Changeset 118112 in webkit

Timestamp:

May 22, 2012, 8:48:52 PM (13 years ago)

Author:

fpizlo@apple.com

Message:

DFG should support op_get_argument_by_val and op_get_arguments_length
​https://bugs.webkit.org/show_bug.cgi?id=85911

Reviewed by Oliver Hunt.

Merged r116467 from dfgopt.

This adds a simple and relatively conservative implementation of op_get_argument_by_val
and op_get_arguments_length. We can optimize these later. For now it's great to have
the additional coverage.

This patch appears to be perf-neutral.

• dfg/DFGAbstractState.cpp:

(JSC::DFG::AbstractState::execute):

• dfg/DFGAssemblyHelpers.h:

(JSC::DFG::AssemblyHelpers::addressFor):
(JSC::DFG::AssemblyHelpers::tagFor):
(JSC::DFG::AssemblyHelpers::payloadFor):

• dfg/DFGByteCodeParser.cpp:

(JSC::DFG::ByteCodeParser::parseBlock):

• dfg/DFGCapabilities.h:

(JSC::DFG::canCompileOpcode):
(JSC::DFG::canInlineOpcode):

• dfg/DFGNode.h:

(JSC::DFG::Node::hasHeapPrediction):

• dfg/DFGNodeType.h:

(DFG):

• dfg/DFGOperations.cpp:
• dfg/DFGOperations.h:
• dfg/DFGPredictionPropagationPhase.cpp:

(JSC::DFG::PredictionPropagationPhase::propagate):

• dfg/DFGSpeculativeJIT.h:

(JSC::DFG::SpeculativeJIT::callOperation):
(SpeculativeJIT):

• dfg/DFGSpeculativeJIT32_64.cpp:

(JSC::DFG::SpeculativeJIT::compile):

• dfg/DFGSpeculativeJIT64.cpp:

(JSC::DFG::SpeculativeJIT::compile):

• jit/JITOpcodes.cpp:

(JSC::JIT::emit_op_get_argument_by_val):

• jit/JITOpcodes32_64.cpp:

(JSC::JIT::emit_op_get_argument_by_val):

• llint/LowLevelInterpreter32_64.asm:
• llint/LowLevelInterpreter64.asm:

Location:

trunk/Source/JavaScriptCore

Files:

• ChangeLog (modified) (1 diff)
• dfg/DFGAbstractState.cpp (modified) (1 diff)
• dfg/DFGAssemblyHelpers.h (modified) (2 diffs)
• dfg/DFGByteCodeParser.cpp (modified) (1 diff)
• dfg/DFGCapabilities.h (modified) (2 diffs)
• dfg/DFGNode.h (modified) (1 diff)
• dfg/DFGNodeType.h (modified) (1 diff)
• dfg/DFGOperations.cpp (modified) (1 diff)
• dfg/DFGOperations.h (modified) (3 diffs)
• dfg/DFGPredictionPropagationPhase.cpp (modified) (1 diff)
• dfg/DFGSpeculativeJIT.h (modified) (6 diffs)
• dfg/DFGSpeculativeJIT32_64.cpp (modified) (1 diff)
• dfg/DFGSpeculativeJIT64.cpp (modified) (1 diff)
• jit/JITOpcodes.cpp (modified) (1 diff)
• jit/JITOpcodes32_64.cpp (modified) (1 diff)
• llint/LowLevelInterpreter32_64.asm (modified) (1 diff)
• llint/LowLevelInterpreter64.asm (modified) (1 diff)

trunk/Source/JavaScriptCore/ChangeLog

@@ +1 @@
+2012-05-08  Filip Pizlo  <fpizlo@apple.com>
+
+        DFG should support op_get_argument_by_val and op_get_arguments_length
+        https://bugs.webkit.org/show_bug.cgi?id=85911
+
+        Reviewed by Oliver Hunt.
+        
+        Merged r116467 from dfgopt.
+        
+        This adds a simple and relatively conservative implementation of op_get_argument_by_val
+        and op_get_arguments_length. We can optimize these later. For now it's great to have
+        the additional coverage.
+        
+        This patch appears to be perf-neutral.
+
+        * dfg/DFGAbstractState.cpp:
+        (JSC::DFG::AbstractState::execute):
+        * dfg/DFGAssemblyHelpers.h:
+        (JSC::DFG::AssemblyHelpers::addressFor):
+        (JSC::DFG::AssemblyHelpers::tagFor):
+        (JSC::DFG::AssemblyHelpers::payloadFor):
+        * dfg/DFGByteCodeParser.cpp:
+        (JSC::DFG::ByteCodeParser::parseBlock):
+        * dfg/DFGCapabilities.h:
+        (JSC::DFG::canCompileOpcode):
+        (JSC::DFG::canInlineOpcode):
+        * dfg/DFGNode.h:
+        (JSC::DFG::Node::hasHeapPrediction):
+        * dfg/DFGNodeType.h:
+        (DFG):
+        * dfg/DFGOperations.cpp:
+        * dfg/DFGOperations.h:
+        * dfg/DFGPredictionPropagationPhase.cpp:
+        (JSC::DFG::PredictionPropagationPhase::propagate):
+        * dfg/DFGSpeculativeJIT.h:
+        (JSC::DFG::SpeculativeJIT::callOperation):
+        (SpeculativeJIT):
+        * dfg/DFGSpeculativeJIT32_64.cpp:
+        (JSC::DFG::SpeculativeJIT::compile):
+        * dfg/DFGSpeculativeJIT64.cpp:
+        (JSC::DFG::SpeculativeJIT::compile):
+        * jit/JITOpcodes.cpp:
+        (JSC::JIT::emit_op_get_argument_by_val):
+        * jit/JITOpcodes32_64.cpp:
+        (JSC::JIT::emit_op_get_argument_by_val):
+        * llint/LowLevelInterpreter32_64.asm:
+        * llint/LowLevelInterpreter64.asm:
+
 2012-05-07  Filip Pizlo  <fpizlo@apple.com>
 

trunk/Source/JavaScriptCore/dfg/DFGAbstractState.cpp

@@ -1069 +1069 @@
         break;
         
+    case GetMyArgumentsLength:
+        // This potentially clobbers all structures if the arguments object had a getter
+        // installed on the length property.
+        clobberStructures(indexInBlock);
+        // We currently make no guarantee about what this returns because it does not
+        // speculate that the length property is actually a length.
+        forNode(nodeIndex).makeTop();
+        break;
+        
+    case GetMyArgumentByVal:
+        // This potentially clobbers all structures if the property we're accessing has
+        // a getter. We don't speculate against this.
+        clobberStructures(indexInBlock);
+        // But we do speculate that the index is an integer.
+        forNode(node.child1()).filter(PredictInt32);
+        // And the result is unknown.
+        forNode(nodeIndex).makeTop();
+        break;
+        
     case NewFunction:
     case NewFunctionExpression:

trunk/Source/JavaScriptCore/dfg/DFGAssemblyHelpers.h

@@ -135 +135 @@
         return Address(GPRInfo::callFrameRegister, virtualRegister * sizeof(Register));
     }
+    static Address addressFor(int operand)
+    {
+        return addressFor(static_cast<VirtualRegister>(operand));
+    }
 
     static Address tagFor(VirtualRegister virtualRegister)
@@ -140 +144 @@
         return Address(GPRInfo::callFrameRegister, virtualRegister * sizeof(Register) + OBJECT_OFFSETOF(EncodedValueDescriptor, asBits.tag));
     }
+    static Address tagFor(int operand)
+    {
+        return tagFor(static_cast<VirtualRegister>(operand));
+    }
 
     static Address payloadFor(VirtualRegister virtualRegister)
     {
         return Address(GPRInfo::callFrameRegister, virtualRegister * sizeof(Register) + OBJECT_OFFSETOF(EncodedValueDescriptor, asBits.payload));
+    }
+    static Address payloadFor(int operand)
+    {
+        return payloadFor(static_cast<VirtualRegister>(operand));
     }
 

trunk/Source/JavaScriptCore/dfg/DFGByteCodeParser.cpp

@@ -2388 +2388 @@
         }
             
+        case op_get_arguments_length: {
+            set(currentInstruction[1].u.operand, addToGraph(GetMyArgumentsLength));
+            NEXT_OPCODE(op_get_arguments_length);
+        }
+            
+        case op_get_argument_by_val: {
+            set(currentInstruction[1].u.operand,
+                addToGraph(
+                    GetMyArgumentByVal, OpInfo(0), OpInfo(getPrediction()),
+                    get(currentInstruction[3].u.operand)));
+            NEXT_OPCODE(op_get_argument_by_val);
+        }
+            
         case op_new_func: {
             if (!currentInstruction[3].u.operand) {

trunk/Source/JavaScriptCore/dfg/DFGCapabilities.h

@@ -168 +168 @@
     case op_new_func:
     case op_new_func_exp:
+    case op_get_argument_by_val:
+    case op_get_arguments_length:
         return true;
         
@@ -203 +205 @@
     case op_create_arguments:
     case op_tear_off_arguments:
+    case op_get_argument_by_val:
+    case op_get_arguments_length:
         return false;
         

trunk/Source/JavaScriptCore/dfg/DFGNode.h

@@ -513 +513 @@
         case GetByIdFlush:
         case GetByVal:
+        case GetMyArgumentByVal:
         case Call:
         case Construct:

trunk/Source/JavaScriptCore/dfg/DFGNodeType.h

@@ -196 +196 @@
     macro(CreateArguments, NodeResultJS) \
     macro(TearOffArguments, NodeMustGenerate) \
+    macro(GetMyArgumentsLength, NodeResultJS | NodeMustGenerate | NodeClobbersWorld) \
+    macro(GetMyArgumentByVal, NodeResultJS | NodeMustGenerate | NodeClobbersWorld) \
     \
     /* Nodes for creating functions. */\

trunk/Source/JavaScriptCore/dfg/DFGOperations.cpp

@@ -1065 +1065 @@
     ASSERT(exec->codeBlock()->usesArguments() && !exec->codeBlock()->needsFullScopeChain());
     asArguments(argumentsCell)->tearOff(exec);
+}
+
+EncodedJSValue DFG_OPERATION operationGetArgumentsLength(ExecState* exec)
+{
+    Identifier ident(&exec->globalData(), "length");
+    JSValue baseValue = exec->uncheckedR(exec->codeBlock()->argumentsRegister()).jsValue();
+    PropertySlot slot(baseValue);
+    return JSValue::encode(baseValue.get(exec, ident, slot));
+}
+
+EncodedJSValue DFG_OPERATION operationGetArgumentByVal(ExecState* exec, int32_t index)
+{
+    return JSValue::encode(
+        exec->uncheckedR(exec->codeBlock()->argumentsRegister()).jsValue().get(exec, index));
 }
 

trunk/Source/JavaScriptCore/dfg/DFGOperations.h

@@ -61 +61 @@
     G: GlobalResolveInfo*
 */
+typedef EncodedJSValue DFG_OPERATION (*J_DFGOperation_E)(ExecState*);
 typedef EncodedJSValue DFG_OPERATION (*J_DFGOperation_EA)(ExecState*, JSArray*);
 typedef EncodedJSValue DFG_OPERATION (*J_DFGOperation_ECC)(ExecState*, JSCell*, JSCell*);
@@ -76 +77 @@
 typedef EncodedJSValue DFG_OPERATION (*J_DFGOperation_EPS)(ExecState*, void*, size_t);
 typedef EncodedJSValue DFG_OPERATION (*J_DFGOperation_ESS)(ExecState*, size_t, size_t);
+typedef EncodedJSValue DFG_OPERATION (*J_DFGOperation_EZ)(ExecState*, int32_t);
 typedef JSCell* DFG_OPERATION (*C_DFGOperation_E)(ExecState*);
 typedef JSCell* DFG_OPERATION (*C_DFGOperation_EC)(ExecState*, JSCell*);
@@ -158 +160 @@
 void DFG_OPERATION operationTearOffActivation(ExecState*, JSCell*, int32_t unmodifiedArgumentsRegister);
 void DFG_OPERATION operationTearOffArguments(ExecState*, JSCell*);
+EncodedJSValue DFG_OPERATION operationGetArgumentsLength(ExecState*);
+EncodedJSValue DFG_OPERATION operationGetArgumentByVal(ExecState*, int32_t);
 JSCell* DFG_OPERATION operationNewFunction(ExecState*, JSCell*);
 JSCell* DFG_OPERATION operationNewFunctionExpression(ExecState*, JSCell*);

trunk/Source/JavaScriptCore/dfg/DFGPredictionPropagationPhase.cpp

@@ -438 +438 @@
         }
             
+        case GetMyArgumentByVal: {
+            changed |= mergePrediction(node.getHeapPrediction());
+            changed |= m_graph[node.child1()].mergeFlags(NodeUsedAsNumber | NodeUsedAsInt);
+            break;
+        }
+            
+        case GetMyArgumentsLength: {
+            changed |= setPrediction(PredictInt32);
+            break;
+        }
+            
         case GetPropertyStorage: 
         case GetIndexedPropertyStorage: {

trunk/Source/JavaScriptCore/dfg/DFGSpeculativeJIT.h

@@ -1212 +1212 @@
     // decision as to how to fill the regsiters to setupArguments* methods.
 #if USE(JSVALUE64)
+    JITCompiler::Call callOperation(J_DFGOperation_E operation, GPRReg result)
+    {
+        m_jit.setupArgumentsExecState();
+        return appendCallWithExceptionCheckSetResult(operation, result);
+    }
     JITCompiler::Call callOperation(J_DFGOperation_EP operation, GPRReg result, void* pointer)
     {
@@ -1270 +1275 @@
     }
     JITCompiler::Call callOperation(J_DFGOperation_EP operation, GPRReg result, GPRReg arg1)
+    {
+        m_jit.setupArgumentsWithExecState(arg1);
+        return appendCallWithExceptionCheckSetResult(operation, result);
+    }
+    JITCompiler::Call callOperation(J_DFGOperation_EZ operation, GPRReg result, GPRReg arg1)
     {
         m_jit.setupArgumentsWithExecState(arg1);
@@ -1432 +1442 @@
         return call;
     }
+    JITCompiler::Call callOperation(J_DFGOperation_E operation, GPRReg resultTag, GPRReg resultPayload)
+    {
+        m_jit.setupArgumentsExecState();
+        return appendCallWithExceptionCheckSetResult(operation, resultPayload, resultTag);
+    }
     JITCompiler::Call callOperation(J_DFGOperation_EP operation, GPRReg resultTag, GPRReg resultPayload, void* pointer)
     {
@@ -1507 +1522 @@
         return appendCallWithExceptionCheckSetResult(operation, resultPayload, resultTag);
     }
+    JITCompiler::Call callOperation(J_DFGOperation_EZ operation, GPRReg resultTag, GPRReg resultPayload, GPRReg arg1)
+    {
+        m_jit.setupArgumentsWithExecState(arg1);
+        return appendCallWithExceptionCheckSetResult(operation, resultPayload, resultTag);
+    }
     JITCompiler::Call callOperation(C_DFGOperation_E operation, GPRReg result)
     {
@@ -1652 +1672 @@
 #undef EABI_32BIT_DUMMY_ARG
     
+    template<typename FunctionType>
+    JITCompiler::Call callOperation(
+        FunctionType operation, JSValueRegs result)
+    {
+        return callOperation(operation, result.tagGPR(), result.payloadGPR());
+    }
     template<typename FunctionType, typename ArgumentType1>
     JITCompiler::Call callOperation(
@@ -1999 +2025 @@
     void compileGetCharCodeAt(Node&);
     void compileGetByValOnString(Node&);
+
     void compileGetByValOnArguments(Node&);
     void compileGetArgumentsLength(Node&);
+    
     void compileValueToInt32(Node&);
     void compileUInt32ToNumber(Node&);

trunk/Source/JavaScriptCore/dfg/DFGSpeculativeJIT32_64.cpp

@@ -3809 +3809 @@
     }
         
+    case GetMyArgumentsLength: {
+        GPRTemporary resultPayload(this);
+        GPRTemporary resultTag(this);
+        GPRReg resultPayloadGPR = resultPayload.gpr();
+        GPRReg resultTagGPR = resultTag.gpr();
+        
+        JITCompiler::Jump created = m_jit.branch32(
+            JITCompiler::NotEqual,
+            JITCompiler::tagFor(m_jit.codeBlock()->argumentsRegister()),
+            TrustedImm32(JSValue::EmptyValueTag));
+        
+        m_jit.load32(JITCompiler::payloadFor(RegisterFile::ArgumentCount), resultPayloadGPR);
+        m_jit.sub32(TrustedImm32(1), resultPayloadGPR);
+        m_jit.move(TrustedImm32(JSValue::Int32Tag), resultTagGPR);
+        
+        // FIXME: the slow path generator should perform a forward speculation that the
+        // result is an integer. For now we postpone the speculation by having this return
+        // a JSValue.
+        
+        addSlowPathGenerator(
+            slowPathCall(
+                created, this, operationGetArgumentsLength,
+                JSValueRegs(resultTagGPR, resultPayloadGPR)));
+        
+        jsValueResult(resultTagGPR, resultPayloadGPR, m_compileIndex);
+        break;
+    }
+        
+    case GetMyArgumentByVal: {
+        SpeculateStrictInt32Operand index(this, node.child1());
+        GPRTemporary resultPayload(this);
+        GPRTemporary resultTag(this);
+        GPRReg indexGPR = index.gpr();
+        GPRReg resultPayloadGPR = resultPayload.gpr();
+        GPRReg resultTagGPR = resultTag.gpr();
+        
+        JITCompiler::JumpList slowPath;
+        slowPath.append(
+            m_jit.branch32(
+                JITCompiler::NotEqual,
+                JITCompiler::tagFor(m_jit.codeBlock()->argumentsRegister()),
+                TrustedImm32(JSValue::EmptyValueTag)));
+        
+        m_jit.add32(TrustedImm32(1), indexGPR, resultPayloadGPR);
+        slowPath.append(
+            m_jit.branch32(
+                JITCompiler::AboveOrEqual,
+                resultPayloadGPR,
+                JITCompiler::payloadFor(RegisterFile::ArgumentCount)));
+        
+        m_jit.neg32(resultPayloadGPR);
+        
+        m_jit.load32(
+            JITCompiler::BaseIndex(
+                GPRInfo::callFrameRegister, resultPayloadGPR, JITCompiler::TimesEight,
+                CallFrame::argumentOffsetIncludingThis(0) * sizeof(Register) +
+                OBJECT_OFFSETOF(EncodedValueDescriptor, asBits.tag)),
+            resultTagGPR);
+        m_jit.load32(
+            JITCompiler::BaseIndex(
+                GPRInfo::callFrameRegister, resultPayloadGPR, JITCompiler::TimesEight,
+                CallFrame::argumentOffsetIncludingThis(0) * sizeof(Register) +
+                OBJECT_OFFSETOF(EncodedValueDescriptor, asBits.payload)),
+            resultPayloadGPR);
+        
+        addSlowPathGenerator(
+            slowPathCall(
+                slowPath, this, operationGetArgumentByVal,
+                JSValueRegs(resultTagGPR, resultPayloadGPR), indexGPR));
+        
+        jsValueResult(resultTagGPR, resultPayloadGPR, m_compileIndex);
+        break;
+    }
+        
     case NewFunctionNoCheck:
         compileNewFunctionNoCheck(node);

trunk/Source/JavaScriptCore/dfg/DFGSpeculativeJIT64.cpp

@@ -3822 +3822 @@
     }
         
+    case GetMyArgumentsLength: {
+        GPRTemporary result(this);
+        GPRReg resultGPR = result.gpr();
+        
+        JITCompiler::Jump created = m_jit.branchTestPtr(
+            JITCompiler::NonZero, JITCompiler::addressFor(m_jit.codeBlock()->argumentsRegister()));
+        
+        m_jit.load32(JITCompiler::payloadFor(RegisterFile::ArgumentCount), resultGPR);
+        m_jit.sub32(TrustedImm32(1), resultGPR);
+        m_jit.orPtr(GPRInfo::tagTypeNumberRegister, resultGPR);
+        
+        // FIXME: the slow path generator should perform a forward speculation that the
+        // result is an integer. For now we postpone the speculation by having this return
+        // a JSValue.
+        
+        addSlowPathGenerator(
+            slowPathCall(
+                created, this, operationGetArgumentsLength, resultGPR));
+        
+        jsValueResult(resultGPR, m_compileIndex);
+        break;
+    }
+        
+    case GetMyArgumentByVal: {
+        SpeculateStrictInt32Operand index(this, node.child1());
+        GPRTemporary result(this);
+        GPRReg indexGPR = index.gpr();
+        GPRReg resultGPR = result.gpr();
+        
+        JITCompiler::JumpList slowPath;
+        slowPath.append(
+            m_jit.branchTestPtr(
+                JITCompiler::NonZero,
+                JITCompiler::addressFor(m_jit.codeBlock()->argumentsRegister())));
+        
+        m_jit.add32(TrustedImm32(1), indexGPR, resultGPR);
+        slowPath.append(
+            m_jit.branch32(
+                JITCompiler::AboveOrEqual,
+                resultGPR,
+                JITCompiler::payloadFor(RegisterFile::ArgumentCount)));
+        
+        m_jit.neg32(resultGPR);
+        m_jit.signExtend32ToPtr(resultGPR, resultGPR);
+        
+        m_jit.loadPtr(
+            JITCompiler::BaseIndex(
+                GPRInfo::callFrameRegister, resultGPR, JITCompiler::TimesEight,
+                CallFrame::argumentOffsetIncludingThis(0) * sizeof(Register)),
+            resultGPR);
+        
+        addSlowPathGenerator(
+            slowPathCall(
+                slowPath, this, operationGetArgumentByVal, resultGPR, indexGPR));
+        
+        jsValueResult(resultGPR, m_compileIndex);
+        break;
+    }
+        
     case NewFunctionNoCheck:
         compileNewFunctionNoCheck(node);

trunk/Source/JavaScriptCore/jit/JITOpcodes.cpp

@@ -1527 +1527 @@
     signExtend32ToPtr(regT1, regT1);
     loadPtr(BaseIndex(callFrameRegister, regT1, TimesEight, CallFrame::thisArgumentOffset() * static_cast<int>(sizeof(Register))), regT0);
+    emitValueProfilingSite();
     emitPutVirtualRegister(dst, regT0);
 }

trunk/Source/JavaScriptCore/jit/JITOpcodes32_64.cpp

@@ -1637 +1637 @@
     loadPtr(BaseIndex(callFrameRegister, regT2, TimesEight, OBJECT_OFFSETOF(JSValue, u.asBits.payload) + CallFrame::thisArgumentOffset() * static_cast<int>(sizeof(Register))), regT0);
     loadPtr(BaseIndex(callFrameRegister, regT2, TimesEight, OBJECT_OFFSETOF(JSValue, u.asBits.tag) + CallFrame::thisArgumentOffset() * static_cast<int>(sizeof(Register))), regT1);
+    emitValueProfilingSite();
     emitStore(dst, regT1, regT0);
 }

trunk/Source/JavaScriptCore/llint/LowLevelInterpreter32_64.asm

@@ -1215 +1215 @@
     loadi ThisArgumentOffset + TagOffset[cfr, t2, 8], t0
     loadi ThisArgumentOffset + PayloadOffset[cfr, t2, 8], t1
+    loadi 16[PC], t2
     storei t0, TagOffset[cfr, t3, 8]
     storei t1, PayloadOffset[cfr, t3, 8]
+    valueProfile(t0, t1, t2)
     dispatch(5)
 

trunk/Source/JavaScriptCore/llint/LowLevelInterpreter64.asm

@@ -1059 +1059 @@
     sxi2p t2, t2
     loadis 8[PB, PC, 8], t3
+    loadp 32[PB, PC, 8], t1
     loadp ThisArgumentOffset[cfr, t2, 8], t0
     storep t0, [cfr, t3, 8]
+    valueProfile(t0, t1)
     dispatch(5)