Changeset 232029 in webkit


Ignore:
Timestamp:
May 21, 2018 2:52:26 PM (6 years ago)
Author:
commit-queue@webkit.org
Message:

Unreviewed, rolling out r231998 and r232017.
https://bugs.webkit.org/show_bug.cgi?id=185842

causes crashes on 32 JSC bot (Requested by realdawei on
#webkit).

Reverted changesets:

"[JSC] JSC should have consistent InById IC"
https://bugs.webkit.org/show_bug.cgi?id=185682
https://trac.webkit.org/changeset/231998

"Unreviewed, fix 32bit and scope release"
https://bugs.webkit.org/show_bug.cgi?id=185682
https://trac.webkit.org/changeset/232017

Location:
trunk
Files:
6 deleted
50 edited

Legend:

Unmodified
Added
Removed
  • trunk/JSTests/ChangeLog

    r231998 r232029  
     12018-05-21  Commit Queue  <commit-queue@webkit.org>
     2
     3        Unreviewed, rolling out r231998 and r232017.
     4        https://bugs.webkit.org/show_bug.cgi?id=185842
     5
     6        causes crashes on 32 JSC bot (Requested by realdawei on
     7        #webkit).
     8
     9        Reverted changesets:
     10
     11        "[JSC] JSC should have consistent InById IC"
     12        https://bugs.webkit.org/show_bug.cgi?id=185682
     13        https://trac.webkit.org/changeset/231998
     14
     15        "Unreviewed, fix 32bit and scope release"
     16        https://bugs.webkit.org/show_bug.cgi?id=185682
     17        https://trac.webkit.org/changeset/232017
     18
    1192018-05-19  Yusuke Suzuki  <utatane.tea@gmail.com>
    220
  • trunk/Source/JavaScriptCore/ChangeLog

    r232024 r232029  
     12018-05-21  Commit Queue  <commit-queue@webkit.org>
     2
     3        Unreviewed, rolling out r231998 and r232017.
     4        https://bugs.webkit.org/show_bug.cgi?id=185842
     5
     6        causes crashes on 32 JSC bot (Requested by realdawei on
     7        #webkit).
     8
     9        Reverted changesets:
     10
     11        "[JSC] JSC should have consistent InById IC"
     12        https://bugs.webkit.org/show_bug.cgi?id=185682
     13        https://trac.webkit.org/changeset/231998
     14
     15        "Unreviewed, fix 32bit and scope release"
     16        https://bugs.webkit.org/show_bug.cgi?id=185682
     17        https://trac.webkit.org/changeset/232017
     18
    1192018-05-21  Jer Noble  <jer.noble@apple.com>
    220
  • trunk/Source/JavaScriptCore/bytecode/AccessCase.cpp

    r231998 r232029  
    118118    case CacheType::PutByIdReplace:
    119119        return AccessCase::create(vm, owner, Replace, stubInfo.u.byIdSelf.offset, stubInfo.u.byIdSelf.baseObjectStructure.get());
    120 
    121     case CacheType::InByIdSelf:
    122         return AccessCase::create(vm, owner, InHit, stubInfo.u.byIdSelf.offset, stubInfo.u.byIdSelf.baseObjectStructure.get());
    123120
    124121    default:
     
    559556       
    560557        CCallHelpers::Label loop(&jit);
    561         failAndIgnore = jit.branchIfType(valueGPR, ProxyObjectType);
     558        failAndIgnore = jit.branch8(
     559            CCallHelpers::Equal,
     560            CCallHelpers::Address(valueGPR, JSCell::typeInfoTypeOffset()),
     561            CCallHelpers::TrustedImm32(ProxyObjectType));
    562562       
    563563        jit.emitLoadStructure(vm, valueGPR, scratch2GPR, scratchGPR);
  • trunk/Source/JavaScriptCore/bytecode/BytecodeDumper.cpp

    r231998 r232029  
    548548    }
    549549#else
    550     UNUSED_PARAM(map);
    551 #endif
    552 }
    553 
    554 template<class Block>
    555 void BytecodeDumper<Block>::printInByIdCacheStatus(PrintStream& out, int location, const StubInfoMap& map)
    556 {
    557     const auto* instruction = instructionsBegin() + location;
    558 
    559     const Identifier& ident = identifier(instruction[3].u.operand);
    560 
    561     UNUSED_PARAM(ident); // tell the compiler to shut up in certain platform configurations.
    562 
    563 #if ENABLE(JIT)
    564     if (StructureStubInfo* stubPtr = map.get(CodeOrigin(location))) {
    565         StructureStubInfo& stubInfo = *stubPtr;
    566         if (stubInfo.resetByGC)
    567             out.print(" (Reset By GC)");
    568 
    569         out.printf(" jit(");
    570 
    571         Structure* baseStructure = nullptr;
    572         PolymorphicAccess* stub = nullptr;
    573 
    574         switch (stubInfo.cacheType) {
    575         case CacheType::InByIdSelf:
    576             out.printf("self");
    577             baseStructure = stubInfo.u.byIdSelf.baseObjectStructure.get();
    578             break;
    579         case CacheType::Stub:
    580             out.printf("stub");
    581             stub = stubInfo.u.stub;
    582             break;
    583         case CacheType::Unset:
    584             out.printf("unset");
    585             break;
    586         default:
    587             RELEASE_ASSERT_NOT_REACHED();
    588             break;
    589         }
    590 
    591         if (baseStructure) {
    592             out.printf(", ");
    593             dumpStructure(out, "struct", baseStructure, ident);
    594         }
    595 
    596         if (stub)
    597             out.print(", ", *stub);
    598 
    599         out.printf(")");
    600     }
    601 #else
    602     UNUSED_PARAM(out);
    603550    UNUSED_PARAM(map);
    604551#endif
     
    10661013        break;
    10671014    }
    1068     case op_in_by_id: {
    1069         int r0 = (++it)->u.operand;
    1070         int r1 = (++it)->u.operand;
    1071         int id0 = (++it)->u.operand;
    1072         printLocationAndOp(out, location, it, "in_by_id");
    1073         out.printf("%s, %s, %s", registerName(r0).data(), registerName(r1).data(), idName(id0, identifier(id0)).data());
    1074         printInByIdCacheStatus(out, location, stubInfos);
    1075         break;
    1076     }
    1077     case op_in_by_val: {
    1078         printBinaryOp(out, location, it, "in_by_val");
     1015    case op_in: {
     1016        printBinaryOp(out, location, it, "in");
    10791017        dumpArrayProfiling(out, it, hasPrintedProfiling);
    10801018        break;
  • trunk/Source/JavaScriptCore/bytecode/BytecodeDumper.h

    r231998 r232029  
    7272    void printGetByIdCacheStatus(PrintStream& out, int location, const StubInfoMap&);
    7373    void printPutByIdCacheStatus(PrintStream& out, int location, const StubInfoMap&);
    74     void printInByIdCacheStatus(PrintStream& out, int location, const StubInfoMap&);
    7574    enum CacheDumpMode { DumpCaches, DontDumpCaches };
    7675    void printCallOp(PrintStream& out, int location, const Instruction*& it, const char* op, CacheDumpMode, bool& hasPrintedProfiling, const CallLinkInfoMap&);
  • trunk/Source/JavaScriptCore/bytecode/BytecodeList.json

    r231998 r232029  
    8181            { "name" : "op_is_function", "length" : 3 },
    8282            { "name" : "op_is_cell_with_type", "length" : 4 },
    83             { "name" : "op_in_by_val", "length" : 5 },
    84             { "name" : "op_in_by_id", "length" : 4 },
     83            { "name" : "op_in", "length" : 5 },
    8584            { "name" : "op_get_array_length", "length" : 9 },
    8685            { "name" : "op_get_by_id", "length" : 9  },
  • trunk/Source/JavaScriptCore/bytecode/BytecodeUseDef.h

    r231998 r232029  
    187187    case op_get_by_id_direct:
    188188    case op_get_array_length:
    189     case op_in_by_id:
    190189    case op_typeof:
    191190    case op_is_empty:
     
    228227    case op_enumerator_generic_pname:
    229228    case op_get_by_val:
    230     case op_in_by_val:
     229    case op_in:
    231230    case op_overrides_has_instance:
    232231    case op_instanceof:
     
    456455    case op_is_cell_with_type:
    457456    case op_is_function:
    458     case op_in_by_id:
    459     case op_in_by_val:
     457    case op_in:
    460458    case op_to_number:
    461459    case op_to_string:
  • trunk/Source/JavaScriptCore/bytecode/CodeBlock.cpp

    r231998 r232029  
    590590        }
    591591
    592         case op_in_by_val:
     592        case op_in:
    593593        case op_put_by_val:
    594594        case op_put_by_val_direct: {
  • trunk/Source/JavaScriptCore/bytecode/InlineAccess.cpp

    r231998 r232029  
    277277}
    278278
    279 bool InlineAccess::generateSelfInAccess(StructureStubInfo& stubInfo, Structure* structure)
    280 {
    281     CCallHelpers jit;
    282 
    283     GPRReg base = static_cast<GPRReg>(stubInfo.patch.baseGPR);
    284     JSValueRegs value = stubInfo.valueRegs();
    285 
    286     auto branchToSlowPath = jit.patchableBranch32(
    287         MacroAssembler::NotEqual,
    288         MacroAssembler::Address(base, JSCell::structureIDOffset()),
    289         MacroAssembler::TrustedImm32(bitwise_cast<uint32_t>(structure->id())));
    290     jit.boxBooleanPayload(true, value.payloadGPR());
    291 
    292     bool linkedCodeInline = linkCodeInline("in access", jit, stubInfo, [&] (LinkBuffer& linkBuffer) {
    293         linkBuffer.link(branchToSlowPath, stubInfo.slowPathStartLocation());
    294     });
    295     return linkedCodeInline;
    296 }
    297 
    298279void InlineAccess::rewireStubAsJump(StructureStubInfo& stubInfo, CodeLocationLabel<JITStubRoutinePtrTag> target)
    299280{
  • trunk/Source/JavaScriptCore/bytecode/InlineAccess.h

    r231998 r232029  
    117117    static bool generateArrayLength(StructureStubInfo&, JSArray*);
    118118    static void rewireStubAsJump(StructureStubInfo&, CodeLocationLabel<JITStubRoutinePtrTag>);
    119     static bool generateSelfInAccess(StructureStubInfo&, Structure*);
    120119
    121120    // This is helpful when determining the size of an IC on
  • trunk/Source/JavaScriptCore/bytecode/StructureStubInfo.cpp

    r232000 r232029  
    8383}
    8484
    85 void StructureStubInfo::initInByIdSelf(CodeBlock* codeBlock, Structure* baseObjectStructure, PropertyOffset offset)
    86 {
    87     cacheType = CacheType::InByIdSelf;
    88 
    89     u.byIdSelf.baseObjectStructure.set(
    90         *codeBlock->vm(), codeBlock, baseObjectStructure);
    91     u.byIdSelf.offset = offset;
    92 }
    93 
    9485void StructureStubInfo::deref()
    9586{
     
    10192    case CacheType::GetByIdSelf:
    10293    case CacheType::PutByIdReplace:
    103     case CacheType::InByIdSelf:
    10494    case CacheType::ArrayLength:
    10595        return;
     
    118108    case CacheType::GetByIdSelf:
    119109    case CacheType::PutByIdReplace:
    120     case CacheType::InByIdSelf:
    121110    case CacheType::ArrayLength:
    122111        return;
     
    249238        break;
    250239    case AccessType::In:
    251         resetInByID(codeBlock, *this);
     240        resetIn(*this);
    252241        break;
    253242    case AccessType::InstanceOf:
     
    272261    case CacheType::GetByIdSelf:
    273262    case CacheType::PutByIdReplace:
    274     case CacheType::InByIdSelf:
    275263        if (Heap::isMarked(u.byIdSelf.baseObjectStructure.get()))
    276264            return;
     
    296284    case CacheType::GetByIdSelf:
    297285    case CacheType::PutByIdReplace:
    298     case CacheType::InByIdSelf:
    299286        return u.byIdSelf.baseObjectStructure->markIfCheap(visitor);
    300287    case CacheType::Stub:
  • trunk/Source/JavaScriptCore/bytecode/StructureStubInfo.h

    r232000 r232029  
    5959    GetByIdSelf,
    6060    PutByIdReplace,
    61     InByIdSelf,
    6261    Stub,
    6362    ArrayLength
     
    7473    void initArrayLength();
    7574    void initPutByIdReplace(CodeBlock*, Structure* baseObjectStructure, PropertyOffset);
    76     void initInByIdSelf(CodeBlock*, Structure* baseObjectStructure, PropertyOffset);
    7775
    7876    AccessGenerationResult addAccessCase(const GCSafeConcurrentJSLocker&, CodeBlock*, const Identifier&, std::unique_ptr<AccessCase>);
     
    179177   
    180178    struct {
    181         CodeLocationLabel<JITStubRoutinePtrTag> start; // This is either the start of the inline IC for *byId caches. or the location of patchable jump for 'instanceof' caches.
     179        CodeLocationLabel<JITStubRoutinePtrTag> start; // This is either the start of the inline IC for *byId caches, or the location of patchable jump for 'in' and 'instanceof' caches.
    182180        RegisterSet usedRegisters;
    183181        uint32_t inlineSize;
     
    200198    CodeLocationJump<JSInternalPtrTag> patchableJump()
    201199    {
    202         ASSERT(accessType == AccessType::InstanceOf);
     200        ASSERT(accessType == AccessType::In || accessType == AccessType::InstanceOf);
    203201        return patch.start.jumpAtOffset<JSInternalPtrTag>(0);
    204202    }
  • trunk/Source/JavaScriptCore/bytecompiler/BytecodeGenerator.cpp

    r231998 r232029  
    26682668}
    26692669
    2670 RegisterID* BytecodeGenerator::emitInByVal(RegisterID* dst, RegisterID* property, RegisterID* base)
     2670RegisterID* BytecodeGenerator::emitIn(RegisterID* dst, RegisterID* property, RegisterID* base)
    26712671{
    26722672    UnlinkedArrayProfile arrayProfile = newArrayProfile();
    2673     emitOpcode(op_in_by_val);
     2673    emitOpcode(op_in);
    26742674    instructions().append(dst->index());
    26752675    instructions().append(base->index());
    26762676    instructions().append(property->index());
    26772677    instructions().append(arrayProfile);
    2678     return dst;
    2679 }
    2680 
    2681 RegisterID* BytecodeGenerator::emitInById(RegisterID* dst, RegisterID* base, const Identifier& property)
    2682 {
    2683     emitOpcode(op_in_by_id);
    2684     instructions().append(dst->index());
    2685     instructions().append(base->index());
    2686     instructions().append(addConstant(property));
    26872678    return dst;
    26882679}
  • trunk/Source/JavaScriptCore/bytecompiler/BytecodeGenerator.h

    r231998 r232029  
    695695        RegisterID* emitInstanceOfCustom(RegisterID* dst, RegisterID* value, RegisterID* constructor, RegisterID* hasInstanceValue);
    696696        RegisterID* emitTypeOf(RegisterID* dst, RegisterID* src) { return emitUnaryOp(op_typeof, dst, src); }
    697         RegisterID* emitInByVal(RegisterID* dst, RegisterID* property, RegisterID* base);
    698         RegisterID* emitInById(RegisterID* dst, RegisterID* base, const Identifier& property);
     697        RegisterID* emitIn(RegisterID* dst, RegisterID* property, RegisterID* base);
    699698
    700699        RegisterID* emitTryGetById(RegisterID* dst, RegisterID* base, const Identifier& property);
  • trunk/Source/JavaScriptCore/bytecompiler/NodesCodegen.cpp

    r231998 r232029  
    22812281RegisterID* InNode::emitBytecode(BytecodeGenerator& generator, RegisterID* dst)
    22822282{
    2283     if (isNonIndexStringElement(*m_expr1)) {
    2284         RefPtr<RegisterID> base = generator.emitNode(m_expr2);
    2285         generator.emitExpressionInfo(divot(), divotStart(), divotEnd());
    2286         return generator.emitInById(generator.finalDestination(dst, base.get()), base.get(), static_cast<StringNode*>(m_expr1)->value());
    2287     }
    2288 
    22892283    RefPtr<RegisterID> key = generator.emitNodeForLeftHandSide(m_expr1, m_rightHasAssignments, m_expr2->isPure(generator));
    22902284    RefPtr<RegisterID> base = generator.emitNode(m_expr2);
    22912285    generator.emitExpressionInfo(divot(), divotStart(), divotEnd());
    2292     return generator.emitInByVal(generator.finalDestination(dst, key.get()), key.get(), base.get());
     2286    return generator.emitIn(generator.finalDestination(dst, key.get()), key.get(), base.get());
    22932287}
    22942288
  • trunk/Source/JavaScriptCore/dfg/DFGAbstractInterpreterInlines.h

    r232000 r232029  
    32603260        break;
    32613261       
    3262     case InById: {
     3262    case In: {
    32633263        // FIXME: We can determine when the property definitely exists based on abstract
    32643264        // value information.
    32653265        clobberWorld();
    3266         filter(node->child1(), SpecObject);
    3267         setNonCellTypeForNode(node, SpecBoolean);
    3268         break;
    3269     }
    3270 
    3271     case InByVal: {
    3272         AbstractValue& property = forNode(node->child2());
    3273         if (JSValue constant = property.value()) {
    3274             if (constant.isString()) {
    3275                 JSString* string = asString(constant);
    3276                 const StringImpl* impl = string->tryGetValueImpl();
    3277                 if (impl && impl->isAtomic())
    3278                     m_state.setFoundConstants(true);
    3279             }
    3280         }
    3281 
    3282         // FIXME: We can determine when the property definitely exists based on abstract
    3283         // value information.
    3284         clobberWorld();
    3285         filter(node->child1(), SpecObject);
    32863266        setNonCellTypeForNode(node, SpecBoolean);
    32873267        break;
  • trunk/Source/JavaScriptCore/dfg/DFGByteCodeParser.cpp

    r232000 r232029  
    63936393        }
    63946394
    6395         case op_in_by_val: {
    6396             ArrayMode arrayMode = getArrayMode(currentInstruction[OPCODE_LENGTH(op_in_by_val) - 1].u.arrayProfile);
     6395        case op_in: {
     6396            ArrayMode arrayMode = getArrayMode(currentInstruction[OPCODE_LENGTH(op_in) - 1].u.arrayProfile);
    63976397            set(VirtualRegister(currentInstruction[1].u.operand),
    6398                 addToGraph(InByVal, OpInfo(arrayMode.asWord()), get(VirtualRegister(currentInstruction[2].u.operand)), get(VirtualRegister(currentInstruction[3].u.operand))));
    6399             NEXT_OPCODE(op_in_by_val);
    6400         }
    6401 
    6402         case op_in_by_id: {
    6403             Node* base = get(VirtualRegister(currentInstruction[2].u.operand));
    6404             unsigned identifierNumber = m_inlineStackTop->m_identifierRemap[currentInstruction[3].u.operand];
    6405             set(VirtualRegister(currentInstruction[1].u.operand),
    6406                 addToGraph(InById, OpInfo(identifierNumber), base));
    6407             NEXT_OPCODE(op_in_by_id);
    6408             break;
     6398                addToGraph(In, OpInfo(arrayMode.asWord()), get(VirtualRegister(currentInstruction[2].u.operand)), get(VirtualRegister(currentInstruction[3].u.operand))));
     6399            NEXT_OPCODE(op_in);
    64096400        }
    64106401
  • trunk/Source/JavaScriptCore/dfg/DFGCapabilities.cpp

    r231998 r232029  
    237237    case op_switch_imm:
    238238    case op_switch_char:
    239     case op_in_by_val:
    240     case op_in_by_id:
     239    case op_in:
    241240    case op_get_scope:
    242241    case op_get_from_scope:
  • trunk/Source/JavaScriptCore/dfg/DFGClobberize.h

    r232000 r232029  
    624624    case ConstructForwardVarargs:
    625625    case ToPrimitive:
    626     case InByVal:
    627     case InById:
     626    case In:
    628627    case HasOwnProperty:
    629628    case ValueAdd:
  • trunk/Source/JavaScriptCore/dfg/DFGConstantFoldingPhase.cpp

    r232002 r232029  
    652652            }
    653653
    654             case InByVal: {
    655                 AbstractValue& property = m_state.forNode(node->child2());
    656                 if (JSValue constant = property.value()) {
    657                     if (constant.isString()) {
    658                         JSString* string = asString(constant);
    659                         const StringImpl* impl = string->tryGetValueImpl();
    660                         if (impl && impl->isAtomic()) {
    661                             unsigned identifierNumber = m_graph.identifiers().ensure(const_cast<UniquedStringImpl*>(static_cast<const UniquedStringImpl*>(impl)));
    662                             node->convertToInById(identifierNumber);
    663                             changed = true;
    664                             break;
    665                         }
    666                     }
    667                 }
    668                 break;
    669             }
    670 
    671654            case ToPrimitive: {
    672655                if (m_state.forNode(node->child1()).m_type & ~(SpecFullNumber | SpecBoolean | SpecString | SpecSymbol | SpecBigInt))
  • trunk/Source/JavaScriptCore/dfg/DFGDoesGC.cpp

    r232000 r232029  
    194194    case NumberToStringWithRadix:
    195195    case NumberToStringWithValidRadixConstant:
    196     case InByVal:
    197     case InById:
     196    case In:
    198197    case HasOwnProperty:
    199198    case Jump:
  • trunk/Source/JavaScriptCore/dfg/DFGFixupPhase.cpp

    r232000 r232029  
    14771477            break;
    14781478
    1479         case InById: {
    1480             fixEdge<CellUse>(node->child1());
    1481             break;
    1482         }
    1483 
    1484         case InByVal: {
     1479        case In: {
    14851480            if (node->child2()->shouldSpeculateInt32()) {
    14861481                convertToHasIndexedProperty(node);
  • trunk/Source/JavaScriptCore/dfg/DFGJITCompiler.cpp

    r231998 r232029  
    266266    finalizeInlineCaches(m_getByIdsWithThis, linkBuffer);
    267267    finalizeInlineCaches(m_putByIds, linkBuffer);
    268     finalizeInlineCaches(m_inByIds, linkBuffer);
    269268    finalizeInlineCaches(m_instanceOfs, linkBuffer);
    270269
     270    for (unsigned i = 0; i < m_ins.size(); ++i) {
     271        StructureStubInfo& info = *m_ins[i].m_stubInfo;
     272
     273        CodeLocationLabel<JITStubRoutinePtrTag> start = linkBuffer.locationOf<JITStubRoutinePtrTag>(m_ins[i].m_jump);
     274        info.patch.start = start;
     275
     276        ptrdiff_t inlineSize = MacroAssembler::differenceBetweenCodePtr(
     277            start, linkBuffer.locationOf<JSInternalPtrTag>(m_ins[i].m_done));
     278        RELEASE_ASSERT(inlineSize >= 0);
     279        info.patch.inlineSize = inlineSize;
     280
     281        info.patch.deltaFromStartToSlowPathCallLocation = MacroAssembler::differenceBetweenCodePtr(
     282            start, linkBuffer.locationOf<JSInternalPtrTag>(m_ins[i].m_slowPathGenerator->call()));
     283
     284        info.patch.deltaFromStartToSlowPathStart = MacroAssembler::differenceBetweenCodePtr(
     285            start, linkBuffer.locationOf<JSInternalPtrTag>(m_ins[i].m_slowPathGenerator->label()));
     286    }
     287   
    271288    auto linkCallThunk = FunctionPtr<NoPtrTag>(vm()->getCTIStub(linkCallThunkGenerator).retaggedCode<NoPtrTag>());
    272289    for (auto& record : m_jsCalls) {
  • trunk/Source/JavaScriptCore/dfg/DFGJITCompiler.h

    r231998 r232029  
    7777};
    7878
     79struct InRecord {
     80    InRecord(
     81        MacroAssembler::PatchableJump jump, MacroAssembler::Label done,
     82        SlowPathGenerator* slowPathGenerator, StructureStubInfo* stubInfo)
     83        : m_jump(jump)
     84        , m_done(done)
     85        , m_slowPathGenerator(slowPathGenerator)
     86        , m_stubInfo(stubInfo)
     87    {
     88    }
     89   
     90    MacroAssembler::PatchableJump m_jump;
     91    MacroAssembler::Label m_done;
     92    SlowPathGenerator* m_slowPathGenerator;
     93    StructureStubInfo* m_stubInfo;
     94};
     95
    7996// === JITCompiler ===
    8097//
     
    193210    }
    194211
    195     void addInById(const JITInByIdGenerator& gen, SlowPathGenerator* slowPath)
    196     {
    197         m_inByIds.append(InlineCacheWrapper<JITInByIdGenerator>(gen, slowPath));
    198     }
    199 
     212    void addIn(const InRecord& record)
     213    {
     214        m_ins.append(record);
     215    }
     216   
    200217    void addJSCall(Call fastCall, Call slowCall, DataLabelPtr targetToCheck, CallLinkInfo* info)
    201218    {
     
    343360    Vector<InlineCacheWrapper<JITGetByIdWithThisGenerator>, 4> m_getByIdsWithThis;
    344361    Vector<InlineCacheWrapper<JITPutByIdGenerator>, 4> m_putByIds;
    345     Vector<InlineCacheWrapper<JITInByIdGenerator>, 4> m_inByIds;
    346362    Vector<InlineCacheWrapper<JITInstanceOfGenerator>, 4> m_instanceOfs;
     363    Vector<InRecord, 4> m_ins;
    347364    Vector<JSCallRecord, 4> m_jsCalls;
    348365    Vector<JSDirectCallRecord, 4> m_jsDirectCalls;
  • trunk/Source/JavaScriptCore/dfg/DFGNode.h

    r232000 r232029  
    753753        m_opInfo = false;
    754754    }
    755 
    756     void convertToInById(unsigned identifierNumber)
    757     {
    758         ASSERT(m_op == InByVal);
    759         setOpAndDefaultFlags(InById);
    760         children.setChild2(Edge());
    761         m_opInfo = identifierNumber;
    762         m_opInfo2 = OpInfoWrapper();
    763     }
    764755   
    765756    JSValue asJSValue()
     
    10291020        case PutGetterSetterById:
    10301021        case DeleteById:
    1031         case InById:
    10321022        case GetDynamicVar:
    10331023        case PutDynamicVar:
     
    19981988        case GetArrayLength:
    19991989        case GetVectorLength:
    2000         case InByVal:
     1990        case In:
    20011991        case PutByValDirect:
    20021992        case PutByVal:
  • trunk/Source/JavaScriptCore/dfg/DFGNodeType.h

    r232000 r232029  
    371371    macro(NewStringObject, NodeResultJS) \
    372372    macro(MakeRope, NodeResultJS) \
    373     macro(InByVal, NodeResultBoolean | NodeMustGenerate) \
    374     macro(InById, NodeResultBoolean | NodeMustGenerate) \
     373    macro(In, NodeResultBoolean | NodeMustGenerate) \
    375374    macro(ProfileType, NodeMustGenerate) \
    376375    macro(ProfileControlFlow, NodeMustGenerate) \
  • trunk/Source/JavaScriptCore/dfg/DFGPredictionPropagationPhase.cpp

    r232000 r232029  
    982982            break;
    983983
    984         case InByVal:
    985         case InById:
     984        case In:
    986985            setPrediction(SpecBoolean);
    987986            break;
  • trunk/Source/JavaScriptCore/dfg/DFGSafeToExecute.h

    r232000 r232029  
    333333    case NewStringObject:
    334334    case MakeRope:
    335     case InByVal:
    336     case InById:
     335    case In:
    337336    case HasOwnProperty:
    338337    case PushWithScope:
  • trunk/Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp

    r232000 r232029  
    10571057}
    10581058
    1059 void SpeculativeJIT::compileInById(Node* node)
     1059void SpeculativeJIT::compileIn(Node* node)
    10601060{
    10611061    SpeculateCellOperand base(this, node->child1());
    1062     JSValueRegsTemporary result(this, Reuse, base, PayloadWord);
    1063 
    10641062    GPRReg baseGPR = base.gpr();
    1065     JSValueRegs resultRegs = result.regs();
    1066 
    1067     base.use();
    1068 
    1069     CodeOrigin codeOrigin = node->origin.semantic;
    1070     CallSiteIndex callSite = m_jit.recordCallSiteAndGenerateExceptionHandlingOSRExitIfNeeded(codeOrigin, m_stream->size());
    1071     RegisterSet usedRegisters = this->usedRegisters();
    1072     JITInByIdGenerator gen(
    1073         m_jit.codeBlock(), codeOrigin, callSite, usedRegisters, identifierUID(node->identifierNumber()),
    1074         JSValueRegs::payloadOnly(baseGPR), resultRegs);
    1075     gen.generateFastPath(m_jit);
    1076 
    1077     auto slowPath = slowPathCall(
    1078         gen.slowPathJump(), this, operationInByIdOptimize,
    1079         NeedToSpill, ExceptionCheckRequirement::CheckNeeded,
    1080         resultRegs, gen.stubInfo(), CCallHelpers::CellValue(baseGPR), identifierUID(node->identifierNumber()));
    1081 
    1082     m_jit.addInById(gen, slowPath.get());
    1083     addSlowPathGenerator(WTFMove(slowPath));
    1084 
    1085     blessedBooleanResult(resultRegs.payloadGPR(), node, UseChildrenCalledExplicitly);
    1086 }
    1087 
    1088 void SpeculativeJIT::compileInByVal(Node* node)
    1089 {
    1090     SpeculateCellOperand base(this, node->child1());
     1063   
     1064    if (JSString* string = node->child2()->dynamicCastConstant<JSString*>(*m_jit.vm())) {
     1065        if (string->tryGetValueImpl() && string->tryGetValueImpl()->isAtomic()) {
     1066            StructureStubInfo* stubInfo = m_jit.codeBlock()->addStubInfo(AccessType::In);
     1067           
     1068            GPRTemporary result(this);
     1069            GPRReg resultGPR = result.gpr();
     1070
     1071            use(node->child2());
     1072           
     1073            MacroAssembler::PatchableJump jump = m_jit.patchableJump();
     1074            MacroAssembler::Label done = m_jit.label();
     1075           
     1076            // Since this block is executed only when the result of string->tryGetValueImpl() is atomic,
     1077            // we can cast it to const AtomicStringImpl* safely.
     1078            auto slowPath = slowPathCall(
     1079                jump.m_jump, this, operationInOptimize,
     1080                JSValueRegs::payloadOnly(resultGPR), stubInfo, baseGPR,
     1081                static_cast<const AtomicStringImpl*>(string->tryGetValueImpl()));
     1082           
     1083            stubInfo->callSiteIndex = m_jit.addCallSite(node->origin.semantic);
     1084            stubInfo->codeOrigin = node->origin.semantic;
     1085            stubInfo->patch.baseGPR = static_cast<int8_t>(baseGPR);
     1086            stubInfo->patch.valueGPR = static_cast<int8_t>(resultGPR);
     1087            stubInfo->patch.thisGPR = static_cast<int8_t>(InvalidGPRReg);
     1088#if USE(JSVALUE32_64)
     1089            stubInfo->patch.valueTagGPR = static_cast<int8_t>(InvalidGPRReg);
     1090            stubInfo->patch.baseTagGPR = static_cast<int8_t>(InvalidGPRReg);
     1091            stubInfo->patch.thisTagGPR = static_cast<int8_t>(InvalidGPRReg);
     1092#endif
     1093            stubInfo->patch.usedRegisters = usedRegisters();
     1094
     1095            m_jit.addIn(InRecord(jump, done, slowPath.get(), stubInfo));
     1096            addSlowPathGenerator(WTFMove(slowPath));
     1097
     1098            base.use();
     1099
     1100            blessedBooleanResult(resultGPR, node, UseChildrenCalledExplicitly);
     1101            return;
     1102        }
     1103    }
     1104
    10911105    JSValueOperand key(this, node->child2());
    1092 
    1093     GPRReg baseGPR = base.gpr();
    10941106    JSValueRegs regs = key.jsValueRegs();
    1095 
     1107       
     1108    GPRFlushedCallResult result(this);
     1109    GPRReg resultGPR = result.gpr();
     1110       
    10961111    base.use();
    10971112    key.use();
    1098 
     1113       
    10991114    flushRegisters();
    1100     JSValueRegsFlushedCallResult result(this);
    1101     JSValueRegs resultRegs = result.regs();
    1102     callOperation(operationInByVal, resultRegs, baseGPR, regs);
     1115    callOperation(
     1116        operationGenericIn, extractResult(JSValueRegs::payloadOnly(resultGPR)),
     1117        baseGPR, regs);
    11031118    m_jit.exceptionCheck();
    1104     blessedBooleanResult(resultRegs.payloadGPR(), node, UseChildrenCalledExplicitly);
     1119    blessedBooleanResult(resultGPR, node, UseChildrenCalledExplicitly);
    11051120}
    11061121
  • trunk/Source/JavaScriptCore/dfg/DFGSpeculativeJIT.h

    r232000 r232029  
    736736    void compileGetById(Node*, AccessType);
    737737    void compileGetByIdFlush(Node*, AccessType);
    738     void compileInById(Node*);
    739     void compileInByVal(Node*);
     738    void compileIn(Node*);
    740739   
    741740    void nonSpeculativeNonPeepholeCompareNullOrUndefined(Edge operand);
  • trunk/Source/JavaScriptCore/dfg/DFGSpeculativeJIT32_64.cpp

    r232000 r232029  
    37573757        break;
    37583758
    3759     case InById:
    3760         compileInById(node);
    3761         break;
    3762 
    3763     case InByVal:
    3764         compileInByVal(node);
     3759    case In:
     3760        compileIn(node);
    37653761        break;
    37663762
  • trunk/Source/JavaScriptCore/dfg/DFGSpeculativeJIT64.cpp

    r232000 r232029  
    43074307        break;
    43084308
    4309     case InById:
    4310         compileInById(node);
    4311         break;
    4312 
    4313     case InByVal:
    4314         compileInByVal(node);
     4309    case In:
     4310        compileIn(node);
    43154311        break;
    43164312
  • trunk/Source/JavaScriptCore/ftl/FTLCapabilities.cpp

    r232000 r232029  
    206206    case ThrowStaticError:
    207207    case Unreachable:
    208     case InByVal:
    209     case InById:
     208    case In:
    210209    case HasOwnProperty:
    211210    case IsCellWithType:
  • trunk/Source/JavaScriptCore/ftl/FTLLowerDFGToB3.cpp

    r232000 r232029  
    709709            compileGetById(AccessType::GetDirect);
    710710            break;
    711         case InById:
    712             compileInById();
    713             break;
    714         case InByVal:
    715             compileInByVal();
     711        case In:
     712            compileIn();
    716713            break;
    717714        case HasOwnProperty:
     
    97179714    }
    97189715   
    9719     void compileInByVal()
    9720     {
    9721         setJSValue(vmCall(Int64, m_out.operation(operationInByVal), m_callFrame, lowCell(m_node->child1()), lowJSValue(m_node->child2())));
    9722     }
    9723 
    9724     void compileInById()
    9725     {
     9716    void compileIn()
     9717    {
     9718        DFG_ASSERT(m_graph, m_node, m_node->child1().useKind() == CellUse, m_node->child1().useKind());
     9719
    97269720        Node* node = m_node;
    9727         UniquedStringImpl* uid = m_graph.identifiers()[node->identifierNumber()];
    9728         LValue base = lowCell(m_node->child1());
    9729 
    9730         PatchpointValue* patchpoint = m_out.patchpoint(Int64);
    9731         patchpoint->appendSomeRegister(base);
    9732         patchpoint->append(m_tagMask, ValueRep::lateReg(GPRInfo::tagMaskRegister));
    9733         patchpoint->append(m_tagTypeNumber, ValueRep::lateReg(GPRInfo::tagTypeNumberRegister));
    9734 
    9735         patchpoint->clobber(RegisterSet::macroScratchRegisters());
    9736 
    9737         RefPtr<PatchpointExceptionHandle> exceptionHandle =
    9738             preparePatchpointForExceptions(patchpoint);
    9739 
    9740         State* state = &m_ftlState;
    9741         patchpoint->setGenerator(
    9742             [=] (CCallHelpers& jit, const StackmapGenerationParams& params) {
    9743                 AllowMacroScratchRegisterUsage allowScratch(jit);
    9744 
    9745                 CallSiteIndex callSiteIndex =
    9746                     state->jitCode->common.addUniqueCallSiteIndex(node->origin.semantic);
    9747 
    9748                 // This is the direct exit target for operation calls.
    9749                 Box<CCallHelpers::JumpList> exceptions =
    9750                     exceptionHandle->scheduleExitCreation(params)->jumps(jit);
    9751 
    9752                 auto generator = Box<JITInByIdGenerator>::create(
    9753                     jit.codeBlock(), node->origin.semantic, callSiteIndex,
    9754                     params.unavailableRegisters(), uid, JSValueRegs(params[1].gpr()),
    9755                     JSValueRegs(params[0].gpr()));
    9756 
    9757                 generator->generateFastPath(jit);
    9758                 CCallHelpers::Label done = jit.label();
    9759 
    9760                 params.addLatePath(
    9761                     [=] (CCallHelpers& jit) {
     9721        Edge base = node->child1();
     9722        LValue cell = lowCell(base);
     9723        if (JSString* string = node->child2()->dynamicCastConstant<JSString*>(vm())) {
     9724            if (string->tryGetValueImpl() && string->tryGetValueImpl()->isAtomic()) {
     9725                UniquedStringImpl* str = bitwise_cast<UniquedStringImpl*>(string->tryGetValueImpl());
     9726                PatchpointValue* patchpoint = m_out.patchpoint(Int64);
     9727                patchpoint->appendSomeRegister(cell);
     9728                patchpoint->append(m_tagMask, ValueRep::lateReg(GPRInfo::tagMaskRegister));
     9729                patchpoint->append(m_tagTypeNumber, ValueRep::lateReg(GPRInfo::tagTypeNumberRegister));
     9730                patchpoint->clobber(RegisterSet::macroScratchRegisters());
     9731
     9732                RefPtr<PatchpointExceptionHandle> exceptionHandle = preparePatchpointForExceptions(patchpoint);
     9733
     9734                State* state = &m_ftlState;
     9735                patchpoint->setGenerator(
     9736                    [=] (CCallHelpers& jit, const StackmapGenerationParams& params) {
    97629737                        AllowMacroScratchRegisterUsage allowScratch(jit);
    97639738
    9764                         generator->slowPathJump().link(&jit);
    9765                         CCallHelpers::Label slowPathBegin = jit.label();
    9766                         CCallHelpers::Call slowPathCall = callOperation(
    9767                             *state, params.unavailableRegisters(), jit, node->origin.semantic,
    9768                             exceptions.get(), operationInByIdOptimize, params[0].gpr(),
    9769                             CCallHelpers::TrustedImmPtr(generator->stubInfo()), params[1].gpr(),
    9770                             CCallHelpers::TrustedImmPtr(uid)).call();
    9771                         jit.jump().linkTo(done, &jit);
    9772 
    9773                         generator->reportSlowPathCall(slowPathBegin, slowPathCall);
    9774 
    9775                         jit.addLinkTask(
    9776                             [=] (LinkBuffer& linkBuffer) {
    9777                                 generator->finalize(linkBuffer, linkBuffer);
     9739                        // This is the direct exit target for operation calls. We don't need a JS exceptionHandle because we don't
     9740                        // cache Proxy objects.
     9741                        Box<CCallHelpers::JumpList> exceptions = exceptionHandle->scheduleExitCreation(params)->jumps(jit);
     9742
     9743                        GPRReg baseGPR = params[1].gpr();
     9744                        GPRReg resultGPR = params[0].gpr();
     9745
     9746                        StructureStubInfo* stubInfo =
     9747                            jit.codeBlock()->addStubInfo(AccessType::In);
     9748                        stubInfo->callSiteIndex =
     9749                            state->jitCode->common.addCodeOrigin(node->origin.semantic);
     9750                        stubInfo->codeOrigin = node->origin.semantic;
     9751                        stubInfo->patch.baseGPR = static_cast<int8_t>(baseGPR);
     9752                        stubInfo->patch.valueGPR = static_cast<int8_t>(resultGPR);
     9753                        stubInfo->patch.thisGPR = static_cast<int8_t>(InvalidGPRReg);
     9754                        stubInfo->patch.usedRegisters = params.unavailableRegisters();
     9755
     9756                        CCallHelpers::PatchableJump jump = jit.patchableJump();
     9757                        CCallHelpers::Label done = jit.label();
     9758
     9759                        params.addLatePath(
     9760                            [=] (CCallHelpers& jit) {
     9761                                AllowMacroScratchRegisterUsage allowScratch(jit);
     9762
     9763                                jump.m_jump.link(&jit);
     9764                                CCallHelpers::Label slowPathBegin = jit.label();
     9765                                CCallHelpers::Call slowPathCall = callOperation(
     9766                                    *state, params.unavailableRegisters(), jit,
     9767                                    node->origin.semantic, exceptions.get(), operationInOptimize,
     9768                                    resultGPR, CCallHelpers::TrustedImmPtr(stubInfo), baseGPR,
     9769                                    CCallHelpers::TrustedImmPtr(str)).call();
     9770                                jit.jump().linkTo(done, &jit);
     9771
     9772                                jit.addLinkTask(
     9773                                    [=] (LinkBuffer& linkBuffer) {
     9774                                        CodeLocationLabel<JITStubRoutinePtrTag> start = linkBuffer.locationOf<JITStubRoutinePtrTag>(jump);
     9775                                        stubInfo->patch.start = start;
     9776                                        ptrdiff_t inlineSize = MacroAssembler::differenceBetweenCodePtr(
     9777                                            start, linkBuffer.locationOf<NoPtrTag>(done));
     9778                                        RELEASE_ASSERT(inlineSize >= 0);
     9779                                        stubInfo->patch.inlineSize = inlineSize;
     9780
     9781                                        stubInfo->patch.deltaFromStartToSlowPathCallLocation = MacroAssembler::differenceBetweenCodePtr(
     9782                                            start, linkBuffer.locationOf<NoPtrTag>(slowPathCall));
     9783
     9784                                        stubInfo->patch.deltaFromStartToSlowPathStart = MacroAssembler::differenceBetweenCodePtr(
     9785                                            start, linkBuffer.locationOf<NoPtrTag>(slowPathBegin));
     9786
     9787                                    });
    97789788                            });
    97799789                    });
    9780             });
    9781 
    9782         setJSValue(patchpoint);
     9790
     9791                setJSValue(patchpoint);
     9792                return;
     9793            }
     9794        }
     9795
     9796        setJSValue(vmCall(Int64, m_out.operation(operationGenericIn), m_callFrame, cell, lowJSValue(m_node->child2())));
    97839797    }
    97849798
  • trunk/Source/JavaScriptCore/jit/ICStats.h

    r231998 r232029  
    5151    macro(OperationGetByIdOptimize) \
    5252    macro(OperationGetByIdWithThisOptimize) \
     53    macro(OperationInOptimize) \
     54    macro(OperationIn) \
    5355    macro(OperationGenericIn) \
    54     macro(OperationInById) \
    55     macro(OperationInByIdGeneric) \
    56     macro(OperationInByIdOptimize) \
    5756    macro(OperationPutByIdStrict) \
    5857    macro(OperationPutByIdNonStrict) \
     
    6968    macro(PutByIdAddAccessCase) \
    7069    macro(PutByIdReplaceWithJump) \
    71     macro(PutByIdSelfPatch) \
    72     macro(InByIdSelfPatch)
     70    macro(PutByIdSelfPatch)
    7371
    7472class ICEvent {
  • trunk/Source/JavaScriptCore/jit/JIT.cpp

    r231998 r232029  
    7979    , m_labels(codeBlock ? codeBlock->numberOfInstructions() : 0)
    8080    , m_bytecodeOffset(std::numeric_limits<unsigned>::max())
     81    , m_getByIdIndex(UINT_MAX)
     82    , m_getByIdWithThisIndex(UINT_MAX)
     83    , m_putByIdIndex(UINT_MAX)
     84    , m_byValInstructionIndex(UINT_MAX)
     85    , m_callLinkInfoIndex(UINT_MAX)
    8186    , m_pcToCodeOriginMapBuilder(*vm)
    8287    , m_canBeOptimized(false)
     
    273278
    274279        switch (opcodeID) {
    275         DEFINE_SLOW_OP(in_by_val)
     280        DEFINE_SLOW_OP(in)
    276281        DEFINE_SLOW_OP(less)
    277282        DEFINE_SLOW_OP(lesseq)
     
    337342        DEFINE_OP(op_beloweq)
    338343        DEFINE_OP(op_try_get_by_id)
    339         DEFINE_OP(op_in_by_id)
    340344        case op_get_array_length:
    341345        case op_get_by_id_proto_load:
     
    475479    m_getByIdWithThisIndex = 0;
    476480    m_putByIdIndex = 0;
    477     m_inByIdIndex = 0;
    478481    m_instanceOfIndex = 0;
    479482    m_byValInstructionIndex = 0;
     
    519522        DEFINE_SLOWCASE_OP(op_eq)
    520523        DEFINE_SLOWCASE_OP(op_try_get_by_id)
    521         DEFINE_SLOWCASE_OP(op_in_by_id)
    522524        case op_get_array_length:
    523525        case op_get_by_id_proto_load:
     
    599601    RELEASE_ASSERT(m_getByIdWithThisIndex == m_getByIdsWithThis.size());
    600602    RELEASE_ASSERT(m_putByIdIndex == m_putByIds.size());
    601     RELEASE_ASSERT(m_inByIdIndex == m_inByIds.size());
    602603    RELEASE_ASSERT(m_instanceOfIndex == m_instanceOfs.size());
    603604    RELEASE_ASSERT(m_callLinkInfoIndex == m_callCompilationInfo.size());
     
    842843    finalizeInlineCaches(m_getByIdsWithThis, patchBuffer);
    843844    finalizeInlineCaches(m_putByIds, patchBuffer);
    844     finalizeInlineCaches(m_inByIds, patchBuffer);
    845845    finalizeInlineCaches(m_instanceOfs, patchBuffer);
    846846
  • trunk/Source/JavaScriptCore/jit/JIT.h

    r231998 r232029  
    501501        void emit_op_get_by_val(Instruction*);
    502502        void emit_op_get_argument_by_val(Instruction*);
    503         void emit_op_in_by_id(Instruction*);
    504503        void emit_op_init_lazy_reg(Instruction*);
    505504        void emit_op_overrides_has_instance(Instruction*);
     
    613612        void emitSlow_op_get_by_val(Instruction*, Vector<SlowCaseEntry>::iterator&);
    614613        void emitSlow_op_get_argument_by_val(Instruction*, Vector<SlowCaseEntry>::iterator&);
    615         void emitSlow_op_in_by_id(Instruction*, Vector<SlowCaseEntry>::iterator&);
    616614        void emitSlow_op_instanceof(Instruction*, Vector<SlowCaseEntry>::iterator&);
    617615        void emitSlow_op_instanceof_custom(Instruction*, Vector<SlowCaseEntry>::iterator&);
     
    868866        Vector<JITGetByIdWithThisGenerator> m_getByIdsWithThis;
    869867        Vector<JITPutByIdGenerator> m_putByIds;
    870         Vector<JITInByIdGenerator> m_inByIds;
    871868        Vector<JITInstanceOfGenerator> m_instanceOfs;
    872869        Vector<ByValCompilationInfo> m_byValCompilationInfo;
     
    882879        Label m_exceptionHandler;
    883880
    884         unsigned m_getByIdIndex { UINT_MAX };
    885         unsigned m_getByIdWithThisIndex { UINT_MAX };
    886         unsigned m_putByIdIndex { UINT_MAX };
    887         unsigned m_inByIdIndex { UINT_MAX };
    888         unsigned m_instanceOfIndex { UINT_MAX };
    889         unsigned m_byValInstructionIndex { UINT_MAX };
    890         unsigned m_callLinkInfoIndex { UINT_MAX };
     881        unsigned m_getByIdIndex;
     882        unsigned m_getByIdWithThisIndex;
     883        unsigned m_putByIdIndex;
     884        unsigned m_instanceOfIndex;
     885        unsigned m_byValInstructionIndex;
     886        unsigned m_callLinkInfoIndex;
    891887       
    892888        Label m_arityCheck;
  • trunk/Source/JavaScriptCore/jit/JITInlineCacheGenerator.cpp

    r231998 r232029  
    167167}
    168168
    169 JITInByIdGenerator::JITInByIdGenerator(
    170     CodeBlock* codeBlock, CodeOrigin codeOrigin, CallSiteIndex callSite, const RegisterSet& usedRegisters,
    171     UniquedStringImpl* propertyName, JSValueRegs base, JSValueRegs value)
    172     : JITByIdGenerator(codeBlock, codeOrigin, callSite, AccessType::In, usedRegisters, base, value)
    173 {
    174     // FIXME: We are not supporting fast path for "length" property.
    175     UNUSED_PARAM(propertyName);
    176     RELEASE_ASSERT(base.payloadGPR() != value.tagGPR());
    177 }
    178 
    179 void JITInByIdGenerator::generateFastPath(MacroAssembler& jit)
    180 {
    181     generateFastCommon(jit, InlineAccess::sizeForPropertyAccess());
    182 }
    183 
    184169JITInstanceOfGenerator::JITInstanceOfGenerator(
    185170    CodeBlock* codeBlock, CodeOrigin codeOrigin, CallSiteIndex callSiteIndex,
  • trunk/Source/JavaScriptCore/jit/JITInlineCacheGenerator.h

    r231998 r232029  
    144144};
    145145
    146 class JITInByIdGenerator : public JITByIdGenerator {
    147 public:
    148     JITInByIdGenerator() { }
    149 
    150     JITInByIdGenerator(
    151         CodeBlock*, CodeOrigin, CallSiteIndex, const RegisterSet& usedRegisters, UniquedStringImpl* propertyName,
    152         JSValueRegs base, JSValueRegs value);
    153 
    154     void generateFastPath(MacroAssembler&);
    155 };
    156 
    157146class JITInstanceOfGenerator : public JITInlineCacheGenerator {
    158147public:
  • trunk/Source/JavaScriptCore/jit/JITOperations.cpp

    r232017 r232029  
    378378}
    379379
    380 EncodedJSValue JIT_OPERATION operationInById(ExecState* exec, StructureStubInfo* stubInfo, EncodedJSValue base, UniquedStringImpl* uid)
     380EncodedJSValue JIT_OPERATION operationInOptimize(ExecState* exec, StructureStubInfo* stubInfo, JSCell* base, UniquedStringImpl* key)
    381381{
    382382    SuperSamplerScope superSamplerScope(false);
    383 
    384     VM& vm = exec->vm();
    385     NativeCallFrameTracer tracer(&vm, exec);
    386     auto scope = DECLARE_THROW_SCOPE(vm);
     383   
     384    VM* vm = &exec->vm();
     385    NativeCallFrameTracer tracer(vm, exec);
     386    auto scope = DECLARE_THROW_SCOPE(*vm);
     387
     388    if (!base->isObject()) {
     389        throwException(exec, scope, createInvalidInParameterError(exec, base));
     390        return JSValue::encode(jsUndefined());
     391    }
     392   
     393    AccessType accessType = static_cast<AccessType>(stubInfo->accessType);
     394
     395    Identifier ident = Identifier::fromUid(vm, key);
     396    LOG_IC((ICEvent::OperationInOptimize, base->classInfo(*vm), ident));
     397    PropertySlot slot(base, PropertySlot::InternalMethodType::HasProperty);
     398    bool result = asObject(base)->getPropertySlot(exec, ident, slot);
     399    RETURN_IF_EXCEPTION(scope, encodedJSValue());
     400   
     401    RELEASE_ASSERT(accessType == stubInfo->accessType);
     402   
     403    if (stubInfo->considerCaching(exec->codeBlock(), asObject(base)->structure()))
     404        repatchIn(exec, base, ident, result, slot, *stubInfo);
     405   
     406    return JSValue::encode(jsBoolean(result));
     407}
     408
     409EncodedJSValue JIT_OPERATION operationIn(ExecState* exec, StructureStubInfo* stubInfo, JSCell* base, UniquedStringImpl* key)
     410{
     411    SuperSamplerScope superSamplerScope(false);
     412   
     413    VM* vm = &exec->vm();
     414    NativeCallFrameTracer tracer(vm, exec);
     415    auto scope = DECLARE_THROW_SCOPE(*vm);
    387416
    388417    stubInfo->tookSlowPath = true;
    389418
    390     Identifier ident = Identifier::fromUid(&vm, uid);
    391 
    392     JSValue baseValue = JSValue::decode(base);
    393     if (!baseValue.isObject()) {
    394         throwException(exec, scope, createInvalidInParameterError(exec, baseValue));
     419    if (!base->isObject()) {
     420        throwException(exec, scope, createInvalidInParameterError(exec, base));
    395421        return JSValue::encode(jsUndefined());
    396422    }
    397     JSObject* baseObject = asObject(baseValue);
    398 
    399     LOG_IC((ICEvent::OperationInById, baseObject->classInfo(vm), ident));
    400 
     423
     424    Identifier ident = Identifier::fromUid(vm, key);
     425    LOG_IC((ICEvent::OperationIn, base->classInfo(*vm), ident));
    401426    scope.release();
    402     PropertySlot slot(baseObject, PropertySlot::InternalMethodType::HasProperty);
    403     return JSValue::encode(jsBoolean(baseObject->getPropertySlot(exec, ident, slot)));
    404 }
    405 
    406 EncodedJSValue JIT_OPERATION operationInByIdGeneric(ExecState* exec, EncodedJSValue base, UniquedStringImpl* uid)
     427    return JSValue::encode(jsBoolean(asObject(base)->hasProperty(exec, ident)));
     428}
     429
     430EncodedJSValue JIT_OPERATION operationGenericIn(ExecState* exec, JSCell* base, EncodedJSValue key)
    407431{
    408432    SuperSamplerScope superSamplerScope(false);
    409 
    410     VM& vm = exec->vm();
    411     NativeCallFrameTracer tracer(&vm, exec);
    412     auto scope = DECLARE_THROW_SCOPE(vm);
    413 
    414     Identifier ident = Identifier::fromUid(&vm, uid);
    415 
    416     JSValue baseValue = JSValue::decode(base);
    417     if (!baseValue.isObject()) {
    418         throwException(exec, scope, createInvalidInParameterError(exec, baseValue));
    419         return JSValue::encode(jsUndefined());
    420     }
    421     JSObject* baseObject = asObject(baseValue);
    422 
    423     LOG_IC((ICEvent::OperationInByIdGeneric, baseObject->classInfo(vm), ident));
    424 
    425     scope.release();
    426     PropertySlot slot(baseObject, PropertySlot::InternalMethodType::HasProperty);
    427     return JSValue::encode(jsBoolean(baseObject->getPropertySlot(exec, ident, slot)));
    428 }
    429 
    430 EncodedJSValue JIT_OPERATION operationInByIdOptimize(ExecState* exec, StructureStubInfo* stubInfo, EncodedJSValue base, UniquedStringImpl* uid)
    431 {
    432     SuperSamplerScope superSamplerScope(false);
    433 
    434     VM& vm = exec->vm();
    435     NativeCallFrameTracer tracer(&vm, exec);
    436     auto scope = DECLARE_THROW_SCOPE(vm);
    437 
    438     Identifier ident = Identifier::fromUid(&vm, uid);
    439 
    440     JSValue baseValue = JSValue::decode(base);
    441     if (!baseValue.isObject()) {
    442         throwException(exec, scope, createInvalidInParameterError(exec, baseValue));
    443         return JSValue::encode(jsUndefined());
    444     }
    445     JSObject* baseObject = asObject(baseValue);
    446 
    447     LOG_IC((ICEvent::OperationInByIdOptimize, baseObject->classInfo(vm), ident));
    448 
    449     scope.release();
    450     PropertySlot slot(baseObject, PropertySlot::InternalMethodType::HasProperty);
    451     bool found = baseObject->getPropertySlot(exec, ident, slot);
    452     if (stubInfo->considerCaching(exec->codeBlock(), baseObject->structure(vm)))
    453         repatchInByID(exec, baseObject, ident, found, slot, *stubInfo);
    454     return JSValue::encode(jsBoolean(found));
    455 }
    456 
    457 EncodedJSValue JIT_OPERATION operationInByVal(ExecState* exec, JSCell* base, EncodedJSValue key)
    458 {
    459     SuperSamplerScope superSamplerScope(false);
    460    
    461     VM* vm = &exec->vm();
    462     NativeCallFrameTracer tracer(vm, exec);
    463 
    464     return JSValue::encode(jsBoolean(CommonSlowPaths::opInByVal(exec, base, JSValue::decode(key))));
     433   
     434    VM* vm = &exec->vm();
     435    NativeCallFrameTracer tracer(vm, exec);
     436
     437    return JSValue::encode(jsBoolean(CommonSlowPaths::opIn(exec, base, JSValue::decode(key))));
    465438}
    466439
  • trunk/Source/JavaScriptCore/jit/JITOperations.h

    r231998 r232029  
    372372EncodedJSValue JIT_OPERATION operationGetByIdDirectGeneric(ExecState*, EncodedJSValue, UniquedStringImpl*) WTF_INTERNAL;
    373373EncodedJSValue JIT_OPERATION operationGetByIdDirectOptimize(ExecState*, StructureStubInfo*, EncodedJSValue, UniquedStringImpl*) WTF_INTERNAL;
    374 EncodedJSValue JIT_OPERATION operationInById(ExecState*, StructureStubInfo*, EncodedJSValue, UniquedStringImpl*) WTF_INTERNAL;
    375 EncodedJSValue JIT_OPERATION operationInByIdGeneric(ExecState*, EncodedJSValue, UniquedStringImpl*) WTF_INTERNAL;
    376 EncodedJSValue JIT_OPERATION operationInByIdOptimize(ExecState*, StructureStubInfo*, EncodedJSValue, UniquedStringImpl*) WTF_INTERNAL;
    377374EncodedJSValue JIT_OPERATION operationInOptimize(ExecState*, StructureStubInfo*, JSCell*, UniquedStringImpl*) WTF_INTERNAL;
    378375EncodedJSValue JIT_OPERATION operationIn(ExecState*, StructureStubInfo*, JSCell*, UniquedStringImpl*) WTF_INTERNAL;
    379 EncodedJSValue JIT_OPERATION operationInByVal(ExecState*, JSCell*, EncodedJSValue) WTF_INTERNAL;
     376EncodedJSValue JIT_OPERATION operationGenericIn(ExecState*, JSCell*, EncodedJSValue) WTF_INTERNAL;
    380377void JIT_OPERATION operationPutByIdStrict(ExecState*, StructureStubInfo*, EncodedJSValue encodedValue, EncodedJSValue encodedBase, UniquedStringImpl*) WTF_INTERNAL;
    381378void JIT_OPERATION operationPutByIdNonStrict(ExecState*, StructureStubInfo*, EncodedJSValue encodedValue, EncodedJSValue encodedBase, UniquedStringImpl*) WTF_INTERNAL;
  • trunk/Source/JavaScriptCore/jit/JITPropertyAccess.cpp

    r231998 r232029  
    748748
    749749    Call call = callOperation(gen.slowPathFunction(), gen.stubInfo(), regT1, regT0, ident->impl());
    750 
    751     gen.reportSlowPathCall(coldPathBegin, call);
    752 }
    753 
    754 void JIT::emit_op_in_by_id(Instruction* currentInstruction)
    755 {
    756     int resultVReg = currentInstruction[1].u.operand;
    757     int baseVReg = currentInstruction[2].u.operand;
    758     const Identifier* ident = &(m_codeBlock->identifier(currentInstruction[3].u.operand));
    759 
    760     emitGetVirtualRegister(baseVReg, regT0);
    761 
    762     emitJumpSlowCaseIfNotJSCell(regT0, baseVReg);
    763 
    764     JITInByIdGenerator gen(
    765         m_codeBlock, CodeOrigin(m_bytecodeOffset), CallSiteIndex(m_bytecodeOffset), RegisterSet::stubUnavailableRegisters(),
    766         ident->impl(), JSValueRegs(regT0), JSValueRegs(regT0));
    767     gen.generateFastPath(*this);
    768     addSlowCase(gen.slowPathJump());
    769     m_inByIds.append(gen);
    770 
    771     emitPutVirtualRegister(resultVReg);
    772 }
    773 
    774 void JIT::emitSlow_op_in_by_id(Instruction* currentInstruction, Vector<SlowCaseEntry>::iterator& iter)
    775 {
    776     linkAllSlowCases(iter);
    777 
    778     int resultVReg = currentInstruction[1].u.operand;
    779     const Identifier* ident = &(m_codeBlock->identifier(currentInstruction[3].u.operand));
    780 
    781     JITInByIdGenerator& gen = m_inByIds[m_inByIdIndex++];
    782 
    783     Label coldPathBegin = label();
    784 
    785     Call call = callOperation(operationInByIdOptimize, resultVReg, gen.stubInfo(), regT0, ident->impl());
    786750
    787751    gen.reportSlowPathCall(coldPathBegin, call);
  • trunk/Source/JavaScriptCore/jit/JITPropertyAccess32_64.cpp

    r232017 r232029  
    769769        gen.slowPathFunction(), gen.stubInfo(), JSValueRegs(regT3, regT2), JSValueRegs(regT1, regT0), ident->impl());
    770770   
    771     gen.reportSlowPathCall(coldPathBegin, call);
    772 }
    773 
    774 void JIT::emit_op_in_by_id(Instruction* currentInstruction)
    775 {
    776     int dst = currentInstruction[1].u.operand;
    777     int base = currentInstruction[2].u.operand;
    778     const Identifier* ident = &(m_codeBlock->identifier(currentInstruction[3].u.operand));
    779 
    780     emitLoad(base, regT1, regT0);
    781     emitJumpSlowCaseIfNotJSCell(base, regT1);
    782 
    783     JITInByIdGenerator gen(
    784         m_codeBlock, CodeOrigin(m_bytecodeOffset), CallSiteIndex(currentInstruction), RegisterSet::stubUnavailableRegisters(),
    785         ident->impl(), JSValueRegs::payloadOnly(regT0), JSValueRegs(regT1, regT0));
    786     gen.generateFastPath(*this);
    787     addSlowCase(gen.slowPathJump());
    788     m_inByIds.append(gen);
    789 
    790     emitStore(dst, regT1, regT0);
    791 }
    792 
    793 void JIT::emitSlow_op_in_by_id(Instruction* currentInstruction, Vector<SlowCaseEntry>::iterator& iter)
    794 {
    795     linkAllSlowCases(iter);
    796 
    797     int resultVReg = currentInstruction[1].u.operand;
    798     const Identifier* ident = &(m_codeBlock->identifier(currentInstruction[3].u.operand));
    799 
    800     JITInByIdGenerator& gen = m_inByIds[m_getByIdIndex++];
    801 
    802     Label coldPathBegin = label();
    803 
    804     Call call = callOperation(operationInByIdOptimize, resultVReg, gen.stubInfo(), JSValueRegs(regT1, regT0), ident->impl());
    805 
    806771    gen.reportSlowPathCall(coldPathBegin, call);
    807772}
  • trunk/Source/JavaScriptCore/jit/Repatch.cpp

    r231998 r232029  
    606606}
    607607
    608 static InlineCacheAction tryCacheInByID(
    609     ExecState* exec, JSObject* base, const Identifier& ident,
     608static InlineCacheAction tryCacheIn(
     609    ExecState* exec, JSCell* base, const Identifier& ident,
    610610    bool wasFound, const PropertySlot& slot, StructureStubInfo& stubInfo)
    611611{
     
    632632        ObjectPropertyConditionSet conditionSet;
    633633        if (wasFound) {
    634             InlineCacheAction action = actionForCell(vm, base);
    635             if (action != AttemptToCache)
    636                 return action;
    637 
    638             // Optimize self access.
    639             if (stubInfo.cacheType == CacheType::Unset
    640                 && slot.isCacheableValue()
    641                 && slot.slotBase() == base
    642                 && !slot.watchpointSet()
    643                 && !structure->needImpurePropertyWatchpoint()) {
    644                 bool generatedCodeInline = InlineAccess::generateSelfInAccess(stubInfo, structure);
    645                 if (generatedCodeInline) {
    646                     LOG_IC((ICEvent::InByIdSelfPatch, structure->classInfo(), ident));
    647                     structure->startWatchingPropertyForReplacements(vm, slot.cachedOffset());
    648                     ftlThunkAwareRepatchCall(codeBlock, stubInfo.slowPathCallLocation(), operationInByIdOptimize);
    649                     stubInfo.initInByIdSelf(codeBlock, structure, slot.cachedOffset());
    650                     return RetryCacheLater;
    651                 }
    652             }
    653 
    654634            if (slot.slotBase() != base) {
    655635                bool usesPolyProto;
     
    685665
    686666        std::unique_ptr<AccessCase> newCase = AccessCase::create(
    687             vm, codeBlock, wasFound ? AccessCase::InHit : AccessCase::InMiss, wasFound ? slot.cachedOffset() : invalidOffset, structure, conditionSet, WTFMove(prototypeAccessChain));
     667            vm, codeBlock, wasFound ? AccessCase::InHit : AccessCase::InMiss, invalidOffset, structure, conditionSet, WTFMove(prototypeAccessChain));
    688668
    689669        result = stubInfo.addAccessCase(locker, codeBlock, ident, WTFMove(newCase));
     
    693673           
    694674            RELEASE_ASSERT(result.code());
    695             InlineAccess::rewireStubAsJump(stubInfo, CodeLocationLabel<JITStubRoutinePtrTag>(result.code()));
     675
     676            MacroAssembler::repatchJump(
     677                stubInfo.patchableJump(),
     678                CodeLocationLabel<JITStubRoutinePtrTag>(result.code()));
    696679        }
    697680    }
     
    702685}
    703686
    704 void repatchInByID(ExecState* exec, JSObject* baseObject, const Identifier& propertyName, bool wasFound, const PropertySlot& slot, StructureStubInfo& stubInfo)
     687void repatchIn(
     688    ExecState* exec, JSCell* base, const Identifier& ident, bool wasFound,
     689    const PropertySlot& slot, StructureStubInfo& stubInfo)
    705690{
    706691    SuperSamplerScope superSamplerScope(false);
    707 
    708     if (tryCacheInByID(exec, baseObject, propertyName, wasFound, slot, stubInfo) == GiveUpOnCache) {
    709         CodeBlock* codeBlock = exec->codeBlock();
    710         ftlThunkAwareRepatchCall(codeBlock, stubInfo.slowPathCallLocation(), operationInById);
    711     }
     692    if (tryCacheIn(exec, base, ident, wasFound, slot, stubInfo) == GiveUpOnCache)
     693        ftlThunkAwareRepatchCall(exec->codeBlock(), stubInfo.slowPathCallLocation(), operationIn);
    712694}
    713695
     
    12551237}
    12561238
    1257 void resetInByID(CodeBlock* codeBlock, StructureStubInfo& stubInfo)
    1258 {
    1259     ftlThunkAwareRepatchCall(codeBlock, stubInfo.slowPathCallLocation(), operationInByIdOptimize);
    1260     InlineAccess::rewireStubAsJump(stubInfo, stubInfo.slowPathStartLocation());
     1239void resetIn(StructureStubInfo& stubInfo)
     1240{
     1241    resetPatchableJump(stubInfo);
    12611242}
    12621243
  • trunk/Source/JavaScriptCore/jit/Repatch.h

    r231998 r232029  
    4545void repatchPutByID(ExecState*, JSValue, Structure*, const Identifier&, const PutPropertySlot&, StructureStubInfo&, PutKind);
    4646void buildPutByIdList(ExecState*, JSValue, Structure*, const Identifier&, const PutPropertySlot&, StructureStubInfo&, PutKind);
    47 void repatchInByID(ExecState*, JSObject*, const Identifier&, bool wasFound, const PropertySlot&, StructureStubInfo&);
     47void repatchIn(ExecState*, JSCell*, const Identifier&, bool wasFound, const PropertySlot&, StructureStubInfo&);
    4848void repatchInstanceOf(ExecState*, JSValue value, JSValue prototype, StructureStubInfo&, bool wasFound);
    4949void linkFor(ExecState*, CallLinkInfo&, CodeBlock*, JSObject* callee, MacroAssemblerCodePtr<JSEntryPtrTag>);
     
    5555void resetGetByID(CodeBlock*, StructureStubInfo&, GetByIDKind);
    5656void resetPutByID(CodeBlock*, StructureStubInfo&);
    57 void resetInByID(CodeBlock*, StructureStubInfo&);
     57void resetIn(StructureStubInfo&);
    5858void resetInstanceOf(StructureStubInfo&);
    5959void ftlThunkAwareRepatchCall(CodeBlock*, CodeLocationCall<JSInternalPtrTag>, FunctionPtr<CFunctionPtrTag> newCalleeFunction);
  • trunk/Source/JavaScriptCore/llint/LowLevelInterpreter.asm

    r231998 r232029  
    15081508
    15091509
    1510 _llint_op_in_by_id:
    1511     traceExecution()
    1512     callSlowPath(_slow_path_in_by_id)
    1513     dispatch(constexpr op_in_by_id_length)
    1514 
    1515 
    1516 _llint_op_in_by_val:
    1517     traceExecution()
    1518     callSlowPath(_slow_path_in_by_val)
    1519     dispatch(constexpr op_in_by_val_length)
     1510_llint_op_in:
     1511    traceExecution()
     1512    callSlowPath(_slow_path_in)
     1513    dispatch(constexpr op_in_length)
    15201514
    15211515
  • trunk/Source/JavaScriptCore/llint/LowLevelInterpreter64.asm

    r231998 r232029  
    15521552    callSlowPath(_llint_slow_path_put_by_id)
    15531553    dispatch(constexpr op_put_by_id_length)
    1554 
    15551554
    15561555macro finishGetByVal(result, scratch)
  • trunk/Source/JavaScriptCore/parser/NodeConstructors.h

    r231998 r232029  
    624624
    625625    inline InNode::InNode(const JSTokenLocation& location, ExpressionNode* expr1, ExpressionNode* expr2, bool rightHasAssignments)
    626         : ThrowableBinaryOpNode(location, expr1, expr2, op_in_by_val, rightHasAssignments)
     626        : ThrowableBinaryOpNode(location, expr1, expr2, op_in, rightHasAssignments)
    627627    {
    628628    }
  • trunk/Source/JavaScriptCore/runtime/CommonSlowPaths.cpp

    r231998 r232029  
    649649}
    650650
    651 SLOW_PATH_DECL(slow_path_in_by_val)
    652 {
    653     BEGIN();
    654     RETURN(jsBoolean(CommonSlowPaths::opInByVal(exec, OP_C(2).jsValue(), OP_C(3).jsValue(), pc[4].u.arrayProfile)));
    655 }
    656 
    657 SLOW_PATH_DECL(slow_path_in_by_id)
    658 {
    659     BEGIN();
    660 
    661     JSValue baseValue = OP_C(2).jsValue();
    662     if (!baseValue.isObject())
    663         THROW(createInvalidInParameterError(exec, baseValue));
    664 
    665     RETURN(jsBoolean(asObject(baseValue)->hasProperty(exec, exec->codeBlock()->identifier(pc[3].u.operand))));
     651SLOW_PATH_DECL(slow_path_in)
     652{
     653    BEGIN();
     654    RETURN(jsBoolean(CommonSlowPaths::opIn(exec, OP_C(2).jsValue(), OP_C(3).jsValue(), pc[4].u.arrayProfile)));
    666655}
    667656
  • trunk/Source/JavaScriptCore/runtime/CommonSlowPaths.h

    r231998 r232029  
    8686}
    8787
    88 inline bool opInByVal(ExecState* exec, JSValue baseVal, JSValue propName, ArrayProfile* arrayProfile = nullptr)
     88inline bool opIn(ExecState* exec, JSValue baseVal, JSValue propName, ArrayProfile* arrayProfile = nullptr)
    8989{
    9090    VM& vm = exec->vm();
     
    309309SLOW_PATH_HIDDEN_DECL(slow_path_is_object_or_null);
    310310SLOW_PATH_HIDDEN_DECL(slow_path_is_function);
    311 SLOW_PATH_HIDDEN_DECL(slow_path_in_by_id);
    312 SLOW_PATH_HIDDEN_DECL(slow_path_in_by_val);
     311SLOW_PATH_HIDDEN_DECL(slow_path_in);
    313312SLOW_PATH_HIDDEN_DECL(slow_path_del_by_val);
    314313SLOW_PATH_HIDDEN_DECL(slow_path_strcat);
Note: See TracChangeset for help on using the changeset viewer.