Changeset 207239 in webkit

Timestamp:

Oct 12, 2016 1:47:51 PM (8 years ago)

Author:

Yusuke Suzuki

Message:

[DOMJIT][JSC] Explore the way to embed nodeType into JSC::JSType in WebCore
​https://bugs.webkit.org/show_bug.cgi?id=163245

Reviewed by Filip Pizlo.

Source/JavaScriptCore:

We reserve the highest bit of JSC::JSType for extensions outside JSC.
JSC does not use JSType bits so many: only 52 types are defined.

And we extend CallDOM patchpoint to claim that it does not require a global object.
This global object is used to generate a DOM wrapper. However, nodeType does not require
it since it just returns integer. In the future, we will extend CallDOM to claim
its result type. And we can decide this requireGlobalObject condition automatically
according to the result type.

• JavaScriptCore.xcodeproj/project.pbxproj:
• dfg/DFGByteCodeParser.cpp:

(JSC::DFG::ByteCodeParser::handleDOMJITGetter):

• dfg/DFGFixupPhase.cpp:

(JSC::DFG::FixupPhase::fixupNode):

• dfg/DFGGraph.h:
• dfg/DFGNode.h:

(JSC::DFG::Node::hasCheckDOMPatchpoint):
(JSC::DFG::Node::checkDOMPatchpoint):
(JSC::DFG::Node::hasCallDOMPatchpoint):
(JSC::DFG::Node::callDOMPatchpoint):
(JSC::DFG::Node::hasDOMJIT): Deleted.
(JSC::DFG::Node::domJIT): Deleted.

• dfg/DFGSpeculativeJIT.cpp:

(JSC::DFG::SpeculativeJIT::compileCallDOM):
(JSC::DFG::SpeculativeJIT::compileCheckDOM):

• domjit/DOMJITCallDOMPatchpoint.h: Copied from Source/JavaScriptCore/domjit/DOMJITGetterSetter.h.

(JSC::DOMJIT::CallDOMPatchpoint::create):

• domjit/DOMJITGetterSetter.h:
• domjit/DOMJITPatchpoint.h:
• ftl/FTLLowerDFGToB3.cpp:

(JSC::FTL::DFG::LowerDFGToB3::compileCheckDOM):
(JSC::FTL::DFG::LowerDFGToB3::compileCallDOM):

• jsc.cpp:
• llint/LLIntData.cpp:

(JSC::LLInt::Data::performAssertions):

• llint/LowLevelInterpreter.asm:
• runtime/JSType.h:

Source/WebCore:

Node.nodeType accessor is so frequently called. For example, jQuery's $ function uses
this to distinguish DOM objects from the other JS objects. So every time you call $(dom),
nodeType accessor is called. In addition to that, jQuery's prev, next, parent etc. also uses
this nodeType. And Ember.js also uses it. And ... So this function is super critical for DOM
performance.

The challenge is that there is no room for putting NodeType into C++ Node class. Node class
has a 32bit field to store some data. However, these bits are already exhausted. Extending
Node class is unacceptable since it significantly enlarges memory consumption of WebKit (Node
is everywhere!). Unfortunately, current Node::nodeType is implemented as a virtual function
even though this function is frequently called from JS world.

Interestingly, we already store some duplicate data in JSObject, JSC::JSType. WebCore already
extends it with JSElementType, JSNodeType, and JSDocumentWrapperType. And these types are
corresponding to specific NodeTypes. For example, JSElementType should have ELEMENT_NODE type.

This patch further extends this JSC::JSType in WebCore side safely. We embed NodeType bits into
JSC::JSType. This design offers significantly faster nodeType implementation. Furthermore, it
makes DOMJIT easy for nodeType accessor.

Even without the IC change[1], Dromaeo dom-query shows 8 - 10% improvement,
1452.96 runs/s vs 1578.56 runs/s. We can expect that this improvement will be applied to the
other benchmarks / real applications when the IC change is landed.

[1]: ​https://bugs.webkit.org/show_bug.cgi?id=163226

• WebCore.xcodeproj/project.pbxproj:
• bindings/js/JSDOMWrapper.h:
• bindings/js/JSNodeCustom.h:

(WebCore::JSNode::nodeType):

• bindings/scripts/CodeGeneratorJS.pm:

(GetJSTypeForNode):
(GenerateHeader):

• dom/Node.idl:
• dom/NodeConstants.h: Copied from Source/JavaScriptCore/domjit/DOMJITGetterSetter.h.
• domjit/JSNodeDOMJIT.cpp:

(WebCore::createCallDOMForOffsetAccess):
(WebCore::NodeFirstChildDOMJIT::callDOM):
(WebCore::NodeLastChildDOMJIT::callDOM):
(WebCore::NodeNextSiblingDOMJIT::callDOM):
(WebCore::NodePreviousSiblingDOMJIT::callDOM):
(WebCore::NodeParentNodeDOMJIT::callDOM):
(WebCore::NodeNodeTypeDOMJIT::checkDOM):
(WebCore::NodeNodeTypeDOMJIT::callDOM):

LayoutTests:

• js/dom/domjit-accessor-node-type.html: Added.

Location:

trunk

Files:

• LayoutTests/ChangeLog (modified) (1 diff)
• LayoutTests/js/dom/domjit-accessor-node-type.html (added)
• Source/JavaScriptCore/ChangeLog (modified) (1 diff)
• Source/JavaScriptCore/JavaScriptCore.xcodeproj/project.pbxproj (modified) (4 diffs)
• Source/JavaScriptCore/dfg/DFGByteCodeParser.cpp (modified) (1 diff)
• Source/JavaScriptCore/dfg/DFGFixupPhase.cpp (modified) (1 diff)
• Source/JavaScriptCore/dfg/DFGGraph.h (modified) (1 diff)
• Source/JavaScriptCore/dfg/DFGNode.h (modified) (2 diffs)
• Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp (modified) (4 diffs)
• Source/JavaScriptCore/domjit/DOMJITCallDOMPatchpoint.h (copied) (copied from trunk/Source/JavaScriptCore/domjit/DOMJITGetterSetter.h) (1 diff)
• Source/JavaScriptCore/domjit/DOMJITGetterSetter.h (modified) (2 diffs)
• Source/JavaScriptCore/domjit/DOMJITPatchpoint.h (modified) (1 diff)
• Source/JavaScriptCore/ftl/FTLLowerDFGToB3.cpp (modified) (4 diffs)
• Source/JavaScriptCore/jsc.cpp (modified) (1 diff)
• Source/JavaScriptCore/llint/LLIntData.cpp (modified) (1 diff)
• Source/JavaScriptCore/llint/LowLevelInterpreter.asm (modified) (1 diff)
• Source/JavaScriptCore/runtime/JSType.h (modified) (2 diffs)
• Source/WebCore/ChangeLog (modified) (1 diff)
• Source/WebCore/WebCore.xcodeproj/project.pbxproj (modified) (4 diffs)
• Source/WebCore/bindings/js/JSDOMWrapper.h (modified) (2 diffs)
• Source/WebCore/bindings/js/JSNodeCustom.h (modified) (1 diff)
• Source/WebCore/bindings/scripts/CodeGeneratorJS.pm (modified) (3 diffs)
• Source/WebCore/dom/Node.idl (modified) (1 diff)
• Source/WebCore/dom/NodeConstants.h (copied) (copied from trunk/Source/JavaScriptCore/domjit/DOMJITGetterSetter.h) (1 diff)
• Source/WebCore/domjit/JSNodeDOMJIT.cpp (modified) (6 diffs)

trunk/LayoutTests/ChangeLog

@@ +1 @@
+2016-10-12  Yusuke Suzuki  <utatane.tea@gmail.com>
+
+        [DOMJIT][JSC] Explore the way to embed nodeType into JSC::JSType in WebCore
+        https://bugs.webkit.org/show_bug.cgi?id=163245
+
+        Reviewed by Filip Pizlo.
+
+        * js/dom/domjit-accessor-node-type.html: Added.
+
 2016-10-12  Chris Dumez  <cdumez@apple.com>
 

trunk/Source/JavaScriptCore/ChangeLog

@@ +1 @@
+2016-10-12  Yusuke Suzuki  <utatane.tea@gmail.com>
+
+        [DOMJIT][JSC] Explore the way to embed nodeType into JSC::JSType in WebCore
+        https://bugs.webkit.org/show_bug.cgi?id=163245
+
+        Reviewed by Filip Pizlo.
+
+        We reserve the highest bit of JSC::JSType for extensions outside JSC.
+        JSC does not use JSType bits so many: only 52 types are defined.
+
+        And we extend CallDOM patchpoint to claim that it does not require a global object.
+        This global object is used to generate a DOM wrapper. However, nodeType does not require
+        it since it just returns integer. In the future, we will extend CallDOM to claim
+        its result type. And we can decide this `requireGlobalObject` condition automatically
+        according to the result type.
+
+        * JavaScriptCore.xcodeproj/project.pbxproj:
+        * dfg/DFGByteCodeParser.cpp:
+        (JSC::DFG::ByteCodeParser::handleDOMJITGetter):
+        * dfg/DFGFixupPhase.cpp:
+        (JSC::DFG::FixupPhase::fixupNode):
+        * dfg/DFGGraph.h:
+        * dfg/DFGNode.h:
+        (JSC::DFG::Node::hasCheckDOMPatchpoint):
+        (JSC::DFG::Node::checkDOMPatchpoint):
+        (JSC::DFG::Node::hasCallDOMPatchpoint):
+        (JSC::DFG::Node::callDOMPatchpoint):
+        (JSC::DFG::Node::hasDOMJIT): Deleted.
+        (JSC::DFG::Node::domJIT): Deleted.
+        * dfg/DFGSpeculativeJIT.cpp:
+        (JSC::DFG::SpeculativeJIT::compileCallDOM):
+        (JSC::DFG::SpeculativeJIT::compileCheckDOM):
+        * domjit/DOMJITCallDOMPatchpoint.h: Copied from Source/JavaScriptCore/domjit/DOMJITGetterSetter.h.
+        (JSC::DOMJIT::CallDOMPatchpoint::create):
+        * domjit/DOMJITGetterSetter.h:
+        * domjit/DOMJITPatchpoint.h:
+        * ftl/FTLLowerDFGToB3.cpp:
+        (JSC::FTL::DFG::LowerDFGToB3::compileCheckDOM):
+        (JSC::FTL::DFG::LowerDFGToB3::compileCallDOM):
+        * jsc.cpp:
+        * llint/LLIntData.cpp:
+        (JSC::LLInt::Data::performAssertions):
+        * llint/LowLevelInterpreter.asm:
+        * runtime/JSType.h:
+
 2016-10-12  Keith Miller  <keith_miller@apple.com>
 

trunk/Source/JavaScriptCore/JavaScriptCore.xcodeproj/project.pbxproj

@@ -2097 +2097 @@
                 E33F50871B8449EF00413856 /* JSInternalPromiseConstructor.lut.h in Headers */ = {isa = PBXBuildFile; fileRef = E33F50861B8449EF00413856 /* JSInternalPromiseConstructor.lut.h */; };
                 E354622B1B6065D100545386 /* ConstructAbility.h in Headers */ = {isa = PBXBuildFile; fileRef = E354622A1B6065D100545386 /* ConstructAbility.h */; settings = {ATTRIBUTES = (Private, ); }; };
+                E3555B8A1DAE03A500F36921 /* DOMJITCallDOMPatchpoint.h in Headers */ = {isa = PBXBuildFile; fileRef = E3555B891DAE03A200F36921 /* DOMJITCallDOMPatchpoint.h */; settings = {ATTRIBUTES = (Private, ); }; };
                 E355F3521B7DC85300C50DC5 /* ModuleLoaderPrototype.cpp in Sources */ = {isa = PBXBuildFile; fileRef = E355F3501B7DC85300C50DC5 /* ModuleLoaderPrototype.cpp */; };
                 E355F3531B7DC85300C50DC5 /* ModuleLoaderPrototype.h in Headers */ = {isa = PBXBuildFile; fileRef = E355F3511B7DC85300C50DC5 /* ModuleLoaderPrototype.h */; };
@@ -4400 +4401 @@
                 E33F50881B844A1A00413856 /* InternalPromiseConstructor.js */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.javascript; path = InternalPromiseConstructor.js; sourceTree = "<group>"; };
                 E354622A1B6065D100545386 /* ConstructAbility.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = ConstructAbility.h; sourceTree = "<group>"; };
+                E3555B891DAE03A200F36921 /* DOMJITCallDOMPatchpoint.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = DOMJITCallDOMPatchpoint.h; sourceTree = "<group>"; };
                 E355F3501B7DC85300C50DC5 /* ModuleLoaderPrototype.cpp */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.cpp.cpp; path = ModuleLoaderPrototype.cpp; sourceTree = "<group>"; };
                 E355F3511B7DC85300C50DC5 /* ModuleLoaderPrototype.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = ModuleLoaderPrototype.h; sourceTree = "<group>"; };
@@ -7196 +7198 @@
                         isa = PBXGroup;
                         children = (
+                                E3555B891DAE03A200F36921 /* DOMJITCallDOMPatchpoint.h */,
                                 E3FF752F1D9CEA1200C7E16D /* DOMJITGetterSetter.h */,
                                 E3C08E3B1DA41B7B0039478F /* DOMJITPatchpoint.h */,
@@ -8073 +8076 @@
                                 BC18C4270E16F5CD00B34460 /* JSString.h in Headers */,
                                 86E85539111B9968001AF51E /* JSStringBuilder.h in Headers */,
+                                E3555B8A1DAE03A500F36921 /* DOMJITCallDOMPatchpoint.h in Headers */,
                                 70EC0EC31AA0D7DA00B6AAFA /* JSStringIterator.h in Headers */,
                                 0F070A471D543A8B006E7232 /* CellContainer.h in Headers */,

trunk/Source/JavaScriptCore/dfg/DFGByteCodeParser.cpp

@@ -2688 +2688 @@
     addToGraph(CheckStructure, OpInfo(m_graph.addStructureSet(variant.structureSet())), thisNode);
 
+    Ref<DOMJIT::Patchpoint> checkDOMPatchpoint = domJIT->checkDOM();
+    m_graph.m_domJITPatchpoints.append(checkDOMPatchpoint.ptr());
     // We do not need to emit CheckCell thingy here. When the custom accessor is replaced to different one, Structure transition occurs.
-    addToGraph(CheckDOM, OpInfo(domJIT), OpInfo(domJIT->thisClassInfo()), thisNode);
-    Node* globalObject = addToGraph(GetGlobalObject, thisNode);
-    addVarArgChild(globalObject); // GlobalObject of thisNode is always used to create a DOMWrapper.
+    addToGraph(CheckDOM, OpInfo(checkDOMPatchpoint.ptr()), OpInfo(domJIT->thisClassInfo()), thisNode);
+
+    Ref<DOMJIT::CallDOMPatchpoint> callDOMPatchpoint = domJIT->callDOM();
+    m_graph.m_domJITPatchpoints.append(callDOMPatchpoint.ptr());
+    if (callDOMPatchpoint->requireGlobalObject) {
+        Node* globalObject = addToGraph(GetGlobalObject, thisNode);
+        addVarArgChild(globalObject); // GlobalObject of thisNode is always used to create a DOMWrapper.
+    }
     addVarArgChild(thisNode);
-    set(VirtualRegister(resultOperand), addToGraph(Node::VarArg, CallDOM, OpInfo(domJIT), OpInfo(prediction)));
+    set(VirtualRegister(resultOperand), addToGraph(Node::VarArg, CallDOM, OpInfo(callDOMPatchpoint.ptr()), OpInfo(prediction)));
     return true;
 }

trunk/Source/JavaScriptCore/dfg/DFGFixupPhase.cpp

@@ -1704 +1704 @@
             break;
 
-        case CallDOM:
-            fixEdge<KnownCellUse>(m_graph.varArgChild(node, 0)); // GlobalObject.
-            fixEdge<CellUse>(m_graph.varArgChild(node, 1)); // DOM.
-            break;
+        case CallDOM: {
+            int childIndex = 0;
+            DOMJIT::CallDOMPatchpoint* patchpoint = node->callDOMPatchpoint();
+            if (patchpoint->requireGlobalObject)
+                fixEdge<KnownCellUse>(m_graph.varArgChild(node, childIndex++)); // GlobalObject.
+            fixEdge<CellUse>(m_graph.varArgChild(node, childIndex++)); // DOM.
+            break;
+        }
 
 #if !ASSERT_DISABLED

trunk/Source/JavaScriptCore/dfg/DFGGraph.h

@@ -905 +905 @@
     HashSet<std::pair<JSObject*, PropertyOffset>> m_safeToLoad;
     HashMap<PropertyTypeKey, InferredType::Descriptor> m_inferredTypes;
+    Vector<RefPtr<DOMJIT::Patchpoint>> m_domJITPatchpoints;
     std::unique_ptr<Dominators> m_dominators;
     std::unique_ptr<PrePostNumbering> m_prePostNumbering;

trunk/Source/JavaScriptCore/dfg/DFGNode.h

@@ -60 +60 @@
 
 namespace DOMJIT {
-class GetterSetter;
+class Patchpoint;
+class CallDOMPatchpoint;
 }
 
@@ -2315 +2316 @@
     }
 
-    bool hasDOMJIT() const
-    {
-        return op() == CheckDOM || op() == CallDOM;
-    }
-
-    DOMJIT::GetterSetter* domJIT()
-    {
-        ASSERT(hasDOMJIT());
-        return m_opInfo.as<DOMJIT::GetterSetter*>();
+    bool hasCheckDOMPatchpoint() const
+    {
+        return op() == CheckDOM;
+    }
+
+    DOMJIT::Patchpoint* checkDOMPatchpoint()
+    {
+        ASSERT(hasCheckDOMPatchpoint());
+        return m_opInfo.as<DOMJIT::Patchpoint*>();
+    }
+
+    bool hasCallDOMPatchpoint() const
+    {
+        return op() == CallDOM;
+    }
+
+    DOMJIT::CallDOMPatchpoint* callDOMPatchpoint()
+    {
+        ASSERT(hasCallDOMPatchpoint());
+        return m_opInfo.as<DOMJIT::CallDOMPatchpoint*>();
     }
 

trunk/Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp

@@ -7131 +7131 @@
 void SpeculativeJIT::compileCallDOM(Node* node)
 {
-    Ref<DOMJIT::Patchpoint> patchpoint = node->domJIT()->callDOM();
+    DOMJIT::CallDOMPatchpoint* patchpoint = node->callDOMPatchpoint();
 
     Vector<GPRReg> gpScratch;
@@ -7137 +7137 @@
     Vector<DOMJIT::Value> regs;
 
-    // FIXME: patchpoint should have a way to tell this can reuse "base" register.
-    // Teaching DFG about DOMJIT::Patchpoint clobber information is nice.
-    SpeculateCellOperand globalObject(this, m_jit.graph().varArgChild(node, 0));
-    SpeculateCellOperand base(this, m_jit.graph().varArgChild(node, 1));
     JSValueRegsTemporary result(this);
-
     regs.append(result.regs());
-    regs.append(DOMJIT::Value(globalObject.gpr(), m_state.forNode(m_jit.graph().varArgChild(node, 0)).value()));
-    regs.append(DOMJIT::Value(base.gpr(), m_state.forNode(m_jit.graph().varArgChild(node, 1)).value()));
-#if USE(JSVALUE64)
-    regs.append(static_cast<GPRReg>(GPRInfo::tagMaskRegister));
-    regs.append(static_cast<GPRReg>(GPRInfo::tagTypeNumberRegister));
-#endif
+
+    int childIndex = 0;
+
+    Optional<SpeculateCellOperand> globalObject;
+    if (patchpoint->requireGlobalObject) {
+        Edge& globalObjectEdge = m_jit.graph().varArgChild(node, childIndex++);
+        globalObject = SpeculateCellOperand(this, globalObjectEdge);
+        regs.append(DOMJIT::Value(globalObject->gpr(), m_state.forNode(globalObjectEdge).value()));
+    }
+
+    Edge& baseEdge = m_jit.graph().varArgChild(node, childIndex++);
+    SpeculateCellOperand base(this, baseEdge);
+    regs.append(DOMJIT::Value(base.gpr(), m_state.forNode(baseEdge).value()));
 
     Vector<GPRTemporary> gpTempraries;
     Vector<FPRTemporary> fpTempraries;
-    allocateTemporaryRegistersForPatchpoint(this, gpTempraries, fpTempraries, gpScratch, fpScratch, patchpoint.get());
+    allocateTemporaryRegistersForPatchpoint(this, gpTempraries, fpTempraries, gpScratch, fpScratch, *patchpoint);
     DOMJITPatchpointParams params(this, WTFMove(regs), WTFMove(gpScratch), WTFMove(fpScratch));
     patchpoint->generator()->run(m_jit, params);
@@ -7162 +7164 @@
 {
     // FIXME: We can add the fallback implementation that inlines jsDynamicCast things here.
-    Ref<DOMJIT::Patchpoint> patchpoint = node->domJIT()->checkDOM();
+    DOMJIT::Patchpoint* patchpoint = node->checkDOMPatchpoint();
 
     Vector<GPRReg> gpScratch;
@@ -7174 +7176 @@
     Vector<GPRTemporary> gpTempraries;
     Vector<FPRTemporary> fpTempraries;
-    allocateTemporaryRegistersForPatchpoint(this, gpTempraries, fpTempraries, gpScratch, fpScratch, patchpoint.get());
+    allocateTemporaryRegistersForPatchpoint(this, gpTempraries, fpTempraries, gpScratch, fpScratch, *patchpoint);
 
     DOMJITPatchpointParams params(this, WTFMove(regs), WTFMove(gpScratch), WTFMove(fpScratch));

trunk/Source/JavaScriptCore/domjit/DOMJITCallDOMPatchpoint.h

@@ -26 +26 @@
 #pragma once
 
+#if ENABLE(JIT)
+
 #include "DOMJITPatchpoint.h"
-#include "PropertySlot.h"
-#include "PutPropertySlot.h"
-#include "SpeculatedType.h"
+#include "RegisterSet.h"
 
 namespace JSC { namespace DOMJIT {
 
-class GetterSetter {
+class CallDOMPatchpoint : public Patchpoint {
 public:
-    typedef PropertySlot::GetValueFunc CustomGetter;
-    typedef PutPropertySlot::PutValueFunc CustomSetter;
-
-    GetterSetter(CustomGetter getter, CustomSetter setter, const ClassInfo* classInfo)
-        : m_getter(getter)
-        , m_setter(setter)
-        , m_thisClassInfo(classInfo)
+    static Ref<CallDOMPatchpoint> create()
     {
+        return adoptRef(*new CallDOMPatchpoint());
     }
 
-    virtual ~GetterSetter() { }
-
-    CustomGetter getter() const { return m_getter; }
-    CustomSetter setter() const { return m_setter; }
-    const ClassInfo* thisClassInfo() const { return m_thisClassInfo; }
-
-#if ENABLE(JIT)
-    virtual Ref<DOMJIT::Patchpoint> callDOM() = 0;
-    virtual Ref<DOMJIT::Patchpoint> checkDOM() = 0;
-#endif
+    // To look up DOMWrapper cache, GlobalObject is required.
+    // FIXME: Later, we will extend this patchpoint to represent the result type by DOMJIT::Signature.
+    // And after that, we will automatically pass a global object when the result type includes a DOM wrapper thing.
+    // https://bugs.webkit.org/show_bug.cgi?id=162980
+    bool requireGlobalObject { true };
 
 private:
-    CustomGetter m_getter;
-    CustomSetter m_setter;
-    const ClassInfo* m_thisClassInfo;
+    CallDOMPatchpoint() = default;
 };
 
 } }
+
+#endif

trunk/Source/JavaScriptCore/domjit/DOMJITGetterSetter.h

@@ -26 +26 @@
 #pragma once
 
-#include "DOMJITPatchpoint.h"
+#include "DOMJITCallDOMPatchpoint.h"
 #include "PropertySlot.h"
 #include "PutPropertySlot.h"
@@ -52 +52 @@
 
 #if ENABLE(JIT)
-    virtual Ref<DOMJIT::Patchpoint> callDOM() = 0;
+    virtual Ref<DOMJIT::CallDOMPatchpoint> callDOM() = 0;
     virtual Ref<DOMJIT::Patchpoint> checkDOM() = 0;
 #endif

trunk/Source/JavaScriptCore/domjit/DOMJITPatchpoint.h

@@ -63 +63 @@
     uint8_t numFPScratchRegisters { 0 };
 
-private:
+protected:
     Patchpoint() = default;
 
+private:
     RefPtr<PatchpointGenerator> m_generator;
 };

trunk/Source/JavaScriptCore/ftl/FTLLowerDFGToB3.cpp

@@ -8725 +8725 @@
         LValue cell = lowCell(m_node->child1());
 
-        RefPtr<DOMJIT::Patchpoint> domJIT = m_node->domJIT()->checkDOM();
+        DOMJIT::Patchpoint* domJIT = m_node->checkDOMPatchpoint();
 
         PatchpointValue* patchpoint = m_out.patchpoint(Void);
@@ -8770 +8770 @@
     void compileCallDOM()
     {
-        LValue globalObject = lowCell(m_graph.varArgChild(m_node, 0));
-        LValue cell = lowCell(m_graph.varArgChild(m_node, 1));
-
-        RefPtr<DOMJIT::Patchpoint> domJIT = m_node->domJIT()->callDOM();
+        DOMJIT::CallDOMPatchpoint* domJIT = m_node->callDOMPatchpoint();
+        int childIndex = 0;
+
+        LValue globalObject;
+        JSValue globalObjectConstant;
+        if (domJIT->requireGlobalObject) {
+            Edge& globalObjectEdge = m_graph.varArgChild(m_node, childIndex++);
+            globalObject = lowCell(globalObjectEdge);
+            globalObjectConstant = m_state.forNode(globalObjectEdge).value();
+        }
+
+        Edge& baseEdge = m_graph.varArgChild(m_node, childIndex++);
+        LValue base = lowCell(baseEdge);
+        JSValue baseConstant = m_state.forNode(baseEdge).value();
+
         PatchpointValue* patchpoint = m_out.patchpoint(Int64);
-        patchpoint->appendSomeRegister(globalObject);
-        patchpoint->appendSomeRegister(cell);
+        if (domJIT->requireGlobalObject)
+            patchpoint->appendSomeRegister(globalObject);
+        patchpoint->appendSomeRegister(base);
         patchpoint->append(m_tagMask, ValueRep::reg(GPRInfo::tagMaskRegister));
         patchpoint->append(m_tagTypeNumber, ValueRep::reg(GPRInfo::tagTypeNumberRegister));
@@ -8787 +8799 @@
         State* state = &m_ftlState;
         Node* node = m_node;
-        JSValue child1Constant = m_state.forNode(m_graph.varArgChild(m_node, 0)).value();
-        JSValue child2Constant = m_state.forNode(m_graph.varArgChild(m_node, 1)).value();
         patchpoint->setGenerator(
             [=] (CCallHelpers& jit, const StackmapGenerationParams& params) {
@@ -8797 +8807 @@
                 Vector<DOMJIT::Value> regs;
 
-                // FIXME: patchpoint should have a way to tell this can reuse "base" register.
-                // Teaching DFG about DOMJIT::Patchpoint clobber information is nice.
+                int childIndex = 1;
                 regs.append(JSValueRegs(params[0].gpr()));
-                regs.append(DOMJIT::Value(params[1].gpr(), child1Constant));
-                regs.append(DOMJIT::Value(params[2].gpr(), child2Constant));
+                if (domJIT->requireGlobalObject)
+                    regs.append(DOMJIT::Value(params[childIndex++].gpr(), globalObjectConstant));
+                regs.append(DOMJIT::Value(params[childIndex++].gpr(), baseConstant));
 
                 for (unsigned i = 0; i < domJIT->numGPScratchRegisters; ++i)

trunk/Source/JavaScriptCore/jsc.cpp

@@ -621 +621 @@
         }
 
-        Ref<DOMJIT::Patchpoint> callDOM() override
+        Ref<DOMJIT::CallDOMPatchpoint> callDOM() override
         {
-            Ref<DOMJIT::Patchpoint> patchpoint = DOMJIT::Patchpoint::create();
+            Ref<DOMJIT::CallDOMPatchpoint> patchpoint = DOMJIT::CallDOMPatchpoint::create();
+            patchpoint->requireGlobalObject = false;
             patchpoint->setGenerator([=](CCallHelpers& jit, const DOMJIT::PatchpointParams& params) {
                 JSValueRegs results = params[0].jsValueRegs();
-                GPRReg dom = params[2].gpr();
+                GPRReg dom = params[1].gpr();
 
                 params.addSlowPathCall(jit.jump(), jit, static_cast<EncodedJSValue(*)(ExecState*, void*)>([](ExecState*, void* pointer) {

trunk/Source/JavaScriptCore/llint/LLIntData.cpp

@@ -162 +162 @@
     STATIC_ASSERT(ArrayType == 31);
     STATIC_ASSERT(DerivedArrayType == 32);
-    STATIC_ASSERT(ProxyObjectType == 116);
-    STATIC_ASSERT(Int8ArrayType == 100);
-    STATIC_ASSERT(Int16ArrayType == 101);
-    STATIC_ASSERT(Int32ArrayType == 102);
-    STATIC_ASSERT(Uint8ArrayType == 103);
-    STATIC_ASSERT(Uint8ClampedArrayType == 104);
-    STATIC_ASSERT(Uint16ArrayType == 105);
-    STATIC_ASSERT(Uint32ArrayType == 106);
-    STATIC_ASSERT(Float32ArrayType == 107);
-    STATIC_ASSERT(Float64ArrayType == 108);
+    STATIC_ASSERT(ProxyObjectType == 49);
+    STATIC_ASSERT(Int8ArrayType == 33);
+    STATIC_ASSERT(Int16ArrayType == 34);
+    STATIC_ASSERT(Int32ArrayType == 35);
+    STATIC_ASSERT(Uint8ArrayType == 36);
+    STATIC_ASSERT(Uint8ClampedArrayType == 37);
+    STATIC_ASSERT(Uint16ArrayType == 38);
+    STATIC_ASSERT(Uint32ArrayType == 39);
+    STATIC_ASSERT(Float32ArrayType == 40);
+    STATIC_ASSERT(Float64ArrayType == 41);
     STATIC_ASSERT(MasqueradesAsUndefined == 1);
     STATIC_ASSERT(ImplementsDefaultHasInstance == 2);

trunk/Source/JavaScriptCore/llint/LowLevelInterpreter.asm

@@ -351 +351 @@
 const ArrayType = 31
 const DerivedArrayType = 32
-const ProxyObjectType = 116
+const ProxyObjectType = 49
 
 # The typed array types need to be numbered in a particular order because of the manually written
 # switch statement in get_by_val and put_by_val.
-const Int8ArrayType = 100
-const Int16ArrayType = 101
-const Int32ArrayType = 102
-const Uint8ArrayType = 103
-const Uint8ClampedArrayType = 104
-const Uint16ArrayType = 105
-const Uint32ArrayType = 106
-const Float32ArrayType = 107
-const Float64ArrayType = 108
+const Int8ArrayType = 33
+const Int16ArrayType = 34
+const Int32ArrayType = 35
+const Uint8ArrayType = 36
+const Uint8ClampedArrayType = 37
+const Uint16ArrayType = 38
+const Uint32ArrayType = 39
+const Float32ArrayType = 40
+const Float64ArrayType = 41
 
 const FirstArrayType = Int8ArrayType

trunk/Source/JavaScriptCore/runtime/JSType.h

@@ -66 +66 @@
     DerivedArrayType,
 
-    Int8ArrayType = 100,
+    Int8ArrayType,
     Int16ArrayType,
     Int32ArrayType,
@@ -88 +88 @@
 
     LastJSCObjectType = JSSetType,
+    MaxJSType = 0b11111111,
 };
 
-COMPILE_ASSERT(sizeof(JSType) == sizeof(uint8_t), sizeof_jstype_is_one_byte);
+static_assert(sizeof(JSType) == sizeof(uint8_t), "sizeof(JSType) is one byte.");
+static_assert(LastJSCObjectType < 128, "The highest bit is reserved for embedder's extension.");
 
 } // namespace JSC

trunk/Source/WebCore/ChangeLog

@@ +1 @@
+2016-10-12  Yusuke Suzuki  <utatane.tea@gmail.com>
+
+        [DOMJIT][JSC] Explore the way to embed nodeType into JSC::JSType in WebCore
+        https://bugs.webkit.org/show_bug.cgi?id=163245
+
+        Reviewed by Filip Pizlo.
+
+        Node.nodeType accessor is so frequently called. For example, jQuery's $ function uses
+        this to distinguish DOM objects from the other JS objects. So every time you call `$(dom)`,
+        nodeType accessor is called. In addition to that, jQuery's prev, next, parent etc. also uses
+        this `nodeType`. And Ember.js also uses it. And ... So this function is super critical for DOM
+        performance.
+
+        The challenge is that there is no room for putting NodeType into C++ Node class. Node class
+        has a 32bit field to store some data. However, these bits are already exhausted. Extending
+        Node class is unacceptable since it significantly enlarges memory consumption of WebKit (Node
+        is everywhere!). Unfortunately, current Node::nodeType is implemented as a virtual function
+        even though this function is frequently called from JS world.
+
+        Interestingly, we already store some duplicate data in JSObject, JSC::JSType. WebCore already
+        extends it with JSElementType, JSNodeType, and JSDocumentWrapperType. And these types are
+        corresponding to specific NodeTypes. For example, JSElementType should have ELEMENT_NODE type.
+
+        This patch further extends this JSC::JSType in WebCore side safely. We embed NodeType bits into
+        JSC::JSType. This design offers significantly faster nodeType implementation. Furthermore, it
+        makes DOMJIT easy for nodeType accessor.
+
+        Even without the IC change[1], Dromaeo dom-query shows 8 - 10% improvement,
+        1452.96 runs/s vs 1578.56 runs/s. We can expect that this improvement will be applied to the
+        other benchmarks / real applications when the IC change is landed.
+
+        [1]: https://bugs.webkit.org/show_bug.cgi?id=163226
+
+        * WebCore.xcodeproj/project.pbxproj:
+        * bindings/js/JSDOMWrapper.h:
+        * bindings/js/JSNodeCustom.h:
+        (WebCore::JSNode::nodeType):
+        * bindings/scripts/CodeGeneratorJS.pm:
+        (GetJSTypeForNode):
+        (GenerateHeader):
+        * dom/Node.idl:
+        * dom/NodeConstants.h: Copied from Source/JavaScriptCore/domjit/DOMJITGetterSetter.h.
+        * domjit/JSNodeDOMJIT.cpp:
+        (WebCore::createCallDOMForOffsetAccess):
+        (WebCore::NodeFirstChildDOMJIT::callDOM):
+        (WebCore::NodeLastChildDOMJIT::callDOM):
+        (WebCore::NodeNextSiblingDOMJIT::callDOM):
+        (WebCore::NodePreviousSiblingDOMJIT::callDOM):
+        (WebCore::NodeParentNodeDOMJIT::callDOM):
+        (WebCore::NodeNodeTypeDOMJIT::checkDOM):
+        (WebCore::NodeNodeTypeDOMJIT::callDOM):
+
 2016-10-12  Chris Dumez  <cdumez@apple.com>
 

trunk/Source/WebCore/WebCore.xcodeproj/project.pbxproj

@@ -6144 +6144 @@
                 E3150EA61DA7219000194012 /* JSNodeDOMJIT.cpp in Sources */ = {isa = PBXBuildFile; fileRef = E3AFA9641DA6E908002861BD /* JSNodeDOMJIT.cpp */; };
                 E3150EA71DA7219300194012 /* DOMJITHelpers.h in Headers */ = {isa = PBXBuildFile; fileRef = E3150EA51DA7218D00194012 /* DOMJITHelpers.h */; };
+                E377FE4D1DADE16500CDD025 /* NodeConstants.h in Headers */ = {isa = PBXBuildFile; fileRef = E3D049931DADC04500718F3C /* NodeConstants.h */; settings = {ATTRIBUTES = (Private, ); }; };
                 E38838981BAD145F00D62EE3 /* ScriptModuleLoader.cpp in Sources */ = {isa = PBXBuildFile; fileRef = E38838941BAD145F00D62EE3 /* ScriptModuleLoader.cpp */; };
                 E38838991BAD145F00D62EE3 /* ScriptModuleLoader.h in Headers */ = {isa = PBXBuildFile; fileRef = E38838951BAD145F00D62EE3 /* ScriptModuleLoader.h */; };
@@ -13785 +13786 @@
                 E3B2F0E81D7F35EC00B0C9D1 /* LoadableScriptClient.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = LoadableScriptClient.h; sourceTree = "<group>"; };
                 E3B2F0E91D7F3D3C00B0C9D1 /* LoadableScript.cpp */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.cpp.cpp; path = LoadableScript.cpp; sourceTree = "<group>"; };
+                E3D049931DADC04500718F3C /* NodeConstants.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = NodeConstants.h; sourceTree = "<group>"; };
                 E3FA38611D716E7600AA5950 /* PendingScriptClient.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = PendingScriptClient.h; sourceTree = "<group>"; };
                 E401C27417CE53EC00C41A35 /* ElementIteratorAssertions.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = ElementIteratorAssertions.h; sourceTree = "<group>"; };
@@ -23276 +23278 @@
                                 E43105B716750F0C00DB2FB8 /* NodeTraversal.cpp */,
                                 E43105BA16750F1600DB2FB8 /* NodeTraversal.h */,
+                                E3D049931DADC04500718F3C /* NodeConstants.h */,
                                 9382AAB10D8C386100F357A6 /* NodeWithIndex.h */,
                                 E46B41F81CB24E70008F11DE /* NoEventDispatchAssertion.h */,
@@ -25848 +25851 @@
                                 5EA3D6DF1C859D7F00300BBB /* MockMediaEndpoint.h in Headers */,
                                 CDF2B0131820540600F2B424 /* MockMediaPlayerMediaSource.h in Headers */,
+                                E377FE4D1DADE16500CDD025 /* NodeConstants.h in Headers */,
                                 CDF2B0151820540600F2B424 /* MockMediaSourcePrivate.h in Headers */,
                                 07D6A4F41BED5F8800174146 /* MockRealtimeAudioSource.h in Headers */,

trunk/Source/WebCore/bindings/js/JSDOMWrapper.h

@@ -23 +23 @@
 
 #include "JSDOMGlobalObject.h"
+#include "NodeConstants.h"
 #include <runtime/JSDestructibleObject.h>
 
@@ -30 +31 @@
 class ScriptExecutionContext;
 
-static const uint8_t JSDOMWrapperType = JSC::LastJSCObjectType + 1;
-static const uint8_t JSNodeType = JSC::LastJSCObjectType + 2;
-static const uint8_t JSDocumentWrapperType = JSC::LastJSCObjectType + 3;
-static const uint8_t JSElementType = JSC::LastJSCObjectType + 4;
+// We encode Node type into JSType. The format is the following.
+// offset | 7 | 6 5 4 | 3 2 1 0  |
+// value  | 1 | Kind  | NodeType |
+static const uint8_t JSNodeTypeMask                  = 0b00001111;
+
+static const uint8_t JSDOMWrapperType                = 0b10000000;
+static const uint8_t JSNodeType                      = 0b10010000;
+static const uint8_t JSTextNodeType                  = JSNodeType | NodeConstants::TEXT_NODE;
+static const uint8_t JSProcessingInstructionNodeType = JSNodeType | NodeConstants::PROCESSING_INSTRUCTION_NODE;
+static const uint8_t JSDocumentTypeNodeType          = JSNodeType | NodeConstants::DOCUMENT_TYPE_NODE;
+static const uint8_t JSDocumentFragmentNodeType      = JSNodeType | NodeConstants::DOCUMENT_FRAGMENT_NODE;
+static const uint8_t JSDocumentWrapperType           = JSNodeType | NodeConstants::DOCUMENT_NODE;
+static const uint8_t JSCommentNodeType               = JSNodeType | NodeConstants::COMMENT_NODE;
+static const uint8_t JSCDATASectionNodeType          = JSNodeType | NodeConstants::CDATA_SECTION_NODE;
+static const uint8_t JSAttrNodeType                  = JSNodeType | NodeConstants::ATTRIBUTE_NODE;
+static const uint8_t JSElementType                   = 0b10100000 | NodeConstants::ELEMENT_NODE;
+
+static_assert(JSDOMWrapperType > JSC::LastJSCObjectType, "JSC::JSType offers the highest bit.");
+static_assert(NodeConstants::LastNodeType <= JSNodeTypeMask, "NodeType should be represented in 4bit.");
 
 class JSDOMObject : public JSC::JSDestructibleObject {

trunk/Source/WebCore/bindings/js/JSNodeCustom.h

@@ -86 +86 @@
 }
 
+ALWAYS_INLINE JSC::JSValue JSNode::nodeType(JSC::ExecState&) const
+{
+    return JSC::jsNumber(static_cast<uint8_t>(type()) & JSNodeTypeMask);
+}
+
 } // namespace WebCore

trunk/Source/WebCore/bindings/scripts/CodeGeneratorJS.pm

@@ -1169 +1169 @@
     }
     return $result;
+}
+
+sub GetJSTypeForNode
+{
+    my ($codeGenerator, $interface) = @_;
+
+    if ($codeGenerator->InheritsInterface($interface, "Document")) {
+        return "JSDocumentWrapperType";
+    }
+    if ($codeGenerator->InheritsInterface($interface, "DocumentFragment")) {
+        return "JSDocumentFragmentNodeType";
+    }
+    if ($codeGenerator->InheritsInterface($interface, "DocumentType")) {
+        return "JSDocumentTypeNodeType";
+    }
+    if ($codeGenerator->InheritsInterface($interface, "ProcessingInstruction")) {
+        return "JSProcessingInstructionNodeType";
+    }
+    if ($codeGenerator->InheritsInterface($interface, "CDATASection")) {
+        return "JSCDATASectionNodeType";
+    }
+    if ($codeGenerator->InheritsInterface($interface, "Attr")) {
+        return "JSAttrNodeType";
+    }
+    if ($codeGenerator->InheritsInterface($interface, "Comment")) {
+        return "JSCommentNodeType";
+    }
+    if ($codeGenerator->InheritsInterface($interface, "Text")) {
+        return "JSTextNodeType";
+    }
+    if ($codeGenerator->InheritsInterface($interface, "Element")) {
+        return "JSElementType";
+    }
+    return "JSNodeType";
 }
 
@@ -1369 +1403 @@
     if (IsDOMGlobalObject($interface)) {
         push(@headerContent, "        return JSC::Structure::create(vm, globalObject, prototype, JSC::TypeInfo(JSC::GlobalObjectType, StructureFlags), info());\n");
-    } elsif ($codeGenerator->InheritsInterface($interface, "Document")) {
-        push(@headerContent, "        return JSC::Structure::create(vm, globalObject, prototype, JSC::TypeInfo(JSC::JSType(JSDocumentWrapperType), StructureFlags), info());\n");
-    } elsif ($codeGenerator->InheritsInterface($interface, "Element")) {
-        push(@headerContent, "        return JSC::Structure::create(vm, globalObject, prototype, JSC::TypeInfo(JSC::JSType(JSElementType), StructureFlags), info());\n");
     } elsif ($codeGenerator->InheritsInterface($interface, "Node")) {
-        push(@headerContent, "        return JSC::Structure::create(vm, globalObject, prototype, JSC::TypeInfo(JSC::JSType(JSNodeType), StructureFlags), info());\n");
+        my $type = GetJSTypeForNode($codeGenerator, $interface);
+        push(@headerContent, "        return JSC::Structure::create(vm, globalObject, prototype, JSC::TypeInfo(JSC::JSType($type), StructureFlags), info());\n");
     } else {
         push(@headerContent, "        return JSC::Structure::create(vm, globalObject, prototype, JSC::TypeInfo(JSC::ObjectType, StructureFlags), info());\n");
@@ -1670 +1701 @@
             push(@headerContent, "#if ENABLE(JIT)\n");
             push(@headerContent, "    Ref<JSC::DOMJIT::Patchpoint> checkDOM() override;\n");
-            push(@headerContent, "    Ref<JSC::DOMJIT::Patchpoint> callDOM() override;\n");
+            push(@headerContent, "    Ref<JSC::DOMJIT::CallDOMPatchpoint> callDOM() override;\n");
             push(@headerContent, "#endif\n");
             push(@headerContent, "};\n\n");

trunk/Source/WebCore/dom/Node.idl

@@ -47 +47 @@
     [CEReactions, SetterMayThrowLegacyException] attribute DOMString? nodeValue;
 
-    readonly attribute unsigned short nodeType;
+    [DOMJIT, CustomGetter] readonly attribute unsigned short nodeType;
     [DOMJIT] readonly attribute Node? parentNode;
     readonly attribute NodeList childNodes;

trunk/Source/WebCore/dom/NodeConstants.h

@@ -26 +26 @@
 #pragma once
 
-#include "DOMJITPatchpoint.h"
-#include "PropertySlot.h"
-#include "PutPropertySlot.h"
-#include "SpeculatedType.h"
+namespace WebCore {
 
-namespace JSC { namespace DOMJIT {
+struct NodeConstants {
+    enum NodeType {
+        ELEMENT_NODE = 1,
+        ATTRIBUTE_NODE = 2,
+        TEXT_NODE = 3,
+        CDATA_SECTION_NODE = 4,
+        PROCESSING_INSTRUCTION_NODE = 7,
+        COMMENT_NODE = 8,
+        DOCUMENT_NODE = 9,
+        DOCUMENT_TYPE_NODE = 10,
+        DOCUMENT_FRAGMENT_NODE = 11,
+    };
 
-class GetterSetter {
-public:
-    typedef PropertySlot::GetValueFunc CustomGetter;
-    typedef PutPropertySlot::PutValueFunc CustomSetter;
+    enum DeprecatedNodeType {
+        ENTITY_REFERENCE_NODE = 5,
+        ENTITY_NODE = 6,
+        NOTATION_NODE = 12,
+    };
 
-    GetterSetter(CustomGetter getter, CustomSetter setter, const ClassInfo* classInfo)
-        : m_getter(getter)
-        , m_setter(setter)
-        , m_thisClassInfo(classInfo)
-    {
-    }
-
-    virtual ~GetterSetter() { }
-
-    CustomGetter getter() const { return m_getter; }
-    CustomSetter setter() const { return m_setter; }
-    const ClassInfo* thisClassInfo() const { return m_thisClassInfo; }
-
-#if ENABLE(JIT)
-    virtual Ref<DOMJIT::Patchpoint> callDOM() = 0;
-    virtual Ref<DOMJIT::Patchpoint> checkDOM() = 0;
-#endif
-
-private:
-    CustomGetter m_getter;
-    CustomSetter m_setter;
-    const ClassInfo* m_thisClassInfo;
+    static const uint8_t LastNodeType = NOTATION_NODE;
 };
 
-} }
+} // namespace WebCore::NodeType

trunk/Source/WebCore/domjit/JSNodeDOMJIT.cpp

@@ -51 +51 @@
 
 template<typename WrappedNode>
-static Ref<DOMJIT::Patchpoint> createCallDOMForOffsetAccess(ptrdiff_t offset, IsContainerGuardRequirement isContainerGuardRequirement)
+static Ref<DOMJIT::CallDOMPatchpoint> createCallDOMForOffsetAccess(ptrdiff_t offset, IsContainerGuardRequirement isContainerGuardRequirement)
 {
-    Ref<DOMJIT::Patchpoint> patchpoint = DOMJIT::Patchpoint::create();
+    Ref<DOMJIT::CallDOMPatchpoint> patchpoint = DOMJIT::CallDOMPatchpoint::create();
     patchpoint->numGPScratchRegisters = 1;
     patchpoint->setGenerator([=](CCallHelpers& jit, const DOMJIT::PatchpointParams& params) {
@@ -99 +99 @@
 }
 
-Ref<DOMJIT::Patchpoint> NodeFirstChildDOMJIT::callDOM()
+Ref<DOMJIT::CallDOMPatchpoint> NodeFirstChildDOMJIT::callDOM()
 {
     return createCallDOMForOffsetAccess<Node>(CAST_OFFSET(Node*, ContainerNode*) + ContainerNode::firstChildMemoryOffset(), IsContainerGuardRequirement::Required);
@@ -110 +110 @@
 }
 
-Ref<DOMJIT::Patchpoint> NodeLastChildDOMJIT::callDOM()
+Ref<DOMJIT::CallDOMPatchpoint> NodeLastChildDOMJIT::callDOM()
 {
     return createCallDOMForOffsetAccess<Node>(CAST_OFFSET(Node*, ContainerNode*) + ContainerNode::lastChildMemoryOffset(), IsContainerGuardRequirement::Required);
@@ -121 +121 @@
 }
 
-Ref<DOMJIT::Patchpoint> NodeNextSiblingDOMJIT::callDOM()
+Ref<DOMJIT::CallDOMPatchpoint> NodeNextSiblingDOMJIT::callDOM()
 {
     return createCallDOMForOffsetAccess<Node>(Node::nextSiblingMemoryOffset(), IsContainerGuardRequirement::NotRequired);
@@ -132 +132 @@
 }
 
-Ref<DOMJIT::Patchpoint> NodePreviousSiblingDOMJIT::callDOM()
+Ref<DOMJIT::CallDOMPatchpoint> NodePreviousSiblingDOMJIT::callDOM()
 {
     return createCallDOMForOffsetAccess<Node>(Node::previousSiblingMemoryOffset(), IsContainerGuardRequirement::NotRequired);
@@ -143 +143 @@
 }
 
-Ref<DOMJIT::Patchpoint> NodeParentNodeDOMJIT::callDOM()
+Ref<DOMJIT::CallDOMPatchpoint> NodeParentNodeDOMJIT::callDOM()
 {
     return createCallDOMForOffsetAccess<ContainerNode>(Node::parentNodeMemoryOffset(), IsContainerGuardRequirement::NotRequired);
+}
+
+// Node#nodeType.
+Ref<DOMJIT::Patchpoint> NodeNodeTypeDOMJIT::checkDOM()
+{
+    return checkNode();
+}
+
+Ref<DOMJIT::CallDOMPatchpoint> NodeNodeTypeDOMJIT::callDOM()
+{
+    Ref<DOMJIT::CallDOMPatchpoint> patchpoint = DOMJIT::CallDOMPatchpoint::create();
+    patchpoint->requireGlobalObject = false;
+    patchpoint->setGenerator([=](CCallHelpers& jit, const DOMJIT::PatchpointParams& params) {
+        JSValueRegs result = params[0].jsValueRegs();
+        GPRReg node = params[1].gpr();
+        jit.load8(CCallHelpers::Address(node, JSC::JSCell::typeInfoTypeOffset()), result.payloadGPR());
+        jit.and32(CCallHelpers::TrustedImm32(JSNodeTypeMask), result.payloadGPR());
+        jit.boxInt32(result.payloadGPR(), result);
+        return CCallHelpers::JumpList();
+    });
+    return patchpoint;
 }