1. 04 Dec, 2013 1 commit
  2. 18 Sep, 2013 3 commits
    • fpizlo@apple.com's avatar
      DFG should support Int52 for local variables · 6921b29b
      fpizlo@apple.com authored
      https://bugs.webkit.org/show_bug.cgi?id=121064
      
      Source/JavaScriptCore: 
      
      Reviewed by Oliver Hunt.
              
      This adds Int52 support for local variables to the DFG and FTL. It's a speed-up on
      programs that have local int32 overflows but where a larger int representation can
      prevent us from having to convert all the way up to double.
              
      It's a small speed-up for now. But we're just supporting Int52 for a handful of
      operations (add, sub, mul, neg, compare, bitops, typed array access) and this lays
      the groundwork for adding Int52 to JSValue, which will probably be a bigger
      speed-up.
              
      The basic approach is:
              
      - We have a notion of Int52 in our typesystem. Int52 doesn't belong to BytecodeTop
        or HeapTop - i.e. it doesn't arise from JSValues.
              
      - DFG treats Int52 as being part of its FullTop and will treat it as being a
        subtype of double unless instructed otherwise.
              
      - Prediction propagator creates Int52s whenever we have a node going doubly but due
        to large values rather than fractional values, and that node is known to be able
        to produce Int52 natively in the DFG backend.
              
      - Fixup phase converts edges to MachineIntUses in nodes that are known to be able
        to deal with Int52, and where we have a subtype of Int32|Int52 as the predicted
        input.
              
      - The DFG backend and FTL LLVM IR lowering have two notions of Int52s - ones that
        are left-shifted by 16 (great for overflow checks) and ones that are
        sign-extended. Both backends know how to convert between Int52s and the other
        representations.
      
      * assembler/MacroAssemblerX86_64.h:
      (JSC::MacroAssemblerX86_64::rshift64):
      (JSC::MacroAssemblerX86_64::mul64):
      (JSC::MacroAssemblerX86_64::branchMul64):
      (JSC::MacroAssemblerX86_64::branchNeg64):
      (JSC::MacroAssemblerX86_64::convertInt64ToDouble):
      * assembler/X86Assembler.h:
      (JSC::X86Assembler::imulq_rr):
      (JSC::X86Assembler::cvtsi2sdq_rr):
      * bytecode/DataFormat.h:
      (JSC::dataFormatToString):
      * bytecode/ExitKind.cpp:
      (JSC::exitKindToString):
      * bytecode/ExitKind.h:
      * bytecode/OperandsInlines.h:
      (JSC::::dumpInContext):
      * bytecode/SpeculatedType.cpp:
      (JSC::dumpSpeculation):
      (JSC::speculationToAbbreviatedString):
      (JSC::speculationFromValue):
      * bytecode/SpeculatedType.h:
      (JSC::isInt32SpeculationForArithmetic):
      (JSC::isInt52Speculation):
      (JSC::isMachineIntSpeculationForArithmetic):
      (JSC::isInt52AsDoubleSpeculation):
      (JSC::isBytecodeRealNumberSpeculation):
      (JSC::isFullRealNumberSpeculation):
      (JSC::isBytecodeNumberSpeculation):
      (JSC::isFullNumberSpeculation):
      (JSC::isBytecodeNumberSpeculationExpectingDefined):
      (JSC::isFullNumberSpeculationExpectingDefined):
      * bytecode/ValueRecovery.h:
      (JSC::ValueRecovery::alreadyInJSStackAsUnboxedInt52):
      (JSC::ValueRecovery::inGPR):
      (JSC::ValueRecovery::displacedInJSStack):
      (JSC::ValueRecovery::isAlreadyInJSStack):
      (JSC::ValueRecovery::gpr):
      (JSC::ValueRecovery::virtualRegister):
      (JSC::ValueRecovery::dumpInContext):
      * dfg/DFGAbstractInterpreter.h:
      (JSC::DFG::AbstractInterpreter::needsTypeCheck):
      (JSC::DFG::AbstractInterpreter::filterByType):
      * dfg/DFGAbstractInterpreterInlines.h:
      (JSC::DFG::::executeEffects):
      * dfg/DFGAbstractValue.cpp:
      (JSC::DFG::AbstractValue::set):
      (JSC::DFG::AbstractValue::checkConsistency):
      * dfg/DFGAbstractValue.h:
      (JSC::DFG::AbstractValue::couldBeType):
      (JSC::DFG::AbstractValue::isType):
      (JSC::DFG::AbstractValue::checkConsistency):
      (JSC::DFG::AbstractValue::validateType):
      * dfg/DFGArrayMode.cpp:
      (JSC::DFG::ArrayMode::refine):
      * dfg/DFGAssemblyHelpers.h:
      (JSC::DFG::AssemblyHelpers::boxInt52):
      * dfg/DFGByteCodeParser.cpp:
      (JSC::DFG::ByteCodeParser::makeSafe):
      * dfg/DFGCSEPhase.cpp:
      (JSC::DFG::CSEPhase::pureCSE):
      (JSC::DFG::CSEPhase::getByValLoadElimination):
      (JSC::DFG::CSEPhase::performNodeCSE):
      * dfg/DFGClobberize.h:
      (JSC::DFG::clobberize):
      * dfg/DFGCommon.h:
      (JSC::DFG::enableInt52):
      * dfg/DFGDCEPhase.cpp:
      (JSC::DFG::DCEPhase::fixupBlock):
      * dfg/DFGFixupPhase.cpp:
      (JSC::DFG::FixupPhase::run):
      (JSC::DFG::FixupPhase::fixupNode):
      (JSC::DFG::FixupPhase::fixupSetLocalsInBlock):
      (JSC::DFG::FixupPhase::fixupUntypedSetLocalsInBlock):
      (JSC::DFG::FixupPhase::observeUseKindOnNode):
      (JSC::DFG::FixupPhase::fixEdge):
      (JSC::DFG::FixupPhase::injectInt32ToDoubleNode):
      (JSC::DFG::FixupPhase::attemptToMakeIntegerAdd):
      * dfg/DFGFlushFormat.cpp:
      (WTF::printInternal):
      * dfg/DFGFlushFormat.h:
      (JSC::DFG::resultFor):
      (JSC::DFG::useKindFor):
      * dfg/DFGGenerationInfo.h:
      (JSC::DFG::GenerationInfo::initInt52):
      (JSC::DFG::GenerationInfo::initStrictInt52):
      (JSC::DFG::GenerationInfo::isFormat):
      (JSC::DFG::GenerationInfo::isInt52):
      (JSC::DFG::GenerationInfo::isStrictInt52):
      (JSC::DFG::GenerationInfo::fillInt52):
      (JSC::DFG::GenerationInfo::fillStrictInt52):
      * dfg/DFGGraph.cpp:
      (JSC::DFG::Graph::dump):
      * dfg/DFGGraph.h:
      (JSC::DFG::Graph::addShouldSpeculateMachineInt):
      (JSC::DFG::Graph::mulShouldSpeculateMachineInt):
      (JSC::DFG::Graph::negateShouldSpeculateMachineInt):
      * dfg/DFGInPlaceAbstractState.cpp:
      (JSC::DFG::InPlaceAbstractState::mergeStateAtTail):
      * dfg/DFGJITCode.cpp:
      (JSC::DFG::JITCode::reconstruct):
      * dfg/DFGJITCompiler.h:
      (JSC::DFG::JITCompiler::noticeOSREntry):
      * dfg/DFGMinifiedNode.h:
      (JSC::DFG::belongsInMinifiedGraph):
      (JSC::DFG::MinifiedNode::hasChild):
      * dfg/DFGNode.h:
      (JSC::DFG::Node::shouldSpeculateNumber):
      (JSC::DFG::Node::shouldSpeculateNumberExpectingDefined):
      (JSC::DFG::Node::canSpeculateInt52):
      * dfg/DFGNodeFlags.h:
      (JSC::DFG::nodeCanSpeculateInt52):
      * dfg/DFGNodeType.h:
      (JSC::DFG::permitsOSRBackwardRewiring):
      (JSC::DFG::forwardRewiringSelectionScore):
      * dfg/DFGOSREntry.cpp:
      (JSC::DFG::prepareOSREntry):
      * dfg/DFGOSREntry.h:
      * dfg/DFGOSRExitCompiler.cpp:
      * dfg/DFGOSRExitCompiler64.cpp:
      (JSC::DFG::OSRExitCompiler::compileExit):
      * dfg/DFGPredictionPropagationPhase.cpp:
      (JSC::DFG::PredictionPropagationPhase::speculatedDoubleTypeForPrediction):
      (JSC::DFG::PredictionPropagationPhase::propagate):
      (JSC::DFG::PredictionPropagationPhase::doDoubleVoting):
      * dfg/DFGSafeToExecute.h:
      (JSC::DFG::SafeToExecuteEdge::operator()):
      (JSC::DFG::safeToExecute):
      * dfg/DFGSilentRegisterSavePlan.h:
      * dfg/DFGSpeculativeJIT.cpp:
      (JSC::DFG::SpeculativeJIT::silentSavePlanForGPR):
      (JSC::DFG::SpeculativeJIT::silentFill):
      (JSC::DFG::SpeculativeJIT::compilePeepHoleBranch):
      (JSC::DFG::SpeculativeJIT::compileInlineStart):
      (JSC::DFG::SpeculativeJIT::compileDoublePutByVal):
      (JSC::DFG::SpeculativeJIT::compileValueToInt32):
      (JSC::DFG::SpeculativeJIT::compileInt32ToDouble):
      (JSC::DFG::SpeculativeJIT::compileGetByValOnIntTypedArray):
      (JSC::DFG::SpeculativeJIT::compilePutByValForIntTypedArray):
      (JSC::DFG::SpeculativeJIT::compileAdd):
      (JSC::DFG::SpeculativeJIT::compileArithSub):
      (JSC::DFG::SpeculativeJIT::compileArithNegate):
      (JSC::DFG::SpeculativeJIT::compileArithMul):
      (JSC::DFG::SpeculativeJIT::compare):
      (JSC::DFG::SpeculativeJIT::compileStrictEq):
      (JSC::DFG::SpeculativeJIT::speculateMachineInt):
      (JSC::DFG::SpeculativeJIT::speculateNumber):
      (JSC::DFG::SpeculativeJIT::speculateRealNumber):
      (JSC::DFG::SpeculativeJIT::speculate):
      * dfg/DFGSpeculativeJIT.h:
      (JSC::DFG::SpeculativeJIT::canReuse):
      (JSC::DFG::SpeculativeJIT::isFilled):
      (JSC::DFG::SpeculativeJIT::isFilledDouble):
      (JSC::DFG::SpeculativeJIT::use):
      (JSC::DFG::SpeculativeJIT::isKnownInteger):
      (JSC::DFG::SpeculativeJIT::isKnownCell):
      (JSC::DFG::SpeculativeJIT::isKnownNotNumber):
      (JSC::DFG::SpeculativeJIT::int52Result):
      (JSC::DFG::SpeculativeJIT::strictInt52Result):
      (JSC::DFG::SpeculativeJIT::initConstantInfo):
      (JSC::DFG::SpeculativeJIT::isInteger):
      (JSC::DFG::SpeculativeJIT::betterUseStrictInt52):
      (JSC::DFG::SpeculativeJIT::generationInfo):
      (JSC::DFG::SpeculateInt52Operand::SpeculateInt52Operand):
      (JSC::DFG::SpeculateInt52Operand::~SpeculateInt52Operand):
      (JSC::DFG::SpeculateInt52Operand::edge):
      (JSC::DFG::SpeculateInt52Operand::node):
      (JSC::DFG::SpeculateInt52Operand::gpr):
      (JSC::DFG::SpeculateInt52Operand::use):
      (JSC::DFG::SpeculateStrictInt52Operand::SpeculateStrictInt52Operand):
      (JSC::DFG::SpeculateStrictInt52Operand::~SpeculateStrictInt52Operand):
      (JSC::DFG::SpeculateStrictInt52Operand::edge):
      (JSC::DFG::SpeculateStrictInt52Operand::node):
      (JSC::DFG::SpeculateStrictInt52Operand::gpr):
      (JSC::DFG::SpeculateStrictInt52Operand::use):
      (JSC::DFG::SpeculateWhicheverInt52Operand::SpeculateWhicheverInt52Operand):
      (JSC::DFG::SpeculateWhicheverInt52Operand::~SpeculateWhicheverInt52Operand):
      (JSC::DFG::SpeculateWhicheverInt52Operand::edge):
      (JSC::DFG::SpeculateWhicheverInt52Operand::node):
      (JSC::DFG::SpeculateWhicheverInt52Operand::gpr):
      (JSC::DFG::SpeculateWhicheverInt52Operand::use):
      (JSC::DFG::SpeculateWhicheverInt52Operand::format):
      * dfg/DFGSpeculativeJIT32_64.cpp:
      (JSC::DFG::SpeculativeJIT::fillSpeculateDouble):
      (JSC::DFG::SpeculativeJIT::compile):
      * dfg/DFGSpeculativeJIT64.cpp:
      (JSC::DFG::SpeculativeJIT::boxInt52):
      (JSC::DFG::SpeculativeJIT::fillJSValue):
      (JSC::DFG::SpeculativeJIT::fillSpeculateInt32Internal):
      (JSC::DFG::SpeculativeJIT::fillSpeculateInt52):
      (JSC::DFG::SpeculativeJIT::fillSpeculateDouble):
      (JSC::DFG::SpeculativeJIT::fillSpeculateCell):
      (JSC::DFG::SpeculativeJIT::fillSpeculateBoolean):
      (JSC::DFG::SpeculativeJIT::compileInt52Compare):
      (JSC::DFG::SpeculativeJIT::compilePeepHoleInt52Branch):
      (JSC::DFG::SpeculativeJIT::compile):
      * dfg/DFGUseKind.cpp:
      (WTF::printInternal):
      * dfg/DFGUseKind.h:
      (JSC::DFG::typeFilterFor):
      (JSC::DFG::isNumerical):
      * dfg/DFGValueSource.cpp:
      (JSC::DFG::ValueSource::dump):
      * dfg/DFGValueSource.h:
      (JSC::DFG::dataFormatToValueSourceKind):
      (JSC::DFG::valueSourceKindToDataFormat):
      (JSC::DFG::ValueSource::forFlushFormat):
      (JSC::DFG::ValueSource::valueRecovery):
      * dfg/DFGVariableAccessData.h:
      (JSC::DFG::VariableAccessData::shouldUseDoubleFormatAccordingToVote):
      (JSC::DFG::VariableAccessData::flushFormat):
      * ftl/FTLCArgumentGetter.cpp:
      (JSC::FTL::CArgumentGetter::loadNextAndBox):
      * ftl/FTLCArgumentGetter.h:
      * ftl/FTLCapabilities.cpp:
      (JSC::FTL::canCompile):
      * ftl/FTLExitValue.cpp:
      (JSC::FTL::ExitValue::dumpInContext):
      * ftl/FTLExitValue.h:
      (JSC::FTL::ExitValue::inJSStackAsInt52):
      * ftl/FTLIntrinsicRepository.h:
      * ftl/FTLLowerDFGToLLVM.cpp:
      (JSC::FTL::LowerDFGToLLVM::createPhiVariables):
      (JSC::FTL::LowerDFGToLLVM::compileNode):
      (JSC::FTL::LowerDFGToLLVM::compileUpsilon):
      (JSC::FTL::LowerDFGToLLVM::compilePhi):
      (JSC::FTL::LowerDFGToLLVM::compileSetLocal):
      (JSC::FTL::LowerDFGToLLVM::compileAdd):
      (JSC::FTL::LowerDFGToLLVM::compileArithSub):
      (JSC::FTL::LowerDFGToLLVM::compileArithMul):
      (JSC::FTL::LowerDFGToLLVM::compileArithNegate):
      (JSC::FTL::LowerDFGToLLVM::compilePutByVal):
      (JSC::FTL::LowerDFGToLLVM::compileCompareEq):
      (JSC::FTL::LowerDFGToLLVM::compileCompareStrictEq):
      (JSC::FTL::LowerDFGToLLVM::compileCompareLess):
      (JSC::FTL::LowerDFGToLLVM::compileCompareLessEq):
      (JSC::FTL::LowerDFGToLLVM::compileCompareGreater):
      (JSC::FTL::LowerDFGToLLVM::compileCompareGreaterEq):
      (JSC::FTL::LowerDFGToLLVM::lowInt32):
      (JSC::FTL::LowerDFGToLLVM::lowInt52):
      (JSC::FTL::LowerDFGToLLVM::lowStrictInt52):
      (JSC::FTL::LowerDFGToLLVM::betterUseStrictInt52):
      (JSC::FTL::LowerDFGToLLVM::bestInt52Kind):
      (JSC::FTL::LowerDFGToLLVM::opposite):
      (JSC::FTL::LowerDFGToLLVM::lowWhicheverInt52):
      (JSC::FTL::LowerDFGToLLVM::lowCell):
      (JSC::FTL::LowerDFGToLLVM::lowBoolean):
      (JSC::FTL::LowerDFGToLLVM::lowDouble):
      (JSC::FTL::LowerDFGToLLVM::lowJSValue):
      (JSC::FTL::LowerDFGToLLVM::strictInt52ToInt32):
      (JSC::FTL::LowerDFGToLLVM::strictInt52ToDouble):
      (JSC::FTL::LowerDFGToLLVM::strictInt52ToJSValue):
      (JSC::FTL::LowerDFGToLLVM::setInt52WithStrictValue):
      (JSC::FTL::LowerDFGToLLVM::strictInt52ToInt52):
      (JSC::FTL::LowerDFGToLLVM::int52ToStrictInt52):
      (JSC::FTL::LowerDFGToLLVM::speculateRealNumber):
      (JSC::FTL::LowerDFGToLLVM::initializeOSRExitStateForBlock):
      (JSC::FTL::LowerDFGToLLVM::emitOSRExitCall):
      (JSC::FTL::LowerDFGToLLVM::addExitArgumentForNode):
      (JSC::FTL::LowerDFGToLLVM::setInt52):
      (JSC::FTL::LowerDFGToLLVM::setStrictInt52):
      * ftl/FTLOSRExitCompiler.cpp:
      (JSC::FTL::compileStub):
      * ftl/FTLOutput.h:
      (JSC::FTL::Output::addWithOverflow64):
      (JSC::FTL::Output::subWithOverflow64):
      (JSC::FTL::Output::mulWithOverflow64):
      * ftl/FTLValueFormat.cpp:
      (WTF::printInternal):
      * ftl/FTLValueFormat.h:
      * ftl/FTLValueSource.cpp:
      (JSC::FTL::ValueSource::dump):
      * ftl/FTLValueSource.h:
      * interpreter/Register.h:
      (JSC::Register::unboxedInt52):
      * runtime/Arguments.cpp:
      (JSC::Arguments::tearOffForInlineCallFrame):
      * runtime/IndexingType.cpp:
      (JSC::leastUpperBoundOfIndexingTypeAndType):
      * runtime/JSCJSValue.h:
      * runtime/JSCJSValueInlines.h:
      (JSC::JSValue::isMachineInt):
      (JSC::JSValue::asMachineInt):
      
      Source/WTF: 
      
      Reviewed by Oliver Hunt.
      
      * wtf/PrintStream.h:
      (WTF::ValueIgnoringContext::ValueIgnoringContext):
      (WTF::ValueIgnoringContext::dump):
      (WTF::ignoringContext):
      
      Tools: 
      
      Reviewed by Oliver Hunt.
      
      * Scripts/run-jsc-stress-tests:
      
      LayoutTests: 
      
      Reviewed by Oliver Hunt.
      
      * js/dfg-int-overflow-large-constants-in-a-line-expected.txt:
      * js/regress/large-int-captured-expected.txt: Added.
      * js/regress/large-int-captured.html: Added.
      * js/regress/large-int-expected.txt: Added.
      * js/regress/large-int-neg-expected.txt: Added.
      * js/regress/large-int-neg.html: Added.
      * js/regress/large-int.html: Added.
      * js/regress/marsaglia-larger-ints-expected.txt: Added.
      * js/regress/marsaglia-larger-ints.html: Added.
      * js/regress/script-tests/large-int-captured.js: Added.
      (.bar):
      (foo):
      * js/regress/script-tests/large-int-neg.js: Added.
      (foo):
      * js/regress/script-tests/large-int.js: Added.
      (foo):
      * js/regress/script-tests/marsaglia-larger-ints.js: Added.
      (uint):
      (marsaglia):
      * js/script-tests/dfg-int-overflow-large-constants-in-a-line.js:
      
      
      
      git-svn-id: http://svn.webkit.org/repository/webkit/trunk@156047 268f45cc-cd09-0410-ab3c-d52691b4dbfc
      6921b29b
    • commit-queue@webkit.org's avatar
      Unreviewed, rolling out r156019 and r156020. · 92c67000
      commit-queue@webkit.org authored
      http://trac.webkit.org/changeset/156019
      http://trac.webkit.org/changeset/156020
      https://bugs.webkit.org/show_bug.cgi?id=121540
      
      Broke tests (Requested by ap on #webkit).
      
      Source/JavaScriptCore:
      
      * assembler/MacroAssemblerX86_64.h:
      * assembler/X86Assembler.h:
      * bytecode/DataFormat.h:
      (JSC::dataFormatToString):
      * bytecode/ExitKind.cpp:
      (JSC::exitKindToString):
      * bytecode/ExitKind.h:
      * bytecode/OperandsInlines.h:
      (JSC::::dumpInContext):
      * bytecode/SpeculatedType.cpp:
      (JSC::dumpSpeculation):
      (JSC::speculationToAbbreviatedString):
      (JSC::speculationFromValue):
      * bytecode/SpeculatedType.h:
      (JSC::isInt32SpeculationForArithmetic):
      (JSC::isInt48Speculation):
      (JSC::isMachineIntSpeculationForArithmetic):
      (JSC::isInt48AsDoubleSpeculation):
      (JSC::isRealNumberSpeculation):
      (JSC::isNumberSpeculation):
      (JSC::isNumberSpeculationExpectingDefined):
      * bytecode/ValueRecovery.h:
      (JSC::ValueRecovery::inGPR):
      (JSC::ValueRecovery::displacedInJSStack):
      (JSC::ValueRecovery::isAlreadyInJSStack):
      (JSC::ValueRecovery::gpr):
      (JSC::ValueRecovery::virtualRegister):
      (JSC::ValueRecovery::dumpInContext):
      * dfg/DFGAbstractInterpreter.h:
      (JSC::DFG::AbstractInterpreter::needsTypeCheck):
      (JSC::DFG::AbstractInterpreter::filterByType):
      * dfg/DFGAbstractInterpreterInlines.h:
      (JSC::DFG::::executeEffects):
      * dfg/DFGAbstractValue.cpp:
      (JSC::DFG::AbstractValue::set):
      (JSC::DFG::AbstractValue::checkConsistency):
      * dfg/DFGAbstractValue.h:
      (JSC::DFG::AbstractValue::validateType):
      * dfg/DFGArrayMode.cpp:
      (JSC::DFG::ArrayMode::refine):
      * dfg/DFGAssemblyHelpers.h:
      (JSC::DFG::AssemblyHelpers::unboxDouble):
      * dfg/DFGByteCodeParser.cpp:
      (JSC::DFG::ByteCodeParser::makeSafe):
      * dfg/DFGCSEPhase.cpp:
      (JSC::DFG::CSEPhase::canonicalize):
      (JSC::DFG::CSEPhase::pureCSE):
      (JSC::DFG::CSEPhase::getByValLoadElimination):
      (JSC::DFG::CSEPhase::performNodeCSE):
      * dfg/DFGClobberize.h:
      (JSC::DFG::clobberize):
      * dfg/DFGCommon.h:
      * dfg/DFGFixupPhase.cpp:
      (JSC::DFG::FixupPhase::run):
      (JSC::DFG::FixupPhase::fixupNode):
      (JSC::DFG::FixupPhase::fixupSetLocalsInBlock):
      (JSC::DFG::FixupPhase::observeUseKindOnNode):
      (JSC::DFG::FixupPhase::fixEdge):
      (JSC::DFG::FixupPhase::injectInt32ToDoubleNode):
      (JSC::DFG::FixupPhase::attemptToMakeIntegerAdd):
      * dfg/DFGFlushFormat.cpp:
      (WTF::printInternal):
      * dfg/DFGFlushFormat.h:
      (JSC::DFG::resultFor):
      (JSC::DFG::useKindFor):
      * dfg/DFGGenerationInfo.h:
      (JSC::DFG::GenerationInfo::initInt32):
      (JSC::DFG::GenerationInfo::fillInt32):
      * dfg/DFGGraph.cpp:
      (JSC::DFG::Graph::dump):
      * dfg/DFGGraph.h:
      (JSC::DFG::Graph::addShouldSpeculateMachineInt):
      (JSC::DFG::Graph::mulShouldSpeculateMachineInt):
      (JSC::DFG::Graph::negateShouldSpeculateMachineInt):
      * dfg/DFGInPlaceAbstractState.cpp:
      (JSC::DFG::InPlaceAbstractState::mergeStateAtTail):
      * dfg/DFGJITCode.cpp:
      (JSC::DFG::JITCode::reconstruct):
      * dfg/DFGMinifiedNode.h:
      (JSC::DFG::belongsInMinifiedGraph):
      (JSC::DFG::MinifiedNode::hasChild):
      * dfg/DFGNode.h:
      (JSC::DFG::Node::shouldSpeculateNumber):
      (JSC::DFG::Node::shouldSpeculateNumberExpectingDefined):
      (JSC::DFG::Node::canSpeculateInt48):
      * dfg/DFGNodeFlags.h:
      (JSC::DFG::nodeCanSpeculateInt48):
      * dfg/DFGNodeType.h:
      (JSC::DFG::forwardRewiringSelectionScore):
      * dfg/DFGOSRExitCompiler.cpp:
      (JSC::DFG::shortOperandsDump):
      * dfg/DFGOSRExitCompiler64.cpp:
      (JSC::DFG::OSRExitCompiler::compileExit):
      * dfg/DFGPredictionPropagationPhase.cpp:
      (JSC::DFG::PredictionPropagationPhase::speculatedDoubleTypeForPrediction):
      (JSC::DFG::PredictionPropagationPhase::propagate):
      (JSC::DFG::PredictionPropagationPhase::doDoubleVoting):
      * dfg/DFGSafeToExecute.h:
      (JSC::DFG::SafeToExecuteEdge::operator()):
      (JSC::DFG::safeToExecute):
      * dfg/DFGSilentRegisterSavePlan.h:
      * dfg/DFGSpeculativeJIT.cpp:
      (JSC::DFG::SpeculativeJIT::silentSavePlanForGPR):
      (JSC::DFG::SpeculativeJIT::silentFill):
      (JSC::DFG::SpeculativeJIT::compilePeepHoleBranch):
      (JSC::DFG::SpeculativeJIT::compileInlineStart):
      (JSC::DFG::SpeculativeJIT::compileDoublePutByVal):
      (JSC::DFG::SpeculativeJIT::compileValueToInt32):
      (JSC::DFG::SpeculativeJIT::compileInt32ToDouble):
      (JSC::DFG::SpeculativeJIT::compileGetByValOnIntTypedArray):
      (JSC::DFG::SpeculativeJIT::compilePutByValForIntTypedArray):
      (JSC::DFG::SpeculativeJIT::compileAdd):
      (JSC::DFG::SpeculativeJIT::compileArithSub):
      (JSC::DFG::SpeculativeJIT::compileArithNegate):
      (JSC::DFG::SpeculativeJIT::compileArithMul):
      (JSC::DFG::SpeculativeJIT::compare):
      (JSC::DFG::SpeculativeJIT::compileStrictEq):
      (JSC::DFG::SpeculativeJIT::speculateNumber):
      (JSC::DFG::SpeculativeJIT::speculateRealNumber):
      (JSC::DFG::SpeculativeJIT::speculate):
      * dfg/DFGSpeculativeJIT.h:
      (JSC::DFG::SpeculativeJIT::canReuse):
      (JSC::DFG::SpeculativeJIT::isFilled):
      (JSC::DFG::SpeculativeJIT::isFilledDouble):
      (JSC::DFG::SpeculativeJIT::use):
      (JSC::DFG::SpeculativeJIT::boxDouble):
      (JSC::DFG::SpeculativeJIT::isKnownInteger):
      (JSC::DFG::SpeculativeJIT::isKnownCell):
      (JSC::DFG::SpeculativeJIT::isKnownNotNumber):
      (JSC::DFG::SpeculativeJIT::int32Result):
      (JSC::DFG::SpeculativeJIT::initConstantInfo):
      (JSC::DFG::SpeculativeJIT::isInteger):
      (JSC::DFG::SpeculativeJIT::generationInfoFromVirtualRegister):
      * dfg/DFGSpeculativeJIT32_64.cpp:
      (JSC::DFG::SpeculativeJIT::fillSpeculateDouble):
      (JSC::DFG::SpeculativeJIT::compile):
      * dfg/DFGSpeculativeJIT64.cpp:
      (JSC::DFG::SpeculativeJIT::fillJSValue):
      (JSC::DFG::SpeculativeJIT::fillSpeculateInt32Internal):
      (JSC::DFG::SpeculativeJIT::fillSpeculateDouble):
      (JSC::DFG::SpeculativeJIT::fillSpeculateCell):
      (JSC::DFG::SpeculativeJIT::fillSpeculateBoolean):
      (JSC::DFG::SpeculativeJIT::compile):
      * dfg/DFGUseKind.cpp:
      (WTF::printInternal):
      * dfg/DFGUseKind.h:
      (JSC::DFG::typeFilterFor):
      (JSC::DFG::isNumerical):
      * dfg/DFGValueSource.cpp:
      (JSC::DFG::ValueSource::dump):
      * dfg/DFGValueSource.h:
      (JSC::DFG::dataFormatToValueSourceKind):
      (JSC::DFG::valueSourceKindToDataFormat):
      (JSC::DFG::ValueSource::forFlushFormat):
      (JSC::DFG::ValueSource::valueRecovery):
      * dfg/DFGVariableAccessData.h:
      (JSC::DFG::VariableAccessData::shouldUseDoubleFormatAccordingToVote):
      (JSC::DFG::VariableAccessData::flushFormat):
      * ftl/FTLCArgumentGetter.cpp:
      (JSC::FTL::CArgumentGetter::loadNextAndBox):
      * ftl/FTLCArgumentGetter.h:
      * ftl/FTLCapabilities.cpp:
      (JSC::FTL::canCompile):
      * ftl/FTLExitValue.cpp:
      (JSC::FTL::ExitValue::dumpInContext):
      * ftl/FTLExitValue.h:
      * ftl/FTLIntrinsicRepository.h:
      * ftl/FTLLowerDFGToLLVM.cpp:
      (JSC::FTL::LowerDFGToLLVM::createPhiVariables):
      (JSC::FTL::LowerDFGToLLVM::compileNode):
      (JSC::FTL::LowerDFGToLLVM::compileUpsilon):
      (JSC::FTL::LowerDFGToLLVM::compilePhi):
      (JSC::FTL::LowerDFGToLLVM::compileSetLocal):
      (JSC::FTL::LowerDFGToLLVM::compileAdd):
      (JSC::FTL::LowerDFGToLLVM::compileArithSub):
      (JSC::FTL::LowerDFGToLLVM::compileArithMul):
      (JSC::FTL::LowerDFGToLLVM::compileArithNegate):
      (JSC::FTL::LowerDFGToLLVM::compilePutByVal):
      (JSC::FTL::LowerDFGToLLVM::compileCompareEq):
      (JSC::FTL::LowerDFGToLLVM::compileCompareStrictEq):
      (JSC::FTL::LowerDFGToLLVM::compileCompareLess):
      (JSC::FTL::LowerDFGToLLVM::compileCompareLessEq):
      (JSC::FTL::LowerDFGToLLVM::compileCompareGreater):
      (JSC::FTL::LowerDFGToLLVM::compileCompareGreaterEq):
      (JSC::FTL::LowerDFGToLLVM::lowInt32):
      (JSC::FTL::LowerDFGToLLVM::lowCell):
      (JSC::FTL::LowerDFGToLLVM::lowBoolean):
      (JSC::FTL::LowerDFGToLLVM::lowDouble):
      (JSC::FTL::LowerDFGToLLVM::lowJSValue):
      (JSC::FTL::LowerDFGToLLVM::speculateRealNumber):
      (JSC::FTL::LowerDFGToLLVM::initializeOSRExitStateForBlock):
      (JSC::FTL::LowerDFGToLLVM::emitOSRExitCall):
      (JSC::FTL::LowerDFGToLLVM::addExitArgumentForNode):
      (JSC::FTL::LowerDFGToLLVM::setInt32):
      * ftl/FTLOSRExitCompiler.cpp:
      (JSC::FTL::compileStub):
      * ftl/FTLOutput.h:
      (JSC::FTL::Output::mulWithOverflow32):
      * ftl/FTLValueFormat.cpp:
      (WTF::printInternal):
      * ftl/FTLValueFormat.h:
      * ftl/FTLValueSource.cpp:
      (JSC::FTL::ValueSource::dump):
      * ftl/FTLValueSource.h:
      * interpreter/Register.h:
      * runtime/Arguments.cpp:
      (JSC::Arguments::tearOffForInlineCallFrame):
      * runtime/IndexingType.cpp:
      (JSC::leastUpperBoundOfIndexingTypeAndType):
      * runtime/JSCJSValue.h:
      * runtime/JSCJSValueInlines.h:
      
      Source/WTF:
      
      * wtf/PrintStream.h:
      
      Tools:
      
      * Scripts/run-jsc-stress-tests:
      
      LayoutTests:
      
      * js/regress/large-int-captured-expected.txt: Removed.
      * js/regress/large-int-captured.html: Removed.
      * js/regress/large-int-expected.txt: Removed.
      * js/regress/large-int-neg-expected.txt: Removed.
      * js/regress/large-int-neg.html: Removed.
      * js/regress/large-int.html: Removed.
      * js/regress/marsaglia-larger-ints-expected.txt: Removed.
      * js/regress/marsaglia-larger-ints.html: Removed.
      * js/regress/script-tests/large-int-captured.js: Removed.
      * js/regress/script-tests/large-int-neg.js: Removed.
      * js/regress/script-tests/large-int.js: Removed.
      * js/regress/script-tests/marsaglia-larger-ints.js: Removed.
      
      git-svn-id: http://svn.webkit.org/repository/webkit/trunk@156029 268f45cc-cd09-0410-ab3c-d52691b4dbfc
      92c67000
    • fpizlo@apple.com's avatar
      DFG should support Int52 for local variables · 4c466ec6
      fpizlo@apple.com authored
      https://bugs.webkit.org/show_bug.cgi?id=121064
      
      Source/JavaScriptCore: 
      
      Reviewed by Oliver Hunt.
              
      This adds Int52 support for local variables to the DFG and FTL. It's a speed-up on
      programs that have local int32 overflows but where a larger int representation can
      prevent us from having to convert all the way up to double.
              
      It's a small speed-up for now. But we're just supporting Int52 for a handful of
      operations (add, sub, mul, neg, compare, bitops, typed array access) and this lays
      the groundwork for adding Int52 to JSValue, which will probably be a bigger
      speed-up.
              
      The basic approach is:
              
      - We have a notion of Int52 in our typesystem. Int52 doesn't belong to BytecodeTop
        or HeapTop - i.e. it doesn't arise from JSValues.
              
      - DFG treats Int52 as being part of its FullTop and will treat it as being a
        subtype of double unless instructed otherwise.
              
      - Prediction propagator creates Int52s whenever we have a node going doubly but due
        to large values rather than fractional values, and that node is known to be able
        to produce Int52 natively in the DFG backend.
              
      - Fixup phase converts edges to MachineIntUses in nodes that are known to be able
        to deal with Int52, and where we have a subtype of Int32|Int52 as the predicted
        input.
              
      - The DFG backend and FTL LLVM IR lowering have two notions of Int52s - ones that
        are left-shifted by 16 (great for overflow checks) and ones that are
        sign-extended. Both backends know how to convert between Int52s and the other
        representations.
      
      * assembler/MacroAssemblerX86_64.h:
      (JSC::MacroAssemblerX86_64::rshift64):
      (JSC::MacroAssemblerX86_64::mul64):
      (JSC::MacroAssemblerX86_64::branchMul64):
      (JSC::MacroAssemblerX86_64::branchNeg64):
      (JSC::MacroAssemblerX86_64::convertInt64ToDouble):
      * assembler/X86Assembler.h:
      (JSC::X86Assembler::imulq_rr):
      (JSC::X86Assembler::cvtsi2sdq_rr):
      * bytecode/DataFormat.h:
      (JSC::dataFormatToString):
      * bytecode/OperandsInlines.h:
      (JSC::::dumpInContext):
      * bytecode/SpeculatedType.cpp:
      (JSC::dumpSpeculation):
      (JSC::speculationToAbbreviatedString):
      (JSC::speculationFromValue):
      * bytecode/SpeculatedType.h:
      (JSC::isInt32SpeculationForArithmetic):
      (JSC::isMachineIntSpeculationForArithmetic):
      (JSC::isBytecodeRealNumberSpeculation):
      (JSC::isFullRealNumberSpeculation):
      (JSC::isBytecodeNumberSpeculation):
      (JSC::isFullNumberSpeculation):
      (JSC::isBytecodeNumberSpeculationExpectingDefined):
      (JSC::isFullNumberSpeculationExpectingDefined):
      * bytecode/ValueRecovery.h:
      (JSC::ValueRecovery::alreadyInJSStackAsUnboxedInt52):
      (JSC::ValueRecovery::inGPR):
      (JSC::ValueRecovery::displacedInJSStack):
      (JSC::ValueRecovery::isAlreadyInJSStack):
      (JSC::ValueRecovery::gpr):
      (JSC::ValueRecovery::virtualRegister):
      (JSC::ValueRecovery::dumpInContext):
      * dfg/DFGAbstractInterpreter.h:
      (JSC::DFG::AbstractInterpreter::needsTypeCheck):
      (JSC::DFG::AbstractInterpreter::filterByType):
      * dfg/DFGAbstractInterpreterInlines.h:
      (JSC::DFG::::executeEffects):
      * dfg/DFGAbstractValue.cpp:
      (JSC::DFG::AbstractValue::set):
      (JSC::DFG::AbstractValue::checkConsistency):
      * dfg/DFGAbstractValue.h:
      (JSC::DFG::AbstractValue::couldBeType):
      (JSC::DFG::AbstractValue::isType):
      (JSC::DFG::AbstractValue::checkConsistency):
      (JSC::DFG::AbstractValue::validateType):
      * dfg/DFGArrayMode.cpp:
      (JSC::DFG::ArrayMode::refine):
      * dfg/DFGAssemblyHelpers.h:
      (JSC::DFG::AssemblyHelpers::boxInt52):
      * dfg/DFGCSEPhase.cpp:
      (JSC::DFG::CSEPhase::pureCSE):
      (JSC::DFG::CSEPhase::getByValLoadElimination):
      (JSC::DFG::CSEPhase::performNodeCSE):
      * dfg/DFGClobberize.h:
      (JSC::DFG::clobberize):
      * dfg/DFGCommon.h:
      (JSC::DFG::enableInt52):
      * dfg/DFGFixupPhase.cpp:
      (JSC::DFG::FixupPhase::run):
      (JSC::DFG::FixupPhase::fixupNode):
      (JSC::DFG::FixupPhase::fixupSetLocalsInBlock):
      (JSC::DFG::FixupPhase::fixupUntypedSetLocalsInBlock):
      (JSC::DFG::FixupPhase::observeUseKindOnNode):
      (JSC::DFG::FixupPhase::fixEdge):
      (JSC::DFG::FixupPhase::injectInt32ToDoubleNode):
      (JSC::DFG::FixupPhase::attemptToMakeIntegerAdd):
      * dfg/DFGFlushFormat.cpp:
      (WTF::printInternal):
      * dfg/DFGFlushFormat.h:
      (JSC::DFG::resultFor):
      (JSC::DFG::useKindFor):
      * dfg/DFGGenerationInfo.h:
      (JSC::DFG::GenerationInfo::initInt52):
      (JSC::DFG::GenerationInfo::initStrictInt52):
      (JSC::DFG::GenerationInfo::isFormat):
      (JSC::DFG::GenerationInfo::isInt52):
      (JSC::DFG::GenerationInfo::isStrictInt52):
      (JSC::DFG::GenerationInfo::fillInt52):
      (JSC::DFG::GenerationInfo::fillStrictInt52):
      * dfg/DFGGraph.cpp:
      (JSC::DFG::Graph::dump):
      * dfg/DFGGraph.h:
      (JSC::DFG::Graph::addShouldSpeculateMachineInt):
      (JSC::DFG::Graph::mulShouldSpeculateMachineInt):
      (JSC::DFG::Graph::negateShouldSpeculateMachineInt):
      * dfg/DFGInPlaceAbstractState.cpp:
      (JSC::DFG::InPlaceAbstractState::mergeStateAtTail):
      * dfg/DFGJITCode.cpp:
      (JSC::DFG::JITCode::reconstruct):
      * dfg/DFGMinifiedNode.h:
      (JSC::DFG::belongsInMinifiedGraph):
      (JSC::DFG::MinifiedNode::hasChild):
      * dfg/DFGNode.h:
      (JSC::DFG::Node::shouldSpeculateNumber):
      (JSC::DFG::Node::shouldSpeculateNumberExpectingDefined):
      * dfg/DFGNodeFlags.h:
      * dfg/DFGNodeType.h:
      (JSC::DFG::forwardRewiringSelectionScore):
      * dfg/DFGOSRExitCompiler.cpp:
      * dfg/DFGOSRExitCompiler64.cpp:
      (JSC::DFG::OSRExitCompiler::compileExit):
      * dfg/DFGPredictionPropagationPhase.cpp:
      (JSC::DFG::PredictionPropagationPhase::speculatedDoubleTypeForPrediction):
      (JSC::DFG::PredictionPropagationPhase::propagate):
      (JSC::DFG::PredictionPropagationPhase::doDoubleVoting):
      * dfg/DFGSafeToExecute.h:
      (JSC::DFG::SafeToExecuteEdge::operator()):
      (JSC::DFG::safeToExecute):
      * dfg/DFGSilentRegisterSavePlan.h:
      * dfg/DFGSpeculativeJIT.cpp:
      (JSC::DFG::SpeculativeJIT::silentSavePlanForGPR):
      (JSC::DFG::SpeculativeJIT::silentFill):
      (JSC::DFG::SpeculativeJIT::compilePeepHoleBranch):
      (JSC::DFG::SpeculativeJIT::compileInlineStart):
      (JSC::DFG::SpeculativeJIT::compileDoublePutByVal):
      (JSC::DFG::SpeculativeJIT::compileValueToInt32):
      (JSC::DFG::SpeculativeJIT::compileInt32ToDouble):
      (JSC::DFG::SpeculativeJIT::compileGetByValOnIntTypedArray):
      (JSC::DFG::SpeculativeJIT::compilePutByValForIntTypedArray):
      (JSC::DFG::SpeculativeJIT::compileAdd):
      (JSC::DFG::SpeculativeJIT::compileArithSub):
      (JSC::DFG::SpeculativeJIT::compileArithNegate):
      (JSC::DFG::SpeculativeJIT::compileArithMul):
      (JSC::DFG::SpeculativeJIT::compare):
      (JSC::DFG::SpeculativeJIT::compileStrictEq):
      (JSC::DFG::SpeculativeJIT::speculateMachineInt):
      (JSC::DFG::SpeculativeJIT::speculateNumber):
      (JSC::DFG::SpeculativeJIT::speculateRealNumber):
      (JSC::DFG::SpeculativeJIT::speculate):
      * dfg/DFGSpeculativeJIT.h:
      (JSC::DFG::SpeculativeJIT::canReuse):
      (JSC::DFG::SpeculativeJIT::isFilled):
      (JSC::DFG::SpeculativeJIT::isFilledDouble):
      (JSC::DFG::SpeculativeJIT::use):
      (JSC::DFG::SpeculativeJIT::isKnownInteger):
      (JSC::DFG::SpeculativeJIT::isKnownCell):
      (JSC::DFG::SpeculativeJIT::isKnownNotNumber):
      (JSC::DFG::SpeculativeJIT::int52Result):
      (JSC::DFG::SpeculativeJIT::strictInt52Result):
      (JSC::DFG::SpeculativeJIT::initConstantInfo):
      (JSC::DFG::SpeculativeJIT::isInteger):
      (JSC::DFG::SpeculativeJIT::betterUseStrictInt52):
      (JSC::DFG::SpeculativeJIT::generationInfo):
      (JSC::DFG::SpeculateInt52Operand::SpeculateInt52Operand):
      (JSC::DFG::SpeculateInt52Operand::~SpeculateInt52Operand):
      (JSC::DFG::SpeculateInt52Operand::edge):
      (JSC::DFG::SpeculateInt52Operand::node):
      (JSC::DFG::SpeculateInt52Operand::gpr):
      (JSC::DFG::SpeculateInt52Operand::use):
      (JSC::DFG::SpeculateStrictInt52Operand::SpeculateStrictInt52Operand):
      (JSC::DFG::SpeculateStrictInt52Operand::~SpeculateStrictInt52Operand):
      (JSC::DFG::SpeculateStrictInt52Operand::edge):
      (JSC::DFG::SpeculateStrictInt52Operand::node):
      (JSC::DFG::SpeculateStrictInt52Operand::gpr):
      (JSC::DFG::SpeculateStrictInt52Operand::use):
      (JSC::DFG::SpeculateWhicheverInt52Operand::SpeculateWhicheverInt52Operand):
      (JSC::DFG::SpeculateWhicheverInt52Operand::~SpeculateWhicheverInt52Operand):
      (JSC::DFG::SpeculateWhicheverInt52Operand::edge):
      (JSC::DFG::SpeculateWhicheverInt52Operand::node):
      (JSC::DFG::SpeculateWhicheverInt52Operand::gpr):
      (JSC::DFG::SpeculateWhicheverInt52Operand::use):
      (JSC::DFG::SpeculateWhicheverInt52Operand::format):
      * dfg/DFGSpeculativeJIT32_64.cpp:
      (JSC::DFG::SpeculativeJIT::fillSpeculateDouble):
      (JSC::DFG::SpeculativeJIT::compile):
      * dfg/DFGSpeculativeJIT64.cpp:
      (JSC::DFG::SpeculativeJIT::boxInt52):
      (JSC::DFG::SpeculativeJIT::fillJSValue):
      (JSC::DFG::SpeculativeJIT::fillSpeculateInt32Internal):
      (JSC::DFG::SpeculativeJIT::fillSpeculateInt52):
      (JSC::DFG::SpeculativeJIT::fillSpeculateDouble):
      (JSC::DFG::SpeculativeJIT::fillSpeculateCell):
      (JSC::DFG::SpeculativeJIT::fillSpeculateBoolean):
      (JSC::DFG::SpeculativeJIT::compileInt52Compare):
      (JSC::DFG::SpeculativeJIT::compilePeepHoleInt52Branch):
      (JSC::DFG::SpeculativeJIT::compile):
      * dfg/DFGUseKind.cpp:
      (WTF::printInternal):
      * dfg/DFGUseKind.h:
      (JSC::DFG::typeFilterFor):
      (JSC::DFG::isNumerical):
      * dfg/DFGValueSource.cpp:
      (JSC::DFG::ValueSource::dump):
      * dfg/DFGValueSource.h:
      (JSC::DFG::dataFormatToValueSourceKind):
      (JSC::DFG::valueSourceKindToDataFormat):
      (JSC::DFG::ValueSource::forFlushFormat):
      (JSC::DFG::ValueSource::valueRecovery):
      * dfg/DFGVariableAccessData.h:
      (JSC::DFG::VariableAccessData::shouldUseDoubleFormatAccordingToVote):
      (JSC::DFG::VariableAccessData::flushFormat):
      * ftl/FTLCArgumentGetter.cpp:
      (JSC::FTL::CArgumentGetter::loadNextAndBox):
      * ftl/FTLCArgumentGetter.h:
      * ftl/FTLCapabilities.cpp:
      (JSC::FTL::canCompile):
      * ftl/FTLExitValue.cpp:
      (JSC::FTL::ExitValue::dumpInContext):
      * ftl/FTLExitValue.h:
      (JSC::FTL::ExitValue::inJSStackAsInt52):
      * ftl/FTLIntrinsicRepository.h:
      * ftl/FTLLowerDFGToLLVM.cpp:
      (JSC::FTL::LowerDFGToLLVM::createPhiVariables):
      (JSC::FTL::LowerDFGToLLVM::compileNode):
      (JSC::FTL::LowerDFGToLLVM::compileUpsilon):
      (JSC::FTL::LowerDFGToLLVM::compilePhi):
      (JSC::FTL::LowerDFGToLLVM::compileSetLocal):
      (JSC::FTL::LowerDFGToLLVM::compileAdd):
      (JSC::FTL::LowerDFGToLLVM::compileArithSub):
      (JSC::FTL::LowerDFGToLLVM::compileArithMul):
      (JSC::FTL::LowerDFGToLLVM::compileArithNegate):
      (JSC::FTL::LowerDFGToLLVM::compilePutByVal):
      (JSC::FTL::LowerDFGToLLVM::compileCompareEq):
      (JSC::FTL::LowerDFGToLLVM::compileCompareStrictEq):
      (JSC::FTL::LowerDFGToLLVM::compileCompareLess):
      (JSC::FTL::LowerDFGToLLVM::compileCompareLessEq):
      (JSC::FTL::LowerDFGToLLVM::compileCompareGreater):
      (JSC::FTL::LowerDFGToLLVM::compileCompareGreaterEq):
      (JSC::FTL::LowerDFGToLLVM::lowInt32):
      (JSC::FTL::LowerDFGToLLVM::lowInt52):
      (JSC::FTL::LowerDFGToLLVM::lowStrictInt52):
      (JSC::FTL::LowerDFGToLLVM::betterUseStrictInt52):
      (JSC::FTL::LowerDFGToLLVM::bestInt52Kind):
      (JSC::FTL::LowerDFGToLLVM::opposite):
      (JSC::FTL::LowerDFGToLLVM::Int52s::operator[]):
      (JSC::FTL::LowerDFGToLLVM::lowWhicheverInt52):
      (JSC::FTL::LowerDFGToLLVM::lowWhicheverInt52s):
      (JSC::FTL::LowerDFGToLLVM::lowOpposingInt52s):
      (JSC::FTL::LowerDFGToLLVM::lowCell):
      (JSC::FTL::LowerDFGToLLVM::lowBoolean):
      (JSC::FTL::LowerDFGToLLVM::lowDouble):
      (JSC::FTL::LowerDFGToLLVM::lowJSValue):
      (JSC::FTL::LowerDFGToLLVM::strictInt52ToInt32):
      (JSC::FTL::LowerDFGToLLVM::strictInt52ToDouble):
      (JSC::FTL::LowerDFGToLLVM::strictInt52ToJSValue):
      (JSC::FTL::LowerDFGToLLVM::setInt52WithStrictValue):
      (JSC::FTL::LowerDFGToLLVM::strictInt52ToInt52):
      (JSC::FTL::LowerDFGToLLVM::int52ToStrictInt52):
      (JSC::FTL::LowerDFGToLLVM::speculateRealNumber):
      (JSC::FTL::LowerDFGToLLVM::initializeOSRExitStateForBlock):
      (JSC::FTL::LowerDFGToLLVM::emitOSRExitCall):
      (JSC::FTL::LowerDFGToLLVM::addExitArgumentForNode):
      (JSC::FTL::LowerDFGToLLVM::setInt52):
      (JSC::FTL::LowerDFGToLLVM::setStrictInt52):
      * ftl/FTLOSRExitCompiler.cpp:
      (JSC::FTL::compileStub):
      * ftl/FTLOutput.h:
      (JSC::FTL::Output::addWithOverflow64):
      (JSC::FTL::Output::subWithOverflow64):
      (JSC::FTL::Output::mulWithOverflow64):
      * ftl/FTLValueFormat.cpp:
      (WTF::printInternal):
      * ftl/FTLValueFormat.h:
      * ftl/FTLValueSource.cpp:
      (JSC::FTL::ValueSource::dump):
      * ftl/FTLValueSource.h:
      * interpreter/Register.h:
      (JSC::Register::unboxedInt52):
      * runtime/Arguments.cpp:
      (JSC::Arguments::tearOffForInlineCallFrame):
      * runtime/IndexingType.cpp:
      (JSC::leastUpperBoundOfIndexingTypeAndType):
      * runtime/JSCJSValue.h:
      * runtime/JSCJSValueInlines.h:
      (JSC::JSValue::isMachineInt):
      (JSC::JSValue::asMachineInt):
      
      Source/WTF: 
      
      Reviewed by Oliver Hunt.
      
      * wtf/PrintStream.h:
      (WTF::ValueIgnoringContext::ValueIgnoringContext):
      (WTF::ValueIgnoringContext::dump):
      (WTF::ignoringContext):
      
      Tools: 
      
      Reviewed by Oliver Hunt.
      
      * Scripts/run-jsc-stress-tests:
      
      LayoutTests: 
      
      Reviewed by Oliver Hunt.
      
      * js/regress/large-int-captured-expected.txt: Added.
      * js/regress/large-int-captured.html: Added.
      * js/regress/large-int-expected.txt: Added.
      * js/regress/large-int-neg-expected.txt: Added.
      * js/regress/large-int-neg.html: Added.
      * js/regress/large-int.html: Added.
      * js/regress/marsaglia-larger-ints-expected.txt: Added.
      * js/regress/marsaglia-larger-ints.html: Added.
      * js/regress/script-tests/large-int-captured.js: Added.
      (.bar):
      (foo):
      * js/regress/script-tests/large-int-neg.js: Added.
      (foo):
      * js/regress/script-tests/large-int.js: Added.
      (foo):
      * js/regress/script-tests/marsaglia-larger-ints.js: Added.
      (uint):
      (marsaglia):
      
      
      
      git-svn-id: http://svn.webkit.org/repository/webkit/trunk@156019 268f45cc-cd09-0410-ab3c-d52691b4dbfc
      4c466ec6
  3. 18 Dec, 2012 1 commit
  4. 08 Nov, 2012 1 commit
    • fpizlo@apple.com's avatar
      JSC should infer when indexed storage contains only integers or doubles · 75c91a79
      fpizlo@apple.com authored
      https://bugs.webkit.org/show_bug.cgi?id=98606
      
      Reviewed by Oliver Hunt.
      
      Source/JavaScriptCore: 
      
      This adds two new indexing types: int32 and double. It also adds array allocation profiling,
      which allows array allocations to converge to allocating arrays using those types to which
      those arrays would have been converted.
              
      20% speed-up on navier-stokes. 40% speed-up on various Kraken DSP tests. Some slow-downs too,
      but a performance win overall on all benchmarks we track.
      
      * API/JSObjectRef.cpp:
      (JSObjectMakeArray):
      * CMakeLists.txt:
      * GNUmakefile.list.am:
      * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def:
      * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.vcproj:
      * JavaScriptCore.xcodeproj/project.pbxproj:
      * Target.pri:
      * assembler/AbstractMacroAssembler.h:
      (JumpList):
      (JSC::AbstractMacroAssembler::JumpList::JumpList):
      * assembler/MacroAssemblerX86Common.h:
      (JSC::MacroAssemblerX86Common::branchDouble):
      * assembler/X86Assembler.h:
      (JSC::X86Assembler::jnp):
      (X86Assembler):
      (JSC::X86Assembler::X86InstructionFormatter::emitRex):
      * bytecode/ArrayAllocationProfile.cpp: Added.
      (JSC):
      (JSC::ArrayAllocationProfile::updateIndexingType):
      * bytecode/ArrayAllocationProfile.h: Added.
      (JSC):
      (ArrayAllocationProfile):
      (JSC::ArrayAllocationProfile::ArrayAllocationProfile):
      (JSC::ArrayAllocationProfile::selectIndexingType):
      (JSC::ArrayAllocationProfile::updateLastAllocation):
      (JSC::ArrayAllocationProfile::selectIndexingTypeFor):
      (JSC::ArrayAllocationProfile::updateLastAllocationFor):
      * bytecode/ArrayProfile.cpp:
      (JSC::ArrayProfile::updatedObservedArrayModes):
      (JSC):
      * bytecode/ArrayProfile.h:
      (JSC):
      (JSC::arrayModesInclude):
      (JSC::shouldUseSlowPutArrayStorage):
      (JSC::shouldUseFastArrayStorage):
      (JSC::shouldUseContiguous):
      (JSC::shouldUseDouble):
      (JSC::shouldUseInt32):
      (ArrayProfile):
      * bytecode/ByValInfo.h:
      (JSC::isOptimizableIndexingType):
      (JSC::jitArrayModeForIndexingType):
      * bytecode/CodeBlock.cpp:
      (JSC::CodeBlock::dump):
      (JSC::CodeBlock::CodeBlock):
      (JSC::CodeBlock::updateAllPredictionsAndCountLiveness):
      (JSC):
      (JSC::CodeBlock::updateAllValueProfilePredictions):
      (JSC::CodeBlock::updateAllArrayPredictions):
      (JSC::CodeBlock::updateAllPredictions):
      (JSC::CodeBlock::shouldOptimizeNow):
      * bytecode/CodeBlock.h:
      (CodeBlock):
      (JSC::CodeBlock::numberOfArrayAllocationProfiles):
      (JSC::CodeBlock::addArrayAllocationProfile):
      (JSC::CodeBlock::updateAllValueProfilePredictions):
      (JSC::CodeBlock::updateAllArrayPredictions):
      * bytecode/DFGExitProfile.h:
      (JSC::DFG::exitKindToString):
      * bytecode/Instruction.h:
      (JSC):
      (JSC::Instruction::Instruction):
      * bytecode/Opcode.h:
      (JSC):
      (JSC::padOpcodeName):
      * bytecode/SpeculatedType.h:
      (JSC):
      (JSC::isRealNumberSpeculation):
      * bytecode/UnlinkedCodeBlock.cpp:
      (JSC::UnlinkedCodeBlock::UnlinkedCodeBlock):
      * bytecode/UnlinkedCodeBlock.h:
      (JSC):
      (JSC::UnlinkedCodeBlock::addArrayAllocationProfile):
      (JSC::UnlinkedCodeBlock::numberOfArrayAllocationProfiles):
      (UnlinkedCodeBlock):
      * bytecompiler/BytecodeGenerator.cpp:
      (JSC::BytecodeGenerator::newArrayAllocationProfile):
      (JSC):
      (JSC::BytecodeGenerator::emitNewArray):
      (JSC::BytecodeGenerator::emitExpectedFunctionSnippet):
      * bytecompiler/BytecodeGenerator.h:
      (BytecodeGenerator):
      * dfg/DFGAbstractState.cpp:
      (JSC::DFG::AbstractState::execute):
      * dfg/DFGArrayMode.cpp:
      (JSC::DFG::ArrayMode::fromObserved):
      (JSC::DFG::ArrayMode::refine):
      (DFG):
      (JSC::DFG::ArrayMode::alreadyChecked):
      (JSC::DFG::arrayTypeToString):
      * dfg/DFGArrayMode.h:
      (JSC::DFG::ArrayMode::withType):
      (ArrayMode):
      (JSC::DFG::ArrayMode::withTypeAndConversion):
      (JSC::DFG::ArrayMode::usesButterfly):
      (JSC::DFG::ArrayMode::isSpecific):
      (JSC::DFG::ArrayMode::supportsLength):
      (JSC::DFG::ArrayMode::arrayModesThatPassFiltering):
      * dfg/DFGByteCodeParser.cpp:
      (JSC::DFG::ByteCodeParser::getArrayMode):
      (ByteCodeParser):
      (JSC::DFG::ByteCodeParser::handleIntrinsic):
      (JSC::DFG::ByteCodeParser::handleConstantInternalFunction):
      (JSC::DFG::ByteCodeParser::parseBlock):
      * dfg/DFGCCallHelpers.h:
      (JSC::DFG::CCallHelpers::setupArgumentsWithExecState):
      (CCallHelpers):
      * dfg/DFGCallArrayAllocatorSlowPathGenerator.h:
      (JSC::DFG::CallArrayAllocatorSlowPathGenerator::generateInternal):
      (JSC::DFG::CallArrayAllocatorWithVariableSizeSlowPathGenerator::generateInternal):
      * dfg/DFGFixupPhase.cpp:
      (JSC::DFG::FixupPhase::fixupNode):
      (JSC::DFG::FixupPhase::checkArray):
      * dfg/DFGGraph.cpp:
      (JSC::DFG::Graph::dump):
      * dfg/DFGGraph.h:
      (JSC::DFG::Graph::byValIsPure):
      * dfg/DFGNode.h:
      (NewArrayBufferData):
      (JSC::DFG::Node::hasIndexingType):
      (Node):
      (JSC::DFG::Node::indexingType):
      (JSC::DFG::Node::setIndexingType):
      * dfg/DFGOperations.cpp:
      * dfg/DFGOperations.h:
      * dfg/DFGPredictionPropagationPhase.cpp:
      (JSC::DFG::PredictionPropagationPhase::doRoundOfDoubleVoting):
      * dfg/DFGSpeculativeJIT.cpp:
      (JSC::DFG::SpeculativeJIT::emitAllocateJSArray):
      (JSC::DFG::SpeculativeJIT::jumpSlowForUnwantedArrayMode):
      (DFG):
      (JSC::DFG::SpeculativeJIT::checkArray):
      (JSC::DFG::SpeculativeJIT::arrayify):
      (JSC::DFG::SpeculativeJIT::compileDoublePutByVal):
      (JSC::DFG::SpeculativeJIT::compileGetArrayLength):
      * dfg/DFGSpeculativeJIT.h:
      (JSC::DFG::SpeculativeJIT::callOperation):
      (SpeculativeJIT):
      (SpeculateIntegerOperand):
      (JSC::DFG::SpeculateIntegerOperand::use):
      (SpeculateDoubleOperand):
      (JSC::DFG::SpeculateDoubleOperand::use):
      * dfg/DFGSpeculativeJIT32_64.cpp:
      (DFG):
      (JSC::DFG::SpeculativeJIT::compileContiguousPutByVal):
      (JSC::DFG::SpeculativeJIT::compile):
      * dfg/DFGSpeculativeJIT64.cpp:
      (JSC::DFG::SpeculativeJIT::compile):
      * jit/JIT.h:
      (JSC::JIT::emitInt32GetByVal):
      (JIT):
      (JSC::JIT::emitInt32PutByVal):
      (JSC::JIT::emitDoublePutByVal):
      (JSC::JIT::emitContiguousPutByVal):
      * jit/JITExceptions.cpp:
      (JSC::genericThrow):
      * jit/JITInlineMethods.h:
      (JSC::arrayProfileSaw):
      (JSC::JIT::chooseArrayMode):
      * jit/JITOpcodes.cpp:
      (JSC::JIT::emit_op_new_array):
      (JSC::JIT::emit_op_new_array_with_size):
      (JSC::JIT::emit_op_new_array_buffer):
      * jit/JITPropertyAccess.cpp:
      (JSC::JIT::emit_op_get_by_val):
      (JSC::JIT::emitDoubleGetByVal):
      (JSC):
      (JSC::JIT::emitContiguousGetByVal):
      (JSC::JIT::emit_op_put_by_val):
      (JSC::JIT::emitGenericContiguousPutByVal):
      (JSC::JIT::emitSlow_op_put_by_val):
      (JSC::JIT::privateCompileGetByVal):
      (JSC::JIT::privateCompilePutByVal):
      * jit/JITPropertyAccess32_64.cpp:
      (JSC::JIT::emit_op_get_by_val):
      (JSC::JIT::emitContiguousGetByVal):
      (JSC::JIT::emitDoubleGetByVal):
      (JSC):
      (JSC::JIT::emit_op_put_by_val):
      (JSC::JIT::emitGenericContiguousPutByVal):
      (JSC::JIT::emitSlow_op_put_by_val):
      * jit/JITStubs.cpp:
      (JSC::DEFINE_STUB_FUNCTION):
      * jit/JITStubs.h:
      (JSC):
      * jsc.cpp:
      (GlobalObject::finishCreation):
      * llint/LLIntSlowPaths.cpp:
      (JSC::LLInt::jitCompileAndSetHeuristics):
      (JSC::LLInt::LLINT_SLOW_PATH_DECL):
      * llint/LowLevelInterpreter.asm:
      * llint/LowLevelInterpreter32_64.asm:
      * llint/LowLevelInterpreter64.asm:
      * offlineasm/x86.rb:
      * runtime/ArrayConstructor.cpp:
      (JSC::constructArrayWithSizeQuirk):
      * runtime/ArrayConstructor.h:
      (JSC):
      * runtime/ArrayPrototype.cpp:
      (JSC::arrayProtoFuncConcat):
      (JSC::arrayProtoFuncSlice):
      (JSC::arrayProtoFuncSplice):
      (JSC::arrayProtoFuncFilter):
      (JSC::arrayProtoFuncMap):
      * runtime/Butterfly.h:
      (JSC::Butterfly::contiguousInt32):
      (JSC::Butterfly::contiguousDouble):
      (JSC::Butterfly::fromContiguous):
      * runtime/ButterflyInlineMethods.h:
      (JSC::Butterfly::createUninitializedDuringCollection):
      * runtime/FunctionPrototype.cpp:
      (JSC::functionProtoFuncBind):
      * runtime/IndexingHeaderInlineMethods.h:
      (JSC::IndexingHeader::indexingPayloadSizeInBytes):
      * runtime/IndexingType.cpp:
      (JSC::leastUpperBoundOfIndexingTypes):
      (JSC):
      (JSC::leastUpperBoundOfIndexingTypeAndType):
      (JSC::leastUpperBoundOfIndexingTypeAndValue):
      (JSC::indexingTypeToString):
      * runtime/IndexingType.h:
      (JSC):
      (JSC::hasUndecided):
      (JSC::hasInt32):
      (JSC::hasDouble):
      * runtime/JSArray.cpp:
      (JSC::JSArray::setLength):
      (JSC::JSArray::pop):
      (JSC::JSArray::push):
      (JSC::JSArray::shiftCountWithAnyIndexingType):
      (JSC::JSArray::unshiftCountWithAnyIndexingType):
      (JSC::compareNumbersForQSortWithInt32):
      (JSC):
      (JSC::compareNumbersForQSortWithDouble):
      (JSC::JSArray::sortNumericVector):
      (JSC::JSArray::sortNumeric):
      (JSC::JSArray::sortCompactedVector):
      (JSC::JSArray::sort):
      (JSC::JSArray::sortVector):
      (JSC::JSArray::fillArgList):
      (JSC::JSArray::copyToArguments):
      (JSC::JSArray::compactForSorting):
      * runtime/JSArray.h:
      (JSArray):
      (JSC::createContiguousArrayButterfly):
      (JSC::JSArray::create):
      (JSC::JSArray::tryCreateUninitialized):
      * runtime/JSGlobalObject.cpp:
      (JSC::JSGlobalObject::reset):
      (JSC):
      (JSC::JSGlobalObject::haveABadTime):
      (JSC::JSGlobalObject::visitChildren):
      * runtime/JSGlobalObject.h:
      (JSGlobalObject):
      (JSC::JSGlobalObject::originalArrayStructureForIndexingType):
      (JSC::JSGlobalObject::arrayStructureForIndexingTypeDuringAllocation):
      (JSC::JSGlobalObject::arrayStructureForProfileDuringAllocation):
      (JSC::JSGlobalObject::isOriginalArrayStructure):
      (JSC::constructEmptyArray):
      (JSC::constructArray):
      * runtime/JSObject.cpp:
      (JSC::JSObject::copyButterfly):
      (JSC::JSObject::getOwnPropertySlotByIndex):
      (JSC::JSObject::putByIndex):
      (JSC::JSObject::enterDictionaryIndexingMode):
      (JSC::JSObject::createInitialIndexedStorage):
      (JSC):
      (JSC::JSObject::createInitialUndecided):
      (JSC::JSObject::createInitialInt32):
      (JSC::JSObject::createInitialDouble):
      (JSC::JSObject::createInitialContiguous):
      (JSC::JSObject::convertUndecidedToInt32):
      (JSC::JSObject::convertUndecidedToDouble):
      (JSC::JSObject::convertUndecidedToContiguous):
      (JSC::JSObject::constructConvertedArrayStorageWithoutCopyingElements):
      (JSC::JSObject::convertUndecidedToArrayStorage):
      (JSC::JSObject::convertInt32ToDouble):
      (JSC::JSObject::convertInt32ToContiguous):
      (JSC::JSObject::convertInt32ToArrayStorage):
      (JSC::JSObject::convertDoubleToContiguous):
      (JSC::JSObject::convertDoubleToArrayStorage):
      (JSC::JSObject::convertContiguousToArrayStorage):
      (JSC::JSObject::convertUndecidedForValue):
      (JSC::JSObject::convertInt32ForValue):
      (JSC::JSObject::setIndexQuicklyToUndecided):
      (JSC::JSObject::convertInt32ToDoubleOrContiguousWhilePerformingSetIndex):
      (JSC::JSObject::convertDoubleToContiguousWhilePerformingSetIndex):
      (JSC::JSObject::ensureInt32Slow):
      (JSC::JSObject::ensureDoubleSlow):
      (JSC::JSObject::ensureContiguousSlow):
      (JSC::JSObject::ensureArrayStorageSlow):
      (JSC::JSObject::ensureArrayStorageExistsAndEnterDictionaryIndexingMode):
      (JSC::JSObject::switchToSlowPutArrayStorage):
      (JSC::JSObject::deletePropertyByIndex):
      (JSC::JSObject::getOwnPropertyNames):
      (JSC::JSObject::putByIndexBeyondVectorLengthWithoutAttributes):
      (JSC::JSObject::putByIndexBeyondVectorLength):
      (JSC::JSObject::putDirectIndexBeyondVectorLength):
      (JSC::JSObject::getNewVectorLength):
      (JSC::JSObject::countElements):
      (JSC::JSObject::ensureLengthSlow):
      (JSC::JSObject::getOwnPropertyDescriptor):
      * runtime/JSObject.h:
      (JSC::JSObject::getArrayLength):
      (JSC::JSObject::getVectorLength):
      (JSC::JSObject::canGetIndexQuickly):
      (JSC::JSObject::getIndexQuickly):
      (JSC::JSObject::tryGetIndexQuickly):
      (JSC::JSObject::canSetIndexQuickly):
      (JSC::JSObject::canSetIndexQuicklyForPutDirect):
      (JSC::JSObject::setIndexQuickly):
      (JSC::JSObject::initializeIndex):
      (JSC::JSObject::hasSparseMap):
      (JSC::JSObject::inSparseIndexingMode):
      (JSObject):
      (JSC::JSObject::ensureInt32):
      (JSC::JSObject::ensureDouble):
      (JSC::JSObject::ensureLength):
      (JSC::JSObject::indexingData):
      (JSC::JSObject::currentIndexingData):
      (JSC::JSObject::getHolyIndexQuickly):
      (JSC::JSObject::relevantLength):
      (JSC::JSObject::currentRelevantLength):
      * runtime/JSValue.cpp:
      (JSC::JSValue::description):
      * runtime/LiteralParser.cpp:
      (JSC::::parse):
      * runtime/ObjectConstructor.cpp:
      (JSC::objectConstructorGetOwnPropertyNames):
      (JSC::objectConstructorKeys):
      * runtime/StringPrototype.cpp:
      (JSC::stringProtoFuncMatch):
      (JSC::stringProtoFuncSplit):
      * runtime/Structure.cpp:
      (JSC::Structure::nonPropertyTransition):
      * runtime/StructureTransitionTable.h:
      (JSC::newIndexingType):
      
      Source/WebCore: 
      
      Just refactoring WebCore to pass 0 for the ArrayAllocationProfile*.
      
      * bindings/js/JSCanvasRenderingContext2DCustom.cpp:
      (WebCore::JSCanvasRenderingContext2D::webkitLineDash):
      * bindings/js/JSClipboardCustom.cpp:
      (WebCore::JSClipboard::types):
      * bindings/js/JSDOMBinding.cpp:
      (WebCore::jsArray):
      * bindings/js/JSDOMBinding.h:
      (WebCore::jsArray):
      * bindings/js/JSInjectedScriptHostCustom.cpp:
      (WebCore::getJSListenerFunctions):
      * bindings/js/JSJavaScriptCallFrameCustom.cpp:
      (WebCore::JSJavaScriptCallFrame::scopeChain):
      * bindings/js/JSMessageEventCustom.cpp:
      (WebCore::JSMessageEvent::ports):
      * bindings/js/JSMutationCallbackCustom.cpp:
      (WebCore::JSMutationCallback::handleEvent):
      * bindings/js/JSWebGLRenderingContextCustom.cpp:
      (WebCore::toJS):
      (WebCore::JSWebGLRenderingContext::getAttachedShaders):
      (WebCore::JSWebGLRenderingContext::getSupportedExtensions):
      * bindings/js/SerializedScriptValue.cpp:
      (WebCore::CloneDeserializer::deserialize):
      
      
      
      git-svn-id: http://svn.webkit.org/repository/webkit/trunk@133953 268f45cc-cd09-0410-ab3c-d52691b4dbfc
      75c91a79
  5. 10 Oct, 2012 1 commit