Diff
Modified: trunk/Source/_javascript_Core/ChangeLog (155165 => 155166)
--- trunk/Source/_javascript_Core/ChangeLog 2013-09-06 00:55:42 UTC (rev 155165)
+++ trunk/Source/_javascript_Core/ChangeLog 2013-09-06 01:08:48 UTC (rev 155166)
@@ -23,46 +23,6 @@
(JSC::CodeBlock::printLocationAndOp):
(JSC::CodeBlock::printLocationOpAndRegisterOperand):
-2013-09-05 Filip Pizlo <[email protected]>
-
- REGRESSION(149636, merged in 153145): ToThis conversion doesn't work in the DFG
- https://bugs.webkit.org/show_bug.cgi?id=120781
-
- Reviewed by Mark Hahnenberg.
-
- - Use some method table hacks to detect if the CheckStructure optimization is
- valid for to_this.
-
- - Introduce a FinalObjectUse and use it for ToThis->Identity conversion.
-
- This looks like it might be perf-neutral on the major benchmarks, but it
- introduces some horrible performance cliffs. For example if you add methods to
- the Array prototype, you'll get horrible performance cliffs. As in virtual calls
- to C++ every time you call a JS function even if it's inlined.
- LongSpider/3d-cube appears to hit this.
-
- * dfg/DFGAbstractInterpreterInlines.h:
- (JSC::DFG::::executeEffects):
- * dfg/DFGByteCodeParser.cpp:
- (JSC::DFG::ByteCodeParser::parseBlock):
- * dfg/DFGFixupPhase.cpp:
- (JSC::DFG::FixupPhase::fixupNode):
- * dfg/DFGSafeToExecute.h:
- (JSC::DFG::SafeToExecuteEdge::operator()):
- * dfg/DFGSpeculativeJIT.cpp:
- (JSC::DFG::SpeculativeJIT::speculateFinalObject):
- (JSC::DFG::SpeculativeJIT::speculate):
- * dfg/DFGSpeculativeJIT.h:
- * dfg/DFGSpeculativeJIT32_64.cpp:
- (JSC::DFG::SpeculativeJIT::compile):
- * dfg/DFGSpeculativeJIT64.cpp:
- (JSC::DFG::SpeculativeJIT::compile):
- * dfg/DFGUseKind.cpp:
- (WTF::printInternal):
- * dfg/DFGUseKind.h:
- (JSC::DFG::typeFilterFor):
- (JSC::DFG::isCell):
-
2013-09-05 Anders Carlsson <[email protected]>
GCAssertions.h should use STL type traits and static_assert
Modified: trunk/Source/_javascript_Core/dfg/DFGAbstractInterpreterInlines.h (155165 => 155166)
--- trunk/Source/_javascript_Core/dfg/DFGAbstractInterpreterInlines.h 2013-09-06 00:55:42 UTC (rev 155165)
+++ trunk/Source/_javascript_Core/dfg/DFGAbstractInterpreterInlines.h 2013-09-06 01:08:48 UTC (rev 155166)
@@ -1086,7 +1086,7 @@
AbstractValue& destination = forNode(node);
destination = source;
- destination.merge(SpecObject);
+ destination.merge(SpecObjectOther);
break;
}
Modified: trunk/Source/_javascript_Core/dfg/DFGByteCodeParser.cpp (155165 => 155166)
--- trunk/Source/_javascript_Core/dfg/DFGByteCodeParser.cpp 2013-09-06 00:55:42 UTC (rev 155165)
+++ trunk/Source/_javascript_Core/dfg/DFGByteCodeParser.cpp 2013-09-06 01:08:48 UTC (rev 155166)
@@ -1902,8 +1902,7 @@
if (profile->m_singletonValueIsTop
|| !profile->m_singletonValue
|| !profile->m_singletonValue.isCell()
- || profile->m_singletonValue.asCell()->classInfo() != Structure::info()
- || static_cast<Structure*>(profile->m_singletonValue.asCell())->classInfo()->methodTable.toThis != JSObject::info()->methodTable.toThis)
+ || profile->m_singletonValue.asCell()->classInfo() != Structure::info())
setThis(addToGraph(ToThis, op1));
else {
addToGraph(
Modified: trunk/Source/_javascript_Core/dfg/DFGFixupPhase.cpp (155165 => 155166)
--- trunk/Source/_javascript_Core/dfg/DFGFixupPhase.cpp 2013-09-06 00:55:42 UTC (rev 155165)
+++ trunk/Source/_javascript_Core/dfg/DFGFixupPhase.cpp 2013-09-06 01:08:48 UTC (rev 155166)
@@ -706,7 +706,7 @@
}
if (isFinalObjectSpeculation(node->child1()->prediction())) {
- setUseKindAndUnboxIfProfitable<FinalObjectUse>(node->child1());
+ setUseKindAndUnboxIfProfitable<ObjectUse>(node->child1());
node->convertToIdentity();
break;
}
Modified: trunk/Source/_javascript_Core/dfg/DFGSafeToExecute.h (155165 => 155166)
--- trunk/Source/_javascript_Core/dfg/DFGSafeToExecute.h 2013-09-06 00:55:42 UTC (rev 155165)
+++ trunk/Source/_javascript_Core/dfg/DFGSafeToExecute.h 2013-09-06 01:08:48 UTC (rev 155166)
@@ -53,7 +53,6 @@
case BooleanUse:
case CellUse:
case ObjectUse:
- case FinalObjectUse:
case ObjectOrOtherUse:
case StringIdentUse:
case StringUse:
Modified: trunk/Source/_javascript_Core/dfg/DFGSpeculativeJIT.cpp (155165 => 155166)
--- trunk/Source/_javascript_Core/dfg/DFGSpeculativeJIT.cpp 2013-09-06 00:55:42 UTC (rev 155165)
+++ trunk/Source/_javascript_Core/dfg/DFGSpeculativeJIT.cpp 2013-09-06 01:08:48 UTC (rev 155166)
@@ -4612,23 +4612,6 @@
MacroAssembler::TrustedImmPtr(m_jit.vm()->stringStructure.get())));
}
-void SpeculativeJIT::speculateFinalObject(Edge edge)
-{
- if (!needsTypeCheck(edge, SpecFinalObject))
- return;
-
- SpeculateCellOperand operand(this, edge);
- GPRTemporary structure(this);
- GPRReg gpr = operand.gpr();
- GPRReg structureGPR = structure.gpr();
- m_jit.loadPtr(MacroAssembler::Address(gpr, JSCell::structureOffset()), structureGPR);
- DFG_TYPE_CHECK(
- JSValueSource::unboxedCell(gpr), edge, SpecFinalObject, m_jit.branch8(
- MacroAssembler::NotEqual,
- MacroAssembler::Address(structureGPR, Structure::typeInfoTypeOffset()),
- TrustedImm32(FinalObjectType)));
-}
-
void SpeculativeJIT::speculateObjectOrOther(Edge edge)
{
if (!needsTypeCheck(edge, SpecObject | SpecOther))
@@ -4865,9 +4848,6 @@
case ObjectUse:
speculateObject(edge);
break;
- case FinalObjectUse:
- speculateFinalObject(edge);
- break;
case ObjectOrOtherUse:
speculateObjectOrOther(edge);
break;
Modified: trunk/Source/_javascript_Core/dfg/DFGSpeculativeJIT.h (155165 => 155166)
--- trunk/Source/_javascript_Core/dfg/DFGSpeculativeJIT.h 2013-09-06 00:55:42 UTC (rev 155165)
+++ trunk/Source/_javascript_Core/dfg/DFGSpeculativeJIT.h 2013-09-06 01:08:48 UTC (rev 155166)
@@ -2118,7 +2118,6 @@
void speculateBoolean(Edge);
void speculateCell(Edge);
void speculateObject(Edge);
- void speculateFinalObject(Edge);
void speculateObjectOrOther(Edge);
void speculateString(Edge edge, GPRReg cell);
void speculateStringIdentAndLoadStorage(Edge edge, GPRReg string, GPRReg storage);
Modified: trunk/Source/_javascript_Core/dfg/DFGSpeculativeJIT32_64.cpp (155165 => 155166)
--- trunk/Source/_javascript_Core/dfg/DFGSpeculativeJIT32_64.cpp 2013-09-06 00:55:42 UTC (rev 155165)
+++ trunk/Source/_javascript_Core/dfg/DFGSpeculativeJIT32_64.cpp 2013-09-06 01:08:48 UTC (rev 155166)
@@ -3649,26 +3649,18 @@
case ToThis: {
ASSERT(node->child1().useKind() == UntypedUse);
+
JSValueOperand thisValue(this, node->child1());
- GPRTemporary temp(this);
- GPRReg thisValuePayloadGPR = thisValue.payloadGPR();
GPRReg thisValueTagGPR = thisValue.tagGPR();
- GPRReg tempGPR = temp.gpr();
+ GPRReg thisValuePayloadGPR = thisValue.payloadGPR();
- MacroAssembler::JumpList slowCases;
- slowCases.append(m_jit.branch32(
- MacroAssembler::NotEqual, thisValueTagGPR, TrustedImm32(JSValue::CellTag)));
- m_jit.loadPtr(
- MacroAssembler::Address(thisValuePayloadGPR, JSCell::structureOffset()), tempGPR);
- slowCases.append(m_jit.branch8(
- MacroAssembler::NotEqual,
- MacroAssembler::Address(tempGPR, Structure::typeInfoTypeOffset()),
- TrustedImm32(FinalObjectType)));
- m_jit.move(thisValuePayloadGPR, tempGPR);
- addSlowPathGenerator(
- slowPathCall(slowCases, this, operationToThis, tempGPR, thisValueTagGPR, thisValuePayloadGPR));
-
- cellResult(tempGPR, node);
+ flushRegisters();
+
+ GPRResult2 resultTag(this);
+ GPRResult resultPayload(this);
+ callOperation(operationToThis, resultTag.gpr(), resultPayload.gpr(), thisValueTagGPR, thisValuePayloadGPR);
+
+ cellResult(resultPayload.gpr(), node);
break;
}
Modified: trunk/Source/_javascript_Core/dfg/DFGSpeculativeJIT64.cpp (155165 => 155166)
--- trunk/Source/_javascript_Core/dfg/DFGSpeculativeJIT64.cpp 2013-09-06 00:55:42 UTC (rev 155165)
+++ trunk/Source/_javascript_Core/dfg/DFGSpeculativeJIT64.cpp 2013-09-06 01:08:48 UTC (rev 155166)
@@ -3570,24 +3570,14 @@
case ToThis: {
ASSERT(node->child1().useKind() == UntypedUse);
JSValueOperand thisValue(this, node->child1());
- GPRTemporary temp(this);
GPRReg thisValueGPR = thisValue.gpr();
- GPRReg tempGPR = temp.gpr();
- MacroAssembler::JumpList slowCases;
- slowCases.append(m_jit.branchTest64(
- MacroAssembler::NonZero, thisValueGPR, GPRInfo::tagMaskRegister));
- m_jit.loadPtr(
- MacroAssembler::Address(thisValueGPR, JSCell::structureOffset()), tempGPR);
- slowCases.append(m_jit.branch8(
- MacroAssembler::NotEqual,
- MacroAssembler::Address(tempGPR, Structure::typeInfoTypeOffset()),
- TrustedImm32(FinalObjectType)));
- m_jit.move(thisValueGPR, tempGPR);
- addSlowPathGenerator(
- slowPathCall(slowCases, this, operationToThis, tempGPR, thisValueGPR));
+ flushRegisters();
+
+ GPRResult result(this);
+ callOperation(operationToThis, result.gpr(), thisValueGPR);
- cellResult(tempGPR, node);
+ cellResult(result.gpr(), node);
break;
}
Modified: trunk/Source/_javascript_Core/dfg/DFGUseKind.cpp (155165 => 155166)
--- trunk/Source/_javascript_Core/dfg/DFGUseKind.cpp 2013-09-06 00:55:42 UTC (rev 155165)
+++ trunk/Source/_javascript_Core/dfg/DFGUseKind.cpp 2013-09-06 01:08:48 UTC (rev 155166)
@@ -65,9 +65,6 @@
case ObjectUse:
out.print("Object");
break;
- case FinalObjectUse:
- out.print("FinalObject");
- break;
case ObjectOrOtherUse:
out.print("ObjectOrOther");
break;
Modified: trunk/Source/_javascript_Core/dfg/DFGUseKind.h (155165 => 155166)
--- trunk/Source/_javascript_Core/dfg/DFGUseKind.h 2013-09-06 00:55:42 UTC (rev 155165)
+++ trunk/Source/_javascript_Core/dfg/DFGUseKind.h 2013-09-06 01:08:48 UTC (rev 155166)
@@ -46,7 +46,6 @@
CellUse,
KnownCellUse,
ObjectUse,
- FinalObjectUse,
ObjectOrOtherUse,
StringIdentUse,
StringUse,
@@ -78,8 +77,6 @@
return SpecCell;
case ObjectUse:
return SpecObject;
- case FinalObjectUse:
- return SpecFinalObject;
case ObjectOrOtherUse:
return SpecObject | SpecOther;
case StringIdentUse:
@@ -153,7 +150,6 @@
case CellUse:
case KnownCellUse:
case ObjectUse:
- case FinalObjectUse:
case StringIdentUse:
case StringUse:
case KnownStringUse:
