node.child1().index(), node.child2().index());
+ NodeIndex getIndexedPropertyStorageIndex = m_graph.size();
+ node.children.child3() = Edge(getIndexedPropertyStorageIndex);
+ m_graph.append(getIndexedPropertyStorage);
+ m_graph.ref(getIndexedPropertyStorageIndex); // Once because it's MustGenerate.
+ m_graph.ref(getIndexedPropertyStorageIndex); // And again because it's referenced from the GetByVal.
+ m_insertionSet.append(m_indexInBlock, getIndexedPropertyStorageIndex);
+ }
+ } else {
+ // See above. Continued fixup of the graph should not regress our ability
+ // to speculate.
+ ASSERT(!node.child3());
+ }
break;
}
@@ -334,24 +326,30 @@
}
case PutByVal:
- case PutByValSafe: {
+ case PutByValAlias: {
Edge child1 = m_graph.varArgChild(node, 0);
Edge child2 = m_graph.varArgChild(node, 1);
Edge child3 = m_graph.varArgChild(node, 2);
- if (!m_graph[child1].prediction() || !m_graph[child2].prediction())
+ node.setArrayMode(
+ refineArrayMode(
+ node.arrayMode(), m_graph[child1].prediction(), m_graph[child2].prediction()));
+
+ switch (modeForPut(node.arrayMode())) {
+ case Array::Int8Array:
+ case Array::Int16Array:
+ case Array::Int32Array:
+ case Array::Uint8Array:
+ case Array::Uint8ClampedArray:
+ case Array::Uint16Array:
+ case Array::Uint32Array:
+ if (!m_graph[child3].shouldSpeculateInteger())
+ fixDoubleEdge(2);
break;
- if (!m_graph[child2].shouldSpeculateInteger())
- break;
- if (isActionableIntMutableArraySpeculation(m_graph[child1].prediction())) {
- if (m_graph[child3].isConstant())
- break;
- if (m_graph[child3].shouldSpeculateInteger())
- break;
+ case Array::Float32Array:
+ case Array::Float64Array:
fixDoubleEdge(2);
break;
- }
- if (isActionableFloatMutableArraySpeculation(m_graph[child1].prediction())) {
- fixDoubleEdge(2);
+ default:
break;
}
break;
diff --git a/Source/JavaScriptCore/dfg/DFGGraph.cpp b/Source/JavaScriptCore/dfg/DFGGraph.cpp
index 9ae0648..8e80ff2 100644
--- a/Source/JavaScriptCore/dfg/DFGGraph.cpp
+++ b/Source/JavaScriptCore/dfg/DFGGraph.cpp
@@ -211,6 +211,10 @@
dataLog("%s%s", hasPrinted ? ", " : "", nodeFlagsAsString(node.flags()));
hasPrinted = true;
}
+ if (node.hasArrayMode()) {
+ dataLog("%s%s", hasPrinted ? ", " : "", modeToString(node.arrayMode()));
+ hasPrinted = true;
+ }
if (node.hasVarNumber()) {
dataLog("%svar%u", hasPrinted ? ", " : "", node.varNumber());
hasPrinted = true;
diff --git a/Source/JavaScriptCore/dfg/DFGGraph.h b/Source/JavaScriptCore/dfg/DFGGraph.h
index 8d164a2..ba5d86f 100644
--- a/Source/JavaScriptCore/dfg/DFGGraph.h
+++ b/Source/JavaScriptCore/dfg/DFGGraph.h
@@ -488,48 +488,20 @@
bool byValIsPure(Node& node)
{
- switch (node.op()) {
- case PutByVal: {
- if (!at(varArgChild(node, 1)).shouldSpeculateInteger())
- return false;
- SpeculatedType prediction = at(varArgChild(node, 0)).prediction();
- if (!isActionableMutableArraySpeculation(prediction))
- return false;
- return true;
- }
-
- case PutByValSafe: {
- if (!at(varArgChild(node, 1)).shouldSpeculateInteger())
- return false;
- SpeculatedType prediction = at(varArgChild(node, 0)).prediction();
- if (!isActionableMutableArraySpeculation(prediction))
- return false;
- if (isArraySpeculation(prediction))
- return false;
- return true;
- }
-
- case PutByValAlias: {
- if (!at(varArgChild(node, 1)).shouldSpeculateInteger())
- return false;
- SpeculatedType prediction = at(varArgChild(node, 0)).prediction();
- if (!isActionableMutableArraySpeculation(prediction))
- return false;
- return true;
- }
-
- case GetByVal: {
- if (!at(node.child2()).shouldSpeculateInteger())
- return false;
- SpeculatedType prediction = at(node.child1()).prediction();
- if (!isActionableArraySpeculation(prediction))
- return false;
- return true;
- }
-
- default:
- ASSERT_NOT_REACHED();
+ switch (node.arrayMode()) {
+ case Array::Generic:
+ case Array::JSArrayOutOfBounds:
return false;
+ case Array::String:
+ return node.op() == GetByVal;
+#if USE(JSVALUE32_64)
+ case Array::Arguments:
+ if (node.op() == GetByVal)
+ return true;
+ return false;
+#endif // USE(JSVALUE32_64)
+ default:
+ return true;
}
}
@@ -549,7 +521,6 @@
return !isPredictedNumerical(node);
case GetByVal:
case PutByVal:
- case PutByValSafe:
case PutByValAlias:
return !byValIsPure(node);
default:
diff --git a/Source/JavaScriptCore/dfg/DFGNode.h b/Source/JavaScriptCore/dfg/DFGNode.h
index dac855b..7ca4d8d4 100644
--- a/Source/JavaScriptCore/dfg/DFGNode.h
+++ b/Source/JavaScriptCore/dfg/DFGNode.h
@@ -33,6 +33,7 @@
#include "CodeBlock.h"
#include "CodeOrigin.h"
#include "DFGAdjacencyList.h"
+#include "DFGArrayMode.h"
#include "DFGCommon.h"
#include "DFGNodeFlags.h"
#include "DFGNodeType.h"
@@ -732,6 +733,34 @@
return m_opInfo;
}
+ bool hasArrayMode()
+ {
+ switch (op()) {
+ case GetIndexedPropertyStorage:
+ case GetArrayLength:
+ case PutByVal:
+ case PutByValAlias:
+ case GetByVal:
+ case StringCharAt:
+ case StringCharCodeAt:
+ return true;
+ default:
+ return false;
+ }
+ }
+
+ Array::Mode arrayMode()
+ {
+ ASSERT(hasArrayMode());
+ return static_cast<Array::Mode>(m_opInfo);
+ }
+
+ void setArrayMode(Array::Mode arrayMode)
+ {
+ ASSERT(hasArrayMode());
+ m_opInfo = arrayMode;
+ }
+
bool hasVirtualRegister()
{
return m_virtualRegister != InvalidVirtualRegister;
diff --git a/Source/JavaScriptCore/dfg/DFGNodeType.h b/Source/JavaScriptCore/dfg/DFGNodeType.h
index f0f8cb1..ee5ad90 100644
--- a/Source/JavaScriptCore/dfg/DFGNodeType.h
+++ b/Source/JavaScriptCore/dfg/DFGNodeType.h
@@ -113,7 +113,6 @@
/* opcodes use VarArgs beause they may have up to 4 children. */\
macro(GetByVal, NodeResultJS | NodeMustGenerate | NodeMightClobber) \
macro(PutByVal, NodeMustGenerate | NodeHasVarArgs | NodeMightClobber) \
- macro(PutByValSafe, NodeMustGenerate | NodeHasVarArgs | NodeMightClobber) \
macro(PutByValAlias, NodeMustGenerate | NodeHasVarArgs | NodeMightClobber) \
macro(GetById, NodeResultJS | NodeMustGenerate | NodeClobbersWorld) \
macro(GetByIdFlush, NodeResultJS | NodeMustGenerate | NodeClobbersWorld) \
@@ -143,17 +142,6 @@
macro(GetByOffset, NodeResultJS) \
macro(PutByOffset, NodeMustGenerate) \
macro(GetArrayLength, NodeResultInt32) \
- macro(GetArgumentsLength, NodeResultInt32) \
- macro(GetStringLength, NodeResultInt32) \
- macro(GetInt8ArrayLength, NodeResultInt32) \
- macro(GetInt16ArrayLength, NodeResultInt32) \
- macro(GetInt32ArrayLength, NodeResultInt32) \
- macro(GetUint8ArrayLength, NodeResultInt32) \
- macro(GetUint8ClampedArrayLength, NodeResultInt32) \
- macro(GetUint16ArrayLength, NodeResultInt32) \
- macro(GetUint32ArrayLength, NodeResultInt32) \
- macro(GetFloat32ArrayLength, NodeResultInt32) \
- macro(GetFloat64ArrayLength, NodeResultInt32) \
macro(GetScopeChain, NodeResultJS) \
macro(GetScopedVar, NodeResultJS | NodeMustGenerate) \
macro(PutScopedVar, NodeMustGenerate | NodeClobbersWorld) \
diff --git a/Source/JavaScriptCore/dfg/DFGPredictionPropagationPhase.cpp b/Source/JavaScriptCore/dfg/DFGPredictionPropagationPhase.cpp
index 1247528..258d119 100644
--- a/Source/JavaScriptCore/dfg/DFGPredictionPropagationPhase.cpp
+++ b/Source/JavaScriptCore/dfg/DFGPredictionPropagationPhase.cpp
@@ -612,17 +612,6 @@
case PutByValAlias:
case GetArrayLength:
- case GetArgumentsLength:
- case GetInt8ArrayLength:
- case GetInt16ArrayLength:
- case GetInt32ArrayLength:
- case GetUint8ArrayLength:
- case GetUint8ClampedArrayLength:
- case GetUint16ArrayLength:
- case GetUint32ArrayLength:
- case GetFloat32ArrayLength:
- case GetFloat64ArrayLength:
- case GetStringLength:
case Int32ToDouble:
case DoubleAsInt32:
case GetLocalUnlinked:
@@ -637,7 +626,6 @@
}
case PutByVal:
- case PutByValSafe:
changed |= m_graph[m_graph.varArgChild(node, 0)].mergeFlags(NodeUsedAsValue);
changed |= m_graph[m_graph.varArgChild(node, 1)].mergeFlags(NodeUsedAsNumber | NodeUsedAsInt);
changed |= m_graph[m_graph.varArgChild(node, 2)].mergeFlags(NodeUsedAsValue);
diff --git a/Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp b/Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp
index 6c66157..d742074 100644
--- a/Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp
+++ b/Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp
@@ -269,12 +269,82 @@
m_fprs = RegisterBank<FPRInfo>();
}
-void SpeculativeJIT::speculateArray(Edge edge, GPRReg baseReg)
+const TypedArrayDescriptor* SpeculativeJIT::typedArrayDescriptor(Array::Mode arrayMode)
{
- AbstractValue& arrayValue = m_state.forNode(edge);
- if (arrayValue.m_currentKnownStructure.hasSingleton()
- && arrayValue.m_currentKnownStructure.singleton()->classInfo() == &JSArray::s_info)
- return;
+ switch (arrayMode) {
+ case Array::Int8Array:
+ return &m_jit.globalData()->int8ArrayDescriptor();
+ case Array::Int16Array:
+ return &m_jit.globalData()->int16ArrayDescriptor();
+ case Array::Int32Array:
+ return &m_jit.globalData()->int32ArrayDescriptor();
+ case Array::Uint8Array:
+ return &m_jit.globalData()->uint8ArrayDescriptor();
+ case Array::Uint8ClampedArray:
+ return &m_jit.globalData()->uint8ClampedArrayDescriptor();
+ case Array::Uint16Array:
+ return &m_jit.globalData()->uint16ArrayDescriptor();
+ case Array::Uint32Array:
+ return &m_jit.globalData()->uint32ArrayDescriptor();
+ case Array::Float32Array:
+ return &m_jit.globalData()->float32ArrayDescriptor();
+ case Array::Float64Array:
+ return &m_jit.globalData()->float32ArrayDescriptor();
+ default:
+ return 0;
+ }
+}
+
+const TypedArrayDescriptor* SpeculativeJIT::speculateArray(Array::Mode arrayMode, Edge edge, GPRReg baseReg)
+{
+ const TypedArrayDescriptor* result = typedArrayDescriptor(arrayMode);
+
+ if (modeAlreadyChecked(m_state.forNode(edge), arrayMode))
+ return result;
+
+ const ClassInfo* expectedClassInfo = 0;
+
+ switch (arrayMode) {
+ case Array::ForceExit:
+ ASSERT_NOT_REACHED();
+ terminateSpeculativeExecution(InadequateCoverage, JSValueRegs(), NoNode);
+ return result;
+ case Array::String:
+ expectedClassInfo = &JSString::s_info;
+ break;
+ case Array::JSArray:
+ case Array::JSArrayOutOfBounds: {
+ // This code duplicates the code below in anticipation of this code being
+ // substantially changed in the future.
+ GPRTemporary temp(this);
+ m_jit.loadPtr(
+ MacroAssembler::Address(baseReg, JSCell::structureOffset()), temp.gpr());
+ speculationCheck(
+ Uncountable, JSValueRegs(), NoNode,
+ m_jit.branchPtr(
+ MacroAssembler::NotEqual,
+ MacroAssembler::Address(temp.gpr(), Structure::classInfoOffset()),
+ MacroAssembler::TrustedImmPtr(&JSArray::s_info)));
+ return result;
+ }
+ case Array::Arguments:
+ expectedClassInfo = &Arguments::s_info;
+ break;
+ case Array::Int8Array:
+ case Array::Int16Array:
+ case Array::Int32Array:
+ case Array::Uint8Array:
+ case Array::Uint8ClampedArray:
+ case Array::Uint16Array:
+ case Array::Uint32Array:
+ case Array::Float32Array:
+ case Array::Float64Array:
+ expectedClassInfo = result->m_classInfo;
+ break;
+ default:
+ ASSERT_NOT_REACHED();
+ break;
+ }
GPRTemporary temp(this);
m_jit.loadPtr(
@@ -284,7 +354,9 @@
m_jit.branchPtr(
MacroAssembler::NotEqual,
MacroAssembler::Address(temp.gpr(), Structure::classInfoOffset()),
- MacroAssembler::TrustedImmPtr(&JSArray::s_info)));
+ MacroAssembler::TrustedImmPtr(expectedClassInfo)));
+
+ return result;
}
GPRReg SpeculativeJIT::fillStorage(NodeIndex nodeIndex)
@@ -1620,11 +1692,7 @@
GPRReg propertyReg = property.gpr();
GPRReg storageReg = storage.gpr();
- if (!isStringSpeculation(m_state.forNode(node.child1()).m_type)) {
- terminateSpeculativeExecution(Uncountable, JSValueRegs(), NoNode);
- noResult(m_compileIndex);
- return;
- }
+ ASSERT(modeAlreadyChecked(m_state.forNode(node.child1()), Array::String));
// unsigned comparison so we can filter out negative indices and indices that are too large
speculationCheck(Uncountable, JSValueRegs(), NoNode, m_jit.branch32(MacroAssembler::AboveOrEqual, propertyReg, MacroAssembler::Address(baseReg, JSString::offsetOfLength())));
@@ -2018,23 +2086,7 @@
}
-void SpeculativeJIT::compileGetTypedArrayLength(const TypedArrayDescriptor& descriptor, Node& node, bool needsSpeculationCheck)
-{
- SpeculateCellOperand base(this, node.child1());
- GPRTemporary result(this);
-
- GPRReg baseGPR = base.gpr();
- GPRReg resultGPR = result.gpr();
-
- if (needsSpeculationCheck)
- speculationCheck(BadType, JSValueSource::unboxedCell(baseGPR), node.child1(), m_jit.branchPtr(MacroAssembler::NotEqual, MacroAssembler::Address(baseGPR, JSCell::classInfoOffset()), MacroAssembler::TrustedImmPtr(descriptor.m_classInfo)));
-
- m_jit.load32(MacroAssembler::Address(baseGPR, descriptor.m_lengthOffset), resultGPR);
-
- integerResult(resultGPR, m_compileIndex);
-}
-
-void SpeculativeJIT::compileGetByValOnIntTypedArray(const TypedArrayDescriptor& descriptor, Node& node, size_t elementSize, TypedArraySpeculationRequirements speculationRequirements, TypedArraySignedness signedness)
+void SpeculativeJIT::compileGetByValOnIntTypedArray(const TypedArrayDescriptor& descriptor, Node& node, size_t elementSize, TypedArraySignedness signedness)
{
SpeculateCellOperand base(this, node.child1());
SpeculateStrictInt32Operand property(this, node.child2());
@@ -2047,12 +2099,7 @@
GPRTemporary result(this);
GPRReg resultReg = result.gpr();
- if (speculationRequirements != NoTypedArrayTypeSpecCheck) {
- ASSERT_NOT_REACHED();
- terminateSpeculativeExecution(Uncountable, JSValueRegs(), NoNode);
- noResult(m_compileIndex);
- return;
- }
+ ASSERT(modeAlreadyChecked(m_state.forNode(node.child1()), node.arrayMode()));
speculationCheck(
Uncountable, JSValueRegs(), NoNode,
@@ -2097,13 +2144,10 @@
doubleResult(fresult.fpr(), m_compileIndex);
}
-void SpeculativeJIT::compilePutByValForIntTypedArray(const TypedArrayDescriptor& descriptor, GPRReg base, GPRReg property, Node& node, size_t elementSize, TypedArraySpeculationRequirements speculationRequirements, TypedArraySignedness signedness, TypedArrayRounding rounding)
+void SpeculativeJIT::compilePutByValForIntTypedArray(const TypedArrayDescriptor& descriptor, GPRReg base, GPRReg property, Node& node, size_t elementSize, TypedArraySignedness signedness, TypedArrayRounding rounding)
{
- Edge baseUse = m_jit.graph().varArgChild(node, 0);
Edge valueUse = m_jit.graph().varArgChild(node, 2);
- if (speculationRequirements != NoTypedArrayTypeSpecCheck)
- speculationCheck(BadType, JSValueSource::unboxedCell(base), baseUse, m_jit.branchPtr(MacroAssembler::NotEqual, MacroAssembler::Address(base, JSCell::classInfoOffset()), MacroAssembler::TrustedImmPtr(descriptor.m_classInfo)));
GPRTemporary value;
GPRReg valueGPR;
@@ -2174,7 +2218,7 @@
ASSERT(valueGPR != storageReg);
m_jit.loadPtr(MacroAssembler::Address(base, descriptor.m_storageOffset), storageReg);
MacroAssembler::Jump outOfBounds;
- if (speculationRequirements != NoTypedArraySpecCheck)
+ if (node.op() == PutByVal)
outOfBounds = m_jit.branch32(MacroAssembler::AboveOrEqual, property, MacroAssembler::Address(base, descriptor.m_lengthOffset));
switch (elementSize) {
@@ -2190,12 +2234,12 @@
default:
ASSERT_NOT_REACHED();
}
- if (speculationRequirements != NoTypedArraySpecCheck)
+ if (node.op() == PutByVal)
outOfBounds.link(&m_jit);
noResult(m_compileIndex);
}
-void SpeculativeJIT::compileGetByValOnFloatTypedArray(const TypedArrayDescriptor& descriptor, Node& node, size_t elementSize, TypedArraySpeculationRequirements speculationRequirements)
+void SpeculativeJIT::compileGetByValOnFloatTypedArray(const TypedArrayDescriptor& descriptor, Node& node, size_t elementSize)
{
SpeculateCellOperand base(this, node.child1());
SpeculateStrictInt32Operand property(this, node.child2());
@@ -2204,17 +2248,11 @@
GPRReg baseReg = base.gpr();
GPRReg propertyReg = property.gpr();
GPRReg storageReg = storage.gpr();
-
- if (speculationRequirements != NoTypedArrayTypeSpecCheck) {
- ASSERT_NOT_REACHED();
- terminateSpeculativeExecution(Uncountable, JSValueRegs(), NoNode);
- noResult(m_compileIndex);
- return;
- }
+
+ ASSERT(modeAlreadyChecked(m_state.forNode(node.child1()), node.arrayMode()));
FPRTemporary result(this);
FPRReg resultReg = result.fpr();
- ASSERT(speculationRequirements != NoTypedArraySpecCheck);
speculationCheck(
Uncountable, JSValueRegs(), NoNode,
m_jit.branch32(
@@ -2238,15 +2276,14 @@
doubleResult(resultReg, m_compileIndex);
}
-void SpeculativeJIT::compilePutByValForFloatTypedArray(const TypedArrayDescriptor& descriptor, GPRReg base, GPRReg property, Node& node, size_t elementSize, TypedArraySpeculationRequirements speculationRequirements)
+void SpeculativeJIT::compilePutByValForFloatTypedArray(const TypedArrayDescriptor& descriptor, GPRReg base, GPRReg property, Node& node, size_t elementSize)
{
Edge baseUse = m_jit.graph().varArgChild(node, 0);
Edge valueUse = m_jit.graph().varArgChild(node, 2);
SpeculateDoubleOperand valueOp(this, valueUse);
- if (speculationRequirements != NoTypedArrayTypeSpecCheck)
- speculationCheck(BadType, JSValueSource::unboxedCell(base), baseUse.index(), m_jit.branchPtr(MacroAssembler::NotEqual, MacroAssembler::Address(base, JSCell::classInfoOffset()), MacroAssembler::TrustedImmPtr(descriptor.m_classInfo)));
+ ASSERT_UNUSED(baseUse, modeAlreadyChecked(m_state.forNode(baseUse), node.arrayMode()));
GPRTemporary result(this);
@@ -2255,7 +2292,7 @@
m_jit.loadPtr(MacroAssembler::Address(base, descriptor.m_storageOffset), storageReg);
MacroAssembler::Jump outOfBounds;
- if (speculationRequirements != NoTypedArraySpecCheck)
+ if (node.op() == PutByVal)
outOfBounds = m_jit.branch32(MacroAssembler::AboveOrEqual, property, MacroAssembler::Address(base, descriptor.m_lengthOffset));
switch (elementSize) {
@@ -2272,7 +2309,7 @@
default:
ASSERT_NOT_REACHED();
}
- if (speculationRequirements != NoTypedArraySpecCheck)
+ if (node.op() == PutByVal)
outOfBounds.link(&m_jit);
noResult(m_compileIndex);
}
@@ -3066,75 +3103,36 @@
void SpeculativeJIT::compileGetIndexedPropertyStorage(Node& node)
{
- ASSERT(at(node.child1()).prediction());
- ASSERT(at(node.child2()).shouldSpeculateInteger());
-
SpeculateCellOperand base(this, node.child1());
GPRReg baseReg = base.gpr();
GPRTemporary storage(this);
GPRReg storageReg = storage.gpr();
- if (at(node.child1()).shouldSpeculateArguments()) {
- ASSERT_NOT_REACHED();
- } else if (at(node.child1()).prediction() == SpecString) {
- if (!isStringSpeculation(m_state.forNode(node.child1()).m_type))
- speculationCheck(BadType, JSValueSource::unboxedCell(baseReg), node.child1(), m_jit.branchPtr(MacroAssembler::NotEqual, MacroAssembler::Address(baseReg, JSCell::structureOffset()), MacroAssembler::TrustedImmPtr(m_jit.globalData()->stringStructure.get())));
-
+
+ const TypedArrayDescriptor* descriptor =
+ speculateArray(node.arrayMode(), node.child1(), baseReg);
+
+ switch (node.arrayMode()) {
+ case Array::String:
m_jit.loadPtr(MacroAssembler::Address(baseReg, JSString::offsetOfValue()), storageReg);
// Speculate that we're not accessing a rope
speculationCheck(Uncountable, JSValueRegs(), NoNode, m_jit.branchTest32(MacroAssembler::Zero, storageReg));
m_jit.loadPtr(MacroAssembler::Address(storageReg, StringImpl::dataOffset()), storageReg);
- } else if (at(node.child1()).shouldSpeculateInt8Array()) {
- const TypedArrayDescriptor& descriptor = m_jit.globalData()->int8ArrayDescriptor();
- if (!isInt8ArraySpeculation(m_state.forNode(node.child1()).m_type))
- speculationCheck(BadType, JSValueSource::unboxedCell(baseReg), node.child1(), m_jit.branchPtr(MacroAssembler::NotEqual, MacroAssembler::Address(baseReg, JSCell::classInfoOffset()), MacroAssembler::TrustedImmPtr(descriptor.m_classInfo)));
- m_jit.loadPtr(MacroAssembler::Address(baseReg, descriptor.m_storageOffset), storageReg);
- } else if (at(node.child1()).shouldSpeculateInt16Array()) {
- const TypedArrayDescriptor& descriptor = m_jit.globalData()->int16ArrayDescriptor();
- if (!isInt16ArraySpeculation(m_state.forNode(node.child1()).m_type))
- speculationCheck(BadType, JSValueSource::unboxedCell(baseReg), node.child1(), m_jit.branchPtr(MacroAssembler::NotEqual, MacroAssembler::Address(baseReg, JSCell::classInfoOffset()), MacroAssembler::TrustedImmPtr(descriptor.m_classInfo)));
- m_jit.loadPtr(MacroAssembler::Address(baseReg, descriptor.m_storageOffset), storageReg);
- } else if (at(node.child1()).shouldSpeculateInt32Array()) {
- const TypedArrayDescriptor& descriptor = m_jit.globalData()->int32ArrayDescriptor();
- if (!isInt32ArraySpeculation(m_state.forNode(node.child1()).m_type))
- speculationCheck(BadType, JSValueSource::unboxedCell(baseReg), node.child1(), m_jit.branchPtr(MacroAssembler::NotEqual, MacroAssembler::Address(baseReg, JSCell::classInfoOffset()), MacroAssembler::TrustedImmPtr(descriptor.m_classInfo)));
- m_jit.loadPtr(MacroAssembler::Address(baseReg, descriptor.m_storageOffset), storageReg);
- } else if (at(node.child1()).shouldSpeculateUint8Array()) {
- const TypedArrayDescriptor& descriptor = m_jit.globalData()->uint8ArrayDescriptor();
- if (!isUint8ArraySpeculation(m_state.forNode(node.child1()).m_type))
- speculationCheck(BadType, JSValueSource::unboxedCell(baseReg), node.child1(), m_jit.branchPtr(MacroAssembler::NotEqual, MacroAssembler::Address(baseReg, JSCell::classInfoOffset()), MacroAssembler::TrustedImmPtr(descriptor.m_classInfo)));
- m_jit.loadPtr(MacroAssembler::Address(baseReg, descriptor.m_storageOffset), storageReg);
- } else if (at(node.child1()).shouldSpeculateUint8ClampedArray()) {
- const TypedArrayDescriptor& descriptor = m_jit.globalData()->uint8ClampedArrayDescriptor();
- if (!isUint8ClampedArraySpeculation(m_state.forNode(node.child1()).m_type))
- speculationCheck(BadType, JSValueSource::unboxedCell(baseReg), node.child1(), m_jit.branchPtr(MacroAssembler::NotEqual, MacroAssembler::Address(baseReg), MacroAssembler::TrustedImmPtr(descriptor.m_classInfo)));
- m_jit.loadPtr(MacroAssembler::Address(baseReg, descriptor.m_storageOffset), storageReg);
- } else if (at(node.child1()).shouldSpeculateUint16Array()) {
- const TypedArrayDescriptor& descriptor = m_jit.globalData()->uint16ArrayDescriptor();
- if (!isUint16ArraySpeculation(m_state.forNode(node.child1()).m_type))
- speculationCheck(BadType, JSValueSource::unboxedCell(baseReg), node.child1(), m_jit.branchPtr(MacroAssembler::NotEqual, MacroAssembler::Address(baseReg, JSCell::classInfoOffset()), MacroAssembler::TrustedImmPtr(descriptor.m_classInfo)));
- m_jit.loadPtr(MacroAssembler::Address(baseReg, descriptor.m_storageOffset), storageReg);
- } else if (at(node.child1()).shouldSpeculateUint32Array()) {
- const TypedArrayDescriptor& descriptor = m_jit.globalData()->uint32ArrayDescriptor();
- if (!isUint32ArraySpeculation(m_state.forNode(node.child1()).m_type))
- speculationCheck(BadType, JSValueSource::unboxedCell(baseReg), node.child1(), m_jit.branchPtr(MacroAssembler::NotEqual, MacroAssembler::Address(baseReg, JSCell::classInfoOffset()), MacroAssembler::TrustedImmPtr(descriptor.m_classInfo)));
- m_jit.loadPtr(MacroAssembler::Address(baseReg, descriptor.m_storageOffset), storageReg);
- } else if (at(node.child1()).shouldSpeculateFloat32Array()) {
- const TypedArrayDescriptor& descriptor = m_jit.globalData()->float32ArrayDescriptor();
- if (!isFloat32ArraySpeculation(m_state.forNode(node.child1()).m_type))
- speculationCheck(BadType, JSValueSource::unboxedCell(baseReg), node.child1(), m_jit.branchPtr(MacroAssembler::NotEqual, MacroAssembler::Address(baseReg, JSCell::classInfoOffset()), MacroAssembler::TrustedImmPtr(descriptor.m_classInfo)));
- m_jit.loadPtr(MacroAssembler::Address(baseReg, descriptor.m_storageOffset), storageReg);
- } else if (at(node.child1()).shouldSpeculateFloat64Array()) {
- const TypedArrayDescriptor& descriptor = m_jit.globalData()->float64ArrayDescriptor();
- if (!isFloat64ArraySpeculation(m_state.forNode(node.child1()).m_type))
- speculationCheck(BadType, JSValueSource::unboxedCell(baseReg), node.child1(), m_jit.branchPtr(MacroAssembler::NotEqual, MacroAssembler::Address(baseReg, JSCell::classInfoOffset()), MacroAssembler::TrustedImmPtr(descriptor.m_classInfo)));
- m_jit.loadPtr(MacroAssembler::Address(baseReg, descriptor.m_storageOffset), storageReg);
- } else {
- speculateArray(node.child1(), baseReg);
+ break;
+
+ case Array::JSArray:
+ case Array::JSArrayOutOfBounds:
m_jit.loadPtr(MacroAssembler::Address(baseReg, JSArray::storageOffset()), storageReg);
+ break;
+
+ default:
+ ASSERT(descriptor);
+ m_jit.loadPtr(MacroAssembler::Address(baseReg, descriptor->m_storageOffset), storageReg);
+ break;
}
+
storageResult(storageReg, m_compileIndex);
}
@@ -3252,6 +3250,42 @@
integerResult(resultReg, m_compileIndex);
}
+void SpeculativeJIT::compileGetArrayLength(Node& node)
+{
+ SpeculateCellOperand base(this, node.child1());
+ GPRTemporary result(this);
+
+ GPRReg baseGPR = base.gpr();
+ GPRReg resultGPR = result.gpr();
+
+ const TypedArrayDescriptor* descriptor =
+ speculateArray(node.arrayMode(), node.child1(), baseGPR);
+
+ switch (node.arrayMode()) {
+ case Array::JSArray:
+ case Array::JSArrayOutOfBounds:
+ m_jit.loadPtr(MacroAssembler::Address(baseGPR, JSArray::storageOffset()), resultGPR);
+ m_jit.load32(MacroAssembler::Address(resultGPR, OBJECT_OFFSETOF(ArrayStorage, m_length)), resultGPR);
+
+ speculationCheck(Uncountable, JSValueRegs(), NoNode, m_jit.branch32(MacroAssembler::LessThan, resultGPR, MacroAssembler::TrustedImm32(0)));
+
+ integerResult(resultGPR, m_compileIndex);
+ break;
+ case Array::String:
+ m_jit.load32(MacroAssembler::Address(baseGPR, JSString::offsetOfLength()), resultGPR);
+ integerResult(resultGPR, m_compileIndex);
+ break;
+ case Array::Arguments:
+ compileGetArgumentsLength(node);
+ break;
+ default:
+ ASSERT(descriptor);
+ m_jit.load32(MacroAssembler::Address(baseGPR, descriptor->m_lengthOffset), resultGPR);
+ integerResult(resultGPR, m_compileIndex);
+ break;
+ }
+}
+
void SpeculativeJIT::compileNewFunctionNoCheck(Node& node)
{
GPRResult result(this);
diff --git a/Source/JavaScriptCore/dfg/DFGSpeculativeJIT.h b/Source/JavaScriptCore/dfg/DFGSpeculativeJIT.h
index 073dbb4..69a30a9 100644
--- a/Source/JavaScriptCore/dfg/DFGSpeculativeJIT.h
+++ b/Source/JavaScriptCore/dfg/DFGSpeculativeJIT.h
@@ -2082,6 +2082,8 @@
void compileGetByValOnArguments(Node&);
void compileGetArgumentsLength(Node&);
+ void compileGetArrayLength(Node&);
+
void compileValueToInt32(Node&);
void compileUInt32ToNumber(Node&);
void compileDoubleAsInt32(Node&);
@@ -2095,12 +2097,6 @@
#endif
void compileArithMod(Node&);
void compileSoftModulo(Node&);
- void compileGetTypedArrayLength(const TypedArrayDescriptor&, Node&, bool needsSpeculationCheck);
- enum TypedArraySpeculationRequirements {
- NoTypedArraySpecCheck,
- NoTypedArrayTypeSpecCheck,
- AllTypedArraySpecChecks
- };
enum TypedArraySignedness {
SignedTypedArray,
UnsignedTypedArray
@@ -2110,10 +2106,10 @@
ClampRounding
};
void compileGetIndexedPropertyStorage(Node&);
- void compileGetByValOnIntTypedArray(const TypedArrayDescriptor&, Node&, size_t elementSize, TypedArraySpeculationRequirements, TypedArraySignedness);
- void compilePutByValForIntTypedArray(const TypedArrayDescriptor&, GPRReg base, GPRReg property, Node&, size_t elementSize, TypedArraySpeculationRequirements, TypedArraySignedness, TypedArrayRounding = TruncateRounding);
- void compileGetByValOnFloatTypedArray(const TypedArrayDescriptor&, Node&, size_t elementSize, TypedArraySpeculationRequirements);
- void compilePutByValForFloatTypedArray(const TypedArrayDescriptor&, GPRReg base, GPRReg property, Node&, size_t elementSize, TypedArraySpeculationRequirements);
+ void compileGetByValOnIntTypedArray(const TypedArrayDescriptor&, Node&, size_t elementSize, TypedArraySignedness);
+ void compilePutByValForIntTypedArray(const TypedArrayDescriptor&, GPRReg base, GPRReg property, Node&, size_t elementSize, TypedArraySignedness, TypedArrayRounding = TruncateRounding);
+ void compileGetByValOnFloatTypedArray(const TypedArrayDescriptor&, Node&, size_t elementSize);
+ void compilePutByValForFloatTypedArray(const TypedArrayDescriptor&, GPRReg base, GPRReg property, Node&, size_t elementSize);
void compileNewFunctionNoCheck(Node&);
void compileNewFunctionExpression(Node&);
bool compileRegExpExec(Node&);
@@ -2199,7 +2195,9 @@
JumpReplacementWatchpoint* forwardSpeculationWatchpoint(ExitKind = UncountableWatchpoint);
JumpReplacementWatchpoint* speculationWatchpointWithConditionalDirection(ExitKind, bool isForward);
- void speculateArray(Edge baseEdge, GPRReg baseReg);
+ const TypedArrayDescriptor* typedArrayDescriptor(Array::Mode);
+
+ const TypedArrayDescriptor* speculateArray(Array::Mode, Edge baseEdge, GPRReg baseReg);
template<bool strict>
GPRReg fillSpeculateIntInternal(NodeIndex, DataFormat& returnFormat);
diff --git a/Source/JavaScriptCore/dfg/DFGSpeculativeJIT32_64.cpp b/Source/JavaScriptCore/dfg/DFGSpeculativeJIT32_64.cpp
index 7a9ba1e..26a48dc 100644
--- a/Source/JavaScriptCore/dfg/DFGSpeculativeJIT32_64.cpp
+++ b/Source/JavaScriptCore/dfg/DFGSpeculativeJIT32_64.cpp
@@ -2341,12 +2341,13 @@
}
case GetByVal: {
- if (!node.prediction() || !at(node.child1()).prediction() || !at(node.child2()).prediction()) {
+ switch (node.arrayMode()) {
+ case Array::Undecided:
+ case Array::ForceExit:
+ ASSERT_NOT_REACHED();
terminateSpeculativeExecution(InadequateCoverage, JSValueRegs(), NoNode);
break;
- }
-
- if (!at(node.child2()).shouldSpeculateInteger() || (!node.child3() && !at(node.child1()).shouldSpeculateArguments())) {
+ case Array::Generic: {
SpeculateCellOperand base(this, node.child1()); // Save a register, speculate cell. We'll probably be right.
JSValueOperand property(this, node.child2());
GPRReg baseGPR = base.gpr();
@@ -2361,125 +2362,94 @@
jsValueResult(resultTag.gpr(), resultPayload.gpr(), m_compileIndex);
break;
}
+ case Array::JSArray:
+ case Array::JSArrayOutOfBounds: {
+ SpeculateStrictInt32Operand property(this, node.child2());
+ StorageOperand storage(this, node.child3());
+ GPRReg propertyReg = property.gpr();
+ GPRReg storageReg = storage.gpr();
- if (at(node.child1()).shouldSpeculateArguments()) {
- compileGetByValOnArguments(node);
if (!m_compileOkay)
return;
+
+ // Check that base is an array, and that property is contained within m_vector (< m_vectorLength).
+ // If we have predicted the base to be type array, we can skip the check.
+ {
+ SpeculateCellOperand base(this, node.child1());
+ GPRReg baseReg = base.gpr();
+ // We've already speculated that it's some kind of array, at this point.
+ speculationCheck(Uncountable, JSValueRegs(), NoNode, m_jit.branch32(MacroAssembler::AboveOrEqual, propertyReg, MacroAssembler::Address(baseReg, JSArray::vectorLengthOffset())));
+ }
+
+ GPRTemporary resultTag(this);
+ GPRTemporary resultPayload(this);
+
+ m_jit.load32(MacroAssembler::BaseIndex(storageReg, propertyReg, MacroAssembler::TimesEight, OBJECT_OFFSETOF(ArrayStorage, m_vector[0]) + OBJECT_OFFSETOF(JSValue, u.asBits.tag)), resultTag.gpr());
+ speculationCheck(Uncountable, JSValueRegs(), NoNode, m_jit.branch32(MacroAssembler::Equal, resultTag.gpr(), TrustedImm32(JSValue::EmptyValueTag)));
+ m_jit.load32(MacroAssembler::BaseIndex(storageReg, propertyReg, MacroAssembler::TimesEight, OBJECT_OFFSETOF(ArrayStorage, m_vector[0]) + OBJECT_OFFSETOF(JSValue, u.asBits.payload)), resultPayload.gpr());
+
+ jsValueResult(resultTag.gpr(), resultPayload.gpr(), m_compileIndex);
break;
}
-
- if (at(node.child1()).prediction() == SpecString) {
+ case Array::String:
compileGetByValOnString(node);
- if (!m_compileOkay)
- return;
+ break;
+ case Array::Arguments:
+ compileGetByValOnArguments(node);
+ break;
+ case Array::Int8Array:
+ compileGetByValOnIntTypedArray(m_jit.globalData()->int8ArrayDescriptor(), node, sizeof(int8_t), SignedTypedArray);
+ break;
+ case Array::Int16Array:
+ compileGetByValOnIntTypedArray(m_jit.globalData()->int16ArrayDescriptor(), node, sizeof(int16_t), SignedTypedArray);
+ break;
+ case Array::Int32Array:
+ compileGetByValOnIntTypedArray(m_jit.globalData()->int32ArrayDescriptor(), node, sizeof(int32_t), SignedTypedArray);
+ break;
+ case Array::Uint8Array:
+ compileGetByValOnIntTypedArray(m_jit.globalData()->uint8ArrayDescriptor(), node, sizeof(uint8_t), UnsignedTypedArray);
+ break;
+ case Array::Uint8ClampedArray:
+ compileGetByValOnIntTypedArray(m_jit.globalData()->uint8ClampedArrayDescriptor(), node, sizeof(uint8_t), UnsignedTypedArray);
+ break;
+ case Array::Uint16Array:
+ compileGetByValOnIntTypedArray(m_jit.globalData()->uint16ArrayDescriptor(), node, sizeof(uint16_t), UnsignedTypedArray);
+ break;
+ case Array::Uint32Array:
+ compileGetByValOnIntTypedArray(m_jit.globalData()->uint32ArrayDescriptor(), node, sizeof(uint32_t), UnsignedTypedArray);
+ break;
+ case Array::Float32Array:
+ compileGetByValOnFloatTypedArray(m_jit.globalData()->float32ArrayDescriptor(), node, sizeof(float));
+ break;
+ case Array::Float64Array:
+ compileGetByValOnFloatTypedArray(m_jit.globalData()->float64ArrayDescriptor(), node, sizeof(double));
+ break;
+ default:
+ ASSERT_NOT_REACHED();
break;
}
-
- if (at(node.child1()).shouldSpeculateInt8Array()) {
- compileGetByValOnIntTypedArray(m_jit.globalData()->int8ArrayDescriptor(), node, sizeof(int8_t), isInt8ArraySpeculation(m_state.forNode(node.child1()).m_type) ? NoTypedArrayTypeSpecCheck : AllTypedArraySpecChecks, SignedTypedArray);
- if (!m_compileOkay)
- return;
- break;
- }
-
- if (at(node.child1()).shouldSpeculateInt16Array()) {
- compileGetByValOnIntTypedArray(m_jit.globalData()->int16ArrayDescriptor(), node, sizeof(int16_t), isInt16ArraySpeculation(m_state.forNode(node.child1()).m_type) ? NoTypedArrayTypeSpecCheck : AllTypedArraySpecChecks, SignedTypedArray);
- if (!m_compileOkay)
- return;
- break;
- }
-
- if (at(node.child1()).shouldSpeculateInt32Array()) {
- compileGetByValOnIntTypedArray(m_jit.globalData()->int32ArrayDescriptor(), node, sizeof(int32_t), isInt32ArraySpeculation(m_state.forNode(node.child1()).m_type) ? NoTypedArrayTypeSpecCheck : AllTypedArraySpecChecks, SignedTypedArray);
- if (!m_compileOkay)
- return;
- break;
- }
-
- if (at(node.child1()).shouldSpeculateUint8Array()) {
- compileGetByValOnIntTypedArray(m_jit.globalData()->uint8ArrayDescriptor(), node, sizeof(uint8_t), isUint8ArraySpeculation(m_state.forNode(node.child1()).m_type) ? NoTypedArrayTypeSpecCheck : AllTypedArraySpecChecks, UnsignedTypedArray);
- if (!m_compileOkay)
- return;
- break;
- }
-
- if (at(node.child1()).shouldSpeculateUint8ClampedArray()) {
- compileGetByValOnIntTypedArray(m_jit.globalData()->uint8ClampedArrayDescriptor(), node, sizeof(uint8_t), isUint8ClampedArraySpeculation(m_state.forNode(node.child1()).m_type) ? NoTypedArrayTypeSpecCheck : AllTypedArraySpecChecks, UnsignedTypedArray);
- if (!m_compileOkay)
- return;
- break;
- }
-
- if (at(node.child1()).shouldSpeculateUint16Array()) {
- compileGetByValOnIntTypedArray(m_jit.globalData()->uint16ArrayDescriptor(), node, sizeof(uint16_t), isUint16ArraySpeculation(m_state.forNode(node.child1()).m_type) ? NoTypedArrayTypeSpecCheck : AllTypedArraySpecChecks, UnsignedTypedArray);
- if (!m_compileOkay)
- return;
- break;
- }
-
- if (at(node.child1()).shouldSpeculateUint32Array()) {
- compileGetByValOnIntTypedArray(m_jit.globalData()->uint32ArrayDescriptor(), node, sizeof(uint32_t), isUint32ArraySpeculation(m_state.forNode(node.child1()).m_type) ? NoTypedArrayTypeSpecCheck : AllTypedArraySpecChecks, UnsignedTypedArray);
- if (!m_compileOkay)
- return;
- break;
- }
-
- if (at(node.child1()).shouldSpeculateFloat32Array()) {
- compileGetByValOnFloatTypedArray(m_jit.globalData()->float32ArrayDescriptor(), node, sizeof(float), isFloat32ArraySpeculation(m_state.forNode(node.child1()).m_type) ? NoTypedArrayTypeSpecCheck : AllTypedArraySpecChecks);
- if (!m_compileOkay)
- return;
- break;
- }
-
- if (at(node.child1()).shouldSpeculateFloat64Array()) {
- compileGetByValOnFloatTypedArray(m_jit.globalData()->float64ArrayDescriptor(), node, sizeof(double), isFloat64ArraySpeculation(m_state.forNode(node.child1()).m_type) ? NoTypedArrayTypeSpecCheck : AllTypedArraySpecChecks);
- if (!m_compileOkay)
- return;
- break;
- }
-
- SpeculateStrictInt32Operand property(this, node.child2());
- StorageOperand storage(this, node.child3());
- GPRReg propertyReg = property.gpr();
- GPRReg storageReg = storage.gpr();
-
- if (!m_compileOkay)
- return;
-
- // Check that base is an array, and that property is contained within m_vector (< m_vectorLength).
- // If we have predicted the base to be type array, we can skip the check.
- {
- SpeculateCellOperand base(this, node.child1());
- GPRReg baseReg = base.gpr();
- // We've already speculated that it's some kind of array, at this point.
- speculationCheck(Uncountable, JSValueRegs(), NoNode, m_jit.branch32(MacroAssembler::AboveOrEqual, propertyReg, MacroAssembler::Address(baseReg, JSArray::vectorLengthOffset())));
- }
-
- GPRTemporary resultTag(this);
- GPRTemporary resultPayload(this);
-
- m_jit.load32(MacroAssembler::BaseIndex(storageReg, propertyReg, MacroAssembler::TimesEight, OBJECT_OFFSETOF(ArrayStorage, m_vector[0]) + OBJECT_OFFSETOF(JSValue, u.asBits.tag)), resultTag.gpr());
- speculationCheck(Uncountable, JSValueRegs(), NoNode, m_jit.branch32(MacroAssembler::Equal, resultTag.gpr(), TrustedImm32(JSValue::EmptyValueTag)));
- m_jit.load32(MacroAssembler::BaseIndex(storageReg, propertyReg, MacroAssembler::TimesEight, OBJECT_OFFSETOF(ArrayStorage, m_vector[0]) + OBJECT_OFFSETOF(JSValue, u.asBits.payload)), resultPayload.gpr());
-
- jsValueResult(resultTag.gpr(), resultPayload.gpr(), m_compileIndex);
break;
}
case PutByVal:
- case PutByValSafe: {
+ case PutByValAlias: {
Edge child1 = m_jit.graph().varArgChild(node, 0);
Edge child2 = m_jit.graph().varArgChild(node, 1);
Edge child3 = m_jit.graph().varArgChild(node, 2);
- if (!at(child1).prediction() || !at(child2).prediction()) {
- terminateSpeculativeExecution(InadequateCoverage, JSValueRegs(), NoNode);
- break;
- }
+ Array::Mode arrayMode = modeForPut(node.arrayMode());
+ bool alreadyHandled = false;
- if (!at(child2).shouldSpeculateInteger()
- || at(child1).shouldSpeculateArguments()) {
+ switch (arrayMode) {
+ case Array::Undecided:
+ case Array::ForceExit:
+ ASSERT_NOT_REACHED();
+ terminateSpeculativeExecution(InadequateCoverage, JSValueRegs(), NoNode);
+ alreadyHandled = true;
+ break;
+ case Array::Generic: {
+ ASSERT(node.op() == PutByVal);
+
SpeculateCellOperand base(this, child1); // Save a register, speculate cell. We'll probably be right.
JSValueOperand property(this, child2);
JSValueOperand value(this, child3);
@@ -2493,233 +2463,144 @@
callOperation(m_jit.codeBlock()->isStrictMode() ? operationPutByValCellStrict : operationPutByValCellNonStrict, baseGPR, propertyTagGPR, propertyPayloadGPR, valueTagGPR, valuePayloadGPR);
noResult(m_compileIndex);
+ alreadyHandled = true;
break;
}
-
+ default:
+ break;
+ }
+
+ if (alreadyHandled)
+ break;
+
SpeculateCellOperand base(this, child1);
SpeculateStrictInt32Operand property(this, child2);
- if (at(child1).shouldSpeculateInt8Array()) {
- compilePutByValForIntTypedArray(m_jit.globalData()->int8ArrayDescriptor(), base.gpr(), property.gpr(), node, sizeof(int8_t), isInt8ArraySpeculation(m_state.forNode(child1).m_type) ? NoTypedArrayTypeSpecCheck : AllTypedArraySpecChecks, SignedTypedArray);
- if (!m_compileOkay)
- return;
- break;
- }
- if (at(child1).shouldSpeculateInt16Array()) {
- compilePutByValForIntTypedArray(m_jit.globalData()->int16ArrayDescriptor(), base.gpr(), property.gpr(), node, sizeof(int16_t), isInt16ArraySpeculation(m_state.forNode(child1).m_type) ? NoTypedArrayTypeSpecCheck : AllTypedArraySpecChecks, SignedTypedArray);
- if (!m_compileOkay)
- return;
- break;
- }
-
- if (at(child1).shouldSpeculateInt32Array()) {
- compilePutByValForIntTypedArray(m_jit.globalData()->int32ArrayDescriptor(), base.gpr(), property.gpr(), node, sizeof(int32_t), isInt32ArraySpeculation(m_state.forNode(child1).m_type) ? NoTypedArrayTypeSpecCheck : AllTypedArraySpecChecks, SignedTypedArray);
- if (!m_compileOkay)
- return;
- break;
- }
-
- if (at(child1).shouldSpeculateUint8Array()) {
- compilePutByValForIntTypedArray(m_jit.globalData()->uint8ArrayDescriptor(), base.gpr(), property.gpr(), node, sizeof(uint8_t), isUint8ArraySpeculation(m_state.forNode(child1).m_type) ? NoTypedArrayTypeSpecCheck : AllTypedArraySpecChecks, UnsignedTypedArray);
- if (!m_compileOkay)
- return;
- break;
- }
-
- if (at(child1).shouldSpeculateUint8ClampedArray()) {
- compilePutByValForIntTypedArray(m_jit.globalData()->uint8ClampedArrayDescriptor(), base.gpr(), property.gpr(), node, sizeof(uint8_t), isUint8ClampedArraySpeculation(m_state.forNode(child1).m_type) ? NoTypedArrayTypeSpecCheck : AllTypedArraySpecChecks, UnsignedTypedArray, ClampRounding);
- if (!m_compileOkay)
- return;
- break;
- }
-
- if (at(child1).shouldSpeculateUint16Array()) {
- compilePutByValForIntTypedArray(m_jit.globalData()->uint16ArrayDescriptor(), base.gpr(), property.gpr(), node, sizeof(uint16_t), isUint16ArraySpeculation(m_state.forNode(child1).m_type) ? NoTypedArrayTypeSpecCheck : AllTypedArraySpecChecks, UnsignedTypedArray);
- if (!m_compileOkay)
- return;
- break;
- }
-
- if (at(child1).shouldSpeculateUint32Array()) {
- compilePutByValForIntTypedArray(m_jit.globalData()->uint32ArrayDescriptor(), base.gpr(), property.gpr(), node, sizeof(uint32_t), isUint32ArraySpeculation(m_state.forNode(child1).m_type) ? NoTypedArrayTypeSpecCheck : AllTypedArraySpecChecks, UnsignedTypedArray);
- if (!m_compileOkay)
- return;
- break;
- }
-
- if (at(child1).shouldSpeculateFloat32Array()) {
- compilePutByValForFloatTypedArray(m_jit.globalData()->float32ArrayDescriptor(), base.gpr(), property.gpr(), node, sizeof(float), isFloat32ArraySpeculation(m_state.forNode(child1).m_type) ? NoTypedArrayTypeSpecCheck : AllTypedArraySpecChecks);
- if (!m_compileOkay)
- return;
- break;
- }
-
- if (at(child1).shouldSpeculateFloat64Array()) {
- compilePutByValForFloatTypedArray(m_jit.globalData()->float64ArrayDescriptor(), base.gpr(), property.gpr(), node, sizeof(double), isFloat64ArraySpeculation(m_state.forNode(child1).m_type) ? NoTypedArrayTypeSpecCheck : AllTypedArraySpecChecks);
- if (!m_compileOkay)
- return;
- break;
- }
-
- JSValueOperand value(this, child3);
- // Map base, property & value into registers, allocate a scratch register.
GPRReg baseReg = base.gpr();
GPRReg propertyReg = property.gpr();
- GPRReg valueTagReg = value.tagGPR();
- GPRReg valuePayloadReg = value.payloadGPR();
+
+ speculateArray(arrayMode, child1, baseReg);
+
+ switch (arrayMode) {
+ case Array::JSArray:
+ case Array::JSArrayOutOfBounds: {
+ JSValueOperand value(this, child3);
+
+ GPRReg valueTagReg = value.tagGPR();
+ GPRReg valuePayloadReg = value.payloadGPR();
+
+ if (!m_compileOkay)
+ return;
+
+ {
+ GPRTemporary scratch(this);
+ GPRReg scratchReg = scratch.gpr();
+ writeBarrier(baseReg, valueTagReg, child3, WriteBarrierForPropertyAccess, scratchReg);
+ }
+
+ if (node.op() == PutByValAlias) {
+ // Get the array storage.
+ GPRTemporary storage(this);
+ GPRReg storageReg = storage.gpr();
+ m_jit.loadPtr(MacroAssembler::Address(baseReg, JSArray::storageOffset()), storageReg);
+
+ // Store the value to the array.
+ GPRReg propertyReg = property.gpr();
+ m_jit.store32(value.tagGPR(), MacroAssembler::BaseIndex(storageReg, propertyReg, MacroAssembler::TimesEight, OBJECT_OFFSETOF(ArrayStorage, m_vector[0]) + OBJECT_OFFSETOF(JSValue, u.asBits.tag)));
+ m_jit.store32(value.payloadGPR(), MacroAssembler::BaseIndex(storageReg, propertyReg, MacroAssembler::TimesEight, OBJECT_OFFSETOF(ArrayStorage, m_vector[0]) + OBJECT_OFFSETOF(JSValue, u.asBits.payload)));
+
+ noResult(m_compileIndex);
+ break;
+ }
+
+ MacroAssembler::Jump beyondArrayBounds = m_jit.branch32(MacroAssembler::AboveOrEqual, propertyReg, MacroAssembler::Address(baseReg, JSArray::vectorLengthOffset()));
+ if (arrayMode == Array::JSArray)
+ speculationCheck(OutOfBounds, JSValueRegs(), NoNode, beyondArrayBounds);
+
+ base.use();
+ property.use();
+ value.use();
+
+ // Get the array storage.
+ GPRTemporary storage(this);
+ GPRReg storageReg = storage.gpr();
+ m_jit.loadPtr(MacroAssembler::Address(baseReg, JSArray::storageOffset()), storageReg);
+
+ // Check if we're writing to a hole; if so increment m_numValuesInVector.
+ MacroAssembler::Jump notHoleValue = m_jit.branch32(MacroAssembler::NotEqual, MacroAssembler::BaseIndex(storageReg, propertyReg, MacroAssembler::TimesEight, OBJECT_OFFSETOF(ArrayStorage, m_vector[0]) + OBJECT_OFFSETOF(JSValue, u.asBits.tag)), TrustedImm32(JSValue::EmptyValueTag));
+ m_jit.add32(TrustedImm32(1), MacroAssembler::Address(storageReg, OBJECT_OFFSETOF(ArrayStorage, m_numValuesInVector)));
+
+ // If we're writing to a hole we might be growing the array;
+ MacroAssembler::Jump lengthDoesNotNeedUpdate = m_jit.branch32(MacroAssembler::Below, propertyReg, MacroAssembler::Address(storageReg, OBJECT_OFFSETOF(ArrayStorage, m_length)));
+ m_jit.add32(TrustedImm32(1), propertyReg);
+ m_jit.store32(propertyReg, MacroAssembler::Address(storageReg, OBJECT_OFFSETOF(ArrayStorage, m_length)));
+ m_jit.sub32(TrustedImm32(1), propertyReg);
+
+ lengthDoesNotNeedUpdate.link(&m_jit);
+ notHoleValue.link(&m_jit);
+
+ // Store the value to the array.
+ m_jit.store32(valueTagReg, MacroAssembler::BaseIndex(storageReg, propertyReg, MacroAssembler::TimesEight, OBJECT_OFFSETOF(ArrayStorage, m_vector[0]) + OBJECT_OFFSETOF(JSValue, u.asBits.tag)));
+ m_jit.store32(valuePayloadReg, MacroAssembler::BaseIndex(storageReg, propertyReg, MacroAssembler::TimesEight, OBJECT_OFFSETOF(ArrayStorage, m_vector[0]) + OBJECT_OFFSETOF(JSValue, u.asBits.payload)));
- if (!m_compileOkay)
- return;
-
- {
- GPRTemporary scratch(this);
- GPRReg scratchReg = scratch.gpr();
- writeBarrier(baseReg, valueTagReg, child3, WriteBarrierForPropertyAccess, scratchReg);
- }
-
- speculateArray(child1, baseReg);
-
- MacroAssembler::Jump beyondArrayBounds = m_jit.branch32(MacroAssembler::AboveOrEqual, propertyReg, MacroAssembler::Address(baseReg, JSArray::vectorLengthOffset()));
- if (node.op() == PutByVal)
- speculationCheck(OutOfBounds, JSValueRegs(), NoNode, beyondArrayBounds);
-
- base.use();
- property.use();
- value.use();
-
- // Get the array storage.
- GPRTemporary storage(this);
- GPRReg storageReg = storage.gpr();
- m_jit.loadPtr(MacroAssembler::Address(baseReg, JSArray::storageOffset()), storageReg);
-
- // Check if we're writing to a hole; if so increment m_numValuesInVector.
- MacroAssembler::Jump notHoleValue = m_jit.branch32(MacroAssembler::NotEqual, MacroAssembler::BaseIndex(storageReg, propertyReg, MacroAssembler::TimesEight, OBJECT_OFFSETOF(ArrayStorage, m_vector[0]) + OBJECT_OFFSETOF(JSValue, u.asBits.tag)), TrustedImm32(JSValue::EmptyValueTag));
- m_jit.add32(TrustedImm32(1), MacroAssembler::Address(storageReg, OBJECT_OFFSETOF(ArrayStorage, m_numValuesInVector)));
-
- // If we're writing to a hole we might be growing the array;
- MacroAssembler::Jump lengthDoesNotNeedUpdate = m_jit.branch32(MacroAssembler::Below, propertyReg, MacroAssembler::Address(storageReg, OBJECT_OFFSETOF(ArrayStorage, m_length)));
- m_jit.add32(TrustedImm32(1), propertyReg);
- m_jit.store32(propertyReg, MacroAssembler::Address(storageReg, OBJECT_OFFSETOF(ArrayStorage, m_length)));
- m_jit.sub32(TrustedImm32(1), propertyReg);
-
- lengthDoesNotNeedUpdate.link(&m_jit);
- notHoleValue.link(&m_jit);
-
- // Store the value to the array.
- m_jit.store32(valueTagReg, MacroAssembler::BaseIndex(storageReg, propertyReg, MacroAssembler::TimesEight, OBJECT_OFFSETOF(ArrayStorage, m_vector[0]) + OBJECT_OFFSETOF(JSValue, u.asBits.tag)));
- m_jit.store32(valuePayloadReg, MacroAssembler::BaseIndex(storageReg, propertyReg, MacroAssembler::TimesEight, OBJECT_OFFSETOF(ArrayStorage, m_vector[0]) + OBJECT_OFFSETOF(JSValue, u.asBits.payload)));
-
- if (node.op() == PutByValSafe) {
- addSlowPathGenerator(
- slowPathCall(
- beyondArrayBounds, this,
- m_jit.codeBlock()->isStrictMode() ? operationPutByValBeyondArrayBoundsStrict : operationPutByValBeyondArrayBoundsNonStrict,
- NoResult, baseReg, propertyReg, valueTagReg, valuePayloadReg));
+ if (arrayMode == Array::JSArrayOutOfBounds) {
+ addSlowPathGenerator(
+ slowPathCall(
+ beyondArrayBounds, this,
+ m_jit.codeBlock()->isStrictMode() ? operationPutByValBeyondArrayBoundsStrict : operationPutByValBeyondArrayBoundsNonStrict,
+ NoResult, baseReg, propertyReg, valueTagReg, valuePayloadReg));
+ }
+
+ noResult(m_compileIndex, UseChildrenCalledExplicitly);
+ break;
}
- noResult(m_compileIndex, UseChildrenCalledExplicitly);
- break;
- }
-
- case PutByValAlias: {
- Edge child1 = m_jit.graph().varArgChild(node, 0);
- Edge child2 = m_jit.graph().varArgChild(node, 1);
- Edge child3 = m_jit.graph().varArgChild(node, 2);
-
- if (!at(child1).prediction() || !at(child2).prediction()) {
- terminateSpeculativeExecution(InadequateCoverage, JSValueRegs(), NoNode);
+ case Array::Arguments:
+ // FIXME: we could at some point make this work. Right now we're assuming that the register
+ // pressure would be too great.
+ ASSERT_NOT_REACHED();
+ break;
+
+ case Array::Int8Array:
+ compilePutByValForIntTypedArray(m_jit.globalData()->int8ArrayDescriptor(), base.gpr(), property.gpr(), node, sizeof(int8_t), SignedTypedArray);
+ break;
+
+ case Array::Int16Array:
+ compilePutByValForIntTypedArray(m_jit.globalData()->int16ArrayDescriptor(), base.gpr(), property.gpr(), node, sizeof(int16_t), SignedTypedArray);
+ break;
+
+ case Array::Int32Array:
+ compilePutByValForIntTypedArray(m_jit.globalData()->int32ArrayDescriptor(), base.gpr(), property.gpr(), node, sizeof(int32_t), SignedTypedArray);
+ break;
+
+ case Array::Uint8Array:
+ compilePutByValForIntTypedArray(m_jit.globalData()->uint8ArrayDescriptor(), base.gpr(), property.gpr(), node, sizeof(uint8_t), UnsignedTypedArray);
+ break;
+
+ case Array::Uint8ClampedArray:
+ compilePutByValForIntTypedArray(m_jit.globalData()->uint8ClampedArrayDescriptor(), base.gpr(), property.gpr(), node, sizeof(uint8_t), UnsignedTypedArray, ClampRounding);
+ break;
+
+ case Array::Uint16Array:
+ compilePutByValForIntTypedArray(m_jit.globalData()->uint16ArrayDescriptor(), base.gpr(), property.gpr(), node, sizeof(uint16_t), UnsignedTypedArray);
+ break;
+
+ case Array::Uint32Array:
+ compilePutByValForIntTypedArray(m_jit.globalData()->uint32ArrayDescriptor(), base.gpr(), property.gpr(), node, sizeof(uint32_t), UnsignedTypedArray);
+ break;
+
+ case Array::Float32Array:
+ compilePutByValForFloatTypedArray(m_jit.globalData()->float32ArrayDescriptor(), base.gpr(), property.gpr(), node, sizeof(float));
+ break;
+
+ case Array::Float64Array:
+ compilePutByValForFloatTypedArray(m_jit.globalData()->float64ArrayDescriptor(), base.gpr(), property.gpr(), node, sizeof(double));
+ break;
+
+ default:
+ ASSERT_NOT_REACHED();
break;
}
-
- ASSERT(isActionableMutableArraySpeculation(at(child1).prediction()));
- ASSERT(at(child2).shouldSpeculateInteger());
-
- SpeculateCellOperand base(this, child1);
- SpeculateStrictInt32Operand property(this, child2);
-
- if (at(child1).shouldSpeculateInt8Array()) {
- compilePutByValForIntTypedArray(m_jit.globalData()->int8ArrayDescriptor(), base.gpr(), property.gpr(), node, sizeof(int8_t), NoTypedArraySpecCheck, SignedTypedArray);
- if (!m_compileOkay)
- return;
- break;
- }
-
- if (at(child1).shouldSpeculateInt16Array()) {
- compilePutByValForIntTypedArray(m_jit.globalData()->int16ArrayDescriptor(), base.gpr(), property.gpr(), node, sizeof(int16_t), NoTypedArraySpecCheck, SignedTypedArray);
- if (!m_compileOkay)
- return;
- break;
- }
-
- if (at(child1).shouldSpeculateInt32Array()) {
- compilePutByValForIntTypedArray(m_jit.globalData()->int32ArrayDescriptor(), base.gpr(), property.gpr(), node, sizeof(int32_t), NoTypedArraySpecCheck, SignedTypedArray);
- if (!m_compileOkay)
- return;
- break;
- }
-
- if (at(child1).shouldSpeculateUint8Array()) {
- compilePutByValForIntTypedArray(m_jit.globalData()->uint8ArrayDescriptor(), base.gpr(), property.gpr(), node, sizeof(uint8_t), NoTypedArraySpecCheck, UnsignedTypedArray);
- if (!m_compileOkay)
- return;
- break;
- }
-
- if (at(child1).shouldSpeculateUint8ClampedArray()) {
- compilePutByValForIntTypedArray(m_jit.globalData()->uint8ClampedArrayDescriptor(), base.gpr(), property.gpr(), node, sizeof(uint8_t), NoTypedArraySpecCheck, UnsignedTypedArray, ClampRounding);
- if (!m_compileOkay)
- return;
- break;
- }
-
- if (at(child1).shouldSpeculateUint16Array()) {
- compilePutByValForIntTypedArray(m_jit.globalData()->uint16ArrayDescriptor(), base.gpr(), property.gpr(), node, sizeof(uint16_t), NoTypedArraySpecCheck, UnsignedTypedArray);
- if (!m_compileOkay)
- return;
- break;
- }
-
- if (at(child1).shouldSpeculateUint32Array()) {
- compilePutByValForIntTypedArray(m_jit.globalData()->uint32ArrayDescriptor(), base.gpr(), property.gpr(), node, sizeof(uint32_t), NoTypedArraySpecCheck, UnsignedTypedArray);
- if (!m_compileOkay)
- return;
- break;
- }
-
- if (at(child1).shouldSpeculateFloat32Array()) {
- compilePutByValForFloatTypedArray(m_jit.globalData()->float32ArrayDescriptor(), base.gpr(), property.gpr(), node, sizeof(float), NoTypedArraySpecCheck);
- if (!m_compileOkay)
- return;
- break;
- }
-
- if (at(child1).shouldSpeculateFloat64Array()) {
- compilePutByValForFloatTypedArray(m_jit.globalData()->float64ArrayDescriptor(), base.gpr(), property.gpr(), node, sizeof(double), NoTypedArraySpecCheck);
- if (!m_compileOkay)
- return;
- break;
- }
-
- ASSERT(at(child1).shouldSpeculateArray());
-
- JSValueOperand value(this, child3);
- GPRTemporary scratch(this, base);
-
- GPRReg baseReg = base.gpr();
- GPRReg scratchReg = scratch.gpr();
-
- writeBarrier(baseReg, value.tagGPR(), child3, WriteBarrierForPropertyAccess, scratchReg);
-
- // Get the array storage.
- GPRReg storageReg = scratchReg;
- m_jit.loadPtr(MacroAssembler::Address(baseReg, JSArray::storageOffset()), storageReg);
-
- // Store the value to the array.
- GPRReg propertyReg = property.gpr();
- m_jit.store32(value.tagGPR(), MacroAssembler::BaseIndex(storageReg, propertyReg, MacroAssembler::TimesEight, OBJECT_OFFSETOF(ArrayStorage, m_vector[0]) + OBJECT_OFFSETOF(JSValue, u.asBits.tag)));
- m_jit.store32(value.payloadGPR(), MacroAssembler::BaseIndex(storageReg, propertyReg, MacroAssembler::TimesEight, OBJECT_OFFSETOF(ArrayStorage, m_vector[0]) + OBJECT_OFFSETOF(JSValue, u.asBits.payload)));
-
- noResult(m_compileIndex);
break;
}
@@ -2787,7 +2668,7 @@
writeBarrier(baseGPR, valueTagGPR, node.child2(), WriteBarrierForPropertyAccess, scratch.gpr(), storageLengthGPR);
}
- speculateArray(node.child1(), baseGPR);
+ speculateArray(Array::JSArray, node.child1(), baseGPR);
GPRTemporary storage(this);
GPRReg storageGPR = storage.gpr();
@@ -2827,7 +2708,7 @@
GPRReg storageGPR = storage.gpr();
GPRReg storageLengthGPR = storageLength.gpr();
- speculateArray(node.child1(), baseGPR);
+ speculateArray(Array::JSArray, node.child1(), baseGPR);
m_jit.loadPtr(MacroAssembler::Address(baseGPR, JSArray::storageOffset()), storageGPR);
m_jit.load32(MacroAssembler::Address(storageGPR, OBJECT_OFFSETOF(ArrayStorage, m_length)), storageLengthGPR);
@@ -3373,82 +3254,10 @@
break;
}
- case GetArrayLength: {
- SpeculateCellOperand base(this, node.child1());
- GPRReg baseGPR = base.gpr();
+ case GetArrayLength:
+ compileGetArrayLength(node);
+ break;
- speculateArray(node.child1(), baseGPR);
-
- GPRTemporary result(this);
- GPRReg resultGPR = result.gpr();
-
- m_jit.loadPtr(MacroAssembler::Address(baseGPR, JSArray::storageOffset()), resultGPR);
- m_jit.load32(MacroAssembler::Address(resultGPR, OBJECT_OFFSETOF(ArrayStorage, m_length)), resultGPR);
-
- speculationCheck(Uncountable, JSValueRegs(), NoNode, m_jit.branch32(MacroAssembler::LessThan, resultGPR, MacroAssembler::TrustedImm32(0)));
-
- integerResult(resultGPR, m_compileIndex);
- break;
- }
-
- case GetArgumentsLength: {
- compileGetArgumentsLength(node);
- break;
- }
-
- case GetStringLength: {
- SpeculateCellOperand base(this, node.child1());
- GPRTemporary result(this);
-
- GPRReg baseGPR = base.gpr();
- GPRReg resultGPR = result.gpr();
-
- if (!isStringSpeculation(m_state.forNode(node.child1()).m_type))
- speculationCheck(BadType, JSValueSource::unboxedCell(baseGPR), node.child1(), m_jit.branchPtr(MacroAssembler::NotEqual, MacroAssembler::Address(baseGPR, JSCell::structureOffset()), MacroAssembler::TrustedImmPtr(m_jit.globalData()->stringStructure.get())));
-
- m_jit.load32(MacroAssembler::Address(baseGPR, JSString::offsetOfLength()), resultGPR);
-
- integerResult(resultGPR, m_compileIndex);
- break;
- }
-
- case GetInt8ArrayLength: {
- compileGetTypedArrayLength(m_jit.globalData()->int8ArrayDescriptor(), node, !isInt8ArraySpeculation(m_state.forNode(node.child1()).m_type));
- break;
- }
- case GetInt16ArrayLength: {
- compileGetTypedArrayLength(m_jit.globalData()->int16ArrayDescriptor(), node, !isInt16ArraySpeculation(m_state.forNode(node.child1()).m_type));
- break;
- }
- case GetInt32ArrayLength: {
- compileGetTypedArrayLength(m_jit.globalData()->int32ArrayDescriptor(), node, !isInt32ArraySpeculation(m_state.forNode(node.child1()).m_type));
- break;
- }
- case GetUint8ArrayLength: {
- compileGetTypedArrayLength(m_jit.globalData()->uint8ArrayDescriptor(), node, !isUint8ArraySpeculation(m_state.forNode(node.child1()).m_type));
- break;
- }
- case GetUint8ClampedArrayLength: {
- compileGetTypedArrayLength(m_jit.globalData()->uint8ClampedArrayDescriptor(), node, !isUint8ClampedArraySpeculation(m_state.forNode(node.child1()).m_type));
- break;
- }
- case GetUint16ArrayLength: {
- compileGetTypedArrayLength(m_jit.globalData()->uint16ArrayDescriptor(), node, !isUint16ArraySpeculation(m_state.forNode(node.child1()).m_type));
- break;
- }
- case GetUint32ArrayLength: {
- compileGetTypedArrayLength(m_jit.globalData()->uint32ArrayDescriptor(), node, !isUint32ArraySpeculation(m_state.forNode(node.child1()).m_type));
- break;
- }
- case GetFloat32ArrayLength: {
- compileGetTypedArrayLength(m_jit.globalData()->float32ArrayDescriptor(), node, !isFloat32ArraySpeculation(m_state.forNode(node.child1()).m_type));
- break;
- }
- case GetFloat64ArrayLength: {
- compileGetTypedArrayLength(m_jit.globalData()->float64ArrayDescriptor(), node, !isFloat64ArraySpeculation(m_state.forNode(node.child1()).m_type));
- break;
- }
-
case CheckFunction: {
SpeculateCellOperand function(this, node.child1());
speculationCheck(BadCache, JSValueRegs(), NoNode, m_jit.branchWeakPtr(JITCompiler::NotEqual, function.gpr(), node.function()));
diff --git a/Source/JavaScriptCore/dfg/DFGSpeculativeJIT64.cpp b/Source/JavaScriptCore/dfg/DFGSpeculativeJIT64.cpp
index c215108..c2e2072 100644
--- a/Source/JavaScriptCore/dfg/DFGSpeculativeJIT64.cpp
+++ b/Source/JavaScriptCore/dfg/DFGSpeculativeJIT64.cpp
@@ -2374,12 +2374,13 @@
}
case GetByVal: {
- if (!node.prediction() || !at(node.child1()).prediction() || !at(node.child2()).prediction()) {
+ switch (node.arrayMode()) {
+ case Array::Undecided:
+ case Array::ForceExit:
+ ASSERT_NOT_REACHED();
terminateSpeculativeExecution(InadequateCoverage, JSValueRegs(), NoNode);
break;
- }
-
- if (!at(node.child2()).shouldSpeculateInteger() || (!node.child3() && !at(node.child1()).shouldSpeculateArguments())) {
+ case Array::Generic: {
JSValueOperand base(this, node.child1());
JSValueOperand property(this, node.child2());
GPRReg baseGPR = base.gpr();
@@ -2392,120 +2393,90 @@
jsValueResult(result.gpr(), m_compileIndex);
break;
}
-
- if (at(node.child1()).shouldSpeculateArguments()) {
- compileGetByValOnArguments(node);
+ case Array::JSArray:
+ case Array::JSArrayOutOfBounds: {
+ SpeculateCellOperand base(this, node.child1());
+ SpeculateStrictInt32Operand property(this, node.child2());
+ StorageOperand storage(this, node.child3());
+
+ GPRReg baseReg = base.gpr();
+ GPRReg propertyReg = property.gpr();
+ GPRReg storageReg = storage.gpr();
+
if (!m_compileOkay)
return;
+
+ // We will have already speculated that the base is some kind of array,
+ // at this point.
+
+ speculationCheck(Uncountable, JSValueRegs(), NoNode, m_jit.branch32(MacroAssembler::AboveOrEqual, propertyReg, MacroAssembler::Address(baseReg, JSArray::vectorLengthOffset())));
+
+ GPRTemporary result(this);
+ m_jit.loadPtr(MacroAssembler::BaseIndex(storageReg, propertyReg, MacroAssembler::ScalePtr, OBJECT_OFFSETOF(ArrayStorage, m_vector[0])), result.gpr());
+ speculationCheck(Uncountable, JSValueRegs(), NoNode, m_jit.branchTestPtr(MacroAssembler::Zero, result.gpr()));
+
+ jsValueResult(result.gpr(), m_compileIndex);
break;
}
-
- if (at(node.child1()).prediction() == SpecString) {
+ case Array::String:
compileGetByValOnString(node);
- if (!m_compileOkay)
- return;
+ break;
+ case Array::Arguments:
+ compileGetByValOnArguments(node);
+ break;
+ case Array::Int8Array:
+ compileGetByValOnIntTypedArray(m_jit.globalData()->int8ArrayDescriptor(), node, sizeof(int8_t), SignedTypedArray);
+ break;
+ case Array::Int16Array:
+ compileGetByValOnIntTypedArray(m_jit.globalData()->int16ArrayDescriptor(), node, sizeof(int16_t), SignedTypedArray);
+ break;
+ case Array::Int32Array:
+ compileGetByValOnIntTypedArray(m_jit.globalData()->int32ArrayDescriptor(), node, sizeof(int32_t), SignedTypedArray);
+ break;
+ case Array::Uint8Array:
+ compileGetByValOnIntTypedArray(m_jit.globalData()->uint8ArrayDescriptor(), node, sizeof(uint8_t), UnsignedTypedArray);
+ break;
+ case Array::Uint8ClampedArray:
+ compileGetByValOnIntTypedArray(m_jit.globalData()->uint8ClampedArrayDescriptor(), node, sizeof(uint8_t), UnsignedTypedArray);
+ break;
+ case Array::Uint16Array:
+ compileGetByValOnIntTypedArray(m_jit.globalData()->uint16ArrayDescriptor(), node, sizeof(uint16_t), UnsignedTypedArray);
+ break;
+ case Array::Uint32Array:
+ compileGetByValOnIntTypedArray(m_jit.globalData()->uint32ArrayDescriptor(), node, sizeof(uint32_t), UnsignedTypedArray);
+ break;
+ case Array::Float32Array:
+ compileGetByValOnFloatTypedArray(m_jit.globalData()->float32ArrayDescriptor(), node, sizeof(float));
+ break;
+ case Array::Float64Array:
+ compileGetByValOnFloatTypedArray(m_jit.globalData()->float64ArrayDescriptor(), node, sizeof(double));
+ break;
+ default:
+ ASSERT_NOT_REACHED();
break;
}
-
- if (at(node.child1()).shouldSpeculateInt8Array()) {
- compileGetByValOnIntTypedArray(m_jit.globalData()->int8ArrayDescriptor(), node, sizeof(int8_t), isInt8ArraySpeculation(m_state.forNode(node.child1()).m_type) ? NoTypedArrayTypeSpecCheck : AllTypedArraySpecChecks, SignedTypedArray);
- if (!m_compileOkay)
- return;
- break;
- }
-
- if (at(node.child1()).shouldSpeculateInt16Array()) {
- compileGetByValOnIntTypedArray(m_jit.globalData()->int16ArrayDescriptor(), node, sizeof(int16_t), isInt16ArraySpeculation(m_state.forNode(node.child1()).m_type) ? NoTypedArrayTypeSpecCheck : AllTypedArraySpecChecks, SignedTypedArray);
- if (!m_compileOkay)
- return;
- break;
- }
-
- if (at(node.child1()).shouldSpeculateInt32Array()) {
- compileGetByValOnIntTypedArray(m_jit.globalData()->int32ArrayDescriptor(), node, sizeof(int32_t), isInt32ArraySpeculation(m_state.forNode(node.child1()).m_type) ? NoTypedArrayTypeSpecCheck : AllTypedArraySpecChecks, SignedTypedArray);
- if (!m_compileOkay)
- return;
- break;
- }
-
- if (at(node.child1()).shouldSpeculateUint8Array()) {
- compileGetByValOnIntTypedArray(m_jit.globalData()->uint8ArrayDescriptor(), node, sizeof(uint8_t), isUint8ArraySpeculation(m_state.forNode(node.child1()).m_type) ? NoTypedArrayTypeSpecCheck : AllTypedArraySpecChecks, UnsignedTypedArray);
- if (!m_compileOkay)
- return;
- break;
- }
-
- if (at(node.child1()).shouldSpeculateUint8ClampedArray()) {
- compileGetByValOnIntTypedArray(m_jit.globalData()->uint8ClampedArrayDescriptor(), node, sizeof(uint8_t), isUint8ClampedArraySpeculation(m_state.forNode(node.child1()).m_type) ? NoTypedArrayTypeSpecCheck : AllTypedArraySpecChecks, UnsignedTypedArray);
- if (!m_compileOkay)
- return;
- break;
- }
-
- if (at(node.child1()).shouldSpeculateUint16Array()) {
- compileGetByValOnIntTypedArray(m_jit.globalData()->uint16ArrayDescriptor(), node, sizeof(uint16_t), isUint16ArraySpeculation(m_state.forNode(node.child1()).m_type) ? NoTypedArrayTypeSpecCheck : AllTypedArraySpecChecks, UnsignedTypedArray);
- if (!m_compileOkay)
- return;
- break;
- }
-
- if (at(node.child1()).shouldSpeculateUint32Array()) {
- compileGetByValOnIntTypedArray(m_jit.globalData()->uint32ArrayDescriptor(), node, sizeof(uint32_t), isUint32ArraySpeculation(m_state.forNode(node.child1()).m_type) ? NoTypedArrayTypeSpecCheck : AllTypedArraySpecChecks, UnsignedTypedArray);
- if (!m_compileOkay)
- return;
- break;
- }
-
- if (at(node.child1()).shouldSpeculateFloat32Array()) {
- compileGetByValOnFloatTypedArray(m_jit.globalData()->float32ArrayDescriptor(), node, sizeof(float), isFloat32ArraySpeculation(m_state.forNode(node.child1()).m_type) ? NoTypedArrayTypeSpecCheck : AllTypedArraySpecChecks);
- if (!m_compileOkay)
- return;
- break;
- }
-
- if (at(node.child1()).shouldSpeculateFloat64Array()) {
- compileGetByValOnFloatTypedArray(m_jit.globalData()->float64ArrayDescriptor(), node, sizeof(double), isFloat64ArraySpeculation(m_state.forNode(node.child1()).m_type) ? NoTypedArrayTypeSpecCheck : AllTypedArraySpecChecks);
- if (!m_compileOkay)
- return;
- break;
- }
-
- SpeculateCellOperand base(this, node.child1());
- SpeculateStrictInt32Operand property(this, node.child2());
- StorageOperand storage(this, node.child3());
-
- GPRReg baseReg = base.gpr();
- GPRReg propertyReg = property.gpr();
- GPRReg storageReg = storage.gpr();
-
- if (!m_compileOkay)
- return;
-
- // We will have already speculated that the base is some kind of array,
- // at this point.
-
- speculationCheck(Uncountable, JSValueRegs(), NoNode, m_jit.branch32(MacroAssembler::AboveOrEqual, propertyReg, MacroAssembler::Address(baseReg, JSArray::vectorLengthOffset())));
-
- GPRTemporary result(this);
- m_jit.loadPtr(MacroAssembler::BaseIndex(storageReg, propertyReg, MacroAssembler::ScalePtr, OBJECT_OFFSETOF(ArrayStorage, m_vector[0])), result.gpr());
- speculationCheck(Uncountable, JSValueRegs(), NoNode, m_jit.branchTestPtr(MacroAssembler::Zero, result.gpr()));
-
- jsValueResult(result.gpr(), m_compileIndex);
break;
}
case PutByVal:
- case PutByValSafe: {
+ case PutByValAlias: {
Edge child1 = m_jit.graph().varArgChild(node, 0);
Edge child2 = m_jit.graph().varArgChild(node, 1);
Edge child3 = m_jit.graph().varArgChild(node, 2);
- if (!at(child1).prediction() || !at(child2).prediction()) {
- terminateSpeculativeExecution(InadequateCoverage, JSValueRegs(), NoNode);
- break;
- }
+ Array::Mode arrayMode = modeForPut(node.arrayMode());
+ bool alreadyHandled = false;
- if (!at(child2).shouldSpeculateInteger()) {
+ switch (arrayMode) {
+ case Array::Undecided:
+ case Array::ForceExit:
+ ASSERT_NOT_REACHED();
+ terminateSpeculativeExecution(InadequateCoverage, JSValueRegs(), NoNode);
+ alreadyHandled = true;
+ break;
+ case Array::Generic: {
+ ASSERT(node.op() == PutByVal);
+
JSValueOperand arg1(this, child1);
JSValueOperand arg2(this, child2);
JSValueOperand arg3(this, child3);
@@ -2517,19 +2488,97 @@
callOperation(m_jit.strictModeFor(node.codeOrigin) ? operationPutByValStrict : operationPutByValNonStrict, arg1GPR, arg2GPR, arg3GPR);
noResult(m_compileIndex);
+ alreadyHandled = true;
break;
}
-
+ default:
+ break;
+ }
+
+ if (alreadyHandled)
+ break;
+
SpeculateCellOperand base(this, child1);
SpeculateStrictInt32Operand property(this, child2);
- if (at(child1).shouldSpeculateArguments()) {
- dataLog(" in here ");
+
+ GPRReg baseReg = base.gpr();
+ GPRReg propertyReg = property.gpr();
+
+ speculateArray(arrayMode, child1, baseReg);
+
+ switch (arrayMode) {
+ case Array::JSArray:
+ case Array::JSArrayOutOfBounds: {
+ JSValueOperand value(this, child3);
+ GPRTemporary scratch(this);
+
+ // Map base, property & value into registers, allocate a scratch register.
+ GPRReg valueReg = value.gpr();
+ GPRReg scratchReg = scratch.gpr();
+
+ if (!m_compileOkay)
+ return;
+
+ writeBarrier(baseReg, value.gpr(), child3, WriteBarrierForPropertyAccess, scratchReg);
+
+ if (node.op() == PutByValAlias) {
+ GPRReg storageReg = scratchReg;
+ m_jit.loadPtr(MacroAssembler::Address(baseReg, JSArray::storageOffset()), storageReg);
+
+ // Store the value to the array.
+ GPRReg propertyReg = property.gpr();
+ GPRReg valueReg = value.gpr();
+ m_jit.storePtr(valueReg, MacroAssembler::BaseIndex(storageReg, propertyReg, MacroAssembler::ScalePtr, OBJECT_OFFSETOF(ArrayStorage, m_vector[0])));
+
+ noResult(m_compileIndex);
+ break;
+ }
+
+ MacroAssembler::Jump beyondArrayBounds = m_jit.branch32(MacroAssembler::AboveOrEqual, propertyReg, MacroAssembler::Address(baseReg, JSArray::vectorLengthOffset()));
+ if (arrayMode == Array::JSArray)
+ speculationCheck(OutOfBounds, JSValueRegs(), NoNode, beyondArrayBounds);
+
+ base.use();
+ property.use();
+ value.use();
+
+ // Get the array storage.
+ GPRReg storageReg = scratchReg;
+ m_jit.loadPtr(MacroAssembler::Address(baseReg, JSArray::storageOffset()), storageReg);
+
+ // Check if we're writing to a hole; if so increment m_numValuesInVector.
+ MacroAssembler::Jump notHoleValue = m_jit.branchTestPtr(MacroAssembler::NonZero, MacroAssembler::BaseIndex(storageReg, propertyReg, MacroAssembler::ScalePtr, OBJECT_OFFSETOF(ArrayStorage, m_vector[0])));
+ m_jit.add32(TrustedImm32(1), MacroAssembler::Address(storageReg, OBJECT_OFFSETOF(ArrayStorage, m_numValuesInVector)));
+
+ // If we're writing to a hole we might be growing the array;
+ MacroAssembler::Jump lengthDoesNotNeedUpdate = m_jit.branch32(MacroAssembler::Below, propertyReg, MacroAssembler::Address(storageReg, OBJECT_OFFSETOF(ArrayStorage, m_length)));
+ m_jit.add32(TrustedImm32(1), propertyReg);
+ m_jit.store32(propertyReg, MacroAssembler::Address(storageReg, OBJECT_OFFSETOF(ArrayStorage, m_length)));
+ m_jit.sub32(TrustedImm32(1), propertyReg);
+
+ lengthDoesNotNeedUpdate.link(&m_jit);
+ notHoleValue.link(&m_jit);
+
+ // Store the value to the array.
+ m_jit.storePtr(valueReg, MacroAssembler::BaseIndex(storageReg, propertyReg, MacroAssembler::ScalePtr, OBJECT_OFFSETOF(ArrayStorage, m_vector[0])));
+
+ if (arrayMode == Array::JSArrayOutOfBounds) {
+ addSlowPathGenerator(
+ slowPathCall(
+ beyondArrayBounds, this,
+ m_jit.codeBlock()->isStrictMode() ? operationPutByValBeyondArrayBoundsStrict : operationPutByValBeyondArrayBoundsNonStrict,
+ NoResult, baseReg, propertyReg, valueReg));
+ }
+
+ noResult(m_compileIndex, UseChildrenCalledExplicitly);
+ break;
+ }
+
+ case Array::Arguments: {
JSValueOperand value(this, child3);
GPRTemporary scratch(this);
GPRTemporary scratch2(this);
- GPRReg baseReg = base.gpr();
- GPRReg propertyReg = property.gpr();
GPRReg valueReg = value.gpr();
GPRReg scratchReg = scratch.gpr();
GPRReg scratch2Reg = scratch2.gpr();
@@ -2537,15 +2586,6 @@
if (!m_compileOkay)
return;
- if (!isArgumentsSpeculation(m_state.forNode(child1).m_type)) {
- speculationCheck(
- BadType, JSValueSource::unboxedCell(baseReg), child1,
- m_jit.branchPtr(
- MacroAssembler::NotEqual,
- MacroAssembler::Address(baseReg, JSCell::classInfoOffset()),
- MacroAssembler::TrustedImmPtr(&Arguments::s_info)));
- }
-
m_jit.loadPtr(
MacroAssembler::Address(baseReg, Arguments::offsetOfData()),
scratchReg);
@@ -2579,225 +2619,51 @@
noResult(m_compileIndex);
break;
}
-
- if (at(child1).shouldSpeculateInt8Array()) {
- compilePutByValForIntTypedArray(m_jit.globalData()->int8ArrayDescriptor(), base.gpr(), property.gpr(), node, sizeof(int8_t), isInt8ArraySpeculation(m_state.forNode(child1).m_type) ? NoTypedArrayTypeSpecCheck : AllTypedArraySpecChecks, SignedTypedArray);
- if (!m_compileOkay)
- return;
- break;
- }
-
- if (at(child1).shouldSpeculateInt16Array()) {
- compilePutByValForIntTypedArray(m_jit.globalData()->int16ArrayDescriptor(), base.gpr(), property.gpr(), node, sizeof(int16_t), isInt16ArraySpeculation(m_state.forNode(child1).m_type) ? NoTypedArrayTypeSpecCheck : AllTypedArraySpecChecks, SignedTypedArray);
- if (!m_compileOkay)
- return;
- break;
- }
-
- if (at(child1).shouldSpeculateInt32Array()) {
- compilePutByValForIntTypedArray(m_jit.globalData()->int32ArrayDescriptor(), base.gpr(), property.gpr(), node, sizeof(int32_t), isInt32ArraySpeculation(m_state.forNode(child1).m_type) ? NoTypedArrayTypeSpecCheck : AllTypedArraySpecChecks, SignedTypedArray);
- if (!m_compileOkay)
- return;
- break;
- }
-
- if (at(child1).shouldSpeculateUint8Array()) {
- compilePutByValForIntTypedArray(m_jit.globalData()->uint8ArrayDescriptor(), base.gpr(), property.gpr(), node, sizeof(uint8_t), isUint8ArraySpeculation(m_state.forNode(child1).m_type) ? NoTypedArrayTypeSpecCheck : AllTypedArraySpecChecks, UnsignedTypedArray);
- if (!m_compileOkay)
- return;
- break;
- }
-
- if (at(child1).shouldSpeculateUint8ClampedArray()) {
- compilePutByValForIntTypedArray(m_jit.globalData()->uint8ClampedArrayDescriptor(), base.gpr(), property.gpr(), node, sizeof(uint8_t), isUint8ClampedArraySpeculation(m_state.forNode(child1).m_type) ? NoTypedArrayTypeSpecCheck : AllTypedArraySpecChecks, UnsignedTypedArray, ClampRounding);
- break;
- }
-
- if (at(child1).shouldSpeculateUint16Array()) {
- compilePutByValForIntTypedArray(m_jit.globalData()->uint16ArrayDescriptor(), base.gpr(), property.gpr(), node, sizeof(uint16_t), isUint16ArraySpeculation(m_state.forNode(child1).m_type) ? NoTypedArrayTypeSpecCheck : AllTypedArraySpecChecks, UnsignedTypedArray);
- if (!m_compileOkay)
- return;
- break;
- }
-
- if (at(child1).shouldSpeculateUint32Array()) {
- compilePutByValForIntTypedArray(m_jit.globalData()->uint32ArrayDescriptor(), base.gpr(), property.gpr(), node, sizeof(uint32_t), isUint32ArraySpeculation(m_state.forNode(child1).m_type) ? NoTypedArrayTypeSpecCheck : AllTypedArraySpecChecks, UnsignedTypedArray);
- if (!m_compileOkay)
- return;
- break;
- }
-
- if (at(child1).shouldSpeculateFloat32Array()) {
- compilePutByValForFloatTypedArray(m_jit.globalData()->float32ArrayDescriptor(), base.gpr(), property.gpr(), node, sizeof(float), isFloat32ArraySpeculation(m_state.forNode(child1).m_type) ? NoTypedArrayTypeSpecCheck : AllTypedArraySpecChecks);
- if (!m_compileOkay)
- return;
- break;
- }
-
- if (at(child1).shouldSpeculateFloat64Array()) {
- compilePutByValForFloatTypedArray(m_jit.globalData()->float64ArrayDescriptor(), base.gpr(), property.gpr(), node, sizeof(double), isFloat64ArraySpeculation(m_state.forNode(child1).m_type) ? NoTypedArrayTypeSpecCheck : AllTypedArraySpecChecks);
- if (!m_compileOkay)
- return;
- break;
- }
- JSValueOperand value(this, child3);
- GPRTemporary scratch(this);
-
- // Map base, property & value into registers, allocate a scratch register.
- GPRReg baseReg = base.gpr();
- GPRReg propertyReg = property.gpr();
- GPRReg valueReg = value.gpr();
- GPRReg scratchReg = scratch.gpr();
-
- if (!m_compileOkay)
- return;
-
- writeBarrier(baseReg, value.gpr(), child3, WriteBarrierForPropertyAccess, scratchReg);
-
- speculateArray(child1, baseReg);
-
- MacroAssembler::Jump beyondArrayBounds = m_jit.branch32(MacroAssembler::AboveOrEqual, propertyReg, MacroAssembler::Address(baseReg, JSArray::vectorLengthOffset()));
- if (node.op() == PutByVal)
- speculationCheck(OutOfBounds, JSValueRegs(), NoNode, beyondArrayBounds);
-
- base.use();
- property.use();
- value.use();
-
- // Get the array storage.
- GPRReg storageReg = scratchReg;
- m_jit.loadPtr(MacroAssembler::Address(baseReg, JSArray::storageOffset()), storageReg);
-
- // Check if we're writing to a hole; if so increment m_numValuesInVector.
- MacroAssembler::Jump notHoleValue = m_jit.branchTestPtr(MacroAssembler::NonZero, MacroAssembler::BaseIndex(storageReg, propertyReg, MacroAssembler::ScalePtr, OBJECT_OFFSETOF(ArrayStorage, m_vector[0])));
- m_jit.add32(TrustedImm32(1), MacroAssembler::Address(storageReg, OBJECT_OFFSETOF(ArrayStorage, m_numValuesInVector)));
-
- // If we're writing to a hole we might be growing the array;
- MacroAssembler::Jump lengthDoesNotNeedUpdate = m_jit.branch32(MacroAssembler::Below, propertyReg, MacroAssembler::Address(storageReg, OBJECT_OFFSETOF(ArrayStorage, m_length)));
- m_jit.add32(TrustedImm32(1), propertyReg);
- m_jit.store32(propertyReg, MacroAssembler::Address(storageReg, OBJECT_OFFSETOF(ArrayStorage, m_length)));
- m_jit.sub32(TrustedImm32(1), propertyReg);
-
- lengthDoesNotNeedUpdate.link(&m_jit);
- notHoleValue.link(&m_jit);
-
- // Store the value to the array.
- m_jit.storePtr(valueReg, MacroAssembler::BaseIndex(storageReg, propertyReg, MacroAssembler::ScalePtr, OBJECT_OFFSETOF(ArrayStorage, m_vector[0])));
-
- if (node.op() == PutByValSafe) {
- addSlowPathGenerator(
- slowPathCall(
- beyondArrayBounds, this,
- m_jit.codeBlock()->isStrictMode() ? operationPutByValBeyondArrayBoundsStrict : operationPutByValBeyondArrayBoundsNonStrict,
- NoResult, baseReg, propertyReg, valueReg));
- }
-
- noResult(m_compileIndex, UseChildrenCalledExplicitly);
- break;
- }
-
- case PutByValAlias: {
- Edge child1 = m_jit.graph().varArgChild(node, 0);
- Edge child2 = m_jit.graph().varArgChild(node, 1);
- Edge child3 = m_jit.graph().varArgChild(node, 2);
-
- if (!at(child1).prediction() || !at(child2).prediction()) {
- terminateSpeculativeExecution(InadequateCoverage, JSValueRegs(), NoNode);
+ case Array::Int8Array:
+ compilePutByValForIntTypedArray(m_jit.globalData()->int8ArrayDescriptor(), base.gpr(), property.gpr(), node, sizeof(int8_t), SignedTypedArray);
break;
- }
-
- ASSERT(isActionableMutableArraySpeculation(at(child1).prediction()));
- ASSERT(at(child2).shouldSpeculateInteger());
-
- SpeculateCellOperand base(this, child1);
- SpeculateStrictInt32Operand property(this, child2);
- if (at(child1).shouldSpeculateInt8Array()) {
- compilePutByValForIntTypedArray(m_jit.globalData()->int8ArrayDescriptor(), base.gpr(), property.gpr(), node, sizeof(int8_t), NoTypedArraySpecCheck, SignedTypedArray);
- if (!m_compileOkay)
- return;
- break;
- }
-
- if (at(child1).shouldSpeculateInt16Array()) {
- compilePutByValForIntTypedArray(m_jit.globalData()->int16ArrayDescriptor(), base.gpr(), property.gpr(), node, sizeof(int16_t), NoTypedArraySpecCheck, SignedTypedArray);
- if (!m_compileOkay)
- return;
- break;
- }
-
- if (at(child1).shouldSpeculateInt32Array()) {
- compilePutByValForIntTypedArray(m_jit.globalData()->int32ArrayDescriptor(), base.gpr(), property.gpr(), node, sizeof(int32_t), NoTypedArraySpecCheck, SignedTypedArray);
- if (!m_compileOkay)
- return;
- break;
- }
-
- if (at(child1).shouldSpeculateUint8Array()) {
- compilePutByValForIntTypedArray(m_jit.globalData()->uint8ArrayDescriptor(), base.gpr(), property.gpr(), node, sizeof(uint8_t), NoTypedArraySpecCheck, UnsignedTypedArray);
- if (!m_compileOkay)
- return;
- break;
- }
-
- if (at(child1).shouldSpeculateUint8ClampedArray()) {
- compilePutByValForIntTypedArray(m_jit.globalData()->uint8ClampedArrayDescriptor(), base.gpr(), property.gpr(), node, sizeof(uint8_t), NoTypedArraySpecCheck, UnsignedTypedArray, ClampRounding);
- if (!m_compileOkay)
- return;
+
+ case Array::Int16Array:
+ compilePutByValForIntTypedArray(m_jit.globalData()->int16ArrayDescriptor(), base.gpr(), property.gpr(), node, sizeof(int16_t), SignedTypedArray);
+ break;
+
+ case Array::Int32Array:
+ compilePutByValForIntTypedArray(m_jit.globalData()->int32ArrayDescriptor(), base.gpr(), property.gpr(), node, sizeof(int32_t), SignedTypedArray);
+ break;
+
+ case Array::Uint8Array:
+ compilePutByValForIntTypedArray(m_jit.globalData()->uint8ArrayDescriptor(), base.gpr(), property.gpr(), node, sizeof(uint8_t), UnsignedTypedArray);
+ break;
+
+ case Array::Uint8ClampedArray:
+ compilePutByValForIntTypedArray(m_jit.globalData()->uint8ClampedArrayDescriptor(), base.gpr(), property.gpr(), node, sizeof(uint8_t), UnsignedTypedArray, ClampRounding);
+ break;
+
+ case Array::Uint16Array:
+ compilePutByValForIntTypedArray(m_jit.globalData()->uint16ArrayDescriptor(), base.gpr(), property.gpr(), node, sizeof(uint16_t), UnsignedTypedArray);
+ break;
+
+ case Array::Uint32Array:
+ compilePutByValForIntTypedArray(m_jit.globalData()->uint32ArrayDescriptor(), base.gpr(), property.gpr(), node, sizeof(uint32_t), UnsignedTypedArray);
+ break;
+
+ case Array::Float32Array:
+ compilePutByValForFloatTypedArray(m_jit.globalData()->float32ArrayDescriptor(), base.gpr(), property.gpr(), node, sizeof(float));
+ break;
+
+ case Array::Float64Array:
+ compilePutByValForFloatTypedArray(m_jit.globalData()->float64ArrayDescriptor(), base.gpr(), property.gpr(), node, sizeof(double));
+ break;
+
+ default:
+ ASSERT_NOT_REACHED();
break;
}
- if (at(child1).shouldSpeculateUint16Array()) {
- compilePutByValForIntTypedArray(m_jit.globalData()->uint16ArrayDescriptor(), base.gpr(), property.gpr(), node, sizeof(uint16_t), NoTypedArraySpecCheck, UnsignedTypedArray);
- if (!m_compileOkay)
- return;
- break;
- }
-
- if (at(child1).shouldSpeculateUint32Array()) {
- compilePutByValForIntTypedArray(m_jit.globalData()->uint32ArrayDescriptor(), base.gpr(), property.gpr(), node, sizeof(uint32_t), NoTypedArraySpecCheck, UnsignedTypedArray);
- if (!m_compileOkay)
- return;
- break;
- }
-
- if (at(child1).shouldSpeculateFloat32Array()) {
- compilePutByValForFloatTypedArray(m_jit.globalData()->float32ArrayDescriptor(), base.gpr(), property.gpr(), node, sizeof(float), NoTypedArraySpecCheck);
- if (!m_compileOkay)
- return;
- break;
- }
-
- if (at(child1).shouldSpeculateFloat64Array()) {
- compilePutByValForFloatTypedArray(m_jit.globalData()->float64ArrayDescriptor(), base.gpr(), property.gpr(), node, sizeof(double), NoTypedArraySpecCheck);
- if (!m_compileOkay)
- return;
- break;
- }
-
- ASSERT(at(child1).shouldSpeculateArray());
-
- JSValueOperand value(this, child3);
- GPRTemporary scratch(this);
-
- GPRReg baseReg = base.gpr();
- GPRReg scratchReg = scratch.gpr();
-
- writeBarrier(base.gpr(), value.gpr(), child3, WriteBarrierForPropertyAccess, scratchReg);
-
- // Get the array storage.
- GPRReg storageReg = scratchReg;
- m_jit.loadPtr(MacroAssembler::Address(baseReg, JSArray::storageOffset()), storageReg);
-
- // Store the value to the array.
- GPRReg propertyReg = property.gpr();
- GPRReg valueReg = value.gpr();
- m_jit.storePtr(valueReg, MacroAssembler::BaseIndex(storageReg, propertyReg, MacroAssembler::ScalePtr, OBJECT_OFFSETOF(ArrayStorage, m_vector[0])));
-
- noResult(m_compileIndex);
break;
}
-
+
case RegExpExec: {
if (compileRegExpExec(node))
return;
@@ -2859,7 +2725,7 @@
writeBarrier(baseGPR, valueGPR, node.child2(), WriteBarrierForPropertyAccess, storageGPR, storageLengthGPR);
- speculateArray(node.child1(), baseGPR);
+ speculateArray(Array::JSArray, node.child1(), baseGPR);
m_jit.loadPtr(MacroAssembler::Address(baseGPR, JSArray::storageOffset()), storageGPR);
m_jit.load32(MacroAssembler::Address(storageGPR, OBJECT_OFFSETOF(ArrayStorage, m_length)), storageLengthGPR);
@@ -2896,7 +2762,7 @@
GPRReg storageGPR = storage.gpr();
GPRReg storageLengthGPR = storageLength.gpr();
- speculateArray(node.child1(), baseGPR);
+ speculateArray(Array::JSArray, node.child1(), baseGPR);
m_jit.loadPtr(MacroAssembler::Address(baseGPR, JSArray::storageOffset()), storageGPR);
m_jit.load32(MacroAssembler::Address(storageGPR, OBJECT_OFFSETOF(ArrayStorage, m_length)), storageLengthGPR);
@@ -3386,81 +3252,10 @@
break;
}
- case GetArrayLength: {
- SpeculateCellOperand base(this, node.child1());
- GPRTemporary result(this);
+ case GetArrayLength:
+ compileGetArrayLength(node);
+ break;
- GPRReg baseGPR = base.gpr();
- GPRReg resultGPR = result.gpr();
-
- speculateArray(node.child1(), baseGPR);
-
- m_jit.loadPtr(MacroAssembler::Address(baseGPR, JSArray::storageOffset()), resultGPR);
- m_jit.load32(MacroAssembler::Address(resultGPR, OBJECT_OFFSETOF(ArrayStorage, m_length)), resultGPR);
-
- speculationCheck(Uncountable, JSValueRegs(), NoNode, m_jit.branch32(MacroAssembler::LessThan, resultGPR, MacroAssembler::TrustedImm32(0)));
-
- integerResult(resultGPR, m_compileIndex);
- break;
- }
-
- case GetArgumentsLength: {
- compileGetArgumentsLength(node);
- break;
- }
-
- case GetStringLength: {
- SpeculateCellOperand base(this, node.child1());
- GPRTemporary result(this);
-
- GPRReg baseGPR = base.gpr();
- GPRReg resultGPR = result.gpr();
-
- if (!isStringSpeculation(m_state.forNode(node.child1()).m_type))
- speculationCheck(BadType, JSValueRegs(baseGPR), node.child1(), m_jit.branchPtr(MacroAssembler::NotEqual, MacroAssembler::Address(baseGPR, JSCell::structureOffset()), MacroAssembler::TrustedImmPtr(m_jit.globalData()->stringStructure.get())));
-
- m_jit.load32(MacroAssembler::Address(baseGPR, JSString::offsetOfLength()), resultGPR);
-
- integerResult(resultGPR, m_compileIndex);
- break;
- }
-
- case GetInt8ArrayLength: {
- compileGetTypedArrayLength(m_jit.globalData()->int8ArrayDescriptor(), node, !isInt8ArraySpeculation(m_state.forNode(node.child1()).m_type));
- break;
- }
- case GetInt16ArrayLength: {
- compileGetTypedArrayLength(m_jit.globalData()->int16ArrayDescriptor(), node, !isInt16ArraySpeculation(m_state.forNode(node.child1()).m_type));
- break;
- }
- case GetInt32ArrayLength: {
- compileGetTypedArrayLength(m_jit.globalData()->int32ArrayDescriptor(), node, !isInt32ArraySpeculation(m_state.forNode(node.child1()).m_type));
- break;
- }
- case GetUint8ArrayLength: {
- compileGetTypedArrayLength(m_jit.globalData()->uint8ArrayDescriptor(), node, !isUint8ArraySpeculation(m_state.forNode(node.child1()).m_type));
- break;
- }
- case GetUint8ClampedArrayLength: {
- compileGetTypedArrayLength(m_jit.globalData()->uint8ClampedArrayDescriptor(), node, !isUint8ClampedArraySpeculation(m_state.forNode(node.child1()).m_type));
- break;
- }
- case GetUint16ArrayLength: {
- compileGetTypedArrayLength(m_jit.globalData()->uint16ArrayDescriptor(), node, !isUint16ArraySpeculation(m_state.forNode(node.child1()).m_type));
- break;
- }
- case GetUint32ArrayLength: {
- compileGetTypedArrayLength(m_jit.globalData()->uint32ArrayDescriptor(), node, !isUint32ArraySpeculation(m_state.forNode(node.child1()).m_type));
- break;
- }
- case GetFloat32ArrayLength: {
- compileGetTypedArrayLength(m_jit.globalData()->float32ArrayDescriptor(), node, !isFloat32ArraySpeculation(m_state.forNode(node.child1()).m_type));
- break;
- }
- case GetFloat64ArrayLength: {
- compileGetTypedArrayLength(m_jit.globalData()->float64ArrayDescriptor(), node, !isFloat64ArraySpeculation(m_state.forNode(node.child1()).m_type));
- break;
- }
case CheckFunction: {
SpeculateCellOperand function(this, node.child1());
speculationCheck(BadCache, JSValueRegs(), NoNode, m_jit.branchWeakPtr(JITCompiler::NotEqual, function.gpr(), node.function()));
diff --git a/Source/JavaScriptCore/dfg/DFGStructureCheckHoistingPhase.cpp b/Source/JavaScriptCore/dfg/DFGStructureCheckHoistingPhase.cpp
index 68627f9..eb04a67 100644
--- a/Source/JavaScriptCore/dfg/DFGStructureCheckHoistingPhase.cpp
+++ b/Source/JavaScriptCore/dfg/DFGStructureCheckHoistingPhase.cpp
@@ -98,7 +98,6 @@
case GetByVal:
case PutByVal:
case PutByValAlias:
- case PutByValSafe:
case GetArrayLength:
case Phantom:
// Don't count these uses.
@@ -215,53 +214,12 @@
}
case GetByVal:
- if (!node.prediction() || !m_graph[node.child1()].prediction() || !m_graph[node.child2()].prediction())
- break;
- if (!isActionableArraySpeculation(m_graph[node.child1()].prediction()) || !m_graph[node.child2()].shouldSpeculateInteger())
- clobber(live);
- break;
-
case PutByVal:
case PutByValAlias:
- case PutByValSafe: {
- Edge child1 = m_graph.varArgChild(node, 0);
- Edge child2 = m_graph.varArgChild(node, 1);
-
- if (!m_graph[child1].prediction() || !m_graph[child2].prediction())
- break;
- if (!m_graph[child2].shouldSpeculateInteger()
-#if USE(JSVALUE32_64)
- || m_graph[child1].shouldSpeculateArguments()
-#endif
- ) {
- clobber(live);
- break;
- }
- if (node.op() != PutByValSafe)
- break;
- if (m_graph[child1].shouldSpeculateArguments())
- break;
- if (m_graph[child1].shouldSpeculateInt8Array())
- break;
- if (m_graph[child1].shouldSpeculateInt16Array())
- break;
- if (m_graph[child1].shouldSpeculateInt32Array())
- break;
- if (m_graph[child1].shouldSpeculateUint8Array())
- break;
- if (m_graph[child1].shouldSpeculateUint8ClampedArray())
- break;
- if (m_graph[child1].shouldSpeculateUint16Array())
- break;
- if (m_graph[child1].shouldSpeculateUint32Array())
- break;
- if (m_graph[child1].shouldSpeculateFloat32Array())
- break;
- if (m_graph[child1].shouldSpeculateFloat64Array())
+ if (m_graph.byValIsPure(node))
break;
clobber(live);
break;
- }
case GetMyArgumentsLengthSafe:
case GetMyArgumentByValSafe:
