Ignore:
Timestamp:
May 21, 2017, 11:24:44 PM (8 years ago)
Author:
Yusuke Suzuki
Message:

[FTL] Support GetByVal with ArrayStorage and SlowPutArrayStorage
https://bugs.webkit.org/show_bug.cgi?id=172216

Reviewed by Saam Barati.

JSTests:

  • stress/array-storage-get-by-val.js: Added.

(shouldBe):
(testOutOfBound):
(testInBound):
(testSlowPutOutOfBound):
(testSlowPutInBound):

Source/JavaScriptCore:

This patch adds GetByVal support for ArrayStorage and SlowPutArrayStorage.
To lower CheckInBounds in FTL, we add a new GetVectorLength op. It only accepts
ArrayStorage and SlowPutArrayStorage, then it produces vector length.
CheckInBounds uses this vector length to perform bound checking for ArrayStorage
and SlowPutArrayStorage.

  • dfg/DFGAbstractInterpreterInlines.h:

(JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):

  • dfg/DFGArrayMode.cpp:

(JSC::DFG::permitsBoundsCheckLowering):

  • dfg/DFGClobberize.h:

(JSC::DFG::clobberize):

  • dfg/DFGDoesGC.cpp:

(JSC::DFG::doesGC):

  • dfg/DFGFixupPhase.cpp:

(JSC::DFG::FixupPhase::fixupNode):

  • dfg/DFGHeapLocation.cpp:

(WTF::printInternal):

  • dfg/DFGHeapLocation.h:
  • dfg/DFGIntegerRangeOptimizationPhase.cpp:
  • dfg/DFGNode.h:

(JSC::DFG::Node::hasArrayMode):

  • dfg/DFGNodeType.h:
  • dfg/DFGPredictionPropagationPhase.cpp:
  • dfg/DFGSSALoweringPhase.cpp:

(JSC::DFG::SSALoweringPhase::lowerBoundsCheck):

  • dfg/DFGSafeToExecute.h:

(JSC::DFG::safeToExecute):

  • dfg/DFGSpeculativeJIT32_64.cpp:

(JSC::DFG::SpeculativeJIT::compile):

  • dfg/DFGSpeculativeJIT64.cpp:

(JSC::DFG::SpeculativeJIT::compile):

  • ftl/FTLAbstractHeapRepository.h:

(JSC::FTL::AbstractHeapRepository::forIndexingType):
(JSC::FTL::AbstractHeapRepository::forArrayType):

  • ftl/FTLCapabilities.cpp:

(JSC::FTL::canCompile):

  • ftl/FTLLowerDFGToB3.cpp:

(JSC::FTL::DFG::LowerDFGToB3::compileNode):
(JSC::FTL::DFG::LowerDFGToB3::compileGetVectorLength):
(JSC::FTL::DFG::LowerDFGToB3::compileGetByVal):

  • jit/JITPropertyAccess.cpp:

(JSC::JIT::emitArrayStoragePutByVal):

  • jit/JITPropertyAccess32_64.cpp:

(JSC::JIT::emitArrayStorageLoad):
(JSC::JIT::emitArrayStoragePutByVal):

File:
1 edited

Legend:

Unmodified
Added
Removed

  • trunk/Source/JavaScriptCore/jit/JITPropertyAccess.cpp

    r215984 r217202  
    406406    slowCases.append(branch32(AboveOrEqual, regT1, Address(regT2, ArrayStorage::vectorLengthOffset())));
    407407
    408     Jump empty = branchTest64(Zero, BaseIndex(regT2, regT1, TimesEight, OBJECT_OFFSETOF(ArrayStorage, m_vector[0])));
     408    Jump empty = branchTest64(Zero, BaseIndex(regT2, regT1, TimesEight, ArrayStorage::vectorOffset()));
    409409
    410410    Label storeResult(this);
    411411    emitGetVirtualRegister(value, regT3);
    412     store64(regT3, BaseIndex(regT2, regT1, TimesEight, OBJECT_OFFSETOF(ArrayStorage, m_vector[0])));
     412    store64(regT3, BaseIndex(regT2, regT1, TimesEight, ArrayStorage::vectorOffset()));
    413413    emitWriteBarrier(currentInstruction[1].u.operand, value, ShouldFilterValue);
    414414    Jump end = jump();
Note: See TracChangeset for help on using the changeset viewer.