Changeset 97030 in webkit

Timestamp:

Oct 9, 2011 1:07:36 PM (13 years ago)

Author:

fpizlo@apple.com

Message:

DFG should not always speculate that a ByVal access has an integer index
​https://bugs.webkit.org/show_bug.cgi?id=69716

Reviewed by Oliver Hunt.

1% win on SunSpider, neutral elsewhere.

• dfg/DFGJITCodeGenerator.h:

(JSC::DFG::callOperation):

• dfg/DFGNode.h:
• dfg/DFGOperations.cpp:
• dfg/DFGOperations.h:
• dfg/DFGPropagator.cpp:

(JSC::DFG::Propagator::byValHasIntBase):
(JSC::DFG::Propagator::clobbersWorld):
(JSC::DFG::Propagator::getMethodLoadElimination):
(JSC::DFG::Propagator::checkStructureLoadElimination):
(JSC::DFG::Propagator::getByOffsetLoadElimination):
(JSC::DFG::Propagator::getPropertyStorageLoadElimination):
(JSC::DFG::Propagator::performNodeCSE):

• dfg/DFGSpeculativeJIT32_64.cpp:

(JSC::DFG::SpeculativeJIT::compile):

• dfg/DFGSpeculativeJIT64.cpp:

(JSC::DFG::SpeculativeJIT::compile):

Location:

trunk/Source/JavaScriptCore

Files:

• ChangeLog (modified) (1 diff)
• dfg/DFGJITCodeGenerator.h (modified) (4 diffs)
• dfg/DFGNode.h (modified) (1 diff)
• dfg/DFGOperations.cpp (modified) (2 diffs)
• dfg/DFGOperations.h (modified) (4 diffs)
• dfg/DFGPropagator.cpp (modified) (7 diffs)
• dfg/DFGSpeculativeJIT32_64.cpp (modified) (2 diffs)
• dfg/DFGSpeculativeJIT64.cpp (modified) (3 diffs)

trunk/Source/JavaScriptCore/ChangeLog

@@ +1 @@
+2011-10-09  Filip Pizlo  <fpizlo@apple.com>
+
+        DFG should not always speculate that a ByVal access has an integer index
+        https://bugs.webkit.org/show_bug.cgi?id=69716
+
+        Reviewed by Oliver Hunt.
+        
+        1% win on SunSpider, neutral elsewhere.
+
+        * dfg/DFGJITCodeGenerator.h:
+        (JSC::DFG::callOperation):
+        * dfg/DFGNode.h:
+        * dfg/DFGOperations.cpp:
+        * dfg/DFGOperations.h:
+        * dfg/DFGPropagator.cpp:
+        (JSC::DFG::Propagator::byValHasIntBase):
+        (JSC::DFG::Propagator::clobbersWorld):
+        (JSC::DFG::Propagator::getMethodLoadElimination):
+        (JSC::DFG::Propagator::checkStructureLoadElimination):
+        (JSC::DFG::Propagator::getByOffsetLoadElimination):
+        (JSC::DFG::Propagator::getPropertyStorageLoadElimination):
+        (JSC::DFG::Propagator::performNodeCSE):
+        * dfg/DFGSpeculativeJIT32_64.cpp:
+        (JSC::DFG::SpeculativeJIT::compile):
+        * dfg/DFGSpeculativeJIT64.cpp:
+        (JSC::DFG::SpeculativeJIT::compile):
+
 2011-10-09  Yuqiang Xian  <yuqiang.xian@intel.com>
 

trunk/Source/JavaScriptCore/dfg/DFGJITCodeGenerator.h

@@ -1155 +1155 @@
         m_jit.move(GPRInfo::returnValueGPR, result);
     }
+    void callOperation(J_DFGOperation_ECJ operation, GPRReg result, GPRReg arg1, GPRReg arg2)
+    {
+        setupStubArguments(arg1, arg2);
+        m_jit.move(GPRInfo::callFrameRegister, GPRInfo::argumentGPR0);
+
+        appendCallWithExceptionCheck(operation);
+        m_jit.move(GPRInfo::returnValueGPR, result);
+    }
     void callOperation(V_DFGOperation_EJJP operation, GPRReg arg1, GPRReg arg2, void* pointer)
     {
@@ -1168 +1176 @@
     }
     void callOperation(V_DFGOperation_EJJJ operation, GPRReg arg1, GPRReg arg2, GPRReg arg3)
+    {
+        setupStubArguments(arg1, arg2, arg3);
+        m_jit.move(GPRInfo::callFrameRegister, GPRInfo::argumentGPR0);
+
+        appendCallWithExceptionCheck(operation);
+    }
+    void callOperation(V_DFGOperation_ECJJ operation, GPRReg arg1, GPRReg arg2, GPRReg arg3)
     {
         setupStubArguments(arg1, arg2, arg3);
@@ -1329 +1344 @@
         setupResults(resultTag, resultPayload);
     }
+    void callOperation(J_DFGOperation_ECJ operation, GPRReg resultTag, GPRReg resultPayload, GPRReg arg1, GPRReg arg2Tag, GPRReg arg2Payload)
+    {
+        m_jit.push(arg2Tag);
+        m_jit.push(arg2Payload);
+        m_jit.push(arg1);
+        m_jit.push(GPRInfo::callFrameRegister);
+
+        appendCallWithExceptionCheck(operation);
+        setupResults(resultTag, resultPayload);
+    }
     void callOperation(V_DFGOperation_EJJP operation, GPRReg arg1Tag, GPRReg arg1Payload, GPRReg arg2Tag, GPRReg arg2Payload, void* pointer)
     {
@@ -1352 +1377 @@
         m_jit.push(arg1Tag);
         m_jit.push(arg1Payload);
+        m_jit.push(GPRInfo::callFrameRegister);
+
+        appendCallWithExceptionCheck(operation);
+    }
+    void callOperation(V_DFGOperation_ECJJ operation, GPRReg arg1, GPRReg arg2Tag, GPRReg arg2Payload, GPRReg arg3Tag, GPRReg arg3Payload)
+    {
+        m_jit.push(arg3Tag);
+        m_jit.push(arg3Payload);
+        m_jit.push(arg2Tag);
+        m_jit.push(arg2Payload);
+        m_jit.push(arg1);
         m_jit.push(GPRInfo::callFrameRegister);
 

trunk/Source/JavaScriptCore/dfg/DFGNode.h

@@ -322 +322 @@
     /* Since a put to 'length' may invalidate optimizations here, */\
     /* this must be the directly subsequent property put. */\
-    macro(GetByVal, NodeResultJS | NodeMustGenerate) \
+    macro(GetByVal, NodeResultJS | NodeMustGenerate | NodeMightClobber) \
     macro(PutByVal, NodeMustGenerate | NodeClobbersWorld) \
     macro(PutByValAlias, NodeMustGenerate | NodeClobbersWorld) \

trunk/Source/JavaScriptCore/dfg/DFGOperations.cpp

@@ -264 +264 @@
 }
 
+EncodedJSValue DFG_OPERATION operationGetByValCell(ExecState* exec, JSCell* base, EncodedJSValue encodedProperty)
+{
+    JSValue property = JSValue::decode(encodedProperty);
+
+    if (property.isUInt32())
+        return getByVal(exec, base, property.asUInt32());
+    if (property.isDouble()) {
+        double propertyAsDouble = property.asDouble();
+        uint32_t propertyAsUInt32 = static_cast<uint32_t>(propertyAsDouble);
+        if (propertyAsUInt32 == propertyAsDouble)
+            return getByVal(exec, base, propertyAsUInt32);
+    } else if (property.isString()) {
+        if (JSValue result = base->fastGetOwnProperty(exec, asString(property)->value(exec)))
+            return JSValue::encode(result);
+    }
+
+    Identifier ident(exec, property.toString(exec));
+    return JSValue::encode(JSValue(base).get(exec, ident));
+}
+
 EncodedJSValue DFG_OPERATION operationGetById(ExecState* exec, EncodedJSValue encodedBase, Identifier* propertyName)
 {
@@ -365 +385 @@
 {
     operationPutByValInternal<false>(exec, encodedBase, encodedProperty, encodedValue);
+}
+
+void DFG_OPERATION operationPutByValCellStrict(ExecState* exec, JSCell* cell, EncodedJSValue encodedProperty, EncodedJSValue encodedValue)
+{
+    operationPutByValInternal<true>(exec, JSValue::encode(cell), encodedProperty, encodedValue);
+}
+
+void DFG_OPERATION operationPutByValCellNonStrict(ExecState* exec, JSCell* cell, EncodedJSValue encodedProperty, EncodedJSValue encodedValue)
+{
+    operationPutByValInternal<false>(exec, JSValue::encode(cell), encodedProperty, encodedValue);
 }
 

trunk/Source/JavaScriptCore/dfg/DFGOperations.h

@@ -55 +55 @@
 typedef EncodedJSValue DFG_OPERATION (*J_DFGOperation_EA)(ExecState*, JSArray*);
 typedef EncodedJSValue DFG_OPERATION (*J_DFGOperation_EJA)(ExecState*, EncodedJSValue, JSArray*);
+typedef EncodedJSValue DFG_OPERATION (*J_DFGOperation_ECJ)(ExecState*, JSCell*, EncodedJSValue);
 typedef EncodedJSValue DFG_OPERATION (*J_DFGOperation_EJJ)(ExecState*, EncodedJSValue, EncodedJSValue);
 typedef EncodedJSValue DFG_OPERATION (*J_DFGOperation_EJ)(ExecState*, EncodedJSValue);
@@ -66 +67 @@
 typedef RegisterSizedBoolean DFG_OPERATION (*Z_DFGOperation_EJJ)(ExecState*, EncodedJSValue, EncodedJSValue);
 typedef void DFG_OPERATION (*V_DFGOperation_EJJJ)(ExecState*, EncodedJSValue, EncodedJSValue, EncodedJSValue);
+typedef void DFG_OPERATION (*V_DFGOperation_ECJJ)(ExecState*, JSCell*, EncodedJSValue, EncodedJSValue);
 typedef void DFG_OPERATION (*V_DFGOperation_EJJP)(ExecState*, EncodedJSValue, EncodedJSValue, void*);
 typedef void DFG_OPERATION (*V_DFGOperation_EJJI)(ExecState*, EncodedJSValue, EncodedJSValue, Identifier*);
@@ -83 +85 @@
 EncodedJSValue DFG_OPERATION operationArithMod(EncodedJSValue encodedOp1, EncodedJSValue encodedOp2);
 EncodedJSValue DFG_OPERATION operationGetByVal(ExecState*, EncodedJSValue encodedBase, EncodedJSValue encodedProperty);
+EncodedJSValue DFG_OPERATION operationGetByValCell(ExecState*, JSCell*, EncodedJSValue encodedProperty);
 EncodedJSValue DFG_OPERATION operationGetById(ExecState*, EncodedJSValue encodedBase, Identifier*);
 EncodedJSValue DFG_OPERATION operationGetByIdBuildList(ExecState*, EncodedJSValue encodedBase, Identifier*);
@@ -101 +104 @@
 void DFG_OPERATION operationPutByValStrict(ExecState*, EncodedJSValue encodedBase, EncodedJSValue encodedProperty, EncodedJSValue encodedValue);
 void DFG_OPERATION operationPutByValNonStrict(ExecState*, EncodedJSValue encodedBase, EncodedJSValue encodedProperty, EncodedJSValue encodedValue);
+void DFG_OPERATION operationPutByValCellStrict(ExecState*, JSCell*, EncodedJSValue encodedProperty, EncodedJSValue encodedValue);
+void DFG_OPERATION operationPutByValCellNonStrict(ExecState*, JSCell*, EncodedJSValue encodedProperty, EncodedJSValue encodedValue);
 void DFG_OPERATION operationPutByValBeyondArrayBounds(ExecState*, JSArray*, int32_t index, EncodedJSValue encodedValue);
 EncodedJSValue DFG_OPERATION operationArrayPush(ExecState*, EncodedJSValue encodedValue, JSArray*);

trunk/Source/JavaScriptCore/dfg/DFGPropagator.cpp

@@ -881 +881 @@
     }
     
+    bool byValHasIntBase(Node& node)
+    {
+        PredictedType prediction = m_graph[node.child2()].prediction();
+        return (prediction & PredictInt32) || !prediction;
+    }
+    
     bool clobbersWorld(NodeIndex nodeIndex)
     {
@@ -898 +904 @@
         case LogicalNot:
             return !logicalNotIsPure(node);
+        case GetByVal:
+            return !byValHasIntBase(node);
         default:
             ASSERT_NOT_REACHED();
@@ -1012 +1020 @@
             case PutByVal:
             case PutByValAlias:
-                // PutByVal currently always speculates that it's accessing an array with an
-                // integer index, which means that it's impossible for it to cause a structure
-                // change.
-                break;
+                if (byValHasIntBase(node)) {
+                    // If PutByVal speculates that it's accessing an array with an
+                    // integer index, then it's impossible for it to cause a structure
+                    // change.
+                    break;
+                }
+                return NoNode;
                 
             case ArrayPush:
@@ -1077 +1088 @@
             case PutByVal:
             case PutByValAlias:
-                // PutByVal currently always speculates that it's accessing an array with an
-                // integer index, which means that it's impossible for it to cause a structure
-                // change.
-                break;
+                if (byValHasIntBase(node)) {
+                    // If PutByVal speculates that it's accessing an array with an
+                    // integer index, then it's impossible for it to cause a structure
+                    // change.
+                    break;
+                }
+                return false;
                 
             default:
@@ -1117 +1131 @@
             case PutByVal:
             case PutByValAlias:
-                // PutByVal currently always speculates that it's accessing an array with an
-                // integer index, which means that it's impossible for it to cause a structure
-                // change.
-                break;
+                if (byValHasIntBase(node)) {
+                    // If PutByVal speculates that it's accessing an array with an
+                    // integer index, then it's impossible for it to cause a structure
+                    // change.
+                    break;
+                }
+                return NoNode;
                 
             default:
@@ -1150 +1167 @@
             case PutByVal:
             case PutByValAlias:
-                // PutByVal currently always speculates that it's accessing an array with an
-                // integer index, which means that it's impossible for it to cause a structure
-                // change.
-                break;
+                if (byValHasIntBase(node)) {
+                    // If PutByVal speculates that it's accessing an array with an
+                    // integer index, then it's impossible for it to cause a structure
+                    // change.
+                    break;
+                }
+                return NoNode;
                 
             default:
@@ -1322 +1342 @@
             
         case GetByVal:
-            setReplacement(getByValLoadElimination(node.child1(), node.child2()));
+            if (byValHasIntBase(node))
+                setReplacement(getByValLoadElimination(node.child1(), node.child2()));
             break;
             
         case PutByVal:
-            if (getByValLoadElimination(node.child1(), node.child2()) != NoNode)
+            if (byValHasIntBase(node) && getByValLoadElimination(node.child1(), node.child2()) != NoNode)
                 node.op = PutByValAlias;
             break;

trunk/Source/JavaScriptCore/dfg/DFGSpeculativeJIT32_64.cpp

@@ -1273 +1273 @@
 
     case GetByVal: {
+        PredictedType basePrediction = at(node.child2()).prediction();
+        if (!(basePrediction & PredictInt32) && basePrediction) {
+            SpeculateCellOperand base(this, node.child1()); // Save a register, speculate cell. We'll probably be right.
+            JSValueOperand property(this, node.child2());
+            GPRReg baseGPR = base.gpr();
+            GPRReg propertyTagGPR = property.tagGPR();
+            GPRReg propertyPayloadGPR = property.payloadGPR();
+            
+            flushRegisters();
+            GPRResult2 resultTag(this);
+            GPRResult resultPayload(this);
+            callOperation(operationGetByValCell, resultTag.gpr(), resultPayload.gpr(), baseGPR, propertyTagGPR, propertyPayloadGPR);
+            
+            jsValueResult(resultTag.gpr(), resultPayload.gpr(), m_compileIndex);
+            break;
+        }
+
         if (at(node.child1()).prediction() == PredictString) {
             compileGetByValOnString(node);
@@ -1315 +1332 @@
 
     case PutByVal: {
+        PredictedType basePrediction = at(node.child2()).prediction();
+        if (!(basePrediction & PredictInt32) && basePrediction) {
+            SpeculateCellOperand base(this, node.child1()); // Save a register, speculate cell. We'll probably be right.
+            JSValueOperand property(this, node.child2());
+            JSValueOperand value(this, node.child3());
+            GPRReg baseGPR = base.gpr();
+            GPRReg propertyTagGPR = property.tagGPR();
+            GPRReg propertyPayloadGPR = property.payloadGPR();
+            GPRReg valueTagGPR = value.tagGPR();
+            GPRReg valuePayloadGPR = value.payloadGPR();
+            
+            flushRegisters();
+            callOperation(m_jit.codeBlock()->isStrictMode() ? operationPutByValCellStrict : operationPutByValCellNonStrict, baseGPR, propertyTagGPR, propertyPayloadGPR, valueTagGPR, valuePayloadGPR);
+            
+            noResult(m_compileIndex);
+            break;
+        }
+
         SpeculateCellOperand base(this, node.child1());
         SpeculateStrictInt32Operand property(this, node.child2());

trunk/Source/JavaScriptCore/dfg/DFGSpeculativeJIT64.cpp

@@ -1384 +1384 @@
 
     case GetByVal: {
+        PredictedType basePrediction = at(node.child2()).prediction();
+        if (!(basePrediction & PredictInt32) && basePrediction) {
+            JSValueOperand base(this, node.child1());
+            JSValueOperand property(this, node.child2());
+            GPRReg baseGPR = base.gpr();
+            GPRReg propertyGPR = property.gpr();
+            
+            flushRegisters();
+            GPRResult result(this);
+            callOperation(operationGetByVal, result.gpr(), baseGPR, propertyGPR);
+            
+            jsValueResult(result.gpr(), m_compileIndex);
+            break;
+        }
+        
         if (at(node.child1()).prediction() == PredictString) {
             compileGetByValOnString(node);
@@ -1425 +1440 @@
 
     case PutByVal: {
+        PredictedType basePrediction = at(node.child2()).prediction();
+        if (!(basePrediction & PredictInt32) && basePrediction) {
+            JSValueOperand arg1(this, node.child1());
+            JSValueOperand arg2(this, node.child2());
+            JSValueOperand arg3(this, node.child3());
+            GPRReg arg1GPR = arg1.gpr();
+            GPRReg arg2GPR = arg2.gpr();
+            GPRReg arg3GPR = arg3.gpr();
+            flushRegisters();
+            
+            callOperation(m_jit.codeBlock()->isStrictMode() ? operationPutByValStrict : operationPutByValNonStrict, arg1GPR, arg2GPR, arg3GPR);
+            
+            noResult(m_compileIndex);
+            break;
+        }
+
         SpeculateCellOperand base(this, node.child1());
         SpeculateStrictInt32Operand property(this, node.child2());
@@ -1489 +1520 @@
 
     case PutByValAlias: {
+        PredictedType basePrediction = at(node.child2()).prediction();
+        ASSERT_UNUSED(basePrediction, (basePrediction & PredictInt32) || !basePrediction);
+            
         SpeculateCellOperand base(this, node.child1());
         SpeculateStrictInt32Operand property(this, node.child2());