Changeset 134151 in webkit

Timestamp:

Nov 9, 2012, 9:54:11 PM (12 years ago)

Author:

fpizlo@apple.com

Message:

If the DFG ArrayMode says that an access is on an OriginalArray, then the checks should always enforce this
​https://bugs.webkit.org/show_bug.cgi?id=101720

Reviewed by Mark Hahnenberg.

Previously, "original" arrays was just a hint that we could find the structure
of the array if we needed to even if the array profile didn't have it due to
polymorphism. Now, "original" arrays are a property that is actually checked:
if an array access has ArrayMode::arrayClass() == Array::OriginalArray, then we
can be sure that the code performing the access is dealing with not just a
JSArray, but a JSArray that has no named properties, no indexed accessors, and
the ArrayPrototype as its prototype. This will be useful for optimizations that
are being done as part of ​https://bugs.webkit.org/show_bug.cgi?id=101720.

• dfg/DFGAbstractState.cpp:

(JSC::DFG::AbstractState::execute):

• dfg/DFGArrayMode.cpp:

(JSC::DFG::ArrayMode::originalArrayStructure):
(DFG):
(JSC::DFG::ArrayMode::alreadyChecked):

• dfg/DFGArrayMode.h:

(JSC):
(DFG):
(JSC::DFG::ArrayMode::withProfile):
(ArrayMode):
(JSC::DFG::ArrayMode::benefitsFromOriginalArray):

• dfg/DFGConstantFoldingPhase.cpp:

(JSC::DFG::ConstantFoldingPhase::foldConstants):

• dfg/DFGFixupPhase.cpp:

(JSC::DFG::FixupPhase::checkArray):

• dfg/DFGSpeculativeJIT.cpp:

(JSC::DFG::SpeculativeJIT::jumpSlowForUnwantedArrayMode):
(JSC::DFG::SpeculativeJIT::checkArray):
(JSC::DFG::SpeculativeJIT::compileGetByValOnString):
(JSC::DFG::SpeculativeJIT::compileGetByValOnIntTypedArray):
(JSC::DFG::SpeculativeJIT::compileGetByValOnFloatTypedArray):
(JSC::DFG::SpeculativeJIT::compilePutByValForFloatTypedArray):
(JSC::DFG::SpeculativeJIT::compileGetByValOnArguments):
(JSC::DFG::SpeculativeJIT::compileGetArgumentsLength):

Location:

trunk/Source/JavaScriptCore

Files:

• ChangeLog (modified) (1 diff)
• dfg/DFGAbstractState.cpp (modified) (2 diffs)
• dfg/DFGArrayMode.cpp (modified) (5 diffs)
• dfg/DFGArrayMode.h (modified) (5 diffs)
• dfg/DFGConstantFoldingPhase.cpp (modified) (1 diff)
• dfg/DFGFixupPhase.cpp (modified) (2 diffs)
• dfg/DFGSpeculativeJIT.cpp (modified) (9 diffs)

trunk/Source/JavaScriptCore/ChangeLog

@@ +1 @@
+2012-11-09  Filip Pizlo  <fpizlo@apple.com>
+
+        If the DFG ArrayMode says that an access is on an OriginalArray, then the checks should always enforce this
+        https://bugs.webkit.org/show_bug.cgi?id=101720
+
+        Reviewed by Mark Hahnenberg.
+
+        Previously, "original" arrays was just a hint that we could find the structure
+        of the array if we needed to even if the array profile didn't have it due to
+        polymorphism. Now, "original" arrays are a property that is actually checked:
+        if an array access has ArrayMode::arrayClass() == Array::OriginalArray, then we
+        can be sure that the code performing the access is dealing with not just a
+        JSArray, but a JSArray that has no named properties, no indexed accessors, and
+        the ArrayPrototype as its prototype. This will be useful for optimizations that
+        are being done as part of https://bugs.webkit.org/show_bug.cgi?id=101720.
+
+        * dfg/DFGAbstractState.cpp:
+        (JSC::DFG::AbstractState::execute):
+        * dfg/DFGArrayMode.cpp:
+        (JSC::DFG::ArrayMode::originalArrayStructure):
+        (DFG):
+        (JSC::DFG::ArrayMode::alreadyChecked):
+        * dfg/DFGArrayMode.h:
+        (JSC):
+        (DFG):
+        (JSC::DFG::ArrayMode::withProfile):
+        (ArrayMode):
+        (JSC::DFG::ArrayMode::benefitsFromOriginalArray):
+        * dfg/DFGConstantFoldingPhase.cpp:
+        (JSC::DFG::ConstantFoldingPhase::foldConstants):
+        * dfg/DFGFixupPhase.cpp:
+        (JSC::DFG::FixupPhase::checkArray):
+        * dfg/DFGSpeculativeJIT.cpp:
+        (JSC::DFG::SpeculativeJIT::jumpSlowForUnwantedArrayMode):
+        (JSC::DFG::SpeculativeJIT::checkArray):
+        (JSC::DFG::SpeculativeJIT::compileGetByValOnString):
+        (JSC::DFG::SpeculativeJIT::compileGetByValOnIntTypedArray):
+        (JSC::DFG::SpeculativeJIT::compileGetByValOnFloatTypedArray):
+        (JSC::DFG::SpeculativeJIT::compilePutByValForFloatTypedArray):
+        (JSC::DFG::SpeculativeJIT::compileGetByValOnArguments):
+        (JSC::DFG::SpeculativeJIT::compileGetArgumentsLength):
+
 2012-11-09  Filip Pizlo  <fpizlo@apple.com>
 

trunk/Source/JavaScriptCore/dfg/DFGAbstractState.cpp

@@ -1453 +1453 @@
         break;
     case CheckArray: {
-        if (node.arrayMode().alreadyChecked(forNode(node.child1()))) {
+        if (node.arrayMode().alreadyChecked(m_graph, node, forNode(node.child1()))) {
             m_foundConstants = true;
             node.setCanExit(false);
@@ -1509 +1509 @@
     }
     case Arrayify: {
-        if (node.arrayMode().alreadyChecked(forNode(node.child1()))) {
+        if (node.arrayMode().alreadyChecked(m_graph, node, forNode(node.child1()))) {
             m_foundConstants = true;
             node.setCanExit(false);

trunk/Source/JavaScriptCore/dfg/DFGArrayMode.cpp

@@ -30 +30 @@
 
 #include "DFGAbstractValue.h"
+#include "DFGGraph.h"
 
 namespace JSC { namespace DFG {
@@ -201 +202 @@
 }
 
-bool ArrayMode::alreadyChecked(AbstractValue& value, IndexingType shape) const
-{
-    if (isJSArray()) {
+Structure* ArrayMode::originalArrayStructure(Graph& graph, const CodeOrigin& codeOrigin) const
+{
+    if (!isJSArrayWithOriginalStructure())
+        return 0;
+    
+    JSGlobalObject* globalObject = graph.globalObjectFor(codeOrigin);
+    
+    switch (type()) {
+    case Array::Int32:
+        return globalObject->originalArrayStructureForIndexingType(ArrayWithInt32);
+    case Array::Double:
+        return globalObject->originalArrayStructureForIndexingType(ArrayWithDouble);
+    case Array::Contiguous:
+        return globalObject->originalArrayStructureForIndexingType(ArrayWithContiguous);
+    case Array::ArrayStorage:
+        return globalObject->originalArrayStructureForIndexingType(ArrayWithArrayStorage);
+    default:
+        CRASH();
+        return 0;
+    }
+}
+
+Structure* ArrayMode::originalArrayStructure(Graph& graph, Node& node) const
+{
+    return originalArrayStructure(graph, node.codeOrigin);
+}
+
+bool ArrayMode::alreadyChecked(Graph& graph, Node& node, AbstractValue& value, IndexingType shape) const
+{
+    switch (arrayClass()) {
+    case Array::OriginalArray:
+        return value.m_currentKnownStructure.hasSingleton()
+            && (value.m_currentKnownStructure.singleton()->indexingType() & IndexingShapeMask) == shape
+            && (value.m_currentKnownStructure.singleton()->indexingType() & IsArray)
+            && graph.globalObjectFor(node.codeOrigin)->isOriginalArrayStructure(value.m_currentKnownStructure.singleton());
+        
+    case Array::Array:
         if (arrayModesAlreadyChecked(value.m_arrayModes, asArrayModes(shape | IsArray)))
             return true;
@@ -209 +244 @@
             && (value.m_currentKnownStructure.singleton()->indexingType() & IndexingShapeMask) == shape
             && (value.m_currentKnownStructure.singleton()->indexingType() & IsArray);
-    }
-    if (arrayModesAlreadyChecked(value.m_arrayModes, asArrayModes(shape) | asArrayModes(shape | IsArray)))
-        return true;
-    return value.m_currentKnownStructure.hasSingleton()
-        && (value.m_currentKnownStructure.singleton()->indexingType() & IndexingShapeMask) == shape;
-}
-
-bool ArrayMode::alreadyChecked(AbstractValue& value) const
+        
+    default:
+        if (arrayModesAlreadyChecked(value.m_arrayModes, asArrayModes(shape) | asArrayModes(shape | IsArray)))
+            return true;
+        return value.m_currentKnownStructure.hasSingleton()
+            && (value.m_currentKnownStructure.singleton()->indexingType() & IndexingShapeMask) == shape;
+    }
+}
+
+bool ArrayMode::alreadyChecked(Graph& graph, Node& node, AbstractValue& value) const
 {
     switch (type()) {
@@ -229 +266 @@
         
     case Array::Int32:
-        return alreadyChecked(value, Int32Shape);
+        return alreadyChecked(graph, node, value, Int32Shape);
         
     case Array::Double:
-        return alreadyChecked(value, DoubleShape);
+        return alreadyChecked(graph, node, value, DoubleShape);
         
     case Array::Contiguous:
-        return alreadyChecked(value, ContiguousShape);
+        return alreadyChecked(graph, node, value, ContiguousShape);
         
     case Array::ArrayStorage:
-        return alreadyChecked(value, ArrayStorageShape);
+        return alreadyChecked(graph, node, value, ArrayStorageShape);
         
     case Array::SlowPutArrayStorage:
-        if (isJSArray()) {
+        switch (arrayClass()) {
+        case Array::OriginalArray:
+            CRASH();
+            return false;
+        
+        case Array::Array:
             if (arrayModesAlreadyChecked(value.m_arrayModes, asArrayModes(ArrayWithArrayStorage) | asArrayModes(ArrayWithSlowPutArrayStorage)))
                 return true;
@@ -247 +289 @@
                 && hasArrayStorage(value.m_currentKnownStructure.singleton()->indexingType())
                 && (value.m_currentKnownStructure.singleton()->indexingType() & IsArray);
+        
+        default:
+            if (arrayModesAlreadyChecked(value.m_arrayModes, asArrayModes(NonArrayWithArrayStorage) | asArrayModes(ArrayWithArrayStorage) | asArrayModes(NonArrayWithSlowPutArrayStorage) | asArrayModes(ArrayWithSlowPutArrayStorage)))
+                return true;
+            return value.m_currentKnownStructure.hasSingleton()
+                && hasArrayStorage(value.m_currentKnownStructure.singleton()->indexingType());
         }
-        if (arrayModesAlreadyChecked(value.m_arrayModes, asArrayModes(NonArrayWithArrayStorage) | asArrayModes(ArrayWithArrayStorage) | asArrayModes(NonArrayWithSlowPutArrayStorage) | asArrayModes(ArrayWithSlowPutArrayStorage)))
-            return true;
-        return value.m_currentKnownStructure.hasSingleton()
-            && hasArrayStorage(value.m_currentKnownStructure.singleton()->indexingType());
         
     case Array::Arguments:

trunk/Source/JavaScriptCore/dfg/DFGArrayMode.h

@@ -34 +34 @@
 #include "SpeculatedType.h"
 
-namespace JSC { namespace DFG {
-
+namespace JSC {
+
+struct CodeOrigin;
+
+namespace DFG {
+
+class Graph;
 struct AbstractValue;
+struct Node;
 
 // Use a namespace + enum instead of enum alone to avoid the namespace collision
@@ -162 +168 @@
         
         if (isJSArray()) {
-            if (profile->usesOriginalArrayStructures())
+            if (profile->usesOriginalArrayStructures() && benefitsFromOriginalArray())
                 myArrayClass = Array::OriginalArray;
             else
@@ -184 +190 @@
     ArrayMode refine(SpeculatedType base, SpeculatedType index, SpeculatedType value = SpecNone) const;
     
-    bool alreadyChecked(AbstractValue&) const;
+    bool alreadyChecked(Graph&, Node&, AbstractValue&) const;
     
     const char* toString() const;
@@ -303 +309 @@
         }
     }
+    
+    bool benefitsFromOriginalArray() const
+    {
+        switch (type()) {
+        case Array::Int32:
+        case Array::Double:
+        case Array::Contiguous:
+        case Array::ArrayStorage:
+            return true;
+        default:
+            return false;
+        }
+    }
+    
+    // Returns 0 if this is not OriginalArray.
+    Structure* originalArrayStructure(Graph&, const CodeOrigin&) const;
+    Structure* originalArrayStructure(Graph&, Node&) const;
     
     bool benefitsFromStructureCheck() const
@@ -376 +399 @@
     }
     
-    bool alreadyChecked(AbstractValue&, IndexingType shape) const;
+    bool alreadyChecked(Graph&, Node&, AbstractValue&, IndexingType shape) const;
     
     union {

trunk/Source/JavaScriptCore/dfg/DFGConstantFoldingPhase.cpp

@@ -117 +117 @@
             case CheckArray:
             case Arrayify: {
-                if (!node.arrayMode().alreadyChecked(m_state.forNode(node.child1())))
+                if (!node.arrayMode().alreadyChecked(m_graph, node, m_state.forNode(node.child1())))
                     break;
                 ASSERT(node.refCount() == 1);

trunk/Source/JavaScriptCore/dfg/DFGFixupPhase.cpp

@@ -425 +425 @@
         m_graph.ref(array);
 
+        Structure* structure = arrayMode.originalArrayStructure(m_graph, codeOrigin);
+        
         if (arrayMode.doesConversion()) {
             if (index != NoNode)
                 m_graph.ref(index);
-            
-            Structure* structure = 0;
-            if (arrayMode.isJSArrayWithOriginalStructure()) {
-                JSGlobalObject* globalObject = m_graph.baselineCodeBlockFor(codeOrigin)->globalObject();
-                switch (arrayMode.type()) {
-                case Array::Int32:
-                    structure = globalObject->originalArrayStructureForIndexingType(ArrayWithInt32);
-                    break;
-                case Array::Double:
-                    structure = globalObject->originalArrayStructureForIndexingType(ArrayWithDouble);
-                    break;
-                case Array::Contiguous:
-                    structure = globalObject->originalArrayStructureForIndexingType(ArrayWithContiguous);
-                    break;
-                case Array::ArrayStorage:
-                    structure = globalObject->originalArrayStructureForIndexingType(ArrayWithArrayStorage);
-                    break;
-                default:
-                    break;
-                }
-            }
             
             if (structure) {
@@ -464 +445 @@
             }
         } else {
-            Node checkArray(CheckArray, codeOrigin, OpInfo(arrayMode.asWord()), array);
-            checkArray.ref();
-            NodeIndex checkArrayIndex = m_graph.size();
-            m_graph.append(checkArray);
-            m_insertionSet.append(m_indexInBlock, checkArrayIndex);
+            if (structure) {
+                Node checkStructure(CheckStructure, codeOrigin, OpInfo(m_graph.addStructureSet(structure)), array);
+                checkStructure.ref();
+                NodeIndex checkStructureIndex = m_graph.size();
+                m_graph.append(checkStructure);
+                m_insertionSet.append(m_indexInBlock, checkStructureIndex);
+            } else {
+                Node checkArray(CheckArray, codeOrigin, OpInfo(arrayMode.asWord()), array);
+                checkArray.ref();
+                NodeIndex checkArrayIndex = m_graph.size();
+                m_graph.append(checkArray);
+                m_insertionSet.append(m_indexInBlock, checkArrayIndex);
+            }
         }
         

trunk/Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp

@@ -362 +362 @@
 JITCompiler::Jump SpeculativeJIT::jumpSlowForUnwantedArrayMode(GPRReg tempGPR, ArrayMode arrayMode, IndexingType shape, bool invert)
 {
-    if (arrayMode.isJSArray()) {
+    switch (arrayMode.arrayClass()) {
+    case Array::OriginalArray: {
+        CRASH();
+        JITCompiler::Jump result; // I already know that VC++ takes unkindly to the expression "return Jump()", so I'm doing it this way in anticipation of someone eventually using VC++ to compile the DFG.
+        return result;
+    }
+        
+    case Array::Array:
         m_jit.and32(TrustedImm32(IsArray | IndexingShapeMask), tempGPR);
         return m_jit.branch32(
             invert ? MacroAssembler::Equal : MacroAssembler::NotEqual, tempGPR, TrustedImm32(IsArray | shape));
-    }
-    m_jit.and32(TrustedImm32(IndexingShapeMask), tempGPR);
-    return m_jit.branch32(invert ? MacroAssembler::Equal : MacroAssembler::NotEqual, tempGPR, TrustedImm32(shape));
+        
+    default:
+        m_jit.and32(TrustedImm32(IndexingShapeMask), tempGPR);
+        return m_jit.branch32(invert ? MacroAssembler::Equal : MacroAssembler::NotEqual, tempGPR, TrustedImm32(shape));
+    }
 }
 
@@ -387 +396 @@
     case Array::ArrayStorage:
     case Array::SlowPutArrayStorage: {
+        ASSERT(!arrayMode.isJSArrayWithOriginalStructure());
+        
         if (arrayMode.isJSArray()) {
             if (arrayMode.isSlowPut()) {
                 if (invert) {
-                    JITCompiler::Jump slow = 
-                        m_jit.branchTest32(
-                            MacroAssembler::Zero, tempGPR, MacroAssembler::TrustedImm32(IsArray));
+                    JITCompiler::Jump slow = m_jit.branchTest32(
+                        MacroAssembler::Zero, tempGPR, MacroAssembler::TrustedImm32(IsArray));
                     m_jit.and32(TrustedImm32(IndexingShapeMask), tempGPR);
                     m_jit.sub32(TrustedImm32(ArrayStorageShape), tempGPR);
@@ -450 +460 @@
     const TypedArrayDescriptor* result = typedArrayDescriptor(node.arrayMode());
     
-    if (node.arrayMode().alreadyChecked(m_state.forNode(node.child1()))) {
+    if (node.arrayMode().alreadyChecked(m_jit.graph(), node, m_state.forNode(node.child1()))) {
         noResult(m_compileIndex);
         return;
@@ -1960 +1970 @@
     GPRReg storageReg = storage.gpr();
 
-    ASSERT(ArrayMode(Array::String).alreadyChecked(m_state.forNode(node.child1())));
+    ASSERT(ArrayMode(Array::String).alreadyChecked(m_jit.graph(), node, m_state.forNode(node.child1())));
 
     // unsigned comparison so we can filter out negative indices and indices that are too large
@@ -2369 +2379 @@
     GPRReg resultReg = result.gpr();
 
-    ASSERT(node.arrayMode().alreadyChecked(m_state.forNode(node.child1())));
+    ASSERT(node.arrayMode().alreadyChecked(m_jit.graph(), node, m_state.forNode(node.child1())));
 
     speculationCheck(
@@ -2519 +2529 @@
     GPRReg storageReg = storage.gpr();
 
-    ASSERT(node.arrayMode().alreadyChecked(m_state.forNode(node.child1())));
+    ASSERT(node.arrayMode().alreadyChecked(m_jit.graph(), node, m_state.forNode(node.child1())));
 
     FPRTemporary result(this);
@@ -2556 +2566 @@
     SpeculateDoubleOperand valueOp(this, valueUse);
     
-    ASSERT_UNUSED(baseUse, node.arrayMode().alreadyChecked(m_state.forNode(baseUse)));
+    ASSERT_UNUSED(baseUse, node.arrayMode().alreadyChecked(m_jit.graph(), m_jit.graph()[m_compileIndex], m_state.forNode(baseUse)));
     
     GPRTemporary result(this);
@@ -3379 +3389 @@
         return;
   
-    ASSERT(ArrayMode(Array::Arguments).alreadyChecked(m_state.forNode(node.child1())));
+    ASSERT(ArrayMode(Array::Arguments).alreadyChecked(m_jit.graph(), node, m_state.forNode(node.child1())));
     
     // Two really lame checks.
@@ -3436 +3446 @@
         return;
     
-    ASSERT(ArrayMode(Array::Arguments).alreadyChecked(m_state.forNode(node.child1())));
+    ASSERT(ArrayMode(Array::Arguments).alreadyChecked(m_jit.graph(), node, m_state.forNode(node.child1())));
     
     speculationCheck(