Diff
Modified: trunk/Source/_javascript_Core/ChangeLog (207165 => 207166)
--- trunk/Source/_javascript_Core/ChangeLog 2016-10-11 21:24:35 UTC (rev 207165)
+++ trunk/Source/_javascript_Core/ChangeLog 2016-10-11 21:33:11 UTC (rev 207166)
@@ -1,3 +1,49 @@
+2016-10-11 Yusuke Suzuki <[email protected]>
+
+ [DOMJIT] DOMJIT::Patchpoint should have a way to receive constant folded arguments
+ https://bugs.webkit.org/show_bug.cgi?id=163224
+
+ Reviewed by Filip Pizlo.
+
+ We use the GetGlobalObject DFG node to retrieve a global object from a DOM node.
+ This global object is necessary to check whether the world is normal before entering
+ the fast path of looking up the DOM wrapper cache.
+ We can sometimes constant-fold this GetGlobalObject. For example, if we performed
+ CheckStructure, the structure can offer the information about the possible result
+ of GetGlobalObject. By using this constant-folded global object, we can drop some
+ checks.
+
+ This patch introduces the way to tell the constant-folded values to DOMJIT::Patchpoint.
+ We pass DOMJIT::Value instead of DOMJIT::Reg as a parameter of DOMJIT::PatchpointParams.
+ This DOMJIT::Value is a pair of DOMJIT::Reg and JSValue. If the given parameter has a
+ constant value, this JSValue is filled with it.
+
+ * _javascript_Core.xcodeproj/project.pbxproj:
+ * dfg/DFGDOMJITPatchpointParams.h:
+ (JSC::DFG::DOMJITPatchpointParams::DOMJITPatchpointParams):
+ * dfg/DFGSpeculativeJIT.cpp:
+ (JSC::DFG::SpeculativeJIT::compileCallDOM):
+ (JSC::DFG::SpeculativeJIT::compileCheckDOM):
+ * domjit/DOMJITPatchpointParams.h:
+ (JSC::DOMJIT::PatchpointParams::at):
+ (JSC::DOMJIT::PatchpointParams::operator[]):
+ (JSC::DOMJIT::PatchpointParams::PatchpointParams):
+ * domjit/DOMJITValue.h: Copied from Source/_javascript_Core/dfg/DFGDOMJITPatchpointParams.h.
+ (JSC::DOMJIT::Value::Value):
+ (JSC::DOMJIT::Value::isGPR):
+ (JSC::DOMJIT::Value::isFPR):
+ (JSC::DOMJIT::Value::isJSValueRegs):
+ (JSC::DOMJIT::Value::gpr):
+ (JSC::DOMJIT::Value::fpr):
+ (JSC::DOMJIT::Value::jsValueRegs):
+ (JSC::DOMJIT::Value::reg):
+ (JSC::DOMJIT::Value::value):
+ * ftl/FTLDOMJITPatchpointParams.h:
+ (JSC::FTL::DOMJITPatchpointParams::DOMJITPatchpointParams):
+ * ftl/FTLLowerDFGToB3.cpp:
+ (JSC::FTL::DFG::LowerDFGToB3::compileCheckDOM):
+ (JSC::FTL::DFG::LowerDFGToB3::compileCallDOM):
+
2016-10-10 Filip Pizlo <[email protected]>
Air should be able to replace constant materializations with adds
Modified: trunk/Source/_javascript_Core/_javascript_Core.xcodeproj/project.pbxproj (207165 => 207166)
--- trunk/Source/_javascript_Core/_javascript_Core.xcodeproj/project.pbxproj 2016-10-11 21:24:35 UTC (rev 207165)
+++ trunk/Source/_javascript_Core/_javascript_Core.xcodeproj/project.pbxproj 2016-10-11 21:33:11 UTC (rev 207166)
@@ -2115,6 +2115,7 @@
E3EF88741B66DF23003F26CB /* JSPropertyNameIterator.cpp in Sources */ = {isa = PBXBuildFile; fileRef = E3EF88721B66DF23003F26CB /* JSPropertyNameIterator.cpp */; };
E3EF88751B66DF23003F26CB /* JSPropertyNameIterator.h in Headers */ = {isa = PBXBuildFile; fileRef = E3EF88731B66DF23003F26CB /* JSPropertyNameIterator.h */; settings = {ATTRIBUTES = (Private, ); }; };
E3FF75331D9CEA1800C7E16D /* DOMJITGetterSetter.h in Headers */ = {isa = PBXBuildFile; fileRef = E3FF752F1D9CEA1200C7E16D /* DOMJITGetterSetter.h */; settings = {ATTRIBUTES = (Private, ); }; };
+ E3FFC8531DAD7D1500DEA53E /* DOMJITValue.h in Headers */ = {isa = PBXBuildFile; fileRef = E3FFC8521DAD7D1000DEA53E /* DOMJITValue.h */; settings = {ATTRIBUTES = (Private, ); }; };
E49DC16B12EF293E00184A1F /* SourceProviderCache.cpp in Sources */ = {isa = PBXBuildFile; fileRef = E49DC15512EF277200184A1F /* SourceProviderCache.cpp */; };
E49DC16C12EF294E00184A1F /* SourceProviderCache.h in Headers */ = {isa = PBXBuildFile; fileRef = E49DC15112EF272200184A1F /* SourceProviderCache.h */; settings = {ATTRIBUTES = (Private, ); }; };
E49DC16D12EF295300184A1F /* SourceProviderCacheItem.h in Headers */ = {isa = PBXBuildFile; fileRef = E49DC14912EF261A00184A1F /* SourceProviderCacheItem.h */; settings = {ATTRIBUTES = (Private, ); }; };
@@ -4424,6 +4425,7 @@
E3EF88721B66DF23003F26CB /* JSPropertyNameIterator.cpp */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.cpp.cpp; path = JSPropertyNameIterator.cpp; sourceTree = "<group>"; };
E3EF88731B66DF23003F26CB /* JSPropertyNameIterator.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = JSPropertyNameIterator.h; sourceTree = "<group>"; };
E3FF752F1D9CEA1200C7E16D /* DOMJITGetterSetter.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = DOMJITGetterSetter.h; sourceTree = "<group>"; };
+ E3FFC8521DAD7D1000DEA53E /* DOMJITValue.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = DOMJITValue.h; sourceTree = "<group>"; };
E49DC14912EF261A00184A1F /* SourceProviderCacheItem.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = SourceProviderCacheItem.h; sourceTree = "<group>"; };
E49DC15112EF272200184A1F /* SourceProviderCache.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = SourceProviderCache.h; sourceTree = "<group>"; };
E49DC15512EF277200184A1F /* SourceProviderCache.cpp */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.cpp.cpp; path = SourceProviderCache.cpp; sourceTree = "<group>"; };
@@ -7198,6 +7200,7 @@
E37AD83A1DA4928000F3D412 /* DOMJITPatchpointParams.h */,
E37AD83B1DA4928000F3D412 /* DOMJITReg.h */,
E3CB1E241DA7540A00FA1E56 /* DOMJITSlowPathCalls.h */,
+ E3FFC8521DAD7D1000DEA53E /* DOMJITValue.h */,
);
path = domjit;
sourceTree = "<group>";
@@ -7512,6 +7515,7 @@
0FFFC95814EF90A200C72532 /* DFGCFAPhase.h in Headers */,
0F338DFE1BED51270013C88F /* AirSimplifyCFG.h in Headers */,
0F3B3A281544C997003ED0FF /* DFGCFGSimplificationPhase.h in Headers */,
+ E3FFC8531DAD7D1500DEA53E /* DOMJITValue.h in Headers */,
0F9D36951AE9CC33000D4DFB /* DFGCleanUpPhase.h in Headers */,
A77A424017A0BBFD00A8DB81 /* DFGClobberize.h in Headers */,
0F37308D1C0BD29100052BFA /* B3PhiChildren.h in Headers */,
Modified: trunk/Source/_javascript_Core/dfg/DFGDOMJITPatchpointParams.h (207165 => 207166)
--- trunk/Source/_javascript_Core/dfg/DFGDOMJITPatchpointParams.h 2016-10-11 21:24:35 UTC (rev 207165)
+++ trunk/Source/_javascript_Core/dfg/DFGDOMJITPatchpointParams.h 2016-10-11 21:33:11 UTC (rev 207166)
@@ -35,7 +35,7 @@
class DOMJITPatchpointParams : public DOMJIT::PatchpointParams {
public:
- DOMJITPatchpointParams(SpeculativeJIT* jit, Vector<DOMJIT::Reg>&& regs, Vector<GPRReg>&& gpScratch, Vector<FPRReg>&& fpScratch)
+ DOMJITPatchpointParams(SpeculativeJIT* jit, Vector<DOMJIT::Value>&& regs, Vector<GPRReg>&& gpScratch, Vector<FPRReg>&& fpScratch)
: DOMJIT::PatchpointParams(WTFMove(regs), WTFMove(gpScratch), WTFMove(fpScratch))
, m_jit(jit)
{
Modified: trunk/Source/_javascript_Core/dfg/DFGSpeculativeJIT.cpp (207165 => 207166)
--- trunk/Source/_javascript_Core/dfg/DFGSpeculativeJIT.cpp 2016-10-11 21:24:35 UTC (rev 207165)
+++ trunk/Source/_javascript_Core/dfg/DFGSpeculativeJIT.cpp 2016-10-11 21:33:11 UTC (rev 207166)
@@ -7134,7 +7134,7 @@
Vector<GPRReg> gpScratch;
Vector<FPRReg> fpScratch;
- Vector<DOMJIT::Reg> regs;
+ Vector<DOMJIT::Value> regs;
// FIXME: patchpoint should have a way to tell this can reuse "base" register.
// Teaching DFG about DOMJIT::Patchpoint clobber information is nice.
@@ -7143,8 +7143,8 @@
JSValueRegsTemporary result(this);
regs.append(result.regs());
- regs.append(globalObject.gpr());
- regs.append(base.gpr());
+ regs.append(DOMJIT::Value(globalObject.gpr(), m_state.forNode(m_jit.graph().varArgChild(node, 0)).value()));
+ regs.append(DOMJIT::Value(base.gpr(), m_state.forNode(m_jit.graph().varArgChild(node, 1)).value()));
#if USE(JSVALUE64)
regs.append(static_cast<GPRReg>(GPRInfo::tagMaskRegister));
regs.append(static_cast<GPRReg>(GPRInfo::tagTypeNumberRegister));
@@ -7165,11 +7165,11 @@
Vector<GPRReg> gpScratch;
Vector<FPRReg> fpScratch;
- Vector<DOMJIT::Reg> regs;
+ Vector<DOMJIT::Value> regs;
SpeculateCellOperand base(this, node->child1());
GPRReg baseGPR = base.gpr();
- regs.append(baseGPR);
+ regs.append(DOMJIT::Value(baseGPR, m_state.forNode(node->child1()).value()));
Vector<GPRTemporary> gpTempraries;
Vector<FPRTemporary> fpTempraries;
Modified: trunk/Source/_javascript_Core/domjit/DOMJITPatchpointParams.h (207165 => 207166)
--- trunk/Source/_javascript_Core/domjit/DOMJITPatchpointParams.h 2016-10-11 21:24:35 UTC (rev 207165)
+++ trunk/Source/_javascript_Core/domjit/DOMJITPatchpointParams.h 2016-10-11 21:33:11 UTC (rev 207166)
@@ -28,8 +28,8 @@
#if ENABLE(JIT)
#include "CCallHelpers.h"
-#include "DOMJITReg.h"
#include "DOMJITSlowPathCalls.h"
+#include "DOMJITValue.h"
#include "JITOperations.h"
#include "RegisterSet.h"
@@ -41,13 +41,13 @@
virtual ~PatchpointParams() { }
unsigned size() const { return m_regs.size(); }
- const Reg& at(unsigned index) const { return m_regs[index]; }
- const Reg& operator[](unsigned index) const { return at(index); }
+ const Value& at(unsigned index) const { return m_regs[index]; }
+ const Value& operator[](unsigned index) const { return at(index); }
GPRReg gpScratch(unsigned index) const { return m_gpScratch[index]; }
FPRReg fpScratch(unsigned index) const { return m_fpScratch[index]; }
- PatchpointParams(Vector<Reg>&& regs, Vector<GPRReg>&& gpScratch, Vector<FPRReg>&& fpScratch)
+ PatchpointParams(Vector<Value>&& regs, Vector<GPRReg>&& gpScratch, Vector<FPRReg>&& fpScratch)
: m_regs(WTFMove(regs))
, m_gpScratch(WTFMove(gpScratch))
, m_fpScratch(WTFMove(fpScratch))
@@ -65,7 +65,7 @@
DOMJIT_SLOW_PATH_CALLS(JSC_DEFINE_CALL_OPERATIONS)
#undef JSC_DEFINE_CALL_OPERATIONS
- Vector<Reg> m_regs;
+ Vector<Value> m_regs;
Vector<GPRReg> m_gpScratch;
Vector<FPRReg> m_fpScratch;
};
Copied: trunk/Source/_javascript_Core/domjit/DOMJITValue.h (from rev 207165, trunk/Source/_javascript_Core/dfg/DFGDOMJITPatchpointParams.h) (0 => 207166)
--- trunk/Source/_javascript_Core/domjit/DOMJITValue.h (rev 0)
+++ trunk/Source/_javascript_Core/domjit/DOMJITValue.h 2016-10-11 21:33:11 UTC (rev 207166)
@@ -0,0 +1,71 @@
+/*
+ * Copyright (C) 2016 Apple Inc. All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY APPLE INC. ``AS IS'' AND ANY
+ * EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL APPLE INC. OR
+ * CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL,
+ * EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
+ * PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
+ * PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY
+ * OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+ * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+#pragma once
+
+#include "DOMJITReg.h"
+
+#if ENABLE(JIT)
+
+namespace JSC { namespace DOMJIT {
+
+class Value {
+public:
+ Value(Reg reg)
+ : m_reg(reg)
+ {
+ }
+
+ Value(Reg reg, JSValue value)
+ : m_reg(reg)
+ , m_value(value)
+ {
+ }
+
+ bool isGPR() const { return m_reg.isGPR(); }
+ bool isFPR() const { return m_reg.isFPR(); }
+ bool isJSValueRegs() const { return m_reg.isJSValueRegs(); }
+ GPRReg gpr() const { return m_reg.gpr(); }
+ FPRReg fpr() const { return m_reg.fpr(); }
+ JSValueRegs jsValueRegs() const { return m_reg.jsValueRegs(); }
+
+ Reg reg() const
+ {
+ return m_reg;
+ }
+
+ JSValue value() const
+ {
+ return m_value;
+ }
+
+private:
+ Reg m_reg;
+ JSValue m_value;
+};
+
+} }
+
+#endif
Modified: trunk/Source/_javascript_Core/ftl/FTLDOMJITPatchpointParams.h (207165 => 207166)
--- trunk/Source/_javascript_Core/ftl/FTLDOMJITPatchpointParams.h 2016-10-11 21:24:35 UTC (rev 207165)
+++ trunk/Source/_javascript_Core/ftl/FTLDOMJITPatchpointParams.h 2016-10-11 21:33:11 UTC (rev 207166)
@@ -36,7 +36,7 @@
class DOMJITPatchpointParams : public DOMJIT::PatchpointParams {
public:
- DOMJITPatchpointParams(State& state, const B3::StackmapGenerationParams& params, DFG::Node* node, Box<CCallHelpers::JumpList> exceptions, Vector<DOMJIT::Reg>&& regs, Vector<GPRReg>&& gpScratch, Vector<FPRReg>&& fpScratch)
+ DOMJITPatchpointParams(State& state, const B3::StackmapGenerationParams& params, DFG::Node* node, Box<CCallHelpers::JumpList> exceptions, Vector<DOMJIT::Value>&& regs, Vector<GPRReg>&& gpScratch, Vector<FPRReg>&& fpScratch)
: DOMJIT::PatchpointParams(WTFMove(regs), WTFMove(gpScratch), WTFMove(fpScratch))
, m_state(state)
, m_params(params)
Modified: trunk/Source/_javascript_Core/ftl/FTLLowerDFGToB3.cpp (207165 => 207166)
--- trunk/Source/_javascript_Core/ftl/FTLLowerDFGToB3.cpp 2016-10-11 21:24:35 UTC (rev 207165)
+++ trunk/Source/_javascript_Core/ftl/FTLLowerDFGToB3.cpp 2016-10-11 21:33:11 UTC (rev 207166)
@@ -8739,14 +8739,15 @@
unsigned osrExitArgumentOffset = patchpoint->numChildren();
OSRExitDescriptor* exitDescriptor = appendOSRExitDescriptor(jsValueValue(cell), m_node->child1().node());
patchpoint->appendColdAnys(buildExitArguments(exitDescriptor, origin.forExit, jsValueValue(cell)));
+ JSValue child1Constant = m_state.forNode(m_node->child1()).value();
patchpoint->setGenerator(
[=] (CCallHelpers& jit, const StackmapGenerationParams& params) {
Vector<GPRReg> gpScratch;
Vector<FPRReg> fpScratch;
- Vector<DOMJIT::Reg> regs;
+ Vector<DOMJIT::Value> regs;
- regs.append(params[0].gpr());
+ regs.append(DOMJIT::Value(params[0].gpr(), child1Constant));
for (unsigned i = 0; i < domJIT->numGPScratchRegisters; ++i)
gpScratch.append(params.gpScratch(i));
@@ -8785,6 +8786,8 @@
State* state = &m_ftlState;
Node* node = m_node;
+ JSValue child1Constant = m_state.forNode(m_graph.varArgChild(m_node, 0)).value();
+ JSValue child2Constant = m_state.forNode(m_graph.varArgChild(m_node, 1)).value();
patchpoint->setGenerator(
[=] (CCallHelpers& jit, const StackmapGenerationParams& params) {
AllowMacroScratchRegisterUsage allowScratch(jit);
@@ -8791,13 +8794,13 @@
Vector<GPRReg> gpScratch;
Vector<FPRReg> fpScratch;
- Vector<DOMJIT::Reg> regs;
+ Vector<DOMJIT::Value> regs;
// FIXME: patchpoint should have a way to tell this can reuse "base" register.
// Teaching DFG about DOMJIT::Patchpoint clobber information is nice.
regs.append(JSValueRegs(params[0].gpr()));
- regs.append(params[1].gpr());
- regs.append(params[2].gpr());
+ regs.append(DOMJIT::Value(params[1].gpr(), child1Constant));
+ regs.append(DOMJIT::Value(params[2].gpr(), child2Constant));
for (unsigned i = 0; i < domJIT->numGPScratchRegisters; ++i)
gpScratch.append(params.gpScratch(i));
Modified: trunk/Source/WebCore/ChangeLog (207165 => 207166)
--- trunk/Source/WebCore/ChangeLog 2016-10-11 21:24:35 UTC (rev 207165)
+++ trunk/Source/WebCore/ChangeLog 2016-10-11 21:33:11 UTC (rev 207166)
@@ -1,3 +1,15 @@
+2016-10-11 Yusuke Suzuki <[email protected]>
+
+ [DOMJIT] DOMJIT::Patchpoint should have a way to receive constant folded arguments
+ https://bugs.webkit.org/show_bug.cgi?id=163224
+
+ Reviewed by Filip Pizlo.
+
+ * domjit/DOMJITHelpers.h:
+ (WebCore::DOMJITHelpers::toWrapper):
+ * domjit/JSNodeDOMJIT.cpp:
+ (WebCore::createCallDOMForOffsetAccess):
+
2016-10-11 Alex Christensen <[email protected]>
Enable URLParser by default
Modified: trunk/Source/WebCore/domjit/DOMJITHelpers.h (207165 => 207166)
--- trunk/Source/WebCore/domjit/DOMJITHelpers.h 2016-10-11 21:24:35 UTC (rev 207165)
+++ trunk/Source/WebCore/domjit/DOMJITHelpers.h 2016-10-11 21:33:11 UTC (rev 207166)
@@ -59,13 +59,22 @@
}
template<typename WrappedType, typename ToJSFunction>
-void toWrapper(CCallHelpers& jit, const JSC::DOMJIT::PatchpointParams& params, GPRReg wrapped, GPRReg globalObject, JSValueRegs result, ToJSFunction function)
+void toWrapper(CCallHelpers& jit, const JSC::DOMJIT::PatchpointParams& params, GPRReg wrapped, GPRReg globalObject, JSValueRegs result, ToJSFunction function, JSC::JSValue globalObjectConstant)
{
ASSERT(wrapped != result.payloadGPR());
ASSERT(globalObject != result.payloadGPR());
GPRReg payloadGPR = result.payloadGPR();
CCallHelpers::JumpList slowCases;
- slowCases.append(branchIfNotWorldIsNormal(jit, globalObject));
+
+ if (globalObjectConstant) {
+ if (!JSC::jsCast<JSDOMGlobalObject*>(globalObjectConstant)->worldIsNormal()) {
+ slowCases.append(jit.jump());
+ params.addSlowPathCall(slowCases, jit, function, result, globalObject, wrapped);
+ return;
+ }
+ } else
+ slowCases.append(branchIfNotWorldIsNormal(jit, globalObject));
+
tryLookUpWrapperCache<WrappedType>(jit, slowCases, wrapped, payloadGPR);
jit.boxCell(payloadGPR, result);
params.addSlowPathCall(slowCases, jit, function, result, globalObject, wrapped);
Modified: trunk/Source/WebCore/domjit/JSNodeDOMJIT.cpp (207165 => 207166)
--- trunk/Source/WebCore/domjit/JSNodeDOMJIT.cpp 2016-10-11 21:24:35 UTC (rev 207165)
+++ trunk/Source/WebCore/domjit/JSNodeDOMJIT.cpp 2016-10-11 21:33:11 UTC (rev 207166)
@@ -70,7 +70,7 @@
jit.loadPtr(CCallHelpers::Address(scratch, offset), scratch);
nullCases.append(jit.branchTestPtr(CCallHelpers::Zero, scratch));
- DOMJITHelpers::toWrapper<WrappedNode>(jit, params, scratch, globalObject, result, toWrapperSlow<WrappedNode>);
+ DOMJITHelpers::toWrapper<WrappedNode>(jit, params, scratch, globalObject, result, toWrapperSlow<WrappedNode>, params[1].value());
CCallHelpers::Jump done = jit.jump();
nullCases.link(&jit);
