Context Navigation

← Previous Changeset
Next Changeset →

Changeset 126715 in webkit

Timestamp:

Aug 26, 2012 3:35:26 PM (12 years ago)

Author:

fpizlo@apple.com

Message:

Array type checks and storage accesses should be uniformly represented and available to CSE
https://bugs.webkit.org/show_bug.cgi?id=95013

Reviewed by Oliver Hunt.

This uniformly breaks up all array accesses into up to three parts:

1) The type check, using a newly introduced CheckArray node, in addition to possibly

a CheckStructure node. We were already inserting the CheckStructure prior to this
patch. The CheckArray node will be automatically eliminated if the thing it was
checking for had already been checked for, either intentionally (a CheckStructure
inserted based on the array profile of this access) or accidentally (some checks,
typically a CheckStructure, inserted for some unrelated operations). The
CheckArray node may not be inserted if the array type is non-specific (Generic or
ForceExit).

2) The storage load using GetIndexedPropertyStorage. Previously, this only worked for

GetByVal. Now it works for all array accesses. The storage load may not be
inserted if the mode of array access does not permit CSE of storage loads (like
non-specific modes or Arguments).

3) The access itself: one of GetByVal, PutByVal, PutByValAlias, ArrayPush, ArrayPop,

GetArrayLength, StringCharAt, or StringCharCodeAt.

This means that the type check can be subjected to CSE even if the CFA isn't smart
enough to reason about it (yet!). It also means that the storage load can always be
subjected to CSE; previously CSE on storage load only worked for array loads and not
other forms of access. Finally, it removes the bizarre behavior that
GetIndexedPropertyStorage previously had: previously, it was responsible for the type
check in some cases, but not others; this made reasoning about the CFA really
confusing.

This change also disables late refinement of array mode, since I decided that
supporting that feature is both confusing and likely unprofitable. The array modes are
now locked in in the first fixup run after prediction propagation. Of course,
refinements from Generic to something else would not have been a problem; we could
reenable those if we thought we really needed to.

dfg/DFGAbstractState.cpp:

(JSC::DFG::AbstractState::execute):

dfg/DFGArgumentsSimplificationPhase.cpp:

(JSC::DFG::ArgumentsSimplificationPhase::run):

dfg/DFGArrayMode.cpp:

(JSC::DFG::fromStructure):
(DFG):
(JSC::DFG::refineArrayMode):

dfg/DFGArrayMode.h:

(DFG):
(JSC::DFG::modeIsJSArray):
(JSC::DFG::lengthNeedsStorage):
(JSC::DFG::modeIsSpecific):
(JSC::DFG::modeSupportsLength):

dfg/DFGByteCodeParser.cpp:

(JSC::DFG::ByteCodeParser::ByteCodeParser):
(JSC::DFG::ByteCodeParser::getArrayMode):
(ByteCodeParser):
(JSC::DFG::ByteCodeParser::getArrayModeAndEmitChecks):
(JSC::DFG::ByteCodeParser::handleIntrinsic):
(JSC::DFG::ByteCodeParser::parseBlock):

dfg/DFGCFGSimplificationPhase.cpp:

(JSC::DFG::CFGSimplificationPhase::mergeBlocks):

dfg/DFGCSEPhase.cpp:

(JSC::DFG::CSEPhase::CSEPhase):
(JSC::DFG::CSEPhase::checkStructureElimination):
(CSEPhase):
(JSC::DFG::CSEPhase::checkArrayElimination):
(JSC::DFG::CSEPhase::getIndexedPropertyStorageLoadElimination):
(JSC::DFG::CSEPhase::performNodeCSE):
(JSC::DFG::performCSE):

dfg/DFGCSEPhase.h:

(DFG):

dfg/DFGCommon.h:
dfg/DFGConstantFoldingPhase.cpp:

(JSC::DFG::ConstantFoldingPhase::foldConstants):

dfg/DFGDriver.cpp:

(JSC::DFG::compile):

dfg/DFGFixupPhase.cpp:

(JSC::DFG::FixupPhase::fixupNode):
(JSC::DFG::FixupPhase::checkArray):
(FixupPhase):
(JSC::DFG::FixupPhase::blessArrayOperation):

dfg/DFGGraph.cpp:

(JSC::DFG::Graph::Graph):
(DFG):
(JSC::DFG::Graph::dump):
(JSC::DFG::Graph::collectGarbage):

dfg/DFGGraph.h:

(Graph):
(JSC::DFG::Graph::vote):
(JSC::DFG::Graph::substitute):

dfg/DFGNode.h:

(JSC::DFG::Node::hasArrayMode):
(JSC::DFG::Node::setArrayMode):

dfg/DFGNodeType.h:

(DFG):

dfg/DFGOperations.cpp:
dfg/DFGPhase.h:

(DFG):

dfg/DFGPredictionPropagationPhase.cpp:

(JSC::DFG::PredictionPropagationPhase::propagate):
(JSC::DFG::PredictionPropagationPhase::mergeDefaultFlags):

dfg/DFGSpeculativeJIT.cpp:

(JSC::DFG::SpeculativeJIT::checkArray):
(JSC::DFG::SpeculativeJIT::useChildren):
(JSC::DFG::SpeculativeJIT::compilePutByValForIntTypedArray):
(JSC::DFG::SpeculativeJIT::compilePutByValForFloatTypedArray):
(JSC::DFG::SpeculativeJIT::compileGetIndexedPropertyStorage):
(JSC::DFG::SpeculativeJIT::compileGetArrayLength):

dfg/DFGSpeculativeJIT.h:

(SpeculativeJIT):

dfg/DFGSpeculativeJIT32_64.cpp:

(JSC::DFG::SpeculativeJIT::compile):

dfg/DFGSpeculativeJIT64.cpp:

(JSC::DFG::SpeculativeJIT::compile):

dfg/DFGStructureCheckHoistingPhase.cpp:

(JSC::DFG::StructureCheckHoistingPhase::run):

Location:

trunk/Source/JavaScriptCore

Files:

: 25 edited

ChangeLog (modified) (1 diff)
dfg/DFGAbstractState.cpp (modified) (18 diffs)
dfg/DFGArgumentsSimplificationPhase.cpp (modified) (2 diffs)
dfg/DFGArrayMode.cpp (modified) (2 diffs)
dfg/DFGArrayMode.h (modified) (5 diffs)
dfg/DFGByteCodeParser.cpp (modified) (10 diffs)
dfg/DFGCFGSimplificationPhase.cpp (modified) (1 diff)
dfg/DFGCSEPhase.cpp (modified) (11 diffs)
dfg/DFGCSEPhase.h (modified) (1 diff)
dfg/DFGCommon.h (modified) (1 diff)
dfg/DFGConstantFoldingPhase.cpp (modified) (1 diff)
dfg/DFGDriver.cpp (modified) (3 diffs)
dfg/DFGFixupPhase.cpp (modified) (6 diffs)
dfg/DFGGraph.cpp (modified) (4 diffs)
dfg/DFGGraph.h (modified) (4 diffs)
dfg/DFGNode.h (modified) (2 diffs)
dfg/DFGNodeType.h (modified) (1 diff)
dfg/DFGOperations.cpp (modified) (2 diffs)
dfg/DFGPhase.h (modified) (1 diff)
dfg/DFGPredictionPropagationPhase.cpp (modified) (2 diffs)
dfg/DFGSpeculativeJIT.cpp (modified) (10 diffs)
dfg/DFGSpeculativeJIT.h (modified) (1 diff)
dfg/DFGSpeculativeJIT32_64.cpp (modified) (9 diffs)
dfg/DFGSpeculativeJIT64.cpp (modified) (6 diffs)
dfg/DFGStructureCheckHoistingPhase.cpp (modified) (1 diff)

Legend:

: Unmodified
: Added
: Removed

trunk/Source/JavaScriptCore/ChangeLog

-                      r126712
+                      r126715
+-08-26  Filip Pizlo  <fpizlo@apple.com>
+        Array type checks and storage accesses should be uniformly represented and available to CSE
+        https://bugs.webkit.org/show_bug.cgi?id=95013
+        Reviewed by Oliver Hunt.
+        This uniformly breaks up all array accesses into up to three parts:
+) The type check, using a newly introduced CheckArray node, in addition to possibly
+           a CheckStructure node. We were already inserting the CheckStructure prior to this
+           patch. The CheckArray node will be automatically eliminated if the thing it was
+           checking for had already been checked for, either intentionally (a CheckStructure
+           inserted based on the array profile of this access) or accidentally (some checks,
+           typically a CheckStructure, inserted for some unrelated operations). The
+           CheckArray node may not be inserted if the array type is non-specific (Generic or
+           ForceExit).
+) The storage load using GetIndexedPropertyStorage. Previously, this only worked for
+           GetByVal. Now it works for all array accesses. The storage load may not be
+           inserted if the mode of array access does not permit CSE of storage loads (like
+           non-specific modes or Arguments).
+) The access itself: one of GetByVal, PutByVal, PutByValAlias, ArrayPush, ArrayPop,
+           GetArrayLength, StringCharAt, or StringCharCodeAt.
+        This means that the type check can be subjected to CSE even if the CFA isn't smart
+        enough to reason about it (yet!). It also means that the storage load can always be
+        subjected to CSE; previously CSE on storage load only worked for array loads and not
+        other forms of access. Finally, it removes the bizarre behavior that
+        GetIndexedPropertyStorage previously had: previously, it was responsible for the type
+        check in some cases, but not others; this made reasoning about the CFA really
+        confusing.
+        This change also disables late refinement of array mode, since I decided that
+        supporting that feature is both confusing and likely unprofitable. The array modes are
+        now locked in in the first fixup run after prediction propagation. Of course,
+        refinements from Generic to something else would not have been a problem; we could
+        reenable those if we thought we really needed to.
+        * dfg/DFGAbstractState.cpp:
+        (JSC::DFG::AbstractState::execute):
+        * dfg/DFGArgumentsSimplificationPhase.cpp:
+        (JSC::DFG::ArgumentsSimplificationPhase::run):
+        * dfg/DFGArrayMode.cpp:
+        (JSC::DFG::fromStructure):
+        (DFG):
+        (JSC::DFG::refineArrayMode):
+        * dfg/DFGArrayMode.h:
+        (DFG):
+        (JSC::DFG::modeIsJSArray):
+        (JSC::DFG::lengthNeedsStorage):
+        (JSC::DFG::modeIsSpecific):
+        (JSC::DFG::modeSupportsLength):
+        * dfg/DFGByteCodeParser.cpp:
+        (JSC::DFG::ByteCodeParser::ByteCodeParser):
+        (JSC::DFG::ByteCodeParser::getArrayMode):
+        (ByteCodeParser):
+        (JSC::DFG::ByteCodeParser::getArrayModeAndEmitChecks):
+        (JSC::DFG::ByteCodeParser::handleIntrinsic):
+        (JSC::DFG::ByteCodeParser::parseBlock):
+        * dfg/DFGCFGSimplificationPhase.cpp:
+        (JSC::DFG::CFGSimplificationPhase::mergeBlocks):
+        * dfg/DFGCSEPhase.cpp:
+        (JSC::DFG::CSEPhase::CSEPhase):
+        (JSC::DFG::CSEPhase::checkStructureElimination):
+        (CSEPhase):
+        (JSC::DFG::CSEPhase::checkArrayElimination):
+        (JSC::DFG::CSEPhase::getIndexedPropertyStorageLoadElimination):
+        (JSC::DFG::CSEPhase::performNodeCSE):
+        (JSC::DFG::performCSE):
+        * dfg/DFGCSEPhase.h:
+        (DFG):
+        * dfg/DFGCommon.h:
+        * dfg/DFGConstantFoldingPhase.cpp:
+        (JSC::DFG::ConstantFoldingPhase::foldConstants):
+        * dfg/DFGDriver.cpp:
+        (JSC::DFG::compile):
+        * dfg/DFGFixupPhase.cpp:
+        (JSC::DFG::FixupPhase::fixupNode):
+        (JSC::DFG::FixupPhase::checkArray):
+        (FixupPhase):
+        (JSC::DFG::FixupPhase::blessArrayOperation):
+        * dfg/DFGGraph.cpp:
+        (JSC::DFG::Graph::Graph):
+        (DFG):
+        (JSC::DFG::Graph::dump):
+        (JSC::DFG::Graph::collectGarbage):
+        * dfg/DFGGraph.h:
+        (Graph):
+        (JSC::DFG::Graph::vote):
+        (JSC::DFG::Graph::substitute):
+        * dfg/DFGNode.h:
+        (JSC::DFG::Node::hasArrayMode):
+        (JSC::DFG::Node::setArrayMode):
+        * dfg/DFGNodeType.h:
+        (DFG):
+        * dfg/DFGOperations.cpp:
+        * dfg/DFGPhase.h:
+        (DFG):
+        * dfg/DFGPredictionPropagationPhase.cpp:
+        (JSC::DFG::PredictionPropagationPhase::propagate):
+        (JSC::DFG::PredictionPropagationPhase::mergeDefaultFlags):
+        * dfg/DFGSpeculativeJIT.cpp:
+        (JSC::DFG::SpeculativeJIT::checkArray):
+        (JSC::DFG::SpeculativeJIT::useChildren):
+        (JSC::DFG::SpeculativeJIT::compilePutByValForIntTypedArray):
+        (JSC::DFG::SpeculativeJIT::compilePutByValForFloatTypedArray):
+        (JSC::DFG::SpeculativeJIT::compileGetIndexedPropertyStorage):
+        (JSC::DFG::SpeculativeJIT::compileGetArrayLength):
+        * dfg/DFGSpeculativeJIT.h:
+        (SpeculativeJIT):
+        * dfg/DFGSpeculativeJIT32_64.cpp:
+        (JSC::DFG::SpeculativeJIT::compile):
+        * dfg/DFGSpeculativeJIT64.cpp:
+        (JSC::DFG::SpeculativeJIT::compile):
+        * dfg/DFGStructureCheckHoistingPhase.cpp:
+        (JSC::DFG::StructureCheckHoistingPhase::run):
 -08-26  Filip Pizlo  <fpizlo@apple.com>

trunk/Source/JavaScriptCore/dfg/DFGAbstractState.cpp

-                      r126494
+                      r126715
             break;
         case Array::String:
-            forNode(node.child1()).filter(SpecString);
             forNode(node.child2()).filter(SpecInt32);
             forNode(nodeIndex).set(SpecString);
             break;
         case Array::Arguments:
-            forNode(node.child1()).filter(SpecArguments);
             forNode(node.child2()).filter(SpecInt32);
             forNode(nodeIndex).makeTop();
 …
             // FIXME: We should have more conservative handling of the out-of-bounds
             // case.
-            forNode(node.child1()).filter(SpecCell);
             forNode(node.child2()).filter(SpecInt32);
             forNode(nodeIndex).makeTop();
             break;
         case Array::Int8Array:
-            forNode(node.child1()).filter(SpecInt8Array);
             forNode(node.child2()).filter(SpecInt32);
             forNode(nodeIndex).set(SpecInt32);
             break;
         case Array::Int16Array:
-            forNode(node.child1()).filter(SpecInt16Array);
             forNode(node.child2()).filter(SpecInt32);
             forNode(nodeIndex).set(SpecInt32);
             break;
         case Array::Int32Array:
-            forNode(node.child1()).filter(SpecInt32Array);
             forNode(node.child2()).filter(SpecInt32);
             forNode(nodeIndex).set(SpecInt32);
             break;
         case Array::Uint8Array:
-            forNode(node.child1()).filter(SpecUint8Array);
             forNode(node.child2()).filter(SpecInt32);
             forNode(nodeIndex).set(SpecInt32);
             break;
         case Array::Uint8ClampedArray:
-            forNode(node.child1()).filter(SpecUint8ClampedArray);
             forNode(node.child2()).filter(SpecInt32);
             forNode(nodeIndex).set(SpecInt32);
             break;
         case Array::Uint16Array:
-            forNode(node.child1()).filter(SpecUint16Array);
             forNode(node.child2()).filter(SpecInt32);
             forNode(nodeIndex).set(SpecInt32);
             break;
         case Array::Uint32Array:
-            forNode(node.child1()).filter(SpecUint32Array);
             forNode(node.child2()).filter(SpecInt32);
             if (node.shouldSpeculateInteger())
 …
             break;
         case Array::Float32Array:
-            forNode(node.child1()).filter(SpecFloat32Array);
             forNode(node.child2()).filter(SpecInt32);
             forNode(nodeIndex).set(SpecDouble);
             break;
         case Array::Float64Array:
-            forNode(node.child1()).filter(SpecFloat64Array);
             forNode(node.child2()).filter(SpecInt32);
             forNode(nodeIndex).set(SpecDouble);
 …
     case PutByValAlias: {
         node.setCanExit(true);
-        Edge child1 = m_graph.varArgChild(node, 0);
         Edge child2 = m_graph.varArgChild(node, 1);
         Edge child3 = m_graph.varArgChild(node, 2);
 …
             break;
         case Array::JSArray:
-            forNode(child1).filter(SpecCell);
             forNode(child2).filter(SpecInt32);
             break;
         case Array::JSArrayOutOfBounds:
-            forNode(child1).filter(SpecCell);
             forNode(child2).filter(SpecInt32);
             clobberWorld(node.codeOrigin, indexInBlock);
             break;
         case Array::Arguments:
-            forNode(child1).filter(SpecArguments);
             forNode(child2).filter(SpecInt32);
             break;
         case Array::Int8Array:
-            forNode(child1).filter(SpecInt8Array);
             forNode(child2).filter(SpecInt32);
             if (m_graph[child3].shouldSpeculateInteger())
 …
             break;
         case Array::Int16Array:
-            forNode(child1).filter(SpecInt16Array);
             forNode(child2).filter(SpecInt32);
             if (m_graph[child3].shouldSpeculateInteger())
 …
             break;
         case Array::Int32Array:
-            forNode(child1).filter(SpecInt32Array);
             forNode(child2).filter(SpecInt32);
             if (m_graph[child3].shouldSpeculateInteger())
 …
             break;
         case Array::Uint8Array:
-            forNode(child1).filter(SpecUint8Array);
             forNode(child2).filter(SpecInt32);
             if (m_graph[child3].shouldSpeculateInteger())
 …
             break;
         case Array::Uint8ClampedArray:
-            forNode(child1).filter(SpecUint8ClampedArray);
             forNode(child2).filter(SpecInt32);
             if (m_graph[child3].shouldSpeculateInteger())
 …
             break;
         case Array::Uint16Array:
-            forNode(child1).filter(SpecUint16Array);
             forNode(child2).filter(SpecInt32);
             if (m_graph[child3].shouldSpeculateInteger())
 …
             break;
         case Array::Uint32Array:
-            forNode(child1).filter(SpecUint32Array);
             forNode(child2).filter(SpecInt32);
             if (m_graph[child3].shouldSpeculateInteger())
 …
             break;
         case Array::Float32Array:
-            forNode(child1).filter(SpecFloat32Array);
             forNode(child2).filter(SpecInt32);
             forNode(child3).filter(SpecNumber);
             break;
         case Array::Float64Array:
-            forNode(child1).filter(SpecFloat64Array);
             forNode(child2).filter(SpecInt32);
             forNode(child3).filter(SpecNumber);
 …
     case ArrayPush:
         node.setCanExit(true);
-        forNode(node.child1()).filter(SpecCell);
         forNode(nodeIndex).set(SpecNumber);
         break;
 …
     case ArrayPop:
         node.setCanExit(true);
-        forNode(node.child1()).filter(SpecCell);
         forNode(nodeIndex).makeTop();
         break;
 …
     case GetArrayLength:
+        switch (node.arrayMode()) {
+        case Array::Undecided:
+            ASSERT_NOT_REACHED();
+            break;
+        case Array::ForceExit:
+            m_isValid = false;
+            break;
+        case Array::Generic:
+            ASSERT_NOT_REACHED();
+            break;
+        case Array::String:
+            node.setCanExit(!isStringSpeculation(forNode(node.child1()).m_type));
+            forNode(node.child1()).filter(SpecString);
+            forNode(nodeIndex).set(SpecInt32);
+            break;
+        case Array::JSArray:
+            node.setCanExit(true);
+            forNode(node.child1()).filter(SpecCell);
+            forNode(nodeIndex).set(SpecInt32);
+            break;
+        case Array::JSArrayOutOfBounds:
+            ASSERT_NOT_REACHED();
+            break;
+        case Array::Arguments:
+            node.setCanExit(true);
+            forNode(node.child1()).filter(SpecArguments);
+            forNode(nodeIndex).set(SpecInt32);
+            break;
+        case Array::Int8Array:
+            node.setCanExit(!isInt8ArraySpeculation(forNode(node.child1()).m_type));
+            forNode(node.child1()).filter(SpecInt8Array);
+            forNode(nodeIndex).set(SpecInt32);
+            break;
+        case Array::Int16Array:
+            node.setCanExit(!isInt16ArraySpeculation(forNode(node.child1()).m_type));
+            forNode(node.child1()).filter(SpecInt16Array);
+            forNode(nodeIndex).set(SpecInt32);
+            break;
+        case Array::Int32Array:
+            node.setCanExit(!isInt32ArraySpeculation(forNode(node.child1()).m_type));
+            forNode(node.child1()).filter(SpecInt32Array);
+            forNode(nodeIndex).set(SpecInt32);
+            break;
+        case Array::Uint8Array:
+            node.setCanExit(!isUint8ArraySpeculation(forNode(node.child1()).m_type));
+            forNode(node.child1()).filter(SpecUint8Array);
+            forNode(nodeIndex).set(SpecInt32);
+            break;
+        case Array::Uint8ClampedArray:
+            node.setCanExit(!isUint8ClampedArraySpeculation(forNode(node.child1()).m_type));
+            forNode(node.child1()).filter(SpecUint8ClampedArray);
+            forNode(nodeIndex).set(SpecInt32);
+            break;
+        case Array::Uint16Array:
+            node.setCanExit(!isUint16ArraySpeculation(forNode(node.child1()).m_type));
+            forNode(node.child1()).filter(SpecUint16Array);
+            forNode(nodeIndex).set(SpecInt32);
+            break;
+        case Array::Uint32Array:
+            node.setCanExit(!isUint32ArraySpeculation(forNode(node.child1()).m_type));
+            forNode(node.child1()).filter(SpecUint32Array);
+            forNode(nodeIndex).set(SpecInt32);
+            break;
+        case Array::Float32Array:
+            node.setCanExit(!isFloat32ArraySpeculation(forNode(node.child1()).m_type));
+            forNode(node.child1()).filter(SpecFloat32Array);
+            forNode(nodeIndex).set(SpecInt32);
+            break;
+        case Array::Float64Array:
+            node.setCanExit(!isFloat64ArraySpeculation(forNode(node.child1()).m_type));
+            forNode(node.child1()).filter(SpecFloat64Array);
+            forNode(nodeIndex).set(SpecInt32);
+            break;
+        }
+        node.setCanExit(true); // Lies, but it's true for the common case of JSArray, so it's good enough.
+        forNode(nodeIndex).set(SpecInt32);
         break;
 …
         forNode(nodeIndex).clear(); // The result is not a JS value.
         break;
+    case GetIndexedPropertyStorage: {
+        node.setCanExit(true); // Lies, but this is (almost) always followed by GetByVal, which does exit. So no point in trying to be more precise.
+    case CheckArray: {
+        if (modeAlreadyChecked(forNode(node.child1()), node.arrayMode())) {
+            m_foundConstants = true;
+            node.setCanExit(false);
+            break;
+        }
+        node.setCanExit(true); // Lies, but this is followed by operations (like GetByVal) that always exit, so there is no point in us trying to be clever here.
         switch (node.arrayMode()) {
         case Array::String:
 …
             forNode(node.child1()).filter(SpecCell);
             break;
+        case Array::Arguments:
+            forNode(node.child1()).filter(SpecArguments);
+            break;
         case Array::Int8Array:
             forNode(node.child1()).filter(SpecInt8Array);
 …
         default:
             ASSERT_NOT_REACHED();
+            break;
+        }
+        break;
+    }
+    case GetIndexedPropertyStorage: {
+        switch (node.arrayMode()) {
+        case Array::String:
+            // Strings are weird - we may spec fail if the string was a rope. That is of course
+            // stupid, and we should fix that, but for now let's at least be honest about it.
+            node.setCanExit(true);
+            break;
+        default:
+            node.setCanExit(false);
             break;
+        }

trunk/Source/JavaScriptCore/dfg/DFGArgumentsSimplificationPhase.cpp

-                      r126387
+                      r126715
                 case StructureTransitionWatchpoint:
                 case ForwardStructureTransitionWatchpoint:
+                case CheckArray:
                     // We don't care about these because if we get uses of the relevant
                     // variable then we can safely get rid of these, too. This of course
 …
                 case ForwardCheckStructure:
                 case StructureTransitionWatchpoint:
+                case ForwardStructureTransitionWatchpoint: {
+                case ForwardStructureTransitionWatchpoint:
+                case CheckArray: {
                     // We can just get rid of this node, if it references a phantom argument.
                     if (!isOKToOptimize(m_graph[node.child1()]))

trunk/Source/JavaScriptCore/dfg/DFGArrayMode.cpp

-                      r126387
+                      r126715
+}
+Array::Mode fromStructure(Structure* structure, bool makeSafe)
+{
+    return fromObserved(arrayModeFromStructure(structure), makeSafe);
+}
 Array::Mode refineArrayMode(Array::Mode arrayMode, SpeculatedType base, SpeculatedType index)
+{
 …
         return Array::Generic;
+    // Pass through any array modes that would have been decided by the array profile, since
+    // the predictions of the inputs will not tell us anything useful that we didn't already
+    // get from the array profile.
+    switch (arrayMode) {
+    case Array::ForceExit:
+    case Array::JSArray:
+    case Array::JSArrayOutOfBounds:
+    if (arrayMode != Array::Undecided)
         return arrayMode;
-    default:
-        break;
+    }
     if (isStringSpeculation(base))

trunk/Source/JavaScriptCore/dfg/DFGArrayMode.h

-                      r126387
+                      r126715
 Array::Mode fromObserved(ArrayModes modes, bool makeSafe);
+Array::Mode fromStructure(Structure*, bool makeSafe);
 Array::Mode refineArrayMode(Array::Mode, SpeculatedType base, SpeculatedType index);
 …
 const char* modeToString(Array::Mode);
+inline bool modeIsJSArray(Array::Mode arrayMode)
+{
+    switch (arrayMode) {
+    case Array::JSArray:
+    case Array::JSArrayOutOfBounds:
+        return true;
+    default:
+        return false;
+    }
+}
 inline bool canCSEStorage(Array::Mode arrayMode)
 …
         return true;
+    }
+}
+inline bool lengthNeedsStorage(Array::Mode arrayMode)
+{
+    return modeIsJSArray(arrayMode);
+}
 …
+}
 inline bool modeSupportsLength(Array::Mode mode)
+inline bool modeIsSpecific(Array::Mode mode)
+{
     switch (mode) {
 …
+}
+inline bool modeSupportsLength(Array::Mode mode)
+{
+    return modeIsSpecific(mode);
+}
 } } // namespace JSC::DFG

trunk/Source/JavaScriptCore/dfg/DFGByteCodeParser.cpp

-                      r126695
+                      r126715
         , m_haveBuiltOperandMaps(false)
         , m_emptyJSValueIndex(UINT_MAX)
+        , m_currentInstruction(0)
+    {
         ASSERT(m_profiledBlock);
 …
+    }
+    Array::Mode getArrayModeWithoutOSRExit(Instruction* currentInstruction, NodeIndex base)
+    {
+        ArrayProfile* profile = currentInstruction[4].u.arrayProfile;
+    Array::Mode getArrayMode(ArrayProfile* profile)
+    {
+        profile->computeUpdatedPrediction();
+        return fromObserved(profile->observedArrayModes(), false);
+    }
+    Array::Mode getArrayModeAndEmitChecks(ArrayProfile* profile, NodeIndex base)
+    {
         profile->computeUpdatedPrediction();
         if (profile->hasDefiniteStructure())
 …
+    }
-    Array::Mode getArrayMode(Instruction* currentInstruction, NodeIndex base)
+    {
-        Array::Mode result = getArrayModeWithoutOSRExit(currentInstruction, base);
-        if (result == Array::ForceExit)
-            addToGraph(ForceOSRExit);
-        return result;
+    }
     NodeIndex makeSafe(NodeIndex nodeIndex)
+    {
 …
     // Cache of code blocks that we've generated bytecode for.
     ByteCodeCache<canInlineFunctionFor> m_codeBlockCache;
+    Instruction* m_currentInstruction;
 };
 …
             return false;
+        NodeIndex arrayPush = addToGraph(ArrayPush, OpInfo(0), OpInfo(prediction), get(registerOffset + argumentToOperand(0)), get(registerOffset + argumentToOperand(1)));
+        Array::Mode arrayMode = getArrayMode(m_currentInstruction[5].u.arrayProfile);
+        if (!modeIsJSArray(arrayMode))
+            return false;
+        NodeIndex arrayPush = addToGraph(ArrayPush, OpInfo(arrayMode), OpInfo(prediction), get(registerOffset + argumentToOperand(0)), get(registerOffset + argumentToOperand(1)));
         if (usesResult)
             set(resultOperand, arrayPush);
 …
             return false;
+        NodeIndex arrayPop = addToGraph(ArrayPop, OpInfo(0), OpInfo(prediction), get(registerOffset + argumentToOperand(0)));
+        Array::Mode arrayMode = getArrayMode(m_currentInstruction[5].u.arrayProfile);
+        if (!modeIsJSArray(arrayMode))
+            return false;
+        NodeIndex arrayPop = addToGraph(ArrayPop, OpInfo(arrayMode), OpInfo(prediction), get(registerOffset + argumentToOperand(0)));
         if (usesResult)
             set(resultOperand, arrayPop);
 …
         // Switch on the current bytecode opcode.
         Instruction* currentInstruction = instructionsBegin + m_currentIndex;
+        m_currentInstruction = currentInstruction; // Some methods want to use this, and we'd rather not thread it through calls.
         OpcodeID opcodeID = interpreter->getOpcodeID(currentInstruction->u.opcode);
         switch (opcodeID) {
 …
             NodeIndex base = get(currentInstruction[2].u.operand);
             Array::Mode arrayMode = getArrayMode(currentInstruction, base);
+            Array::Mode arrayMode = getArrayModeAndEmitChecks(currentInstruction[4].u.arrayProfile, base);
             NodeIndex property = get(currentInstruction[3].u.operand);
             NodeIndex getByVal = addToGraph(GetByVal, OpInfo(arrayMode), OpInfo(prediction), base, property);
 …
             NodeIndex base = get(currentInstruction[1].u.operand);
             Array::Mode arrayMode = getArrayMode(currentInstruction, base);
+            Array::Mode arrayMode = getArrayModeAndEmitChecks(currentInstruction[4].u.arrayProfile, base);
             NodeIndex property = get(currentInstruction[2].u.operand);
 …
             addVarArgChild(property);
             addVarArgChild(value);
+            addVarArgChild(NoNode); // Leave room for property storage.
             addToGraph(Node::VarArg, PutByVal, OpInfo(arrayMode), OpInfo(0));

trunk/Source/JavaScriptCore/dfg/DFGCFGSimplificationPhase.cpp

-                      r126494
+                      r126715
                     for (unsigned childIdx = node.firstChild();
                          childIdx < node.firstChild() + node.numChildren();
+                         ++childIdx)
+                        fixPossibleGetLocal(firstBlock, m_graph.m_varArgChildren[childIdx], changeRef);
+                         ++childIdx) {
+                        if (!!m_graph.m_varArgChildren[childIdx])
+                            fixPossibleGetLocal(firstBlock, m_graph.m_varArgChildren[childIdx], changeRef);
+                    }
                 } else if (!!node.child1()) {
                     fixPossibleGetLocal(firstBlock, node.children.child1(), changeRef);

trunk/Source/JavaScriptCore/dfg/DFGCSEPhase.cpp

-                      r126387
+                      r126715
 class CSEPhase : public Phase {
 public:
     CSEPhase(Graph& graph, OptimizationFixpointState fixpointState)
+    CSEPhase(Graph& graph)
         : Phase(graph, "common subexpression elimination")
-        , m_fixpointState(fixpointState)
+    {
         // Replacements are used to implement local common subexpression elimination.
 …
+    }
     bool checkStructureLoadElimination(const StructureSet& structureSet, NodeIndex child1)
+    bool checkStructureElimination(const StructureSet& structureSet, NodeIndex child1)
+    {
         for (unsigned i = m_indexInBlock; i--;) {
 …
         return NoNode;
+    }
     NodeIndex getIndexedPropertyStorageLoadElimination(NodeIndex child1, bool hasIntegerIndexPrediction)
+    bool checkArrayElimination(NodeIndex child1, Array::Mode arrayMode)
+    {
         for (unsigned i = m_indexInBlock; i--;) {
 …
             Node& node = m_graph[index];
             switch (node.op()) {
+            case PutByOffset:
+            case PutStructure:
+                // Changing the structure or putting to the storage cannot
+                // change the property storage pointer.
+                break;
+            case CheckArray:
+                if (node.child1() == child1 && node.arrayMode() == arrayMode)
+                    return true;
+                break;
+            default:
+                if (m_graph.clobbersWorld(index))
+                    return false;
+                break;
+            }
+        }
+        return false;
+    }
+    NodeIndex getIndexedPropertyStorageLoadElimination(NodeIndex child1, Array::Mode arrayMode)
+    {
+        for (unsigned i = m_indexInBlock; i--;) {
+            NodeIndex index = m_currentBlock->at(i);
+            if (index == child1)
+                break;
+            Node& node = m_graph[index];
+            switch (node.op()) {
             case GetIndexedPropertyStorage: {
+                SpeculatedType basePrediction = m_graph[node.child2()].prediction();
+                bool nodeHasIntegerIndexPrediction = !(!(basePrediction & SpecInt32) && basePrediction);
+                if (node.child1() == child1 && hasIntegerIndexPrediction == nodeHasIntegerIndexPrediction)
+                if (node.child1() == child1 && node.arrayMode() == arrayMode)
                     return index;
                 break;
 …
             // FIXME: We should be able to remove SetLocals that can exit; we just need
             // to replace them with appropriate type checks.
             if (m_fixpointState == FixpointNotConverged) {
+            if (m_graph.m_fixpointState == FixpointNotConverged) {
                 // Need to be conservative at this time; if the SetLocal has any chance of performing
                 // any speculations then we cannot do anything.
 …
         case PutGlobalVar:
         case PutGlobalVarCheck:
             if (m_fixpointState == FixpointNotConverged)
+            if (m_graph.m_fixpointState == FixpointNotConverged)
                 break;
             eliminate(globalVarStoreElimination(node.registerPointer()));
 …
         case CheckStructure:
         case ForwardCheckStructure:
             if (checkStructureLoadElimination(node.structureSet(), node.child1().index()))
+            if (checkStructureElimination(node.structureSet(), node.child1().index()))
                 eliminate();
             break;
 …
         case PutStructure:
             if (m_fixpointState == FixpointNotConverged)
+            if (m_graph.m_fixpointState == FixpointNotConverged)
                 break;
             eliminate(putStructureStoreElimination(node.child1().index()), PhantomPutStructure);
 …
             break;
+        case CheckArray:
+            if (checkArrayElimination(node.child1().index(), node.arrayMode()))
+                eliminate();
+            break;
         case GetIndexedPropertyStorage: {
+            SpeculatedType basePrediction = m_graph[node.child2()].prediction();
+            bool nodeHasIntegerIndexPrediction = !(!(basePrediction & SpecInt32) && basePrediction);
+            setReplacement(getIndexedPropertyStorageLoadElimination(node.child1().index(), nodeHasIntegerIndexPrediction));
+            setReplacement(getIndexedPropertyStorageLoadElimination(node.child1().index(), node.arrayMode()));
             break;
+        }
 …
         case PutByOffset:
             if (m_fixpointState == FixpointNotConverged)
+            if (m_graph.m_fixpointState == FixpointNotConverged)
                 break;
             eliminate(putByOffsetStoreElimination(m_graph.m_storageAccessData[node.storageAccessDataIndex()].identifierNumber, node.child1().index()));
 …
     Vector<NodeIndex, 16> m_replacements;
     FixedArray<unsigned, LastNodeType> m_lastSeen;
-    OptimizationFixpointState m_fixpointState;
     bool m_changed; // Only tracks changes that have a substantive effect on other optimizations.
 };
 bool performCSE(Graph& graph, OptimizationFixpointState fixpointState)
+bool performCSE(Graph& graph)
+{
     SamplingRegion samplingRegion("DFG CSE Phase");
     return runPhase<CSEPhase>(graph, fixpointState);
+    return runPhase<CSEPhase>(graph);
+}

trunk/Source/JavaScriptCore/dfg/DFGCSEPhase.h

r118468	r126715
42	42	// on a few benchmarks, and is relatively cheap to run.
43	43
44		bool performCSE(Graph&~~, OptimizationFixpointState~~);
	44	bool performCSE(Graph&);
45	45
46	46	} } // namespace JSC::DFG

trunk/Source/JavaScriptCore/dfg/DFGCommon.h

r121798	r126715
133	133	enum NoResultTag { NoResult };
134	134
135		enum OptimizationFixpointState { ~~FixpointConverged, FixpointNo~~tConverged };
	135	enum OptimizationFixpointState { BeforeFixpoint, FixpointNotConverged, FixpointConverged };
136	136
137	137	inline bool shouldShowDisassembly()

trunk/Source/JavaScriptCore/dfg/DFGConstantFoldingPhase.cpp

-                      r125999
+                      r126715
                 break;
+            }
+            case CheckArray: {
+                if (!modeAlreadyChecked(m_state.forNode(node.child1()), node.arrayMode()))
+                    break;
+                ASSERT(node.refCount() == 1);
+                node.setOpAndDefaultFlags(Phantom);
+                eliminated = true;
+                break;
+            }
             default:
                 break;

trunk/Source/JavaScriptCore/dfg/DFGDriver.cpp

-                      r126689
+                      r126715
     performStructureCheckHoisting(dfg);
     unsigned cnt = 1;
+    dfg.m_fixpointState = FixpointNotConverged;
     for (;; ++cnt) {
 #if DFG_ENABLE(DEBUG_VERBOSE)
 …
         changed |= performArgumentsSimplification(dfg);
         changed |= performCFGSimplification(dfg);
         changed |= performCSE(dfg, FixpointNotConverged);
+        changed |= performCSE(dfg);
         if (!changed)
             break;
 …
         performFixup(dfg);
+    }
+    performCSE(dfg, FixpointConverged);
+    dfg.m_fixpointState = FixpointConverged;
+    performCSE(dfg);
 #if DFG_ENABLE(DEBUG_VERBOSE)
     dataLog("DFG optimization fixpoint converged in %u iterations.\n", cnt);

trunk/Source/JavaScriptCore/dfg/DFGFixupPhase.cpp

-                      r126387
+                      r126715
         switch (op) {
         case GetById: {
+            if (m_graph.m_fixpointState > BeforeFixpoint)
+                break;
             Node* nodePtr = &node;
 …
                     m_graph[node.child1()].prediction(),
                     m_graph[m_compileIndex].prediction());
+                if (modeSupportsLength(arrayMode)
+                    && arrayProfile->hasDefiniteStructure()) {
+                if (modeSupportsLength(arrayMode) && arrayProfile->hasDefiniteStructure()) {
                     m_graph.ref(nodePtr->child1());
                     Node checkStructure(CheckStructure, nodePtr->codeOrigin, OpInfo(m_graph.addStructureSet(arrayProfile->expectedStructure())), nodePtr->child1().index());
 …
             m_graph.deref(m_compileIndex);
             nodePtr->setArrayMode(arrayMode);
+            NodeIndex storage = checkArray(arrayMode, nodePtr->codeOrigin, nodePtr->child1().index(), lengthNeedsStorage, nodePtr->shouldGenerate());
+            if (storage == NoNode)
+                break;
+            nodePtr = &m_graph[m_compileIndex];
+            nodePtr->children.child2() = Edge(storage);
             break;
+        }
         case GetIndexedPropertyStorage: {
-            node.setArrayMode(
-                refineArrayMode(
-                    node.arrayMode(),
-                    m_graph[node.child1()].prediction(),
-                    m_graph[node.child2()].prediction()));
-            // Predictions should only become more, rather than less, refined. Hence
-            // if we were ever able to CSE the storage pointer for this operation,
-            // then we should always continue to be able to do so.
             ASSERT(canCSEStorage(node.arrayMode()));
             break;
 …
                     m_graph[node.child2()].prediction()));
+            if (canCSEStorage(node.arrayMode())) {
+                if (node.child3()) {
+                    ASSERT(m_graph[node.child3()].op() == GetIndexedPropertyStorage);
+                    ASSERT(modesCompatibleForStorageLoad(m_graph[node.child3()].arrayMode(), node.arrayMode()));
+                } else {
+                    // Make sure we don't use the node reference after we do the append.
+                    Node getIndexedPropertyStorage(
+                        GetIndexedPropertyStorage, node.codeOrigin, OpInfo(node.arrayMode()),
+                        node.child1().index(), node.child2().index());
+                    NodeIndex getIndexedPropertyStorageIndex = m_graph.size();
+                    node.children.child3() = Edge(getIndexedPropertyStorageIndex);
+                    m_graph.append(getIndexedPropertyStorage);
+                    m_graph.ref(getIndexedPropertyStorageIndex); // Once because it's MustGenerate.
+                    m_graph.ref(getIndexedPropertyStorageIndex); // And again because it's referenced from the GetByVal.
+                    m_insertionSet.append(m_indexInBlock, getIndexedPropertyStorageIndex);
+                }
+            } else {
+                // See above. Continued fixup of the graph should not regress our ability
+                // to speculate.
+                ASSERT(!node.child3());
+            }
+            break;
+            blessArrayOperation(node.child1(), 2);
+            break;
+        }
+        case ArrayPush: {
+            blessArrayOperation(node.child1(), 2);
+            break;
+        }
+        case ArrayPop: {
+            blessArrayOperation(node.child1(), 1);
+        }
 …
             Edge child2 = m_graph.varArgChild(node, 1);
             Edge child3 = m_graph.varArgChild(node, 2);
             node.setArrayMode(
                 refineArrayMode(
+                    node.arrayMode(), m_graph[child1].prediction(), m_graph[child2].prediction()));
+            switch (modeForPut(node.arrayMode())) {
+                    node.arrayMode(),
+                    m_graph[child1].prediction(),
+                    m_graph[child2].prediction()));
+            blessArrayOperation(child1, 3);
+            Node* nodePtr = &m_graph[m_compileIndex];
+            switch (modeForPut(nodePtr->arrayMode())) {
             case Array::Int8Array:
             case Array::Int16Array:
 …
+    }
+    NodeIndex checkArray(Array::Mode arrayMode, CodeOrigin codeOrigin, NodeIndex array, bool (*storageCheck)(Array::Mode) = canCSEStorage, bool shouldGenerate = true)
+    {
+        ASSERT(modeIsSpecific(arrayMode));
+        m_graph.ref(array);
+        Node checkArray(CheckArray, codeOrigin, OpInfo(arrayMode), array);
+        checkArray.ref();
+        NodeIndex checkArrayIndex = m_graph.size();
+        m_graph.append(checkArray);
+        m_insertionSet.append(m_indexInBlock, checkArrayIndex);
+        if (!storageCheck(arrayMode))
+            return NoNode;
+        if (shouldGenerate)
+            m_graph.ref(array);
+        Node getIndexedPropertyStorage(
+            GetIndexedPropertyStorage, codeOrigin, OpInfo(arrayMode), array);
+        if (shouldGenerate)
+            getIndexedPropertyStorage.ref();
+        NodeIndex getIndexedPropertyStorageIndex = m_graph.size();
+        m_graph.append(getIndexedPropertyStorage);
+        m_insertionSet.append(m_indexInBlock, getIndexedPropertyStorageIndex);
+        return getIndexedPropertyStorageIndex;
+    }
+    void blessArrayOperation(Edge base, unsigned storageChildIdx)
+    {
+        if (m_graph.m_fixpointState > BeforeFixpoint)
+            return;
+        Node* nodePtr = &m_graph[m_compileIndex];
+        if (nodePtr->arrayMode() == Array::ForceExit) {
+            Node forceExit(ForceOSRExit, nodePtr->codeOrigin);
+            forceExit.ref();
+            NodeIndex forceExitIndex = m_graph.size();
+            m_graph.append(forceExit);
+            m_insertionSet.append(m_indexInBlock, forceExitIndex);
+            return;
+        }
+        if (!modeIsSpecific(nodePtr->arrayMode()))
+            return;
+        NodeIndex storage = checkArray(nodePtr->arrayMode(), nodePtr->codeOrigin, base.index());
+        if (storage == NoNode)
+            return;
+        m_graph.child(m_graph[m_compileIndex], storageChildIdx) = Edge(storage);
+    }
     void fixIntEdge(Edge& edge)
+    {

trunk/Source/JavaScriptCore/dfg/DFGGraph.cpp

-                      r126387
+                      r126715
 #undef STRINGIZE_DFG_OP_ENUM
 };
+Graph::Graph(JSGlobalData& globalData, CodeBlock* codeBlock, unsigned osrEntryBytecodeIndex, const Operands<JSValue>& mustHandleValues)
+    : m_globalData(globalData)
+    , m_codeBlock(codeBlock)
+    , m_profiledBlock(codeBlock->alternative())
+    , m_hasArguments(false)
+    , m_osrEntryBytecodeIndex(osrEntryBytecodeIndex)
+    , m_mustHandleValues(mustHandleValues)
+    , m_fixpointState(BeforeFixpoint)
+{
+    ASSERT(m_profiledBlock);
+}
 const char *Graph::opName(NodeType op)
 …
             else
                 hasPrinted = true;
+            if (!m_varArgChildren[childIdx])
+                continue;
             dataLog("%s@%u%s",
                     useKindToString(m_varArgChildren[childIdx].useKind()),
 …
             for (unsigned _childIdx = _node.firstChild();               \
                  _childIdx < _node.firstChild() + _node.numChildren();  \
+                 _childIdx++)                                           \
+                thingToDo(m_varArgChildren[_childIdx]);                 \
+                 _childIdx++) {                                         \
+                if (!!m_varArgChildren[_childIdx])                      \
+                    thingToDo(m_varArgChildren[_childIdx]);             \
+            }                                                           \
         } else {                                                        \
             if (!_node.child1()) {                                      \
 …
                  childIdx < node.firstChild() + node.numChildren();
                  ++childIdx) {
+                if (!m_varArgChildren[childIdx])
+                    continue;
                 NodeIndex childNodeIndex = m_varArgChildren[childIdx].index();
                 if (!at(childNodeIndex).ref())

trunk/Source/JavaScriptCore/dfg/DFGGraph.h

-                      r126712
+                      r126715
 class Graph : public Vector<Node, 64> {
 public:
+    Graph(JSGlobalData& globalData, CodeBlock* codeBlock, unsigned osrEntryBytecodeIndex, const Operands<JSValue>& mustHandleValues)
+        : m_globalData(globalData)
+        , m_codeBlock(codeBlock)
+        , m_profiledBlock(codeBlock->alternative())
+        , m_hasArguments(false)
+        , m_osrEntryBytecodeIndex(osrEntryBytecodeIndex)
+        , m_mustHandleValues(mustHandleValues)
+    {
+        ASSERT(m_profiledBlock);
+    }
+    Graph(JSGlobalData&, CodeBlock*, unsigned osrEntryBytecodeIndex, const Operands<JSValue>& mustHandleValues);
     using Vector<Node, 64>::operator[];
 …
             for (unsigned childIdx = node.firstChild();
                  childIdx < node.firstChild() + node.numChildren();
+                 childIdx++)
+                vote(m_varArgChildren[childIdx], ballot);
+                 childIdx++) {
+                if (!!m_varArgChildren[childIdx])
+                    vote(m_varArgChildren[childIdx], ballot);
+            }
             return;
+        }
 …
             Node& node = at(nodeIndex);
             if (node.flags() & NodeHasVarArgs) {
+                for (unsigned childIdx = node.firstChild(); childIdx < node.firstChild() + node.numChildren(); ++childIdx)
+                    compareAndSwap(m_varArgChildren[childIdx], oldThing, newThing, node.shouldGenerate());
+                for (unsigned childIdx = node.firstChild(); childIdx < node.firstChild() + node.numChildren(); ++childIdx) {
+                    if (!!m_varArgChildren[childIdx])
+                        compareAndSwap(m_varArgChildren[childIdx], oldThing, newThing, node.shouldGenerate());
+                }
                 continue;
+            }
 …
     unsigned m_osrEntryBytecodeIndex;
     Operands<JSValue> m_mustHandleValues;
+    OptimizationFixpointState m_fixpointState;
 private:

trunk/Source/JavaScriptCore/dfg/DFGNode.h

-                      r126387
+                      r126715
         case StringCharAt:
         case StringCharCodeAt:
+        case CheckArray:
+        case ArrayPush:
+        case ArrayPop:
             return true;
         default:
 …
+    }
     void setArrayMode(Array::Mode arrayMode)
+    bool setArrayMode(Array::Mode arrayMode)
+    {
         ASSERT(hasArrayMode());
+        if (this->arrayMode() == arrayMode)
+            return false;
         m_opInfo = arrayMode;
+        return true;
+    }

trunk/Source/JavaScriptCore/dfg/DFGNodeType.h

-                      r126387
+                      r126715
     macro(ReallocatePropertyStorage, NodeMustGenerate | NodeDoesNotExit | NodeResultStorage) \
     macro(GetPropertyStorage, NodeResultStorage) \
+    macro(GetIndexedPropertyStorage, NodeMustGenerate | NodeResultStorage) \
+    macro(CheckArray, NodeMustGenerate) \
+    macro(GetIndexedPropertyStorage, NodeResultStorage) \
     macro(GetByOffset, NodeResultJS) \
     macro(PutByOffset, NodeMustGenerate) \

trunk/Source/JavaScriptCore/dfg/DFGOperations.cpp

-                      r126494
+                      r126715
+}
+EncodedJSValue DFG_OPERATION operationArrayPop(ExecState* exec, JSArray* array)
+{
+    JSGlobalData* globalData = &exec->globalData();
+    NativeCallFrameTracer tracer(globalData, exec);
+    return JSValue::encode(array->pop(exec));
+}
 EncodedJSValue DFG_OPERATION operationRegExpExec(ExecState* exec, JSCell* base, JSCell* argument)
+{
 …
     JSString* input = argument->isString() ? asString(argument) : asObject(argument)->toString(exec);
     return asRegExpObject(base)->test(exec, input);
+}
-EncodedJSValue DFG_OPERATION operationArrayPop(ExecState* exec, JSArray* array)
+{
-    JSGlobalData* globalData = &exec->globalData();
-    NativeCallFrameTracer tracer(globalData, exec);
-    return JSValue::encode(array->pop(exec));
+}

trunk/Source/JavaScriptCore/dfg/DFGPhase.h

-                      r122167
+                      r126715
+}
-template<typename PhaseType, typename ArgumentType1>
-bool runPhase(Graph& graph, ArgumentType1 arg1)
+{
-    PhaseType phase(graph, arg1);
-    return runAndLog(phase);
+}
 } } // namespace JSC::DFG

trunk/Source/JavaScriptCore/dfg/DFGPredictionPropagationPhase.cpp

-                      r126387
+                      r126715
         case GetMyArgumentByVal:
         case PhantomPutStructure:
+        case PhantomArguments: {
+        case PhantomArguments:
+        case CheckArray: {
             // This node should never be visible at this stage of compilation. It is
             // inserted by fixup(), which follows this phase.
 …
             for (unsigned childIdx = node.firstChild();
                  childIdx < node.firstChild() + node.numChildren();
+                 childIdx++)
+                changed |= m_graph[m_graph.m_varArgChildren[childIdx]].mergeFlags(NodeUsedAsValue);
+                 childIdx++) {
+                if (!!m_graph.m_varArgChildren[childIdx])
+                    changed |= m_graph[m_graph.m_varArgChildren[childIdx]].mergeFlags(NodeUsedAsValue);
+            }
         } else {
             if (!node.child1())

trunk/Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp

-                      r126387
+                      r126715
+}
+const TypedArrayDescriptor* SpeculativeJIT::speculateArray(Array::Mode arrayMode, Edge edge, GPRReg baseReg)
+{
+    const TypedArrayDescriptor* result = typedArrayDescriptor(arrayMode);
+    if (modeAlreadyChecked(m_state.forNode(edge), arrayMode))
+        return result;
+void SpeculativeJIT::checkArray(Node& node)
+{
+    ASSERT(modeIsSpecific(node.arrayMode()));
+    SpeculateCellOperand base(this, node.child1());
+    GPRReg baseReg = base.gpr();
+    const TypedArrayDescriptor* result = typedArrayDescriptor(node.arrayMode());
+    if (modeAlreadyChecked(m_state.forNode(node.child1()), node.arrayMode())) {
+        noResult(m_compileIndex);
+        return;
+    }
     const ClassInfo* expectedClassInfo = 0;
+    switch (arrayMode) {
+    case Array::ForceExit:
+        ASSERT_NOT_REACHED();
+        terminateSpeculativeExecution(InadequateCoverage, JSValueRegs(), NoNode);
+        return result;
+    switch (node.arrayMode()) {
     case Array::String:
         expectedClassInfo = &JSString::s_info;
 …
                 MacroAssembler::Address(temp.gpr(), Structure::classInfoOffset()),
                 MacroAssembler::TrustedImmPtr(&JSArray::s_info)));
+        return result;
+        noResult(m_compileIndex);
+        return;
+    }
     case Array::Arguments:
 …
             MacroAssembler::TrustedImmPtr(expectedClassInfo)));
     return result;
+    noResult(m_compileIndex);
+}
 …
+{
     if (node.flags() & NodeHasVarArgs) {
+        for (unsigned childIdx = node.firstChild(); childIdx < node.firstChild() + node.numChildren(); childIdx++)
+            use(m_jit.graph().m_varArgChildren[childIdx]);
+        for (unsigned childIdx = node.firstChild(); childIdx < node.firstChild() + node.numChildren(); childIdx++) {
+            if (!!m_jit.graph().m_varArgChildren[childIdx])
+                use(m_jit.graph().m_varArgChildren[childIdx]);
+        }
     } else {
         Edge child1 = node.child1();
 …
 void SpeculativeJIT::compilePutByValForIntTypedArray(const TypedArrayDescriptor& descriptor, GPRReg base, GPRReg property, Node& node, size_t elementSize, TypedArraySignedness signedness, TypedArrayRounding rounding)
+{
+    StorageOperand storage(this, m_jit.graph().varArgChild(node, 3));
+    GPRReg storageReg = storage.gpr();
     Edge valueUse = m_jit.graph().varArgChild(node, 2);
 …
     ASSERT_UNUSED(valueGPR, valueGPR != property);
     ASSERT(valueGPR != base);
-    GPRTemporary storage(this);
-    GPRReg storageReg = storage.gpr();
     ASSERT(valueGPR != storageReg);
-    m_jit.loadPtr(MacroAssembler::Address(base, descriptor.m_storageOffset), storageReg);
     MacroAssembler::Jump outOfBounds;
     if (node.op() == PutByVal)
 …
 void SpeculativeJIT::compilePutByValForFloatTypedArray(const TypedArrayDescriptor& descriptor, GPRReg base, GPRReg property, Node& node, size_t elementSize)
+{
+    StorageOperand storage(this, m_jit.graph().varArgChild(node, 3));
+    GPRReg storageReg = storage.gpr();
     Edge baseUse = m_jit.graph().varArgChild(node, 0);
     Edge valueUse = m_jit.graph().varArgChild(node, 2);
 …
     GPRTemporary result(this);
-    GPRTemporary storage(this);
-    GPRReg storageReg = storage.gpr();
-    m_jit.loadPtr(MacroAssembler::Address(base, descriptor.m_storageOffset), storageReg);
     MacroAssembler::Jump outOfBounds;
     if (node.op() == PutByVal)
 …
     GPRReg storageReg = storage.gpr();
+    const TypedArrayDescriptor* descriptor =
+        speculateArray(node.arrayMode(), node.child1(), baseReg);
+    const TypedArrayDescriptor* descriptor = typedArrayDescriptor(node.arrayMode());
     switch (node.arrayMode()) {
 …
 void SpeculativeJIT::compileGetArrayLength(Node& node)
+{
+    SpeculateCellOperand base(this, node.child1());
+    GPRTemporary result(this);
+    GPRReg baseGPR = base.gpr();
+    GPRReg resultGPR = result.gpr();
+    const TypedArrayDescriptor* descriptor =
+        speculateArray(node.arrayMode(), node.child1(), baseGPR);
+    const TypedArrayDescriptor* descriptor = typedArrayDescriptor(node.arrayMode());
     switch (node.arrayMode()) {
     case Array::JSArray:
+    case Array::JSArrayOutOfBounds:
+        m_jit.loadPtr(MacroAssembler::Address(baseGPR, JSArray::storageOffset()), resultGPR);
+        m_jit.load32(MacroAssembler::Address(resultGPR, OBJECT_OFFSETOF(ArrayStorage, m_length)), resultGPR);
+    case Array::JSArrayOutOfBounds: {
+        StorageOperand storage(this, node.child2());
+        GPRTemporary result(this, storage);
+        GPRReg storageReg = storage.gpr();
+        GPRReg resultReg = result.gpr();
+        m_jit.load32(MacroAssembler::Address(storageReg, OBJECT_OFFSETOF(ArrayStorage, m_length)), resultReg);
         speculationCheck(Uncountable, JSValueRegs(), NoNode, m_jit.branch32(MacroAssembler::LessThan, resultGPR, MacroAssembler::TrustedImm32(0)));
+        speculationCheck(Uncountable, JSValueRegs(), NoNode, m_jit.branch32(MacroAssembler::LessThan, resultReg, MacroAssembler::TrustedImm32(0)));
         integerResult(resultGPR, m_compileIndex);
+        integerResult(resultReg, m_compileIndex);
         break;
+    case Array::String:
+    }
+    case Array::String: {
+        SpeculateCellOperand base(this, node.child1());
+        GPRTemporary result(this, base);
+        GPRReg baseGPR = base.gpr();
+        GPRReg resultGPR = result.gpr();
         m_jit.load32(MacroAssembler::Address(baseGPR, JSString::offsetOfLength()), resultGPR);
         integerResult(resultGPR, m_compileIndex);
         break;
+    case Array::Arguments:
+    }
+    case Array::Arguments: {
         compileGetArgumentsLength(node);
         break;
+    }
     default:
+        SpeculateCellOperand base(this, node.child1());
+        GPRTemporary result(this, base);
+        GPRReg baseGPR = base.gpr();
+        GPRReg resultGPR = result.gpr();
         ASSERT(descriptor);
         m_jit.load32(MacroAssembler::Address(baseGPR, descriptor->m_lengthOffset), resultGPR);

trunk/Source/JavaScriptCore/dfg/DFGSpeculativeJIT.h

r126387	r126715
2198	2198	const TypedArrayDescriptor* typedArrayDescriptor(Array::Mode);
2199	2199
2200		~~const TypedArrayDescriptor* speculateArray(Array::Mode, Edge baseEdge, GPRReg baseReg~~);
	2200	void checkArray(Node&);
2201	2201
2202	2202	template<bool strict>

trunk/Source/JavaScriptCore/dfg/DFGSpeculativeJIT32_64.cpp

-                      r126695
+                      r126715
         break;
+    }
+    case CheckArray: {
+        checkArray(node);
+        break;
+    }
     case GetByVal: {
 …
         Edge child2 = m_jit.graph().varArgChild(node, 1);
         Edge child3 = m_jit.graph().varArgChild(node, 2);
+        Edge child4 = m_jit.graph().varArgChild(node, 3);
         Array::Mode arrayMode = modeForPut(node.arrayMode());
 …
         GPRReg propertyReg = property.gpr();
-        speculateArray(arrayMode, child1, baseReg);
         switch (arrayMode) {
         case Array::JSArray:
 …
                 writeBarrier(baseReg, valueTagReg, child3, WriteBarrierForPropertyAccess, scratchReg);
+            }
+            StorageOperand storage(this, child4);
+            GPRReg storageReg = storage.gpr();
             if (node.op() == PutByValAlias) {
-                // Get the array storage.
-                GPRTemporary storage(this);
-                GPRReg storageReg = storage.gpr();
-                m_jit.loadPtr(MacroAssembler::Address(baseReg, JSArray::storageOffset()), storageReg);
                 // Store the value to the array.
                 GPRReg propertyReg = property.gpr();
 …
             property.use();
             value.use();
+            // Get the array storage.
+            GPRTemporary storage(this);
+            GPRReg storageReg = storage.gpr();
+            m_jit.loadPtr(MacroAssembler::Address(baseReg, JSArray::storageOffset()), storageReg);
+            storage.use();
             // Check if we're writing to a hole; if so increment m_numValuesInVector.
             MacroAssembler::Jump notHoleValue = m_jit.branch32(MacroAssembler::NotEqual, MacroAssembler::BaseIndex(storageReg, propertyReg, MacroAssembler::TimesEight, OBJECT_OFFSETOF(ArrayStorage, m_vector[0]) + OBJECT_OFFSETOF(JSValue, u.asBits.tag)), TrustedImm32(JSValue::EmptyValueTag));
 …
     case ArrayPush: {
+        ASSERT(modeIsJSArray(node.arrayMode()));
         SpeculateCellOperand base(this, node.child1());
         JSValueOperand value(this, node.child2());
 …
         GPRReg storageLengthGPR = storageLength.gpr();
+        {
+        if (Heap::isWriteBarrierEnabled()) {
             GPRTemporary scratch(this);
             writeBarrier(baseGPR, valueTagGPR, node.child2(), WriteBarrierForPropertyAccess, scratch.gpr(), storageLengthGPR);
+        }
+        speculateArray(Array::JSArray, node.child1(), baseGPR);
+        GPRTemporary storage(this);
+        StorageOperand storage(this, node.child3());
         GPRReg storageGPR = storage.gpr();
-        m_jit.loadPtr(MacroAssembler::Address(baseGPR, JSArray::storageOffset()), storageGPR);
         m_jit.load32(MacroAssembler::Address(storageGPR, OBJECT_OFFSETOF(ArrayStorage, m_length)), storageLengthGPR);
 …
     case ArrayPop: {
+        ASSERT(modeIsJSArray(node.arrayMode()));
         SpeculateCellOperand base(this, node.child1());
+        StorageOperand storage(this, node.child2());
         GPRTemporary valueTag(this);
         GPRTemporary valuePayload(this);
-        GPRTemporary storage(this);
         GPRTemporary storageLength(this);
 …
         GPRReg storageLengthGPR = storageLength.gpr();
-        speculateArray(Array::JSArray, node.child1(), baseGPR);
-        m_jit.loadPtr(MacroAssembler::Address(baseGPR, JSArray::storageOffset()), storageGPR);
         m_jit.load32(MacroAssembler::Address(storageGPR, OBJECT_OFFSETOF(ArrayStorage, m_length)), storageLengthGPR);

trunk/Source/JavaScriptCore/dfg/DFGSpeculativeJIT64.cpp

-                      r126695
+                      r126715
         break;
+    }
+    case CheckArray: {
+        checkArray(node);
+        break;
+    }
     case GetByVal: {
 …
         Edge child2 = m_jit.graph().varArgChild(node, 1);
         Edge child3 = m_jit.graph().varArgChild(node, 2);
+        Edge child4 = m_jit.graph().varArgChild(node, 3);
         Array::Mode arrayMode = modeForPut(node.arrayMode());
 …
         GPRReg propertyReg = property.gpr();
-        speculateArray(arrayMode, child1, baseReg);
         switch (arrayMode) {
         case Array::JSArray:
         case Array::JSArrayOutOfBounds: {
             JSValueOperand value(this, child3);
-            GPRTemporary scratch(this);
             // Map base, property & value into registers, allocate a scratch register.
             GPRReg valueReg = value.gpr();
-            GPRReg scratchReg = scratch.gpr();
             if (!m_compileOkay)
                 return;
+            writeBarrier(baseReg, value.gpr(), child3, WriteBarrierForPropertyAccess, scratchReg);
+            if (Heap::isWriteBarrierEnabled()) {
+                GPRTemporary scratch(this);
+                writeBarrier(baseReg, value.gpr(), child3, WriteBarrierForPropertyAccess, scratch.gpr());
+            }
+            StorageOperand storage(this, child4);
+            GPRReg storageReg = storage.gpr();
             if (node.op() == PutByValAlias) {
-                GPRReg storageReg = scratchReg;
-                m_jit.loadPtr(MacroAssembler::Address(baseReg, JSArray::storageOffset()), storageReg);
                 // Store the value to the array.
                 GPRReg propertyReg = property.gpr();
 …
             property.use();
             value.use();
+            // Get the array storage.
+            GPRReg storageReg = scratchReg;
+            m_jit.loadPtr(MacroAssembler::Address(baseReg, JSArray::storageOffset()), storageReg);
+            storage.use();
             // Check if we're writing to a hole; if so increment m_numValuesInVector.
             MacroAssembler::Jump notHoleValue = m_jit.branchTestPtr(MacroAssembler::NonZero, MacroAssembler::BaseIndex(storageReg, propertyReg, MacroAssembler::ScalePtr, OBJECT_OFFSETOF(ArrayStorage, m_vector[0])));
 …
     case ArrayPush: {
+        ASSERT(modeIsJSArray(node.arrayMode()));
         SpeculateCellOperand base(this, node.child1());
         JSValueOperand value(this, node.child2());
-        GPRTemporary storage(this);
         GPRTemporary storageLength(this);
         GPRReg baseGPR = base.gpr();
         GPRReg valueGPR = value.gpr();
+        GPRReg storageLengthGPR = storageLength.gpr();
+        if (Heap::isWriteBarrierEnabled()) {
+            GPRTemporary scratch(this);
+            writeBarrier(baseGPR, valueGPR, node.child2(), WriteBarrierForPropertyAccess, scratch.gpr(), storageLengthGPR);
+        }
+        StorageOperand storage(this, node.child3());
         GPRReg storageGPR = storage.gpr();
+        GPRReg storageLengthGPR = storageLength.gpr();
+        writeBarrier(baseGPR, valueGPR, node.child2(), WriteBarrierForPropertyAccess, storageGPR, storageLengthGPR);
+        speculateArray(Array::JSArray, node.child1(), baseGPR);
+        m_jit.loadPtr(MacroAssembler::Address(baseGPR, JSArray::storageOffset()), storageGPR);
         m_jit.load32(MacroAssembler::Address(storageGPR, OBJECT_OFFSETOF(ArrayStorage, m_length)), storageLengthGPR);
 …
     case ArrayPop: {
+        ASSERT(modeIsJSArray(node.arrayMode()));
         SpeculateCellOperand base(this, node.child1());
+        StorageOperand storage(this, node.child2());
         GPRTemporary value(this);
-        GPRTemporary storage(this);
         GPRTemporary storageLength(this);
         GPRReg baseGPR = base.gpr();
+        GPRReg storageGPR = storage.gpr();
         GPRReg valueGPR = value.gpr();
-        GPRReg storageGPR = storage.gpr();
         GPRReg storageLengthGPR = storageLength.gpr();
-        speculateArray(Array::JSArray, node.child1(), baseGPR);
-        m_jit.loadPtr(MacroAssembler::Address(baseGPR, JSArray::storageOffset()), storageGPR);
         m_jit.load32(MacroAssembler::Address(storageGPR, OBJECT_OFFSETOF(ArrayStorage, m_length)), storageLengthGPR);

trunk/Source/JavaScriptCore/dfg/DFGStructureCheckHoistingPhase.cpp

r126387	r126715
100	100	case PutByValAlias:
101	101	case GetArrayLength:
	102	case CheckArray:
	103	case GetIndexedPropertyStorage:
102	104	case Phantom:
103	105	// Don't count these uses.

Note: See TracChangeset for help on using the changeset viewer.

Context Navigation

Changeset 126715 in webkit

Legend:

Download in other formats: