Context Navigation

← Previous Change
Next Change →

DFGSpeculativeJIT64.cpp

Timestamp:

Sep 18, 2013, 12:25:52 AM (12 years ago)

Author:

Message:

Unreviewed, rolling out r156019 and r156020.
http://trac.webkit.org/changeset/156019
http://trac.webkit.org/changeset/156020
https://bugs.webkit.org/show_bug.cgi?id=121540

Broke tests (Requested by ap on #webkit).

Source/JavaScriptCore:

assembler/MacroAssemblerX86_64.h:
assembler/X86Assembler.h:
bytecode/DataFormat.h:

(JSC::dataFormatToString):

bytecode/ExitKind.cpp:

(JSC::exitKindToString):

bytecode/ExitKind.h:
bytecode/OperandsInlines.h:

(JSC::::dumpInContext):

bytecode/SpeculatedType.cpp:

(JSC::dumpSpeculation):
(JSC::speculationToAbbreviatedString):
(JSC::speculationFromValue):

bytecode/SpeculatedType.h:

(JSC::isInt32SpeculationForArithmetic):
(JSC::isInt48Speculation):
(JSC::isMachineIntSpeculationForArithmetic):
(JSC::isInt48AsDoubleSpeculation):
(JSC::isRealNumberSpeculation):
(JSC::isNumberSpeculation):
(JSC::isNumberSpeculationExpectingDefined):

bytecode/ValueRecovery.h:

(JSC::ValueRecovery::inGPR):
(JSC::ValueRecovery::displacedInJSStack):
(JSC::ValueRecovery::isAlreadyInJSStack):
(JSC::ValueRecovery::gpr):
(JSC::ValueRecovery::virtualRegister):
(JSC::ValueRecovery::dumpInContext):

dfg/DFGAbstractInterpreter.h:

(JSC::DFG::AbstractInterpreter::needsTypeCheck):
(JSC::DFG::AbstractInterpreter::filterByType):

dfg/DFGAbstractInterpreterInlines.h:

(JSC::DFG::::executeEffects):

dfg/DFGAbstractValue.cpp:

(JSC::DFG::AbstractValue::set):
(JSC::DFG::AbstractValue::checkConsistency):

dfg/DFGAbstractValue.h:

(JSC::DFG::AbstractValue::validateType):

dfg/DFGArrayMode.cpp:

(JSC::DFG::ArrayMode::refine):

dfg/DFGAssemblyHelpers.h:

(JSC::DFG::AssemblyHelpers::unboxDouble):

dfg/DFGByteCodeParser.cpp:

(JSC::DFG::ByteCodeParser::makeSafe):

dfg/DFGCSEPhase.cpp:

(JSC::DFG::CSEPhase::canonicalize):
(JSC::DFG::CSEPhase::pureCSE):
(JSC::DFG::CSEPhase::getByValLoadElimination):
(JSC::DFG::CSEPhase::performNodeCSE):

dfg/DFGClobberize.h:

(JSC::DFG::clobberize):

dfg/DFGCommon.h:
dfg/DFGFixupPhase.cpp:

(JSC::DFG::FixupPhase::run):
(JSC::DFG::FixupPhase::fixupNode):
(JSC::DFG::FixupPhase::fixupSetLocalsInBlock):
(JSC::DFG::FixupPhase::observeUseKindOnNode):
(JSC::DFG::FixupPhase::fixEdge):
(JSC::DFG::FixupPhase::injectInt32ToDoubleNode):
(JSC::DFG::FixupPhase::attemptToMakeIntegerAdd):

dfg/DFGFlushFormat.cpp:

(WTF::printInternal):

dfg/DFGFlushFormat.h:

(JSC::DFG::resultFor):
(JSC::DFG::useKindFor):

dfg/DFGGenerationInfo.h:

(JSC::DFG::GenerationInfo::initInt32):
(JSC::DFG::GenerationInfo::fillInt32):

dfg/DFGGraph.cpp:

(JSC::DFG::Graph::dump):

dfg/DFGGraph.h:

(JSC::DFG::Graph::addShouldSpeculateMachineInt):
(JSC::DFG::Graph::mulShouldSpeculateMachineInt):
(JSC::DFG::Graph::negateShouldSpeculateMachineInt):

dfg/DFGInPlaceAbstractState.cpp:

(JSC::DFG::InPlaceAbstractState::mergeStateAtTail):

dfg/DFGJITCode.cpp:

(JSC::DFG::JITCode::reconstruct):

dfg/DFGMinifiedNode.h:

(JSC::DFG::belongsInMinifiedGraph):
(JSC::DFG::MinifiedNode::hasChild):

dfg/DFGNode.h:

(JSC::DFG::Node::shouldSpeculateNumber):
(JSC::DFG::Node::shouldSpeculateNumberExpectingDefined):
(JSC::DFG::Node::canSpeculateInt48):

dfg/DFGNodeFlags.h:

(JSC::DFG::nodeCanSpeculateInt48):

dfg/DFGNodeType.h:

(JSC::DFG::forwardRewiringSelectionScore):

dfg/DFGOSRExitCompiler.cpp:

(JSC::DFG::shortOperandsDump):

dfg/DFGOSRExitCompiler64.cpp:

(JSC::DFG::OSRExitCompiler::compileExit):

dfg/DFGPredictionPropagationPhase.cpp:

(JSC::DFG::PredictionPropagationPhase::speculatedDoubleTypeForPrediction):
(JSC::DFG::PredictionPropagationPhase::propagate):
(JSC::DFG::PredictionPropagationPhase::doDoubleVoting):

dfg/DFGSafeToExecute.h:

(JSC::DFG::SafeToExecuteEdge::operator()):
(JSC::DFG::safeToExecute):

dfg/DFGSilentRegisterSavePlan.h:
dfg/DFGSpeculativeJIT.cpp:

(JSC::DFG::SpeculativeJIT::silentSavePlanForGPR):
(JSC::DFG::SpeculativeJIT::silentFill):
(JSC::DFG::SpeculativeJIT::compilePeepHoleBranch):
(JSC::DFG::SpeculativeJIT::compileInlineStart):
(JSC::DFG::SpeculativeJIT::compileDoublePutByVal):
(JSC::DFG::SpeculativeJIT::compileValueToInt32):
(JSC::DFG::SpeculativeJIT::compileInt32ToDouble):
(JSC::DFG::SpeculativeJIT::compileGetByValOnIntTypedArray):
(JSC::DFG::SpeculativeJIT::compilePutByValForIntTypedArray):
(JSC::DFG::SpeculativeJIT::compileAdd):
(JSC::DFG::SpeculativeJIT::compileArithSub):
(JSC::DFG::SpeculativeJIT::compileArithNegate):
(JSC::DFG::SpeculativeJIT::compileArithMul):
(JSC::DFG::SpeculativeJIT::compare):
(JSC::DFG::SpeculativeJIT::compileStrictEq):
(JSC::DFG::SpeculativeJIT::speculateNumber):
(JSC::DFG::SpeculativeJIT::speculateRealNumber):
(JSC::DFG::SpeculativeJIT::speculate):

dfg/DFGSpeculativeJIT.h:

(JSC::DFG::SpeculativeJIT::canReuse):
(JSC::DFG::SpeculativeJIT::isFilled):
(JSC::DFG::SpeculativeJIT::isFilledDouble):
(JSC::DFG::SpeculativeJIT::use):
(JSC::DFG::SpeculativeJIT::boxDouble):
(JSC::DFG::SpeculativeJIT::isKnownInteger):
(JSC::DFG::SpeculativeJIT::isKnownCell):
(JSC::DFG::SpeculativeJIT::isKnownNotNumber):
(JSC::DFG::SpeculativeJIT::int32Result):
(JSC::DFG::SpeculativeJIT::initConstantInfo):
(JSC::DFG::SpeculativeJIT::isInteger):
(JSC::DFG::SpeculativeJIT::generationInfoFromVirtualRegister):

dfg/DFGSpeculativeJIT32_64.cpp:

(JSC::DFG::SpeculativeJIT::fillSpeculateDouble):
(JSC::DFG::SpeculativeJIT::compile):

dfg/DFGSpeculativeJIT64.cpp:

(JSC::DFG::SpeculativeJIT::fillJSValue):
(JSC::DFG::SpeculativeJIT::fillSpeculateInt32Internal):
(JSC::DFG::SpeculativeJIT::fillSpeculateDouble):
(JSC::DFG::SpeculativeJIT::fillSpeculateCell):
(JSC::DFG::SpeculativeJIT::fillSpeculateBoolean):
(JSC::DFG::SpeculativeJIT::compile):

dfg/DFGUseKind.cpp:

(WTF::printInternal):

dfg/DFGUseKind.h:

(JSC::DFG::typeFilterFor):
(JSC::DFG::isNumerical):

dfg/DFGValueSource.cpp:

(JSC::DFG::ValueSource::dump):

dfg/DFGValueSource.h:

(JSC::DFG::dataFormatToValueSourceKind):
(JSC::DFG::valueSourceKindToDataFormat):
(JSC::DFG::ValueSource::forFlushFormat):
(JSC::DFG::ValueSource::valueRecovery):

dfg/DFGVariableAccessData.h:

(JSC::DFG::VariableAccessData::shouldUseDoubleFormatAccordingToVote):
(JSC::DFG::VariableAccessData::flushFormat):

ftl/FTLCArgumentGetter.cpp:

(JSC::FTL::CArgumentGetter::loadNextAndBox):

ftl/FTLCArgumentGetter.h:
ftl/FTLCapabilities.cpp:

(JSC::FTL::canCompile):

ftl/FTLExitValue.cpp:

(JSC::FTL::ExitValue::dumpInContext):

ftl/FTLExitValue.h:
ftl/FTLIntrinsicRepository.h:
ftl/FTLLowerDFGToLLVM.cpp:

(JSC::FTL::LowerDFGToLLVM::createPhiVariables):
(JSC::FTL::LowerDFGToLLVM::compileNode):
(JSC::FTL::LowerDFGToLLVM::compileUpsilon):
(JSC::FTL::LowerDFGToLLVM::compilePhi):
(JSC::FTL::LowerDFGToLLVM::compileSetLocal):
(JSC::FTL::LowerDFGToLLVM::compileAdd):
(JSC::FTL::LowerDFGToLLVM::compileArithSub):
(JSC::FTL::LowerDFGToLLVM::compileArithMul):
(JSC::FTL::LowerDFGToLLVM::compileArithNegate):
(JSC::FTL::LowerDFGToLLVM::compilePutByVal):
(JSC::FTL::LowerDFGToLLVM::compileCompareEq):
(JSC::FTL::LowerDFGToLLVM::compileCompareStrictEq):
(JSC::FTL::LowerDFGToLLVM::compileCompareLess):
(JSC::FTL::LowerDFGToLLVM::compileCompareLessEq):
(JSC::FTL::LowerDFGToLLVM::compileCompareGreater):
(JSC::FTL::LowerDFGToLLVM::compileCompareGreaterEq):
(JSC::FTL::LowerDFGToLLVM::lowInt32):
(JSC::FTL::LowerDFGToLLVM::lowCell):
(JSC::FTL::LowerDFGToLLVM::lowBoolean):
(JSC::FTL::LowerDFGToLLVM::lowDouble):
(JSC::FTL::LowerDFGToLLVM::lowJSValue):
(JSC::FTL::LowerDFGToLLVM::speculateRealNumber):
(JSC::FTL::LowerDFGToLLVM::initializeOSRExitStateForBlock):
(JSC::FTL::LowerDFGToLLVM::emitOSRExitCall):
(JSC::FTL::LowerDFGToLLVM::addExitArgumentForNode):
(JSC::FTL::LowerDFGToLLVM::setInt32):

ftl/FTLOSRExitCompiler.cpp:

(JSC::FTL::compileStub):

ftl/FTLOutput.h:

(JSC::FTL::Output::mulWithOverflow32):

ftl/FTLValueFormat.cpp:

(WTF::printInternal):

ftl/FTLValueFormat.h:
ftl/FTLValueSource.cpp:

(JSC::FTL::ValueSource::dump):

ftl/FTLValueSource.h:
interpreter/Register.h:
runtime/Arguments.cpp:

(JSC::Arguments::tearOffForInlineCallFrame):

runtime/IndexingType.cpp:

(JSC::leastUpperBoundOfIndexingTypeAndType):

runtime/JSCJSValue.h:
runtime/JSCJSValueInlines.h:

Source/WTF:

wtf/PrintStream.h:

Tools:

Scripts/run-jsc-stress-tests:

LayoutTests:

js/regress/large-int-captured-expected.txt: Removed.
js/regress/large-int-captured.html: Removed.
js/regress/large-int-expected.txt: Removed.
js/regress/large-int-neg-expected.txt: Removed.
js/regress/large-int-neg.html: Removed.
js/regress/large-int.html: Removed.
js/regress/marsaglia-larger-ints-expected.txt: Removed.
js/regress/marsaglia-larger-ints.html: Removed.
js/regress/script-tests/large-int-captured.js: Removed.
js/regress/script-tests/large-int-neg.js: Removed.
js/regress/script-tests/large-int.js: Removed.
js/regress/script-tests/marsaglia-larger-ints.js: Removed.

File:

: 1 edited

trunk/Source/JavaScriptCore/dfg/DFGSpeculativeJIT64.cpp (modified) (23 diffs)

Legend:

: Unmodified
: Added
: Removed

trunk/Source/JavaScriptCore/dfg/DFGSpeculativeJIT64.cpp

-              r156019
+              r156029
 #if USE(JSVALUE64)
-void SpeculativeJIT::boxInt52(GPRReg sourceGPR, GPRReg targetGPR, DataFormat format)
+{
-    GPRReg tempGPR;
-    if (sourceGPR == targetGPR)
-        tempGPR = allocate();
-    else
-        tempGPR = targetGPR;
-    FPRReg fpr = fprAllocate();
-    if (format == DataFormatInt52)
-        m_jit.rshift64(TrustedImm32(JSValue::int52ShiftAmount), sourceGPR);
-    else
-        ASSERT(format == DataFormatStrictInt52);
-    m_jit.boxInt52(sourceGPR, targetGPR, tempGPR, fpr);
-    if (tempGPR != targetGPR)
-        unlock(tempGPR);
-    unlock(fpr);
+}
 GPRReg SpeculativeJIT::fillJSValue(Edge edge)
+{
 …
             DataFormat spillFormat = info.spillFormat();
             m_gprs.retain(gpr, virtualRegister, SpillOrderSpilled);
+            switch (spillFormat) {
+            case DataFormatInt32: {
+            if (spillFormat == DataFormatInt32) {
                 m_jit.load32(JITCompiler::addressFor(virtualRegister), gpr);
                 m_jit.or64(GPRInfo::tagTypeNumberRegister, gpr);
                 spillFormat = DataFormatJSInt32;
+                break;
+            }
+            case DataFormatInt52:
+            case DataFormatStrictInt52: {
+                m_jit.load64(JITCompiler::addressFor(virtualRegister), gpr);
+                boxInt52(gpr, gpr, spillFormat);
+                return gpr;
+            }
+            default:
+            } else {
                 m_jit.load64(JITCompiler::addressFor(virtualRegister), gpr);
                 if (spillFormat == DataFormatDouble) {
 …
                 } else
                     RELEASE_ASSERT(spillFormat & DataFormatJS);
-                break;
+            }
             info.fillJSValue(*m_stream, gpr, spillFormat);
 …
         return gpr;
+    }
-    case DataFormatInt52:
-    case DataFormatStrictInt52: {
-        GPRReg gpr = info.gpr();
-        lock(gpr);
-        GPRReg resultGPR = allocate();
-        boxInt52(gpr, resultGPR, info.registerFormat());
-        unlock(gpr);
-        return resultGPR;
+    }
 …
         DataFormat spillFormat = info.spillFormat();
         RELEASE_ASSERT((spillFormat & DataFormatJS) || spillFormat == DataFormatInt32 || spillFormat == DataFormatInt52 || spillFormat == DataFormatStrictInt52);
+        RELEASE_ASSERT((spillFormat & DataFormatJS) || spillFormat == DataFormatInt32);
         m_gprs.retain(gpr, virtualRegister, SpillOrderSpilled);
 …
             return gpr;
+        }
-        if (spillFormat == DataFormatInt52 || spillFormat == DataFormatStrictInt52) {
-            // Generally, this can only happen if we've already proved that the
-            // value is an int32. That's because if a value originated as a JSValue
-            // then we would speculate that it's an int32 before representing it as
-            // an int52. Otherwise, if we knowingly produced an int52, then we would
-            // be boxing it into a value using Int52ToValue. This assertion is valid
-            // only because Int52 is something that we introduce at prediction time.
-            // However: we may have an int32-producing node replaced by an
-            // int52-producing node due to CSE. So we must do a check.
-            RELEASE_ASSERT(!(type & ~SpecMachineInt));
-            if (type & SpecInt52) {
-                GPRReg temp = allocate();
-                m_jit.signExtend32ToPtr(gpr, temp);
-                // Currently, we can't supply value profiling information here. :-/
-                speculationCheck(
-                    BadType, JSValueRegs(), 0,
-                    m_jit.branch64(MacroAssembler::NotEqual, gpr, temp));
-                unlock(temp);
+            }
-            if (spillFormat == DataFormatStrictInt52)
-                m_jit.load32(JITCompiler::addressFor(virtualRegister), gpr);
-            else {
-                m_jit.load64(JITCompiler::addressFor(virtualRegister), gpr);
-                m_jit.rshift64(TrustedImm32(JSValue::int52ShiftAmount), gpr);
-                m_jit.zeroExtend32ToPtr(gpr, gpr);
+            }
-            info.fillInt32(*m_stream, gpr);
-            returnFormat = DataFormatInt32;
-            return gpr;
+        }
         m_jit.load64(JITCompiler::addressFor(virtualRegister), gpr);
 …
     case DataFormatJS: {
-        RELEASE_ASSERT(!(type & SpecInt52));
         // Check the value is an integer.
         GPRReg gpr = info.gpr();
 …
         return gpr;
+    }
-    case DataFormatStrictInt52:
-    case DataFormatInt52: {
-        GPRReg gpr = info.gpr();
-        GPRReg result;
-        if (m_gprs.isLocked(gpr)) {
-            result = allocate();
-            m_jit.move(gpr, result);
-        } else {
-            lock(gpr);
-            info.fillInt32(*m_stream, gpr);
-            result = gpr;
+        }
-        RELEASE_ASSERT(!(type & ~SpecMachineInt));
-        if (info.registerFormat() == DataFormatInt52)
-            m_jit.rshift64(TrustedImm32(JSValue::int52ShiftAmount), result);
-        if (type & SpecInt52) {
-            GPRReg temp = allocate();
-            m_jit.signExtend32ToPtr(result, temp);
-            // Currently, we can't supply value profiling information here. :-/
-            speculationCheck(
-                BadType, JSValueRegs(), 0,
-                m_jit.branch64(MacroAssembler::NotEqual, result, temp));
-            unlock(temp);
+        }
-        m_jit.zeroExtend32ToPtr(result, result);
-        returnFormat = DataFormatInt32;
-        return gpr;
+    }
     case DataFormatDouble:
 …
+}
-GPRReg SpeculativeJIT::fillSpeculateInt52(Edge edge, DataFormat desiredFormat)
+{
-    ASSERT(desiredFormat == DataFormatInt52 || desiredFormat == DataFormatStrictInt52);
-    AbstractValue& value = m_state.forNode(edge);
-    SpeculatedType type = value.m_type;
-    m_interpreter.filter(value, SpecMachineInt);
-    VirtualRegister virtualRegister = edge->virtualRegister();
-    GenerationInfo& info = generationInfoFromVirtualRegister(virtualRegister);
-    switch (info.registerFormat()) {
-    case DataFormatNone: {
-        if ((edge->hasConstant() && !valueOfJSConstant(edge.node()).isMachineInt()) || info.spillFormat() == DataFormatDouble) {
-            terminateSpeculativeExecution(Uncountable, JSValueRegs(), 0);
-            return allocate();
+        }
-        GPRReg gpr = allocate();
-        if (edge->hasConstant()) {
-            JSValue jsValue = valueOfJSConstant(edge.node());
-            ASSERT(jsValue.isMachineInt());
-            m_gprs.retain(gpr, virtualRegister, SpillOrderConstant);
-            int64_t value = jsValue.asMachineInt();
-            if (desiredFormat == DataFormatInt52)
-                value = value << JSValue::int52ShiftAmount;
-            m_jit.move(MacroAssembler::Imm64(value), gpr);
-            info.fillGPR(*m_stream, gpr, desiredFormat);
-            return gpr;
+        }
-        DataFormat spillFormat = info.spillFormat();
-        RELEASE_ASSERT((spillFormat & DataFormatJS) || spillFormat == DataFormatInt32 || spillFormat == DataFormatInt52 || spillFormat == DataFormatStrictInt52);
-        m_gprs.retain(gpr, virtualRegister, SpillOrderSpilled);
-        if (spillFormat == DataFormatJSInt32 || spillFormat == DataFormatInt32) {
-            // If we know this was spilled as an integer we can fill without checking.
-            m_jit.load32(JITCompiler::addressFor(virtualRegister), gpr);
-            m_jit.signExtend32ToPtr(gpr, gpr);
-            if (desiredFormat == DataFormatStrictInt52) {
-                info.fillStrictInt52(*m_stream, gpr);
-                return gpr;
+            }
-            m_jit.lshift64(TrustedImm32(JSValue::int52ShiftAmount), gpr);
-            info.fillInt52(*m_stream, gpr);
-            return gpr;
+        }
-        if (spillFormat == DataFormatInt52 || spillFormat == DataFormatStrictInt52) {
-            m_jit.load64(JITCompiler::addressFor(virtualRegister), gpr);
-            if (desiredFormat == DataFormatStrictInt52) {
-                if (spillFormat == DataFormatInt52)
-                    m_jit.rshift64(TrustedImm32(JSValue::int52ShiftAmount), gpr);
-                info.fillStrictInt52(*m_stream, gpr);
-                return gpr;
+            }
-            if (spillFormat == DataFormatStrictInt52)
-                m_jit.lshift64(TrustedImm32(JSValue::int52ShiftAmount), gpr);
-            info.fillInt52(*m_stream, gpr);
-            return gpr;
+        }
-        m_jit.load64(JITCompiler::addressFor(virtualRegister), gpr);
-        // Fill as JSValue, and fall through.
-        info.fillJSValue(*m_stream, gpr, DataFormatJSInt32);
-        m_gprs.unlock(gpr);
+    }
-    case DataFormatJS: {
-        // Check the value is an integer. Note that we would *like* to unbox an Int52
-        // at this point but this is too costly. We only *prove* that this is an Int52
-        // even though we check if it's an int32.
-        GPRReg gpr = info.gpr();
-        GPRReg result;
-        if (m_gprs.isLocked(gpr)) {
-            result = allocate();
-            m_jit.move(gpr, result);
-        } else {
-            m_gprs.lock(gpr);
-            result = gpr;
+        }
-        if (type & ~SpecInt32)
-            speculationCheck(BadType, JSValueRegs(result), edge, m_jit.branch64(MacroAssembler::Below, result, GPRInfo::tagTypeNumberRegister));
-        if (result == gpr) // The not-already-locked, so fill in-place, case.
-            info.fillInt52(*m_stream, gpr, desiredFormat);
-        m_jit.signExtend32ToPtr(result, result);
-        if (desiredFormat == DataFormatInt52)
-            m_jit.lshift64(TrustedImm32(JSValue::int52ShiftAmount), result);
-        return result;
+    }
-    case DataFormatInt32:
-    case DataFormatJSInt32: {
-        GPRReg gpr = info.gpr();
-        GPRReg result;
-        if (m_gprs.isLocked(gpr)) {
-            result = allocate();
-            m_jit.move(gpr, result);
-        } else {
-            m_gprs.lock(gpr);
-            info.fillInt52(*m_stream, gpr, desiredFormat);
-            result = gpr;
+        }
-        m_jit.signExtend32ToPtr(result, result);
-        if (desiredFormat == DataFormatInt52)
-            m_jit.lshift64(TrustedImm32(JSValue::int52ShiftAmount), result);
-        return result;
+    }
-    case DataFormatStrictInt52: {
-        GPRReg gpr = info.gpr();
-        bool wasLocked = m_gprs.isLocked(gpr);
-        lock(gpr);
-        if (desiredFormat == DataFormatStrictInt52)
-            return gpr;
-        if (wasLocked) {
-            GPRReg result = allocate();
-            m_jit.move(gpr, result);
-            unlock(gpr);
-            gpr = result;
-        } else
-            info.fillStrictInt52(*m_stream, gpr);
-        m_jit.lshift64(TrustedImm32(JSValue::int52ShiftAmount), gpr);
-        return gpr;
+    }
-    case DataFormatInt52: {
-        GPRReg gpr = info.gpr();
-        bool wasLocked = m_gprs.isLocked(gpr);
-        lock(gpr);
-        if (desiredFormat == DataFormatInt52)
-            return gpr;
-        if (wasLocked) {
-            GPRReg result = allocate();
-            m_jit.move(gpr, result);
-            unlock(gpr);
-            gpr = result;
-        } else
-            info.fillInt52(*m_stream, gpr);
-        m_jit.rshift64(TrustedImm32(JSValue::int52ShiftAmount), gpr);
-        return gpr;
+    }
-    case DataFormatDouble:
-    case DataFormatJSDouble:
-        if (edge->hasConstant()) {
-            JSValue jsValue = valueOfJSConstant(edge.node());
-            if (jsValue.isMachineInt()) {
-                int64_t value = jsValue.asMachineInt();
-                if (desiredFormat == DataFormatInt52)
-                    value = value << JSValue::int52ShiftAmount;
-                GPRReg gpr = allocate();
-                m_jit.move(MacroAssembler::Imm64(value), gpr);
-                return gpr;
+            }
+        }
-    case DataFormatCell:
-    case DataFormatBoolean:
-    case DataFormatJSCell:
-    case DataFormatJSBoolean: {
-        terminateSpeculativeExecution(Uncountable, JSValueRegs(), 0);
-        return allocate();
+    }
-    case DataFormatStorage:
-        RELEASE_ASSERT_NOT_REACHED();
-    default:
-        RELEASE_ASSERT_NOT_REACHED();
-        return InvalidGPRReg;
+    }
+}
 FPRReg SpeculativeJIT::fillSpeculateDouble(Edge edge)
+{
 …
     AbstractValue& value = m_state.forNode(edge);
     SpeculatedType type = value.m_type;
     ASSERT(edge.useKind() != KnownNumberUse || !(value.m_type & ~SpecFullNumber));
     m_interpreter.filter(value, SpecFullNumber);
+    ASSERT(edge.useKind() != KnownNumberUse || !(value.m_type & ~SpecNumber));
+    m_interpreter.filter(value, SpecNumber);
     VirtualRegister virtualRegister = edge->virtualRegister();
     GenerationInfo& info = generationInfoFromVirtualRegister(virtualRegister);
 …
             break;
+        }
-        case DataFormatInt52: {
-            GPRReg gpr = allocate();
-            m_gprs.retain(gpr, virtualRegister, SpillOrderSpilled);
-            m_jit.load64(JITCompiler::addressFor(virtualRegister), gpr);
-            info.fillInt52(*m_stream, gpr);
-            unlock(gpr);
-            break;
+        }
-        case DataFormatStrictInt52: {
-            GPRReg gpr = allocate();
-            m_gprs.retain(gpr, virtualRegister, SpillOrderSpilled);
-            m_jit.load64(JITCompiler::addressFor(virtualRegister), gpr);
-            info.fillStrictInt52(*m_stream, gpr);
-            unlock(gpr);
-            break;
+        }
         default:
 …
         JITCompiler::Jump isInteger = m_jit.branch64(MacroAssembler::AboveOrEqual, jsValueGpr, GPRInfo::tagTypeNumberRegister);
         if (type & ~SpecFullNumber)
+        if (type & ~SpecNumber)
             speculationCheck(BadType, JSValueRegs(jsValueGpr), edge, m_jit.branchTest64(MacroAssembler::Zero, jsValueGpr, GPRInfo::tagTypeNumberRegister));
 …
         m_gprs.lock(gpr);
         m_jit.convertInt32ToDouble(gpr, fpr);
-        m_gprs.unlock(gpr);
-        return fpr;
+    }
-    case DataFormatInt52: {
-        FPRReg fpr = fprAllocate();
-        GPRReg gpr = info.gpr();
-        m_gprs.lock(gpr);
-        GPRReg temp = allocate();
-        m_jit.move(gpr, temp);
-        m_jit.rshift64(TrustedImm32(JSValue::int52ShiftAmount), temp);
-        m_jit.convertInt64ToDouble(temp, fpr);
-        unlock(temp);
-        m_gprs.unlock(gpr);
-        return fpr;
+    }
-    case DataFormatStrictInt52: {
-        FPRReg fpr = fprAllocate();
-        GPRReg gpr = info.gpr();
-        m_gprs.lock(gpr);
-        m_jit.convertInt64ToDouble(gpr, fpr);
         m_gprs.unlock(gpr);
         return fpr;
 …
     case DataFormatDouble:
     case DataFormatJSBoolean:
+    case DataFormatBoolean:
+    case DataFormatInt52:
+    case DataFormatStrictInt52: {
+    case DataFormatBoolean: {
         terminateSpeculativeExecution(Uncountable, JSValueRegs(), 0);
         return allocate();
 …
     case DataFormatDouble:
     case DataFormatJSCell:
+    case DataFormatCell:
+    case DataFormatInt52:
+    case DataFormatStrictInt52: {
+    case DataFormatCell: {
         terminateSpeculativeExecution(Uncountable, JSValueRegs(), 0);
         return allocate();
 …
     m_jit.or32(TrustedImm32(ValueFalse), result.gpr());
     jsValueResult(result.gpr(), m_currentNode, DataFormatJSBoolean);
+}
-void SpeculativeJIT::compileInt52Compare(Node* node, MacroAssembler::RelationalCondition condition)
+{
-    SpeculateWhicheverInt52Operand op1(this, node->child1());
-    SpeculateWhicheverInt52Operand op2(this, node->child2(), op1);
-    GPRTemporary result(this, Reuse, op1, op2);
-    m_jit.compare64(condition, op1.gpr(), op2.gpr(), result.gpr());
-    // If we add a DataFormatBool, we should use it here.
-    m_jit.or32(TrustedImm32(ValueFalse), result.gpr());
-    jsValueResult(result.gpr(), m_currentNode, DataFormatJSBoolean);
+}
-void SpeculativeJIT::compilePeepHoleInt52Branch(Node* node, Node* branchNode, JITCompiler::RelationalCondition condition)
+{
-    BasicBlock* taken = branchNode->takenBlock();
-    BasicBlock* notTaken = branchNode->notTakenBlock();
-    // The branch instruction will branch to the taken block.
-    // If taken is next, switch taken with notTaken & invert the branch condition so we can fall through.
-    if (taken == nextBlock()) {
-        condition = JITCompiler::invert(condition);
-        BasicBlock* tmp = taken;
-        taken = notTaken;
-        notTaken = tmp;
+    }
-    SpeculateWhicheverInt52Operand op1(this, node->child1());
-    SpeculateWhicheverInt52Operand op2(this, node->child2(), op1);
-    branch64(condition, op1.gpr(), op2.gpr(), taken);
-    jump(notTaken);
+}
 …
+        }
-        case FlushedInt52: {
-            GPRTemporary result(this);
-            m_jit.load64(JITCompiler::addressFor(node->local()), result.gpr());
-            VirtualRegister virtualRegister = node->virtualRegister();
-            m_gprs.retain(result.gpr(), virtualRegister, SpillOrderJS);
-            generationInfoFromVirtualRegister(virtualRegister).initInt52(node, node->refCount(), result.gpr());
-            break;
+        }
         default:
             GPRTemporary result(this);
 …
+        }
-        case FlushedInt52: {
-            SpeculateInt52Operand value(this, node->child1());
-            m_jit.store64(value.gpr(), JITCompiler::addressFor(node->local()));
-            noResult(node);
-            recordSetLocal(node->local(), ValueSource(Int52InJSStack));
-            break;
+        }
         case FlushedCell: {
             SpeculateCellOperand cell(this, node->child1());
 …
     case Int32ToDouble: {
         compileInt32ToDouble(node);
-        break;
+    }
-    case Int52ToValue: {
-        JSValueOperand operand(this, node->child1());
-        GPRTemporary result(this, Reuse, operand);
-        m_jit.move(operand.gpr(), result.gpr());
-        jsValueResult(result.gpr(), node);
-        break;
+    }
-    case Int52ToDouble: {
-        SpeculateDoubleOperand operand(this, node->child1());
-        FPRTemporary result(this, operand);
-        m_jit.moveDouble(operand.fpr(), result.fpr());
-        doubleResult(result.fpr(), node);
         break;
+    }
 …
             DFG_TYPE_CHECK(
                 JSValueRegs(), node->child2(), SpecFullRealNumber,
+                JSValueRegs(), node->child2(), SpecRealNumber,
                 m_jit.branchDouble(MacroAssembler::DoubleNotEqualOrUnordered, valueFPR, valueFPR));
 …
         op1.use();
         if (!(m_state.forNode(node->child1()).m_type & ~(SpecFullNumber | SpecBoolean)))
+        if (!(m_state.forNode(node->child1()).m_type & ~(SpecNumber | SpecBoolean)))
             m_jit.move(op1GPR, resultGPR);
         else {
 …
                     FPRReg opFPR = operand.fpr();
                     DFG_TYPE_CHECK(
                         JSValueRegs(), use, SpecFullRealNumber,
+                        JSValueRegs(), use, SpecRealNumber,
                         m_jit.branchDouble(
                             MacroAssembler::DoubleNotEqualOrUnordered, opFPR, opFPR));
 …
                 GPRReg scratchGPR = scratch.gpr();
                 DFG_TYPE_CHECK(
                     JSValueRegs(), use, SpecFullRealNumber,
+                    JSValueRegs(), use, SpecRealNumber,
                     m_jit.branchDouble(
                         MacroAssembler::DoubleNotEqualOrUnordered, opFPR, opFPR));

Note: See TracChangeset for help on using the changeset viewer.

Context Navigation

Changeset 156029 in webkit for trunk/Source/JavaScriptCore/dfg/DFGSpeculativeJIT64.cpp

Legend:

trunk/Source/JavaScriptCore/dfg/DFGSpeculativeJIT64.cpp

Download in other formats: