Changeset 156029 in webkit for trunk/Source/JavaScriptCore/dfg/DFGFixupPhase.cpp

Timestamp:

Sep 18, 2013, 12:25:52 AM (12 years ago)

Author:

[email protected]

Message:

Unreviewed, rolling out r156019 and r156020.
​http://trac.webkit.org/changeset/156019
​http://trac.webkit.org/changeset/156020
​https://bugs.webkit.org/show_bug.cgi?id=121540

Broke tests (Requested by ap on #webkit).

Source/JavaScriptCore:

• assembler/MacroAssemblerX86_64.h:
• assembler/X86Assembler.h:
• bytecode/DataFormat.h:

(JSC::dataFormatToString):

• bytecode/ExitKind.cpp:

(JSC::exitKindToString):

• bytecode/ExitKind.h:
• bytecode/OperandsInlines.h:

(JSC::::dumpInContext):

• bytecode/SpeculatedType.cpp:

(JSC::dumpSpeculation):
(JSC::speculationToAbbreviatedString):
(JSC::speculationFromValue):

• bytecode/SpeculatedType.h:

(JSC::isInt32SpeculationForArithmetic):
(JSC::isInt48Speculation):
(JSC::isMachineIntSpeculationForArithmetic):
(JSC::isInt48AsDoubleSpeculation):
(JSC::isRealNumberSpeculation):
(JSC::isNumberSpeculation):
(JSC::isNumberSpeculationExpectingDefined):

• bytecode/ValueRecovery.h:

(JSC::ValueRecovery::inGPR):
(JSC::ValueRecovery::displacedInJSStack):
(JSC::ValueRecovery::isAlreadyInJSStack):
(JSC::ValueRecovery::gpr):
(JSC::ValueRecovery::virtualRegister):
(JSC::ValueRecovery::dumpInContext):

• dfg/DFGAbstractInterpreter.h:

(JSC::DFG::AbstractInterpreter::needsTypeCheck):
(JSC::DFG::AbstractInterpreter::filterByType):

• dfg/DFGAbstractInterpreterInlines.h:

(JSC::DFG::::executeEffects):

• dfg/DFGAbstractValue.cpp:

(JSC::DFG::AbstractValue::set):
(JSC::DFG::AbstractValue::checkConsistency):

• dfg/DFGAbstractValue.h:

(JSC::DFG::AbstractValue::validateType):

• dfg/DFGArrayMode.cpp:

(JSC::DFG::ArrayMode::refine):

• dfg/DFGAssemblyHelpers.h:

(JSC::DFG::AssemblyHelpers::unboxDouble):

• dfg/DFGByteCodeParser.cpp:

(JSC::DFG::ByteCodeParser::makeSafe):

• dfg/DFGCSEPhase.cpp:

(JSC::DFG::CSEPhase::canonicalize):
(JSC::DFG::CSEPhase::pureCSE):
(JSC::DFG::CSEPhase::getByValLoadElimination):
(JSC::DFG::CSEPhase::performNodeCSE):

• dfg/DFGClobberize.h:

(JSC::DFG::clobberize):

• dfg/DFGCommon.h:
• dfg/DFGFixupPhase.cpp:

(JSC::DFG::FixupPhase::run):
(JSC::DFG::FixupPhase::fixupNode):
(JSC::DFG::FixupPhase::fixupSetLocalsInBlock):
(JSC::DFG::FixupPhase::observeUseKindOnNode):
(JSC::DFG::FixupPhase::fixEdge):
(JSC::DFG::FixupPhase::injectInt32ToDoubleNode):
(JSC::DFG::FixupPhase::attemptToMakeIntegerAdd):

• dfg/DFGFlushFormat.cpp:

(WTF::printInternal):

• dfg/DFGFlushFormat.h:

(JSC::DFG::resultFor):
(JSC::DFG::useKindFor):

• dfg/DFGGenerationInfo.h:

(JSC::DFG::GenerationInfo::initInt32):
(JSC::DFG::GenerationInfo::fillInt32):

• dfg/DFGGraph.cpp:

(JSC::DFG::Graph::dump):

• dfg/DFGGraph.h:

(JSC::DFG::Graph::addShouldSpeculateMachineInt):
(JSC::DFG::Graph::mulShouldSpeculateMachineInt):
(JSC::DFG::Graph::negateShouldSpeculateMachineInt):

• dfg/DFGInPlaceAbstractState.cpp:

(JSC::DFG::InPlaceAbstractState::mergeStateAtTail):

• dfg/DFGJITCode.cpp:

(JSC::DFG::JITCode::reconstruct):

• dfg/DFGMinifiedNode.h:

(JSC::DFG::belongsInMinifiedGraph):
(JSC::DFG::MinifiedNode::hasChild):

• dfg/DFGNode.h:

(JSC::DFG::Node::shouldSpeculateNumber):
(JSC::DFG::Node::shouldSpeculateNumberExpectingDefined):
(JSC::DFG::Node::canSpeculateInt48):

• dfg/DFGNodeFlags.h:

(JSC::DFG::nodeCanSpeculateInt48):

• dfg/DFGNodeType.h:

(JSC::DFG::forwardRewiringSelectionScore):

• dfg/DFGOSRExitCompiler.cpp:

(JSC::DFG::shortOperandsDump):

• dfg/DFGOSRExitCompiler64.cpp:

(JSC::DFG::OSRExitCompiler::compileExit):

• dfg/DFGPredictionPropagationPhase.cpp:

(JSC::DFG::PredictionPropagationPhase::speculatedDoubleTypeForPrediction):
(JSC::DFG::PredictionPropagationPhase::propagate):
(JSC::DFG::PredictionPropagationPhase::doDoubleVoting):

• dfg/DFGSafeToExecute.h:

(JSC::DFG::SafeToExecuteEdge::operator()):
(JSC::DFG::safeToExecute):

• dfg/DFGSilentRegisterSavePlan.h:
• dfg/DFGSpeculativeJIT.cpp:

(JSC::DFG::SpeculativeJIT::silentSavePlanForGPR):
(JSC::DFG::SpeculativeJIT::silentFill):
(JSC::DFG::SpeculativeJIT::compilePeepHoleBranch):
(JSC::DFG::SpeculativeJIT::compileInlineStart):
(JSC::DFG::SpeculativeJIT::compileDoublePutByVal):
(JSC::DFG::SpeculativeJIT::compileValueToInt32):
(JSC::DFG::SpeculativeJIT::compileInt32ToDouble):
(JSC::DFG::SpeculativeJIT::compileGetByValOnIntTypedArray):
(JSC::DFG::SpeculativeJIT::compilePutByValForIntTypedArray):
(JSC::DFG::SpeculativeJIT::compileAdd):
(JSC::DFG::SpeculativeJIT::compileArithSub):
(JSC::DFG::SpeculativeJIT::compileArithNegate):
(JSC::DFG::SpeculativeJIT::compileArithMul):
(JSC::DFG::SpeculativeJIT::compare):
(JSC::DFG::SpeculativeJIT::compileStrictEq):
(JSC::DFG::SpeculativeJIT::speculateNumber):
(JSC::DFG::SpeculativeJIT::speculateRealNumber):
(JSC::DFG::SpeculativeJIT::speculate):

• dfg/DFGSpeculativeJIT.h:

(JSC::DFG::SpeculativeJIT::canReuse):
(JSC::DFG::SpeculativeJIT::isFilled):
(JSC::DFG::SpeculativeJIT::isFilledDouble):
(JSC::DFG::SpeculativeJIT::use):
(JSC::DFG::SpeculativeJIT::boxDouble):
(JSC::DFG::SpeculativeJIT::isKnownInteger):
(JSC::DFG::SpeculativeJIT::isKnownCell):
(JSC::DFG::SpeculativeJIT::isKnownNotNumber):
(JSC::DFG::SpeculativeJIT::int32Result):
(JSC::DFG::SpeculativeJIT::initConstantInfo):
(JSC::DFG::SpeculativeJIT::isInteger):
(JSC::DFG::SpeculativeJIT::generationInfoFromVirtualRegister):

• dfg/DFGSpeculativeJIT32_64.cpp:

(JSC::DFG::SpeculativeJIT::fillSpeculateDouble):
(JSC::DFG::SpeculativeJIT::compile):

• dfg/DFGSpeculativeJIT64.cpp:

(JSC::DFG::SpeculativeJIT::fillJSValue):
(JSC::DFG::SpeculativeJIT::fillSpeculateInt32Internal):
(JSC::DFG::SpeculativeJIT::fillSpeculateDouble):
(JSC::DFG::SpeculativeJIT::fillSpeculateCell):
(JSC::DFG::SpeculativeJIT::fillSpeculateBoolean):
(JSC::DFG::SpeculativeJIT::compile):

• dfg/DFGUseKind.cpp:

(WTF::printInternal):

• dfg/DFGUseKind.h:

(JSC::DFG::typeFilterFor):
(JSC::DFG::isNumerical):

• dfg/DFGValueSource.cpp:

(JSC::DFG::ValueSource::dump):

• dfg/DFGValueSource.h:

(JSC::DFG::dataFormatToValueSourceKind):
(JSC::DFG::valueSourceKindToDataFormat):
(JSC::DFG::ValueSource::forFlushFormat):
(JSC::DFG::ValueSource::valueRecovery):

• dfg/DFGVariableAccessData.h:

(JSC::DFG::VariableAccessData::shouldUseDoubleFormatAccordingToVote):
(JSC::DFG::VariableAccessData::flushFormat):

• ftl/FTLCArgumentGetter.cpp:

(JSC::FTL::CArgumentGetter::loadNextAndBox):

• ftl/FTLCArgumentGetter.h:
• ftl/FTLCapabilities.cpp:

(JSC::FTL::canCompile):

• ftl/FTLExitValue.cpp:

(JSC::FTL::ExitValue::dumpInContext):

• ftl/FTLExitValue.h:
• ftl/FTLIntrinsicRepository.h:
• ftl/FTLLowerDFGToLLVM.cpp:

(JSC::FTL::LowerDFGToLLVM::createPhiVariables):
(JSC::FTL::LowerDFGToLLVM::compileNode):
(JSC::FTL::LowerDFGToLLVM::compileUpsilon):
(JSC::FTL::LowerDFGToLLVM::compilePhi):
(JSC::FTL::LowerDFGToLLVM::compileSetLocal):
(JSC::FTL::LowerDFGToLLVM::compileAdd):
(JSC::FTL::LowerDFGToLLVM::compileArithSub):
(JSC::FTL::LowerDFGToLLVM::compileArithMul):
(JSC::FTL::LowerDFGToLLVM::compileArithNegate):
(JSC::FTL::LowerDFGToLLVM::compilePutByVal):
(JSC::FTL::LowerDFGToLLVM::compileCompareEq):
(JSC::FTL::LowerDFGToLLVM::compileCompareStrictEq):
(JSC::FTL::LowerDFGToLLVM::compileCompareLess):
(JSC::FTL::LowerDFGToLLVM::compileCompareLessEq):
(JSC::FTL::LowerDFGToLLVM::compileCompareGreater):
(JSC::FTL::LowerDFGToLLVM::compileCompareGreaterEq):
(JSC::FTL::LowerDFGToLLVM::lowInt32):
(JSC::FTL::LowerDFGToLLVM::lowCell):
(JSC::FTL::LowerDFGToLLVM::lowBoolean):
(JSC::FTL::LowerDFGToLLVM::lowDouble):
(JSC::FTL::LowerDFGToLLVM::lowJSValue):
(JSC::FTL::LowerDFGToLLVM::speculateRealNumber):
(JSC::FTL::LowerDFGToLLVM::initializeOSRExitStateForBlock):
(JSC::FTL::LowerDFGToLLVM::emitOSRExitCall):
(JSC::FTL::LowerDFGToLLVM::addExitArgumentForNode):
(JSC::FTL::LowerDFGToLLVM::setInt32):

• ftl/FTLOSRExitCompiler.cpp:

(JSC::FTL::compileStub):

• ftl/FTLOutput.h:

(JSC::FTL::Output::mulWithOverflow32):

• ftl/FTLValueFormat.cpp:

(WTF::printInternal):

• ftl/FTLValueFormat.h:
• ftl/FTLValueSource.cpp:

(JSC::FTL::ValueSource::dump):

• ftl/FTLValueSource.h:
• interpreter/Register.h:
• runtime/Arguments.cpp:

(JSC::Arguments::tearOffForInlineCallFrame):

• runtime/IndexingType.cpp:

(JSC::leastUpperBoundOfIndexingTypeAndType):

• runtime/JSCJSValue.h:
• runtime/JSCJSValueInlines.h:

Source/WTF:

• wtf/PrintStream.h:

Tools:

• Scripts/run-jsc-stress-tests:

LayoutTests:

• js/regress/large-int-captured-expected.txt: Removed.
• js/regress/large-int-captured.html: Removed.
• js/regress/large-int-expected.txt: Removed.
• js/regress/large-int-neg-expected.txt: Removed.
• js/regress/large-int-neg.html: Removed.
• js/regress/large-int.html: Removed.
• js/regress/marsaglia-larger-ints-expected.txt: Removed.
• js/regress/marsaglia-larger-ints.html: Removed.
• js/regress/script-tests/large-int-captured.js: Removed.
• js/regress/script-tests/large-int-neg.js: Removed.
• js/regress/script-tests/large-int.js: Removed.
• js/regress/script-tests/marsaglia-larger-ints.js: Removed.

File:

• trunk/Source/JavaScriptCore/dfg/DFGFixupPhase.cpp (modified) (17 diffs)

trunk/Source/JavaScriptCore/dfg/DFGFixupPhase.cpp

@@ -65 +65 @@
         }
         
-        for (BlockIndex blockIndex = 0; blockIndex < m_graph.numBlocks(); ++blockIndex)
-            fixupUntypedSetLocalsInBlock(m_graph.block(blockIndex));
-        
         return true;
     }
@@ -96 +93 @@
         case SetLocal: {
             // This gets handled by fixupSetLocalsInBlock().
-            return;
+            break;
         }
             
@@ -128 +125 @@
             }
             
-            if (node->child1()->shouldSpeculateMachineInt()) {
-                fixEdge<MachineIntUse>(node->child1());
-                break;
-            }
-            
             if (node->child1()->shouldSpeculateNumber()) {
                 fixEdge<NumberUse>(node->child1());
@@ -206 +198 @@
                 break;
             }
-            if (m_graph.negateShouldSpeculateMachineInt(node)) {
-                fixEdge<MachineIntUse>(node->child1());
-                break;
-            }
             fixEdge<NumberUse>(node->child1());
             break;
@@ -218 +206 @@
                 fixEdge<Int32Use>(node->child1());
                 fixEdge<Int32Use>(node->child2());
-                break;
-            }
-            if (m_graph.mulShouldSpeculateMachineInt(node)) {
-                fixEdge<MachineIntUse>(node->child1());
-                fixEdge<MachineIntUse>(node->child2());
                 break;
             }
@@ -318 +301 @@
                 break;
             }
-            if (enableInt52()
-                && Node::shouldSpeculateMachineInt(node->child1().node(), node->child2().node())) {
-                fixEdge<MachineIntUse>(node->child1());
-                fixEdge<MachineIntUse>(node->child2());
-                break;
-            }
             if (Node::shouldSpeculateNumber(node->child1().node(), node->child2().node())) {
                 fixEdge<NumberUse>(node->child1());
@@ -377 +354 @@
                 fixEdge<Int32Use>(node->child1());
                 fixEdge<Int32Use>(node->child2());
-                break;
-            }
-            if (enableInt52()
-                && Node::shouldSpeculateMachineInt(node->child1().node(), node->child2().node())) {
-                fixEdge<MachineIntUse>(node->child1());
-                fixEdge<MachineIntUse>(node->child2());
                 break;
             }
@@ -506 +477 @@
                 fixEdge<Int32Use>(child2);
                 fixEdge<Int32Use>(child3);
-                if (child3->prediction() & SpecInt52)
-                    fixEdge<MachineIntUse>(child3);
-                else
-                    fixEdge<Int32Use>(child3);
                 break;
             case Array::Double:
@@ -527 +494 @@
                 if (child3->shouldSpeculateInt32())
                     fixEdge<Int32Use>(child3);
-                else if (child3->shouldSpeculateMachineInt())
-                    fixEdge<MachineIntUse>(child3);
                 else
                     fixEdge<NumberUse>(child3);
@@ -883 +848 @@
         case CheckTierUpAtReturn:
         case CheckTierUpAndOSREnter:
-        case Int52ToDouble:
-        case Int52ToValue:
             RELEASE_ASSERT_NOT_REACHED();
             break;
@@ -1227 +1190 @@
                 fixEdge<Int32Use>(node->child1());
                 break;
-            case FlushedInt52:
-                fixEdge<MachineIntUse>(node->child1());
-                break;
             case FlushedCell:
                 fixEdge<CellUse>(node->child1());
@@ -1240 +1200 @@
                 break;
             }
-        }
-        m_insertionSet.execute(block);
-    }
-    
-    void fixupUntypedSetLocalsInBlock(BasicBlock* block)
-    {
-        if (!block)
-            return;
-        ASSERT(block->isReachable);
-        m_block = block;
-        for (m_indexInBlock = 0; m_indexInBlock < block->size(); ++m_indexInBlock) {
-            Node* node = m_currentNode = block->at(m_indexInBlock);
-            if (node->op() != SetLocal)
-                continue;
-            
-            if (node->child1().useKind() == UntypedUse)
-                fixEdge<UntypedUse>(node->child1());
         }
         m_insertionSet.execute(block);
@@ -1362 +1305 @@
             return;
         
-        // FIXME: The way this uses alwaysUnboxSimplePrimitives() is suspicious.
-        // https://bugs.webkit.org/show_bug.cgi?id=121518
-        
         VariableAccessData* variable = node->variableAccessData();
         switch (useKind) {
@@ -1380 +1320 @@
             if (alwaysUnboxSimplePrimitives()
                 || isBooleanSpeculation(variable->prediction()))
-                m_profitabilityChanged |= variable->mergeIsProfitableToUnbox(true);
-            break;
-        case MachineIntUse:
-            if (isMachineIntSpeculation(variable->prediction()))
                 m_profitabilityChanged |= variable->mergeIsProfitableToUnbox(true);
             break;
@@ -1412 +1348 @@
     void fixEdge(Edge& edge, SpeculationDirection direction = BackwardSpeculation)
     {
-        if (isDouble(useKind)) {
-            if (edge->shouldSpeculateInt32ForArithmetic()) {
-                injectInt32ToDoubleNode(edge, useKind, direction);
-                return;
-            }
-            
-            if (enableInt52() && edge->shouldSpeculateMachineInt()) {
-                // Make all double uses of int52 values have an intermediate Int52ToDouble.
-                // This is for the same reason as Int52ToValue (see below) except that
-                // Int8ToDouble will convert int52's that fit in an int32 into a double
-                // rather than trying to create a boxed int32 like Int52ToValue does.
-                
-                Node* result = m_insertionSet.insertNode(
-                    m_indexInBlock, SpecInt52AsDouble, Int52ToDouble,
-                    m_currentNode->codeOrigin, Edge(edge.node(), NumberUse));
-                edge = Edge(result, useKind);
-                return;
-            }
-        }
-        
-        if (enableInt52() && useKind != MachineIntUse
-            && edge->shouldSpeculateMachineInt() && !edge->shouldSpeculateInt32()) {
-            // We make all non-int52 uses of int52 values have an intermediate Int52ToValue
-            // node to ensure that we handle this properly:
-            //
-            // a: SomeInt52
-            // b: ArithAdd(@a, ...)
-            // c: Call(..., @a)
-            // d: ArithAdd(@a, ...)
-            //
-            // Without an intermediate node and just labeling the uses, we will get:
-            //
-            // a: SomeInt52
-            // b: ArithAdd(Int52:@a, ...)
-            // c: Call(..., Untyped:@a)
-            // d: ArithAdd(Int52:@a, ...)
-            //
-            // And now the c->Untyped:@a edge will box the value of @a into a double. This
-            // is bad, because now the d->Int52:@a edge will either have to do double-to-int
-            // conversions, or will have to OSR exit unconditionally. Alternatively we could
-            // have the c->Untyped:@a edge box the value by copying rather than in-place.
-            // But these boxings are also costly so this wouldn't be great.
-            //
-            // The solution we use is to always have non-Int52 uses of predicted Int52's use
-            // an intervening Int52ToValue node:
-            //
-            // a: SomeInt52
-            // b: ArithAdd(Int52:@a, ...)
-            // x: Int52ToValue(Int52:@a)
-            // c: Call(..., Untyped:@x)
-            // d: ArithAdd(Int52:@a, ...)
-            //
-            // Note that even if we had multiple non-int52 uses of @a, the multiple
-            // Int52ToValue's would get CSE'd together. So the boxing would only happen once.
-            // At the same time, @a would continue to be represented as a native int52.
-            //
-            // An alternative would have been to insert ToNativeInt52 nodes on int52 uses of
-            // int52's. This would have handled the above example but would fall over for:
-            //
-            // a: SomeInt52
-            // b: Call(..., @a)
-            // c: ArithAdd(@a, ...)
-            //
-            // But the solution we use handles the above gracefully.
-            
-            Node* result = m_insertionSet.insertNode(
-                m_indexInBlock, SpecInt52, Int52ToValue,
-                m_currentNode->codeOrigin, Edge(edge.node(), UntypedUse));
-            edge = Edge(result, useKind);
+        if (isDouble(useKind) && edge->shouldSpeculateInt32ForArithmetic()) {
+            injectInt32ToDoubleNode(edge, useKind, direction);
             return;
         }
         
         observeUseKindOnNode<useKind>(edge.node());
-        
         edge.setUseKind(useKind);
     }
@@ -1511 +1379 @@
     {
         Node* result = m_insertionSet.insertNode(
-            m_indexInBlock, SpecInt52AsDouble, Int32ToDouble,
+            m_indexInBlock, SpecInt48, Int32ToDouble,
             m_currentNode->codeOrigin, Edge(edge.node(), NumberUse));
         if (direction == ForwardSpeculation)
@@ -1567 +1435 @@
     {
         AddSpeculationMode mode = m_graph.addSpeculationMode(node);
-        if (mode != DontSpeculateInt32) {
-            truncateConstantsIfNecessary(node, mode);
-            fixEdge<Int32Use>(node->child1());
-            fixEdge<Int32Use>(node->child2());
-            return true;
-        }
-        
-        if (m_graph.addShouldSpeculateMachineInt(node)) {
-            fixEdge<MachineIntUse>(node->child1());
-            fixEdge<MachineIntUse>(node->child2());
-            return true;
-        }
-        
-        return false;
+        if (mode == DontSpeculateInt32)
+            return false;
+        
+        truncateConstantsIfNecessary(node, mode);
+        fixEdge<Int32Use>(node->child1());
+        fixEdge<Int32Use>(node->child2());
+        return true;
     }