Changeset 202363 in webkit


Timestamp:
Jun 22, 2016 6:39:01 PM (8 years ago)
Author:
keith_miller@apple.com
Message:

We should have a DFG intrinsic that checks if a value is a TypedArrayView
https://bugs.webkit.org/show_bug.cgi?id=159048

Reviewed by Saam Barati.

This patch adds a new DFG Intrinsic that checks if a value is a TypedArrayView.
The intrinsic, IsTypedArrayView, works in the same way that the other Is<insert-type>
DFG nodes work. Additionally, a new builtin function isTypedArrayView has been added.
These changes are needed to fix regressions in %TypedArray%.prototype.subarray.

  • builtins/BuiltinNames.h:
  • dfg/DFGAbstractInterpreterInlines.h:

(JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):

  • dfg/DFGByteCodeParser.cpp:

(JSC::DFG::ByteCodeParser::handleIntrinsicCall):

  • dfg/DFGClobberize.h:

(JSC::DFG::clobberize):

  • dfg/DFGDoesGC.cpp:

(JSC::DFG::doesGC):

  • dfg/DFGFixupPhase.cpp:

(JSC::DFG::FixupPhase::fixupNode):

  • dfg/DFGNodeType.h:
  • dfg/DFGPredictionPropagationPhase.cpp:
  • dfg/DFGSafeToExecute.h:

(JSC::DFG::safeToExecute):

  • dfg/DFGSpeculativeJIT.cpp:

(JSC::DFG::SpeculativeJIT::compileIsTypedArrayView):

  • dfg/DFGSpeculativeJIT.h:
  • dfg/DFGSpeculativeJIT32_64.cpp:

(JSC::DFG::SpeculativeJIT::compile):

  • dfg/DFGSpeculativeJIT64.cpp:

(JSC::DFG::SpeculativeJIT::compile):

  • ftl/FTLCapabilities.cpp:

(JSC::FTL::canCompile):

  • ftl/FTLLowerDFGToB3.cpp:

(JSC::FTL::DFG::LowerDFGToB3::compileNode):
(JSC::FTL::DFG::LowerDFGToB3::compileIsTypedArrayView):
(JSC::FTL::DFG::LowerDFGToB3::isTypedArrayView):

  • runtime/Intrinsic.h:
  • runtime/JSGlobalObject.cpp:

(JSC::JSGlobalObject::init):

  • runtime/JSTypedArrayViewPrototype.cpp:

(JSC::typedArrayViewPrivateFuncIsTypedArrayView):

  • runtime/JSTypedArrayViewPrototype.h:
  • tests/stress/istypedarrayview-intrinsic.js: Added.

(makeFn):
(typedArrays.forEach):
(let.test):
(test):

Location:
trunk/Source/JavaScriptCore
Files:
1 added
20 edited

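--- a/trunk/Source/JavaScriptCore/ChangeLog
+++ b/trunk/Source/JavaScriptCore/ChangeLog
@@ -1,2 +1,54 @@
+2016-06-22  Keith Miller  <keith_miller@apple.com>
+
+        We should have a DFG intrinsic that checks if a value is a TypedArrayView
+        https://bugs.webkit.org/show_bug.cgi?id=159048
+
+        Reviewed by Saam Barati.
+
+        This patch adds a new DFG Intrinsic that checks if a value is a TypedArrayView.
+        The intrinsic, IsTypedArrayView, works in the same way that the other Is<insert-type>
+        DFG nodes work. Additionally, a new builtin function isTypedArrayView has been added.
+        These changes are needed to fix regressions in %TypedArray%.prototype.subarray.
+
+        * builtins/BuiltinNames.h:
+        * dfg/DFGAbstractInterpreterInlines.h:
+        (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
+        * dfg/DFGByteCodeParser.cpp:
+        (JSC::DFG::ByteCodeParser::handleIntrinsicCall):
+        * dfg/DFGClobberize.h:
+        (JSC::DFG::clobberize):
+        * dfg/DFGDoesGC.cpp:
+        (JSC::DFG::doesGC):
+        * dfg/DFGFixupPhase.cpp:
+        (JSC::DFG::FixupPhase::fixupNode):
+        * dfg/DFGNodeType.h:
+        * dfg/DFGPredictionPropagationPhase.cpp:
+        * dfg/DFGSafeToExecute.h:
+        (JSC::DFG::safeToExecute):
+        * dfg/DFGSpeculativeJIT.cpp:
+        (JSC::DFG::SpeculativeJIT::compileIsTypedArrayView):
+        * dfg/DFGSpeculativeJIT.h:
+        * dfg/DFGSpeculativeJIT32_64.cpp:
+        (JSC::DFG::SpeculativeJIT::compile):
+        * dfg/DFGSpeculativeJIT64.cpp:
+        (JSC::DFG::SpeculativeJIT::compile):
+        * ftl/FTLCapabilities.cpp:
+        (JSC::FTL::canCompile):
+        * ftl/FTLLowerDFGToB3.cpp:
+        (JSC::FTL::DFG::LowerDFGToB3::compileNode):
+        (JSC::FTL::DFG::LowerDFGToB3::compileIsTypedArrayView):
+        (JSC::FTL::DFG::LowerDFGToB3::isTypedArrayView):
+        * runtime/Intrinsic.h:
+        * runtime/JSGlobalObject.cpp:
+        (JSC::JSGlobalObject::init):
+        * runtime/JSTypedArrayViewPrototype.cpp:
+        (JSC::typedArrayViewPrivateFuncIsTypedArrayView):
+        * runtime/JSTypedArrayViewPrototype.h:
+        * tests/stress/istypedarrayview-intrinsic.js: Added.
+        (makeFn):
+        (typedArrays.forEach):
+        (let.test):
+        (test):
+
 2016-06-21  Anders Carlsson  <andersca@apple.com>
 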
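--- a/trunk/Source/JavaScriptCore/builtins/BuiltinNames.h
+++ b/trunk/Source/JavaScriptCore/builtins/BuiltinNames.h
@@ -122,4 +122,5 @@
     macro(newTargetLocal) \
     macro(derivedConstructor) \
+    macro(isTypedArrayView) \
     macro(isBoundFunction) \
     macro(hasInstanceBoundFunction) \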
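--- a/trunk/Source/JavaScriptCore/dfg/DFGAbstractInterpreterInlines.h
+++ b/trunk/Source/JavaScriptCore/dfg/DFGAbstractInterpreterInlines.h
@@ -1036,5 +1036,6 @@
     case IsObjectOrNull:
     case IsFunction:
-    case IsRegExpObject: {
+    case IsRegExpObject:
+    case IsTypedArrayView: {
         AbstractValue child = forNode(node->child1());
         if (child.value()) {
@@ -1098,4 +1099,7 @@
                 setConstant(node, jsBoolean(child.value().isEmpty()));
                 break;
+            case IsTypedArrayView:
+                setConstant(node, jsBoolean(child.value().isObject() && isTypedView(child.value().getObject()->classInfo()->typedArrayStorageType)));
+                break;
             default:
                 constantWasSet = false;
@@ -1263,4 +1267,17 @@
             }
             if (!(child.m_type & SpecObject)) {
+                setConstant(node, jsBoolean(false));
+                constantWasSet = true;
+                break;
+            }
+            break;
+
+        case IsTypedArrayView:
+            if (!(child.m_type & ~SpecTypedArrayView)) {
+                setConstant(node, jsBoolean(true));
+                constantWasSet = true;
+                break;
+            }
+            if (!(child.m_type & SpecTypedArrayView)) {
                 setConstant(node, jsBoolean(false));
                 constantWasSet = true;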
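Review bot: The constant-folding case at new line 1102 decides the answer with `isObject()` plus `isTypedView(classInfo()->typedArrayStorageType)`, while the code emitted for the same node (`compileIsTypedArrayView` in DFGSpeculativeJIT.cpp, `isTypedArrayView` in FTLLowerDFGToB3.cpp) tests the cell's JSType against the `Int8ArrayType`..`Float64ArrayType` range, and the host function in JSTypedArrayViewPrototype.cpp spells it a third way with `isCell()`. A folded constant that disagrees with the emitted check would give later phases a wrong type proof, so these predicates have to agree for every cell, and nothing in the patch ties them together. I would add a comment at this case, `// Must agree with the JSType range check emitted by compileIsTypedArrayView() and FTL isTypedArrayView().`, or route all sites through one shared helper. The enclosing switch statements begin and end outside the hunks shown.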
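--- a/trunk/Source/JavaScriptCore/dfg/DFGByteCodeParser.cpp
+++ b/trunk/Source/JavaScriptCore/dfg/DFGByteCodeParser.cpp
@@ -2312,4 +2312,12 @@
         Node* isRegExpObject = addToGraph(IsRegExpObject, OpInfo(prediction), get(virtualRegisterForArgument(1, registerOffset)));
         set(VirtualRegister(resultOperand), isRegExpObject);
+        return true;
+    }
+
+    case IsTypedArrayViewIntrinsic: {
+        ASSERT(argumentCountIncludingThis == 2);
+
+        insertChecks();
+        set(VirtualRegister(resultOperand), addToGraph(IsTypedArrayView, OpInfo(prediction), get(virtualRegisterForArgument(1, registerOffset))));
         return true;
     }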
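Review bot: The new `IsTypedArrayViewIntrinsic` case guards the argument count only with `ASSERT(argumentCountIncludingThis == 2)`, which is compiled out of release builds, and then reads argument 1 unconditionally; the host function added in JSTypedArrayViewPrototype.cpp makes the same assumption with `exec->uncheckedArgument(0)`. This is presumably safe because the function is installed under a private name and called only from builtin code, but nothing in these lines records that invariant. Either state it in a comment, `// Private builtin: callers always pass exactly one argument.`, or decline to inline on a mismatch with `if (argumentCountIncludingThis != 2) return false;` ahead of `insertChecks()`. The switch in handleIntrinsicCall starts and ends outside the hunk.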
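--- a/trunk/Source/JavaScriptCore/dfg/DFGClobberize.h
+++ b/trunk/Source/JavaScriptCore/dfg/DFGClobberize.h
@@ -173,4 +173,5 @@
     case IsObject:
     case IsRegExpObject:
+    case IsTypedArrayView:
     case LogicalNot:
     case CheckInBounds: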
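--- a/trunk/Source/JavaScriptCore/dfg/DFGDoesGC.cpp
+++ b/trunk/Source/JavaScriptCore/dfg/DFGDoesGC.cpp
@@ -166,4 +166,5 @@
     case IsFunction:
     case IsRegExpObject:
+    case IsTypedArrayView:
     case TypeOf:
     case LogicalNot: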
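--- a/trunk/Source/JavaScriptCore/dfg/DFGFixupPhase.cpp
+++ b/trunk/Source/JavaScriptCore/dfg/DFGFixupPhase.cpp
@@ -1548,4 +1548,5 @@
         case DeleteByVal:
         case IsJSArray:
+        case IsTypedArrayView:
         case IsEmpty:
         case IsUndefined: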
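--- a/trunk/Source/JavaScriptCore/dfg/DFGNodeType.h
+++ b/trunk/Source/JavaScriptCore/dfg/DFGNodeType.h
@@ -318,4 +318,5 @@
     macro(IsFunction, NodeResultBoolean) \
     macro(IsRegExpObject, NodeResultBoolean) \
+    macro(IsTypedArrayView, NodeResultBoolean) \
     macro(TypeOf, NodeResultJS) \
     macro(LogicalNot, NodeResultBoolean) \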
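--- a/trunk/Source/JavaScriptCore/dfg/DFGPredictionPropagationPhase.cpp
+++ b/trunk/Source/JavaScriptCore/dfg/DFGPredictionPropagationPhase.cpp
@@ -793,5 +793,6 @@
         case IsObjectOrNull:
         case IsFunction:
-        case IsRegExpObject: {
+        case IsRegExpObject:
+        case IsTypedArrayView: {
             setPrediction(SpecBoolean);
             break;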
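--- a/trunk/Source/JavaScriptCore/dfg/DFGSafeToExecute.h
+++ b/trunk/Source/JavaScriptCore/dfg/DFGSafeToExecute.h
@@ -267,4 +267,5 @@
     case IsFunction:
     case IsRegExpObject:
+    case IsTypedArrayView:
     case TypeOf:
     case LogicalNot: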
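--- a/trunk/Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp
+++ b/trunk/Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp
@@ -3445,4 +3445,34 @@
         JITCompiler::Address(valueRegs.payloadGPR(), JSCell::typeInfoTypeOffset()),
         TrustedImm32(RegExpObjectType),
+        resultGPR);
+    blessBoolean(resultGPR);
+    JITCompiler::Jump done = m_jit.jump();
+
+    isNotCell.link(&m_jit);
+    moveFalseTo(resultGPR);
+
+    done.link(&m_jit);
+    blessedBooleanResult(resultGPR, node);
+}
+
+void SpeculativeJIT::compileIsTypedArrayView(Node* node)
+{
+    JSValueOperand value(this, node->child1());
+#if USE(JSVALUE64)
+    GPRTemporary result(this, Reuse, value);
+#else
+    GPRTemporary result(this, Reuse, value, PayloadWord);
+#endif
+
+    JSValueRegs valueRegs = value.jsValueRegs();
+    GPRReg resultGPR = result.gpr();
+
+    JITCompiler::Jump isNotCell = m_jit.branchIfNotCell(valueRegs);
+
+    m_jit.load8(JITCompiler::Address(valueRegs.payloadGPR(), JSCell::typeInfoTypeOffset()), resultGPR);
+    m_jit.sub32(TrustedImm32(Int8ArrayType), resultGPR);
+    m_jit.compare32(JITCompiler::BelowOrEqual,
+        resultGPR,
+        TrustedImm32(Float64ArrayType - Int8ArrayType),
         resultGPR);
     blessBoolean(resultGPR);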
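Review bot: The `sub32` / `compare32(BelowOrEqual, …, Float64ArrayType - Int8ArrayType)` sequence in `compileIsTypedArrayView` is correct only while the typed array view values of JSType form one contiguous run that starts at `Int8ArrayType` and ends at `Float64ArrayType`, and nothing here records that dependency. A type inserted into that run, or a new view type added outside it, would silently make the emitted check wrong without any compile error. I would add above the `load8`, `// Unsigned range check: relies on the typed array JSTypes being contiguous from Int8ArrayType to Float64ArrayType.`, and the same comment on `isTypedArrayView` in FTLLowerDFGToB3.cpp, which uses the identical subtraction; a static_assert beside the enum would make the assumption enforceable. The tail of the function lies outside the hunk.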
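--- a/trunk/Source/JavaScriptCore/dfg/DFGSpeculativeJIT.h
+++ b/trunk/Source/JavaScriptCore/dfg/DFGSpeculativeJIT.h
@@ -755,4 +755,5 @@
     void compileIsJSArray(Node*);
     void compileIsRegExpObject(Node*);
+    void compileIsTypedArrayView(Node*);
 
     void emitCall(Node*);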
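--- a/trunk/Source/JavaScriptCore/dfg/DFGSpeculativeJIT32_64.cpp
+++ b/trunk/Source/JavaScriptCore/dfg/DFGSpeculativeJIT32_64.cpp
@@ -4734,4 +4734,9 @@
     }
 
+    case IsTypedArrayView: {
+        compileIsTypedArrayView(node);
+        break;
+    }
+
     case TypeOf: {
         compileTypeOf(node);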
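--- a/trunk/Source/JavaScriptCore/dfg/DFGSpeculativeJIT64.cpp
+++ b/trunk/Source/JavaScriptCore/dfg/DFGSpeculativeJIT64.cpp
@@ -4659,4 +4659,9 @@
     }
 
+    case IsTypedArrayView: {
+        compileIsTypedArrayView(node);
+        break;
+    }
+
     case TypeOf: {
         compileTypeOf(node);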
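--- a/trunk/Source/JavaScriptCore/ftl/FTLCapabilities.cpp
+++ b/trunk/Source/JavaScriptCore/ftl/FTLCapabilities.cpp
@@ -188,4 +188,5 @@
     case IsFunction:
     case IsRegExpObject:
+    case IsTypedArrayView:
     case CheckTypeInfoFlags:
     case OverridesHasInstance: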
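--- a/trunk/Source/JavaScriptCore/ftl/FTLLowerDFGToB3.cpp
+++ b/trunk/Source/JavaScriptCore/ftl/FTLLowerDFGToB3.cpp
@@ -900,4 +900,7 @@
         case IsRegExpObject:
             compileIsRegExpObject();
+            break;
+        case IsTypedArrayView:
+            compileIsTypedArrayView();
             break;
         case TypeOf:
@@ -6102,4 +6105,22 @@
         LBasicBlock lastNext = m_out.appendTo(isCellCase, continuation);
         ValueFromBlock cellResult = m_out.anchor(isRegExpObject(value, provenType(m_node->child1())));
+        m_out.jump(continuation);
+
+        m_out.appendTo(continuation, lastNext);
+        setBoolean(m_out.phi(m_out.boolean, notCellResult, cellResult));
+    }
+
+    void compileIsTypedArrayView()
+    {
+        LValue value = lowJSValue(m_node->child1());
+
+        LBasicBlock isCellCase = m_out.newBlock();
+        LBasicBlock continuation = m_out.newBlock();
+
+        ValueFromBlock notCellResult = m_out.anchor(m_out.booleanFalse);
+        m_out.branch(isCell(value, provenType(m_node->child1())), unsure(isCellCase), unsure(continuation));
+
+        LBasicBlock lastNext = m_out.appendTo(isCellCase, continuation);
+        ValueFromBlock cellResult = m_out.anchor(isTypedArrayView(value, provenType(m_node->child1())));
         m_out.jump(continuation);
 
@@ -10077,4 +10098,16 @@
             m_out.constInt32(ArrayType));
     }
+
+    LValue isTypedArrayView(LValue cell, SpeculatedType type = SpecFullTop)
+    {
+        if (LValue proven = isProvenValue(type & SpecCell, SpecTypedArrayView))
+            return proven;
+        LValue jsType = m_out.sub(
+            m_out.load8ZeroExt32(cell, m_heaps.JSCell_typeInfoType),
+            m_out.constInt32(Int8ArrayType));
+        return m_out.belowOrEqual(
+            jsType,
+            m_out.constInt32(Float64ArrayType - Int8ArrayType));
+    }
    
     LValue isObject(LValue cell, SpeculatedType type = SpecFullTop)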
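--- a/trunk/Source/JavaScriptCore/runtime/Intrinsic.h
+++ b/trunk/Source/JavaScriptCore/runtime/Intrinsic.h
@@ -61,4 +61,5 @@
     TruncIntrinsic,
     IsRegExpObjectIntrinsic,
+    IsTypedArrayViewIntrinsic,
     BoundThisNoArgsFunctionCallIntrinsic,
 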
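--- a/trunk/Source/JavaScriptCore/runtime/JSGlobalObject.cpp
+++ b/trunk/Source/JavaScriptCore/runtime/JSGlobalObject.cpp
@@ -656,4 +656,5 @@
     JSFunction* privateFuncTypedArrayGetOriginalConstructor = JSFunction::create(vm, this, 0, String(), typedArrayViewPrivateFuncGetOriginalConstructor);
     JSFunction* privateFuncTypedArraySort = JSFunction::create(vm, this, 0, String(), typedArrayViewPrivateFuncSort);
+    JSFunction* privateFuncIsTypedArrayView = JSFunction::create(vm, this, 0, String(), typedArrayViewPrivateFuncIsTypedArrayView, IsTypedArrayViewIntrinsic);
     JSFunction* privateFuncIsBoundFunction = JSFunction::create(vm, this, 0, String(), isBoundFunction);
     JSFunction* privateFuncHasInstanceBoundFunction = JSFunction::create(vm, this, 0, String(), hasInstanceBoundFunction);
@@ -704,4 +705,5 @@
         GlobalPropertyInfo(vm.propertyNames->builtinNames().typedArrayGetOriginalConstructorPrivateName(), privateFuncTypedArrayGetOriginalConstructor, DontEnum | DontDelete | ReadOnly),
         GlobalPropertyInfo(vm.propertyNames->builtinNames().typedArraySortPrivateName(), privateFuncTypedArraySort, DontEnum | DontDelete | ReadOnly),
+        GlobalPropertyInfo(vm.propertyNames->builtinNames().isTypedArrayViewPrivateName(), privateFuncIsTypedArrayView, DontEnum | DontDelete | ReadOnly),
         GlobalPropertyInfo(vm.propertyNames->builtinNames().isBoundFunctionPrivateName(), privateFuncIsBoundFunction, DontEnum | DontDelete | ReadOnly),
         GlobalPropertyInfo(vm.propertyNames->builtinNames().hasInstanceBoundFunctionPrivateName(), privateFuncHasInstanceBoundFunction, DontEnum | DontDelete | ReadOnly),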
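--- a/trunk/Source/JavaScriptCore/runtime/JSTypedArrayViewPrototype.cpp
+++ b/trunk/Source/JavaScriptCore/runtime/JSTypedArrayViewPrototype.cpp
@@ -64,4 +64,10 @@
     RELEASE_ASSERT_NOT_REACHED();                                                               \
 } while (false)
+
+EncodedJSValue JSC_HOST_CALL typedArrayViewPrivateFuncIsTypedArrayView(ExecState* exec)
+{
+    JSValue value = exec->uncheckedArgument(0);
+    return JSValue::encode(jsBoolean(value.isCell() && isTypedView(value.asCell()->classInfo()->typedArrayStorageType)));
+}
 
 EncodedJSValue JSC_HOST_CALL typedArrayViewPrivateFuncLength(ExecState* exec)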
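--- a/trunk/Source/JavaScriptCore/runtime/JSTypedArrayViewPrototype.h
+++ b/trunk/Source/JavaScriptCore/runtime/JSTypedArrayViewPrototype.h
@@ -47,4 +47,5 @@
 };
 
+EncodedJSValue JSC_HOST_CALL typedArrayViewPrivateFuncIsTypedArrayView(ExecState*);
 EncodedJSValue JSC_HOST_CALL typedArrayViewPrivateFuncSort(ExecState*);
 EncodedJSValue JSC_HOST_CALL typedArrayViewPrivateFuncLength(ExecState*);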