Changeset 96184 in webkit
- Timestamp:
- Sep 27, 2011 8:39:36 PM (13 years ago)
- Location:
- trunk/Source/JavaScriptCore
- Files:
-
- 4 edited
Legend:
- Unmodified
- Added
- Removed
-
trunk/Source/JavaScriptCore/ChangeLog
r96178 r96184 1 2011-09-27 Filip Pizlo <fpizlo@apple.com> 2 3 DFG JIT should speculate more aggressively on reads of array.length 4 https://bugs.webkit.org/show_bug.cgi?id=68932 5 6 Reviewed by Oliver Hunt. 7 8 This is a 2% speed-up on Kraken, neutral elsewhere. 9 10 * dfg/DFGNode.h: 11 * dfg/DFGPropagator.cpp: 12 (JSC::DFG::Propagator::propagateNodePredictions): 13 (JSC::DFG::Propagator::fixupNode): 14 (JSC::DFG::Propagator::performNodeCSE): 15 * dfg/DFGSpeculativeJIT.cpp: 16 (JSC::DFG::SpeculativeJIT::compile): 17 1 18 2011-09-27 Gavin Barraclough <barraclough@apple.com> 2 19 -
trunk/Source/JavaScriptCore/dfg/DFGNode.h
r96175 r96184 267 267 macro(CheckStructure, NodeResultStorage | NodeMustGenerate) \ 268 268 macro(GetByOffset, NodeResultJS) \ 269 macro(GetArrayLength, NodeResultInt32) \ 269 270 macro(GetMethod, NodeResultJS | NodeMustGenerate) \ 270 271 macro(CheckMethod, NodeResultJS | NodeMustGenerate) \ -
trunk/Source/JavaScriptCore/dfg/DFGPropagator.cpp
r95930 r96184 376 376 } 377 377 378 case ValueToDouble: {379 // This node should never be visible at this stage of compilation. It is380 // inserted by fixup(), which follows this phase.381 ASSERT_NOT_REACHED();382 break;383 }384 385 378 case ValueAdd: { 386 379 PredictedType left = m_predictions[node.child1()]; … … 547 540 } 548 541 542 case ValueToDouble: 543 case GetArrayLength: { 544 // This node should never be visible at this stage of compilation. It is 545 // inserted by fixup(), which follows this phase. 546 ASSERT_NOT_REACHED(); 547 break; 548 } 549 549 550 #ifndef NDEBUG 550 551 // These get ignored because they don't return anything. … … 679 680 case ArithSqrt: { 680 681 toDouble(node.child1()); 682 break; 683 } 684 685 case GetById: { 686 if (!isArrayPrediction(m_predictions[node.child1()])) 687 break; 688 if (!isInt32Prediction(m_predictions[m_compileIndex])) 689 break; 690 if (m_codeBlock->identifier(node.identifierNumber()) != m_globalData.propertyNames->length) 691 break; 692 693 #if ENABLE(DFG_DEBUG_PROPAGATION_VERBOSE) 694 printf(" @%u -> GetArrayLength", nodeIndex); 695 #endif 696 node.op = GetArrayLength; 681 697 break; 682 698 } … … 1045 1061 case ArithSqrt: 1046 1062 case GetCallee: 1063 case GetArrayLength: 1047 1064 setReplacement(pureCSE(node)); 1048 1065 break; -
trunk/Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp
r96175 r96184 1832 1832 break; 1833 1833 } 1834 1835 case GetArrayLength: { 1836 Node& baseNode = m_jit.graph()[node.child1()]; 1837 SpeculateCellOperand base(this, node.child1()); 1838 GPRTemporary result(this); 1839 1840 GPRReg baseGPR = base.gpr(); 1841 GPRReg resultGPR = result.gpr(); 1842 1843 if (baseNode.op != GetLocal || !isArrayPrediction(m_jit.graph().getPrediction(baseNode.local()))) 1844 speculationCheck(m_jit.branchPtr(MacroAssembler::NotEqual, MacroAssembler::Address(baseGPR), MacroAssembler::TrustedImmPtr(m_jit.globalData()->jsArrayVPtr))); 1845 1846 m_jit.loadPtr(MacroAssembler::Address(baseGPR, JSArray::storageOffset()), resultGPR); 1847 m_jit.load32(MacroAssembler::Address(resultGPR, OBJECT_OFFSETOF(ArrayStorage, m_length)), resultGPR); 1848 1849 speculationCheck(m_jit.branch32(MacroAssembler::LessThan, resultGPR, MacroAssembler::TrustedImm32(0))); 1850 1851 integerResult(resultGPR, m_compileIndex); 1852 break; 1853 } 1834 1854 1835 1855 case CheckStructure: {
Note: See TracChangeset
for help on using the changeset viewer.