Changeset 160347 in webkit for trunk/Source/JavaScriptCore/dfg/DFGArrayMode.h

Timestamp:

Dec 9, 2013, 7:24:31 PM (11 years ago)

Author:

[email protected]

Message:

Reveal array bounds checks in DFG IR
​https://bugs.webkit.org/show_bug.cgi?id=125253

Reviewed by Oliver Hunt and Mark Hahnenberg.

In SSA mode, this reveals array bounds checks and the load of array length in DFG IR,
making this a candidate for LICM.

This also fixes a long-standing performance bug where the JSObject slow paths would
always create contiguous storage, rather than type-specialized storage, when doing a
"storage creating" storage, like:

var o = {};
o[0] = 42;

• CMakeLists.txt:
• GNUmakefile.list.am:
• JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
• JavaScriptCore.xcodeproj/project.pbxproj:
• bytecode/ExitKind.cpp:

(JSC::exitKindToString):
(JSC::exitKindIsCountable):

• bytecode/ExitKind.h:
• dfg/DFGAbstractInterpreterInlines.h:

(JSC::DFG::::executeEffects):

• dfg/DFGArrayMode.cpp:

(JSC::DFG::permitsBoundsCheckLowering):
(JSC::DFG::ArrayMode::permitsBoundsCheckLowering):

• dfg/DFGArrayMode.h:

(JSC::DFG::ArrayMode::lengthNeedsStorage):

• dfg/DFGClobberize.h:

(JSC::DFG::clobberize):

• dfg/DFGConstantFoldingPhase.cpp:

(JSC::DFG::ConstantFoldingPhase::foldConstants):

• dfg/DFGFixupPhase.cpp:

(JSC::DFG::FixupPhase::fixupNode):

• dfg/DFGNodeType.h:
• dfg/DFGPlan.cpp:

(JSC::DFG::Plan::compileInThreadImpl):

• dfg/DFGPredictionPropagationPhase.cpp:

(JSC::DFG::PredictionPropagationPhase::propagate):

• dfg/DFGSSALoweringPhase.cpp: Added.

(JSC::DFG::SSALoweringPhase::SSALoweringPhase):
(JSC::DFG::SSALoweringPhase::run):
(JSC::DFG::SSALoweringPhase::handleNode):
(JSC::DFG::SSALoweringPhase::lowerBoundsCheck):
(JSC::DFG::performSSALowering):

• dfg/DFGSSALoweringPhase.h: Added.
• dfg/DFGSafeToExecute.h:

(JSC::DFG::safeToExecute):

• dfg/DFGSpeculativeJIT.cpp:

(JSC::DFG::SpeculativeJIT::compileDoublePutByVal):

• dfg/DFGSpeculativeJIT32_64.cpp:

(JSC::DFG::SpeculativeJIT::compileContiguousPutByVal):
(JSC::DFG::SpeculativeJIT::compile):

• dfg/DFGSpeculativeJIT64.cpp:

(JSC::DFG::SpeculativeJIT::compile):

• ftl/FTLCapabilities.cpp:

(JSC::FTL::canCompile):

• ftl/FTLLowerDFGToLLVM.cpp:

(JSC::FTL::LowerDFGToLLVM::compileNode):
(JSC::FTL::LowerDFGToLLVM::compileCheckInBounds):
(JSC::FTL::LowerDFGToLLVM::compileGetByVal):
(JSC::FTL::LowerDFGToLLVM::compilePutByVal):
(JSC::FTL::LowerDFGToLLVM::contiguousPutByValOutOfBounds):

• runtime/JSObject.cpp:

(JSC::JSObject::convertUndecidedForValue):
(JSC::JSObject::createInitialForValueAndSet):
(JSC::JSObject::putByIndexBeyondVectorLength):
(JSC::JSObject::putDirectIndexBeyondVectorLength):

• runtime/JSObject.h:
• tests/stress/float32array-out-of-bounds.js: Added.

(make):
(foo):
(test):

• tests/stress/int32-object-out-of-bounds.js: Added.

(make):
(foo):
(test):

• tests/stress/int32-out-of-bounds.js: Added.

(foo):
(test):

File:

• trunk/Source/JavaScriptCore/dfg/DFGArrayMode.h (modified) (3 diffs)

trunk/Source/JavaScriptCore/dfg/DFGArrayMode.h

@@ -111 +111 @@
 Array::Type toArrayType(TypedArrayType);
 
+bool permitsBoundsCheckLowering(Array::Type);
+
 class ArrayMode {
 public:
@@ -293 +295 @@
     bool lengthNeedsStorage() const
     {
-        return isJSArray();
+        switch (type()) {
+        case Array::Undecided:
+        case Array::Int32:
+        case Array::Double:
+        case Array::Contiguous:
+        case Array::ArrayStorage:
+        case Array::SlowPutArrayStorage:
+            return true;
+        default:
+            return false;
+        }
     }
     
@@ -342 +354 @@
         }
     }
+    
+    bool permitsBoundsCheckLowering() const;
     
     bool benefitsFromOriginalArray() const