DFG should flush SetLocals to arguments
https://bugs.webkit.org/show_bug.cgi?id=83554

Source/JavaScriptCore: 

Reviewed by Gavin Barraclough.
        
This is necessary to match baseline JIT argument capture behavior.
        
But to make this work right we need to have a story for arguments into
which we store values of different formats. This patch introduces the
notion of an ArgumentPosition - i.e. an argument in a particular inline
call frame - and forces unification of all data pertinent to selecting
the argument's data format.
        
Also fixed an amusing bug in the handling of OSR on SetLocals if there
was any insertion/deletion of nodes in the basic block. This is benign
for now but won't be eventually since the DFG is getting smarter. So
better fix it now.
        
Also fixed an amusing bug in the handling of OSR on SetLocals if they
are immediately followed by a Flush. I think this bug might have always
been there but now it'll happen more commonly, and it's covered by the
run-javascriptcore-tests.

* JavaScriptCore.xcodeproj/project.pbxproj:
* dfg/DFGAbstractState.cpp:
(JSC::DFG::AbstractState::execute):
* dfg/DFGArgumentPosition.h: Added.
(DFG):
(ArgumentPosition):
(JSC::DFG::ArgumentPosition::ArgumentPosition):
(JSC::DFG::ArgumentPosition::addVariable):
(JSC::DFG::ArgumentPosition::mergeArgumentAwareness):
* dfg/DFGByteCodeParser.cpp:
(JSC::DFG::ByteCodeParser::setLocal):
(JSC::DFG::ByteCodeParser::setArgument):
(InlineStackEntry):
(JSC::DFG::ByteCodeParser::InlineStackEntry::InlineStackEntry):
* dfg/DFGDoubleFormatState.h: Added.
(DFG):
(JSC::DFG::mergeDoubleFormatStates):
(JSC::DFG::mergeDoubleFormatState):
(JSC::DFG::doubleFormatStateToString):
* dfg/DFGGraph.h:
(Graph):
* dfg/DFGPredictionPropagationPhase.cpp:
(JSC::DFG::PredictionPropagationPhase::doRoundOfDoubleVoting):
* dfg/DFGSpeculativeJIT32_64.cpp:
(JSC::DFG::SpeculativeJIT::compile):
* dfg/DFGSpeculativeJIT64.cpp:
(JSC::DFG::SpeculativeJIT::compile):
* dfg/DFGVariableAccessData.h:
(JSC::DFG::VariableAccessData::VariableAccessData):
(JSC::DFG::VariableAccessData::predict):
(JSC::DFG::VariableAccessData::argumentAwarePrediction):
(VariableAccessData):
(JSC::DFG::VariableAccessData::mergeArgumentAwarePrediction):
(JSC::DFG::VariableAccessData::doubleFormatState):
(JSC::DFG::VariableAccessData::shouldUseDoubleFormat):
(JSC::DFG::VariableAccessData::tallyVotesForShouldUseDoubleFormat):
(JSC::DFG::VariableAccessData::mergeDoubleFormatState):
(JSC::DFG::VariableAccessData::makePredictionForDoubleFormat):

Source/WTF: 

Reviewed by Gavin Barraclough.
        
Added an isRoot() method that is a faster shorthand for saying
find() == this.

* wtf/UnionFind.h:
(WTF::UnionFind::isRoot):
(UnionFind):

LayoutTests: 

Rubber stamped by Gavin Barraclough.
        
Added a variety of tests for reassigning arguments prior to function.arguments
retrieval.

* fast/js/dfg-inline-arguments-become-double-expected.txt: Added.
* fast/js/dfg-inline-arguments-become-double.html: Added.
* fast/js/dfg-inline-arguments-become-int32-expected.txt: Added.
* fast/js/dfg-inline-arguments-become-int32.html: Added.
* fast/js/dfg-inline-arguments-reset-changetype-expected.txt: Added.
* fast/js/dfg-inline-arguments-reset-changetype.html: Added.
* fast/js/dfg-inline-arguments-reset-expected.txt: Added.
* fast/js/dfg-inline-arguments-reset.html: Added.
* fast/js/script-tests/dfg-inline-arguments-become-double.js: Added.
(foo):
(bar):
(baz):
(argsToStr):
* fast/js/script-tests/dfg-inline-arguments-become-int32.js: Added.
(foo):
(bar):
(baz):
(argsToStr):
* fast/js/script-tests/dfg-inline-arguments-reset-changetype.js: Added.
(foo):
(bar):
(baz):
(argsToStr):
* fast/js/script-tests/dfg-inline-arguments-reset.js: Added.
(foo):
(bar):
(baz):
(argsToStr):



git-svn-id: http://svn.webkit.org/repository/webkit/trunk@113796 268f45cc-cd09-0410-ab3c-d52691b4dbfc
27 files changed
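
The unification and the `isRoot()` shortcut described in the commit message above, as an added C++ sketch that is not WebKit's code. `Var`, `usesDouble`, `runDemo` and the single boolean format flag are hypothetical stand-ins for the per-variable data and the double-format state, and the four-variable scenario is constructed.

```cpp
#include <cstdio>
#include <vector>

// Hypothetical per-variable record (not WebKit's VariableAccessData).
struct Var {
    Var* parent = nullptr;     // nullptr: this node is the root of its set
    bool wantsDouble = false;  // authoritative on the root only

    Var* find() {
        Var* root = this;
        while (root->parent) root = root->parent;
        for (Var* v = this; v != root;) {  // path compression
            Var* next = v->parent;
            v->parent = root;
            v = next;
        }
        return root;
    }
    // Same answer as find() == this, with no walk and no pointer rewrites.
    bool isRoot() const { return !parent; }

    void unify(Var* other) {
        Var* a = find();
        Var* b = other->find();
        if (a == b) return;
        b->wantsDouble = a->wantsDouble || b->wantsDouble;  // merge, then link
        a->parent = b;
    }
    bool usesDouble() { return find()->wantsDouble; }
};

struct Result { int decisions; bool formatsConsistent; bool shortcutMatches; };

// Constructed scenario: vars 0..2 all write argument slot 0, var 3 is unrelated.
Result runDemo() {
    std::vector<Var> vars(4);
    vars[1].wantsDouble = true;  // one store to the argument is a double
    vars[0].unify(&vars[1]);
    vars[2].unify(&vars[0]);
    Result r{0, true, true};
    for (Var& v : vars) {
        if (v.isRoot()) ++r.decisions;  // one format decision per set
        r.shortcutMatches = r.shortcutMatches && (v.isRoot() == (v.find() == &v));
    }
    for (int i = 0; i < 3; ++i) r.formatsConsistent = r.formatsConsistent && vars[i].usesDouble();
    r.formatsConsistent = r.formatsConsistent && !vars[3].usesDouble();
    return r;
}

int main() {
    Result r = runDemo();
    std::printf("decisions=%d consistent=%d match=%d\n", r.decisions, r.formatsConsistent, r.shortcutMatches);
}
```

Every variable unified into the argument's set reports the same format, so a value stored to the slot in one format is never read back under another.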