summaryrefslogtreecommitdiff
path: root/Source/JavaScriptCore/dfg
diff options
context:
space:
mode:
authorSimon Hausmann <simon.hausmann@nokia.com>2012-05-27 21:51:42 +0200
committerSimon Hausmann <simon.hausmann@nokia.com>2012-05-27 21:51:42 +0200
commitbe01689f43cf6882cf670d33df49ead1f570c53a (patch)
tree4bb2161d8983b38e3e7ed37b4a50303bfd5e2e85 /Source/JavaScriptCore/dfg
parenta89b2ebb8e192c5e8cea21079bda2ee2c0c7dddd (diff)
downloadqtwebkit-be01689f43cf6882cf670d33df49ead1f570c53a.tar.gz
Imported WebKit commit 8d6c5efc74f0222dfc7bcce8d845d4a2707ed9e6 (http://svn.webkit.org/repository/webkit/trunk@118629)
Diffstat (limited to 'Source/JavaScriptCore/dfg')
-rw-r--r--Source/JavaScriptCore/dfg/DFGAbstractState.cpp4
-rw-r--r--Source/JavaScriptCore/dfg/DFGArgumentsSimplificationPhase.cpp70
-rw-r--r--Source/JavaScriptCore/dfg/DFGByteCodeParser.cpp30
-rw-r--r--Source/JavaScriptCore/dfg/DFGCSEPhase.cpp263
-rw-r--r--Source/JavaScriptCore/dfg/DFGGraph.h6
-rw-r--r--Source/JavaScriptCore/dfg/DFGNode.h29
-rw-r--r--Source/JavaScriptCore/dfg/DFGNodeType.h24
-rw-r--r--Source/JavaScriptCore/dfg/DFGPredictionPropagationPhase.cpp4
-rw-r--r--Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp10
-rw-r--r--Source/JavaScriptCore/dfg/DFGSpeculativeJIT32_64.cpp10
-rw-r--r--Source/JavaScriptCore/dfg/DFGSpeculativeJIT64.cpp10
11 files changed, 403 insertions, 57 deletions
diff --git a/Source/JavaScriptCore/dfg/DFGAbstractState.cpp b/Source/JavaScriptCore/dfg/DFGAbstractState.cpp
index 33c058e7d..ff737cf1d 100644
--- a/Source/JavaScriptCore/dfg/DFGAbstractState.cpp
+++ b/Source/JavaScriptCore/dfg/DFGAbstractState.cpp
@@ -262,7 +262,8 @@ bool AbstractState::execute(unsigned indexInBlock)
switch (node.op()) {
case JSConstant:
- case WeakJSConstant: {
+ case WeakJSConstant:
+ case PhantomArguments: {
forNode(nodeIndex).set(m_graph.valueOfJSConstant(nodeIndex));
node.setCanExit(false);
break;
@@ -1403,6 +1404,7 @@ bool AbstractState::execute(unsigned indexInBlock)
}
case PutStructure:
+ case PhantomPutStructure:
node.setCanExit(false);
clobberStructures(indexInBlock);
forNode(node.child1()).set(node.structureTransitionData().newStructure);
diff --git a/Source/JavaScriptCore/dfg/DFGArgumentsSimplificationPhase.cpp b/Source/JavaScriptCore/dfg/DFGArgumentsSimplificationPhase.cpp
index 5ab515bd7..48163a91b 100644
--- a/Source/JavaScriptCore/dfg/DFGArgumentsSimplificationPhase.cpp
+++ b/Source/JavaScriptCore/dfg/DFGArgumentsSimplificationPhase.cpp
@@ -283,6 +283,14 @@ public:
break;
}
+ case Phantom:
+ // We don't care about phantom uses, since phantom uses are all about
+ // just keeping things alive for OSR exit. If something - like the
+ // CreateArguments - is just being kept alive, then this transformation
+ // will not break this, since the Phantom will now just keep alive a
+ // PhantomArguments and OSR exit will still do the right things.
+ break;
+
default:
observeBadArgumentsUses(node);
break;
@@ -392,31 +400,6 @@ public:
VariableAccessData* variableAccessData = node.variableAccessData();
- // If this is a store into the arguments register for an InlineCallFrame*
- // that does not create arguments, then kill it.
- int argumentsRegister =
- m_graph.uncheckedArgumentsRegisterFor(node.codeOrigin);
- if ((variableAccessData->local() == argumentsRegister
- || variableAccessData->local()
- == unmodifiedArgumentsRegister(argumentsRegister))
- && !m_createsArguments.contains(source.codeOrigin.inlineCallFrame)) {
- // Find the Flush. It should be the next instruction.
- Node& flush = m_graph[block->at(indexInBlock + 1)];
- ASSERT(flush.op() == Flush);
- ASSERT(flush.variableAccessData() == variableAccessData);
- ASSERT(flush.child1() == nodeIndex);
- // Be defensive in release mode.
- if (flush.op() != Flush
- || flush.variableAccessData() != variableAccessData
- || flush.child1() != nodeIndex)
- break;
- flush.setOpAndDefaultFlags(Nop);
- m_graph.clearAndDerefChild1(flush);
- flush.setRefCount(0);
- changed = true;
- break;
- }
-
if (variableAccessData->isCaptured())
break;
@@ -583,6 +566,35 @@ public:
insertionSet.execute(*block);
}
+ for (BlockIndex blockIndex = 0; blockIndex < m_graph.m_blocks.size(); ++blockIndex) {
+ BasicBlock* block = m_graph.m_blocks[blockIndex].get();
+ if (!block)
+ continue;
+ for (unsigned indexInBlock = 0; indexInBlock < block->size(); ++indexInBlock) {
+ NodeIndex nodeIndex = block->at(indexInBlock);
+ Node& node = m_graph[nodeIndex];
+ if (!node.shouldGenerate())
+ continue;
+ if (node.op() != CreateArguments)
+ continue;
+ // If this is a CreateArguments for an InlineCallFrame* that does
+ // not create arguments, then replace it with a PhantomArguments.
+ // PhantomArguments is a constant that represents JSValue() (the
+ // empty value) in DFG and arguments creation for OSR exit.
+ if (m_createsArguments.contains(node.codeOrigin.inlineCallFrame))
+ continue;
+ Node phantom(Phantom, node.codeOrigin);
+ phantom.children = node.children;
+ phantom.ref();
+ node.setOpAndDefaultFlags(PhantomArguments);
+ node.children.reset();
+ NodeIndex phantomNodeIndex = m_graph.size();
+ m_graph.append(phantom);
+ insertionSet.append(indexInBlock, phantomNodeIndex);
+ }
+ insertionSet.execute(*block);
+ }
+
if (changed)
m_graph.collectGarbage();
@@ -659,9 +671,13 @@ private:
}
VariableAccessData* variableAccessData = child.variableAccessData();
- if (variableAccessData->isCaptured())
+ if (variableAccessData->isCaptured()) {
+ if (child.local() == m_graph.uncheckedArgumentsRegisterFor(child.codeOrigin)
+ && node.codeOrigin.inlineCallFrame != child.codeOrigin.inlineCallFrame)
+ m_createsArguments.add(child.codeOrigin.inlineCallFrame);
return;
-
+ }
+
ArgumentsAliasingData& data = m_argumentsAliasing.find(variableAccessData)->second;
data.mergeCallContext(node.codeOrigin.inlineCallFrame);
}
diff --git a/Source/JavaScriptCore/dfg/DFGByteCodeParser.cpp b/Source/JavaScriptCore/dfg/DFGByteCodeParser.cpp
index 27e198c75..43157963c 100644
--- a/Source/JavaScriptCore/dfg/DFGByteCodeParser.cpp
+++ b/Source/JavaScriptCore/dfg/DFGByteCodeParser.cpp
@@ -350,8 +350,9 @@ private:
stack->m_argumentPositions[argument]->addVariable(variableAccessData);
NodeIndex nodeIndex = addToGraph(SetLocal, OpInfo(variableAccessData), value);
m_currentBlock->variablesAtTail.argument(argument) = nodeIndex;
- // Always flush arguments.
- addToGraph(Flush, OpInfo(variableAccessData), nodeIndex);
+ // Always flush arguments, except for 'this'.
+ if (argument)
+ addToGraph(Flush, OpInfo(variableAccessData), nodeIndex);
}
VariableAccessData* flushArgument(int operand)
@@ -1582,10 +1583,27 @@ bool ByteCodeParser::parseBlock(unsigned limit)
case op_convert_this: {
NodeIndex op1 = getThis();
- if (m_graph[op1].op() == ConvertThis)
- setThis(op1);
- else
- setThis(addToGraph(ConvertThis, op1));
+ if (m_graph[op1].op() != ConvertThis) {
+ ValueProfile* profile =
+ m_inlineStackTop->m_profiledBlock->valueProfileForBytecodeOffset(m_currentProfilingIndex);
+ profile->computeUpdatedPrediction();
+#if DFG_ENABLE(DEBUG_VERBOSE)
+ dataLog("[@%lu bc#%u]: profile %p: ", m_graph.size(), m_currentProfilingIndex, profile);
+ profile->dump(WTF::dataFile());
+ dataLog("\n");
+#endif
+ if (profile->m_singletonValueIsTop
+ || !profile->m_singletonValue
+ || !profile->m_singletonValue.isCell()
+ || profile->m_singletonValue.asCell()->classInfo() != &Structure::s_info)
+ setThis(addToGraph(ConvertThis, op1));
+ else {
+ addToGraph(
+ CheckStructure,
+ OpInfo(m_graph.addStructureSet(jsCast<Structure*>(profile->m_singletonValue.asCell()))),
+ op1);
+ }
+ }
NEXT_OPCODE(op_convert_this);
}
diff --git a/Source/JavaScriptCore/dfg/DFGCSEPhase.cpp b/Source/JavaScriptCore/dfg/DFGCSEPhase.cpp
index 842bcc236..3eeb70e05 100644
--- a/Source/JavaScriptCore/dfg/DFGCSEPhase.cpp
+++ b/Source/JavaScriptCore/dfg/DFGCSEPhase.cpp
@@ -141,6 +141,22 @@ private:
return NoNode;
}
+ NodeIndex weakConstantCSE(Node& node)
+ {
+ for (unsigned i = endIndexForPureCSE(); i--;) {
+ NodeIndex index = m_currentBlock->at(i);
+ Node& otherNode = m_graph[index];
+ if (otherNode.op() != WeakJSConstant)
+ continue;
+
+ if (otherNode.weakConstant() != node.weakConstant())
+ continue;
+
+ return index;
+ }
+ return NoNode;
+ }
+
NodeIndex impureCSE(Node& node)
{
NodeIndex child1 = canonicalize(node.child1());
@@ -200,6 +216,33 @@ private:
return NoNode;
}
+ NodeIndex globalVarStoreElimination(unsigned varNumber, JSGlobalObject* globalObject)
+ {
+ for (unsigned i = m_indexInBlock; i--;) {
+ NodeIndex index = m_currentBlock->at(i);
+ Node& node = m_graph[index];
+ if (!node.shouldGenerate())
+ continue;
+ switch (node.op()) {
+ case PutGlobalVar:
+ if (node.varNumber() == varNumber && codeBlock()->globalObjectFor(node.codeOrigin) == globalObject)
+ return index;
+ break;
+
+ case GetGlobalVar:
+ if (node.varNumber() == varNumber && codeBlock()->globalObjectFor(node.codeOrigin) == globalObject)
+ return NoNode;
+ break;
+
+ default:
+ break;
+ }
+ if (m_graph.clobbersWorld(index) || node.canExit())
+ return NoNode;
+ }
+ return NoNode;
+ }
+
NodeIndex getByValLoadElimination(NodeIndex child1, NodeIndex child2)
{
for (unsigned i = m_indexInBlock; i--;) {
@@ -304,6 +347,56 @@ private:
return false;
}
+ NodeIndex putStructureStoreElimination(NodeIndex child1)
+ {
+ for (unsigned i = m_indexInBlock; i--;) {
+ NodeIndex index = m_currentBlock->at(i);
+ if (index == child1)
+ break;
+ Node& node = m_graph[index];
+ if (!node.shouldGenerate())
+ break;
+ switch (node.op()) {
+ case CheckStructure:
+ return NoNode;
+
+ case PhantomPutStructure:
+ if (node.child1() == child1) // No need to retrace our steps.
+ return NoNode;
+ break;
+
+ case PutStructure:
+ if (node.child1() == child1)
+ return index;
+ break;
+
+ // PutStructure needs to execute if we GC. Hence this needs to
+ // be careful with respect to nodes that GC.
+ case CreateArguments:
+ case TearOffArguments:
+ case NewFunctionNoCheck:
+ case NewFunction:
+ case NewFunctionExpression:
+ case CreateActivation:
+ case TearOffActivation:
+ case StrCat:
+ case ToPrimitive:
+ case NewRegexp:
+ case NewArrayBuffer:
+ case NewArray:
+ case NewObject:
+ case CreateThis:
+ return NoNode;
+
+ default:
+ break;
+ }
+ if (m_graph.clobbersWorld(index) || node.canExit())
+ return NoNode;
+ }
+ return NoNode;
+ }
+
NodeIndex getByOffsetLoadElimination(unsigned identifierNumber, NodeIndex child1)
{
for (unsigned i = m_indexInBlock; i--;) {
@@ -350,6 +443,52 @@ private:
return NoNode;
}
+ NodeIndex putByOffsetStoreElimination(unsigned identifierNumber, NodeIndex child1)
+ {
+ for (unsigned i = m_indexInBlock; i--;) {
+ NodeIndex index = m_currentBlock->at(i);
+ if (index == child1)
+ break;
+
+ Node& node = m_graph[index];
+ if (!node.shouldGenerate())
+ continue;
+ switch (node.op()) {
+ case GetByOffset:
+ if (m_graph.m_storageAccessData[node.storageAccessDataIndex()].identifierNumber == identifierNumber)
+ return NoNode;
+ break;
+
+ case PutByOffset:
+ if (m_graph.m_storageAccessData[node.storageAccessDataIndex()].identifierNumber == identifierNumber) {
+ if (node.child1() == child1) // Must be same property storage.
+ return index;
+ return NoNode;
+ }
+ break;
+
+ case PutByVal:
+ case PutByValAlias:
+ case GetByVal:
+ if (m_graph.byValIsPure(node)) {
+ // If PutByVal speculates that it's accessing an array with an
+ // integer index, then it's impossible for it to cause a structure
+ // change.
+ break;
+ }
+ return NoNode;
+
+ default:
+ if (m_graph.clobbersWorld(index))
+ return NoNode;
+ break;
+ }
+ if (node.canExit())
+ return NoNode;
+ }
+ return NoNode;
+ }
+
NodeIndex getPropertyStorageLoadElimination(NodeIndex child1)
{
for (unsigned i = m_indexInBlock; i--;) {
@@ -480,6 +619,58 @@ private:
return NoNode;
}
+ // This returns the Flush node that is keeping a SetLocal alive.
+ NodeIndex setLocalStoreElimination(VirtualRegister local)
+ {
+ for (unsigned i = m_indexInBlock; i--;) {
+ NodeIndex index = m_currentBlock->at(i);
+ Node& node = m_graph[index];
+ if (!node.shouldGenerate())
+ continue;
+ switch (node.op()) {
+ case GetLocal:
+ case SetLocal:
+ if (node.local() == local)
+ return NoNode;
+ break;
+
+ case GetLocalUnlinked:
+ if (node.unlinkedLocal() == local)
+ return NoNode;
+ break;
+
+ case Flush: {
+ if (node.local() != local)
+ break;
+ if (!i)
+ break;
+ NodeIndex prevIndex = m_currentBlock->at(i - 1);
+ if (prevIndex != node.child1().index())
+ break;
+ ASSERT(m_graph[prevIndex].local() == local);
+ ASSERT(m_graph[prevIndex].variableAccessData() == node.variableAccessData());
+ ASSERT(m_graph[prevIndex].shouldGenerate());
+ if (m_graph[prevIndex].refCount() > 1)
+ break;
+ return index;
+ }
+
+ case GetScopeChain:
+ if (m_graph.uncheckedActivationRegisterFor(node.codeOrigin) == local)
+ return NoNode;
+ break;
+
+ default:
+ if (m_graph.clobbersWorld(index))
+ return NoNode;
+ break;
+ }
+ if (node.canExit())
+ return NoNode;
+ }
+ return NoNode;
+ }
+
void performSubstitution(Edge& child, bool addRef = true)
{
// Check if this operand is actually unused.
@@ -501,14 +692,16 @@ private:
m_graph[child].ref();
}
- bool setReplacement(NodeIndex replacement)
+ enum PredictionHandlingMode { RequireSamePrediction, AllowPredictionMismatch };
+ bool setReplacement(NodeIndex replacement, PredictionHandlingMode predictionHandlingMode = RequireSamePrediction)
{
if (replacement == NoNode)
return false;
// Be safe. Don't try to perform replacements if the predictions don't
// agree.
- if (m_graph[m_compileIndex].prediction() != m_graph[replacement].prediction())
+ if (predictionHandlingMode == RequireSamePrediction
+ && m_graph[m_compileIndex].prediction() != m_graph[replacement].prediction())
return false;
#if DFG_ENABLE(DEBUG_PROPAGATION_VERBOSE)
@@ -537,6 +730,17 @@ private:
node.setOpAndDefaultFlags(Phantom);
}
+ void eliminate(NodeIndex nodeIndex, NodeType phantomType = Phantom)
+ {
+ if (nodeIndex == NoNode)
+ return;
+ Node& node = m_graph[nodeIndex];
+ if (node.refCount() != 1)
+ return;
+ ASSERT(node.mustGenerate());
+ node.setOpAndDefaultFlags(phantomType);
+ }
+
void performNodeCSE(Node& node)
{
bool shouldGenerate = node.shouldGenerate();
@@ -622,6 +826,12 @@ private:
NodeIndex phiIndex = node.child1().index();
if (!setReplacement(possibleReplacement))
break;
+ // If the GetLocal we replaced used to refer to a SetLocal, then it now
+ // should refer to the child of the SetLocal instead.
+ if (m_graph[phiIndex].op() == SetLocal) {
+ ASSERT(node.child1().index() == phiIndex);
+ m_graph.changeEdge(node.children.child1(), m_graph[phiIndex].child1());
+ }
NodeIndex oldTailIndex = m_currentBlock->variablesAtTail.operand(
variableAccessData->local());
if (oldTailIndex == m_compileIndex) {
@@ -645,10 +855,39 @@ private:
break;
}
+ case SetLocal: {
+ if (m_fixpointState == FixpointNotConverged)
+ break;
+ VariableAccessData* variableAccessData = node.variableAccessData();
+ if (!variableAccessData->isCaptured())
+ break;
+ VirtualRegister local = variableAccessData->local();
+ NodeIndex replacementIndex = setLocalStoreElimination(local);
+ if (replacementIndex == NoNode)
+ break;
+ Node& replacement = m_graph[replacementIndex];
+ ASSERT(replacement.op() == Flush);
+ ASSERT(replacement.refCount() == 1);
+ ASSERT(replacement.shouldGenerate());
+ ASSERT(replacement.mustGenerate());
+ replacement.setOpAndDefaultFlags(Phantom);
+ NodeIndex setLocalIndex = replacement.child1().index();
+ ASSERT(m_graph[setLocalIndex].op() == SetLocal);
+ m_graph.clearAndDerefChild1(replacement);
+ replacement.children.child1() = m_graph[setLocalIndex].child1();
+ m_graph.ref(replacement.child1());
+ break;
+ }
+
case JSConstant:
// This is strange, but necessary. Some phases will convert nodes to constants,
// which may result in duplicated constants. We use CSE to clean this up.
- setReplacement(constantCSE(node));
+ setReplacement(constantCSE(node), AllowPredictionMismatch);
+ break;
+
+ case WeakJSConstant:
+ // FIXME: have CSE for weak constants against strong constants and vice-versa.
+ setReplacement(weakConstantCSE(node));
break;
case GetArrayLength:
@@ -681,6 +920,12 @@ private:
setReplacement(globalVarLoadElimination(node.varNumber(), codeBlock()->globalObjectFor(node.codeOrigin)));
break;
+ case PutGlobalVar:
+ if (m_fixpointState == FixpointNotConverged)
+ break;
+ eliminate(globalVarStoreElimination(node.varNumber(), codeBlock()->globalObjectFor(node.codeOrigin)));
+ break;
+
case GetByVal:
if (m_graph.byValIsPure(node))
setReplacement(getByValLoadElimination(node.child1().index(), node.child2().index()));
@@ -697,6 +942,12 @@ private:
if (checkStructureLoadElimination(node.structureSet(), node.child1().index()))
eliminate();
break;
+
+ case PutStructure:
+ if (m_fixpointState == FixpointNotConverged)
+ break;
+ eliminate(putStructureStoreElimination(node.child1().index()), PhantomPutStructure);
+ break;
case CheckFunction:
if (checkFunctionElimination(node.function(), node.child1().index()))
@@ -718,6 +969,12 @@ private:
setReplacement(getByOffsetLoadElimination(m_graph.m_storageAccessData[node.storageAccessDataIndex()].identifierNumber, node.child1().index()));
break;
+ case PutByOffset:
+ if (m_fixpointState == FixpointNotConverged)
+ break;
+ eliminate(putByOffsetStoreElimination(m_graph.m_storageAccessData[node.storageAccessDataIndex()].identifierNumber, node.child1().index()));
+ break;
+
default:
// do nothing.
break;
diff --git a/Source/JavaScriptCore/dfg/DFGGraph.h b/Source/JavaScriptCore/dfg/DFGGraph.h
index 52654d23b..8ca3e2047 100644
--- a/Source/JavaScriptCore/dfg/DFGGraph.h
+++ b/Source/JavaScriptCore/dfg/DFGGraph.h
@@ -352,6 +352,12 @@ public:
codeOrigin.inlineCallFrame->stackOffset;
}
+ int uncheckedActivationRegisterFor(const CodeOrigin& codeOrigin)
+ {
+ ASSERT_UNUSED(codeOrigin, !codeOrigin.inlineCallFrame);
+ return m_codeBlock->uncheckedActivationRegister();
+ }
+
ValueProfile* valueProfileFor(NodeIndex nodeIndex)
{
if (nodeIndex == NoNode)
diff --git a/Source/JavaScriptCore/dfg/DFGNode.h b/Source/JavaScriptCore/dfg/DFGNode.h
index 1dbfccb8a..12ebba823 100644
--- a/Source/JavaScriptCore/dfg/DFGNode.h
+++ b/Source/JavaScriptCore/dfg/DFGNode.h
@@ -201,9 +201,21 @@ struct Node {
return op() == WeakJSConstant;
}
+ bool isPhantomArguments()
+ {
+ return op() == PhantomArguments;
+ }
+
bool hasConstant()
{
- return isConstant() || isWeakConstant();
+ switch (op()) {
+ case JSConstant:
+ case WeakJSConstant:
+ case PhantomArguments:
+ return true;
+ default:
+ return false;
+ }
}
unsigned constantNumber()
@@ -234,14 +246,23 @@ struct Node {
JSCell* weakConstant()
{
+ ASSERT(op() == WeakJSConstant);
return bitwise_cast<JSCell*>(m_opInfo);
}
JSValue valueOfJSConstant(CodeBlock* codeBlock)
{
- if (op() == WeakJSConstant)
+ switch (op()) {
+ case WeakJSConstant:
return JSValue(weakConstant());
- return codeBlock->constantRegister(FirstConstantRegisterIndex + constantNumber()).get();
+ case JSConstant:
+ return codeBlock->constantRegister(FirstConstantRegisterIndex + constantNumber()).get();
+ case PhantomArguments:
+ return JSValue();
+ default:
+ ASSERT_NOT_REACHED();
+ return JSValue(); // Have to return something in release mode.
+ }
}
bool isInt32Constant(CodeBlock* codeBlock)
@@ -589,7 +610,7 @@ struct Node {
bool hasStructureTransitionData()
{
- return op() == PutStructure;
+ return op() == PutStructure || op() == PhantomPutStructure;
}
StructureTransitionData& structureTransitionData()
diff --git a/Source/JavaScriptCore/dfg/DFGNodeType.h b/Source/JavaScriptCore/dfg/DFGNodeType.h
index 091f96c6f..743f87955 100644
--- a/Source/JavaScriptCore/dfg/DFGNodeType.h
+++ b/Source/JavaScriptCore/dfg/DFGNodeType.h
@@ -37,11 +37,11 @@ namespace JSC { namespace DFG {
// This macro defines a set of information about all known node types, used to populate NodeId, NodeType below.
#define FOR_EACH_DFG_OP(macro) \
/* A constant in the CodeBlock's constant pool. */\
- macro(JSConstant, NodeResultJS) \
+ macro(JSConstant, NodeResultJS | NodeDoesNotExit) \
\
/* A constant not in the CodeBlock's constant pool. Uses get patched to jumps that exit the */\
/* code block. */\
- macro(WeakJSConstant, NodeResultJS) \
+ macro(WeakJSConstant, NodeResultJS | NodeDoesNotExit) \
\
/* Nodes for handling functions (both as call and as construct). */\
macro(ConvertThis, NodeResultJS) \
@@ -53,10 +53,10 @@ namespace JSC { namespace DFG {
/* VariableAccessData, and thus will share predictions. */\
macro(GetLocal, NodeResultJS) \
macro(SetLocal, 0) \
- macro(Phantom, NodeMustGenerate) \
- macro(Nop, 0) \
- macro(Phi, 0) \
- macro(Flush, NodeMustGenerate) \
+ macro(Phantom, NodeMustGenerate | NodeDoesNotExit) \
+ macro(Nop, 0 | NodeDoesNotExit) \
+ macro(Phi, 0 | NodeDoesNotExit) \
+ macro(Flush, NodeMustGenerate | NodeDoesNotExit) \
\
/* Get the value of a local variable, without linking into the VariableAccessData */\
/* network. This is only valid for variable accesses whose predictions originated */\
@@ -64,12 +64,12 @@ namespace JSC { namespace DFG {
macro(GetLocalUnlinked, NodeResultJS) \
\
/* Marker for an argument being set at the prologue of a function. */\
- macro(SetArgument, 0) \
+ macro(SetArgument, 0 | NodeDoesNotExit) \
\
/* Hint that inlining begins here. No code is generated for this node. It's only */\
/* used for copying OSR data into inline frame data, to support reification of */\
/* call frames of inlined functions. */\
- macro(InlineStart, 0) \
+ macro(InlineStart, 0 | NodeDoesNotExit) \
\
/* Nodes for bitwise operations. */\
macro(BitAnd, NodeResultInt32) \
@@ -118,11 +118,12 @@ namespace JSC { namespace DFG {
macro(PutById, NodeMustGenerate | NodeClobbersWorld) \
macro(PutByIdDirect, NodeMustGenerate | NodeClobbersWorld) \
macro(CheckStructure, NodeMustGenerate) \
- macro(PutStructure, NodeMustGenerate | NodeClobbersWorld) \
+ macro(PutStructure, NodeMustGenerate) \
+ macro(PhantomPutStructure, NodeMustGenerate | NodeDoesNotExit) \
macro(GetPropertyStorage, NodeResultStorage) \
macro(GetIndexedPropertyStorage, NodeMustGenerate | NodeResultStorage) \
macro(GetByOffset, NodeResultJS) \
- macro(PutByOffset, NodeMustGenerate | NodeClobbersWorld) \
+ macro(PutByOffset, NodeMustGenerate) \
macro(GetArrayLength, NodeResultInt32) \
macro(GetArgumentsLength, NodeResultInt32) \
macro(GetStringLength, NodeResultInt32) \
@@ -139,7 +140,7 @@ namespace JSC { namespace DFG {
macro(GetScopedVar, NodeResultJS | NodeMustGenerate) \
macro(PutScopedVar, NodeMustGenerate | NodeClobbersWorld) \
macro(GetGlobalVar, NodeResultJS | NodeMustGenerate) \
- macro(PutGlobalVar, NodeMustGenerate | NodeClobbersWorld) \
+ macro(PutGlobalVar, NodeMustGenerate) \
macro(CheckFunction, NodeMustGenerate) \
\
/* Optimizations for array mutation. */\
@@ -201,6 +202,7 @@ namespace JSC { namespace DFG {
/* Nodes used for arguments. Similar to activation support, only it makes even less */\
/* sense. */\
macro(CreateArguments, NodeResultJS) \
+ macro(PhantomArguments, NodeResultJS | NodeDoesNotExit) \
macro(TearOffArguments, NodeMustGenerate) \
macro(GetMyArgumentsLength, NodeResultJS | NodeMustGenerate) \
macro(GetMyArgumentByVal, NodeResultJS | NodeMustGenerate) \
diff --git a/Source/JavaScriptCore/dfg/DFGPredictionPropagationPhase.cpp b/Source/JavaScriptCore/dfg/DFGPredictionPropagationPhase.cpp
index de01adb1f..75f0b7a74 100644
--- a/Source/JavaScriptCore/dfg/DFGPredictionPropagationPhase.cpp
+++ b/Source/JavaScriptCore/dfg/DFGPredictionPropagationPhase.cpp
@@ -618,7 +618,9 @@ private:
case DoubleAsInt32:
case GetLocalUnlinked:
case GetMyArgumentsLength:
- case GetMyArgumentByVal: {
+ case GetMyArgumentByVal:
+ case PhantomPutStructure:
+ case PhantomArguments: {
// This node should never be visible at this stage of compilation. It is
// inserted by fixup(), which follows this phase.
ASSERT_NOT_REACHED();
diff --git a/Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp b/Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp
index db71fc01f..caa21aabf 100644
--- a/Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp
+++ b/Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp
@@ -1360,13 +1360,15 @@ ValueRecovery SpeculativeJIT::computeValueRecoveryFor(const ValueSource& valueSo
return ValueRecovery::argumentsThatWereNotCreated();
case HaveNode: {
- if (isConstant(valueSource.nodeIndex()))
+ Node* nodePtr = &at(valueSource.nodeIndex());
+
+ if (nodePtr->isPhantomArguments())
+ return ValueRecovery::argumentsThatWereNotCreated();
+
+ if (nodePtr->hasConstant())
return ValueRecovery::constant(valueOfJSConstant(valueSource.nodeIndex()));
- Node* nodePtr = &at(valueSource.nodeIndex());
if (!nodePtr->shouldGenerate()) {
- if (nodePtr->op() == CreateArguments)
- return ValueRecovery::argumentsThatWereNotCreated();
// It's legitimately dead. As in, nobody will ever use this node, or operand,
// ever. Set it to Undefined to make the GC happy after the OSR.
return ValueRecovery::constant(jsUndefined());
diff --git a/Source/JavaScriptCore/dfg/DFGSpeculativeJIT32_64.cpp b/Source/JavaScriptCore/dfg/DFGSpeculativeJIT32_64.cpp
index 637e335a3..6c0093e41 100644
--- a/Source/JavaScriptCore/dfg/DFGSpeculativeJIT32_64.cpp
+++ b/Source/JavaScriptCore/dfg/DFGSpeculativeJIT32_64.cpp
@@ -1848,6 +1848,7 @@ void SpeculativeJIT::compile(Node& node)
switch (op) {
case JSConstant:
+ case PhantomArguments:
initConstantInfo(m_compileIndex);
break;
@@ -3429,6 +3430,15 @@ void SpeculativeJIT::compile(Node& node)
break;
}
+ case PhantomPutStructure: {
+ m_jit.addWeakReferenceTransition(
+ node.codeOrigin.codeOriginOwner(),
+ node.structureTransitionData().previousStructure,
+ node.structureTransitionData().newStructure);
+ noResult(m_compileIndex);
+ break;
+ }
+
case PutStructure: {
SpeculateCellOperand base(this, node.child1());
GPRReg baseGPR = base.gpr();
diff --git a/Source/JavaScriptCore/dfg/DFGSpeculativeJIT64.cpp b/Source/JavaScriptCore/dfg/DFGSpeculativeJIT64.cpp
index 543e2b913..e4939b23a 100644
--- a/Source/JavaScriptCore/dfg/DFGSpeculativeJIT64.cpp
+++ b/Source/JavaScriptCore/dfg/DFGSpeculativeJIT64.cpp
@@ -1924,6 +1924,7 @@ void SpeculativeJIT::compile(Node& node)
switch (op) {
case JSConstant:
+ case PhantomArguments:
initConstantInfo(m_compileIndex);
break;
@@ -3463,6 +3464,15 @@ void SpeculativeJIT::compile(Node& node)
break;
}
+ case PhantomPutStructure: {
+ m_jit.addWeakReferenceTransition(
+ node.codeOrigin.codeOriginOwner(),
+ node.structureTransitionData().previousStructure,
+ node.structureTransitionData().newStructure);
+ noResult(m_compileIndex);
+ break;
+ }
+
case PutStructure: {
SpeculateCellOperand base(this, node.child1());
GPRReg baseGPR = base.gpr();
View Lorry Controller Status