Changeset 156468 in webkit for trunk/Source/JavaScriptCore/jit/JITOpcodes.cpp

Timestamp:

Sep 26, 2013, 10:16:47 AM (12 years ago)

Author:

[email protected]

Message:

op_to_this shouldn't use value profiling
​https://bugs.webkit.org/show_bug.cgi?id=121920

Reviewed by Geoffrey Garen.

Source/JavaScriptCore:

Currently it's the only opcode that uses m_singletonValue, which is unnecessary. Our current plan is
to remove m_singletonValue so that GenGC can have a simpler story for handling CodeBlocks/FunctionExecutables
during nursery collections.

This patch adds an inline cache for the Structure of to_this so it no longer depends on the ValueProfile's
m_singletonValue. Since nobody uses m_singletonValue now, this patch also removes m_singletonValue from
ValueProfile.

• bytecode/CodeBlock.cpp:

(JSC::CodeBlock::CodeBlock):
(JSC::CodeBlock::finalizeUnconditionally):
(JSC::CodeBlock::stronglyVisitStrongReferences):
(JSC::CodeBlock::updateAllPredictionsAndCountLiveness):
(JSC::CodeBlock::updateAllValueProfilePredictions):
(JSC::CodeBlock::updateAllPredictions):
(JSC::CodeBlock::shouldOptimizeNow):

• bytecode/CodeBlock.h:

(JSC::CodeBlock::updateAllValueProfilePredictions):
(JSC::CodeBlock::updateAllPredictions):

• bytecode/LazyOperandValueProfile.cpp:

(JSC::CompressedLazyOperandValueProfileHolder::computeUpdatedPredictions):

• bytecode/LazyOperandValueProfile.h:
• bytecode/ValueProfile.h:

(JSC::ValueProfileBase::ValueProfileBase):
(JSC::ValueProfileBase::briefDescription):
(JSC::ValueProfileBase::dump):
(JSC::ValueProfileBase::computeUpdatedPrediction):

• bytecompiler/BytecodeGenerator.cpp:

(JSC::BytecodeGenerator::BytecodeGenerator):

• dfg/DFGByteCodeParser.cpp:

(JSC::DFG::ByteCodeParser::parseBlock):

• jit/JITOpcodes.cpp:

(JSC::JIT::emit_op_to_this):
(JSC::JIT::emitSlow_op_to_this):

• jit/JITOpcodes32_64.cpp:

(JSC::JIT::emit_op_to_this):
(JSC::JIT::emitSlow_op_to_this):

• llint/LowLevelInterpreter32_64.asm:
• llint/LowLevelInterpreter64.asm:
• runtime/CommonSlowPaths.cpp:

(JSC::SLOW_PATH_DECL):

LayoutTests:

Updated a couple tests that waited for two DFG compiles, but with this patch we
don't do two compiles any more, so we don't want to wait forever.

• js/script-tests/dfg-convert-this-polymorphic-object-then-exit-on-other.js:
• js/script-tests/dfg-convert-this-polymorphic-object-then-exit-on-string.js:

File:

• trunk/Source/JavaScriptCore/jit/JITOpcodes.cpp (modified) (2 diffs)

trunk/Source/JavaScriptCore/jit/JITOpcodes.cpp

@@ -866 +866 @@
 void JIT::emit_op_to_this(Instruction* currentInstruction)
 {
+    WriteBarrierBase<Structure>* cachedStructure = &currentInstruction[2].u.structure;
     emitGetVirtualRegister(currentInstruction[1].u.operand, regT1);
 
     emitJumpSlowCaseIfNotJSCell(regT1);
     loadPtr(Address(regT1, JSCell::structureOffset()), regT0);
-    if (shouldEmitProfiling())
-        emitValueProfilingSite(regT4);
 
     addSlowCase(branch8(NotEqual, Address(regT0, Structure::typeInfoTypeOffset()), TrustedImm32(FinalObjectType)));
+    loadPtr(cachedStructure, regT2);
+    addSlowCase(branchPtr(NotEqual, regT0, regT2));
 }
 
@@ -944 +945 @@
 void JIT::emitSlow_op_to_this(Instruction* currentInstruction, Vector<SlowCaseEntry>::iterator& iter)
 {
+    linkSlowCase(iter);
     linkSlowCase(iter);
     linkSlowCase(iter);