Changeset 228411 in webkit
- Timestamp:
- Feb 12, 2018 5:12:28 PM (6 years ago)
- Location:
- trunk/Source/JavaScriptCore
- Files:
-
- 44 edited
-
ChangeLog (modified) (1 diff)
-
dfg/DFGAbstractInterpreterInlines.h (modified) (3 diffs)
-
dfg/DFGAdjacencyList.h (modified) (1 diff)
-
dfg/DFGArgumentsEliminationPhase.cpp (modified) (12 diffs)
-
dfg/DFGBackwardsPropagationPhase.cpp (modified) (2 diffs)
-
dfg/DFGBasicBlock.cpp (modified) (2 diffs)
-
dfg/DFGBasicBlock.h (modified) (2 diffs)
-
dfg/DFGBasicBlockInlines.h (modified) (1 diff)
-
dfg/DFGByteCodeParser.cpp (modified) (1 diff)
-
dfg/DFGCFGSimplificationPhase.cpp (modified) (1 diff)
-
dfg/DFGCPSRethreadingPhase.cpp (modified) (2 diffs)
-
dfg/DFGCSEPhase.cpp (modified) (7 diffs)
-
dfg/DFGCleanUpPhase.cpp (modified) (1 diff)
-
dfg/DFGClobberize.h (modified) (8 diffs)
-
dfg/DFGConstantFoldingPhase.cpp (modified) (13 diffs)
-
dfg/DFGDCEPhase.cpp (modified) (2 diffs)
-
dfg/DFGDoesGC.cpp (modified) (2 diffs)
-
dfg/DFGFixupPhase.cpp (modified) (10 diffs)
-
dfg/DFGHeapLocation.cpp (modified) (1 diff)
-
dfg/DFGHeapLocation.h (modified) (1 diff)
-
dfg/DFGIntegerCheckCombiningPhase.cpp (modified) (1 diff)
-
dfg/DFGIntegerRangeOptimizationPhase.cpp (modified) (2 diffs)
-
dfg/DFGLICMPhase.cpp (modified) (1 diff)
-
dfg/DFGMayExit.cpp (modified) (1 diff)
-
dfg/DFGNode.cpp (modified) (2 diffs)
-
dfg/DFGNode.h (modified) (2 diffs)
-
dfg/DFGNodeType.h (modified) (3 diffs)
-
dfg/DFGObjectAllocationSinkingPhase.cpp (modified) (4 diffs)
-
dfg/DFGPredictionPropagationPhase.cpp (modified) (2 diffs)
-
dfg/DFGPureValue.cpp (modified) (1 diff)
-
dfg/DFGPureValue.h (modified) (1 diff)
-
dfg/DFGPutStackSinkingPhase.cpp (modified) (1 diff)
-
dfg/DFGSSAConversionPhase.cpp (modified) (4 diffs)
-
dfg/DFGSSALoweringPhase.cpp (modified) (2 diffs)
-
dfg/DFGSafeToExecute.h (modified) (2 diffs)
-
dfg/DFGSpeculativeJIT.cpp (modified) (13 diffs)
-
dfg/DFGSpeculativeJIT.h (modified) (1 diff)
-
dfg/DFGSpeculativeJIT32_64.cpp (modified) (12 diffs)
-
dfg/DFGSpeculativeJIT64.cpp (modified) (11 diffs)
-
dfg/DFGStoreBarrierClusteringPhase.cpp (modified) (1 diff)
-
dfg/DFGValidate.cpp (modified) (1 diff)
-
dfg/DFGVarargsForwardingPhase.cpp (modified) (2 diffs)
-
ftl/FTLCapabilities.cpp (modified) (2 diffs)
-
ftl/FTLLowerDFGToB3.cpp (modified) (21 diffs)
Legend:
- Unmodified
- Added
- Removed
-
trunk/Source/JavaScriptCore/ChangeLog
r228402 r228411 1 2018-02-12 Saam Barati <sbarati@apple.com> 2 3 Add a GetIndexMask node and make it an input to GetByVal for array and typed array accesses in DFG SSA 4 https://bugs.webkit.org/show_bug.cgi?id=182633 5 <rdar://problem/37441037> 6 7 Reviewed by Keith Miller. 8 9 This patch introduces a GetIndexMask node to DFG SSA. This is an input to 10 GetByVal for the GetByVal variants that do conservative index masking. 11 The reason I'm adding this node is I realized there were loads of 12 the butterfly index mask inside loops that B3 couldn't reason about 13 because B3 can't arbitrarily hoist loads out of loops if those loops 14 have side exits (because the side exit might be protecting the safety of the 15 load). However, for these loops I analyzed, the DFG would be able to hoist 16 these loads out of loops because it knows about JS semantics to correctly 17 reason about the safety of hoisting the load. 18 19 This is a 1% speedup on JetStream on Mac and iOS in my testing. 20 21 This patch also adds some infrastructure for eliminating and doing CSE on 22 varargs nodes. Because this patch makes GetByVal a varargs node, I ran into 23 issues we never had before. We never had a varargs node that could be CSEd or be 24 hoisted out of a loop until I made GetByVal varargs. To make it all work, 25 I added a CheckVarargs node. This is just like Check, but it's varargs. 26 27 * dfg/DFGAbstractInterpreterInlines.h: 28 (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects): 29 * dfg/DFGAdjacencyList.h: 30 (JSC::DFG::AdjacencyList::AdjacencyList): 31 * dfg/DFGArgumentsEliminationPhase.cpp: 32 * dfg/DFGBackwardsPropagationPhase.cpp: 33 (JSC::DFG::BackwardsPropagationPhase::propagate): 34 * dfg/DFGBasicBlock.cpp: 35 (JSC::DFG::BasicBlock::replaceTerminal): 36 * dfg/DFGBasicBlock.h: 37 (JSC::DFG::BasicBlock::findTerminal const): 38 * dfg/DFGBasicBlockInlines.h: 39 (JSC::DFG::BasicBlock::replaceTerminal): 40 * dfg/DFGByteCodeParser.cpp: 41 (JSC::DFG::ByteCodeParser::parseBlock): 42 * dfg/DFGCFGSimplificationPhase.cpp: 43 (JSC::DFG::CFGSimplificationPhase::mergeBlocks): 44 * dfg/DFGCPSRethreadingPhase.cpp: 45 (JSC::DFG::CPSRethreadingPhase::canonicalizeGetLocalFor): 46 (JSC::DFG::CPSRethreadingPhase::canonicalizeFlushOrPhantomLocalFor): 47 * dfg/DFGCSEPhase.cpp: 48 * dfg/DFGCleanUpPhase.cpp: 49 (JSC::DFG::CleanUpPhase::run): 50 * dfg/DFGClobberize.h: 51 (JSC::DFG::clobberize): 52 * dfg/DFGConstantFoldingPhase.cpp: 53 (JSC::DFG::ConstantFoldingPhase::foldConstants): 54 (JSC::DFG::ConstantFoldingPhase::fixUpsilons): 55 * dfg/DFGDCEPhase.cpp: 56 (JSC::DFG::DCEPhase::run): 57 (JSC::DFG::DCEPhase::fixupBlock): 58 * dfg/DFGDoesGC.cpp: 59 (JSC::DFG::doesGC): 60 * dfg/DFGFixupPhase.cpp: 61 (JSC::DFG::FixupPhase::fixupNode): 62 (JSC::DFG::FixupPhase::fixupChecksInBlock): 63 * dfg/DFGHeapLocation.cpp: 64 (WTF::printInternal): 65 * dfg/DFGHeapLocation.h: 66 * dfg/DFGIntegerCheckCombiningPhase.cpp: 67 (JSC::DFG::IntegerCheckCombiningPhase::handleBlock): 68 * dfg/DFGIntegerRangeOptimizationPhase.cpp: 69 * dfg/DFGLICMPhase.cpp: 70 (JSC::DFG::LICMPhase::attemptHoist): 71 * dfg/DFGMayExit.cpp: 72 * dfg/DFGNode.cpp: 73 (JSC::DFG::Node::remove): 74 (JSC::DFG::Node::convertToIdentityOn): 75 * dfg/DFGNode.h: 76 (JSC::DFG::Node::replaceWith): 77 * dfg/DFGNodeType.h: 78 * dfg/DFGObjectAllocationSinkingPhase.cpp: 79 * dfg/DFGPredictionPropagationPhase.cpp: 80 * dfg/DFGPureValue.cpp: 81 (JSC::DFG::PureValue::dump const): 82 * dfg/DFGPureValue.h: 83 (JSC::DFG::PureValue::PureValue): 84 * dfg/DFGPutStackSinkingPhase.cpp: 85 * dfg/DFGSSAConversionPhase.cpp: 86 (JSC::DFG::SSAConversionPhase::run): 87 * dfg/DFGSSALoweringPhase.cpp: 88 (JSC::DFG::SSALoweringPhase::handleNode): 89 * dfg/DFGSafeToExecute.h: 90 (JSC::DFG::safeToExecute): 91 * dfg/DFGSpeculativeJIT.cpp: 92 (JSC::DFG::SpeculativeJIT::SpeculativeJIT): 93 (JSC::DFG::SpeculativeJIT::compileGetByValOnString): 94 (JSC::DFG::SpeculativeJIT::compileGetByValOnIntTypedArray): 95 (JSC::DFG::SpeculativeJIT::compileGetByValOnFloatTypedArray): 96 (JSC::DFG::SpeculativeJIT::compileGetByValForObjectWithString): 97 (JSC::DFG::SpeculativeJIT::compileGetByValForObjectWithSymbol): 98 (JSC::DFG::SpeculativeJIT::compileGetByValOnDirectArguments): 99 (JSC::DFG::SpeculativeJIT::compileGetByValOnScopedArguments): 100 * dfg/DFGSpeculativeJIT.h: 101 * dfg/DFGSpeculativeJIT32_64.cpp: 102 (JSC::DFG::SpeculativeJIT::compile): 103 * dfg/DFGSpeculativeJIT64.cpp: 104 (JSC::DFG::SpeculativeJIT::compile): 105 * dfg/DFGStoreBarrierClusteringPhase.cpp: 106 * dfg/DFGValidate.cpp: 107 * dfg/DFGVarargsForwardingPhase.cpp: 108 * ftl/FTLCapabilities.cpp: 109 (JSC::FTL::canCompile): 110 * ftl/FTLLowerDFGToB3.cpp: 111 (JSC::FTL::DFG::LowerDFGToB3::compileNode): 112 (JSC::FTL::DFG::LowerDFGToB3::compileGetArrayMask): 113 (JSC::FTL::DFG::LowerDFGToB3::compileGetByVal): 114 (JSC::FTL::DFG::LowerDFGToB3::compileStringCharAt): 115 (JSC::FTL::DFG::LowerDFGToB3::maskedIndex): 116 (JSC::FTL::DFG::LowerDFGToB3::pointerIntoTypedArray): 117 1 118 2018-02-12 Mark Lam <mark.lam@apple.com> 2 119 -
trunk/Source/JavaScriptCore/dfg/DFGAbstractInterpreterInlines.h
r228035 r228411 1732 1732 break; 1733 1733 case Array::Undecided: { 1734 JSValue index = forNode( node->child2()).value();1734 JSValue index = forNode(m_graph.child(node, 1)).value(); 1735 1735 if (index && index.isInt32() && index.asInt32() >= 0) { 1736 1736 setConstant(node, jsUndefined()); … … 2526 2526 break; 2527 2527 } 2528 2529 case GetArrayMask: 2530 forNode(node).setType(SpecInt32Only); 2531 break; 2528 2532 2529 2533 case GetVectorLength: { … … 3345 3349 break; 3346 3350 3351 case CheckVarargs: 3347 3352 case Check: { 3348 3353 // Simplify out checks that don't actually do checking. 3349 for (unsigned i = 0; i < AdjacencyList::Size; ++i) { 3350 Edge edge = node->children.child(i); 3354 m_graph.doToChildren(node, [&] (Edge edge) { 3351 3355 if (!edge) 3352 break;3353 if (edge.isProved() || edge.willNotHaveCheck()) {3356 return; 3357 if (edge.isProved() || edge.willNotHaveCheck()) 3354 3358 m_state.setFoundConstants(true); 3355 break; 3356 } 3357 } 3359 }); 3358 3360 break; 3359 3361 } -
trunk/Source/JavaScriptCore/dfg/DFGAdjacencyList.h
r218794 r228411 62 62 setFirstChild(firstChild); 63 63 setNumChildren(numChildren); 64 // We need to make sure this is the empty value so equivalent adjacency 65 // lists produce identical hashes. 66 m_words[2] = Edge(); 64 67 } 65 68 -
trunk/Source/JavaScriptCore/dfg/DFGArgumentsEliminationPhase.cpp
r228035 r228411 315 315 316 316 case GetByVal: 317 escapeBasedOnArrayMode(node->arrayMode(), node->child1(), node); 318 escape(node->child2(), node); 319 escape(node->child3(), node); 317 escapeBasedOnArrayMode(node->arrayMode(), m_graph.varArgChild(node, 0), node); 318 escape(m_graph.varArgChild(node, 1), node); 319 escape(m_graph.varArgChild(node, 2), node); 320 escape(m_graph.varArgChild(node, 3), node); 320 321 break; 321 322 … … 323 324 // FIXME: It would not be hard to support NewArrayWithSpread here if it is only over Spread(CreateRest) nodes. 324 325 escape(node->child2(), node); 326 break; 327 328 case GetArrayMask: 325 329 break; 326 330 … … 372 376 373 377 case Check: 378 case CheckVarargs: 374 379 m_graph.doToChildren( 375 380 node, … … 720 725 break; 721 726 722 // Meh, this is kind of hackish - we use an Identity so that we can reuse the723 // getArrayLength() helper.724 727 node->convertToIdentityOn(getArrayLength(candidate)); 728 break; 729 } 730 731 case GetArrayMask: { 732 Node* candidate = node->child1().node(); 733 if (!isEliminatedAllocation(candidate)) 734 break; 735 736 // NOTE: This is valid because the only user of this node at the moment is GetByVal. 737 // If the candidate is eliminated, it must also be eliminated for all GetByVal users. 738 // Therefore, we'll transform those GetByVal nodes to no longer use us. If we introduce 739 // other users of this node, we'll need to change this code. That would be easy: just 740 // introduce a ComputeArrayMask node, and transform this into ComputeArrayMask(getArrayLength(candidate)). 741 node->convertToConstant(m_graph.freeze(jsNumber(0))); 725 742 break; 726 743 } … … 734 751 // https://bugs.webkit.org/show_bug.cgi?id=143076 735 752 736 Node* candidate = node->child1().node();753 Node* candidate = m_graph.varArgChild(node, 0).node(); 737 754 if (!isEliminatedAllocation(candidate)) 738 755 break; … … 743 760 744 761 Node* result = nullptr; 745 if ( node->child2()->isInt32Constant()) {746 unsigned index = node->child2()->asUInt32();762 if (m_graph.varArgChild(node, 1)->isInt32Constant()) { 763 unsigned index = m_graph.varArgChild(node, 1)->asUInt32(); 747 764 InlineCallFrame* inlineCallFrame = candidate->origin.semantic.inlineCallFrame; 748 765 index += numberOfArgumentsToSkip; … … 765 782 insertionSet.insertNode( 766 783 nodeIndex, SpecNone, CheckInBounds, node->origin, 767 node->child2(), Edge(getArrayLength(candidate), Int32Use));784 m_graph.varArgChild(node, 1), Edge(getArrayLength(candidate), Int32Use)); 768 785 } 769 786 … … 781 798 result = insertionSet.insertNode( 782 799 nodeIndex, node->prediction(), op, node->origin, OpInfo(numberOfArgumentsToSkip), 783 node->child1(), node->child2());800 m_graph.varArgChild(node, 0), m_graph.varArgChild(node, 1)); 784 801 } 785 802 … … 945 962 } 946 963 947 node->remove( );964 node->remove(m_graph); 948 965 node->origin.exitOK = canExit; 949 966 break; … … 1010 1027 } 1011 1028 1012 node->remove( );1029 node->remove(m_graph); 1013 1030 node->origin.exitOK = canExit; 1014 1031 break; … … 1187 1204 if (!isEliminatedAllocation(node->child1().node())) 1188 1205 break; 1189 node->remove( );1206 node->remove(m_graph); 1190 1207 break; 1191 1208 } … … 1196 1213 break; 1197 1214 node->child1() = Edge(); // Remove the cell check since we've proven it's not needed and FTL lowering might botch this. 1198 node->remove( );1215 node->remove(m_graph); 1199 1216 break; 1200 1217 -
trunk/Source/JavaScriptCore/dfg/DFGBackwardsPropagationPhase.cpp
r224276 r228411 205 205 case MovHint: 206 206 case Check: 207 case CheckVarargs: 207 208 break; 208 209 … … 352 353 353 354 case GetByVal: { 354 node->child1()->mergeFlags(NodeBytecodeUsesAsValue);355 node->child2()->mergeFlags(NodeBytecodeUsesAsNumber | NodeBytecodeUsesAsOther | NodeBytecodeUsesAsInt | NodeBytecodeUsesAsArrayIndex);355 m_graph.varArgChild(node, 0)->mergeFlags(NodeBytecodeUsesAsValue); 356 m_graph.varArgChild(node, 1)->mergeFlags(NodeBytecodeUsesAsNumber | NodeBytecodeUsesAsOther | NodeBytecodeUsesAsInt | NodeBytecodeUsesAsArrayIndex); 356 357 break; 357 358 } -
trunk/Source/JavaScriptCore/dfg/DFGBasicBlock.cpp
r224689 r228411 73 73 } 74 74 75 void BasicBlock::replaceTerminal( Node* node)75 void BasicBlock::replaceTerminal(Graph& graph, Node* node) 76 76 { 77 77 NodeAndIndex result = findTerminal(); … … 80 80 else { 81 81 m_nodes.insert(result.index + 1, node); 82 result.node->remove( );82 result.node->remove(graph); 83 83 } 84 84 -
trunk/Source/JavaScriptCore/dfg/DFGBasicBlock.h
r224689 r228411 88 88 // The bitter end can contain Phantoms and the like. There will probably only be one or two nodes after the terminal. They are all no-ops and will not have any checked children. 89 89 case Check: // This is here because it's our universal no-op. 90 case CheckVarargs: 90 91 case Phantom: 91 92 case PhantomLocal: … … 117 118 } 118 119 119 void replaceTerminal( Node*);120 void replaceTerminal(Graph&, Node*); 120 121 121 122 size_t numNodes() const { return phis.size() + size(); } -
trunk/Source/JavaScriptCore/dfg/DFGBasicBlockInlines.h
r206525 r228411 53 53 { 54 54 Node* result = graph.addNode(type, params...); 55 replaceTerminal( result);55 replaceTerminal(graph, result); 56 56 return result; 57 57 } -
trunk/Source/JavaScriptCore/dfg/DFGByteCodeParser.cpp
r228031 r228411 4980 4980 else { 4981 4981 ArrayMode arrayMode = getArrayMode(currentInstruction[4].u.arrayProfile, Array::Read); 4982 Node* getByVal = addToGraph(GetByVal, OpInfo(arrayMode.asWord()), OpInfo(prediction), base, property); 4982 addVarArgChild(base); 4983 addVarArgChild(property); 4984 addVarArgChild(0); // Leave room for property storage. 4985 if (isFTL(m_graph.m_plan.mode)) 4986 addVarArgChild(0); // Leave room for the array mask. 4987 Node* getByVal = addToGraph(Node::VarArg, GetByVal, OpInfo(arrayMode.asWord()), OpInfo(prediction)); 4983 4988 m_exitOK = false; // GetByVal must be treated as if it clobbers exit state, since FixupPhase may make it generic. 4984 4989 set(VirtualRegister(currentInstruction[1].u.operand), getByVal); -
trunk/Source/JavaScriptCore/dfg/DFGCFGSimplificationPhase.cpp
r217287 r228411 340 340 ASSERT(terminal->isTerminal()); 341 341 NodeOrigin boundaryNodeOrigin = terminal->origin; 342 terminal->remove( );342 terminal->remove(m_graph); 343 343 ASSERT(terminal->refCount() == 1); 344 344 -
trunk/Source/JavaScriptCore/dfg/DFGCPSRethreadingPhase.cpp
r221637 r228411 188 188 if (otherNode->op() == GetLocal) { 189 189 // Replace all references to this GetLocal with otherNode. 190 node->replaceWith( otherNode);190 node->replaceWith(m_graph, otherNode); 191 191 return; 192 192 } 193 193 194 194 ASSERT(otherNode->op() == SetLocal); 195 node->replaceWith( otherNode->child1().node());195 node->replaceWith(m_graph, otherNode->child1().node()); 196 196 return; 197 197 } … … 241 241 // keep the last MovHinted value of that local alive. 242 242 243 node->remove( );243 node->remove(m_graph); 244 244 return; 245 245 } -
trunk/Source/JavaScriptCore/dfg/DFGCSEPhase.cpp
r222115 r228411 450 450 451 451 if (m_node->op() == Identity || m_node->op() == IdentityWithProfile) { 452 m_node->replaceWith(m_ node->child1().node());452 m_node->replaceWith(m_graph, m_node->child1().node()); 453 453 m_changed = true; 454 454 } else { … … 533 533 return; 534 534 535 m_node->replaceWith(m atch);535 m_node->replaceWith(m_graph, match); 536 536 m_changed = true; 537 537 } … … 565 565 match.ensureIsNode(m_insertionSet, m_block, 0)->owner = m_block; 566 566 ASSERT(match.isNode()); 567 m_node->replaceWith(m atch.asNode());567 m_node->replaceWith(m_graph, match.asNode()); 568 568 m_changed = true; 569 569 } … … 653 653 654 654 if (m_node->op() == Identity || m_node->op() == IdentityWithProfile) { 655 m_node->replaceWith(m_ node->child1().node());655 m_node->replaceWith(m_graph, m_node->child1().node()); 656 656 m_changed = true; 657 657 } else … … 694 694 Node* candidate = result.iterator->value[i]; 695 695 if (m_graph.m_ssaDominators->dominates(candidate->owner, m_block)) { 696 m_node->replaceWith( candidate);696 m_node->replaceWith(m_graph, candidate); 697 697 m_changed = true; 698 698 return; … … 861 861 if (m_graph.m_ssaDominators->dominates(candidate->owner, m_block)) { 862 862 ASSERT(candidate); 863 match->replaceWith( candidate);863 match->replaceWith(m_graph, candidate); 864 864 match.setNode(candidate); 865 865 replaced = true; … … 872 872 } 873 873 ASSERT(match.asNode()); 874 m_node->replaceWith(m atch.asNode());874 m_node->replaceWith(m_graph, match.asNode()); 875 875 m_changed = true; 876 876 } -
trunk/Source/JavaScriptCore/dfg/DFGCleanUpPhase.cpp
r203808 r228411 65 65 kill = true; 66 66 break; 67 case CheckVarargs: 68 kill = true; 69 m_graph.doToChildren(node, [&] (Edge edge) { 70 kill &= !edge; 71 }); 72 break; 67 73 default: 68 74 break; -
trunk/Source/JavaScriptCore/dfg/DFGClobberize.h
r227742 r228411 141 141 case Phantom: 142 142 case Check: 143 case CheckVarargs: 143 144 case ExtractOSREntryLocal: 144 145 case ExtractCatchLocal: … … 794 795 if (mode.isInBounds()) { 795 796 read(DirectArgumentsProperties); 796 def(HeapLocation(indexedPropertyLoc, DirectArgumentsProperties, node->child1(), node->child2()), LazyNode(node));797 def(HeapLocation(indexedPropertyLoc, DirectArgumentsProperties, graph.varArgChild(node, 0), graph.varArgChild(node, 1)), LazyNode(node)); 797 798 return; 798 799 } … … 803 804 case Array::ScopedArguments: 804 805 read(ScopeProperties); 805 def(HeapLocation(indexedPropertyLoc, ScopeProperties, node->child1(), node->child2()), LazyNode(node));806 def(HeapLocation(indexedPropertyLoc, ScopeProperties, graph.varArgChild(node, 0), graph.varArgChild(node, 1)), LazyNode(node)); 806 807 return; 807 808 … … 810 811 read(Butterfly_publicLength); 811 812 read(IndexedInt32Properties); 812 def(HeapLocation(indexedPropertyLoc, IndexedInt32Properties, node->child1(), node->child2()), LazyNode(node));813 def(HeapLocation(indexedPropertyLoc, IndexedInt32Properties, graph.varArgChild(node, 0), graph.varArgChild(node, 1)), LazyNode(node)); 813 814 return; 814 815 } … … 821 822 read(Butterfly_publicLength); 822 823 read(IndexedDoubleProperties); 823 def(HeapLocation(indexedPropertyLoc, IndexedDoubleProperties, node->child1(), node->child2()), LazyNode(node));824 def(HeapLocation(indexedPropertyLoc, IndexedDoubleProperties, graph.varArgChild(node, 0), graph.varArgChild(node, 1)), LazyNode(node)); 824 825 return; 825 826 } … … 832 833 read(Butterfly_publicLength); 833 834 read(IndexedContiguousProperties); 834 def(HeapLocation(indexedPropertyLoc, IndexedContiguousProperties, node->child1(), node->child2()), LazyNode(node));835 def(HeapLocation(indexedPropertyLoc, IndexedContiguousProperties, graph.varArgChild(node, 0), graph.varArgChild(node, 1)), LazyNode(node)); 835 836 return; 836 837 } … … 865 866 read(TypedArrayProperties); 866 867 read(MiscFields); 867 def(HeapLocation(indexedPropertyLoc, TypedArrayProperties, node->child1(), node->child2()), LazyNode(node));868 def(HeapLocation(indexedPropertyLoc, TypedArrayProperties, graph.varArgChild(node, 0), graph.varArgChild(node, 1)), LazyNode(node)); 868 869 return; 869 870 // We should not get an AnyTypedArray in a GetByVal as AnyTypedArray is only created from intrinsics, which … … 1203 1204 } 1204 1205 1206 case GetArrayMask: 1207 read(JSObject_butterflyMask); 1208 def(HeapLocation(ArrayMaskLoc, JSObject_butterflyMask, node->child1()), LazyNode(node)); 1209 return; 1210 1205 1211 case GetArrayLength: { 1206 1212 ArrayMode mode = node->arrayMode(); -
trunk/Source/JavaScriptCore/dfg/DFGConstantFoldingPhase.cpp
r227136 r228411 185 185 if (value.m_structure.isSubsetOf(set)) { 186 186 m_interpreter.execute(indexInBlock); // Catch the fact that we may filter on cell. 187 node->remove( );187 node->remove(m_graph); 188 188 eliminated = true; 189 189 break; … … 197 197 if (constant.isCell() && constant.asCell()->inherits(m_graph.m_vm, node->classInfo())) { 198 198 m_interpreter.execute(indexInBlock); 199 node->remove( );199 node->remove(m_graph); 200 200 eliminated = true; 201 201 break; … … 207 207 if (value.m_structure.isSubClassOf(node->classInfo())) { 208 208 m_interpreter.execute(indexInBlock); 209 node->remove( );209 node->remove(m_graph); 210 210 eliminated = true; 211 211 break; … … 245 245 if (set.contains(m_graph.registerStructure(structure))) { 246 246 m_interpreter.execute(indexInBlock); 247 node->remove( );247 node->remove(m_graph); 248 248 eliminated = true; 249 249 break; … … 265 265 if (allGood) { 266 266 m_interpreter.execute(indexInBlock); 267 node->remove( );267 node->remove(m_graph); 268 268 eliminated = true; 269 269 break; … … 277 277 if (!node->arrayMode().alreadyChecked(m_graph, node, m_state.forNode(node->child1()))) 278 278 break; 279 node->remove( );279 node->remove(m_graph); 280 280 eliminated = true; 281 281 break; … … 286 286 break; 287 287 288 node->remove( );288 node->remove(m_graph); 289 289 eliminated = true; 290 290 break; … … 294 294 if (m_state.forNode(node->child1()).value() != node->cellOperand()->value()) 295 295 break; 296 node->remove( );296 node->remove(m_graph); 297 297 eliminated = true; 298 298 break; … … 303 303 if (m_state.forNode(node->child1()).m_type & SpecEmpty) 304 304 break; 305 node->remove( );305 node->remove(m_graph); 306 306 eliminated = true; 307 307 break; … … 327 327 328 328 if (constantUid == uid) { 329 node->remove( );329 node->remove(m_graph); 330 330 eliminated = true; 331 331 } … … 338 338 if (left && right && left.isInt32() && right.isInt32() 339 339 && static_cast<uint32_t>(left.asInt32()) < static_cast<uint32_t>(right.asInt32())) { 340 node->remove( );340 node->remove(m_graph); 341 341 eliminated = true; 342 342 break; … … 708 708 } 709 709 } 710 break; 711 } 712 713 case CheckVarargs: { 714 alreadyHandled = true; 715 m_interpreter.execute(indexInBlock); 716 unsigned targetIndex = 0; 717 for (unsigned i = 0; i < node->numChildren(); ++i) { 718 Edge& edge = m_graph.varArgChild(node, i); 719 if (!edge) 720 continue; 721 if (edge.isProved() || edge.willNotHaveCheck()) { 722 edge = Edge(); 723 changed = true; 724 continue; 725 } 726 Edge& dst = m_graph.varArgChild(node, targetIndex++); 727 std::swap(dst, edge); 728 } 729 node->children.setNumChildren(targetIndex); 710 730 break; 711 731 } … … 999 1019 case DoubleConstant: 1000 1020 case Int52Constant: 1001 node->remove( );1021 node->remove(m_graph); 1002 1022 break; 1003 1023 default: -
trunk/Source/JavaScriptCore/dfg/DFGDCEPhase.cpp
r221637 r228411 72 72 continue; 73 73 break; 74 case CheckVarargs: { 75 bool isEmpty = true; 76 m_graph.doToChildren(node, [&] (Edge edge) { 77 isEmpty &= !edge; 78 }); 79 if (isEmpty) 80 continue; 81 break; 82 } 74 83 default: 75 84 break; … … 127 136 } 128 137 129 node->remove( );138 node->remove(m_graph); 130 139 node->setRefCount(1); 131 140 } -
trunk/Source/JavaScriptCore/dfg/DFGDoesGC.cpp
r228018 r228411 230 230 case ConstantStoragePointer: 231 231 case Check: 232 case CheckVarargs: 232 233 case CheckTypeInfoFlags: 233 234 case MultiGetByOffset: … … 241 242 case GetIndexedPropertyStorage: 242 243 case GetArrayLength: 244 case GetArrayMask: 243 245 case GetVectorLength: 244 246 case ArrayPush: -
trunk/Source/JavaScriptCore/dfg/DFGFixupPhase.cpp
r228035 r228411 711 711 node->arrayMode().refine( 712 712 m_graph, node, 713 node->child1()->prediction(),714 node->child2()->prediction(),713 m_graph.varArgChild(node, 0)->prediction(), 714 m_graph.varArgChild(node, 1)->prediction(), 715 715 SpecNone)); 716 716 717 blessArrayOperation( node->child1(), node->child2(), node->child3());717 blessArrayOperation(m_graph.varArgChild(node, 0), m_graph.varArgChild(node, 1), m_graph.varArgChild(node, 2)); 718 718 719 719 ArrayMode arrayMode = node->arrayMode(); … … 794 794 break; 795 795 case Array::Generic: 796 if ( node->child1()->shouldSpeculateObject()) {797 if ( node->child2()->shouldSpeculateString()) {798 fixEdge<ObjectUse>( node->child1());799 fixEdge<StringUse>( node->child2());796 if (m_graph.varArgChild(node, 0)->shouldSpeculateObject()) { 797 if (m_graph.varArgChild(node, 1)->shouldSpeculateString()) { 798 fixEdge<ObjectUse>(m_graph.varArgChild(node, 0)); 799 fixEdge<StringUse>(m_graph.varArgChild(node, 1)); 800 800 break; 801 801 } 802 802 803 if ( node->child2()->shouldSpeculateSymbol()) {804 fixEdge<ObjectUse>( node->child1());805 fixEdge<SymbolUse>( node->child2());803 if (m_graph.varArgChild(node, 1)->shouldSpeculateSymbol()) { 804 fixEdge<ObjectUse>(m_graph.varArgChild(node, 0)); 805 fixEdge<SymbolUse>(m_graph.varArgChild(node, 1)); 806 806 break; 807 807 } 808 808 } 809 809 #if USE(JSVALUE32_64) 810 fixEdge<CellUse>( node->child1()); // Speculating cell due to register pressure on 32-bit.810 fixEdge<CellUse>(m_graph.varArgChild(node, 0)); // Speculating cell due to register pressure on 32-bit. 811 811 #endif 812 812 break; … … 814 814 break; 815 815 default: 816 fixEdge<KnownCellUse>( node->child1());817 fixEdge<Int32Use>( node->child2());816 fixEdge<KnownCellUse>(m_graph.varArgChild(node, 0)); 817 fixEdge<Int32Use>(m_graph.varArgChild(node, 1)); 818 818 break; 819 819 } … … 1568 1568 } 1569 1569 1570 case CheckVarargs: 1570 1571 case Check: { 1571 1572 m_graph.doToChildren( … … 1587 1588 case Phantom: 1588 1589 // Phantoms are meaningless past Fixup. We recreate them on-demand in the backend. 1589 node->remove( );1590 node->remove(m_graph); 1590 1591 break; 1591 1592 … … 1766 1767 if (node->child1()->shouldSpeculateInt32()) { 1767 1768 fixEdge<Int32Use>(node->child1()); 1768 node->remove( );1769 node->remove(m_graph); 1769 1770 break; 1770 1771 } … … 1772 1773 if (enableInt52()) { 1773 1774 fixEdge<AnyIntUse>(node->child1()); 1774 node->remove( );1775 node->remove(m_graph); 1775 1776 break; 1776 1777 } … … 1781 1782 if (typeSet->doesTypeConformTo(TypeNumber | TypeAnyInt)) { 1782 1783 fixEdge<NumberUse>(node->child1()); 1783 node->remove( );1784 node->remove(m_graph); 1784 1785 } else if (typeSet->doesTypeConformTo(TypeString)) { 1785 1786 fixEdge<StringUse>(node->child1()); 1786 node->remove( );1787 node->remove(m_graph); 1787 1788 } else if (typeSet->doesTypeConformTo(TypeBoolean)) { 1788 1789 fixEdge<BooleanUse>(node->child1()); 1789 node->remove( );1790 node->remove(m_graph); 1790 1791 } else if (typeSet->doesTypeConformTo(TypeUndefined | TypeNull) && (seenTypes & TypeUndefined) && (seenTypes & TypeNull)) { 1791 1792 fixEdge<OtherUse>(node->child1()); 1792 node->remove( );1793 node->remove(m_graph); 1793 1794 } else if (typeSet->doesTypeConformTo(TypeObject)) { 1794 1795 StructureSet set; … … 2183 2184 case ExtractValueFromWeakMapGet: 2184 2185 case CPUIntrinsic: 2186 case GetArrayMask: 2185 2187 break; 2186 2188 #else … … 3464 3466 case MovHint: 3465 3467 case Check: 3468 case CheckVarargs: 3466 3469 m_graph.doToChildren( 3467 3470 node, -
trunk/Source/JavaScriptCore/dfg/DFGHeapLocation.cpp
r225307 r228411 89 89 return; 90 90 91 case ArrayMaskLoc: 92 out.print("ArrayMaskLoc"); 93 return; 94 91 95 case VectorLengthLoc: 92 96 out.print("VectorLengthLoc"); -
trunk/Source/JavaScriptCore/dfg/DFGHeapLocation.h
r225307 r228411 38 38 39 39 ArrayLengthLoc, 40 ArrayMaskLoc, 40 41 VectorLengthLoc, 41 42 ButterflyLoc, -
trunk/Source/JavaScriptCore/dfg/DFGIntegerCheckCombiningPhase.cpp
r222007 r228411 285 285 286 286 case ArrayBounds: 287 node->remove( );287 node->remove(m_graph); 288 288 m_changed = true; 289 289 break; -
trunk/Source/JavaScriptCore/dfg/DFGIntegerRangeOptimizationPhase.cpp
r223318 r228411 1331 1331 if (nonNegative && lessThanLength) { 1332 1332 executeNode(block->at(nodeIndex)); 1333 node->remove( );1333 node->remove(m_graph); 1334 1334 changed = true; 1335 1335 } … … 1341 1341 break; 1342 1342 1343 auto iter = m_relationships.find( node->child2().node());1343 auto iter = m_relationships.find(m_graph.varArgChild(node, 1).node()); 1344 1344 if (iter == m_relationships.end()) 1345 1345 break; -
trunk/Source/JavaScriptCore/dfg/DFGLICMPhase.cpp
r228035 r228411 344 344 } 345 345 346 // It just so happens that all of the nodes we currently know how to hoist 347 // don't have var-arg children. That may change and then we can fix this 348 // code. But for now we just assert that's the case. 349 DFG_ASSERT(m_graph, node, !(node->flags() & NodeHasVarArgs), node->op(), node->flags()); 350 351 nodeRef = m_graph.addNode(Check, originalOrigin, node->children); 346 nodeRef = m_graph.addNode((node->flags() & NodeHasVarArgs) ? CheckVarargs : Check, originalOrigin, node->children); 352 347 353 348 return true; -
trunk/Source/JavaScriptCore/dfg/DFGMayExit.cpp
r227410 r228411 59 59 case Phantom: 60 60 case Check: 61 case CheckVarargs: 61 62 case Identity: 62 63 case IdentityWithProfile: -
trunk/Source/JavaScriptCore/dfg/DFGNode.cpp
r227107 r228411 82 82 } 83 83 84 void Node::remove() 85 { 86 ASSERT(!(flags() & NodeHasVarArgs)); 87 88 children = children.justChecks(); 89 90 setOpAndDefaultFlags(Check); 84 void Node::remove(Graph& graph) 85 { 86 if (flags() & NodeHasVarArgs) { 87 unsigned targetIndex = 0; 88 for (unsigned i = 0; i < numChildren(); ++i) { 89 Edge& edge = graph.varArgChild(this, i); 90 if (!edge) 91 continue; 92 if (edge.willHaveCheck()) { 93 Edge& dst = graph.varArgChild(this, targetIndex++); 94 std::swap(dst, edge); 95 continue; 96 } 97 edge = Edge(); 98 } 99 setOpAndDefaultFlags(CheckVarargs); 100 children.setNumChildren(targetIndex); 101 } else { 102 children = children.justChecks(); 103 setOpAndDefaultFlags(Check); 104 } 91 105 } 92 106 … … 103 117 { 104 118 children.reset(); 119 clearFlags(NodeHasVarArgs); 105 120 child1() = child->defaultEdge(); 106 121 NodeFlags output = canonicalResultRepresentation(this->result()); -
trunk/Source/JavaScriptCore/dfg/DFGNode.h
r227462 r228411 431 431 } 432 432 433 void remove( );433 void remove(Graph&); 434 434 435 435 void convertToCheckStructure(RegisteredStructureSet* set) … … 452 452 } 453 453 454 void replaceWith( Node* other)455 { 456 remove( );454 void replaceWith(Graph& graph, Node* other) 455 { 456 remove(graph); 457 457 setReplacement(other); 458 458 } -
trunk/Source/JavaScriptCore/dfg/DFGNodeType.h
r227723 r228411 80 80 macro(Phantom, NodeMustGenerate) \ 81 81 macro(Check, NodeMustGenerate) /* Used if we want just a type check but not liveness. Non-checking uses will be removed. */\ 82 macro(CheckVarargs, NodeMustGenerate | NodeHasVarArgs) /* Used if we want just a type check but not liveness. Non-checking uses will be removed. */\ 82 83 macro(Upsilon, 0) \ 83 84 macro(Phi, 0) \ … … 172 173 /* this must be the directly subsequent property put. Note that PutByVal */\ 173 174 /* opcodes use VarArgs beause they may have up to 4 children. */\ 174 macro(GetByVal, NodeResultJS | NodeMustGenerate ) \175 macro(GetByVal, NodeResultJS | NodeMustGenerate | NodeHasVarArgs) \ 175 176 macro(GetByValWithThis, NodeResultJS | NodeMustGenerate) \ 176 177 macro(GetMyArgumentByVal, NodeResultJS | NodeMustGenerate) \ … … 220 221 macro(MultiPutByOffset, NodeMustGenerate) \ 221 222 macro(GetArrayLength, NodeResultInt32) \ 223 macro(GetArrayMask, NodeResultInt32) \ 222 224 macro(GetVectorLength, NodeResultInt32) \ 223 225 macro(GetTypedArrayByteOffset, NodeResultInt32) \ -
trunk/Source/JavaScriptCore/dfg/DFGObjectAllocationSinkingPhase.cpp
r227970 r228411 962 962 if (Node* value = heapResolve(location)) { 963 963 if (allocation->structures().isSubsetOf(validStructures)) 964 node->replaceWith( value);964 node->replaceWith(m_graph, value); 965 965 else { 966 966 Node* structure = heapResolve(PromotedHeapLocation(allocation->identifier(), StructurePLoc)); … … 1072 1072 1073 1073 case Check: 1074 case CheckVarargs: 1074 1075 m_graph.doToChildren( 1075 1076 node, … … 1104 1105 if (Node* value = heapResolve(PromotedHeapLocation(target->identifier(), exactRead))) { 1105 1106 ASSERT(!value->replacement()); 1106 node->replaceWith( value);1107 node->replaceWith(m_graph, value); 1107 1108 } 1108 1109 Node* identifier = target->get(exactRead); … … 1929 1930 1930 1931 default: 1931 node->remove( );1932 node->remove(m_graph); 1932 1933 break; 1933 1934 } -
trunk/Source/JavaScriptCore/dfg/DFGPredictionPropagationPhase.cpp
r227723 r228411 1066 1066 } 1067 1067 1068 case GetArrayMask: 1068 1069 case PutByValAlias: 1069 1070 case DoubleAsInt32: … … 1175 1176 case Phantom: 1176 1177 case Check: 1178 case CheckVarargs: 1177 1179 case PutGlobalVariable: 1178 1180 case CheckTraps: -
trunk/Source/JavaScriptCore/dfg/DFGPureValue.cpp
r172129 r228411 38 38 out.print("("); 39 39 CommaPrinter comma; 40 for (unsigned i = 0; i < AdjacencyList::Size; ++i) { 41 if (children().child(i)) 42 out.print(comma, children().child(i)); 40 if (defaultFlags(m_op) & NodeHasVarArgs) 41 out.print(comma, " VarArgs: firstChild=", m_children.firstChild(), " numChildren=", m_children.numChildren()); 42 else { 43 for (unsigned i = 0; i < AdjacencyList::Size; ++i) { 44 if (children().child(i)) 45 out.print(comma, children().child(i)); 46 } 43 47 } 44 48 if (m_info) -
trunk/Source/JavaScriptCore/dfg/DFGPureValue.h
r206525 r228411 42 42 PureValue(NodeType op, const AdjacencyList& children, uintptr_t info) 43 43 : m_op(op) 44 , m_children( children.sanitized())44 , m_children(defaultFlags(op) & NodeHasVarArgs ? children : children.sanitized()) 45 45 , m_info(info) 46 46 { 47 ASSERT(!(defaultFlags(op) & NodeHasVarArgs));48 47 } 49 48 -
trunk/Source/JavaScriptCore/dfg/DFGPutStackSinkingPhase.cpp
r228035 r228411 573 573 continue; 574 574 575 node->remove( );575 node->remove(m_graph); 576 576 } 577 577 } -
trunk/Source/JavaScriptCore/dfg/DFGSSAConversionPhase.cpp
r225893 r228411 350 350 variable->local(), variable->flushFormat())); 351 351 } else 352 node->remove( );352 node->remove(m_graph); 353 353 354 354 if (verbose) … … 368 368 node->children.reset(); 369 369 370 node->remove( );370 node->remove(m_graph); 371 371 if (verbose) 372 372 dataLog("Replacing node ", node, " with ", valueForOperand.operand(variable->local()), "\n"); … … 377 377 case Flush: { 378 378 node->children.reset(); 379 node->remove( );379 node->remove(m_graph); 380 380 break; 381 381 } … … 385 385 VariableAccessData* variable = node->variableAccessData(); 386 386 node->child1() = valueForOperand.operand(variable->local())->defaultEdge(); 387 node->remove( );387 node->remove(m_graph); 388 388 break; 389 389 } 390 390 391 391 case SetArgument: { 392 node->remove( );392 node->remove(m_graph); 393 393 break; 394 394 } -
trunk/Source/JavaScriptCore/dfg/DFGSSALoweringPhase.cpp
r217202 r228411 69 69 { 70 70 switch (m_node->op()) { 71 case GetByVal:72 71 case AtomicsAdd: 73 72 case AtomicsAnd: … … 82 81 lowerBoundsCheck(m_graph.child(m_node, 0), m_graph.child(m_node, 1), m_graph.child(m_node, 2)); 83 82 break; 83 84 case GetByVal: { 85 lowerBoundsCheck(m_graph.varArgChild(m_node, 0), m_graph.varArgChild(m_node, 1), m_graph.varArgChild(m_node, 2)); 86 auto insertGetMask = [&] () { 87 Node* mask = m_insertionSet.insertNode( 88 m_nodeIndex, SpecInt32Only, GetArrayMask, 89 m_node->origin, Edge(m_graph.varArgChild(m_node, 0).node(), ObjectUse)); 90 m_graph.varArgChild(m_node, 3) = Edge(mask, Int32Use); 91 }; 92 auto arrayMode = m_node->arrayMode(); 93 switch (arrayMode.type()) { 94 case Array::Int32: 95 case Array::Contiguous: 96 case Array::Double: 97 case Array::ArrayStorage: 98 case Array::SlowPutArrayStorage: 99 // FIXME: Also support this in the DFG: 100 // https://bugs.webkit.org/show_bug.cgi?id=182711 101 insertGetMask(); 102 break; 103 default: 104 // FIXME: Pass in GetArrayLength on GetByVal's over Scoped/Direct Arguments. 105 // https://bugs.webkit.org/show_bug.cgi?id=182714 106 if (arrayMode.isSomeTypedArrayView()) 107 insertGetMask(); 108 break; 109 } 110 break; 111 } 84 112 85 113 case PutByVal: -
trunk/Source/JavaScriptCore/dfg/DFGSafeToExecute.h
r227723 r228411 373 373 case ConstantStoragePointer: 374 374 case Check: 375 case CheckVarargs: 375 376 case MultiPutByOffset: 376 377 case ValueRep: … … 477 478 case StringCharAt: 478 479 case StringCharCodeAt: 479 return node->arrayMode().alreadyChecked(graph, node, state.forNode(node->child1())); 480 return node->arrayMode().alreadyChecked(graph, node, state.forNode(graph.child(node, 0))); 481 482 case GetArrayMask: 483 return state.forNode(node->child1()).isType(SpecObject); 480 484 481 485 case ArrayPush: -
trunk/Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp
r228035 r228411 72 72 : m_compileOkay(true) 73 73 , m_jit(jit) 74 , m_graph(m_jit.graph()) 74 75 , m_currentNode(0) 75 76 , m_lastGeneratedNode(LastNodeType) … … 2145 2146 void SpeculativeJIT::compileGetByValOnString(Node* node) 2146 2147 { 2147 SpeculateCellOperand base(this, node->child1());2148 SpeculateStrictInt32Operand property(this, node->child2());2149 StorageOperand storage(this, node->child3());2148 SpeculateCellOperand base(this, m_graph.child(node, 0)); 2149 SpeculateStrictInt32Operand property(this, m_graph.child(node, 1)); 2150 StorageOperand storage(this, m_graph.child(node, 2)); 2150 2151 GPRReg baseReg = base.gpr(); 2151 2152 GPRReg propertyReg = property.gpr(); … … 2164 2165 #endif 2165 2166 2166 ASSERT(ArrayMode(Array::String).alreadyChecked(m_jit.graph(), node, m_state.forNode( node->child1())));2167 ASSERT(ArrayMode(Array::String).alreadyChecked(m_jit.graph(), node, m_state.forNode(m_graph.child(node, 0)))); 2167 2168 2168 2169 // unsigned comparison so we can filter out negative indices and indices that are too large … … 2913 2914 ASSERT(isInt(type)); 2914 2915 2915 SpeculateCellOperand base(this, node->child1());2916 SpeculateStrictInt32Operand property(this, node->child2());2917 StorageOperand storage(this, node->child3());2916 SpeculateCellOperand base(this, m_graph.varArgChild(node, 0)); 2917 SpeculateStrictInt32Operand property(this, m_graph.varArgChild(node, 1)); 2918 StorageOperand storage(this, m_graph.varArgChild(node, 2)); 2918 2919 2919 2920 GPRReg baseReg = base.gpr(); … … 2924 2925 GPRReg resultReg = result.gpr(); 2925 2926 2926 ASSERT(node->arrayMode().alreadyChecked(m_jit.graph(), node, m_state.forNode( node->child1())));2927 ASSERT(node->arrayMode().alreadyChecked(m_jit.graph(), node, m_state.forNode(m_graph.varArgChild(node, 0)))); 2927 2928 2928 2929 emitTypedArrayBoundsCheck(node, baseReg, propertyReg); … … 3146 3147 ASSERT(isFloat(type)); 3147 3148 3148 SpeculateCellOperand base(this, node->child1());3149 SpeculateStrictInt32Operand property(this, node->child2());3150 StorageOperand storage(this, node->child3());3149 SpeculateCellOperand base(this, m_graph.varArgChild(node, 0)); 3150 SpeculateStrictInt32Operand property(this, m_graph.varArgChild(node, 1)); 3151 StorageOperand storage(this, m_graph.varArgChild(node, 2)); 3151 3152 3152 3153 GPRReg baseReg = base.gpr(); … … 3154 3155 GPRReg storageReg = storage.gpr(); 3155 3156 3156 ASSERT(node->arrayMode().alreadyChecked(m_jit.graph(), node, m_state.forNode( node->child1())));3157 ASSERT(node->arrayMode().alreadyChecked(m_jit.graph(), node, m_state.forNode(m_graph.varArgChild(node, 0)))); 3157 3158 3158 3159 FPRTemporary result(this); … … 3218 3219 void SpeculativeJIT::compileGetByValForObjectWithString(Node* node) 3219 3220 { 3220 SpeculateCellOperand arg1(this, node->child1());3221 SpeculateCellOperand arg2(this, node->child2());3221 SpeculateCellOperand arg1(this, m_graph.varArgChild(node, 0)); 3222 SpeculateCellOperand arg2(this, m_graph.varArgChild(node, 1)); 3222 3223 3223 3224 GPRReg arg1GPR = arg1.gpr(); 3224 3225 GPRReg arg2GPR = arg2.gpr(); 3225 3226 3226 speculateObject( node->child1(), arg1GPR);3227 speculateString( node->child2(), arg2GPR);3227 speculateObject(m_graph.varArgChild(node, 0), arg1GPR); 3228 speculateString(m_graph.varArgChild(node, 1), arg2GPR); 3228 3229 3229 3230 flushRegisters(); … … 3238 3239 void SpeculativeJIT::compileGetByValForObjectWithSymbol(Node* node) 3239 3240 { 3240 SpeculateCellOperand arg1(this, node->child1());3241 SpeculateCellOperand arg2(this, node->child2());3241 SpeculateCellOperand arg1(this, m_graph.varArgChild(node, 0)); 3242 SpeculateCellOperand arg2(this, m_graph.varArgChild(node, 1)); 3242 3243 3243 3244 GPRReg arg1GPR = arg1.gpr(); 3244 3245 GPRReg arg2GPR = arg2.gpr(); 3245 3246 3246 speculateObject( node->child1(), arg1GPR);3247 speculateSymbol( node->child2(), arg2GPR);3247 speculateObject(m_graph.varArgChild(node, 0), arg1GPR); 3248 speculateSymbol(m_graph.varArgChild(node, 1), arg2GPR); 3248 3249 3249 3250 flushRegisters(); … … 6432 6433 void SpeculativeJIT::compileGetByValOnDirectArguments(Node* node) 6433 6434 { 6434 SpeculateCellOperand base(this, node->child1());6435 SpeculateStrictInt32Operand property(this, node->child2());6435 SpeculateCellOperand base(this, m_graph.varArgChild(node, 0)); 6436 SpeculateStrictInt32Operand property(this, m_graph.varArgChild(node, 1)); 6436 6437 GPRTemporary result(this); 6437 6438 #if USE(JSVALUE32_64) … … 6454 6455 return; 6455 6456 6456 ASSERT(ArrayMode(Array::DirectArguments).alreadyChecked(m_jit.graph(), node, m_state.forNode( node->child1())));6457 ASSERT(ArrayMode(Array::DirectArguments).alreadyChecked(m_jit.graph(), node, m_state.forNode(m_graph.varArgChild(node, 0)))); 6457 6458 6458 6459 speculationCheck( … … 6489 6490 void SpeculativeJIT::compileGetByValOnScopedArguments(Node* node) 6490 6491 { 6491 SpeculateCellOperand base(this, node->child1());6492 SpeculateStrictInt32Operand property(this, node->child2());6492 SpeculateCellOperand base(this, m_graph.varArgChild(node, 0)); 6493 SpeculateStrictInt32Operand property(this, m_graph.varArgChild(node, 1)); 6493 6494 GPRTemporary result(this); 6494 6495 #if USE(JSVALUE32_64) … … 6513 6514 return; 6514 6515 6515 ASSERT(ArrayMode(Array::ScopedArguments).alreadyChecked(m_jit.graph(), node, m_state.forNode( node->child1())));6516 ASSERT(ArrayMode(Array::ScopedArguments).alreadyChecked(m_jit.graph(), node, m_state.forNode(m_graph.varArgChild(node, 0)))); 6516 6517 6517 6518 speculationCheck( -
trunk/Source/JavaScriptCore/dfg/DFGSpeculativeJIT.h
r227723 r228411 3352 3352 // The JIT, while also provides MacroAssembler functionality. 3353 3353 JITCompiler& m_jit; 3354 Graph& m_graph; 3354 3355 3355 3356 // The current node being generated. -
trunk/Source/JavaScriptCore/dfg/DFGSpeculativeJIT32_64.cpp
r227723 r228411 2551 2551 break; 2552 2552 case Array::Undecided: { 2553 SpeculateStrictInt32Operand index(this, node->child2());2553 SpeculateStrictInt32Operand index(this, m_graph.varArgChild(node, 1)); 2554 2554 GPRTemporary resultTag(this, Reuse, index); 2555 2555 GPRTemporary resultPayload(this); … … 2562 2562 m_jit.branch32(MacroAssembler::LessThan, indexGPR, MacroAssembler::TrustedImm32(0))); 2563 2563 2564 use( node->child1());2564 use(m_graph.varArgChild(node, 0)); 2565 2565 index.use(); 2566 2566 … … 2571 2571 } 2572 2572 case Array::Generic: { 2573 if ( node->child1().useKind() == ObjectUse) {2574 if ( node->child2().useKind() == StringUse) {2573 if (m_graph.varArgChild(node, 0).useKind() == ObjectUse) { 2574 if (m_graph.varArgChild(node, 1).useKind() == StringUse) { 2575 2575 compileGetByValForObjectWithString(node); 2576 2576 break; … … 2583 2583 } 2584 2584 2585 SpeculateCellOperand base(this, node->child1()); // Save a register, speculate cell. We'll probably be right.2586 JSValueOperand property(this, node->child2());2585 SpeculateCellOperand base(this, m_graph.varArgChild(node, 0)); // Save a register, speculate cell. We'll probably be right. 2586 JSValueOperand property(this, m_graph.varArgChild(node, 1)); 2587 2587 GPRReg baseGPR = base.gpr(); 2588 2588 JSValueRegs propertyRegs = property.jsValueRegs(); … … 2600 2600 case Array::Contiguous: { 2601 2601 if (node->arrayMode().isInBounds()) { 2602 SpeculateStrictInt32Operand property(this, node->child2());2603 StorageOperand storage(this, node->child3());2602 SpeculateStrictInt32Operand property(this, m_graph.varArgChild(node, 1)); 2603 StorageOperand storage(this, m_graph.varArgChild(node, 2)); 2604 2604 2605 2605 GPRReg propertyReg = property.gpr(); … … 2657 2657 } 2658 2658 2659 SpeculateCellOperand base(this, node->child1());2660 SpeculateStrictInt32Operand property(this, node->child2());2661 StorageOperand storage(this, node->child3());2659 SpeculateCellOperand base(this, m_graph.varArgChild(node, 0)); 2660 SpeculateStrictInt32Operand property(this, m_graph.varArgChild(node, 1)); 2661 StorageOperand storage(this, m_graph.varArgChild(node, 2)); 2662 2662 2663 2663 GPRReg baseReg = base.gpr(); … … 2691 2691 case Array::Double: { 2692 2692 if (node->arrayMode().isInBounds()) { 2693 SpeculateStrictInt32Operand property(this, node->child2());2694 StorageOperand storage(this, node->child3());2693 SpeculateStrictInt32Operand property(this, m_graph.varArgChild(node, 1)); 2694 StorageOperand storage(this, m_graph.varArgChild(node, 2)); 2695 2695 2696 2696 GPRReg propertyReg = property.gpr(); … … 2710 2710 } 2711 2711 2712 SpeculateCellOperand base(this, node->child1());2713 SpeculateStrictInt32Operand property(this, node->child2());2714 StorageOperand storage(this, node->child3());2712 SpeculateCellOperand base(this, m_graph.varArgChild(node, 0)); 2713 SpeculateStrictInt32Operand property(this, m_graph.varArgChild(node, 1)); 2714 StorageOperand storage(this, m_graph.varArgChild(node, 2)); 2715 2715 2716 2716 GPRReg baseReg = base.gpr(); … … 2747 2747 case Array::SlowPutArrayStorage: { 2748 2748 if (node->arrayMode().isInBounds()) { 2749 SpeculateStrictInt32Operand property(this, node->child2());2750 StorageOperand storage(this, node->child3());2749 SpeculateStrictInt32Operand property(this, m_graph.varArgChild(node, 1)); 2750 StorageOperand storage(this, m_graph.varArgChild(node, 2)); 2751 2751 GPRReg propertyReg = property.gpr(); 2752 2752 GPRReg storageReg = storage.gpr(); … … 2768 2768 } 2769 2769 2770 SpeculateCellOperand base(this, node->child1());2771 SpeculateStrictInt32Operand property(this, node->child2());2772 StorageOperand storage(this, node->child3());2770 SpeculateCellOperand base(this, m_graph.varArgChild(node, 0)); 2771 SpeculateStrictInt32Operand property(this, m_graph.varArgChild(node, 1)); 2772 StorageOperand storage(this, m_graph.varArgChild(node, 2)); 2773 2773 GPRReg propertyReg = property.gpr(); 2774 2774 GPRReg storageReg = storage.gpr(); … … 5084 5084 case Phantom: 5085 5085 case Check: 5086 case CheckVarargs: 5086 5087 DFG_NODE_DO_TO_CHILDREN(m_jit.graph(), node, speculate); 5087 5088 noResult(node); … … 5206 5207 case CPUIntrinsic: 5207 5208 case AssertNotEmpty: 5209 case GetArrayMask: 5208 5210 DFG_CRASH(m_jit.graph(), node, "unexpected node in DFG backend"); 5209 5211 break; -
trunk/Source/JavaScriptCore/dfg/DFGSpeculativeJIT64.cpp
r228035 r228411 2689 2689 break; 2690 2690 case Array::Undecided: { 2691 SpeculateStrictInt32Operand index(this, node->child2());2691 SpeculateStrictInt32Operand index(this, m_graph.varArgChild(node, 1)); 2692 2692 GPRTemporary result(this, Reuse, index); 2693 2693 GPRReg indexGPR = index.gpr(); … … 2697 2697 m_jit.branch32(MacroAssembler::LessThan, indexGPR, MacroAssembler::TrustedImm32(0))); 2698 2698 2699 use( node->child1());2699 use(m_graph.varArgChild(node, 0)); 2700 2700 index.use(); 2701 2701 … … 2705 2705 } 2706 2706 case Array::Generic: { 2707 if ( node->child1().useKind() == ObjectUse) {2708 if ( node->child2().useKind() == StringUse) {2707 if (m_graph.varArgChild(node, 0).useKind() == ObjectUse) { 2708 if (m_graph.varArgChild(node, 1).useKind() == StringUse) { 2709 2709 compileGetByValForObjectWithString(node); 2710 2710 break; 2711 2711 } 2712 2712 2713 if ( node->child2().useKind() == SymbolUse) {2713 if (m_graph.varArgChild(node, 1).useKind() == SymbolUse) { 2714 2714 compileGetByValForObjectWithSymbol(node); 2715 2715 break; 2716 2716 } 2717 2717 } 2718 JSValueOperand base(this, node->child1());2719 JSValueOperand property(this, node->child2());2718 JSValueOperand base(this, m_graph.varArgChild(node, 0)); 2719 JSValueOperand property(this, m_graph.varArgChild(node, 1)); 2720 2720 GPRReg baseGPR = base.gpr(); 2721 2721 GPRReg propertyGPR = property.gpr(); … … 2732 2732 case Array::Contiguous: { 2733 2733 if (node->arrayMode().isInBounds()) { 2734 SpeculateCellOperand base(this, node->child1());2735 SpeculateStrictInt32Operand property(this, node->child2());2736 StorageOperand storage(this, node->child3());2734 SpeculateCellOperand base(this, m_graph.varArgChild(node, 0)); 2735 SpeculateStrictInt32Operand property(this, m_graph.varArgChild(node, 1)); 2736 StorageOperand storage(this, m_graph.varArgChild(node, 2)); 2737 2737 2738 2738 GPRReg baseReg = base.gpr(); … … 2765 2765 } 2766 2766 2767 SpeculateCellOperand base(this, node->child1());2768 SpeculateStrictInt32Operand property(this, node->child2());2769 StorageOperand storage(this, node->child3());2767 SpeculateCellOperand base(this, m_graph.varArgChild(node, 0)); 2768 SpeculateStrictInt32Operand property(this, m_graph.varArgChild(node, 1)); 2769 StorageOperand storage(this, m_graph.varArgChild(node, 2)); 2770 2770 2771 2771 GPRReg baseReg = base.gpr(); … … 2799 2799 case Array::Double: { 2800 2800 if (node->arrayMode().isInBounds()) { 2801 SpeculateCellOperand base(this, node->child1());2802 SpeculateStrictInt32Operand property(this, node->child2());2803 StorageOperand storage(this, node->child3());2801 SpeculateCellOperand base(this, m_graph.varArgChild(node, 0)); 2802 SpeculateStrictInt32Operand property(this, m_graph.varArgChild(node, 1)); 2803 StorageOperand storage(this, m_graph.varArgChild(node, 2)); 2804 2804 2805 2805 GPRReg baseReg = base.gpr(); … … 2824 2824 } 2825 2825 2826 SpeculateCellOperand base(this, node->child1());2827 SpeculateStrictInt32Operand property(this, node->child2());2828 StorageOperand storage(this, node->child3());2826 SpeculateCellOperand base(this, m_graph.varArgChild(node, 0)); 2827 SpeculateStrictInt32Operand property(this, m_graph.varArgChild(node, 1)); 2828 StorageOperand storage(this, m_graph.varArgChild(node, 2)); 2829 2829 2830 2830 GPRReg baseReg = base.gpr(); … … 2862 2862 case Array::SlowPutArrayStorage: { 2863 2863 if (node->arrayMode().isInBounds()) { 2864 SpeculateStrictInt32Operand property(this, node->child2());2865 StorageOperand storage(this, node->child3());2864 SpeculateStrictInt32Operand property(this, m_graph.varArgChild(node, 1)); 2865 StorageOperand storage(this, m_graph.varArgChild(node, 2)); 2866 2866 2867 2867 GPRReg propertyReg = property.gpr(); … … 2881 2881 } 2882 2882 2883 SpeculateCellOperand base(this, node->child1());2884 SpeculateStrictInt32Operand property(this, node->child2());2885 StorageOperand storage(this, node->child3());2883 SpeculateCellOperand base(this, m_graph.varArgChild(node, 0)); 2884 SpeculateStrictInt32Operand property(this, m_graph.varArgChild(node, 1)); 2885 StorageOperand storage(this, m_graph.varArgChild(node, 2)); 2886 2886 2887 2887 GPRReg baseReg = base.gpr(); … … 5263 5263 case Phantom: 5264 5264 case Check: 5265 case CheckVarargs: 5265 5266 DFG_NODE_DO_TO_CHILDREN(m_jit.graph(), node, speculate); 5266 5267 noResult(node); … … 5693 5694 case IdentityWithProfile: 5694 5695 case CPUIntrinsic: 5696 case GetArrayMask: 5695 5697 DFG_CRASH(m_jit.graph(), node, "Unexpected node"); 5696 5698 break; -
trunk/Source/JavaScriptCore/dfg/DFGStoreBarrierClusteringPhase.cpp
r228035 r228411 121 121 NodeOrigin origin = node->origin; 122 122 m_neededBarriers.append(ChildAndOrigin(node->child1().node(), origin.semantic)); 123 node->remove( );123 node->remove(m_graph); 124 124 125 125 if (!m_barrierPoints[nodeIndex]) -
trunk/Source/JavaScriptCore/dfg/DFGValidate.cpp
r227107 r228411 753 753 754 754 case Check: 755 case CheckVarargs: 755 756 // FIXME: This is probably not correct. 756 757 break; -
trunk/Source/JavaScriptCore/dfg/DFGVarargsForwardingPhase.cpp
r221954 r228411 107 107 break; 108 108 109 case CheckVarargs: 109 110 case Check: { 110 111 bool sawEscape = false; … … 265 266 switch (node->op()) { 266 267 case Check: 268 case CheckVarargs: 267 269 case MovHint: 268 270 case PutHint: -
trunk/Source/JavaScriptCore/ftl/FTLCapabilities.cpp
r227723 r228411 174 174 case ConstantStoragePointer: 175 175 case Check: 176 case CheckVarargs: 176 177 case CountExecution: 177 178 case SuperSamplerBegin: … … 330 331 case InitializeEntrypointArguments: 331 332 case CPUIntrinsic: 333 case GetArrayMask: 332 334 // These are OK. 333 335 break; -
trunk/Source/JavaScriptCore/ftl/FTLLowerDFGToB3.cpp
r228035 r228411 571 571 break; 572 572 case DFG::Check: 573 case CheckVarargs: 573 574 compileNoOp(); 574 575 break; … … 746 747 case GetArrayLength: 747 748 compileGetArrayLength(); 749 break; 750 case GetArrayMask: 751 compileGetArrayMask(); 748 752 break; 749 753 case GetVectorLength: … … 3623 3627 } 3624 3628 3629 void compileGetArrayMask() 3630 { 3631 setInt32(m_out.load32NonNegative(lowObject(m_node->child1()), m_heaps.JSObject_butterflyMask)); 3632 } 3633 3625 3634 void compileGetArrayLength() 3626 3635 { … … 3694 3703 case Array::Int32: 3695 3704 case Array::Contiguous: { 3696 LValue index = lowInt32(m_ node->child2());3697 LValue storage = lowStorage(m_ node->child3());3705 LValue index = lowInt32(m_graph.varArgChild(m_node, 1)); 3706 LValue storage = lowStorage(m_graph.varArgChild(m_node, 2)); 3698 3707 3699 3708 IndexedAbstractHeap& heap = m_node->arrayMode().type() == Array::Int32 ? 3700 3709 m_heaps.indexedInt32Properties : m_heaps.indexedContiguousProperties; 3701 3710 3702 LValue base = lowCell(m_node->child1()); 3711 LValue base = lowCell(m_graph.varArgChild(m_node, 0)); 3712 LValue mask = lowInt32(m_graph.varArgChild(m_node, 3)); 3703 3713 3704 3714 if (m_node->arrayMode().isInBounds()) { 3705 LValue result = m_out.load64(maskedIndex(heap, storage, index, base, m_node->child2()));3715 LValue result = m_out.load64(maskedIndex(heap, storage, index, mask, m_graph.varArgChild(m_node, 1))); 3706 3716 LValue isHole = m_out.isZero64(result); 3707 3717 if (m_node->arrayMode().isSaneChain()) { … … 3727 3737 LBasicBlock lastNext = m_out.appendTo(fastCase, slowCase); 3728 3738 3729 LValue fastResultValue = m_out.load64(maskedIndex(heap, storage, index, base, m_node->child2()));3739 LValue fastResultValue = m_out.load64(maskedIndex(heap, storage, index, mask, m_graph.varArgChild(m_node, 1))); 3730 3740 ValueFromBlock fastResult = m_out.anchor(fastResultValue); 3731 3741 m_out.branch( … … 3743 3753 3744 3754 case Array::Double: { 3745 LValue base = lowCell(m_node->child1()); 3746 LValue index = lowInt32(m_node->child2()); 3747 LValue storage = lowStorage(m_node->child3()); 3755 LValue base = lowCell(m_graph.varArgChild(m_node, 0)); 3756 LValue index = lowInt32(m_graph.varArgChild(m_node, 1)); 3757 LValue storage = lowStorage(m_graph.varArgChild(m_node, 2)); 3758 LValue mask = lowInt32(m_graph.varArgChild(m_node, 3)); 3748 3759 3749 3760 IndexedAbstractHeap& heap = m_heaps.indexedDoubleProperties; … … 3751 3762 if (m_node->arrayMode().isInBounds()) { 3752 3763 LValue result = m_out.loadDouble( 3753 maskedIndex(heap, storage, index, base, m_node->child2()));3764 maskedIndex(heap, storage, index, mask, m_graph.varArgChild(m_node, 1))); 3754 3765 3755 3766 if (!m_node->arrayMode().isSaneChain()) { … … 3774 3785 LBasicBlock lastNext = m_out.appendTo(inBounds, boxPath); 3775 3786 LValue doubleValue = m_out.loadDouble( 3776 maskedIndex(heap, storage, index, base, m_node->child2()));3787 maskedIndex(heap, storage, index, mask, m_graph.varArgChild(m_node, 1))); 3777 3788 m_out.branch( 3778 3789 m_out.doubleNotEqualOrUnordered(doubleValue, doubleValue), … … 3794 3805 3795 3806 case Array::Undecided: { 3796 LValue index = lowInt32(m_ node->child2());3807 LValue index = lowInt32(m_graph.varArgChild(m_node, 1)); 3797 3808 3798 3809 speculate(OutOfBounds, noValue(), m_node, m_out.lessThan(index, m_out.int32Zero)); … … 3802 3813 3803 3814 case Array::DirectArguments: { 3804 LValue base = lowCell(m_ node->child1());3805 LValue index = lowInt32(m_ node->child2());3815 LValue base = lowCell(m_graph.varArgChild(m_node, 0)); 3816 LValue index = lowInt32(m_graph.varArgChild(m_node, 1)); 3806 3817 3807 3818 speculate( … … 3845 3856 3846 3857 case Array::ScopedArguments: { 3847 LValue base = lowCell(m_ node->child1());3848 LValue index = lowInt32(m_ node->child2());3858 LValue base = lowCell(m_graph.varArgChild(m_node, 0)); 3859 LValue index = lowInt32(m_graph.varArgChild(m_node, 1)); 3849 3860 3850 3861 speculate( … … 3898 3909 3899 3910 case Array::Generic: { 3900 if (m_ node->child1().useKind() == ObjectUse) {3901 if (m_ node->child2().useKind() == StringUse) {3911 if (m_graph.varArgChild(m_node, 0).useKind() == ObjectUse) { 3912 if (m_graph.varArgChild(m_node, 1).useKind() == StringUse) { 3902 3913 setJSValue(vmCall( 3903 3914 Int64, m_out.operation(operationGetByValObjectString), m_callFrame, 3904 lowObject(m_ node->child1()), lowString(m_node->child2())));3915 lowObject(m_graph.varArgChild(m_node, 0)), lowString(m_graph.varArgChild(m_node, 1)))); 3905 3916 return; 3906 3917 } 3907 3918 3908 if (m_ node->child2().useKind() == SymbolUse) {3919 if (m_graph.varArgChild(m_node, 1).useKind() == SymbolUse) { 3909 3920 setJSValue(vmCall( 3910 3921 Int64, m_out.operation(operationGetByValObjectSymbol), m_callFrame, 3911 lowObject(m_ node->child1()), lowSymbol(m_node->child2())));3922 lowObject(m_graph.varArgChild(m_node, 0)), lowSymbol(m_graph.varArgChild(m_node, 1)))); 3912 3923 return; 3913 3924 } … … 3915 3926 setJSValue(vmCall( 3916 3927 Int64, m_out.operation(operationGetByVal), m_callFrame, 3917 lowJSValue(m_ node->child1()), lowJSValue(m_node->child2())));3928 lowJSValue(m_graph.varArgChild(m_node, 0)), lowJSValue(m_graph.varArgChild(m_node, 1)))); 3918 3929 return; 3919 3930 } … … 3921 3932 case Array::ArrayStorage: 3922 3933 case Array::SlowPutArrayStorage: { 3923 LValue base = lowCell(m_node->child1()); 3924 LValue index = lowInt32(m_node->child2()); 3925 LValue storage = lowStorage(m_node->child3()); 3934 LValue base = lowCell(m_graph.varArgChild(m_node, 0)); 3935 LValue index = lowInt32(m_graph.varArgChild(m_node, 1)); 3936 LValue storage = lowStorage(m_graph.varArgChild(m_node, 2)); 3937 LValue mask = lowInt32(m_graph.varArgChild(m_node, 3)); 3926 3938 3927 3939 IndexedAbstractHeap& heap = m_heaps.ArrayStorage_vector; 3928 3940 3929 3941 if (m_node->arrayMode().isInBounds()) { 3930 LValue result = m_out.load64(maskedIndex(heap, storage, index, base, m_node->child2()));3942 LValue result = m_out.load64(maskedIndex(heap, storage, index, mask, m_graph.varArgChild(m_node, 1))); 3931 3943 speculate(LoadFromHole, noValue(), 0, m_out.isZero64(result)); 3932 3944 setJSValue(result); … … 3943 3955 3944 3956 LBasicBlock lastNext = m_out.appendTo(inBounds, slowCase); 3945 LValue result = m_out.load64(maskedIndex(heap, storage, index, base, m_node->child2()));3957 LValue result = m_out.load64(maskedIndex(heap, storage, index, mask, m_graph.varArgChild(m_node, 1))); 3946 3958 ValueFromBlock fastResult = m_out.anchor(result); 3947 3959 m_out.branch( … … 3965 3977 3966 3978 default: { 3967 LValue base = lowCell(m_node->child1()); 3968 LValue index = lowInt32(m_node->child2()); 3969 LValue storage = lowStorage(m_node->child3()); 3979 LValue base = lowCell(m_graph.varArgChild(m_node, 0)); 3980 LValue index = lowInt32(m_graph.varArgChild(m_node, 1)); 3981 LValue storage = lowStorage(m_graph.varArgChild(m_node, 2)); 3982 LValue mask = lowInt32(m_graph.varArgChild(m_node, 3)); 3970 3983 3971 3984 TypedArrayType type = m_node->arrayMode().typedArrayType(); 3972 3985 3973 3986 if (isTypedView(type)) { 3974 TypedPointer pointer = pointerIntoTypedArray(base, storage, index, type );3987 TypedPointer pointer = pointerIntoTypedArray(base, storage, index, type, mask); 3975 3988 3976 3989 if (isInt(type)) { … … 5967 5980 void compileStringCharAt() 5968 5981 { 5969 LValue base = lowCell(m_ node->child1());5970 LValue index = lowInt32(m_ node->child2());5971 LValue storage = lowStorage(m_ node->child3());5982 LValue base = lowCell(m_graph.child(m_node, 0)); 5983 LValue index = lowInt32(m_graph.child(m_node, 1)); 5984 LValue storage = lowStorage(m_graph.child(m_node, 2)); 5972 5985 5973 5986 LBasicBlock fastPath = m_out.newBlock(); … … 6003 6016 m_out.load8ZeroExt32(m_out.baseIndex( 6004 6017 m_heaps.characters8, storage, m_out.zeroExtPtr(indexForAccess), 6005 provenValue(m_ node->child2()))));6018 provenValue(m_graph.child(m_node, 1))))); 6006 6019 m_out.jump(bitsContinuation); 6007 6020 … … 6011 6024 m_out.baseIndex( 6012 6025 m_heaps.characters16, storage, m_out.zeroExtPtr(indexForAccess), 6013 provenValue(m_ node->child2())));6026 provenValue(m_graph.child(m_node, 1)))); 6014 6027 ValueFromBlock char16Bit = m_out.anchor(char16BitValue); 6015 6028 m_out.branch( … … 11195 11208 } 11196 11209 11197 TypedPointer maskedIndex(IndexedAbstractHeap& heap, LValue storage, LValue index, LValue baseObject, Edge edge, ptrdiff_t offset = 0)11210 TypedPointer maskedIndex(IndexedAbstractHeap& heap, LValue storage, LValue index, LValue mask, Edge edge, ptrdiff_t offset = 0) 11198 11211 { 11199 11212 if (m_indexMaskingMode == IndexMaskingDisabled) 11200 11213 return baseIndex(heap, storage, index, edge, offset); 11201 11214 11202 LValue mask = m_out.zeroExtPtr(m_out.load32(baseObject, m_heaps.JSObject_butterflyMask));11203 11215 return m_out.baseIndex( 11204 heap, storage, m_out.zeroExtPtr(index), provenValue(edge), offset, m ask);11216 heap, storage, m_out.zeroExtPtr(index), provenValue(edge), offset, m_out.zeroExtPtr(mask)); 11205 11217 } 11206 11218 … … 13279 13291 } 13280 13292 13281 TypedPointer pointerIntoTypedArray(LValue base, LValue storage, LValue index, TypedArrayType type) 13282 { 13283 if (m_indexMaskingMode == IndexMaskingEnabled) 13284 index = m_out.bitAnd(index, m_out.load32(base, m_heaps.JSObject_butterflyMask)); 13293 TypedPointer pointerIntoTypedArray(LValue base, LValue storage, LValue index, TypedArrayType type, LValue mask = nullptr) 13294 { 13295 if (m_indexMaskingMode == IndexMaskingEnabled) { 13296 if (!mask) 13297 mask = m_out.load32(base, m_heaps.JSObject_butterflyMask); 13298 index = m_out.bitAnd(index, mask); 13299 } 13285 13300 LValue offset = m_out.shl(m_out.zeroExtPtr(index), m_out.constIntPtr(logElementSize(type))); 13286 13301
Note: See TracChangeset
for help on using the changeset viewer.
