Changeset 137683 in webkit

Timestamp:

Dec 13, 2012 4:32:55 PM (11 years ago)

Author:

oliver@apple.com

Message:

Support op_typeof in the DFG
​https://bugs.webkit.org/show_bug.cgi?id=98898

Reviewed by Filip Pizlo.

Adds a TypeOf node to the DFG to support op_typeof.

• dfg/DFGAbstractState.cpp:

(JSC::DFG::AbstractState::execute):

We try to determine the result early here, and substitute in a constant.
Otherwise we leave the node intact, and set the result type to SpecString.

• dfg/DFGByteCodeParser.cpp:

(JSC::DFG::ByteCodeParser::parseBlock):

Parse op_typeof

• dfg/DFGCSEPhase.cpp:

(JSC::DFG::CSEPhase::performNodeCSE):

TypeOf nodes can be subjected to pure CSE

• dfg/DFGCapabilities.h:

(JSC::DFG::canCompileOpcode):

We can handle typeof.

• dfg/DFGNodeType.h:

(DFG):

Define the node.

• dfg/DFGOperations.cpp:
• dfg/DFGOperations.h: Add operationTypeOf to support the non-trivial cases.
• dfg/DFGPredictionPropagationPhase.cpp:

(JSC::DFG::PredictionPropagationPhase::propagate):

• dfg/DFGSpeculativeJIT32_64.cpp:

(JSC::DFG::SpeculativeJIT::compile):

• dfg/DFGSpeculativeJIT64.cpp:

(JSC::DFG::SpeculativeJIT::compile):

Actual codegen

• runtime/Operations.cpp:

(JSC::jsTypeStringForValue):
(JSC):

• runtime/Operations.h:

(JSC):

Some refactoring to allow us to get the type string for an
object without needing a callframe.

Location:

trunk/Source/JavaScriptCore

Files:

• ChangeLog (modified) (1 diff)
• dfg/DFGAbstractState.cpp (modified) (3 diffs)
• dfg/DFGByteCodeParser.cpp (modified) (1 diff)
• dfg/DFGCSEPhase.cpp (modified) (2 diffs)
• dfg/DFGCapabilities.h (modified) (1 diff)
• dfg/DFGNodeType.h (modified) (1 diff)
• dfg/DFGOperations.cpp (modified) (1 diff)
• dfg/DFGOperations.h (modified) (1 diff)
• dfg/DFGPredictionPropagationPhase.cpp (modified) (1 diff)
• dfg/DFGSpeculativeJIT32_64.cpp (modified) (1 diff)
• dfg/DFGSpeculativeJIT64.cpp (modified) (2 diffs)
• runtime/Operations.cpp (modified) (3 diffs)
• runtime/Operations.h (modified) (1 diff)

trunk/Source/JavaScriptCore/ChangeLog

@@ +1 @@
+2012-13-11  Oliver Hunt  <oliver@apple.com>
+
+        Support op_typeof in the DFG
+        https://bugs.webkit.org/show_bug.cgi?id=98898
+
+        Reviewed by Filip Pizlo.
+
+        Adds a TypeOf node to the DFG to support op_typeof. 
+
+        * dfg/DFGAbstractState.cpp:
+        (JSC::DFG::AbstractState::execute):
+          We try to determine the result early here, and substitute in a constant.
+          Otherwise we leave the node intact, and set the result type to SpecString.
+        * dfg/DFGByteCodeParser.cpp:
+        (JSC::DFG::ByteCodeParser::parseBlock):
+          Parse op_typeof
+        * dfg/DFGCSEPhase.cpp:
+        (JSC::DFG::CSEPhase::performNodeCSE):
+          TypeOf nodes can be subjected to pure CSE
+        * dfg/DFGCapabilities.h:
+        (JSC::DFG::canCompileOpcode):
+          We can handle typeof.
+        * dfg/DFGNodeType.h:
+        (DFG):
+          Define the node.
+        * dfg/DFGOperations.cpp:
+        * dfg/DFGOperations.h:
+          Add operationTypeOf to support the non-trivial cases.
+        * dfg/DFGPredictionPropagationPhase.cpp:
+        (JSC::DFG::PredictionPropagationPhase::propagate):
+        * dfg/DFGSpeculativeJIT32_64.cpp:
+        (JSC::DFG::SpeculativeJIT::compile):
+        * dfg/DFGSpeculativeJIT64.cpp:
+        (JSC::DFG::SpeculativeJIT::compile):
+          Actual codegen
+        * runtime/Operations.cpp:
+        (JSC::jsTypeStringForValue):
+        (JSC):
+        * runtime/Operations.h:
+        (JSC):
+          Some refactoring to allow us to get the type string for an
+          object without needing a callframe.
+
 2012-12-12  Filip Pizlo  <fpizlo@apple.com>
 

trunk/Source/JavaScriptCore/dfg/DFGAbstractState.cpp

@@ -32 +32 @@
 #include "DFGBasicBlock.h"
 #include "GetByIdStatus.h"
+#include "Operations.h"
 #include "PutByIdStatus.h"
 
@@ -708 +709 @@
                 constantWasSet = trySetConstant(nodeIndex, jsBoolean(isJSString(child)));
                 break;
+            case IsObject:
+                if (child.isNull() || !child.isObject()) {
+                    constantWasSet = trySetConstant(nodeIndex, jsBoolean(child.isNull()));
+                    break;
+                }
             default:
                 constantWasSet = false;
@@ -717 +723 @@
             }
         }
+
         forNode(nodeIndex).set(SpecBoolean);
+        break;
+    }
+
+    case TypeOf: {
+        JSGlobalData* globalData = m_codeBlock->globalData();
+        JSValue child = forNode(node.child1()).value();
+        AbstractValue& abstractChild = forNode(node.child1());
+        if (child) {
+            JSValue typeString = jsTypeStringForValue(*globalData, m_codeBlock->globalObjectFor(node.codeOrigin), child);
+            if (trySetConstant(nodeIndex, typeString)) {
+                m_foundConstants = true;
+                break;
+            }
+        } else if (isNumberSpeculation(abstractChild.m_type)) {
+            if (trySetConstant(nodeIndex, globalData->smallStrings.numberString(globalData))) {
+                forNode(node.child1()).filter(SpecNumber);
+                m_foundConstants = true;
+                break;
+            }
+        } else if (isStringSpeculation(abstractChild.m_type)) {
+            if (trySetConstant(nodeIndex, globalData->smallStrings.stringString(globalData))) {
+                forNode(node.child1()).filter(SpecString);
+                m_foundConstants = true;
+                break;
+            }
+        } else if (isFinalObjectSpeculation(abstractChild.m_type) || isArraySpeculation(abstractChild.m_type) || isArgumentsSpeculation(abstractChild.m_type)) {
+            if (trySetConstant(nodeIndex, globalData->smallStrings.objectString(globalData))) {
+                forNode(node.child1()).filter(SpecFinalObject | SpecArray | SpecArguments);
+                m_foundConstants = true;
+                break;
+            }
+        } else if (isFunctionSpeculation(abstractChild.m_type)) {
+            if (trySetConstant(nodeIndex, globalData->smallStrings.functionString(globalData))) {
+                forNode(node.child1()).filter(SpecFunction);
+                m_foundConstants = true;
+                break;
+            }
+        } else if (isBooleanSpeculation(abstractChild.m_type)) {
+            if (trySetConstant(nodeIndex, globalData->smallStrings.booleanString(globalData))) {
+                forNode(node.child1()).filter(SpecBoolean);
+                m_foundConstants = true;
+                break;
+            }
+        } else {
+            Node& childNode = m_graph[node.child1()];
+            if (isCellSpeculation(childNode.prediction())) {
+                if (isStringSpeculation(childNode.prediction()))
+                    forNode(node.child1()).filter(SpecString);
+                else
+                    forNode(node.child1()).filter(SpecCell);
+                node.setCanExit(true);
+            }
+        }
+        forNode(nodeIndex).set(SpecString);
         break;
     }

trunk/Source/JavaScriptCore/dfg/DFGByteCodeParser.cpp

@@ -3256 +3256 @@
         }
 
+        case op_typeof: {
+            set(currentInstruction[1].u.operand,
+                addToGraph(TypeOf, get(currentInstruction[2].u.operand)));
+            NEXT_OPCODE(op_typeof);
+        }
+
         default:
             // Parse failed! This should not happen because the capabilities checker

trunk/Source/JavaScriptCore/dfg/DFGCSEPhase.cpp

@@ -563 +563 @@
             case AllocatePropertyStorage:
             case ReallocatePropertyStorage:
+            case TypeOf:
                 return NoNode;
                 
@@ -1128 +1129 @@
         case SkipScope:
         case GetScopeRegisters:
+        case TypeOf:
             setReplacement(pureCSE(node));
             break;

trunk/Source/JavaScriptCore/dfg/DFGCapabilities.h

@@ -197 +197 @@
     case op_put_to_base_variable:
     case op_put_to_base:
+    case op_typeof:
         return CanCompile;
         

trunk/Source/JavaScriptCore/dfg/DFGNodeType.h

@@ -211 +211 @@
     macro(IsObject, NodeResultBoolean) \
     macro(IsFunction, NodeResultBoolean) \
+    macro(TypeOf, NodeResultJS) \
     macro(LogicalNot, NodeResultBoolean) \
     macro(ToPrimitive, NodeResultJS | NodeMustGenerate | NodeClobbersWorld) \

trunk/Source/JavaScriptCore/dfg/DFGOperations.cpp

@@ -1369 +1369 @@
 {
     return jsIsFunctionType(JSValue::decode(value));
+}
+
+JSCell* DFG_OPERATION operationTypeOf(ExecState* exec, JSCell* value)
+{
+    return jsTypeStringForValue(exec, JSValue(value)).asCell();
 }
 

trunk/Source/JavaScriptCore/dfg/DFGOperations.h

@@ -199 +199 @@
 size_t DFG_OPERATION operationIsObject(ExecState*, EncodedJSValue) WTF_INTERNAL;
 size_t DFG_OPERATION operationIsFunction(EncodedJSValue) WTF_INTERNAL;
+JSCell* DFG_OPERATION operationTypeOf(ExecState*, JSCell*) WTF_INTERNAL;
 void DFG_OPERATION operationReallocateStorageAndFinishPut(ExecState*, JSObject*, Structure*, PropertyOffset, EncodedJSValue) WTF_INTERNAL;
 char* DFG_OPERATION operationAllocatePropertyStorageWithInitialCapacity(ExecState*) WTF_INTERNAL;

trunk/Source/JavaScriptCore/dfg/DFGPredictionPropagationPhase.cpp

@@ -498 +498 @@
             break;
         }
-            
+
+        case TypeOf: {
+            changed |= setPrediction(SpecString);
+            changed |= mergeDefaultFlags(node);
+            break;
+        }
+
         case GetById: {
             changed |= mergePrediction(node.getHeapPrediction());

trunk/Source/JavaScriptCore/dfg/DFGSpeculativeJIT32_64.cpp

@@ -4559 +4559 @@
         break;
     }
+    case TypeOf: {
+        JSValueOperand value(this, node.child1());
+        GPRReg tagGPR = value.tagGPR();
+        GPRReg payloadGPR = value.payloadGPR();
+        GPRTemporary temp(this);
+        GPRReg tempGPR = temp.gpr();
+        GPRResult result(this);
+        GPRReg resultGPR = result.gpr();
+        JITCompiler::JumpList doneJumps;
+
+        flushRegisters();
+
+        JITCompiler::Jump isNotCell = m_jit.branch32(JITCompiler::NotEqual, tagGPR, JITCompiler::TrustedImm32(JSValue::CellTag));
+        Node& child = m_jit.graph()[node.child1()];
+        if (child.shouldSpeculateCell())
+            speculationCheck(BadType, JSValueRegs(tagGPR, payloadGPR), node.child1(), isNotCell);
+
+        if (!child.shouldSpeculateNonStringCell()) {
+            m_jit.loadPtr(JITCompiler::Address(payloadGPR, JSCell::structureOffset()), tempGPR);
+            JITCompiler::Jump notString = m_jit.branch8(JITCompiler::NotEqual, JITCompiler::Address(tempGPR, Structure::typeInfoTypeOffset()), TrustedImm32(StringType));
+            if (child.shouldSpeculateString())
+                speculationCheck(BadType, JSValueRegs(tagGPR, payloadGPR), node.child1(), notString);
+            m_jit.move(TrustedImmPtr(m_jit.globalData()->smallStrings.stringString(m_jit.globalData())), resultGPR);
+            doneJumps.append(m_jit.jump());
+            if (!child.shouldSpeculateString()) {
+                notString.link(&m_jit);
+                callOperation(operationTypeOf, resultGPR, payloadGPR);
+                doneJumps.append(m_jit.jump());
+            }
+        } else {
+            callOperation(operationTypeOf, resultGPR, payloadGPR);
+            doneJumps.append(m_jit.jump());
+        }
+
+        if (!child.shouldSpeculateCell()) {
+            isNotCell.link(&m_jit);
+
+            m_jit.add32(TrustedImm32(1), tagGPR, tempGPR);
+            JITCompiler::Jump notNumber = m_jit.branch32(JITCompiler::AboveOrEqual, tempGPR, JITCompiler::TrustedImm32(JSValue::LowestTag + 1));
+            m_jit.move(TrustedImmPtr(m_jit.globalData()->smallStrings.numberString(m_jit.globalData())), resultGPR);
+            doneJumps.append(m_jit.jump());
+            notNumber.link(&m_jit);
+
+            JITCompiler::Jump notUndefined = m_jit.branch32(JITCompiler::NotEqual, tagGPR, TrustedImm32(JSValue::UndefinedTag));
+            m_jit.move(TrustedImmPtr(m_jit.globalData()->smallStrings.undefinedString(m_jit.globalData())), resultGPR);
+            doneJumps.append(m_jit.jump());
+            notUndefined.link(&m_jit);
+
+            JITCompiler::Jump notNull = m_jit.branch32(JITCompiler::NotEqual, tagGPR, TrustedImm32(JSValue::NullTag));
+            m_jit.move(TrustedImmPtr(m_jit.globalData()->smallStrings.objectString(m_jit.globalData())), resultGPR);
+            doneJumps.append(m_jit.jump());
+            notNull.link(&m_jit);
+
+            // Only boolean left
+            m_jit.move(TrustedImmPtr(m_jit.globalData()->smallStrings.booleanString(m_jit.globalData())), resultGPR);
+        }
+        doneJumps.link(&m_jit);
+        cellResult(resultGPR, m_compileIndex);
+        break;
+    }
 
     case Phi:

trunk/Source/JavaScriptCore/dfg/DFGSpeculativeJIT64.cpp

@@ -4070 +4070 @@
         
         jsValueResult(resultGPR, m_compileIndex, UseChildrenCalledExplicitly);
-        
+
         break;
     }
@@ -4482 +4482 @@
         m_jit.or32(TrustedImm32(ValueFalse), resultGPR);
         jsValueResult(result.gpr(), m_compileIndex, DataFormatJSBoolean);
+        break;
+    }
+
+    case TypeOf: {
+        JSValueOperand value(this, node.child1());
+        GPRReg valueGPR = value.gpr();
+        GPRTemporary temp(this);
+        GPRReg tempGPR = temp.gpr();
+        GPRResult result(this);
+        GPRReg resultGPR = result.gpr();
+        JITCompiler::JumpList doneJumps;
+
+        flushRegisters();
+
+        JITCompiler::Jump isNotCell = m_jit.branchTest64(JITCompiler::NonZero, valueGPR, GPRInfo::tagMaskRegister);
+        Node& child = m_jit.graph()[node.child1()];
+        if (child.shouldSpeculateCell())
+            speculationCheck(BadType, JSValueSource(valueGPR), node.child1(), isNotCell);
+
+        if (!child.shouldSpeculateNonStringCell()) {
+            m_jit.loadPtr(JITCompiler::Address(valueGPR, JSCell::structureOffset()), tempGPR);
+            JITCompiler::Jump notString = m_jit.branch8(JITCompiler::NotEqual, JITCompiler::Address(tempGPR, Structure::typeInfoTypeOffset()), TrustedImm32(StringType));
+            if (child.shouldSpeculateString())
+                speculationCheck(BadType, JSValueSource(valueGPR), node.child1(), notString);
+            m_jit.move(TrustedImmPtr(m_jit.globalData()->smallStrings.stringString(m_jit.globalData())), resultGPR);
+            doneJumps.append(m_jit.jump());
+            if (!child.shouldSpeculateString()) {
+                notString.link(&m_jit);
+                callOperation(operationTypeOf, resultGPR, valueGPR);
+                doneJumps.append(m_jit.jump());
+            }
+        } else {
+            callOperation(operationTypeOf, resultGPR, valueGPR);
+            doneJumps.append(m_jit.jump());
+        }
+
+        if (!child.shouldSpeculateCell()) {
+            isNotCell.link(&m_jit);
+            JITCompiler::Jump notNumber = m_jit.branchTest64(JITCompiler::Zero, valueGPR, GPRInfo::tagTypeNumberRegister);
+            m_jit.move(TrustedImmPtr(m_jit.globalData()->smallStrings.numberString(m_jit.globalData())), resultGPR);
+            doneJumps.append(m_jit.jump());
+            notNumber.link(&m_jit);
+
+            JITCompiler::Jump notUndefined = m_jit.branch64(JITCompiler::NotEqual, valueGPR, JITCompiler::TrustedImm64(ValueUndefined));
+            m_jit.move(TrustedImmPtr(m_jit.globalData()->smallStrings.undefinedString(m_jit.globalData())), resultGPR);
+            doneJumps.append(m_jit.jump());
+            notUndefined.link(&m_jit);
+
+            JITCompiler::Jump notNull = m_jit.branch64(JITCompiler::NotEqual, valueGPR, JITCompiler::TrustedImm64(ValueNull));
+            m_jit.move(TrustedImmPtr(m_jit.globalData()->smallStrings.objectString(m_jit.globalData())), resultGPR);
+            doneJumps.append(m_jit.jump());
+            notNull.link(&m_jit);
+
+            // Only boolean left
+            m_jit.move(TrustedImmPtr(m_jit.globalData()->smallStrings.booleanString(m_jit.globalData())), resultGPR);
+        }
+        doneJumps.link(&m_jit);
+        cellResult(resultGPR, m_compileIndex);
         break;
     }

trunk/Source/JavaScriptCore/runtime/Operations.cpp

@@ -57 +57 @@
 }
 
-JSValue jsTypeStringForValue(CallFrame* callFrame, JSValue v)
+JSValue jsTypeStringForValue(JSGlobalData& globalData, JSGlobalObject* globalObject, JSValue v)
 {
-    JSGlobalData& globalData = callFrame->globalData();
     if (v.isUndefined())
         return globalData.smallStrings.undefinedString(&globalData);
@@ -71 +70 @@
         // Return "undefined" for objects that should be treated
         // as null when doing comparisons.
-        if (asObject(v)->structure()->masqueradesAsUndefined(callFrame->lexicalGlobalObject()))
+        if (asObject(v)->structure()->masqueradesAsUndefined(globalObject))
             return globalData.smallStrings.undefinedString(&globalData);
         CallData callData;
@@ -79 +78 @@
     }
     return globalData.smallStrings.objectString(&globalData);
+}
+
+JSValue jsTypeStringForValue(CallFrame* callFrame, JSValue v)
+{
+    return jsTypeStringForValue(callFrame->globalData(), callFrame->lexicalGlobalObject(), v);
 }
 

trunk/Source/JavaScriptCore/runtime/Operations.h

@@ -33 +33 @@
     NEVER_INLINE JSValue jsAddSlowCase(CallFrame*, JSValue, JSValue);
     JSValue jsTypeStringForValue(CallFrame*, JSValue);
+    JSValue jsTypeStringForValue(JSGlobalData&, JSGlobalObject*, JSValue);
     bool jsIsObjectType(CallFrame*, JSValue);
     bool jsIsFunctionType(JSValue);