Changeset 220735 in webkit
- Timestamp:
- Aug 14, 2017 9:18:56 PM (7 years ago)
- Location:
- trunk
- Files:
-
- 1 added
- 30 edited
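--- a/trunk/JSTests/ChangeLog
+++ b/trunk/JSTests/ChangeLog
@@ -1,2 +1,12 @@
+2017-08-14 Keith Miller <keith_miller@apple.com>
+
+Add testing tool to lie to the DFG about profiles
+https://bugs.webkit.org/show_bug.cgi?id=175487
+
+Reviewed by Saam Barati.
+
+* stress/compare-eq-incomplete-profile.js: Added.
+(const.test.createBuiltin):
+
 2017-08-14 Robin Morisset <rmorisset@apple.com>
 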
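--- a/trunk/Source/JavaScriptCore/ChangeLog
+++ b/trunk/Source/JavaScriptCore/ChangeLog
@@ -1,2 +1,62 @@
+2017-08-14 Keith Miller <keith_miller@apple.com>
+
+Add testing tool to lie to the DFG about profiles
+https://bugs.webkit.org/show_bug.cgi?id=175487
+
+Reviewed by Saam Barati.
+
+This patch adds a new bytecode identity_with_profile that lets
+us lie to the DFG about what profiles it has seen as the input to
+another bytecode. Previously, there was no reliable way to force
+a given profile when we tired up.
+
+* bytecode/BytecodeDumper.cpp:
+(JSC::BytecodeDumper<Block>::dumpBytecode):
+* bytecode/BytecodeIntrinsicRegistry.h:
+* bytecode/BytecodeList.json:
+* bytecode/BytecodeUseDef.h:
+(JSC::computeUsesForBytecodeOffset):
+(JSC::computeDefsForBytecodeOffset):
+* bytecode/SpeculatedType.cpp:
+(JSC::speculationFromString):
+* bytecode/SpeculatedType.h:
+* bytecompiler/BytecodeGenerator.cpp:
+(JSC::BytecodeGenerator::emitIdWithProfile):
+* bytecompiler/BytecodeGenerator.h:
+* bytecompiler/NodesCodegen.cpp:
+(JSC::BytecodeIntrinsicNode::emit_intrinsic_idWithProfile):
+* dfg/DFGAbstractInterpreterInlines.h:
+(JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
+* dfg/DFGByteCodeParser.cpp:
+(JSC::DFG::ByteCodeParser::parseBlock):
+* dfg/DFGCapabilities.cpp:
+(JSC::DFG::capabilityLevel):
+* dfg/DFGClobberize.h:
+(JSC::DFG::clobberize):
+* dfg/DFGDoesGC.cpp:
+(JSC::DFG::doesGC):
+* dfg/DFGFixupPhase.cpp:
+(JSC::DFG::FixupPhase::fixupNode):
+* dfg/DFGMayExit.cpp:
+* dfg/DFGNode.h:
+(JSC::DFG::Node::getForcedPrediction):
+* dfg/DFGNodeType.h:
+* dfg/DFGPredictionPropagationPhase.cpp:
+* dfg/DFGSafeToExecute.h:
+(JSC::DFG::safeToExecute):
+* dfg/DFGSpeculativeJIT32_64.cpp:
+(JSC::DFG::SpeculativeJIT::compile):
+* dfg/DFGSpeculativeJIT64.cpp:
+(JSC::DFG::SpeculativeJIT::compile):
+* dfg/DFGValidate.cpp:
+* jit/JIT.cpp:
+(JSC::JIT::privateCompileMainPass):
+* jit/JIT.h:
+* jit/JITOpcodes.cpp:
+(JSC::JIT::emit_op_identity_with_profile):
+* jit/JITOpcodes32_64.cpp:
+(JSC::JIT::emit_op_identity_with_profile):
+* llint/LowLevelInterpreter.asm:
+
 2017-08-14 Simon Fraser <simon.fraser@apple.com>
 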
trunk/Source/JavaScriptCore/bytecode/BytecodeDumper.cpp
r218412 r220735 1570 1570 break; 1571 1571 } 1572 case op_identity_with_profile: { 1573 int r0 = (++it)->u.operand; 1574 ++it; // Profile top half 1575 ++it; // Profile bottom half 1576 printLocationAndOp(out, location, it, "identity_with_profile"); 1577 out.printf("%s", registerName(r0).data()); 1578 break; 1579 } 1572 1580 case op_unreachable: { 1573 1581 printLocationAndOp(out, location, it, "unreachable"); -
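--- a/trunk/Source/JavaScriptCore/bytecode/BytecodeIntrinsicRegistry.h
+++ b/trunk/Source/JavaScriptCore/bytecode/BytecodeIntrinsicRegistry.h
@@ -42,4 +42,5 @@
 macro(argumentCount) \
 macro(assert) \
+macro(idWithProfile) \
 macro(isObject) \
 macro(isJSArray) \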
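--- a/trunk/Source/JavaScriptCore/bytecode/BytecodeList.json
+++ b/trunk/Source/JavaScriptCore/bytecode/BytecodeList.json
@@ -52,4 +52,5 @@
 { "name" : "op_bitor", "length" : 5 },
 { "name" : "op_overrides_has_instance", "length" : 4 },
+{ "name" : "op_identity_with_profile", "length" : 4 },
 { "name" : "op_instanceof", "length" : 4 },
 { "name" : "op_instanceof_custom", "length" : 5 },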
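--- a/trunk/Source/JavaScriptCore/bytecode/BytecodeUseDef.h
+++ b/trunk/Source/JavaScriptCore/bytecode/BytecodeUseDef.h
@@ -61,4 +61,5 @@
 case op_to_this:
 case op_check_tdz:
+case op_identity_with_profile:
 case op_profile_type:
 case op_throw:
@@ -424,4 +425,5 @@
 case op_get_by_val:
 case op_typeof:
+case op_identity_with_profile:
 case op_is_empty:
 case op_is_undefined: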
trunk/Source/JavaScriptCore/bytecode/SpeculatedType.cpp
r218794 r220735 660 660 } 661 661 662 SpeculatedType speculationFromString(const char* speculation) 663 { 664 if (!strncmp(speculation, "SpecNone", strlen("SpecNone"))) 665 return SpecNone; 666 if (!strncmp(speculation, "SpecFinalObject", strlen("SpecFinalObject"))) 667 return SpecFinalObject; 668 if (!strncmp(speculation, "SpecArray", strlen("SpecArray"))) 669 return SpecArray; 670 if (!strncmp(speculation, "SpecFunction", strlen("SpecFunction"))) 671 return SpecFunction; 672 if (!strncmp(speculation, "SpecInt8Array", strlen("SpecInt8Array"))) 673 return SpecInt8Array; 674 if (!strncmp(speculation, "SpecInt16Array", strlen("SpecInt16Array"))) 675 return SpecInt16Array; 676 if (!strncmp(speculation, "SpecInt32Array", strlen("SpecInt32Array"))) 677 return SpecInt32Array; 678 if (!strncmp(speculation, "SpecUint8Array", strlen("SpecUint8Array"))) 679 return SpecUint8Array; 680 if (!strncmp(speculation, "SpecUint8ClampedArray", strlen("SpecUint8ClampedArray"))) 681 return SpecUint8ClampedArray; 682 if (!strncmp(speculation, "SpecUint16Array", strlen("SpecUint16Array"))) 683 return SpecUint16Array; 684 if (!strncmp(speculation, "SpecUint32Array", strlen("SpecUint32Array"))) 685 return SpecUint32Array; 686 if (!strncmp(speculation, "SpecFloat32Array", strlen("SpecFloat32Array"))) 687 return SpecFloat32Array; 688 if (!strncmp(speculation, "SpecFloat64Array", strlen("SpecFloat64Array"))) 689 return SpecFloat64Array; 690 if (!strncmp(speculation, "SpecTypedArrayView", strlen("SpecTypedArrayView"))) 691 return SpecTypedArrayView; 692 if (!strncmp(speculation, "SpecDirectArguments", strlen("SpecDirectArguments"))) 693 return SpecDirectArguments; 694 if (!strncmp(speculation, "SpecScopedArguments", strlen("SpecScopedArguments"))) 695 return SpecScopedArguments; 696 if (!strncmp(speculation, "SpecStringObject", strlen("SpecStringObject"))) 697 return SpecStringObject; 698 if (!strncmp(speculation, "SpecRegExpObject", strlen("SpecRegExpObject"))) 699 return SpecRegExpObject; 700 
if (!strncmp(speculation, "SpecMapObject", strlen("SpecMapObject"))) 701 return SpecMapObject; 702 if (!strncmp(speculation, "SpecSetObject", strlen("SpecSetObject"))) 703 return SpecSetObject; 704 if (!strncmp(speculation, "SpecProxyObject", strlen("SpecProxyObject"))) 705 return SpecProxyObject; 706 if (!strncmp(speculation, "SpecDerivedArray", strlen("SpecDerivedArray"))) 707 return SpecDerivedArray; 708 if (!strncmp(speculation, "SpecObjectOther", strlen("SpecObjectOther"))) 709 return SpecObjectOther; 710 if (!strncmp(speculation, "SpecObject", strlen("SpecObject"))) 711 return SpecObject; 712 if (!strncmp(speculation, "SpecStringIdent", strlen("SpecStringIdent"))) 713 return SpecStringIdent; 714 if (!strncmp(speculation, "SpecStringVar", strlen("SpecStringVar"))) 715 return SpecStringVar; 716 if (!strncmp(speculation, "SpecString", strlen("SpecString"))) 717 return SpecString; 718 if (!strncmp(speculation, "SpecSymbol", strlen("SpecSymbol"))) 719 return SpecSymbol; 720 if (!strncmp(speculation, "SpecCellOther", strlen("SpecCellOther"))) 721 return SpecCellOther; 722 if (!strncmp(speculation, "SpecCell", strlen("SpecCell"))) 723 return SpecCell; 724 if (!strncmp(speculation, "SpecBoolInt32", strlen("SpecBoolInt32"))) 725 return SpecBoolInt32; 726 if (!strncmp(speculation, "SpecNonBoolInt32", strlen("SpecNonBoolInt32"))) 727 return SpecNonBoolInt32; 728 if (!strncmp(speculation, "SpecInt32Only", strlen("SpecInt32Only"))) 729 return SpecInt32Only; 730 if (!strncmp(speculation, "SpecInt52Only", strlen("SpecInt52Only"))) 731 return SpecInt52Only; 732 if (!strncmp(speculation, "SpecAnyInt", strlen("SpecAnyInt"))) 733 return SpecAnyInt; 734 if (!strncmp(speculation, "SpecAnyIntAsDouble", strlen("SpecAnyIntAsDouble"))) 735 return SpecAnyIntAsDouble; 736 if (!strncmp(speculation, "SpecNonIntAsDouble", strlen("SpecNonIntAsDouble"))) 737 return SpecNonIntAsDouble; 738 if (!strncmp(speculation, "SpecDoubleReal", strlen("SpecDoubleReal"))) 739 return SpecDoubleReal; 740 
if (!strncmp(speculation, "SpecDoublePureNaN", strlen("SpecDoublePureNaN"))) 741 return SpecDoublePureNaN; 742 if (!strncmp(speculation, "SpecDoubleImpureNaN", strlen("SpecDoubleImpureNaN"))) 743 return SpecDoubleImpureNaN; 744 if (!strncmp(speculation, "SpecDoubleNaN", strlen("SpecDoubleNaN"))) 745 return SpecDoubleNaN; 746 if (!strncmp(speculation, "SpecBytecodeDouble", strlen("SpecBytecodeDouble"))) 747 return SpecBytecodeDouble; 748 if (!strncmp(speculation, "SpecFullDouble", strlen("SpecFullDouble"))) 749 return SpecFullDouble; 750 if (!strncmp(speculation, "SpecBytecodeRealNumber", strlen("SpecBytecodeRealNumber"))) 751 return SpecBytecodeRealNumber; 752 if (!strncmp(speculation, "SpecFullRealNumber", strlen("SpecFullRealNumber"))) 753 return SpecFullRealNumber; 754 if (!strncmp(speculation, "SpecBytecodeNumber", strlen("SpecBytecodeNumber"))) 755 return SpecBytecodeNumber; 756 if (!strncmp(speculation, "SpecFullNumber", strlen("SpecFullNumber"))) 757 return SpecFullNumber; 758 if (!strncmp(speculation, "SpecBoolean", strlen("SpecBoolean"))) 759 return SpecBoolean; 760 if (!strncmp(speculation, "SpecOther", strlen("SpecOther"))) 761 return SpecOther; 762 if (!strncmp(speculation, "SpecMisc", strlen("SpecMisc"))) 763 return SpecMisc; 764 if (!strncmp(speculation, "SpecHeapTop", strlen("SpecHeapTop"))) 765 return SpecHeapTop; 766 if (!strncmp(speculation, "SpecPrimitive", strlen("SpecPrimitive"))) 767 return SpecPrimitive; 768 if (!strncmp(speculation, "SpecEmpty", strlen("SpecEmpty"))) 769 return SpecEmpty; 770 if (!strncmp(speculation, "SpecBytecodeTop", strlen("SpecBytecodeTop"))) 771 return SpecBytecodeTop; 772 if (!strncmp(speculation, "SpecFullTop", strlen("SpecFullTop"))) 773 return SpecFullTop; 774 if (!strncmp(speculation, "SpecCellCheck", strlen("SpecCellCheck"))) 775 return SpecCellCheck; 776 RELEASE_ASSERT_NOT_REACHED(); 777 } 778 662 779 } // namespace JSC 663 780 -
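Review bot: Every test in `speculationFromString` is a prefix match (`strncmp` bounded by the literal's own length), so the result depends on test order. "SpecAnyIntAsDouble" is caught by the earlier `SpecAnyInt` test and "SpecCellCheck" by the earlier `SpecCell` test, which leaves both of those branches unreachable. A name with trailing characters, such as a typo like "SpecNoneX", also maps silently to the shorter type instead of reaching `RELEASE_ASSERT_NOT_REACHED()`. An exact comparison removes the ordering dependency: `if (!strcmp(speculation, "SpecAnyInt")) return SpecAnyInt;`, and likewise for every entry. A test that believes it forced one profile but got another is hard to notice, so a one-line comment stating that names must match exactly would also help.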
trunk/Source/JavaScriptCore/bytecode/SpeculatedType.h
r218137 r220735 499 499 SpeculatedType typeOfDoubleUnaryOp(SpeculatedType); 500 500 501 // This is mostly for debugging so we can fill profiles from strings. 502 SpeculatedType speculationFromString(const char*); 503 501 504 } // namespace JSC -
trunk/Source/JavaScriptCore/bytecompiler/BytecodeGenerator.cpp
r219981 r220735 2975 2975 } 2976 2976 2977 RegisterID* BytecodeGenerator::emitIdWithProfile(RegisterID* src, SpeculatedType profile) 2978 { 2979 emitOpcode(op_identity_with_profile); 2980 instructions().append(src->index()); 2981 instructions().append(static_cast<uint32_t>(profile >> 32)); 2982 instructions().append(static_cast<uint32_t>(profile)); 2983 return src; 2984 } 2985 2977 2986 void BytecodeGenerator::emitUnreachable() 2978 2987 { -
trunk/Source/JavaScriptCore/bytecompiler/BytecodeGenerator.h
r218957 r220735 687 687 688 688 RegisterID* emitAssert(RegisterID* condition, int line); 689 RegisterID* emitIdWithProfile(RegisterID* src, SpeculatedType profile); 689 690 void emitUnreachable(); 690 691 -
trunk/Source/JavaScriptCore/bytecompiler/NodesCodegen.cpp
r220068 r220735 1023 1023 1024 1024 return generator.moveToDestinationIfNeeded(dst, generator.emitToString(generator.tempDestination(dst), src.get())); 1025 } 1026 1027 RegisterID* BytecodeIntrinsicNode::emit_intrinsic_idWithProfile(BytecodeGenerator& generator, RegisterID* dst) 1028 { 1029 1030 ArgumentListNode* node = m_args->m_listNode; 1031 RefPtr<RegisterID> idValue = generator.emitNode(node); 1032 SpeculatedType speculation = SpecNone; 1033 while (node->m_next) { 1034 node = node->m_next; 1035 ASSERT(node->m_expr->isString()); 1036 const Identifier& ident = static_cast<StringNode*>(node->m_expr)->value(); 1037 speculation |= speculationFromString(ident.utf8().data()); 1038 } 1039 1040 return generator.moveToDestinationIfNeeded(dst, generator.emitIdWithProfile(idValue.get(), speculation)); 1025 1041 } 1026 1042 -
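Review bot: `ASSERT(node->m_expr->isString())` in `emit_intrinsic_idWithProfile` is a debug-only check, so in release builds a non-string argument would reach `static_cast<StringNode*>(node->m_expr)` unchecked and `value()` would read a node of the wrong type. Bytecode intrinsics are presumably only reachable from builtin sources, which limits exposure. Since this is a testing tool where the check costs nothing, I would still make it `RELEASE_ASSERT(node->m_expr->isString());`, in line with the `RELEASE_ASSERT_NOT_REACHED()` that `speculationFromString` uses for unknown names. The empty line directly after the function's opening brace can also be dropped.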
trunk/Source/JavaScriptCore/dfg/DFGAbstractInterpreterInlines.h
r220724 r220735 200 200 break; 201 201 } 202 202 203 case IdentityWithProfile: 203 204 case Identity: { 204 205 forNode(node) = forNode(node->child1()); -
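--- a/trunk/Source/JavaScriptCore/dfg/DFGByteCodeParser.cpp
+++ b/trunk/Source/JavaScriptCore/dfg/DFGByteCodeParser.cpp
@@ -4458,4 +4458,11 @@
 set(VirtualRegister(currentInstruction[1].u.operand), addToGraph(OverridesHasInstance, OpInfo(m_graph.freeze(defaultHasInstanceSymbolFunction)), constructor, hasInstanceValue));
 NEXT_OPCODE(op_overrides_has_instance);
+}
+
+case op_identity_with_profile: {
+Node* src = get(VirtualRegister(currentInstruction[1].u.operand));
+SpeculatedType speculation = static_cast<SpeculatedType>(currentInstruction[2].u.operand) << 32 | static_cast<SpeculatedType>(currentInstruction[3].u.operand);
+set(VirtualRegister(currentInstruction[1].u.operand), addToGraph(IdentityWithProfile, OpInfo(speculation), src));
+NEXT_OPCODE(op_identity_with_profile);
 }
 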
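Review bot: The low half of the profile is widened with `static_cast<SpeculatedType>(currentInstruction[3].u.operand)`, which can sign-extend. This assumes `u.operand` is a signed `int`, as the dumper hunk's `int r0 = (++it)->u.operand` suggests, and that `SpeculatedType` is 64 bits wide, as `profile >> 32` in `emitIdWithProfile` implies. In that case a low word with bit 31 set ORs ones over the entire upper half and corrupts the forced speculation. Going through `uint32_t` first avoids it: `... | static_cast<SpeculatedType>(static_cast<uint32_t>(currentInstruction[3].u.operand));`. The top half is unaffected because the shift discards the extended bits. This case sits inside `parseBlock`, which starts and ends outside the hunk.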
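--- a/trunk/Source/JavaScriptCore/dfg/DFGCapabilities.cpp
+++ b/trunk/Source/JavaScriptCore/dfg/DFGCapabilities.cpp
@@ -136,4 +136,5 @@
 case op_mov:
 case op_overrides_has_instance:
+case op_identity_with_profile:
 case op_instanceof:
 case op_instanceof_custom: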
trunk/Source/JavaScriptCore/dfg/DFGClobberize.h
r220724 r220735 138 138 139 139 case Identity: 140 case IdentityWithProfile: 140 141 case Phantom: 141 142 case Check: -
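--- a/trunk/Source/JavaScriptCore/dfg/DFGDoesGC.cpp
+++ b/trunk/Source/JavaScriptCore/dfg/DFGDoesGC.cpp
@@ -50,4 +50,5 @@
 case LazyJSConstant:
 case Identity:
+case IdentityWithProfile:
 case GetCallee:
 case GetArgumentCountIncludingThis: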
trunk/Source/JavaScriptCore/dfg/DFGFixupPhase.cpp
r220724 r220735 1574 1574 DFG_CRASH(m_graph, node, "Unexpected node during fixup"); 1575 1575 break; 1576 1576 1577 1577 case PutGlobalVariable: { 1578 1578 fixEdge<CellUse>(node->child1()); … … 1927 1927 fixEdge<Int32Use>(node->child2()); 1928 1928 1929 break; 1930 } 1931 1932 case IdentityWithProfile: { 1933 node->clearFlags(NodeMustGenerate); 1929 1934 break; 1930 1935 } -
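Review bot: The new `IdentityWithProfile` case in `fixupNode` only clears `NodeMustGenerate`, and nothing in the hunks shown on this page converts the node to `Identity` or replaces it with its child, while both SpeculativeJIT backends `DFG_CRASH` on it. Because the parser `set()`s the source register to this node, it likely still has users after fixup, so dead-code elimination alone may not remove it. It is worth confirming that a phase outside this changeset eliminates the node before code generation. If the node is only meant to carry the forced prediction, a comment such as `// Prediction propagation has consumed the forced profile; the node no longer needs to be generated.` would document that. `fixupNode` extends beyond both hunks in this section.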
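--- a/trunk/Source/JavaScriptCore/dfg/DFGMayExit.cpp
+++ b/trunk/Source/JavaScriptCore/dfg/DFGMayExit.cpp
@@ -59,4 +59,5 @@
 case Check:
 case Identity:
+case IdentityWithProfile:
 case GetLocal:
 case LoopHint: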
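--- a/trunk/Source/JavaScriptCore/dfg/DFGNode.h
+++ b/trunk/Source/JavaScriptCore/dfg/DFGNode.h
@@ -1536,4 +1536,10 @@
 m_opInfo2 = prediction;
 }
+
+SpeculatedType getForcedPrediction()
+{
+ASSERT(op() == IdentityWithProfile);
+return m_opInfo.as<SpeculatedType>();
+}
 
 bool hasCellOperand()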
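--- a/trunk/Source/JavaScriptCore/dfg/DFGNodeType.h
+++ b/trunk/Source/JavaScriptCore/dfg/DFGNodeType.h
@@ -48,4 +48,6 @@
 /* though it may choose not to if it would corrupt predictions (very rare). */\
 macro(Identity, NodeResultJS) \
+/* Used for debugging to force a profile to appear as anything we want. */ \
+macro(IdentityWithProfile, NodeResultJS | NodeMustGenerate) \
 \
 /* Nodes for handling functions (both as call and as construct). */\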
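--- a/trunk/Source/JavaScriptCore/dfg/DFGPredictionPropagationPhase.cpp
+++ b/trunk/Source/JavaScriptCore/dfg/DFGPredictionPropagationPhase.cpp
@@ -986,4 +986,9 @@
 // its result.
 setPrediction(m_currentNode->getHeapPrediction());
+break;
+}
+
+case IdentityWithProfile: {
+setPrediction(m_currentNode->getForcedPrediction());
 break;
 }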
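--- a/trunk/Source/JavaScriptCore/dfg/DFGSafeToExecute.h
+++ b/trunk/Source/JavaScriptCore/dfg/DFGSafeToExecute.h
@@ -144,4 +144,5 @@
 case LazyJSConstant:
 case Identity:
+case IdentityWithProfile:
 case ToThis:
 case CreateThis: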
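--- a/trunk/Source/JavaScriptCore/dfg/DFGSpeculativeJIT32_64.cpp
+++ b/trunk/Source/JavaScriptCore/dfg/DFGSpeculativeJIT32_64.cpp
@@ -5681,4 +5681,5 @@
 case AtomicsSub:
 case AtomicsXor:
+case IdentityWithProfile:
 DFG_CRASH(m_jit.graph(), node, "unexpected node in DFG backend");
 break;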
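--- a/trunk/Source/JavaScriptCore/dfg/DFGSpeculativeJIT64.cpp
+++ b/trunk/Source/JavaScriptCore/dfg/DFGSpeculativeJIT64.cpp
@@ -6122,4 +6122,5 @@
 case PhantomSpread:
 case PhantomNewArrayWithSpread:
+case IdentityWithProfile:
 DFG_CRASH(m_jit.graph(), node, "Unexpected node");
 break;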
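--- a/trunk/Source/JavaScriptCore/dfg/DFGValidate.cpp
+++ b/trunk/Source/JavaScriptCore/dfg/DFGValidate.cpp
@@ -223,4 +223,5 @@
 switch (node->op()) {
 case Identity:
+case IdentityWithProfile:
 VALIDATE((node), canonicalResultRepresentation(node->result()) == canonicalResultRepresentation(node->child1()->result()));
 break;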
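--- a/trunk/Source/JavaScriptCore/jit/JIT.cpp
+++ b/trunk/Source/JavaScriptCore/jit/JIT.cpp
@@ -290,4 +290,5 @@
 DEFINE_OP(op_check_tdz)
 DEFINE_OP(op_assert)
+DEFINE_OP(op_identity_with_profile)
 DEFINE_OP(op_unreachable)
 DEFINE_OP(op_debug)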
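--- a/trunk/Source/JavaScriptCore/jit/JIT.h
+++ b/trunk/Source/JavaScriptCore/jit/JIT.h
@@ -489,4 +489,5 @@
 void emit_op_check_tdz(Instruction*);
 void emit_op_assert(Instruction*);
+void emit_op_identity_with_profile(Instruction*);
 void emit_op_unreachable(Instruction*);
 void emit_op_debug(Instruction*);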
trunk/Source/JavaScriptCore/jit/JITOpcodes.cpp
r218794 r220735 560 560 } 561 561 562 void JIT::emit_op_identity_with_profile(Instruction*) 563 { 564 // We don't need to do anything here... 565 } 566 562 567 void JIT::emit_op_create_lexical_environment(Instruction* currentInstruction) 563 568 { -
trunk/Source/JavaScriptCore/jit/JITOpcodes32_64.cpp
r214571 r220735 860 860 } 861 861 862 void JIT::emit_op_identity_with_profile(Instruction*) 863 { 864 // We don't need to do anything here... 865 } 866 862 867 void JIT::emit_op_create_lexical_environment(Instruction* currentInstruction) 863 868 { -
trunk/Source/JavaScriptCore/llint/LowLevelInterpreter.asm
r220078 r220735 1724 1724 1725 1725 1726 _llint_op_identity_with_profile: 1727 traceExecution() 1728 dispatch(constexpr op_identity_with_profile_length) 1729 1730 1726 1731 _llint_op_unreachable: 1727 1732 traceExecution()