Changeset 200606 in webkit

Timestamp:

May 9, 2016 7:01:28 PM (8 years ago)

Author:

fpizlo@apple.com

Message:

Polymorphic operands in operators coerces downstream values to double.
​https://bugs.webkit.org/show_bug.cgi?id=151793

Reviewed by Mark Lam.
Source/JavaScriptCore:

Previously if an object flowed into arithmetic, the prediction propagation phase would either
assume that the output of the arithmetic had to be double or sometimes it would assume that it
couldn't be double. We want it to only assume that the output is double if it actually had been.

The first part of this patch is to roll out ​http://trac.webkit.org/changeset/200502. That removed
some of the machinery that we had in place to detect whether the output of an operation is int or
double. That changeset claimed that the machinery was "fundamentally broken". It actually wasn't.
The reason why it didn't work was that ByteCodeParser was ignoring it if likelyToTakeSlowCase was
false. I think this was a complete goof-up: the code in ByteCodeParser::makeSafe was structured
in a way that made it non-obvious that the method is a no-op if !likelyToTakeSlowCase. So, this
change rolls out r200502 and makes ResultProfile do its job by reshaping how makeSafe processes
it.

This also makes two other changes to shore up ResultProfile:

• OSR exit can now refine a ResultProfile the same way that it refines ValueProfile.
• Baseline JIT slow paths now set bits in ResultProfile.

Based on this stuff, the DFG now predicts int/double/string in op_add/op_sub/op_mul based on
ResultProfiles. To be conservative, we still only use the ResultProfiles if the incoming
prediction is not number-or-boolean. This ensures that we exactly retain our old behavior in
those cases for which it was tuned. But I hope to remove this soon. I believe that ResultProfile
is already strictly better than what prediction propagation was doing before.

This can be an enormous win. This patch adds some simple microbenchmarks that demonstrate the
problem of assuming that arithmetic on objects returns double. The most extreme of these speeds
up 8x with this change (object-int-add-array).

• CMakeLists.txt:
• JavaScriptCore.xcodeproj/project.pbxproj:
• bytecode/CodeBlock.h:

(JSC::CodeBlock::addFrequentExitSite):
(JSC::CodeBlock::hasExitSite):

• bytecode/DFGExitProfile.cpp:

(JSC::DFG::FrequentExitSite::dump):
(JSC::DFG::ExitProfile::ExitProfile):
(JSC::DFG::ExitProfile::~ExitProfile):
(JSC::DFG::ExitProfile::add):

• bytecode/DFGExitProfile.h:

(JSC::DFG::FrequentExitSite::isHashTableDeletedValue):

• bytecode/MethodOfGettingAValueProfile.cpp:

(JSC::MethodOfGettingAValueProfile::fromLazyOperand):
(JSC::MethodOfGettingAValueProfile::emitReportValue):
(JSC::MethodOfGettingAValueProfile::getSpecFailBucket): Deleted.

• bytecode/MethodOfGettingAValueProfile.h:

(JSC::MethodOfGettingAValueProfile::MethodOfGettingAValueProfile):
(JSC::MethodOfGettingAValueProfile::operator bool):
(JSC::MethodOfGettingAValueProfile::operator!): Deleted.

• bytecode/PolymorphicAccess.cpp:

(JSC::AccessCase::generateImpl):

• bytecode/ValueProfile.cpp:

(JSC::ResultProfile::emitDetectBitsLight):
(JSC::ResultProfile::emitSetDouble):
(JSC::ResultProfile::emitSetNonNumber):
(WTF::printInternal):

• bytecode/ValueProfile.h:

(JSC::ResultProfile::ResultProfile):
(JSC::ResultProfile::bytecodeOffset):
(JSC::ResultProfile::specialFastPathCount):
(JSC::ResultProfile::didObserveNonInt32):
(JSC::ResultProfile::didObserveDouble):
(JSC::ResultProfile::didObserveNonNegZeroDouble):
(JSC::ResultProfile::didObserveNegZeroDouble):
(JSC::ResultProfile::didObserveNonNumber):
(JSC::ResultProfile::didObserveInt32Overflow):
(JSC::ResultProfile::didObserveInt52Overflow):
(JSC::ResultProfile::setObservedNonNegZeroDouble):
(JSC::ResultProfile::setObservedNegZeroDouble):
(JSC::ResultProfile::setObservedNonNumber):
(JSC::ResultProfile::setObservedInt32Overflow):
(JSC::ResultProfile::addressOfFlags):
(JSC::ResultProfile::addressOfSpecialFastPathCount):
(JSC::ResultProfile::detectBitsLight):
(JSC::ResultProfile::hasBits):

• dfg/DFGByteCodeParser.cpp:

(JSC::DFG::ByteCodeParser::makeSafe):

• dfg/DFGFixupPhase.cpp:

(JSC::DFG::FixupPhase::fixupNode):

• dfg/DFGGraph.cpp:

(JSC::DFG::Graph::ensureNaturalLoops):
(JSC::DFG::Graph::methodOfGettingAValueProfileFor):
(JSC::DFG::Graph::valueProfileFor): Deleted.

• dfg/DFGGraph.h:

(JSC::DFG::Graph::hasExitSite):
(JSC::DFG::Graph::numBlocks):

• dfg/DFGNode.h:

(JSC::DFG::Node::arithNodeFlags):
(JSC::DFG::Node::mayHaveNonIntResult):
(JSC::DFG::Node::mayHaveDoubleResult):
(JSC::DFG::Node::mayHaveNonNumberResult):
(JSC::DFG::Node::hasConstantBuffer):

• dfg/DFGNodeFlags.cpp:

(JSC::DFG::dumpNodeFlags):

• dfg/DFGNodeFlags.h:
• dfg/DFGOSRExitCompiler32_64.cpp:

(JSC::DFG::OSRExitCompiler::compileExit):

• dfg/DFGOSRExitCompiler64.cpp:

(JSC::DFG::OSRExitCompiler::compileExit):

• dfg/DFGOperations.cpp:
• dfg/DFGOperations.h:
• dfg/DFGPredictionPropagationPhase.cpp:
• dfg/DFGSpeculativeJIT.h:

(JSC::DFG::SpeculativeJIT::callOperation):

• ftl/FTLOSRExitCompiler.cpp:

(JSC::FTL::compileStub):

• jit/AssemblyHelpers.h:

(JSC::AssemblyHelpers::branchIfEqual):
(JSC::AssemblyHelpers::branchIfNotCell):
(JSC::AssemblyHelpers::branchIfNotNumber):
(JSC::AssemblyHelpers::branchIfNotDoubleKnownNotInt32):
(JSC::AssemblyHelpers::branchIfBoolean):
(JSC::AssemblyHelpers::branchIfEmpty):
(JSC::AssemblyHelpers::branchStructure):

• jit/CCallHelpers.h:

(JSC::CCallHelpers::CCallHelpers):
(JSC::CCallHelpers::setupArguments):
(JSC::CCallHelpers::setupArgumentsWithExecState):

• jit/IntrinsicEmitter.cpp:

(JSC::AccessCase::emitIntrinsicGetter):

• jit/JIT.h:
• jit/JITAddGenerator.cpp:

(JSC::JITAddGenerator::generateFastPath):

• jit/JITAddGenerator.h:

(JSC::JITAddGenerator::JITAddGenerator):

• jit/JITArithmetic.cpp:

(JSC::JIT::emit_op_add):
(JSC::JIT::emitSlow_op_add):
(JSC::JIT::emit_op_div):
(JSC::JIT::emit_op_mul):
(JSC::JIT::emitSlow_op_mul):
(JSC::JIT::emit_op_sub):
(JSC::JIT::emitSlow_op_sub):

• jit/JITInlines.h:

(JSC::JIT::callOperation):
(JSC::JIT::callOperationNoExceptionCheck):

• jit/JITMulGenerator.cpp:

(JSC::JITMulGenerator::generateFastPath):

• jit/JITOperations.cpp:
• jit/JITOperations.h:
• jit/JITSubGenerator.cpp:

(JSC::JITSubGenerator::generateFastPath):

• jit/JITSubGenerator.h:

(JSC::JITSubGenerator::JITSubGenerator):

• jit/TagRegistersMode.cpp: Added.

(WTF::printInternal):

• jit/TagRegistersMode.h: Added.
• runtime/CommonSlowPaths.cpp:

(JSC::updateResultProfileForBinaryArithOp):

LayoutTests:

• js/regress/object-int-add-array-expected.txt: Added.
• js/regress/object-int-add-array.html: Added.
• js/regress/object-int-add-expected.txt: Added.
• js/regress/object-int-add.html: Added.
• js/regress/object-int-mul-array-expected.txt: Added.
• js/regress/object-int-mul-array.html: Added.
• js/regress/object-int-sub-array-expected.txt: Added.
• js/regress/object-int-sub-array.html: Added.
• js/regress/object-int-sub-expected.txt: Added.
• js/regress/object-int-sub.html: Added.
• js/regress/script-tests/object-int-add-array.js: Added.

(i.o.valueOf):

• js/regress/script-tests/object-int-add.js: Added.

(i.o.valueOf):

• js/regress/script-tests/object-int-mul-array.js: Added.

(i.o.valueOf):

• js/regress/script-tests/object-int-sub-array.js: Added.

(i.o.valueOf):

• js/regress/script-tests/object-int-sub.js: Added.

(i.o.valueOf):

Location:

trunk

Files:

• LayoutTests/ChangeLog (modified) (1 diff)
• LayoutTests/js/regress/object-int-add-array-expected.txt (added)
• LayoutTests/js/regress/object-int-add-array.html (added)
• LayoutTests/js/regress/object-int-add-expected.txt (added)
• LayoutTests/js/regress/object-int-add.html (added)
• LayoutTests/js/regress/object-int-mul-array-expected.txt (added)
• LayoutTests/js/regress/object-int-mul-array.html (added)
• LayoutTests/js/regress/object-int-sub-array-expected.txt (added)
• LayoutTests/js/regress/object-int-sub-array.html (added)
• LayoutTests/js/regress/object-int-sub-expected.txt (added)
• LayoutTests/js/regress/object-int-sub.html (added)
• LayoutTests/js/regress/script-tests/object-int-add-array.js (added)
• LayoutTests/js/regress/script-tests/object-int-add.js (added)
• LayoutTests/js/regress/script-tests/object-int-mul-array.js (added)
• LayoutTests/js/regress/script-tests/object-int-sub-array.js (added)
• LayoutTests/js/regress/script-tests/object-int-sub.js (added)
• Source/JavaScriptCore/CMakeLists.txt (modified) (1 diff)
• Source/JavaScriptCore/ChangeLog (modified) (1 diff)
• Source/JavaScriptCore/JavaScriptCore.xcodeproj/project.pbxproj (modified) (5 diffs)
• Source/JavaScriptCore/bytecode/CodeBlock.h (modified) (1 diff)
• Source/JavaScriptCore/bytecode/DFGExitProfile.cpp (modified) (2 diffs)
• Source/JavaScriptCore/bytecode/DFGExitProfile.h (modified) (3 diffs)
• Source/JavaScriptCore/bytecode/MethodOfGettingAValueProfile.cpp (modified) (4 diffs)
• Source/JavaScriptCore/bytecode/MethodOfGettingAValueProfile.h (modified) (6 diffs)
• Source/JavaScriptCore/bytecode/PolymorphicAccess.cpp (modified) (2 diffs)
• Source/JavaScriptCore/bytecode/ValueProfile.cpp (modified) (3 diffs)
• Source/JavaScriptCore/bytecode/ValueProfile.h (modified) (7 diffs)
• Source/JavaScriptCore/dfg/DFGByteCodeParser.cpp (modified) (1 diff)
• Source/JavaScriptCore/dfg/DFGFixupPhase.cpp (modified) (2 diffs)
• Source/JavaScriptCore/dfg/DFGGraph.cpp (modified) (1 diff)
• Source/JavaScriptCore/dfg/DFGGraph.h (modified) (1 diff)
• Source/JavaScriptCore/dfg/DFGNode.h (modified) (1 diff)
• Source/JavaScriptCore/dfg/DFGNodeFlags.cpp (modified) (1 diff)
• Source/JavaScriptCore/dfg/DFGNodeFlags.h (modified) (2 diffs)
• Source/JavaScriptCore/dfg/DFGOSRExitCompiler32_64.cpp (modified) (2 diffs)
• Source/JavaScriptCore/dfg/DFGOSRExitCompiler64.cpp (modified) (2 diffs)
• Source/JavaScriptCore/dfg/DFGOperations.cpp (modified) (2 diffs)
• Source/JavaScriptCore/dfg/DFGOperations.h (modified) (1 diff)
• Source/JavaScriptCore/dfg/DFGPredictionPropagationPhase.cpp (modified) (5 diffs)
• Source/JavaScriptCore/dfg/DFGSpeculativeJIT.h (modified) (2 diffs)
• Source/JavaScriptCore/ftl/FTLOSRExitCompiler.cpp (modified) (2 diffs)
• Source/JavaScriptCore/jit/AssemblyHelpers.h (modified) (3 diffs)
• Source/JavaScriptCore/jit/CCallHelpers.h (modified) (2 diffs)
• Source/JavaScriptCore/jit/GPRInfo.h (modified) (3 diffs)
• Source/JavaScriptCore/jit/IntrinsicEmitter.cpp (modified) (4 diffs)
• Source/JavaScriptCore/jit/JIT.h (modified) (1 diff)
• Source/JavaScriptCore/jit/JITAddGenerator.cpp (modified) (2 diffs)
• Source/JavaScriptCore/jit/JITAddGenerator.h (modified) (4 diffs)
• Source/JavaScriptCore/jit/JITArithmetic.cpp (modified) (8 diffs)
• Source/JavaScriptCore/jit/JITInlines.h (modified) (3 diffs)
• Source/JavaScriptCore/jit/JITMulGenerator.cpp (modified) (3 diffs)
• Source/JavaScriptCore/jit/JITOperations.cpp (modified) (1 diff)
• Source/JavaScriptCore/jit/JITOperations.h (modified) (4 diffs)
• Source/JavaScriptCore/jit/JITSubGenerator.cpp (modified) (2 diffs)
• Source/JavaScriptCore/jit/JITSubGenerator.h (modified) (4 diffs)
• Source/JavaScriptCore/jit/TagRegistersMode.cpp (added)
• Source/JavaScriptCore/jit/TagRegistersMode.h (added)
• Source/JavaScriptCore/runtime/CommonSlowPaths.cpp (modified) (1 diff)
• Source/JavaScriptCore/runtime/Options.h (modified) (1 diff)

trunk/LayoutTests/ChangeLog

@@ +1 @@
+2016-05-09  Filip Pizlo  <fpizlo@apple.com>
+
+        Polymorphic operands in operators coerces downstream values to double.
+        https://bugs.webkit.org/show_bug.cgi?id=151793
+
+        Reviewed by Mark Lam.
+
+        * js/regress/object-int-add-array-expected.txt: Added.
+        * js/regress/object-int-add-array.html: Added.
+        * js/regress/object-int-add-expected.txt: Added.
+        * js/regress/object-int-add.html: Added.
+        * js/regress/object-int-mul-array-expected.txt: Added.
+        * js/regress/object-int-mul-array.html: Added.
+        * js/regress/object-int-sub-array-expected.txt: Added.
+        * js/regress/object-int-sub-array.html: Added.
+        * js/regress/object-int-sub-expected.txt: Added.
+        * js/regress/object-int-sub.html: Added.
+        * js/regress/script-tests/object-int-add-array.js: Added.
+        (i.o.valueOf):
+        * js/regress/script-tests/object-int-add.js: Added.
+        (i.o.valueOf):
+        * js/regress/script-tests/object-int-mul-array.js: Added.
+        (i.o.valueOf):
+        * js/regress/script-tests/object-int-sub-array.js: Added.
+        (i.o.valueOf):
+        * js/regress/script-tests/object-int-sub.js: Added.
+        (i.o.valueOf):
+
 2016-05-09  Simon Fraser  <simon.fraser@apple.com>
 

trunk/Source/JavaScriptCore/CMakeLists.txt

@@ -564 +564 @@
     jit/ScratchRegisterAllocator.cpp
     jit/SetupVarargsFrame.cpp
+    jit/TagRegistersMode.cpp
     jit/TempRegisterSet.cpp
     jit/ThunkGenerators.cpp

trunk/Source/JavaScriptCore/ChangeLog

@@ +1 @@
+2016-05-09  Filip Pizlo  <fpizlo@apple.com>
+
+        Polymorphic operands in operators coerces downstream values to double.
+        https://bugs.webkit.org/show_bug.cgi?id=151793
+
+        Reviewed by Mark Lam.
+        
+        Previously if an object flowed into arithmetic, the prediction propagation phase would either
+        assume that the output of the arithmetic had to be double or sometimes it would assume that it
+        couldn't be double. We want it to only assume that the output is double if it actually had been.
+        
+        The first part of this patch is to roll out http://trac.webkit.org/changeset/200502. That removed
+        some of the machinery that we had in place to detect whether the output of an operation is int or
+        double. That changeset claimed that the machinery was "fundamentally broken". It actually wasn't.
+        The reason why it didn't work was that ByteCodeParser was ignoring it if likelyToTakeSlowCase was
+        false. I think this was a complete goof-up: the code in ByteCodeParser::makeSafe was structured
+        in a way that made it non-obvious that the method is a no-op if !likelyToTakeSlowCase. So, this
+        change rolls out r200502 and makes ResultProfile do its job by reshaping how makeSafe processes
+        it.
+        
+        This also makes two other changes to shore up ResultProfile:
+        - OSR exit can now refine a ResultProfile the same way that it refines ValueProfile.
+        - Baseline JIT slow paths now set bits in ResultProfile.
+        
+        Based on this stuff, the DFG now predicts int/double/string in op_add/op_sub/op_mul based on
+        ResultProfiles. To be conservative, we still only use the ResultProfiles if the incoming
+        prediction is not number-or-boolean. This ensures that we exactly retain our old behavior in
+        those cases for which it was tuned. But I hope to remove this soon. I believe that ResultProfile
+        is already strictly better than what prediction propagation was doing before.
+        
+        This can be an enormous win. This patch adds some simple microbenchmarks that demonstrate the
+        problem of assuming that arithmetic on objects returns double. The most extreme of these speeds
+        up 8x with this change (object-int-add-array).
+        
+        * CMakeLists.txt:
+        * JavaScriptCore.xcodeproj/project.pbxproj:
+        * bytecode/CodeBlock.h:
+        (JSC::CodeBlock::addFrequentExitSite):
+        (JSC::CodeBlock::hasExitSite):
+        * bytecode/DFGExitProfile.cpp:
+        (JSC::DFG::FrequentExitSite::dump):
+        (JSC::DFG::ExitProfile::ExitProfile):
+        (JSC::DFG::ExitProfile::~ExitProfile):
+        (JSC::DFG::ExitProfile::add):
+        * bytecode/DFGExitProfile.h:
+        (JSC::DFG::FrequentExitSite::isHashTableDeletedValue):
+        * bytecode/MethodOfGettingAValueProfile.cpp:
+        (JSC::MethodOfGettingAValueProfile::fromLazyOperand):
+        (JSC::MethodOfGettingAValueProfile::emitReportValue):
+        (JSC::MethodOfGettingAValueProfile::getSpecFailBucket): Deleted.
+        * bytecode/MethodOfGettingAValueProfile.h:
+        (JSC::MethodOfGettingAValueProfile::MethodOfGettingAValueProfile):
+        (JSC::MethodOfGettingAValueProfile::operator bool):
+        (JSC::MethodOfGettingAValueProfile::operator!): Deleted.
+        * bytecode/PolymorphicAccess.cpp:
+        (JSC::AccessCase::generateImpl):
+        * bytecode/ValueProfile.cpp:
+        (JSC::ResultProfile::emitDetectBitsLight):
+        (JSC::ResultProfile::emitSetDouble):
+        (JSC::ResultProfile::emitSetNonNumber):
+        (WTF::printInternal):
+        * bytecode/ValueProfile.h:
+        (JSC::ResultProfile::ResultProfile):
+        (JSC::ResultProfile::bytecodeOffset):
+        (JSC::ResultProfile::specialFastPathCount):
+        (JSC::ResultProfile::didObserveNonInt32):
+        (JSC::ResultProfile::didObserveDouble):
+        (JSC::ResultProfile::didObserveNonNegZeroDouble):
+        (JSC::ResultProfile::didObserveNegZeroDouble):
+        (JSC::ResultProfile::didObserveNonNumber):
+        (JSC::ResultProfile::didObserveInt32Overflow):
+        (JSC::ResultProfile::didObserveInt52Overflow):
+        (JSC::ResultProfile::setObservedNonNegZeroDouble):
+        (JSC::ResultProfile::setObservedNegZeroDouble):
+        (JSC::ResultProfile::setObservedNonNumber):
+        (JSC::ResultProfile::setObservedInt32Overflow):
+        (JSC::ResultProfile::addressOfFlags):
+        (JSC::ResultProfile::addressOfSpecialFastPathCount):
+        (JSC::ResultProfile::detectBitsLight):
+        (JSC::ResultProfile::hasBits):
+        * dfg/DFGByteCodeParser.cpp:
+        (JSC::DFG::ByteCodeParser::makeSafe):
+        * dfg/DFGFixupPhase.cpp:
+        (JSC::DFG::FixupPhase::fixupNode):
+        * dfg/DFGGraph.cpp:
+        (JSC::DFG::Graph::ensureNaturalLoops):
+        (JSC::DFG::Graph::methodOfGettingAValueProfileFor):
+        (JSC::DFG::Graph::valueProfileFor): Deleted.
+        * dfg/DFGGraph.h:
+        (JSC::DFG::Graph::hasExitSite):
+        (JSC::DFG::Graph::numBlocks):
+        * dfg/DFGNode.h:
+        (JSC::DFG::Node::arithNodeFlags):
+        (JSC::DFG::Node::mayHaveNonIntResult):
+        (JSC::DFG::Node::mayHaveDoubleResult):
+        (JSC::DFG::Node::mayHaveNonNumberResult):
+        (JSC::DFG::Node::hasConstantBuffer):
+        * dfg/DFGNodeFlags.cpp:
+        (JSC::DFG::dumpNodeFlags):
+        * dfg/DFGNodeFlags.h:
+        * dfg/DFGOSRExitCompiler32_64.cpp:
+        (JSC::DFG::OSRExitCompiler::compileExit):
+        * dfg/DFGOSRExitCompiler64.cpp:
+        (JSC::DFG::OSRExitCompiler::compileExit):
+        * dfg/DFGOperations.cpp:
+        * dfg/DFGOperations.h:
+        * dfg/DFGPredictionPropagationPhase.cpp:
+        * dfg/DFGSpeculativeJIT.h:
+        (JSC::DFG::SpeculativeJIT::callOperation):
+        * ftl/FTLOSRExitCompiler.cpp:
+        (JSC::FTL::compileStub):
+        * jit/AssemblyHelpers.h:
+        (JSC::AssemblyHelpers::branchIfEqual):
+        (JSC::AssemblyHelpers::branchIfNotCell):
+        (JSC::AssemblyHelpers::branchIfNotNumber):
+        (JSC::AssemblyHelpers::branchIfNotDoubleKnownNotInt32):
+        (JSC::AssemblyHelpers::branchIfBoolean):
+        (JSC::AssemblyHelpers::branchIfEmpty):
+        (JSC::AssemblyHelpers::branchStructure):
+        * jit/CCallHelpers.h:
+        (JSC::CCallHelpers::CCallHelpers):
+        (JSC::CCallHelpers::setupArguments):
+        (JSC::CCallHelpers::setupArgumentsWithExecState):
+        * jit/IntrinsicEmitter.cpp:
+        (JSC::AccessCase::emitIntrinsicGetter):
+        * jit/JIT.h:
+        * jit/JITAddGenerator.cpp:
+        (JSC::JITAddGenerator::generateFastPath):
+        * jit/JITAddGenerator.h:
+        (JSC::JITAddGenerator::JITAddGenerator):
+        * jit/JITArithmetic.cpp:
+        (JSC::JIT::emit_op_add):
+        (JSC::JIT::emitSlow_op_add):
+        (JSC::JIT::emit_op_div):
+        (JSC::JIT::emit_op_mul):
+        (JSC::JIT::emitSlow_op_mul):
+        (JSC::JIT::emit_op_sub):
+        (JSC::JIT::emitSlow_op_sub):
+        * jit/JITInlines.h:
+        (JSC::JIT::callOperation):
+        (JSC::JIT::callOperationNoExceptionCheck):
+        * jit/JITMulGenerator.cpp:
+        (JSC::JITMulGenerator::generateFastPath):
+        * jit/JITOperations.cpp:
+        * jit/JITOperations.h:
+        * jit/JITSubGenerator.cpp:
+        (JSC::JITSubGenerator::generateFastPath):
+        * jit/JITSubGenerator.h:
+        (JSC::JITSubGenerator::JITSubGenerator):
+        * jit/TagRegistersMode.cpp: Added.
+        (WTF::printInternal):
+        * jit/TagRegistersMode.h: Added.
+        * runtime/CommonSlowPaths.cpp:
+        (JSC::updateResultProfileForBinaryArithOp):
+
 2016-05-09  Keith Miller  <keith_miller@apple.com>
 

trunk/Source/JavaScriptCore/JavaScriptCore.xcodeproj/project.pbxproj

@@ -1993 +1993 @@
                 DC2143071CA32E55000A8869 /* ICStats.h in Headers */ = {isa = PBXBuildFile; fileRef = DC2143061CA32E52000A8869 /* ICStats.h */; };
                 DC2143081CA32E58000A8869 /* ICStats.cpp in Sources */ = {isa = PBXBuildFile; fileRef = DC2143051CA32E52000A8869 /* ICStats.cpp */; };
+                DC7997831CDE9FA0004D4A09 /* TagRegistersMode.h in Headers */ = {isa = PBXBuildFile; fileRef = DC7997821CDE9F9E004D4A09 /* TagRegistersMode.h */; settings = {ATTRIBUTES = (Private, ); }; };
+                DC7997841CDE9FA2004D4A09 /* TagRegistersMode.cpp in Sources */ = {isa = PBXBuildFile; fileRef = DC7997811CDE9F9E004D4A09 /* TagRegistersMode.cpp */; };
                 DCF3D5691CD2946D003D5C65 /* LazyClassStructure.cpp in Sources */ = {isa = PBXBuildFile; fileRef = DCF3D5641CD29468003D5C65 /* LazyClassStructure.cpp */; };
                 DCF3D56A1CD29470003D5C65 /* LazyClassStructure.h in Headers */ = {isa = PBXBuildFile; fileRef = DCF3D5651CD29468003D5C65 /* LazyClassStructure.h */; settings = {ATTRIBUTES = (Private, ); }; };
@@ -4205 +4207 @@
                 DC2143051CA32E52000A8869 /* ICStats.cpp */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.cpp.cpp; path = ICStats.cpp; sourceTree = "<group>"; };
                 DC2143061CA32E52000A8869 /* ICStats.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = ICStats.h; sourceTree = "<group>"; };
+                DC7997811CDE9F9E004D4A09 /* TagRegistersMode.cpp */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.cpp.cpp; path = TagRegistersMode.cpp; sourceTree = "<group>"; };
+                DC7997821CDE9F9E004D4A09 /* TagRegistersMode.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = TagRegistersMode.h; sourceTree = "<group>"; };
                 DCF3D5641CD29468003D5C65 /* LazyClassStructure.cpp */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.cpp.cpp; path = LazyClassStructure.cpp; sourceTree = "<group>"; };
                 DCF3D5651CD29468003D5C65 /* LazyClassStructure.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = LazyClassStructure.h; sourceTree = "<group>"; };
@@ -5085 +5089 @@
                                 A7386551118697B400540279 /* SpecializedThunkJIT.h */,
                                 A7FF647A18C52E8500B55307 /* SpillRegistersMode.h */,
+                                DC7997811CDE9F9E004D4A09 /* TagRegistersMode.cpp */,
+                                DC7997821CDE9F9E004D4A09 /* TagRegistersMode.h */,
                                 0FC314111814559100033232 /* TempRegisterSet.cpp */,
                                 0F24E54817EE274900ABB217 /* TempRegisterSet.h */,
@@ -7862 +7868 @@
                                 14CA958D16AB50FA00938A06 /* ObjectAllocationProfile.h in Headers */,
                                 DCF3D56C1CD29475003D5C65 /* LazyProperty.h in Headers */,
+                                DC7997831CDE9FA0004D4A09 /* TagRegistersMode.h in Headers */,
                                 BC18C4450E16F5CD00B34460 /* ObjectConstructor.h in Headers */,
                                 996B73221BDA08EF00331B84 /* ObjectConstructor.lut.h in Headers */,
@@ -9017 +9024 @@
                                 A57D23E51890CEBF0031C7FA /* InspectorDebuggerAgent.cpp in Sources */,
                                 A532438918568335002ED692 /* InspectorFrontendDispatchers.cpp in Sources */,
+                                DC7997841CDE9FA2004D4A09 /* TagRegistersMode.cpp in Sources */,
                                 99F1A6FE1B8E6D9400463B26 /* InspectorFrontendRouter.cpp in Sources */,
                                 A5339EC71BB399A90054F005 /* InspectorHeapAgent.cpp in Sources */,

trunk/Source/JavaScriptCore/bytecode/CodeBlock.h

@@ -501 +501 @@
         ASSERT(JITCode::isBaselineCode(jitType()));
         ConcurrentJITLocker locker(m_lock);
-        return m_exitProfile.add(locker, site);
+        return m_exitProfile.add(locker, this, site);
     }
 

trunk/Source/JavaScriptCore/bytecode/DFGExitProfile.cpp

@@ -1 +1 @@
 /*
- * Copyright (C) 2011 Apple Inc. All rights reserved.
+ * Copyright (C) 2011, 2016 Apple Inc. All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
@@ -29 +29 @@
 #if ENABLE(DFG_JIT)
 
+#include "CodeBlock.h"
+
 namespace JSC { namespace DFG {
+
+void FrequentExitSite::dump(PrintStream& out) const
+{
+    out.print("bc#", m_bytecodeOffset, ": ", m_kind, "/", m_jitType);
+}
 
 ExitProfile::ExitProfile() { }
 ExitProfile::~ExitProfile() { }
 
-bool ExitProfile::add(const ConcurrentJITLocker&, const FrequentExitSite& site)
+bool ExitProfile::add(const ConcurrentJITLocker&, CodeBlock* owner, const FrequentExitSite& site)
 {
     ASSERT(site.jitType() != ExitFromAnything);
+
+    if (Options::verboseExitProfile())
+        dataLog(pointerDump(owner), ": Adding exit site: ", site, "\n");
     
     // If we've never seen any frequent exits then create the list and put this site

trunk/Source/JavaScriptCore/bytecode/DFGExitProfile.h

@@ -1 +1 @@
 /*
- * Copyright (C) 2011, 2012, 2013, 2014 Apple Inc. All rights reserved.
+ * Copyright (C) 2011-2014, 2016 Apple Inc. All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
@@ -117 +117 @@
         return m_kind == ExitKindUnset && m_bytecodeOffset;
     }
+    
+    void dump(PrintStream& out) const;
 
 private:
@@ -160 +162 @@
     // rare to begin with, and implies doing O(n) operations on the CodeBlock
     // anyway.
-    bool add(const ConcurrentJITLocker&, const FrequentExitSite&);
+    bool add(const ConcurrentJITLocker&, CodeBlock* owner, const FrequentExitSite&);
     
     // Get the frequent exit sites for a bytecode index. This is O(n), and is

trunk/Source/JavaScriptCore/bytecode/MethodOfGettingAValueProfile.cpp

@@ -1 +1 @@
 /*
- * Copyright (C) 2012, 2013 Apple Inc. All rights reserved.
+ * Copyright (C) 2012, 2013, 2016 Apple Inc. All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
@@ -29 +29 @@
 #if ENABLE(DFG_JIT)
 
+#include "CCallHelpers.h"
 #include "CodeBlock.h"
 #include "JSCInlines.h"
@@ -45 +46 @@
 }
 
-EncodedJSValue* MethodOfGettingAValueProfile::getSpecFailBucket(unsigned index) const
+void MethodOfGettingAValueProfile::emitReportValue(CCallHelpers& jit, JSValueRegs regs) const
 {
     switch (m_kind) {
     case None:
-        return 0;
+        return;
         
     case Ready:
-        return u.profile->specFailBucket(index);
+        jit.storeValue(regs, u.profile->specFailBucket(0));
+        return;
         
     case LazyOperand: {
@@ -60 +62 @@
         LazyOperandValueProfile* profile =
             u.lazyOperand.codeBlock->lazyOperandValueProfiles().add(locker, key);
-        return profile->specFailBucket(index);
+        jit.storeValue(regs, profile->specFailBucket(0));
+        return;
     }
         
-    default:
-        RELEASE_ASSERT_NOT_REACHED();
-        return 0;
-    }
+    case ResultProfileReady: {
+        u.resultProfile->emitDetectNumericness(jit, regs, DoNotHaveTagRegisters);
+        return;
+    } }
+    
+    RELEASE_ASSERT_NOT_REACHED();
 }
 

trunk/Source/JavaScriptCore/bytecode/MethodOfGettingAValueProfile.h

@@ -1 +1 @@
 /*
- * Copyright (C) 2012 Apple Inc. All rights reserved.
+ * Copyright (C) 2012, 2016 Apple Inc. All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
@@ -33 +33 @@
 #if ENABLE(DFG_JIT)
 
+#include "GPRInfo.h"
 #include "JSCJSValue.h"
 
 namespace JSC {
 
+class CCallHelpers;
 class CodeBlock;
 class LazyOperandValueProfileKey;
+struct ResultProfile;
 struct ValueProfile;
 
@@ -48 +51 @@
     }
     
-    explicit MethodOfGettingAValueProfile(ValueProfile* profile)
+    MethodOfGettingAValueProfile(ValueProfile* profile)
     {
         if (profile) {
@@ -57 +60 @@
     }
     
+    MethodOfGettingAValueProfile(ResultProfile* profile)
+    {
+        if (profile) {
+            m_kind = ResultProfileReady;
+            u.resultProfile = profile;
+        } else
+            m_kind = None;
+    }
+    
     static MethodOfGettingAValueProfile fromLazyOperand(
         CodeBlock*, const LazyOperandValueProfileKey&);
     
-    bool operator!() const { return m_kind == None; }
+    explicit operator bool() const { return m_kind != None; }
     
-    // This logically has a pointer to a "There exists X such that
-    // ValueProfileBase<X>". But since C++ does not have existential
-    // templates, I cannot return it. So instead, for any methods that
-    // users of this class would like to call, we'll just have to provide
-    // a method here that does it through an indirection. Or we could
-    // possibly just make ValueProfile less template-based. But last I
-    // tried that, it felt more yucky than this class.
-    
-    EncodedJSValue* getSpecFailBucket(unsigned index) const;
+    void emitReportValue(CCallHelpers&, JSValueRegs) const;
     
 private:
@@ -76 +80 @@
         None,
         Ready,
+        ResultProfileReady,
         LazyOperand
     };
@@ -82 +87 @@
     union {
         ValueProfile* profile;
+        ResultProfile* resultProfile;
         struct {
             CodeBlock* codeBlock;

trunk/Source/JavaScriptCore/bytecode/PolymorphicAccess.cpp

@@ -1147 +1147 @@
                 dataLog("Have type: ", type->descriptor(), "\n");
             state.failAndRepatch.append(
-                jit.branchIfNotType(
-                    valueRegs, scratchGPR, type->descriptor(), CCallHelpers::HaveTagRegisters));
+                jit.branchIfNotType(valueRegs, scratchGPR, type->descriptor()));
         } else if (verbose)
             dataLog("Don't have type.\n");
@@ -1178 +1177 @@
                 dataLog("Have type: ", type->descriptor(), "\n");
             state.failAndRepatch.append(
-                jit.branchIfNotType(
-                    valueRegs, scratchGPR, type->descriptor(), CCallHelpers::HaveTagRegisters));
+                jit.branchIfNotType(valueRegs, scratchGPR, type->descriptor()));
         } else if (verbose)
             dataLog("Don't have type.\n");

trunk/Source/JavaScriptCore/bytecode/ValueProfile.cpp

@@ -1 +1 @@
 /*
- * Copyright (C) 2015 Apple Inc. All rights reserved.
+ * Copyright (C) 2015-2016 Apple Inc. All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
@@ -27 +27 @@
 #include "ValueProfile.h"
 
+#include "CCallHelpers.h"
+#include "JSCInlines.h"
+
+namespace JSC {
+
+void ResultProfile::emitDetectNumericness(CCallHelpers& jit, JSValueRegs regs, TagRegistersMode mode)
+{
+    CCallHelpers::Jump isInt32 = jit.branchIfInt32(regs, mode);
+    CCallHelpers::Jump notDouble = jit.branchIfNotDoubleKnownNotInt32(regs, mode);
+    // FIXME: We could be more precise here.
+    emitSetDouble(jit);
+    CCallHelpers::Jump done = jit.jump();
+    notDouble.link(&jit);
+    emitSetNonNumber(jit);
+    done.link(&jit);
+    isInt32.link(&jit);
+}
+
+void ResultProfile::emitSetDouble(CCallHelpers& jit)
+{
+    jit.or32(CCallHelpers::TrustedImm32(ResultProfile::Int32Overflow | ResultProfile::Int52Overflow | ResultProfile::NegZeroDouble | ResultProfile::NonNegZeroDouble), CCallHelpers::AbsoluteAddress(addressOfFlags()));
+}
+
+void ResultProfile::emitSetNonNumber(CCallHelpers& jit)
+{
+    jit.or32(CCallHelpers::TrustedImm32(ResultProfile::NonNumber), CCallHelpers::AbsoluteAddress(addressOfFlags()));
+}
+
+} // namespace JSC
+
 namespace WTF {
     
@@ -35 +65 @@
     const char* separator = "";
 
-    if (profile.didObserveNegZeroDouble()) {
-        out.print(separator, "NegZeroDouble");
+    if (!profile.didObserveNonInt32()) {
+        out.print("Int32");
         separator = "|";
+    } else {
+        if (profile.didObserveNegZeroDouble()) {
+            out.print(separator, "NegZeroDouble");
+            separator = "|";
+        }
+        if (profile.didObserveNonNegZeroDouble()) {
+            out.print("NonNegZeroDouble");
+            separator = "|";
+        }
+        if (profile.didObserveNonNumber()) {
+            out.print("NonNumber");
+            separator = "|";
+        }
+        if (profile.didObserveInt32Overflow()) {
+            out.print("Int32Overflow");
+            separator = "|";
+        }
+        if (profile.didObserveInt52Overflow()) {
+            out.print("Int52Overflow");
+            separator = "|";
+        }
     }
-    if (profile.didObserveNonNumber()) {
-        out.print("NonNumber");
-        separator = "|";
-    }
-    if (profile.didObserveInt32Overflow()) {
-        out.print("Int32Overflow");
-        separator = "|";
-    }
-    if (profile.didObserveInt52Overflow()) {
-        out.print("Int52Overflow");
-        separator = "|";
-    }
-
     if (profile.specialFastPathCount()) {
         out.print(" special fast path: ");

trunk/Source/JavaScriptCore/bytecode/ValueProfile.h

@@ -1 +1 @@
 /*
- * Copyright (C) 2011, 2012, 2013 Apple Inc. All rights reserved.
+ * Copyright (C) 2011-2013, 2016 Apple Inc. All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
@@ -35 +35 @@
 #include "SpeculatedType.h"
 #include "Structure.h"
+#include "TagRegistersMode.h"
 #include "WriteBarrier.h"
 #include <wtf/PrintStream.h>
@@ -40 +41 @@
 
 namespace JSC {
+
+class CCallHelpers;
 
 template<unsigned numberOfBucketsArgument>
@@ -219 +222 @@
 
     enum ObservedResults {
-        NegZeroDouble    = 1 << 0,
-        NonNumber        = 1 << 1,
-        Int32Overflow    = 1 << 2,
-        Int52Overflow    = 1 << 3,
+        NonNegZeroDouble = 1 << 0,
+        NegZeroDouble    = 1 << 1,
+        NonNumber        = 1 << 2,
+        Int32Overflow    = 1 << 3,
+        Int52Overflow    = 1 << 4,
     };
 
@@ -228 +232 @@
     unsigned specialFastPathCount() const { return m_specialFastPathCount; }
 
+    bool didObserveNonInt32() const { return hasBits(NonNegZeroDouble | NegZeroDouble | NonNumber); }
+    bool didObserveDouble() const { return hasBits(NonNegZeroDouble | NegZeroDouble); }
+    bool didObserveNonNegZeroDouble() const { return hasBits(NonNegZeroDouble); }
     bool didObserveNegZeroDouble() const { return hasBits(NegZeroDouble); }
     bool didObserveNonNumber() const { return hasBits(NonNumber); }
@@ -233 +240 @@
     bool didObserveInt52Overflow() const { return hasBits(Int52Overflow); }
 
+    void setObservedNonNegZeroDouble() { setBit(NonNegZeroDouble); }
     void setObservedNegZeroDouble() { setBit(NegZeroDouble); }
     void setObservedNonNumber() { setBit(NonNumber); }
@@ -240 +248 @@
     void* addressOfFlags() { return &m_bytecodeOffsetAndFlags; }
     void* addressOfSpecialFastPathCount() { return &m_specialFastPathCount; }
+    
+    // Sets (Int32Overflow | Int52Overflow | NonNegZeroDouble | NegZeroDouble) if it sees a
+    // double. Sets NonNumber if it sees a non-number.
+    void emitDetectNumericness(CCallHelpers&, JSValueRegs, TagRegistersMode = HaveTagRegisters);
+    
+    void detectNumericness(JSValue value)
+    {
+        if (value.isInt32())
+            return;
+        if (value.isNumber()) {
+            m_bytecodeOffsetAndFlags |= Int32Overflow | Int52Overflow | NonNegZeroDouble | NegZeroDouble;
+            return;
+        }
+        m_bytecodeOffsetAndFlags |= NonNumber;
+    }
+    
+    // Sets (Int32Overflow | Int52Overflow | NonNegZeroDouble | NegZeroDouble).
+    void emitSetDouble(CCallHelpers&);
+    
+    // Sets NonNumber.
+    void emitSetNonNumber(CCallHelpers&);
 
 private:

trunk/Source/JavaScriptCore/dfg/DFGByteCodeParser.cpp

@@ -907 +907 @@
             return node;
 
-        if (!m_inlineStackTop->m_profiledBlock->likelyToTakeSlowCase(m_currentIndex))
-            return node;
-        
-        switch (node->op()) {
-        case UInt32ToNumber:
-        case ArithAdd:
-        case ArithSub:
-        case ValueAdd:
-        case ArithMod: // for ArithMod "MayOverflow" means we tried to divide by zero, or we saw double.
-            node->mergeFlags(NodeMayOverflowInt32InBaseline);
-            break;
-            
-        case ArithNegate:
-            // Currently we can't tell the difference between a negation overflowing
-            // (i.e. -(1 << 31)) or generating negative zero (i.e. -0). If it took slow
-            // path then we assume that it did both of those things.
-            node->mergeFlags(NodeMayOverflowInt32InBaseline);
-            node->mergeFlags(NodeMayNegZeroInBaseline);
-            break;
-
-        case ArithMul: {
-            ResultProfile& resultProfile = *m_inlineStackTop->m_profiledBlock->resultProfileForBytecodeOffset(m_currentIndex);
-            if (resultProfile.didObserveInt52Overflow())
-                node->mergeFlags(NodeMayOverflowInt52);
-            if (resultProfile.didObserveInt32Overflow() || m_inlineStackTop->m_exitProfile.hasExitSite(m_currentIndex, Overflow))
+        ResultProfile* resultProfile = m_inlineStackTop->m_profiledBlock->resultProfileForBytecodeOffset(m_currentIndex);
+        if (resultProfile) {
+            switch (node->op()) {
+            case ArithAdd:
+            case ArithSub:
+            case ValueAdd:
+                if (resultProfile->didObserveDouble())
+                    node->mergeFlags(NodeMayHaveDoubleResult);
+                if (resultProfile->didObserveNonNumber())
+                    node->mergeFlags(NodeMayHaveNonNumberResult);
+                break;
+                
+            case ArithMul: {
+                if (resultProfile->didObserveInt52Overflow())
+                    node->mergeFlags(NodeMayOverflowInt52);
+                if (resultProfile->didObserveInt32Overflow() || m_inlineStackTop->m_exitProfile.hasExitSite(m_currentIndex, Overflow))
+                    node->mergeFlags(NodeMayOverflowInt32InBaseline);
+                if (resultProfile->didObserveNegZeroDouble() || m_inlineStackTop->m_exitProfile.hasExitSite(m_currentIndex, NegativeZero))
+                    node->mergeFlags(NodeMayNegZeroInBaseline);
+                if (resultProfile->didObserveDouble())
+                    node->mergeFlags(NodeMayHaveDoubleResult);
+                if (resultProfile->didObserveNonNumber())
+                    node->mergeFlags(NodeMayHaveNonNumberResult);
+                break;
+            }
+                
+            default:
+                break;
+            }
+        }
+        
+        if (m_inlineStackTop->m_profiledBlock->likelyToTakeSlowCase(m_currentIndex)) {
+            switch (node->op()) {
+            case UInt32ToNumber:
+            case ArithAdd:
+            case ArithSub:
+            case ValueAdd:
+            case ArithMod: // for ArithMod "MayOverflow" means we tried to divide by zero, or we saw double.
                 node->mergeFlags(NodeMayOverflowInt32InBaseline);
-            if (resultProfile.didObserveNegZeroDouble() || m_inlineStackTop->m_exitProfile.hasExitSite(m_currentIndex, NegativeZero))
+                break;
+                
+            case ArithNegate:
+                // Currently we can't tell the difference between a negation overflowing
+                // (i.e. -(1 << 31)) or generating negative zero (i.e. -0). If it took slow
+                // path then we assume that it did both of those things.
+                node->mergeFlags(NodeMayOverflowInt32InBaseline);
                 node->mergeFlags(NodeMayNegZeroInBaseline);
-            break;
-        }
-
-        default:
-            RELEASE_ASSERT_NOT_REACHED();
-            break;
+                break;
+                
+            default:
+                break;
+            }
         }
         

trunk/Source/JavaScriptCore/dfg/DFGFixupPhase.cpp

@@ -193 +193 @@
         case ArithSub: {
             if (op == ArithSub
-                && Node::shouldSpeculateUntypedForArithmetic(node->child1().node(), node->child2().node())
-                && m_graph.hasExitSite(node->origin.semantic, BadType)) {
-
+                && Node::shouldSpeculateUntypedForArithmetic(node->child1().node(), node->child2().node())) {
                 fixEdge<UntypedUse>(node->child1());
                 fixEdge<UntypedUse>(node->child2());
@@ -237 +235 @@
             Edge& leftChild = node->child1();
             Edge& rightChild = node->child2();
-            if (Node::shouldSpeculateUntypedForArithmetic(leftChild.node(), rightChild.node())
-                && m_graph.hasExitSite(node->origin.semantic, BadType)) {
+            if (Node::shouldSpeculateUntypedForArithmetic(leftChild.node(), rightChild.node())) {
                 fixEdge<UntypedUse>(leftChild);
                 fixEdge<UntypedUse>(rightChild);

trunk/Source/JavaScriptCore/dfg/DFGGraph.cpp

@@ -1447 +1447 @@
 }
 
-ValueProfile* Graph::valueProfileFor(Node* node)
-{
-    if (!node)
-        return nullptr;
-        
-    CodeBlock* profiledBlock = baselineCodeBlockFor(node->origin.semantic);
-        
-    if (node->hasLocal(*this)) {
-        if (!node->local().isArgument())
-            return nullptr;
-        int argument = node->local().toArgument();
-        Node* argumentNode = m_arguments[argument];
-        if (!argumentNode)
-            return nullptr;
-        if (node->variableAccessData() != argumentNode->variableAccessData())
-            return nullptr;
-        return profiledBlock->valueProfileForArgument(argument);
-    }
-        
-    if (node->hasHeapPrediction())
-        return profiledBlock->valueProfileForBytecodeOffset(node->origin.semantic.bytecodeIndex);
-        
-    return nullptr;
-}
-
 MethodOfGettingAValueProfile Graph::methodOfGettingAValueProfileFor(Node* node)
 {
-    if (!node)
-        return MethodOfGettingAValueProfile();
-    
-    if (ValueProfile* valueProfile = valueProfileFor(node))
-        return MethodOfGettingAValueProfile(valueProfile);
-    
-    if (node->op() == GetLocal) {
+    while (node) {
         CodeBlock* profiledBlock = baselineCodeBlockFor(node->origin.semantic);
         
-        return MethodOfGettingAValueProfile::fromLazyOperand(
-            profiledBlock,
-            LazyOperandValueProfileKey(
-                node->origin.semantic.bytecodeIndex, node->local()));
+        if (node->hasLocal(*this)) {
+            ValueProfile* result = [&] () -> ValueProfile* {
+                if (!node->local().isArgument())
+                    return nullptr;
+                int argument = node->local().toArgument();
+                Node* argumentNode = m_arguments[argument];
+                if (!argumentNode)
+                    return nullptr;
+                if (node->variableAccessData() != argumentNode->variableAccessData())
+                    return nullptr;
+                return profiledBlock->valueProfileForArgument(argument);
+            }();
+            if (result)
+                return result;
+            
+            if (node->op() == GetLocal) {
+                return MethodOfGettingAValueProfile::fromLazyOperand(
+                    profiledBlock,
+                    LazyOperandValueProfileKey(
+                        node->origin.semantic.bytecodeIndex, node->local()));
+            }
+        }
+        
+        if (node->hasHeapPrediction())
+            return profiledBlock->valueProfileForBytecodeOffset(node->origin.semantic.bytecodeIndex);
+        
+        if (ResultProfile* result = profiledBlock->resultProfileForBytecodeOffset(node->origin.semantic.bytecodeIndex))
+            return result;
+        
+        switch (node->op()) {
+        case Identity:
+        case ValueRep:
+        case DoubleRep:
+        case Int52Rep:
+            node = node->child1().node();
+            break;
+        default:
+            node = nullptr;
+        }
     }
     

trunk/Source/JavaScriptCore/dfg/DFGGraph.h

@@ -401 +401 @@
     }
     
-    ValueProfile* valueProfileFor(Node*);
     MethodOfGettingAValueProfile methodOfGettingAValueProfileFor(Node*);
     

trunk/Source/JavaScriptCore/dfg/DFGNode.h

@@ -951 +951 @@
             return result;
         return result & ~NodeBytecodeNeedsNegZero;
+    }
+
+    bool mayHaveNonIntResult()
+    {
+        return m_flags & NodeMayHaveNonIntResult;
+    }
+    
+    bool mayHaveDoubleResult()
+    {
+        return m_flags & NodeMayHaveDoubleResult;
+    }
+    
+    bool mayHaveNonNumberResult()
+    {
+        return m_flags & NodeMayHaveNonNumberResult;
     }
 

trunk/Source/JavaScriptCore/dfg/DFGNodeFlags.cpp

@@ -86 +86 @@
     }
 
+    if (flags & NodeMayHaveDoubleResult)
+        out.print(comma, "MayHaveDoubleResult");
+
+    if (flags & NodeMayHaveNonNumberResult)
+        out.print(comma, "MayHaveNonNumberResult");
+
     if (flags & NodeMayOverflowInt52)
         out.print(comma, "MayOverflowInt52");

trunk/Source/JavaScriptCore/dfg/DFGNodeFlags.h

@@ -49 +49 @@
     
 #define NodeBehaviorMask                 0x07e0
+#define NodeMayHaveDoubleResult          0x0020
 #define NodeMayOverflowInt52             0x0040
 #define NodeMayOverflowInt32InBaseline   0x0080
@@ -54 +55 @@
 #define NodeMayNegZeroInBaseline         0x0200
 #define NodeMayNegZeroInDFG              0x0400
+#define NodeMayHaveNonNumberResult       0x0800
+#define NodeMayHaveNonIntResult          (NodeMayHaveDoubleResult | NodeMayHaveNonNumberResult)
                                 
-#define NodeBytecodeBackPropMask         0xf800
-#define NodeBytecodeUseBottom            0x0000
-#define NodeBytecodeUsesAsNumber         0x0800 // The result of this computation may be used in a context that observes fractional, or bigger-than-int32, results.
-#define NodeBytecodeNeedsNegZero         0x1000 // The result of this computation may be used in a context that observes -0.
-#define NodeBytecodeUsesAsOther          0x2000 // The result of this computation may be used in a context that distinguishes between NaN and other things (like undefined).
-#define NodeBytecodeUsesAsValue          (NodeBytecodeUsesAsNumber | NodeBytecodeNeedsNegZero | NodeBytecodeUsesAsOther)
-#define NodeBytecodeUsesAsInt            0x4000 // The result of this computation is known to be used in a context that prefers, but does not require, integer values.
-#define NodeBytecodeUsesAsArrayIndex     0x8000 // The result of this computation is known to be used in a context that strongly prefers integer values, to the point that we should avoid using doubles if at all possible.
+#define NodeBytecodeBackPropMask        0x1f000
+#define NodeBytecodeUseBottom           0x00000
+#define NodeBytecodeUsesAsNumber        0x01000 // The result of this computation may be used in a context that observes fractional, or bigger-than-int32, results.
+#define NodeBytecodeNeedsNegZero        0x02000 // The result of this computation may be used in a context that observes -0.
+#define NodeBytecodeUsesAsOther         0x04000 // The result of this computation may be used in a context that distinguishes between NaN and other things (like undefined).
+#define NodeBytecodeUsesAsValue         (NodeBytecodeUsesAsNumber | NodeBytecodeNeedsNegZero | NodeBytecodeUsesAsOther)
+#define NodeBytecodeUsesAsInt           0x08000 // The result of this computation is known to be used in a context that prefers, but does not require, integer values.
+#define NodeBytecodeUsesAsArrayIndex    0x10000 // The result of this computation is known to be used in a context that strongly prefers integer values, to the point that we should avoid using doubles if at all possible.
 
 #define NodeArithFlagsMask               (NodeBehaviorMask | NodeBytecodeBackPropMask)
 
-#define NodeIsFlushed                   0x10000 // Computed by CPSRethreadingPhase, will tell you which local nodes are backwards-reachable from a Flush.
+#define NodeIsFlushed                   0x20000 // Computed by CPSRethreadingPhase, will tell you which local nodes are backwards-reachable from a Flush.
 
-#define NodeMiscFlag1                   0x20000
-#define NodeMiscFlag2                   0x40000
-#define NodeMiscFlag3                   0x80000
+#define NodeMiscFlag1                   0x40000
+#define NodeMiscFlag2                   0x80000
 
 typedef uint32_t NodeFlags;

trunk/Source/JavaScriptCore/dfg/DFGOSRExitCompiler32_64.cpp

@@ -1 +1 @@
 /*
- * Copyright (C) 2011, 2013-2015 Apple Inc. All rights reserved.
+ * Copyright (C) 2011, 2013-2016 Apple Inc. All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
@@ -129 +129 @@
         }
         
-        if (!!exit.m_valueProfile) {
-            EncodedJSValue* bucket = exit.m_valueProfile.getSpecFailBucket(0);
-        
+        if (MethodOfGettingAValueProfile profile = exit.m_valueProfile) {
             if (exit.m_jsValueSource.isAddress()) {
                 // Save a register so we can use it.
-                GPRReg scratch = AssemblyHelpers::selectScratchGPR(exit.m_jsValueSource.base());
-                
-                m_jit.push(scratch);
-
-                m_jit.load32(exit.m_jsValueSource.asAddress(OBJECT_OFFSETOF(EncodedValueDescriptor, asBits.tag)), scratch);
-                m_jit.store32(scratch, &bitwise_cast<EncodedValueDescriptor*>(bucket)->asBits.tag);
-                m_jit.load32(exit.m_jsValueSource.asAddress(OBJECT_OFFSETOF(EncodedValueDescriptor, asBits.payload)), scratch);
-                m_jit.store32(scratch, &bitwise_cast<EncodedValueDescriptor*>(bucket)->asBits.payload);
-                
-                m_jit.pop(scratch);
+                GPRReg scratchPayload = AssemblyHelpers::selectScratchGPR(exit.m_jsValueSource.base());
+                GPRReg scratchTag = AssemblyHelpers::selectScratchGPR(exit.m_jsValueSource.base(), scratchPayload);
+                m_jit.pushToSave(scratchPayload);
+                m_jit.pushToSave(scratchTag);
+
+                JSValueRegs scratch(scratchTag, scratchPayload);
+                
+                m_jit.loadValue(exit.m_jsValueSource.asAddress(), scratch);
+                profile.emitReportValue(m_jit, scratch);
+                
+                m_jit.popToRestore(scratchTag);
+                m_jit.popToRestore(scratchPayload);
             } else if (exit.m_jsValueSource.hasKnownTag()) {
-                m_jit.store32(AssemblyHelpers::TrustedImm32(exit.m_jsValueSource.tag()), &bitwise_cast<EncodedValueDescriptor*>(bucket)->asBits.tag);
-                m_jit.store32(exit.m_jsValueSource.payloadGPR(), &bitwise_cast<EncodedValueDescriptor*>(bucket)->asBits.payload);
-            } else {
-                m_jit.store32(exit.m_jsValueSource.tagGPR(), &bitwise_cast<EncodedValueDescriptor*>(bucket)->asBits.tag);
-                m_jit.store32(exit.m_jsValueSource.payloadGPR(), &bitwise_cast<EncodedValueDescriptor*>(bucket)->asBits.payload);
-            }
+                GPRReg scratchTag = AssemblyHelpers::selectScratchGPR(exit.m_jsValueSource.payloadGPR());
+                m_jit.pushToSave(scratchTag);
+                m_jit.move(AssemblyHelpers::TrustedImm32(exit.m_jsValueSource.tag()), scratchTag);
+                JSValueRegs value(scratchTag, exit.m_jsValueSource.payloadGPR());
+                profile.emitReportValue(m_jit, value);
+                m_jit.popToRestore(scratchTag);
+            } else
+                profile.emitReportValue(m_jit, exit.m_jsValueSource.regs());
         }
     }

trunk/Source/JavaScriptCore/dfg/DFGOSRExitCompiler64.cpp

@@ -1 +1 @@
 /*
- * Copyright (C) 2011, 2013-2015 Apple Inc. All rights reserved.
+ * Copyright (C) 2011, 2013-2016 Apple Inc. All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
@@ -135 +135 @@
         }
         
-        if (!!exit.m_valueProfile) {
-            EncodedJSValue* bucket = exit.m_valueProfile.getSpecFailBucket(0);
-            
+        if (MethodOfGettingAValueProfile profile = exit.m_valueProfile) {
             if (exit.m_jsValueSource.isAddress()) {
                 // We can't be sure that we have a spare register. So use the tagTypeNumberRegister,
                 // since we know how to restore it.
                 m_jit.load64(AssemblyHelpers::Address(exit.m_jsValueSource.asAddress()), GPRInfo::tagTypeNumberRegister);
-                m_jit.store64(GPRInfo::tagTypeNumberRegister, bucket);
+                profile.emitReportValue(m_jit, JSValueRegs(GPRInfo::tagTypeNumberRegister));
                 m_jit.move(AssemblyHelpers::TrustedImm64(TagTypeNumber), GPRInfo::tagTypeNumberRegister);
             } else
-                m_jit.store64(exit.m_jsValueSource.gpr(), bucket);
+                profile.emitReportValue(m_jit, JSValueRegs(exit.m_jsValueSource.gpr()));
         }
     }

trunk/Source/JavaScriptCore/dfg/DFGOperations.cpp

@@ -279 +279 @@
 }
 
-EncodedJSValue JIT_OPERATION operationValueAdd(ExecState* exec, EncodedJSValue encodedOp1, EncodedJSValue encodedOp2)
-{
-    VM* vm = &exec->vm();
-    NativeCallFrameTracer tracer(vm, exec);
-    
-    JSValue op1 = JSValue::decode(encodedOp1);
-    JSValue op2 = JSValue::decode(encodedOp2);
-    
-    return JSValue::encode(jsAdd(exec, op1, op2));
-}
-
 EncodedJSValue JIT_OPERATION operationValueAddNotNumber(ExecState* exec, EncodedJSValue encodedOp1, EncodedJSValue encodedOp2)
 {
@@ -317 +306 @@
     double b = op2.toNumber(exec);
     return JSValue::encode(jsNumber(a / b));
-}
-
-EncodedJSValue JIT_OPERATION operationValueMul(ExecState* exec, EncodedJSValue encodedOp1, EncodedJSValue encodedOp2)
-{
-    VM* vm = &exec->vm();
-    NativeCallFrameTracer tracer(vm, exec);
-
-    JSValue op1 = JSValue::decode(encodedOp1);
-    JSValue op2 = JSValue::decode(encodedOp2);
-
-    double a = op1.toNumber(exec);
-    double b = op2.toNumber(exec);
-    return JSValue::encode(jsNumber(a * b));
-}
-
-EncodedJSValue JIT_OPERATION operationValueSub(ExecState* exec, EncodedJSValue encodedOp1, EncodedJSValue encodedOp2)
-{
-    VM* vm = &exec->vm();
-    NativeCallFrameTracer tracer(vm, exec);
-    
-    JSValue op1 = JSValue::decode(encodedOp1);
-    JSValue op2 = JSValue::decode(encodedOp2);
-
-    double a = op1.toNumber(exec);
-    double b = op2.toNumber(exec);
-    return JSValue::encode(jsNumber(a - b));
 }
 

trunk/Source/JavaScriptCore/dfg/DFGOperations.h

@@ -52 +52 @@
 EncodedJSValue JIT_OPERATION operationValueBitRShift(ExecState*, EncodedJSValue encodedOp1, EncodedJSValue encodedOp2) WTF_INTERNAL;
 EncodedJSValue JIT_OPERATION operationValueBitURShift(ExecState*, EncodedJSValue encodedOp1, EncodedJSValue encodedOp2) WTF_INTERNAL;
-EncodedJSValue JIT_OPERATION operationValueAdd(ExecState*, EncodedJSValue encodedOp1, EncodedJSValue encodedOp2) WTF_INTERNAL;
 EncodedJSValue JIT_OPERATION operationValueAddNotNumber(ExecState*, EncodedJSValue encodedOp1, EncodedJSValue encodedOp2) WTF_INTERNAL;
 EncodedJSValue JIT_OPERATION operationValueDiv(ExecState*, EncodedJSValue encodedOp1, EncodedJSValue encodedOp2) WTF_INTERNAL;
-EncodedJSValue JIT_OPERATION operationValueMul(ExecState*, EncodedJSValue encodedOp1, EncodedJSValue encodedOp2) WTF_INTERNAL;
-EncodedJSValue JIT_OPERATION operationValueSub(ExecState*, EncodedJSValue encodedOp1, EncodedJSValue encodedOp2) WTF_INTERNAL;
 EncodedJSValue JIT_OPERATION operationGetByVal(ExecState*, EncodedJSValue encodedBase, EncodedJSValue encodedProperty) WTF_INTERNAL;
 EncodedJSValue JIT_OPERATION operationGetByValCell(ExecState*, JSCell*, EncodedJSValue encodedProperty) WTF_INTERNAL;

trunk/Source/JavaScriptCore/dfg/DFGPredictionPropagationPhase.cpp

@@ -192 +192 @@
                     else
                         changed |= mergePrediction(speculatedDoubleTypeForPredictions(left, right));
-                } else if (
-                    !(left & (SpecFullNumber | SpecBoolean))
-                    || !(right & (SpecFullNumber | SpecBoolean))) {
+                } else if (isStringOrStringObjectSpeculation(left) && isStringOrStringObjectSpeculation(right)) {
                     // left or right is definitely something other than a number.
                     changed |= mergePrediction(SpecString);
-                } else
-                    changed |= mergePrediction(SpecString | SpecInt32Only | SpecBytecodeDouble);
+                } else {
+                    changed |= mergePrediction(SpecInt32Only);
+                    if (node->mayHaveDoubleResult())
+                        changed |= mergePrediction(SpecBytecodeDouble);
+                    if (node->mayHaveNonNumberResult())
+                        changed |= mergePrediction(SpecString);
+                }
             }
             break;
@@ -212 +215 @@
                 else if (m_graph.addShouldSpeculateAnyInt(node))
                     changed |= mergePrediction(SpecInt52Only);
+                else if (isFullNumberOrBooleanSpeculation(left) && isFullNumberOrBooleanSpeculation(right))
+                    changed |= mergePrediction(speculatedDoubleTypeForPredictions(left, right));
+                else if (node->mayHaveNonIntResult() || (left & SpecBytecodeDouble) || (right & SpecBytecodeDouble))
+                    changed |= mergePrediction(SpecInt32Only | SpecBytecodeDouble);
                 else
-                    changed |= mergePrediction(speculatedDoubleTypeForPredictions(left, right));
+                    changed |= mergePrediction(SpecInt32Only);
             }
             break;
@@ -231 +238 @@
                     else
                         changed |= mergePrediction(speculatedDoubleTypeForPredictions(left, right));
-                } else
+                } else if (node->mayHaveNonIntResult() || (left & SpecBytecodeDouble) || (right & SpecBytecodeDouble))
                     changed |= mergePrediction(SpecInt32Only | SpecBytecodeDouble);
+                else
+                    changed |= mergePrediction(SpecInt32Only);
             }
             break;
@@ -268 +277 @@
             
             if (left && right) {
+                // FIXME: We're currently relying on prediction propagation and backwards propagation
+                // whenever we can, and only falling back on result flags if that fails. And the result
+                // flags logic doesn't know how to use backwards propagation. We should get rid of the
+                // prediction propagation logic and rely solely on the result type.
                 if (isFullNumberOrBooleanSpeculationExpectingDefined(left)
                     && isFullNumberOrBooleanSpeculationExpectingDefined(right)) {
@@ -276 +289 @@
                     else
                         changed |= mergePrediction(speculatedDoubleTypeForPredictions(left, right));
-                } else
-                    changed |= mergePrediction(SpecInt32Only | SpecBytecodeDouble);
+                } else {
+                    if (node->mayHaveNonIntResult()
+                        || (left & SpecBytecodeDouble)
+                        || (right & SpecBytecodeDouble))
+                        changed |= mergePrediction(SpecInt32Only | SpecBytecodeDouble);
+                    else
+                        changed |= mergePrediction(SpecInt32Only);
+                }
             }
             break;

trunk/Source/JavaScriptCore/dfg/DFGSpeculativeJIT.h

@@ -1688 +1688 @@
 #else // USE(JSVALUE32_64)
 
-// EncodedJSValue in JSVALUE32_64 is a 64-bit integer. When being compiled in ARM EABI, it must be aligned on an even-numbered register (r0, r2 or [sp]).
-// To prevent the assembler from using wrong registers, let's occupy r1 or r3 with a dummy argument when necessary.
-#if (COMPILER_SUPPORTS(EABI) && CPU(ARM)) || CPU(MIPS)
-#define EABI_32BIT_DUMMY_ARG      TrustedImm32(0),
-#else
-#define EABI_32BIT_DUMMY_ARG
-#endif
-
-// JSVALUE32_64 is a 64-bit integer that cannot be put half in an argument register and half on stack when using SH4 architecture.
-// To avoid this, let's occupy the 4th argument register (r7) with a dummy argument when necessary. This must only be done when there
-// is no other 32-bit value argument behind this 64-bit JSValue.
-#if CPU(SH4)
-#define SH4_32BIT_DUMMY_ARG      TrustedImm32(0),
-#else
-#define SH4_32BIT_DUMMY_ARG
-#endif
-
     JITCompiler::Call callOperation(J_JITOperation_EJJI operation, GPRReg resultTag, GPRReg resultPayload, GPRReg arg1Tag, GPRReg arg1Payload, GPRReg arg2Tag, GPRReg arg2Payload, UniquedStringImpl* uid)
     {
@@ -2145 +2128 @@
         return appendCall(operation);
     }
-#undef EABI_32BIT_DUMMY_ARG
-#undef SH4_32BIT_DUMMY_ARG
     
     template<typename FunctionType>

trunk/Source/JavaScriptCore/ftl/FTLOSRExitCompiler.cpp

@@ -1 +1 @@
 /*
- * Copyright (C) 2013-2015 Apple Inc. All rights reserved.
+ * Copyright (C) 2013-2016 Apple Inc. All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
@@ -285 +285 @@
         }
 
-        if (!!exit.m_descriptor->m_valueProfile)
-            jit.store64(GPRInfo::regT0, exit.m_descriptor->m_valueProfile.getSpecFailBucket(0));
+        if (exit.m_descriptor->m_valueProfile)
+            exit.m_descriptor->m_valueProfile.emitReportValue(jit, JSValueRegs(GPRInfo::regT0));
     }
 

trunk/Source/JavaScriptCore/jit/AssemblyHelpers.h

@@ -654 +654 @@
     }
 
-    enum TagRegistersMode {
-        DoNotHaveTagRegisters,
-        HaveTagRegisters
-    };
-
     Jump branchIfNotCell(GPRReg reg, TagRegistersMode mode = HaveTagRegisters)
     {
@@ -781 +776 @@
         add32(TrustedImm32(1), regs.tagGPR(), tempGPR);
         return branch32(AboveOrEqual, tempGPR, TrustedImm32(JSValue::LowestTag + 1));
+#endif
+    }
+
+    Jump branchIfNotDoubleKnownNotInt32(JSValueRegs regs, TagRegistersMode mode = HaveTagRegisters)
+    {
+#if USE(JSVALUE64)
+        if (mode == HaveTagRegisters)
+            return branchTest64(Zero, regs.gpr(), GPRInfo::tagTypeNumberRegister);
+        return branchTest64(Zero, regs.gpr(), TrustedImm64(TagTypeNumber));
+#else
+        UNUSED_PARAM(mode);
+        return branch32(AboveOrEqual, regs.tagGPR(), TrustedImm32(JSValue::LowestTag));
 #endif
     }
@@ -849 +856 @@
 
     JumpList branchIfNotType(
-        JSValueRegs, GPRReg tempGPR, const InferredType::Descriptor&, TagRegistersMode);
+        JSValueRegs, GPRReg tempGPR, const InferredType::Descriptor&,
+        TagRegistersMode = HaveTagRegisters);
 
     template<typename T>

trunk/Source/JavaScriptCore/jit/CCallHelpers.h

@@ -40 +40 @@
 #else
 #define POKE_ARGUMENT_OFFSET 0
+#endif
+
+// EncodedJSValue in JSVALUE32_64 is a 64-bit integer. When being compiled in ARM EABI, it must be aligned even-numbered register (r0, r2 or [sp]).
+// To avoid assemblies from using wrong registers, let's occupy r1 or r3 with a dummy argument when necessary.
+#if (COMPILER_SUPPORTS(EABI) && CPU(ARM)) || CPU(MIPS)
+#define EABI_32BIT_DUMMY_ARG      TrustedImm32(0),
+#else
+#define EABI_32BIT_DUMMY_ARG
+#endif
+
+// JSVALUE32_64 is a 64-bit integer that cannot be put half in an argument register and half on stack when using SH4 architecture.
+// To avoid this, let's occupy the 4th argument register (r7) with a dummy argument when necessary. This must only be done when there
+// is no other 32-bit value argument behind this 64-bit JSValue.
+#if CPU(SH4)
+#define SH4_32BIT_DUMMY_ARG      TrustedImm32(0),
+#else
+#define SH4_32BIT_DUMMY_ARG
 #endif
 
@@ -2168 +2185 @@
 #endif
     
+    void setupArgumentsWithExecState(JSValueRegs arg1, JSValueRegs arg2, TrustedImmPtr arg3)
+    {
+#if USE(JSVALUE64)
+        setupArgumentsWithExecState(arg1.gpr(), arg2.gpr(), arg3);
+#else
+        setupArgumentsWithExecState(EABI_32BIT_DUMMY_ARG arg1.payloadGPR(), arg1.tagGPR(), arg2.payloadGPR(), arg2.tagGPR(), arg3);
+#endif
+    }
+    
     void setupArguments(JSValueRegs arg1)
     {

trunk/Source/JavaScriptCore/jit/GPRInfo.h

@@ -1 +1 @@
 /*
- * Copyright (C) 2011, 2013-2015 Apple Inc. All rights reserved.
+ * Copyright (C) 2011, 2013-2016 Apple Inc. All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
@@ -140 +140 @@
     }
     
+    JSValueRegs regs() const
+    {
+        return JSValueRegs(gpr());
+    }
+    
     MacroAssembler::Address asAddress() const { return MacroAssembler::Address(base(), offset()); }
     
@@ -305 +310 @@
     {
         return static_cast<int32_t>(m_tagType);
+    }
+    
+    JSValueRegs regs() const
+    {
+        return JSValueRegs(tagGPR(), payloadGPR());
     }
     

trunk/Source/JavaScriptCore/jit/IntrinsicEmitter.cpp

@@ -1 +1 @@
 /*
- * Copyright (C) 2015 Apple Inc. All rights reserved.
+ * Copyright (C) 2015-2016 Apple Inc. All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
@@ -79 +79 @@
     case TypedArrayLengthIntrinsic: {
         jit.load32(MacroAssembler::Address(state.baseGPR, JSArrayBufferView::offsetOfLength()), valueGPR);
-        jit.boxInt32(valueGPR, valueRegs, CCallHelpers::DoNotHaveTagRegisters);
+        jit.boxInt32(valueGPR, valueRegs);
         state.succeed();
         return;
@@ -94 +94 @@
         }
 
-        jit.boxInt32(valueGPR, valueRegs, CCallHelpers::DoNotHaveTagRegisters);
+        jit.boxInt32(valueGPR, valueRegs);
         state.succeed();
         return;
@@ -120 +120 @@
         done.link(&jit);
         
-        jit.boxInt32(valueGPR, valueRegs, CCallHelpers::DoNotHaveTagRegisters);
+        jit.boxInt32(valueGPR, valueRegs);
         state.succeed();
         return;

trunk/Source/JavaScriptCore/jit/JIT.h

@@ -757 +757 @@
         MacroAssembler::Call callOperation(J_JITOperation_EJI, int, GPRReg, UniquedStringImpl*);
         MacroAssembler::Call callOperation(J_JITOperation_EJJ, int, GPRReg, GPRReg);
+        MacroAssembler::Call callOperation(J_JITOperation_EJJRp, JSValueRegs, JSValueRegs, JSValueRegs, ResultProfile*);
         MacroAssembler::Call callOperation(J_JITOperation_EJJAp, int, GPRReg, GPRReg, ArrayProfile*);
         MacroAssembler::Call callOperation(J_JITOperation_EJJBy, int, GPRReg, GPRReg, ByValInfo*);

trunk/Source/JavaScriptCore/jit/JITAddGenerator.cpp

@@ -1 +1 @@
 /*
- * Copyright (C) 2015 Apple Inc. All rights reserved.
+ * Copyright (C) 2015-2016 Apple Inc. All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
@@ -129 +129 @@
     // Do doubleVar + doubleVar.
     jit.addDouble(m_rightFPR, m_leftFPR);
+    if (m_resultProfile)
+        m_resultProfile->emitSetDouble(jit);
+        
     jit.boxDouble(m_leftFPR, m_result);
 }

trunk/Source/JavaScriptCore/jit/JITAddGenerator.h

@@ -1 +1 @@
 /*
- * Copyright (C) 2015 Apple Inc. All rights reserved.
+ * Copyright (C) 2015-2016 Apple Inc. All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
@@ -38 +38 @@
     JITAddGenerator(SnippetOperand leftOperand, SnippetOperand rightOperand,
         JSValueRegs result, JSValueRegs left, JSValueRegs right,
-        FPRReg leftFPR, FPRReg rightFPR, GPRReg scratchGPR, FPRReg scratchFPR)
+        FPRReg leftFPR, FPRReg rightFPR, GPRReg scratchGPR, FPRReg scratchFPR,
+        ResultProfile* resultProfile = nullptr)
         : m_leftOperand(leftOperand)
         , m_rightOperand(rightOperand)
@@ -48 +49 @@
         , m_scratchGPR(scratchGPR)
         , m_scratchFPR(scratchFPR)
+        , m_resultProfile(resultProfile)
     {
         ASSERT(!m_leftOperand.isConstInt32() || !m_rightOperand.isConstInt32());
@@ -68 +70 @@
     GPRReg m_scratchGPR;
     FPRReg m_scratchFPR;
+    ResultProfile* m_resultProfile;
     bool m_didEmitFastPath { false };
 

trunk/Source/JavaScriptCore/jit/JITArithmetic.cpp

@@ -1 +1 @@
 /*
- * Copyright (C) 2008, 2015 Apple Inc. All rights reserved.
+ * Copyright (C) 2008, 2015-2016 Apple Inc. All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
@@ -697 +697 @@
 #endif
 
+    ResultProfile* resultProfile = nullptr;
+    if (shouldEmitProfiling())
+        resultProfile = m_codeBlock->ensureResultProfile(m_bytecodeOffset);
+
     SnippetOperand leftOperand(types.first());
     SnippetOperand rightOperand(types.second());
@@ -713 +717 @@
 
     JITAddGenerator gen(leftOperand, rightOperand, resultRegs, leftRegs, rightRegs,
-        fpRegT0, fpRegT1, scratchGPR, scratchFPR);
+        fpRegT0, fpRegT1, scratchGPR, scratchFPR, resultProfile);
 
     gen.generateFastPath(*this);
@@ -725 +729 @@
         ASSERT(gen.endJumpList().empty());
         ASSERT(gen.slowPathJumpList().empty());
+        if (resultProfile) {
+            if (leftOperand.isConst())
+                emitGetVirtualRegister(op1, leftRegs);
+            if (rightOperand.isConst())
+                emitGetVirtualRegister(op2, rightRegs);
+            callOperation(operationValueAddProfiled, resultRegs, leftRegs, rightRegs, resultProfile);
+            emitPutVirtualRegister(result, resultRegs);
+        } else {
+            JITSlowPathCall slowPathCall(this, currentInstruction, slow_path_add);
+            slowPathCall.call();
+        }
+    }
+}
+
+void JIT::emitSlow_op_add(Instruction* currentInstruction, Vector<SlowCaseEntry>::iterator& iter)
+{
+    linkAllSlowCasesForBytecodeOffset(m_slowCases, iter, m_bytecodeOffset);
+
+    int result = currentInstruction[1].u.operand;
+    int op1 = currentInstruction[2].u.operand;
+    int op2 = currentInstruction[3].u.operand;
+    OperandTypes types = OperandTypes::fromInt(currentInstruction[4].u.operand);
+
+#if USE(JSVALUE64)
+    JSValueRegs leftRegs = JSValueRegs(regT0);
+    JSValueRegs rightRegs = JSValueRegs(regT1);
+    JSValueRegs resultRegs = leftRegs;
+#else
+    JSValueRegs leftRegs = JSValueRegs(regT1, regT0);
+    JSValueRegs rightRegs = JSValueRegs(regT3, regT2);
+    JSValueRegs resultRegs = leftRegs;
+#endif
+    
+    SnippetOperand leftOperand(types.first());
+    SnippetOperand rightOperand(types.second());
+
+    if (isOperandConstantInt(op1))
+        leftOperand.setConstInt32(getOperandConstantInt(op1));
+    else if (isOperandConstantInt(op2))
+        rightOperand.setConstInt32(getOperandConstantInt(op2));
+
+    if (shouldEmitProfiling()) {
+        if (leftOperand.isConst())
+            emitGetVirtualRegister(op1, leftRegs);
+        if (rightOperand.isConst())
+            emitGetVirtualRegister(op2, rightRegs);
+        ResultProfile* resultProfile = m_codeBlock->ensureResultProfile(m_bytecodeOffset);
+        callOperation(operationValueAddProfiled, resultRegs, leftRegs, rightRegs, resultProfile);
+        emitPutVirtualRegister(result, resultRegs);
+    } else {
         JITSlowPathCall slowPathCall(this, currentInstruction, slow_path_add);
         slowPathCall.call();
     }
-}
-
-void JIT::emitSlow_op_add(Instruction* currentInstruction, Vector<SlowCaseEntry>::iterator& iter)
-{
-    linkAllSlowCasesForBytecodeOffset(m_slowCases, iter, m_bytecodeOffset);
-
-    JITSlowPathCall slowPathCall(this, currentInstruction, slow_path_add);
-    slowPathCall.call();
 }
 
@@ -865 +911 @@
         ASSERT(gen.endJumpList().empty());
         ASSERT(gen.slowPathJumpList().empty());
+        if (resultProfile) {
+            if (leftOperand.isPositiveConstInt32())
+                emitGetVirtualRegister(op1, leftRegs);
+            if (rightOperand.isPositiveConstInt32())
+                emitGetVirtualRegister(op2, rightRegs);
+            callOperation(operationValueMulProfiled, resultRegs, leftRegs, rightRegs, resultProfile);
+            emitPutVirtualRegister(result, resultRegs);
+        } else {
+            JITSlowPathCall slowPathCall(this, currentInstruction, slow_path_mul);
+            slowPathCall.call();
+        }
+    }
+}
+
+void JIT::emitSlow_op_mul(Instruction* currentInstruction, Vector<SlowCaseEntry>::iterator& iter)
+{
+    linkAllSlowCasesForBytecodeOffset(m_slowCases, iter, m_bytecodeOffset);
+    
+    int result = currentInstruction[1].u.operand;
+    int op1 = currentInstruction[2].u.operand;
+    int op2 = currentInstruction[3].u.operand;
+    OperandTypes types = OperandTypes::fromInt(currentInstruction[4].u.operand);
+
+#if USE(JSVALUE64)
+    JSValueRegs leftRegs = JSValueRegs(regT0);
+    JSValueRegs rightRegs = JSValueRegs(regT1);
+    JSValueRegs resultRegs = leftRegs;
+#else
+    JSValueRegs leftRegs = JSValueRegs(regT1, regT0);
+    JSValueRegs rightRegs = JSValueRegs(regT3, regT2);
+    JSValueRegs resultRegs = leftRegs;
+#endif
+
+    SnippetOperand leftOperand(types.first());
+    SnippetOperand rightOperand(types.second());
+
+    if (isOperandConstantInt(op1))
+        leftOperand.setConstInt32(getOperandConstantInt(op1));
+    else if (isOperandConstantInt(op2))
+        rightOperand.setConstInt32(getOperandConstantInt(op2));
+
+    if (shouldEmitProfiling()) {
+        if (leftOperand.isPositiveConstInt32())
+            emitGetVirtualRegister(op1, leftRegs);
+        if (rightOperand.isPositiveConstInt32())
+            emitGetVirtualRegister(op2, rightRegs);
+        ResultProfile* resultProfile = m_codeBlock->ensureResultProfile(m_bytecodeOffset);
+        callOperation(operationValueMulProfiled, resultRegs, leftRegs, rightRegs, resultProfile);
+        emitPutVirtualRegister(result, resultRegs);
+    } else {
         JITSlowPathCall slowPathCall(this, currentInstruction, slow_path_mul);
         slowPathCall.call();
     }
-}
-
-void JIT::emitSlow_op_mul(Instruction* currentInstruction, Vector<SlowCaseEntry>::iterator& iter)
-{
-    linkAllSlowCasesForBytecodeOffset(m_slowCases, iter, m_bytecodeOffset);
-    
-    JITSlowPathCall slowPathCall(this, currentInstruction, slow_path_mul);
-    slowPathCall.call();
 }
 
@@ -899 +987 @@
 #endif
 
+    ResultProfile* resultProfile = nullptr;
+    if (shouldEmitProfiling())
+        resultProfile = m_codeBlock->ensureResultProfile(m_bytecodeOffset);
+
     SnippetOperand leftOperand(types.first());
     SnippetOperand rightOperand(types.second());
@@ -906 +998 @@
 
     JITSubGenerator gen(leftOperand, rightOperand, resultRegs, leftRegs, rightRegs,
-        fpRegT0, fpRegT1, scratchGPR, scratchFPR);
+        fpRegT0, fpRegT1, scratchGPR, scratchFPR, resultProfile);
 
     gen.generateFastPath(*this);
@@ -921 +1013 @@
     linkAllSlowCasesForBytecodeOffset(m_slowCases, iter, m_bytecodeOffset);
 
-    JITSlowPathCall slowPathCall(this, currentInstruction, slow_path_sub);
-    slowPathCall.call();
+    int result = currentInstruction[1].u.operand;
+#if USE(JSVALUE64)
+    JSValueRegs leftRegs = JSValueRegs(regT0);
+    JSValueRegs rightRegs = JSValueRegs(regT1);
+    JSValueRegs resultRegs = leftRegs;
+#else
+    JSValueRegs leftRegs = JSValueRegs(regT1, regT0);
+    JSValueRegs rightRegs = JSValueRegs(regT3, regT2);
+    JSValueRegs resultRegs = leftRegs;
+#endif
+
+    if (shouldEmitProfiling()) {
+        ResultProfile* resultProfile = m_codeBlock->ensureResultProfile(m_bytecodeOffset);
+        callOperation(operationValueSubProfiled, resultRegs, leftRegs, rightRegs, resultProfile);
+        emitPutVirtualRegister(result, resultRegs);
+    } else {
+        JITSlowPathCall slowPathCall(this, currentInstruction, slow_path_sub);
+        slowPathCall.call();
+    }
 }
 

trunk/Source/JavaScriptCore/jit/JITInlines.h

@@ -417 +417 @@
 }
 
+inline MacroAssembler::Call JIT::callOperation(J_JITOperation_EJJRp operation, JSValueRegs result, JSValueRegs arg1, JSValueRegs arg2, ResultProfile* resultProfile)
+{
+    setupArgumentsWithExecState(arg1, arg2, TrustedImmPtr(resultProfile));
+    Call call = appendCallWithExceptionCheck(operation);
+    setupResults(result);
+    return call;
+}
+
 #if USE(JSVALUE64)
 ALWAYS_INLINE MacroAssembler::Call JIT::callOperation(Z_JITOperation_EJZZ operation, GPRReg arg1, int32_t arg2, int32_t arg3)
@@ -603 +611 @@
 #else // USE(JSVALUE32_64)
 
-// EncodedJSValue in JSVALUE32_64 is a 64-bit integer. When being compiled in ARM EABI, it must be aligned even-numbered register (r0, r2 or [sp]).
-// To avoid assemblies from using wrong registers, let's occupy r1 or r3 with a dummy argument when necessary.
-#if (COMPILER_SUPPORTS(EABI) && CPU(ARM)) || CPU(MIPS)
-#define EABI_32BIT_DUMMY_ARG      TrustedImm32(0),
-#else
-#define EABI_32BIT_DUMMY_ARG
-#endif
-
-// JSVALUE32_64 is a 64-bit integer that cannot be put half in an argument register and half on stack when using SH4 architecture.
-// To avoid this, let's occupy the 4th argument register (r7) with a dummy argument when necessary. This must only be done when there
-// is no other 32-bit value argument behind this 64-bit JSValue.
-#if CPU(SH4)
-#define SH4_32BIT_DUMMY_ARG      TrustedImm32(0),
-#else
-#define SH4_32BIT_DUMMY_ARG
-#endif
-
 ALWAYS_INLINE MacroAssembler::Call JIT::callOperationNoExceptionCheck(V_JITOperation_EJ operation, GPRReg arg1Tag, GPRReg arg1Payload)
 {
@@ -800 +791 @@
     return appendCallWithExceptionCheckSetJSValueResult(operation, dst);
 }
-
-#undef EABI_32BIT_DUMMY_ARG
-#undef SH4_32BIT_DUMMY_ARG
 
 #endif // USE(JSVALUE32_64)

trunk/Source/JavaScriptCore/jit/JITMulGenerator.cpp

@@ -1 +1 @@
 /*
- * Copyright (C) 2015 Apple Inc. All rights reserved.
+ * Copyright (C) 2015-2016 Apple Inc. All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
@@ -154 +154 @@
 
         notNegativeZero.link(&jit);
+        jit.or32(CCallHelpers::TrustedImm32(ResultProfile::NonNegZeroDouble), CCallHelpers::AbsoluteAddress(m_resultProfile->addressOfFlags()));
 
         jit.move(m_result.payloadGPR(), m_scratchGPR);
@@ -175 +176 @@
 
         notNegativeZero.link(&jit);
+        jit.or32(CCallHelpers::TrustedImm32(ResultProfile::NonNegZeroDouble), CCallHelpers::AbsoluteAddress(m_resultProfile->addressOfFlags()));
 
         jit.move(m_result.tagGPR(), m_scratchGPR);

trunk/Source/JavaScriptCore/jit/JITOperations.cpp

@@ -2244 +2244 @@
 }
 
+EncodedJSValue JIT_OPERATION operationValueAdd(ExecState* exec, EncodedJSValue encodedOp1, EncodedJSValue encodedOp2)
+{
+    VM* vm = &exec->vm();
+    NativeCallFrameTracer tracer(vm, exec);
+    
+    JSValue op1 = JSValue::decode(encodedOp1);
+    JSValue op2 = JSValue::decode(encodedOp2);
+    
+    return JSValue::encode(jsAdd(exec, op1, op2));
+}
+
+EncodedJSValue JIT_OPERATION operationValueAddProfiled(ExecState* exec, EncodedJSValue encodedOp1, EncodedJSValue encodedOp2, ResultProfile* resultProfile)
+{
+    VM* vm = &exec->vm();
+    NativeCallFrameTracer tracer(vm, exec);
+    
+    JSValue op1 = JSValue::decode(encodedOp1);
+    JSValue op2 = JSValue::decode(encodedOp2);
+    
+    JSValue result = jsAdd(exec, op1, op2);
+    resultProfile->detectNumericness(result);
+    return JSValue::encode(result);
+}
+
+EncodedJSValue JIT_OPERATION operationValueMul(ExecState* exec, EncodedJSValue encodedOp1, EncodedJSValue encodedOp2)
+{
+    VM* vm = &exec->vm();
+    NativeCallFrameTracer tracer(vm, exec);
+
+    JSValue op1 = JSValue::decode(encodedOp1);
+    JSValue op2 = JSValue::decode(encodedOp2);
+
+    double a = op1.toNumber(exec);
+    double b = op2.toNumber(exec);
+    return JSValue::encode(jsNumber(a * b));
+}
+
+EncodedJSValue JIT_OPERATION operationValueMulProfiled(ExecState* exec, EncodedJSValue encodedOp1, EncodedJSValue encodedOp2, ResultProfile* resultProfile)
+{
+    VM* vm = &exec->vm();
+    NativeCallFrameTracer tracer(vm, exec);
+
+    JSValue op1 = JSValue::decode(encodedOp1);
+    JSValue op2 = JSValue::decode(encodedOp2);
+
+    double a = op1.toNumber(exec);
+    double b = op2.toNumber(exec);
+    
+    JSValue result = jsNumber(a * b);
+    resultProfile->detectNumericness(result);
+    return JSValue::encode(result);
+}
+
+EncodedJSValue JIT_OPERATION operationValueSub(ExecState* exec, EncodedJSValue encodedOp1, EncodedJSValue encodedOp2)
+{
+    VM* vm = &exec->vm();
+    NativeCallFrameTracer tracer(vm, exec);
+    
+    JSValue op1 = JSValue::decode(encodedOp1);
+    JSValue op2 = JSValue::decode(encodedOp2);
+
+    double a = op1.toNumber(exec);
+    double b = op2.toNumber(exec);
+    return JSValue::encode(jsNumber(a - b));
+}
+
+EncodedJSValue JIT_OPERATION operationValueSubProfiled(ExecState* exec, EncodedJSValue encodedOp1, EncodedJSValue encodedOp2, ResultProfile* resultProfile)
+{
+    VM* vm = &exec->vm();
+    NativeCallFrameTracer tracer(vm, exec);
+    
+    JSValue op1 = JSValue::decode(encodedOp1);
+    JSValue op2 = JSValue::decode(encodedOp2);
+
+    double a = op1.toNumber(exec);
+    double b = op2.toNumber(exec);
+    
+    JSValue result = jsNumber(a - b);
+    resultProfile->detectNumericness(result);
+    return JSValue::encode(result);
+}
+
 void JIT_OPERATION operationProcessTypeProfilerLog(ExecState* exec)
 {

trunk/Source/JavaScriptCore/jit/JITOperations.h

@@ -54 +54 @@
 struct ByValInfo;
 struct InlineCallFrame;
+struct ResultProfile;
 
 typedef ExecState CallFrame;
@@ -97 +98 @@
     R: Register
     Reo: RegExpObject*
+    Rp: ResultProfile*
     S: size_t
     Sprt: SlowPathReturnType
@@ -137 +139 @@
 typedef EncodedJSValue JIT_OPERATION (*J_JITOperation_EJJBy)(ExecState*, EncodedJSValue, EncodedJSValue, ByValInfo*);
 typedef EncodedJSValue JIT_OPERATION (*J_JITOperation_EJJJ)(ExecState*, EncodedJSValue, EncodedJSValue, EncodedJSValue);
+typedef EncodedJSValue JIT_OPERATION (*J_JITOperation_EJJRp)(ExecState*, EncodedJSValue, EncodedJSValue, ResultProfile*);
 typedef EncodedJSValue JIT_OPERATION (*J_JITOperation_EJssZ)(ExecState*, JSString*, int32_t);
 typedef EncodedJSValue JIT_OPERATION (*J_JITOperation_EJssReo)(ExecState*, JSString*, RegExpObject*);
@@ -410 +413 @@
 JSCell* JIT_OPERATION operationToIndexString(ExecState*, int32_t);
 
+EncodedJSValue JIT_OPERATION operationValueAdd(ExecState*, EncodedJSValue encodedOp1, EncodedJSValue encodedOp2) WTF_INTERNAL;
+EncodedJSValue JIT_OPERATION operationValueAddProfiled(ExecState*, EncodedJSValue encodedOp1, EncodedJSValue encodedOp2, ResultProfile*) WTF_INTERNAL;
+EncodedJSValue JIT_OPERATION operationValueMul(ExecState*, EncodedJSValue encodedOp1, EncodedJSValue encodedOp2) WTF_INTERNAL;
+EncodedJSValue JIT_OPERATION operationValueMulProfiled(ExecState*, EncodedJSValue encodedOp1, EncodedJSValue encodedOp2, ResultProfile*) WTF_INTERNAL;
+EncodedJSValue JIT_OPERATION operationValueSub(ExecState*, EncodedJSValue encodedOp1, EncodedJSValue encodedOp2) WTF_INTERNAL;
+EncodedJSValue JIT_OPERATION operationValueSubProfiled(ExecState*, EncodedJSValue encodedOp1, EncodedJSValue encodedOp2, ResultProfile*) WTF_INTERNAL;
+
 void JIT_OPERATION operationProcessTypeProfilerLog(ExecState*) WTF_INTERNAL;
 void JIT_OPERATION operationProcessShadowChickenLog(ExecState*) WTF_INTERNAL;

trunk/Source/JavaScriptCore/jit/JITSubGenerator.cpp

@@ -1 +1 @@
 /*
- * Copyright (C) 2015 Apple Inc. All rights reserved.
+ * Copyright (C) 2015-2016 Apple Inc. All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
@@ -84 +84 @@
 
     jit.subDouble(m_rightFPR, m_leftFPR);
+    if (m_resultProfile)
+        m_resultProfile->emitSetDouble(jit);
+
     jit.boxDouble(m_leftFPR, m_result);
 }

trunk/Source/JavaScriptCore/jit/JITSubGenerator.h

@@ -1 +1 @@
 /*
- * Copyright (C) 2015 Apple Inc. All rights reserved.
+ * Copyright (C) 2015-2016 Apple Inc. All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
@@ -38 +38 @@
     JITSubGenerator(SnippetOperand leftOperand, SnippetOperand rightOperand,
         JSValueRegs result, JSValueRegs left, JSValueRegs right,
-        FPRReg leftFPR, FPRReg rightFPR, GPRReg scratchGPR, FPRReg scratchFPR)
+        FPRReg leftFPR, FPRReg rightFPR, GPRReg scratchGPR, FPRReg scratchFPR,
+        ResultProfile* resultProfile = nullptr)
         : m_leftOperand(leftOperand)
         , m_rightOperand(rightOperand)
@@ -48 +49 @@
         , m_scratchGPR(scratchGPR)
         , m_scratchFPR(scratchFPR)
+        , m_resultProfile(resultProfile)
     { }
 
@@ -66 +68 @@
     GPRReg m_scratchGPR;
     FPRReg m_scratchFPR;
+    ResultProfile* m_resultProfile;
     bool m_didEmitFastPath { false };
 

trunk/Source/JavaScriptCore/runtime/CommonSlowPaths.cpp

@@ -379 +379 @@
                 profile->setObservedNegZeroDouble();
             else {
+                profile->setObservedNonNegZeroDouble();
+
                 // The Int52 overflow check here intentionally omits 1ll << 51 as a valid negative Int52 value.
                 // Therefore, we will get a false positive if the result is that value. This is intentionally

trunk/Source/JavaScriptCore/runtime/Options.h

@@ -176 +176 @@
     v(bool, reportFTLCompileTimes, false, Normal, "dumps JS function signature and the time it took to FTL compile") \
     v(bool, reportTotalCompileTimes, false, Normal, nullptr) \
+    v(bool, verboseExitProfile, false, Normal, nullptr) \
     v(bool, verboseCFA, false, Normal, nullptr) \
     v(bool, verboseFTLToJSThunk, false, Normal, nullptr) \