1. 23 Aug, 2013 1 commit
    • fpizlo@apple.com's avatar
      build-jsc --ftl-jit should work · 67aa405d
      fpizlo@apple.com authored
      https://bugs.webkit.org/show_bug.cgi?id=120194
      
      Reviewed by Oliver Hunt.
      
      Source/JavaScriptCore: 
      
      * Configurations/Base.xcconfig: CPPFLAGS should include FEATURE_DEFINES
      * Configurations/JSC.xcconfig: The 'jsc' tool includes headers where field layout may depend on FEATURE_DEFINES
      * Configurations/ToolExecutable.xcconfig: All other tools include headers where field layout may depend on FEATURE_DEFINES
      * ftl/FTLLowerDFGToLLVM.cpp: Build fix
      (JSC::FTL::LowerDFGToLLVM::compilePutStructure):
      (JSC::FTL::LowerDFGToLLVM::compilePhantomPutStructure):
      
      Source/WTF: 
      
      * wtf/LLVMHeaders.h: I don't know what went wrong here. If HAVE(LLVM), then we need those headers!
      
      Tools: 
      
      * Scripts/build-jsc: Need to pass the feature flag to xcodebuild
      
      
      
      git-svn-id: http://svn.webkit.org/repository/webkit/trunk@154509 268f45cc-cd09-0410-ab3c-d52691b4dbfc
      67aa405d
  2. 24 Jul, 2013 39 commits
    • oliver@apple.com's avatar
      fourthTier: DFG IR dumps should be easier to read · 237b1464
      oliver@apple.com authored
      https://bugs.webkit.org/show_bug.cgi?id=119050
      
      Source/JavaScriptCore:
      
      Reviewed by Mark Hahnenberg.
      
      Added a DumpContext that includes support for printing an endnote
      that describes all structures in full, while the main flow of the
      dump just uses made-up names for the structures. This is helpful
      since Structure::dump() may print a lot. The stuff it prints is
      useful, but if it's all inline with the surrounding thing you're
      dumping (often, a node in the DFG), then you get a ridiculously
      long print-out. All classes that dump structures (including
      Structure itself) now have dumpInContext() methods that use
      inContext() for dumping anything that might transitively print a
      structure. If Structure::dumpInContext() is called with a NULL
      context, it just uses dump() like before. Hence you don't have to
      know anything about DumpContext unless you want to.
      
      inContext(*structure, context) dumps something like %B4:Array,
      and the endnote will have something like:
      
          %B4:Array    = 0x10e91a180:[Array, {Edge:100, Normal:101, Line:102, NumPx:103, LastPx:104}, ArrayWithContiguous, Proto:0x10e99ffe0]
      
      where B4 is the inferred name that StringHashDumpContext came up
      with.
      
      Also shortened a bunch of other dumps, removing information that
      isn't so important.
      
      * JavaScriptCore.xcodeproj/project.pbxproj:
      * bytecode/ArrayProfile.cpp:
      (JSC::dumpArrayModes):
      * bytecode/CodeBlockHash.cpp:
      (JSC):
      (JSC::CodeBlockHash::CodeBlockHash):
      (JSC::CodeBlockHash::dump):
      * bytecode/CodeOrigin.cpp:
      (JSC::CodeOrigin::dumpInContext):
      (JSC):
      (JSC::InlineCallFrame::dumpInContext):
      (JSC::InlineCallFrame::dump):
      * bytecode/CodeOrigin.h:
      (CodeOrigin):
      (InlineCallFrame):
      * bytecode/Operands.h:
      (JSC::OperandValueTraits::isEmptyForDump):
      (Operands):
      (JSC::Operands::dump):
      (JSC):
      * bytecode/OperandsInlines.h: Added.
      (JSC):
      (JSC::::dumpInContext):
      * bytecode/StructureSet.h:
      (JSC::StructureSet::dumpInContext):
      (JSC::StructureSet::dump):
      (StructureSet):
      * dfg/DFGAbstractValue.cpp:
      (JSC::DFG::AbstractValue::dump):
      (DFG):
      (JSC::DFG::AbstractValue::dumpInContext):
      * dfg/DFGAbstractValue.h:
      (JSC::DFG::AbstractValue::operator!):
      (AbstractValue):
      * dfg/DFGCFAPhase.cpp:
      (JSC::DFG::CFAPhase::performBlockCFA):
      * dfg/DFGCommon.cpp:
      * dfg/DFGCommon.h:
      (JSC::DFG::NodePointerTraits::isEmptyForDump):
      * dfg/DFGDisassembler.cpp:
      (JSC::DFG::Disassembler::createDumpList):
      * dfg/DFGDisassembler.h:
      (Disassembler):
      * dfg/DFGFlushFormat.h:
      (WTF::inContext):
      (WTF):
      * dfg/DFGFlushLivenessAnalysisPhase.cpp:
      * dfg/DFGGraph.cpp:
      (JSC::DFG::Graph::dumpCodeOrigin):
      (JSC::DFG::Graph::dump):
      (JSC::DFG::Graph::dumpBlockHeader):
      * dfg/DFGGraph.h:
      (Graph):
      * dfg/DFGLazyJSValue.cpp:
      (JSC::DFG::LazyJSValue::dumpInContext):
      (JSC::DFG::LazyJSValue::dump):
      (DFG):
      * dfg/DFGLazyJSValue.h:
      (LazyJSValue):
      * dfg/DFGNode.h:
      (JSC::DFG::nodeMapDump):
      (WTF::inContext):
      (WTF):
      * dfg/DFGOSRExitCompiler32_64.cpp:
      (JSC::DFG::OSRExitCompiler::compileExit):
      * dfg/DFGOSRExitCompiler64.cpp:
      (JSC::DFG::OSRExitCompiler::compileExit):
      * dfg/DFGStructureAbstractValue.h:
      (JSC::DFG::StructureAbstractValue::dumpInContext):
      (JSC::DFG::StructureAbstractValue::dump):
      (StructureAbstractValue):
      * ftl/FTLExitValue.cpp:
      (JSC::FTL::ExitValue::dumpInContext):
      (JSC::FTL::ExitValue::dump):
      (FTL):
      * ftl/FTLExitValue.h:
      (ExitValue):
      * ftl/FTLLowerDFGToLLVM.cpp:
      * ftl/FTLValueSource.cpp:
      (JSC::FTL::ValueSource::dumpInContext):
      (FTL):
      * ftl/FTLValueSource.h:
      (ValueSource):
      * runtime/DumpContext.cpp: Added.
      (JSC):
      (JSC::DumpContext::DumpContext):
      (JSC::DumpContext::~DumpContext):
      (JSC::DumpContext::isEmpty):
      (JSC::DumpContext::dump):
      * runtime/DumpContext.h: Added.
      (JSC):
      (DumpContext):
      * runtime/JSCJSValue.cpp:
      (JSC::JSValue::dump):
      (JSC):
      (JSC::JSValue::dumpInContext):
      * runtime/JSCJSValue.h:
      (JSC):
      (JSValue):
      * runtime/Structure.cpp:
      (JSC::Structure::dumpInContext):
      (JSC):
      (JSC::Structure::dumpBrief):
      (JSC::Structure::dumpContextHeader):
      * runtime/Structure.h:
      (JSC):
      (Structure):
      
      Source/WTF:
      
      Reviewed by Mark Hahnenberg.
      
      Added support for dumping values within a context. By default, if you say
      print(inContext(value, context)) it calls value.dumpInContext(out, context)
      instead of value.dump(out).
      
      Hoisted the support for six-character hashes out of JSC::CodeBlockHash into
      WTF, in the form of SixCharacterHash.h.
      
      Added a helper for creating dump contexts where the inContext() dump will
      just use a short string hash to "name" the object being dumped, and then
      will print out the full dumps in an endnote to your dump.
      
      Added support for using CString as a hashtable key.
      
      * WTF.xcodeproj/project.pbxproj:
      * wtf/PrintStream.h:
      (WTF):
      (ValueInContext):
      (WTF::ValueInContext::ValueInContext):
      (WTF::ValueInContext::dump):
      (WTF::inContext):
      * wtf/SixCharacterHash.cpp: Added.
      (WTF):
      (WTF::sixCharacterHashStringToInteger):
      (WTF::integerToSixCharacterHashString):
      * wtf/SixCharacterHash.h: Added.
      (WTF):
      * wtf/StringHashDumpContext.h: Added.
      (WTF):
      (StringHashDumpContext):
      (WTF::StringHashDumpContext::StringHashDumpContext):
      (WTF::StringHashDumpContext::getID):
      (WTF::StringHashDumpContext::dumpBrief):
      (WTF::StringHashDumpContext::brief):
      (WTF::StringHashDumpContext::isEmpty):
      (WTF::StringHashDumpContext::dump):
      * wtf/text/CString.cpp:
      (WTF::CString::hash):
      (WTF):
      (WTF::operator<):
      (WTF::CStringHash::equal):
      * wtf/text/CString.h:
      (WTF::CString::CString):
      (CString):
      (WTF::CString::isHashTableDeletedValue):
      (WTF):
      (WTF::CStringHash::hash):
      (CStringHash):
      
      git-svn-id: http://svn.webkit.org/repository/webkit/trunk@153296 268f45cc-cd09-0410-ab3c-d52691b4dbfc
      237b1464
    • oliver@apple.com's avatar
      fourthTier: DFG should do a high-level LICM before going to FTL · e17632e6
      oliver@apple.com authored
      https://bugs.webkit.org/show_bug.cgi?id=118749
      
      Reviewed by Oliver Hunt.
      
      Implements LICM hoisting for nodes that never write anything and never read
      things that are clobbered by the loop. There are some other preconditions for
      hoisting, see DFGLICMPhase.cpp.
      
      Also did a few fixes:
      
      - ClobberSet::add was failing to switch Super entries to Direct entries in
        some cases.
      
      - DFGClobberize.cpp needed to #include "Operations.h".
      
      - DCEPhase needs to process the graph in reverse DFS order, when we're in SSA.
      
      - AbstractInterpreter can now execute a Node without knowing its indexInBlock.
        Knowing the indexInBlock is an optional optimization that all other clients
        of AI still opt into, but LICM doesn't.
      
      This makes the FTL a 2.19x speed-up on imaging-gaussian-blur.
      
      * JavaScriptCore.xcodeproj/project.pbxproj:
      * dfg/DFGAbstractInterpreter.h:
      (AbstractInterpreter):
      * dfg/DFGAbstractInterpreterInlines.h:
      (JSC::DFG::::executeEffects):
      (JSC::DFG::::execute):
      (DFG):
      (JSC::DFG::::clobberWorld):
      (JSC::DFG::::clobberStructures):
      * dfg/DFGAtTailAbstractState.cpp: Added.
      (DFG):
      (JSC::DFG::AtTailAbstractState::AtTailAbstractState):
      (JSC::DFG::AtTailAbstractState::~AtTailAbstractState):
      (JSC::DFG::AtTailAbstractState::createValueForNode):
      (JSC::DFG::AtTailAbstractState::forNode):
      * dfg/DFGAtTailAbstractState.h: Added.
      (DFG):
      (AtTailAbstractState):
      (JSC::DFG::AtTailAbstractState::initializeTo):
      (JSC::DFG::AtTailAbstractState::forNode):
      (JSC::DFG::AtTailAbstractState::variables):
      (JSC::DFG::AtTailAbstractState::block):
      (JSC::DFG::AtTailAbstractState::isValid):
      (JSC::DFG::AtTailAbstractState::setDidClobber):
      (JSC::DFG::AtTailAbstractState::setIsValid):
      (JSC::DFG::AtTailAbstractState::setBranchDirection):
      (JSC::DFG::AtTailAbstractState::setFoundConstants):
      (JSC::DFG::AtTailAbstractState::haveStructures):
      (JSC::DFG::AtTailAbstractState::setHaveStructures):
      * dfg/DFGBasicBlock.h:
      (JSC::DFG::BasicBlock::insertBeforeLast):
      * dfg/DFGBasicBlockInlines.h:
      (DFG):
      * dfg/DFGClobberSet.cpp:
      (JSC::DFG::ClobberSet::add):
      (JSC::DFG::ClobberSet::addAll):
      * dfg/DFGClobberize.cpp:
      (JSC::DFG::doesWrites):
      * dfg/DFGClobberize.h:
      (DFG):
      * dfg/DFGDCEPhase.cpp:
      (JSC::DFG::DCEPhase::DCEPhase):
      (JSC::DFG::DCEPhase::run):
      (JSC::DFG::DCEPhase::fixupBlock):
      (DCEPhase):
      * dfg/DFGEdgeDominates.h: Added.
      (DFG):
      (EdgeDominates):
      (JSC::DFG::EdgeDominates::EdgeDominates):
      (JSC::DFG::EdgeDominates::operator()):
      (JSC::DFG::EdgeDominates::result):
      (JSC::DFG::edgesDominate):
      * dfg/DFGFixupPhase.cpp:
      (JSC::DFG::FixupPhase::fixupNode):
      (JSC::DFG::FixupPhase::checkArray):
      * dfg/DFGLICMPhase.cpp: Added.
      (LICMPhase):
      (JSC::DFG::LICMPhase::LICMPhase):
      (JSC::DFG::LICMPhase::run):
      (JSC::DFG::LICMPhase::attemptHoist):
      (DFG):
      (JSC::DFG::performLICM):
      * dfg/DFGLICMPhase.h: Added.
      (DFG):
      * dfg/DFGPlan.cpp:
      (JSC::DFG::Plan::compileInThreadImpl):
      
      git-svn-id: http://svn.webkit.org/repository/webkit/trunk@153295 268f45cc-cd09-0410-ab3c-d52691b4dbfc
      e17632e6
    • oliver@apple.com's avatar
      fourthTier: NodeExitsForward shouldn't be duplicated in NodeType · 500b53ae
      oliver@apple.com authored
      https://bugs.webkit.org/show_bug.cgi?id=118956
      
      Reviewed by Sam Weinig.
      
      We had two way of expressing that something exits forward: the NodeExitsForward
      flag and the word 'Forward' in the NodeType. That's kind of dumb. This patch
      makes it just be a flag.
      
      * dfg/DFGAbstractInterpreterInlines.h:
      (JSC::DFG::::executeEffects):
      * dfg/DFGArgumentsSimplificationPhase.cpp:
      (JSC::DFG::ArgumentsSimplificationPhase::run):
      * dfg/DFGCSEPhase.cpp:
      (JSC::DFG::CSEPhase::int32ToDoubleCSE):
      (JSC::DFG::CSEPhase::checkStructureElimination):
      (JSC::DFG::CSEPhase::structureTransitionWatchpointElimination):
      (JSC::DFG::CSEPhase::putStructureStoreElimination):
      (JSC::DFG::CSEPhase::checkArrayElimination):
      (JSC::DFG::CSEPhase::performNodeCSE):
      * dfg/DFGConstantFoldingPhase.cpp:
      (JSC::DFG::ConstantFoldingPhase::foldConstants):
      * dfg/DFGFixupPhase.cpp:
      (JSC::DFG::FixupPhase::fixupNode):
      (JSC::DFG::FixupPhase::injectInt32ToDoubleNode):
      * dfg/DFGMinifiedNode.h:
      (JSC::DFG::belongsInMinifiedGraph):
      (JSC::DFG::MinifiedNode::hasChild):
      * dfg/DFGNode.h:
      (JSC::DFG::Node::convertToStructureTransitionWatchpoint):
      (JSC::DFG::Node::hasStructureSet):
      (JSC::DFG::Node::hasStructure):
      (JSC::DFG::Node::hasArrayMode):
      (JSC::DFG::Node::willHaveCodeGenOrOSR):
      * dfg/DFGNodeType.h:
      (DFG):
      (JSC::DFG::needsOSRForwardRewiring):
      * dfg/DFGPredictionPropagationPhase.cpp:
      (JSC::DFG::PredictionPropagationPhase::propagate):
      * dfg/DFGSafeToExecute.h:
      (JSC::DFG::safeToExecute):
      * dfg/DFGSpeculativeJIT.cpp:
      (JSC::DFG::SpeculativeJIT::compileInt32ToDouble):
      * dfg/DFGSpeculativeJIT32_64.cpp:
      (JSC::DFG::SpeculativeJIT::compile):
      * dfg/DFGSpeculativeJIT64.cpp:
      (JSC::DFG::SpeculativeJIT::compile):
      * dfg/DFGTypeCheckHoistingPhase.cpp:
      (JSC::DFG::TypeCheckHoistingPhase::run):
      (JSC::DFG::TypeCheckHoistingPhase::identifyRedundantStructureChecks):
      (JSC::DFG::TypeCheckHoistingPhase::identifyRedundantArrayChecks):
      * dfg/DFGVariableEventStream.cpp:
      (JSC::DFG::VariableEventStream::reconstruct):
      * ftl/FTLCapabilities.cpp:
      (JSC::FTL::canCompile):
      * ftl/FTLLowerDFGToLLVM.cpp:
      (JSC::FTL::LowerDFGToLLVM::compileNode):
      (JSC::FTL::LowerDFGToLLVM::addExitArgumentForNode):
      
      git-svn-id: http://svn.webkit.org/repository/webkit/trunk@153292 268f45cc-cd09-0410-ab3c-d52691b4dbfc
      500b53ae
    • oliver@apple.com's avatar
      fourthTier: It should be possible for a DFG::Node to claim to exit to one... · cf49616a
      oliver@apple.com authored
      fourthTier: It should be possible for a DFG::Node to claim to exit to one CodeOrigin, but then claim that it belongs to a different CodeOrigin for all other purposes
      https://bugs.webkit.org/show_bug.cgi?id=118946
      
      Reviewed by Geoffrey Garen.
      
      We want to decouple the exit target code origin of a node from the code origin
      for all other purposes. The purposes of code origins are:
      
      - Where the node will exit, if it exits. The exit target should be consistent with
        the surrounding nodes, in that if you just looked at the code origins of nodes in
        the graph, they would be consistent with the code origins in bytecode. This is
        necessary for live-at-bytecode analyses to work, and to preserve the original
        bytecode semantics when exiting.
      
      - What kind of code the node came from, for semantics thingies. For example, we
        might use the code origin to find the node's global object for doing an original
        array check. Or we might use it to determine if the code is in strict mode. Or
        other similar things. When we use the code origin in this way, we're basically
        using it as a way of describing the node's meta-data without putting it into the
        node directly, to save space. In the absurd extreme you could imagine nodes not
        even having NodeTypes or NodeFlags, and just using the CodeOrigin to determine
        what bytecode the node originated from. We won't do that, but you can think of
        this use of code origins as just a way of compressing meta-data.
      
      - What code origin we should supply profiling to, if we exit. This is closely
        related to the semantics thingies, in that the exit profiling is a persistent
        kind of semantic meta-data that survives between recompiles, and the only way to
        do that is to ascribe it to the original bytecode via the code origin.
      
      If we hoist a node, we need to change the exit target code origin, but we must not
      change the code origin for other purposes. The best way to do this is to decouple
      the two kinds of code origin.
      
      OSR exit data structures already do this, because they may edit the exit target
      code origin while keeping the code origin for profiling intact. This happens for
      forward exits. So, we just need to thread separation all the way back to DFG::Node.
      That's what this patch does.
      
      * dfg/DFGNode.h:
      (JSC::DFG::Node::Node):
      (Node):
      * dfg/DFGOSRExit.cpp:
      (JSC::DFG::OSRExit::OSRExit):
      * dfg/DFGOSRExitBase.h:
      (JSC::DFG::OSRExitBase::OSRExitBase):
      * dfg/DFGSpeculativeJIT.cpp:
      (JSC::DFG::SpeculativeJIT::compileCurrentBlock):
      (JSC::DFG::SpeculativeJIT::checkArgumentTypes):
      * dfg/DFGSpeculativeJIT.h:
      (SpeculativeJIT):
      * ftl/FTLLowerDFGToLLVM.cpp:
      (JSC::FTL::LowerDFGToLLVM::compileNode):
      (JSC::FTL::LowerDFGToLLVM::appendOSRExit):
      (LowerDFGToLLVM):
      * ftl/FTLOSRExit.cpp:
      (JSC::FTL::OSRExit::OSRExit):
      * ftl/FTLOSRExit.h:
      (OSRExit):
      
      git-svn-id: http://svn.webkit.org/repository/webkit/trunk@153291 268f45cc-cd09-0410-ab3c-d52691b4dbfc
      cf49616a
    • oliver@apple.com's avatar
      fourthTier: FTL should be able to generate LLVM IR that uses an intrinsic for OSR exit · 6d1bb643
      oliver@apple.com authored
      https://bugs.webkit.org/show_bug.cgi?id=118948
      
      Source/JavaScriptCore:
      
      Reviewed by Sam Weinig.
      
      - Add the ability to generate LLVM IR but then not use it, via --llvmAlwaysFails=true.
        This allows doing "what if" experiments with IR generation, even if the generated IR
        can't yet execute.
      
      - Add an OSR exit path that just calls an intrinsic that combines the branch and the
        off-ramp.
      
      * JavaScriptCore.xcodeproj/project.pbxproj:
      * dfg/DFGPlan.cpp:
      (JSC::DFG::Plan::compileInThreadImpl):
      * ftl/FTLFail.cpp: Added.
      (FTL):
      (JSC::FTL::fail):
      * ftl/FTLFail.h: Added.
      (FTL):
      * ftl/FTLIntrinsicRepository.h:
      (FTL):
      * ftl/FTLLowerDFGToLLVM.cpp:
      (JSC::FTL::LowerDFGToLLVM::appendOSRExit):
      (JSC::FTL::LowerDFGToLLVM::emitOSRExitCall):
      * runtime/Options.h:
      (JSC):
      
      Tools:
      
      Reviewed by Sam Weinig.
      
      - Make ReducedFTL capable of dealing with code that uses the fake OSR exit intrinsic,
        by exporting it as a function.
      
      - Make combineModules.rb idempotent. Sometimes it's convenient to run a file through
        it even if you know that you've already done so. See processIRDump.sh.
      
      - Add a script, processIRDump.sh, that takes the output of --dumpLLVMIR=true and
        runs it through ReducedFTL automatically. You typically want to say something like:
      
        jsc --dumpLLVMIR=true <program(s)> > jsc-output.txt
        ./processIRDump.sh --timing < jsc-output.txt
      
      * ReducedFTL/ReducedFTL.c:
      (webkit_osr_exit):
      * ReducedFTL/combineModules.rb:
      * ReducedFTL/processIRDump.sh: Added.
      
      git-svn-id: http://svn.webkit.org/repository/webkit/trunk@153289 268f45cc-cd09-0410-ab3c-d52691b4dbfc
      6d1bb643
    • oliver@apple.com's avatar
      fourthTier: Structure should be able to tell you if it's valid to load at a... · 0402d951
      oliver@apple.com authored
      fourthTier: Structure should be able to tell you if it's valid to load at a given offset from any object with that structure
      https://bugs.webkit.org/show_bug.cgi?id=118878
      
      Reviewed by Oliver Hunt.
      
      - Change Structure::isValidOffset() to actually answer the question "If I attempted
        to load from an object of this structure, at this offset, would I commit suicide
        or would I get back some kind of value?"
      
      - Change StorageAccessData::offset to use a PropertyOffset. It should have been that
        way from the start.
      
      - Fix PutStructure so that it sets haveStructures in all of the cases that it should.
      
      - Make GetByOffset also reference the base object in addition to the butterfly.
      
      The future use of this power will be to answer questions like "If I hoisted this
      GetByOffset or PutByOffset to this point, would it cause crashes, or would it be
      fine?"
      
      I don't currently plan to use this power to perform validation, since the CSE has
      the power to eliminate CheckStructure's that the CFA wouldn't be smart enough to
      remove - both in the case of StructureSets where size >= 2 and in the case of
      CheckStructures that match across PutStructures. At first I tried to write a
      validator that was aware of this, but the validation code got way too complicated
      and I started having nightmares of spurious assertion bugs being filed against me.
      
      This also changes some of the code for how we hash FunctionExecutable's for debug
      dumps, since that code still had some thread-safety issues. Basically, the
      concurrent JIT needs to use the CodeBlock's precomputed hash and never call anything
      that could transitively try to compute the hash from the source code. The source
      code is a string that may be lazily computed, and that involves all manner of thread
      unsafe things.
      
      * bytecode/CodeOrigin.cpp:
      (JSC::InlineCallFrame::hash):
      * dfg/DFGAbstractInterpreterInlines.h:
      (JSC::DFG::::executeEffects):
      * dfg/DFGByteCodeParser.cpp:
      (JSC::DFG::ByteCodeParser::handleGetByOffset):
      (JSC::DFG::ByteCodeParser::handlePutByOffset):
      (JSC::DFG::ByteCodeParser::parseBlock):
      * dfg/DFGCFAPhase.cpp:
      (JSC::DFG::CFAPhase::performBlockCFA):
      * dfg/DFGConstantFoldingPhase.cpp:
      (JSC::DFG::ConstantFoldingPhase::foldConstants):
      * dfg/DFGFixupPhase.cpp:
      (JSC::DFG::FixupPhase::fixupNode):
      * dfg/DFGGraph.h:
      (StorageAccessData):
      * dfg/DFGNode.h:
      (JSC::DFG::Node::convertToGetByOffset):
      * dfg/DFGSpeculativeJIT64.cpp:
      (JSC::DFG::SpeculativeJIT::compile):
      * ftl/FTLLowerDFGToLLVM.cpp:
      (JSC::FTL::LowerDFGToLLVM::compileGetByOffset):
      (JSC::FTL::LowerDFGToLLVM::compilePutByOffset):
      * runtime/FunctionExecutableDump.cpp:
      (JSC::FunctionExecutableDump::dump):
      * runtime/Structure.h:
      (Structure):
      (JSC::Structure::isValidOffset):
      
      git-svn-id: http://svn.webkit.org/repository/webkit/trunk@153284 268f45cc-cd09-0410-ab3c-d52691b4dbfc
      0402d951
    • oliver@apple.com's avatar
      fourthTier: Decouple the way that CFA stores its state from the way it does abstract interpretation · 55d32d9a
      oliver@apple.com authored
      https://bugs.webkit.org/show_bug.cgi?id=118835
      
      Reviewed by Oliver Hunt.
      
      This separates AbstractState into two things:
      
      - InPlaceAbstractState, which can tell you the abstract state of anything you
        might care about, and uses the old AbstractState's algorithms and data
        structures for doing so.
      
      - AbstractInterpreter<AbstractStateType>, which can execute a DFG::Node* with
        respect to an AbstractStateType. Currently we always use
        AbstractStateType = InPlaceAbstractState. But we could drop in an other
        class that supports basic primitives like forNode() and variables().
      
      This is important because:
      
      - We want to hoist things out of loops.
      
      - We don't know what things rely on what type checks.
      
      - We only want to hoist type checks out of loops if they aren't clobbered.
      
      - We may want to still hoist things that depended on those type checks, if it's
        safe to do those things based on the CFA state at the tail of the loop
        pre-header.
      
      - We don't want things to rely on their type checks by way of a token, because
        that's just weird.
      
      So, we want to be able to have a special form of the CFA that can
      incrementally update a basic block's state-at-tail, and we want to be able to
      do this for multiple blocks simultaneously. This requires *not* storing the
      per-node state in the nodes themselves, but instead using the at-tail HashMap
      directly.
      
      Hence we need to have a way of making the abstract interpreter (i.e.
      AbstractState::execute) polymorphic with respect to state representation. Put
      another way, we need to separate the way that abstract state is represented
      from the way DFG IR is abstractly interpreted.
      
      * JavaScriptCore.xcodeproj/project.pbxproj:
      * dfg/DFGAbstractInterpreter.h: Added.
      (DFG):
      (AbstractInterpreter):
      (JSC::DFG::AbstractInterpreter::forNode):
      (JSC::DFG::AbstractInterpreter::variables):
      (JSC::DFG::AbstractInterpreter::needsTypeCheck):
      (JSC::DFG::AbstractInterpreter::filterEdgeByUse):
      (JSC::DFG::AbstractInterpreter::filter):
      (JSC::DFG::AbstractInterpreter::filterArrayModes):
      (JSC::DFG::AbstractInterpreter::filterByValue):
      (JSC::DFG::AbstractInterpreter::trySetConstant):
      (JSC::DFG::AbstractInterpreter::filterByType):
      * dfg/DFGAbstractInterpreterInlines.h: Added.
      (DFG):
      (JSC::DFG::::AbstractInterpreter):
      (JSC::DFG::::~AbstractInterpreter):
      (JSC::DFG::::booleanResult):
      (JSC::DFG::::startExecuting):
      (JSC::DFG::::executeEdges):
      (JSC::DFG::::verifyEdge):
      (JSC::DFG::::verifyEdges):
      (JSC::DFG::::executeEffects):
      (JSC::DFG::::execute):
      (JSC::DFG::::clobberWorld):
      (JSC::DFG::::clobberCapturedVars):
      (JSC::DFG::::clobberStructures):
      (JSC::DFG::::dump):
      (JSC::DFG::::filter):
      (JSC::DFG::::filterArrayModes):
      (JSC::DFG::::filterByValue):
      * dfg/DFGAbstractState.cpp: Removed.
      * dfg/DFGAbstractState.h: Removed.
      * dfg/DFGArgumentsSimplificationPhase.cpp:
      * dfg/DFGCFAPhase.cpp:
      (JSC::DFG::CFAPhase::CFAPhase):
      (JSC::DFG::CFAPhase::performBlockCFA):
      (CFAPhase):
      * dfg/DFGCFGSimplificationPhase.cpp:
      * dfg/DFGConstantFoldingPhase.cpp:
      (JSC::DFG::ConstantFoldingPhase::ConstantFoldingPhase):
      (JSC::DFG::ConstantFoldingPhase::foldConstants):
      (ConstantFoldingPhase):
      * dfg/DFGInPlaceAbstractState.cpp: Added.
      (DFG):
      (JSC::DFG::InPlaceAbstractState::InPlaceAbstractState):
      (JSC::DFG::InPlaceAbstractState::~InPlaceAbstractState):
      (JSC::DFG::InPlaceAbstractState::beginBasicBlock):
      (JSC::DFG::setLiveValues):
      (JSC::DFG::InPlaceAbstractState::initialize):
      (JSC::DFG::InPlaceAbstractState::endBasicBlock):
      (JSC::DFG::InPlaceAbstractState::reset):
      (JSC::DFG::InPlaceAbstractState::mergeStateAtTail):
      (JSC::DFG::InPlaceAbstractState::merge):
      (JSC::DFG::InPlaceAbstractState::mergeToSuccessors):
      (JSC::DFG::InPlaceAbstractState::mergeVariableBetweenBlocks):
      * dfg/DFGInPlaceAbstractState.h: Added.
      (DFG):
      (InPlaceAbstractState):
      (JSC::DFG::InPlaceAbstractState::forNode):
      (JSC::DFG::InPlaceAbstractState::variables):
      (JSC::DFG::InPlaceAbstractState::block):
      (JSC::DFG::InPlaceAbstractState::didClobber):
      (JSC::DFG::InPlaceAbstractState::isValid):
      (JSC::DFG::InPlaceAbstractState::setDidClobber):
      (JSC::DFG::InPlaceAbstractState::setIsValid):
      (JSC::DFG::InPlaceAbstractState::setBranchDirection):
      (JSC::DFG::InPlaceAbstractState::setFoundConstants):
      (JSC::DFG::InPlaceAbstractState::haveStructures):
      (JSC::DFG::InPlaceAbstractState::setHaveStructures):
      * dfg/DFGMergeMode.h: Added.
      (DFG):
      * dfg/DFGSpeculativeJIT.cpp:
      (JSC::DFG::SpeculativeJIT::SpeculativeJIT):
      (JSC::DFG::SpeculativeJIT::backwardTypeCheck):
      (JSC::DFG::SpeculativeJIT::compileCurrentBlock):
      (JSC::DFG::SpeculativeJIT::compileToStringOnCell):
      (JSC::DFG::SpeculativeJIT::speculateStringIdentAndLoadStorage):
      (JSC::DFG::SpeculativeJIT::speculateStringObject):
      (JSC::DFG::SpeculativeJIT::speculateStringOrStringObject):
      * dfg/DFGSpeculativeJIT.h:
      (JSC::DFG::SpeculativeJIT::needsTypeCheck):
      (SpeculativeJIT):
      * dfg/DFGSpeculativeJIT32_64.cpp:
      (JSC::DFG::SpeculativeJIT::fillSpeculateIntInternal):
      (JSC::DFG::SpeculativeJIT::fillSpeculateDouble):
      (JSC::DFG::SpeculativeJIT::fillSpeculateCell):
      (JSC::DFG::SpeculativeJIT::fillSpeculateBoolean):
      * dfg/DFGSpeculativeJIT64.cpp:
      (JSC::DFG::SpeculativeJIT::fillSpeculateIntInternal):
      (JSC::DFG::SpeculativeJIT::fillSpeculateDouble):
      (JSC::DFG::SpeculativeJIT::fillSpeculateCell):
      (JSC::DFG::SpeculativeJIT::fillSpeculateBoolean):
      * ftl/FTLLowerDFGToLLVM.cpp:
      (FTL):
      (JSC::FTL::LowerDFGToLLVM::LowerDFGToLLVM):
      (JSC::FTL::LowerDFGToLLVM::compileNode):
      (JSC::FTL::LowerDFGToLLVM::appendTypeCheck):
      (JSC::FTL::LowerDFGToLLVM::speculate):
      (JSC::FTL::LowerDFGToLLVM::speculateNumber):
      (JSC::FTL::LowerDFGToLLVM::speculateRealNumber):
      (LowerDFGToLLVM):
      
      Conflicts:
      	Source/JavaScriptCore/JavaScriptCore.xcodeproj/project.pbxproj
      
      git-svn-id: http://svn.webkit.org/repository/webkit/trunk@153282 268f45cc-cd09-0410-ab3c-d52691b4dbfc
      55d32d9a
    • oliver@apple.com's avatar
      fourthTier: DFG should have an SSA form for use by FTL · 827d2cf7
      oliver@apple.com authored
      https://bugs.webkit.org/show_bug.cgi?id=118338
      
      Source/JavaScriptCore:
      
      Reviewed by Mark Hahnenberg.
      
      Adds an SSA form to the DFG. We can convert ThreadedCPS form into SSA form
      after breaking critical edges. The conversion algorithm follows Aycock and
      Horspool, and the SSA form itself follows something I've done before, where
      instead of having Phi functions specify input nodes corresponding to block
      predecessors, we instead have Upsilon functions in the predecessors that
      specify which value in that block goes into which subsequent Phi. Upsilons
      don't have to dominate Phis (usually they don't) and they correspond to a
      non-SSA "mov" into the Phi's "variable". This gives all of the good
      properties of SSA, while ensuring that a bunch of CFG transformations don't
      have to be SSA-aware.
      
      So far the only DFG phases that are SSA-aware are DCE and CFA. CFG
      simplification is probably SSA-aware by default, though I haven't tried it.
      Constant folding probably needs a few tweaks, but is likely ready. Ditto
      for CSE, though it's not clear that we'd want to use block-local CSE when
      we could be doing GVN.
      
      Currently only the FTL can generate code from the SSA form, and there is no
      way to convert from SSA to ThreadedCPS or LoadStore. There probably will
      never be such a capability.
      
      In order to handle OSR exit state in the SSA, we place MovHints at Phi
      points. Other than that, you can reconstruct state-at-exit by forward
      propagating MovHints. Note that MovHint is the new SetLocal in SSA.
      SetLocal and GetLocal only survive into SSA if they are on captured
      variables, or in the case of flushes. A "live SetLocal" will be
      NodeMustGenerate and will always correspond to a flush. Computing the
      state-at-exit requires running SSA liveness analysis, OSR availability
      analysis, and flush liveness analysis. The FTL runs all of these prior to
      generating code. While OSR exit continues to be tricky, much of the logic
      is now factored into separate phases and the backend has to do less work
      to reason about what happened outside of the basic block that is being
      lowered.
      
      Conversion from DFG SSA to LLVM SSA is done by ensuring that we generate
      code in depth-first order, thus guaranteeing that a node will always be
      lowered (and hence have a LValue) before any of the blocks dominated by
      that node's block have code generated. For Upsilon/Phi, we just use
      alloca's. We could do something more clever there, but it's probably not
      worth it, at least not now.
      
      Finally, while the SSA form is currently only being converted to LLVM IR,
      there is nothing that prevents us from considering other backends in the
      future - with the caveat that this form is designed to be first lowered to
      a lower-level SSA before actual machine code generation commences. So we
      ought to either use LLVM (the intended path) or we will have to write our
      own SSA low-level backend.
      
      This runs all of the code that the FTL was known to run previously. No
      change in performance for now. But it does open some exciting
      possibilities!
      
      * JavaScriptCore.xcodeproj/project.pbxproj:
      * bytecode/Operands.h:
      (JSC::OperandValueTraits::dump):
      (JSC::Operands::fill):
      (Operands):
      (JSC::Operands::clear):
      (JSC::Operands::operator==):
      * dfg/DFGAbstractState.cpp:
      (JSC::DFG::AbstractState::beginBasicBlock):
      (JSC::DFG::setLiveValues):
      (DFG):
      (JSC::DFG::AbstractState::initialize):
      (JSC::DFG::AbstractState::endBasicBlock):
      (JSC::DFG::AbstractState::executeEffects):
      (JSC::DFG::AbstractState::mergeStateAtTail):
      (JSC::DFG::AbstractState::merge):
      * dfg/DFGAbstractState.h:
      (AbstractState):
      * dfg/DFGAdjacencyList.h:
      (JSC::DFG::AdjacencyList::justOneChild):
      (AdjacencyList):
      * dfg/DFGBasicBlock.cpp: Added.
      (DFG):
      (JSC::DFG::BasicBlock::BasicBlock):
      (JSC::DFG::BasicBlock::~BasicBlock):
      (JSC::DFG::BasicBlock::ensureLocals):
      (JSC::DFG::BasicBlock::isInPhis):
      (JSC::DFG::BasicBlock::isInBlock):
      (JSC::DFG::BasicBlock::removePredecessor):
      (JSC::DFG::BasicBlock::replacePredecessor):
      (JSC::DFG::BasicBlock::dump):
      (JSC::DFG::BasicBlock::SSAData::SSAData):
      (JSC::DFG::BasicBlock::SSAData::~SSAData):
      * dfg/DFGBasicBlock.h:
      (BasicBlock):
      (JSC::DFG::BasicBlock::operator[]):
      (JSC::DFG::BasicBlock::successor):
      (JSC::DFG::BasicBlock::successorForCondition):
      (SSAData):
      * dfg/DFGBasicBlockInlines.h:
      (DFG):
      * dfg/DFGBlockInsertionSet.cpp: Added.
      (DFG):
      (JSC::DFG::BlockInsertionSet::BlockInsertionSet):
      (JSC::DFG::BlockInsertionSet::~BlockInsertionSet):
      (JSC::DFG::BlockInsertionSet::insert):
      (JSC::DFG::BlockInsertionSet::insertBefore):
      (JSC::DFG::BlockInsertionSet::execute):
      * dfg/DFGBlockInsertionSet.h: Added.
      (DFG):
      (BlockInsertionSet):
      * dfg/DFGCFAPhase.cpp:
      (JSC::DFG::CFAPhase::run):
      * dfg/DFGCFGSimplificationPhase.cpp:
      * dfg/DFGCPSRethreadingPhase.cpp:
      (JSC::DFG::CPSRethreadingPhase::canonicalizeLocalsInBlock):
      * dfg/DFGCommon.cpp:
      (WTF::printInternal):
      * dfg/DFGCommon.h:
      (JSC::DFG::doesKill):
      (DFG):
      (JSC::DFG::killStatusForDoesKill):
      * dfg/DFGConstantFoldingPhase.cpp:
      (JSC::DFG::ConstantFoldingPhase::foldConstants):
      (JSC::DFG::ConstantFoldingPhase::isCapturedAtOrAfter):
      * dfg/DFGCriticalEdgeBreakingPhase.cpp: Added.
      (DFG):
      (CriticalEdgeBreakingPhase):
      (JSC::DFG::CriticalEdgeBreakingPhase::CriticalEdgeBreakingPhase):
      (JSC::DFG::CriticalEdgeBreakingPhase::run):
      (JSC::DFG::CriticalEdgeBreakingPhase::breakCriticalEdge):
      (JSC::DFG::performCriticalEdgeBreaking):
      * dfg/DFGCriticalEdgeBreakingPhase.h: Added.
      (DFG):
      * dfg/DFGDCEPhase.cpp:
      (JSC::DFG::DCEPhase::run):
      (JSC::DFG::DCEPhase::findTypeCheckRoot):
      (JSC::DFG::DCEPhase::countNode):
      (DCEPhase):
      (JSC::DFG::DCEPhase::countEdge):
      (JSC::DFG::DCEPhase::eliminateIrrelevantPhantomChildren):
      * dfg/DFGDriver.cpp:
      (JSC::DFG::compile):
      * dfg/DFGEdge.cpp:
      (JSC::DFG::Edge::dump):
      * dfg/DFGEdge.h:
      (JSC::DFG::Edge::Edge):
      (JSC::DFG::Edge::setNode):
      (JSC::DFG::Edge::useKindUnchecked):
      (JSC::DFG::Edge::setUseKind):
      (JSC::DFG::Edge::setProofStatus):
      (JSC::DFG::Edge::willNotHaveCheck):
      (JSC::DFG::Edge::willHaveCheck):
      (Edge):
      (JSC::DFG::Edge::killStatusUnchecked):
      (JSC::DFG::Edge::killStatus):
      (JSC::DFG::Edge::setKillStatus):
      (JSC::DFG::Edge::doesKill):
      (JSC::DFG::Edge::doesNotKill):
      (JSC::DFG::Edge::shift):
      (JSC::DFG::Edge::makeWord):
      * dfg/DFGFixupPhase.cpp:
      (JSC::DFG::FixupPhase::fixupNode):
      * dfg/DFGFlushFormat.cpp: Added.
      (WTF):
      (WTF::printInternal):
      * dfg/DFGFlushFormat.h: Added.
      (DFG):
      (JSC::DFG::resultFor):
      (JSC::DFG::useKindFor):
      (WTF):
      * dfg/DFGFlushLivenessAnalysisPhase.cpp: Added.
      (DFG):
      (FlushLivenessAnalysisPhase):
      (JSC::DFG::FlushLivenessAnalysisPhase::FlushLivenessAnalysisPhase):
      (JSC::DFG::FlushLivenessAnalysisPhase::run):
      (JSC::DFG::FlushLivenessAnalysisPhase::process):
      (JSC::DFG::FlushLivenessAnalysisPhase::setForNode):
      (JSC::DFG::FlushLivenessAnalysisPhase::flushFormat):
      (JSC::DFG::performFlushLivenessAnalysis):
      * dfg/DFGFlushLivenessAnalysisPhase.h: Added.
      (DFG):
      * dfg/DFGGraph.cpp:
      (JSC::DFG::Graph::dump):
      (JSC::DFG::Graph::dumpBlockHeader):
      (DFG):
      (JSC::DFG::Graph::addForDepthFirstSort):
      (JSC::DFG::Graph::getBlocksInDepthFirstOrder):
      * dfg/DFGGraph.h:
      (JSC::DFG::Graph::convertToConstant):
      (JSC::DFG::Graph::valueProfileFor):
      (Graph):
      * dfg/DFGInsertionSet.h:
      (DFG):
      (JSC::DFG::InsertionSet::execute):
      * dfg/DFGLivenessAnalysisPhase.cpp: Added.
      (DFG):
      (LivenessAnalysisPhase):
      (JSC::DFG::LivenessAnalysisPhase::LivenessAnalysisPhase):
      (JSC::DFG::LivenessAnalysisPhase::run):
      (JSC::DFG::LivenessAnalysisPhase::process):
      (JSC::DFG::LivenessAnalysisPhase::addChildUse):
      (JSC::DFG::performLivenessAnalysis):
      * dfg/DFGLivenessAnalysisPhase.h: Added.
      (DFG):
      * dfg/DFGNode.cpp:
      (JSC::DFG::Node::hasVariableAccessData):
      (DFG):
      * dfg/DFGNode.h:
      (DFG):
      (Node):
      (JSC::DFG::Node::hasLocal):
      (JSC::DFG::Node::variableAccessData):
      (JSC::DFG::Node::hasPhi):
      (JSC::DFG::Node::phi):
      (JSC::DFG::Node::takenBlock):
      (JSC::DFG::Node::notTakenBlock):
      (JSC::DFG::Node::successor):
      (JSC::DFG::Node::successorForCondition):
      (JSC::DFG::nodeComparator):
      (JSC::DFG::nodeListDump):
      (JSC::DFG::nodeMapDump):
      * dfg/DFGNodeFlags.cpp:
      (JSC::DFG::dumpNodeFlags):
      * dfg/DFGNodeType.h:
      (DFG):
      * dfg/DFGOSRAvailabilityAnalysisPhase.cpp: Added.
      (DFG):
      (OSRAvailabilityAnalysisPhase):
      (JSC::DFG::OSRAvailabilityAnalysisPhase::OSRAvailabilityAnalysisPhase):
      (JSC::DFG::OSRAvailabilityAnalysisPhase::run):
      (JSC::DFG::performOSRAvailabilityAnalysis):
      * dfg/DFGOSRAvailabilityAnalysisPhase.h: Added.
      (DFG):
      * dfg/DFGPlan.cpp:
      (JSC::DFG::Plan::compileInThreadImpl):
      * dfg/DFGPredictionInjectionPhase.cpp:
      (JSC::DFG::PredictionInjectionPhase::run):
      * dfg/DFGPredictionPropagationPhase.cpp:
      (JSC::DFG::PredictionPropagationPhase::propagate):
      * dfg/DFGSSAConversionPhase.cpp: Added.
      (DFG):
      (SSAConversionPhase):
      (JSC::DFG::SSAConversionPhase::SSAConversionPhase):
      (JSC::DFG::SSAConversionPhase::run):
      (JSC::DFG::SSAConversionPhase::forwardPhiChildren):
      (JSC::DFG::SSAConversionPhase::forwardPhi):
      (JSC::DFG::SSAConversionPhase::forwardPhiEdge):
      (JSC::DFG::SSAConversionPhase::deduplicateChildren):
      (JSC::DFG::SSAConversionPhase::addFlushedLocalOp):
      (JSC::DFG::SSAConversionPhase::addFlushedLocalEdge):
      (JSC::DFG::performSSAConversion):
      * dfg/DFGSSAConversionPhase.h: Added.
      (DFG):
      * dfg/DFGSpeculativeJIT32_64.cpp:
      (JSC::DFG::SpeculativeJIT::compile):
      * dfg/DFGSpeculativeJIT64.cpp:
      (JSC::DFG::SpeculativeJIT::compile):
      * dfg/DFGValidate.cpp:
      (JSC::DFG::Validate::validate):
      (Validate):
      (JSC::DFG::Validate::validateCPS):
      * dfg/DFGVariableAccessData.h:
      (JSC::DFG::VariableAccessData::flushFormat):
      (VariableAccessData):
      * ftl/FTLCapabilities.cpp:
      (JSC::FTL::canCompile):
      * ftl/FTLLowerDFGToLLVM.cpp:
      (JSC::FTL::LowerDFGToLLVM::LowerDFGToLLVM):
      (JSC::FTL::LowerDFGToLLVM::lower):
      (JSC::FTL::LowerDFGToLLVM::createPhiVariables):
      (JSC::FTL::LowerDFGToLLVM::compileBlock):
      (JSC::FTL::LowerDFGToLLVM::compileNode):
      (JSC::FTL::LowerDFGToLLVM::compileUpsilon):
      (LowerDFGToLLVM):
      (JSC::FTL::LowerDFGToLLVM::compilePhi):
      (JSC::FTL::LowerDFGToLLVM::compileJSConstant):
      (JSC::FTL::LowerDFGToLLVM::compileWeakJSConstant):
      (JSC::FTL::LowerDFGToLLVM::compileGetArgument):
      (JSC::FTL::LowerDFGToLLVM::compileGetLocal):
      (JSC::FTL::LowerDFGToLLVM::compileSetLocal):
      (JSC::FTL::LowerDFGToLLVM::compileAdd):
      (JSC::FTL::LowerDFGToLLVM::compileArithSub):
      (JSC::FTL::LowerDFGToLLVM::compileArithMul):
      (JSC::FTL::LowerDFGToLLVM::compileArithDiv):
      (JSC::FTL::LowerDFGToLLVM::compileArithMod):
      (JSC::FTL::LowerDFGToLLVM::compileArithMinOrMax):
      (JSC::FTL::LowerDFGToLLVM::compileArithAbs):
      (JSC::FTL::LowerDFGToLLVM::compileArithNegate):
      (JSC::FTL::LowerDFGToLLVM::compileBitAnd):
      (JSC::FTL::LowerDFGToLLVM::compileBitOr):
      (JSC::FTL::LowerDFGToLLVM::compileBitXor):
      (JSC::FTL::LowerDFGToLLVM::compileBitRShift):
      (JSC::FTL::LowerDFGToLLVM::compileBitLShift):
      (JSC::FTL::LowerDFGToLLVM::compileBitURShift):
      (JSC::FTL::LowerDFGToLLVM::compileUInt32ToNumber):
      (JSC::FTL::LowerDFGToLLVM::compileInt32ToDouble):
      (JSC::FTL::LowerDFGToLLVM::compileGetButterfly):
      (JSC::FTL::LowerDFGToLLVM::compileGetArrayLength):
      (JSC::FTL::LowerDFGToLLVM::compileGetByVal):
      (JSC::FTL::LowerDFGToLLVM::compileGetByOffset):
      (JSC::FTL::LowerDFGToLLVM::compileGetGlobalVar):
      (JSC::FTL::LowerDFGToLLVM::compileCompareEqConstant):
      (JSC::FTL::LowerDFGToLLVM::compileCompareStrictEq):
      (JSC::FTL::LowerDFGToLLVM::compileCompareStrictEqConstant):
      (JSC::FTL::LowerDFGToLLVM::compileCompareLess):
      (JSC::FTL::LowerDFGToLLVM::compileCompareLessEq):
      (JSC::FTL::LowerDFGToLLVM::compileCompareGreater):
      (JSC::FTL::LowerDFGToLLVM::compileCompareGreaterEq):
      (JSC::FTL::LowerDFGToLLVM::compileLogicalNot):
      (JSC::FTL::LowerDFGToLLVM::speculateBackward):
      (JSC::FTL::LowerDFGToLLVM::lowInt32):
      (JSC::FTL::LowerDFGToLLVM::lowCell):
      (JSC::FTL::LowerDFGToLLVM::lowBoolean):
      (JSC::FTL::LowerDFGToLLVM::lowDouble):
      (JSC::FTL::LowerDFGToLLVM::lowJSValue):
      (JSC::FTL::LowerDFGToLLVM::lowStorage):
      (JSC::FTL::LowerDFGToLLVM::speculate):
      (JSC::FTL::LowerDFGToLLVM::speculateBoolean):
      (JSC::FTL::LowerDFGToLLVM::isLive):
      (JSC::FTL::LowerDFGToLLVM::use):
      (JSC::FTL::LowerDFGToLLVM::initializeOSRExitStateForBlock):
      (JSC::FTL::LowerDFGToLLVM::appendOSRExit):
      (JSC::FTL::LowerDFGToLLVM::emitOSRExitCall):
      (JSC::FTL::LowerDFGToLLVM::addExitArgumentForNode):
      (JSC::FTL::LowerDFGToLLVM::linkOSRExitsAndCompleteInitializationBlocks):
      (JSC::FTL::LowerDFGToLLVM::setInt32):
      (JSC::FTL::LowerDFGToLLVM::setJSValue):
      (JSC::FTL::LowerDFGToLLVM::setBoolean):
      (JSC::FTL::LowerDFGToLLVM::setStorage):
      (JSC::FTL::LowerDFGToLLVM::setDouble):
      (JSC::FTL::LowerDFGToLLVM::isValid):
      * ftl/FTLLoweredNodeValue.h: Added.
      (FTL):
      (LoweredNodeValue):
      (JSC::FTL::LoweredNodeValue::LoweredNodeValue):
      (JSC::FTL::LoweredNodeValue::isSet):
      (JSC::FTL::LoweredNodeValue::operator!):
      (JSC::FTL::LoweredNodeValue::value):
      (JSC::FTL::LoweredNodeValue::block):
      * ftl/FTLValueFromBlock.h:
      (JSC::FTL::ValueFromBlock::ValueFromBlock):
      (ValueFromBlock):
      * ftl/FTLValueSource.cpp:
      (JSC::FTL::ValueSource::dump):
      * ftl/FTLValueSource.h:
      
      Source/WTF:
      
      Reviewed by Mark Hahnenberg.
      
      - Extend variadicity of PrintStream and dataLog.
      
      - Give HashSet the ability to add a span of things.
      
      - Give HashSet the ability to == another HashSet.
      
      - Note FIXME's in HashTable concerning copying performance, that affects
        the way that the DFG now uses HashSets and HashMaps.
      
      - Factor out the bulk-insertion logic of JSC::DFG::InsertionSet into
        WTF::Insertion, so that it can be used in more places.
      
      - Create a dumper for lists and maps.
      
      * WTF.xcodeproj/project.pbxproj:
      * wtf/DataLog.h:
      (WTF):
      (WTF::dataLog):
      * wtf/HashSet.h:
      (HashSet):
      (WTF):
      (WTF::::add):
      (WTF::=):
      * wtf/HashTable.h:
      (WTF::::HashTable):
      (WTF::=):
      * wtf/Insertion.h: Added.
      (WTF):
      (Insertion):
      (WTF::Insertion::Insertion):
      (WTF::Insertion::index):
      (WTF::Insertion::element):
      (WTF::Insertion::operator<):
      (WTF::executeInsertions):
      * wtf/ListDump.h: Added.
      (WTF):
      (ListDump):
      (WTF::ListDump::ListDump):
      (WTF::ListDump::dump):
      (MapDump):
      (WTF::MapDump::MapDump):
      (WTF::MapDump::dump):
      (WTF::listDump):
      (WTF::sortedListDump):
      (WTF::lessThan):
      (WTF::mapDump):
      (WTF::sortedMapDump):
      * wtf/PrintStream.h:
      (PrintStream):
      (WTF::PrintStream::print):
      
      Conflicts:
      	Source/JavaScriptCore/JavaScriptCore.xcodeproj/project.pbxproj
      
      git-svn-id: http://svn.webkit.org/repository/webkit/trunk@153274 268f45cc-cd09-0410-ab3c-d52691b4dbfc
      827d2cf7
    • oliver@apple.com's avatar
      fourthTier: FTL should better report its compile-times and it should be able... · 62242ce4
      oliver@apple.com authored
      fourthTier: FTL should better report its compile-times and it should be able to run in a mode where it doesn't spend time generating OSR exits
      https://bugs.webkit.org/show_bug.cgi?id=118401
      
      Reviewed by Sam Weinig.
      
      Add two new OSR exit modes, which are useful only for playing with compile times:
      
      - All OSR exits are llvm.trap().
      
      - OSR exits don't take arguments and have no exit value marshaling.
      
      * dfg/DFGPlan.cpp:
      (JSC::DFG::Plan::compileInThread):
      (JSC::DFG::Plan::compileInThreadImpl):
      * dfg/DFGPlan.h:
      (Plan):
      * ftl/FTLIntrinsicRepository.h:
      (FTL):
      * ftl/FTLLowerDFGToLLVM.cpp:
      (JSC::FTL::LowerDFGToLLVM::appendOSRExit):
      (LowerDFGToLLVM):
      (JSC::FTL::LowerDFGToLLVM::emitOSRExitCall):
      * ftl/FTLOutput.h:
      (JSC::FTL::Output::trap):
      * runtime/Options.h:
      (JSC):
      
      git-svn-id: http://svn.webkit.org/repository/webkit/trunk@153268 268f45cc-cd09-0410-ab3c-d52691b4dbfc
      62242ce4
    • oliver@apple.com's avatar
      fourthTier: DFG should refer to BasicBlocks by BasicBlock* and not BlockIndex · 426f5b02
      oliver@apple.com authored
      https://bugs.webkit.org/show_bug.cgi?id=118339
      
      Reviewed by Michael Saboff.
      
      This accomplishes two goals:
      
      1) Simplifies a bunch of code. You can now much more directly get to a successor
         or predecessor, since you just get the pointer directly. The backend(s) always
         hold onto a pointer to the block they're on, so you don't have to do work to
         get the block from the index.
      
      2) It allows for the possibility of inserting blocks into the program.
         Previously, if you did that, you'd have to edit all references to blocks since
         those references would have outdated indexing after an insertion. Now, if you
         change the indexing, you just have to invalidate some analyses and make sure
         that you change each block's BasicBlock::index accordingly.
      
      * dfg/DFGAbstractState.cpp:
      (JSC::DFG::AbstractState::initialize):
      (JSC::DFG::AbstractState::endBasicBlock):
      (JSC::DFG::AbstractState::mergeToSuccessors):
      * dfg/DFGAbstractState.h:
      (AbstractState):
      * dfg/DFGArgumentsSimplificationPhase.cpp:
      (JSC::DFG::ArgumentsSimplificationPhase::run):
      * dfg/DFGBackwardsPropagationPhase.cpp:
      (JSC::DFG::BackwardsPropagationPhase::run):
      * dfg/DFGBasicBlock.h:
      (DFG):
      (JSC::DFG::BasicBlock::BasicBlock):
      (JSC::DFG::BasicBlock::size):
      (JSC::DFG::BasicBlock::isEmpty):
      (JSC::DFG::BasicBlock::at):
      (JSC::DFG::BasicBlock::operator[]):
      (JSC::DFG::BasicBlock::last):
      (JSC::DFG::BasicBlock::resize):
      (JSC::DFG::BasicBlock::grow):
      (BasicBlock):
      (JSC::DFG::BasicBlock::append):
      (JSC::DFG::BasicBlock::numSuccessors):
      (JSC::DFG::BasicBlock::successor):
      (JSC::DFG::BasicBlock::successorForCondition):
      (JSC::DFG::BasicBlock::dump):
      (UnlinkedBlock):
      (JSC::DFG::UnlinkedBlock::UnlinkedBlock):
      (JSC::DFG::getBytecodeBeginForBlock):
      (JSC::DFG::blockForBytecodeOffset):
      * dfg/DFGByteCodeParser.cpp:
      (ByteCodeParser):
      (InlineStackEntry):
      (JSC::DFG::ByteCodeParser::handleInlining):
      (JSC::DFG::ByteCodeParser::parseBlock):
      (JSC::DFG::ByteCodeParser::linkBlock):
      (JSC::DFG::ByteCodeParser::linkBlocks):
      (JSC::DFG::ByteCodeParser::InlineStackEntry::InlineStackEntry):
      (JSC::DFG::ByteCodeParser::parseCodeBlock):
      (JSC::DFG::ByteCodeParser::parse):
      * dfg/DFGCFAPhase.cpp:
      (JSC::DFG::CFAPhase::performBlockCFA):
      (JSC::DFG::CFAPhase::performForwardCFA):
      * dfg/DFGCFGSimplificationPhase.cpp:
      (JSC::DFG::CFGSimplificationPhase::run):
      (JSC::DFG::CFGSimplificationPhase::convertToJump):
      * dfg/DFGCPSRethreadingPhase.cpp:
      (JSC::DFG::CPSRethreadingPhase::freeUnnecessaryNodes):
      (JSC::DFG::CPSRethreadingPhase::canonicalizeLocalsInBlocks):
      (JSC::DFG::CPSRethreadingPhase::propagatePhis):
      (CPSRethreadingPhase):
      * dfg/DFGCSEPhase.cpp:
      (JSC::DFG::CSEPhase::run):
      * dfg/DFGConstantFoldingPhase.cpp:
      (JSC::DFG::ConstantFoldingPhase::run):
      (JSC::DFG::ConstantFoldingPhase::foldConstants):
      * dfg/DFGDCEPhase.cpp:
      (JSC::DFG::DCEPhase::run):
      * dfg/DFGDisassembler.cpp:
      (JSC::DFG::Disassembler::Disassembler):
      (JSC::DFG::Disassembler::createDumpList):
      * dfg/DFGDisassembler.h:
      (JSC::DFG::Disassembler::setForBlockIndex):
      * dfg/DFGDominators.cpp:
      (JSC::DFG::Dominators::compute):
      (JSC::DFG::Dominators::iterateForBlock):
      * dfg/DFGDominators.h:
      (JSC::DFG::Dominators::dominates):
      * dfg/DFGFixupPhase.cpp:
      (JSC::DFG::FixupPhase::run):
      (JSC::DFG::FixupPhase::fixupNode):
      * dfg/DFGGraph.cpp:
      (JSC::DFG::Graph::dump):
      (JSC::DFG::Graph::dumpBlockHeader):
      (JSC::DFG::Graph::handleSuccessor):
      (JSC::DFG::Graph::determineReachability):
      (JSC::DFG::Graph::resetReachability):
      * dfg/DFGGraph.h:
      (JSC::DFG::Graph::numBlocks):
      (JSC::DFG::Graph::block):
      (JSC::DFG::Graph::lastBlock):
      (Graph):
      (JSC::DFG::Graph::appendBlock):
      (JSC::DFG::Graph::killBlock):
      (DFG):
      * dfg/DFGJITCompiler.cpp:
      (JSC::DFG::JITCompiler::JITCompiler):
      (JSC::DFG::JITCompiler::link):
      * dfg/DFGJITCompiler.h:
      (JSC::DFG::JITCompiler::setForBlockIndex):
      * dfg/DFGNaturalLoops.cpp:
      (JSC::DFG::NaturalLoop::dump):
      (JSC::DFG::NaturalLoops::compute):
      (JSC::DFG::NaturalLoops::loopsOf):
      * dfg/DFGNaturalLoops.h:
      (JSC::DFG::NaturalLoop::NaturalLoop):
      (JSC::DFG::NaturalLoop::addBlock):
      (JSC::DFG::NaturalLoop::header):
      (JSC::DFG::NaturalLoop::at):
      (JSC::DFG::NaturalLoop::operator[]):
      (JSC::DFG::NaturalLoop::contains):
      (NaturalLoop):
      (JSC::DFG::NaturalLoops::headerOf):
      (NaturalLoops):
      * dfg/DFGNode.h:
      (DFG):
      (JSC::DFG::SwitchCase::SwitchCase):
      (JSC::DFG::SwitchCase::withBytecodeIndex):
      (SwitchCase):
      (JSC::DFG::SwitchCase::targetBytecodeIndex):
      (JSC::DFG::SwitchData::SwitchData):
      (JSC::DFG::SwitchData::setFallThroughBytecodeIndex):
      (JSC::DFG::SwitchData::fallThroughBytecodeIndex):
      (SwitchData):
      (JSC::DFG::Node::setTakenBlock):
      (JSC::DFG::Node::setNotTakenBlock):
      (JSC::DFG::Node::takenBlock):
      (JSC::DFG::Node::notTakenBlock):
      (JSC::DFG::Node::successor):
      (JSC::DFG::Node::successorForCondition):
      * dfg/DFGPredictionInjectionPhase.cpp:
      (JSC::DFG::PredictionInjectionPhase::run):
      * dfg/DFGPredictionPropagationPhase.cpp:
      (JSC::DFG::PredictionPropagationPhase::propagateForward):
      (JSC::DFG::PredictionPropagationPhase::propagateBackward):
      (JSC::DFG::PredictionPropagationPhase::doRoundOfDoubleVoting):
      * dfg/DFGSpeculativeJIT.cpp:
      (JSC::DFG::SpeculativeJIT::convertLastOSRExitToForward):
      (JSC::DFG::SpeculativeJIT::nonSpeculativeCompare):
      (JSC::DFG::SpeculativeJIT::nonSpeculativeStrictEq):
      (JSC::DFG::SpeculativeJIT::compilePeepHoleDoubleBranch):
      (JSC::DFG::SpeculativeJIT::compilePeepHoleObjectEquality):
      (JSC::DFG::SpeculativeJIT::compilePeepHoleIntegerBranch):
      (JSC::DFG::SpeculativeJIT::compilePeepHoleBranch):
      (JSC::DFG::SpeculativeJIT::compileCurrentBlock):
      (JSC::DFG::SpeculativeJIT::compile):
      (JSC::DFG::SpeculativeJIT::createOSREntries):
      (JSC::DFG::SpeculativeJIT::linkOSREntries):
      (JSC::DFG::SpeculativeJIT::compileStrictEqForConstant):
      (JSC::DFG::SpeculativeJIT::compileStrictEq):
      (JSC::DFG::SpeculativeJIT::compileRegExpExec):
      (JSC::DFG::SpeculativeJIT::addBranch):
      (JSC::DFG::SpeculativeJIT::linkBranches):
      * dfg/DFGSpeculativeJIT.h:
      (JSC::DFG::SpeculativeJIT::nextBlock):
      (SpeculativeJIT):
      (JSC::DFG::SpeculativeJIT::detectPeepHoleBranch):
      (JSC::DFG::SpeculativeJIT::branchDouble):
      (JSC::DFG::SpeculativeJIT::branchDoubleNonZero):
      (JSC::DFG::SpeculativeJIT::branch32):
      (JSC::DFG::SpeculativeJIT::branchTest32):
      (JSC::DFG::SpeculativeJIT::branch64):
      (JSC::DFG::SpeculativeJIT::branch8):
      (JSC::DFG::SpeculativeJIT::branchPtr):
      (JSC::DFG::SpeculativeJIT::branchTestPtr):
      (JSC::DFG::SpeculativeJIT::branchTest8):
      (JSC::DFG::SpeculativeJIT::jump):
      (JSC::DFG::SpeculativeJIT::addBranch):
      (JSC::DFG::SpeculativeJIT::StringSwitchCase::StringSwitchCase):
      (StringSwitchCase):
      (JSC::DFG::SpeculativeJIT::BranchRecord::BranchRecord):
      (BranchRecord):
      * dfg/DFGSpeculativeJIT32_64.cpp:
      (JSC::DFG::SpeculativeJIT::nonSpeculativePeepholeBranchNull):
      (JSC::DFG::SpeculativeJIT::nonSpeculativeCompareNull):
      (JSC::DFG::SpeculativeJIT::nonSpeculativePeepholeBranch):
      (JSC::DFG::SpeculativeJIT::nonSpeculativePeepholeStrictEq):
      (JSC::DFG::SpeculativeJIT::compilePeepHoleObjectToObjectOrOtherEquality):
      (JSC::DFG::SpeculativeJIT::emitObjectOrOtherBranch):
      (JSC::DFG::SpeculativeJIT::emitBranch):
      (JSC::DFG::SpeculativeJIT::compile):
      * dfg/DFGSpeculativeJIT64.cpp:
      (JSC::DFG::SpeculativeJIT::nonSpeculativePeepholeBranchNull):
      (JSC::DFG::SpeculativeJIT::nonSpeculativeCompareNull):
      (JSC::DFG::SpeculativeJIT::nonSpeculativePeepholeBranch):
      (JSC::DFG::SpeculativeJIT::nonSpeculativePeepholeStrictEq):
      (JSC::DFG::SpeculativeJIT::compilePeepHoleObjectToObjectOrOtherEquality):
      (JSC::DFG::SpeculativeJIT::emitObjectOrOtherBranch):
      (JSC::DFG::SpeculativeJIT::emitBranch):
      (JSC::DFG::SpeculativeJIT::compile):
      * dfg/DFGTypeCheckHoistingPhase.cpp:
      (JSC::DFG::TypeCheckHoistingPhase::run):
      (JSC::DFG::TypeCheckHoistingPhase::identifyRedundantStructureChecks):
      (JSC::DFG::TypeCheckHoistingPhase::identifyRedundantArrayChecks):
      (JSC::DFG::TypeCheckHoistingPhase::disableHoistingAcrossOSREntries):
      * dfg/DFGUnificationPhase.cpp:
      (JSC::DFG::UnificationPhase::run):
      * dfg/DFGValidate.cpp:
      (JSC::DFG::Validate::validate):
      (JSC::DFG::Validate::checkOperand):
      (JSC::DFG::Validate::reportValidationContext):
      * dfg/DFGVirtualRegisterAllocationPhase.cpp:
      (JSC::DFG::VirtualRegisterAllocationPhase::run):
      * ftl/FTLCapabilities.cpp:
      (JSC::FTL::canCompile):
      * ftl/FTLLowerDFGToLLVM.cpp:
      (JSC::FTL::LowerDFGToLLVM::LowerDFGToLLVM):
      (JSC::FTL::LowerDFGToLLVM::lower):
      (JSC::FTL::LowerDFGToLLVM::compileBlock):
      (JSC::FTL::LowerDFGToLLVM::compileJump):
      (JSC::FTL::LowerDFGToLLVM::compileBranch):
      (JSC::FTL::LowerDFGToLLVM::lowBlock):
      
      git-svn-id: http://svn.webkit.org/repository/webkit/trunk@153267 268f45cc-cd09-0410-ab3c-d52691b4dbfc
      426f5b02
    • oliver@apple.com's avatar
      fourthTier: FTL should support hole/OOB PutByVal's · 8c55ed0b
      oliver@apple.com authored
      https://bugs.webkit.org/show_bug.cgi?id=118112
      
      Reviewed by Geoffrey Garen.
      
      Added a common code generator for the out-of-bounds case that is reused by
      all contiguous-like arrays (Int32, Double, Contiguous).
      
      This is relatively straight-forward, except that it's the first time that
      the FTL has to call DFG operations that take more than two arguments.
      
      * ftl/FTLAbbreviations.h:
      (JSC::FTL::functionType):
      (JSC::FTL::buildCall):
      * ftl/FTLAbstractHeapRepository.h:
      (FTL):
      * ftl/FTLCapabilities.cpp:
      (JSC::FTL::canCompile):
      * ftl/FTLIntrinsicRepository.h:
      (FTL):
      * ftl/FTLLowerDFGToLLVM.cpp:
      (JSC::FTL::LowerDFGToLLVM::compilePutByVal):
      (LowerDFGToLLVM):
      (JSC::FTL::LowerDFGToLLVM::contiguousPutByValOutOfBounds):
      (JSC::FTL::LowerDFGToLLVM::vmCall):
      * ftl/FTLOutput.h:
      (JSC::FTL::Output::call):
      
      git-svn-id: http://svn.webkit.org/repository/webkit/trunk@153254 268f45cc-cd09-0410-ab3c-d52691b4dbfc
      8c55ed0b
    • oliver@apple.com's avatar
      fourthTier: FTL should support ArrayifyToStructure · b0cdcb4a
      oliver@apple.com authored
      https://bugs.webkit.org/show_bug.cgi?id=118095
      
      Reviewed by Mark Hahnenberg.
      
      * ftl/FTLCapabilities.cpp:
      (JSC::FTL::canCompile):
      * ftl/FTLIntrinsicRepository.h:
      (FTL):
      * ftl/FTLLowerDFGToLLVM.cpp:
      (JSC::FTL::LowerDFGToLLVM::compileNode):
      (JSC::FTL::LowerDFGToLLVM::compileArrayifyToStructure):
      (LowerDFGToLLVM):
      
      git-svn-id: http://svn.webkit.org/repository/webkit/trunk@153252 268f45cc-cd09-0410-ab3c-d52691b4dbfc
      b0cdcb4a
    • oliver@apple.com's avatar
      fourthTier: FTL should support... · 6a2aafdc
      oliver@apple.com authored
      fourthTier: FTL should support ForwardCheckStructure/ForwardStructureTransitionWatchpoint and doing so shouldn't break V8/crypto
      https://bugs.webkit.org/show_bug.cgi?id=118091
      
      Reviewed by Mark Hahnenberg.
      
      I was going to just add ForwardCheckStructure/ForwardStructureTransitionWatchpoint support,
      which is trivial. But doing so increases coverage a lot, and revealed long-standing bugs in
      the FTL. I then fixed those bugs, also:
      
      - The FTL should not attempt to compile a block that is not reachable according to the CFA.
        This is analogous to terminating basic block compilation if the CFA becomes !isValid().
        Attempting to compile such a block means that you're running on broken CFA state, and the
        CFA will become inconsistent with the code you're generating, leading to some
        strangeness. For example, the FTL relies on the CFA to tell it that we gave up compiling
        a node and hence don't have LValue's for that node (by virtue of us giving up due to
        !isValid()). But the CFA's isValid() bit will not be set correctly for blocks that
        weren't visited by the CFA at all, and the CFA expects you to know this because it
        expects that you already checked BasicBlock::cfaHasVisited.
      
      - SetLocal needs to change the ValueSource of the operand to indicate that its value has
        been stashed in the local (i.e. the "reference" corresponding to the operand in FTL
        speak). This is because although OSR exit already knows that the value of the operand is
        stored in the Node, and it already knows what LValue corresponds to the node, OSR exit
        will also assume that if the Node dies then the value-at-exit for that operand should be
        Dead (i.e. jsUndefined). But the Node dying, and the local dying, are two distinct
        things; in particular the local always outlives the Node in the case of a SetLocal. So,
        we just need to have SetLocal have the ValueSource be BlahInLocal rather than HaveNode,
        to ensure that OSR exit knows that the darn thing is really live until the end of the
        basic block, as opposed to until whenever the Node dies (which could be at any time).
      
      - PutByOffset was erroneously storing to an offset from the base object, rather than an
        offset from the storage. Note that the storage will be the base object (exactly - i.e.
        same node, same value) for inline stores, but will be a distinct thing for out-of-line
        stores.
      
      - At-head set-up of OSR exit state was using ValueInLocals for variables forced double,
        when it should have been using DoubleInLocals.
      
      * ftl/FTLCapabilities.cpp:
      (JSC::FTL::canCompile):
      * ftl/FTLLowerDFGToLLVM.cpp:
      (JSC::FTL::LowerDFGToLLVM::compileBlock):
      (JSC::FTL::LowerDFGToLLVM::compileNode):
      (JSC::FTL::LowerDFGToLLVM::compileSetLocal):
      (JSC::FTL::LowerDFGToLLVM::compilePutByOffset):
      (JSC::FTL::LowerDFGToLLVM::initializeOSRExitStateForBlock):
      (JSC::FTL::LowerDFGToLLVM::addExitArgumentForNode):
      
      git-svn-id: http://svn.webkit.org/repository/webkit/trunk@153251 268f45cc-cd09-0410-ab3c-d52691b4dbfc
      6a2aafdc
    • oliver@apple.com's avatar
      fourthTier: FTL should support PutByVal · 5b4f1429
      oliver@apple.com authored
      https://bugs.webkit.org/show_bug.cgi?id=118075
      
      Reviewed by Mark Hahnenberg.
      
      * ftl/FTLCapabilities.cpp:
      (JSC::FTL::canCompile):
      * ftl/FTLLowerDFGToLLVM.cpp:
      (JSC::FTL::LowerDFGToLLVM::lower):
      (JSC::FTL::LowerDFGToLLVM::compileNode):
      (JSC::FTL::LowerDFGToLLVM::compileGetByVal):
      (LowerDFGToLLVM):
      (JSC::FTL::LowerDFGToLLVM::compilePutByVal):
      
      git-svn-id: http://svn.webkit.org/repository/webkit/trunk@153250 268f45cc-cd09-0410-ab3c-d52691b4dbfc
      5b4f1429
    • oliver@apple.com's avatar
      fourthTier: DFG should support switch_string · 5c826c0d
      oliver@apple.com authored
      https://bugs.webkit.org/show_bug.cgi?id=117967
      
      Source/JavaScriptCore:
      
      Reviewed by Sam Weinig.
      
      Add a reusable binary switch creator.
      
      Implement switch on string using three modes:
      
      - Binary switch on StringImpl* in the case of identifiers.
      
      - Trie of binary switches on characters in the case of a not-too-big
        switch over not-too-big 8-bit strings.
      
      - Hash lookup if all else fails.
      
      Anywhere from a 2x to 3x speed-up on microbenchmarks that stress
      string switches. 25-35% speed-up on HashMap tests. 4% speed-up on
      pdfjs.
      
      * JavaScriptCore.xcodeproj/project.pbxproj:
      * bytecode/JumpTable.h:
      (StringJumpTable):
      (JSC::StringJumpTable::clear):
      * dfg/DFGBackwardsPropagationPhase.cpp:
      (JSC::DFG::BackwardsPropagationPhase::propagate):
      * dfg/DFGBinarySwitch.cpp: Added.
      (DFG):
      (JSC::DFG::BinarySwitch::BinarySwitch):
      (JSC::DFG::BinarySwitch::advance):
      (JSC::DFG::BinarySwitch::build):
      * dfg/DFGBinarySwitch.h: Added.
      (DFG):
      (BinarySwitch):
      (JSC::DFG::BinarySwitch::caseIndex):
      (JSC::DFG::BinarySwitch::caseValue):
      (JSC::DFG::BinarySwitch::fallThrough):
      (JSC::DFG::BinarySwitch::Case::Case):
      (Case):
      (JSC::DFG::BinarySwitch::Case::operator<):
      (JSC::DFG::BinarySwitch::BranchCode::BranchCode):
      (BranchCode):
      * dfg/DFGByteCodeParser.cpp:
      (JSC::DFG::ByteCodeParser::parseBlock):
      * dfg/DFGCapabilities.cpp:
      (JSC::DFG::capabilityLevel):
      * dfg/DFGFixupPhase.cpp:
      (JSC::DFG::FixupPhase::fixupNode):
      * dfg/DFGJITCompiler.cpp:
      (JSC::DFG::JITCompiler::link):
      * dfg/DFGLazyJSValue.cpp:
      (JSC::DFG::LazyJSValue::getValue):
      (JSC::DFG::equalToStringImpl):
      (DFG):
      (JSC::DFG::LazyJSValue::strictEqual):
      (JSC::DFG::LazyJSValue::dump):
      * dfg/DFGLazyJSValue.h:
      (JSC::DFG::LazyJSValue::knownStringImpl):
      (LazyJSValue):
      (JSC::DFG::LazyJSValue::stringImpl):
      (JSC::DFG::LazyJSValue::switchLookupValue):
      * dfg/DFGNode.cpp:
      (WTF::printInternal):
      * dfg/DFGNode.h:
      * dfg/DFGOperations.cpp:
      * dfg/DFGOperations.h:
      * dfg/DFGSpeculativeJIT.cpp:
      (JSC::DFG::SpeculativeJIT::emitSwitchChar):
      (JSC::DFG::SpeculativeJIT::StringSwitchCase::operator<):
      (DFG):
      (JSC::DFG::SpeculativeJIT::emitBinarySwitchStringRecurse):
      (JSC::DFG::SpeculativeJIT::emitSwitchStringOnString):
      (JSC::DFG::SpeculativeJIT::emitSwitchString):
      (JSC::DFG::SpeculativeJIT::emitSwitch):
      (JSC::DFG::SpeculativeJIT::addBranch):
      * dfg/DFGSpeculativeJIT.h:
      (JSC::DFG::SpeculativeJIT::callOperation):
      (JSC::DFG::SpeculativeJIT::branch8):
      (SpeculativeJIT):
      (JSC::DFG::SpeculativeJIT::StringSwitchCase::StringSwitchCase):
      (StringSwitchCase):
      * ftl/FTLLowerDFGToLLVM.cpp:
      (JSC::FTL::LowerDFGToLLVM::compileSwitch):
      * runtime/Options.h:
      (JSC):
      
      Source/WTF:
      
      Reviewed by Sam Weinig.
      
      Make it possible to compare a RefPtr<StringImpl> and a StringImpl* without
      having to ref the StringImpl.
      
      * wtf/text/StringHash.h:
      (WTF::StringHash::equal):
      
      LayoutTests:
      
      Reviewed by Sam Weinig.
      
      * fast/js/regress/script-tests/switch-string-basic-big-var.js: Added.
      (foo):
      (make):
      * fast/js/regress/script-tests/switch-string-basic-big.js: Added.
      (foo):
      (make):
      * fast/js/regress/script-tests/switch-string-basic-var.js: Added.
      (foo):
      (make):
      * fast/js/regress/script-tests/switch-string-basic.js: Added.
      (foo):
      * fast/js/regress/script-tests/switch-string-big-length-tower-var.js: Added.
      (foo):
      * fast/js/regress/script-tests/switch-string-length-tower-var.js: Added.
      (foo):
      * fast/js/regress/script-tests/switch-string-length-tower.js: Added.
      (foo):
      * fast/js/regress/script-tests/switch-string-short.js: Added.
      (foo):
      * fast/js/regress/switch-string-basic-big-expected.txt: Added.
      * fast/js/regress/switch-string-basic-big-var-expected.txt: Added.
      * fast/js/regress/switch-string-basic-big-var.html: Added.
      * fast/js/regress/switch-string-basic-big.html: Added.
      * fast/js/regress/switch-string-basic-expected.txt: Added.
      * fast/js/regress/switch-string-basic-var-expected.txt: Added.
      * fast/js/regress/switch-string-basic-var.html: Added.
      * fast/js/regress/switch-string-basic.html: Added.
      * fast/js/regress/switch-string-big-length-tower-var-expected.txt: Added.
      * fast/js/regress/switch-string-big-length-tower-var.html: Added.
      * fast/js/regress/switch-string-length-tower-expected.txt: Added.
      * fast/js/regress/switch-string-length-tower-var-expected.txt: Added.
      * fast/js/regress/switch-string-length-tower-var.html: Added.
      * fast/js/regress/switch-string-length-tower.html: Added.
      * fast/js/regress/switch-string-short-expected.txt: Added.
      * fast/js/regress/switch-string-short.html: Added.
      
      Conflicts:
      	Source/JavaScriptCore/JavaScriptCore.xcodeproj/project.pbxproj
      
      git-svn-id: http://svn.webkit.org/repository/webkit/trunk@153248 268f45cc-cd09-0410-ab3c-d52691b4dbfc
      5c826c0d
    • oliver@apple.com's avatar
      fourthTier: FTL should support SwitchChar · 39478946
      oliver@apple.com authored
      https://bugs.webkit.org/show_bug.cgi?id=117849
      
      Reviewed by Geoffrey Garen.
      
      This adds Switch(SwitchChar) to the FTL and also implicitly does some other things.
      SwitchChar requires calling a slow path to resolve ropes. Previously the FTL had no
      support for calling slow paths, and we avoided adding coverage that would require
      that. Well, this patch adds the ability to call slow paths and just uses that for
      resolving ropes for SwitchChar. Also SwitchChar required adding awareness of strings,
      so I did that, too.
      
      * bytecode/CodeBlock.h:
      (CodeBlock):
      (JSC::CodeBlock::addCodeOrigin):
      * dfg/DFGBackwardsPropagationPhase.cpp:
      (JSC::DFG::BackwardsPropagationPhase::propagate):
      * dfg/DFGGraph.cpp:
      (JSC::DFG::Graph::dump):
      * dfg/DFGNode.cpp:
      (WTF):
      (WTF::printInternal):
      * dfg/DFGNode.h:
      (WTF):
      * dfg/DFGOperations.h:
      * dfg/DFGSpeculativeJIT.h:
      (JSC::DFG::SpeculativeJIT::callOperation):
      * ftl/FTLAbbreviations.h:
      (JSC::FTL::int16Type):
      (JSC::FTL::constInt):
      * ftl/FTLAbstractHeapRepository.h:
      (FTL):
      * ftl/FTLCapabilities.cpp:
      (JSC::FTL::canCompile):
      * ftl/FTLCommonValues.cpp:
      (JSC::FTL::CommonValues::CommonValues):
      * ftl/FTLCommonValues.h:
      (CommonValues):
      * ftl/FTLIntrinsicRepository.cpp:
      (JSC::FTL::IntrinsicRepository::IntrinsicRepository):
      (FTL):
      * ftl/FTLIntrinsicRepository.h:
      (FTL):
      (IntrinsicRepository):
      * ftl/FTLLowerDFGToLLVM.cpp:
      (JSC::FTL::LowerDFGToLLVM::lower):
      (JSC::FTL::LowerDFGToLLVM::transferAndCheckArguments):
      (JSC::FTL::LowerDFGToLLVM::compileJump):
      (JSC::FTL::LowerDFGToLLVM::compileBranch):
      (JSC::FTL::LowerDFGToLLVM::compileSwitch):
      (JSC::FTL::LowerDFGToLLVM::buildSwitch):
      (LowerDFGToLLVM):
      (JSC::FTL::LowerDFGToLLVM::lowString):
      (JSC::FTL::LowerDFGToLLVM::speculate):
      (JSC::FTL::LowerDFGToLLVM::isObject):
      (JSC::FTL::LowerDFGToLLVM::isNotString):
      (JSC::FTL::LowerDFGToLLVM::isString):
      (JSC::FTL::LowerDFGToLLVM::isNotObject):
      (JSC::FTL::LowerDFGToLLVM::speculateObject):
      (JSC::FTL::LowerDFGToLLVM::speculateString):
      (JSC::FTL::LowerDFGToLLVM::speculateNonNullObject):
      (JSC::FTL::LowerDFGToLLVM::vmCall):
      (JSC::FTL::LowerDFGToLLVM::callPreflight):
      (JSC::FTL::LowerDFGToLLVM::callCheck):
      (JSC::FTL::LowerDFGToLLVM::lowBlock):
      * ftl/FTLOutput.h:
      (JSC::FTL::Output::constBool):
      (JSC::FTL::Output::constInt8):
      (JSC::FTL::Output::constInt32):
      (JSC::FTL::Output::constIntPtr):
      (JSC::FTL::Output::constInt64):
      (JSC::FTL::Output::load16):
      (JSC::FTL::Output::isNull):
      (JSC::FTL::Output::notNull):
      (JSC::FTL::Output::testIsZero32):
      (JSC::FTL::Output::testNonZero32):
      (Output):
      (JSC::FTL::Output::operation):
      (JSC::FTL::Output::crash):
      
      git-svn-id: http://svn.webkit.org/repository/webkit/trunk@153235 268f45cc-cd09-0410-ab3c-d52691b4dbfc
      39478946
    • oliver@apple.com's avatar
      fourthTier: DFG should have switch_char · 9e1c8098
      oliver@apple.com authored
      https://bugs.webkit.org/show_bug.cgi?id=117710
      
      Source/JavaScriptCore:
      
      Reviewed by Michael Saboff.
      
      Add op_switch_char. Most of this is fairly simple, except for the whole
      LazyJSValue thing.
      
      It's long been the case that anytime you wanted the DFG to speak of a string
      that didn't appear in the constant pool, you would have a hard time since
      the DFG isn't allowed to allocate in the GC heap. For example, if you know
      that you want to speak of a single character string, you might find that
      the one you wanted to speak of had been GC'd. Another example is if you
      wanted to add constant folding for string concatenation - something we don't
      have yet but will want eventually.
      
      I solve this by finally adding the notion of LazyJSValue. In the future I
      anticipate using this for a variety of string-related things. The idea here
      is that the DFG can either say that it already knows what the value is, or
      it can describe the value. For example, in this patch I needed to be able to
      describe single-character strings.
      
      * JavaScriptCore.xcodeproj/project.pbxproj:
      * bytecode/CodeBlock.cpp:
      (JSC::CodeBlock::dumpBytecode):
      (JSC::CodeBlock::CodeBlock):
      * bytecode/JumpTable.h:
      * dfg/DFGBackwardsPropagationPhase.cpp:
      (JSC::DFG::BackwardsPropagationPhase::propagate):
      * dfg/DFGByteCodeParser.cpp:
      (InlineStackEntry):
      (JSC::DFG::ByteCodeParser::parseBlock):
      (JSC::DFG::ByteCodeParser::InlineStackEntry::InlineStackEntry):
      * dfg/DFGCFGSimplificationPhase.cpp:
      (JSC::DFG::CFGSimplificationPhase::run):
      * dfg/DFGCapabilities.cpp:
      (JSC::DFG::capabilityLevel):
      * dfg/DFGDriver.cpp:
      (JSC::DFG::compile):
      * dfg/DFGFixupPhase.cpp:
      (JSC::DFG::FixupPhase::fixupNode):
      * dfg/DFGGPRInfo.h:
      (JSC::DFG::JSValueRegs::payloadGPR):
      * dfg/DFGJITCompiler.cpp:
      (JSC::DFG::JITCompiler::jumpTable):
      (DFG):
      (JSC::DFG::JITCompiler::numberOfJumpTables):
      (JSC::DFG::JITCompiler::linkSwitches):
      (JSC::DFG::JITCompiler::link):
      * dfg/DFGJITCompiler.h:
      (JITCompiler):
      * dfg/DFGLazyJSValue.cpp: Added.
      (DFG):
      (JSC::DFG::LazyJSValue::getValue):
      (JSC::DFG::equalToSingleCharacter):
      (JSC::DFG::LazyJSValue::strictEqual):
      (JSC::DFG::LazyJSValue::dump):
      * dfg/DFGLazyJSValue.h: Added.
      (DFG):
      (LazyJSValue):
      (JSC::DFG::LazyJSValue::LazyJSValue):
      (JSC::DFG::LazyJSValue::singleCharacterString):
      (JSC::DFG::LazyJSValue::tryGetValue):
      (JSC::DFG::LazyJSValue::value):
      (JSC::DFG::LazyJSValue::character):
      (JSC::DFG::LazyJSValue::switchLookupValue):
      * dfg/DFGNode.h:
      (JSC::DFG::SwitchCase::SwitchCase):
      (SwitchCase):
      * dfg/DFGSpeculativeJIT.cpp:
      (JSC::DFG::SpeculativeJIT::emitSwitchIntJump):
      (JSC::DFG::SpeculativeJIT::emitSwitchImmIntJump):
      (DFG):
      (JSC::DFG::SpeculativeJIT::emitSwitchImm):
      (JSC::DFG::SpeculativeJIT::emitSwitchCharStringJump):
      (JSC::DFG::SpeculativeJIT::emitSwitchChar):
      (JSC::DFG::SpeculativeJIT::emitSwitch):
      * dfg/DFGSpeculativeJIT.h:
      (SpeculativeJIT):
      
      Source/WTF:
      
      Reviewed by Michael Saboff.
      
      I wanted to be able to say stringImpl->at(index), and now I can!
      
      Also made it possible to convert a UChar to a utf8 CString without
      allocating a StringImpl.
      
      * wtf/text/StringImpl.cpp:
      (WTF::StringImpl::utf8Impl):
      (WTF):
      (WTF::StringImpl::utf8ForCharacters):
      (WTF::StringImpl::utf8ForRange):
      * wtf/text/StringImpl.h:
      (StringImpl):
      (WTF::StringImpl::at):
      (WTF::StringImpl::operator[]):
      
      LayoutTests:
      
      Rubber stamped by Mark Hahnenberg.
      
      * fast/js/regress/script-tests/switch-char-constant.js: Added.
      (foo):
      (bar):
      * fast/js/regress/script-tests/switch-char.js: Added.
      (foo):
      (bar):
      * fast/js/regress/switch-char-constant-expected.txt: Added.
      * fast/js/regress/switch-char-constant.html: Added.
      * fast/js/regress/switch-char-expected.txt: Added.
      * fast/js/regress/switch-char.html: Added.
      
      git-svn-id: http://svn.webkit.org/repository/webkit/trunk@153234 268f45cc-cd09-0410-ab3c-d52691b4dbfc
      9e1c8098
    • oliver@apple.com's avatar
      fourthTier: FTL should support Switch · 9f4a672d
      oliver@apple.com authored
      https://bugs.webkit.org/show_bug.cgi?id=117704
      
      Reviewed by Oliver Hunt.
      
      * bytecode/CodeBlock.h:
      (JSC::CodeBlock::clearImmediateSwitchJumpTables):
      * ftl/FTLAbbreviations.h:
      (JSC::FTL::buildFPToSI):
      (JSC::FTL::buildSwitch):
      (JSC::FTL::addCase):
      (FTL):
      * ftl/FTLCapabilities.cpp:
      (JSC::FTL::canCompile):
      * ftl/FTLLink.cpp:
      (JSC::FTL::link):
      * ftl/FTLLowerDFGToLLVM.cpp:
      (JSC::FTL::LowerDFGToLLVM::compileNode):
      (JSC::FTL::LowerDFGToLLVM::compileSwitch):
      (LowerDFGToLLVM):
      * ftl/FTLOutput.h:
      (JSC::FTL::Output::fpToInt):
      (JSC::FTL::Output::fpToInt32):
      (Output):
      (JSC::FTL::Output::switchInstruction):
      * ftl/FTLSwitchCase.h: Added.
      (FTL):
      (SwitchCase):
      (JSC::FTL::SwitchCase::SwitchCase):
      (JSC::FTL::SwitchCase::value):
      (JSC::FTL::SwitchCase::target):
      
      Conflicts:
      	Source/JavaScriptCore/JavaScriptCore.xcodeproj/project.pbxproj
      
      git-svn-id: http://svn.webkit.org/repository/webkit/trunk@153230 268f45cc-cd09-0410-ab3c-d52691b4dbfc
      9f4a672d
    • oliver@apple.com's avatar
      fourthTier: don't insert ForceOSRExits except for inadequate coverage · 37bd9382
      oliver@apple.com authored
      https://bugs.webkit.org/show_bug.cgi?id=117363
      
      Source/JavaScriptCore:
      
      Reviewed by Mark Hahnenberg.
      
      Previously (in http://trac.webkit.org/changeset/151303) I made it so that we
      inserted ForceOSRExits more eagerly.  I now think it's better to have
      contradictions execute normally and exit with full OSR exit profiling.  It's
      better at catching the few cases where the DFG will end up with different
      types than the baseline engines.
      
      This simplifies a bunch of code. For example it gets rid of
      ConstantFoldingPhase::paintUnreachableCode().
      
      You can think of this as a partial roll-out of r151303, except that it uses
      the facilities introduced by that patch to give us run-time assertions that
      check the CFA's correctness: if the CFA thought that something was a
      contradiction but the code didn't exit, we'll now trap.
      
      * dfg/DFGAbstractState.cpp:
      (JSC::DFG::AbstractState::AbstractState):
      (JSC::DFG::AbstractState::startExecuting):
      (JSC::DFG::AbstractState::executeEffects):
      (JSC::DFG::AbstractState::execute):
      (JSC::DFG::AbstractState::filter):
      (JSC::DFG::AbstractState::filterArrayModes):
      (JSC::DFG::AbstractState::filterByValue):
      (DFG):
      * dfg/DFGAbstractState.h:
      (AbstractState):
      (JSC::DFG::AbstractState::filter):
      (JSC::DFG::AbstractState::filterArrayModes):
      (JSC::DFG::AbstractState::filterByValue):
      * dfg/DFGCFAPhase.cpp:
      (JSC::DFG::CFAPhase::performBlockCFA):
      * dfg/DFGConstantFoldingPhase.cpp:
      (JSC::DFG::ConstantFoldingPhase::run):
      (JSC::DFG::ConstantFoldingPhase::foldConstants):
      (ConstantFoldingPhase):
      * dfg/DFGSpeculativeJIT.cpp:
      (JSC::DFG::SpeculativeJIT::compile):
      * ftl/FTLLowerDFGToLLVM.cpp:
      (JSC::FTL::LowerDFGToLLVM::compileNode):
      
      LayoutTests:
      
      Reviewed by Mark Hahnenberg.
      
      Convert this test, since this was the test originally added for
      ConstantFoldingPhase::paintUnreachableCode(). I wanted to make sure that I had good coverage
      for this since I am removing that method.
      
      * fast/js/dfg-force-exit-then-sparse-conditional-constant-prop-in-loop-expected.txt:
      * fast/js/script-tests/dfg-force-exit-then-sparse-conditional-constant-prop-in-loop.js:
      
      git-svn-id: http://svn.webkit.org/repository/webkit/trunk@153215 268f45cc-cd09-0410-ab3c-d52691b4dbfc
      37bd9382
    • oliver@apple.com's avatar
      fourthTier: DFG CFA should know when it hits a contradiction · 3391387e
      oliver@apple.com authored
      https://bugs.webkit.org/show_bug.cgi?id=117272
      
      Reviewed by Oliver Hunt.
      
      This makes the DFG CFA immediately detect when it hit a contradiction. Previously
      we might not know this: for example if we did an int32 type check on a known string;
      the code would definitely always exit but the CFA would think that we wouldn't have
      even though it would have computed a BOTTOM (i.e. contradictory) value for that
      variable.
      
      This requires two other changes:
      
      - CFA must report contradictions as if they are frequent exit sites, since
        contradictory speculations will subsequently get replaced with ForceOSRExit.
        ForceOSRExit cannot itself report profiling data back to the DFG::ExitProfile. So,
        we do this on behalf of the speculation, eagerly, within the CFA. This also has
        the effect of speeding convergence somewhat. We may want to revisit this later;
        for example we might want to instead have the notion of a ForceOSRExit that knows
        the set of speculations that got folded into it.
      
      - This revealed a bug where the CFA was modeling CheckStructure on a node that had
        a known singleton m_futurePossibleStructure set somewhat differently than the
        constant folder. If the CheckStructure was checking a structure set with two or
        more structures in it, it would not filter the abstract value. But the constant
        folder would turn this into a watchpoint on the singleton structure, thereby
        filtering the value. This discrepancy meant that we wouldn't realize the
        contradiction until the backend, and the AbstractState::bail() method asserts that
        we always realize contradictions in the constant folder.
      
      * JavaScriptCore.xcodeproj/project.pbxproj:
      * bytecode/CodeBlock.h:
      (JSC::CodeBlock::addFrequentExitSite):
      (JSC::CodeBlock::hasExitSite):
      (CodeBlock):
      * bytecode/DFGExitProfile.cpp:
      (JSC::DFG::ExitProfile::add):
      (JSC::DFG::ExitProfile::hasExitSite):
      (JSC::DFG::QueryableExitProfile::QueryableExitProfile):
      (JSC::DFG::QueryableExitProfile::~QueryableExitProfile):
      (DFG):
      (JSC::DFG::QueryableExitProfile::initialize):
      * bytecode/DFGExitProfile.h:
      (JSC::DFG::FrequentExitSite::FrequentExitSite):
      (ExitProfile):
      (JSC::DFG::ExitProfile::hasExitSite):
      (QueryableExitProfile):
      * bytecode/ExitKind.cpp:
      (JSC::exitKindToString):
      * dfg/DFGAbstractState.cpp:
      (JSC::DFG::AbstractState::AbstractState):
      (JSC::DFG::AbstractState::beginBasicBlock):
      (JSC::DFG::AbstractState::reset):
      (JSC::DFG::AbstractState::startExecuting):
      (JSC::DFG::AbstractState::executeEffects):
      (JSC::DFG::AbstractState::execute):
      (JSC::DFG::AbstractState::filter):
      (DFG):
      (JSC::DFG::AbstractState::filterArrayModes):
      (JSC::DFG::AbstractState::filterByValue):
      (JSC::DFG::AbstractState::bail):
      * dfg/DFGAbstractState.h:
      (AbstractState):
      (JSC::DFG::AbstractState::filter):
      (JSC::DFG::AbstractState::filterArrayModes):
      (JSC::DFG::AbstractState::filterByValue):
      (JSC::DFG::AbstractState::filterByType):
      * dfg/DFGAbstractValue.cpp:
      (JSC::DFG::AbstractValue::filter):
      (JSC::DFG::AbstractValue::filterArrayModes):
      (DFG):
      (JSC::DFG::AbstractValue::filterByValue):
      (JSC::DFG::AbstractValue::normalizeClarity):
      * dfg/DFGAbstractValue.h:
      (AbstractValue):
      * dfg/DFGByteCodeParser.cpp:
      (JSC::DFG::ByteCodeParser::InlineStackEntry::InlineStackEntry):
      * dfg/DFGCFAPhase.cpp:
      (JSC::DFG::CFAPhase::performBlockCFA):
      * dfg/DFGCapabilities.cpp:
      (JSC::DFG::debugFail):
      (JSC::DFG::capabilityLevel):
      * dfg/DFGConstantFoldingPhase.cpp:
      (JSC::DFG::ConstantFoldingPhase::foldConstants):
      (ConstantFoldingPhase):
      (JSC::DFG::ConstantFoldingPhase::paintUnreachableCode):
      * dfg/DFGFiltrationResult.h: Added.
      (DFG):
      * dfg/DFGFixupPhase.cpp:
      (JSC::DFG::FixupPhase::fixupNode):
      * dfg/DFGNodeType.h:
      (DFG):
      * dfg/DFGOSRExitBase.cpp:
      (JSC::DFG::OSRExitBase::considerAddingAsFrequentExitSiteSlow):
      * dfg/DFGOSRExitBase.h:
      (JSC::DFG::OSRExitBase::considerAddingAsFrequentExitSite):
      * dfg/DFGPredictionPropagationPhase.cpp:
      (JSC::DFG::PredictionPropagationPhase::propagate):
      * dfg/DFGSpeculativeJIT.cpp:
      (JSC::DFG::SpeculativeJIT::backwardTypeCheck):
      (JSC::DFG::SpeculativeJIT::bail):
      (DFG):
      (JSC::DFG::SpeculativeJIT::compile):
      (JSC::DFG::SpeculativeJIT::compileToStringOnCell):
      (JSC::DFG::SpeculativeJIT::speculateStringObject):
      (JSC::DFG::SpeculativeJIT::speculateStringOrStringObject):
      * dfg/DFGSpeculativeJIT.h:
      (SpeculativeJIT):
      * dfg/DFGSpeculativeJIT32_64.cpp:
      (JSC::DFG::SpeculativeJIT::fillSpeculateIntInternal):
      (JSC::DFG::SpeculativeJIT::fillSpeculateDouble):
      (JSC::DFG::SpeculativeJIT::fillSpeculateCell):
      (JSC::DFG::SpeculativeJIT::fillSpeculateBoolean):
      (JSC::DFG::SpeculativeJIT::compile):
      * dfg/DFGSpeculativeJIT64.cpp:
      (JSC::DFG::SpeculativeJIT::fillSpeculateIntInternal):
      (JSC::DFG::SpeculativeJIT::fillSpeculateDouble):
      (JSC::DFG::SpeculativeJIT::fillSpeculateCell):
      (JSC::DFG::SpeculativeJIT::fillSpeculateBoolean):
      (JSC::DFG::SpeculativeJIT::compile):
      * ftl/FTLCapabilities.cpp:
      (JSC::FTL::canCompile):
      * ftl/FTLLowerDFGToLLVM.cpp:
      (JSC::FTL::LowerDFGToLLVM::compileNode):
      (JSC::FTL::LowerDFGToLLVM::appendTypeCheck):
      
      git-svn-id: http://svn.webkit.org/repository/webkit/trunk@153213 268f45cc-cd09-0410-ab3c-d52691b4dbfc
      3391387e
    • oliver@apple.com's avatar
      fourthTier: FTL should support ArithAbs · 0452e56c
      oliver@apple.com authored
      https://bugs.webkit.org/show_bug.cgi?id=116890
      
      Reviewed by Oliver Hunt.
      
      Implements ArithAbs in the FTL, and cleans up the DFG implementation. The
      DFG implementation was previously doing zero extensions manually when it
      is probably better to just use StrictInt32Operand instead.
      
      * dfg/DFGSpeculativeJIT32_64.cpp:
      (JSC::DFG::SpeculativeJIT::compile):
      * dfg/DFGSpeculativeJIT64.cpp:
      (JSC::DFG::SpeculativeJIT::compile):
      * ftl/FTLCapabilities.cpp:
      (JSC::FTL::canCompile):
      * ftl/FTLIntrinsicRepository.h:
      (FTL):
      * ftl/FTLLowerDFGToLLVM.cpp:
      (JSC::FTL::LowerDFGToLLVM::compileNode):
      (JSC::FTL::LowerDFGToLLVM::compileArithAbs):
      (LowerDFGToLLVM):
      * ftl/FTLOutput.h:
      (JSC::FTL::Output::doubleAbs):
      
      git-svn-id: http://svn.webkit.org/repository/webkit/trunk@153198 268f45cc-cd09-0410-ab3c-d52691b4dbfc
      0452e56c
    • oliver@apple.com's avatar
      fourthTier: FTL should call masqueradesAsUndefinedWatchpointIfIsStillValid()... · 34c16e27
      oliver@apple.com authored
      fourthTier: FTL should call masqueradesAsUndefinedWatchpointIfIsStillValid() in all of the places where it currently calls masqueradesAsUndefinedWatchpointIsStillValid()
      https://bugs.webkit.org/show_bug.cgi?id=116892
      
      Reviewed by Oliver Hunt.
      
      All of those places mean to plant the watchpoint if it's still valid.
      
      * ftl/FTLLowerDFGToLLVM.cpp:
      (JSC::FTL::LowerDFGToLLVM::equalNullOrUndefined):
      (JSC::FTL::LowerDFGToLLVM::speculateNonNullObject):
      
      git-svn-id: http://svn.webkit.org/repository/webkit/trunk@153196 268f45cc-cd09-0410-ab3c-d52691b4dbfc
      34c16e27
    • oliver@apple.com's avatar
      fourthTier: FTL should support ArithMin/ArithMax · 61cccb84
      oliver@apple.com authored
      https://bugs.webkit.org/show_bug.cgi?id=116885
      
      Reviewed by Oliver Hunt.
      
      * ftl/FTLCapabilities.cpp:
      (JSC::FTL::canCompile):
      * ftl/FTLLowerDFGToLLVM.cpp:
      (JSC::FTL::LowerDFGToLLVM::compileNode):
      (LowerDFGToLLVM):
      (JSC::FTL::LowerDFGToLLVM::compileArithMinOrMax):
      
      git-svn-id: http://svn.webkit.org/repository/webkit/trunk@153194 268f45cc-cd09-0410-ab3c-d52691b4dbfc
      61cccb84
    • oliver@apple.com's avatar
      fourthTier: FTL should support ArithMod · d533b183
      oliver@apple.com authored
      https://bugs.webkit.org/show_bug.cgi?id=116792
      
      Reviewed by Oliver Hunt.
      
      * ftl/FTLAbbreviations.h:
      (JSC::FTL::buildFRem):
      * ftl/FTLCapabilities.cpp:
      (JSC::FTL::canCompile):
      * ftl/FTLLowerDFGToLLVM.cpp:
      (JSC::FTL::LowerDFGToLLVM::compileNode):
      (JSC::FTL::LowerDFGToLLVM::compileArithMod):
      (LowerDFGToLLVM):
      * ftl/FTLOutput.h:
      (JSC::FTL::Output::doubleRem):
      
      git-svn-id: http://svn.webkit.org/repository/webkit/trunk@153190 268f45cc-cd09-0410-ab3c-d52691b4dbfc
      d533b183
    • oliver@apple.com's avatar
      fourthTier: FTL should support ArithDiv · dd372b7a
      oliver@apple.com authored
      https://bugs.webkit.org/show_bug.cgi?id=116771
      
      Reviewed by Oliver Hunt.
      
      * ftl/FTLAbbreviations.h:
      (JSC::FTL::buildDiv):
      (JSC::FTL::buildRem):
      (JSC::FTL::buildFDiv):
      * ftl/FTLCapabilities.cpp:
      (JSC::FTL::canCompile):
      * ftl/FTLCommonValues.cpp:
      (JSC::FTL::CommonValues::CommonValues):
      * ftl/FTLCommonValues.h:
      (CommonValues):
      * ftl/FTLLowerDFGToLLVM.cpp:
      (JSC::FTL::LowerDFGToLLVM::compileNode):
      (JSC::FTL::LowerDFGToLLVM::compileArithMul):
      (JSC::FTL::LowerDFGToLLVM::compileArithDiv):
      (LowerDFGToLLVM):
      * ftl/FTLOutput.h:
      (JSC::FTL::Output::div):
      (JSC::FTL::Output::rem):
      (JSC::FTL::Output::doubleDiv):
      
      git-svn-id: http://svn.webkit.org/repository/webkit/trunk@153184 268f45cc-cd09-0410-ab3c-d52691b4dbfc
      dd372b7a
    • oliver@apple.com's avatar
      fourthTier: FTL boolify should support ObjectOrOtherUse · fdbb0868
      oliver@apple.com authored
      https://bugs.webkit.org/show_bug.cgi?id=116741
      
      Reviewed by Geoffrey Garen.
      
      Just reusing what was already there in equalNullOrUndefined(). Note that we will
      sometimes generate some redundant IR - like having some spurious bitNot's in
      places - but it's safe to assume that LLVM will simplify those, and that it won't
      be the longest pole in the tent for compile times.
      
      * ftl/FTLCapabilities.cpp:
      (JSC::FTL::canCompile):
      * ftl/FTLLowerDFGToLLVM.cpp:
      (JSC::FTL::LowerDFGToLLVM::compileCompareEqConstant):
      (JSC::FTL::LowerDFGToLLVM::compileCompareStrictEqConstant):
      (JSC::FTL::LowerDFGToLLVM::boolify):
      (JSC::FTL::LowerDFGToLLVM::equalNullOrUndefined):
      
      git-svn-id: http://svn.webkit.org/repository/webkit/trunk@153182 268f45cc-cd09-0410-ab3c-d52691b4dbfc
      fdbb0868
    • oliver@apple.com's avatar
      fourthTier: FTL should support LogicalNot and Branch on Int32 and Number · ec61ab2d
      oliver@apple.com authored
      https://bugs.webkit.org/show_bug.cgi?id=116739
      
      Reviewed by Gavin Barraclough.
      
      * ftl/FTLCapabilities.cpp:
      (JSC::FTL::canCompile):
      * ftl/FTLLowerDFGToLLVM.cpp:
      (JSC::FTL::LowerDFGToLLVM::compileLogicalNot):
      (JSC::FTL::LowerDFGToLLVM::compileBranch):
      (JSC::FTL::LowerDFGToLLVM::boolify):
      (LowerDFGToLLVM):
      * ftl/FTLOutput.h:
      (JSC::FTL::Output::isZero32):
      (JSC::FTL::Output::notZero32):
      
      git-svn-id: http://svn.webkit.org/repository/webkit/trunk@153181 268f45cc-cd09-0410-ab3c-d52691b4dbfc
      ec61ab2d
    • oliver@apple.com's avatar
      fourthTier: FTL shouldn't use the LLVM global context, and should instead... · f023bee1
      oliver@apple.com authored
      fourthTier: FTL shouldn't use the LLVM global context, and should instead create its own context for each compilation
      https://bugs.webkit.org/show_bug.cgi?id=116631
      
      Reviewed by Mark Hahnenberg.
      
      In the future we might want to share contexts for multiple compilations, but for
      now using one context per compilation is a progression over just constantly using
      the global context.
      
      * dfg/DFGPlan.cpp:
      (JSC::DFG::Plan::compileInThread):
      (DFG):
      (JSC::DFG::Plan::compileInThreadImpl):
      * dfg/DFGPlan.h:
      * ftl/FTLAbbreviatedTypes.h:
      (FTL):
      * ftl/FTLAbbreviations.h:
      (JSC::FTL::voidType):
      (JSC::FTL::int1Type):
      (JSC::FTL::int8Type):
      (JSC::FTL::int32Type):
      (JSC::FTL::int64Type):
      (JSC::FTL::intPtrType):
      (JSC::FTL::doubleType):
      (JSC::FTL::structType):
      (JSC::FTL::mdKindID):
      (JSC::FTL::mdString):
      (JSC::FTL::mdNode):
      (JSC::FTL::appendBasicBlock):
      (JSC::FTL::insertBasicBlock):
      * ftl/FTLAbstractHeap.cpp:
      (JSC::FTL::AbstractHeap::tbaaMetadataSlow):
      (JSC::FTL::IndexedAbstractHeap::IndexedAbstractHeap):
      (JSC::FTL::NumberedAbstractHeap::NumberedAbstractHeap):
      (JSC::FTL::AbsoluteAbstractHeap::AbsoluteAbstractHeap):
      * ftl/FTLAbstractHeap.h:
      (IndexedAbstractHeap):
      (NumberedAbstractHeap):
      (AbsoluteAbstractHeap):
      * ftl/FTLAbstractHeapRepository.cpp:
      (JSC::FTL::AbstractHeapRepository::AbstractHeapRepository):
      * ftl/FTLAbstractHeapRepository.h:
      (AbstractHeapRepository):
      * ftl/FTLCommonValues.cpp:
      (JSC::FTL::CommonValues::CommonValues):
      * ftl/FTLCommonValues.h:
      (CommonValues):
      * ftl/FTLCompile.cpp:
      (JSC::FTL::mmAllocateCodeSection):
      * ftl/FTLIntrinsicRepository.cpp:
      (JSC::FTL::IntrinsicRepository::IntrinsicRepository):
      * ftl/FTLIntrinsicRepository.h:
      (FTL):
      (IntrinsicRepository):
      * ftl/FTLLowerDFGToLLVM.cpp:
      (JSC::FTL::LowerDFGToLLVM::LowerDFGToLLVM):
      (JSC::FTL::LowerDFGToLLVM::lower):
      * ftl/FTLOutput.cpp:
      (JSC::FTL::Output::Output):
      * ftl/FTLOutput.h:
      (Output):
      (JSC::FTL::Output::newBlock):
      * ftl/FTLState.cpp:
      (JSC::FTL::State::State):
      (JSC::FTL::State::~State):
      (FTL):
      * ftl/FTLState.h:
      (State):
      * runtime/Options.h:
      (JSC):
      
      git-svn-id: http://svn.webkit.org/repository/webkit/trunk@153174 268f45cc-cd09-0410-ab3c-d52691b4dbfc
      f023bee1
    • oliver@apple.com's avatar
      fourthTier: DFG should separate link phase into things that must be done... · 90fce824
      oliver@apple.com authored
      fourthTier: DFG should separate link phase into things that must be done concurrently and things that must be done synchronously, and have a way of passing data from one to the other
      https://bugs.webkit.org/show_bug.cgi?id=116060
      
      Reviewed by Gavin Barraclough.
      
      This introduces the concept of a DFG::Plan, which corresponds to:
      
      - The data that the concurrent DFG or FTL need to start compiling a CodeBlock.
        This mostly includes basic things like CodeBlock*, but also a list of
        must-handle values for OSR entry.
      
      - The data that the synchronous linker need to link in code compiled by a
        concurrent compilation thread. This is further encapsulated by DFG::Finalizer,
        since the data, and the actions that need to be taken, are different in DFG
        versus FTL. This patch also institutes the policy that the concurrent
        compilation thread shall not use LinkBuffer::performFinalization(), since that
        code assumes that it's running on the same thread that will actually run the
        code.
      
      - The actions that need to be taken to compile code. In other words, most of the
        code that previously lived in DFGDriver.cpp now lives in
        DFG::Plan::compileInThread().
      
      - The actions that need to be taken when synchronously linking the code. This
        includes "really" adding watchpoints and identifiers, checking watchpoint and
        chain validity, and running the DFG::Finalizer.
      
      Currently, DFGDriver just creates a Plan and runs it synchronously. But in the
      future, we will be able to malloc some Plans and enqueue them, and have the
      concurrent thread dequeue them and call Plan::compileInThread().
      
      For now, this has no behavior or performance change.
      
      * JavaScriptCore.xcodeproj/project.pbxproj:
      * assembler/LinkBuffer.cpp:
      (JSC::LinkBuffer::performFinalization):
      * assembler/LinkBuffer.h:
      (LinkBuffer):
      (JSC::LinkBuffer::LinkBuffer):
      (JSC::LinkBuffer::~LinkBuffer):
      * dfg/DFGAbstractState.cpp:
      (JSC::DFG::AbstractState::initialize):
      (JSC::DFG::AbstractState::executeEffects):
      * dfg/DFGAbstractValue.cpp:
      (JSC::DFG::AbstractValue::setFuturePossibleStructure):
      (JSC::DFG::AbstractValue::filterFuturePossibleStructure):
      * dfg/DFGByteCodeParser.cpp:
      (JSC::DFG::ByteCodeParser::addStructureTransitionCheck):
      (JSC::DFG::ByteCodeParser::handleGetById):
      (JSC::DFG::ByteCodeParser::parseResolveOperations):
      (JSC::DFG::ByteCodeParser::parseBlock):
      (JSC::DFG::ByteCodeParser::InlineStackEntry::InlineStackEntry):
      (JSC::DFG::ByteCodeParser::parseCodeBlock):
      * dfg/DFGConstantFoldingPhase.cpp:
      (JSC::DFG::ConstantFoldingPhase::foldConstants):
      (JSC::DFG::ConstantFoldingPhase::addStructureTransitionCheck):
      * dfg/DFGDriver.cpp:
      (DFG):
      (JSC::DFG::compile):
      * dfg/DFGFailedFinalizer.cpp: Added.
      (DFG):
      (JSC::DFG::FailedFinalizer::FailedFinalizer):
      (JSC::DFG::FailedFinalizer::~FailedFinalizer):
      (JSC::DFG::FailedFinalizer::finalize):
      (JSC::DFG::FailedFinalizer::finalizeFunction):
      * dfg/DFGFailedFinalizer.h: Added.
      (DFG):
      (FailedFinalizer):
      * dfg/DFGFinalizer.cpp: Added.
      (DFG):
      (JSC::DFG::Finalizer::Finalizer):
      (JSC::DFG::Finalizer::~Finalizer):
      * dfg/DFGFinalizer.h: Added.
      (DFG):
      (Finalizer):
      * dfg/DFGFixupPhase.cpp:
      (JSC::DFG::FixupPhase::fixupNode):
      (JSC::DFG::FixupPhase::canOptimizeStringObjectAccess):
      * dfg/DFGGraph.cpp:
      (JSC::DFG::Graph::Graph):
      (JSC::DFG::Graph::dump):
      (DFG):
      * dfg/DFGGraph.h:
      (Graph):
      (JSC::DFG::Graph::masqueradesAsUndefinedWatchpointIsStillValid):
      (JSC::DFG::Graph::compilation):
      (JSC::DFG::Graph::identifiers):
      (JSC::DFG::Graph::watchpoints):
      (JSC::DFG::Graph::chains):
      * dfg/DFGJITCompiler.cpp:
      (JSC::DFG::JITCompiler::linkOSRExits):
      (JSC::DFG::JITCompiler::link):
      (JSC::DFG::JITCompiler::compile):
      (JSC::DFG::JITCompiler::compileFunction):
      (JSC::DFG::JITCompiler::linkFunction):
      (DFG):
      (JSC::DFG::JITCompiler::disassemble):
      * dfg/DFGJITCompiler.h:
      (JITCompiler):
      (JSC::DFG::JITCompiler::addLazily):
      * dfg/DFGJITFinalizer.cpp: Added.
      (DFG):
      (JSC::DFG::JITFinalizer::JITFinalizer):
      (JSC::DFG::JITFinalizer::~JITFinalizer):
      (JSC::DFG::JITFinalizer::finalize):
      (JSC::DFG::JITFinalizer::finalizeFunction):
      (JSC::DFG::JITFinalizer::finalizeCommon):
      * dfg/DFGJITFinalizer.h: Added.
      (DFG):
      (JITFinalizer):
      * dfg/DFGPlan.cpp: Added.
      (DFG):
      (JSC::DFG::dumpAndVerifyGraph):
      (JSC::DFG::Plan::Plan):
      (JSC::DFG::Plan::~Plan):
      (JSC::DFG::Plan::compileInThread):
      (JSC::DFG::Plan::isStillValid):
      (JSC::DFG::Plan::reallyAdd):
      (JSC::DFG::Plan::finalize):
      * dfg/DFGPlan.h: Added.
      (DFG):
      (Plan):
      (JSC::DFG::Plan::vm):
      * dfg/DFGPredictionInjectionPhase.cpp:
      (JSC::DFG::PredictionInjectionPhase::run):
      * dfg/DFGSpeculativeJIT.h:
      (JSC::DFG::SpeculativeJIT::identifierUID):
      (JSC::DFG::SpeculativeJIT::speculateStringObjectForStructure):
      * dfg/DFGTypeCheckHoistingPhase.cpp:
      (JSC::DFG::TypeCheckHoistingPhase::run):
      * ftl/FTLGeneratedFunction.h: Added.
      (FTL):
      * ftl/FTLJITFinalizer.cpp: Added.
      (FTL):
      (JSC::FTL::JITFinalizer::JITFinalizer):
      (JSC::FTL::JITFinalizer::~JITFinalizer):
      (JSC::FTL::JITFinalizer::finalize):
      (JSC::FTL::JITFinalizer::finalizeFunction):
      * ftl/FTLJITFinalizer.h: Added.
      (FTL):
      (JITFinalizer):
      (JSC::FTL::JITFinalizer::initializeExitThunksLinkBuffer):
      (JSC::FTL::JITFinalizer::initializeEntrypointLinkBuffer):
      (JSC::FTL::JITFinalizer::initializeCode):
      (JSC::FTL::JITFinalizer::initializeFunction):
      (JSC::FTL::JITFinalizer::initializeArityCheck):
      (JSC::FTL::JITFinalizer::initializeJITCode):
      * ftl/FTLLink.cpp:
      (JSC::FTL::link):
      * ftl/FTLLink.h:
      (FTL):
      * ftl/FTLLowerDFGToLLVM.cpp:
      (JSC::FTL::LowerDFGToLLVM::linkOSRExitsAndCompleteInitializationBlocks):
      * ftl/FTLState.cpp:
      (JSC::FTL::State::State):
      * ftl/FTLState.h:
      (FTL):
      (State):
      
      git-svn-id: http://svn.webkit.org/repository/webkit/trunk@153161 268f45cc-cd09-0410-ab3c-d52691b4dbfc
      90fce824
    • oliver@apple.com's avatar
      fourthTier: FTL should support Jump and ForceOSRExit · 0d018be1
      oliver@apple.com authored
      https://bugs.webkit.org/show_bug.cgi?id=115942
      
      Reviewed by Oliver Hunt.
      
      Added two obvious nodes: Jump and ForceOSRExit. We already had everything we needed
      to support them.
      
      Adding these increases our coverage a fair bit, and revealed a bug: LLVM's full
      instruction selector currently appears to mishandle doubles in constant pools (or
      just constant pools in general) with the small code model in the MCJIT. But switching
      to FastISel "fixes" it. That's what this patch does, for now. This will probably
      actually be permanent; the FastISel does pretty much everything we would ever want,
      at least in the foreseeable future.
      
      * ftl/FTLCapabilities.cpp:
      (JSC::FTL::canCompile):
      (FTL):
      * ftl/FTLCompile.cpp:
      (JSC::FTL::compile):
      * ftl/FTLLowerDFGToLLVM.cpp:
      (JSC::FTL::LowerDFGToLLVM::compileBlock):
      (JSC::FTL::LowerDFGToLLVM::compileNode):
      (JSC::FTL::LowerDFGToLLVM::compileJSConstant):
      (LowerDFGToLLVM):
      (JSC::FTL::LowerDFGToLLVM::compileJump):
      (JSC::FTL::LowerDFGToLLVM::compileReturn):
      (JSC::FTL::LowerDFGToLLVM::compileForceOSRExit):
      * runtime/Options.h:
      (JSC):
      
      git-svn-id: http://svn.webkit.org/repository/webkit/trunk@153156 268f45cc-cd09-0410-ab3c-d52691b4dbfc
      0d018be1
    • oliver@apple.com's avatar
      fourthTier: FTL should support CompareStrictEqConstant · 9a58da10
      oliver@apple.com authored
      https://bugs.webkit.org/show_bug.cgi?id=115941
      
      Reviewed by Mark Hahnenberg.
      
      Pretty simple, but factors out the craziness of comparing against null or undefined
      in a way that is reusable for both == and ===.
      
      * ftl/FTLCapabilities.cpp:
      (JSC::FTL::canCompile):
      * ftl/FTLLowerDFGToLLVM.cpp:
      (JSC::FTL::LowerDFGToLLVM::compileNode):
      (JSC::FTL::LowerDFGToLLVM::compileCompareEqConstant):
      (JSC::FTL::LowerDFGToLLVM::compileCompareStrictEqConstant):
      (LowerDFGToLLVM):
      (JSC::FTL::LowerDFGToLLVM::equalNullOrUndefined):
      
      git-svn-id: http://svn.webkit.org/repository/webkit/trunk@153155 268f45cc-cd09-0410-ab3c-d52691b4dbfc
      9a58da10
    • oliver@apple.com's avatar
      fourthTier: FTL should support CompareEqConstant · aafa46d1
      oliver@apple.com authored
      https://bugs.webkit.org/show_bug.cgi?id=115939
      
      Reviewed by Oliver Hunt and Mark Hahnenberg.
      
      The most interesting part of this patch is the way I make it easier to deal with
      the inputs to Phi functions. This adds the notion of ValueFromBlock, which you
      can get by doing m_out.anchor(value). You can build up a vector of these, and then
      pass them to m_out.phi(type, vector) in one go.
      
      * JavaScriptCore.xcodeproj/project.pbxproj:
      * ftl/FTLAbbreviatedTypes.h: Added.
      (FTL):
      * ftl/FTLAbbreviations.h:
      (FTL):
      (JSC::FTL::addIncoming):
      (JSC::FTL::buildPhi):
      * ftl/FTLAbstractHeapRepository.h:
      (FTL):
      * ftl/FTLCapabilities.cpp:
      (JSC::FTL::canCompile):
      * ftl/FTLLowerDFGToLLVM.cpp:
      (JSC::FTL::LowerDFGToLLVM::compileNode):
      (JSC::FTL::LowerDFGToLLVM::compileCompareEqConstant):
      (LowerDFGToLLVM):
      (JSC::FTL::LowerDFGToLLVM::lowDouble):
      (JSC::FTL::LowerDFGToLLVM::masqueradesAsUndefinedWatchpointIfIsStillValid):
      * ftl/FTLOutput.h:
      (JSC::FTL::Output::phi):
      (Output):
      (JSC::FTL::Output::anchor):
      * ftl/FTLValueFromBlock.h: Added.
      (FTL):
      (ValueFromBlock):
      (JSC::FTL::ValueFromBlock::ValueFromBlock):
      (JSC::FTL::ValueFromBlock::value):
      (JSC::FTL::ValueFromBlock::block):
      
      git-svn-id: http://svn.webkit.org/repository/webkit/trunk@153154 268f45cc-cd09-0410-ab3c-d52691b4dbfc
      aafa46d1
    • oliver@apple.com's avatar
      fourthTier: FTL should support CompareStrictEq · 023d1c71
      oliver@apple.com authored
      https://bugs.webkit.org/show_bug.cgi?id=115927
      
      Reviewed by Mark Hahnenberg.
      
      Do the sensible thing, and make it so that for common cases, CompareEq is
      implemented in terms of CompareStrictEq in the FTL backend. All of the cases
      we currently support can be done this way.
      
      * ftl/FTLCapabilities.cpp:
      (JSC::FTL::canCompile):
      * ftl/FTLLowerDFGToLLVM.cpp:
      (JSC::FTL::LowerDFGToLLVM::compileNode):
      (JSC::FTL::LowerDFGToLLVM::compileCompareEq):
      (LowerDFGToLLVM):
      (JSC::FTL::LowerDFGToLLVM::compileCompareStrictEq):
      
      git-svn-id: http://svn.webkit.org/repository/webkit/trunk@153153 268f45cc-cd09-0410-ab3c-d52691b4dbfc
      023d1c71
    • oliver@apple.com's avatar
      fourthTier: FTL should support Int32ToDouble · afce403e
      oliver@apple.com authored
      https://bugs.webkit.org/show_bug.cgi?id=115926
      
      Reviewed by Mark Hahnenberg.
      
      This node exists mainly to help the DFG see that a node may have both an int
      and a double representation. But in the FTL, nodes already have multiple
      representations. So this is just a no-op for the FTL.
      
      I considered making it so that the node isn't even inserted if we're doing
      FTL compilation, but that would have required a bunch of conditionalizing in
      the DFG's optimization phases, which sort of expect this node to be present
      and necessary.
      
      * ftl/FTLCapabilities.cpp:
      (JSC::FTL::canCompile):
      * ftl/FTLLowerDFGToLLVM.cpp:
      (JSC::FTL::LowerDFGToLLVM::compileNode):
      (JSC::FTL::LowerDFGToLLVM::compileInt32ToDouble):
      (LowerDFGToLLVM):
      
      git-svn-id: http://svn.webkit.org/repository/webkit/trunk@153152 268f45cc-cd09-0410-ab3c-d52691b4dbfc
      afce403e
    • oliver@apple.com's avatar
      fourthTier: FTL should support LogicalNot · 4965ebc2
      oliver@apple.com authored
      https://bugs.webkit.org/show_bug.cgi?id=115924
      
      Reviewed by Mark Hahnenberg.
      
      * ftl/FTLAbbreviations.h:
      (JSC::FTL::buildNot):
      * ftl/FTLCapabilities.cpp:
      (JSC::FTL::canCompile):
      * ftl/FTLLowerDFGToLLVM.cpp:
      (JSC::FTL::LowerDFGToLLVM::compileNode):
      (JSC::FTL::LowerDFGToLLVM::compileLogicalNot):
      (LowerDFGToLLVM):
      * ftl/FTLOutput.h:
      (JSC::FTL::Output::bitNot):
      
      git-svn-id: http://svn.webkit.org/repository/webkit/trunk@153151 268f45cc-cd09-0410-ab3c-d52691b4dbfc
      4965ebc2
    • oliver@apple.com's avatar
      fourthTier: FTL should support CompareGreater, CompareLessEq, and CompareGreaterEq · 1f9b9b7d
      oliver@apple.com authored
      https://bugs.webkit.org/show_bug.cgi?id=115923
      
      Reviewed by Mark Hahnenberg.
      
      Also fixed a bug where double CompareLess would assert.
      
      * ftl/FTLCapabilities.cpp:
      (JSC::FTL::canCompile):
      * ftl/FTLLowerDFGToLLVM.cpp:
      (JSC::FTL::LowerDFGToLLVM::compileNode):
      (JSC::FTL::LowerDFGToLLVM::compileCompareLess):
      (LowerDFGToLLVM):
      (JSC::FTL::LowerDFGToLLVM::compileCompareLessEq):
      (JSC::FTL::LowerDFGToLLVM::compileCompareGreater):
      (JSC::FTL::LowerDFGToLLVM::compileCompareGreaterEq):
      
      git-svn-id: http://svn.webkit.org/repository/webkit/trunk@153150 268f45cc-cd09-0410-ab3c-d52691b4dbfc
      1f9b9b7d
    • oliver@apple.com's avatar
      fourthTier: CodeBlock should be RefCounted · 410b541c
      oliver@apple.com authored
      https://bugs.webkit.org/show_bug.cgi?id=115594
      
      Reviewed by Geoffrey Garen.
      
      This makes it possible to have the currently-being-compiled CodeBlock not be
      installed in Executable, while also allowing it to point to its intended
      alternative(). So long as we were using ownership and not reference counting, it
      would have been difficult to have both CodeBlock::m_alternative and
      Executable::m_codeBlockForBlah point to the previous CodeBlock.
      
      I also took the opportunity to clean up a bunch of code that appears to have
      rotted.
      
      * assembler/MacroAssemblerCodeRef.h:
      (MacroAssemblerCodePtr):
      (JSC::MacroAssemblerCodePtr::operator==):
      * bytecode/CodeBlock.cpp:
      (JSC::CodeBlock::CodeBlock):
      * bytecode/CodeBlock.h:
      (JSC::CodeBlock::releaseAlternative):
      (JSC::CodeBlock::setAlternative):
      (CodeBlock):
      (JSC::GlobalCodeBlock::GlobalCodeBlock):
      (JSC::ProgramCodeBlock::ProgramCodeBlock):
      (JSC::EvalCodeBlock::EvalCodeBlock):
      (JSC::FunctionCodeBlock::FunctionCodeBlock):
      * heap/DFGCodeBlocks.cpp:
      (JSC::DFGCodeBlocks::~DFGCodeBlocks):
      (JSC::DFGCodeBlocks::jettison):
      (JSC::DFGCodeBlocks::deleteUnmarkedJettisonedCodeBlocks):
      * heap/DFGCodeBlocks.h:
      (DFGCodeBlocks):
      * heap/Heap.cpp:
      (JSC::Heap::jettisonDFGCodeBlock):
      * heap/Heap.h:
      * jit/JITDriver.h:
      (JSC::jitCompileIfAppropriate):
      (JSC::jitCompileFunctionIfAppropriate):
      * runtime/Executable.cpp:
      (JSC::jettisonCodeBlock):
      (JSC::EvalExecutable::jitCompile):
      (JSC::EvalExecutable::compileInternal):
      (JSC::ProgramExecutable::jitCompile):
      (JSC::ProgramExecutable::compileInternal):
      (JSC::FunctionExecutable::jitCompileForCall):
      (JSC::FunctionExecutable::jitCompileForConstruct):
      (JSC::FunctionExecutable::produceCodeBlockFor):
      (JSC::FunctionExecutable::compileForCallInternal):
      (JSC::FunctionExecutable::compileForConstructInternal):
      * runtime/Executable.h:
      (EvalExecutable):
      (FunctionExecutable):
      (JSC::FunctionExecutable::codeBlockFor):
      * runtime/ExecutionHarness.h:
      (JSC::prepareForExecution):
      (JSC::prepareFunctionForExecution):
      
      git-svn-id: http://svn.webkit.org/repository/webkit/trunk@153147 268f45cc-cd09-0410-ab3c-d52691b4dbfc
      410b541c
    • oliver@apple.com's avatar
      fourthTier: FTL should support double variables · 32295c1a
      oliver@apple.com authored
      https://bugs.webkit.org/show_bug.cgi?id=113624
      
      Reviewed by Geoffrey Garen.
      
      Made all of the operations that the FTL already supports, also support doubles.
      OSR exit already basically had everything it needed, so no changes there. This
      mostly just glues together bits of DFG IR to LLVM IR, in a straight-forward way.
      
      * ftl/FTLAbbreviations.h:
      (FTL):
      (JSC::FTL::doubleType):
      (JSC::FTL::constReal):
      (JSC::FTL::buildPhi):
      (JSC::FTL::addIncoming):
      (JSC::FTL::buildFAdd):
      (JSC::FTL::buildFSub):
      (JSC::FTL::buildFMul):
      (JSC::FTL::buildFNeg):
      (JSC::FTL::buildSIToFP):
      (JSC::FTL::buildUIToFP):
      (JSC::FTL::buildBitCast):
      (JSC::FTL::buildFCmp):
      * ftl/FTLCapabilities.cpp:
      (JSC::FTL::canCompile):
      * ftl/FTLCommonValues.cpp:
      (JSC::FTL::CommonValues::CommonValues):
      * ftl/FTLCommonValues.h:
      (CommonValues):
      * ftl/FTLLowerDFGToLLVM.cpp:
      (JSC::FTL::LowerDFGToLLVM::LowerDFGToLLVM):
      (JSC::FTL::LowerDFGToLLVM::lower):
      (JSC::FTL::LowerDFGToLLVM::compileGetLocal):
      (JSC::FTL::LowerDFGToLLVM::compileSetLocal):
      (JSC::FTL::LowerDFGToLLVM::compileAdd):
      (JSC::FTL::LowerDFGToLLVM::compileArithSub):
      (JSC::FTL::LowerDFGToLLVM::compileArithMul):
      (JSC::FTL::LowerDFGToLLVM::compileArithNegate):
      (JSC::FTL::LowerDFGToLLVM::compileUInt32ToNumber):
      (JSC::FTL::LowerDFGToLLVM::compileGetByVal):
      (JSC::FTL::LowerDFGToLLVM::compileCompareEq):
      (JSC::FTL::LowerDFGToLLVM::compileCompareLess):
      (JSC::FTL::LowerDFGToLLVM::lowDouble):
      (LowerDFGToLLVM):
      (JSC::FTL::LowerDFGToLLVM::lowJSValue):
      (JSC::FTL::LowerDFGToLLVM::isCellOrMisc):
      (JSC::FTL::LowerDFGToLLVM::unboxDouble):
      (JSC::FTL::LowerDFGToLLVM::boxDouble):
      (JSC::FTL::LowerDFGToLLVM::speculate):
      (JSC::FTL::LowerDFGToLLVM::speculateNumber):
      (JSC::FTL::LowerDFGToLLVM::speculateRealNumber):
      (JSC::FTL::LowerDFGToLLVM::appendOSRExit):
      (JSC::FTL::LowerDFGToLLVM::addExitArgumentForNode):
      * ftl/FTLOutput.h:
      (JSC::FTL::Output::constDouble):
      (Output):
      (JSC::FTL::Output::phi):
      (JSC::FTL::Output::doubleAdd):
      (JSC::FTL::Output::doubleSub):
      (JSC::FTL::Output::doubleMul):
      (JSC::FTL::Output::doubleNeg):
      (JSC::FTL::Output::intToFP):
      (JSC::FTL::Output::intToDouble):
      (JSC::FTL::Output::unsignedToFP):
      (JSC::FTL::Output::unsignedToDouble):
      (JSC::FTL::Output::bitCast):
      (JSC::FTL::Output::loadDouble):
      (JSC::FTL::Output::storeDouble):
      (JSC::FTL::Output::doubleEqual):
      (JSC::FTL::Output::doubleNotEqualOrUnordered):
      (JSC::FTL::Output::doubleLessThan):
      (JSC::FTL::Output::doubleLessThanOrEqual):
      (JSC::FTL::Output::doubleGreaterThan):
      (JSC::FTL::Output::doubleGreaterThanOrEqual):
      (JSC::FTL::Output::doubleEqualOrUnordered):
      (JSC::FTL::Output::doubleNotEqual):
      (JSC::FTL::Output::doubleLessThanOrUnordered):
      (JSC::FTL::Output::doubleLessThanOrEqualOrUnordered):
      (JSC::FTL::Output::doubleGreaterThanOrUnordered):
      (JSC::FTL::Output::doubleGreaterThanOrEqualOrUnordered):
      (JSC::FTL::Output::testIsZero64):
      
      git-svn-id: http://svn.webkit.org/repository/webkit/trunk@153133 268f45cc-cd09-0410-ab3c-d52691b4dbfc
      32295c1a
    • oliver@apple.com's avatar
      fourthTier: Landing the initial FTL logic in a single commit to avoid spurious · ea77149c
      oliver@apple.com authored
      broken builds.
      
      git-svn-id: http://svn.webkit.org/repository/webkit/trunk@153121 268f45cc-cd09-0410-ab3c-d52691b4dbfc
      ea77149c