Changeset 240114 in webkit

Timestamp:

Jan 17, 2019 9:50:27 AM (5 years ago)

Author:

sbarati@apple.com

Message:

StringObjectUse should not be a structure check for the original string object structure
​https://bugs.webkit.org/show_bug.cgi?id=193483
<rdar://problem/47280522>

Reviewed by Yusuke Suzuki.

JSTests:

• stress/cant-eliminate-string-object-structure-check-when-string-object-is-proven.js: Added.

(foo):
(a.valueOf.0):

Source/JavaScriptCore:

Prior to this patch, the use kind for StringObjectUse implied that we
do a StructureCheck on the input operand for the *original* StringObject
structure. This is generally not how we use UseKinds, so it's no surprise
that this is buggy. A UseKind should map to a set of SpeculatedTypes, not an
actual set of structures. This patch changes the meaning of StringObjectUse
to mean an object where jsDynamicCast<StringObject*> would succeed.

This patch also fixes a bug that was caused by the old and weird usage of the
UseKind to mean StructureCheck. Consider a program like this:
`
S1 = Original StringObject structure
S2 = Original StringObject structure with the field "f" added

a: GetLocal()
b: CheckStructure(@a, {S2})
c: ToString(StringObject:@a)
`

According to AI, in the above program, we would exit at @c, since
StringObject:@a implies a structure check of {S1}, and the intersection
of {S1} and {S2} is {}. So, we'd convert the program to be:
`
a: GetLocal()
b: CheckStructure(@a, {S2})
c: Check(StringObject:@a)
d: Unreachable
`

However, AI would set the proof status of the StringObject:@a edge
to be proven, since the SpeculatedType for @a is SpecStringObject.
This was incorrect of AI to do because the SpeculatedType itself
didn't capture the full power of StringObjectUse. However, having
a UseKind mean CheckStructure is weird precisely because what AI was
doing is a natural fit to how we typically we think about UseKinds.

So the above program would then incorrectly be converted to this, and
we'd crash when reaching the Unreachable node:
`
a: GetLocal()
b: CheckStructure(@a, {S2})
d: Unreachable
`

This patch makes it so that StringObjectUse just means that the object that
filters through a StringObjectUse check must !!jsDynamicCast<StringObject*>.
This is now in line with all other UseKinds. It also lets us simplify a bunch
of other code that had weird checks for the StringObjectUse UseKind.

This patch also makes it so that anywhere where we used to rely on
StringObjectUse implying a structure check we actually emit an explicit
CheckStructure node.

• JavaScriptCore.xcodeproj/project.pbxproj:
• bytecode/ExitKind.cpp:

(JSC::exitKindToString):

• bytecode/ExitKind.h:
• dfg/DFGAbstractInterpreterInlines.h:

(JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):

• dfg/DFGCSEPhase.cpp:
• dfg/DFGClobberize.h:

(JSC::DFG::clobberize):

• dfg/DFGEdgeUsesStructure.h: Removed.
• dfg/DFGFixupPhase.cpp:

(JSC::DFG::FixupPhase::attemptToForceStringArrayModeByToStringConversion):
(JSC::DFG::FixupPhase::addCheckStructureForOriginalStringObjectUse):
(JSC::DFG::FixupPhase::fixupToPrimitive):
(JSC::DFG::FixupPhase::fixupToStringOrCallStringConstructor):
(JSC::DFG::FixupPhase::attemptToMakeFastStringAdd):
(JSC::DFG::FixupPhase::isStringObjectUse): Deleted.

• dfg/DFGGraph.cpp:

(JSC::DFG::Graph::canOptimizeStringObjectAccess):

• dfg/DFGMayExit.cpp:
• dfg/DFGSpeculativeJIT.cpp:

(JSC::DFG::SpeculativeJIT::compileToStringOrCallStringConstructorOrStringValueOf):
(JSC::DFG::SpeculativeJIT::speculateStringObject):
(JSC::DFG::SpeculativeJIT::speculateStringOrStringObject):

• dfg/DFGSpeculativeJIT.h:

(JSC::DFG::SpeculativeJIT::speculateStringObjectForStructure): Deleted.

• dfg/DFGUseKind.h:

(JSC::DFG::alreadyChecked):
(JSC::DFG::usesStructure): Deleted.

• ftl/FTLLowerDFGToB3.cpp:

(JSC::FTL::DFG::LowerDFGToB3::compileToStringOrCallStringConstructorOrStringValueOf):
(JSC::FTL::DFG::LowerDFGToB3::speculateStringObject):
(JSC::FTL::DFG::LowerDFGToB3::speculateStringOrStringObject):
(JSC::FTL::DFG::LowerDFGToB3::speculateStringObjectForCell):
(JSC::FTL::DFG::LowerDFGToB3::speculateStringObjectForStructureID): Deleted.

• runtime/JSType.cpp:

(WTF::printInternal):

• runtime/JSType.h:
• runtime/StringObject.h:

(JSC::StringObject::createStructure):

• runtime/StringPrototype.h:

Location:

trunk

Files:

• JSTests/ChangeLog (modified) (1 diff)
• JSTests/stress/cant-eliminate-string-object-structure-check-when-string-object-is-proven.js (added)
• Source/JavaScriptCore/ChangeLog (modified) (1 diff)
• Source/JavaScriptCore/JavaScriptCore.xcodeproj/project.pbxproj (modified) (4 diffs)
• Source/JavaScriptCore/bytecode/ExitKind.cpp (modified) (1 diff)
• Source/JavaScriptCore/bytecode/ExitKind.h (modified) (1 diff)
• Source/JavaScriptCore/dfg/DFGAbstractInterpreterInlines.h (modified) (1 diff)
• Source/JavaScriptCore/dfg/DFGCSEPhase.cpp (modified) (1 diff)
• Source/JavaScriptCore/dfg/DFGClobberize.h (modified) (3 diffs)
• Source/JavaScriptCore/dfg/DFGEdgeUsesStructure.h (deleted)
• Source/JavaScriptCore/dfg/DFGFixupPhase.cpp (modified) (6 diffs)
• Source/JavaScriptCore/dfg/DFGGraph.cpp (modified) (1 diff)
• Source/JavaScriptCore/dfg/DFGMayExit.cpp (modified) (1 diff)
• Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp (modified) (5 diffs)
• Source/JavaScriptCore/dfg/DFGSpeculativeJIT.h (modified) (2 diffs)
• Source/JavaScriptCore/dfg/DFGUseKind.h (modified) (1 diff)
• Source/JavaScriptCore/ftl/FTLLowerDFGToB3.cpp (modified) (6 diffs)
• Source/JavaScriptCore/runtime/JSType.cpp (modified) (1 diff)
• Source/JavaScriptCore/runtime/JSType.h (modified) (1 diff)
• Source/JavaScriptCore/runtime/StringObject.h (modified) (1 diff)
• Source/JavaScriptCore/runtime/StringPrototype.h (modified) (1 diff)

trunk/JSTests/ChangeLog

@@ +1 @@
+2019-01-17  Saam barati  <sbarati@apple.com>
+
+        StringObjectUse should not be a structure check for the original string object structure
+        https://bugs.webkit.org/show_bug.cgi?id=193483
+        <rdar://problem/47280522>
+
+        Reviewed by Yusuke Suzuki.
+
+        * stress/cant-eliminate-string-object-structure-check-when-string-object-is-proven.js: Added.
+        (foo):
+        (a.valueOf.0):
+
 2019-01-17  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
 

trunk/Source/JavaScriptCore/ChangeLog

@@ +1 @@
+2019-01-17  Saam barati  <sbarati@apple.com>
+
+        StringObjectUse should not be a structure check for the original string object structure
+        https://bugs.webkit.org/show_bug.cgi?id=193483
+        <rdar://problem/47280522>
+
+        Reviewed by Yusuke Suzuki.
+
+        Prior to this patch, the use kind for StringObjectUse implied that we
+        do a StructureCheck on the input operand for the *original* StringObject
+        structure. This is generally not how we use UseKinds, so it's no surprise
+        that this is buggy. A UseKind should map to a set of SpeculatedTypes, not an
+        actual set of structures. This patch changes the meaning of StringObjectUse
+        to mean an object where jsDynamicCast<StringObject*> would succeed.
+        
+        This patch also fixes a bug that was caused by the old and weird usage of the
+        UseKind to mean StructureCheck. Consider a program like this:
+        ```
+        S1 = Original StringObject structure
+        S2 = Original StringObject structure with the field "f" added
+        
+        a: GetLocal()
+        b: CheckStructure(@a, {S2})
+        c: ToString(StringObject:@a)
+        ```
+        
+        According to AI, in the above program, we would exit at @c, since
+        StringObject:@a implies a structure check of {S1}, and the intersection
+        of {S1} and {S2} is {}. So, we'd convert the program to be:
+        ```
+        a: GetLocal()
+        b: CheckStructure(@a, {S2})
+        c: Check(StringObject:@a)
+        d: Unreachable
+        ```
+        
+        However, AI would set the proof status of the StringObject:@a edge
+        to be proven, since the SpeculatedType for @a is SpecStringObject.
+        This was incorrect of AI to do because the SpeculatedType itself
+        didn't capture the full power of StringObjectUse. However, having
+        a UseKind mean CheckStructure is weird precisely because what AI was
+        doing is a natural fit to how we typically we think about UseKinds.
+        
+        So the above program would then incorrectly be converted to this, and
+        we'd crash when reaching the Unreachable node:
+        ```
+        a: GetLocal()
+        b: CheckStructure(@a, {S2})
+        d: Unreachable
+        ```
+        
+        This patch makes it so that StringObjectUse just means that the object that
+        filters through a StringObjectUse check must !!jsDynamicCast<StringObject*>.
+        This is now in line with all other UseKinds. It also lets us simplify a bunch
+        of other code that had weird checks for the StringObjectUse UseKind.
+        
+        This patch also makes it so that anywhere where we used to rely on
+        StringObjectUse implying a structure check we actually emit an explicit
+        CheckStructure node.
+
+        * JavaScriptCore.xcodeproj/project.pbxproj:
+        * bytecode/ExitKind.cpp:
+        (JSC::exitKindToString):
+        * bytecode/ExitKind.h:
+        * dfg/DFGAbstractInterpreterInlines.h:
+        (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
+        * dfg/DFGCSEPhase.cpp:
+        * dfg/DFGClobberize.h:
+        (JSC::DFG::clobberize):
+        * dfg/DFGEdgeUsesStructure.h: Removed.
+        * dfg/DFGFixupPhase.cpp:
+        (JSC::DFG::FixupPhase::attemptToForceStringArrayModeByToStringConversion):
+        (JSC::DFG::FixupPhase::addCheckStructureForOriginalStringObjectUse):
+        (JSC::DFG::FixupPhase::fixupToPrimitive):
+        (JSC::DFG::FixupPhase::fixupToStringOrCallStringConstructor):
+        (JSC::DFG::FixupPhase::attemptToMakeFastStringAdd):
+        (JSC::DFG::FixupPhase::isStringObjectUse): Deleted.
+        * dfg/DFGGraph.cpp:
+        (JSC::DFG::Graph::canOptimizeStringObjectAccess):
+        * dfg/DFGMayExit.cpp:
+        * dfg/DFGSpeculativeJIT.cpp:
+        (JSC::DFG::SpeculativeJIT::compileToStringOrCallStringConstructorOrStringValueOf):
+        (JSC::DFG::SpeculativeJIT::speculateStringObject):
+        (JSC::DFG::SpeculativeJIT::speculateStringOrStringObject):
+        * dfg/DFGSpeculativeJIT.h:
+        (JSC::DFG::SpeculativeJIT::speculateStringObjectForStructure): Deleted.
+        * dfg/DFGUseKind.h:
+        (JSC::DFG::alreadyChecked):
+        (JSC::DFG::usesStructure): Deleted.
+        * ftl/FTLLowerDFGToB3.cpp:
+        (JSC::FTL::DFG::LowerDFGToB3::compileToStringOrCallStringConstructorOrStringValueOf):
+        (JSC::FTL::DFG::LowerDFGToB3::speculateStringObject):
+        (JSC::FTL::DFG::LowerDFGToB3::speculateStringOrStringObject):
+        (JSC::FTL::DFG::LowerDFGToB3::speculateStringObjectForCell):
+        (JSC::FTL::DFG::LowerDFGToB3::speculateStringObjectForStructureID): Deleted.
+        * runtime/JSType.cpp:
+        (WTF::printInternal):
+        * runtime/JSType.h:
+        * runtime/StringObject.h:
+        (JSC::StringObject::createStructure):
+        * runtime/StringPrototype.h:
+
 2019-01-17  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
 

trunk/Source/JavaScriptCore/JavaScriptCore.xcodeproj/project.pbxproj

@@ -1465 +1465 @@
                 A790DD6E182F499700588807 /* SetIteratorPrototype.h in Headers */ = {isa = PBXBuildFile; fileRef = A790DD68182F499700588807 /* SetIteratorPrototype.h */; };
                 A790DD70182F499700588807 /* JSSetIterator.h in Headers */ = {isa = PBXBuildFile; fileRef = A790DD6A182F499700588807 /* JSSetIterator.h */; settings = {ATTRIBUTES = (Private, ); }; };
-                A7986D5717A0BB1E00A95DD0 /* DFGEdgeUsesStructure.h in Headers */ = {isa = PBXBuildFile; fileRef = A7986D5617A0BB1E00A95DD0 /* DFGEdgeUsesStructure.h */; };
                 A79D3ED9C5064DD0A8466A3A /* ModuleScopeData.h in Headers */ = {isa = PBXBuildFile; fileRef = 000BEAF0DF604481AF6AB68C /* ModuleScopeData.h */; settings = {ATTRIBUTES = (Private, ); }; };
                 A7A8AF3517ADB5F3005AB174 /* ArrayBuffer.h in Headers */ = {isa = PBXBuildFile; fileRef = A7A8AF2617ADB5F3005AB174 /* ArrayBuffer.h */; settings = {ATTRIBUTES = (Private, ); }; };
@@ -4269 +4268 @@
                 A790DD69182F499700588807 /* JSSetIterator.cpp */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.cpp.cpp; path = JSSetIterator.cpp; sourceTree = "<group>"; };
                 A790DD6A182F499700588807 /* JSSetIterator.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = JSSetIterator.h; sourceTree = "<group>"; };
-                A7986D5617A0BB1E00A95DD0 /* DFGEdgeUsesStructure.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; name = DFGEdgeUsesStructure.h; path = dfg/DFGEdgeUsesStructure.h; sourceTree = "<group>"; };
                 A79E781E15EECBA80047C855 /* UnlinkedCodeBlock.cpp */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.cpp.cpp; path = UnlinkedCodeBlock.cpp; sourceTree = "<group>"; };
                 A79E781F15EECBA80047C855 /* UnlinkedCodeBlock.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = UnlinkedCodeBlock.h; sourceTree = "<group>"; };
@@ -7370 +7368 @@
                                 0F66E16914DF3F1300B7B2E4 /* DFGEdge.h */,
                                 A7D9A29117A0BC7400EE2618 /* DFGEdgeDominates.h */,
-                                A7986D5617A0BB1E00A95DD0 /* DFGEdgeUsesStructure.h */,
                                 0F8F142F1ADF090100ED792C /* DFGEpoch.cpp */,
                                 0F8F14301ADF090100ED792C /* DFGEpoch.h */,
@@ -8751 +8748 @@
                                 0F66E16C14DF3F1600B7B2E4 /* DFGEdge.h in Headers */,
                                 A7D9A29617A0BC7400EE2618 /* DFGEdgeDominates.h in Headers */,
-                                A7986D5717A0BB1E00A95DD0 /* DFGEdgeUsesStructure.h in Headers */,
                                 0F8F14341ADF090100ED792C /* DFGEpoch.h in Headers */,
                                 0FBC0AE81496C7C700D4FBDD /* DFGExitProfile.h in Headers */,

trunk/Source/JavaScriptCore/bytecode/ExitKind.cpp

@@ -71 +71 @@
     case ExoticObjectMode:
         return "ExoticObjectMode";
-    case NotStringObject:
-        return "NotStringObject";
     case VarargsOverflow:
         return "VarargsOverflow";

trunk/Source/JavaScriptCore/bytecode/ExitKind.h

@@ -47 +47 @@
     ArgumentsEscaped, // We exited because arguments escaped but we didn't expect them to.
     ExoticObjectMode, // We exited because some exotic object that we were accessing was in an exotic mode (like Arguments with slow arguments).
-    NotStringObject, // We exited because we shouldn't have attempted to optimize string object access.
     VarargsOverflow, // We exited because a varargs call passed more arguments than we expected.
     TDZFailure, // We exited because we were in the TDZ and accessed the variable.

trunk/Source/JavaScriptCore/dfg/DFGAbstractInterpreterInlines.h

@@ -2422 +2422 @@
         switch (node->child1().useKind()) {
         case StringObjectUse:
-            // This also filters that the StringObject has the primordial StringObject
-            // structure.
-            filter(
-                node->child1(),
-                m_graph.registerStructure(m_graph.globalObjectFor(node->origin.semantic)->stringObjectStructure()));
-            break;
         case StringOrStringObjectUse:
         case Int32Use:

trunk/Source/JavaScriptCore/dfg/DFGCSEPhase.cpp

@@ -34 +34 @@
 #include "DFGClobberize.h"
 #include "DFGDominators.h"
-#include "DFGEdgeUsesStructure.h"
 #include "DFGGraph.h"
 #include "DFGPhase.h"

trunk/Source/JavaScriptCore/dfg/DFGClobberize.h

@@ -29 +29 @@
 
 #include "DFGAbstractHeap.h"
-#include "DFGEdgeUsesStructure.h"
 #include "DFGGraph.h"
 #include "DFGHeapLocation.h"
@@ -108 +107 @@
     // just ignore def() by using a NoOpClobberize functor.
 
-    if (edgesUseStructure(graph, node))
-        read(JSCell_structureID);
-    
     // We allow the runtime to perform a stack scan at any time. We don't model which nodes get implemented
     // by calls into the runtime. For debugging we might replace the implementation of any node with a call
@@ -1654 +1650 @@
     case CallStringConstructor:
         switch (node->child1().useKind()) {
+        case CellUse:
+        case UntypedUse:
+            read(World);
+            write(Heap);
+            return;
+
         case StringObjectUse:
         case StringOrStringObjectUse:
-            // These don't def a pure value, unfortunately. I'll avoid load-eliminating these for
-            // now.
-            return;
-            
-        case CellUse:
-        case UntypedUse:
-            read(World);
-            write(Heap);
-            return;
+            // These two StringObjectUse's are pure because if we emit this node with either
+            // of these UseKinds, we'll first emit a StructureCheck ensuring that we're the
+            // original String or StringObject structure. Therefore, we don't have an overridden
+            // valueOf, etc.
 
         case Int32Use:

trunk/Source/JavaScriptCore/dfg/DFGFixupPhase.cpp

@@ -2455 +2455 @@
             return;
         
+        addCheckStructureForOriginalStringObjectUse(useKind, node->origin, node->child1().node());
         createToString<useKind>(node, node->child1());
         arrayMode = ArrayMode(Array::String, Array::Read);
     }
-    
-    template<UseKind useKind>
-    bool isStringObjectUse()
-    {
-        switch (useKind) {
-        case StringObjectUse:
-        case StringOrStringObjectUse:
-            return true;
-        default:
-            return false;
-        }
+
+    void addCheckStructureForOriginalStringObjectUse(UseKind useKind, const NodeOrigin& origin, Node* node)
+    {
+        RELEASE_ASSERT(useKind == StringObjectUse || StringOrStringObjectUse);
+
+        StructureSet set;
+        set.add(m_graph.globalObjectFor(node->origin.semantic)->stringObjectStructure());
+        if (useKind == StringOrStringObjectUse)
+            set.add(vm().stringStructure.get());
+
+        m_insertionSet.insertNode(
+            m_indexInBlock, SpecNone, CheckStructure, origin,
+            OpInfo(m_graph.addStructureSet(set)), Edge(node, CellUse));
     }
     
@@ -2750 +2753 @@
         if (node->child1()->shouldSpeculateStringObject()
             && m_graph.canOptimizeStringObjectAccess(node->origin.semantic)) {
+            addCheckStructureForOriginalStringObjectUse(StringObjectUse, node->origin, node->child1().node());
             fixEdge<StringObjectUse>(node->child1());
             node->convertToToString();
@@ -2757 +2761 @@
         if (node->child1()->shouldSpeculateStringOrStringObject()
             && m_graph.canOptimizeStringObjectAccess(node->origin.semantic)) {
+            addCheckStructureForOriginalStringObjectUse(StringOrStringObjectUse, node->origin, node->child1().node());
             fixEdge<StringOrStringObjectUse>(node->child1());
             node->convertToToString();
@@ -2872 +2877 @@
         if (node->child1()->shouldSpeculateStringObject()
             && m_graph.canOptimizeStringObjectAccess(node->origin.semantic)) {
+            addCheckStructureForOriginalStringObjectUse(StringObjectUse, node->origin, node->child1().node());
             fixEdge<StringObjectUse>(node->child1());
             return;
@@ -2878 +2884 @@
         if (node->child1()->shouldSpeculateStringOrStringObject()
             && m_graph.canOptimizeStringObjectAccess(node->origin.semantic)) {
+            addCheckStructureForOriginalStringObjectUse(StringOrStringObjectUse, node->origin, node->child1().node());
             fixEdge<StringOrStringObjectUse>(node->child1());
             return;
@@ -2976 +2983 @@
                     return;
                 }
-                ASSERT(m_graph.canOptimizeStringObjectAccess(node->origin.semantic));
+                if (!Options::useConcurrentJIT())
+                    ASSERT(m_graph.canOptimizeStringObjectAccess(node->origin.semantic));
                 if (edge->shouldSpeculateStringObject()) {
+                    addCheckStructureForOriginalStringObjectUse(StringObjectUse, node->origin, edge.node());
                     convertStringAddUse<StringObjectUse>(node, edge);
                     return;
                 }
                 if (edge->shouldSpeculateStringOrStringObject()) {
+                    addCheckStructureForOriginalStringObjectUse(StringOrStringObjectUse, node->origin, edge.node());
                     convertStringAddUse<StringOrStringObjectUse>(node, edge);
                     return;

trunk/Source/JavaScriptCore/dfg/DFGGraph.cpp

@@ -1691 +1691 @@
 bool Graph::canOptimizeStringObjectAccess(const CodeOrigin& codeOrigin)
 {
-    if (hasExitSite(codeOrigin, NotStringObject))
+    if (hasExitSite(codeOrigin, BadCache) || hasExitSite(codeOrigin, BadConstantCache))
         return false;
 

trunk/Source/JavaScriptCore/dfg/DFGMayExit.cpp

@@ -176 +176 @@
                 break;
                 
-            // These are shady because they check the structure even if the type of the child node
-            // passes the StringObject type filter.
-            case StringObjectUse:
-            case StringOrStringObjectUse:
-                result = Exits;
-                break;
-                
             default:
                 break;

trunk/Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp

@@ -9469 +9469 @@
         
         speculateStringObject(node->child1(), op1GPR);
-        m_interpreter.filter(node->child1(), SpecStringObject);
 
         m_jit.loadPtr(JITCompiler::Address(op1GPR, JSWrapperObject::internalValueCellOffset()), resultGPR);
@@ -9480 +9479 @@
         GPRReg resultGPR = result.gpr();
 
-        m_jit.load32(JITCompiler::Address(op1GPR, JSCell::structureIDOffset()), resultGPR);
-        JITCompiler::Jump isString = m_jit.branchWeakStructure(
-            JITCompiler::Equal,
-            resultGPR,
-            m_jit.graph().registerStructure(m_jit.vm()->stringStructure.get()));
-
-        speculateStringObjectForStructure(node->child1(), resultGPR);
-        
+        m_jit.load8(JITCompiler::Address(op1GPR, JSCell::typeInfoTypeOffset()), resultGPR);
+        JITCompiler::Jump isString = m_jit.branch32(JITCompiler::Equal, resultGPR, TrustedImm32(StringType));
+
+        speculationCheck(BadType, JSValueSource::unboxedCell(op1GPR), node->child1().node(), m_jit.branch32(JITCompiler::NotEqual, resultGPR, TrustedImm32(StringObjectType)));
         m_jit.loadPtr(JITCompiler::Address(op1GPR, JSWrapperObject::internalValueCellOffset()), resultGPR);
-        
         JITCompiler::Jump done = m_jit.jump();
+
         isString.link(&m_jit);
         m_jit.move(op1GPR, resultGPR);
@@ -10193 +10188 @@
 }
 
-void SpeculativeJIT::speculateStringObject(Edge edge, GPRReg gpr)
-{
-    speculateStringObjectForStructure(edge, JITCompiler::Address(gpr, JSCell::structureIDOffset()));
+void SpeculativeJIT::speculateStringObject(Edge edge, GPRReg cellGPR)
+{
+    DFG_TYPE_CHECK(JSValueSource::unboxedCell(cellGPR), edge, ~SpecCellCheck | SpecStringObject, m_jit.branchIfNotType(cellGPR, StringObjectType));
 }
 
@@ -10205 +10200 @@
     SpeculateCellOperand operand(this, edge);
     GPRReg gpr = operand.gpr();
-    if (!needsTypeCheck(edge, SpecStringObject))
-        return;
-    
     speculateStringObject(edge, gpr);
-    m_interpreter.filter(edge, SpecStringObject);
 }
 
@@ -10222 +10213 @@
         return;
 
-    GPRTemporary structureID(this);
-    GPRReg structureIDGPR = structureID.gpr();
-
-    m_jit.load32(JITCompiler::Address(gpr, JSCell::structureIDOffset()), structureIDGPR); 
-    JITCompiler::Jump isString = m_jit.branchWeakStructure(
-        JITCompiler::Equal,
-        structureIDGPR, 
-        m_jit.graph().registerStructure(m_jit.vm()->stringStructure.get()));
-    
-    speculateStringObjectForStructure(edge, structureIDGPR);
-    
+    GPRTemporary typeTemp(this);
+    GPRReg typeGPR = typeTemp.gpr();
+
+    m_jit.load8(JITCompiler::Address(gpr, JSCell::typeInfoTypeOffset()), typeGPR);
+
+    JITCompiler::Jump isString = m_jit.branch32(JITCompiler::Equal, typeGPR, TrustedImm32(StringType));
+    speculationCheck(BadType, JSValueSource::unboxedCell(gpr), edge.node(), m_jit.branch32(JITCompiler::NotEqual, typeGPR, TrustedImm32(StringObjectType)));
     isString.link(&m_jit);
     

trunk/Source/JavaScriptCore/dfg/DFGSpeculativeJIT.h

@@ -1632 +1632 @@
     void speculateNotStringVar(Edge);
     void speculateNotSymbol(Edge);
-    template<typename StructureLocationType>
-    void speculateStringObjectForStructure(Edge, StructureLocationType);
     void speculateStringObject(Edge, GPRReg);
     void speculateStringObject(Edge);
@@ -2605 +2603 @@
 };
 
-template<typename StructureLocationType>
-void SpeculativeJIT::speculateStringObjectForStructure(Edge edge, StructureLocationType structureLocation)
-{
-    RegisteredStructure stringObjectStructure =
-        m_jit.graph().registerStructure(m_jit.globalObjectFor(m_currentNode->origin.semantic)->stringObjectStructure());
-    
-    if (!m_state.forNode(edge).m_structure.isSubsetOf(RegisteredStructureSet(stringObjectStructure))) {
-        speculationCheck(
-            NotStringObject, JSValueRegs(), 0,
-            m_jit.branchWeakStructure(
-                JITCompiler::NotEqual, structureLocation, stringObjectStructure));
-    }
-}
-
 #define DFG_TYPE_CHECK_WITH_EXIT_KIND(exitKind, source, edge, typesPassedThrough, jumpToFail) do { \
         JSValueSource _dtc_source = (source);                           \

trunk/Source/JavaScriptCore/dfg/DFGUseKind.h

@@ -269 +269 @@
 }
 
-// Returns true if it uses structure in a way that could be clobbered by
-// things that change the structure.
-inline bool usesStructure(UseKind kind)
-{
-    switch (kind) {
-    case StringObjectUse:
-    case StringOrStringObjectUse:
-        return true;
-    default:
-        return false;
-    }
-}
-
 // Returns true if we've already guaranteed the type 
 inline bool alreadyChecked(UseKind kind, SpeculatedType type)
 {
-    // If the check involves the structure then we need to know more than just the type to be sure
-    // that the check is done.
-    if (usesStructure(kind))
-        return false;
-    
     return !(type & ~typeFilterFor(kind));
 }

trunk/Source/JavaScriptCore/ftl/FTLLowerDFGToB3.cpp

@@ -6327 +6327 @@
             LValue cell = lowCell(m_node->child1());
             speculateStringObjectForCell(m_node->child1(), cell);
-            m_interpreter.filter(m_node->child1(), SpecStringObject);
-            
             setJSValue(m_out.loadPtr(cell, m_heaps.JSWrapperObject_internalValue));
             return;
@@ -6335 +6333 @@
         case StringOrStringObjectUse: {
             LValue cell = lowCell(m_node->child1());
-            LValue structureID = m_out.load32(cell, m_heaps.JSCell_structureID);
+            LValue type = m_out.load8ZeroExt32(cell, m_heaps.JSCell_typeInfoType);
             
             LBasicBlock notString = m_out.newBlock();
@@ -6342 +6340 @@
             ValueFromBlock simpleResult = m_out.anchor(cell);
             m_out.branch(
-                m_out.equal(structureID, m_out.constInt32(vm().stringStructure->id())),
+                m_out.equal(type, m_out.constInt32(StringType)),
                 unsure(continuation), unsure(notString));
             
             LBasicBlock lastNext = m_out.appendTo(notString, continuation);
-            speculateStringObjectForStructureID(m_node->child1(), structureID);
+            speculate(
+                BadType, jsValueValue(cell), m_node->child1().node(),
+                m_out.notEqual(type, m_out.constInt32(StringObjectType)));
             ValueFromBlock unboxedResult = m_out.anchor(
                 m_out.loadPtr(cell, m_heaps.JSWrapperObject_internalValue));
@@ -16052 +16052 @@
         
         speculateStringObjectForCell(edge, lowCell(edge));
-        m_interpreter.filter(edge, SpecStringObject);
     }
     
     void speculateStringOrStringObject(Edge edge)
     {
+        if (!m_interpreter.needsTypeCheck(edge, SpecString | SpecStringObject))
+            return;
+
+        LValue cellBase = lowCell(edge);
         if (!m_interpreter.needsTypeCheck(edge, SpecString | SpecStringObject))
             return;
@@ -16063 +16066 @@
         LBasicBlock continuation = m_out.newBlock();
         
-        LValue structureID = m_out.load32(lowCell(edge), m_heaps.JSCell_structureID);
+        LValue type = m_out.load8ZeroExt32(cellBase, m_heaps.JSCell_typeInfoType);
         m_out.branch(
-            m_out.equal(structureID, m_out.constInt32(vm().stringStructure->id())),
+            m_out.equal(type, m_out.constInt32(StringType)),
             unsure(continuation), unsure(notString));
         
         LBasicBlock lastNext = m_out.appendTo(notString, continuation);
-        speculateStringObjectForStructureID(edge, structureID);
+        speculate(
+            BadType, jsValueValue(cellBase), edge.node(),
+            m_out.notEqual(type, m_out.constInt32(StringObjectType)));
         m_out.jump(continuation);
         
         m_out.appendTo(continuation, lastNext);
-        
         m_interpreter.filter(edge, SpecString | SpecStringObject);
     }
@@ -16079 +16083 @@
     void speculateStringObjectForCell(Edge edge, LValue cell)
     {
-        speculateStringObjectForStructureID(edge, m_out.load32(cell, m_heaps.JSCell_structureID));
-    }
-    
-    void speculateStringObjectForStructureID(Edge edge, LValue structureID)
-    {
-        RegisteredStructure stringObjectStructure =
-            m_graph.registerStructure(m_graph.globalObjectFor(m_node->origin.semantic)->stringObjectStructure());
-
-        if (abstractStructure(edge).isSubsetOf(RegisteredStructureSet(stringObjectStructure)))
-            return;
-        
-        speculate(
-            NotStringObject, noValue(), 0,
-            m_out.notEqual(structureID, weakStructureID(stringObjectStructure)));
-    }
-
+        if (!m_interpreter.needsTypeCheck(edge, SpecStringObject))
+            return;
+
+        LValue type = m_out.load8ZeroExt32(cell, m_heaps.JSCell_typeInfoType);
+        FTL_TYPE_CHECK(jsValueValue(cell), edge, SpecStringObject, m_out.notEqual(type, m_out.constInt32(StringObjectType)));
+    }
+    
     void speculateSymbol(Edge edge, LValue cell)
     {

trunk/Source/JavaScriptCore/runtime/JSType.cpp

@@ -101 +101 @@
     CASE(JSWeakSetType)
     CASE(WebAssemblyToJSCalleeType)
+    CASE(StringObjectType)
     CASE(MaxJSType)
     }

trunk/Source/JavaScriptCore/runtime/JSType.h

@@ -111 +111 @@
     JSWeakMapType,
     JSWeakSetType,
+    WebAssemblyToJSCalleeType,
+    StringObjectType,
 
-    WebAssemblyToJSCalleeType,
-
-    LastJSCObjectType = WebAssemblyToJSCalleeType, // This is the last "JSC" Object type. After this, we have embedder's (e.g., WebCore) extended object types.
+    LastJSCObjectType = StringObjectType, // This is the last "JSC" Object type. After this, we have embedder's (e.g., WebCore) extended object types.
     MaxJSType = 0b11111111,
 };

trunk/Source/JavaScriptCore/runtime/StringObject.h

@@ -64 +64 @@
     static Structure* createStructure(VM& vm, JSGlobalObject* globalObject, JSValue prototype)
     {
-        return Structure::create(vm, globalObject, prototype, TypeInfo(ObjectType, StructureFlags), info());
+        return Structure::create(vm, globalObject, prototype, TypeInfo(StringObjectType, StructureFlags), info());
     }
 

trunk/Source/JavaScriptCore/runtime/StringPrototype.h

@@ -42 +42 @@
     static Structure* createStructure(VM& vm, JSGlobalObject* globalObject, JSValue prototype)
     {
-        return Structure::create(vm, globalObject, prototype, TypeInfo(ObjectType, StructureFlags), info());
+        return Structure::create(vm, globalObject, prototype, TypeInfo(StringObjectType, StructureFlags), info());
     }