Changeset 247387 in webkit

Timestamp:

Jul 12, 2019 7:47:36 AM (5 years ago)

Author:

Caio Lima

Message:

[BigInt] Add ValueBitLShift into DFG
​https://bugs.webkit.org/show_bug.cgi?id=192664

Reviewed by Saam Barati.

JSTests:

We are adding tests to cover ValueBitwise operations AI changes.

• stress/big-int-left-shift-untyped.js: Added.
• stress/bit-op-with-object-returning-int32.js:
• stress/value-bit-and-ai-rule.js: Added.
• stress/value-bit-lshift-ai-rule.js: Added.
• stress/value-bit-or-ai-rule.js: Added.
• stress/value-bit-xor-ai-rule.js: Added.

PerformanceTests:

• BigIntBench/big-int-simple-lshift.js: Added.

Source/JavaScriptCore:

This patch is splitting the BitLShift into ArithBitLShift and
ValueBitLShift to handle BigInt speculation more efficiently during
DFG and FTL layers. Following the same approach of other ValueBitOps,
ValueBitLShift handles Untyped and BigInt speculations, while
ArithBitLShift handles number and boolean operands and always results into
Int32.

• bytecode/BytecodeList.rb:
• bytecode/CodeBlock.cpp:

(JSC::CodeBlock::finishCreation):

• bytecode/Opcode.h:
• dfg/DFGAbstractInterpreter.h:
• dfg/DFGAbstractInterpreterInlines.h:

(JSC::DFG::AbstractInterpreter<AbstractStateType>::handleConstantBinaryBitwiseOp):
(JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):

We moved BitLShift constant fold rules to a new method
handleConstantBinaryBitwiseOp to be reused by ArithBitLShift and
ValueBitLShift. This also enables support of constant folding on other
bitwise operations like ValueBitAnd, ValueBitOr and ValueBitXor, when
their binary use kind is UntypedUse. Such cases can happen on those
nodes because fixup phase is conservative.

• dfg/DFGBackwardsPropagationPhase.cpp:

(JSC::DFG::BackwardsPropagationPhase::isWithinPowerOfTwo):
(JSC::DFG::BackwardsPropagationPhase::propagate):

• dfg/DFGByteCodeParser.cpp:

(JSC::DFG::ByteCodeParser::handleIntrinsicGetter):
(JSC::DFG::ByteCodeParser::parseBlock):

We parse op_lshift as ArithBitLShift when its operands are numbers.
Otherwise, we fallback to ValueBitLShift and rely on fixup phase to
convert ValueBitLShift into ArithBitLShift when possible.

• dfg/DFGClobberize.h:

(JSC::DFG::clobberize):

ArithBitLShift has the same clobberize rules as former BitLShift.
ValueBitLShift only clobberize world when it is UntypedUse.

• dfg/DFGDoesGC.cpp:

(JSC::DFG::doesGC):

ValueBitLShift can GC when BigIntUse because it allocates new
JSBigInts to perform this operation. It also can GC on UntypedUse
because of observable user code.

• dfg/DFGFixupPhase.cpp:

(JSC::DFG::FixupPhase::fixupNode):

ValueBitLShift and ArithBitLShift has the same fixup rules of
other binary bitwise operations. In the case of ValueBitLShift
We check if we should speculate on BigInt or Untyped and fallback to
ArithBitLShift when both cheks fail.

• dfg/DFGNode.h:

(JSC::DFG::Node::hasHeapPrediction):

• dfg/DFGNodeType.h:
• dfg/DFGOperations.cpp:

We updated operationValueBitLShift to handle BigInt cases. Also, we
added operationBitLShiftBigInt that is used when we compile
ValueBitLValueBitLShift(BigIntUse).

• dfg/DFGOperations.h:
• dfg/DFGPredictionPropagationPhase.cpp:

ValueBitLShift's prediction propagation rules differs from other
bitwise operations, because using only heap prediction for this node causes
significant performance regression on Octane's zlib and mandreel.
The reason is because of cases where a function is compiled but the
instruction op_lshift was never executed before. If we use
getPrediction() we will emit a ForceOSRExit, resulting in more OSR
than desired. To solve such issue, we are then using
getPredictionWithoutOSR() and falling back to getHeapPrediction()
only on cases where we can't rely on node's input types.

• dfg/DFGSafeToExecute.h:

(JSC::DFG::safeToExecute):

• dfg/DFGSpeculativeJIT.cpp:

(JSC::DFG::SpeculativeJIT::compileValueLShiftOp):
(JSC::DFG::SpeculativeJIT::compileShiftOp):

• dfg/DFGSpeculativeJIT.h:

(JSC::DFG::SpeculativeJIT::shiftOp):

• dfg/DFGSpeculativeJIT32_64.cpp:

(JSC::DFG::SpeculativeJIT::compile):

• dfg/DFGSpeculativeJIT64.cpp:

(JSC::DFG::SpeculativeJIT::compile):

• dfg/DFGStrengthReductionPhase.cpp:

(JSC::DFG::StrengthReductionPhase::handleNode):

• ftl/FTLCapabilities.cpp:

(JSC::FTL::canCompile):

• ftl/FTLLowerDFGToB3.cpp:

(JSC::FTL::DFG::LowerDFGToB3::compileNode):
(JSC::FTL::DFG::LowerDFGToB3::compileArithBitLShift):
(JSC::FTL::DFG::LowerDFGToB3::compileValueBitLShift):
(JSC::FTL::DFG::LowerDFGToB3::compileBitLShift): Deleted.

• llint/LowLevelInterpreter32_64.asm:
• llint/LowLevelInterpreter64.asm:
• runtime/CommonSlowPaths.cpp:

(JSC::SLOW_PATH_DECL):

Location:

trunk

Files:

• JSTests/ChangeLog (modified) (1 diff)
• JSTests/stress/big-int-left-shift-untyped.js (added)
• JSTests/stress/bit-op-with-object-returning-int32.js (modified) (1 diff)
• JSTests/stress/value-bit-and-ai-rule.js (added)
• JSTests/stress/value-bit-lshift-ai-rule.js (added)
• JSTests/stress/value-bit-or-ai-rule.js (added)
• JSTests/stress/value-bit-xor-ai-rule.js (added)
• PerformanceTests/BigIntBench/big-int-simple-lshift.js (added)
• PerformanceTests/ChangeLog (modified) (1 diff)
• Source/JavaScriptCore/ChangeLog (modified) (1 diff)
• Source/JavaScriptCore/bytecode/BytecodeList.rb (modified) (2 diffs)
• Source/JavaScriptCore/bytecode/CodeBlock.cpp (modified) (1 diff)
• Source/JavaScriptCore/bytecode/Opcode.h (modified) (1 diff)
• Source/JavaScriptCore/dfg/DFGAbstractInterpreter.h (modified) (1 diff)
• Source/JavaScriptCore/dfg/DFGAbstractInterpreterInlines.h (modified) (5 diffs)
• Source/JavaScriptCore/dfg/DFGBackwardsPropagationPhase.cpp (modified) (2 diffs)
• Source/JavaScriptCore/dfg/DFGByteCodeParser.cpp (modified) (2 diffs)
• Source/JavaScriptCore/dfg/DFGClobberize.h (modified) (2 diffs)
• Source/JavaScriptCore/dfg/DFGDoesGC.cpp (modified) (2 diffs)
• Source/JavaScriptCore/dfg/DFGFixupPhase.cpp (modified) (6 diffs)
• Source/JavaScriptCore/dfg/DFGNode.h (modified) (1 diff)
• Source/JavaScriptCore/dfg/DFGNodeType.h (modified) (1 diff)
• Source/JavaScriptCore/dfg/DFGOperations.cpp (modified) (2 diffs)
• Source/JavaScriptCore/dfg/DFGOperations.h (modified) (1 diff)
• Source/JavaScriptCore/dfg/DFGPredictionPropagationPhase.cpp (modified) (3 diffs)
• Source/JavaScriptCore/dfg/DFGSafeToExecute.h (modified) (2 diffs)
• Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp (modified) (2 diffs)
• Source/JavaScriptCore/dfg/DFGSpeculativeJIT.h (modified) (3 diffs)
• Source/JavaScriptCore/dfg/DFGSpeculativeJIT32_64.cpp (modified) (1 diff)
• Source/JavaScriptCore/dfg/DFGSpeculativeJIT64.cpp (modified) (1 diff)
• Source/JavaScriptCore/dfg/DFGStrengthReductionPhase.cpp (modified) (1 diff)
• Source/JavaScriptCore/ftl/FTLCapabilities.cpp (modified) (2 diffs)
• Source/JavaScriptCore/ftl/FTLLowerDFGToB3.cpp (modified) (3 diffs)
• Source/JavaScriptCore/llint/LowLevelInterpreter32_64.asm (modified) (1 diff)
• Source/JavaScriptCore/llint/LowLevelInterpreter64.asm (modified) (1 diff)
• Source/JavaScriptCore/runtime/CommonSlowPaths.cpp (modified) (2 diffs)

trunk/JSTests/ChangeLog

@@ +1 @@
+2019-07-12  Caio Lima  <ticaiolima@gmail.com>
+
+        [BigInt] Add ValueBitLShift into DFG
+        https://bugs.webkit.org/show_bug.cgi?id=192664
+
+        Reviewed by Saam Barati.
+
+        We are adding tests to cover ValueBitwise operations AI changes.
+
+        * stress/big-int-left-shift-untyped.js: Added.
+        * stress/bit-op-with-object-returning-int32.js:
+        * stress/value-bit-and-ai-rule.js: Added.
+        * stress/value-bit-lshift-ai-rule.js: Added.
+        * stress/value-bit-or-ai-rule.js: Added.
+        * stress/value-bit-xor-ai-rule.js: Added.
+
 2019-07-11  Justin Michaud  <justin_michaud@apple.com>
 

trunk/JSTests/stress/bit-op-with-object-returning-int32.js

@@ -47 +47 @@
 assert(numberOfDFGCompiles(bitNot) <= 1, true);
 
+function bitLShift(a, b) {
+    return a << b;
+}
+noInline(bitLShift);
+
+for (var i = 0; i < 10000; i++)
+    assert(bitLShift(o, 3), 0b1101000);
+
+assert(numberOfDFGCompiles(bitLShift) <= 1, true);
+

trunk/PerformanceTests/ChangeLog

@@ +1 @@
+2019-07-12  Caio Lima  <ticaiolima@gmail.com>
+
+        [BigInt] Add ValueBitLShift into DFG
+        https://bugs.webkit.org/show_bug.cgi?id=192664
+
+        Reviewed by Saam Barati.
+
+        * BigIntBench/big-int-simple-lshift.js: Added.
+
 2019-06-28  Konstantin Tokarev  <annulen@yandex.ru>
 

trunk/Source/JavaScriptCore/ChangeLog

@@ +1 @@
+2019-07-12  Caio Lima  <ticaiolima@gmail.com>
+
+        [BigInt] Add ValueBitLShift into DFG
+        https://bugs.webkit.org/show_bug.cgi?id=192664
+
+        Reviewed by Saam Barati.
+
+        This patch is splitting the `BitLShift` into `ArithBitLShift` and
+        `ValueBitLShift` to handle BigInt speculation more efficiently during
+        DFG and FTL layers. Following the same approach of other `ValueBitOps`,
+        `ValueBitLShift` handles Untyped and BigInt speculations, while
+        `ArithBitLShift` handles number and boolean operands and always results into
+        Int32. 
+
+        * bytecode/BytecodeList.rb:
+        * bytecode/CodeBlock.cpp:
+        (JSC::CodeBlock::finishCreation):
+        * bytecode/Opcode.h:
+        * dfg/DFGAbstractInterpreter.h:
+        * dfg/DFGAbstractInterpreterInlines.h:
+        (JSC::DFG::AbstractInterpreter<AbstractStateType>::handleConstantBinaryBitwiseOp):
+        (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
+
+        We moved `BitLShift` constant fold rules to a new method
+        `handleConstantBinaryBitwiseOp` to be reused by `ArithBitLShift` and
+        `ValueBitLShift`. This also enables support of constant folding on other
+        bitwise operations like `ValueBitAnd`, `ValueBitOr` and `ValueBitXor`, when
+        their binary use kind is UntypedUse. Such cases can happen on those
+        nodes because fixup phase is conservative.
+
+        * dfg/DFGBackwardsPropagationPhase.cpp:
+        (JSC::DFG::BackwardsPropagationPhase::isWithinPowerOfTwo):
+        (JSC::DFG::BackwardsPropagationPhase::propagate):
+        * dfg/DFGByteCodeParser.cpp:
+        (JSC::DFG::ByteCodeParser::handleIntrinsicGetter):
+        (JSC::DFG::ByteCodeParser::parseBlock):
+
+        We parse `op_lshift` as `ArithBitLShift` when its operands are numbers.
+        Otherwise, we fallback to `ValueBitLShift` and rely on fixup phase to
+        convert `ValueBitLShift` into `ArithBitLShift` when possible.
+
+        * dfg/DFGClobberize.h:
+        (JSC::DFG::clobberize):
+
+        `ArithBitLShift` has the same clobberize rules as former `BitLShift`.
+        `ValueBitLShift` only clobberize world when it is UntypedUse.
+
+        * dfg/DFGDoesGC.cpp:
+        (JSC::DFG::doesGC):
+
+        `ValueBitLShift` can GC when `BigIntUse` because it allocates new
+        JSBigInts to perform this operation. It also can GC on UntypedUse
+        because of observable user code.
+
+        * dfg/DFGFixupPhase.cpp:
+        (JSC::DFG::FixupPhase::fixupNode):
+
+        `ValueBitLShift` and `ArithBitLShift` has the same fixup rules of
+        other binary bitwise operations. In the case of `ValueBitLShift`
+        We check if we should speculate on BigInt or Untyped and fallback to
+        `ArithBitLShift` when both cheks fail.
+
+        * dfg/DFGNode.h:
+        (JSC::DFG::Node::hasHeapPrediction):
+        * dfg/DFGNodeType.h:
+        * dfg/DFGOperations.cpp:
+
+        We updated `operationValueBitLShift` to handle BigInt cases. Also, we
+        added `operationBitLShiftBigInt` that is used when we compile
+        `ValueBitLValueBitLShift(BigIntUse)`.
+
+        * dfg/DFGOperations.h:
+        * dfg/DFGPredictionPropagationPhase.cpp:
+
+        `ValueBitLShift`'s prediction propagation rules differs from other
+        bitwise operations, because using only heap prediction for this node causes
+        significant performance regression on Octane's zlib and mandreel.
+        The reason is because of cases where a function is compiled but the
+        instruction `op_lshift` was never executed before. If we use
+        `getPrediction()` we will emit a `ForceOSRExit`, resulting in more OSR
+        than desired. To solve such issue, we are then using
+        `getPredictionWithoutOSR()` and falling back to `getHeapPrediction()`
+        only on cases where we can't rely on node's input types.
+
+        * dfg/DFGSafeToExecute.h:
+        (JSC::DFG::safeToExecute):
+        * dfg/DFGSpeculativeJIT.cpp:
+        (JSC::DFG::SpeculativeJIT::compileValueLShiftOp):
+        (JSC::DFG::SpeculativeJIT::compileShiftOp):
+        * dfg/DFGSpeculativeJIT.h:
+        (JSC::DFG::SpeculativeJIT::shiftOp):
+        * dfg/DFGSpeculativeJIT32_64.cpp:
+        (JSC::DFG::SpeculativeJIT::compile):
+        * dfg/DFGSpeculativeJIT64.cpp:
+        (JSC::DFG::SpeculativeJIT::compile):
+        * dfg/DFGStrengthReductionPhase.cpp:
+        (JSC::DFG::StrengthReductionPhase::handleNode):
+        * ftl/FTLCapabilities.cpp:
+        (JSC::FTL::canCompile):
+        * ftl/FTLLowerDFGToB3.cpp:
+        (JSC::FTL::DFG::LowerDFGToB3::compileNode):
+        (JSC::FTL::DFG::LowerDFGToB3::compileArithBitLShift):
+        (JSC::FTL::DFG::LowerDFGToB3::compileValueBitLShift):
+        (JSC::FTL::DFG::LowerDFGToB3::compileBitLShift): Deleted.
+        * llint/LowLevelInterpreter32_64.asm:
+        * llint/LowLevelInterpreter64.asm:
+        * runtime/CommonSlowPaths.cpp:
+        (JSC::SLOW_PATH_DECL):
+
 2019-07-12  Keith Miller  <keith_miller@apple.com>
 

trunk/Source/JavaScriptCore/bytecode/BytecodeList.rb

@@ -227 +227 @@
         :mod,
         :pow,
-        :lshift,
         :rshift,
         :urshift,
@@ -262 +261 @@
         :bitor,
         :bitxor,
+        :lshift,
     ],
     args: {

trunk/Source/JavaScriptCore/bytecode/CodeBlock.cpp

@@ -546 +546 @@
         LINK(OpBitnot, profile)
         LINK(OpBitxor, profile)
+        LINK(OpLshift, profile)
 
         LINK(OpGetById, profile)

trunk/Source/JavaScriptCore/bytecode/Opcode.h

@@ -108 +108 @@
     macro(OpBitnot) \
     macro(OpBitxor) \
+    macro(OpLshift) \
 
 #define FOR_EACH_OPCODE_WITH_ARRAY_PROFILE(macro) \

trunk/Source/JavaScriptCore/dfg/DFGAbstractInterpreter.h

@@ -219 +219 @@
     void didFoldClobberWorld();
     
+    bool handleConstantBinaryBitwiseOp(Node*);
+
     template<typename Functor>
     void forAllValues(unsigned indexInBlock, Functor&);

trunk/Source/JavaScriptCore/dfg/DFGAbstractInterpreterInlines.h

@@ -235 +235 @@
 
 template<typename AbstractStateType>
+bool AbstractInterpreter<AbstractStateType>::handleConstantBinaryBitwiseOp(Node* node)
+{
+    JSValue left = forNode(node->child1()).value();
+    JSValue right = forNode(node->child2()).value();
+    if (left && right && left.isInt32() && right.isInt32()) {
+        int32_t a = left.asInt32();
+        int32_t b = right.asInt32();
+        if (node->isBinaryUseKind(UntypedUse))
+            didFoldClobberWorld();
+        NodeType op = node->op();
+        switch (op) {
+        case ValueBitAnd:
+        case ArithBitAnd:
+            setConstant(node, JSValue(a & b));
+            break;
+        case ValueBitOr:
+        case ArithBitOr:
+            setConstant(node, JSValue(a | b));
+            break;
+        case ValueBitXor:
+        case ArithBitXor:
+            setConstant(node, JSValue(a ^ b));
+            break;
+        case BitRShift:
+            setConstant(node, JSValue(a >> (static_cast<uint32_t>(b) & 0x1f)));
+            break;
+        case ValueBitLShift:
+        case ArithBitLShift:
+            setConstant(node, JSValue(a << (static_cast<uint32_t>(b) & 0x1f)));
+            break;
+        case BitURShift:
+            setConstant(node, JSValue(static_cast<int32_t>(static_cast<uint32_t>(a) >> (static_cast<uint32_t>(b) & 0x1f))));
+            break;
+        default:
+            RELEASE_ASSERT_NOT_REACHED();
+            break;
+        }
+
+        return true;
+    }
+
+    return false;
+}
+
+template<typename AbstractStateType>
 bool AbstractInterpreter<AbstractStateType>::handleConstantDivOp(Node* node)
 {
@@ -464 +509 @@
     case ValueBitAnd:
     case ValueBitOr:
+    case ValueBitLShift: {
+        if (handleConstantBinaryBitwiseOp(node))
+            break;
+
         if (node->binaryUseKind() == BigIntUse)
             setTypeForNode(node, SpecBigInt);
@@ -471 +520 @@
         }
         break;
+    }
             
     case ArithBitAnd:
@@ -476 +526 @@
     case ArithBitXor:
     case BitRShift:
-    case BitLShift:
+    case ArithBitLShift:
     case BitURShift: {
         if (node->child1().useKind() == UntypedUse || node->child2().useKind() == UntypedUse) {
@@ -484 +534 @@
         }
 
-        JSValue left = forNode(node->child1()).value();
-        JSValue right = forNode(node->child2()).value();
-        if (left && right && left.isInt32() && right.isInt32()) {
-            int32_t a = left.asInt32();
-            int32_t b = right.asInt32();
-            switch (node->op()) {
-            case ArithBitAnd:
-                setConstant(node, JSValue(a & b));
-                break;
-            case ArithBitOr:
-                setConstant(node, JSValue(a | b));
-                break;
-            case ArithBitXor:
-                setConstant(node, JSValue(a ^ b));
-                break;
-            case BitRShift:
-                setConstant(node, JSValue(a >> (static_cast<uint32_t>(b) & 0x1f)));
-                break;
-            case BitLShift:
-                setConstant(node, JSValue(a << (static_cast<uint32_t>(b) & 0x1f)));
-                break;
-            case BitURShift:
-                setConstant(node, JSValue(static_cast<int32_t>(static_cast<uint32_t>(a) >> (static_cast<uint32_t>(b) & 0x1f))));
-                break;
-            default:
-                RELEASE_ASSERT_NOT_REACHED();
-                break;
-            }
-            break;
-        }
+        if (handleConstantBinaryBitwiseOp(node))
+            break;
         
         if (node->op() == ArithBitAnd

trunk/Source/JavaScriptCore/dfg/DFGBackwardsPropagationPhase.cpp

@@ -124 +124 @@
         case ValueBitOr:
         case ValueBitXor:
-        case BitLShift: {
+        case ValueBitLShift:
+        case ArithBitLShift: {
             return power > 31;
         }
@@ -227 +228 @@
         case ValueBitXor:
         case BitRShift:
-        case BitLShift:
+        case ValueBitLShift:
+        case ArithBitLShift:
         case BitURShift:
         case ArithIMul: {

trunk/Source/JavaScriptCore/dfg/DFGByteCodeParser.cpp

@@ -3510 +3510 @@
         // that overflows int32.
         Node* shiftNode = jsConstant(jsNumber(logSize));
-        set(result, addToGraph(BitLShift, lengthNode, shiftNode));
+        set(result, addToGraph(ArithBitLShift, lengthNode, shiftNode));
 
         return true;
@@ -5032 +5032 @@
             Node* op1 = get(bytecode.m_lhs);
             Node* op2 = get(bytecode.m_rhs);
-            set(bytecode.m_dst, addToGraph(BitLShift, op1, op2));
+            if (op1->hasNumberOrAnyIntResult() && op2->hasNumberOrAnyIntResult())
+                set(bytecode.m_dst, addToGraph(ArithBitLShift, op1, op2));
+            else {
+                SpeculatedType prediction = getPredictionWithoutOSRExit();
+                set(bytecode.m_dst, addToGraph(ValueBitLShift, OpInfo(), OpInfo(prediction), op1, op2));
+            }
             NEXT_OPCODE(op_lshift);
         }

trunk/Source/JavaScriptCore/dfg/DFGClobberize.h

@@ -281 +281 @@
     case ArithBitOr:
     case ArithBitXor:
-    case BitLShift:
+    case ArithBitLShift:
     case BitRShift:
     case BitURShift:
@@ -683 +683 @@
     case ValueMod:
     case ValuePow:
+    case ValueBitLShift:
         if (node->isBinaryUseKind(BigIntUse)) {
             def(PureValue(node));

trunk/Source/JavaScriptCore/dfg/DFGDoesGC.cpp

@@ -85 +85 @@
     case ArithBitOr:
     case ArithBitXor:
-    case BitLShift:
+    case ArithBitLShift:
     case BitRShift:
     case BitURShift:
@@ -376 +376 @@
     case ValueBitOr:
     case ValueBitXor:
+    case ValueBitLShift:
     case ValueAdd:
     case ValueSub:

trunk/Source/JavaScriptCore/dfg/DFGFixupPhase.cpp

@@ -216 +216 @@
         }
 
+        case ValueBitLShift:
         case ValueBitXor:
         case ValueBitOr:
@@ -222 +223 @@
                 fixEdge<BigIntUse>(node->child1());
                 fixEdge<BigIntUse>(node->child2());
+                node->clearFlags(NodeMustGenerate);
                 break;
             }
@@ -230 +232 @@
                 break;
             }
-
-            // In such case, we need to fallback to ArithBitOp
+            
             switch (op) {
             case ValueBitXor:
@@ -241 +242 @@
             case ValueBitAnd:
                 node->setOp(ArithBitAnd);
+                break;
+            case ValueBitLShift:
+                node->setOp(ArithBitLShift);
                 break;
             default:
@@ -278 +282 @@
         }
 
+        case ArithBitLShift: 
         case ArithBitXor:
         case ArithBitOr:
@@ -287 +292 @@
 
         case BitRShift:
-        case BitLShift:
         case BitURShift: {
             if (Node::shouldSpeculateUntypedForBitOps(node->child1().node(), node->child2().node())) {

trunk/Source/JavaScriptCore/dfg/DFGNode.h

@@ -1695 +1695 @@
         case ValueBitXor:
         case ValueBitNot:
+        case ValueBitLShift:
         case CallObjectConstructor:
         case LoadKeyFromMapBucket:

trunk/Source/JavaScriptCore/dfg/DFGNodeType.h

@@ -122 +122 @@
     macro(ValueBitXor, NodeResultJS | NodeMustGenerate) \
     macro(ArithBitXor, NodeResultInt32) \
-    macro(BitLShift, NodeResultInt32) \
+    macro(ArithBitLShift, NodeResultInt32) \
+    macro(ValueBitLShift, NodeResultJS | NodeMustGenerate) \
     macro(BitRShift, NodeResultInt32) \
     macro(BitURShift, NodeResultInt32) \

trunk/Source/JavaScriptCore/dfg/DFGOperations.cpp

@@ -479 +479 @@
 EncodedJSValue JIT_OPERATION operationValueBitLShift(ExecState* exec, EncodedJSValue encodedOp1, EncodedJSValue encodedOp2)
 {
-    VM* vm = &exec->vm();
-    NativeCallFrameTracer tracer(vm, exec);
-    auto scope = DECLARE_THROW_SCOPE(*vm);
-
-    JSValue op1 = JSValue::decode(encodedOp1);
-    JSValue op2 = JSValue::decode(encodedOp2);
-
-    int32_t a = op1.toInt32(exec);
-    RETURN_IF_EXCEPTION(scope, encodedJSValue());
-    scope.release();
-    uint32_t b = op2.toUInt32(exec);
-    return JSValue::encode(jsNumber(a << (b & 0x1f)));
+    auto bigIntOp = [] (ExecState* exec, JSBigInt* left, JSBigInt* right) -> JSBigInt* {
+        return JSBigInt::leftShift(exec, left, right);
+    };
+
+    auto int32Op = [] (int32_t left, int32_t right) -> int32_t {
+        return left << (right & 0x1f);
+    };
+
+    return bitwiseBinaryOp(exec, encodedOp1, encodedOp2, bigIntOp, int32Op, "Invalid mix of BigInt and other type in left shift operation."_s);
 }
 
@@ -1430 +1427 @@
 
     return JSBigInt::bitwiseAnd(exec, leftOperand, rightOperand);
+}
+
+JSCell* JIT_OPERATION operationBitLShiftBigInt(ExecState* exec, JSCell* op1, JSCell* op2)
+{
+    VM* vm = &exec->vm();
+    NativeCallFrameTracer tracer(vm, exec);
+
+    JSBigInt* leftOperand = jsCast<JSBigInt*>(op1);
+    JSBigInt* rightOperand = jsCast<JSBigInt*>(op2);
+
+    return JSBigInt::leftShift(exec, leftOperand, rightOperand);
 }
 

trunk/Source/JavaScriptCore/dfg/DFGOperations.h

@@ -177 +177 @@
 JSCell* JIT_OPERATION operationBitNotBigInt(ExecState*, JSCell* op1) WTF_INTERNAL;
 JSCell* JIT_OPERATION operationBitOrBigInt(ExecState*, JSCell* op1, JSCell* op2) WTF_INTERNAL;
+JSCell* JIT_OPERATION operationBitLShiftBigInt(ExecState*, JSCell* op1, JSCell* op2) WTF_INTERNAL;
 JSCell* JIT_OPERATION operationAddBigInt(ExecState*, JSCell* op1, JSCell* op2) WTF_INTERNAL;
 JSCell* JIT_OPERATION operationBitXorBigInt(ExecState*, JSCell* op1, JSCell* op2) WTF_INTERNAL;

trunk/Source/JavaScriptCore/dfg/DFGPredictionPropagationPhase.cpp

@@ -177 +177 @@
             else
                 changed |= mergePrediction(SpecBytecodeNumber);
+            break;
+        }
+
+        case ValueBitLShift: {
+            SpeculatedType left = node->child1()->prediction();
+            SpeculatedType right = node->child2()->prediction();
+
+            if (left && right) {
+                if (isBigIntSpeculation(left) && isBigIntSpeculation(right))
+                    changed |= mergePrediction(SpecBigInt);
+                else if (isFullNumberOrBooleanSpeculationExpectingDefined(left) && isFullNumberOrBooleanSpeculationExpectingDefined(right))
+                    changed |= mergePrediction(SpecInt32Only);
+                else
+                    changed |= mergePrediction(node->getHeapPrediction());
+            }
+
             break;
         }
@@ -769 +785 @@
         case ArithBitXor:
         case BitRShift:
-        case BitLShift:
+        case ArithBitLShift:
         case BitURShift:
         case ArithIMul:
@@ -1138 +1154 @@
         case ValueMod:
         case ValuePow:
+        case ValueBitLShift:
         case ArithAdd:
         case ArithSub:

trunk/Source/JavaScriptCore/dfg/DFGSafeToExecute.h

@@ -204 +204 @@
     case ArithBitOr:
     case ArithBitXor:
-    case BitLShift:
+    case ArithBitLShift:
     case BitRShift:
     case BitURShift:
@@ -234 +234 @@
     case ValueBitOr:
     case ValueBitNot:
+    case ValueBitLShift:
     case ValueNegate:
     case ValueAdd:

trunk/Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp

@@ -3862 +3862 @@
 }
 
+void SpeculativeJIT::compileValueLShiftOp(Node* node)
+{
+    Edge& leftChild = node->child1();
+    Edge& rightChild = node->child2();
+
+    if (node->binaryUseKind() == BigIntUse) {
+        SpeculateCellOperand left(this, leftChild);
+        SpeculateCellOperand right(this, rightChild);
+        GPRReg leftGPR = left.gpr();
+        GPRReg rightGPR = right.gpr();
+
+        speculateBigInt(leftChild, leftGPR);
+        speculateBigInt(rightChild, rightGPR);
+
+        flushRegisters();
+        GPRFlushedCallResult result(this);
+        GPRReg resultGPR = result.gpr();
+
+        callOperation(operationBitLShiftBigInt, resultGPR, leftGPR, rightGPR);
+        m_jit.exceptionCheck();
+        cellResult(resultGPR, node);
+        return;
+    }
+
+    ASSERT(leftChild.useKind() == UntypedUse && rightChild.useKind() == UntypedUse);
+    emitUntypedBitOp<JITLeftShiftGenerator, operationValueBitLShift>(node);
+}
+
 void SpeculativeJIT::compileShiftOp(Node* node)
 {
@@ -3870 +3898 @@
     if (leftChild.useKind() == UntypedUse || rightChild.useKind() == UntypedUse) {
         switch (op) {
-        case BitLShift:
-            emitUntypedBitOp<JITLeftShiftGenerator, operationValueBitLShift>(node);
-            return;
         case BitRShift:
         case BitURShift:

trunk/Source/JavaScriptCore/dfg/DFGSpeculativeJIT.h

@@ -664 +664 @@
             m_jit.rshift32(op1, Imm32(shiftAmount), result);
             break;
-        case BitLShift:
+        case ArithBitLShift:
             m_jit.lshift32(op1, Imm32(shiftAmount), result);
             break;
@@ -680 +680 @@
             m_jit.rshift32(op1, shiftAmount, result);
             break;
-        case BitLShift:
+        case ArithBitLShift:
             m_jit.lshift32(op1, shiftAmount, result);
             break;
@@ -1335 +1335 @@
 
     void emitUntypedRightShiftBitOp(Node*);
+    void compileValueLShiftOp(Node*);
     void compileShiftOp(Node*);
 

trunk/Source/JavaScriptCore/dfg/DFGSpeculativeJIT32_64.cpp

@@ -2002 +2002 @@
         break;
 
+    case ValueBitLShift:
+        compileValueLShiftOp(node);
+        break;
+
     case BitRShift:
-    case BitLShift:
+    case ArithBitLShift:
     case BitURShift:
         compileShiftOp(node);

trunk/Source/JavaScriptCore/dfg/DFGSpeculativeJIT64.cpp

@@ -2101 +2101 @@
         break;
 
+    case ValueBitLShift:
+        compileValueLShiftOp(node);
+        break;
+
     case BitRShift:
-    case BitLShift:
+    case ArithBitLShift:
     case BitURShift:
         compileShiftOp(node);

trunk/Source/JavaScriptCore/dfg/DFGStrengthReductionPhase.cpp

@@ -93 +93 @@
             break;
             
-        case BitLShift:
+        case ArithBitLShift:
         case BitRShift:
         case BitURShift:

trunk/Source/JavaScriptCore/ftl/FTLCapabilities.cpp

@@ -65 +65 @@
     case ArithBitXor:
     case BitRShift:
-    case BitLShift:
+    case ArithBitLShift:
     case BitURShift:
     case CheckStructure:
@@ -94 +94 @@
     case ValueBitOr:
     case ValueBitNot:
+    case ValueBitLShift:
     case ValueNegate:
     case ValueAdd:

trunk/Source/JavaScriptCore/ftl/FTLLowerDFGToB3.cpp

@@ -854 +854 @@
             compileBitRShift();
             break;
-        case BitLShift:
-            compileBitLShift();
+        case ArithBitLShift:
+            compileArithBitLShift();
+            break;
+        case ValueBitLShift:
+            compileValueBitLShift();
             break;
         case BitURShift:
@@ -3185 +3188 @@
     }
     
-    void compileBitLShift()
-    {
-        if (m_node->isBinaryUseKind(UntypedUse)) {
-            emitBinaryBitOpSnippet<JITLeftShiftGenerator>(operationValueBitLShift);
-            return;
-        }
+    void compileArithBitLShift()
+    {
         setInt32(m_out.shl(
             lowInt32(m_node->child1()),
@@ -3196 +3195 @@
     }
     
+    void compileValueBitLShift()
+    {
+        if (m_node->isBinaryUseKind(BigIntUse)) {
+            LValue left = lowBigInt(m_node->child1());
+            LValue right = lowBigInt(m_node->child2());
+            
+            LValue result = vmCall(pointerType(), m_out.operation(operationBitLShiftBigInt), m_callFrame, left, right);
+            setJSValue(result);
+            return;
+        }
+
+        ASSERT(m_node->isBinaryUseKind(UntypedUse));
+        emitBinaryBitOpSnippet<JITLeftShiftGenerator>(operationValueBitLShift);
+    }
+
     void compileBitURShift()
     {

trunk/Source/JavaScriptCore/llint/LowLevelInterpreter32_64.asm

@@ -1171 +1171 @@
 
 
-bitOp(lshift, OpLshift,
+bitOpProfiled(lshift, OpLshift,
     macro (left, right) lshifti left, right end)
 

trunk/Source/JavaScriptCore/llint/LowLevelInterpreter64.asm

@@ -1147 +1147 @@
 end
 
-bitOp(lshift, OpLshift,
+bitOpProfiled(lshift, OpLshift,
     macro (left, right) lshifti left, right end)
 

trunk/Source/JavaScriptCore/runtime/CommonSlowPaths.cpp

@@ -675 +675 @@
             JSBigInt* result = JSBigInt::leftShift(exec, WTF::get<JSBigInt*>(leftNumeric), WTF::get<JSBigInt*>(rightNumeric));
             CHECK_EXCEPTION();
-            RETURN(result);
+            RETURN_PROFILED(result);
         }
 
@@ -681 +681 @@
     }
 
-    RETURN(jsNumber(WTF::get<int32_t>(leftNumeric) << (WTF::get<int32_t>(rightNumeric) & 31)));
+    RETURN_PROFILED(jsNumber(WTF::get<int32_t>(leftNumeric) << (WTF::get<int32_t>(rightNumeric) & 31)));
 }