Changeset 157656 in webkit for trunk/Source/JavaScriptCore/dfg/DFGCSEPhase.cpp

Timestamp:

Oct 18, 2013, 5:09:28 PM (12 years ago)

Author:

[email protected]

Message:

Spread operator should be performing direct "puts" and not triggering setters
​https://bugs.webkit.org/show_bug.cgi?id=123047

Reviewed by Geoffrey Garen.

Source/JavaScriptCore:

Add a new opcode -- op_put_by_val_directue -- and make use of it in the spread
to array construct. This required a new PutByValDirect node to be introduced to
the DFG. The current implementation simply changes the slow path function that
is called, but in future this could be made faster as it does not need to check
the prototype chain.

• bytecode/CodeBlock.cpp:

(JSC::CodeBlock::dumpBytecode):
(JSC::CodeBlock::CodeBlock):

• bytecode/Opcode.h:

(JSC::padOpcodeName):

• bytecompiler/BytecodeGenerator.cpp:

(JSC::BytecodeGenerator::emitDirectPutByVal):

• bytecompiler/BytecodeGenerator.h:
• bytecompiler/NodesCodegen.cpp:

(JSC::ArrayNode::emitBytecode):

• dfg/DFGAbstractInterpreterInlines.h:

(JSC::DFG::::executeEffects):

• dfg/DFGBackwardsPropagationPhase.cpp:

(JSC::DFG::BackwardsPropagationPhase::propagate):

• dfg/DFGByteCodeParser.cpp:

(JSC::DFG::ByteCodeParser::parseBlock):

• dfg/DFGCSEPhase.cpp:

(JSC::DFG::CSEPhase::getArrayLengthElimination):
(JSC::DFG::CSEPhase::getByValLoadElimination):
(JSC::DFG::CSEPhase::checkStructureElimination):
(JSC::DFG::CSEPhase::structureTransitionWatchpointElimination):
(JSC::DFG::CSEPhase::getByOffsetLoadElimination):
(JSC::DFG::CSEPhase::putByOffsetStoreElimination):
(JSC::DFG::CSEPhase::getPropertyStorageLoadElimination):
(JSC::DFG::CSEPhase::performNodeCSE):

• dfg/DFGCapabilities.cpp:

(JSC::DFG::capabilityLevel):

• dfg/DFGClobberize.h:

(JSC::DFG::clobberize):

• dfg/DFGFixupPhase.cpp:

(JSC::DFG::FixupPhase::fixupNode):

• dfg/DFGGraph.h:

(JSC::DFG::Graph::clobbersWorld):

• dfg/DFGNode.h:

(JSC::DFG::Node::hasArrayMode):

• dfg/DFGNodeType.h:
• dfg/DFGOperations.cpp:

(JSC::DFG::putByVal):
(JSC::DFG::operationPutByValInternal):

• dfg/DFGOperations.h:
• dfg/DFGPredictionPropagationPhase.cpp:

(JSC::DFG::PredictionPropagationPhase::propagate):
(JSC::DFG::PredictionPropagationPhase::doDoubleVoting):

• dfg/DFGSafeToExecute.h:

(JSC::DFG::safeToExecute):

• dfg/DFGSpeculativeJIT32_64.cpp:

(JSC::DFG::SpeculativeJIT::compileContiguousPutByVal):
(JSC::DFG::SpeculativeJIT::compile):

• dfg/DFGSpeculativeJIT64.cpp:

(JSC::DFG::SpeculativeJIT::compile):

• dfg/DFGTypeCheckHoistingPhase.cpp:

(JSC::DFG::TypeCheckHoistingPhase::identifyRedundantStructureChecks):
(JSC::DFG::TypeCheckHoistingPhase::identifyRedundantArrayChecks):

• jit/JIT.cpp:

(JSC::JIT::privateCompileMainPass):
(JSC::JIT::privateCompileSlowCases):

• jit/JIT.h:

(JSC::JIT::compileDirectPutByVal):

• jit/JITOperations.cpp:
• jit/JITOperations.h:
• jit/JITPropertyAccess.cpp:

(JSC::JIT::emitSlow_op_put_by_val):
(JSC::JIT::privateCompilePutByVal):

• jit/JITPropertyAccess32_64.cpp:

(JSC::JIT::emitSlow_op_put_by_val):

• llint/LLIntSlowPaths.cpp:

(JSC::LLInt::LLINT_SLOW_PATH_DECL):

• llint/LLIntSlowPaths.h:
• llint/LowLevelInterpreter32_64.asm:
• llint/LowLevelInterpreter64.asm:

LayoutTests:

Add a new testcase for the setter case. run-javascriptcore-tests hits this with
the llint, baseline, and dfg.

• js/basic-spread-expected.txt:
• js/script-tests/basic-spread.js:

(Array):

File:

• trunk/Source/JavaScriptCore/dfg/DFGCSEPhase.cpp (modified) (8 diffs)

trunk/Source/JavaScriptCore/dfg/DFGCSEPhase.cpp

@@ -190 +190 @@
                 break;
                 
+            case PutByValDirect:
             case PutByVal:
                 if (!m_graph.byValIsPure(node))
@@ -369 +370 @@
                     return node;
                 break;
+                    
+            case PutByValDirect:
             case PutByVal:
             case PutByValAlias: {
@@ -448 +451 @@
                 // Setting a property cannot change the structure.
                 break;
-                
+                    
+            case PutByValDirect:
             case PutByVal:
             case PutByValAlias:
@@ -495 +499 @@
                 // Setting a property cannot change the structure.
                 break;
-                
+                    
+            case PutByValDirect:
             case PutByVal:
             case PutByValAlias:
@@ -613 +618 @@
                 }
                 break;
-                
+                    
+            case PutByValDirect:
             case PutByVal:
             case PutByValAlias:
@@ -653 +659 @@
                 }
                 break;
-                
+                    
+            case PutByValDirect:
             case PutByVal:
             case PutByValAlias:
@@ -699 +706 @@
                 // pointer of any object, including ours.
                 return 0;
-                
+                    
+            case PutByValDirect:
             case PutByVal:
             case PutByValAlias:
@@ -1253 +1261 @@
                 setReplacement(getByValLoadElimination(node->child1().node(), node->child2().node()));
             break;
-            
+                
+        case PutByValDirect:
         case PutByVal: {
             if (cseMode == StoreElimination)