Changeset 220735 in webkit

Timestamp:

Aug 14, 2017 9:18:56 PM (7 years ago)

Author:

keith_miller@apple.com

Message:

Add testing tool to lie to the DFG about profiles
​https://bugs.webkit.org/show_bug.cgi?id=175487

Reviewed by Saam Barati.

JSTests:

• stress/compare-eq-incomplete-profile.js: Added.

(const.test.createBuiltin):

Source/JavaScriptCore:

This patch adds a new bytecode identity_with_profile that lets
us lie to the DFG about what profiles it has seen as the input to
another bytecode. Previously, there was no reliable way to force
a given profile when we tired up.

• bytecode/BytecodeDumper.cpp:

(JSC::BytecodeDumper<Block>::dumpBytecode):

• bytecode/BytecodeIntrinsicRegistry.h:
• bytecode/BytecodeList.json:
• bytecode/BytecodeUseDef.h:

(JSC::computeUsesForBytecodeOffset):
(JSC::computeDefsForBytecodeOffset):

• bytecode/SpeculatedType.cpp:

(JSC::speculationFromString):

• bytecode/SpeculatedType.h:
• bytecompiler/BytecodeGenerator.cpp:

(JSC::BytecodeGenerator::emitIdWithProfile):

• bytecompiler/BytecodeGenerator.h:
• bytecompiler/NodesCodegen.cpp:

(JSC::BytecodeIntrinsicNode::emit_intrinsic_idWithProfile):

• dfg/DFGAbstractInterpreterInlines.h:

(JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):

• dfg/DFGByteCodeParser.cpp:

(JSC::DFG::ByteCodeParser::parseBlock):

• dfg/DFGCapabilities.cpp:

(JSC::DFG::capabilityLevel):

• dfg/DFGClobberize.h:

(JSC::DFG::clobberize):

• dfg/DFGDoesGC.cpp:

(JSC::DFG::doesGC):

• dfg/DFGFixupPhase.cpp:

(JSC::DFG::FixupPhase::fixupNode):

• dfg/DFGMayExit.cpp:
• dfg/DFGNode.h:

(JSC::DFG::Node::getForcedPrediction):

• dfg/DFGNodeType.h:
• dfg/DFGPredictionPropagationPhase.cpp:
• dfg/DFGSafeToExecute.h:

(JSC::DFG::safeToExecute):

• dfg/DFGSpeculativeJIT32_64.cpp:

(JSC::DFG::SpeculativeJIT::compile):

• dfg/DFGSpeculativeJIT64.cpp:

(JSC::DFG::SpeculativeJIT::compile):

• dfg/DFGValidate.cpp:
• jit/JIT.cpp:

(JSC::JIT::privateCompileMainPass):

• jit/JIT.h:
• jit/JITOpcodes.cpp:

(JSC::JIT::emit_op_identity_with_profile):

• jit/JITOpcodes32_64.cpp:

(JSC::JIT::emit_op_identity_with_profile):

• llint/LowLevelInterpreter.asm:

Location:

trunk

Files:

• JSTests/ChangeLog (modified) (1 diff)
• JSTests/stress/compare-eq-incomplete-profile.js (added)
• Source/JavaScriptCore/ChangeLog (modified) (1 diff)
• Source/JavaScriptCore/bytecode/BytecodeDumper.cpp (modified) (1 diff)
• Source/JavaScriptCore/bytecode/BytecodeIntrinsicRegistry.h (modified) (1 diff)
• Source/JavaScriptCore/bytecode/BytecodeList.json (modified) (1 diff)
• Source/JavaScriptCore/bytecode/BytecodeUseDef.h (modified) (2 diffs)
• Source/JavaScriptCore/bytecode/SpeculatedType.cpp (modified) (1 diff)
• Source/JavaScriptCore/bytecode/SpeculatedType.h (modified) (1 diff)
• Source/JavaScriptCore/bytecompiler/BytecodeGenerator.cpp (modified) (1 diff)
• Source/JavaScriptCore/bytecompiler/BytecodeGenerator.h (modified) (1 diff)
• Source/JavaScriptCore/bytecompiler/NodesCodegen.cpp (modified) (1 diff)
• Source/JavaScriptCore/dfg/DFGAbstractInterpreterInlines.h (modified) (1 diff)
• Source/JavaScriptCore/dfg/DFGByteCodeParser.cpp (modified) (1 diff)
• Source/JavaScriptCore/dfg/DFGCapabilities.cpp (modified) (1 diff)
• Source/JavaScriptCore/dfg/DFGClobberize.h (modified) (1 diff)
• Source/JavaScriptCore/dfg/DFGDoesGC.cpp (modified) (1 diff)
• Source/JavaScriptCore/dfg/DFGFixupPhase.cpp (modified) (2 diffs)
• Source/JavaScriptCore/dfg/DFGMayExit.cpp (modified) (1 diff)
• Source/JavaScriptCore/dfg/DFGNode.h (modified) (1 diff)
• Source/JavaScriptCore/dfg/DFGNodeType.h (modified) (1 diff)
• Source/JavaScriptCore/dfg/DFGPredictionPropagationPhase.cpp (modified) (1 diff)
• Source/JavaScriptCore/dfg/DFGSafeToExecute.h (modified) (1 diff)
• Source/JavaScriptCore/dfg/DFGSpeculativeJIT32_64.cpp (modified) (1 diff)
• Source/JavaScriptCore/dfg/DFGSpeculativeJIT64.cpp (modified) (1 diff)
• Source/JavaScriptCore/dfg/DFGValidate.cpp (modified) (1 diff)
• Source/JavaScriptCore/jit/JIT.cpp (modified) (1 diff)
• Source/JavaScriptCore/jit/JIT.h (modified) (1 diff)
• Source/JavaScriptCore/jit/JITOpcodes.cpp (modified) (1 diff)
• Source/JavaScriptCore/jit/JITOpcodes32_64.cpp (modified) (1 diff)
• Source/JavaScriptCore/llint/LowLevelInterpreter.asm (modified) (1 diff)

trunk/JSTests/ChangeLog

@@ +1 @@
+2017-08-14  Keith Miller  <keith_miller@apple.com>
+
+        Add testing tool to lie to the DFG about profiles
+        https://bugs.webkit.org/show_bug.cgi?id=175487
+
+        Reviewed by Saam Barati.
+
+        * stress/compare-eq-incomplete-profile.js: Added.
+        (const.test.createBuiltin):
+
 2017-08-14  Robin Morisset  <rmorisset@apple.com>
 

trunk/Source/JavaScriptCore/ChangeLog

@@ +1 @@
+2017-08-14  Keith Miller  <keith_miller@apple.com>
+
+        Add testing tool to lie to the DFG about profiles
+        https://bugs.webkit.org/show_bug.cgi?id=175487
+
+        Reviewed by Saam Barati.
+
+        This patch adds a new bytecode identity_with_profile that lets
+        us lie to the DFG about what profiles it has seen as the input to
+        another bytecode. Previously, there was no reliable way to force
+        a given profile when we tired up.
+
+        * bytecode/BytecodeDumper.cpp:
+        (JSC::BytecodeDumper<Block>::dumpBytecode):
+        * bytecode/BytecodeIntrinsicRegistry.h:
+        * bytecode/BytecodeList.json:
+        * bytecode/BytecodeUseDef.h:
+        (JSC::computeUsesForBytecodeOffset):
+        (JSC::computeDefsForBytecodeOffset):
+        * bytecode/SpeculatedType.cpp:
+        (JSC::speculationFromString):
+        * bytecode/SpeculatedType.h:
+        * bytecompiler/BytecodeGenerator.cpp:
+        (JSC::BytecodeGenerator::emitIdWithProfile):
+        * bytecompiler/BytecodeGenerator.h:
+        * bytecompiler/NodesCodegen.cpp:
+        (JSC::BytecodeIntrinsicNode::emit_intrinsic_idWithProfile):
+        * dfg/DFGAbstractInterpreterInlines.h:
+        (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
+        * dfg/DFGByteCodeParser.cpp:
+        (JSC::DFG::ByteCodeParser::parseBlock):
+        * dfg/DFGCapabilities.cpp:
+        (JSC::DFG::capabilityLevel):
+        * dfg/DFGClobberize.h:
+        (JSC::DFG::clobberize):
+        * dfg/DFGDoesGC.cpp:
+        (JSC::DFG::doesGC):
+        * dfg/DFGFixupPhase.cpp:
+        (JSC::DFG::FixupPhase::fixupNode):
+        * dfg/DFGMayExit.cpp:
+        * dfg/DFGNode.h:
+        (JSC::DFG::Node::getForcedPrediction):
+        * dfg/DFGNodeType.h:
+        * dfg/DFGPredictionPropagationPhase.cpp:
+        * dfg/DFGSafeToExecute.h:
+        (JSC::DFG::safeToExecute):
+        * dfg/DFGSpeculativeJIT32_64.cpp:
+        (JSC::DFG::SpeculativeJIT::compile):
+        * dfg/DFGSpeculativeJIT64.cpp:
+        (JSC::DFG::SpeculativeJIT::compile):
+        * dfg/DFGValidate.cpp:
+        * jit/JIT.cpp:
+        (JSC::JIT::privateCompileMainPass):
+        * jit/JIT.h:
+        * jit/JITOpcodes.cpp:
+        (JSC::JIT::emit_op_identity_with_profile):
+        * jit/JITOpcodes32_64.cpp:
+        (JSC::JIT::emit_op_identity_with_profile):
+        * llint/LowLevelInterpreter.asm:
+
 2017-08-14  Simon Fraser  <simon.fraser@apple.com>
 

trunk/Source/JavaScriptCore/bytecode/BytecodeDumper.cpp

@@ -1570 +1570 @@
         break;
     }
+    case op_identity_with_profile: {
+        int r0 = (++it)->u.operand;
+        ++it; // Profile top half
+        ++it; // Profile bottom half
+        printLocationAndOp(out, location, it, "identity_with_profile");
+        out.printf("%s", registerName(r0).data());
+        break;
+    }
     case op_unreachable: {
         printLocationAndOp(out, location, it, "unreachable");

trunk/Source/JavaScriptCore/bytecode/BytecodeIntrinsicRegistry.h

@@ -42 +42 @@
     macro(argumentCount) \
     macro(assert) \
+    macro(idWithProfile) \
     macro(isObject) \
     macro(isJSArray) \

trunk/Source/JavaScriptCore/bytecode/BytecodeList.json

@@ -52 +52 @@
             { "name" : "op_bitor", "length" : 5 },
             { "name" : "op_overrides_has_instance", "length" : 4 },
+            { "name" : "op_identity_with_profile", "length" : 4 },
             { "name" : "op_instanceof", "length" : 4 },
             { "name" : "op_instanceof_custom", "length" : 5 },

trunk/Source/JavaScriptCore/bytecode/BytecodeUseDef.h

@@ -61 +61 @@
     case op_to_this:
     case op_check_tdz:
+    case op_identity_with_profile:
     case op_profile_type:
     case op_throw:
@@ -424 +425 @@
     case op_get_by_val:
     case op_typeof:
+    case op_identity_with_profile:
     case op_is_empty:
     case op_is_undefined:

trunk/Source/JavaScriptCore/bytecode/SpeculatedType.cpp

@@ -660 +660 @@
 }
 
+SpeculatedType speculationFromString(const char* speculation)
+{
+    if (!strncmp(speculation, "SpecNone", strlen("SpecNone")))
+        return SpecNone;
+    if (!strncmp(speculation, "SpecFinalObject", strlen("SpecFinalObject")))
+        return SpecFinalObject;
+    if (!strncmp(speculation, "SpecArray", strlen("SpecArray")))
+        return SpecArray;
+    if (!strncmp(speculation, "SpecFunction", strlen("SpecFunction")))
+        return SpecFunction;
+    if (!strncmp(speculation, "SpecInt8Array", strlen("SpecInt8Array")))
+        return SpecInt8Array;
+    if (!strncmp(speculation, "SpecInt16Array", strlen("SpecInt16Array")))
+        return SpecInt16Array;
+    if (!strncmp(speculation, "SpecInt32Array", strlen("SpecInt32Array")))
+        return SpecInt32Array;
+    if (!strncmp(speculation, "SpecUint8Array", strlen("SpecUint8Array")))
+        return SpecUint8Array;
+    if (!strncmp(speculation, "SpecUint8ClampedArray", strlen("SpecUint8ClampedArray")))
+        return SpecUint8ClampedArray;
+    if (!strncmp(speculation, "SpecUint16Array", strlen("SpecUint16Array")))
+        return SpecUint16Array;
+    if (!strncmp(speculation, "SpecUint32Array", strlen("SpecUint32Array")))
+        return SpecUint32Array;
+    if (!strncmp(speculation, "SpecFloat32Array", strlen("SpecFloat32Array")))
+        return SpecFloat32Array;
+    if (!strncmp(speculation, "SpecFloat64Array", strlen("SpecFloat64Array")))
+        return SpecFloat64Array;
+    if (!strncmp(speculation, "SpecTypedArrayView", strlen("SpecTypedArrayView")))
+        return SpecTypedArrayView;
+    if (!strncmp(speculation, "SpecDirectArguments", strlen("SpecDirectArguments")))
+        return SpecDirectArguments;
+    if (!strncmp(speculation, "SpecScopedArguments", strlen("SpecScopedArguments")))
+        return SpecScopedArguments;
+    if (!strncmp(speculation, "SpecStringObject", strlen("SpecStringObject")))
+        return SpecStringObject;
+    if (!strncmp(speculation, "SpecRegExpObject", strlen("SpecRegExpObject")))
+        return SpecRegExpObject;
+    if (!strncmp(speculation, "SpecMapObject", strlen("SpecMapObject")))
+        return SpecMapObject;
+    if (!strncmp(speculation, "SpecSetObject", strlen("SpecSetObject")))
+        return SpecSetObject;
+    if (!strncmp(speculation, "SpecProxyObject", strlen("SpecProxyObject")))
+        return SpecProxyObject;
+    if (!strncmp(speculation, "SpecDerivedArray", strlen("SpecDerivedArray")))
+        return SpecDerivedArray;
+    if (!strncmp(speculation, "SpecObjectOther", strlen("SpecObjectOther")))
+        return SpecObjectOther;
+    if (!strncmp(speculation, "SpecObject", strlen("SpecObject")))
+        return SpecObject;
+    if (!strncmp(speculation, "SpecStringIdent", strlen("SpecStringIdent")))
+        return SpecStringIdent;
+    if (!strncmp(speculation, "SpecStringVar", strlen("SpecStringVar")))
+        return SpecStringVar;
+    if (!strncmp(speculation, "SpecString", strlen("SpecString")))
+        return SpecString;
+    if (!strncmp(speculation, "SpecSymbol", strlen("SpecSymbol")))
+        return SpecSymbol;
+    if (!strncmp(speculation, "SpecCellOther", strlen("SpecCellOther")))
+        return SpecCellOther;
+    if (!strncmp(speculation, "SpecCell", strlen("SpecCell")))
+        return SpecCell;
+    if (!strncmp(speculation, "SpecBoolInt32", strlen("SpecBoolInt32")))
+        return SpecBoolInt32;
+    if (!strncmp(speculation, "SpecNonBoolInt32", strlen("SpecNonBoolInt32")))
+        return SpecNonBoolInt32;
+    if (!strncmp(speculation, "SpecInt32Only", strlen("SpecInt32Only")))
+        return SpecInt32Only;
+    if (!strncmp(speculation, "SpecInt52Only", strlen("SpecInt52Only")))
+        return SpecInt52Only;
+    if (!strncmp(speculation, "SpecAnyInt", strlen("SpecAnyInt")))
+        return SpecAnyInt;
+    if (!strncmp(speculation, "SpecAnyIntAsDouble", strlen("SpecAnyIntAsDouble")))
+        return SpecAnyIntAsDouble;
+    if (!strncmp(speculation, "SpecNonIntAsDouble", strlen("SpecNonIntAsDouble")))
+        return SpecNonIntAsDouble;
+    if (!strncmp(speculation, "SpecDoubleReal", strlen("SpecDoubleReal")))
+        return SpecDoubleReal;
+    if (!strncmp(speculation, "SpecDoublePureNaN", strlen("SpecDoublePureNaN")))
+        return SpecDoublePureNaN;
+    if (!strncmp(speculation, "SpecDoubleImpureNaN", strlen("SpecDoubleImpureNaN")))
+        return SpecDoubleImpureNaN;
+    if (!strncmp(speculation, "SpecDoubleNaN", strlen("SpecDoubleNaN")))
+        return SpecDoubleNaN;
+    if (!strncmp(speculation, "SpecBytecodeDouble", strlen("SpecBytecodeDouble")))
+        return SpecBytecodeDouble;
+    if (!strncmp(speculation, "SpecFullDouble", strlen("SpecFullDouble")))
+        return SpecFullDouble;
+    if (!strncmp(speculation, "SpecBytecodeRealNumber", strlen("SpecBytecodeRealNumber")))
+        return SpecBytecodeRealNumber;
+    if (!strncmp(speculation, "SpecFullRealNumber", strlen("SpecFullRealNumber")))
+        return SpecFullRealNumber;
+    if (!strncmp(speculation, "SpecBytecodeNumber", strlen("SpecBytecodeNumber")))
+        return SpecBytecodeNumber;
+    if (!strncmp(speculation, "SpecFullNumber", strlen("SpecFullNumber")))
+        return SpecFullNumber;
+    if (!strncmp(speculation, "SpecBoolean", strlen("SpecBoolean")))
+        return SpecBoolean;
+    if (!strncmp(speculation, "SpecOther", strlen("SpecOther")))
+        return SpecOther;
+    if (!strncmp(speculation, "SpecMisc", strlen("SpecMisc")))
+        return SpecMisc;
+    if (!strncmp(speculation, "SpecHeapTop", strlen("SpecHeapTop")))
+        return SpecHeapTop;
+    if (!strncmp(speculation, "SpecPrimitive", strlen("SpecPrimitive")))
+        return SpecPrimitive;
+    if (!strncmp(speculation, "SpecEmpty", strlen("SpecEmpty")))
+        return SpecEmpty;
+    if (!strncmp(speculation, "SpecBytecodeTop", strlen("SpecBytecodeTop")))
+        return SpecBytecodeTop;
+    if (!strncmp(speculation, "SpecFullTop", strlen("SpecFullTop")))
+        return SpecFullTop;
+    if (!strncmp(speculation, "SpecCellCheck", strlen("SpecCellCheck")))
+        return SpecCellCheck;
+    RELEASE_ASSERT_NOT_REACHED();
+}
+
 } // namespace JSC
 

trunk/Source/JavaScriptCore/bytecode/SpeculatedType.h

@@ -499 +499 @@
 SpeculatedType typeOfDoubleUnaryOp(SpeculatedType);
 
+// This is mostly for debugging so we can fill profiles from strings.
+SpeculatedType speculationFromString(const char*);
+
 } // namespace JSC

trunk/Source/JavaScriptCore/bytecompiler/BytecodeGenerator.cpp

@@ -2975 +2975 @@
 }
 
+RegisterID* BytecodeGenerator::emitIdWithProfile(RegisterID* src, SpeculatedType profile)
+{
+    emitOpcode(op_identity_with_profile);
+    instructions().append(src->index());
+    instructions().append(static_cast<uint32_t>(profile >> 32));
+    instructions().append(static_cast<uint32_t>(profile));
+    return src;
+}
+
 void BytecodeGenerator::emitUnreachable()
 {

trunk/Source/JavaScriptCore/bytecompiler/BytecodeGenerator.h

@@ -687 +687 @@
 
         RegisterID* emitAssert(RegisterID* condition, int line);
+        RegisterID* emitIdWithProfile(RegisterID* src, SpeculatedType profile);
         void emitUnreachable();
 

trunk/Source/JavaScriptCore/bytecompiler/NodesCodegen.cpp

@@ -1023 +1023 @@
 
     return generator.moveToDestinationIfNeeded(dst, generator.emitToString(generator.tempDestination(dst), src.get()));
+}
+
+RegisterID* BytecodeIntrinsicNode::emit_intrinsic_idWithProfile(BytecodeGenerator& generator, RegisterID* dst)
+{
+
+    ArgumentListNode* node = m_args->m_listNode;
+    RefPtr<RegisterID> idValue = generator.emitNode(node);
+    SpeculatedType speculation = SpecNone;
+    while (node->m_next) {
+        node = node->m_next;
+        ASSERT(node->m_expr->isString());
+        const Identifier& ident = static_cast<StringNode*>(node->m_expr)->value();
+        speculation |= speculationFromString(ident.utf8().data());
+    }
+
+    return generator.moveToDestinationIfNeeded(dst, generator.emitIdWithProfile(idValue.get(), speculation));
 }
     

trunk/Source/JavaScriptCore/dfg/DFGAbstractInterpreterInlines.h

@@ -200 +200 @@
         break;
     }
-        
+
+    case IdentityWithProfile:
     case Identity: {
         forNode(node) = forNode(node->child1());

trunk/Source/JavaScriptCore/dfg/DFGByteCodeParser.cpp

@@ -4458 +4458 @@
             set(VirtualRegister(currentInstruction[1].u.operand), addToGraph(OverridesHasInstance, OpInfo(m_graph.freeze(defaultHasInstanceSymbolFunction)), constructor, hasInstanceValue));
             NEXT_OPCODE(op_overrides_has_instance);
+        }
+
+        case op_identity_with_profile: {
+            Node* src = get(VirtualRegister(currentInstruction[1].u.operand));
+            SpeculatedType speculation = static_cast<SpeculatedType>(currentInstruction[2].u.operand) << 32 | static_cast<SpeculatedType>(currentInstruction[3].u.operand);
+            set(VirtualRegister(currentInstruction[1].u.operand), addToGraph(IdentityWithProfile, OpInfo(speculation), src));
+            NEXT_OPCODE(op_identity_with_profile);
         }
 

trunk/Source/JavaScriptCore/dfg/DFGCapabilities.cpp

@@ -136 +136 @@
     case op_mov:
     case op_overrides_has_instance:
+    case op_identity_with_profile:
     case op_instanceof:
     case op_instanceof_custom:

trunk/Source/JavaScriptCore/dfg/DFGClobberize.h

@@ -138 +138 @@
 
     case Identity:
+    case IdentityWithProfile:
     case Phantom:
     case Check:

trunk/Source/JavaScriptCore/dfg/DFGDoesGC.cpp

@@ -50 +50 @@
     case LazyJSConstant:
     case Identity:
+    case IdentityWithProfile:
     case GetCallee:
     case GetArgumentCountIncludingThis:

trunk/Source/JavaScriptCore/dfg/DFGFixupPhase.cpp

@@ -1574 +1574 @@
             DFG_CRASH(m_graph, node, "Unexpected node during fixup");
             break;
-        
+
         case PutGlobalVariable: {
             fixEdge<CellUse>(node->child1());
@@ -1927 +1927 @@
                 fixEdge<Int32Use>(node->child2());
 
+            break;
+        }
+
+        case IdentityWithProfile: {
+            node->clearFlags(NodeMustGenerate);
             break;
         }

trunk/Source/JavaScriptCore/dfg/DFGMayExit.cpp

@@ -59 +59 @@
     case Check:
     case Identity:
+    case IdentityWithProfile:
     case GetLocal:
     case LoopHint:

trunk/Source/JavaScriptCore/dfg/DFGNode.h

@@ -1536 +1536 @@
         m_opInfo2 = prediction;
     }
+
+    SpeculatedType getForcedPrediction()
+    {
+        ASSERT(op() == IdentityWithProfile);
+        return m_opInfo.as<SpeculatedType>();
+    }
     
     bool hasCellOperand()

trunk/Source/JavaScriptCore/dfg/DFGNodeType.h

@@ -48 +48 @@
     /* though it may choose not to if it would corrupt predictions (very rare). */\
     macro(Identity, NodeResultJS) \
+    /* Used for debugging to force a profile to appear as anything we want. */ \
+    macro(IdentityWithProfile, NodeResultJS | NodeMustGenerate) \
     \
     /* Nodes for handling functions (both as call and as construct). */\

trunk/Source/JavaScriptCore/dfg/DFGPredictionPropagationPhase.cpp

@@ -986 +986 @@
             // its result.
             setPrediction(m_currentNode->getHeapPrediction());
+            break;
+        }
+
+        case IdentityWithProfile: {
+            setPrediction(m_currentNode->getForcedPrediction());
             break;
         }

trunk/Source/JavaScriptCore/dfg/DFGSafeToExecute.h

@@ -144 +144 @@
     case LazyJSConstant:
     case Identity:
+    case IdentityWithProfile:
     case ToThis:
     case CreateThis:

trunk/Source/JavaScriptCore/dfg/DFGSpeculativeJIT32_64.cpp

@@ -5681 +5681 @@
     case AtomicsSub:
     case AtomicsXor:
+    case IdentityWithProfile:
         DFG_CRASH(m_jit.graph(), node, "unexpected node in DFG backend");
         break;

trunk/Source/JavaScriptCore/dfg/DFGSpeculativeJIT64.cpp

@@ -6122 +6122 @@
     case PhantomSpread:
     case PhantomNewArrayWithSpread:
+    case IdentityWithProfile:
         DFG_CRASH(m_jit.graph(), node, "Unexpected node");
         break;

trunk/Source/JavaScriptCore/dfg/DFGValidate.cpp

@@ -223 +223 @@
                 switch (node->op()) {
                 case Identity:
+                case IdentityWithProfile:
                     VALIDATE((node), canonicalResultRepresentation(node->result()) == canonicalResultRepresentation(node->child1()->result()));
                     break;

trunk/Source/JavaScriptCore/jit/JIT.cpp

@@ -290 +290 @@
         DEFINE_OP(op_check_tdz)
         DEFINE_OP(op_assert)
+        DEFINE_OP(op_identity_with_profile)
         DEFINE_OP(op_unreachable)
         DEFINE_OP(op_debug)

trunk/Source/JavaScriptCore/jit/JIT.h

@@ -489 +489 @@
         void emit_op_check_tdz(Instruction*);
         void emit_op_assert(Instruction*);
+        void emit_op_identity_with_profile(Instruction*);
         void emit_op_unreachable(Instruction*);
         void emit_op_debug(Instruction*);

trunk/Source/JavaScriptCore/jit/JITOpcodes.cpp

@@ -560 +560 @@
 }
 
+void JIT::emit_op_identity_with_profile(Instruction*)
+{
+    // We don't need to do anything here...
+}
+
 void JIT::emit_op_create_lexical_environment(Instruction* currentInstruction)
 {

trunk/Source/JavaScriptCore/jit/JITOpcodes32_64.cpp

@@ -860 +860 @@
 }
 
+void JIT::emit_op_identity_with_profile(Instruction*)
+{
+    // We don't need to do anything here...
+}
+
 void JIT::emit_op_create_lexical_environment(Instruction* currentInstruction)
 {

trunk/Source/JavaScriptCore/llint/LowLevelInterpreter.asm

@@ -1724 +1724 @@
 
 
+_llint_op_identity_with_profile:
+    traceExecution()
+    dispatch(constexpr op_identity_with_profile_length)
+
+
 _llint_op_unreachable:
     traceExecution()