DFG should inline new typedArray()
https://bugs.webkit.org/show_bug.cgi?id=120022
Source/JavaScriptCore:
Reviewed by Oliver Hunt.
Adds inlining of typed array allocations in the DFG. Any operation of the
form:
new foo(blah)
or:
foo(blah)
where 'foo' is a typed array constructor and 'blah' is exactly one argument,
is turned into the NewTypedArray intrinsic. Later, of child1 (i.e. 'blah')
is predicted integer, we generate inline code for an allocation. Otherwise
it turns into a call to an operation that behaves like the constructor would
if it was passed one argument (i.e. it may wrap a buffer or it may create a
copy or another array, or it may allocate an array of that length).
- bytecode/SpeculatedType.cpp:
(JSC::speculationFromTypedArrayType):
(JSC::speculationFromClassInfo):
- bytecode/SpeculatedType.h:
- dfg/DFGAbstractInterpreterInlines.h:
(JSC::DFG::::executeEffects):
- dfg/DFGBackwardsPropagationPhase.cpp:
(JSC::DFG::BackwardsPropagationPhase::propagate):
- dfg/DFGByteCodeParser.cpp:
(JSC::DFG::ByteCodeParser::handleTypedArrayConstructor):
(JSC::DFG::ByteCodeParser::handleConstantInternalFunction):
(JSC::DFG::CCallHelpers::setupArgumentsWithExecState):
(JSC::DFG::CSEPhase::putStructureStoreElimination):
(JSC::DFG::clobberize):
(JSC::DFG::FixupPhase::fixupNode):
(JSC::DFG::Graph::dump):
(JSC::DFG::Node::hasTypedArrayType):
(JSC::DFG::Node::typedArrayType):
- dfg/DFGNodeType.h:
- dfg/DFGOperations.cpp:
(JSC::DFG::newTypedArrayWithSize):
(JSC::DFG::newTypedArrayWithOneArgument):
(JSC::DFG::operationNewTypedArrayWithSizeForType):
(JSC::DFG::operationNewTypedArrayWithOneArgumentForType):
- dfg/DFGPredictionPropagationPhase.cpp:
(JSC::DFG::PredictionPropagationPhase::propagate):
(JSC::DFG::safeToExecute):
- dfg/DFGSpeculativeJIT.cpp:
(JSC::DFG::SpeculativeJIT::compileNewTypedArray):
(JSC::DFG::SpeculativeJIT::callOperation):
- dfg/DFGSpeculativeJIT32_64.cpp:
(JSC::DFG::SpeculativeJIT::compile):
- dfg/DFGSpeculativeJIT64.cpp:
(JSC::DFG::SpeculativeJIT::compile):
(JSC::JIT::emit_op_new_object):
(JSC::JIT::emit_op_new_object):
(JSC::JSArray::allocationSize):
- runtime/JSArrayBufferView.h:
(JSC::JSArrayBufferView::allocationSize):
- runtime/JSGenericTypedArrayViewConstructorInlines.h:
(JSC::constructGenericTypedArrayView):
(JSC::JSFinalObject::allocationSize):
- runtime/TypedArrayType.cpp:
(JSC::constructorClassInfoForType):
- runtime/TypedArrayType.h:
(JSC::indexToTypedArrayType):
LayoutTests:
Reviewed by Oliver Hunt.
- fast/js/regress/Float64Array-alloc-long-lived-expected.txt: Added.
- fast/js/regress/Float64Array-alloc-long-lived.html: Added.
- fast/js/regress/Int16Array-alloc-long-lived-expected.txt: Added.
- fast/js/regress/Int16Array-alloc-long-lived.html: Added.
- fast/js/regress/Int8Array-alloc-long-lived-expected.txt: Added.
- fast/js/regress/Int8Array-alloc-long-lived.html: Added.
- fast/js/regress/script-tests/Float64Array-alloc-long-lived.js: Added.
- fast/js/regress/script-tests/Int16Array-alloc-long-lived.js: Added.
- fast/js/regress/script-tests/Int32Array-alloc-long-lived.js:
- fast/js/regress/script-tests/Int8Array-alloc-long-lived.js: Added.
