Changeset 94629 in webkit for trunk/Source/JavaScriptCore/dfg

Timestamp:

Sep 6, 2011, 7:47:51 PM (14 years ago)

Author:

[email protected]

Message:

DFG JIT does not optimize booleans
​https://bugs.webkit.org/show_bug.cgi?id=67670

Reviewed by Gavin Barraclough.

This adds boolean value profiling, boolean prediction in the DFG,
boolean forward flow propagation in the DFGPropagator, boolean
data format in DFG generation info, and comprehensive optimizations
based on both boolean prediction and boolean generation info.
This is brings the speed-up on v8-richards to 12%, and gives slight
speed-ups elsewhere as well.

Making this work right required navigating some subtleties in
value profiling. Some functions get compiled with insufficient
information because some important path of the function never
executed. In these cases, we wish to fall back on static
speculation. But to do so, we need to ensure that predictions that
are inherent in the code (like that GetById almost certainly takes
a cell operand) are reflected in predictions that we make in
DFGPropagator. Thus, DFGPropagator now does both backward and
forward flow, using a both forward and backward fixpoint.

The backward flow in DFGPropagator is a separate static analysis,
and needs to keep a set of backward flow abstract values for
variables, arguments, and globals. To make this easy, this patch
factors out DFGGraph's prediction tracking capability into
DFGPredictionTracker, which now gets used by both DFGGraph (for
forward flow predictions) and DFGPropagator (for backward flow
predictions). Backward flow predictions eventually get merged
into forward flow ones, but the two are not equivalent: a forward
flow prediction is a superset of the backward flow prediction.

Debugging these prediction issues required a better understanding
of where we fail speculation, and what our value predictions look
like. This patch also adds optional verbose speculation failure
(so an informative printf fires whenever speculation failure occurs)
and slight improvements to the verbosity in other places.

• bytecode/ValueProfile.h:

(JSC::ValueProfile::numberOfBooleans):
(JSC::ValueProfile::probabilityOfBoolean):
(JSC::ValueProfile::dump):
(JSC::ValueProfile::computeStatistics):

• dfg/DFGByteCodeParser.cpp:

(JSC::DFG::ByteCodeParser::stronglyPredict):
(JSC::DFG::ByteCodeParser::parseBlock):

• dfg/DFGGenerationInfo.h:

(JSC::DFG::dataFormatToString):
(JSC::DFG::needDataFormatConversion):

• dfg/DFGGraph.cpp:

(JSC::DFG::Graph::dump):
(JSC::DFG::Graph::predictArgumentTypes):

• dfg/DFGGraph.h:

(JSC::DFG::Graph::Graph):
(JSC::DFG::Graph::predictions):
(JSC::DFG::Graph::predict):
(JSC::DFG::Graph::predictGlobalVar):
(JSC::DFG::Graph::getPrediction):
(JSC::DFG::Graph::getGlobalVarPrediction):
(JSC::DFG::Graph::isBooleanConstant):
(JSC::DFG::Graph::valueOfBooleanConstant):

• dfg/DFGJITCodeGenerator.cpp:

(JSC::DFG::JITCodeGenerator::fillInteger):
(JSC::DFG::JITCodeGenerator::fillDouble):
(JSC::DFG::JITCodeGenerator::fillJSValue):
(JSC::DFG::JITCodeGenerator::isKnownNotInteger):
(JSC::DFG::JITCodeGenerator::isKnownBoolean):
(JSC::DFG::JITCodeGenerator::nonSpeculativeNonPeepholeCompareNull):
(JSC::DFG::JITCodeGenerator::nonSpeculativeNonPeepholeCompare):
(JSC::DFG::JITCodeGenerator::nonSpeculativeNonPeepholeStrictEq):
(JSC::DFG::JITCodeGenerator::emitBranch):
(JSC::DFG::JITCodeGenerator::speculationCheck):
(JSC::DFG::GPRTemporary::GPRTemporary):

• dfg/DFGJITCodeGenerator.h:

(JSC::DFG::JITCodeGenerator::isBooleanConstant):
(JSC::DFG::JITCodeGenerator::valueOfBooleanConstant):

• dfg/DFGJITCompiler.cpp:

(JSC::DFG::JITCompiler::jumpFromSpeculativeToNonSpeculative):
(JSC::DFG::JITCompiler::link):

• dfg/DFGJITCompiler.h:

(JSC::DFG::JITCompiler::debugCall):
(JSC::DFG::JITCompiler::isBooleanConstant):
(JSC::DFG::JITCompiler::valueOfBooleanConstant):

• dfg/DFGNode.h:

(JSC::DFG::isBooleanPrediction):
(JSC::DFG::predictionToString):
(JSC::DFG::mergePredictions):
(JSC::DFG::makePrediction):
(JSC::DFG::Node::isBooleanConstant):
(JSC::DFG::Node::valueOfBooleanConstant):
(JSC::DFG::Node::hasBooleanResult):
(JSC::DFG::Node::hasNumericResult):
(JSC::DFG::Node::predict):

• dfg/DFGOperations.cpp:
• dfg/DFGOperations.h:
• dfg/DFGPredictionTracker.h: Added.

(JSC::DFG::operandIsArgument):
(JSC::DFG::PredictionSlot::PredictionSlot):
(JSC::DFG::PredictionTracker::PredictionTracker):
(JSC::DFG::PredictionTracker::initializeSimilarTo):
(JSC::DFG::PredictionTracker::numberOfArguments):
(JSC::DFG::PredictionTracker::numberOfVariables):
(JSC::DFG::PredictionTracker::argumentIndexForOperand):
(JSC::DFG::PredictionTracker::predictArgument):
(JSC::DFG::PredictionTracker::predict):
(JSC::DFG::PredictionTracker::predictGlobalVar):
(JSC::DFG::PredictionTracker::getArgumentPrediction):
(JSC::DFG::PredictionTracker::getPrediction):
(JSC::DFG::PredictionTracker::getGlobalVarPrediction):

• dfg/DFGPropagator.cpp:

(JSC::DFG::Propagator::Propagator):
(JSC::DFG::Propagator::fixpoint):
(JSC::DFG::Propagator::setPrediction):
(JSC::DFG::Propagator::mergeUse):
(JSC::DFG::Propagator::mergePrediction):
(JSC::DFG::Propagator::propagateNode):

• dfg/DFGSpeculativeJIT.cpp:

(JSC::DFG::SpeculativeJIT::fillSpeculateIntInternal):
(JSC::DFG::SpeculativeJIT::fillSpeculateDouble):
(JSC::DFG::SpeculativeJIT::fillSpeculateCell):
(JSC::DFG::SpeculativeJIT::fillSpeculateBoolean):
(JSC::DFG::SpeculativeJIT::compare):
(JSC::DFG::SpeculativeJIT::compile):

• dfg/DFGSpeculativeJIT.h:

(JSC::DFG::SpeculateBooleanOperand::SpeculateBooleanOperand):
(JSC::DFG::SpeculateBooleanOperand::~SpeculateBooleanOperand):
(JSC::DFG::SpeculateBooleanOperand::index):
(JSC::DFG::SpeculateBooleanOperand::gpr):
(JSC::DFG::SpeculateBooleanOperand::use):

• runtime/JSGlobalData.h:
• runtime/JSValue.cpp:

(JSC::JSValue::description):

Location:

trunk/Source/JavaScriptCore/dfg

Files:

• DFGByteCodeParser.cpp (modified) (1 diff)
• DFGGenerationInfo.h (modified) (5 diffs)
• DFGGraph.cpp (modified) (3 diffs)
• DFGGraph.h (modified) (8 diffs)
• DFGJITCodeGenerator.cpp (modified) (11 diffs)
• DFGJITCodeGenerator.h (modified) (5 diffs)
• DFGJITCompiler.cpp (modified) (3 diffs)
• DFGJITCompiler.h (modified) (3 diffs)
• DFGNode.h (modified) (13 diffs)
• DFGOperations.cpp (modified) (1 diff)
• DFGOperations.h (modified) (1 diff)
• DFGPredictionTracker.h (added)
• DFGPropagator.cpp (modified) (13 diffs)
• DFGSpeculativeJIT.cpp (modified) (9 diffs)
• DFGSpeculativeJIT.h (modified) (3 diffs)

trunk/Source/JavaScriptCore/dfg/DFGByteCodeParser.cpp

@@ -476 +476 @@
         ASSERT(profile);
 #if DFG_DEBUG_VERBOSE
-        printf("Dynamic prediction [%u, %u]: ", nodeIndex, bytecodeIndex);
+        printf("Dynamic profile [%u, %u]: ", nodeIndex, bytecodeIndex);
         profile->dump(stdout);
         printf("\n");
 #endif
         m_graph[nodeIndex].predict(makePrediction(*m_globalData, *profile), StrongPrediction);
+#if DFG_DEBUG_VERBOSE
+        printf("    Prediction: %s\n", predictionToString(m_graph[nodeIndex].getPrediction()));
+#endif
 #else
         UNUSED_PARAM(nodeIndex);

trunk/Source/JavaScriptCore/dfg/DFGGenerationInfo.h

@@ -43 +43 @@
     DataFormatInteger = 1,
     DataFormatDouble = 2,
-    DataFormatCell = 3,
+    DataFormatBoolean = 3,
+    DataFormatCell = 4,
     DataFormatJS = 8,
     DataFormatJSInteger = DataFormatJS | DataFormatInteger,
     DataFormatJSDouble = DataFormatJS | DataFormatDouble,
     DataFormatJSCell = DataFormatJS | DataFormatCell,
+    DataFormatJSBoolean = DataFormatJS | DataFormatBoolean
 };
 
@@ -62 +64 @@
     case DataFormatCell:
         return "Cell";
+    case DataFormatBoolean:
+        return "Boolean";
     case DataFormatJS:
         return "JS";
@@ -70 +74 @@
     case DataFormatJSCell:
         return "JSCell";
+    case DataFormatJSBoolean:
+        return "JSBoolean";
     default:
         return "Unknown";
@@ -89 +95 @@
     case DataFormatJSDouble:
     case DataFormatJSCell:
+    case DataFormatJSBoolean:
         switch (to) {
         case DataFormatInteger:
@@ -98 +105 @@
         case DataFormatJSDouble:
         case DataFormatJSCell:
+        case DataFormatJSBoolean:
             return false;
         default:
+            // This captures DataFormatBoolean, which is currently unused.
             ASSERT_NOT_REACHED();
         }
     default:
+        // This captures DataFormatBoolean, which is currently unused.
         ASSERT_NOT_REACHED();
     }

trunk/Source/JavaScriptCore/dfg/DFGGraph.cpp

@@ -53 +53 @@
 
     unsigned refCount = node.refCount();
-    if (!refCount)
+    if (!refCount) {
+        printf("% 4d:\tskipped %s\n", (int)nodeIndex, opName(op));
         return;
+    }
     bool mustGenerate = node.mustGenerate();
     if (mustGenerate)
@@ -194 +196 @@
 {
     if (exec) {
-        size_t numberOfArguments = std::min(exec->argumentCountIncludingThis(), m_argumentPredictions.size());
+        size_t numberOfArguments = std::min(exec->argumentCountIncludingThis(), m_predictions.numberOfArguments());
         
         for (size_t arg = 1; arg < numberOfArguments; ++arg) {
             JSValue argumentValue = exec->argument(arg - 1);
             if (argumentValue.isInt32())
-                m_argumentPredictions[arg].m_value |= PredictInt32;
+                m_predictions.predictArgument(arg, PredictInt32, WeakPrediction);
             else if (argumentValue.isDouble())
-                m_argumentPredictions[arg].m_value |= PredictDouble;
+                m_predictions.predictArgument(arg, PredictDouble, WeakPrediction);
         }
     }
@@ -223 +225 @@
 #endif
         
-        mergePrediction(m_argumentPredictions[arg].m_value, makePrediction(globalData, *profile));
+        m_predictions.predictArgument(arg, makePrediction(globalData, *profile) & ~PredictionTagMask, StrongPrediction);
         
 #if DFG_DEBUG_VERBOSE
-        printf("    Prediction: %s\n", predictionToString(m_argumentPredictions[arg].m_value));
+        printf("    Prediction: %s\n", predictionToString(m_predictions.getArgumentPrediction(arg)));
 #endif
     }

trunk/Source/JavaScriptCore/dfg/DFGGraph.h

@@ -31 +31 @@
 #include "CodeBlock.h"
 #include "DFGNode.h"
+#include "DFGPredictionTracker.h"
 #include "RegisterFile.h"
 #include <wtf/HashMap.h>
@@ -42 +43 @@
 
 namespace DFG {
-
-// helper function to distinguish vars & temporaries from arguments.
-inline bool operandIsArgument(int operand) { return operand < 0; }
-
-struct PredictionSlot {
-public:
-    PredictionSlot()
-        : m_value(PredictNone)
-    {
-    }
-    PredictedType m_value;
-};
 
 typedef uint32_t BlockIndex;
@@ -104 +93 @@
 public:
     Graph(unsigned numArguments, unsigned numVariables)
-        : m_argumentPredictions(numArguments)
-        , m_variablePredictions(numVariables)
+        : m_predictions(numArguments, numVariables)
     {
     }
@@ -136 +124 @@
         return *m_blocks[blockIndexForBytecodeOffset(bytecodeBegin)];
     }
-
+    
+    PredictionTracker& predictions()
+    {
+        return m_predictions;
+    }
+    
     bool predict(int operand, PredictedType prediction, PredictionSource source)
     {
-        if (operandIsArgument(operand)) {
-            unsigned argument = operand + m_argumentPredictions.size() + RegisterFile::CallFrameHeaderSize;
-            return mergePrediction(m_argumentPredictions[argument].m_value, makePrediction(prediction, source));
-        }
-        
-        if ((unsigned)operand >= m_variablePredictions.size()) {
-            ASSERT(operand >= 0);
-            m_variablePredictions.resize(operand + 1);
-        }
-        
-        return mergePrediction(m_variablePredictions[operand].m_value, makePrediction(prediction, source));
+        return m_predictions.predict(operand, prediction, source);
     }
     
     bool predictGlobalVar(unsigned varNumber, PredictedType prediction, PredictionSource source)
     {
-        HashMap<unsigned, PredictionSlot>::iterator iter = m_globalVarPredictions.find(varNumber + 1);
-        if (iter == m_globalVarPredictions.end()) {
-            PredictionSlot predictionSlot;
-            bool result = mergePrediction(predictionSlot.m_value, makePrediction(prediction, source));
-            m_globalVarPredictions.add(varNumber + 1, predictionSlot);
-            return result;
-        } else
-            return mergePrediction(iter->second.m_value, makePrediction(prediction, source));
+        return m_predictions.predictGlobalVar(varNumber, prediction, source);
     }
     
     bool predict(Node& node, PredictedType prediction, PredictionSource source)
     {
-        switch (node.op) {
-        case GetLocal:
-            return predict(node.local(), prediction, source);
-            break;
-        case GetGlobalVar:
-            return predictGlobalVar(node.varNumber(), prediction, source);
-        case GetById:
-        case GetMethod:
-        case GetByVal:
-        case Call:
-        case Construct:
-            return node.predict(prediction, source);
-        default:
-            return false;
-        }
+        return m_predictions.predict(node, prediction, source);
     }
 
     PredictedType getPrediction(int operand)
     {
-        if (operandIsArgument(operand)) {
-            unsigned argument = operand + m_argumentPredictions.size() + RegisterFile::CallFrameHeaderSize;
-            return m_argumentPredictions[argument].m_value;
-        }
-        if ((unsigned)operand < m_variablePredictions.size())
-            return m_variablePredictions[operand].m_value;
-        return PredictNone;
+        return m_predictions.getPrediction(operand);
     }
     
     PredictedType getGlobalVarPrediction(unsigned varNumber)
     {
-        HashMap<unsigned, PredictionSlot>::iterator iter = m_globalVarPredictions.find(varNumber + 1);
-        if (iter == m_globalVarPredictions.end())
-            return PredictNone;
-        return iter->second.m_value;
+        return m_predictions.getGlobalVarPrediction(varNumber);
     }
     
@@ -212 +165 @@
             nodePtr = &(*this)[nodePtr->child1()];
         
-        switch (nodePtr->op) {
-        case GetLocal:
-            return getPrediction(nodePtr->local());
-        case GetGlobalVar:
-            return getGlobalVarPrediction(nodePtr->varNumber());
-        case GetById:
-        case GetMethod:
-        case GetByVal:
-        case Call:
-        case Construct:
-            return nodePtr->getPrediction();
-        default:
-            return PredictNone;
-        }
+        return m_predictions.getPrediction(*nodePtr);
     }
     
@@ -245 +185 @@
         return at(nodeIndex).isDoubleConstant(codeBlock);
     }
+    bool isBooleanConstant(CodeBlock* codeBlock, NodeIndex nodeIndex)
+    {
+        return at(nodeIndex).isBooleanConstant(codeBlock);
+    }
     // Helper methods get constant values from nodes.
     JSValue valueOfJSConstant(CodeBlock* codeBlock, NodeIndex nodeIndex)
@@ -257 +201 @@
     {
         return at(nodeIndex).valueOfDoubleConstant(codeBlock);
+    }
+    bool valueOfBooleanConstant(CodeBlock* codeBlock, NodeIndex nodeIndex)
+    {
+        return at(nodeIndex).valueOfBooleanConstant(codeBlock);
     }
 
@@ -272 +220 @@
     void refChildren(NodeIndex);
 
-    Vector<PredictionSlot, 16> m_argumentPredictions;
-    Vector<PredictionSlot, 16> m_variablePredictions;
-    HashMap<unsigned, PredictionSlot> m_globalVarPredictions;
+    PredictionTracker m_predictions;
 };
 

trunk/Source/JavaScriptCore/dfg/DFGJITCodeGenerator.cpp

@@ -81 +81 @@
     case DataFormatCell:
     case DataFormatJSCell:
+    case DataFormatBoolean:
+    case DataFormatJSBoolean:
         // Should only be calling this function if we know this operand to be integer.
         ASSERT_NOT_REACHED();
@@ -154 +156 @@
     case DataFormatCell:
     case DataFormatJSCell:
+    case DataFormatBoolean:
+    case DataFormatJSBoolean:
         // Should only be calling this function if we know this operand to be numeric.
         ASSERT_NOT_REACHED();
@@ -296 +300 @@
     case DataFormatJSInteger:
     case DataFormatJSDouble:
-    case DataFormatJSCell: {
+    case DataFormatJSCell:
+    case DataFormatJSBoolean: {
         GPRReg gpr = info.gpr();
         m_gprs.lock(gpr);
         return gpr;
     }
+        
+    case DataFormatBoolean:
+        // this type currently never occurs
+        ASSERT_NOT_REACHED();
     }
 
@@ -407 +416 @@
     return (info.registerFormat() | DataFormatJS) == DataFormatJSDouble
         || (info.registerFormat() | DataFormatJS) == DataFormatJSCell
+        || (info.registerFormat() | DataFormatJS) == DataFormatJSBoolean
         || (node.isConstant() && !valueOfJSConstant(nodeIndex).isInt32());
+}
+
+bool JITCodeGenerator::isKnownBoolean(NodeIndex nodeIndex)
+{
+    Node& node = m_jit.graph()[nodeIndex];
+    if (node.hasBooleanResult())
+        return true;
+    
+    if (isBooleanConstant(nodeIndex))
+        return true;
+    
+    VirtualRegister virtualRegister = node.virtualRegister();
+    GenerationInfo& info = m_generationInfo[virtualRegister];
+    
+    return (info.registerFormat() | DataFormatJS) == DataFormatJSBoolean
+        || (info.spillFormat() | DataFormatJS) == DataFormatJSBoolean;
 }
 
@@ -589 +615 @@
     
     m_jit.or32(TrustedImm32(ValueFalse), resultGPR);
-    jsValueResult(resultGPR, m_compileIndex);
+    jsValueResult(resultGPR, m_compileIndex, DataFormatJSBoolean);
 }
 
@@ -744 +770 @@
         
         m_jit.or32(TrustedImm32(ValueFalse), resultGPR);
-        jsValueResult(resultGPR, m_compileIndex, UseChildrenCalledExplicitly);
+        jsValueResult(resultGPR, m_compileIndex, DataFormatJSBoolean, UseChildrenCalledExplicitly);
     } else {
         GPRTemporary result(this, arg2);
@@ -778 +804 @@
         m_jit.or32(TrustedImm32(ValueFalse), resultGPR);
         
-        jsValueResult(resultGPR, m_compileIndex, UseChildrenCalledExplicitly);
+        jsValueResult(resultGPR, m_compileIndex, DataFormatJSBoolean, UseChildrenCalledExplicitly);
     }
 }
@@ -940 +966 @@
     }
     
-    jsValueResult(resultGPR, m_compileIndex, UseChildrenCalledExplicitly);
+    jsValueResult(resultGPR, m_compileIndex, DataFormatJSBoolean, UseChildrenCalledExplicitly);
 }
 
@@ -969 +995 @@
     GPRReg valueGPR = value.gpr();
     
-    GPRTemporary result(this);
-    GPRReg resultGPR = result.gpr();
-    
-    value.use();
-    
     BlockIndex taken = m_jit.graph().blockIndexForBytecodeOffset(node.takenBytecodeOffset());
     BlockIndex notTaken = m_jit.graph().blockIndexForBytecodeOffset(node.notTakenBytecodeOffset());
-
-    addBranch(m_jit.branchPtr(MacroAssembler::Equal, valueGPR, MacroAssembler::ImmPtr(JSValue::encode(jsNumber(0)))), notTaken);
-    addBranch(m_jit.branchPtr(MacroAssembler::AboveOrEqual, valueGPR, GPRInfo::tagTypeNumberRegister), taken);
-    addBranch(m_jit.branchPtr(MacroAssembler::Equal, valueGPR, MacroAssembler::ImmPtr(JSValue::encode(jsBoolean(false)))), notTaken);
-    addBranch(m_jit.branchPtr(MacroAssembler::Equal, valueGPR, MacroAssembler::ImmPtr(JSValue::encode(jsBoolean(true)))), taken);
-    
-    silentSpillAllRegisters(resultGPR);
-    m_jit.move(valueGPR, GPRInfo::argumentGPR1);
-    m_jit.move(GPRInfo::callFrameRegister, GPRInfo::argumentGPR0);
-    appendCallWithExceptionCheck(dfgConvertJSValueToBoolean);
-    m_jit.move(GPRInfo::returnValueGPR, resultGPR);
-    silentFillAllRegisters(resultGPR);
-    
-    addBranch(m_jit.branchTest8(MacroAssembler::NonZero, resultGPR), taken);
-    if (notTaken != (m_block + 1))
-        addBranch(m_jit.jump(), notTaken);
-    
-    noResult(m_compileIndex, UseChildrenCalledExplicitly);
+    
+    if (isKnownBoolean(node.child1())) {
+        MacroAssembler::ResultCondition condition = MacroAssembler::NonZero;
+        
+        if (taken == (m_block + 1)) {
+            condition = MacroAssembler::Zero;
+            BlockIndex tmp = taken;
+            taken = notTaken;
+            notTaken = tmp;
+        }
+        
+        addBranch(m_jit.branchTest32(condition, valueGPR, TrustedImm32(true)), taken);
+        if (notTaken != (m_block + 1))
+            addBranch(m_jit.jump(), notTaken);
+        
+        noResult(m_compileIndex);
+    } else {
+        GPRTemporary result(this);
+        GPRReg resultGPR = result.gpr();
+        
+        bool predictBoolean = isBooleanPrediction(m_jit.graph().getPrediction(m_jit.graph()[node.child1()]));
+    
+        if (predictBoolean) {
+            addBranch(m_jit.branchPtr(MacroAssembler::Equal, valueGPR, MacroAssembler::ImmPtr(JSValue::encode(jsBoolean(false)))), notTaken);
+            addBranch(m_jit.branchPtr(MacroAssembler::Equal, valueGPR, MacroAssembler::ImmPtr(JSValue::encode(jsBoolean(true)))), taken);
+        }
+        
+        if (m_isSpeculative && predictBoolean) {
+            speculationCheck(m_jit.jump());
+            value.use();
+        } else {
+            addBranch(m_jit.branchPtr(MacroAssembler::Equal, valueGPR, MacroAssembler::ImmPtr(JSValue::encode(jsNumber(0)))), notTaken);
+            addBranch(m_jit.branchPtr(MacroAssembler::AboveOrEqual, valueGPR, GPRInfo::tagTypeNumberRegister), taken);
+    
+            if (!predictBoolean) {
+                addBranch(m_jit.branchPtr(MacroAssembler::Equal, valueGPR, MacroAssembler::ImmPtr(JSValue::encode(jsBoolean(false)))), notTaken);
+                addBranch(m_jit.branchPtr(MacroAssembler::Equal, valueGPR, MacroAssembler::ImmPtr(JSValue::encode(jsBoolean(true)))), taken);
+            }
+    
+            value.use();
+    
+            silentSpillAllRegisters(resultGPR);
+            m_jit.move(valueGPR, GPRInfo::argumentGPR1);
+            m_jit.move(GPRInfo::callFrameRegister, GPRInfo::argumentGPR0);
+            appendCallWithExceptionCheck(dfgConvertJSValueToBoolean);
+            m_jit.move(GPRInfo::returnValueGPR, resultGPR);
+            silentFillAllRegisters(resultGPR);
+    
+            addBranch(m_jit.branchTest8(MacroAssembler::NonZero, resultGPR), taken);
+            if (notTaken != (m_block + 1))
+                addBranch(m_jit.jump(), notTaken);
+        }
+        
+        noResult(m_compileIndex, UseChildrenCalledExplicitly);
+    }
 }
 
@@ -1080 +1138 @@
     
     m_jit.addJSCall(fastCall, slowCall, targetToCheck, isCall, m_jit.graph()[m_compileIndex].exceptionInfo);
+}
+
+void JITCodeGenerator::speculationCheck(MacroAssembler::Jump jumpToFail)
+{
+    ASSERT(m_isSpeculative);
+    static_cast<SpeculativeJIT*>(this)->speculationCheck(jumpToFail);
 }
 
@@ -1288 +1352 @@
 }
 
+GPRTemporary::GPRTemporary(JITCodeGenerator* jit, SpeculateBooleanOperand& op1)
+    : m_jit(jit)
+    , m_gpr(InvalidGPRReg)
+{
+    if (m_jit->canReuse(op1.index()))
+        m_gpr = m_jit->reuse(op1.gpr());
+    else
+        m_gpr = m_jit->allocate();
+}
+
 GPRTemporary::GPRTemporary(JITCodeGenerator* jit, JSValueOperand& op1)
     : m_jit(jit)

trunk/Source/JavaScriptCore/dfg/DFGJITCodeGenerator.h

@@ -42 +42 @@
 class SpeculateDoubleOperand;
 class SpeculateCellOperand;
+class SpeculateBooleanOperand;
 
 
@@ -411 +412 @@
     bool isKnownNotInteger(NodeIndex);
 
+    bool isKnownBoolean(NodeIndex);
+    
     // Checks/accessors for constant values.
     bool isConstant(NodeIndex nodeIndex) { return m_jit.isConstant(nodeIndex); }
@@ -416 +419 @@
     bool isInt32Constant(NodeIndex nodeIndex) { return m_jit.isInt32Constant(nodeIndex); }
     bool isDoubleConstant(NodeIndex nodeIndex) { return m_jit.isDoubleConstant(nodeIndex); }
+    bool isBooleanConstant(NodeIndex nodeIndex) { return m_jit.isBooleanConstant(nodeIndex); }
     int32_t valueOfInt32Constant(NodeIndex nodeIndex) { return m_jit.valueOfInt32Constant(nodeIndex); }
     double valueOfDoubleConstant(NodeIndex nodeIndex) { return m_jit.valueOfDoubleConstant(nodeIndex); }
     JSValue valueOfJSConstant(NodeIndex nodeIndex) { return m_jit.valueOfJSConstant(nodeIndex); }
+    bool valueOfBooleanConstant(NodeIndex nodeIndex) { return m_jit.valueOfBooleanConstant(nodeIndex); }
     bool isNullConstant(NodeIndex nodeIndex)
     {
@@ -576 +581 @@
     
     void emitCall(Node&);
+    
+    void speculationCheck(MacroAssembler::Jump jumpToFail);
 
     // Called once a node has completed code generation but prior to setting
@@ -1122 +1129 @@
     GPRTemporary(JITCodeGenerator*, IntegerOperand&, IntegerOperand&);
     GPRTemporary(JITCodeGenerator*, SpeculateCellOperand&);
+    GPRTemporary(JITCodeGenerator*, SpeculateBooleanOperand&);
     GPRTemporary(JITCodeGenerator*, JSValueOperand&);
 

trunk/Source/JavaScriptCore/dfg/DFGJITCompiler.cpp

@@ -489 +489 @@
     breakpoint();
 #endif
+    
+#if DFG_VERBOSE_SPECULATION_FAILURE
+    SpeculationFailureDebugInfo* debugInfo = new SpeculationFailureDebugInfo;
+    debugInfo->codeBlock = m_codeBlock;
+    debugInfo->debugOffset = debugOffset();
+    
+    debugCall(debugOperationPrintSpeculationFailure, debugInfo);
+#endif
 
     // Does this speculation check require any additional recovery to be performed,
@@ -494 +502 @@
     // non-speculative path.
     if (recovery) {
-        // The only additional recovery we currently support is for integer add operation
-        ASSERT(recovery->type() == SpeculativeAdd);
-        ASSERT(check.m_gprInfo[GPRInfo::toIndex(recovery->dest())].nodeIndex != NoNode);
-        // Revert the add.
-        sub32(recovery->src(), recovery->dest());
-        
-        // If recovery->dest() should have been boxed prior to the addition, then rebox
-        // it.
-        DataFormat format = check.m_gprInfo[GPRInfo::toIndex(recovery->dest())].format;
-        ASSERT(format == DataFormatInteger || format == DataFormatJSInteger || format == DataFormatJS);
-        if (format != DataFormatInteger)
-            orPtr(GPRInfo::tagTypeNumberRegister, recovery->dest());
+        switch (recovery->type()) {
+        case SpeculativeAdd: {
+            ASSERT(check.m_gprInfo[GPRInfo::toIndex(recovery->dest())].nodeIndex != NoNode);
+            // Revert the add.
+            sub32(recovery->src(), recovery->dest());
+            
+            // If recovery->dest() should have been boxed prior to the addition, then rebox
+            // it.
+            DataFormat format = check.m_gprInfo[GPRInfo::toIndex(recovery->dest())].format;
+            ASSERT(format == DataFormatInteger || format == DataFormatJSInteger || format == DataFormatJS);
+            if (format != DataFormatInteger)
+                orPtr(GPRInfo::tagTypeNumberRegister, recovery->dest());
+            break;
+        }
+            
+        case BooleanSpeculationCheck: {
+            ASSERT(check.m_gprInfo[GPRInfo::toIndex(recovery->dest())].nodeIndex != NoNode);
+            // Rebox the (non-)boolean
+            xorPtr(TrustedImm32(static_cast<int32_t>(ValueFalse)), recovery->dest());
+            break;
+        }
+            
+        default:
+            ASSERT_NOT_REACHED();
+            break;
+        }
     }
     
@@ -876 +898 @@
     // Link the code, populate data in CodeBlock data structures.
 #if DFG_DEBUG_VERBOSE
-    fprintf(stderr, "JIT code start at [%p, %p)\n", linkBuffer.debugAddress(), static_cast<char*>(linkBuffer.debugAddress()) + linkBuffer.debugSize());
+    fprintf(stderr, "JIT code for %p start at [%p, %p)\n", m_codeBlock, linkBuffer.debugAddress(), static_cast<char*>(linkBuffer.debugAddress()) + linkBuffer.debugSize());
 #endif
 

trunk/Source/JavaScriptCore/dfg/DFGJITCompiler.h

@@ -55 +55 @@
 struct SpeculationCheck;
 
+#ifndef NDEBUG
+typedef void (*V_DFGDebugOperation_EP)(ExecState*, void*);
+#endif
+
+#if DFG_VERBOSE_SPECULATION_FAILURE
+struct SpeculationFailureDebugInfo {
+    CodeBlock* codeBlock;
+    unsigned debugOffset;
+};
+#endif
+
 // === CallRecord ===
 //
@@ -206 +217 @@
         return functionCall;
     }
+    
+#ifndef NDEBUG
+    // Add a debug call. This call has no effect on JIT code execution state.
+    void debugCall(V_DFGDebugOperation_EP function, void* argument)
+    {
+        for (unsigned i = 0; i < GPRInfo::numberOfRegisters; ++i)
+            storePtr(GPRInfo::toRegister(i), m_globalData->debugDataBuffer + i);
+        for (unsigned i = 0; i < FPRInfo::numberOfRegisters; ++i) {
+            move(TrustedImmPtr(m_globalData->debugDataBuffer + GPRInfo::numberOfRegisters + i), GPRInfo::regT0);
+            storeDouble(FPRInfo::toRegister(i), GPRInfo::regT0);
+        }
+        move(TrustedImmPtr(argument), GPRInfo::argumentGPR1);
+        move(GPRInfo::callFrameRegister, GPRInfo::argumentGPR0);
+        move(TrustedImmPtr(reinterpret_cast<void*>(function)), GPRInfo::regT0);
+        call(GPRInfo::regT0);
+        for (unsigned i = 0; i < FPRInfo::numberOfRegisters; ++i) {
+            move(TrustedImmPtr(m_globalData->debugDataBuffer + GPRInfo::numberOfRegisters + i), GPRInfo::regT0);
+            loadDouble(GPRInfo::regT0, FPRInfo::toRegister(i));
+        }
+        for (unsigned i = 0; i < GPRInfo::numberOfRegisters; ++i)
+            loadPtr(m_globalData->debugDataBuffer + i, GPRInfo::toRegister(i));
+    }
+#endif
 
     // Helper methods to check nodes for constants.
@@ -212 +246 @@
     bool isInt32Constant(NodeIndex nodeIndex) { return graph().isInt32Constant(codeBlock(), nodeIndex); }
     bool isDoubleConstant(NodeIndex nodeIndex) { return graph().isDoubleConstant(codeBlock(), nodeIndex); }
+    bool isBooleanConstant(NodeIndex nodeIndex) { return graph().isBooleanConstant(codeBlock(), nodeIndex); }
     // Helper methods get constant values from nodes.
     JSValue valueOfJSConstant(NodeIndex nodeIndex) { return graph().valueOfJSConstant(codeBlock(), nodeIndex); }
     int32_t valueOfInt32Constant(NodeIndex nodeIndex) { return graph().valueOfInt32Constant(codeBlock(), nodeIndex); }
     double valueOfDoubleConstant(NodeIndex nodeIndex) { return graph().valueOfDoubleConstant(codeBlock(), nodeIndex); }
+    bool valueOfBooleanConstant(NodeIndex nodeIndex) { return graph().valueOfBooleanConstant(codeBlock(), nodeIndex); }
 
     // These methods JIT generate dynamic, debug-only checks - akin to ASSERTs.

trunk/Source/JavaScriptCore/dfg/DFGNode.h

@@ -45 +45 @@
 // Emit a breakpoint into the speculation failure code.
 #define DFG_JIT_BREAK_ON_SPECULATION_FAILURE 0
+// Log every speculation failure.
+#define DFG_VERBOSE_SPECULATION_FAILURE 0
 // Disable the DFG JIT without having to touch Platform.h!
 #define DFG_DEBUG_LOCAL_DISBALE 0
@@ -90 +92 @@
 #define NodeResultDouble  0x2000
 #define NodeResultInt32   0x3000
+#define NodeResultBoolean 0x4000
 
 // This macro defines a set of information about all known node types, used to populate NodeId, NodeType below.
@@ -141 +144 @@
     \
     /* Nodes for comparison operations. */\
-    macro(CompareLess, NodeResultJS | NodeMustGenerate) \
-    macro(CompareLessEq, NodeResultJS | NodeMustGenerate) \
-    macro(CompareGreater, NodeResultJS | NodeMustGenerate) \
-    macro(CompareGreaterEq, NodeResultJS | NodeMustGenerate) \
-    macro(CompareEq, NodeResultJS | NodeMustGenerate) \
-    macro(CompareStrictEq, NodeResultJS) \
+    macro(CompareLess, NodeResultBoolean | NodeMustGenerate) \
+    macro(CompareLessEq, NodeResultBoolean | NodeMustGenerate) \
+    macro(CompareGreater, NodeResultBoolean | NodeMustGenerate) \
+    macro(CompareGreaterEq, NodeResultBoolean | NodeMustGenerate) \
+    macro(CompareEq, NodeResultBoolean | NodeMustGenerate) \
+    macro(CompareStrictEq, NodeResultBoolean) \
     \
     /* Calls. */\
@@ -160 +163 @@
     macro(Breakpoint, NodeMustGenerate) \
     macro(CheckHasInstance, NodeMustGenerate) \
-    macro(InstanceOf, NodeResultJS) \
-    macro(LogicalNot, NodeResultJS) \
+    macro(InstanceOf, NodeResultBoolean) \
+    macro(LogicalNot, NodeResultBoolean) \
     \
     /* Block terminals. */\
@@ -199 +202 @@
 static const PredictedType PredictDouble = 0x08;
 static const PredictedType PredictNumber = 0x0c;
-static const PredictedType PredictTop    = 0x0f;
+static const PredictedType PredictBoolean = 0x10;
+static const PredictedType PredictTop    = 0x1f;
 static const PredictedType StrongPredictionTag = 0x80;
 static const PredictedType PredictionTagMask    = 0x80;
@@ -228 +232 @@
 {
     return !!(value & PredictNumber) && !(value & ~(PredictNumber | PredictionTagMask));
+}
+
+inline bool isBooleanPrediction(PredictedType value)
+{
+    return (value & ~PredictionTagMask) == PredictBoolean;
 }
 
@@ -249 +258 @@
         case PredictInt32:
             return "p-strong-int32";
+        case PredictDouble:
+            return "p-strong-double";
         case PredictNumber:
             return "p-strong-number";
+        case PredictBoolean:
+            return "p-strong-boolean";
         default:
             return "p-strong-top";
@@ -264 +277 @@
     case PredictInt32:
         return "p-weak-int32";
+    case PredictDouble:
+        return "p-weak-double";
     case PredictNumber:
         return "p-weak-number";
+    case PredictBoolean:
+        return "p-weak-boolean";
     default:
         return "p-weak-top";
@@ -326 +343 @@
     if (statistics.cells == statistics.samples)
         return StrongPredictionTag | PredictCell;
+    
+    if (statistics.booleans == statistics.samples)
+        return StrongPredictionTag | PredictBoolean;
     
     return StrongPredictionTag | PredictTop;
@@ -424 +444 @@
     }
     
+    bool isBooleanConstant(CodeBlock* codeBlock)
+    {
+        return isConstant() && valueOfJSConstant(codeBlock).isBoolean();
+    }
+    
     int32_t valueOfInt32Constant(CodeBlock* codeBlock)
     {
@@ -434 +459 @@
         ASSERT(isDoubleConstant(codeBlock));
         return valueOfJSConstant(codeBlock).uncheckedGetNumber();
+    }
+    
+    bool valueOfBooleanConstant(CodeBlock* codeBlock)
+    {
+        ASSERT(isBooleanConstant(codeBlock));
+        return valueOfJSConstant(codeBlock).getBoolean();
     }
 
@@ -493 +524 @@
         return (op & NodeResultMask) == NodeResultJS;
     }
+    
+    bool hasBooleanResult()
+    {
+        return (op & NodeResultMask) == NodeResultBoolean;
+    }
 
     // Check for integers or doubles.
     bool hasNumericResult()
     {
-        // This check will need updating if more result types are added.
-        ASSERT((hasInt32Result() || hasDoubleResult()) == !hasJSResult());
-        return !hasJSResult();
+        return hasInt32Result() || hasDoubleResult();
     }
 
@@ -564 +598 @@
         ASSERT(source == StrongPrediction);
         
-        PredictedType newPrediction = StrongPredictionTag | prediction;
+        PredictedType newPrediction = StrongPredictionTag | prediction | m_opInfo2;
         bool result = m_opInfo2 != newPrediction;
-        m_opInfo2 |= newPrediction;
+        m_opInfo2 = newPrediction;
         return result;
     }

trunk/Source/JavaScriptCore/dfg/DFGOperations.cpp

@@ -679 +679 @@
 }
 
+#if DFG_VERBOSE_SPECULATION_FAILURE
+void debugOperationPrintSpeculationFailure(ExecState*, void* debugInfoRaw)
+{
+    SpeculationFailureDebugInfo* debugInfo = static_cast<SpeculationFailureDebugInfo*>(debugInfoRaw);
+    printf("Speculation failure in %p at 0x%x!\n", debugInfo->codeBlock, debugInfo->debugOffset);
+}
+#endif
+
 } // extern "C"
 } } // namespace JSC::DFG

trunk/Source/JavaScriptCore/dfg/DFGOperations.h

@@ -116 +116 @@
 RegisterSizedBoolean dfgConvertJSValueToBoolean(ExecState*, EncodedJSValue);
 
+#if DFG_VERBOSE_SPECULATION_FAILURE
+void debugOperationPrintSpeculationFailure(ExecState*, void*);
+#endif
+
 } // extern "C"
 } } // namespace JSC::DFG

trunk/Source/JavaScriptCore/dfg/DFGPropagator.cpp

@@ -41 +41 @@
         , m_profiledBlock(profiledBlock)
     {
+        // Predictions is a forward flow property that propagates the values seen at
+        // a particular value source to their various uses, ensuring that uses perform
+        // speculation that does not contravene the expected values.
         m_predictions.resize(m_graph.size());
-        for (NodeIndex i = 0; i < m_graph.size(); ++i)
+        
+        // Uses is a backward flow property that propagates the hard expectations at
+        // certain uses to their value sources, ensuring that predictions about
+        // values do not contravene the code itself. This comes up only in the
+        // cases of obvious cell uses, like GetById and friends as well as Call.
+        // We're essentially statically speculating that if the value profile indicates
+        // that only booleans (for example) flow into a GetById, then the value
+        // profile is simply wrong due to insufficient coverage and needs to be
+        // adjusted accordingly. The alternatives would be to assume either
+        // that the GetById never executes, or always executes on a boolean leading
+        // to whatever bizarre behavior that's supposed to cause.
+        m_uses.resize(m_graph.size());
+        m_variableUses.initializeSimilarTo(m_graph.predictions());
+        
+        for (unsigned i = 0; i < m_graph.size(); ++i) {
             m_predictions[i] = PredictNone;
+            m_uses[i] = PredictNone;
+        }
     }
     
@@ -52 +71 @@
 #endif
         do {
+            m_changed = false;
+            
             // Forward propagation is near-optimal for both topologically-sorted and
             // DFS-sorted code.
-            m_changed = false;
             propagateForward();
             if (!m_changed)
@@ -65 +85 @@
             m_changed = false;
             propagateBackward();
-            if (!m_changed)
-                break;
-            
-            // Do another forward pass because forward passes are on average more
-            // profitable.
-            m_changed = false;
-            propagateForward();
         } while (m_changed);
     }
     
 private:
-    void setPrediction(PredictedType prediction)
-    {
+    bool setPrediction(PredictedType prediction)
+    {
+        ASSERT(m_graph[m_compileIndex].hasResult());
+        
         if (m_predictions[m_compileIndex] == prediction)
-            return;
+            return false;
         
         m_predictions[m_compileIndex] = prediction;
-        m_changed = true;
-    }
-    
-    void mergePrediction(PredictedType prediction)
-    {
-        if (DFG::mergePrediction(m_predictions[m_compileIndex], prediction))
-            m_changed = true;
+        return true;
+    }
+    
+    bool mergeUse(NodeIndex nodeIndex, PredictedType prediction)
+    {
+        ASSERT(m_graph[nodeIndex].hasResult());
+        
+        return DFG::mergePrediction(m_uses[nodeIndex], prediction);
+    }
+    
+    bool mergePrediction(PredictedType prediction)
+    {
+        ASSERT(m_graph[m_compileIndex].hasResult());
+        
+        return DFG::mergePrediction(m_predictions[m_compileIndex], prediction);
     }
     
@@ -97 +120 @@
         
         NodeType op = node.op;
+
+#if DFG_DEBUG_VERBOSE
+        printf("   %s[%u]: ", Graph::opName(op), m_compileIndex);
+#endif
+        
+        bool changed = false;
+        
         switch (op) {
         case JSConstant: {
             JSValue value = node.valueOfJSConstant(m_codeBlock);
             if (value.isInt32())
-                setPrediction(makePrediction(PredictInt32, StrongPrediction));
+                changed |= setPrediction(makePrediction(PredictInt32, StrongPrediction));
             else if (value.isDouble())
-                setPrediction(makePrediction(PredictDouble, StrongPrediction));
+                changed |= setPrediction(makePrediction(PredictDouble, StrongPrediction));
             else if (value.isCell()) {
                 JSCell* cell = value.asCell();
                 if (isJSArray(&m_globalData, cell))
-                    setPrediction(makePrediction(PredictArray, StrongPrediction));
+                    changed |= setPrediction(makePrediction(PredictArray, StrongPrediction));
                 else
-                    setPrediction(makePrediction(PredictCell, StrongPrediction));
-            } else
-                setPrediction(makePrediction(PredictTop, StrongPrediction));
+                    changed |= setPrediction(makePrediction(PredictCell, StrongPrediction));
+            } else if (value.isBoolean())
+                changed |= setPrediction(makePrediction(PredictBoolean, StrongPrediction));
+            else
+                changed |= setPrediction(makePrediction(PredictTop, StrongPrediction));
             break;
         }
             
         case GetLocal: {
+            changed |= m_graph.predict(node.local(), m_uses[m_compileIndex] & ~PredictionTagMask, StrongPrediction);
+            changed |= m_variableUses.predict(node.local(), m_uses[m_compileIndex] & ~PredictionTagMask, StrongPrediction);
+
             PredictedType prediction = m_graph.getPrediction(node.local());
             if (isStrongPrediction(prediction))
-                mergePrediction(prediction);
+                changed |= mergePrediction(prediction);
             break;
         }
             
         case SetLocal: {
-            m_changed |= m_graph.predict(node.local(), m_predictions[node.child1()] & ~PredictionTagMask, StrongPrediction);
+            changed |= m_graph.predict(node.local(), m_predictions[node.child1()] & ~PredictionTagMask, StrongPrediction);
+            changed |= mergeUse(node.child1(), m_variableUses.getPrediction(node.local()));
             break;
         }
@@ -136 +172 @@
         case ValueToInt32:
         case ArithMod: {
-            setPrediction(makePrediction(PredictInt32, StrongPrediction));
+            changed |= setPrediction(makePrediction(PredictInt32, StrongPrediction));
             break;
         }
@@ -145 +181 @@
             if (isStrongPrediction(prediction)) {
                 if (isNumberPrediction(prediction))
-                    mergePrediction(prediction);
+                    changed |= mergePrediction(prediction);
                 else
-                    mergePrediction(makePrediction(PredictNumber, StrongPrediction));
+                    changed |= mergePrediction(makePrediction(PredictNumber, StrongPrediction));
             }
+            
             break;
         }
@@ -159 +196 @@
                 if (isNumberPrediction(left) && isNumberPrediction(right)) {
                     if (isInt32Prediction(mergePredictions(left, right)))
-                        mergePrediction(makePrediction(PredictInt32, StrongPrediction));
+                        changed |= mergePrediction(makePrediction(PredictInt32, StrongPrediction));
                     else
-                        mergePrediction(makePrediction(PredictDouble, StrongPrediction));
+                        changed |= mergePrediction(makePrediction(PredictDouble, StrongPrediction));
                 } else
-                    mergePrediction(makePrediction(PredictTop, StrongPrediction));
+                    changed |= mergePrediction(makePrediction(PredictTop, StrongPrediction));
             }
             break;
@@ -176 +213 @@
             if (isStrongPrediction(left) && isStrongPrediction(right)) {
                 if (isInt32Prediction(mergePredictions(left, right)))
-                    mergePrediction(makePrediction(PredictInt32, StrongPrediction));
+                    changed |= mergePrediction(makePrediction(PredictInt32, StrongPrediction));
                 else
-                    mergePrediction(makePrediction(PredictDouble, StrongPrediction));
+                    changed |= mergePrediction(makePrediction(PredictDouble, StrongPrediction));
             }
             break;
@@ -184 +221 @@
             
         case ArithDiv: {
-            setPrediction(makePrediction(PredictDouble, StrongPrediction));
+            changed |= setPrediction(makePrediction(PredictDouble, StrongPrediction));
             break;
         }
@@ -196 +233 @@
         case CompareStrictEq:
         case InstanceOf: {
-            // This is sad, as we don't have a boolean prediction, even though we easily
-            // could.
-            setPrediction(makePrediction(PredictTop, StrongPrediction));
+            changed |= setPrediction(makePrediction(PredictBoolean, StrongPrediction));
             break;
         }
@@ -204 +239 @@
         case GetById:
         case GetMethod:
-        case GetByVal:
+        case GetByVal: {
+            changed |= mergeUse(node.child1(), PredictCell | StrongPredictionTag);
+            changed |= node.predict(m_uses[m_compileIndex] & ~PredictionTagMask, StrongPrediction);
+            if (isStrongPrediction(node.getPrediction()))
+                changed |= setPrediction(node.getPrediction());
+            break;
+        }
+            
         case Call:
         case Construct: {
+            changed |= mergeUse(m_graph.m_varArgChildren[node.firstChild()], PredictCell | StrongPredictionTag);
+            changed |= node.predict(m_uses[m_compileIndex] & ~PredictionTagMask, StrongPrediction);
             if (isStrongPrediction(node.getPrediction()))
-                setPrediction(node.getPrediction());
+                changed |= setPrediction(node.getPrediction());
             break;
         }
             
         case ConvertThis: {
-            setPrediction(makePrediction(PredictCell, StrongPrediction));
+            changed |= setPrediction(makePrediction(PredictCell, StrongPrediction));
             break;
         }
             
         case GetGlobalVar: {
+            changed |= m_variableUses.predictGlobalVar(node.varNumber(), m_uses[m_compileIndex] & ~PredictionTagMask, StrongPrediction);
             PredictedType prediction = m_graph.getGlobalVarPrediction(node.varNumber());
             if (isStrongPrediction(prediction))
-                mergePrediction(prediction);
+                changed |= mergePrediction(prediction);
             break;
         }
             
         case PutGlobalVar: {
-            m_changed |= m_graph.predictGlobalVar(node.varNumber(), m_predictions[node.child1()] & ~PredictionTagMask, StrongPrediction);
-            break;
-        }
-            
+            changed |= m_graph.predictGlobalVar(node.varNumber(), m_predictions[node.child1()] & ~PredictionTagMask, StrongPrediction);
+            changed |= mergeUse(node.child1(), m_variableUses.getGlobalVarPrediction(node.varNumber()));
+            break;
+        }
+            
+        case PutByVal:
+        case PutByValAlias:
+        case PutById:
+        case PutByIdDirect:
+            changed |= mergeUse(node.child1(), PredictCell | StrongPredictionTag);
+            break;
+
 #ifndef NDEBUG
         // These get ignored because they don't return anything.
-        case PutByVal:
-        case PutByValAlias:
         case DFG::Jump:
         case Branch:
         case Return:
-        case PutById:
-        case PutByIdDirect:
         case CheckHasInstance:
         case Phi:
@@ -256 +305 @@
 #endif
         }
+
+#if DFG_DEBUG_VERBOSE
+        printf("expect(%s) use(%s) %s\n", predictionToString(m_predictions[m_compileIndex]), predictionToString(m_uses[m_compileIndex]), changed ? "CHANGED" : "");
+#endif
+        
+        m_changed |= changed;
     }
     
@@ -284 +339 @@
     
     Vector<PredictedType, 16> m_predictions;
+    Vector<PredictedType, 16> m_uses;
+    
+    PredictionTracker m_variableUses;
 
 #if DFG_DEBUG_VERBOSE

trunk/Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp

@@ -129 +129 @@
     case DataFormatDouble:
     case DataFormatCell:
+    case DataFormatBoolean:
     case DataFormatJSDouble:
-    case DataFormatJSCell: {
+    case DataFormatJSCell:
+    case DataFormatJSBoolean: {
         terminateSpeculativeExecution();
         returnFormat = DataFormatInteger;
@@ -224 +226 @@
 
     switch (info.registerFormat()) {
-    case DataFormatNone:
-        // Should have filled, above.
+    case DataFormatNone: // Should have filled, above.
+    case DataFormatBoolean: // This type never occurs.
         ASSERT_NOT_REACHED();
         
     case DataFormatCell:
     case DataFormatJSCell:
-    case DataFormatJS: {
+    case DataFormatJS:
+    case DataFormatJSBoolean: {
         GPRReg jsValueGpr = info.gpr();
         m_gprs.lock(jsValueGpr);
@@ -350 +353 @@
     case DataFormatInteger:
     case DataFormatJSDouble:
-    case DataFormatDouble: {
+    case DataFormatDouble:
+    case DataFormatJSBoolean:
+    case DataFormatBoolean: {
+        terminateSpeculativeExecution();
+        return allocate();
+    }
+    }
+
+    ASSERT_NOT_REACHED();
+    return InvalidGPRReg;
+}
+
+GPRReg SpeculativeJIT::fillSpeculateBoolean(NodeIndex nodeIndex)
+{
+    Node& node = m_jit.graph()[nodeIndex];
+    VirtualRegister virtualRegister = node.virtualRegister();
+    GenerationInfo& info = m_generationInfo[virtualRegister];
+
+    switch (info.registerFormat()) {
+    case DataFormatNone: {
+        GPRReg gpr = allocate();
+
+        if (node.isConstant()) {
+            JSValue jsValue = valueOfJSConstant(nodeIndex);
+            if (jsValue.isBoolean()) {
+                m_gprs.retain(gpr, virtualRegister, SpillOrderConstant);
+                m_jit.move(MacroAssembler::TrustedImmPtr(JSValue::encode(jsValue)), gpr);
+                info.fillJSValue(gpr, DataFormatJSBoolean);
+                return gpr;
+            }
+            terminateSpeculativeExecution();
+            return gpr;
+        }
+        ASSERT(info.spillFormat() & DataFormatJS);
+        m_gprs.retain(gpr, virtualRegister, SpillOrderSpilled);
+        m_jit.loadPtr(JITCompiler::addressFor(virtualRegister), gpr);
+
+        info.fillJSValue(gpr, DataFormatJS);
+        if (info.spillFormat() != DataFormatJSBoolean) {
+            m_jit.xorPtr(TrustedImm32(static_cast<int32_t>(ValueFalse)), gpr);
+            speculationCheck(m_jit.branchTestPtr(MacroAssembler::NonZero, gpr, TrustedImm32(static_cast<int32_t>(~1))), SpeculationRecovery(BooleanSpeculationCheck, gpr, InvalidGPRReg));
+            m_jit.xorPtr(TrustedImm32(static_cast<int32_t>(ValueFalse)), gpr);
+        }
+        info.fillJSValue(gpr, DataFormatJSBoolean);
+        return gpr;
+    }
+
+    case DataFormatBoolean:
+    case DataFormatJSBoolean: {
+        GPRReg gpr = info.gpr();
+        m_gprs.lock(gpr);
+        return gpr;
+    }
+
+    case DataFormatJS: {
+        GPRReg gpr = info.gpr();
+        m_gprs.lock(gpr);
+        m_jit.xorPtr(TrustedImm32(static_cast<int32_t>(ValueFalse)), gpr);
+        speculationCheck(m_jit.branchTestPtr(MacroAssembler::NonZero, gpr, TrustedImm32(static_cast<int32_t>(~1))), SpeculationRecovery(BooleanSpeculationCheck, gpr, InvalidGPRReg));
+        m_jit.xorPtr(TrustedImm32(static_cast<int32_t>(ValueFalse)), gpr);
+        info.fillJSValue(gpr, DataFormatJSBoolean);
+        return gpr;
+    }
+
+    case DataFormatJSInteger:
+    case DataFormatInteger:
+    case DataFormatJSDouble:
+    case DataFormatDouble:
+    case DataFormatJSCell:
+    case DataFormatCell: {
         terminateSpeculativeExecution();
         return allocate();
@@ -529 +601 @@
         // If we add a DataFormatBool, we should use it here.
         m_jit.or32(TrustedImm32(ValueFalse), result.gpr());
-        jsValueResult(result.gpr(), m_compileIndex);
+        jsValueResult(result.gpr(), m_compileIndex, DataFormatJSBoolean);
     }
     
@@ -562 +634 @@
             VirtualRegister virtualRegister = node.virtualRegister();
             m_gprs.retain(result.gpr(), virtualRegister, SpillOrderJS);
-            m_generationInfo[virtualRegister].initJSValue(m_compileIndex, node.refCount(), result.gpr(), isArrayPrediction(prediction) ? DataFormatJSCell : DataFormatJS);
+            
+            DataFormat format;
+            if (isArrayPrediction(prediction))
+                format = DataFormatJSCell;
+            else if (isBooleanPrediction(prediction))
+                format = DataFormatJSBoolean;
+            else
+                format = DataFormatJS;
+            
+            m_generationInfo[virtualRegister].initJSValue(m_compileIndex, node.refCount(), result.gpr(), format);
         }
         break;
@@ -579 +660 @@
             m_jit.storePtr(cellGPR, JITCompiler::addressFor(node.local()));
             noResult(m_compileIndex);
+        } else if (isBooleanPrediction(predictedType)) {
+            SpeculateBooleanOperand boolean(this, node.child1());
+            m_jit.storePtr(boolean.gpr(), JITCompiler::addressFor(node.local()));
+            noResult(m_compileIndex);
         } else {
             JSValueOperand value(this, node.child1());
@@ -842 +927 @@
 
     case LogicalNot: {
+        if (isKnownBoolean(node.child1())) {
+            SpeculateBooleanOperand value(this, node.child1());
+            GPRTemporary result(this, value);
+            
+            m_jit.move(value.gpr(), result.gpr());
+            m_jit.xorPtr(TrustedImm32(true), result.gpr());
+            
+            jsValueResult(result.gpr(), m_compileIndex, DataFormatJSBoolean);
+            break;
+        }
+        
         JSValueOperand value(this, node.child1());
         GPRTemporary result(this); // FIXME: We could reuse, but on speculation fail would need recovery to restore tag (akin to add).
@@ -851 +947 @@
 
         // If we add a DataFormatBool, we should use it here.
-        jsValueResult(result.gpr(), m_compileIndex);
+        jsValueResult(result.gpr(), m_compileIndex, DataFormatJSBoolean);
         break;
     }
@@ -1228 +1324 @@
 
         putResult.link(&m_jit);
-        jsValueResult(scratchReg, m_compileIndex);
+        jsValueResult(scratchReg, m_compileIndex, DataFormatJSBoolean);
         break;
     }

trunk/Source/JavaScriptCore/dfg/DFGSpeculativeJIT.h

@@ -38 +38 @@
 // may need be performed should a speculation check fail.
 enum SpeculationRecoveryType {
-    SpeculativeAdd
+    SpeculativeAdd,
+    BooleanSpeculationCheck
 };
 
@@ -133 +134 @@
     FPRReg fillSpeculateDouble(NodeIndex);
     GPRReg fillSpeculateCell(NodeIndex);
-
-private:
+    GPRReg fillSpeculateBoolean(NodeIndex);
+
+private:
+    friend class JITCodeGenerator;
+    
     void compile(Node&);
     void compile(BasicBlock&);
@@ -409 +413 @@
 };
 
+class SpeculateBooleanOperand {
+public:
+    explicit SpeculateBooleanOperand(SpeculativeJIT* jit, NodeIndex index)
+        : m_jit(jit)
+        , m_index(index)
+        , m_gprOrInvalid(InvalidGPRReg)
+    {
+        ASSERT(m_jit);
+        if (jit->isFilled(index))
+            gpr();
+    }
+    
+    ~SpeculateBooleanOperand()
+    {
+        ASSERT(m_gprOrInvalid != InvalidGPRReg);
+        m_jit->unlock(m_gprOrInvalid);
+    }
+    
+    NodeIndex index() const
+    {
+        return m_index;
+    }
+    
+    GPRReg gpr()
+    {
+        if (m_gprOrInvalid == InvalidGPRReg)
+            m_gprOrInvalid = m_jit->fillSpeculateBoolean(index());
+        return m_gprOrInvalid;
+    }
+    
+    void use()
+    {
+        m_jit->use(m_index);
+    }
+
+private:
+    SpeculativeJIT* m_jit;
+    NodeIndex m_index;
+    GPRReg m_gprOrInvalid;
+};
+
 
 // === SpeculationCheckIndexIterator ===