Changeset 193781 in webkit

Timestamp:

Dec 8, 2015, 1:44:12 PM (9 years ago)

Author:

mark.lam@apple.com

Message:

Polymorphic operand types for DFG and FTL div.
​https://bugs.webkit.org/show_bug.cgi?id=151747

Reviewed by Geoffrey Garen.

Source/JavaScriptCore:

Perf on benchmarks is neutral. The new JSRegress ftl-object-div test shows
a speed up not from the div operator itself, but from the fact that the
polymorphic operand types support now allow the test function to run without OSR
exiting, thereby realizing the DFG and FTL's speed up on other work that the test
function does.

This patch has passed the layout tests on x86_64 with a debug build.
It passed the JSC tests with x86 and x86_64 debug builds.

• dfg/DFGAbstractInterpreterInlines.h:

(JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):

• dfg/DFGClobberize.h:

(JSC::DFG::clobberize):

• dfg/DFGFixupPhase.cpp:

(JSC::DFG::FixupPhase::fixupNode):

• dfg/DFGOperations.cpp:
• dfg/DFGOperations.h:
• dfg/DFGPredictionPropagationPhase.cpp:

(JSC::DFG::PredictionPropagationPhase::propagate):

• dfg/DFGSpeculativeJIT.cpp:

(JSC::DFG::SpeculativeJIT::compileArithDiv):

• ftl/FTLCompileBinaryOp.cpp:

(JSC::FTL::generateBinaryArithOpFastPath):
(JSC::FTL::generateBinaryOpFastPath):

• ftl/FTLInlineCacheDescriptor.h:
• ftl/FTLInlineCacheDescriptorInlines.h:

(JSC::FTL::ArithDivDescriptor::ArithDivDescriptor):
(JSC::FTL::ArithDivDescriptor::icSize):

• ftl/FTLInlineCacheSize.cpp:

(JSC::FTL::sizeOfArithDiv):

• ftl/FTLInlineCacheSize.h:

• ftl/FTLLowerDFGToLLVM.cpp:

(JSC::FTL::DFG::LowerDFGToLLVM::lower):
(JSC::FTL::DFG::LowerDFGToLLVM::compileArithMul):

• Fixed a cut-paste bug where the op_mul IC was using the op_sub IC size. This bug is benign because the op_sub IC size turns out to be larger than op_mul needs.

(JSC::FTL::DFG::LowerDFGToLLVM::compileArithDiv):

• jit/JITArithmetic.cpp:

(JSC::JIT::emit_op_div):

• Fixed a bug where the scratchFPR was not allocated for the 64bit port. This bug is benign because the scratchFPR is only needed if we are using scratchGPR register (used for branchConvertDoubleToInt32()) is

  X86Registers::r8. Since we're always using regT2 for the scratchT2,

  the scratchFPR is never needed. However, we should fix this anyway to be correct.

• tests/stress/op_div.js:
• Fixed some test values.

LayoutTests:

• js/regress/ftl-object-div-expected.txt: Added.
• js/regress/ftl-object-div.html: Added.
• js/regress/script-tests/ftl-object-div.js: Added.

(o1.valueOf):
(foo):

Location:

trunk

Files:

• LayoutTests/ChangeLog (modified) (1 diff)
• LayoutTests/js/regress/ftl-object-div-expected.txt (added)
• LayoutTests/js/regress/ftl-object-div.html (added)
• LayoutTests/js/regress/script-tests/ftl-object-div.js (added)
• Source/JavaScriptCore/ChangeLog (modified) (1 diff)
• Source/JavaScriptCore/dfg/DFGAbstractInterpreterInlines.h (modified) (1 diff)
• Source/JavaScriptCore/dfg/DFGClobberize.h (modified) (2 diffs)
• Source/JavaScriptCore/dfg/DFGFixupPhase.cpp (modified) (3 diffs)
• Source/JavaScriptCore/dfg/DFGOperations.cpp (modified) (1 diff)
• Source/JavaScriptCore/dfg/DFGOperations.h (modified) (1 diff)
• Source/JavaScriptCore/dfg/DFGPredictionPropagationPhase.cpp (modified) (1 diff)
• Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp (modified) (2 diffs)
• Source/JavaScriptCore/ftl/FTLCompileBinaryOp.cpp (modified) (4 diffs)
• Source/JavaScriptCore/ftl/FTLInlineCacheDescriptor.h (modified) (1 diff)
• Source/JavaScriptCore/ftl/FTLInlineCacheDescriptorInlines.h (modified) (1 diff)
• Source/JavaScriptCore/ftl/FTLInlineCacheSize.cpp (modified) (1 diff)
• Source/JavaScriptCore/ftl/FTLInlineCacheSize.h (modified) (1 diff)
• Source/JavaScriptCore/ftl/FTLLowerDFGToLLVM.cpp (modified) (3 diffs)
• Source/JavaScriptCore/jit/JITArithmetic.cpp (modified) (2 diffs)
• Source/JavaScriptCore/tests/stress/op_div.js (modified) (2 diffs)

trunk/LayoutTests/ChangeLog ¶

@@ +1 @@
+2015-12-08  Mark Lam  <mark.lam@apple.com>
+
+        Polymorphic operand types for DFG and FTL div.
+        https://bugs.webkit.org/show_bug.cgi?id=151747
+
+        Reviewed by Geoffrey Garen.
+
+        * js/regress/ftl-object-div-expected.txt: Added.
+        * js/regress/ftl-object-div.html: Added.
+        * js/regress/script-tests/ftl-object-div.js: Added.
+        (o1.valueOf):
+        (foo):
+
 2015-12-08  Zalan Bujtas  <zalan@apple.com>
 

trunk/Source/JavaScriptCore/ChangeLog ¶

@@ +1 @@
+2015-12-08  Mark Lam  <mark.lam@apple.com>
+
+        Polymorphic operand types for DFG and FTL div.
+        https://bugs.webkit.org/show_bug.cgi?id=151747
+
+        Reviewed by Geoffrey Garen.
+
+        Perf on benchmarks is neutral.  The new JSRegress ftl-object-div test shows
+        a speed up not from the div operator itself, but from the fact that the
+        polymorphic operand types support now allow the test function to run without OSR
+        exiting, thereby realizing the DFG and FTL's speed up on other work that the test
+        function does.
+
+        This patch has passed the layout tests on x86_64 with a debug build.
+        It passed the JSC tests with x86 and x86_64 debug builds.
+
+        * dfg/DFGAbstractInterpreterInlines.h:
+        (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
+        * dfg/DFGClobberize.h:
+        (JSC::DFG::clobberize):
+        * dfg/DFGFixupPhase.cpp:
+        (JSC::DFG::FixupPhase::fixupNode):
+        * dfg/DFGOperations.cpp:
+        * dfg/DFGOperations.h:
+        * dfg/DFGPredictionPropagationPhase.cpp:
+        (JSC::DFG::PredictionPropagationPhase::propagate):
+
+        * dfg/DFGSpeculativeJIT.cpp:
+        (JSC::DFG::SpeculativeJIT::compileArithDiv):
+
+        * ftl/FTLCompileBinaryOp.cpp:
+        (JSC::FTL::generateBinaryArithOpFastPath):
+        (JSC::FTL::generateBinaryOpFastPath):
+
+        * ftl/FTLInlineCacheDescriptor.h:
+        * ftl/FTLInlineCacheDescriptorInlines.h:
+        (JSC::FTL::ArithDivDescriptor::ArithDivDescriptor):
+        (JSC::FTL::ArithDivDescriptor::icSize):
+
+        * ftl/FTLInlineCacheSize.cpp:
+        (JSC::FTL::sizeOfArithDiv):
+        * ftl/FTLInlineCacheSize.h:
+
+        * ftl/FTLLowerDFGToLLVM.cpp:
+        (JSC::FTL::DFG::LowerDFGToLLVM::lower):
+        (JSC::FTL::DFG::LowerDFGToLLVM::compileArithMul):
+        - Fixed a cut-paste bug where the op_mul IC was using the op_sub IC size.
+          This bug is benign because the op_sub IC size turns out to be larger
+          than op_mul needs.
+        (JSC::FTL::DFG::LowerDFGToLLVM::compileArithDiv):
+
+        * jit/JITArithmetic.cpp:
+        (JSC::JIT::emit_op_div):
+        - Fixed a bug where the scratchFPR was not allocated for the 64bit port.
+          This bug is benign because the scratchFPR is only needed if we are
+          using scratchGPR register (used for branchConvertDoubleToInt32()) is
+          >= X86Registers::r8.  Since we're always using regT2 for the scratchT2,
+          the scratchFPR is never needed.   However, we should fix this anyway to
+          be correct.
+
+        * tests/stress/op_div.js:
+        - Fixed some test values.
+
 2015-12-05 Aleksandr Skachkov   <gskachkov@gmail.com>
 

trunk/Source/JavaScriptCore/dfg/DFGAbstractInterpreterInlines.h ¶

@@ -673 +673 @@
                 typeOfDoubleQuotient(
                     forNode(node->child1()).m_type, forNode(node->child2()).m_type));
+            break;
+        case UntypedUse:
+            clobberWorld(node->origin.semantic, clobberLimit);
+            forNode(node).setType(m_graph, SpecBytecodeNumber);
             break;
         default:

trunk/Source/JavaScriptCore/dfg/DFGClobberize.h ¶

@@ -248 +248 @@
     case ArithAdd:
     case ArithNegate:
-    case ArithDiv:
     case ArithMod:
     case DoubleAsInt32:
@@ -255 +254 @@
         return;
 
+    case ArithDiv:
+    case ArithMul:
     case ArithSub:
-    case ArithMul:
         switch (node->binaryUseKind()) {
         case Int32Use:

trunk/Source/JavaScriptCore/dfg/DFGFixupPhase.cpp ¶

@@ -266 +266 @@
         case ArithDiv:
         case ArithMod: {
-            if (Node::shouldSpeculateInt32OrBooleanForArithmetic(node->child1().node(), node->child2().node())
+            Edge& leftChild = node->child1();
+            Edge& rightChild = node->child2();
+            if (op == ArithDiv
+                && (Node::shouldSpeculateUntypedForArithmetic(leftChild.node(), rightChild.node())
+                    || m_graph.hasExitSite(node->origin.semantic, BadType))) {
+                fixEdge<UntypedUse>(leftChild);
+                fixEdge<UntypedUse>(rightChild);
+                node->setResult(NodeResultJS);
+                break;
+            }
+            if (Node::shouldSpeculateInt32OrBooleanForArithmetic(leftChild.node(), rightChild.node())
                 && node->canSpeculateInt32(FixupPass)) {
                 if (optimizeForX86() || optimizeForARM64() || optimizeForARMv7IDIVSupported()) {
-                    fixIntOrBooleanEdge(node->child1());
-                    fixIntOrBooleanEdge(node->child2());
+                    fixIntOrBooleanEdge(leftChild);
+                    fixIntOrBooleanEdge(rightChild);
                     if (bytecodeCanTruncateInteger(node->arithNodeFlags()))
                         node->setArithMode(Arith::Unchecked);
@@ -281 +291 @@
                 
                 // This will cause conversion nodes to be inserted later.
-                fixDoubleOrBooleanEdge(node->child1());
-                fixDoubleOrBooleanEdge(node->child2());
+                fixDoubleOrBooleanEdge(leftChild);
+                fixDoubleOrBooleanEdge(rightChild);
                 
                 // We don't need to do ref'ing on the children because we're stealing them from
@@ -298 +308 @@
                 break;
             }
-            fixDoubleOrBooleanEdge(node->child1());
-            fixDoubleOrBooleanEdge(node->child2());
+            fixDoubleOrBooleanEdge(leftChild);
+            fixDoubleOrBooleanEdge(rightChild);
             node->setResult(NodeResultDouble);
             break;

trunk/Source/JavaScriptCore/dfg/DFGOperations.cpp ¶

@@ -201 +201 @@
 }
 
+EncodedJSValue JIT_OPERATION operationValueDiv(ExecState* exec, EncodedJSValue encodedOp1, EncodedJSValue encodedOp2)
+{
+    VM* vm = &exec->vm();
+    NativeCallFrameTracer tracer(vm, exec);
+
+    JSValue op1 = JSValue::decode(encodedOp1);
+    JSValue op2 = JSValue::decode(encodedOp2);
+
+    double a = op1.toNumber(exec);
+    double b = op2.toNumber(exec);
+    return JSValue::encode(jsNumber(a / b));
+}
+
 EncodedJSValue JIT_OPERATION operationValueMul(ExecState* exec, EncodedJSValue encodedOp1, EncodedJSValue encodedOp2)
 {

trunk/Source/JavaScriptCore/dfg/DFGOperations.h ¶

@@ -46 +46 @@
 EncodedJSValue JIT_OPERATION operationValueAdd(ExecState*, EncodedJSValue encodedOp1, EncodedJSValue encodedOp2) WTF_INTERNAL;
 EncodedJSValue JIT_OPERATION operationValueAddNotNumber(ExecState*, EncodedJSValue encodedOp1, EncodedJSValue encodedOp2) WTF_INTERNAL;
+EncodedJSValue JIT_OPERATION operationValueDiv(ExecState*, EncodedJSValue encodedOp1, EncodedJSValue encodedOp2) WTF_INTERNAL;
 EncodedJSValue JIT_OPERATION operationValueMul(ExecState*, EncodedJSValue encodedOp1, EncodedJSValue encodedOp2) WTF_INTERNAL;
 EncodedJSValue JIT_OPERATION operationValueSub(ExecState*, EncodedJSValue encodedOp1, EncodedJSValue encodedOp2) WTF_INTERNAL;

trunk/Source/JavaScriptCore/dfg/DFGPredictionPropagationPhase.cpp ¶

@@ -355 +355 @@
             
             if (left && right) {
-                if (Node::shouldSpeculateInt32OrBooleanForArithmetic(node->child1().node(), node->child2().node())
-                    && node->canSpeculateInt32(m_pass))
-                    changed |= mergePrediction(SpecInt32);
-                else
-                    changed |= mergePrediction(SpecBytecodeDouble);
+                if (isFullNumberOrBooleanSpeculationExpectingDefined(left)
+                    && isFullNumberOrBooleanSpeculationExpectingDefined(right)) {
+                    if (Node::shouldSpeculateInt32OrBooleanForArithmetic(node->child1().node(), node->child2().node())
+                        && node->canSpeculateInt32(m_pass))
+                        changed |= mergePrediction(SpecInt32);
+                    else
+                        changed |= mergePrediction(SpecBytecodeDouble);
+                } else
+                    changed |= mergePrediction(SpecInt32 | SpecBytecodeDouble);
             }
             break;

trunk/Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp ¶

@@ -40 +40 @@
 #include "DirectArguments.h"
 #include "JITAddGenerator.h"
+#include "JITDivGenerator.h"
 #include "JITMulGenerator.h"
 #include "JITSubGenerator.h"
@@ -3687 +3688 @@
         break;
     }
-        
+
+    case UntypedUse: {
+        Edge& leftChild = node->child1();
+        Edge& rightChild = node->child2();
+
+        if (isKnownNotNumber(leftChild.node()) || isKnownNotNumber(rightChild.node())) {
+            JSValueOperand left(this, leftChild);
+            JSValueOperand right(this, rightChild);
+            JSValueRegs leftRegs = left.jsValueRegs();
+            JSValueRegs rightRegs = right.jsValueRegs();
+#if USE(JSVALUE64)
+            GPRTemporary result(this);
+            JSValueRegs resultRegs = JSValueRegs(result.gpr());
+#else
+            GPRTemporary resultTag(this);
+            GPRTemporary resultPayload(this);
+            JSValueRegs resultRegs = JSValueRegs(resultPayload.gpr(), resultTag.gpr());
+#endif
+            flushRegisters();
+            callOperation(operationValueDiv, resultRegs, leftRegs, rightRegs);
+            m_jit.exceptionCheck();
+
+            jsValueResult(resultRegs, node);
+            return;
+        }
+
+        Optional<JSValueOperand> left;
+        Optional<JSValueOperand> right;
+
+        JSValueRegs leftRegs;
+        JSValueRegs rightRegs;
+
+        FPRTemporary leftNumber(this);
+        FPRTemporary rightNumber(this);
+        FPRReg leftFPR = leftNumber.fpr();
+        FPRReg rightFPR = rightNumber.fpr();
+        FPRTemporary fprScratch(this);
+        FPRReg scratchFPR = fprScratch.fpr();
+
+#if USE(JSVALUE64)
+        GPRTemporary result(this);
+        JSValueRegs resultRegs = JSValueRegs(result.gpr());
+        GPRTemporary scratch(this);
+        GPRReg scratchGPR = scratch.gpr();
+#else
+        GPRTemporary resultTag(this);
+        GPRTemporary resultPayload(this);
+        JSValueRegs resultRegs = JSValueRegs(resultPayload.gpr(), resultTag.gpr());
+        GPRReg scratchGPR = resultTag.gpr();
+#endif
+
+        SnippetOperand leftOperand(m_state.forNode(leftChild).resultType());
+        SnippetOperand rightOperand(m_state.forNode(rightChild).resultType());
+
+        if (leftChild->isInt32Constant())
+            leftOperand.setConstInt32(leftChild->asInt32());
+#if USE(JSVALUE64)
+        else if (leftChild->isDoubleConstant())
+            leftOperand.setConstDouble(leftChild->asNumber());
+#endif
+
+        if (leftOperand.isConst()) {
+            // The snippet generator only supports 1 argument as a constant.
+            // Ignore the rightChild's const-ness.
+        } else if (rightChild->isInt32Constant())
+            rightOperand.setConstInt32(rightChild->asInt32());
+#if USE(JSVALUE64)
+        else if (rightChild->isDoubleConstant())
+            rightOperand.setConstDouble(rightChild->asNumber());
+#endif
+
+        RELEASE_ASSERT(!leftOperand.isConst() || !rightOperand.isConst());
+
+        if (!leftOperand.isConst()) {
+            left = JSValueOperand(this, leftChild);
+            leftRegs = left->jsValueRegs();
+        }
+        if (!rightOperand.isConst()) {
+            right = JSValueOperand(this, rightChild);
+            rightRegs = right->jsValueRegs();
+        }
+
+        JITDivGenerator gen(leftOperand, rightOperand, resultRegs, leftRegs, rightRegs,
+            leftFPR, rightFPR, scratchGPR, scratchFPR);
+        gen.generateFastPath(m_jit);
+
+        ASSERT(gen.didEmitFastPath());
+        gen.endJumpList().append(m_jit.jump());
+
+        gen.slowPathJumpList().link(&m_jit);
+        silentSpillAllRegisters(resultRegs);
+
+        if (leftOperand.isConst()) {
+            leftRegs = resultRegs;
+            m_jit.moveValue(leftChild->asJSValue(), leftRegs);
+        }
+        if (rightOperand.isConst()) {
+            rightRegs = resultRegs;
+            m_jit.moveValue(rightChild->asJSValue(), rightRegs);
+        }
+
+        callOperation(operationValueDiv, resultRegs, leftRegs, rightRegs);
+
+        silentFillAllRegisters(resultRegs);
+        m_jit.exceptionCheck();
+
+        gen.endJumpList().link(&m_jit);
+        jsValueResult(resultRegs, node);
+        return;
+    }
+
     default:
         RELEASE_ASSERT_NOT_REACHED();

trunk/Source/JavaScriptCore/ftl/FTLCompileBinaryOp.cpp ¶

@@ -33 +33 @@
 #include "GPRInfo.h"
 #include "JITAddGenerator.h"
+#include "JITDivGenerator.h"
 #include "JITMulGenerator.h"
 #include "JITSubGenerator.h"
@@ -154 +155 @@
 };
 
-template<typename BinaryArithOpGenerator>
+enum ScratchFPRUsage {
+    DontNeedScratchFPR,
+    NeedScratchFPR
+};
+
+template<typename BinaryArithOpGenerator, ScratchFPRUsage scratchFPRUsage = DontNeedScratchFPR>
 void generateBinaryArithOpFastPath(BinaryOpDescriptor& ic, CCallHelpers& jit,
     GPRReg result, GPRReg left, GPRReg right, RegisterSet usedRegisters,
@@ -167 +173 @@
     FPRReg rightFPR = allocator.allocateScratchFPR();
     FPRReg scratchFPR = InvalidFPRReg;
+    if (scratchFPRUsage == NeedScratchFPR)
+        scratchFPR = allocator.allocateScratchFPR();
 
     BinaryArithOpGenerator gen(ic.leftOperand(), ic.rightOperand(), JSValueRegs(result),
@@ -196 +204 @@
 {
     switch (ic.nodeType()) {
+    case ArithDiv:
+        generateBinaryArithOpFastPath<JITDivGenerator, NeedScratchFPR>(ic, jit, result, left, right, usedRegisters, done, slowPathStart);
+        break;
     case ArithMul:
         generateBinaryArithOpFastPath<JITMulGenerator>(ic, jit, result, left, right, usedRegisters, done, slowPathStart);

trunk/Source/JavaScriptCore/ftl/FTLInlineCacheDescriptor.h ¶

@@ -166 +166 @@
 };
 
+class ArithDivDescriptor : public BinaryOpDescriptor {
+public:
+    ArithDivDescriptor(unsigned stackmapID, CodeOrigin, const SnippetOperand& leftOperand, const SnippetOperand& rightOperand);
+    static size_t icSize();
+};
+
 class ArithMulDescriptor : public BinaryOpDescriptor {
 public:

trunk/Source/JavaScriptCore/ftl/FTLInlineCacheDescriptorInlines.h ¶

@@ -35 +35 @@
 
 namespace JSC { namespace FTL {
+
+ArithDivDescriptor::ArithDivDescriptor(unsigned stackmapID, CodeOrigin codeOrigin,
+    const SnippetOperand& leftOperand, const SnippetOperand& rightOperand)
+    : BinaryOpDescriptor(DFG::ArithDiv, stackmapID, codeOrigin, icSize(),
+        "ArithDiv", "ArithDiv IC fast path", DFG::operationValueDiv, leftOperand, rightOperand)
+{
+}
+
+size_t ArithDivDescriptor::icSize()
+{
+    return sizeOfArithDiv();
+}
 
 ArithMulDescriptor::ArithMulDescriptor(unsigned stackmapID, CodeOrigin codeOrigin,

trunk/Source/JavaScriptCore/ftl/FTLInlineCacheSize.cpp ¶

@@ -126 +126 @@
 #else
     return 5; 
+#endif
+}
+
+size_t sizeOfArithDiv()
+{
+#if CPU(ARM64)
+#ifdef NDEBUG
+    return 180; // ARM64 release.
+#else
+    return 276; // ARM64 debug.
+#endif
+#else // CPU(X86_64)
+#ifdef NDEBUG
+    return 199; // X86_64 release.
+#else
+    return 286; // X86_64 debug.
+#endif
 #endif
 }

trunk/Source/JavaScriptCore/ftl/FTLInlineCacheSize.h ¶

@@ -47 +47 @@
 size_t sizeOfConstructForwardVarargs();
 size_t sizeOfIn();
+size_t sizeOfArithDiv();
 size_t sizeOfArithMul();
 size_t sizeOfArithSub();

trunk/Source/JavaScriptCore/ftl/FTLLowerDFGToLLVM.cpp ¶

@@ -241 +241 @@
                         break;
                     }
+                    case ArithDiv:
                     case ArithMul:
                     case ArithSub:
@@ -1862 +1863 @@
             StackmapArgumentList arguments;
             arguments.append(m_out.constInt64(stackmapID));
-            arguments.append(m_out.constInt32(ArithSubDescriptor::icSize()));
+            arguments.append(m_out.constInt32(ArithMulDescriptor::icSize()));
             arguments.append(constNull(m_out.ref8));
             arguments.append(m_out.constInt32(2));
@@ -1944 +1945 @@
             break;
         }
-            
+
+        case UntypedUse: {
+            Edge& leftChild = m_node->child1();
+            Edge& rightChild = m_node->child2();
+
+            if (!(provenType(leftChild) & SpecFullNumber) || !(provenType(rightChild) & SpecFullNumber)) {
+                setJSValue(vmCall(m_out.int64, m_out.operation(operationValueDiv), m_callFrame,
+                    lowJSValue(leftChild), lowJSValue(rightChild)));
+                return;
+            }
+
+            unsigned stackmapID = m_stackmapIDs++;
+
+            if (Options::verboseCompilation())
+                dataLog("    Emitting ArithDiv patchpoint with stackmap #", stackmapID, "\n");
+
+#if FTL_USES_B3
+            CRASH();
+#else
+            LValue left = lowJSValue(leftChild);
+            LValue right = lowJSValue(rightChild);
+
+            SnippetOperand leftOperand(abstractValue(leftChild).resultType());
+            SnippetOperand rightOperand(abstractValue(rightChild).resultType());
+
+            if (leftChild->isInt32Constant())
+                leftOperand.setConstInt32(leftChild->asInt32());
+#if USE(JSVALUE64)
+            else if (leftChild->isDoubleConstant())
+                leftOperand.setConstDouble(leftChild->asNumber());
+#endif
+
+            if (leftOperand.isConst()) {
+                // The snippet generator only supports 1 argument as a constant.
+                // Ignore the rightChild's const-ness.
+            } else if (rightChild->isInt32Constant())
+                rightOperand.setConstInt32(rightChild->asInt32());
+#if USE(JSVALUE64)
+            else if (rightChild->isDoubleConstant())
+                rightOperand.setConstDouble(rightChild->asNumber());
+#endif
+
+            RELEASE_ASSERT(!leftOperand.isConst() || !rightOperand.isConst());
+
+            // Arguments: id, bytes, target, numArgs, args...
+            StackmapArgumentList arguments;
+            arguments.append(m_out.constInt64(stackmapID));
+            arguments.append(m_out.constInt32(ArithDivDescriptor::icSize()));
+            arguments.append(constNull(m_out.ref8));
+            arguments.append(m_out.constInt32(2));
+            arguments.append(left);
+            arguments.append(right);
+
+            appendOSRExitArgumentsForPatchpointIfWillCatchException(arguments,
+                ExceptionType::BinaryOpGenerator, 3); // left, right, and result show up in the stackmap locations.
+
+            LValue call = m_out.call(m_out.int64, m_out.patchpointInt64Intrinsic(), arguments);
+            setInstructionCallingConvention(call, LLVMAnyRegCallConv);
+
+            m_ftlState.binaryOps.append(ArithDivDescriptor(stackmapID, m_node->origin.semantic, leftOperand, rightOperand));
+
+            setJSValue(call);
+#endif // FTL_USES_B3
+            break;
+        }
+
         default:
             DFG_CRASH(m_graph, m_node, "Bad use kind");

trunk/Source/JavaScriptCore/jit/JITArithmetic.cpp ¶

@@ -800 +800 @@
     JSValueRegs resultRegs = leftRegs;
     GPRReg scratchGPR = regT2;
-    FPRReg scratchFPR = InvalidFPRReg;
 #else
     JSValueRegs leftRegs = JSValueRegs(regT1, regT0);
@@ -806 +805 @@
     JSValueRegs resultRegs = leftRegs;
     GPRReg scratchGPR = regT4;
+#endif
     FPRReg scratchFPR = fpRegT2;
-#endif
 
     uint32_t* profilingCounter = &m_codeBlock->addSpecialFastCaseProfile(m_bytecodeOffset)->m_counter;

trunk/Source/JavaScriptCore/tests/stress/op_div.js ¶

@@ -44 +44 @@
     '0x10000',
     '-0x10000',
-    '0x7ffffff',
-    '-0x7ffffff',
+    '0x7fffffff',
+    '-0x7fffffff',
     '0x100000000',
     '-0x100000000',
@@ -60 +60 @@
     '"0x10000"',
     '"-0x10000"',
-    '"0x7ffffff"',
-    '"-0x7ffffff"',
+    '"0x7fffffff"',
+    '"-0x7fffffff"',
     '"0x100000000"',
     '"-0x100000000"',