Changeset 194996 in webkit

Timestamp:

Jan 13, 2016, 3:28:38 PM (9 years ago)

Author:

mark.lam@apple.com

Message:

The StringFromCharCode DFG intrinsic should support untyped operands.
​https://bugs.webkit.org/show_bug.cgi?id=153046

Reviewed by Geoffrey Garen.

Source/JavaScriptCore:

The current StringFromCharCode DFG intrinsic assumes that its operand charCode
must be an Int32. This results in 26000+ BadType OSR exits in the LongSpider
crypto-aes benchmark. With support for Untyped operands, the number of OSR
exits drops to 202.

• dfg/DFGClobberize.h:

(JSC::DFG::clobberize):

• dfg/DFGFixupPhase.cpp:

(JSC::DFG::FixupPhase::fixupNode):

• dfg/DFGOperations.cpp:
• dfg/DFGOperations.h:
• dfg/DFGSpeculativeJIT.cpp:

(JSC::DFG::SpeculativeJIT::compileFromCharCode):

• dfg/DFGSpeculativeJIT.h:

(JSC::DFG::SpeculativeJIT::callOperation):

• dfg/DFGValidate.cpp:

(JSC::DFG::Validate::validate):

• runtime/JSCJSValueInlines.h:

(JSC::JSValue::toUInt32):

LayoutTests:

• js/regress/ftl-polymorphic-StringFromCharCode-expected.txt: Added.
• js/regress/ftl-polymorphic-StringFromCharCode.html: Added.
• js/regress/script-tests/ftl-polymorphic-StringFromCharCode.js: Added.

(o1.valueOf):
(foo):

Location:

trunk

Files:

• LayoutTests/ChangeLog (modified) (1 diff)
• LayoutTests/js/regress/ftl-polymorphic-StringFromCharCode-expected.txt (added)
• LayoutTests/js/regress/ftl-polymorphic-StringFromCharCode.html (added)
• LayoutTests/js/regress/script-tests/ftl-polymorphic-StringFromCharCode.js (added)
• Source/JavaScriptCore/ChangeLog (modified) (1 diff)
• Source/JavaScriptCore/dfg/DFGClobberize.h (modified) (2 diffs)
• Source/JavaScriptCore/dfg/DFGFixupPhase.cpp (modified) (1 diff)
• Source/JavaScriptCore/dfg/DFGOperations.cpp (modified) (1 diff)
• Source/JavaScriptCore/dfg/DFGOperations.h (modified) (1 diff)
• Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp (modified) (1 diff)
• Source/JavaScriptCore/dfg/DFGSpeculativeJIT.h (modified) (2 diffs)
• Source/JavaScriptCore/dfg/DFGValidate.cpp (modified) (1 diff)
• Source/JavaScriptCore/runtime/JSCJSValueInlines.h (modified) (1 diff)

trunk/LayoutTests/ChangeLog

@@ +1 @@
+2016-01-13  Mark Lam  <mark.lam@apple.com>
+
+        The StringFromCharCode DFG intrinsic should support untyped operands.
+        https://bugs.webkit.org/show_bug.cgi?id=153046
+
+        Reviewed by Geoffrey Garen.
+
+        * js/regress/ftl-polymorphic-StringFromCharCode-expected.txt: Added.
+        * js/regress/ftl-polymorphic-StringFromCharCode.html: Added.
+        * js/regress/script-tests/ftl-polymorphic-StringFromCharCode.js: Added.
+        (o1.valueOf):
+        (foo):
+
 2016-01-13  Joseph Pecoraro  <pecoraro@apple.com>
 

trunk/Source/JavaScriptCore/ChangeLog

@@ +1 @@
+2016-01-13  Mark Lam  <mark.lam@apple.com>
+
+        The StringFromCharCode DFG intrinsic should support untyped operands.
+        https://bugs.webkit.org/show_bug.cgi?id=153046
+
+        Reviewed by Geoffrey Garen.
+
+        The current StringFromCharCode DFG intrinsic assumes that its operand charCode
+        must be an Int32.  This results in 26000+ BadType OSR exits in the LongSpider
+        crypto-aes benchmark.  With support for Untyped operands, the number of OSR
+        exits drops to 202.
+
+        * dfg/DFGClobberize.h:
+        (JSC::DFG::clobberize):
+        * dfg/DFGFixupPhase.cpp:
+        (JSC::DFG::FixupPhase::fixupNode):
+        * dfg/DFGOperations.cpp:
+        * dfg/DFGOperations.h:
+        * dfg/DFGSpeculativeJIT.cpp:
+        (JSC::DFG::SpeculativeJIT::compileFromCharCode):
+        * dfg/DFGSpeculativeJIT.h:
+        (JSC::DFG::SpeculativeJIT::callOperation):
+        * dfg/DFGValidate.cpp:
+        (JSC::DFG::Validate::validate):
+        * runtime/JSCJSValueInlines.h:
+        (JSC::JSValue::toUInt32):
+
 2016-01-13  Mark Lam  <mark.lam@apple.com>
 

trunk/Source/JavaScriptCore/dfg/DFGClobberize.h

@@ -136 +136 @@
     case SkipScope:
     case StringCharCodeAt:
-    case StringFromCharCode:
     case CompareStrictEq:
     case IsUndefined:
@@ -258 +257 @@
         return;
     }
+
+    case StringFromCharCode:
+        switch (node->child1().useKind()) {
+        case Int32Use:
+            def(PureValue(node));
+            return;
+        case UntypedUse:
+            read(World);
+            write(Heap);
+            return;
+        default:
+            DFG_CRASH(graph, node, "Bad use kind");
+        }
+        return;
 
     case ArithAdd:

trunk/Source/JavaScriptCore/dfg/DFGFixupPhase.cpp

@@ -603 +603 @@
 
         case StringFromCharCode:
+            if (node->child1()->shouldSpeculateUntypedForArithmetic()) {
+                fixEdge<UntypedUse>(node->child1());
+                break;
+            }
             fixEdge<Int32Use>(node->child1());
             break;

trunk/Source/JavaScriptCore/dfg/DFGOperations.cpp

@@ -1314 +1314 @@
 }
 
+EncodedJSValue JIT_OPERATION operationStringFromCharCodeUntyped(ExecState* exec, EncodedJSValue encodedValue)
+{
+    VM* vm = &exec->vm();
+    NativeCallFrameTracer tracer(vm, exec);
+    JSValue charValue = JSValue::decode(encodedValue);
+    int32_t chInt = charValue.toUInt32(exec);
+    return JSValue::encode(JSC::stringFromCharCode(exec, chInt));
+}
+
 int64_t JIT_OPERATION operationConvertBoxedDoubleToInt52(EncodedJSValue encodedValue)
 {

trunk/Source/JavaScriptCore/dfg/DFGOperations.h

@@ -39 +39 @@
 
 JSCell* JIT_OPERATION operationStringFromCharCode(ExecState*, int32_t)  WTF_INTERNAL; 
+EncodedJSValue JIT_OPERATION operationStringFromCharCodeUntyped(ExecState*, EncodedJSValue)  WTF_INTERNAL;
 
 // These routines are provide callbacks out to C++ implementations of operations too complex to JIT.

trunk/Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp

@@ -1872 +1872 @@
 void SpeculativeJIT::compileFromCharCode(Node* node)
 {
-    SpeculateStrictInt32Operand property(this, node->child1());
+    Edge& child = node->child1();
+    if (child.useKind() == UntypedUse) {
+        JSValueOperand opr(this, child);
+        JSValueRegs oprRegs = opr.jsValueRegs();
+#if USE(JSVALUE64)
+        GPRTemporary result(this);
+        JSValueRegs resultRegs = JSValueRegs(result.gpr());
+#else
+        GPRTemporary resultTag(this);
+        GPRTemporary resultPayload(this);
+        JSValueRegs resultRegs = JSValueRegs(resultPayload.gpr(), resultTag.gpr());
+#endif
+        flushRegisters();
+        callOperation(operationStringFromCharCodeUntyped, resultRegs, oprRegs);
+        m_jit.exceptionCheck();
+        
+        jsValueResult(resultRegs, node);
+        return;
+    }
+
+    SpeculateStrictInt32Operand property(this, child);
     GPRReg propertyReg = property.gpr();
     GPRTemporary smallStrings(this);

trunk/Source/JavaScriptCore/dfg/DFGSpeculativeJIT.h

@@ -1410 +1410 @@
         return appendCallSetResult(operation, result);
     }
+    JITCompiler::Call callOperation(J_JITOperation_EJ operation, JSValueRegs result, JSValueRegs arg1)
+    {
+        return callOperation(operation, result.payloadGPR(), arg1.payloadGPR());
+    }
     JITCompiler::Call callOperation(J_JITOperation_EJ operation, GPRReg result, GPRReg arg1)
     {
@@ -1610 +1614 @@
         m_jit.setupArgumentsWithExecState(arg1, arg2);
         return appendCallSetResult(operation, resultPayload, resultTag);
+    }
+    JITCompiler::Call callOperation(J_JITOperation_EJ operation, JSValueRegs result, JSValueRegs arg1)
+    {
+        return callOperation(operation, result.tagGPR(), result.payloadGPR(), arg1.tagGPR(), arg1.payloadGPR());
     }
     JITCompiler::Call callOperation(J_JITOperation_EJ operation, GPRReg resultPayload, GPRReg resultTag, GPRReg arg1)

trunk/Source/JavaScriptCore/dfg/DFGValidate.cpp

@@ -265 +265 @@
                     break;
                 case CheckStructure:
+                case StringFromCharCode:
                     VALIDATE((node), !!node->child1());
                     break;

trunk/Source/JavaScriptCore/runtime/JSCJSValueInlines.h

@@ -47 +47 @@
 inline uint32_t JSValue::toUInt32(ExecState* exec) const
 {
-    // See comment on JSC::toUInt32, above.
+    // See comment on JSC::toUInt32, in JSCJSValue.h.
     return toInt32(exec);
 }