Changeset 217202 in webkit for trunk/Source/JavaScriptCore/jit

Timestamp:

May 21, 2017, 11:24:44 PM (8 years ago)

Author:

Yusuke Suzuki

Message:

[FTL] Support GetByVal with ArrayStorage and SlowPutArrayStorage
​https://bugs.webkit.org/show_bug.cgi?id=172216

Reviewed by Saam Barati.

JSTests:

• stress/array-storage-get-by-val.js: Added.

(shouldBe):
(testOutOfBound):
(testInBound):
(testSlowPutOutOfBound):
(testSlowPutInBound):

Source/JavaScriptCore:

This patch adds GetByVal support for ArrayStorage and SlowPutArrayStorage.
To lower CheckInBounds in FTL, we add a new GetVectorLength op. It only accepts
ArrayStorage and SlowPutArrayStorage, then it produces vector length.
CheckInBounds uses this vector length to perform bound checking for ArrayStorage
and SlowPutArrayStorage.

• dfg/DFGAbstractInterpreterInlines.h:

(JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):

• dfg/DFGArrayMode.cpp:

(JSC::DFG::permitsBoundsCheckLowering):

• dfg/DFGClobberize.h:

(JSC::DFG::clobberize):

• dfg/DFGDoesGC.cpp:

(JSC::DFG::doesGC):

• dfg/DFGFixupPhase.cpp:

(JSC::DFG::FixupPhase::fixupNode):

• dfg/DFGHeapLocation.cpp:

(WTF::printInternal):

• dfg/DFGHeapLocation.h:
• dfg/DFGIntegerRangeOptimizationPhase.cpp:
• dfg/DFGNode.h:

(JSC::DFG::Node::hasArrayMode):

• dfg/DFGNodeType.h:
• dfg/DFGPredictionPropagationPhase.cpp:
• dfg/DFGSSALoweringPhase.cpp:

(JSC::DFG::SSALoweringPhase::lowerBoundsCheck):

• dfg/DFGSafeToExecute.h:

(JSC::DFG::safeToExecute):

• dfg/DFGSpeculativeJIT32_64.cpp:

(JSC::DFG::SpeculativeJIT::compile):

• dfg/DFGSpeculativeJIT64.cpp:

(JSC::DFG::SpeculativeJIT::compile):

• ftl/FTLAbstractHeapRepository.h:

(JSC::FTL::AbstractHeapRepository::forIndexingType):
(JSC::FTL::AbstractHeapRepository::forArrayType):

• ftl/FTLCapabilities.cpp:

(JSC::FTL::canCompile):

• ftl/FTLLowerDFGToB3.cpp:

(JSC::FTL::DFG::LowerDFGToB3::compileNode):
(JSC::FTL::DFG::LowerDFGToB3::compileGetVectorLength):
(JSC::FTL::DFG::LowerDFGToB3::compileGetByVal):

• jit/JITPropertyAccess.cpp:

(JSC::JIT::emitArrayStoragePutByVal):

• jit/JITPropertyAccess32_64.cpp:

(JSC::JIT::emitArrayStorageLoad):
(JSC::JIT::emitArrayStoragePutByVal):

Location:

trunk/Source/JavaScriptCore/jit

Files:

• JITOperations.h (modified) (1 diff)
• JITPropertyAccess.cpp (modified) (1 diff)
• JITPropertyAccess32_64.cpp (modified) (2 diffs)

trunk/Source/JavaScriptCore/jit/JITOperations.h

@@ -125 +125 @@
 typedef EncodedJSValue (JIT_OPERATION *J_JITOperation_E)(ExecState*);
 typedef EncodedJSValue (JIT_OPERATION *J_JITOperation_EA)(ExecState*, JSArray*);
-typedef EncodedJSValue (JIT_OPERATION *J_JITOperation_EAZ)(ExecState*, JSArray*, int32_t);
+typedef EncodedJSValue (JIT_OPERATION *J_JITOperation_EOZ)(ExecState*, JSObject*, int32_t);
 typedef EncodedJSValue (JIT_OPERATION *J_JITOperation_EAapJ)(ExecState*, ArrayAllocationProfile*, EncodedJSValue);
 typedef EncodedJSValue (JIT_OPERATION *J_JITOperation_EAapJcpZ)(ExecState*, ArrayAllocationProfile*, const JSValue*, int32_t);

trunk/Source/JavaScriptCore/jit/JITPropertyAccess.cpp

@@ -406 +406 @@
     slowCases.append(branch32(AboveOrEqual, regT1, Address(regT2, ArrayStorage::vectorLengthOffset())));
 
-    Jump empty = branchTest64(Zero, BaseIndex(regT2, regT1, TimesEight, OBJECT_OFFSETOF(ArrayStorage, m_vector[0])));
+    Jump empty = branchTest64(Zero, BaseIndex(regT2, regT1, TimesEight, ArrayStorage::vectorOffset()));
 
     Label storeResult(this);
     emitGetVirtualRegister(value, regT3);
-    store64(regT3, BaseIndex(regT2, regT1, TimesEight, OBJECT_OFFSETOF(ArrayStorage, m_vector[0])));
+    store64(regT3, BaseIndex(regT2, regT1, TimesEight, ArrayStorage::vectorOffset()));
     emitWriteBarrier(currentInstruction[1].u.operand, value, ShouldFilterValue);
     Jump end = jump();

trunk/Source/JavaScriptCore/jit/JITPropertyAccess32_64.cpp

@@ -273 +273 @@
     loadPtr(Address(regT0, JSObject::butterflyOffset()), regT3);
     slowCases.append(branch32(AboveOrEqual, regT2, Address(regT3, ArrayStorage::vectorLengthOffset())));
-    load32(BaseIndex(regT3, regT2, TimesEight, OBJECT_OFFSETOF(ArrayStorage, m_vector[0]) + OBJECT_OFFSETOF(JSValue, u.asBits.tag)), regT1); // tag
-    load32(BaseIndex(regT3, regT2, TimesEight, OBJECT_OFFSETOF(ArrayStorage, m_vector[0]) + OBJECT_OFFSETOF(JSValue, u.asBits.payload)), regT0); // payload
+    load32(BaseIndex(regT3, regT2, TimesEight, ArrayStorage::vectorOffset() + OBJECT_OFFSETOF(JSValue, u.asBits.tag)), regT1); // tag
+    load32(BaseIndex(regT3, regT2, TimesEight, ArrayStorage::vectorOffset() + OBJECT_OFFSETOF(JSValue, u.asBits.payload)), regT0); // payload
     slowCases.append(branch32(Equal, regT1, TrustedImm32(JSValue::EmptyValueTag)));
     
@@ -462 +462 @@
     slowCases.append(branch32(AboveOrEqual, regT2, Address(regT3, ArrayStorage::vectorLengthOffset())));
 
-    Jump empty = branch32(Equal, BaseIndex(regT3, regT2, TimesEight, OBJECT_OFFSETOF(ArrayStorage, m_vector[0]) + OBJECT_OFFSETOF(JSValue, u.asBits.tag)), TrustedImm32(JSValue::EmptyValueTag));
+    Jump empty = branch32(Equal, BaseIndex(regT3, regT2, TimesEight, ArrayStorage::vectorOffset() + OBJECT_OFFSETOF(JSValue, u.asBits.tag)), TrustedImm32(JSValue::EmptyValueTag));
     
     Label storeResult(this);
     emitLoad(value, regT1, regT0);
-    store32(regT0, BaseIndex(regT3, regT2, TimesEight, OBJECT_OFFSETOF(ArrayStorage, m_vector[0]) + OBJECT_OFFSETOF(JSValue, u.asBits.payload))); // payload
-    store32(regT1, BaseIndex(regT3, regT2, TimesEight, OBJECT_OFFSETOF(ArrayStorage, m_vector[0]) + OBJECT_OFFSETOF(JSValue, u.asBits.tag))); // tag
+    store32(regT0, BaseIndex(regT3, regT2, TimesEight, ArrayStorage::vectorOffset() + OBJECT_OFFSETOF(JSValue, u.asBits.payload))); // payload
+    store32(regT1, BaseIndex(regT3, regT2, TimesEight, ArrayStorage::vectorOffset() + OBJECT_OFFSETOF(JSValue, u.asBits.tag))); // tag
     Jump end = jump();