Title: [206098] trunk/Source/JavaScriptCore
Revision
206098
Author
utatane....@gmail.com
Date
2016-09-19 10:00:25 -0700 (Mon, 19 Sep 2016)

Log Message

[JSC][LLInt] Introduce is_cell_with_type
https://bugs.webkit.org/show_bug.cgi?id=162132

Reviewed by Sam Weinig.

In this patch, we introduce is_cell_with_type bytecode. This bytecode can unify the following predicates,
op_is_string, op_is_jsarray, op_is_proxy_object, and op_is_derived_array!
And we now drop DFG node IsString since we can use IsCellWithType instead.
This automatically offers optimization to previous IsString node: dropping cell check by using CellUse edge filter.

Later, we are planning to use this is_cell_with_type to optimize @isRegExpObject, @isSet, and @isMap[1].

The performance results are neutral.

[1]: https://bugs.webkit.org/show_bug.cgi?id=162142

* bytecode/BytecodeList.json:
* bytecode/BytecodeUseDef.h:
(JSC::computeUsesForBytecodeOffset):
(JSC::computeDefsForBytecodeOffset):
* bytecode/CodeBlock.cpp:
(JSC::CodeBlock::dumpBytecode):
* bytecode/SpeculatedType.cpp:
(JSC::speculationFromJSType):
* bytecode/SpeculatedType.h:
* bytecompiler/BytecodeGenerator.cpp:
(JSC::BytecodeGenerator::emitEqualityOp):
(JSC::BytecodeGenerator::emitIsCellWithType):
* bytecompiler/BytecodeGenerator.h:
(JSC::BytecodeGenerator::emitIsJSArray):
(JSC::BytecodeGenerator::emitIsProxyObject):
(JSC::BytecodeGenerator::emitIsDerivedArray):
* dfg/DFGAbstractInterpreterInlines.h:
(JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
* dfg/DFGByteCodeParser.cpp:
(JSC::DFG::ByteCodeParser::handleIntrinsicCall):
(JSC::DFG::ByteCodeParser::parseBlock):
* dfg/DFGCapabilities.cpp:
(JSC::DFG::capabilityLevel):
* dfg/DFGClobberize.h:
(JSC::DFG::clobberize):
* dfg/DFGDoesGC.cpp:
(JSC::DFG::doesGC):
* dfg/DFGFixupPhase.cpp:
(JSC::DFG::FixupPhase::fixupNode):
(JSC::DFG::FixupPhase::fixupIsCellWithType):
* dfg/DFGNode.h:
(JSC::DFG::Node::speculatedTypeForQuery):
* dfg/DFGNodeType.h:
* dfg/DFGPredictionPropagationPhase.cpp:
* dfg/DFGSafeToExecute.h:
(JSC::DFG::safeToExecute):
* dfg/DFGSpeculativeJIT32_64.cpp:
(JSC::DFG::SpeculativeJIT::compile):
* dfg/DFGSpeculativeJIT64.cpp:
(JSC::DFG::SpeculativeJIT::compile):
* ftl/FTLCapabilities.cpp:
(JSC::FTL::canCompile):
* ftl/FTLLowerDFGToB3.cpp:
(JSC::FTL::DFG::LowerDFGToB3::compileNode):
(JSC::FTL::DFG::LowerDFGToB3::compileIsString): Deleted.
* jit/JIT.cpp:
(JSC::JIT::privateCompileMainPass):
* jit/JIT.h:
* jit/JITOpcodes.cpp:
(JSC::JIT::emit_op_is_cell_with_type):
(JSC::JIT::emitIsCellWithType): Deleted.
(JSC::JIT::emit_op_is_string): Deleted.
(JSC::JIT::emit_op_is_jsarray): Deleted.
(JSC::JIT::emit_op_is_proxy_object): Deleted.
(JSC::JIT::emit_op_is_derived_array): Deleted.
* jit/JITOpcodes32_64.cpp:
(JSC::JIT::emit_op_is_cell_with_type):
(JSC::JIT::emitIsCellWithType): Deleted.
(JSC::JIT::emit_op_is_string): Deleted.
(JSC::JIT::emit_op_is_jsarray): Deleted.
(JSC::JIT::emit_op_is_proxy_object): Deleted.
(JSC::JIT::emit_op_is_derived_array): Deleted.
* llint/LLIntData.cpp:
(JSC::LLInt::Data::performAssertions):
* llint/LowLevelInterpreter32_64.asm:
* llint/LowLevelInterpreter64.asm:

Diff

Modified: trunk/Source/JavaScriptCore/ChangeLog (206097 => 206098)


--- trunk/Source/_javascript_Core/ChangeLog	2016-09-19 16:01:08 UTC (rev 206097)
+++ trunk/Source/_javascript_Core/ChangeLog	2016-09-19 17:00:25 UTC (rev 206098)
@@ -1,3 +1,88 @@
+2016-09-19  Yusuke Suzuki  <utatane....@gmail.com>
+
+        [JSC][LLInt] Introduce is_cell_with_type
+        https://bugs.webkit.org/show_bug.cgi?id=162132
+
+        Reviewed by Sam Weinig.
+
+        In this patch, we introduce is_cell_with_type bytecode. This bytecode can unify the following predicates,
+        op_is_string, op_is_jsarray, op_is_proxy_object, and op_is_derived_array!
+        And we now drop DFG node IsString since we can use IsCellWithType instead.
+        This automatically offers optimization to previous IsString node: dropping cell check by using CellUse edge filter.
+
+        Later, we are planning to use this is_cell_with_type to optimize @isRegExpObject, @isSet, and @isMap[1].
+
+        The performance results are neutral.
+
+        [1]: https://bugs.webkit.org/show_bug.cgi?id=162142
+
+        * bytecode/BytecodeList.json:
+        * bytecode/BytecodeUseDef.h:
+        (JSC::computeUsesForBytecodeOffset):
+        (JSC::computeDefsForBytecodeOffset):
+        * bytecode/CodeBlock.cpp:
+        (JSC::CodeBlock::dumpBytecode):
+        * bytecode/SpeculatedType.cpp:
+        (JSC::speculationFromJSType):
+        * bytecode/SpeculatedType.h:
+        * bytecompiler/BytecodeGenerator.cpp:
+        (JSC::BytecodeGenerator::emitEqualityOp):
+        (JSC::BytecodeGenerator::emitIsCellWithType):
+        * bytecompiler/BytecodeGenerator.h:
+        (JSC::BytecodeGenerator::emitIsJSArray):
+        (JSC::BytecodeGenerator::emitIsProxyObject):
+        (JSC::BytecodeGenerator::emitIsDerivedArray):
+        * dfg/DFGAbstractInterpreterInlines.h:
+        (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
+        * dfg/DFGByteCodeParser.cpp:
+        (JSC::DFG::ByteCodeParser::handleIntrinsicCall):
+        (JSC::DFG::ByteCodeParser::parseBlock):
+        * dfg/DFGCapabilities.cpp:
+        (JSC::DFG::capabilityLevel):
+        * dfg/DFGClobberize.h:
+        (JSC::DFG::clobberize):
+        * dfg/DFGDoesGC.cpp:
+        (JSC::DFG::doesGC):
+        * dfg/DFGFixupPhase.cpp:
+        (JSC::DFG::FixupPhase::fixupNode):
+        (JSC::DFG::FixupPhase::fixupIsCellWithType):
+        * dfg/DFGNode.h:
+        (JSC::DFG::Node::speculatedTypeForQuery):
+        * dfg/DFGNodeType.h:
+        * dfg/DFGPredictionPropagationPhase.cpp:
+        * dfg/DFGSafeToExecute.h:
+        (JSC::DFG::safeToExecute):
+        * dfg/DFGSpeculativeJIT32_64.cpp:
+        (JSC::DFG::SpeculativeJIT::compile):
+        * dfg/DFGSpeculativeJIT64.cpp:
+        (JSC::DFG::SpeculativeJIT::compile):
+        * ftl/FTLCapabilities.cpp:
+        (JSC::FTL::canCompile):
+        * ftl/FTLLowerDFGToB3.cpp:
+        (JSC::FTL::DFG::LowerDFGToB3::compileNode):
+        (JSC::FTL::DFG::LowerDFGToB3::compileIsString): Deleted.
+        * jit/JIT.cpp:
+        (JSC::JIT::privateCompileMainPass):
+        * jit/JIT.h:
+        * jit/JITOpcodes.cpp:
+        (JSC::JIT::emit_op_is_cell_with_type):
+        (JSC::JIT::emitIsCellWithType): Deleted.
+        (JSC::JIT::emit_op_is_string): Deleted.
+        (JSC::JIT::emit_op_is_jsarray): Deleted.
+        (JSC::JIT::emit_op_is_proxy_object): Deleted.
+        (JSC::JIT::emit_op_is_derived_array): Deleted.
+        * jit/JITOpcodes32_64.cpp:
+        (JSC::JIT::emit_op_is_cell_with_type):
+        (JSC::JIT::emitIsCellWithType): Deleted.
+        (JSC::JIT::emit_op_is_string): Deleted.
+        (JSC::JIT::emit_op_is_jsarray): Deleted.
+        (JSC::JIT::emit_op_is_proxy_object): Deleted.
+        (JSC::JIT::emit_op_is_derived_array): Deleted.
+        * llint/LLIntData.cpp:
+        (JSC::LLInt::Data::performAssertions):
+        * llint/LowLevelInterpreter32_64.asm:
+        * llint/LowLevelInterpreter64.asm:
+
 2016-09-18  Yusuke Suzuki  <utatane....@gmail.com>
 
         [JSC] Assert length of LLInt opcodes using isCellWithType is 3

Modified: trunk/Source/JavaScriptCore/bytecode/BytecodeList.json (206097 => 206098)


--- trunk/Source/_javascript_Core/bytecode/BytecodeList.json	2016-09-19 16:01:08 UTC (rev 206097)
+++ trunk/Source/_javascript_Core/bytecode/BytecodeList.json	2016-09-19 17:00:25 UTC (rev 206098)
@@ -55,13 +55,10 @@
             { "name" : "op_is_undefined", "length" : 3 },
             { "name" : "op_is_boolean", "length" : 3 },
             { "name" : "op_is_number", "length" : 3 },
-            { "name" : "op_is_string", "length" : 3 },
-            { "name" : "op_is_jsarray", "length" : 3 },
-            { "name" : "op_is_proxy_object", "length" : 3 },
             { "name" : "op_is_object", "length" : 3 },
             { "name" : "op_is_object_or_null", "length" : 3 },
             { "name" : "op_is_function", "length" : 3 },
-            { "name" : "op_is_derived_array", "length" : 3 },
+            { "name" : "op_is_cell_with_type", "length" : 4 },
             { "name" : "op_in", "length" : 4 },
             { "name" : "op_get_array_length", "length" : 9 },
             { "name" : "op_get_by_id", "length" : 9  },
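
Review bot: op_is_cell_with_type is declared with length 4, while the four opcodes it replaces were length 3 and the previous ChangeLog entry (2016-09-18) added assertions that LLInt opcodes using isCellWithType have length 3. Please confirm that performAssertions in llint/LLIntData.cpp, which the log message lists but whose hunk is not shown here, now asserts 4 for the new opcode and no longer names the removed ones.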

Modified: trunk/Source/JavaScriptCore/bytecode/BytecodeUseDef.h (206097 => 206098)


--- trunk/Source/_javascript_Core/bytecode/BytecodeUseDef.h	2016-09-19 16:01:08 UTC (rev 206097)
+++ trunk/Source/_javascript_Core/bytecode/BytecodeUseDef.h	2016-09-19 17:00:25 UTC (rev 206098)
@@ -163,13 +163,10 @@
     case op_is_undefined:
     case op_is_boolean:
     case op_is_number:
-    case op_is_string:
-    case op_is_jsarray:
-    case op_is_proxy_object:
     case op_is_object:
     case op_is_object_or_null:
+    case op_is_cell_with_type:
     case op_is_function:
-    case op_is_derived_array:
     case op_to_number:
     case op_to_string:
     case op_negate:
@@ -398,13 +395,10 @@
     case op_is_undefined:
     case op_is_boolean:
     case op_is_number:
-    case op_is_string:
-    case op_is_jsarray:
-    case op_is_proxy_object:
     case op_is_object:
     case op_is_object_or_null:
+    case op_is_cell_with_type:
     case op_is_function:
-    case op_is_derived_array:
     case op_in:
     case op_to_number:
     case op_to_string:

Modified: trunk/Source/JavaScriptCore/bytecode/CodeBlock.cpp (206097 => 206098)


--- trunk/Source/_javascript_Core/bytecode/CodeBlock.cpp	2016-09-19 16:01:08 UTC (rev 206097)
+++ trunk/Source/_javascript_Core/bytecode/CodeBlock.cpp	2016-09-19 17:00:25 UTC (rev 206098)
@@ -1102,18 +1102,14 @@
             printUnaryOp(out, exec, location, it, "is_number");
             break;
         }
-        case op_is_string: {
-            printUnaryOp(out, exec, location, it, "is_string");
+        case op_is_cell_with_type: {
+            int r0 = (++it)->u.operand;
+            int r1 = (++it)->u.operand;
+            int type = (++it)->u.operand;
+            printLocationAndOp(out, exec, location, it, "is_cell_with_type");
+            out.printf("%s, %s, %d", registerName(r0).data(), registerName(r1).data(), type);
             break;
         }
-        case op_is_jsarray: {
-            printUnaryOp(out, exec, location, it, "is_jsarray");
-            break;
-        }
-        case op_is_proxy_object: {
-            printUnaryOp(out, exec, location, it, "is_proxy_object");
-            break;
-        }
         case op_is_object: {
             printUnaryOp(out, exec, location, it, "is_object");
             break;
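
Review bot: in the new op_is_cell_with_type case the type operand is dumped as a bare integer ("%s, %s, %d"), so a bytecode dump shows a number that has to be looked up in the JSType enum by hand. Consider printing the type's name alongside or instead of the number, so dumps stay as readable as the is_string / is_jsarray / is_proxy_object names this case replaces.
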
@@ -1126,10 +1122,6 @@
             printUnaryOp(out, exec, location, it, "is_function");
             break;
         }
-        case op_is_derived_array: {
-            printUnaryOp(out, exec, location, it, "is_derived_array");
-            break;
-        }
         case op_in: {
             printBinaryOp(out, exec, location, it, "in");
             break;

Modified: trunk/Source/JavaScriptCore/bytecode/SpeculatedType.cpp (206097 => 206098)


--- trunk/Source/_javascript_Core/bytecode/SpeculatedType.cpp	2016-09-19 16:01:08 UTC (rev 206097)
+++ trunk/Source/_javascript_Core/bytecode/SpeculatedType.cpp	2016-09-19 17:00:25 UTC (rev 206098)
@@ -471,6 +471,25 @@
     return NotTypedArray;
 }
 
+SpeculatedType speculationFromJSType(JSType type)
+{
+    switch (type) {
+    case StringType:
+        return SpecString;
+    case ArrayType:
+        return SpecArray;
+    case DerivedArrayType:
+        return SpecDerivedArray;
+    case RegExpObjectType:
+        return SpecRegExpObject;
+    case ProxyObjectType:
+        return SpecProxyObject;
+    default:
+        ASSERT_NOT_REACHED();
+    }
+    return SpecNone;
+}
+
 SpeculatedType leastUpperBoundOfStrictlyEquivalentSpeculations(SpeculatedType type)
 {
     if (type & (SpecAnyInt | SpecAnyIntAsDouble))
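
Review bot: the default case of speculationFromJSType has only ASSERT_NOT_REACHED(), which compiles away in release builds, so a JSType outside the five listed cases silently yields SpecNone there. Since emitIsCellWithType accepts any JSType and the log message plans to route @isSet and @isMap through this opcode, consider RELEASE_ASSERT_NOT_REACHED() here, or a comment stating that every type passed to is_cell_with_type needs a case in this switch.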

Modified: trunk/Source/JavaScriptCore/bytecode/SpeculatedType.h (206097 => 206098)


--- trunk/Source/_javascript_Core/bytecode/SpeculatedType.h	2016-09-19 16:01:08 UTC (rev 206097)
+++ trunk/Source/_javascript_Core/bytecode/SpeculatedType.h	2016-09-19 17:00:25 UTC (rev 206098)
@@ -452,6 +452,7 @@
 SpeculatedType speculationFromStructure(Structure*);
 SpeculatedType speculationFromCell(JSCell*);
 SpeculatedType speculationFromValue(JSValue);
+SpeculatedType speculationFromJSType(JSType);
 
 SpeculatedType speculationFromTypedArrayType(TypedArrayType); // only valid for typed views.
 TypedArrayType typedArrayTypeFromSpeculation(SpeculatedType);

Modified: trunk/Source/JavaScriptCore/bytecompiler/BytecodeGenerator.cpp (206097 => 206098)


--- trunk/Source/_javascript_Core/bytecompiler/BytecodeGenerator.cpp	2016-09-19 16:01:08 UTC (rev 206097)
+++ trunk/Source/_javascript_Core/bytecompiler/BytecodeGenerator.cpp	2016-09-19 17:00:25 UTC (rev 206098)
@@ -1659,9 +1659,10 @@
             }
             if (value == "string") {
                 rewindUnaryOp();
-                emitOpcode(op_is_string);
+                emitOpcode(op_is_cell_with_type);
                 instructions().append(dst->index());
                 instructions().append(srcIndex);
+                instructions().append(StringType);
                 return dst;
             }
             if (value == "object") {
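
Review bot: the typeof "string" path open-codes the opcode and its three operands instead of going through the emitIsCellWithType helper this patch adds, so the operand layout (dst, src, type) is now written out in two places. If the helper cannot be used because only srcIndex is available here, a short comment pointing at emitIsCellWithType would help keep the two in sync.
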
@@ -4217,6 +4218,14 @@
     return dst;
 }
 
+RegisterID* BytecodeGenerator::emitIsCellWithType(RegisterID* dst, RegisterID* src, JSType type)
+{
+    emitOpcode(op_is_cell_with_type);
+    instructions().append(dst->index());
+    instructions().append(src->index());
+    instructions().append(type);
+    return dst;
+}
 
 RegisterID* BytecodeGenerator::emitIsObject(RegisterID* dst, RegisterID* src)
 {

Modified: trunk/Source/JavaScriptCore/bytecompiler/BytecodeGenerator.h (206097 => 206098)


--- trunk/Source/_javascript_Core/bytecompiler/BytecodeGenerator.h	2016-09-19 16:01:08 UTC (rev 206097)
+++ trunk/Source/_javascript_Core/bytecompiler/BytecodeGenerator.h	2016-09-19 17:00:25 UTC (rev 206098)
@@ -630,12 +630,13 @@
         RegisterID* emitEnumeratorGenericPropertyName(RegisterID* dst, RegisterID* enumerator, RegisterID* index);
         RegisterID* emitToIndexString(RegisterID* dst, RegisterID* index);
 
-        RegisterID* emitIsJSArray(RegisterID* dst, RegisterID* src) { return emitUnaryOp(op_is_jsarray, dst, src); }
-        RegisterID* emitIsProxyObject(RegisterID* dst, RegisterID* src) { return emitUnaryOp(op_is_proxy_object, dst, src); }
+        RegisterID* emitIsCellWithType(RegisterID* dst, RegisterID* src, JSType);
+        RegisterID* emitIsJSArray(RegisterID* dst, RegisterID* src) { return emitIsCellWithType(dst, src, ArrayType); }
+        RegisterID* emitIsProxyObject(RegisterID* dst, RegisterID* src) { return emitIsCellWithType(dst, src, ProxyObjectType); }
         RegisterID* emitIsObject(RegisterID* dst, RegisterID* src);
         RegisterID* emitIsUndefined(RegisterID* dst, RegisterID* src);
         RegisterID* emitIsEmpty(RegisterID* dst, RegisterID* src);
-        RegisterID* emitIsDerivedArray(RegisterID* dst, RegisterID* src) { return emitUnaryOp(op_is_derived_array, dst, src); }
+        RegisterID* emitIsDerivedArray(RegisterID* dst, RegisterID* src) { return emitIsCellWithType(dst, src, DerivedArrayType); }
         void emitRequireObjectCoercible(RegisterID* value, const String& error);
 
         RegisterID* emitIteratorNext(RegisterID* dst, RegisterID* iterator, const ThrowableExpressionData* node);

Modified: trunk/Source/JavaScriptCore/dfg/DFGAbstractInterpreterInlines.h (206097 => 206098)


--- trunk/Source/_javascript_Core/dfg/DFGAbstractInterpreterInlines.h	2016-09-19 16:01:08 UTC (rev 206097)
+++ trunk/Source/_javascript_Core/dfg/DFGAbstractInterpreterInlines.h	2016-09-19 17:00:25 UTC (rev 206098)
@@ -1013,7 +1013,6 @@
     case IsUndefined:
     case IsBoolean:
     case IsNumber:
-    case IsString:
     case IsObject:
     case IsObjectOrNull:
     case IsFunction:
@@ -1038,9 +1037,6 @@
             case IsNumber:
                 setConstant(node, jsBoolean(child.value().isNumber()));
                 break;
-            case IsString:
-                setConstant(node, jsBoolean(isJSString(child.value())));
-                break;
             case IsObject:
                 setConstant(node, jsBoolean(child.value().isObject()));
                 break;
@@ -1148,20 +1144,6 @@
             }
             
             break;
-        case IsString:
-            if (!(child.m_type & ~SpecString)) {
-                setConstant(node, jsBoolean(true));
-                constantWasSet = true;
-                break;
-            }
-            
-            if (!(child.m_type & SpecString)) {
-                setConstant(node, jsBoolean(false));
-                constantWasSet = true;
-                break;
-            }
-            
-            break;
         case IsObject:
             if (!(child.m_type & ~SpecObject)) {
                 setConstant(node, jsBoolean(true));
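
Review bot: this hunk removes the IsString folding on proven type (the !(child.m_type & ~SpecString) and !(child.m_type & SpecString) checks), and the hunk before it removes the constant case that used isJSString, but no change to an IsCellWithType case in executeEffects is visible in this diff. Please confirm that the existing IsCellWithType handling folds to true and to false against speculatedTypeForQuery(), so that typeof checks against "string" do not lose constant folding.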

Modified: trunk/Source/JavaScriptCore/dfg/DFGByteCodeParser.cpp (206097 => 206098)


--- trunk/Source/_javascript_Core/dfg/DFGByteCodeParser.cpp	2016-09-19 16:01:08 UTC (rev 206097)
+++ trunk/Source/_javascript_Core/dfg/DFGByteCodeParser.cpp	2016-09-19 17:00:25 UTC (rev 206098)
@@ -2366,7 +2366,7 @@
         ASSERT(argumentCountIncludingThis == 2);
 
         insertChecks();
-        Node* isRegExpObject = addToGraph(IsCellWithType, OpInfo(RegExpObjectType), OpInfo(SpecRegExpObject), get(virtualRegisterForArgument(1, registerOffset)));
+        Node* isRegExpObject = addToGraph(IsCellWithType, OpInfo(RegExpObjectType), get(virtualRegisterForArgument(1, registerOffset)));
         set(VirtualRegister(resultOperand), isRegExpObject);
         return true;
     }
@@ -3970,24 +3970,13 @@
             NEXT_OPCODE(op_is_number);
         }
 
-        case op_is_string: {
+        case op_is_cell_with_type: {
+            JSType type = static_cast<JSType>(currentInstruction[3].u.operand);
             Node* value = get(VirtualRegister(currentInstruction[2].u.operand));
-            set(VirtualRegister(currentInstruction[1].u.operand), addToGraph(IsString, value));
-            NEXT_OPCODE(op_is_string);
+            set(VirtualRegister(currentInstruction[1].u.operand), addToGraph(IsCellWithType, OpInfo(type), value));
+            NEXT_OPCODE(op_is_cell_with_type);
         }
 
-        case op_is_jsarray: {
-            Node* value = get(VirtualRegister(currentInstruction[2].u.operand));
-            set(VirtualRegister(currentInstruction[1].u.operand), addToGraph(IsCellWithType, OpInfo(ArrayType), OpInfo(SpecArray), value));
-            NEXT_OPCODE(op_is_jsarray);
-        }
-
-        case op_is_proxy_object: {
-            Node* value = get(VirtualRegister(currentInstruction[2].u.operand));
-            set(VirtualRegister(currentInstruction[1].u.operand), addToGraph(IsCellWithType, OpInfo(ProxyObjectType), OpInfo(SpecProxyObject), value));
-            NEXT_OPCODE(op_is_proxy_object);
-        }
-
         case op_is_object: {
             Node* value = get(VirtualRegister(currentInstruction[2].u.operand));
             set(VirtualRegister(currentInstruction[1].u.operand), addToGraph(IsObject, value));
@@ -4006,12 +3995,6 @@
             NEXT_OPCODE(op_is_function);
         }
 
-        case op_is_derived_array: {
-            Node* value = get(VirtualRegister(currentInstruction[2].u.operand));
-            set(VirtualRegister(currentInstruction[1].u.operand), addToGraph(IsCellWithType, OpInfo(DerivedArrayType), OpInfo(SpecDerivedArray), value));
-            NEXT_OPCODE(op_is_derived_array);
-        }
-
         case op_not: {
             Node* value = get(VirtualRegister(currentInstruction[2].u.operand));
             set(VirtualRegister(currentInstruction[1].u.operand), addToGraph(LogicalNot, value));

Modified: trunk/Source/JavaScriptCore/dfg/DFGCapabilities.cpp (206097 => 206098)


--- trunk/Source/_javascript_Core/dfg/DFGCapabilities.cpp	2016-09-19 16:01:08 UTC (rev 206097)
+++ trunk/Source/_javascript_Core/dfg/DFGCapabilities.cpp	2016-09-19 17:00:25 UTC (rev 206098)
@@ -140,13 +140,10 @@
     case op_is_undefined:
     case op_is_boolean:
     case op_is_number:
-    case op_is_string:
-    case op_is_jsarray:
-    case op_is_proxy_object:
     case op_is_object:
     case op_is_object_or_null:
+    case op_is_cell_with_type:
     case op_is_function:
-    case op_is_derived_array:
     case op_not:
     case op_less:
     case op_lesseq:

Modified: trunk/Source/JavaScriptCore/dfg/DFGClobberize.h (206097 => 206098)


--- trunk/Source/_javascript_Core/dfg/DFGClobberize.h	2016-09-19 16:01:08 UTC (rev 206097)
+++ trunk/Source/_javascript_Core/dfg/DFGClobberize.h	2016-09-19 17:00:25 UTC (rev 206098)
@@ -162,7 +162,6 @@
     case IsUndefined:
     case IsBoolean:
     case IsNumber:
-    case IsString:
     case IsObject:
     case IsTypedArrayView:
     case LogicalNot:

Modified: trunk/Source/JavaScriptCore/dfg/DFGDoesGC.cpp (206097 => 206098)


--- trunk/Source/_javascript_Core/dfg/DFGDoesGC.cpp	2016-09-19 16:01:08 UTC (rev 206097)
+++ trunk/Source/_javascript_Core/dfg/DFGDoesGC.cpp	2016-09-19 17:00:25 UTC (rev 206098)
@@ -161,7 +161,6 @@
     case IsUndefined:
     case IsBoolean:
     case IsNumber:
-    case IsString:
     case IsObject:
     case IsObjectOrNull:
     case IsFunction:

Modified: trunk/Source/JavaScriptCore/dfg/DFGFixupPhase.cpp (206097 => 206098)


--- trunk/Source/_javascript_Core/dfg/DFGFixupPhase.cpp	2016-09-19 16:01:08 UTC (rev 206097)
+++ trunk/Source/_javascript_Core/dfg/DFGFixupPhase.cpp	2016-09-19 17:00:25 UTC (rev 206098)
@@ -1397,16 +1397,6 @@
             break;
         }
 
-        case IsString:
-            if (node->child1()->shouldSpeculateString()) {
-                m_insertionSet.insertNode(
-                    m_indexInBlock, SpecNone, Check, node->origin,
-                    Edge(node->child1().node(), StringUse));
-                m_graph.convertToConstant(node, jsBoolean(true));
-                observeUseKindOnNode<StringUse>(node);
-            }
-            break;
-
         case IsObject:
             if (node->child1()->shouldSpeculateObject()) {
                 m_insertionSet.insertNode(
@@ -1767,6 +1757,17 @@
     void fixupIsCellWithType(Node* node)
     {
         switch (node->speculatedTypeForQuery()) {
+        case SpecString:
+            if (node->child1()->shouldSpeculateString()) {
+                m_insertionSet.insertNode(
+                    m_indexInBlock, SpecNone, Check, node->origin,
+                    Edge(node->child1().node(), StringUse));
+                m_graph.convertToConstant(node, jsBoolean(true));
+                observeUseKindOnNode<StringUse>(node);
+                return;
+            }
+            break;
+
         case SpecProxyObject:
             if (node->child1()->shouldSpeculateProxyObject()) {
                 m_insertionSet.insertNode(
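
Review bot: the added SpecString case ends with return after convertToConstant, where the removed IsString case in fixupNode only broke out of the switch. A one-line comment saying why the node must not reach the code after the switch once it has become a constant would help whoever adds the next case (the log message mentions @isSet and @isMap).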

Modified: trunk/Source/JavaScriptCore/dfg/DFGNode.h (206097 => 206098)


--- trunk/Source/_javascript_Core/dfg/DFGNode.h	2016-09-19 16:01:08 UTC (rev 206097)
+++ trunk/Source/_javascript_Core/dfg/DFGNode.h	2016-09-19 17:00:25 UTC (rev 206098)
@@ -1179,7 +1179,7 @@
 
     SpeculatedType speculatedTypeForQuery()
     {
-        return m_opInfo2.as<SpeculatedType>();
+        return speculationFromJSType(queriedType());
     }
     
     bool hasResult()

Modified: trunk/Source/JavaScriptCore/dfg/DFGNodeType.h (206097 => 206098)


--- trunk/Source/_javascript_Core/dfg/DFGNodeType.h	2016-09-19 16:01:08 UTC (rev 206097)
+++ trunk/Source/_javascript_Core/dfg/DFGNodeType.h	2016-09-19 17:00:25 UTC (rev 206098)
@@ -314,7 +314,6 @@
     macro(IsUndefined, NodeResultBoolean) \
     macro(IsBoolean, NodeResultBoolean) \
     macro(IsNumber, NodeResultBoolean) \
-    macro(IsString, NodeResultBoolean) \
     macro(IsObject, NodeResultBoolean) \
     macro(IsObjectOrNull, NodeResultBoolean) \
     macro(IsFunction, NodeResultBoolean) \

Modified: trunk/Source/JavaScriptCore/dfg/DFGPredictionPropagationPhase.cpp (206097 => 206098)


--- trunk/Source/_javascript_Core/dfg/DFGPredictionPropagationPhase.cpp	2016-09-19 16:01:08 UTC (rev 206097)
+++ trunk/Source/_javascript_Core/dfg/DFGPredictionPropagationPhase.cpp	2016-09-19 17:00:25 UTC (rev 206098)
@@ -797,7 +797,6 @@
         case IsUndefined:
         case IsBoolean:
         case IsNumber:
-        case IsString:
         case IsObject:
         case IsObjectOrNull:
         case IsFunction:

Modified: trunk/Source/JavaScriptCore/dfg/DFGSafeToExecute.h (206097 => 206098)


--- trunk/Source/_javascript_Core/dfg/DFGSafeToExecute.h	2016-09-19 16:01:08 UTC (rev 206097)
+++ trunk/Source/_javascript_Core/dfg/DFGSafeToExecute.h	2016-09-19 17:00:25 UTC (rev 206098)
@@ -267,7 +267,6 @@
     case IsUndefined:
     case IsBoolean:
     case IsNumber:
-    case IsString:
     case IsObject:
     case IsObjectOrNull:
     case IsFunction:

Modified: trunk/Source/JavaScriptCore/dfg/DFGSpeculativeJIT32_64.cpp (206097 => 206098)


--- trunk/Source/_javascript_Core/dfg/DFGSpeculativeJIT32_64.cpp	2016-09-19 16:01:08 UTC (rev 206097)
+++ trunk/Source/_javascript_Core/dfg/DFGSpeculativeJIT32_64.cpp	2016-09-19 17:00:25 UTC (rev 206098)
@@ -4640,26 +4640,6 @@
         break;
     }
 
-    case IsString: {
-        JSValueOperand value(this, node->child1());
-        GPRTemporary result(this, Reuse, value, TagWord);
-        
-        JITCompiler::Jump isNotCell = m_jit.branchIfNotCell(value.jsValueRegs());
-        
-        m_jit.compare8(JITCompiler::Equal, 
-            JITCompiler::Address(value.payloadGPR(), JSCell::typeInfoTypeOffset()), 
-            TrustedImm32(StringType), 
-            result.gpr());
-        JITCompiler::Jump done = m_jit.jump();
-        
-        isNotCell.link(&m_jit);
-        m_jit.move(TrustedImm32(0), result.gpr());
-        
-        done.link(&m_jit);
-        booleanResult(result.gpr(), node);
-        break;
-    }
-
     case IsObject: {
         JSValueOperand value(this, node->child1());
         GPRTemporary result(this, Reuse, value, TagWord);

Modified: trunk/Source/JavaScriptCore/dfg/DFGSpeculativeJIT64.cpp (206097 => 206098)


--- trunk/Source/_javascript_Core/dfg/DFGSpeculativeJIT64.cpp	2016-09-19 16:01:08 UTC (rev 206097)
+++ trunk/Source/_javascript_Core/dfg/DFGSpeculativeJIT64.cpp	2016-09-19 17:00:25 UTC (rev 206098)
@@ -4611,27 +4611,6 @@
         break;
     }
         
-    case IsString: {
-        JSValueOperand value(this, node->child1());
-        GPRTemporary result(this, Reuse, value);
-        
-        JITCompiler::Jump isNotCell = m_jit.branchIfNotCell(value.jsValueRegs());
-        
-        m_jit.compare8(JITCompiler::Equal, 
-            JITCompiler::Address(value.gpr(), JSCell::typeInfoTypeOffset()), 
-            TrustedImm32(StringType), 
-            result.gpr());
-        m_jit.or32(TrustedImm32(ValueFalse), result.gpr());
-        JITCompiler::Jump done = m_jit.jump();
-        
-        isNotCell.link(&m_jit);
-        m_jit.move(TrustedImm32(ValueFalse), result.gpr());
-        
-        done.link(&m_jit);
-        jsValueResult(result.gpr(), node, DataFormatJSBoolean);
-        break;
-    }
-
     case MapHash: {
         JSValueOperand input(this, node->child1());
         GPRTemporary temp(this);

Modified: trunk/Source/JavaScriptCore/ftl/FTLCapabilities.cpp (206097 => 206098)


--- trunk/Source/_javascript_Core/ftl/FTLCapabilities.cpp	2016-09-19 16:01:08 UTC (rev 206097)
+++ trunk/Source/_javascript_Core/ftl/FTLCapabilities.cpp	2016-09-19 17:00:25 UTC (rev 206098)
@@ -190,7 +190,6 @@
     case IsUndefined:
     case IsBoolean:
     case IsNumber:
-    case IsString:
     case IsObject:
     case IsObjectOrNull:
     case IsFunction:

Modified: trunk/Source/JavaScriptCore/ftl/FTLLowerDFGToB3.cpp (206097 => 206098)


--- trunk/Source/_javascript_Core/ftl/FTLLowerDFGToB3.cpp	2016-09-19 16:01:08 UTC (rev 206097)
+++ trunk/Source/_javascript_Core/ftl/FTLLowerDFGToB3.cpp	2016-09-19 17:00:25 UTC (rev 206098)
@@ -896,9 +896,6 @@
         case IsNumber:
             compileIsNumber();
             break;
-        case IsString:
-            compileIsString();
-            break;
         case IsCellWithType:
             compileIsCellWithType();
             break;
@@ -6264,25 +6261,6 @@
         setBoolean(isNumber(lowJSValue(m_node->child1()), provenType(m_node->child1())));
     }
     
-    void compileIsString()
-    {
-        LValue value = lowJSValue(m_node->child1());
-        
-        LBasicBlock isCellCase = m_out.newBlock();
-        LBasicBlock continuation = m_out.newBlock();
-        
-        ValueFromBlock notCellResult = m_out.anchor(m_out.booleanFalse);
-        m_out.branch(
-            isCell(value, provenType(m_node->child1())), unsure(isCellCase), unsure(continuation));
-        
-        LBasicBlock lastNext = m_out.appendTo(isCellCase, continuation);
-        ValueFromBlock cellResult = m_out.anchor(isString(value, provenType(m_node->child1())));
-        m_out.jump(continuation);
-        
-        m_out.appendTo(continuation, lastNext);
-        setBoolean(m_out.phi(Int32, notCellResult, cellResult));
-    }
-
     void compileIsCellWithType()
     {
         if (m_node->child1().useKind() == UntypedUse) {

Modified: trunk/Source/JavaScriptCore/jit/JIT.cpp (206097 => 206098)


--- trunk/Source/_javascript_Core/jit/JIT.cpp	2016-09-19 16:01:08 UTC (rev 206097)
+++ trunk/Source/_javascript_Core/jit/JIT.cpp	2016-09-19 17:00:25 UTC (rev 206098)
@@ -268,11 +268,8 @@
         DEFINE_OP(op_is_undefined)
         DEFINE_OP(op_is_boolean)
         DEFINE_OP(op_is_number)
-        DEFINE_OP(op_is_string)
-        DEFINE_OP(op_is_jsarray)
-        DEFINE_OP(op_is_proxy_object)
         DEFINE_OP(op_is_object)
-        DEFINE_OP(op_is_derived_array)
+        DEFINE_OP(op_is_cell_with_type)
         DEFINE_OP(op_jeq_null)
         DEFINE_OP(op_jfalse)
         DEFINE_OP(op_jmp)

Modified: trunk/Source/JavaScriptCore/jit/JIT.h (206097 => 206098)


--- trunk/Source/_javascript_Core/jit/JIT.h	2016-09-19 16:01:08 UTC (rev 206097)
+++ trunk/Source/_javascript_Core/jit/JIT.h	2016-09-19 17:00:25 UTC (rev 206098)
@@ -401,8 +401,6 @@
         int32_t getOperandConstantInt(int src);
         double getOperandConstantDouble(int src);
 
-        void emitIsCellWithType(Instruction*, JSType);
-
 #if USE(JSVALUE32_64)
         bool getOperandConstantInt(int op1, int op2, int& op, int32_t& constant);
 
@@ -516,11 +514,8 @@
         void emit_op_is_undefined(Instruction*);
         void emit_op_is_boolean(Instruction*);
         void emit_op_is_number(Instruction*);
-        void emit_op_is_string(Instruction*);
-        void emit_op_is_jsarray(Instruction*);
-        void emit_op_is_proxy_object(Instruction*);
         void emit_op_is_object(Instruction*);
-        void emit_op_is_derived_array(Instruction*);
+        void emit_op_is_cell_with_type(Instruction*);
         void emit_op_jeq_null(Instruction*);
         void emit_op_jfalse(Instruction*);
         void emit_op_jmp(Instruction*);

Modified: trunk/Source/JavaScriptCore/jit/JITOpcodes.cpp (206097 => 206098)


--- trunk/Source/_javascript_Core/jit/JITOpcodes.cpp	2016-09-19 16:01:08 UTC (rev 206097)
+++ trunk/Source/_javascript_Core/jit/JITOpcodes.cpp	2016-09-19 17:00:25 UTC (rev 206098)
@@ -243,10 +243,11 @@
     emitPutVirtualRegister(dst);
 }
 
-void JIT::emitIsCellWithType(Instruction* currentInstruction, JSType type)
+void JIT::emit_op_is_cell_with_type(Instruction* currentInstruction)
 {
     int dst = currentInstruction[1].u.operand;
     int value = currentInstruction[2].u.operand;
+    int type = currentInstruction[3].u.operand;
 
     emitGetVirtualRegister(value, regT0);
     Jump isNotCell = emitJumpIfNotJSCell(regT0);
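
Review bot: the type operand is read here as a plain int (int type = currentInstruction[3].u.operand;), while DFGByteCodeParser reads the same operand with static_cast<JSType>. Keeping it typed as JSType here and in the JITOpcodes32_64.cpp counterpart would make the readers of operand 3 consistent and keep its meaning visible at the use site.
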
@@ -262,26 +263,6 @@
     emitPutVirtualRegister(dst);
 }
 
-void JIT::emit_op_is_string(Instruction* currentInstruction)
-{
-    emitIsCellWithType(currentInstruction, StringType);
-}
-
-void JIT::emit_op_is_jsarray(Instruction* currentInstruction)
-{
-    emitIsCellWithType(currentInstruction, ArrayType);
-}
-
-void JIT::emit_op_is_proxy_object(Instruction* currentInstruction)
-{
-    emitIsCellWithType(currentInstruction, ProxyObjectType);
-}
-
-void JIT::emit_op_is_derived_array(Instruction* currentInstruction)
-{
-    emitIsCellWithType(currentInstruction, DerivedArrayType);
-}
-
 void JIT::emit_op_is_object(Instruction* currentInstruction)
 {
     int dst = currentInstruction[1].u.operand;

Modified: trunk/Source/_javascript_Core/jit/JITOpcodes32_64.cpp (206097 => 206098)


--- trunk/Source/_javascript_Core/jit/JITOpcodes32_64.cpp	2016-09-19 16:01:08 UTC (rev 206097)
+++ trunk/Source/_javascript_Core/jit/JITOpcodes32_64.cpp	2016-09-19 17:00:25 UTC (rev 206098)
@@ -354,10 +354,11 @@
     emitStoreBool(dst, regT0);
 }
 
-void JIT::emitIsCellWithType(Instruction* currentInstruction, JSType type)
+void JIT::emit_op_is_cell_with_type(Instruction* currentInstruction)
 {
     int dst = currentInstruction[1].u.operand;
     int value = currentInstruction[2].u.operand;
+    int type = currentInstruction[3].u.operand;
 
     emitLoad(value, regT1, regT0);
     Jump isNotCell = branch32(NotEqual, regT1, TrustedImm32(JSValue::CellTag));
@@ -372,26 +373,6 @@
     emitStoreBool(dst, regT0);
 }
 
-void JIT::emit_op_is_string(Instruction* currentInstruction)
-{
-    emitIsCellWithType(currentInstruction, StringType);
-}
-
-void JIT::emit_op_is_jsarray(Instruction* currentInstruction)
-{
-    emitIsCellWithType(currentInstruction, ArrayType);
-}
-
-void JIT::emit_op_is_proxy_object(Instruction* currentInstruction)
-{
-    emitIsCellWithType(currentInstruction, ProxyObjectType);
-}
-
-void JIT::emit_op_is_derived_array(Instruction* currentInstruction)
-{
-    emitIsCellWithType(currentInstruction, DerivedArrayType);
-}
-
 void JIT::emit_op_is_object(Instruction* currentInstruction)
 {
     int dst = currentInstruction[1].u.operand;

Modified: trunk/Source/_javascript_Core/llint/LLIntData.cpp (206097 => 206098)


--- trunk/Source/_javascript_Core/llint/LLIntData.cpp	2016-09-19 16:01:08 UTC (rev 206097)
+++ trunk/Source/_javascript_Core/llint/LLIntData.cpp	2016-09-19 17:00:25 UTC (rev 206098)
@@ -217,11 +217,6 @@
 
     ASSERT(bitwise_cast<uintptr_t>(ShadowChicken::Packet::tailMarker()) == static_cast<uintptr_t>(0x7a11));
 
-    STATIC_ASSERT(OPCODE_LENGTH(op_is_string) == 3);
-    STATIC_ASSERT(OPCODE_LENGTH(op_is_jsarray) == 3);
-    STATIC_ASSERT(OPCODE_LENGTH(op_is_proxy_object) == 3);
-    STATIC_ASSERT(OPCODE_LENGTH(op_is_derived_array) == 3);
-
     // FIXME: make these assertions less horrible.
 #if !ASSERT_DISABLED
     Vector<int> testVector;
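
Review bot: The four STATIC_ASSERT(OPCODE_LENGTH(...) == 3) lines are removed here with no replacement for the new opcode, while the LLInt handlers in this revision hard-code dispatch(4). Adding STATIC_ASSERT(OPCODE_LENGTH(op_is_cell_with_type) == 4); would keep the interpreter's hand-written length tied to BytecodeList.json, so a later operand change fails at compile time instead of mis-stepping the PC.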

Modified: trunk/Source/_javascript_Core/llint/LowLevelInterpreter32_64.asm (206097 => 206098)


--- trunk/Source/_javascript_Core/llint/LowLevelInterpreter32_64.asm	2016-09-19 16:01:08 UTC (rev 206097)
+++ trunk/Source/_javascript_Core/llint/LowLevelInterpreter32_64.asm	2016-09-19 17:00:25 UTC (rev 206098)
@@ -1257,41 +1257,22 @@
     dispatch(3)
 
 
-macro isCellWithType(type)
+_llint_op_is_cell_with_type:
+    traceExecution()
     loadi 8[PC], t1
     loadi 4[PC], t2
     loadConstantOrVariable(t1, t0, t3)
     storei BooleanTag, TagOffset[cfr, t2, 8]
     bineq t0, CellTag, .notCellCase
-    cbeq JSCell::m_type[t3], type, t1
+    loadi 12[PC], t0
+    cbeq JSCell::m_type[t3], t0, t1
     storei t1, PayloadOffset[cfr, t2, 8]
-    dispatch(3)
+    dispatch(4)
 .notCellCase:
     storep 0, PayloadOffset[cfr, t2, 8]
-    dispatch(3)
-end
+    dispatch(4)
 
 
-_llint_op_is_string:
-    traceExecution()
-    isCellWithType(StringType)
-
-
-_llint_op_is_jsarray:
-    traceExecution()
-    isCellWithType(ArrayType)
-
-
-_llint_op_is_proxy_object:
-    traceExecution()
-    isCellWithType(ProxyObjectType)
-
-
-_llint_op_is_derived_array:
-    traceExecution()
-    isCellWithType(DerivedArrayType)
-
-
 _llint_op_is_object:
     traceExecution()
     loadi 8[PC], t1
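
Review bot: The operand layout of _llint_op_is_cell_with_type is only implied by the raw offsets 4[PC], 8[PC], 12[PC] and by dispatch(4); with the isCellWithType(type) macro gone, the name that used to document the third value is gone too. A one-line comment above the label stating the operands (dst, value, type) would make the 12[PC] load and the length of 4 easier to check against the bytecode definition.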

Modified: trunk/Source/_javascript_Core/llint/LowLevelInterpreter64.asm (206097 => 206098)


--- trunk/Source/_javascript_Core/llint/LowLevelInterpreter64.asm	2016-09-19 16:01:08 UTC (rev 206097)
+++ trunk/Source/_javascript_Core/llint/LowLevelInterpreter64.asm	2016-09-19 17:00:25 UTC (rev 206098)
@@ -1146,41 +1146,22 @@
     dispatch(3)
 
 
-macro isCellWithType(type)
+_llint_op_is_cell_with_type:
+    traceExecution()
+    loadisFromInstruction(3, t3)
     loadisFromInstruction(2, t1)
     loadisFromInstruction(1, t2)
     loadConstantOrVariable(t1, t0)
     btqnz t0, tagMask, .notCellCase
-    cbeq JSCell::m_type[t0], type, t1
+    cbeq JSCell::m_type[t0], t3, t1
     orq ValueFalse, t1
     storeq t1, [cfr, t2, 8]
-    dispatch(3)
+    dispatch(4)
 .notCellCase:
     storeq ValueFalse, [cfr, t2, 8]
-    dispatch(3)
-end
+    dispatch(4)
 
 
-_llint_op_is_string:
-    traceExecution()
-    isCellWithType(StringType)
-
-
-_llint_op_is_jsarray:
-    traceExecution()
-    isCellWithType(ArrayType)
-
-
-_llint_op_is_proxy_object:
-    traceExecution()
-    isCellWithType(ProxyObjectType)
-
-
-_llint_op_is_derived_array:
-    traceExecution()
-    isCellWithType(DerivedArrayType)
-
-
 _llint_op_is_object:
     traceExecution()
     loadisFromInstruction(2, t1)
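
Review bot: loadisFromInstruction(3, t3) is issued at the top of _llint_op_is_cell_with_type, before the btqnz cell check, so the .notCellCase path loads a type operand it never uses. The 32_64 handler in this revision loads the type only after its cell check (loadi 12[PC], t0 follows the bineq); moving the load below btqnz t0, tagMask, .notCellCase would match that and keep the two handlers structurally parallel.
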