Changeset 95484 in webkit

Timestamp:

Sep 19, 2011 3:27:38 PM (13 years ago)

Author:

fpizlo@apple.com

Message:

DFG speculation failures should act as additional value profiles
​https://bugs.webkit.org/show_bug.cgi?id=68335

Reviewed by Oliver Hunt.

This adds slow-case counters to the old JIT. It also ensures that
negative zero in multiply is handled carefully. The old JIT
previously took slow path if the result of a multiply was zero,
which, without any changes, would cause the DFG to think that
every such multiply produced a double result.

This also fixes a bug in the old JIT's handling of decrements. It
would take the slow path if the result was zero, but not if it
underflowed.

By itself, this would be a 1% slow-down on V8 and Kraken. But then
I wrote optimizations in the DFG that take advantage of this new
information. It's no longer the case that every multiply needs to
do a check for negative zero; it only happens if the negative
zero is ignored.

This results in a 12% speed-up on v8-crypto, for a 1.4% geomean
speed-up in V8. It's mostly neutral on Kraken. I can see an
0.5% slow-down and it appears to be significant.

• bytecode/CodeBlock.cpp:

(JSC::CodeBlock::resetRareCaseProfiles):
(JSC::CodeBlock::dumpValueProfiles):

• bytecode/CodeBlock.h:
• bytecode/ValueProfile.h:

(JSC::RareCaseProfile::RareCaseProfile):
(JSC::getRareCaseProfileBytecodeOffset):

• dfg/DFGByteCodeParser.cpp:

(JSC::DFG::ByteCodeParser::toInt32):
(JSC::DFG::ByteCodeParser::makeSafe):
(JSC::DFG::ByteCodeParser::parseBlock):

• dfg/DFGJITCodeGenerator.cpp:

(JSC::DFG::GPRTemporary::GPRTemporary):

• dfg/DFGJITCodeGenerator.h:
• dfg/DFGNode.h:
• dfg/DFGPropagator.cpp:

(JSC::DFG::Propagator::propagateNode):
(JSC::DFG::Propagator::fixupNode):
(JSC::DFG::Propagator::clobbersWorld):
(JSC::DFG::Propagator::performNodeCSE):

• dfg/DFGSpeculativeJIT.cpp:

(JSC::DFG::SpeculativeJIT::compile):
(JSC::DFG::SpeculativeJIT::computeValueRecoveryFor):

• jit/JIT.cpp:

(JSC::JIT::privateCompileSlowCases):

• jit/JIT.h:

(JSC::JIT::linkDummySlowCase):

• jit/JITArithmetic.cpp:

(JSC::JIT::emit_op_post_dec):
(JSC::JIT::emit_op_pre_dec):
(JSC::JIT::compileBinaryArithOp):
(JSC::JIT::emit_op_add):
(JSC::JIT::emitSlow_op_add):

• jit/JITInlineMethods.h:

(JSC::JIT::addSlowCase):

Location:

trunk/Source/JavaScriptCore

Files:

• ChangeLog (modified) (1 diff)
• bytecode/CodeBlock.cpp (modified) (2 diffs)
• bytecode/CodeBlock.h (modified) (2 diffs)
• bytecode/ValueProfile.h (modified) (1 diff)
• dfg/DFGByteCodeParser.cpp (modified) (14 diffs)
• dfg/DFGJITCodeGenerator.cpp (modified) (4 diffs)
• dfg/DFGJITCodeGenerator.h (modified) (2 diffs)
• dfg/DFGNode.h (modified) (2 diffs)
• dfg/DFGPropagator.cpp (modified) (7 diffs)
• dfg/DFGSpeculativeJIT.cpp (modified) (9 diffs)
• jit/JIT.cpp (modified) (2 diffs)
• jit/JIT.h (modified) (2 diffs)
• jit/JITArithmetic.cpp (modified) (5 diffs)
• jit/JITInlineMethods.h (modified) (1 diff)

trunk/Source/JavaScriptCore/ChangeLog

@@ +1 @@
+2011-09-19  Filip Pizlo  <fpizlo@apple.com>
+
+        DFG speculation failures should act as additional value profiles
+        https://bugs.webkit.org/show_bug.cgi?id=68335
+
+        Reviewed by Oliver Hunt.
+        
+        This adds slow-case counters to the old JIT. It also ensures that
+        negative zero in multiply is handled carefully. The old JIT
+        previously took slow path if the result of a multiply was zero,
+        which, without any changes, would cause the DFG to think that
+        every such multiply produced a double result.
+        
+        This also fixes a bug in the old JIT's handling of decrements. It
+        would take the slow path if the result was zero, but not if it
+        underflowed.
+        
+        By itself, this would be a 1% slow-down on V8 and Kraken. But then
+        I wrote optimizations in the DFG that take advantage of this new
+        information. It's no longer the case that every multiply needs to
+        do a check for negative zero; it only happens if the negative
+        zero is ignored.
+        
+        This results in a 12% speed-up on v8-crypto, for a 1.4% geomean
+        speed-up in V8. It's mostly neutral on Kraken. I can see an
+        0.5% slow-down and it appears to be significant.
+
+        * bytecode/CodeBlock.cpp:
+        (JSC::CodeBlock::resetRareCaseProfiles):
+        (JSC::CodeBlock::dumpValueProfiles):
+        * bytecode/CodeBlock.h:
+        * bytecode/ValueProfile.h:
+        (JSC::RareCaseProfile::RareCaseProfile):
+        (JSC::getRareCaseProfileBytecodeOffset):
+        * dfg/DFGByteCodeParser.cpp:
+        (JSC::DFG::ByteCodeParser::toInt32):
+        (JSC::DFG::ByteCodeParser::makeSafe):
+        (JSC::DFG::ByteCodeParser::parseBlock):
+        * dfg/DFGJITCodeGenerator.cpp:
+        (JSC::DFG::GPRTemporary::GPRTemporary):
+        * dfg/DFGJITCodeGenerator.h:
+        * dfg/DFGNode.h:
+        * dfg/DFGPropagator.cpp:
+        (JSC::DFG::Propagator::propagateNode):
+        (JSC::DFG::Propagator::fixupNode):
+        (JSC::DFG::Propagator::clobbersWorld):
+        (JSC::DFG::Propagator::performNodeCSE):
+        * dfg/DFGSpeculativeJIT.cpp:
+        (JSC::DFG::SpeculativeJIT::compile):
+        (JSC::DFG::SpeculativeJIT::computeValueRecoveryFor):
+        * jit/JIT.cpp:
+        (JSC::JIT::privateCompileSlowCases):
+        * jit/JIT.h:
+        (JSC::JIT::linkDummySlowCase):
+        * jit/JITArithmetic.cpp:
+        (JSC::JIT::emit_op_post_dec):
+        (JSC::JIT::emit_op_pre_dec):
+        (JSC::JIT::compileBinaryArithOp):
+        (JSC::JIT::emit_op_add):
+        (JSC::JIT::emitSlow_op_add):
+        * jit/JITInlineMethods.h:
+        (JSC::JIT::addSlowCase):
+
 2011-09-19  Adam Roben  <aroben@apple.com>
 

trunk/Source/JavaScriptCore/bytecode/CodeBlock.cpp

@@ -1985 +1985 @@
 #endif
 
+#if ENABLE(VALUE_PROFILER)
+void CodeBlock::resetRareCaseProfiles()
+{
+    for (unsigned i = 0; i < numberOfSlowCaseProfiles(); ++i)
+        slowCaseProfile(i)->m_counter = 0;
+    for (unsigned i = 0; i < numberOfSpecialFastCaseProfiles(); ++i)
+        specialFastCaseProfile(i)->m_counter = 0;
+}
+#endif
+
 #if ENABLE(VERBOSE_VALUE_PROFILE)
 void CodeBlock::dumpValueProfiles()
@@ -2003 +2013 @@
         fprintf(stderr, "\n");
     }
+    fprintf(stderr, "SlowCaseProfile for %p:\n", this);
+    for (unsigned i = 0; i < numberOfSlowCaseProfiles(); ++i) {
+        SlowCaseProfile* profile = slowCaseProfile(i);
+        fprintf(stderr, "   bc = %d: %u\n", profile->m_bytecodeOffset, profile->m_counter);
+    }
 }
 #endif

trunk/Source/JavaScriptCore/bytecode/CodeBlock.h

@@ -489 +489 @@
             return result;
         }
+        
+        RareCaseProfile* addSlowCaseProfile(int bytecodeOffset)
+        {
+            m_slowCaseProfiles.append(RareCaseProfile(bytecodeOffset));
+            return &m_slowCaseProfiles.last();
+        }
+        unsigned numberOfSlowCaseProfiles() { return m_slowCaseProfiles.size(); }
+        RareCaseProfile* slowCaseProfile(int index) { return &m_slowCaseProfiles[index]; }
+        RareCaseProfile* slowCaseProfileForBytecodeOffset(int bytecodeOffset)
+        {
+            return WTF::genericBinarySearch<RareCaseProfile, int, getRareCaseProfileBytecodeOffset>(m_slowCaseProfiles, m_slowCaseProfiles.size(), bytecodeOffset);
+        }
+        
+        static uint32_t slowCaseThreshold() { return 100; }
+        bool likelyToTakeSlowCase(int bytecodeOffset)
+        {
+            return slowCaseProfileForBytecodeOffset(bytecodeOffset)->m_counter >= slowCaseThreshold();
+        }
+        
+        RareCaseProfile* addSpecialFastCaseProfile(int bytecodeOffset)
+        {
+            m_specialFastCaseProfiles.append(RareCaseProfile(bytecodeOffset));
+            return &m_specialFastCaseProfiles.last();
+        }
+        unsigned numberOfSpecialFastCaseProfiles() { return m_specialFastCaseProfiles.size(); }
+        RareCaseProfile* specialFastCaseProfile(int index) { return &m_specialFastCaseProfiles[index]; }
+        RareCaseProfile* specialFastCaseProfileForBytecodeOffset(int bytecodeOffset)
+        {
+            return WTF::genericBinarySearch<RareCaseProfile, int, getRareCaseProfileBytecodeOffset>(m_specialFastCaseProfiles, m_specialFastCaseProfiles.size(), bytecodeOffset);
+        }
+        
+        bool likelyToTakeDeepestSlowCase(int bytecodeOffset)
+        {
+            unsigned slowCaseCount = slowCaseProfileForBytecodeOffset(bytecodeOffset)->m_counter;
+            unsigned specialFastCaseCount = specialFastCaseProfileForBytecodeOffset(bytecodeOffset)->m_counter;
+            return (slowCaseCount - specialFastCaseCount) >= slowCaseThreshold();
+        }
+        
+        void resetRareCaseProfiles();
 #endif
 
@@ -792 +831 @@
 #if ENABLE(VALUE_PROFILER)
         SegmentedVector<ValueProfile, 8> m_valueProfiles;
+        SegmentedVector<RareCaseProfile, 8> m_slowCaseProfiles;
+        SegmentedVector<RareCaseProfile, 8> m_specialFastCaseProfiles;
 #endif
 

trunk/Source/JavaScriptCore/bytecode/ValueProfile.h

@@ -360 +360 @@
     return valueProfile->m_bytecodeOffset;
 }
+
+// This is a mini value profile to catch pathologies. It is a counter that gets
+// incremented when we take the slow path on any instruction.
+struct RareCaseProfile {
+    RareCaseProfile(int bytecodeOffset)
+        : m_bytecodeOffset(bytecodeOffset)
+        , m_counter(0)
+    {
+    }
+    
+    int m_bytecodeOffset;
+    uint32_t m_counter;
+};
+
+inline int getRareCaseProfileBytecodeOffset(RareCaseProfile* rareCaseProfile)
+{
+    return rareCaseProfile->m_bytecodeOffset;
+}
 #endif
 

trunk/Source/JavaScriptCore/dfg/DFGByteCodeParser.cpp

@@ -194 +194 @@
             return node.child1();
 
+        if (node.op == UInt32ToNumberSafe)
+            return node.child1();
+
         // Check for numeric constants boxed as JSValues.
         if (node.op == JSConstant) {
@@ -484 +487 @@
             case ArithAdd:
             case ArithSub:
-            case ArithMul:
+            case ArithMulIgnoreZero:
+            case ArithMulSpecNotNegZero:
+            case ArithMulPossiblyNegZero:
+            case ArithMulSafe:
             case ValueAdd:
                 m_reusableNodeStack.append(&m_graph[nodePtr->child1()]);
@@ -518 +524 @@
     {
         stronglyPredict(nodeIndex, m_currentIndex);
+    }
+    
+    NodeType makeSafe(NodeType op)
+    {
+        if (!m_profiledBlock->likelyToTakeSlowCase(m_currentIndex))
+            return op;
+        
+#if ENABLE(DFG_DEBUG_VERBOSE)
+        printf("Making %s @%lu safe at bc#%u because slow-case counter is at %u\n", Graph::opName(op), m_graph.size(), m_currentIndex, m_profiledBlock->slowCaseProfileForBytecodeOffset(m_currentIndex)->m_counter);
+#endif
+        
+        switch (op) {
+        case UInt32ToNumber:
+            return UInt32ToNumberSafe;
+        case ArithAdd:
+            return ArithAddSafe;
+        case ArithSub:
+            return ArithSubSafe;
+            
+            // We initialize ArithMul to ArithMulIgnoreZero and push it towards
+            // safer variants as we learn more, unless we already know that it
+            // can overflow. If it doesn't overflow, we first turn it into
+            // PossiblyNegZero if we see that it had been -0 during old JIT
+            // execution.
+        case ArithMulIgnoreZero:
+            if (m_profiledBlock->likelyToTakeDeepestSlowCase(m_currentIndex))
+                return ArithMulSafe;
+            else
+                return ArithMulPossiblyNegZero;
+            
+        case ValueAdd:
+            return ValueAddSafe;
+        default:
+            ASSERT_NOT_REACHED();
+            return Phantom; // Have to return something.
+        }
+    }
+    
+    NodeIndex getTrueResult(NodeIndex nodeIndex)
+    {
+        switch (m_graph[nodeIndex].op) {
+        case ArithMulIgnoreZero:
+            m_graph[nodeIndex].op = ArithMulSpecNotNegZero;
+            break;
+        case ArithMulPossiblyNegZero:
+            m_graph[nodeIndex].op = ArithMulSafe;
+            break;
+        default:
+            break;
+        }
+        return nodeIndex;
+    }
+    
+    bool isMultiply(NodeIndex nodeIndex)
+    {
+        switch (m_graph[nodeIndex].op) {
+        case ArithMulSpecNotNegZero:
+        case ArithMulIgnoreZero:
+        case ArithMulPossiblyNegZero:
+        case ArithMulSafe:
+            return true;
+        default:
+            return false;
+        }
     }
 
@@ -788 +858 @@
                     result = addToGraph(BitURShift, op1, op2);
                 else
-                    result = addToGraph(UInt32ToNumber, op1);
+                    result = addToGraph(makeSafe(UInt32ToNumber), op1);
             }  else {
                 // Cannot optimize at this stage; shift & potentially rebox as a double.
                 result = addToGraph(BitURShift, op1, op2);
-                result = addToGraph(UInt32ToNumber, result);
+                result = addToGraph(makeSafe(UInt32ToNumber), result);
             }
             set(currentInstruction[1].u.operand, result, PredictInt32);
@@ -804 +874 @@
             NodeIndex op = getToNumber(srcDst);
             weaklyPredictInt32(op);
-            set(srcDst, addToGraph(ArithAdd, op, one()));
+            set(srcDst, addToGraph(makeSafe(ArithAdd), op, one()));
             NEXT_OPCODE(op_pre_inc);
         }
@@ -814 +884 @@
             weaklyPredictInt32(op);
             set(result, op);
-            set(srcDst, addToGraph(ArithAdd, op, one()));
+            set(srcDst, addToGraph(makeSafe(ArithAdd), op, one()));
             NEXT_OPCODE(op_post_inc);
         }
@@ -822 +892 @@
             NodeIndex op = getToNumber(srcDst);
             weaklyPredictInt32(op);
-            set(srcDst, addToGraph(ArithSub, op, one()));
+            set(srcDst, addToGraph(makeSafe(ArithSub), op, one()));
             NEXT_OPCODE(op_pre_dec);
         }
@@ -832 +902 @@
             weaklyPredictInt32(op);
             set(result, op);
-            set(srcDst, addToGraph(ArithSub, op, one()));
+            set(srcDst, addToGraph(makeSafe(ArithSub), op, one()));
             NEXT_OPCODE(op_post_dec);
         }
@@ -847 +917 @@
                 weaklyPredictInt32(op2);
             }
+            
+            // If both inputs are multiplies, then we need to make sure to play
+            // it safe with -0.
+            if (isMultiply(op1) && isMultiply(op2)) {
+                getTrueResult(op1);
+                getTrueResult(op2);
+            }
+            
             if (m_graph[op1].hasNumberResult() && m_graph[op2].hasNumberResult())
-                set(currentInstruction[1].u.operand, addToGraph(ArithAdd, toNumber(op1), toNumber(op2)));
+                set(currentInstruction[1].u.operand, addToGraph(makeSafe(ArithAdd), toNumber(op1), toNumber(op2)));
             else
-                set(currentInstruction[1].u.operand, addToGraph(ValueAdd, op1, op2));
+                set(currentInstruction[1].u.operand, addToGraph(makeSafe(ValueAdd), op1, op2));
             NEXT_OPCODE(op_add);
         }
@@ -861 +939 @@
                 weaklyPredictInt32(op2);
             }
-            set(currentInstruction[1].u.operand, addToGraph(ArithSub, op1, op2));
+            
+            // For the left child we need to be careful about negative zero,
+            // since -0 - 0 is -0.  If the right child is -0 then it doesn't
+            // matter, since 0 - -0 is 0 and 0 - 0 is 0.
+            getTrueResult(op1);
+            
+            set(currentInstruction[1].u.operand, addToGraph(makeSafe(ArithSub), op1, op2));
             NEXT_OPCODE(op_sub);
         }
 
         case op_mul: {
-            NodeIndex op1 = getToNumber(currentInstruction[2].u.operand);
-            NodeIndex op2 = getToNumber(currentInstruction[3].u.operand);
-            set(currentInstruction[1].u.operand, addToGraph(ArithMul, op1, op2));
+            // We could be fancy here and skip the getTrueResult, instead making
+            // getTrueResult operate transitively. But we do this the simple way, for
+            // now.
+            NodeIndex op1 = getTrueResult(getToNumber(currentInstruction[2].u.operand));
+            NodeIndex op2 = getTrueResult(getToNumber(currentInstruction[3].u.operand));
+            set(currentInstruction[1].u.operand, addToGraph(makeSafe(ArithMulIgnoreZero), op1, op2));
             NEXT_OPCODE(op_mul);
         }
@@ -1003 +1090 @@
             NodeIndex base = get(currentInstruction[1].u.operand);
             NodeIndex property = get(currentInstruction[2].u.operand);
-            NodeIndex value = get(currentInstruction[3].u.operand);
+            NodeIndex value = getTrueResult(get(currentInstruction[3].u.operand));
             weaklyPredictArray(base);
             weaklyPredictInt32(property);
@@ -1060 +1147 @@
 
         case op_put_by_id: {
-            NodeIndex value = get(currentInstruction[3].u.operand);
+            NodeIndex value = getTrueResult(get(currentInstruction[3].u.operand));
             NodeIndex base = get(currentInstruction[1].u.operand);
             unsigned identifier = currentInstruction[2].u.operand;
@@ -1081 +1168 @@
 
         case op_put_global_var: {
-            NodeIndex value = get(currentInstruction[2].u.operand);
+            NodeIndex value = getTrueResult(get(currentInstruction[2].u.operand));
             addToGraph(PutGlobalVar, OpInfo(currentInstruction[1].u.operand), value);
             NEXT_OPCODE(op_put_global_var);
@@ -1363 +1450 @@
 
             Node* phiNode = &m_graph[entry.m_phi];
-            if (phiNode->refCount())
+            if (phiNode->refCount()) {
+                if (m_graph[valueInPredecessor].op == SetLocal) {
+                    // Any live SetLocal should ensure that it gets the true value.
+                    // Currently this means that ArithMuls distinguish between
+                    // negative zero and positive zero.
+                    getTrueResult(m_graph[valueInPredecessor].child1());
+                }
                 m_graph.ref(valueInPredecessor);
+            }
 
             if (phiNode->child1() == NoNode) {

trunk/Source/JavaScriptCore/dfg/DFGJITCodeGenerator.cpp

@@ -34 +34 @@
 namespace JSC { namespace DFG {
 
-const double twoToThe32 = (double)0x100000000ull;
+const double JITCodeGenerator::twoToThe32 = (double)0x100000000ull;
 
 void JITCodeGenerator::clearGenerationInfo()
@@ -730 +730 @@
     }
         
-    case ArithMul: {
+    case ArithMulIgnoreZero:
+    case ArithMulPossiblyNegZero:
+    case ArithMulSpecNotNegZero:
+    case ArithMulSafe: {
         overflow.append(m_jit.branchMul32(MacroAssembler::Overflow, arg1GPR, arg2GPR, resultGPR));
         overflow.append(m_jit.branchTest32(MacroAssembler::Zero, resultGPR));
@@ -821 +824 @@
         break;
             
-    case ArithMul:
+    case ArithMulIgnoreZero:
+    case ArithMulPossiblyNegZero:
+    case ArithMulSpecNotNegZero:
+    case ArithMulSafe:
         m_jit.mulDouble(tmp2FPR, tmp1FPR);
         break;
@@ -1990 +1996 @@
 }
 
+GPRTemporary::GPRTemporary(JITCodeGenerator* jit, SpeculateStrictInt32Operand& op1)
+    : m_jit(jit)
+    , m_gpr(InvalidGPRReg)
+{
+    if (m_jit->canReuse(op1.index()))
+        m_gpr = m_jit->reuse(op1.gpr());
+    else
+        m_gpr = m_jit->allocate();
+}
+
 GPRTemporary::GPRTemporary(JITCodeGenerator* jit, IntegerOperand& op1)
     : m_jit(jit)

trunk/Source/JavaScriptCore/dfg/DFGJITCodeGenerator.h

@@ -69 +69 @@
     
     enum UseChildrenMode { CallUseChildren, UseChildrenCalledExplicitly };
-
+    
+    static const double twoToThe32;
 
 public:
@@ -1174 +1175 @@
     GPRTemporary(JITCodeGenerator*, SpeculateIntegerOperand&);
     GPRTemporary(JITCodeGenerator*, SpeculateIntegerOperand&, SpeculateIntegerOperand&);
+    GPRTemporary(JITCodeGenerator*, SpeculateStrictInt32Operand&);
     GPRTemporary(JITCodeGenerator*, IntegerOperand&);
     GPRTemporary(JITCodeGenerator*, IntegerOperand&, IntegerOperand&);

trunk/Source/JavaScriptCore/dfg/DFGNode.h

@@ -148 +148 @@
     /* Used to box the result of URShift nodes (result has range 0..2^32-1). */\
     macro(UInt32ToNumber, NodeResultNumber) \
+    macro(UInt32ToNumberSafe, NodeResultNumber) \
     \
     /* Nodes for arithmetic operations. */\
     macro(ArithAdd, NodeResultNumber) \
     macro(ArithSub, NodeResultNumber) \
-    macro(ArithMul, NodeResultNumber) \
+    macro(ArithAddSafe, NodeResultNumber) /* Safe variants are those that are known to take old JIT slow path */\
+    macro(ArithSubSafe, NodeResultNumber) \
+    macro(ArithMulSpecNotNegZero, NodeResultNumber) /* Speculate that the result is not negative zero. */ \
+    macro(ArithMulIgnoreZero, NodeResultNumber) /* If it's negative zero, ignore it. */ \
+    macro(ArithMulPossiblyNegZero, NodeResultNumber) /* It definitely may be negative zero but we haven't decided what to do about it yet. No code generation for this node; it either turns into ArithMulIgnoreZero or ArithMulSafe. */ \
+    macro(ArithMulSafe, NodeResultNumber) /* It may be negative zero, or it may produce other forms of double, so speculate double. */\
     macro(ArithDiv, NodeResultNumber) \
     macro(ArithMod, NodeResultNumber) \
@@ -167 +173 @@
     /* Add of values may either be arithmetic, or result in string concatenation. */\
     macro(ValueAdd, NodeResultJS | NodeMustGenerate | NodeMightClobber) \
+    macro(ValueAddSafe, NodeResultJS | NodeMustGenerate | NodeMightClobber) \
     \
     /* Property access. */\

trunk/Source/JavaScriptCore/dfg/DFGPropagator.cpp

@@ -226 +226 @@
         case ArithAdd:
         case ArithSub:
-        case ArithMul:
+        case ArithMulIgnoreZero:
+        case ArithMulPossiblyNegZero:
+        case ArithMulSpecNotNegZero:
         case ArithMin:
         case ArithMax: {
@@ -251 +253 @@
             if (isStrongPrediction(child))
                 changed |= mergePrediction(child);
+            break;
+        }
+            
+        case ArithAddSafe:
+        case ArithSubSafe:
+        case ArithMulSafe:
+        case UInt32ToNumberSafe: {
+            changed |= setPrediction(makePrediction(PredictDouble, StrongPrediction));
+            break;
+        }
+
+        case ValueAddSafe: {
+            PredictedType left = m_predictions[node.child1()];
+            PredictedType right = m_predictions[node.child2()];
+            
+            if (isStrongPrediction(left) && isStrongPrediction(right)) {
+                if (isNumberPrediction(left) && isNumberPrediction(right))
+                    changed |= mergePrediction(makePrediction(PredictDouble, StrongPrediction));
+                else if (!(left & PredictNumber) || !(right & PredictNumber)) {
+                    // left or right is definitely something other than a number.
+                    changed |= mergePrediction(makePrediction(PredictString, StrongPrediction));
+                } else
+                    changed |= mergePrediction(makePrediction(PredictString | PredictInt32 | PredictDouble, StrongPrediction));
+            }
             break;
         }
@@ -409 +435 @@
         case ArithAdd:
         case ArithSub:
-        case ArithMul:
+        case ArithMulIgnoreZero:
+        case ArithMulPossiblyNegZero:
+        case ArithMulSpecNotNegZero:
         case ArithMin:
         case ArithMax: {
@@ -442 +470 @@
         }
             
+        case ArithAddSafe:
+        case ArithSubSafe:
+        case ArithMulSafe: {
+            toDouble(node.child1());
+            toDouble(node.child2());
+            break;
+        }
+            
+        case ValueAddSafe: {
+            PredictedType left = m_predictions[node.child1()];
+            PredictedType right = m_predictions[node.child2()];
+            
+            if (isStrongPrediction(left) && isStrongPrediction(right) && isNumberPrediction(left) && isNumberPrediction(right)) {
+                toDouble(node.child2());
+                toDouble(node.child1());
+            }
+            break;
+        }
+        
         default:
             break;
@@ -597 +644 @@
         switch (node.op) {
         case ValueAdd:
+        case ValueAddSafe:
         case CompareLess:
         case CompareLessEq:
@@ -744 +792 @@
         case ArithAdd:
         case ArithSub:
-        case ArithMul:
+        case ArithMulIgnoreZero:
+        case ArithMulPossiblyNegZero:
+        case ArithMulSpecNotNegZero:
         case ArithMod:
         case ArithDiv:
@@ -751 +801 @@
         case ArithMax:
         case ArithSqrt:
+        case ArithAddSafe:
+        case ArithSubSafe:
+        case ArithMulSafe:
             setReplacement(pureCSE(node));
             break;

trunk/Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp

@@ -841 +841 @@
         break;
     }
+        
+    case UInt32ToNumberSafe: {
+        // We know that this sometimes produces doubles. So produce a double every
+        // time. This at least allows subsequent code to not have weird conditionals.
+        
+        IntegerOperand op1(this, node.child1());
+        FPRTemporary result(this);
+        
+        GPRReg inputGPR = op1.gpr();
+        FPRReg outputFPR = result.fpr();
+        
+        m_jit.convertInt32ToDouble(inputGPR, outputFPR);
+        
+        JITCompiler::Jump positive = m_jit.branch32(MacroAssembler::GreaterThanOrEqual, inputGPR, TrustedImm32(0));
+        m_jit.addDouble(JITCompiler::AbsoluteAddress(&twoToThe32), outputFPR);
+        positive.link(&m_jit);
+        
+        doubleResult(outputFPR, m_compileIndex);
+        break;
+    }
 
     case ValueToInt32: {
@@ -917 +937 @@
             break;
         }
-
+        
+        // Fall through to safe cases.
+    }
+        
+    case ValueAddSafe:
+    case ArithAddSafe: {
         if (shouldSpeculateNumber(node.child1(), node.child2())) {
             SpeculateDoubleOperand op1(this, node.child1());
@@ -931 +956 @@
         }
         
-        ASSERT(op == ValueAdd);
+        ASSERT(op == ValueAdd || op == ValueAddSafe);
         
         JSValueOperand op1(this, node.child1());
@@ -973 +998 @@
             break;
         }
-
+        
+        // Fall through to safe case.
+    }
+        
+    case ArithSubSafe: {
         SpeculateDoubleOperand op1(this, node.child1());
         SpeculateDoubleOperand op2(this, node.child2());
@@ -986 +1015 @@
     }
 
-    case ArithMul: {
+    case ArithMulSpecNotNegZero:
+    case ArithMulPossiblyNegZero:
+    case ArithMulIgnoreZero: {
         if (shouldSpeculateInteger(node.child1(), node.child2())) {
             SpeculateIntegerOperand op1(this, node.child1());
@@ -996 +1027 @@
             speculationCheck(m_jit.branchMul32(MacroAssembler::Overflow, reg1, reg2, result.gpr()));
 
-            MacroAssembler::Jump resultNonZero = m_jit.branchTest32(MacroAssembler::NonZero, result.gpr());
-            speculationCheck(m_jit.branch32(MacroAssembler::LessThan, reg1, TrustedImm32(0)));
-            speculationCheck(m_jit.branch32(MacroAssembler::LessThan, reg2, TrustedImm32(0)));
-            resultNonZero.link(&m_jit);
+            // Only the ArithMulSpecNotNegZero opcode requires that we actually turn
+            // negative zero into a double. The other two mean that all users of this
+            // result don't care if it's a positive or negative zero.
+            if (op == ArithMulSpecNotNegZero) {
+                MacroAssembler::Jump resultNonZero = m_jit.branchTest32(MacroAssembler::NonZero, result.gpr());
+                speculationCheck(m_jit.branch32(MacroAssembler::LessThan, reg1, TrustedImm32(0)));
+                speculationCheck(m_jit.branch32(MacroAssembler::LessThan, reg2, TrustedImm32(0)));
+                resultNonZero.link(&m_jit);
+            }
 
             integerResult(result.gpr(), m_compileIndex);
             break;
         }
-
+        
+        // Fall through to safe case.
+    }
+
+    case ArithMulSafe: {
         SpeculateDoubleOperand op1(this, node.child1());
         SpeculateDoubleOperand op2(this, node.child2());
@@ -1088 +1128 @@
     case ArithMax: {
         if (shouldSpeculateInteger(node.child1(), node.child2())) {
-            SpeculateIntegerOperand op1(this, node.child1());
-            SpeculateIntegerOperand op2(this, node.child2());
+            SpeculateStrictInt32Operand op1(this, node.child1());
+            SpeculateStrictInt32Operand op2(this, node.child2());
             GPRTemporary result(this, op1);
             
@@ -1837 +1877 @@
         bool found = false;
         
-        if (nodePtr->op == UInt32ToNumber) {
+        if (nodePtr->op == UInt32ToNumber || nodePtr->op == UInt32ToNumberSafe) {
             NodeIndex nodeIndex = nodePtr->child1();
             nodePtr = &m_jit.graph()[nodeIndex];
@@ -1868 +1908 @@
                     break;
                 case UInt32ToNumber:
+                case UInt32ToNumberSafe:
                     uint32ToNumberIndex = info.nodeIndex();
                     break;

trunk/Source/JavaScriptCore/jit/JIT.cpp

@@ -414 +414 @@
 #endif
         Instruction* currentInstruction = instructionsBegin + m_bytecodeOffset;
+        
+#if ENABLE(VALUE_PROFILER)
+        RareCaseProfile* slowCaseProfile = 0;
+        if (m_canBeOptimized)
+            slowCaseProfile = m_codeBlock->addSlowCaseProfile(m_bytecodeOffset);
+#endif
 
         switch (m_interpreter->getOpcodeID(currentInstruction->u.opcode)) {
@@ -486 +492 @@
         ASSERT_WITH_MESSAGE(iter == m_slowCases.end() || firstTo != iter->to,"Not enough jumps linked in slow case codegen.");
         ASSERT_WITH_MESSAGE(firstTo == (iter - 1)->to, "Too many jumps linked in slow case codegen.");
+        
+#if ENABLE(VALUE_PROFILER)
+        if (m_canBeOptimized)
+            add32(Imm32(1), AbsoluteAddress(&slowCaseProfile->m_counter));
+#endif
 
         emitJumpSlowToHot(jump(), 0);

trunk/Source/JavaScriptCore/jit/JIT.h

@@ -296 +296 @@
         void addSlowCase(Jump);
         void addSlowCase(JumpList);
+        void addSlowCase();
         void addJump(Jump, int);
         void emitJumpSlowToHot(Jump, int);
@@ -973 +974 @@
             ++iter;
         }
+        void linkDummySlowCase(Vector<SlowCaseEntry>::iterator& iter)
+        {
+            ASSERT(!iter->from.isSet());
+            ++iter;
+        }
         void linkSlowCaseIfNotJSCell(Vector<SlowCaseEntry>::iterator&, int vReg);
 

trunk/Source/JavaScriptCore/jit/JITArithmetic.cpp

@@ -628 +628 @@
     move(regT0, regT1);
     emitJumpSlowCaseIfNotImmediateInteger(regT0);
-    addSlowCase(branchSub32(Zero, TrustedImm32(1), regT1));
+    addSlowCase(branchSub32(Overflow, TrustedImm32(1), regT1));
     emitFastArithIntToImmNoCheck(regT1, regT1);
     emitPutVirtualRegister(srcDst, regT1);
@@ -677 +677 @@
     emitGetVirtualRegister(srcDst, regT0);
     emitJumpSlowCaseIfNotImmediateInteger(regT0);
-    addSlowCase(branchSub32(Zero, TrustedImm32(1), regT0));
+    addSlowCase(branchSub32(Overflow, TrustedImm32(1), regT0));
     emitFastArithIntToImmNoCheck(regT0, regT0);
     emitPutVirtualRegister(srcDst);
@@ -785 +785 @@
     else {
         ASSERT(opcodeID == op_mul);
+#if ENABLE(VALUE_PROFILER)
+        if (m_canBeOptimized) {
+            // We want to be able to measure if this is taking the slow case just
+            // because of negative zero. If this produces positive zero, then we
+            // don't want the slow case to be taken because that will throw off
+            // speculative compilation.
+            move(regT0, regT2);
+            addSlowCase(branchMul32(Overflow, regT1, regT2));
+            JumpList done;
+            done.append(branchTest32(NonZero, regT2));
+            Jump negativeZero = branch32(LessThan, regT0, Imm32(0));
+            done.append(branch32(GreaterThanOrEqual, regT1, Imm32(0)));
+            negativeZero.link(this);
+            // We only get here if we have a genuine negative zero. Record this,
+            // so that the speculative JIT knows that we failed speculation
+            // because of a negative zero.
+            add32(Imm32(1), AbsoluteAddress(&m_codeBlock->addSpecialFastCaseProfile(m_bytecodeOffset)->m_counter));
+            addSlowCase(jump());
+            done.link(this);
+            move(regT2, regT0);
+        } else {
+            addSlowCase(branchMul32(Overflow, regT1, regT0));
+            addSlowCase(branchTest32(Zero, regT0));
+        }
+#else
         addSlowCase(branchMul32(Overflow, regT1, regT0));
         addSlowCase(branchTest32(Zero, regT0));
+#endif
     }
     emitFastArithIntToImmNoCheck(regT0, regT0);
@@ -888 +914 @@
 
     if (!types.first().mightBeNumber() || !types.second().mightBeNumber()) {
+        addSlowCase();
         JITStubCall stubCall(this, cti_op_add);
         stubCall.addArgument(op1, regT2);
@@ -918 +945 @@
     OperandTypes types = OperandTypes::fromInt(currentInstruction[4].u.operand);
 
-    if (!types.first().mightBeNumber() || !types.second().mightBeNumber())
+    if (!types.first().mightBeNumber() || !types.second().mightBeNumber()) {
+        linkDummySlowCase(iter);
         return;
+    }
 
     bool op1HasImmediateIntFastCase = isOperandConstantImmediateInt(op1);

trunk/Source/JavaScriptCore/jit/JITInlineMethods.h

@@ -300 +300 @@
 }
 
+ALWAYS_INLINE void JIT::addSlowCase()
+{
+    ASSERT(m_bytecodeOffset != (unsigned)-1); // This method should only be called during hot/cold path generation, so that m_bytecodeOffset is set.
+    
+    Jump emptyJump; // Doing it this way to make Windows happy.
+    m_slowCases.append(SlowCaseEntry(emptyJump, m_bytecodeOffset));
+}
+
 ALWAYS_INLINE void JIT::addJump(Jump jump, int relativeOffset)
 {