Changeset 206098 in webkit

Timestamp:

Sep 19, 2016 10:00:25 AM (8 years ago)

Author:

Yusuke Suzuki

Message:

[JSC][LLInt] Introduce is_cell_with_type
​https://bugs.webkit.org/show_bug.cgi?id=162132

Reviewed by Sam Weinig.

In this patch, we introduce is_cell_with_type bytecode. This bytecode can unify the following predicates,
op_is_string, op_is_jsarray, op_is_proxy_object, and op_is_derived_array!
And we now drop DFG node IsString since we can use IsCellWithType instead.
This automatically offers optimization to previous IsString node: dropping cell check by using CellUse edge filter.

Later, we are planning to use this is_cell_with_type to optimize @isRegExpObject, @isSet, and @isMap[1].

The performance results are neutral.

[1]: ​https://bugs.webkit.org/show_bug.cgi?id=162142

• bytecode/BytecodeList.json:
• bytecode/BytecodeUseDef.h:

(JSC::computeUsesForBytecodeOffset):
(JSC::computeDefsForBytecodeOffset):

• bytecode/CodeBlock.cpp:

(JSC::CodeBlock::dumpBytecode):

• bytecode/SpeculatedType.cpp:

(JSC::speculationFromJSType):

• bytecode/SpeculatedType.h:
• bytecompiler/BytecodeGenerator.cpp:

(JSC::BytecodeGenerator::emitEqualityOp):
(JSC::BytecodeGenerator::emitIsCellWithType):

• bytecompiler/BytecodeGenerator.h:

(JSC::BytecodeGenerator::emitIsJSArray):
(JSC::BytecodeGenerator::emitIsProxyObject):
(JSC::BytecodeGenerator::emitIsDerivedArray):

• dfg/DFGAbstractInterpreterInlines.h:

(JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):

• dfg/DFGByteCodeParser.cpp:

(JSC::DFG::ByteCodeParser::handleIntrinsicCall):
(JSC::DFG::ByteCodeParser::parseBlock):

• dfg/DFGCapabilities.cpp:

(JSC::DFG::capabilityLevel):

• dfg/DFGClobberize.h:

(JSC::DFG::clobberize):

• dfg/DFGDoesGC.cpp:

(JSC::DFG::doesGC):

• dfg/DFGFixupPhase.cpp:

(JSC::DFG::FixupPhase::fixupNode):
(JSC::DFG::FixupPhase::fixupIsCellWithType):

• dfg/DFGNode.h:

(JSC::DFG::Node::speculatedTypeForQuery):

• dfg/DFGNodeType.h:
• dfg/DFGPredictionPropagationPhase.cpp:
• dfg/DFGSafeToExecute.h:

(JSC::DFG::safeToExecute):

• dfg/DFGSpeculativeJIT32_64.cpp:

(JSC::DFG::SpeculativeJIT::compile):

• dfg/DFGSpeculativeJIT64.cpp:

(JSC::DFG::SpeculativeJIT::compile):

• ftl/FTLCapabilities.cpp:

(JSC::FTL::canCompile):

• ftl/FTLLowerDFGToB3.cpp:

(JSC::FTL::DFG::LowerDFGToB3::compileNode):
(JSC::FTL::DFG::LowerDFGToB3::compileIsString): Deleted.

• jit/JIT.cpp:

(JSC::JIT::privateCompileMainPass):

• jit/JIT.h:
• jit/JITOpcodes.cpp:

(JSC::JIT::emit_op_is_cell_with_type):
(JSC::JIT::emitIsCellWithType): Deleted.
(JSC::JIT::emit_op_is_string): Deleted.
(JSC::JIT::emit_op_is_jsarray): Deleted.
(JSC::JIT::emit_op_is_proxy_object): Deleted.
(JSC::JIT::emit_op_is_derived_array): Deleted.

• jit/JITOpcodes32_64.cpp:

(JSC::JIT::emit_op_is_cell_with_type):
(JSC::JIT::emitIsCellWithType): Deleted.
(JSC::JIT::emit_op_is_string): Deleted.
(JSC::JIT::emit_op_is_jsarray): Deleted.
(JSC::JIT::emit_op_is_proxy_object): Deleted.
(JSC::JIT::emit_op_is_derived_array): Deleted.

• llint/LLIntData.cpp:

(JSC::LLInt::Data::performAssertions):

• llint/LowLevelInterpreter32_64.asm:
• llint/LowLevelInterpreter64.asm:

Location:

trunk/Source/JavaScriptCore

Files:

• ChangeLog (modified) (1 diff)
• bytecode/BytecodeList.json (modified) (1 diff)
• bytecode/BytecodeUseDef.h (modified) (2 diffs)
• bytecode/CodeBlock.cpp (modified) (2 diffs)
• bytecode/SpeculatedType.cpp (modified) (1 diff)
• bytecode/SpeculatedType.h (modified) (1 diff)
• bytecompiler/BytecodeGenerator.cpp (modified) (2 diffs)
• bytecompiler/BytecodeGenerator.h (modified) (1 diff)
• dfg/DFGAbstractInterpreterInlines.h (modified) (3 diffs)
• dfg/DFGByteCodeParser.cpp (modified) (3 diffs)
• dfg/DFGCapabilities.cpp (modified) (1 diff)
• dfg/DFGClobberize.h (modified) (1 diff)
• dfg/DFGDoesGC.cpp (modified) (1 diff)
• dfg/DFGFixupPhase.cpp (modified) (2 diffs)
• dfg/DFGNode.h (modified) (1 diff)
• dfg/DFGNodeType.h (modified) (1 diff)
• dfg/DFGPredictionPropagationPhase.cpp (modified) (1 diff)
• dfg/DFGSafeToExecute.h (modified) (1 diff)
• dfg/DFGSpeculativeJIT32_64.cpp (modified) (1 diff)
• dfg/DFGSpeculativeJIT64.cpp (modified) (1 diff)
• ftl/FTLCapabilities.cpp (modified) (1 diff)
• ftl/FTLLowerDFGToB3.cpp (modified) (2 diffs)
• jit/JIT.cpp (modified) (1 diff)
• jit/JIT.h (modified) (2 diffs)
• jit/JITOpcodes.cpp (modified) (2 diffs)
• jit/JITOpcodes32_64.cpp (modified) (2 diffs)
• llint/LLIntData.cpp (modified) (1 diff)
• llint/LowLevelInterpreter32_64.asm (modified) (2 diffs)
• llint/LowLevelInterpreter64.asm (modified) (1 diff)

trunk/Source/JavaScriptCore/ChangeLog

@@ +1 @@
+2016-09-19  Yusuke Suzuki  <utatane.tea@gmail.com>
+
+        [JSC][LLInt] Introduce is_cell_with_type
+        https://bugs.webkit.org/show_bug.cgi?id=162132
+
+        Reviewed by Sam Weinig.
+
+        In this patch, we introduce is_cell_with_type bytecode. This bytecode can unify the following predicates,
+        op_is_string, op_is_jsarray, op_is_proxy_object, and op_is_derived_array!
+        And we now drop DFG node IsString since we can use IsCellWithType instead.
+        This automatically offers optimization to previous IsString node: dropping cell check by using CellUse edge filter.
+
+        Later, we are planning to use this is_cell_with_type to optimize @isRegExpObject, @isSet, and @isMap[1].
+
+        The performance results are neutral.
+
+        [1]: https://bugs.webkit.org/show_bug.cgi?id=162142
+
+        * bytecode/BytecodeList.json:
+        * bytecode/BytecodeUseDef.h:
+        (JSC::computeUsesForBytecodeOffset):
+        (JSC::computeDefsForBytecodeOffset):
+        * bytecode/CodeBlock.cpp:
+        (JSC::CodeBlock::dumpBytecode):
+        * bytecode/SpeculatedType.cpp:
+        (JSC::speculationFromJSType):
+        * bytecode/SpeculatedType.h:
+        * bytecompiler/BytecodeGenerator.cpp:
+        (JSC::BytecodeGenerator::emitEqualityOp):
+        (JSC::BytecodeGenerator::emitIsCellWithType):
+        * bytecompiler/BytecodeGenerator.h:
+        (JSC::BytecodeGenerator::emitIsJSArray):
+        (JSC::BytecodeGenerator::emitIsProxyObject):
+        (JSC::BytecodeGenerator::emitIsDerivedArray):
+        * dfg/DFGAbstractInterpreterInlines.h:
+        (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
+        * dfg/DFGByteCodeParser.cpp:
+        (JSC::DFG::ByteCodeParser::handleIntrinsicCall):
+        (JSC::DFG::ByteCodeParser::parseBlock):
+        * dfg/DFGCapabilities.cpp:
+        (JSC::DFG::capabilityLevel):
+        * dfg/DFGClobberize.h:
+        (JSC::DFG::clobberize):
+        * dfg/DFGDoesGC.cpp:
+        (JSC::DFG::doesGC):
+        * dfg/DFGFixupPhase.cpp:
+        (JSC::DFG::FixupPhase::fixupNode):
+        (JSC::DFG::FixupPhase::fixupIsCellWithType):
+        * dfg/DFGNode.h:
+        (JSC::DFG::Node::speculatedTypeForQuery):
+        * dfg/DFGNodeType.h:
+        * dfg/DFGPredictionPropagationPhase.cpp:
+        * dfg/DFGSafeToExecute.h:
+        (JSC::DFG::safeToExecute):
+        * dfg/DFGSpeculativeJIT32_64.cpp:
+        (JSC::DFG::SpeculativeJIT::compile):
+        * dfg/DFGSpeculativeJIT64.cpp:
+        (JSC::DFG::SpeculativeJIT::compile):
+        * ftl/FTLCapabilities.cpp:
+        (JSC::FTL::canCompile):
+        * ftl/FTLLowerDFGToB3.cpp:
+        (JSC::FTL::DFG::LowerDFGToB3::compileNode):
+        (JSC::FTL::DFG::LowerDFGToB3::compileIsString): Deleted.
+        * jit/JIT.cpp:
+        (JSC::JIT::privateCompileMainPass):
+        * jit/JIT.h:
+        * jit/JITOpcodes.cpp:
+        (JSC::JIT::emit_op_is_cell_with_type):
+        (JSC::JIT::emitIsCellWithType): Deleted.
+        (JSC::JIT::emit_op_is_string): Deleted.
+        (JSC::JIT::emit_op_is_jsarray): Deleted.
+        (JSC::JIT::emit_op_is_proxy_object): Deleted.
+        (JSC::JIT::emit_op_is_derived_array): Deleted.
+        * jit/JITOpcodes32_64.cpp:
+        (JSC::JIT::emit_op_is_cell_with_type):
+        (JSC::JIT::emitIsCellWithType): Deleted.
+        (JSC::JIT::emit_op_is_string): Deleted.
+        (JSC::JIT::emit_op_is_jsarray): Deleted.
+        (JSC::JIT::emit_op_is_proxy_object): Deleted.
+        (JSC::JIT::emit_op_is_derived_array): Deleted.
+        * llint/LLIntData.cpp:
+        (JSC::LLInt::Data::performAssertions):
+        * llint/LowLevelInterpreter32_64.asm:
+        * llint/LowLevelInterpreter64.asm:
+
 2016-09-18  Yusuke Suzuki  <utatane.tea@gmail.com>
 

trunk/Source/JavaScriptCore/bytecode/BytecodeList.json

@@ -56 +56 @@
             { "name" : "op_is_boolean", "length" : 3 },
             { "name" : "op_is_number", "length" : 3 },
-            { "name" : "op_is_string", "length" : 3 },
-            { "name" : "op_is_jsarray", "length" : 3 },
-            { "name" : "op_is_proxy_object", "length" : 3 },
             { "name" : "op_is_object", "length" : 3 },
             { "name" : "op_is_object_or_null", "length" : 3 },
             { "name" : "op_is_function", "length" : 3 },
-            { "name" : "op_is_derived_array", "length" : 3 },
+            { "name" : "op_is_cell_with_type", "length" : 4 },
             { "name" : "op_in", "length" : 4 },
             { "name" : "op_get_array_length", "length" : 9 },

trunk/Source/JavaScriptCore/bytecode/BytecodeUseDef.h

@@ -164 +164 @@
     case op_is_boolean:
     case op_is_number:
-    case op_is_string:
-    case op_is_jsarray:
-    case op_is_proxy_object:
     case op_is_object:
     case op_is_object_or_null:
+    case op_is_cell_with_type:
     case op_is_function:
-    case op_is_derived_array:
     case op_to_number:
     case op_to_string:
@@ -399 +396 @@
     case op_is_boolean:
     case op_is_number:
-    case op_is_string:
-    case op_is_jsarray:
-    case op_is_proxy_object:
     case op_is_object:
     case op_is_object_or_null:
+    case op_is_cell_with_type:
     case op_is_function:
-    case op_is_derived_array:
     case op_in:
     case op_to_number:

trunk/Source/JavaScriptCore/bytecode/CodeBlock.cpp

@@ -1103 +1103 @@
             break;
         }
-        case op_is_string: {
-            printUnaryOp(out, exec, location, it, "is_string");
-            break;
-        }
-        case op_is_jsarray: {
-            printUnaryOp(out, exec, location, it, "is_jsarray");
-            break;
-        }
-        case op_is_proxy_object: {
-            printUnaryOp(out, exec, location, it, "is_proxy_object");
+        case op_is_cell_with_type: {
+            int r0 = (++it)->u.operand;
+            int r1 = (++it)->u.operand;
+            int type = (++it)->u.operand;
+            printLocationAndOp(out, exec, location, it, "is_cell_with_type");
+            out.printf("%s, %s, %d", registerName(r0).data(), registerName(r1).data(), type);
             break;
         }
@@ -1125 +1121 @@
         case op_is_function: {
             printUnaryOp(out, exec, location, it, "is_function");
-            break;
-        }
-        case op_is_derived_array: {
-            printUnaryOp(out, exec, location, it, "is_derived_array");
             break;
         }

trunk/Source/JavaScriptCore/bytecode/SpeculatedType.cpp

@@ -472 +472 @@
 }
 
+SpeculatedType speculationFromJSType(JSType type)
+{
+    switch (type) {
+    case StringType:
+        return SpecString;
+    case ArrayType:
+        return SpecArray;
+    case DerivedArrayType:
+        return SpecDerivedArray;
+    case RegExpObjectType:
+        return SpecRegExpObject;
+    case ProxyObjectType:
+        return SpecProxyObject;
+    default:
+        ASSERT_NOT_REACHED();
+    }
+    return SpecNone;
+}
+
 SpeculatedType leastUpperBoundOfStrictlyEquivalentSpeculations(SpeculatedType type)
 {

trunk/Source/JavaScriptCore/bytecode/SpeculatedType.h

@@ -453 +453 @@
 SpeculatedType speculationFromCell(JSCell*);
 SpeculatedType speculationFromValue(JSValue);
+SpeculatedType speculationFromJSType(JSType);
 
 SpeculatedType speculationFromTypedArrayType(TypedArrayType); // only valid for typed views.

trunk/Source/JavaScriptCore/bytecompiler/BytecodeGenerator.cpp

@@ -1660 +1660 @@
             if (value == "string") {
                 rewindUnaryOp();
-                emitOpcode(op_is_string);
+                emitOpcode(op_is_cell_with_type);
                 instructions().append(dst->index());
                 instructions().append(srcIndex);
+                instructions().append(StringType);
                 return dst;
             }
@@ -4218 +4219 @@
 }
 
+RegisterID* BytecodeGenerator::emitIsCellWithType(RegisterID* dst, RegisterID* src, JSType type)
+{
+    emitOpcode(op_is_cell_with_type);
+    instructions().append(dst->index());
+    instructions().append(src->index());
+    instructions().append(type);
+    return dst;
+}
 
 RegisterID* BytecodeGenerator::emitIsObject(RegisterID* dst, RegisterID* src)

trunk/Source/JavaScriptCore/bytecompiler/BytecodeGenerator.h

@@ -631 +631 @@
         RegisterID* emitToIndexString(RegisterID* dst, RegisterID* index);
 
-        RegisterID* emitIsJSArray(RegisterID* dst, RegisterID* src) { return emitUnaryOp(op_is_jsarray, dst, src); }
-        RegisterID* emitIsProxyObject(RegisterID* dst, RegisterID* src) { return emitUnaryOp(op_is_proxy_object, dst, src); }
+        RegisterID* emitIsCellWithType(RegisterID* dst, RegisterID* src, JSType);
+        RegisterID* emitIsJSArray(RegisterID* dst, RegisterID* src) { return emitIsCellWithType(dst, src, ArrayType); }
+        RegisterID* emitIsProxyObject(RegisterID* dst, RegisterID* src) { return emitIsCellWithType(dst, src, ProxyObjectType); }
         RegisterID* emitIsObject(RegisterID* dst, RegisterID* src);
         RegisterID* emitIsUndefined(RegisterID* dst, RegisterID* src);
         RegisterID* emitIsEmpty(RegisterID* dst, RegisterID* src);
-        RegisterID* emitIsDerivedArray(RegisterID* dst, RegisterID* src) { return emitUnaryOp(op_is_derived_array, dst, src); }
+        RegisterID* emitIsDerivedArray(RegisterID* dst, RegisterID* src) { return emitIsCellWithType(dst, src, DerivedArrayType); }
         void emitRequireObjectCoercible(RegisterID* value, const String& error);
 

trunk/Source/JavaScriptCore/dfg/DFGAbstractInterpreterInlines.h

@@ -1014 +1014 @@
     case IsBoolean:
     case IsNumber:
-    case IsString:
     case IsObject:
     case IsObjectOrNull:
@@ -1038 +1037 @@
             case IsNumber:
                 setConstant(node, jsBoolean(child.value().isNumber()));
-                break;
-            case IsString:
-                setConstant(node, jsBoolean(isJSString(child.value())));
                 break;
             case IsObject:
@@ -1143 +1139 @@
             
             if (!(child.m_type & SpecFullNumber)) {
-                setConstant(node, jsBoolean(false));
-                constantWasSet = true;
-                break;
-            }
-            
-            break;
-        case IsString:
-            if (!(child.m_type & ~SpecString)) {
-                setConstant(node, jsBoolean(true));
-                constantWasSet = true;
-                break;
-            }
-            
-            if (!(child.m_type & SpecString)) {
                 setConstant(node, jsBoolean(false));
                 constantWasSet = true;

trunk/Source/JavaScriptCore/dfg/DFGByteCodeParser.cpp

@@ -2367 +2367 @@
 
         insertChecks();
-        Node* isRegExpObject = addToGraph(IsCellWithType, OpInfo(RegExpObjectType), OpInfo(SpecRegExpObject), get(virtualRegisterForArgument(1, registerOffset)));
+        Node* isRegExpObject = addToGraph(IsCellWithType, OpInfo(RegExpObjectType), get(virtualRegisterForArgument(1, registerOffset)));
         set(VirtualRegister(resultOperand), isRegExpObject);
         return true;
@@ -3971 +3971 @@
         }
 
-        case op_is_string: {
+        case op_is_cell_with_type: {
+            JSType type = static_cast<JSType>(currentInstruction[3].u.operand);
             Node* value = get(VirtualRegister(currentInstruction[2].u.operand));
-            set(VirtualRegister(currentInstruction[1].u.operand), addToGraph(IsString, value));
-            NEXT_OPCODE(op_is_string);
-        }
-
-        case op_is_jsarray: {
-            Node* value = get(VirtualRegister(currentInstruction[2].u.operand));
-            set(VirtualRegister(currentInstruction[1].u.operand), addToGraph(IsCellWithType, OpInfo(ArrayType), OpInfo(SpecArray), value));
-            NEXT_OPCODE(op_is_jsarray);
-        }
-
-        case op_is_proxy_object: {
-            Node* value = get(VirtualRegister(currentInstruction[2].u.operand));
-            set(VirtualRegister(currentInstruction[1].u.operand), addToGraph(IsCellWithType, OpInfo(ProxyObjectType), OpInfo(SpecProxyObject), value));
-            NEXT_OPCODE(op_is_proxy_object);
+            set(VirtualRegister(currentInstruction[1].u.operand), addToGraph(IsCellWithType, OpInfo(type), value));
+            NEXT_OPCODE(op_is_cell_with_type);
         }
 
@@ -4005 +3994 @@
             set(VirtualRegister(currentInstruction[1].u.operand), addToGraph(IsFunction, value));
             NEXT_OPCODE(op_is_function);
-        }
-
-        case op_is_derived_array: {
-            Node* value = get(VirtualRegister(currentInstruction[2].u.operand));
-            set(VirtualRegister(currentInstruction[1].u.operand), addToGraph(IsCellWithType, OpInfo(DerivedArrayType), OpInfo(SpecDerivedArray), value));
-            NEXT_OPCODE(op_is_derived_array);
         }
 

trunk/Source/JavaScriptCore/dfg/DFGCapabilities.cpp

@@ -141 +141 @@
     case op_is_boolean:
     case op_is_number:
-    case op_is_string:
-    case op_is_jsarray:
-    case op_is_proxy_object:
     case op_is_object:
     case op_is_object_or_null:
+    case op_is_cell_with_type:
     case op_is_function:
-    case op_is_derived_array:
     case op_not:
     case op_less:

trunk/Source/JavaScriptCore/dfg/DFGClobberize.h

@@ -163 +163 @@
     case IsBoolean:
     case IsNumber:
-    case IsString:
     case IsObject:
     case IsTypedArrayView:

trunk/Source/JavaScriptCore/dfg/DFGDoesGC.cpp

@@ -162 +162 @@
     case IsBoolean:
     case IsNumber:
-    case IsString:
     case IsObject:
     case IsObjectOrNull:

trunk/Source/JavaScriptCore/dfg/DFGFixupPhase.cpp

@@ -1397 +1397 @@
             break;
         }
-
-        case IsString:
-            if (node->child1()->shouldSpeculateString()) {
-                m_insertionSet.insertNode(
-                    m_indexInBlock, SpecNone, Check, node->origin,
-                    Edge(node->child1().node(), StringUse));
-                m_graph.convertToConstant(node, jsBoolean(true));
-                observeUseKindOnNode<StringUse>(node);
-            }
-            break;
 
         case IsObject:
@@ -1768 +1758 @@
     {
         switch (node->speculatedTypeForQuery()) {
+        case SpecString:
+            if (node->child1()->shouldSpeculateString()) {
+                m_insertionSet.insertNode(
+                    m_indexInBlock, SpecNone, Check, node->origin,
+                    Edge(node->child1().node(), StringUse));
+                m_graph.convertToConstant(node, jsBoolean(true));
+                observeUseKindOnNode<StringUse>(node);
+                return;
+            }
+            break;
+
         case SpecProxyObject:
             if (node->child1()->shouldSpeculateProxyObject()) {

trunk/Source/JavaScriptCore/dfg/DFGNode.h

@@ -1180 +1180 @@
     SpeculatedType speculatedTypeForQuery()
     {
-        return m_opInfo2.as<SpeculatedType>();
+        return speculationFromJSType(queriedType());
     }
     

trunk/Source/JavaScriptCore/dfg/DFGNodeType.h

@@ -315 +315 @@
     macro(IsBoolean, NodeResultBoolean) \
     macro(IsNumber, NodeResultBoolean) \
-    macro(IsString, NodeResultBoolean) \
     macro(IsObject, NodeResultBoolean) \
     macro(IsObjectOrNull, NodeResultBoolean) \

trunk/Source/JavaScriptCore/dfg/DFGPredictionPropagationPhase.cpp

@@ -798 +798 @@
         case IsBoolean:
         case IsNumber:
-        case IsString:
         case IsObject:
         case IsObjectOrNull:

trunk/Source/JavaScriptCore/dfg/DFGSafeToExecute.h

@@ -268 +268 @@
     case IsBoolean:
     case IsNumber:
-    case IsString:
     case IsObject:
     case IsObjectOrNull:

trunk/Source/JavaScriptCore/dfg/DFGSpeculativeJIT32_64.cpp

@@ -4641 +4641 @@
     }
 
-    case IsString: {
-        JSValueOperand value(this, node->child1());
-        GPRTemporary result(this, Reuse, value, TagWord);
-        
-        JITCompiler::Jump isNotCell = m_jit.branchIfNotCell(value.jsValueRegs());
-        
-        m_jit.compare8(JITCompiler::Equal, 
-            JITCompiler::Address(value.payloadGPR(), JSCell::typeInfoTypeOffset()), 
-            TrustedImm32(StringType), 
-            result.gpr());
-        JITCompiler::Jump done = m_jit.jump();
-        
-        isNotCell.link(&m_jit);
-        m_jit.move(TrustedImm32(0), result.gpr());
-        
-        done.link(&m_jit);
-        booleanResult(result.gpr(), node);
-        break;
-    }
-
     case IsObject: {
         JSValueOperand value(this, node->child1());

trunk/Source/JavaScriptCore/dfg/DFGSpeculativeJIT64.cpp

@@ -4612 +4612 @@
     }
         
-    case IsString: {
-        JSValueOperand value(this, node->child1());
-        GPRTemporary result(this, Reuse, value);
-        
-        JITCompiler::Jump isNotCell = m_jit.branchIfNotCell(value.jsValueRegs());
-        
-        m_jit.compare8(JITCompiler::Equal, 
-            JITCompiler::Address(value.gpr(), JSCell::typeInfoTypeOffset()), 
-            TrustedImm32(StringType), 
-            result.gpr());
-        m_jit.or32(TrustedImm32(ValueFalse), result.gpr());
-        JITCompiler::Jump done = m_jit.jump();
-        
-        isNotCell.link(&m_jit);
-        m_jit.move(TrustedImm32(ValueFalse), result.gpr());
-        
-        done.link(&m_jit);
-        jsValueResult(result.gpr(), node, DataFormatJSBoolean);
-        break;
-    }
-
     case MapHash: {
         JSValueOperand input(this, node->child1());

trunk/Source/JavaScriptCore/ftl/FTLCapabilities.cpp

@@ -191 +191 @@
     case IsBoolean:
     case IsNumber:
-    case IsString:
     case IsObject:
     case IsObjectOrNull:

trunk/Source/JavaScriptCore/ftl/FTLLowerDFGToB3.cpp

@@ -896 +896 @@
         case IsNumber:
             compileIsNumber();
-            break;
-        case IsString:
-            compileIsString();
             break;
         case IsCellWithType:
@@ -6265 +6262 @@
     }
     
-    void compileIsString()
-    {
-        LValue value = lowJSValue(m_node->child1());
-        
-        LBasicBlock isCellCase = m_out.newBlock();
-        LBasicBlock continuation = m_out.newBlock();
-        
-        ValueFromBlock notCellResult = m_out.anchor(m_out.booleanFalse);
-        m_out.branch(
-            isCell(value, provenType(m_node->child1())), unsure(isCellCase), unsure(continuation));
-        
-        LBasicBlock lastNext = m_out.appendTo(isCellCase, continuation);
-        ValueFromBlock cellResult = m_out.anchor(isString(value, provenType(m_node->child1())));
-        m_out.jump(continuation);
-        
-        m_out.appendTo(continuation, lastNext);
-        setBoolean(m_out.phi(Int32, notCellResult, cellResult));
-    }
-
     void compileIsCellWithType()
     {

trunk/Source/JavaScriptCore/jit/JIT.cpp

@@ -269 +269 @@
         DEFINE_OP(op_is_boolean)
         DEFINE_OP(op_is_number)
-        DEFINE_OP(op_is_string)
-        DEFINE_OP(op_is_jsarray)
-        DEFINE_OP(op_is_proxy_object)
         DEFINE_OP(op_is_object)
-        DEFINE_OP(op_is_derived_array)
+        DEFINE_OP(op_is_cell_with_type)
         DEFINE_OP(op_jeq_null)
         DEFINE_OP(op_jfalse)

trunk/Source/JavaScriptCore/jit/JIT.h

@@ -401 +401 @@
         int32_t getOperandConstantInt(int src);
         double getOperandConstantDouble(int src);
-
-        void emitIsCellWithType(Instruction*, JSType);
 
 #if USE(JSVALUE32_64)
@@ -517 +515 @@
         void emit_op_is_boolean(Instruction*);
         void emit_op_is_number(Instruction*);
-        void emit_op_is_string(Instruction*);
-        void emit_op_is_jsarray(Instruction*);
-        void emit_op_is_proxy_object(Instruction*);
         void emit_op_is_object(Instruction*);
-        void emit_op_is_derived_array(Instruction*);
+        void emit_op_is_cell_with_type(Instruction*);
         void emit_op_jeq_null(Instruction*);
         void emit_op_jfalse(Instruction*);

trunk/Source/JavaScriptCore/jit/JITOpcodes.cpp

@@ -244 +244 @@
 }
 
-void JIT::emitIsCellWithType(Instruction* currentInstruction, JSType type)
+void JIT::emit_op_is_cell_with_type(Instruction* currentInstruction)
 {
     int dst = currentInstruction[1].u.operand;
     int value = currentInstruction[2].u.operand;
+    int type = currentInstruction[3].u.operand;
 
     emitGetVirtualRegister(value, regT0);
@@ -261 +262 @@
     done.link(this);
     emitPutVirtualRegister(dst);
-}
-
-void JIT::emit_op_is_string(Instruction* currentInstruction)
-{
-    emitIsCellWithType(currentInstruction, StringType);
-}
-
-void JIT::emit_op_is_jsarray(Instruction* currentInstruction)
-{
-    emitIsCellWithType(currentInstruction, ArrayType);
-}
-
-void JIT::emit_op_is_proxy_object(Instruction* currentInstruction)
-{
-    emitIsCellWithType(currentInstruction, ProxyObjectType);
-}
-
-void JIT::emit_op_is_derived_array(Instruction* currentInstruction)
-{
-    emitIsCellWithType(currentInstruction, DerivedArrayType);
 }
 

trunk/Source/JavaScriptCore/jit/JITOpcodes32_64.cpp

@@ -355 +355 @@
 }
 
-void JIT::emitIsCellWithType(Instruction* currentInstruction, JSType type)
+void JIT::emit_op_is_cell_with_type(Instruction* currentInstruction)
 {
     int dst = currentInstruction[1].u.operand;
     int value = currentInstruction[2].u.operand;
+    int type = currentInstruction[3].u.operand;
 
     emitLoad(value, regT1, regT0);
@@ -371 +372 @@
     done.link(this);
     emitStoreBool(dst, regT0);
-}
-
-void JIT::emit_op_is_string(Instruction* currentInstruction)
-{
-    emitIsCellWithType(currentInstruction, StringType);
-}
-
-void JIT::emit_op_is_jsarray(Instruction* currentInstruction)
-{
-    emitIsCellWithType(currentInstruction, ArrayType);
-}
-
-void JIT::emit_op_is_proxy_object(Instruction* currentInstruction)
-{
-    emitIsCellWithType(currentInstruction, ProxyObjectType);
-}
-
-void JIT::emit_op_is_derived_array(Instruction* currentInstruction)
-{
-    emitIsCellWithType(currentInstruction, DerivedArrayType);
 }
 

trunk/Source/JavaScriptCore/llint/LLIntData.cpp

@@ -218 +218 @@
     ASSERT(bitwise_cast<uintptr_t>(ShadowChicken::Packet::tailMarker()) == static_cast<uintptr_t>(0x7a11));
 
-    STATIC_ASSERT(OPCODE_LENGTH(op_is_string) == 3);
-    STATIC_ASSERT(OPCODE_LENGTH(op_is_jsarray) == 3);
-    STATIC_ASSERT(OPCODE_LENGTH(op_is_proxy_object) == 3);
-    STATIC_ASSERT(OPCODE_LENGTH(op_is_derived_array) == 3);
-
     // FIXME: make these assertions less horrible.
 #if !ASSERT_DISABLED

trunk/Source/JavaScriptCore/llint/LowLevelInterpreter32_64.asm

@@ -1258 +1258 @@
 
 
-macro isCellWithType(type)
+_llint_op_is_cell_with_type:
+    traceExecution()
     loadi 8[PC], t1
     loadi 4[PC], t2
@@ -1264 +1265 @@
     storei BooleanTag, TagOffset[cfr, t2, 8]
     bineq t0, CellTag, .notCellCase
-    cbeq JSCell::m_type[t3], type, t1
+    loadi 12[PC], t0
+    cbeq JSCell::m_type[t3], t0, t1
     storei t1, PayloadOffset[cfr, t2, 8]
-    dispatch(3)
+    dispatch(4)
 .notCellCase:
     storep 0, PayloadOffset[cfr, t2, 8]
-    dispatch(3)
-end
-
-
-_llint_op_is_string:
-    traceExecution()
-    isCellWithType(StringType)
-
-
-_llint_op_is_jsarray:
-    traceExecution()
-    isCellWithType(ArrayType)
-
-
-_llint_op_is_proxy_object:
-    traceExecution()
-    isCellWithType(ProxyObjectType)
-
-
-_llint_op_is_derived_array:
-    traceExecution()
-    isCellWithType(DerivedArrayType)
+    dispatch(4)
 
 

trunk/Source/JavaScriptCore/llint/LowLevelInterpreter64.asm

@@ -1147 +1147 @@
 
 
-macro isCellWithType(type)
+_llint_op_is_cell_with_type:
+    traceExecution()
+    loadisFromInstruction(3, t3)
     loadisFromInstruction(2, t1)
     loadisFromInstruction(1, t2)
     loadConstantOrVariable(t1, t0)
     btqnz t0, tagMask, .notCellCase
-    cbeq JSCell::m_type[t0], type, t1
+    cbeq JSCell::m_type[t0], t3, t1
     orq ValueFalse, t1
     storeq t1, [cfr, t2, 8]
-    dispatch(3)
+    dispatch(4)
 .notCellCase:
     storeq ValueFalse, [cfr, t2, 8]
-    dispatch(3)
-end
-
-
-_llint_op_is_string:
-    traceExecution()
-    isCellWithType(StringType)
-
-
-_llint_op_is_jsarray:
-    traceExecution()
-    isCellWithType(ArrayType)
-
-
-_llint_op_is_proxy_object:
-    traceExecution()
-    isCellWithType(ProxyObjectType)
-
-
-_llint_op_is_derived_array:
-    traceExecution()
-    isCellWithType(DerivedArrayType)
+    dispatch(4)