Typed arrays should not be 20x slower in the baseline JIT than in the DFG JIT
https://bugs.webkit.org/show_bug.cgi?id=98605
Reviewed by Oliver Hunt and Gavin Barraclough.
This adds typed array get_by_val/put_by_val patching to the baseline JIT. It's
a big (~40%) win on benchmarks that have trouble staying in the DFG JIT. Even
if we fix those benchmarks, this functionality gives us the insurance that we
typically desire with all speculative optimizations: even if we bail to
baseline, we're still reasonably performant.
* CMakeLists.txt:
* GNUmakefile.list.am:
* JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.vcproj:
* JavaScriptCore.xcodeproj/project.pbxproj:
* Target.pri:
* assembler/MacroAssembler.cpp: Added.
(JSC):
* assembler/MacroAssembler.h:
(MacroAssembler):
(JSC::MacroAssembler::patchableBranchPtr):
* assembler/MacroAssemblerARMv7.h:
(MacroAssemblerARMv7):
(JSC::MacroAssemblerARMv7::moveDoubleToInts):
(JSC::MacroAssemblerARMv7::moveIntsToDouble):
(JSC::MacroAssemblerARMv7::patchableBranchPtr):
* assembler/MacroAssemblerX86.h:
(MacroAssemblerX86):
(JSC::MacroAssemblerX86::moveDoubleToInts):
(JSC::MacroAssemblerX86::moveIntsToDouble):
* bytecode/ByValInfo.h:
(JSC::hasOptimizableIndexingForClassInfo):
(JSC):
(JSC::hasOptimizableIndexing):
(JSC::jitArrayModeForClassInfo):
(JSC::jitArrayModeForStructure):
(JSC::ByValInfo::ByValInfo):
(ByValInfo):
* dfg/DFGAssemblyHelpers.cpp:
(DFG):
* dfg/DFGAssemblyHelpers.h:
(AssemblyHelpers):
(JSC::DFG::AssemblyHelpers::boxDouble):
(JSC::DFG::AssemblyHelpers::unboxDouble):
* dfg/DFGSpeculativeJIT.cpp:
(JSC::DFG::SpeculativeJIT::compileGetByValOnIntTypedArray):
(JSC::DFG::SpeculativeJIT::compilePutByValForIntTypedArray):
* dfg/DFGSpeculativeJIT.h:
(SpeculativeJIT):
* jit/JIT.h:
(JIT):
* jit/JITPropertyAccess.cpp:
(JSC::JIT::emit_op_get_by_val):
(JSC::JIT::emit_op_put_by_val):
(JSC::JIT::privateCompileGetByVal):
(JSC::JIT::privateCompilePutByVal):
(JSC::JIT::emitIntTypedArrayGetByVal):
(JSC):
(JSC::JIT::emitFloatTypedArrayGetByVal):
(JSC::JIT::emitIntTypedArrayPutByVal):
(JSC::JIT::emitFloatTypedArrayPutByVal):
* jit/JITPropertyAccess32_64.cpp:
(JSC::JIT::emit_op_get_by_val):
(JSC::JIT::emit_op_put_by_val):
* jit/JITStubs.cpp:
(JSC::DEFINE_STUB_FUNCTION):
* runtime/JSCell.h:
* runtime/JSGlobalData.h:
(JSGlobalData):
(JSC::JSGlobalData::typedArrayDescriptor):
* runtime/TypedArrayDescriptor.h: Added.
(JSC):
(JSC::TypedArrayDescriptor::TypedArrayDescriptor):
(TypedArrayDescriptor):
git-svn-id: http://svn.webkit.org/repository/webkit/trunk@130839 268f45cc-cd09-0410-ab3c-d52691b4dbfc
diff --git a/Source/JavaScriptCore/jit/JIT.h b/Source/JavaScriptCore/jit/JIT.h
index 49424c8..410d101 100644
--- a/Source/JavaScriptCore/jit/JIT.h
+++ b/Source/JavaScriptCore/jit/JIT.h
@@ -497,6 +497,8 @@
// case contains result in regT0, and it is not yet profiled.
JumpList emitContiguousGetByVal(Instruction*, PatchableJump& badType);
JumpList emitArrayStorageGetByVal(Instruction*, PatchableJump& badType);
+ JumpList emitIntTypedArrayGetByVal(Instruction*, PatchableJump& badType, const TypedArrayDescriptor&, size_t elementSize, TypedArraySignedness);
+ JumpList emitFloatTypedArrayGetByVal(Instruction*, PatchableJump& badType, const TypedArrayDescriptor&, size_t elementSize);
// Property is in regT0, base is in regT0. regT2 contains indecing type.
// The value to store is not yet loaded. Property is int-checked and
@@ -504,7 +506,9 @@
// returns the slow cases.
JumpList emitContiguousPutByVal(Instruction*, PatchableJump& badType);
JumpList emitArrayStoragePutByVal(Instruction*, PatchableJump& badType);
-
+ JumpList emitIntTypedArrayPutByVal(Instruction*, PatchableJump& badType, const TypedArrayDescriptor&, size_t elementSize, TypedArraySignedness, TypedArrayRounding);
+ JumpList emitFloatTypedArrayPutByVal(Instruction*, PatchableJump& badType, const TypedArrayDescriptor&, size_t elementSize);
+
enum FinalObjectMode { MayBeFinal, KnownNotFinal };
#if USE(JSVALUE32_64)
