Changeset 202363 in webkit
- Timestamp:
- Jun 22, 2016 6:39:01 PM (8 years ago)
- Location:
- trunk/Source/JavaScriptCore
- Files:
-
- 1 added
- 20 edited
Legend:
- Unmodified
- Added
- Removed
-
trunk/Source/JavaScriptCore/ChangeLog
r202308 r202363 1 2016-06-22 Keith Miller <keith_miller@apple.com> 2 3 We should have a DFG intrinsic that checks if a value is a TypedArrayView 4 https://bugs.webkit.org/show_bug.cgi?id=159048 5 6 Reviewed by Saam Barati. 7 8 This patch adds a new DFG Intrinsic that checks if a value is a TypedArrayView. 9 The intrinsic, IsTypedArrayView, works in the same way that the other Is<insert-type> 10 DFG nodes work. Additionally, a new builtin function isTypedArrayView has been added. 11 These changes are needed to fix regressions in %TypedArray%.prototype.subarray. 12 13 * builtins/BuiltinNames.h: 14 * dfg/DFGAbstractInterpreterInlines.h: 15 (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects): 16 * dfg/DFGByteCodeParser.cpp: 17 (JSC::DFG::ByteCodeParser::handleIntrinsicCall): 18 * dfg/DFGClobberize.h: 19 (JSC::DFG::clobberize): 20 * dfg/DFGDoesGC.cpp: 21 (JSC::DFG::doesGC): 22 * dfg/DFGFixupPhase.cpp: 23 (JSC::DFG::FixupPhase::fixupNode): 24 * dfg/DFGNodeType.h: 25 * dfg/DFGPredictionPropagationPhase.cpp: 26 * dfg/DFGSafeToExecute.h: 27 (JSC::DFG::safeToExecute): 28 * dfg/DFGSpeculativeJIT.cpp: 29 (JSC::DFG::SpeculativeJIT::compileIsTypedArrayView): 30 * dfg/DFGSpeculativeJIT.h: 31 * dfg/DFGSpeculativeJIT32_64.cpp: 32 (JSC::DFG::SpeculativeJIT::compile): 33 * dfg/DFGSpeculativeJIT64.cpp: 34 (JSC::DFG::SpeculativeJIT::compile): 35 * ftl/FTLCapabilities.cpp: 36 (JSC::FTL::canCompile): 37 * ftl/FTLLowerDFGToB3.cpp: 38 (JSC::FTL::DFG::LowerDFGToB3::compileNode): 39 (JSC::FTL::DFG::LowerDFGToB3::compileIsTypedArrayView): 40 (JSC::FTL::DFG::LowerDFGToB3::isTypedArrayView): 41 * runtime/Intrinsic.h: 42 * runtime/JSGlobalObject.cpp: 43 (JSC::JSGlobalObject::init): 44 * runtime/JSTypedArrayViewPrototype.cpp: 45 (JSC::typedArrayViewPrivateFuncIsTypedArrayView): 46 * runtime/JSTypedArrayViewPrototype.h: 47 * tests/stress/istypedarrayview-intrinsic.js: Added. 48 (makeFn): 49 (typedArrays.forEach): 50 (let.test): 51 (test): 52 1 53 2016-06-21 Anders Carlsson <andersca@apple.com> 2 54 -
trunk/Source/JavaScriptCore/builtins/BuiltinNames.h
r202280 r202363 122 122 macro(newTargetLocal) \ 123 123 macro(derivedConstructor) \ 124 macro(isTypedArrayView) \ 124 125 macro(isBoundFunction) \ 125 126 macro(hasInstanceBoundFunction) \ -
trunk/Source/JavaScriptCore/dfg/DFGAbstractInterpreterInlines.h
r202125 r202363 1036 1036 case IsObjectOrNull: 1037 1037 case IsFunction: 1038 case IsRegExpObject: { 1038 case IsRegExpObject: 1039 case IsTypedArrayView: { 1039 1040 AbstractValue child = forNode(node->child1()); 1040 1041 if (child.value()) { … … 1098 1099 setConstant(node, jsBoolean(child.value().isEmpty())); 1099 1100 break; 1101 case IsTypedArrayView: 1102 setConstant(node, jsBoolean(child.value().isObject() && isTypedView(child.value().getObject()->classInfo()->typedArrayStorageType))); 1103 break; 1100 1104 default: 1101 1105 constantWasSet = false; … … 1263 1267 } 1264 1268 if (!(child.m_type & SpecObject)) { 1269 setConstant(node, jsBoolean(false)); 1270 constantWasSet = true; 1271 break; 1272 } 1273 break; 1274 1275 case IsTypedArrayView: 1276 if (!(child.m_type & ~SpecTypedArrayView)) { 1277 setConstant(node, jsBoolean(true)); 1278 constantWasSet = true; 1279 break; 1280 } 1281 if (!(child.m_type & SpecTypedArrayView)) { 1265 1282 setConstant(node, jsBoolean(false)); 1266 1283 constantWasSet = true; -
trunk/Source/JavaScriptCore/dfg/DFGByteCodeParser.cpp
r202125 r202363 2312 2312 Node* isRegExpObject = addToGraph(IsRegExpObject, OpInfo(prediction), get(virtualRegisterForArgument(1, registerOffset))); 2313 2313 set(VirtualRegister(resultOperand), isRegExpObject); 2314 return true; 2315 } 2316 2317 case IsTypedArrayViewIntrinsic: { 2318 ASSERT(argumentCountIncludingThis == 2); 2319 2320 insertChecks(); 2321 set(VirtualRegister(resultOperand), addToGraph(IsTypedArrayView, OpInfo(prediction), get(virtualRegisterForArgument(1, registerOffset)))); 2314 2322 return true; 2315 2323 } -
trunk/Source/JavaScriptCore/dfg/DFGClobberize.h
r202125 r202363 173 173 case IsObject: 174 174 case IsRegExpObject: 175 case IsTypedArrayView: 175 176 case LogicalNot: 176 177 case CheckInBounds: -
trunk/Source/JavaScriptCore/dfg/DFGDoesGC.cpp
r202125 r202363 166 166 case IsFunction: 167 167 case IsRegExpObject: 168 case IsTypedArrayView: 168 169 case TypeOf: 169 170 case LogicalNot: -
trunk/Source/JavaScriptCore/dfg/DFGFixupPhase.cpp
r202125 r202363 1548 1548 case DeleteByVal: 1549 1549 case IsJSArray: 1550 case IsTypedArrayView: 1550 1551 case IsEmpty: 1551 1552 case IsUndefined: -
trunk/Source/JavaScriptCore/dfg/DFGNodeType.h
r202125 r202363 318 318 macro(IsFunction, NodeResultBoolean) \ 319 319 macro(IsRegExpObject, NodeResultBoolean) \ 320 macro(IsTypedArrayView, NodeResultBoolean) \ 320 321 macro(TypeOf, NodeResultJS) \ 321 322 macro(LogicalNot, NodeResultBoolean) \ -
trunk/Source/JavaScriptCore/dfg/DFGPredictionPropagationPhase.cpp
r202125 r202363 793 793 case IsObjectOrNull: 794 794 case IsFunction: 795 case IsRegExpObject: { 795 case IsRegExpObject: 796 case IsTypedArrayView: { 796 797 setPrediction(SpecBoolean); 797 798 break; -
trunk/Source/JavaScriptCore/dfg/DFGSafeToExecute.h
r202125 r202363 267 267 case IsFunction: 268 268 case IsRegExpObject: 269 case IsTypedArrayView: 269 270 case TypeOf: 270 271 case LogicalNot: -
trunk/Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp
r202125 r202363 3445 3445 JITCompiler::Address(valueRegs.payloadGPR(), JSCell::typeInfoTypeOffset()), 3446 3446 TrustedImm32(RegExpObjectType), 3447 resultGPR); 3448 blessBoolean(resultGPR); 3449 JITCompiler::Jump done = m_jit.jump(); 3450 3451 isNotCell.link(&m_jit); 3452 moveFalseTo(resultGPR); 3453 3454 done.link(&m_jit); 3455 blessedBooleanResult(resultGPR, node); 3456 } 3457 3458 void SpeculativeJIT::compileIsTypedArrayView(Node* node) 3459 { 3460 JSValueOperand value(this, node->child1()); 3461 #if USE(JSVALUE64) 3462 GPRTemporary result(this, Reuse, value); 3463 #else 3464 GPRTemporary result(this, Reuse, value, PayloadWord); 3465 #endif 3466 3467 JSValueRegs valueRegs = value.jsValueRegs(); 3468 GPRReg resultGPR = result.gpr(); 3469 3470 JITCompiler::Jump isNotCell = m_jit.branchIfNotCell(valueRegs); 3471 3472 m_jit.load8(JITCompiler::Address(valueRegs.payloadGPR(), JSCell::typeInfoTypeOffset()), resultGPR); 3473 m_jit.sub32(TrustedImm32(Int8ArrayType), resultGPR); 3474 m_jit.compare32(JITCompiler::BelowOrEqual, 3475 resultGPR, 3476 TrustedImm32(Float64ArrayType - Int8ArrayType), 3447 3477 resultGPR); 3448 3478 blessBoolean(resultGPR); -
trunk/Source/JavaScriptCore/dfg/DFGSpeculativeJIT.h
r202125 r202363 755 755 void compileIsJSArray(Node*); 756 756 void compileIsRegExpObject(Node*); 757 void compileIsTypedArrayView(Node*); 757 758 758 759 void emitCall(Node*); -
trunk/Source/JavaScriptCore/dfg/DFGSpeculativeJIT32_64.cpp
r202214 r202363 4734 4734 } 4735 4735 4736 case IsTypedArrayView: { 4737 compileIsTypedArrayView(node); 4738 break; 4739 } 4740 4736 4741 case TypeOf: { 4737 4742 compileTypeOf(node); -
trunk/Source/JavaScriptCore/dfg/DFGSpeculativeJIT64.cpp
r202214 r202363 4659 4659 } 4660 4660 4661 case IsTypedArrayView: { 4662 compileIsTypedArrayView(node); 4663 break; 4664 } 4665 4661 4666 case TypeOf: { 4662 4667 compileTypeOf(node); -
trunk/Source/JavaScriptCore/ftl/FTLCapabilities.cpp
r202125 r202363 188 188 case IsFunction: 189 189 case IsRegExpObject: 190 case IsTypedArrayView: 190 191 case CheckTypeInfoFlags: 191 192 case OverridesHasInstance: -
trunk/Source/JavaScriptCore/ftl/FTLLowerDFGToB3.cpp
r202214 r202363 900 900 case IsRegExpObject: 901 901 compileIsRegExpObject(); 902 break; 903 case IsTypedArrayView: 904 compileIsTypedArrayView(); 902 905 break; 903 906 case TypeOf: … … 6102 6105 LBasicBlock lastNext = m_out.appendTo(isCellCase, continuation); 6103 6106 ValueFromBlock cellResult = m_out.anchor(isRegExpObject(value, provenType(m_node->child1()))); 6107 m_out.jump(continuation); 6108 6109 m_out.appendTo(continuation, lastNext); 6110 setBoolean(m_out.phi(m_out.boolean, notCellResult, cellResult)); 6111 } 6112 6113 void compileIsTypedArrayView() 6114 { 6115 LValue value = lowJSValue(m_node->child1()); 6116 6117 LBasicBlock isCellCase = m_out.newBlock(); 6118 LBasicBlock continuation = m_out.newBlock(); 6119 6120 ValueFromBlock notCellResult = m_out.anchor(m_out.booleanFalse); 6121 m_out.branch(isCell(value, provenType(m_node->child1())), unsure(isCellCase), unsure(continuation)); 6122 6123 LBasicBlock lastNext = m_out.appendTo(isCellCase, continuation); 6124 ValueFromBlock cellResult = m_out.anchor(isTypedArrayView(value, provenType(m_node->child1()))); 6104 6125 m_out.jump(continuation); 6105 6126 … … 10077 10098 m_out.constInt32(ArrayType)); 10078 10099 } 10100 10101 LValue isTypedArrayView(LValue cell, SpeculatedType type = SpecFullTop) 10102 { 10103 if (LValue proven = isProvenValue(type & SpecCell, SpecTypedArrayView)) 10104 return proven; 10105 LValue jsType = m_out.sub( 10106 m_out.load8ZeroExt32(cell, m_heaps.JSCell_typeInfoType), 10107 m_out.constInt32(Int8ArrayType)); 10108 return m_out.belowOrEqual( 10109 jsType, 10110 m_out.constInt32(Float64ArrayType - Int8ArrayType)); 10111 } 10079 10112 10080 10113 LValue isObject(LValue cell, SpeculatedType type = SpecFullTop) -
trunk/Source/JavaScriptCore/runtime/Intrinsic.h
r201049 r202363 61 61 TruncIntrinsic, 62 62 IsRegExpObjectIntrinsic, 63 IsTypedArrayViewIntrinsic, 63 64 BoundThisNoArgsFunctionCallIntrinsic, 64 65 -
trunk/Source/JavaScriptCore/runtime/JSGlobalObject.cpp
r202280 r202363 656 656 JSFunction* privateFuncTypedArrayGetOriginalConstructor = JSFunction::create(vm, this, 0, String(), typedArrayViewPrivateFuncGetOriginalConstructor); 657 657 JSFunction* privateFuncTypedArraySort = JSFunction::create(vm, this, 0, String(), typedArrayViewPrivateFuncSort); 658 JSFunction* privateFuncIsTypedArrayView = JSFunction::create(vm, this, 0, String(), typedArrayViewPrivateFuncIsTypedArrayView, IsTypedArrayViewIntrinsic); 658 659 JSFunction* privateFuncIsBoundFunction = JSFunction::create(vm, this, 0, String(), isBoundFunction); 659 660 JSFunction* privateFuncHasInstanceBoundFunction = JSFunction::create(vm, this, 0, String(), hasInstanceBoundFunction); … … 704 705 GlobalPropertyInfo(vm.propertyNames->builtinNames().typedArrayGetOriginalConstructorPrivateName(), privateFuncTypedArrayGetOriginalConstructor, DontEnum | DontDelete | ReadOnly), 705 706 GlobalPropertyInfo(vm.propertyNames->builtinNames().typedArraySortPrivateName(), privateFuncTypedArraySort, DontEnum | DontDelete | ReadOnly), 707 GlobalPropertyInfo(vm.propertyNames->builtinNames().isTypedArrayViewPrivateName(), privateFuncIsTypedArrayView, DontEnum | DontDelete | ReadOnly), 706 708 GlobalPropertyInfo(vm.propertyNames->builtinNames().isBoundFunctionPrivateName(), privateFuncIsBoundFunction, DontEnum | DontDelete | ReadOnly), 707 709 GlobalPropertyInfo(vm.propertyNames->builtinNames().hasInstanceBoundFunctionPrivateName(), privateFuncHasInstanceBoundFunction, DontEnum | DontDelete | ReadOnly), -
trunk/Source/JavaScriptCore/runtime/JSTypedArrayViewPrototype.cpp
r200422 r202363 64 64 RELEASE_ASSERT_NOT_REACHED(); \ 65 65 } while (false) 66 67 EncodedJSValue JSC_HOST_CALL typedArrayViewPrivateFuncIsTypedArrayView(ExecState* exec) 68 { 69 JSValue value = exec->uncheckedArgument(0); 70 return JSValue::encode(jsBoolean(value.isCell() && isTypedView(value.asCell()->classInfo()->typedArrayStorageType))); 71 } 66 72 67 73 EncodedJSValue JSC_HOST_CALL typedArrayViewPrivateFuncLength(ExecState* exec) -
trunk/Source/JavaScriptCore/runtime/JSTypedArrayViewPrototype.h
r196950 r202363 47 47 }; 48 48 49 EncodedJSValue JSC_HOST_CALL typedArrayViewPrivateFuncIsTypedArrayView(ExecState*); 49 50 EncodedJSValue JSC_HOST_CALL typedArrayViewPrivateFuncSort(ExecState*); 50 51 EncodedJSValue JSC_HOST_CALL typedArrayViewPrivateFuncLength(ExecState*);
Note: See TracChangeset
for help on using the changeset viewer.