Changeset 95672 in webkit

Timestamp:

Sep 21, 2011 3:17:06 PM (13 years ago)

Author:

fpizlo@apple.com

Message:

DFG does not support compiling functions as constructors
​https://bugs.webkit.org/show_bug.cgi?id=68500

Reviewed by Oliver Hunt.

This adds support for compiling constructors to the DFG. It's a
1% speed-up on V8, mostly due to a 6% speed-up on early-boyer.
It's also a 13% win on access-binary-trees, but it's neutral in
the SunSpider and Kraken averages.

• dfg/DFGByteCodeParser.cpp:

(JSC::DFG::ByteCodeParser::parseBlock):

• dfg/DFGCapabilities.h:

(JSC::DFG::mightCompileFunctionForConstruct):
(JSC::DFG::canCompileOpcode):

• dfg/DFGNode.h:
• dfg/DFGOperations.cpp:
• dfg/DFGOperations.h:
• dfg/DFGPropagator.cpp:

(JSC::DFG::Propagator::propagateNodePredictions):
(JSC::DFG::Propagator::performNodeCSE):

• dfg/DFGSpeculativeJIT.cpp:

(JSC::DFG::SpeculativeJIT::compile):

• runtime/Executable.cpp:

(JSC::FunctionExecutable::compileOptimizedForConstruct):
(JSC::FunctionExecutable::compileForConstructInternal):

• runtime/Executable.h:

(JSC::FunctionExecutable::compileForConstruct):
(JSC::FunctionExecutable::compileFor):
(JSC::FunctionExecutable::compileOptimizedFor):

Location:

trunk/Source/JavaScriptCore

Files:

• ChangeLog (modified) (1 diff)
• dfg/DFGByteCodeParser.cpp (modified) (1 diff)
• dfg/DFGCapabilities.h (modified) (2 diffs)
• dfg/DFGNode.h (modified) (1 diff)
• dfg/DFGOperations.cpp (modified) (1 diff)
• dfg/DFGOperations.h (modified) (1 diff)
• dfg/DFGPropagator.cpp (modified) (2 diffs)
• dfg/DFGSpeculativeJIT.cpp (modified) (1 diff)
• runtime/Executable.cpp (modified) (4 diffs)
• runtime/Executable.h (modified) (4 diffs)

trunk/Source/JavaScriptCore/ChangeLog

@@ +1 @@
+2011-09-21  Filip Pizlo  <fpizlo@apple.com>
+
+        DFG does not support compiling functions as constructors
+        https://bugs.webkit.org/show_bug.cgi?id=68500
+
+        Reviewed by Oliver Hunt.
+        
+        This adds support for compiling constructors to the DFG. It's a
+        1% speed-up on V8, mostly due to a 6% speed-up on early-boyer.
+        It's also a 13% win on access-binary-trees, but it's neutral in
+        the SunSpider and Kraken averages.
+
+        * dfg/DFGByteCodeParser.cpp:
+        (JSC::DFG::ByteCodeParser::parseBlock):
+        * dfg/DFGCapabilities.h:
+        (JSC::DFG::mightCompileFunctionForConstruct):
+        (JSC::DFG::canCompileOpcode):
+        * dfg/DFGNode.h:
+        * dfg/DFGOperations.cpp:
+        * dfg/DFGOperations.h:
+        * dfg/DFGPropagator.cpp:
+        (JSC::DFG::Propagator::propagateNodePredictions):
+        (JSC::DFG::Propagator::performNodeCSE):
+        * dfg/DFGSpeculativeJIT.cpp:
+        (JSC::DFG::SpeculativeJIT::compile):
+        * runtime/Executable.cpp:
+        (JSC::FunctionExecutable::compileOptimizedForConstruct):
+        (JSC::FunctionExecutable::compileForConstructInternal):
+        * runtime/Executable.h:
+        (JSC::FunctionExecutable::compileForConstruct):
+        (JSC::FunctionExecutable::compileFor):
+        (JSC::FunctionExecutable::compileOptimizedFor):
+
 2011-09-21  Gavin Barraclough  <barraclough@apple.com>
 

trunk/Source/JavaScriptCore/dfg/DFGByteCodeParser.cpp

@@ -729 +729 @@
             setThis(addToGraph(ConvertThis, op1));
             NEXT_OPCODE(op_convert_this);
+        }
+
+        case op_create_this: {
+            NodeIndex op1 = get(currentInstruction[2].u.operand);
+            set(currentInstruction[1].u.operand, addToGraph(CreateThis, op1));
+            NEXT_OPCODE(op_create_this);
+        }
+            
+        case op_get_callee: {
+            set(currentInstruction[1].u.operand, addToGraph(GetCallee));
+            NEXT_OPCODE(op_get_callee);
         }
 

trunk/Source/JavaScriptCore/dfg/DFGCapabilities.h

@@ -38 +38 @@
 inline bool mightCompileProgram(CodeBlock*) { return true; }
 inline bool mightCompileFunctionForCall(CodeBlock*) { return true; }
-inline bool mightCompileFunctionForConstruct(CodeBlock*) { return false; }
+inline bool mightCompileFunctionForConstruct(CodeBlock*) { return true; }
 
 // Opcode checking.
@@ -46 +46 @@
     case op_enter:
     case op_convert_this:
+    case op_create_this:
+    case op_get_callee:
     case op_bitand:
     case op_bitor:

trunk/Source/JavaScriptCore/dfg/DFGNode.h

@@ -212 +212 @@
     /* Nodes for constants. */\
     macro(JSConstant, NodeResultJS) \
+    \
+    /* Nodes for handling functions (both as call and as construct). */\
     macro(ConvertThis, NodeResultJS) \
+    macro(CreateThis, NodeResultJS) /* Note this is not MustGenerate since we're returning it anyway. */ \
+    macro(GetCallee, NodeResultJS) \
     \
     /* Nodes for local variable access. */\

trunk/Source/JavaScriptCore/dfg/DFGOperations.cpp

@@ -120 +120 @@
 }
 
+EncodedJSValue operationCreateThis(ExecState* exec, EncodedJSValue encodedOp)
+{
+    JSFunction* constructor = asFunction(exec->callee());
+    
+#if !ASSERT_DISABLED
+    ConstructData constructData;
+    ASSERT(constructor->getConstructData(constructData) == ConstructTypeJS);
+#endif
+    
+    JSGlobalData& globalData = exec->globalData();
+    
+    Structure* structure;
+    JSValue proto = JSValue::decode(encodedOp);
+    if (proto.isObject())
+        structure = asObject(proto)->inheritorID(globalData);
+    else
+        structure = constructor->scope()->globalObject->emptyObjectStructure();
+    
+    return JSValue::encode(constructEmptyObject(exec, structure));
+}
+
 EncodedJSValue operationValueAdd(ExecState* exec, EncodedJSValue encodedOp1, EncodedJSValue encodedOp2)
 {

trunk/Source/JavaScriptCore/dfg/DFGOperations.h

@@ -57 +57 @@
 // These routines are provide callbacks out to C++ implementations of operations too complex to JIT.
 EncodedJSValue operationConvertThis(ExecState*, EncodedJSValue encodedOp1);
+EncodedJSValue operationCreateThis(ExecState*, EncodedJSValue encodedOp1);
 EncodedJSValue operationValueAdd(ExecState*, EncodedJSValue encodedOp1, EncodedJSValue encodedOp2);
 EncodedJSValue operationValueAddNotNumber(ExecState*, EncodedJSValue encodedOp1, EncodedJSValue encodedOp2);

trunk/Source/JavaScriptCore/dfg/DFGPropagator.cpp

@@ -534 +534 @@
             break;
         }
+            
+        case GetCallee: {
+            changed |= setPrediction(makePrediction(PredictObjectOther, StrongPrediction));
+            break;
+        }
+            
+        case CreateThis: {
+            changed |= mergeUse(node.child1(), PredictObjectUnknown | StrongPredictionTag);
+            changed |= setPrediction(makePrediction(PredictFinalObject, StrongPrediction));
+            break;
+        }
 
 #ifndef NDEBUG
@@ -1019 +1030 @@
         case ArithMax:
         case ArithSqrt:
+        case GetCallee:
             setReplacement(pureCSE(node));
             break;

trunk/Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp

@@ -1528 +1528 @@
         break;
     }
+        
+    case CreateThis: {
+        // Note that there is not so much profit to speculate here. The only things we
+        // speculate on are (1) that it's a cell, since that eliminates cell checks
+        // later if the proto is reused, and (2) if we have a FinalObject prediction
+        // then we speculate because we want to get recompiled if it isn't (since
+        // otherwise we'd start taking slow path a lot).
+        
+        SpeculateCellOperand proto(this, node.child1());
+        GPRTemporary result(this);
+        GPRTemporary scratch(this);
+        
+        GPRReg protoGPR = proto.gpr();
+        GPRReg resultGPR = result.gpr();
+        GPRReg scratchGPR = scratch.gpr();
+        
+        proto.use();
+        
+        MacroAssembler::JumpList slowPath;
+        
+        // Need to verify that the prototype is an object. If we have reason to believe
+        // that it's a FinalObject then we speculate on that directly. Otherwise we
+        // do the slow (structure-based) check.
+        if (shouldSpeculateFinalObject(node.child1()))
+            speculationCheck(m_jit.branchPtr(MacroAssembler::NotEqual, MacroAssembler::Address(protoGPR), MacroAssembler::TrustedImmPtr(m_jit.globalData()->jsFinalObjectVPtr)));
+        else {
+            m_jit.loadPtr(MacroAssembler::Address(protoGPR, JSCell::structureOffset()), scratchGPR);
+            slowPath.append(m_jit.branch8(MacroAssembler::Below, MacroAssembler::Address(scratchGPR, Structure::typeInfoTypeOffset()), MacroAssembler::TrustedImm32(ObjectType)));
+        }
+        
+        // Load the inheritorID (the Structure that objects who have protoGPR as the prototype
+        // use to refer to that prototype). If the inheritorID is not set, go to slow path.
+        m_jit.loadPtr(MacroAssembler::Address(protoGPR, JSObject::offsetOfInheritorID()), scratchGPR);
+        slowPath.append(m_jit.branchTestPtr(MacroAssembler::Zero, scratchGPR));
+        
+        MarkedSpace::SizeClass* sizeClass = &m_jit.globalData()->heap.sizeClassForObject(sizeof(JSFinalObject));
+        
+        m_jit.loadPtr(&sizeClass->firstFreeCell, resultGPR);
+        slowPath.append(m_jit.branchTestPtr(MacroAssembler::Zero, resultGPR));
+        
+        // The object is half-allocated: we have what we know is a fresh object, but
+        // it's still on the GC's free list.
+        
+        // Ditch the inheritorID by placing it into the structure, so that we can reuse
+        // scratchGPR.
+        m_jit.storePtr(scratchGPR, MacroAssembler::Address(resultGPR, JSObject::structureOffset()));
+        
+        // Now that we have scratchGPR back, remove the object from the free list
+        m_jit.loadPtr(MacroAssembler::Address(resultGPR), scratchGPR);
+        m_jit.storePtr(scratchGPR, &sizeClass->firstFreeCell);
+        
+        // Initialize the object's vtable
+        m_jit.storePtr(MacroAssembler::TrustedImmPtr(m_jit.globalData()->jsFinalObjectVPtr), MacroAssembler::Address(resultGPR));
+        
+        // Initialize the object's inheritorID.
+        m_jit.storePtr(MacroAssembler::TrustedImmPtr(0), MacroAssembler::Address(resultGPR, JSObject::offsetOfInheritorID()));
+        
+        // Initialize the object's property storage pointer.
+        m_jit.addPtr(MacroAssembler::TrustedImm32(sizeof(JSObject)), resultGPR, scratchGPR);
+        m_jit.storePtr(scratchGPR, MacroAssembler::Address(resultGPR, JSFinalObject::offsetOfPropertyStorage()));
+        
+        MacroAssembler::Jump done = m_jit.jump();
+        
+        slowPath.link(&m_jit);
+        
+        silentSpillAllRegisters(resultGPR);
+        m_jit.move(protoGPR, GPRInfo::argumentGPR1);
+        m_jit.move(GPRInfo::callFrameRegister, GPRInfo::argumentGPR0);
+        appendCallWithExceptionCheck(operationCreateThis);
+        m_jit.move(GPRInfo::returnValueGPR, resultGPR);
+        silentFillAllRegisters(resultGPR);
+        
+        done.link(&m_jit);
+        
+        cellResult(resultGPR, m_compileIndex, UseChildrenCalledExplicitly);
+        break;
+    }
+        
+    case GetCallee: {
+        GPRTemporary result(this);
+        m_jit.loadPtr(JITCompiler::addressFor(static_cast<VirtualRegister>(RegisterFile::Callee)), result.gpr());
+        cellResult(result.gpr(), m_compileIndex);
+        break;
+    }
 
     case GetById: {

trunk/Source/JavaScriptCore/runtime/Executable.cpp

@@ -371 +371 @@
 }
 
-JSObject* FunctionExecutable::compileOptimizedForConstruct(ExecState* exec, ScopeChainNode* scopeChainNode)
+JSObject* FunctionExecutable::compileOptimizedForConstruct(ExecState* exec, ScopeChainNode* scopeChainNode, ExecState* calleeArgsExec)
 {
     ASSERT(exec->globalData().dynamicGlobalObject);
@@ -377 +377 @@
     JSObject* error = 0;
     if (m_codeBlockForConstruct->getJITType() != JITCode::topTierJIT())
-        error = compileForConstructInternal(exec, scopeChainNode, JITCode::nextTierJIT(m_codeBlockForConstruct->getJITType()));
+        error = compileForConstructInternal(exec, scopeChainNode, calleeArgsExec, JITCode::nextTierJIT(m_codeBlockForConstruct->getJITType()));
     ASSERT(!!m_codeBlockForConstruct);
     return error;
@@ -460 +460 @@
 }
 
-JSObject* FunctionExecutable::compileForConstructInternal(ExecState* exec, ScopeChainNode* scopeChainNode, JITCode::JITType jitType)
+JSObject* FunctionExecutable::compileForConstructInternal(ExecState* exec, ScopeChainNode* scopeChainNode, ExecState* calleeArgsExec, JITCode::JITType jitType)
 {
     UNUSED_PARAM(jitType);
@@ -499 +499 @@
     if (exec->globalData().canUseJIT()) {
         bool dfgCompiled = false;
-        // FIXME: Make it possible to compile constructors with DFG.
+        if (jitType == JITCode::DFGJIT)
+            dfgCompiled = DFG::tryCompileFunction(exec, calleeArgsExec, m_codeBlockForConstruct.get(), m_jitCodeForConstruct, m_jitCodeForConstructWithArityCheck);
         if (dfgCompiled) {
             if (m_codeBlockForConstruct->alternative())

trunk/Source/JavaScriptCore/runtime/Executable.h

@@ -488 +488 @@
         }
 
-        JSObject* compileForConstruct(ExecState* exec, ScopeChainNode* scopeChainNode)
+        JSObject* compileForConstruct(ExecState* exec, ScopeChainNode* scopeChainNode, ExecState* calleeArgsExec = 0)
         {
             ASSERT(exec->globalData().dynamicGlobalObject);
             JSObject* error = 0;
             if (!m_codeBlockForConstruct)
-                error = compileForConstructInternal(exec, scopeChainNode, JITCode::bottomTierJIT());
+                error = compileForConstructInternal(exec, scopeChainNode, calleeArgsExec, JITCode::bottomTierJIT());
             ASSERT(!error == !!m_codeBlockForConstruct);
             return error;
         }
 
-        JSObject* compileOptimizedForConstruct(ExecState*, ScopeChainNode*);
+        JSObject* compileOptimizedForConstruct(ExecState*, ScopeChainNode*, ExecState* calleeArgsExec = 0);
 
         bool isGeneratedForConstruct() const
@@ -522 +522 @@
                 return compileForCall(exec, scopeChainNode, exec);
             ASSERT(kind == CodeForConstruct);
-            return compileForConstruct(exec, scopeChainNode);
+            return compileForConstruct(exec, scopeChainNode, exec);
         }
         
@@ -536 +536 @@
                 return compileOptimizedForCall(exec, scopeChainNode, exec);
             ASSERT(kind == CodeForConstruct);
-            return compileOptimizedForConstruct(exec, scopeChainNode);
+            return compileOptimizedForConstruct(exec, scopeChainNode, exec);
         }
         
@@ -588 +588 @@
 
         JSObject* compileForCallInternal(ExecState*, ScopeChainNode*, ExecState* calleeArgsExec, JITCode::JITType);
-        JSObject* compileForConstructInternal(ExecState*, ScopeChainNode*, JITCode::JITType);
+        JSObject* compileForConstructInternal(ExecState*, ScopeChainNode*, ExecState* calleeArgsExec, JITCode::JITType);
         
         static const unsigned StructureFlags = OverridesVisitChildren | ScriptExecutable::StructureFlags;