The relationship between abstract values and structure transition watchpoints should be rationalized https://bugs.webkit.org/show_bug.cgi?id=94205 Reviewed by Geoffrey Garen. This patch does a number of things related to the handling of the abstract values arrising from values with structures known to be watchpointable: - This rationalizes the relationship between the structure that we know an object to have *right now* based on having executed a check against that structure, and the structure that we know the object could have *in the future* based on a type check executed in the past over a structure that was watchpointable. - We use the above to assert that structure transition watchpoints are being used soundly. - We use the above to strength reduce CheckStructure into StructureTransitionWatchpoint whenever possible. - This rationalizes the handling of CFA over constants that appeared in the bytecode. If at compile-time the constant has a watchpointable structure, then we can prove what structures it may have in the future. The analysis uses this to both assert that structure transition watchpoints are being used correctly, and to find opportunities for using them more aggressively. The net effect of all of these changes is that OSR entry should work more smoothly. It may also be a slight win due to strength reductions, though most of those strength reductions would have already been done by the parser and the structure check hoister. * GNUmakefile.list.am: * JavaScriptCore.xcodeproj/project.pbxproj: * dfg/DFGAbstractState.cpp: (JSC::DFG::AbstractState::beginBasicBlock): (JSC::DFG::AbstractState::execute): * dfg/DFGAbstractValue.h: (DFG): (JSC::DFG::AbstractValue::clear): (JSC::DFG::AbstractValue::isClear): (JSC::DFG::AbstractValue::makeTop): (JSC::DFG::AbstractValue::clobberStructures): (JSC::DFG::AbstractValue::isTop): (JSC::DFG::AbstractValue::setFuturePossibleStructure): (AbstractValue): (JSC::DFG::AbstractValue::filterFuturePossibleStructure): (JSC::DFG::AbstractValue::setMostSpecific): (JSC::DFG::AbstractValue::set): (JSC::DFG::AbstractValue::operator==): (JSC::DFG::AbstractValue::merge): (JSC::DFG::AbstractValue::filter): (JSC::DFG::AbstractValue::filterValueByType): (JSC::DFG::AbstractValue::validateType): (JSC::DFG::AbstractValue::validate): (JSC::DFG::AbstractValue::checkConsistency): (JSC::DFG::AbstractValue::dump): * dfg/DFGArgumentsSimplificationPhase.cpp: (JSC::DFG::ArgumentsSimplificationPhase::run): * dfg/DFGCSEPhase.cpp: (JSC::DFG::CSEPhase::checkStructureLoadElimination): (JSC::DFG::CSEPhase::structureTransitionWatchpointElimination): (JSC::DFG::CSEPhase::performNodeCSE): * dfg/DFGConstantFoldingPhase.cpp: (JSC::DFG::ConstantFoldingPhase::foldConstants): * dfg/DFGNode.h: (JSC::DFG::Node::convertToStructureTransitionWatchpoint): (Node): (JSC::DFG::Node::hasStructure): * dfg/DFGNodeType.h: (DFG): * dfg/DFGOSREntry.cpp: (JSC::DFG::prepareOSREntry): * dfg/DFGPredictionPropagationPhase.cpp: (JSC::DFG::PredictionPropagationPhase::propagate): * dfg/DFGSpeculativeJIT.cpp: (JSC::DFG::SpeculativeJIT::convertLastOSRExitToForward): (JSC::DFG::SpeculativeJIT::forwardSpeculationWatchpoint): (DFG): (JSC::DFG::SpeculativeJIT::speculationWatchpointWithConditionalDirection): (JSC::DFG::SpeculativeJIT::forwardSpeculationCheck): (JSC::DFG::SpeculativeJIT::speculateArray): * dfg/DFGSpeculativeJIT.h: (SpeculativeJIT): * dfg/DFGSpeculativeJIT32_64.cpp: (JSC::DFG::SpeculativeJIT::compile): * dfg/DFGSpeculativeJIT64.cpp: (JSC::DFG::SpeculativeJIT::compile): * dfg/DFGStructureAbstractValue.h: Added. (DFG): (StructureAbstractValue): (JSC::DFG::StructureAbstractValue::StructureAbstractValue): (JSC::DFG::StructureAbstractValue::clear): (JSC::DFG::StructureAbstractValue::makeTop): (JSC::DFG::StructureAbstractValue::top): (JSC::DFG::StructureAbstractValue::add): (JSC::DFG::StructureAbstractValue::addAll): (JSC::DFG::StructureAbstractValue::contains): (JSC::DFG::StructureAbstractValue::isSubsetOf): (JSC::DFG::StructureAbstractValue::doesNotContainAnyOtherThan): (JSC::DFG::StructureAbstractValue::isSupersetOf): (JSC::DFG::StructureAbstractValue::filter): (JSC::DFG::StructureAbstractValue::isClear): (JSC::DFG::StructureAbstractValue::isTop): (JSC::DFG::StructureAbstractValue::isClearOrTop): (JSC::DFG::StructureAbstractValue::isNeitherClearNorTop): (JSC::DFG::StructureAbstractValue::size): (JSC::DFG::StructureAbstractValue::at): (JSC::DFG::StructureAbstractValue::operator[]): (JSC::DFG::StructureAbstractValue::last): (JSC::DFG::StructureAbstractValue::speculationFromStructures): (JSC::DFG::StructureAbstractValue::hasSingleton): (JSC::DFG::StructureAbstractValue::singleton): (JSC::DFG::StructureAbstractValue::operator==): (JSC::DFG::StructureAbstractValue::dump): (JSC::DFG::StructureAbstractValue::topValue): * dfg/DFGStructureCheckHoistingPhase.cpp: (JSC::DFG::StructureCheckHoistingPhase::run): git-svn-id: http://svn.webkit.org/repository/webkit/trunk@125999 268f45cc-cd09-0410-ab3c-d52691b4dbfc

commit: eb3323ddb4db1e943ce08895efdd662baf2d1775 [log] [tgz]
author: fpizlo@apple.com <fpizlo@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc> Mon Aug 20 06:11:24 2012 +0000
committer: fpizlo@apple.com <fpizlo@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc> Mon Aug 20 06:11:24 2012 +0000
tree: 128b43101366adb61f85c199bddcbdf1243449ff
parent: 14a2fb2fe6e96db2f4eb6583b1ae42491cd7f1bb [diff] [blame]
diff --git a/Source/JavaScriptCore/ChangeLog b/Source/JavaScriptCore/ChangeLog
index 46a0636..64604f6 100644
--- a/Source/JavaScriptCore/ChangeLog
+++ b/Source/JavaScriptCore/ChangeLog

@@ -1,3 +1,121 @@
+2012-08-19  Filip Pizlo  <fpizlo@apple.com>
+
+        The relationship between abstract values and structure transition watchpoints should be rationalized
+        https://bugs.webkit.org/show_bug.cgi?id=94205
+
+        Reviewed by Geoffrey Garen.
+
+        This patch does a number of things related to the handling of the abstract values
+        arrising from values with structures known to be watchpointable:
+        
+        - This rationalizes the relationship between the structure that we know an object
+          to have *right now* based on having executed a check against that structure, and
+          the structure that we know the object could have *in the future* based on a type
+          check executed in the past over a structure that was watchpointable.
+        
+        - We use the above to assert that structure transition watchpoints are being used
+          soundly.
+        
+        - We use the above to strength reduce CheckStructure into StructureTransitionWatchpoint
+          whenever possible.
+        
+        - This rationalizes the handling of CFA over constants that appeared in the bytecode.
+          If at compile-time the constant has a watchpointable structure, then we can prove
+          what structures it may have in the future. The analysis uses this to both assert
+          that structure transition watchpoints are being used correctly, and to find
+          opportunities for using them more aggressively.
+        
+        The net effect of all of these changes is that OSR entry should work more smoothly.
+        It may also be a slight win due to strength reductions, though most of those strength
+        reductions would have already been done by the parser and the structure check hoister.
+
+        * GNUmakefile.list.am:
+        * JavaScriptCore.xcodeproj/project.pbxproj:
+        * dfg/DFGAbstractState.cpp:
+        (JSC::DFG::AbstractState::beginBasicBlock):
+        (JSC::DFG::AbstractState::execute):
+        * dfg/DFGAbstractValue.h:
+        (DFG):
+        (JSC::DFG::AbstractValue::clear):
+        (JSC::DFG::AbstractValue::isClear):
+        (JSC::DFG::AbstractValue::makeTop):
+        (JSC::DFG::AbstractValue::clobberStructures):
+        (JSC::DFG::AbstractValue::isTop):
+        (JSC::DFG::AbstractValue::setFuturePossibleStructure):
+        (AbstractValue):
+        (JSC::DFG::AbstractValue::filterFuturePossibleStructure):
+        (JSC::DFG::AbstractValue::setMostSpecific):
+        (JSC::DFG::AbstractValue::set):
+        (JSC::DFG::AbstractValue::operator==):
+        (JSC::DFG::AbstractValue::merge):
+        (JSC::DFG::AbstractValue::filter):
+        (JSC::DFG::AbstractValue::filterValueByType):
+        (JSC::DFG::AbstractValue::validateType):
+        (JSC::DFG::AbstractValue::validate):
+        (JSC::DFG::AbstractValue::checkConsistency):
+        (JSC::DFG::AbstractValue::dump):
+        * dfg/DFGArgumentsSimplificationPhase.cpp:
+        (JSC::DFG::ArgumentsSimplificationPhase::run):
+        * dfg/DFGCSEPhase.cpp:
+        (JSC::DFG::CSEPhase::checkStructureLoadElimination):
+        (JSC::DFG::CSEPhase::structureTransitionWatchpointElimination):
+        (JSC::DFG::CSEPhase::performNodeCSE):
+        * dfg/DFGConstantFoldingPhase.cpp:
+        (JSC::DFG::ConstantFoldingPhase::foldConstants):
+        * dfg/DFGNode.h:
+        (JSC::DFG::Node::convertToStructureTransitionWatchpoint):
+        (Node):
+        (JSC::DFG::Node::hasStructure):
+        * dfg/DFGNodeType.h:
+        (DFG):
+        * dfg/DFGOSREntry.cpp:
+        (JSC::DFG::prepareOSREntry):
+        * dfg/DFGPredictionPropagationPhase.cpp:
+        (JSC::DFG::PredictionPropagationPhase::propagate):
+        * dfg/DFGSpeculativeJIT.cpp:
+        (JSC::DFG::SpeculativeJIT::convertLastOSRExitToForward):
+        (JSC::DFG::SpeculativeJIT::forwardSpeculationWatchpoint):
+        (DFG):
+        (JSC::DFG::SpeculativeJIT::speculationWatchpointWithConditionalDirection):
+        (JSC::DFG::SpeculativeJIT::forwardSpeculationCheck):
+        (JSC::DFG::SpeculativeJIT::speculateArray):
+        * dfg/DFGSpeculativeJIT.h:
+        (SpeculativeJIT):
+        * dfg/DFGSpeculativeJIT32_64.cpp:
+        (JSC::DFG::SpeculativeJIT::compile):
+        * dfg/DFGSpeculativeJIT64.cpp:
+        (JSC::DFG::SpeculativeJIT::compile):
+        * dfg/DFGStructureAbstractValue.h: Added.
+        (DFG):
+        (StructureAbstractValue):
+        (JSC::DFG::StructureAbstractValue::StructureAbstractValue):
+        (JSC::DFG::StructureAbstractValue::clear):
+        (JSC::DFG::StructureAbstractValue::makeTop):
+        (JSC::DFG::StructureAbstractValue::top):
+        (JSC::DFG::StructureAbstractValue::add):
+        (JSC::DFG::StructureAbstractValue::addAll):
+        (JSC::DFG::StructureAbstractValue::contains):
+        (JSC::DFG::StructureAbstractValue::isSubsetOf):
+        (JSC::DFG::StructureAbstractValue::doesNotContainAnyOtherThan):
+        (JSC::DFG::StructureAbstractValue::isSupersetOf):
+        (JSC::DFG::StructureAbstractValue::filter):
+        (JSC::DFG::StructureAbstractValue::isClear):
+        (JSC::DFG::StructureAbstractValue::isTop):
+        (JSC::DFG::StructureAbstractValue::isClearOrTop):
+        (JSC::DFG::StructureAbstractValue::isNeitherClearNorTop):
+        (JSC::DFG::StructureAbstractValue::size):
+        (JSC::DFG::StructureAbstractValue::at):
+        (JSC::DFG::StructureAbstractValue::operator[]):
+        (JSC::DFG::StructureAbstractValue::last):
+        (JSC::DFG::StructureAbstractValue::speculationFromStructures):
+        (JSC::DFG::StructureAbstractValue::hasSingleton):
+        (JSC::DFG::StructureAbstractValue::singleton):
+        (JSC::DFG::StructureAbstractValue::operator==):
+        (JSC::DFG::StructureAbstractValue::dump):
+        (JSC::DFG::StructureAbstractValue::topValue):
+        * dfg/DFGStructureCheckHoistingPhase.cpp:
+        (JSC::DFG::StructureCheckHoistingPhase::run):
+
 2012-08-17  Filip Pizlo  <fpizlo@apple.com>
 
         The current state of the call frame should be taken into account in the DFG for both predictions and proofs
commit	eb3323ddb4db1e943ce08895efdd662baf2d1775	[log] [tgz]
author	fpizlo@apple.com <fpizlo@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>	Mon Aug 20 06:11:24 2012 +0000
committer	fpizlo@apple.com <fpizlo@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>	Mon Aug 20 06:11:24 2012 +0000
tree	128b43101366adb61f85c199bddcbdf1243449ff
parent	14a2fb2fe6e96db2f4eb6583b1ae42491cd7f1bb [diff] [blame]