Changeset 278462 in webkit

Timestamp:

Jun 4, 2021 8:58:13 AM (14 months ago)

Author:

Tadeu Zagallo

Message:

Optimize Function.prototype.toString
​https://bugs.webkit.org/show_bug.cgi?id=226418
<rdar://77861846>

Reviewed by Saam Barati.

JSTests:

• microbenchmarks/function-to-string.js: Added.

(f):
(C):
(C.prototype.method1):
(C.prototype.method2):
(test):
(test2):

Source/JavaScriptCore:

Add caching to Function.prototype.toString. This is used heavily in Speedometer2, and repeatedly recomputing a
string which is a constant is costly. We cache the results of toString in all cases except for bound functions.
To make this work for bound functions, we'd need to add a new field they can use for this cache. For other
functions, we cache it on the executable (either NativeExecutable or FunctionExecutable). The reason we can't
do this on the executable for bound functions is that all bound functions share the same executable, but
individual bound functions can have different names. The reason it's valid to cache the results in general is that a
function's name field can't be changed from JS code -- it's non-writable.

This patch also makes Function.prototype.toString an intrinsic in the DFG/FTL. We emit code on the fast path
which reads the cached value if it's present. If not, we call into the slow path, which will compute
the cached value for non bound functions, or compute the result for bound functions.

I added a new microbenchmark that speeds up by >35x:

function-to-string 2197.5952+-30.7118 ^{59.9861+-2.5550} definitely 36.6350x faster

• CMakeLists.txt:
• JavaScriptCore.xcodeproj/project.pbxproj:
• dfg/DFGAbstractInterpreterInlines.h:

(JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):

• dfg/DFGByteCodeParser.cpp:

(JSC::DFG::ByteCodeParser::handleIntrinsicCall):

• dfg/DFGClobberize.h:

(JSC::DFG::clobberize):

• dfg/DFGDoesGC.cpp:

(JSC::DFG::doesGC):

• dfg/DFGFixupPhase.cpp:

(JSC::DFG::FixupPhase::fixupNode):

• dfg/DFGNodeType.h:
• dfg/DFGOperations.cpp:

(JSC::DFG::JSC_DEFINE_JIT_OPERATION):

• dfg/DFGOperations.h:
• dfg/DFGPredictionPropagationPhase.cpp:
• dfg/DFGSafeToExecute.h:

(JSC::DFG::safeToExecute):

• dfg/DFGSpeculativeJIT.cpp:

(JSC::DFG::getExecutable):
(JSC::DFG::SpeculativeJIT::compileFunctionToString):
(JSC::DFG::SpeculativeJIT::compileGetExecutable):

• dfg/DFGSpeculativeJIT.h:
• dfg/DFGSpeculativeJIT32_64.cpp:

(JSC::DFG::SpeculativeJIT::compile):

• dfg/DFGSpeculativeJIT64.cpp:

(JSC::DFG::SpeculativeJIT::compile):

• ftl/FTLAbstractHeapRepository.h:
• ftl/FTLCapabilities.cpp:

(JSC::FTL::canCompile):

• ftl/FTLLowerDFGToB3.cpp:

(JSC::FTL::DFG::LowerDFGToB3::compileNode):
(JSC::FTL::DFG::LowerDFGToB3::getExecutable):
(JSC::FTL::DFG::LowerDFGToB3::compileGetExecutable):
(JSC::FTL::DFG::LowerDFGToB3::compileFunctionToString):

• runtime/FunctionExecutable.cpp:

(JSC::FunctionExecutable::visitChildrenImpl):
(JSC::FunctionExecutable::toStringSlow):

• runtime/FunctionExecutable.h:
• runtime/FunctionExecutableInlines.h:

(JSC::FunctionExecutable::toString):

• runtime/FunctionPrototype.cpp:

(JSC::FunctionPrototype::addFunctionProperties):
(JSC::JSC_DEFINE_HOST_FUNCTION):

• runtime/Intrinsic.cpp:

(JSC::intrinsicName):

• runtime/Intrinsic.h:
• runtime/JSFunction.cpp:

(JSC::JSFunction::toString):

• runtime/JSFunction.h:
• runtime/JSFunctionInlines.h:

(JSC::JSFunction::asStringConcurrently const):

• runtime/JSStringInlines.h:
• runtime/NativeExecutable.cpp:

(JSC::NativeExecutable::toStringSlow):
(JSC::NativeExecutable::visitChildrenImpl):

• runtime/NativeExecutable.h:

Location:

trunk

Files:

• JSTests/ChangeLog (modified) (1 diff)
• JSTests/microbenchmarks/function-to-string.js (added)
• Source/JavaScriptCore/CMakeLists.txt (modified) (1 diff)
• Source/JavaScriptCore/ChangeLog (modified) (1 diff)
• Source/JavaScriptCore/JavaScriptCore.xcodeproj/project.pbxproj (modified) (1 diff)
• Source/JavaScriptCore/dfg/DFGAbstractInterpreterInlines.h (modified) (1 diff)
• Source/JavaScriptCore/dfg/DFGByteCodeParser.cpp (modified) (1 diff)
• Source/JavaScriptCore/dfg/DFGClobberize.h (modified) (1 diff)
• Source/JavaScriptCore/dfg/DFGDoesGC.cpp (modified) (1 diff)
• Source/JavaScriptCore/dfg/DFGFixupPhase.cpp (modified) (1 diff)
• Source/JavaScriptCore/dfg/DFGNodeType.h (modified) (1 diff)
• Source/JavaScriptCore/dfg/DFGOperations.cpp (modified) (1 diff)
• Source/JavaScriptCore/dfg/DFGOperations.h (modified) (1 diff)
• Source/JavaScriptCore/dfg/DFGPredictionPropagationPhase.cpp (modified) (1 diff)
• Source/JavaScriptCore/dfg/DFGSafeToExecute.h (modified) (1 diff)
• Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp (modified) (3 diffs)
• Source/JavaScriptCore/dfg/DFGSpeculativeJIT.h (modified) (1 diff)
• Source/JavaScriptCore/dfg/DFGSpeculativeJIT32_64.cpp (modified) (1 diff)
• Source/JavaScriptCore/dfg/DFGSpeculativeJIT64.cpp (modified) (1 diff)
• Source/JavaScriptCore/ftl/FTLAbstractHeapRepository.h (modified) (2 diffs)
• Source/JavaScriptCore/ftl/FTLCapabilities.cpp (modified) (1 diff)
• Source/JavaScriptCore/ftl/FTLLowerDFGToB3.cpp (modified) (5 diffs)
• Source/JavaScriptCore/runtime/FunctionExecutable.cpp (modified) (2 diffs)
• Source/JavaScriptCore/runtime/FunctionExecutable.h (modified) (3 diffs)
• Source/JavaScriptCore/runtime/FunctionExecutableInlines.h (modified) (1 diff)
• Source/JavaScriptCore/runtime/FunctionPrototype.cpp (modified) (2 diffs)
• Source/JavaScriptCore/runtime/Intrinsic.cpp (modified) (1 diff)
• Source/JavaScriptCore/runtime/Intrinsic.h (modified) (1 diff)
• Source/JavaScriptCore/runtime/JSFunction.cpp (modified) (1 diff)
• Source/JavaScriptCore/runtime/JSFunction.h (modified) (1 diff)
• Source/JavaScriptCore/runtime/JSFunctionInlines.h (modified) (2 diffs)
• Source/JavaScriptCore/runtime/JSStringInlines.h (modified) (1 diff)
• Source/JavaScriptCore/runtime/NativeExecutable.cpp (modified) (1 diff)
• Source/JavaScriptCore/runtime/NativeExecutable.h (modified) (3 diffs)

trunk/JSTests/ChangeLog

@@ +1 @@
+2021-06-04  Tadeu Zagallo  <tzagallo@apple.com>
+
+        Optimize Function.prototype.toString
+        https://bugs.webkit.org/show_bug.cgi?id=226418
+        <rdar://77861846>
+
+        Reviewed by Saam Barati.
+
+        * microbenchmarks/function-to-string.js: Added.
+        (f):
+        (C):
+        (C.prototype.method1):
+        (C.prototype.method2):
+        (test):
+        (test2):
+
 2021-06-03  Ross Kirsling  <ross.kirsling@sony.com>
 

trunk/Source/JavaScriptCore/CMakeLists.txt

@@ -944 +944 @@
     runtime/JSArrayIterator.h
     runtime/JSBigInt.h
+    runtime/JSBoundFunction.h
     runtime/JSCConfig.h
     runtime/JSCInlines.h

trunk/Source/JavaScriptCore/ChangeLog

@@ +1 @@
+2021-06-04  Tadeu Zagallo  <tzagallo@apple.com>
+
+        Optimize Function.prototype.toString
+        https://bugs.webkit.org/show_bug.cgi?id=226418
+        <rdar://77861846>
+
+        Reviewed by Saam Barati.
+
+        Add caching to Function.prototype.toString. This is used heavily in Speedometer2, and repeatedly recomputing a
+        string which is a constant is costly. We cache the results of toString in all cases except for bound functions.
+        To make this work for bound functions, we'd need to add a new field they can use for this cache. For other
+        functions, we cache it on the executable (either NativeExecutable or FunctionExecutable). The reason we can't
+        do this on the executable for bound functions is that all bound functions share the same executable, but
+        individual bound functions can have different names. The reason it's valid to cache the results in general is that a
+        function's name field can't be changed from JS code -- it's non-writable.
+
+        This patch also makes Function.prototype.toString an intrinsic in the DFG/FTL. We emit code on the fast path
+        which reads the cached value if it's present. If not, we call into the slow path, which will compute
+        the cached value for non bound functions, or compute the result for bound functions.
+
+        I added a new microbenchmark that speeds up by >35x:
+
+        function-to-string     2197.5952+-30.7118    ^     59.9861+-2.5550        ^ definitely 36.6350x faster
+
+        * CMakeLists.txt:
+        * JavaScriptCore.xcodeproj/project.pbxproj:
+        * dfg/DFGAbstractInterpreterInlines.h:
+        (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
+        * dfg/DFGByteCodeParser.cpp:
+        (JSC::DFG::ByteCodeParser::handleIntrinsicCall):
+        * dfg/DFGClobberize.h:
+        (JSC::DFG::clobberize):
+        * dfg/DFGDoesGC.cpp:
+        (JSC::DFG::doesGC):
+        * dfg/DFGFixupPhase.cpp:
+        (JSC::DFG::FixupPhase::fixupNode):
+        * dfg/DFGNodeType.h:
+        * dfg/DFGOperations.cpp:
+        (JSC::DFG::JSC_DEFINE_JIT_OPERATION):
+        * dfg/DFGOperations.h:
+        * dfg/DFGPredictionPropagationPhase.cpp:
+        * dfg/DFGSafeToExecute.h:
+        (JSC::DFG::safeToExecute):
+        * dfg/DFGSpeculativeJIT.cpp:
+        (JSC::DFG::getExecutable):
+        (JSC::DFG::SpeculativeJIT::compileFunctionToString):
+        (JSC::DFG::SpeculativeJIT::compileGetExecutable):
+        * dfg/DFGSpeculativeJIT.h:
+        * dfg/DFGSpeculativeJIT32_64.cpp:
+        (JSC::DFG::SpeculativeJIT::compile):
+        * dfg/DFGSpeculativeJIT64.cpp:
+        (JSC::DFG::SpeculativeJIT::compile):
+        * ftl/FTLAbstractHeapRepository.h:
+        * ftl/FTLCapabilities.cpp:
+        (JSC::FTL::canCompile):
+        * ftl/FTLLowerDFGToB3.cpp:
+        (JSC::FTL::DFG::LowerDFGToB3::compileNode):
+        (JSC::FTL::DFG::LowerDFGToB3::getExecutable):
+        (JSC::FTL::DFG::LowerDFGToB3::compileGetExecutable):
+        (JSC::FTL::DFG::LowerDFGToB3::compileFunctionToString):
+        * runtime/FunctionExecutable.cpp:
+        (JSC::FunctionExecutable::visitChildrenImpl):
+        (JSC::FunctionExecutable::toStringSlow):
+        * runtime/FunctionExecutable.h:
+        * runtime/FunctionExecutableInlines.h:
+        (JSC::FunctionExecutable::toString):
+        * runtime/FunctionPrototype.cpp:
+        (JSC::FunctionPrototype::addFunctionProperties):
+        (JSC::JSC_DEFINE_HOST_FUNCTION):
+        * runtime/Intrinsic.cpp:
+        (JSC::intrinsicName):
+        * runtime/Intrinsic.h:
+        * runtime/JSFunction.cpp:
+        (JSC::JSFunction::toString):
+        * runtime/JSFunction.h:
+        * runtime/JSFunctionInlines.h:
+        (JSC::JSFunction::asStringConcurrently const):
+        * runtime/JSStringInlines.h:
+        * runtime/NativeExecutable.cpp:
+        (JSC::NativeExecutable::toStringSlow):
+        (JSC::NativeExecutable::visitChildrenImpl):
+        * runtime/NativeExecutable.h:
+
 2021-06-04  Michael Catanzaro  <mcatanzaro@gnome.org>
 

trunk/Source/JavaScriptCore/JavaScriptCore.xcodeproj/project.pbxproj

@@ -1303 +1303 @@
                 86F3EEBD168CDE930077B92A /* ObjCCallbackFunction.h in Headers */ = {isa = PBXBuildFile; fileRef = 86F3EEB9168CCF750077B92A /* ObjCCallbackFunction.h */; };
                 86F3EEBF168CDE930077B92A /* ObjcRuntimeExtras.h in Headers */ = {isa = PBXBuildFile; fileRef = 86F3EEB616855A5B0077B92A /* ObjcRuntimeExtras.h */; };
-                86FA9E92142BBB2E001773B7 /* JSBoundFunction.h in Headers */ = {isa = PBXBuildFile; fileRef = 86FA9E90142BBB2E001773B7 /* JSBoundFunction.h */; };
+                86FA9E92142BBB2E001773B7 /* JSBoundFunction.h in Headers */ = {isa = PBXBuildFile; fileRef = 86FA9E90142BBB2E001773B7 /* JSBoundFunction.h */; settings = {ATTRIBUTES = (Private, ); }; };
                 8B3BF5E41E3D368B0076A87A /* AsyncGeneratorPrototype.lut.h in Headers */ = {isa = PBXBuildFile; fileRef = 8B3BF5E31E3D365A0076A87A /* AsyncGeneratorPrototype.lut.h */; };
                 8B6016F61F3E3CC000F9DE6A /* AsyncFromSyncIteratorPrototype.h in Headers */ = {isa = PBXBuildFile; fileRef = 8B6016F41F3E3CC000F9DE6A /* AsyncFromSyncIteratorPrototype.h */; };

trunk/Source/JavaScriptCore/dfg/DFGAbstractInterpreterInlines.h

@@ -2856 +2856 @@
     }
 
+    case FunctionToString: {
+        JSValue value = m_state.forNode(node->child1()).value();
+        if (value) {
+            JSFunction* function = jsDynamicCast<JSFunction*>(m_vm, value);
+            if (JSString* asString = function->asStringConcurrently(m_vm)) {
+                setConstant(node, *m_graph.freeze(asString));
+                break;
+            }
+        }
+        setForNode(node, m_vm.stringStructure.get());
+        break;
+    }
+
     case NumberToStringWithRadix: {
         JSValue radixValue = forNode(node->child2()).m_value;

trunk/Source/JavaScriptCore/dfg/DFGByteCodeParser.cpp

@@ -3741 +3741 @@
             return false;
 #endif
+        }
+
+        case FunctionToStringIntrinsic: {
+            if (m_inlineStackTop->m_exitProfile.hasExitSite(m_currentIndex, BadType))
+                return false;
+
+            insertChecks();
+            Node* function = get(virtualRegisterForArgumentIncludingThis(0, registerOffset));
+            Node* resultNode = addToGraph(FunctionToString, function);
+            setResult(resultNode);
+            return true;
         }
 

trunk/Source/JavaScriptCore/dfg/DFGClobberize.h

@@ -1819 +1819 @@
             return;
         }
+
+    case FunctionToString:
+        def(PureValue(node));
+        return;
         
     case CountExecution:

trunk/Source/JavaScriptCore/dfg/DFGDoesGC.cpp

@@ -291 +291 @@
     case DirectTailCallInlinedCaller:
     case ForceOSRExit:
+    case FunctionToString:
     case GetById:
     case GetByIdDirect:

trunk/Source/JavaScriptCore/dfg/DFGFixupPhase.cpp

@@ -1974 +1974 @@
         }
 
+        case FunctionToString: {
+            fixEdge<FunctionUse>(node->child1());
+            break;
+        }
 
         case SetPrivateBrand: {

trunk/Source/JavaScriptCore/dfg/DFGNodeType.h

@@ -429 +429 @@
     macro(NumberToStringWithRadix, NodeResultJS | NodeMustGenerate) \
     macro(NumberToStringWithValidRadixConstant, NodeResultJS) \
+    macro(FunctionToString, NodeResultJS) \
     macro(MakeRope, NodeResultJS) \
     macro(InByVal, NodeResultBoolean | NodeMustGenerate) \

trunk/Source/JavaScriptCore/dfg/DFGOperations.cpp

@@ -2561 +2561 @@
 }
 
+JSC_DEFINE_JIT_OPERATION(operationFunctionToString, JSString*, (JSGlobalObject* globalObject, JSFunction* function))
+{
+    VM& vm = globalObject->vm();
+    CallFrame* callFrame = DECLARE_CALL_FRAME(vm);
+    JITOperationPrologueCallFrameTracer tracer(vm, callFrame);
+
+    return function->toString(globalObject);
+}
+
 JSC_DEFINE_JIT_OPERATION(operationSingleCharacterString, JSString*, (VM* vmPointer, int32_t character))
 {

trunk/Source/JavaScriptCore/dfg/DFGOperations.h

@@ -247 +247 @@
 JSC_DECLARE_JIT_OPERATION(operationInt52ToStringWithValidRadix, char*, (JSGlobalObject*, int64_t, int32_t));
 JSC_DECLARE_JIT_OPERATION(operationDoubleToStringWithValidRadix, char*, (JSGlobalObject*, double, int32_t));
+JSC_DECLARE_JIT_OPERATION(operationFunctionToString, JSString*, (JSGlobalObject*, JSFunction*));
 
 JSC_DECLARE_JIT_OPERATION(operationNormalizeMapKeyHeapBigInt, EncodedJSValue, (VM*, JSBigInt*));

trunk/Source/JavaScriptCore/dfg/DFGPredictionPropagationPhase.cpp

@@ -1159 +1159 @@
         case CallStringConstructor:
         case ToString:
+        case FunctionToString:
         case NumberToStringWithRadix:
         case NumberToStringWithValidRadixConstant:

trunk/Source/JavaScriptCore/dfg/DFGSafeToExecute.h

@@ -274 +274 @@
     case LogicalNot:
     case ToString:
+    case FunctionToString:
     case NumberToStringWithValidRadixConstant:
     case StrCat:

trunk/Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp

@@ -53 +53 @@
 #include "JSAsyncFunction.h"
 #include "JSAsyncGeneratorFunction.h"
+#include "JSBoundFunction.h"
 #include "JSCInlines.h"
 #include "JSGeneratorFunction.h"
@@ -10556 +10557 @@
 }
 
+static void getExecutable(JITCompiler& jit, GPRReg functionGPR, GPRReg resultGPR)
+{
+    jit.loadPtr(JITCompiler::Address(functionGPR, JSFunction::offsetOfExecutableOrRareData()), resultGPR);
+    auto hasExecutable = jit.branchTestPtr(CCallHelpers::Zero, resultGPR, CCallHelpers::TrustedImm32(JSFunction::rareDataTag));
+    jit.loadPtr(CCallHelpers::Address(resultGPR, FunctionRareData::offsetOfExecutable() - JSFunction::rareDataTag), resultGPR);
+    hasExecutable.link(&jit);
+}
+
+void SpeculativeJIT::compileFunctionToString(Node* node)
+{
+    SpeculateCellOperand function(this, node->child1());
+    GPRTemporary executable(this);
+    GPRTemporary result(this);
+    JITCompiler::JumpList slowCases;
+
+    speculateFunction(node->child1(), function.gpr());
+
+    m_jit.emitLoadStructure(vm(), function.gpr(), result.gpr(), executable.gpr());
+    m_jit.loadPtr(JITCompiler::Address(result.gpr(), Structure::classInfoOffset()), result.gpr());
+    static_assert(std::is_final_v<JSBoundFunction>, "We don't handle subclasses when comparing classInfo below");
+    slowCases.append(m_jit.branchPtr(CCallHelpers::Equal, result.gpr(), TrustedImmPtr(JSBoundFunction::info())));
+
+    getExecutable(m_jit, function.gpr(), executable.gpr());
+    JITCompiler::Jump isNativeExecutable = m_jit.branch8(JITCompiler::Equal, JITCompiler::Address(executable.gpr(), JSCell::typeInfoTypeOffset()), TrustedImm32(NativeExecutableType));
+
+    m_jit.loadPtr(MacroAssembler::Address(executable.gpr(), FunctionExecutable::offsetOfRareData()), result.gpr());
+    slowCases.append(m_jit.branchTestPtr(MacroAssembler::Zero, result.gpr()));
+    m_jit.loadPtr(MacroAssembler::Address(result.gpr(), FunctionExecutable::offsetOfAsStringInRareData()), result.gpr());
+    JITCompiler::Jump continuation = m_jit.jump();
+
+    isNativeExecutable.link(&m_jit);
+    m_jit.loadPtr(MacroAssembler::Address(executable.gpr(), NativeExecutable::offsetOfAsString()), result.gpr());
+
+    continuation.link(&m_jit);
+    slowCases.append(m_jit.branchTestPtr(MacroAssembler::Zero, result.gpr()));
+
+    addSlowPathGenerator(slowPathCall(slowCases, this, operationFunctionToString, result.gpr(), TrustedImmPtr::weakPointer(m_graph, m_graph.globalObjectFor(node->origin.semantic)), function.gpr()));
+
+    cellResult(result.gpr(), node);
+}
+
 void SpeculativeJIT::compileNumberToStringWithValidRadixConstant(Node* node)
 {
@@ -13305 +13347 @@
     SpeculateCellOperand function(this, node->child1());
     GPRTemporary result(this, Reuse, function);
-    GPRReg functionGPR = function.gpr();
-    GPRReg resultGPR = result.gpr();
-    speculateCellType(node->child1(), functionGPR, SpecFunction, JSFunctionType);
-    m_jit.loadPtr(JITCompiler::Address(functionGPR, JSFunction::offsetOfExecutableOrRareData()), resultGPR);
-    auto hasExecutable = m_jit.branchTestPtr(CCallHelpers::Zero, resultGPR, CCallHelpers::TrustedImm32(JSFunction::rareDataTag));
-    m_jit.loadPtr(CCallHelpers::Address(resultGPR, FunctionRareData::offsetOfExecutable() - JSFunction::rareDataTag), resultGPR);
-    hasExecutable.link(&m_jit);
-    cellResult(resultGPR, node);
+    speculateFunction(node->child1(), function.gpr());
+    getExecutable(m_jit, function.gpr(), result.gpr());
+    cellResult(result.gpr(), node);
 }
 

trunk/Source/JavaScriptCore/dfg/DFGSpeculativeJIT.h

@@ -1228 +1228 @@
     
     void compileToStringOrCallStringConstructorOrStringValueOf(Node*);
+    void compileFunctionToString(Node*);
     void compileNumberToStringWithRadix(Node*);
     void compileNumberToStringWithValidRadixConstant(Node*);

trunk/Source/JavaScriptCore/dfg/DFGSpeculativeJIT32_64.cpp

@@ -3206 +3206 @@
         break;
     }
+
+    case FunctionToString:
+        compileFunctionToString(node);
+        break;
         
     case NewStringObject: {

trunk/Source/JavaScriptCore/dfg/DFGSpeculativeJIT64.cpp

@@ -3791 +3791 @@
         break;
     }
+
+    case FunctionToString:
+        compileFunctionToString(node);
+        break;
         
     case NewStringObject: {

trunk/Source/JavaScriptCore/ftl/FTLAbstractHeapRepository.h

@@ -78 +78 @@
     macro(DirectArguments_mappedArguments, DirectArguments::offsetOfMappedArguments()) \
     macro(DirectArguments_modifiedArgumentsDescriptor, DirectArguments::offsetOfModifiedArgumentsDescriptor()) \
+    macro(FunctionExecutable_rareData, FunctionExecutable::offsetOfRareData()) \
+    macro(FunctionExecutableRareData_asString, FunctionExecutable::offsetOfAsStringInRareData()) \
     macro(FunctionRareData_allocator, FunctionRareData::offsetOfObjectAllocationProfile() + ObjectAllocationProfileWithPrototype::offsetOfAllocator()) \
     macro(FunctionRareData_structure, FunctionRareData::offsetOfObjectAllocationProfile() + ObjectAllocationProfileWithPrototype::offsetOfStructure()) \
@@ -120 +122 @@
     macro(JSScope_next, JSScope::offsetOfNext()) \
     macro(JSSymbolTableObject_symbolTable, JSSymbolTableObject::offsetOfSymbolTable()) \
+    macro(NativeExecutable_asString, NativeExecutable::offsetOfAsString()) \
     macro(RegExpObject_regExpAndLastIndexIsNotWritableFlag, RegExpObject::offsetOfRegExpAndLastIndexIsNotWritableFlag()) \
     macro(RegExpObject_lastIndex, RegExpObject::offsetOfLastIndex()) \

trunk/Source/JavaScriptCore/ftl/FTLCapabilities.cpp

@@ -218 +218 @@
     case ToNumeric:
     case ToString:
+    case FunctionToString:
     case ToObject:
     case CallObjectConstructor:

trunk/Source/JavaScriptCore/ftl/FTLLowerDFGToB3.cpp

@@ -78 +78 @@
 #include "JSAsyncGenerator.h"
 #include "JSAsyncGeneratorFunction.h"
+#include "JSBoundFunction.h"
 #include "JSCInlines.h"
 #include "JSGenerator.h"
@@ -1197 +1198 @@
             compileToStringOrCallStringConstructorOrStringValueOf();
             break;
+        case FunctionToString:
+            compileFunctionToString();
+            break;
         case ToPrimitive:
             compileToPrimitive();
@@ -3775 +3779 @@
     }
 
-    void compileGetExecutable()
+    LValue getExecutable(LValue function)
     {
         LBasicBlock continuation = m_out.newBlock();
         LBasicBlock hasRareData = m_out.newBlock();
-        LValue cell = lowCell(m_node->child1());
-        speculateFunction(m_node->child1(), cell);
-
-        LValue rareDataTags = m_out.loadPtr(cell, m_heaps.JSFunction_executableOrRareData);
+
+        LValue rareDataTags = m_out.loadPtr(function, m_heaps.JSFunction_executableOrRareData);
         ValueFromBlock fastExecutable = m_out.anchor(rareDataTags);
         m_out.branch(m_out.testIsZeroPtr(rareDataTags, m_out.constIntPtr(JSFunction::rareDataTag)), unsure(continuation), unsure(hasRareData));
@@ -3792 +3794 @@
 
         m_out.appendTo(continuation, lastNext);
-        setJSValue(m_out.phi(pointerType(), fastExecutable, slowExecutable));
+        return m_out.phi(pointerType(), fastExecutable, slowExecutable);
+    }
+
+    void compileGetExecutable()
+    {
+        LValue cell = lowCell(m_node->child1());
+        speculateFunction(m_node->child1(), cell);
+        LValue executable = getExecutable(cell);
+        setJSValue(executable);
     }
     
@@ -8220 +8230 @@
             break;
         }
+    }
+
+    void compileFunctionToString()
+    {
+        JSGlobalObject* globalObject = m_graph.globalObjectFor(m_origin.semantic);
+
+        LBasicBlock notBoundFunctionCase = m_out.newBlock();
+        LBasicBlock functionExecutableCase = m_out.newBlock();
+        LBasicBlock nativeExecutableCase = m_out.newBlock();
+        LBasicBlock testPtr = m_out.newBlock();
+        LBasicBlock hasRareData = m_out.newBlock();
+        LBasicBlock slowCase = m_out.newBlock();
+        LBasicBlock continuation = m_out.newBlock();
+
+        LValue function = lowCell(m_node->child1());
+        speculateFunction(m_node->child1(), function);
+
+        LValue structure = loadStructure(function);
+        LValue classInfo = m_out.loadPtr(structure, m_heaps.Structure_classInfo);
+        static_assert(std::is_final_v<JSBoundFunction>, "We don't handle subclasses when comparing classInfo below");
+        m_out.branch(m_out.equal(classInfo, m_out.constIntPtr(JSBoundFunction::info())), unsure(slowCase), unsure(notBoundFunctionCase));
+
+        LBasicBlock lastNext = m_out.appendTo(notBoundFunctionCase, nativeExecutableCase);
+        LValue executable = getExecutable(function);
+        m_out.branch(isType(executable, NativeExecutableType), unsure(nativeExecutableCase), unsure(functionExecutableCase));
+
+        m_out.appendTo(nativeExecutableCase, functionExecutableCase);
+        ValueFromBlock nativeResult = m_out.anchor(m_out.loadPtr(executable, m_heaps.NativeExecutable_asString));
+        m_out.jump(testPtr);
+
+        m_out.appendTo(functionExecutableCase, testPtr);
+        LValue rareData = m_out.loadPtr(executable, m_heaps.FunctionExecutable_rareData);
+        m_out.branch(m_out.notNull(rareData), usually(hasRareData), rarely(slowCase));
+
+        m_out.appendTo(hasRareData, slowCase);
+        ValueFromBlock functionResult = m_out.anchor(m_out.loadPtr(rareData, m_heaps.FunctionExecutableRareData_asString));
+        m_out.jump(testPtr);
+
+        m_out.appendTo(testPtr, continuation);
+        LValue asString = m_out.phi(pointerType(), nativeResult, functionResult);
+        ValueFromBlock fastResult = m_out.anchor(asString);
+        m_out.branch(m_out.notNull(asString), usually(continuation), rarely(slowCase));
+
+        m_out.appendTo(slowCase, continuation);
+        ValueFromBlock slowResult = m_out.anchor(vmCall(pointerType(), operationFunctionToString, weakPointer(globalObject), function));
+        m_out.jump(continuation);
+
+        m_out.appendTo(continuation, lastNext);
+        setJSValue(m_out.phi(pointerType(), fastResult, slowResult));
     }
     

trunk/Source/JavaScriptCore/runtime/FunctionExecutable.cpp

@@ -80 +80 @@
     if (RareData* rareData = thisObject->m_rareData.get()) {
         visitor.append(rareData->m_cachedPolyProtoStructure);
+        visitor.append(rareData->m_asString);
         if (TemplateObjectMap* map = rareData->m_templateObjectMap.get()) {
             Locker locker { thisObject->cellLock() };
@@ -117 +118 @@
 }
 
+JSString* FunctionExecutable::toStringSlow(JSGlobalObject* globalObject)
+{
+    VM& vm = getVM(globalObject);
+    ASSERT(m_rareData && !m_rareData->m_asString);
+
+    auto throwScope = DECLARE_THROW_SCOPE(vm);
+
+    const auto& cache = [&](JSString* asString) {
+        WTF::storeStoreFence();
+        m_rareData->m_asString.set(vm, this, asString);
+        return asString;
+    };
+
+    const auto& cacheIfNoException = [&](JSValue value) -> JSString* {
+        RETURN_IF_EXCEPTION(throwScope, nullptr);
+        return cache(::JSC::asString(value));
+    };
+
+    if (isBuiltinFunction())
+        return cacheIfNoException(jsMakeNontrivialString(globalObject, "function ", name().string(), "() {\n    [native code]\n}"));
+
+    if (isClass())
+        return cache(jsString(vm, classSource().view().toString()));
+
+    String functionHeader;
+    switch (parseMode()) {
+    case SourceParseMode::GeneratorWrapperFunctionMode:
+    case SourceParseMode::GeneratorWrapperMethodMode:
+        functionHeader = "function* ";
+        break;
+
+    case SourceParseMode::NormalFunctionMode:
+    case SourceParseMode::GetterMode:
+    case SourceParseMode::SetterMode:
+    case SourceParseMode::MethodMode:
+    case SourceParseMode::ProgramMode:
+    case SourceParseMode::ModuleAnalyzeMode:
+    case SourceParseMode::ModuleEvaluateMode:
+    case SourceParseMode::GeneratorBodyMode:
+    case SourceParseMode::AsyncGeneratorBodyMode:
+    case SourceParseMode::AsyncFunctionBodyMode:
+    case SourceParseMode::AsyncArrowFunctionBodyMode:
+        functionHeader = "function ";
+        break;
+
+    case SourceParseMode::ArrowFunctionMode:
+    case SourceParseMode::ClassFieldInitializerMode:
+        functionHeader = "";
+        break;
+
+    case SourceParseMode::AsyncFunctionMode:
+    case SourceParseMode::AsyncMethodMode:
+        functionHeader = "async function ";
+        break;
+
+    case SourceParseMode::AsyncArrowFunctionMode:
+        functionHeader = "async ";
+        break;
+
+    case SourceParseMode::AsyncGeneratorWrapperFunctionMode:
+    case SourceParseMode::AsyncGeneratorWrapperMethodMode:
+        functionHeader = "async function* ";
+        break;
+    }
+
+    StringView src = source().provider()->getRange(
+        parametersStartOffset(),
+        parametersStartOffset() + source().length());
+
+    String name = this->name().string();
+    if (name == vm.propertyNames->starDefaultPrivateName.string())
+        name = emptyString();
+    return cacheIfNoException(jsMakeNontrivialString(globalObject, functionHeader, name, src));
+}
+
 void FunctionExecutable::overrideInfo(const FunctionOverrideInfo& overrideInfo)
 {

trunk/Source/JavaScriptCore/runtime/FunctionExecutable.h

@@ -286 +286 @@
     void finalizeUnconditionally(VM&);
 
+    JSString* toString(JSGlobalObject*);
+    JSString* asStringConcurrently() const
+    {
+        if (!m_rareData)
+            return nullptr;
+        return m_rareData->m_asString.get();
+    }
+
+    static inline ptrdiff_t offsetOfRareData() { return OBJECT_OFFSETOF(FunctionExecutable, m_rareData); }
+    static inline ptrdiff_t offsetOfAsStringInRareData() { return OBJECT_OFFSETOF(RareData, m_asString); }
+
 private:
     friend class ExecutableBase;
@@ -305 +316 @@
         std::unique_ptr<TemplateObjectMap> m_templateObjectMap;
         WriteBarrier<Structure> m_cachedPolyProtoStructure;
+        WriteBarrier<JSString> m_asString;
     };
 
@@ -314 +326 @@
     }
     RareData& ensureRareDataSlow();
+
+    JSString* toStringSlow(JSGlobalObject*);
 
     // FIXME: We can merge rareData pointer and top-level executable pointer. First time, setting parent.

trunk/Source/JavaScriptCore/runtime/FunctionExecutableInlines.h

@@ -36 +36 @@
 }
 
+JSString* FunctionExecutable::toString(JSGlobalObject* globalObject)
+{
+    RareData& rareData = ensureRareData();
+    if (!rareData.m_asString)
+        return toStringSlow(globalObject);
+    return rareData.m_asString.get();
+}
+
 } // namespace JSC
 

trunk/Source/JavaScriptCore/runtime/FunctionPrototype.cpp

@@ -55 +55 @@
 void FunctionPrototype::addFunctionProperties(VM& vm, JSGlobalObject* globalObject, JSFunction** callFunction, JSFunction** applyFunction, JSFunction** hasInstanceSymbolFunction)
 {
-    JSFunction* toStringFunction = JSFunction::create(vm, globalObject, 0, vm.propertyNames->toString.string(), functionProtoFuncToString);
-    putDirectWithoutTransition(vm, vm.propertyNames->toString, toStringFunction, static_cast<unsigned>(PropertyAttribute::DontEnum));
+    JSC_NATIVE_INTRINSIC_FUNCTION_WITHOUT_TRANSITION(vm.propertyNames->builtinNames().toStringPublicName(), functionProtoFuncToString, static_cast<unsigned>(PropertyAttribute::DontEnum), 0, FunctionToStringIntrinsic);
 
     *applyFunction = putDirectBuiltinFunctionWithoutTransition(vm, globalObject, vm.propertyNames->builtinNames().applyPublicName(), functionPrototypeApplyCodeGenerator(vm), static_cast<unsigned>(PropertyAttribute::DontEnum));
@@ -82 +81 @@
         JSFunction* function = jsCast<JSFunction*>(thisValue);
         Integrity::auditStructureID(vm, function->structureID());
-        if (function->isHostOrBuiltinFunction())
-            RELEASE_AND_RETURN(scope, JSValue::encode(jsMakeNontrivialString(globalObject, "function ", function->name(vm), "() {\n    [native code]\n}")));
-
-        FunctionExecutable* executable = function->jsExecutable();
-        if (executable->isClass())
-            return JSValue::encode(jsString(vm, executable->classSource().view().toString()));
-
-        String functionHeader;
-        switch (executable->parseMode()) {
-        case SourceParseMode::GeneratorWrapperFunctionMode:
-        case SourceParseMode::GeneratorWrapperMethodMode:
-            functionHeader = "function* ";
-            break;
-
-        case SourceParseMode::NormalFunctionMode:
-        case SourceParseMode::GetterMode:
-        case SourceParseMode::SetterMode:
-        case SourceParseMode::MethodMode:
-        case SourceParseMode::ProgramMode:
-        case SourceParseMode::ModuleAnalyzeMode:
-        case SourceParseMode::ModuleEvaluateMode:
-        case SourceParseMode::GeneratorBodyMode:
-        case SourceParseMode::AsyncGeneratorBodyMode:
-        case SourceParseMode::AsyncFunctionBodyMode:
-        case SourceParseMode::AsyncArrowFunctionBodyMode:
-            functionHeader = "function ";
-            break;
-
-        case SourceParseMode::ArrowFunctionMode:
-        case SourceParseMode::ClassFieldInitializerMode:
-            functionHeader = "";
-            break;
-
-        case SourceParseMode::AsyncFunctionMode:
-        case SourceParseMode::AsyncMethodMode:
-            functionHeader = "async function ";
-            break;
-
-        case SourceParseMode::AsyncArrowFunctionMode:
-            functionHeader = "async ";
-            break;
-
-        case SourceParseMode::AsyncGeneratorWrapperFunctionMode:
-        case SourceParseMode::AsyncGeneratorWrapperMethodMode:
-            functionHeader = "async function* ";
-            break;
-        }
-
-        StringView source = executable->source().provider()->getRange(
-            executable->parametersStartOffset(),
-            executable->parametersStartOffset() + executable->source().length());
-        RELEASE_AND_RETURN(scope, JSValue::encode(jsMakeNontrivialString(globalObject, functionHeader, function->name(vm), source)));
+        RELEASE_AND_RETURN(scope, JSValue::encode(function->toString(globalObject)));
     }
 

trunk/Source/JavaScriptCore/runtime/Intrinsic.cpp

@@ -276 +276 @@
     case ParseIntIntrinsic:
         return "ParseIntIntrinsic";
+    case FunctionToStringIntrinsic:
+        return "FunctionToStringIntrinsic";
     case TypedArrayLengthIntrinsic:
         return "TypedArrayLengthIntrinsic";

trunk/Source/JavaScriptCore/runtime/Intrinsic.h

@@ -153 +153 @@
     AtomicsXorIntrinsic,
     ParseIntIntrinsic,
+    FunctionToStringIntrinsic,
 
     // Getter intrinsics.

trunk/Source/JavaScriptCore/runtime/JSFunction.cpp

@@ -248 +248 @@
 }
 
+JSString* JSFunction::toString(JSGlobalObject* globalObject)
+{
+    VM& vm = getVM(globalObject);
+    if (inherits<JSBoundFunction>(vm)) {
+        JSBoundFunction* function = jsCast<JSBoundFunction*>(this);
+        auto scope = DECLARE_THROW_SCOPE(vm);
+        JSValue string = jsMakeNontrivialString(globalObject, "function ", function->nameString(), "() {\n    [native code]\n}");
+        RETURN_IF_EXCEPTION(scope, nullptr);
+        return asString(string);
+    }
+
+    if (isHostFunction())
+        return static_cast<NativeExecutable*>(executable())->toString(globalObject);
+    return jsExecutable()->toString(globalObject);
+}
+
 const SourceCode* JSFunction::sourceCode() const
 {

trunk/Source/JavaScriptCore/runtime/JSFunction.h

@@ -91 +91 @@
     JS_EXPORT_PRIVATE String displayName(VM&);
     JS_EXPORT_PRIVATE const String calculatedDisplayName(VM&);
+    JS_EXPORT_PRIVATE JSString* toString(JSGlobalObject*);
+
+    JSString* asStringConcurrently(VM&) const;
 
     ExecutableBase* executable() const

trunk/Source/JavaScriptCore/runtime/JSFunctionInlines.h

@@ -27 +27 @@
 
 #include "FunctionExecutable.h"
+#include "JSBoundFunction.h"
 #include "JSFunction.h"
 #include "NativeExecutable.h"
@@ -157 +158 @@
 }
 
+inline JSString* JSFunction::asStringConcurrently(VM& vm) const
+{
+    if (inherits<JSBoundFunction>(vm))
+        return nullptr;
+    if (isHostFunction())
+        return static_cast<NativeExecutable*>(executable())->asStringConcurrently();
+    return jsExecutable()->asStringConcurrently();
+}
+
 } // namespace JSC

trunk/Source/JavaScriptCore/runtime/JSStringInlines.h

@@ -26 +26 @@
 #pragma once
 
+#include "JSGlobalObjectInlines.h"
 #include "JSString.h"
 

trunk/Source/JavaScriptCore/runtime/NativeExecutable.cpp

@@ -94 +94 @@
 }
 
+JSString* NativeExecutable::toStringSlow(JSGlobalObject *globalObject)
+{
+    VM& vm = getVM(globalObject);
+
+    auto throwScope = DECLARE_THROW_SCOPE(vm);
+
+    JSValue value = jsMakeNontrivialString(globalObject, "function ", name(), "() {\n    [native code]\n}");
+
+    RETURN_IF_EXCEPTION(throwScope, nullptr);
+
+    JSString* asString = ::JSC::asString(value);
+    WTF::storeStoreFence();
+    m_asString.set(vm, this, asString);
+    return asString;
+}
+
+template<typename Visitor>
+void NativeExecutable::visitChildrenImpl(JSCell* cell, Visitor& visitor)
+{
+    NativeExecutable* thisObject = jsCast<NativeExecutable*>(cell);
+    ASSERT_GC_OBJECT_INHERITS(thisObject, info());
+    Base::visitChildren(thisObject, visitor);
+    visitor.append(thisObject->m_asString);
+}
+
+DEFINE_VISIT_CHILDREN(NativeExecutable);
+
 } // namespace JSC

trunk/Source/JavaScriptCore/runtime/NativeExecutable.h

@@ -68 +68 @@
     }
 
+    DECLARE_VISIT_CHILDREN;
     static Structure* createStructure(VM&, JSGlobalObject*, JSValue proto);
         
@@ -77 +78 @@
     Intrinsic intrinsic() const;
 
+    JSString* toString(JSGlobalObject* globalObject)
+    {
+        if (!m_asString)
+            return toStringSlow(globalObject);
+        return m_asString.get();
+    }
+
+    JSString* asStringConcurrently() const { return m_asString.get(); }
+    static inline ptrdiff_t offsetOfAsString() { return OBJECT_OFFSETOF(NativeExecutable, m_asString); }
+
 private:
     NativeExecutable(VM&, TaggedNativeFunction, TaggedNativeFunction constructor);
     void finishCreation(VM&, Ref<JITCode>&& callThunk, Ref<JITCode>&& constructThunk, const String& name);
+
+    JSString* toStringSlow(JSGlobalObject*);
 
     TaggedNativeFunction m_function;
@@ -85 +98 @@
 
     String m_name;
+    WriteBarrier<JSString> m_asString;
 };