Changeset 206289 in webkit

Timestamp:

Sep 22, 2016 8:50:22 PM (8 years ago)

Author:

commit-queue@webkit.org

Message:

[JSC] Use an inline cache to generate op_negate
​https://bugs.webkit.org/show_bug.cgi?id=162371

Patch by Benjamin Poulain <​bpoulain@apple.com> on 2016-09-22
Reviewed by Saam Barati.

JSTests:

• stress/op-negate-inline-cache.js: Added.

Source/JavaScriptCore:

Use an inline cache to reduce the amount of code
required to implement op_negate.

For pure integer negate, the generated asm shrinks
from 147 bytes to 125 bytes (14%).
For double negate, the generated asm shrinks
to 130 bytes (11%).
The average size on Sunspider is 100bytes, this is due
to the op_negates that are never executed and do not
generate much.

• bytecode/ArithProfile.h:

(JSC::ArithProfile::ArithProfile):
(JSC::ArithProfile::observeLHS):
(JSC::ArithProfile::observeLHSAndRHS):

• bytecode/BytecodeList.json:
• bytecode/CodeBlock.cpp:

(JSC::CodeBlock::addJITNegIC):

• bytecode/CodeBlock.h:
• bytecompiler/BytecodeGenerator.cpp:

(JSC::BytecodeGenerator::emitUnaryOp):

• bytecompiler/BytecodeGenerator.h:
• bytecompiler/NodesCodegen.cpp:

(JSC::UnaryOpNode::emitBytecode):

• dfg/DFGSpeculativeJIT.cpp:

(JSC::DFG::SpeculativeJIT::compileMathIC):

• dfg/DFGSpeculativeJIT.h:
• ftl/FTLLowerDFGToB3.cpp:

(JSC::FTL::DFG::LowerDFGToB3::compileMathIC):

• jit/CCallHelpers.h:

(JSC::CCallHelpers::setupArgumentsWithExecState):

• jit/JIT.h:
• jit/JITArithmetic.cpp:

(JSC::JIT::emit_op_negate):
(JSC::JIT::emitSlow_op_negate):
(JSC::JIT::emitMathICFast):
(JSC::JIT::emitMathICSlow):

• jit/JITInlines.h:

(JSC::JIT::callOperation):

• jit/JITMathIC.h:

(JSC::JITMathIC::generateInline):
(JSC::canGenerateWithBinaryProfile):
(JSC::canGenerateWithUnaryProfile):

• jit/JITMathICForwards.h:
• jit/JITNegGenerator.cpp:

(JSC::JITNegGenerator::generateInline):
(JSC::JITNegGenerator::generateFastPath):

• jit/JITNegGenerator.h:

(JSC::JITNegGenerator::JITNegGenerator):
(JSC::JITNegGenerator::arithProfile):
(JSC::JITNegGenerator::didEmitFastPath): Deleted.
(JSC::JITNegGenerator::endJumpList): Deleted.
(JSC::JITNegGenerator::slowPathJumpList): Deleted.

• jit/JITOperations.cpp:
• jit/JITOperations.h:
• llint/LowLevelInterpreter.asm:
• llint/LowLevelInterpreter32_64.asm:
• llint/LowLevelInterpreter64.asm:
• runtime/CommonSlowPaths.cpp:

(JSC::updateArithProfileForUnaryArithOp):
(JSC::SLOW_PATH_DECL):

Location:

trunk

Files:

• JSTests/ChangeLog (modified) (1 diff)
• JSTests/stress/op-negate-inline-cache.js (added)
• Source/JavaScriptCore/ChangeLog (modified) (1 diff)
• Source/JavaScriptCore/bytecode/ArithProfile.h (modified) (4 diffs)
• Source/JavaScriptCore/bytecode/BytecodeList.json (modified) (1 diff)
• Source/JavaScriptCore/bytecode/CodeBlock.cpp (modified) (6 diffs)
• Source/JavaScriptCore/bytecode/CodeBlock.h (modified) (3 diffs)
• Source/JavaScriptCore/bytecompiler/BytecodeGenerator.cpp (modified) (1 diff)
• Source/JavaScriptCore/bytecompiler/BytecodeGenerator.h (modified) (1 diff)
• Source/JavaScriptCore/bytecompiler/NodesCodegen.cpp (modified) (1 diff)
• Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp (modified) (1 diff)
• Source/JavaScriptCore/dfg/DFGSpeculativeJIT.h (modified) (1 diff)
• Source/JavaScriptCore/ftl/FTLLowerDFGToB3.cpp (modified) (1 diff)
• Source/JavaScriptCore/jit/CCallHelpers.h (modified) (4 diffs)
• Source/JavaScriptCore/jit/JIT.h (modified) (3 diffs)
• Source/JavaScriptCore/jit/JITArithmetic.cpp (modified) (7 diffs)
• Source/JavaScriptCore/jit/JITInlines.h (modified) (3 diffs)
• Source/JavaScriptCore/jit/JITMathIC.h (modified) (5 diffs)
• Source/JavaScriptCore/jit/JITMathICForwards.h (modified) (1 diff)
• Source/JavaScriptCore/jit/JITNegGenerator.cpp (modified) (6 diffs)
• Source/JavaScriptCore/jit/JITNegGenerator.h (modified) (3 diffs)
• Source/JavaScriptCore/jit/JITOperations.cpp (modified) (1 diff)
• Source/JavaScriptCore/jit/JITOperations.h (modified) (3 diffs)
• Source/JavaScriptCore/llint/LowLevelInterpreter.asm (modified) (1 diff)
• Source/JavaScriptCore/llint/LowLevelInterpreter32_64.asm (modified) (1 diff)
• Source/JavaScriptCore/llint/LowLevelInterpreter64.asm (modified) (1 diff)
• Source/JavaScriptCore/runtime/CommonSlowPaths.cpp (modified) (3 diffs)

trunk/JSTests/ChangeLog

@@ +1 @@
+2016-09-22  Benjamin Poulain  <bpoulain@apple.com>
+
+        [JSC] Use an inline cache to generate op_negate
+        https://bugs.webkit.org/show_bug.cgi?id=162371
+
+        Reviewed by Saam Barati.
+
+        * stress/op-negate-inline-cache.js: Added.
+
 2016-09-22  Mark Lam  <mark.lam@apple.com>
 

trunk/Source/JavaScriptCore/ChangeLog

@@ +1 @@
+2016-09-22  Benjamin Poulain  <bpoulain@apple.com>
+
+        [JSC] Use an inline cache to generate op_negate
+        https://bugs.webkit.org/show_bug.cgi?id=162371
+
+        Reviewed by Saam Barati.
+
+        Use an inline cache to reduce the amount of code
+        required to implement op_negate.
+
+        For pure integer negate, the generated asm shrinks
+        from 147 bytes to 125 bytes (14%).
+        For double negate, the generated asm shrinks
+        to 130 bytes (11%).
+        The average size on Sunspider is 100bytes, this is due
+        to the op_negates that are never executed and do not
+        generate much.
+
+        * bytecode/ArithProfile.h:
+        (JSC::ArithProfile::ArithProfile):
+        (JSC::ArithProfile::observeLHS):
+        (JSC::ArithProfile::observeLHSAndRHS):
+        * bytecode/BytecodeList.json:
+        * bytecode/CodeBlock.cpp:
+        (JSC::CodeBlock::addJITNegIC):
+        * bytecode/CodeBlock.h:
+        * bytecompiler/BytecodeGenerator.cpp:
+        (JSC::BytecodeGenerator::emitUnaryOp):
+        * bytecompiler/BytecodeGenerator.h:
+        * bytecompiler/NodesCodegen.cpp:
+        (JSC::UnaryOpNode::emitBytecode):
+        * dfg/DFGSpeculativeJIT.cpp:
+        (JSC::DFG::SpeculativeJIT::compileMathIC):
+        * dfg/DFGSpeculativeJIT.h:
+        * ftl/FTLLowerDFGToB3.cpp:
+        (JSC::FTL::DFG::LowerDFGToB3::compileMathIC):
+        * jit/CCallHelpers.h:
+        (JSC::CCallHelpers::setupArgumentsWithExecState):
+        * jit/JIT.h:
+        * jit/JITArithmetic.cpp:
+        (JSC::JIT::emit_op_negate):
+        (JSC::JIT::emitSlow_op_negate):
+        (JSC::JIT::emitMathICFast):
+        (JSC::JIT::emitMathICSlow):
+        * jit/JITInlines.h:
+        (JSC::JIT::callOperation):
+        * jit/JITMathIC.h:
+        (JSC::JITMathIC::generateInline):
+        (JSC::canGenerateWithBinaryProfile):
+        (JSC::canGenerateWithUnaryProfile):
+        * jit/JITMathICForwards.h:
+        * jit/JITNegGenerator.cpp:
+        (JSC::JITNegGenerator::generateInline):
+        (JSC::JITNegGenerator::generateFastPath):
+        * jit/JITNegGenerator.h:
+        (JSC::JITNegGenerator::JITNegGenerator):
+        (JSC::JITNegGenerator::arithProfile):
+        (JSC::JITNegGenerator::didEmitFastPath): Deleted.
+        (JSC::JITNegGenerator::endJumpList): Deleted.
+        (JSC::JITNegGenerator::slowPathJumpList): Deleted.
+        * jit/JITOperations.cpp:
+        * jit/JITOperations.h:
+        * llint/LowLevelInterpreter.asm:
+        * llint/LowLevelInterpreter32_64.asm:
+        * llint/LowLevelInterpreter64.asm:
+        * runtime/CommonSlowPaths.cpp:
+        (JSC::updateArithProfileForUnaryArithOp):
+        (JSC::SLOW_PATH_DECL):
+
 2016-09-22  Mark Lam  <mark.lam@apple.com>
 

trunk/Source/JavaScriptCore/bytecode/ArithProfile.h

@@ -88 +88 @@
     static_assert(specialFastPathBit > ~clearLhsObservedTypeBitMask, "These bits should not intersect and specialFastPathBit should be a higher bit.");
 
+    ArithProfile(ResultType arg)
+    {
+        m_bits = (arg.bits() << lhsResultTypeShift);
+        ASSERT(lhsResultType().bits() == arg.bits());
+        ASSERT(lhsObservedType().isEmpty());
+        ASSERT(rhsObservedType().isEmpty());
+    }
+
     ArithProfile(ResultType lhs, ResultType rhs)
     {
@@ -95 +103 @@
         ASSERT(rhsObservedType().isEmpty());
     }
-    ArithProfile() { }
+    ArithProfile() = default;
 
     static ArithProfile fromInt(uint32_t bits)
@@ -171 +179 @@
     void rhsSawNonNumber() { setRhsObservedType(rhsObservedType().withNonNumber()); }
 
-    void observeLHSAndRHS(JSValue lhs, JSValue rhs)
+    void observeLHS(JSValue lhs)
     {
         ArithProfile newProfile = *this;
@@ -182 +190 @@
             newProfile.lhsSawNonNumber();
 
+        m_bits = newProfile.bits();
+    }
+
+    void observeLHSAndRHS(JSValue lhs, JSValue rhs)
+    {
+        observeLHS(lhs);
+
+        ArithProfile newProfile = *this;
         if (rhs.isNumber()) {
             if (rhs.isInt32())

trunk/Source/JavaScriptCore/bytecode/BytecodeList.json

@@ -34 +34 @@
             { "name" : "op_to_number", "length" : 4 },
             { "name" : "op_to_string", "length" : 3 },
-            { "name" : "op_negate", "length" : 3 },
+            { "name" : "op_negate", "length" : 4 },
             { "name" : "op_add", "length" : 5 },
             { "name" : "op_mul", "length" : 5 },

trunk/Source/JavaScriptCore/bytecode/CodeBlock.cpp

@@ -3014 +3014 @@
 {
     return m_subICs.add();
+}
+
+JITNegIC* CodeBlock::addJITNegIC()
+{
+    return m_negICs.add();
 }
 
@@ -4355 +4360 @@
 ArithProfile* CodeBlock::arithProfileForBytecodeOffset(int bytecodeOffset)
 {
-    auto opcodeID = vm()->interpreter->getOpcodeID(instructions()[bytecodeOffset].u.opcode);
+    return arithProfileForPC(instructions().begin() + bytecodeOffset);
+}
+
+ArithProfile* CodeBlock::arithProfileForPC(Instruction* pc)
+{
+    auto opcodeID = vm()->interpreter->getOpcodeID(pc[0].u.opcode);
     switch (opcodeID) {
+    case op_negate:
+        return bitwise_cast<ArithProfile*>(&pc[3].u.operand);
     case op_bitor:
     case op_bitand:
@@ -4364 +4376 @@
     case op_sub:
     case op_div:
+        return bitwise_cast<ArithProfile*>(&pc[4].u.operand);
+    default:
         break;
-    default:
-        return nullptr;
-    }
-
-    return &arithProfileForPC(instructions().begin() + bytecodeOffset);
-}
-
-ArithProfile& CodeBlock::arithProfileForPC(Instruction* pc)
-{
-    if (!ASSERT_DISABLED) {
-        ASSERT(pc >= instructions().begin() && pc < instructions().end());
-        auto opcodeID = vm()->interpreter->getOpcodeID(pc[0].u.opcode);
-        switch (opcodeID) {
-        case op_bitor:
-        case op_bitand:
-        case op_bitxor:
-        case op_add:
-        case op_mul:
-        case op_sub:
-        case op_div:
-            break;
-        default:
-            ASSERT_NOT_REACHED();
-        }
-    }
-
-    return *bitwise_cast<ArithProfile*>(&pc[4].u.operand);
+    }
+
+    return nullptr;
 }
 
@@ -4563 +4553 @@
     double numMuls = 0.0;
     double totalMulSize = 0.0;
+    double numNegs = 0.0;
+    double totalNegSize = 0.0;
     double numSubs = 0.0;
     double totalSubSize = 0.0;
@@ -4575 +4567 @@
             numMuls++;
             totalMulSize += mulIC->codeSize();
+        }
+
+        for (JITNegIC* negIC : codeBlock->m_negICs) {
+            numNegs++;
+            totalNegSize += negIC->codeSize();
         }
 
@@ -4594 +4591 @@
     dataLog("Average Mul size: ", totalMulSize / numMuls, "\n");
     dataLog("\n");
+    dataLog("Num Negs: ", numNegs, "\n");
+    dataLog("Total Neg size in bytes: ", totalNegSize, "\n");
+    dataLog("Average Neg size: ", totalNegSize / numNegs, "\n");
+    dataLog("\n");
     dataLog("Num Subs: ", numSubs, "\n");
     dataLog("Total Sub size in bytes: ", totalSubSize, "\n");

trunk/Source/JavaScriptCore/bytecode/CodeBlock.h

@@ -246 +246 @@
     JITAddIC* addJITAddIC();
     JITMulIC* addJITMulIC();
+    JITNegIC* addJITNegIC();
     JITSubIC* addJITSubIC();
     Bag<StructureStubInfo>::iterator stubInfoBegin() { return m_stubInfos.begin(); }
@@ -448 +449 @@
 
     ArithProfile* arithProfileForBytecodeOffset(int bytecodeOffset);
-    ArithProfile& arithProfileForPC(Instruction*);
+    ArithProfile* arithProfileForPC(Instruction*);
 
     bool couldTakeSpecialFastCase(int bytecodeOffset);
@@ -998 +999 @@
     Bag<JITAddIC> m_addICs;
     Bag<JITMulIC> m_mulICs;
+    Bag<JITNegIC> m_negICs;
     Bag<JITSubIC> m_subICs;
     Bag<ByValInfo> m_byValInfos;

trunk/Source/JavaScriptCore/bytecompiler/BytecodeGenerator.cpp

@@ -1580 +1580 @@
 RegisterID* BytecodeGenerator::emitUnaryOp(OpcodeID opcodeID, RegisterID* dst, RegisterID* src)
 {
-    ASSERT_WITH_MESSAGE(op_to_number != opcodeID, "op_to_number is profiled.");
+    ASSERT_WITH_MESSAGE(op_to_number != opcodeID, "op_to_number has a Value Profile.");
+    ASSERT_WITH_MESSAGE(op_negate != opcodeID, "op_negate has an Arith Profile.");
     emitOpcode(opcodeID);
     instructions().append(dst->index());
     instructions().append(src->index());
+
+    return dst;
+}
+
+RegisterID* BytecodeGenerator::emitUnaryOp(OpcodeID opcodeID, RegisterID* dst, RegisterID* src, OperandTypes types)
+{
+    ASSERT_WITH_MESSAGE(op_to_number != opcodeID, "op_to_number has a Value Profile.");
+    emitOpcode(opcodeID);
+    instructions().append(dst->index());
+    instructions().append(src->index());
+
+    if (opcodeID == op_negate)
+        instructions().append(ArithProfile(types.first()).bits());
     return dst;
 }

trunk/Source/JavaScriptCore/bytecompiler/BytecodeGenerator.h

@@ -512 +512 @@
 
         RegisterID* emitUnaryOp(OpcodeID, RegisterID* dst, RegisterID* src);
+        RegisterID* emitUnaryOp(OpcodeID, RegisterID* dst, RegisterID* src, OperandTypes);
         RegisterID* emitUnaryOpProfiled(OpcodeID, RegisterID* dst, RegisterID* src);
         RegisterID* emitBinaryOp(OpcodeID, RegisterID* dst, RegisterID* src1, RegisterID* src2, OperandTypes);

trunk/Source/JavaScriptCore/bytecompiler/NodesCodegen.cpp

@@ -1607 +1607 @@
     RefPtr<RegisterID> src = generator.emitNode(m_expr);
     generator.emitExpressionInfo(position(), position(), position());
-    return generator.emitUnaryOp(opcodeID(), generator.finalDestination(dst), src.get());
+    return generator.emitUnaryOp(opcodeID(), generator.finalDestination(dst), src.get(), OperandTypes(m_expr->resultDescriptor()));
 }
 

trunk/Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp

@@ -3433 +3433 @@
 
 template <typename Generator, typename RepatchingFunction, typename NonRepatchingFunction>
-void SpeculativeJIT::compileMathIC(Node* node, JITMathIC<Generator>* mathIC, bool needsScratchGPRReg, bool needsScratchFPRReg, RepatchingFunction repatchingFunction, NonRepatchingFunction nonRepatchingFunction)
+void SpeculativeJIT::compileMathIC(Node* node, JITBinaryMathIC<Generator>* mathIC, bool needsScratchGPRReg, bool needsScratchFPRReg, RepatchingFunction repatchingFunction, NonRepatchingFunction nonRepatchingFunction)
 {
     Edge& leftChild = node->child1();

trunk/Source/JavaScriptCore/dfg/DFGSpeculativeJIT.h

@@ -2516 +2516 @@
 
     template <typename Generator, typename RepatchingFunction, typename NonRepatchingFunction>
-    void compileMathIC(Node*, JITMathIC<Generator>*, bool needsScratchGPRReg, bool needsScratchFPRReg, RepatchingFunction, NonRepatchingFunction);
+    void compileMathIC(Node*, JITBinaryMathIC<Generator>*, bool needsScratchGPRReg, bool needsScratchFPRReg, RepatchingFunction, NonRepatchingFunction);
 
     void compileArithDoubleUnaryOp(Node*, double (*doubleFunction)(double), double (*operation)(ExecState*, EncodedJSValue));

trunk/Source/JavaScriptCore/ftl/FTLLowerDFGToB3.cpp

@@ -1561 +1561 @@
 
     template <typename Generator>
-    void compileMathIC(JITMathIC<Generator>* mathIC, FunctionPtr repatchingFunction, FunctionPtr nonRepatchingFunction)
+    void compileMathIC(JITBinaryMathIC<Generator>* mathIC, FunctionPtr repatchingFunction, FunctionPtr nonRepatchingFunction)
     {
         Node* node = m_node;

trunk/Source/JavaScriptCore/jit/CCallHelpers.h

@@ -353 +353 @@
 
     ALWAYS_INLINE void setupArgumentsWithExecState(GPRReg arg1, GPRReg arg2, TrustedImmPtr arg3, TrustedImm32 arg4)
+    {
+        resetCallArguments();
+        addCallArgument(GPRInfo::callFrameRegister);
+        addCallArgument(arg1);
+        addCallArgument(arg2);
+        addCallArgument(arg3);
+        addCallArgument(arg4);
+    }
+
+    ALWAYS_INLINE void setupArgumentsWithExecState(GPRReg arg1, GPRReg arg2, TrustedImmPtr arg3, TrustedImmPtr arg4)
     {
         resetCallArguments();
@@ -2267 +2277 @@
     }
 #endif
+
+    void setupArgumentsWithExecState(JSValueRegs arg)
+    {
+#if USE(JSVALUE64)
+        setupArgumentsWithExecState(arg.gpr());
+#else
+        setupArgumentsWithExecState(EABI_32BIT_DUMMY_ARG arg.payloadGPR(), arg.tagGPR());
+#endif
+    }
     
     void setupArgumentsWithExecState(JSValueRegs arg1, JSValueRegs arg2)
@@ -2277 +2296 @@
     }
 
+    void setupArgumentsWithExecState(JSValueRegs arg1, TrustedImmPtr arg2)
+    {
+#if USE(JSVALUE64)
+        setupArgumentsWithExecState(arg1.gpr(), arg2);
+#else
+        setupArgumentsWithExecState(EABI_32BIT_DUMMY_ARG arg1.payloadGPR(), arg1.tagGPR(), arg2);
+#endif
+    }
+
     void setupArgumentsWithExecState(JSValueRegs arg1, JSValueRegs arg2, TrustedImmPtr arg3)
     {
@@ -2292 +2320 @@
 #else
         setupArgumentsWithExecState(EABI_32BIT_DUMMY_ARG arg1.payloadGPR(), arg1.tagGPR(), arg2.payloadGPR(), arg2.tagGPR(), arg3, arg4);
+#endif
+    }
+
+    void setupArgumentsWithExecState(JSValueRegs arg1, TrustedImmPtr arg2, TrustedImmPtr arg3)
+    {
+#if USE(JSVALUE64)
+        setupArgumentsWithExecState(arg1.gpr(), arg2, arg3);
+#else
+        setupArgumentsWithExecState(EABI_32BIT_DUMMY_ARG arg1.payloadGPR(), arg1.tagGPR(), arg2, arg3);
 #endif
     }

trunk/Source/JavaScriptCore/jit/JIT.h

@@ -698 +698 @@
 
         template <typename Generator, typename ProfiledFunction, typename NonProfiledFunction>
-        void emitMathICFast(JITMathIC<Generator>*, Instruction*, ProfiledFunction, NonProfiledFunction);
+        void emitMathICFast(JITUnaryMathIC<Generator>*, Instruction*, ProfiledFunction, NonProfiledFunction);
+        template <typename Generator, typename ProfiledFunction, typename NonProfiledFunction>
+        void emitMathICFast(JITBinaryMathIC<Generator>*, Instruction*, ProfiledFunction, NonProfiledFunction);
 
         template <typename Generator, typename ProfiledRepatchFunction, typename ProfiledFunction, typename RepatchFunction>
-        void emitMathICSlow(JITMathIC<Generator>*, Instruction*, ProfiledRepatchFunction, ProfiledFunction, RepatchFunction);
+        void emitMathICSlow(JITBinaryMathIC<Generator>*, Instruction*, ProfiledRepatchFunction, ProfiledFunction, RepatchFunction);
+        template <typename Generator, typename ProfiledRepatchFunction, typename ProfiledFunction, typename RepatchFunction>
+        void emitMathICSlow(JITUnaryMathIC<Generator>*, Instruction*, ProfiledRepatchFunction, ProfiledFunction, RepatchFunction);
 
         Jump getSlowCase(Vector<SlowCaseEntry>::iterator& iter)
@@ -746 +750 @@
         MacroAssembler::Call callOperation(V_JITOperation_EC, JSCell*);
         MacroAssembler::Call callOperation(J_JITOperation_EJ, int, GPRReg);
+        MacroAssembler::Call callOperation(J_JITOperation_EJ, JSValueRegs, JSValueRegs);
 #if USE(JSVALUE64)
         MacroAssembler::Call callOperation(J_JITOperation_ESsiJI, int, StructureStubInfo*, GPRReg, UniquedStringImpl*);
@@ -755 +760 @@
         MacroAssembler::Call callOperation(J_JITOperation_EJI, int, GPRReg, UniquedStringImpl*);
         MacroAssembler::Call callOperation(J_JITOperation_EJJ, int, GPRReg, GPRReg);
+        MacroAssembler::Call callOperation(J_JITOperation_EJArp, JSValueRegs, JSValueRegs, ArithProfile*);
         MacroAssembler::Call callOperation(J_JITOperation_EJJArp, JSValueRegs, JSValueRegs, JSValueRegs, ArithProfile*);
         MacroAssembler::Call callOperation(J_JITOperation_EJJ, JSValueRegs, JSValueRegs, JSValueRegs);
         MacroAssembler::Call callOperation(J_JITOperation_EJJArpMic, JSValueRegs, JSValueRegs, JSValueRegs, ArithProfile*, TrustedImmPtr);
+        MacroAssembler::Call callOperation(J_JITOperation_EJMic, JSValueRegs, JSValueRegs, TrustedImmPtr);
         MacroAssembler::Call callOperation(J_JITOperation_EJJMic, JSValueRegs, JSValueRegs, JSValueRegs, TrustedImmPtr);
         MacroAssembler::Call callOperation(J_JITOperation_EJJAp, int, GPRReg, GPRReg, ArrayProfile*);

trunk/Source/JavaScriptCore/jit/JITArithmetic.cpp

@@ -470 +470 @@
 void JIT::emit_op_negate(Instruction* currentInstruction)
 {
-    int result = currentInstruction[1].u.operand;
-    int src = currentInstruction[2].u.operand;
-
-#if USE(JSVALUE64)
-    JSValueRegs srcRegs = JSValueRegs(regT0);
-    JSValueRegs resultRegs = srcRegs;
-    GPRReg scratchGPR = regT2;
-#else
-    JSValueRegs srcRegs = JSValueRegs(regT1, regT0);
-    JSValueRegs resultRegs = srcRegs;
-    GPRReg scratchGPR = regT4;
-#endif
-
-    emitGetVirtualRegister(src, srcRegs);
-
-    JITNegGenerator gen(resultRegs, srcRegs, scratchGPR);
-    gen.generateFastPath(*this);
-
-    ASSERT(gen.didEmitFastPath());
-    gen.endJumpList().link(this);
-    emitPutVirtualRegister(result, resultRegs);
-
-    addSlowCase(gen.slowPathJumpList());
+    JITNegIC* negateIC = m_codeBlock->addJITNegIC();
+    m_instructionToMathIC.add(currentInstruction, negateIC);
+    emitMathICFast(negateIC, currentInstruction, operationArithNegateProfiled, operationArithNegate);
 }
 
@@ -499 +479 @@
     linkAllSlowCasesForBytecodeOffset(m_slowCases, iter, m_bytecodeOffset);
 
-    JITSlowPathCall slowPathCall(this, currentInstruction, slow_path_negate);
-    slowPathCall.call();
+    JITNegIC* negIC = bitwise_cast<JITNegIC*>(m_instructionToMathIC.get(currentInstruction));
+    emitMathICSlow(negIC, currentInstruction, operationArithNegateProfiledOptimize, operationArithNegateProfiled, operationArithNegateOptimize);
 }
 
@@ -699 +679 @@
 
 template <typename Generator, typename ProfiledFunction, typename NonProfiledFunction>
-void JIT::emitMathICFast(JITMathIC<Generator>* mathIC, Instruction* currentInstruction, ProfiledFunction profiledFunction, NonProfiledFunction nonProfiledFunction)
+void JIT::emitMathICFast(JITUnaryMathIC<Generator>* mathIC, Instruction* currentInstruction, ProfiledFunction profiledFunction, NonProfiledFunction nonProfiledFunction)
+{
+    int result = currentInstruction[1].u.operand;
+    int operand = currentInstruction[2].u.operand;
+
+#if USE(JSVALUE64)
+    // ArithNegate benefits from using the same register as src and dst.
+    // Since regT1==argumentGPR1, using regT1 avoid shuffling register to call the slow path.
+    JSValueRegs srcRegs = JSValueRegs(regT1);
+    JSValueRegs resultRegs = JSValueRegs(regT1);
+    GPRReg scratchGPR = regT2;
+#else
+    JSValueRegs srcRegs = JSValueRegs(regT1, regT0);
+    JSValueRegs resultRegs = JSValueRegs(regT3, regT2);
+    GPRReg scratchGPR = regT4;
+#endif
+
+#if ENABLE(MATH_IC_STATS)
+    auto inlineStart = label();
+#endif
+
+    ArithProfile& arithProfile = *bitwise_cast<ArithProfile*>(&currentInstruction[3].u.operand);
+    mathIC->m_generator = Generator(resultRegs, srcRegs, scratchGPR, arithProfile);
+
+    emitGetVirtualRegister(operand, srcRegs);
+
+    MathICGenerationState& mathICGenerationState = m_instructionToMathICGenerationState.add(currentInstruction, MathICGenerationState()).iterator->value;
+
+    bool generatedInlineCode = mathIC->generateInline(*this, mathICGenerationState);
+    if (!generatedInlineCode) {
+        if (shouldEmitProfiling())
+            callOperation(profiledFunction, resultRegs, srcRegs, &arithProfile);
+        else
+            callOperation(nonProfiledFunction, resultRegs, srcRegs);
+    } else
+        addSlowCase(mathICGenerationState.slowPathJumps);
+
+#if ENABLE(MATH_IC_STATS)
+    auto inlineEnd = label();
+    addLinkTask([=] (LinkBuffer& linkBuffer) {
+        size_t size = static_cast<char*>(linkBuffer.locationOf(inlineEnd).executableAddress()) - static_cast<char*>(linkBuffer.locationOf(inlineStart).executableAddress());
+        mathIC->m_generatedCodeSize += size;
+    });
+#endif
+
+    emitPutVirtualRegister(result, resultRegs);
+}
+
+template <typename Generator, typename ProfiledFunction, typename NonProfiledFunction>
+void JIT::emitMathICFast(JITBinaryMathIC<Generator>* mathIC, Instruction* currentInstruction, ProfiledFunction profiledFunction, NonProfiledFunction nonProfiledFunction)
 {
     int result = currentInstruction[1].u.operand;
@@ -723 +752 @@
     ArithProfile* arithProfile = nullptr;
     if (shouldEmitProfiling())
-        arithProfile = &m_codeBlock->arithProfileForPC(currentInstruction);
+        arithProfile = m_codeBlock->arithProfileForPC(currentInstruction);
 
     SnippetOperand leftOperand(types.first());
@@ -775 +804 @@
 
 template <typename Generator, typename ProfiledRepatchFunction, typename ProfiledFunction, typename RepatchFunction>
-void JIT::emitMathICSlow(JITMathIC<Generator>* mathIC, Instruction* currentInstruction, ProfiledRepatchFunction profiledRepatchFunction, ProfiledFunction profiledFunction, RepatchFunction repatchFunction)
+void JIT::emitMathICSlow(JITUnaryMathIC<Generator>* mathIC, Instruction* currentInstruction, ProfiledRepatchFunction profiledRepatchFunction, ProfiledFunction profiledFunction, RepatchFunction repatchFunction)
+{
+    MathICGenerationState& mathICGenerationState = m_instructionToMathICGenerationState.find(currentInstruction)->value;
+    mathICGenerationState.slowPathStart = label();
+
+    int result = currentInstruction[1].u.operand;
+
+#if USE(JSVALUE64)
+    JSValueRegs srcRegs = JSValueRegs(regT1);
+    JSValueRegs resultRegs = JSValueRegs(regT0);
+#else
+    JSValueRegs srcRegs = JSValueRegs(regT1, regT0);
+    JSValueRegs resultRegs = JSValueRegs(regT3, regT2);
+#endif
+
+#if ENABLE(MATH_IC_STATS)
+    auto slowPathStart = label();
+#endif
+
+    if (shouldEmitProfiling()) {
+        ArithProfile* arithProfile = bitwise_cast<ArithProfile*>(&currentInstruction[3].u.operand);
+        if (mathICGenerationState.shouldSlowPathRepatch)
+            mathICGenerationState.slowPathCall = callOperation(reinterpret_cast<J_JITOperation_EJMic>(profiledRepatchFunction), resultRegs, srcRegs, TrustedImmPtr(mathIC));
+        else
+            mathICGenerationState.slowPathCall = callOperation(profiledFunction, resultRegs, srcRegs, arithProfile);
+    } else
+        mathICGenerationState.slowPathCall = callOperation(reinterpret_cast<J_JITOperation_EJMic>(repatchFunction), resultRegs, srcRegs, TrustedImmPtr(mathIC));
+
+#if ENABLE(MATH_IC_STATS)
+    auto slowPathEnd = label();
+    addLinkTask([=] (LinkBuffer& linkBuffer) {
+        size_t size = static_cast<char*>(linkBuffer.locationOf(slowPathEnd).executableAddress()) - static_cast<char*>(linkBuffer.locationOf(slowPathStart).executableAddress());
+        mathIC->m_generatedCodeSize += size;
+    });
+#endif
+
+    emitPutVirtualRegister(result, resultRegs);
+
+    addLinkTask([=] (LinkBuffer& linkBuffer) {
+        MathICGenerationState& mathICGenerationState = m_instructionToMathICGenerationState.find(currentInstruction)->value;
+        mathIC->finalizeInlineCode(mathICGenerationState, linkBuffer);
+    });
+}
+
+template <typename Generator, typename ProfiledRepatchFunction, typename ProfiledFunction, typename RepatchFunction>
+void JIT::emitMathICSlow(JITBinaryMathIC<Generator>* mathIC, Instruction* currentInstruction, ProfiledRepatchFunction profiledRepatchFunction, ProfiledFunction profiledFunction, RepatchFunction repatchFunction)
 {
     MathICGenerationState& mathICGenerationState = m_instructionToMathICGenerationState.find(currentInstruction)->value;
@@ -816 +890 @@
 
     if (shouldEmitProfiling()) {
-        ArithProfile& arithProfile = m_codeBlock->arithProfileForPC(currentInstruction);
+        ArithProfile& arithProfile = *m_codeBlock->arithProfileForPC(currentInstruction);
         if (mathICGenerationState.shouldSlowPathRepatch)
             mathICGenerationState.slowPathCall = callOperation(bitwise_cast<J_JITOperation_EJJArpMic>(profiledRepatchFunction), resultRegs, leftRegs, rightRegs, &arithProfile, TrustedImmPtr(mathIC));
@@ -863 +937 @@
     ArithProfile* arithProfile = nullptr;
     if (shouldEmitProfiling())
-        arithProfile = &m_codeBlock->arithProfileForPC(currentInstruction);
+        arithProfile = m_codeBlock->arithProfileForPC(currentInstruction);
 
     SnippetOperand leftOperand(types.first());

trunk/Source/JavaScriptCore/jit/JITInlines.h

@@ -417 +417 @@
 }
 
+ALWAYS_INLINE MacroAssembler::Call JIT::callOperation(J_JITOperation_EJ operation, JSValueRegs result, JSValueRegs arg)
+{
+    setupArgumentsWithExecState(arg);
+    Call call = appendCallWithExceptionCheck(operation);
+    setupResults(result);
+    return call;
+}
+
 ALWAYS_INLINE MacroAssembler::Call JIT::callOperation(J_JITOperation_EJJ operation, JSValueRegs result, JSValueRegs arg1, JSValueRegs arg2)
 {
@@ -425 +433 @@
 }
 
+ALWAYS_INLINE MacroAssembler::Call JIT::callOperation(J_JITOperation_EJArp operation, JSValueRegs result, JSValueRegs operand, ArithProfile* arithProfile)
+{
+    setupArgumentsWithExecState(operand, TrustedImmPtr(arithProfile));
+    Call call = appendCallWithExceptionCheck(operation);
+    setupResults(result);
+    return call;
+}
+
 ALWAYS_INLINE MacroAssembler::Call JIT::callOperation(J_JITOperation_EJJArp operation, JSValueRegs result, JSValueRegs arg1, JSValueRegs arg2, ArithProfile* arithProfile)
 {
@@ -436 +452 @@
 {
     setupArgumentsWithExecState(arg1, arg2, TrustedImmPtr(arithProfile), mathIC);
+    Call call = appendCallWithExceptionCheck(operation);
+    setupResults(result);
+    return call;
+}
+
+ALWAYS_INLINE MacroAssembler::Call JIT::callOperation(J_JITOperation_EJMic operation, JSValueRegs result, JSValueRegs arg, TrustedImmPtr mathIC)
+{
+    setupArgumentsWithExecState(arg, mathIC);
     Call call = appendCallWithExceptionCheck(operation);
     setupResults(result);

trunk/Source/JavaScriptCore/jit/JITMathIC.h

@@ -33 +33 @@
 #include "JITMathICInlineResult.h"
 #include "JITMulGenerator.h"
+#include "JITNegGenerator.h"
 #include "JITSubGenerator.h"
 #include "LinkBuffer.h"
@@ -53 +54 @@
 #define ENABLE_MATH_IC_STATS 0
 
-template <typename GeneratorType>
+template <typename GeneratorType, bool(*isProfileEmpty)(ArithProfile*)>
 class JITMathIC {
 public:
@@ -73 +74 @@
 
         if (ArithProfile* arithProfile = m_generator.arithProfile()) {
-            if (arithProfile->lhsObservedType().isEmpty() || arithProfile->rhsObservedType().isEmpty()) {
+            if (!isProfileEmpty(arithProfile)) {
                 // It looks like the MathIC has yet to execute. We don't want to emit code in this
                 // case for a couple reasons. First, the operation may never execute, so if we don't emit
                 // code, it's a win. Second, if the operation does execute, we can emit better code
-                // once we have an idea about the types of lhs and rhs.
+                // once we have an idea about the types.
                 state.slowPathJumps.append(jit.patchableJump());
                 size_t inlineSize = jit.m_assembler.buffer().codeSize() - startSize;
@@ -83 +84 @@
                 state.shouldSlowPathRepatch = true;
                 state.fastPathEnd = jit.label();
-                ASSERT(!m_generateFastPathOnRepatch); // We should have gathered some observed type info for lhs and rhs before trying to regenerate again.
+                ASSERT(!m_generateFastPathOnRepatch); // We should have gathered some observed type info about the types before trying to regenerate again.
                 m_generateFastPathOnRepatch = true;
                 return true;
@@ -244 +245 @@
 };
 
-typedef JITMathIC<JITAddGenerator> JITAddIC;
-typedef JITMathIC<JITMulGenerator> JITMulIC;
-typedef JITMathIC<JITSubGenerator> JITSubIC;
+inline bool canGenerateWithBinaryProfile(ArithProfile* arithProfile)
+{
+    return !arithProfile->lhsObservedType().isEmpty() && !arithProfile->rhsObservedType().isEmpty();
+}
+template <typename GeneratorType>
+class JITBinaryMathIC : public JITMathIC<GeneratorType, canGenerateWithBinaryProfile> { };
+
+typedef JITBinaryMathIC<JITAddGenerator> JITAddIC;
+typedef JITBinaryMathIC<JITMulGenerator> JITMulIC;
+typedef JITBinaryMathIC<JITSubGenerator> JITSubIC;
+
+
+inline bool canGenerateWithUnaryProfile(ArithProfile* arithProfile)
+{
+    return !arithProfile->lhsObservedType().isEmpty();
+}
+template <typename GeneratorType>
+class JITUnaryMathIC : public JITMathIC<GeneratorType, canGenerateWithUnaryProfile> { };
+
+typedef JITUnaryMathIC<JITNegGenerator> JITNegIC;
 
 } // namespace JSC

trunk/Source/JavaScriptCore/jit/JITMathICForwards.h

@@ -30 +30 @@
 namespace JSC {
 
-template <typename Generator> class JITMathIC;
+template <typename Generator> class JITBinaryMathIC;
+template <typename Generator> class JITUnaryMathIC;
 class JITAddGenerator;
 class JITMulGenerator;
+class JITNegGenerator;
 class JITSubGenerator;
 
-typedef JITMathIC<JITAddGenerator> JITAddIC;
-typedef JITMathIC<JITMulGenerator> JITMulIC;
-typedef JITMathIC<JITSubGenerator> JITSubIC;
+typedef JITBinaryMathIC<JITAddGenerator> JITAddIC;
+typedef JITBinaryMathIC<JITMulGenerator> JITMulIC;
+typedef JITUnaryMathIC<JITNegGenerator> JITNegIC;
+typedef JITBinaryMathIC<JITSubGenerator> JITSubIC;
 
 } // namespace JSC

trunk/Source/JavaScriptCore/jit/JITNegGenerator.cpp

@@ -1 +1 @@
 /*
- * Copyright (C) 2015 Apple Inc. All rights reserved.
+ * Copyright (C) 2015, 2016 Apple Inc. All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
@@ -27 +27 @@
 #include "JITNegGenerator.h"
 
+#include "ArithProfile.h"
+
 #if ENABLE(JIT)
 
 namespace JSC {
 
-void JITNegGenerator::generateFastPath(CCallHelpers& jit)
+JITMathICInlineResult JITNegGenerator::generateInline(CCallHelpers& jit, MathICGenerationState& state)
+{
+    ASSERT(m_scratchGPR != InvalidGPRReg);
+    ASSERT(m_scratchGPR != m_src.payloadGPR());
+    ASSERT(m_scratchGPR != m_result.payloadGPR());
+#if USE(JSVALUE32_64)
+    ASSERT(m_scratchGPR != m_src.tagGPR());
+    ASSERT(m_scratchGPR != m_result.tagGPR());
+#endif
+
+    ObservedType observedTypes = m_arithProfile->lhsObservedType();
+    ASSERT_WITH_MESSAGE(!observedTypes.isEmpty(), "We should not attempt to generate anything if we do not have a profile.");
+
+    if (observedTypes.isOnlyNonNumber())
+        return JITMathICInlineResult::DontGenerate;
+
+    if (observedTypes.isOnlyInt32()) {
+        jit.moveValueRegs(m_src, m_result);
+        state.slowPathJumps.append(jit.branchIfNotInt32(m_src));
+        state.slowPathJumps.append(jit.branchTest32(CCallHelpers::Zero, m_src.payloadGPR(), CCallHelpers::TrustedImm32(0x7fffffff)));
+        jit.neg32(m_result.payloadGPR());
+#if USE(JSVALUE64)
+        jit.boxInt32(m_result.payloadGPR(), m_result);
+#endif
+
+        return JITMathICInlineResult::GeneratedFastPath;
+    }
+    if (observedTypes.isOnlyNumber()) {
+        state.slowPathJumps.append(jit.branchIfInt32(m_src));
+        state.slowPathJumps.append(jit.branchIfNotNumber(m_src, m_scratchGPR));
+#if USE(JSVALUE64)
+        if (m_src.payloadGPR() != m_result.payloadGPR()) {
+            jit.move(CCallHelpers::TrustedImm64(static_cast<int64_t>(1ull << 63)), m_result.payloadGPR());
+            jit.xor64(m_src.payloadGPR(), m_result.payloadGPR());
+        } else {
+            jit.move(CCallHelpers::TrustedImm64(static_cast<int64_t>(1ull << 63)), m_scratchGPR);
+            jit.xor64(m_scratchGPR, m_result.payloadGPR());
+        }
+#else
+        jit.moveValueRegs(m_src, m_result);
+        jit.xor32(CCallHelpers::TrustedImm32(1 << 31), m_result.tagGPR());
+#endif
+        return JITMathICInlineResult::GeneratedFastPath;
+    }
+    return JITMathICInlineResult::GenerateFullSnippet;
+}
+
+bool JITNegGenerator::generateFastPath(CCallHelpers& jit, CCallHelpers::JumpList& endJumpList, CCallHelpers::JumpList& slowPathJumpList, bool)
 {
     ASSERT(m_scratchGPR != m_src.payloadGPR());
@@ -41 +90 @@
 #endif
 
-    m_didEmitFastPath = true;
-
     jit.moveValueRegs(m_src, m_result);
     CCallHelpers::Jump srcNotInt = jit.branchIfNotInt32(m_src);
@@ -48 +95 @@
     // -0 should produce a double, and hence cannot be negated as an int.
     // The negative int32 0x80000000 doesn't have a positive int32 representation, and hence cannot be negated as an int.
-    m_slowPathJumpList.append(jit.branchTest32(CCallHelpers::Zero, m_src.payloadGPR(), CCallHelpers::TrustedImm32(0x7fffffff)));
+    slowPathJumpList.append(jit.branchTest32(CCallHelpers::Zero, m_src.payloadGPR(), CCallHelpers::TrustedImm32(0x7fffffff)));
 
     jit.neg32(m_result.payloadGPR());
@@ -54 +101 @@
     jit.boxInt32(m_result.payloadGPR(), m_result);
 #endif
-    m_endJumpList.append(jit.jump());
+    endJumpList.append(jit.jump());
 
     srcNotInt.link(&jit);
-    m_slowPathJumpList.append(jit.branchIfNotNumber(m_src, m_scratchGPR));
+    slowPathJumpList.append(jit.branchIfNotNumber(m_src, m_scratchGPR));
 
     // For a double, all we need to do is to invert the sign bit.
@@ -66 +113 @@
     jit.xor32(CCallHelpers::TrustedImm32(1 << 31), m_result.tagGPR());
 #endif
+    return true;
 }
 

trunk/Source/JavaScriptCore/jit/JITNegGenerator.h

@@ -1 +1 @@
 /*
- * Copyright (C) 2015 Apple Inc. All rights reserved.
+ * Copyright (C) 2015, 2016 Apple Inc. All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
@@ -30 +30 @@
 
 #include "CCallHelpers.h"
-#include "SnippetOperand.h"
+#include "JITMathIC.h"
+#include "JITMathICInlineResult.h"
 
 namespace JSC {
@@ -36 +37 @@
 class JITNegGenerator {
 public:
-    JITNegGenerator(JSValueRegs result, JSValueRegs src, GPRReg scratchGPR)
-        : m_result(result)
+    JITNegGenerator() = default;
+
+    JITNegGenerator(JSValueRegs result, JSValueRegs src, GPRReg scratchGPR, ArithProfile& arithProfile)
+        : m_arithProfile(&arithProfile)
+        , m_result(result)
         , m_src(src)
         , m_scratchGPR(scratchGPR)
     { }
 
-    void generateFastPath(CCallHelpers&);
+    JITMathICInlineResult generateInline(CCallHelpers&, MathICGenerationState&);
+    bool generateFastPath(CCallHelpers&, CCallHelpers::JumpList& endJumpList, CCallHelpers::JumpList& slowPathJumpList, bool shouldEmitProfiling);
 
-    bool didEmitFastPath() const { return m_didEmitFastPath; }
-    CCallHelpers::JumpList& endJumpList() { return m_endJumpList; }
-    CCallHelpers::JumpList& slowPathJumpList() { return m_slowPathJumpList; }
+    ArithProfile* arithProfile() const { return m_arithProfile; }
 
 private:
+    ArithProfile* m_arithProfile { nullptr };
     JSValueRegs m_result;
     JSValueRegs m_src;
     GPRReg m_scratchGPR;
-    bool m_didEmitFastPath { false };
-
-    CCallHelpers::JumpList m_endJumpList;
-    CCallHelpers::JumpList m_slowPathJumpList;
 };
 

trunk/Source/JavaScriptCore/jit/JITOperations.cpp

@@ -2470 +2470 @@
 }
 
+ALWAYS_INLINE static EncodedJSValue unprofiledNegate(ExecState* exec, EncodedJSValue encodedOperand)
+{
+    VM& vm = exec->vm();
+    auto scope = DECLARE_THROW_SCOPE(vm);
+    NativeCallFrameTracer tracer(&vm, exec);
+    
+    JSValue operand = JSValue::decode(encodedOperand);
+    double number = operand.toNumber(exec);
+    if (UNLIKELY(scope.exception()))
+        return JSValue::encode(JSValue());
+    return JSValue::encode(jsNumber(-number));
+}
+
+ALWAYS_INLINE static EncodedJSValue profiledNegate(ExecState* exec, EncodedJSValue encodedOperand, ArithProfile* arithProfile)
+{
+    ASSERT(arithProfile);
+    VM& vm = exec->vm();
+    auto scope = DECLARE_THROW_SCOPE(vm);
+    NativeCallFrameTracer tracer(&vm, exec);
+
+    JSValue operand = JSValue::decode(encodedOperand);
+    arithProfile->observeLHS(operand);
+    double number = operand.toNumber(exec);
+    if (UNLIKELY(scope.exception()))
+        return JSValue::encode(JSValue());
+    return JSValue::encode(jsNumber(-number));
+}
+
+EncodedJSValue JIT_OPERATION operationArithNegate(ExecState* exec, EncodedJSValue operand)
+{
+    return unprofiledNegate(exec, operand);
+}
+
+EncodedJSValue JIT_OPERATION operationArithNegateProfiled(ExecState* exec, EncodedJSValue operand, ArithProfile* arithProfile)
+{
+    return profiledNegate(exec, operand, arithProfile);
+}
+
+EncodedJSValue JIT_OPERATION operationArithNegateProfiledOptimize(ExecState* exec, EncodedJSValue encodedOperand, JITNegIC* negIC)
+{
+    VM& vm = exec->vm();
+    auto scope = DECLARE_THROW_SCOPE(vm);
+    NativeCallFrameTracer tracer(&vm, exec);
+    
+    JSValue operand = JSValue::decode(encodedOperand);
+
+    ArithProfile* arithProfile = negIC->m_generator.arithProfile();
+    ASSERT(arithProfile);
+    arithProfile->observeLHS(operand);
+    negIC->generateOutOfLine(vm, exec->codeBlock(), operationArithNegateProfiled);
+
+#if ENABLE(MATH_IC_STATS)
+    exec->codeBlock()->dumpMathICStats();
+#endif
+    
+    double number = operand.toNumber(exec);
+    if (UNLIKELY(scope.exception()))
+        return JSValue::encode(JSValue());
+    return JSValue::encode(jsNumber(-number));
+}
+
+EncodedJSValue JIT_OPERATION operationArithNegateOptimize(ExecState* exec, EncodedJSValue encodedOperand, JITNegIC* negIC)
+{
+    VM& vm = exec->vm();
+    auto scope = DECLARE_THROW_SCOPE(vm);
+    NativeCallFrameTracer tracer(&vm, exec);
+
+    JSValue operand = JSValue::decode(encodedOperand);
+
+    ArithProfile* arithProfile = negIC->m_generator.arithProfile();
+    ASSERT(arithProfile);
+    arithProfile->observeLHS(operand);
+    negIC->generateOutOfLine(vm, exec->codeBlock(), operationArithNegate);
+
+#if ENABLE(MATH_IC_STATS)
+    exec->codeBlock()->dumpMathICStats();
+#endif
+
+    double number = operand.toNumber(exec);
+    if (UNLIKELY(scope.exception()))
+        return JSValue::encode(JSValue());
+    return JSValue::encode(jsNumber(-number));
+}
+
 ALWAYS_INLINE static EncodedJSValue unprofiledSub(VM& vm, ExecState* exec, EncodedJSValue encodedOp1, EncodedJSValue encodedOp2)
 {

trunk/Source/JavaScriptCore/jit/JITOperations.h

@@ -141 +141 @@
 typedef EncodedJSValue (JIT_OPERATION *J_JITOperation_EJC)(ExecState*, EncodedJSValue, JSCell*);
 typedef EncodedJSValue (JIT_OPERATION *J_JITOperation_EJA)(ExecState*, EncodedJSValue, JSArray*);
+typedef EncodedJSValue (JIT_OPERATION *J_JITOperation_EJArp)(ExecState*, EncodedJSValue, ArithProfile*);
 typedef EncodedJSValue (JIT_OPERATION *J_JITOperation_EJI)(ExecState*, EncodedJSValue, UniquedStringImpl*);
 typedef EncodedJSValue (JIT_OPERATION *J_JITOperation_EJJ)(ExecState*, EncodedJSValue, EncodedJSValue);
@@ -150 +151 @@
 typedef EncodedJSValue (JIT_OPERATION *J_JITOperation_EJJArpMic)(ExecState*, EncodedJSValue, EncodedJSValue, ArithProfile*, void*);
 typedef EncodedJSValue (JIT_OPERATION *J_JITOperation_EJJMic)(ExecState*, EncodedJSValue, EncodedJSValue, void*);
+typedef EncodedJSValue (JIT_OPERATION *J_JITOperation_EJMic)(ExecState*, EncodedJSValue, void*);
 typedef EncodedJSValue (JIT_OPERATION *J_JITOperation_EJssZ)(ExecState*, JSString*, int32_t);
 typedef EncodedJSValue (JIT_OPERATION *J_JITOperation_EJssReo)(ExecState*, JSString*, RegExpObject*);
@@ -438 +440 @@
 EncodedJSValue JIT_OPERATION operationValueMulProfiledNoOptimize(ExecState*, EncodedJSValue encodedOp1, EncodedJSValue encodedOp2, ArithProfile*, JITMulIC*) WTF_INTERNAL;
 EncodedJSValue JIT_OPERATION operationValueMulProfiled(ExecState*, EncodedJSValue encodedOp1, EncodedJSValue encodedOp2, ArithProfile*) WTF_INTERNAL;
+EncodedJSValue JIT_OPERATION operationArithNegate(ExecState*, EncodedJSValue operand);
+EncodedJSValue JIT_OPERATION operationArithNegateProfiled(ExecState*, EncodedJSValue operand, ArithProfile*);
+EncodedJSValue JIT_OPERATION operationArithNegateProfiledOptimize(ExecState*, EncodedJSValue encodedOperand, JITNegIC*);
+EncodedJSValue JIT_OPERATION operationArithNegateOptimize(ExecState*, EncodedJSValue encodedOperand, JITNegIC*);
 EncodedJSValue JIT_OPERATION operationValueSub(ExecState*, EncodedJSValue encodedOp1, EncodedJSValue encodedOp2) WTF_INTERNAL;
 EncodedJSValue JIT_OPERATION operationValueSubProfiled(ExecState*, EncodedJSValue encodedOp1, EncodedJSValue encodedOp2, ArithProfile*) WTF_INTERNAL;

trunk/Source/JavaScriptCore/llint/LowLevelInterpreter.asm

@@ -254 +254 @@
 
 # ArithProfile data
+const ArithProfileInt = 0x100000
 const ArithProfileIntInt = 0x120000
+const ArithProfileNumber = 0x200000
 const ArithProfileNumberInt = 0x220000
 const ArithProfileNumberNumber = 0x240000

trunk/Source/JavaScriptCore/llint/LowLevelInterpreter32_64.asm

@@ -949 +949 @@
     loadi 4[PC], t3
     loadConstantOrVariable(t0, t1, t2)
+    loadisFromInstruction(3, t0)
     bineq t1, Int32Tag, .opNegateSrcNotInt
     btiz t2, 0x7fffffff, .opNegateSlow
     negi t2
+    ori ArithProfileInt, t0
     storei Int32Tag, TagOffset[cfr, t3, 8]
+    storeisToInstruction(t0, 3)
     storei t2, PayloadOffset[cfr, t3, 8]
-    dispatch(3)
+    dispatch(4)
 .opNegateSrcNotInt:
     bia t1, LowestTag, .opNegateSlow
     xori 0x80000000, t1
+    ori ArithProfileNumber, t0
+    storei t2, PayloadOffset[cfr, t3, 8]
+    storeisToInstruction(t0, 3)
     storei t1, TagOffset[cfr, t3, 8]
-    storei t2, PayloadOffset[cfr, t3, 8]
-    dispatch(3)
+    dispatch(4)
 
 .opNegateSlow:
     callOpcodeSlowPath(_slow_path_negate)
-    dispatch(3)
+    dispatch(4)
 
 

trunk/Source/JavaScriptCore/llint/LowLevelInterpreter64.asm

@@ -828 +828 @@
     loadisFromInstruction(2, t0)
     loadisFromInstruction(1, t1)
-    loadConstantOrVariable(t0, t2)
-    bqb t2, tagTypeNumber, .opNegateNotInt
-    btiz t2, 0x7fffffff, .opNegateSlow
-    negi t2
-    orq tagTypeNumber, t2
-    storeq t2, [cfr, t1, 8]
-    dispatch(3)
+    loadConstantOrVariable(t0, t3)
+    loadisFromInstruction(3, t2)
+    bqb t3, tagTypeNumber, .opNegateNotInt
+    btiz t3, 0x7fffffff, .opNegateSlow
+    negi t3
+    ori ArithProfileInt, t2
+    orq tagTypeNumber, t3
+    storeisToInstruction(t2, 3)
+    storeq t3, [cfr, t1, 8]
+    dispatch(4)
 .opNegateNotInt:
-    btqz t2, tagTypeNumber, .opNegateSlow
-    xorq 0x8000000000000000, t2
-    storeq t2, [cfr, t1, 8]
-    dispatch(3)
+    btqz t3, tagTypeNumber, .opNegateSlow
+    xorq 0x8000000000000000, t3
+    ori ArithProfileNumber, t2
+    storeq t3, [cfr, t1, 8]
+    storeisToInstruction(t2, 3)
+    dispatch(4)
 
 .opNegateSlow:
     callOpcodeSlowPath(_slow_path_negate)
-    dispatch(3)
+    dispatch(4)
 
 

trunk/Source/JavaScriptCore/runtime/CommonSlowPaths.cpp

@@ -351 +351 @@
 }
 
+#if ENABLE(JIT)
+static void updateArithProfileForUnaryArithOp(Instruction* pc, JSValue result, JSValue operand)
+{
+    ArithProfile& profile = *bitwise_cast<ArithProfile*>(&pc[3].u.operand);
+    profile.observeLHS(operand);
+    ASSERT(result.isNumber());
+    if (!result.isInt32()) {
+        if (operand.isInt32())
+            profile.setObservedInt32Overflow();
+
+        double doubleVal = result.asNumber();
+        if (!doubleVal && std::signbit(doubleVal))
+            profile.setObservedNegZeroDouble();
+        else {
+            profile.setObservedNonNegZeroDouble();
+
+            // The Int52 overflow check here intentionally omits 1ll << 51 as a valid negative Int52 value.
+            // Therefore, we will get a false positive if the result is that value. This is intentionally
+            // done to simplify the checking algorithm.
+            static const int64_t int52OverflowPoint = (1ll << 51);
+            int64_t int64Val = static_cast<int64_t>(std::abs(doubleVal));
+            if (int64Val >= int52OverflowPoint)
+                profile.setObservedInt52Overflow();
+        }
+    }
+}
+#else
+static void updateArithProfileForUnaryArithOp(Instruction*, JSValue, JSValue) { }
+#endif
+
 SLOW_PATH_DECL(slow_path_negate)
 {
     BEGIN();
-    RETURN(jsNumber(-OP_C(2).jsValue().toNumber(exec)));
+    JSValue operand = OP_C(2).jsValue();
+    JSValue result = jsNumber(-operand.toNumber(exec));
+    RETURN_WITH_PROFILING(result, {
+        updateArithProfileForUnaryArithOp(pc, result, operand);
+    });
 }
 
@@ -361 +395 @@
 {
     CodeBlock* codeBlock = exec->codeBlock();
-    ArithProfile& profile = codeBlock->arithProfileForPC(pc);
+    ArithProfile& profile = *codeBlock->arithProfileForPC(pc);
 
     if (result.isNumber()) {
@@ -405 +439 @@
     JSValue result;
 
-    ArithProfile& arithProfile = exec->codeBlock()->arithProfileForPC(pc);
+    ArithProfile& arithProfile = *exec->codeBlock()->arithProfileForPC(pc);
     arithProfile.observeLHSAndRHS(v1, v2);