Context Navigation

← Previous Changeset
Next Changeset →

Changeset 182433 in webkit

Timestamp:

Apr 6, 2015 12:07:12 PM (9 years ago)

Author:

Yusuke Suzuki

Message:

[ES6] DFG and FTL should be aware of that StringConstructor behavior for symbols becomes different from ToString
https://bugs.webkit.org/show_bug.cgi?id=143424

Reviewed by Geoffrey Garen.

In ES6, StringConstructor behavior becomes different from ToString abstract operations in the spec. (and JSValue::toString).

ToString(symbol) throws a type error.
However, String(symbol) produces SymbolDescriptiveString(symbol).

So, in DFG and FTL phase, they should not inline StringConstructor to ToString.

Now, in the template literals patch, ToString DFG operation is planned to be used.
And current ToString behavior is aligned to the spec (and JSValue::toString) and it's better.
So intead of changing ToString behavior, this patch adds CallStringConstructor operation into DFG and FTL.
In CallStringConstructor, all behavior in DFG analysis is the same.
Only the difference from ToString is, when calling DFG operation functions, it calls
operationCallStringConstructorOnCell and operationCallStringConstructor instead of
operationToStringOnCell and operationToString.

dfg/DFGAbstractInterpreterInlines.h:

(JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):

dfg/DFGBackwardsPropagationPhase.cpp:

(JSC::DFG::BackwardsPropagationPhase::propagate):

dfg/DFGByteCodeParser.cpp:

(JSC::DFG::ByteCodeParser::handleConstantInternalFunction):

dfg/DFGClobberize.h:

(JSC::DFG::clobberize):

dfg/DFGDoesGC.cpp:

(JSC::DFG::doesGC):

dfg/DFGFixupPhase.cpp:

(JSC::DFG::FixupPhase::fixupNode):
(JSC::DFG::FixupPhase::fixupToStringOrCallStringConstructor):
(JSC::DFG::FixupPhase::attemptToMakeFastStringAdd):
(JSC::DFG::FixupPhase::fixupToString): Deleted.

dfg/DFGNodeType.h:
dfg/DFGOperations.cpp:
dfg/DFGOperations.h:
dfg/DFGPredictionPropagationPhase.cpp:

(JSC::DFG::PredictionPropagationPhase::propagate):

dfg/DFGSafeToExecute.h:

(JSC::DFG::safeToExecute):

dfg/DFGSpeculativeJIT.cpp:

(JSC::DFG::SpeculativeJIT::compileToStringOrCallStringConstructorOnCell):
(JSC::DFG::SpeculativeJIT::compileToStringOnCell): Deleted.

dfg/DFGSpeculativeJIT.h:
dfg/DFGSpeculativeJIT32_64.cpp:

(JSC::DFG::SpeculativeJIT::compile):

dfg/DFGSpeculativeJIT64.cpp:

(JSC::DFG::SpeculativeJIT::compile):

dfg/DFGStructureRegistrationPhase.cpp:

(JSC::DFG::StructureRegistrationPhase::run):

ftl/FTLCapabilities.cpp:

(JSC::FTL::canCompile):

ftl/FTLLowerDFGToLLVM.cpp:

(JSC::FTL::LowerDFGToLLVM::compileNode):
(JSC::FTL::LowerDFGToLLVM::compileToStringOrCallStringConstructor):
(JSC::FTL::LowerDFGToLLVM::compileToString): Deleted.

runtime/StringConstructor.cpp:

(JSC::stringConstructor):
(JSC::callStringConstructor):

runtime/StringConstructor.h:
tests/stress/symbol-and-string-constructor.js: Added.

(performString):

Location:

trunk/Source/JavaScriptCore

Files:

: 1 added
: 21 edited

ChangeLog (modified) (1 diff)
dfg/DFGAbstractInterpreterInlines.h (modified) (1 diff)
dfg/DFGBackwardsPropagationPhase.cpp (modified) (1 diff)
dfg/DFGByteCodeParser.cpp (modified) (1 diff)
dfg/DFGClobberize.h (modified) (1 diff)
dfg/DFGDoesGC.cpp (modified) (1 diff)
dfg/DFGFixupPhase.cpp (modified) (3 diffs)
dfg/DFGNodeType.h (modified) (1 diff)
dfg/DFGOperations.cpp (modified) (1 diff)
dfg/DFGOperations.h (modified) (1 diff)
dfg/DFGPredictionPropagationPhase.cpp (modified) (1 diff)
dfg/DFGSafeToExecute.h (modified) (1 diff)
dfg/DFGSpeculativeJIT.cpp (modified) (2 diffs)
dfg/DFGSpeculativeJIT.h (modified) (1 diff)
dfg/DFGSpeculativeJIT32_64.cpp (modified) (3 diffs)
dfg/DFGSpeculativeJIT64.cpp (modified) (3 diffs)
dfg/DFGStructureRegistrationPhase.cpp (modified) (1 diff)
ftl/FTLCapabilities.cpp (modified) (1 diff)
ftl/FTLLowerDFGToLLVM.cpp (modified) (3 diffs)
runtime/StringConstructor.cpp (modified) (1 diff)
runtime/StringConstructor.h (modified) (1 diff)
tests/stress/symbol-and-string-constructor.js (added)

Legend:

: Unmodified
: Added
: Removed

trunk/Source/JavaScriptCore/ChangeLog

-                      r182406
+                      r182433
+-04-06  Yusuke Suzuki  <utatane.tea@gmail.com>
+        [ES6] DFG and FTL should be aware of that StringConstructor behavior for symbols becomes different from ToString
+        https://bugs.webkit.org/show_bug.cgi?id=143424
+        Reviewed by Geoffrey Garen.
+        In ES6, StringConstructor behavior becomes different from ToString abstract operations in the spec. (and JSValue::toString).
+        ToString(symbol) throws a type error.
+        However, String(symbol) produces SymbolDescriptiveString(symbol).
+        So, in DFG and FTL phase, they should not inline StringConstructor to ToString.
+        Now, in the template literals patch, ToString DFG operation is planned to be used.
+        And current ToString behavior is aligned to the spec (and JSValue::toString) and it's better.
+        So intead of changing ToString behavior, this patch adds CallStringConstructor operation into DFG and FTL.
+        In CallStringConstructor, all behavior in DFG analysis is the same.
+        Only the difference from ToString is, when calling DFG operation functions, it calls
+        operationCallStringConstructorOnCell and operationCallStringConstructor instead of
+        operationToStringOnCell and operationToString.
+        * dfg/DFGAbstractInterpreterInlines.h:
+        (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
+        * dfg/DFGBackwardsPropagationPhase.cpp:
+        (JSC::DFG::BackwardsPropagationPhase::propagate):
+        * dfg/DFGByteCodeParser.cpp:
+        (JSC::DFG::ByteCodeParser::handleConstantInternalFunction):
+        * dfg/DFGClobberize.h:
+        (JSC::DFG::clobberize):
+        * dfg/DFGDoesGC.cpp:
+        (JSC::DFG::doesGC):
+        * dfg/DFGFixupPhase.cpp:
+        (JSC::DFG::FixupPhase::fixupNode):
+        (JSC::DFG::FixupPhase::fixupToStringOrCallStringConstructor):
+        (JSC::DFG::FixupPhase::attemptToMakeFastStringAdd):
+        (JSC::DFG::FixupPhase::fixupToString): Deleted.
+        * dfg/DFGNodeType.h:
+        * dfg/DFGOperations.cpp:
+        * dfg/DFGOperations.h:
+        * dfg/DFGPredictionPropagationPhase.cpp:
+        (JSC::DFG::PredictionPropagationPhase::propagate):
+        * dfg/DFGSafeToExecute.h:
+        (JSC::DFG::safeToExecute):
+        * dfg/DFGSpeculativeJIT.cpp:
+        (JSC::DFG::SpeculativeJIT::compileToStringOrCallStringConstructorOnCell):
+        (JSC::DFG::SpeculativeJIT::compileToStringOnCell): Deleted.
+        * dfg/DFGSpeculativeJIT.h:
+        * dfg/DFGSpeculativeJIT32_64.cpp:
+        (JSC::DFG::SpeculativeJIT::compile):
+        * dfg/DFGSpeculativeJIT64.cpp:
+        (JSC::DFG::SpeculativeJIT::compile):
+        * dfg/DFGStructureRegistrationPhase.cpp:
+        (JSC::DFG::StructureRegistrationPhase::run):
+        * ftl/FTLCapabilities.cpp:
+        (JSC::FTL::canCompile):
+        * ftl/FTLLowerDFGToLLVM.cpp:
+        (JSC::FTL::LowerDFGToLLVM::compileNode):
+        (JSC::FTL::LowerDFGToLLVM::compileToStringOrCallStringConstructor):
+        (JSC::FTL::LowerDFGToLLVM::compileToString): Deleted.
+        * runtime/StringConstructor.cpp:
+        (JSC::stringConstructor):
+        (JSC::callStringConstructor):
+        * runtime/StringConstructor.h:
+        * tests/stress/symbol-and-string-constructor.js: Added.
+        (performString):
 -04-06  Yusuke Suzuki  <utatane.tea@gmail.com>

trunk/Source/JavaScriptCore/dfg/DFGAbstractInterpreterInlines.h

-                      r181993
+                      r182433
+    }
+    case ToString: {
+    case ToString:
+    case CallStringConstructor: {
         switch (node->child1().useKind()) {
         case StringObjectUse:

trunk/Source/JavaScriptCore/dfg/DFGBackwardsPropagationPhase.cpp

-                      r181993
+                      r182433
+        }
+        case ToString: {
+        case ToString:
+        case CallStringConstructor: {
             node->child1()->mergeFlags(NodeBytecodeUsesAsNumber | NodeBytecodeUsesAsOther);
             break;

trunk/Source/JavaScriptCore/dfg/DFGByteCodeParser.cpp

r182294	r182433
2178	2178	result = jsConstant(m_vm->smallStrings.emptyString());
2179	2179	else
2180		result = addToGraph(~~ToString~~, get(virtualRegisterForArgument(1, registerOffset)));
	2180	result = addToGraph(CallStringConstructor, get(virtualRegisterForArgument(1, registerOffset)));
2181	2181
2182	2182	if (kind == CodeForConstruct)

trunk/Source/JavaScriptCore/dfg/DFGClobberize.h

r182213	r182433
898	898
899	899	case ToString:
	900	case CallStringConstructor:
900	901	switch (node->child1().useKind()) {
901	902	case StringObjectUse:

trunk/Source/JavaScriptCore/dfg/DFGDoesGC.cpp

r181993	r182433
144	144	case ToPrimitive:
145	145	case ToString:
	146	case CallStringConstructor:
146	147	case In:
147	148	case Jump:

trunk/Source/JavaScriptCore/dfg/DFGFixupPhase.cpp

-                      r182114
+                      r182433
+        }
+        case ToString: {
+            fixupToString(node);
+        case ToString:
+        case CallStringConstructor: {
+            fixupToStringOrCallStringConstructor(node);
             break;
+        }
 …
+    }
     void fixupToString(Node* node)
+    void fixupToStringOrCallStringConstructor(Node* node)
+    {
         if (node->child1()->shouldSpeculateString()) {
 …
             fixupToPrimitive(toPrimitive);
             fixupToString(toString);
+            fixupToStringOrCallStringConstructor(toString);
             right.setNode(toString);

trunk/Source/JavaScriptCore/dfg/DFGNodeType.h

r181993	r182433
262	262	macro(ToPrimitive, NodeResultJS \| NodeMustGenerate) \
263	263	macro(ToString, NodeResultJS \| NodeMustGenerate) \
	264	macro(CallStringConstructor, NodeResultJS \| NodeMustGenerate) \
264	265	macro(NewStringObject, NodeResultJS) \
265	266	macro(MakeRope, NodeResultJS) \

trunk/Source/JavaScriptCore/dfg/DFGOperations.cpp

-                      r182057
+                      r182433
+}
+JSCell* JIT_OPERATION operationCallStringConstructorOnCell(ExecState* exec, JSCell* cell)
+{
+    VM& vm = exec->vm();
+    NativeCallFrameTracer tracer(&vm, exec);
+    return stringConstructor(exec, cell);
+}
+JSCell* JIT_OPERATION operationCallStringConstructor(ExecState* exec, EncodedJSValue value)
+{
+    VM& vm = exec->vm();
+    NativeCallFrameTracer tracer(&vm, exec);
+    return stringConstructor(exec, JSValue::decode(value));
+}
 JSCell* JIT_OPERATION operationMakeRope2(ExecState* exec, JSString* left, JSString* right)
+{

trunk/Source/JavaScriptCore/dfg/DFGOperations.h

r181993	r182433
122	122	JSCell* JIT_OPERATION operationToStringOnCell(ExecState, JSCell);
123	123	JSCell* JIT_OPERATION operationToString(ExecState*, EncodedJSValue);
	124	JSCell* JIT_OPERATION operationCallStringConstructorOnCell(ExecState, JSCell);
	125	JSCell* JIT_OPERATION operationCallStringConstructor(ExecState*, EncodedJSValue);
124	126	JSCell* JIT_OPERATION operationMakeRope2(ExecState, JSString, JSString*);
125	127	JSCell* JIT_OPERATION operationMakeRope3(ExecState, JSString, JSString, JSString);

trunk/Source/JavaScriptCore/dfg/DFGPredictionPropagationPhase.cpp

r181993	r182433
481	481	}
482	482	case StringCharAt:
	483	case CallStringConstructor:
483	484	case ToString:
484	485	case MakeRope: {

trunk/Source/JavaScriptCore/dfg/DFGSafeToExecute.h

r181993	r182433
220	220	case ToPrimitive:
221	221	case ToString:
	222	case CallStringConstructor:
222	223	case NewStringObject:
223	224	case MakeRope:

trunk/Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp

-                      r182098
+                      r182433
+}
 void SpeculativeJIT::compileToStringOnCell(Node* node)
+void SpeculativeJIT::compileToStringOrCallStringConstructorOnCell(Node* node)
+{
     SpeculateCellOperand op1(this, node->child1());
 …
             needCall.link(&m_jit);
+        }
+        callOperation(operationToStringOnCell, resultGPR, op1GPR);
+        if (node->op() == ToString)
+            callOperation(operationToStringOnCell, resultGPR, op1GPR);
+        else {
+            ASSERT(node->op() == CallStringConstructor);
+            callOperation(operationCallStringConstructorOnCell, resultGPR, op1GPR);
+        }
         if (done.isSet())
             done.link(&m_jit);

trunk/Source/JavaScriptCore/dfg/DFGSpeculativeJIT.h

r181993	r182433
2139	2139	void emitSwitch(Node*);
2140	2140
2141		void compileToStringOnCell(Node*);
	2141	void compileToStringOrCallStringConstructorOnCell(Node*);
2142	2142	void compileNewStringObject(Node*);
2143	2143

trunk/Source/JavaScriptCore/dfg/DFGSpeculativeJIT32_64.cpp

-                      r182001
+                      r182433
+    }
+    case ToString: {
+    case ToString:
+    case CallStringConstructor: {
         if (node->child1().useKind() == UntypedUse) {
             JSValueOperand op1(this, node->child1());
 …
                 slowPath2.link(&m_jit);
+            }
+            callOperation(operationToString, resultGPR, op1TagGPR, op1PayloadGPR);
+            if (op == ToString)
+                callOperation(operationToString, resultGPR, op1TagGPR, op1PayloadGPR);
+            else {
+                ASSERT(op == CallStringConstructor);
+                callOperation(operationCallStringConstructor, resultGPR, op1TagGPR, op1PayloadGPR);
+            }
             if (done.isSet())
                 done.link(&m_jit);
 …
+        }
         compileToStringOnCell(node);
+        compileToStringOrCallStringConstructorOnCell(node);
         break;
+    }

trunk/Source/JavaScriptCore/dfg/DFGSpeculativeJIT64.cpp

-                      r181993
+                      r182433
+    }
+    case ToString: {
+    case ToString:
+    case CallStringConstructor: {
         if (node->child1().useKind() == UntypedUse) {
             JSValueOperand op1(this, node->child1());
 …
                 slowPath2.link(&m_jit);
+            }
+            callOperation(operationToString, resultGPR, op1GPR);
+            if (op == ToString)
+                callOperation(operationToString, resultGPR, op1GPR);
+            else {
+                ASSERT(op == CallStringConstructor);
+                callOperation(operationCallStringConstructor, resultGPR, op1GPR);
+            }
             if (done.isSet())
                 done.link(&m_jit);
 …
+        }
         compileToStringOnCell(node);
+        compileToStringOrCallStringConstructorOnCell(node);
         break;
+    }

trunk/Source/JavaScriptCore/dfg/DFGStructureRegistrationPhase.cpp

r181993	r182433
112	112
113	113	case ToString:
	114	case CallStringConstructor:
114	115	registerStructure(m_graph.globalObjectFor(node->origin.semantic)->stringObjectStructure());
115	116	break;

trunk/Source/JavaScriptCore/ftl/FTLCapabilities.cpp

r181993	r182433
147	147	case GetArgumentCount:
148	148	case ToString:
	149	case CallStringConstructor:
149	150	case MakeRope:
150	151	case NewArrayWithSize:

trunk/Source/JavaScriptCore/ftl/FTLLowerDFGToLLVM.cpp

-                      r182009
+                      r182433
             break;
         case ToString:
+            compileToString();
+        case CallStringConstructor:
+            compileToStringOrCallStringConstructor();
             break;
         case ToPrimitive:
 …
+    }
     void compileToString()
+    void compileToStringOrCallStringConstructor()
+    {
         switch (m_node->child1().useKind()) {
 …
             LValue operation;
             if (m_node->child1().useKind() == CellUse)
                 operation = m_out.operation(operationToStringOnCell);
+                operation = m_out.operation(m_node->op() == ToString ? operationToStringOnCell : operationCallStringConstructorOnCell);
             else
                 operation = m_out.operation(operationToString);
+                operation = m_out.operation(m_node->op() == ToString ? operationToString : operationCallStringConstructor);
             ValueFromBlock convertedResult = m_out.anchor(vmCall(operation, m_callFrame, value));
             m_out.jump(continuation);

trunk/Source/JavaScriptCore/runtime/StringConstructor.cpp

-                      r179429
+                      r182433
+}
+JSCell* stringConstructor(ExecState* exec, JSValue argument)
+{
+    if (argument.isSymbol())
+        return jsNontrivialString(exec, asSymbol(argument)->descriptiveString());
+    return argument.toString(exec);
+}
 static EncodedJSValue JSC_HOST_CALL callStringConstructor(ExecState* exec)
+{
     if (!exec->argumentCount())
         return JSValue::encode(jsEmptyString(exec));
+    JSValue argument = exec->uncheckedArgument(0);
+    if (argument.isSymbol())
+        return JSValue::encode(jsString(exec, asSymbol(argument)->descriptiveString()));
+    return JSValue::encode(argument.toString(exec));
+    return JSValue::encode(stringConstructor(exec, exec->uncheckedArgument(0)));
+}

trunk/Source/JavaScriptCore/runtime/StringConstructor.h

-                      r173269
+                      r182433
     static bool getOwnPropertySlot(JSObject*, ExecState*, PropertyName, PropertySlot&);
 };
 JSCell* JSC_HOST_CALL stringFromCharCode(ExecState*, int32_t);
+JSCell* stringConstructor(ExecState*, JSValue);
 } // namespace JSC

Note: See TracChangeset for help on using the changeset viewer.

Context Navigation

Changeset 182433 in webkit

Legend:

Download in other formats: