DFG should optimize typedArray.byteLength
https://bugs.webkit.org/show_bug.cgi?id=119909
Source/JavaScriptCore:
Reviewed by Oliver Hunt.
This adds typedArray.byteLength inlining to the DFG, and does so without changing
the IR: byteLength is turned into GetArrayLength followed by BitLShift. This is
legal since the byteLength of a typed array cannot exceed
numeric_limits<int32_t>::max().
* bytecode/SpeculatedType.cpp:
(JSC::typedArrayTypeFromSpeculation):
* bytecode/SpeculatedType.h:
* dfg/DFGArrayMode.cpp:
(JSC::DFG::toArrayType):
* dfg/DFGArrayMode.h:
* dfg/DFGFixupPhase.cpp:
(JSC::DFG::FixupPhase::fixupNode):
(JSC::DFG::FixupPhase::attemptToMakeGetArrayLength):
(JSC::DFG::FixupPhase::attemptToMakeGetByteLength):
(JSC::DFG::FixupPhase::convertToGetArrayLength):
(JSC::DFG::FixupPhase::prependGetArrayLength):
* dfg/DFGGraph.h:
(JSC::DFG::Graph::constantRegisterForConstant):
(JSC::DFG::Graph::convertToConstant):
* runtime/TypedArrayType.h:
(JSC::logElementSize):
(JSC::elementSize):
LayoutTests:
Reviewed by Oliver Hunt.
Convert two of the tyepd array tests to use byteLength instead of length.
These tests show speed-ups around 2.5x-5x.
* fast/js/regress/Int16Array-bubble-sort-with-byteLength-expected.txt: Added.
* fast/js/regress/Int16Array-bubble-sort-with-byteLength.html: Added.
* fast/js/regress/Int8Array-load-with-byteLength-expected.txt: Added.
* fast/js/regress/Int8Array-load-with-byteLength.html: Added.
* fast/js/regress/script-tests/Int16Array-bubble-sort-with-byteLength.js: Added.
(bubbleSort):
(myRandom):
(validateSort):
* fast/js/regress/script-tests/Int8Array-load-with-byteLength.js: Added.
(adler32):
git-svn-id: http://svn.webkit.org/repository/webkit/trunk@154218 268f45cc-cd09-0410-ab3c-d52691b4dbfc
diff --git a/Source/JavaScriptCore/ChangeLog b/Source/JavaScriptCore/ChangeLog
index 9808144..e5a7cea 100644
--- a/Source/JavaScriptCore/ChangeLog
+++ b/Source/JavaScriptCore/ChangeLog
@@ -1,5 +1,36 @@
2013-08-16 Filip Pizlo <fpizlo@apple.com>
+ DFG should optimize typedArray.byteLength
+ https://bugs.webkit.org/show_bug.cgi?id=119909
+
+ Reviewed by Oliver Hunt.
+
+ This adds typedArray.byteLength inlining to the DFG, and does so without changing
+ the IR: byteLength is turned into GetArrayLength followed by BitLShift. This is
+ legal since the byteLength of a typed array cannot exceed
+ numeric_limits<int32_t>::max().
+
+ * bytecode/SpeculatedType.cpp:
+ (JSC::typedArrayTypeFromSpeculation):
+ * bytecode/SpeculatedType.h:
+ * dfg/DFGArrayMode.cpp:
+ (JSC::DFG::toArrayType):
+ * dfg/DFGArrayMode.h:
+ * dfg/DFGFixupPhase.cpp:
+ (JSC::DFG::FixupPhase::fixupNode):
+ (JSC::DFG::FixupPhase::attemptToMakeGetArrayLength):
+ (JSC::DFG::FixupPhase::attemptToMakeGetByteLength):
+ (JSC::DFG::FixupPhase::convertToGetArrayLength):
+ (JSC::DFG::FixupPhase::prependGetArrayLength):
+ * dfg/DFGGraph.h:
+ (JSC::DFG::Graph::constantRegisterForConstant):
+ (JSC::DFG::Graph::convertToConstant):
+ * runtime/TypedArrayType.h:
+ (JSC::logElementSize):
+ (JSC::elementSize):
+
+2013-08-16 Filip Pizlo <fpizlo@apple.com>
+
DFG optimizes out strict mode arguments tear off
https://bugs.webkit.org/show_bug.cgi?id=119504
diff --git a/Source/JavaScriptCore/bytecode/SpeculatedType.cpp b/Source/JavaScriptCore/bytecode/SpeculatedType.cpp
index eb7bc3c..bb9cab5 100644
--- a/Source/JavaScriptCore/bytecode/SpeculatedType.cpp
+++ b/Source/JavaScriptCore/bytecode/SpeculatedType.cpp
@@ -334,5 +334,37 @@
return SpecOther;
}
+TypedArrayType typedArrayTypeFromSpeculation(SpeculatedType type)
+{
+ if (isInt8ArraySpeculation(type))
+ return TypeInt8;
+
+ if (isInt16ArraySpeculation(type))
+ return TypeInt16;
+
+ if (isInt32ArraySpeculation(type))
+ return TypeInt32;
+
+ if (isUint8ArraySpeculation(type))
+ return TypeUint8;
+
+ if (isUint8ClampedArraySpeculation(type))
+ return TypeUint8Clamped;
+
+ if (isUint16ArraySpeculation(type))
+ return TypeUint16;
+
+ if (isUint32ArraySpeculation(type))
+ return TypeUint32;
+
+ if (isFloat32ArraySpeculation(type))
+ return TypeFloat32;
+
+ if (isFloat64ArraySpeculation(type))
+ return TypeFloat64;
+
+ return NotTypedArray;
+}
+
} // namespace JSC
diff --git a/Source/JavaScriptCore/bytecode/SpeculatedType.h b/Source/JavaScriptCore/bytecode/SpeculatedType.h
index b3dac36..bf31c5d 100644
--- a/Source/JavaScriptCore/bytecode/SpeculatedType.h
+++ b/Source/JavaScriptCore/bytecode/SpeculatedType.h
@@ -30,6 +30,7 @@
#define SpeculatedType_h
#include "JSCJSValue.h"
+#include "TypedArrayType.h"
#include <wtf/PrintStream.h>
namespace JSC {
@@ -330,6 +331,8 @@
SpeculatedType speculationFromCell(JSCell*);
SpeculatedType speculationFromValue(JSValue);
+TypedArrayType typedArrayTypeFromSpeculation(SpeculatedType);
+
} // namespace JSC
#endif // SpeculatedType_h
diff --git a/Source/JavaScriptCore/dfg/DFGArrayMode.cpp b/Source/JavaScriptCore/dfg/DFGArrayMode.cpp
index fa0fb589..2483b9d 100644
--- a/Source/JavaScriptCore/dfg/DFGArrayMode.cpp
+++ b/Source/JavaScriptCore/dfg/DFGArrayMode.cpp
@@ -484,6 +484,32 @@
}
}
+Array::Type toArrayType(TypedArrayType type)
+{
+ switch (type) {
+ case TypeInt8:
+ return Array::Int8Array;
+ case TypeInt16:
+ return Array::Int16Array;
+ case TypeInt32:
+ return Array::Int32Array;
+ case TypeUint8:
+ return Array::Uint8Array;
+ case TypeUint8Clamped:
+ return Array::Uint8ClampedArray;
+ case TypeUint16:
+ return Array::Uint16Array;
+ case TypeUint32:
+ return Array::Uint32Array;
+ case TypeFloat32:
+ return Array::Float32Array;
+ case TypeFloat64:
+ return Array::Float64Array;
+ default:
+ return Array::Generic;
+ }
+}
+
void ArrayMode::dump(PrintStream& out) const
{
out.print(type(), arrayClass(), speculation(), conversion());
diff --git a/Source/JavaScriptCore/dfg/DFGArrayMode.h b/Source/JavaScriptCore/dfg/DFGArrayMode.h
index 527595f..02a69a5 100644
--- a/Source/JavaScriptCore/dfg/DFGArrayMode.h
+++ b/Source/JavaScriptCore/dfg/DFGArrayMode.h
@@ -105,6 +105,7 @@
const char* arrayConversionToString(Array::Conversion);
TypedArrayType toTypedArrayType(Array::Type);
+Array::Type toArrayType(TypedArrayType);
class ArrayMode {
public:
diff --git a/Source/JavaScriptCore/dfg/DFGFixupPhase.cpp b/Source/JavaScriptCore/dfg/DFGFixupPhase.cpp
index fb6c6c7..62b5a00 100644
--- a/Source/JavaScriptCore/dfg/DFGFixupPhase.cpp
+++ b/Source/JavaScriptCore/dfg/DFGFixupPhase.cpp
@@ -729,56 +729,14 @@
case GetByIdFlush: {
if (!node->child1()->shouldSpeculateCell())
break;
- setUseKindAndUnboxIfProfitable<CellUse>(node->child1());
- if (!isInt32Speculation(node->prediction()))
+ if (m_graph.identifiers()[node->identifierNumber()] == vm().propertyNames->length.impl()) {
+ attemptToMakeGetArrayLength(node);
break;
- if (m_graph.identifiers()[node->identifierNumber()] != vm().propertyNames->length.impl())
- break;
- CodeBlock* profiledBlock = m_graph.baselineCodeBlockFor(node->codeOrigin);
- ArrayProfile* arrayProfile =
- profiledBlock->getArrayProfile(node->codeOrigin.bytecodeIndex);
- ArrayMode arrayMode = ArrayMode(Array::SelectUsingPredictions);
- if (arrayProfile) {
- ConcurrentJITLocker locker(profiledBlock->m_lock);
- arrayProfile->computeUpdatedPrediction(locker, profiledBlock);
- arrayMode = ArrayMode::fromObserved(locker, arrayProfile, Array::Read, false);
- if (arrayMode.type() == Array::Unprofiled) {
- // For normal array operations, it makes sense to treat Unprofiled
- // accesses as ForceExit and get more data rather than using
- // predictions and then possibly ending up with a Generic. But here,
- // we treat anything that is Unprofiled as Generic and keep the
- // GetById. I.e. ForceExit = Generic. So, there is no harm - and only
- // profit - from treating the Unprofiled case as
- // SelectUsingPredictions.
- arrayMode = ArrayMode(Array::SelectUsingPredictions);
- }
}
-
- arrayMode = arrayMode.refine(node->child1()->prediction(), node->prediction());
-
- if (arrayMode.type() == Array::Generic) {
- // Check if the input is something that we can't get array length for, but for which we
- // could insert some conversions in order to transform it into something that we can do it
- // for.
- if (node->child1()->shouldSpeculateStringObject())
- attemptToForceStringArrayModeByToStringConversion<StringObjectUse>(arrayMode, node);
- else if (node->child1()->shouldSpeculateStringOrStringObject())
- attemptToForceStringArrayModeByToStringConversion<StringOrStringObjectUse>(arrayMode, node);
+ if (m_graph.identifiers()[node->identifierNumber()] == vm().propertyNames->byteLength.impl()) {
+ attemptToMakeGetByteLength(node);
+ break;
}
-
- if (!arrayMode.supportsLength())
- break;
- node->setOp(GetArrayLength);
- ASSERT(node->flags() & NodeMustGenerate);
- node->clearFlags(NodeMustGenerate | NodeClobbersWorld);
- setUseKindAndUnboxIfProfitable<KnownCellUse>(node->child1());
- node->setArrayMode(arrayMode);
-
- Node* storage = checkArray(arrayMode, node->codeOrigin, node->child1().node(), 0, lengthNeedsStorage);
- if (!storage)
- break;
-
- node->child2() = Edge(storage);
break;
}
@@ -1448,6 +1406,105 @@
setUseKindAndUnboxIfProfitable<Int32Use>(node->child2());
return true;
}
+
+ bool attemptToMakeGetArrayLength(Node* node)
+ {
+ if (!isInt32Speculation(node->prediction()))
+ return false;
+ CodeBlock* profiledBlock = m_graph.baselineCodeBlockFor(node->codeOrigin);
+ ArrayProfile* arrayProfile =
+ profiledBlock->getArrayProfile(node->codeOrigin.bytecodeIndex);
+ ArrayMode arrayMode = ArrayMode(Array::SelectUsingPredictions);
+ if (arrayProfile) {
+ ConcurrentJITLocker locker(profiledBlock->m_lock);
+ arrayProfile->computeUpdatedPrediction(locker, profiledBlock);
+ arrayMode = ArrayMode::fromObserved(locker, arrayProfile, Array::Read, false);
+ if (arrayMode.type() == Array::Unprofiled) {
+ // For normal array operations, it makes sense to treat Unprofiled
+ // accesses as ForceExit and get more data rather than using
+ // predictions and then possibly ending up with a Generic. But here,
+ // we treat anything that is Unprofiled as Generic and keep the
+ // GetById. I.e. ForceExit = Generic. So, there is no harm - and only
+ // profit - from treating the Unprofiled case as
+ // SelectUsingPredictions.
+ arrayMode = ArrayMode(Array::SelectUsingPredictions);
+ }
+ }
+
+ arrayMode = arrayMode.refine(node->child1()->prediction(), node->prediction());
+
+ if (arrayMode.type() == Array::Generic) {
+ // Check if the input is something that we can't get array length for, but for which we
+ // could insert some conversions in order to transform it into something that we can do it
+ // for.
+ if (node->child1()->shouldSpeculateStringObject())
+ attemptToForceStringArrayModeByToStringConversion<StringObjectUse>(arrayMode, node);
+ else if (node->child1()->shouldSpeculateStringOrStringObject())
+ attemptToForceStringArrayModeByToStringConversion<StringOrStringObjectUse>(arrayMode, node);
+ }
+
+ if (!arrayMode.supportsLength())
+ return false;
+
+ convertToGetArrayLength(node, arrayMode);
+ return true;
+ }
+
+ bool attemptToMakeGetByteLength(Node* node)
+ {
+ if (!isInt32Speculation(node->prediction()))
+ return false;
+
+ TypedArrayType type = typedArrayTypeFromSpeculation(node->child1()->prediction());
+ if (!isTypedView(type))
+ return false;
+
+ if (elementSize(type) == 1) {
+ convertToGetArrayLength(node, ArrayMode(toArrayType(type)));
+ return true;
+ }
+
+ Node* length = prependGetArrayLength(
+ node->codeOrigin, node->child1().node(), ArrayMode(toArrayType(type)));
+
+ Node* shiftAmount = m_insertionSet.insertNode(
+ m_indexInBlock, SpecInt32, JSConstant, node->codeOrigin,
+ OpInfo(m_graph.constantRegisterForConstant(jsNumber(logElementSize(type)))));
+
+ // We can use a BitLShift here because typed arrays will never have a byteLength
+ // that overflows int32.
+ node->setOp(BitLShift);
+ ASSERT(node->flags() & NodeMustGenerate);
+ node->clearFlags(NodeMustGenerate | NodeClobbersWorld);
+ observeUseKindOnNode(length, Int32Use);
+ observeUseKindOnNode(shiftAmount, Int32Use);
+ node->child1() = Edge(length, Int32Use);
+ node->child2() = Edge(shiftAmount, Int32Use);
+ return true;
+ }
+
+ void convertToGetArrayLength(Node* node, ArrayMode arrayMode)
+ {
+ node->setOp(GetArrayLength);
+ ASSERT(node->flags() & NodeMustGenerate);
+ node->clearFlags(NodeMustGenerate | NodeClobbersWorld);
+ setUseKindAndUnboxIfProfitable<KnownCellUse>(node->child1());
+ node->setArrayMode(arrayMode);
+
+ Node* storage = checkArray(arrayMode, node->codeOrigin, node->child1().node(), 0, lengthNeedsStorage);
+ if (!storage)
+ return;
+
+ node->child2() = Edge(storage);
+ }
+
+ Node* prependGetArrayLength(CodeOrigin codeOrigin, Node* child, ArrayMode arrayMode)
+ {
+ Node* storage = checkArray(arrayMode, codeOrigin, child, 0, lengthNeedsStorage);
+ return m_insertionSet.insertNode(
+ m_indexInBlock, SpecInt32, GetArrayLength, codeOrigin,
+ OpInfo(arrayMode.asWord()), Edge(child, KnownCellUse), Edge(storage));
+ }
BasicBlock* m_block;
unsigned m_indexInBlock;
diff --git a/Source/JavaScriptCore/dfg/DFGGraph.h b/Source/JavaScriptCore/dfg/DFGGraph.h
index 40c197a..656f596 100644
--- a/Source/JavaScriptCore/dfg/DFGGraph.h
+++ b/Source/JavaScriptCore/dfg/DFGGraph.h
@@ -151,7 +151,7 @@
node->convertToConstant(constantNumber);
}
- void convertToConstant(Node* node, JSValue value)
+ unsigned constantRegisterForConstant(JSValue value)
{
unsigned constantRegister;
if (!m_codeBlock->findConstant(value, constantRegister)) {
@@ -161,7 +161,12 @@
m_codeBlock->ownerExecutable(),
value);
}
- convertToConstant(node, constantRegister);
+ return constantRegister;
+ }
+
+ void convertToConstant(Node* node, JSValue value)
+ {
+ convertToConstant(node, constantRegisterForConstant(value));
}
// CodeBlock is optional, but may allow additional information to be dumped (e.g. Identifier names).
diff --git a/Source/JavaScriptCore/runtime/TypedArrayType.h b/Source/JavaScriptCore/runtime/TypedArrayType.h
index a0d9900..4063e6d 100644
--- a/Source/JavaScriptCore/runtime/TypedArrayType.h
+++ b/Source/JavaScriptCore/runtime/TypedArrayType.h
@@ -64,7 +64,7 @@
}
}
-inline size_t elementSize(TypedArrayType type)
+inline unsigned logElementSize(TypedArrayType type)
{
switch (type) {
case NotTypedArray:
@@ -73,21 +73,26 @@
case TypeUint8:
case TypeUint8Clamped:
case TypeDataView:
- return 1;
+ return 0;
case TypeInt16:
case TypeUint16:
- return 2;
+ return 1;
case TypeInt32:
case TypeUint32:
case TypeFloat32:
- return 4;
+ return 2;
case TypeFloat64:
- return 8;
+ return 3;
}
RELEASE_ASSERT_NOT_REACHED();
return 0;
}
+inline size_t elementSize(TypedArrayType type)
+{
+ return static_cast<size_t>(1) << logElementSize(type);
+}
+
const ClassInfo* classInfoForType(TypedArrayType);
inline bool isInt(TypedArrayType type)
