Changeset 230516 in webkit

Timestamp:

Apr 10, 2018 10:49:31 PM (6 years ago)

Author:

Caio Lima

Message:

[ESNext][BigInt] Add support for BigInt in SpeculatedType
​https://bugs.webkit.org/show_bug.cgi?id=182470

Reviewed by Saam Barati.

JSTests:

• stress/big-int-spec-to-primitive.js: Added.
• stress/big-int-spec-to-this.js: Added.
• stress/big-int-strict-equals-jit.js: Added.
• stress/big-int-strict-spec-to-this.js: Added.
• stress/big-int-type-of-proven-type.js: Added.

Source/JavaScriptCore:

This patch introduces the SpecBigInt type to DFG to enable BigInt
speculation into DFG and FTL.

With SpecBigInt introduction, we can then specialize "===" operations
to BigInts. As we are doing for some cells, we first check if operands
are pointing to the same JSCell, and if it is false, we
fallback to "operationCompareStrictEqCell". The idea in further
patches is to implement BigInt equality check directly in
assembly.

We are also adding support for BigInt constant folding into
TypeOf operation.

• bytecode/SpeculatedType.cpp:

(JSC::dumpSpeculation):
(JSC::speculationFromClassInfo):
(JSC::speculationFromStructure):
(JSC::speculationFromJSType):
(JSC::speculationFromString):

• bytecode/SpeculatedType.h:

(JSC::isBigIntSpeculation):

• dfg/DFGAbstractInterpreterInlines.h:

(JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):

• dfg/DFGAbstractValue.cpp:

(JSC::DFG::AbstractValue::set):

• dfg/DFGConstantFoldingPhase.cpp:

(JSC::DFG::ConstantFoldingPhase::foldConstants):

• dfg/DFGFixupPhase.cpp:

(JSC::DFG::FixupPhase::fixupNode):
(JSC::DFG::FixupPhase::fixupToThis):
(JSC::DFG::FixupPhase::observeUseKindOnNode):

• dfg/DFGInferredTypeCheck.cpp:

(JSC::DFG::insertInferredTypeCheck):

• dfg/DFGNode.h:

(JSC::DFG::Node::shouldSpeculateBigInt):

• dfg/DFGPredictionPropagationPhase.cpp:
• dfg/DFGSafeToExecute.h:

(JSC::DFG::SafeToExecuteEdge::operator()):

• dfg/DFGSpeculativeJIT.cpp:

(JSC::DFG::SpeculativeJIT::compileStrictEq):
(JSC::DFG::SpeculativeJIT::speculateBigInt):
(JSC::DFG::SpeculativeJIT::speculate):

• dfg/DFGSpeculativeJIT.h:
• dfg/DFGSpeculativeJIT32_64.cpp:

(JSC::DFG::SpeculativeJIT::compileBigIntEquality):

• dfg/DFGSpeculativeJIT64.cpp:

(JSC::DFG::SpeculativeJIT::compileBigIntEquality):

• dfg/DFGUseKind.cpp:

(WTF::printInternal):

• dfg/DFGUseKind.h:

(JSC::DFG::typeFilterFor):
(JSC::DFG::isCell):

• ftl/FTLCapabilities.cpp:

(JSC::FTL::canCompile):

• ftl/FTLLowerDFGToB3.cpp:

(JSC::FTL::DFG::LowerDFGToB3::compileCompareStrictEq):
(JSC::FTL::DFG::LowerDFGToB3::checkInferredType):
(JSC::FTL::DFG::LowerDFGToB3::speculate):
(JSC::FTL::DFG::LowerDFGToB3::isNotBigInt):
(JSC::FTL::DFG::LowerDFGToB3::speculateBigInt):

• jit/AssemblyHelpers.cpp:

(JSC::AssemblyHelpers::branchIfNotType):

• jit/AssemblyHelpers.h:

(JSC::AssemblyHelpers::branchIfBigInt):
(JSC::AssemblyHelpers::branchIfNotBigInt):

• runtime/InferredType.cpp:

(JSC::InferredType::Descriptor::forValue):
(JSC::InferredType::Descriptor::putByIdFlags const):
(JSC::InferredType::Descriptor::merge):
(WTF::printInternal):

• runtime/InferredType.h:
• runtime/JSBigInt.h:

Location:

trunk

Files:

• JSTests/ChangeLog (modified) (1 diff)
• JSTests/stress/big-int-spec-to-primitive.js (added)
• JSTests/stress/big-int-spec-to-this.js (added)
• JSTests/stress/big-int-strict-equals-jit.js (added)
• JSTests/stress/big-int-strict-spec-to-this.js (added)
• JSTests/stress/big-int-type-of-proven-type.js (added)
• Source/JavaScriptCore/ChangeLog (modified) (1 diff)
• Source/JavaScriptCore/bytecode/SpeculatedType.cpp (modified) (6 diffs)
• Source/JavaScriptCore/bytecode/SpeculatedType.h (modified) (3 diffs)
• Source/JavaScriptCore/dfg/DFGAbstractInterpreterInlines.h (modified) (2 diffs)
• Source/JavaScriptCore/dfg/DFGAbstractValue.cpp (modified) (1 diff)
• Source/JavaScriptCore/dfg/DFGConstantFoldingPhase.cpp (modified) (1 diff)
• Source/JavaScriptCore/dfg/DFGFixupPhase.cpp (modified) (3 diffs)
• Source/JavaScriptCore/dfg/DFGInferredTypeCheck.cpp (modified) (1 diff)
• Source/JavaScriptCore/dfg/DFGNode.h (modified) (2 diffs)
• Source/JavaScriptCore/dfg/DFGOperations.cpp (modified) (1 diff)
• Source/JavaScriptCore/dfg/DFGOperations.h (modified) (1 diff)
• Source/JavaScriptCore/dfg/DFGPredictionPropagationPhase.cpp (modified) (1 diff)
• Source/JavaScriptCore/dfg/DFGSafeToExecute.h (modified) (1 diff)
• Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp (modified) (3 diffs)
• Source/JavaScriptCore/dfg/DFGSpeculativeJIT.h (modified) (2 diffs)
• Source/JavaScriptCore/dfg/DFGSpeculativeJIT32_64.cpp (modified) (3 diffs)
• Source/JavaScriptCore/dfg/DFGSpeculativeJIT64.cpp (modified) (1 diff)
• Source/JavaScriptCore/dfg/DFGUseKind.cpp (modified) (1 diff)
• Source/JavaScriptCore/dfg/DFGUseKind.h (modified) (3 diffs)
• Source/JavaScriptCore/ftl/FTLCapabilities.cpp (modified) (1 diff)
• Source/JavaScriptCore/ftl/FTLLowerDFGToB3.cpp (modified) (6 diffs)
• Source/JavaScriptCore/jit/AssemblyHelpers.cpp (modified) (1 diff)
• Source/JavaScriptCore/jit/AssemblyHelpers.h (modified) (1 diff)
• Source/JavaScriptCore/runtime/InferredType.cpp (modified) (4 diffs)
• Source/JavaScriptCore/runtime/InferredType.h (modified) (2 diffs)
• Source/JavaScriptCore/runtime/JSBigInt.h (modified) (1 diff)

trunk/JSTests/ChangeLog

@@ +1 @@
+2018-04-10  Caio Lima  <ticaiolima@gmail.com>
+
+        [ESNext][BigInt] Add support for BigInt in SpeculatedType
+        https://bugs.webkit.org/show_bug.cgi?id=182470
+
+        Reviewed by Saam Barati.
+
+        * stress/big-int-spec-to-primitive.js: Added.
+        * stress/big-int-spec-to-this.js: Added.
+        * stress/big-int-strict-equals-jit.js: Added.
+        * stress/big-int-strict-spec-to-this.js: Added.
+        * stress/big-int-type-of-proven-type.js: Added.
+
 2018-04-10  Filip Pizlo  <fpizlo@apple.com>
 

trunk/Source/JavaScriptCore/ChangeLog

@@ +1 @@
+2018-04-10  Caio Lima  <ticaiolima@gmail.com>
+
+        [ESNext][BigInt] Add support for BigInt in SpeculatedType
+        https://bugs.webkit.org/show_bug.cgi?id=182470
+
+        Reviewed by Saam Barati.
+
+        This patch introduces the SpecBigInt type to DFG to enable BigInt
+        speculation into DFG and FTL.
+
+        With SpecBigInt introduction, we can then specialize "===" operations
+        to BigInts. As we are doing for some cells, we first check if operands
+        are pointing to the same JSCell, and if it is false, we
+        fallback to "operationCompareStrictEqCell". The idea in further
+        patches is to implement BigInt equality check directly in
+        assembly.
+
+        We are also adding support for BigInt constant folding into
+        TypeOf operation.
+
+        * bytecode/SpeculatedType.cpp:
+        (JSC::dumpSpeculation):
+        (JSC::speculationFromClassInfo):
+        (JSC::speculationFromStructure):
+        (JSC::speculationFromJSType):
+        (JSC::speculationFromString):
+        * bytecode/SpeculatedType.h:
+        (JSC::isBigIntSpeculation):
+        * dfg/DFGAbstractInterpreterInlines.h:
+        (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
+        * dfg/DFGAbstractValue.cpp:
+        (JSC::DFG::AbstractValue::set):
+        * dfg/DFGConstantFoldingPhase.cpp:
+        (JSC::DFG::ConstantFoldingPhase::foldConstants):
+        * dfg/DFGFixupPhase.cpp:
+        (JSC::DFG::FixupPhase::fixupNode):
+        (JSC::DFG::FixupPhase::fixupToThis):
+        (JSC::DFG::FixupPhase::observeUseKindOnNode):
+        * dfg/DFGInferredTypeCheck.cpp:
+        (JSC::DFG::insertInferredTypeCheck):
+        * dfg/DFGNode.h:
+        (JSC::DFG::Node::shouldSpeculateBigInt):
+        * dfg/DFGPredictionPropagationPhase.cpp:
+        * dfg/DFGSafeToExecute.h:
+        (JSC::DFG::SafeToExecuteEdge::operator()):
+        * dfg/DFGSpeculativeJIT.cpp:
+        (JSC::DFG::SpeculativeJIT::compileStrictEq):
+        (JSC::DFG::SpeculativeJIT::speculateBigInt):
+        (JSC::DFG::SpeculativeJIT::speculate):
+        * dfg/DFGSpeculativeJIT.h:
+        * dfg/DFGSpeculativeJIT32_64.cpp:
+        (JSC::DFG::SpeculativeJIT::compileBigIntEquality):
+        * dfg/DFGSpeculativeJIT64.cpp:
+        (JSC::DFG::SpeculativeJIT::compileBigIntEquality):
+        * dfg/DFGUseKind.cpp:
+        (WTF::printInternal):
+        * dfg/DFGUseKind.h:
+        (JSC::DFG::typeFilterFor):
+        (JSC::DFG::isCell):
+        * ftl/FTLCapabilities.cpp:
+        (JSC::FTL::canCompile):
+        * ftl/FTLLowerDFGToB3.cpp:
+        (JSC::FTL::DFG::LowerDFGToB3::compileCompareStrictEq):
+        (JSC::FTL::DFG::LowerDFGToB3::checkInferredType):
+        (JSC::FTL::DFG::LowerDFGToB3::speculate):
+        (JSC::FTL::DFG::LowerDFGToB3::isNotBigInt):
+        (JSC::FTL::DFG::LowerDFGToB3::speculateBigInt):
+        * jit/AssemblyHelpers.cpp:
+        (JSC::AssemblyHelpers::branchIfNotType):
+        * jit/AssemblyHelpers.h:
+        (JSC::AssemblyHelpers::branchIfBigInt):
+        (JSC::AssemblyHelpers::branchIfNotBigInt):
+        * runtime/InferredType.cpp:
+        (JSC::InferredType::Descriptor::forValue):
+        (JSC::InferredType::Descriptor::putByIdFlags const):
+        (JSC::InferredType::Descriptor::merge):
+        (WTF::printInternal):
+        * runtime/InferredType.h:
+        * runtime/JSBigInt.h:
+
 2018-04-10  Filip Pizlo  <fpizlo@apple.com>
 

trunk/Source/JavaScriptCore/bytecode/SpeculatedType.cpp

@@ -32 +32 @@
 #include "DirectArguments.h"
 #include "JSArray.h"
+#include "JSBigInt.h"
 #include "JSCInlines.h"
 #include "JSFunction.h"
@@ -220 +221 @@
         if (value & SpecSymbol)
             strOut.print("Symbol");
+        else
+            isTop = false;
+
+        if (value & SpecBigInt)
+            strOut.print("BigInt");
         else
             isTop = false;
@@ -390 +396 @@
     if (classInfo == Symbol::info())
         return SpecSymbol;
+    
+    if (classInfo == JSBigInt::info())
+        return SpecBigInt;
 
     if (classInfo == JSFinalObject::info())
@@ -445 +454 @@
     if (structure->typeInfo().type() == SymbolType)
         return SpecSymbol;
+    if (structure->typeInfo().type() == BigIntType)
+        return SpecBigInt;
     if (structure->typeInfo().type() == DerivedArrayType)
         return SpecDerivedArray;
@@ -527 +538 @@
     case SymbolType:
         return SpecSymbol;
+    case BigIntType:
+        return SpecBigInt;
     case ArrayType:
         return SpecArray;
@@ -744 +757 @@
     if (!strncmp(speculation, "SpecSymbol", strlen("SpecSymbol")))
         return SpecSymbol;
+    if (!strncmp(speculation, "SpecBigInt", strlen("SpecBigInt")))
+        return SpecBigInt;
     if (!strncmp(speculation, "SpecCellOther", strlen("SpecCellOther")))
         return SpecCellOther;

trunk/Source/JavaScriptCore/bytecode/SpeculatedType.h

@@ -69 +69 @@
 static const SpeculatedType SpecString             = SpecStringIdent | SpecStringVar; // It's definitely a JSString.
 static const SpeculatedType SpecSymbol             = 1ull << 25; // It's definitely a Symbol.
-static const SpeculatedType SpecCellOther          = 1ull << 26; // It's definitely a JSCell but not a subclass of JSObject and definitely not a JSString or a Symbol.
-static const SpeculatedType SpecCell               = SpecObject | SpecString | SpecSymbol | SpecCellOther; // It's definitely a JSCell.
+static const SpeculatedType SpecCellOther          = 1ull << 26; // It's definitely a JSCell but not a subclass of JSObject and definitely not a JSString, BigInt, or Symbol.
 static const SpeculatedType SpecBoolInt32          = 1ull << 27; // It's definitely an Int32 with value 0 or 1.
 static const SpeculatedType SpecNonBoolInt32       = 1ull << 28; // It's definitely an Int32 with value other than 0 or 1.
@@ -91 +90 @@
 static const SpeculatedType SpecOther              = 1ull << 35; // It's definitely either Null or Undefined.
 static const SpeculatedType SpecMisc               = SpecBoolean | SpecOther; // It's definitely either a boolean, Null, or Undefined.
+static const SpeculatedType SpecEmpty              = 1ull << 36; // It's definitely an empty value marker.
+static const SpeculatedType SpecBigInt             = 1ull << 37; // It's definitely a BigInt.
+static const SpeculatedType SpecPrimitive          = SpecString | SpecSymbol | SpecBytecodeNumber | SpecMisc | SpecBigInt; // It's any non-Object JSValue.
+static const SpeculatedType SpecCell               = SpecObject | SpecString | SpecSymbol | SpecCellOther | SpecBigInt; // It's definitely a JSCell.
 static const SpeculatedType SpecHeapTop            = SpecCell | SpecBytecodeNumber | SpecMisc; // It can be any of the above, except for SpecInt52Only and SpecDoubleImpureNaN.
-static const SpeculatedType SpecPrimitive          = SpecString | SpecSymbol | SpecBytecodeNumber | SpecMisc; // It's any non-Object JSValue.
-static const SpeculatedType SpecEmpty              = 1ull << 36; // It's definitely an empty value marker.
 static const SpeculatedType SpecBytecodeTop        = SpecHeapTop | SpecEmpty; // It can be any of the above, except for SpecInt52Only and SpecDoubleImpureNaN. Corresponds to what could be found in a bytecode local.
 static const SpeculatedType SpecFullTop            = SpecBytecodeTop | SpecFullNumber; // It can be anything that bytecode could see plus exotic encodings of numbers.
@@ -173 +174 @@
 {
     return value == SpecSymbol;
+}
+
+inline bool isBigIntSpeculation(SpeculatedType value)
+{
+    return value == SpecBigInt;
 }
 

trunk/Source/JavaScriptCore/dfg/DFGAbstractInterpreterInlines.h

@@ -1484 +1484 @@
         if (isSymbolSpeculation(abstractChild.m_type)) {
             setConstant(node, *m_graph.freeze(m_vm.smallStrings.symbolString()));
+            break;
+        }
+
+        if (isBigIntSpeculation(abstractChild.m_type)) {
+            setConstant(node, *m_graph.freeze(m_vm.smallStrings.bigintString()));
             break;
         }
@@ -2115 +2120 @@
         ASSERT(node->child1().useKind() == UntypedUse);
         
-        if (!(forNode(node->child1()).m_type & ~(SpecFullNumber | SpecBoolean | SpecString | SpecSymbol))) {
+        if (!(forNode(node->child1()).m_type & ~(SpecFullNumber | SpecBoolean | SpecString | SpecSymbol | SpecBigInt))) {
             m_state.setFoundConstants(true);
             didFoldClobberWorld();

trunk/Source/JavaScriptCore/dfg/DFGAbstractValue.cpp

@@ -151 +151 @@
         set(graph, graph.m_vm.symbolStructure.get());
         return;
+    case InferredType::BigInt:
+        set(graph, graph.m_vm.bigIntStructure.get());
+        return;
     case InferredType::ObjectWithStructure:
         set(graph, descriptor.structure());

trunk/Source/JavaScriptCore/dfg/DFGConstantFoldingPhase.cpp

@@ -616 +616 @@
 
             case ToPrimitive: {
-                if (m_state.forNode(node->child1()).m_type & ~(SpecFullNumber | SpecBoolean | SpecString | SpecSymbol))
+                if (m_state.forNode(node->child1()).m_type & ~(SpecFullNumber | SpecBoolean | SpecString | SpecSymbol | SpecBigInt))
                     break;
                 

trunk/Source/JavaScriptCore/dfg/DFGFixupPhase.cpp

@@ -615 +615 @@
                 fixEdge<SymbolUse>(node->child1());
                 fixEdge<SymbolUse>(node->child2());
+                break;
+            }
+            if (Node::shouldSpeculateBigInt(node->child1().node(), node->child2().node())) {
+                fixEdge<BigIntUse>(node->child1());
+                fixEdge<BigIntUse>(node->child2());
                 break;
             }
@@ -2498 +2503 @@
                 return;
             }
+            
+            if (node->child1()->shouldSpeculateBigInt()) {
+                fixEdge<BigIntUse>(node->child1());
+                node->convertToIdentity();
+                return;
+            }
         }
 
@@ -2994 +3005 @@
         case KnownStringUse:
         case SymbolUse:
+        case BigIntUse:
         case StringObjectUse:
         case StringOrStringObjectUse:

trunk/Source/JavaScriptCore/dfg/DFGInferredTypeCheck.cpp

@@ -68 +68 @@
         return;
 
+    case InferredType::BigInt:
+        insertionSet.insertNode(nodeIndex, SpecNone, Check, origin, Edge(baseNode, BigIntUse));
+        return;
+
     case InferredType::ObjectWithStructure:
         insertionSet.insertNode(

trunk/Source/JavaScriptCore/dfg/DFGNode.h

@@ -2345 +2345 @@
     }
     
+    bool shouldSpeculateBigInt()
+    {
+        return isBigIntSpeculation(prediction());
+    }
+    
     bool shouldSpeculateFinalObject()
     {
@@ -2533 +2538 @@
     {
         return op1->shouldSpeculateSymbol() && op2->shouldSpeculateSymbol();
+    }
+    
+    static bool shouldSpeculateBigInt(Node* op1, Node* op2)
+    {
+        return op1->shouldSpeculateBigInt() && op2->shouldSpeculateBigInt();
     }
     

trunk/Source/JavaScriptCore/dfg/DFGOperations.cpp

@@ -1230 +1230 @@
 }
 
-size_t JIT_OPERATION operationCompareStrictEqCell(ExecState* exec, EncodedJSValue encodedOp1, EncodedJSValue encodedOp2)
-{
-    VM* vm = &exec->vm();
-    NativeCallFrameTracer tracer(vm, exec);
-    
-    JSValue op1 = JSValue::decode(encodedOp1);
-    JSValue op2 = JSValue::decode(encodedOp2);
-    
-    ASSERT(op1.isCell());
-    ASSERT(op2.isCell());
+size_t JIT_OPERATION operationCompareStrictEqCell(ExecState* exec, JSCell* op1, JSCell* op2)
+{
+    VM* vm = &exec->vm();
+    NativeCallFrameTracer tracer(vm, exec);
     
     return JSValue::strictEqualSlowCaseInline(exec, op1, op2);

trunk/Source/JavaScriptCore/dfg/DFGOperations.h

@@ -161 +161 @@
 size_t JIT_OPERATION operationRegExpTest(ExecState*, JSGlobalObject*, RegExpObject*, EncodedJSValue) WTF_INTERNAL;
 size_t JIT_OPERATION operationRegExpTestGeneric(ExecState*, JSGlobalObject*, EncodedJSValue, EncodedJSValue) WTF_INTERNAL;
-size_t JIT_OPERATION operationCompareStrictEqCell(ExecState*, EncodedJSValue encodedOp1, EncodedJSValue encodedOp2) WTF_INTERNAL;
+size_t JIT_OPERATION operationCompareStrictEqCell(ExecState*, JSCell* op1, JSCell* op2) WTF_INTERNAL;
 JSCell* JIT_OPERATION operationCreateActivationDirect(ExecState*, Structure*, JSScope*, SymbolTable*, EncodedJSValue);
 JSCell* JIT_OPERATION operationCreateDirectArguments(ExecState*, Structure*, uint32_t length, uint32_t minCapacity);

trunk/Source/JavaScriptCore/dfg/DFGPredictionPropagationPhase.cpp

@@ -423 +423 @@
                 if (node->child1()->shouldSpeculateSymbol()) {
                     changed |= mergePrediction(SpecSymbol);
+                    break;
+                }
+                
+                if (node->child1()->shouldSpeculateBigInt()) {
+                    changed |= mergePrediction(SpecBigInt);
                     break;
                 }

trunk/Source/JavaScriptCore/dfg/DFGSafeToExecute.h

@@ -71 +71 @@
         case StringOrOtherUse:
         case SymbolUse:
+        case BigIntUse:
         case StringObjectUse:
         case StringOrStringObjectUse:

trunk/Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp

@@ -5951 +5951 @@
     }
     
+    if (node->isBinaryUseKind(BigIntUse)) {
+        compileBigIntEquality(node);
+        return false;
+    }
+    
     if (node->isBinaryUseKind(SymbolUse, UntypedUse)) {
         compileSymbolUntypedEquality(node, node->child1(), node->child2());
@@ -9897 +9902 @@
 }
 
+void SpeculativeJIT::speculateBigInt(Edge edge, GPRReg cell)
+{
+    DFG_TYPE_CHECK(JSValueSource::unboxedCell(cell), edge, ~SpecCellCheck | SpecBigInt, m_jit.branchIfNotBigInt(cell));
+}
+
+void SpeculativeJIT::speculateBigInt(Edge edge)
+{
+    if (!needsTypeCheck(edge, SpecBigInt))
+        return;
+
+    SpeculateCellOperand operand(this, edge);
+    speculateBigInt(edge, operand.gpr());
+}
+
 void SpeculativeJIT::speculateNotCell(Edge edge, JSValueRegs regs)
 {
@@ -10062 +10081 @@
     case SymbolUse:
         speculateSymbol(edge);
+        break;
+    case BigIntUse:
+        speculateBigInt(edge);
         break;
     case StringObjectUse:

trunk/Source/JavaScriptCore/dfg/DFGSpeculativeJIT.h

@@ -1262 +1262 @@
 
     void compileSymbolEquality(Node*);
+    void compileBigIntEquality(Node*);
     void compilePeepHoleSymbolEquality(Node*, Node* branchNode);
     void compileSymbolUntypedEquality(Node*, Edge symbolEdge, Edge untypedEdge);
@@ -1662 +1663 @@
     void speculateSymbol(Edge, GPRReg cell);
     void speculateSymbol(Edge);
+    void speculateBigInt(Edge, GPRReg cell);
+    void speculateBigInt(Edge);
     void speculateNotCell(Edge, JSValueRegs);
     void speculateNotCell(Edge);

trunk/Source/JavaScriptCore/dfg/DFGSpeculativeJIT32_64.cpp

@@ -602 +602 @@
         
         silentSpillAllRegisters(resultPayloadGPR);
-        callOperation(operationCompareStrictEqCell, resultPayloadGPR, arg1Regs, arg2Regs);
+        callOperation(operationCompareStrictEqCell, resultPayloadGPR, arg1PayloadGPR, arg2PayloadGPR);
         m_jit.exceptionCheck();
         silentFillAllRegisters();
@@ -648 +648 @@
         
         silentSpillAllRegisters(resultPayloadGPR);
-        callOperation(operationCompareStrictEqCell, resultPayloadGPR, arg1Regs, arg2Regs);
+        callOperation(operationCompareStrictEqCell, resultPayloadGPR, arg1PayloadGPR, arg2PayloadGPR);
         m_jit.exceptionCheck();
         silentFillAllRegisters();
@@ -4759 +4759 @@
 }
 
+void SpeculativeJIT::compileBigIntEquality(Node* node)
+{
+    // FIXME: [ESNext][BigInt] Create specialized version of strict equals for BigIntUse
+    // https://bugs.webkit.org/show_bug.cgi?id=182895
+    SpeculateCellOperand left(this, node->child1());
+    SpeculateCellOperand right(this, node->child2());
+    GPRReg leftPayloadGPR = left.gpr();
+    GPRReg rightPayloadGPR = right.gpr();
+
+    GPRTemporary resultPayload(this, Reuse, left);
+    GPRReg resultPayloadGPR = resultPayload.gpr();
+
+    left.use();
+    right.use();
+
+    speculateBigInt(node->child1(), leftPayloadGPR);
+    speculateBigInt(node->child2(), rightPayloadGPR);
+
+    JITCompiler::Jump notEqualCase = m_jit.branchPtr(JITCompiler::NotEqual, leftPayloadGPR, rightPayloadGPR);
+
+    m_jit.move(JITCompiler::TrustedImm32(true), resultPayloadGPR);
+    JITCompiler::Jump done = m_jit.jump();
+
+    notEqualCase.link(&m_jit);
+
+    silentSpillAllRegisters(resultPayloadGPR);
+    callOperation(operationCompareStrictEqCell, resultPayloadGPR, leftPayloadGPR, rightPayloadGPR);
+    silentFillAllRegisters();
+
+    m_jit.andPtr(JITCompiler::TrustedImm32(1), resultPayloadGPR);
+
+    done.link(&m_jit);
+
+    booleanResult(resultPayloadGPR, node, UseChildrenCalledExplicitly);
+}
+
 void SpeculativeJIT::emitInitializeButterfly(GPRReg storageGPR, GPRReg sizeGPR, JSValueRegs emptyValueRegs, GPRReg scratchGPR)
 {

trunk/Source/JavaScriptCore/dfg/DFGSpeculativeJIT64.cpp

@@ -5379 +5379 @@
 }
 
+void SpeculativeJIT::compileBigIntEquality(Node* node)
+{
+    // FIXME: [ESNext][BigInt] Create specialized version of strict equals for BigIntUse
+    // https://bugs.webkit.org/show_bug.cgi?id=182895
+    SpeculateCellOperand left(this, node->child1());
+    SpeculateCellOperand right(this, node->child2());
+    GPRTemporary result(this);
+    GPRReg leftGPR = left.gpr();
+    GPRReg rightGPR = right.gpr();
+    GPRReg resultGPR = result.gpr();
+
+    left.use();
+    right.use();
+
+    speculateBigInt(node->child1(), leftGPR);
+    speculateBigInt(node->child2(), rightGPR);
+
+    JITCompiler::Jump notEqualCase = m_jit.branch64(JITCompiler::NotEqual, leftGPR, rightGPR);
+
+    m_jit.move(JITCompiler::TrustedImm64(JSValue::encode(jsBoolean(true))), resultGPR);
+
+    JITCompiler::Jump done = m_jit.jump();
+
+    notEqualCase.link(&m_jit);
+
+    silentSpillAllRegisters(resultGPR);
+    callOperation(operationCompareStrictEqCell, resultGPR, leftGPR, rightGPR);
+    silentFillAllRegisters();
+
+    m_jit.and64(JITCompiler::TrustedImm32(1), resultGPR);
+    m_jit.or32(JITCompiler::TrustedImm32(ValueFalse), resultGPR);
+
+    done.link(&m_jit);
+
+    jsValueResult(resultGPR, m_currentNode, DataFormatJSBoolean, UseChildrenCalledExplicitly);
+}
+
 void SpeculativeJIT::compileAllocateNewArrayWithSize(JSGlobalObject* globalObject, GPRReg resultGPR, GPRReg sizeGPR, IndexingType indexingType, bool shouldConvertLargeSizeToArrayStorage)
 {

trunk/Source/JavaScriptCore/dfg/DFGUseKind.cpp

@@ -137 +137 @@
         out.print("Symbol");
         return;
+    case BigIntUse:
+        out.print("BigInt");
+        return;
     case StringObjectUse:
         out.print("StringObject");

trunk/Source/JavaScriptCore/dfg/DFGUseKind.h

@@ -66 +66 @@
     KnownPrimitiveUse, // This bizarre type arises for op_strcat, which has a bytecode guarantee that it will only see primitives (i.e. not objects).
     SymbolUse,
+    BigIntUse,
     MapObjectUse,
     SetObjectUse,
@@ -149 +150 @@
     case SymbolUse:
         return SpecSymbol;
+    case BigIntUse:
+        return SpecBigInt;
     case MapObjectUse:
         return SpecMapObject;
@@ -247 +250 @@
     case KnownStringUse:
     case SymbolUse:
+    case BigIntUse:
     case StringObjectUse:
     case StringOrStringObjectUse:

trunk/Source/JavaScriptCore/ftl/FTLCapabilities.cpp

@@ -430 +430 @@
                 case StringOrStringObjectUse:
                 case SymbolUse:
+                case BigIntUse:
                 case MapObjectUse:
                 case SetObjectUse:

trunk/Source/JavaScriptCore/ftl/FTLLowerDFGToB3.cpp

@@ -6864 +6864 @@
         }
         
+        if (m_node->isBinaryUseKind(BigIntUse)) {
+            // FIXME: [ESNext][BigInt] Create specialized version of strict equals for BigIntUse
+            // https://bugs.webkit.org/show_bug.cgi?id=182895
+            LValue left = lowBigInt(m_node->child1());
+            LValue right = lowBigInt(m_node->child2());
+
+            LBasicBlock notTriviallyEqualCase = m_out.newBlock();
+            LBasicBlock continuation = m_out.newBlock();
+
+            ValueFromBlock fastResult = m_out.anchor(m_out.booleanTrue);
+            m_out.branch(m_out.equal(left, right), rarely(continuation), usually(notTriviallyEqualCase));
+
+            LBasicBlock lastNext = m_out.appendTo(notTriviallyEqualCase, continuation);
+
+            ValueFromBlock slowResult = m_out.anchor(m_out.notNull(vmCall(
+                pointerType(), m_out.operation(operationCompareStrictEq), m_callFrame, left, right)));
+            m_out.jump(continuation);
+
+            m_out.appendTo(continuation, lastNext);
+            setBoolean(m_out.phi(Int32, fastResult, slowResult));
+            return;
+        }
+
         if (m_node->isBinaryUseKind(SymbolUse, UntypedUse)
             || m_node->isBinaryUseKind(UntypedUse, SymbolUse)) {
@@ -11107 +11130 @@
             speculate(BadType, jsValueValue(value), edge.node(), isNotCell(value, provenType(edge)));
             speculate(BadType, jsValueValue(value), edge.node(), isNotSymbol(value, provenType(edge)));
+            return;
+
+        case InferredType::BigInt:
+            speculate(BadType, jsValueValue(value), edge.node(), isNotCell(value, provenType(edge)));
+            speculate(BadType, jsValueValue(value), edge.node(), isNotBigInt(value, provenType(edge)));
             return;
 
@@ -14258 +14286 @@
         return result;
     }
+
+    LValue lowBigInt(Edge edge, OperandSpeculationMode mode = AutomaticOperandSpeculation)
+    {
+        ASSERT_UNUSED(mode, mode == ManualOperandSpeculation || edge.useKind() == BigIntUse);
+
+        LValue result = lowCell(edge, mode);
+        speculateBigInt(edge, result);
+        return result;
+    }
     
     LValue lowNonNullObject(Edge edge, OperandSpeculationMode mode = AutomaticOperandSpeculation)
@@ -14728 +14765 @@
             speculateBoolean(edge);
             break;
+        case BigIntUse:
+            speculateBigInt(edge);
+            break;
         case NotStringVarUse:
             speculateNotStringVar(edge);
@@ -14872 +14912 @@
     }
 
+    LValue isNotBigInt(LValue cell, SpeculatedType type = SpecFullTop)
+    {
+        if (LValue proven = isProvenValue(type & SpecCell, ~SpecBigInt))
+            return proven;
+        return m_out.notEqual(
+            m_out.load32(cell, m_heaps.JSCell_structureID),
+            m_out.constInt32(vm().bigIntStructure->id()));
+    }
+
     LValue isArrayTypeForArrayify(LValue cell, ArrayMode arrayMode)
     {
@@ -15287 +15336 @@
     {
         speculateSymbol(edge, lowCell(edge));
+    }
+
+    void speculateBigInt(Edge edge, LValue cell)
+    {
+        FTL_TYPE_CHECK(jsValueValue(cell), edge, SpecBigInt, isNotBigInt(cell));
+    }
+
+    void speculateBigInt(Edge edge)
+    {
+        speculateBigInt(edge, lowCell(edge));
     }
 

trunk/Source/JavaScriptCore/jit/AssemblyHelpers.cpp

@@ -99 +99 @@
         result.append(branchIfNotCell(regs, mode));
         result.append(branchIfNotSymbol(regs.payloadGPR()));
+        break;
+
+    case InferredType::BigInt:
+        result.append(branchIfNotCell(regs, mode));
+        result.append(branchIfNotBigInt(regs.payloadGPR()));
         break;
 

trunk/Source/JavaScriptCore/jit/AssemblyHelpers.h

@@ -900 +900 @@
     Jump branchIfSymbol(GPRReg cellGPR) { return branchIfType(cellGPR, SymbolType); }
     Jump branchIfNotSymbol(GPRReg cellGPR) { return branchIfNotType(cellGPR, SymbolType); }
+    Jump branchIfBigInt(GPRReg cellGPR) { return branchIfType(cellGPR, BigIntType); }
+    Jump branchIfNotBigInt(GPRReg cellGPR) { return branchIfNotType(cellGPR, BigIntType); }
     Jump branchIfFunction(GPRReg cellGPR) { return branchIfType(cellGPR, JSFunctionType); }
     Jump branchIfNotFunction(GPRReg cellGPR) { return branchIfNotType(cellGPR, JSFunctionType); }

trunk/Source/JavaScriptCore/runtime/InferredType.cpp

@@ -146 +146 @@
         if (cell->isSymbol())
             return Symbol;
+        if (cell->isBigInt())
+            return BigInt;
         if (cell->isObject()) {
             if (cell->structure()->transitionWatchpointSetIsStillValid())
@@ -185 +187 @@
     case Object:
         return static_cast<PutByIdFlags>(PutByIdPrimaryTypeSecondary | PutByIdSecondaryTypeObject);
+    case BigInt:
     case ObjectOrOther:
         return static_cast<PutByIdFlags>(PutByIdPrimaryTypeSecondary | PutByIdSecondaryTypeObjectOrOther);
@@ -215 +218 @@
     case String:
     case Symbol:
+    case BigInt:
         *this = Top;
         return;
@@ -534 +538 @@
         out.print("Symbol");
         return;
+    case InferredType::BigInt:
+        out.print("BigInt");
+        return;
     case InferredType::ObjectWithStructure:
         out.print("ObjectWithStructure");

trunk/Source/JavaScriptCore/runtime/InferredType.h

@@ -70 +70 @@
         String,
         Symbol,
+        BigInt,
         ObjectWithStructure,
         ObjectWithStructureOrOther,
@@ -137 +138 @@
             case Symbol:
                 return value.isSymbol();
+            case BigInt:
+                return value.isBigInt();
             case ObjectWithStructure:
                 return value.isCell() && value.asCell()->structure() == m_structure;

trunk/Source/JavaScriptCore/runtime/JSBigInt.h

@@ -38 +38 @@
 class JSBigInt final : public JSCell {
     using Base = JSCell;
+    static const unsigned StructureFlags = Base::StructureFlags | OverridesToThis;
 
 public: