<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN"
"http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head><meta http-equiv="content-type" content="text/html; charset=utf-8" />
<title>[164923] trunk/Source/JavaScriptCore</title>
</head>
<body>
<style type="text/css"><!--
#msg dl.meta { border: 1px #006 solid; background: #369; padding: 6px; color: #fff; }
#msg dl.meta dt { float: left; width: 6em; font-weight: bold; }
#msg dt:after { content:':';}
#msg dl, #msg dt, #msg ul, #msg li, #header, #footer, #logmsg { font-family: verdana,arial,helvetica,sans-serif; font-size: 10pt; }
#msg dl a { font-weight: bold}
#msg dl a:link { color:#fc3; }
#msg dl a:active { color:#ff0; }
#msg dl a:visited { color:#cc6; }
h3 { font-family: verdana,arial,helvetica,sans-serif; font-size: 10pt; font-weight: bold; }
#msg pre { overflow: auto; background: #ffc; border: 1px #fa0 solid; padding: 6px; }
#logmsg { background: #ffc; border: 1px #fa0 solid; padding: 1em 1em 0 1em; }
#logmsg p, #logmsg pre, #logmsg blockquote { margin: 0 0 1em 0; }
#logmsg p, #logmsg li, #logmsg dt, #logmsg dd { line-height: 14pt; }
#logmsg h1, #logmsg h2, #logmsg h3, #logmsg h4, #logmsg h5, #logmsg h6 { margin: .5em 0; }
#logmsg h1:first-child, #logmsg h2:first-child, #logmsg h3:first-child, #logmsg h4:first-child, #logmsg h5:first-child, #logmsg h6:first-child { margin-top: 0; }
#logmsg ul, #logmsg ol { padding: 0; list-style-position: inside; margin: 0 0 0 1em; }
#logmsg ul { text-indent: -1em; padding-left: 1em; }#logmsg ol { text-indent: -1.5em; padding-left: 1.5em; }
#logmsg > ul, #logmsg > ol { margin: 0 0 1em 0; }
#logmsg pre { background: #eee; padding: 1em; }
#logmsg blockquote { border: 1px solid #fa0; border-left-width: 10px; padding: 1em 1em 0 1em; background: white;}
#logmsg dl { margin: 0; }
#logmsg dt { font-weight: bold; }
#logmsg dd { margin: 0; padding: 0 0 0.5em 0; }
#logmsg dd:before { content:'\00bb';}
#logmsg table { border-spacing: 0px; border-collapse: collapse; border-top: 4px solid #fa0; border-bottom: 1px solid #fa0; background: #fff; }
#logmsg table th { text-align: left; font-weight: normal; padding: 0.2em 0.5em; border-top: 1px dotted #fa0; }
#logmsg table td { text-align: right; border-top: 1px dotted #fa0; padding: 0.2em 0.5em; }
#logmsg table thead th { text-align: center; border-bottom: 1px solid #fa0; }
#logmsg table th.Corner { text-align: left; }
#logmsg hr { border: none 0; border-top: 2px dashed #fa0; height: 1px; }
#header, #footer { color: #fff; background: #636; border: 1px #300 solid; padding: 6px; }
#patch { width: 100%; }
#patch h4 {font-family: verdana,arial,helvetica,sans-serif;font-size:10pt;padding:8px;background:#369;color:#fff;margin:0;}
#patch .propset h4, #patch .binary h4 {margin:0;}
#patch pre {padding:0;line-height:1.2em;margin:0;}
#patch .diff {width:100%;background:#eee;padding: 0 0 10px 0;overflow:auto;}
#patch .propset .diff, #patch .binary .diff {padding:10px 0;}
#patch span {display:block;padding:0 10px;}
#patch .modfile, #patch .addfile, #patch .delfile, #patch .propset, #patch .binary, #patch .copfile {border:1px solid #ccc;margin:10px 0;}
#patch ins {background:#dfd;text-decoration:none;display:block;padding:0 10px;}
#patch del {background:#fdd;text-decoration:none;display:block;padding:0 10px;}
#patch .lines, .info {color:#888;background:#fff;}
--></style>
<div id="msg">
<dl class="meta">
<dt>Revision</dt> <dd><a href="http://trac.webkit.org/projects/webkit/changeset/164923">164923</a></dd>
<dt>Author</dt> <dd>fpizlo@apple.com</dd>
<dt>Date</dt> <dd>2014-03-01 11:57:40 -0800 (Sat, 01 Mar 2014)</dd>
</dl>
<h3>Log Message</h3>
<pre>FTL should support PhantomArguments
https://bugs.webkit.org/show_bug.cgi?id=113986
Reviewed by Oliver Hunt.
Adding PhantomArguments to the FTL mostly means wiring the recovery of the Arguments
object into the FTL's OSR exit compiler.
This isn't a speed-up yet, since there is still more to be done to fully support
all of the arguments craziness that our varargs benchmarks do.
* dfg/DFGOSRExitCompiler32_64.cpp:
(JSC::DFG::OSRExitCompiler::compileExit): move the recovery code to DFGOSRExitCompilerCommon.cpp
* dfg/DFGOSRExitCompiler64.cpp:
(JSC::DFG::OSRExitCompiler::compileExit): move the recovery code to DFGOSRExitCompilerCommon.cpp
* dfg/DFGOSRExitCompilerCommon.cpp:
(JSC::DFG::ArgumentsRecoveryGenerator::ArgumentsRecoveryGenerator):
(JSC::DFG::ArgumentsRecoveryGenerator::~ArgumentsRecoveryGenerator):
(JSC::DFG::ArgumentsRecoveryGenerator::generateFor): this is the common place for the recovery code
* dfg/DFGOSRExitCompilerCommon.h:
* ftl/FTLCapabilities.cpp:
(JSC::FTL::canCompile):
* ftl/FTLExitValue.cpp:
(JSC::FTL::ExitValue::dumpInContext):
* ftl/FTLExitValue.h:
(JSC::FTL::ExitValue::argumentsObjectThatWasNotCreated):
(JSC::FTL::ExitValue::isArgumentsObjectThatWasNotCreated):
(JSC::FTL::ExitValue::valueFormat):
* ftl/FTLLowerDFGToLLVM.cpp:
(JSC::FTL::LowerDFGToLLVM::compileNode):
(JSC::FTL::LowerDFGToLLVM::compilePhantomArguments):
(JSC::FTL::LowerDFGToLLVM::buildExitArguments):
(JSC::FTL::LowerDFGToLLVM::tryToSetConstantExitArgument):
* ftl/FTLOSRExitCompiler.cpp:
(JSC::FTL::compileStub): Call into the ArgumentsRecoveryGenerator
* tests/stress/slightly-more-difficult-to-fold-reflective-arguments-access.js: Added.
* tests/stress/trivially-foldable-reflective-arguments-access.js: Added.</pre>
<h3>Modified Paths</h3>
<ul>
<li><a href="#trunkSourceJavaScriptCoreChangeLog">trunk/Source/JavaScriptCore/ChangeLog</a></li>
<li><a href="#trunkSourceJavaScriptCoredfgDFGOSRExitCompiler32_64cpp">trunk/Source/JavaScriptCore/dfg/DFGOSRExitCompiler32_64.cpp</a></li>
<li><a href="#trunkSourceJavaScriptCoredfgDFGOSRExitCompiler64cpp">trunk/Source/JavaScriptCore/dfg/DFGOSRExitCompiler64.cpp</a></li>
<li><a href="#trunkSourceJavaScriptCoredfgDFGOSRExitCompilerCommoncpp">trunk/Source/JavaScriptCore/dfg/DFGOSRExitCompilerCommon.cpp</a></li>
<li><a href="#trunkSourceJavaScriptCoredfgDFGOSRExitCompilerCommonh">trunk/Source/JavaScriptCore/dfg/DFGOSRExitCompilerCommon.h</a></li>
<li><a href="#trunkSourceJavaScriptCoreftlFTLCapabilitiescpp">trunk/Source/JavaScriptCore/ftl/FTLCapabilities.cpp</a></li>
<li><a href="#trunkSourceJavaScriptCoreftlFTLExitValuecpp">trunk/Source/JavaScriptCore/ftl/FTLExitValue.cpp</a></li>
<li><a href="#trunkSourceJavaScriptCoreftlFTLExitValueh">trunk/Source/JavaScriptCore/ftl/FTLExitValue.h</a></li>
<li><a href="#trunkSourceJavaScriptCoreftlFTLLowerDFGToLLVMcpp">trunk/Source/JavaScriptCore/ftl/FTLLowerDFGToLLVM.cpp</a></li>
<li><a href="#trunkSourceJavaScriptCoreftlFTLOSRExitCompilercpp">trunk/Source/JavaScriptCore/ftl/FTLOSRExitCompiler.cpp</a></li>
</ul>
<h3>Added Paths</h3>
<ul>
<li><a href="#trunkSourceJavaScriptCoretestsstressslightlymoredifficulttofoldreflectiveargumentsaccessjs">trunk/Source/JavaScriptCore/tests/stress/slightly-more-difficult-to-fold-reflective-arguments-access.js</a></li>
<li><a href="#trunkSourceJavaScriptCoretestsstresstriviallyfoldablereflectiveargumentsaccessjs">trunk/Source/JavaScriptCore/tests/stress/trivially-foldable-reflective-arguments-access.js</a></li>
</ul>
</div>
<div id="patch">
<h3>Diff</h3>
<a id="trunkSourceJavaScriptCoreChangeLog"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/ChangeLog (164922 => 164923)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/ChangeLog        2014-03-01 19:42:14 UTC (rev 164922)
+++ trunk/Source/JavaScriptCore/ChangeLog        2014-03-01 19:57:40 UTC (rev 164923)
</span><span class="lines">@@ -1,5 +1,45 @@
</span><span class="cx"> 2014-02-28 Filip Pizlo <fpizlo@apple.com>
</span><span class="cx">
</span><ins>+ FTL should support PhantomArguments
+ https://bugs.webkit.org/show_bug.cgi?id=113986
+
+ Reviewed by Oliver Hunt.
+
+ Adding PhantomArguments to the FTL mostly means wiring the recovery of the Arguments
+ object into the FTL's OSR exit compiler.
+
+ This isn't a speed-up yet, since there is still more to be done to fully support
+ all of the arguments craziness that our varargs benchmarks do.
+
+ * dfg/DFGOSRExitCompiler32_64.cpp:
+ (JSC::DFG::OSRExitCompiler::compileExit): move the recovery code to DFGOSRExitCompilerCommon.cpp
+ * dfg/DFGOSRExitCompiler64.cpp:
+ (JSC::DFG::OSRExitCompiler::compileExit): move the recovery code to DFGOSRExitCompilerCommon.cpp
+ * dfg/DFGOSRExitCompilerCommon.cpp:
+ (JSC::DFG::ArgumentsRecoveryGenerator::ArgumentsRecoveryGenerator):
+ (JSC::DFG::ArgumentsRecoveryGenerator::~ArgumentsRecoveryGenerator):
+ (JSC::DFG::ArgumentsRecoveryGenerator::generateFor): this is the common place for the recovery code
+ * dfg/DFGOSRExitCompilerCommon.h:
+ * ftl/FTLCapabilities.cpp:
+ (JSC::FTL::canCompile):
+ * ftl/FTLExitValue.cpp:
+ (JSC::FTL::ExitValue::dumpInContext):
+ * ftl/FTLExitValue.h:
+ (JSC::FTL::ExitValue::argumentsObjectThatWasNotCreated):
+ (JSC::FTL::ExitValue::isArgumentsObjectThatWasNotCreated):
+ (JSC::FTL::ExitValue::valueFormat):
+ * ftl/FTLLowerDFGToLLVM.cpp:
+ (JSC::FTL::LowerDFGToLLVM::compileNode):
+ (JSC::FTL::LowerDFGToLLVM::compilePhantomArguments):
+ (JSC::FTL::LowerDFGToLLVM::buildExitArguments):
+ (JSC::FTL::LowerDFGToLLVM::tryToSetConstantExitArgument):
+ * ftl/FTLOSRExitCompiler.cpp:
+ (JSC::FTL::compileStub): Call into the ArgumentsRecoveryGenerator
+ * tests/stress/slightly-more-difficult-to-fold-reflective-arguments-access.js: Added.
+ * tests/stress/trivially-foldable-reflective-arguments-access.js: Added.
+
+2014-02-28 Filip Pizlo <fpizlo@apple.com>
+
</ins><span class="cx"> Unreviewed, uncomment some code. It wasn't meant to be commented in the first place.
</span><span class="cx">
</span><span class="cx"> * dfg/DFGCSEPhase.cpp:
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoredfgDFGOSRExitCompiler32_64cpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/dfg/DFGOSRExitCompiler32_64.cpp (164922 => 164923)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/dfg/DFGOSRExitCompiler32_64.cpp        2014-03-01 19:42:14 UTC (rev 164922)
+++ trunk/Source/JavaScriptCore/dfg/DFGOSRExitCompiler32_64.cpp        2014-03-01 19:57:40 UTC (rev 164923)
</span><span class="lines">@@ -1,5 +1,5 @@
</span><span class="cx"> /*
</span><del>- * Copyright (C) 2011, 2013 Apple Inc. All rights reserved.
</del><ins>+ * Copyright (C) 2011, 2013, 2014 Apple Inc. All rights reserved.
</ins><span class="cx"> *
</span><span class="cx"> * Redistribution and use in source and binary forms, with or without
</span><span class="cx"> * modification, are permitted provided that the following conditions
</span><span class="lines">@@ -393,66 +393,14 @@
</span><span class="cx"> // registers.
</span><span class="cx">
</span><span class="cx"> if (haveArguments) {
</span><del>- HashSet<InlineCallFrame*, DefaultHash<InlineCallFrame*>::Hash,
- NullableHashTraits<InlineCallFrame*>> didCreateArgumentsObject;
</del><ins>+ ArgumentsRecoveryGenerator argumentsRecovery;
</ins><span class="cx">
</span><span class="cx"> for (size_t index = 0; index < operands.size(); ++index) {
</span><span class="cx"> const ValueRecovery& recovery = operands[index];
</span><span class="cx"> if (recovery.technique() != ArgumentsThatWereNotCreated)
</span><span class="cx"> continue;
</span><del>- int operand = operands.operandForIndex(index);
- // Find the right inline call frame.
- InlineCallFrame* inlineCallFrame = 0;
- for (InlineCallFrame* current = exit.m_codeOrigin.inlineCallFrame;
- current;
- current = current->caller.inlineCallFrame) {
- if (current->stackOffset >= operand) {
- inlineCallFrame = current;
- break;
- }
- }
-
- if (!m_jit.baselineCodeBlockFor(inlineCallFrame)->usesArguments())
- continue;
- VirtualRegister argumentsRegister = m_jit.baselineArgumentsRegisterFor(inlineCallFrame);
- if (didCreateArgumentsObject.add(inlineCallFrame).isNewEntry) {
- // We know this call frame optimized out an arguments object that
- // the baseline JIT would have created. Do that creation now.
- if (inlineCallFrame) {
- m_jit.setupArgumentsWithExecState(
- AssemblyHelpers::TrustedImmPtr(inlineCallFrame));
- m_jit.move(
- AssemblyHelpers::TrustedImmPtr(
- bitwise_cast<void*>(operationCreateInlinedArguments)),
- GPRInfo::nonArgGPR0);
- } else {
- m_jit.setupArgumentsExecState();
- m_jit.move(
- AssemblyHelpers::TrustedImmPtr(
- bitwise_cast<void*>(operationCreateArguments)),
- GPRInfo::nonArgGPR0);
- }
- m_jit.call(GPRInfo::nonArgGPR0);
- m_jit.store32(
- AssemblyHelpers::TrustedImm32(JSValue::CellTag),
- AssemblyHelpers::tagFor(argumentsRegister));
- m_jit.store32(
- GPRInfo::returnValueGPR,
- AssemblyHelpers::payloadFor(argumentsRegister));
- m_jit.store32(
- AssemblyHelpers::TrustedImm32(JSValue::CellTag),
- AssemblyHelpers::tagFor(unmodifiedArgumentsRegister(argumentsRegister)));
- m_jit.store32(
- GPRInfo::returnValueGPR,
- AssemblyHelpers::payloadFor(unmodifiedArgumentsRegister(argumentsRegister)));
- m_jit.move(GPRInfo::returnValueGPR, GPRInfo::regT0); // no-op move on almost all platforms.
- }
-
- m_jit.load32(AssemblyHelpers::payloadFor(argumentsRegister), GPRInfo::regT0);
- m_jit.store32(
- AssemblyHelpers::TrustedImm32(JSValue::CellTag),
- AssemblyHelpers::tagFor(operand));
- m_jit.store32(GPRInfo::regT0, AssemblyHelpers::payloadFor(operand));
</del><ins>+ argumentsRecovery.generateFor(
+ operands.operandForIndex(index), exit.m_codeOrigin, m_jit);
</ins><span class="cx"> }
</span><span class="cx"> }
</span><span class="cx">
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoredfgDFGOSRExitCompiler64cpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/dfg/DFGOSRExitCompiler64.cpp (164922 => 164923)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/dfg/DFGOSRExitCompiler64.cpp        2014-03-01 19:42:14 UTC (rev 164922)
+++ trunk/Source/JavaScriptCore/dfg/DFGOSRExitCompiler64.cpp        2014-03-01 19:57:40 UTC (rev 164923)
</span><span class="lines">@@ -1,5 +1,5 @@
</span><span class="cx"> /*
</span><del>- * Copyright (C) 2011, 2013 Apple Inc. All rights reserved.
</del><ins>+ * Copyright (C) 2011, 2013, 2014 Apple Inc. All rights reserved.
</ins><span class="cx"> *
</span><span class="cx"> * Redistribution and use in source and binary forms, with or without
</span><span class="cx"> * modification, are permitted provided that the following conditions
</span><span class="lines">@@ -365,50 +365,14 @@
</span><span class="cx"> // registers.
</span><span class="cx">
</span><span class="cx"> if (haveArguments) {
</span><del>- HashSet<InlineCallFrame*, DefaultHash<InlineCallFrame*>::Hash,
- NullableHashTraits<InlineCallFrame*>> didCreateArgumentsObject;
</del><ins>+ ArgumentsRecoveryGenerator argumentsRecovery;
</ins><span class="cx">
</span><span class="cx"> for (size_t index = 0; index < operands.size(); ++index) {
</span><span class="cx"> const ValueRecovery& recovery = operands[index];
</span><span class="cx"> if (recovery.technique() != ArgumentsThatWereNotCreated)
</span><span class="cx"> continue;
</span><del>- int operand = operands.operandForIndex(index);
- // Find the right inline call frame.
- InlineCallFrame* inlineCallFrame = 0;
- for (InlineCallFrame* current = exit.m_codeOrigin.inlineCallFrame;
- current;
- current = current->caller.inlineCallFrame) {
- if (current->stackOffset >= operand) {
- inlineCallFrame = current;
- break;
- }
- }
-
- if (!m_jit.baselineCodeBlockFor(inlineCallFrame)->usesArguments())
- continue;
- VirtualRegister argumentsRegister = m_jit.baselineArgumentsRegisterFor(inlineCallFrame);
- if (didCreateArgumentsObject.add(inlineCallFrame).isNewEntry) {
- // We know this call frame optimized out an arguments object that
- // the baseline JIT would have created. Do that creation now.
- if (inlineCallFrame) {
- m_jit.addPtr(AssemblyHelpers::TrustedImm32(inlineCallFrame->stackOffset * sizeof(EncodedJSValue)), GPRInfo::callFrameRegister, GPRInfo::regT0);
- m_jit.setupArguments(GPRInfo::regT0);
- } else
- m_jit.setupArgumentsExecState();
- m_jit.move(
- AssemblyHelpers::TrustedImmPtr(
- bitwise_cast<void*>(operationCreateArguments)),
- GPRInfo::nonArgGPR0);
- m_jit.call(GPRInfo::nonArgGPR0);
- m_jit.store64(GPRInfo::returnValueGPR, AssemblyHelpers::addressFor(argumentsRegister));
- m_jit.store64(
- GPRInfo::returnValueGPR,
- AssemblyHelpers::addressFor(unmodifiedArgumentsRegister(argumentsRegister)));
- m_jit.move(GPRInfo::returnValueGPR, GPRInfo::regT0); // no-op move on almost all platforms.
- }
-
- m_jit.load64(AssemblyHelpers::addressFor(argumentsRegister), GPRInfo::regT0);
- m_jit.store64(GPRInfo::regT0, AssemblyHelpers::addressFor(operand));
</del><ins>+ argumentsRecovery.generateFor(
+ operands.operandForIndex(index), exit.m_codeOrigin, m_jit);
</ins><span class="cx"> }
</span><span class="cx"> }
</span><span class="cx">
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoredfgDFGOSRExitCompilerCommoncpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/dfg/DFGOSRExitCompilerCommon.cpp (164922 => 164923)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/dfg/DFGOSRExitCompilerCommon.cpp        2014-03-01 19:42:14 UTC (rev 164922)
+++ trunk/Source/JavaScriptCore/dfg/DFGOSRExitCompilerCommon.cpp        2014-03-01 19:57:40 UTC (rev 164923)
</span><span class="lines">@@ -1,5 +1,5 @@
</span><span class="cx"> /*
</span><del>- * Copyright (C) 2013 Apple Inc. All rights reserved.
</del><ins>+ * Copyright (C) 2013, 2014 Apple Inc. All rights reserved.
</ins><span class="cx"> *
</span><span class="cx"> * Redistribution and use in source and binary forms, with or without
</span><span class="cx"> * modification, are permitted provided that the following conditions
</span><span class="lines">@@ -217,6 +217,89 @@
</span><span class="cx"> jit.jump(GPRInfo::regT2);
</span><span class="cx"> }
</span><span class="cx">
</span><ins>+ArgumentsRecoveryGenerator::ArgumentsRecoveryGenerator() { }
+ArgumentsRecoveryGenerator::~ArgumentsRecoveryGenerator() { }
+
+void ArgumentsRecoveryGenerator::generateFor(
+ int operand, CodeOrigin codeOrigin, CCallHelpers& jit)
+{
+ // Find the right inline call frame.
+ InlineCallFrame* inlineCallFrame = 0;
+ for (InlineCallFrame* current = codeOrigin.inlineCallFrame;
+ current;
+ current = current->caller.inlineCallFrame) {
+ if (current->stackOffset >= operand) {
+ inlineCallFrame = current;
+ break;
+ }
+ }
+
+ if (!jit.baselineCodeBlockFor(inlineCallFrame)->usesArguments())
+ return;
+ VirtualRegister argumentsRegister = jit.baselineArgumentsRegisterFor(inlineCallFrame);
+ if (m_didCreateArgumentsObject.add(inlineCallFrame).isNewEntry) {
+ // We know this call frame optimized out an arguments object that
+ // the baseline JIT would have created. Do that creation now.
+#if USE(JSVALUE64)
+ if (inlineCallFrame) {
+ jit.addPtr(AssemblyHelpers::TrustedImm32(inlineCallFrame->stackOffset * sizeof(EncodedJSValue)), GPRInfo::callFrameRegister, GPRInfo::regT0);
+ jit.setupArguments(GPRInfo::regT0);
+ } else
+ jit.setupArgumentsExecState();
+ jit.move(
+ AssemblyHelpers::TrustedImmPtr(
+ bitwise_cast<void*>(operationCreateArguments)),
+ GPRInfo::nonArgGPR0);
+ jit.call(GPRInfo::nonArgGPR0);
+ jit.store64(GPRInfo::returnValueGPR, AssemblyHelpers::addressFor(argumentsRegister));
+ jit.store64(
+ GPRInfo::returnValueGPR,
+ AssemblyHelpers::addressFor(unmodifiedArgumentsRegister(argumentsRegister)));
+ jit.move(GPRInfo::returnValueGPR, GPRInfo::regT0); // no-op move on almost all platforms.
+#else // USE(JSVALUE64) -> so the 32_64 part
+ if (inlineCallFrame) {
+ jit.setupArgumentsWithExecState(
+ AssemblyHelpers::TrustedImmPtr(inlineCallFrame));
+ jit.move(
+ AssemblyHelpers::TrustedImmPtr(
+ bitwise_cast<void*>(operationCreateInlinedArguments)),
+ GPRInfo::nonArgGPR0);
+ } else {
+ jit.setupArgumentsExecState();
+ jit.move(
+ AssemblyHelpers::TrustedImmPtr(
+ bitwise_cast<void*>(operationCreateArguments)),
+ GPRInfo::nonArgGPR0);
+ }
+ jit.call(GPRInfo::nonArgGPR0);
+ jit.store32(
+ AssemblyHelpers::TrustedImm32(JSValue::CellTag),
+ AssemblyHelpers::tagFor(argumentsRegister));
+ jit.store32(
+ GPRInfo::returnValueGPR,
+ AssemblyHelpers::payloadFor(argumentsRegister));
+ jit.store32(
+ AssemblyHelpers::TrustedImm32(JSValue::CellTag),
+ AssemblyHelpers::tagFor(unmodifiedArgumentsRegister(argumentsRegister)));
+ jit.store32(
+ GPRInfo::returnValueGPR,
+ AssemblyHelpers::payloadFor(unmodifiedArgumentsRegister(argumentsRegister)));
+ jit.move(GPRInfo::returnValueGPR, GPRInfo::regT0); // no-op move on almost all platforms.
+#endif // USE(JSVALUE64)
+ }
+
+#if USE(JSVALUE64)
+ jit.load64(AssemblyHelpers::addressFor(argumentsRegister), GPRInfo::regT0);
+ jit.store64(GPRInfo::regT0, AssemblyHelpers::addressFor(operand));
+#else // USE(JSVALUE64) -> so the 32_64 part
+ jit.load32(AssemblyHelpers::payloadFor(argumentsRegister), GPRInfo::regT0);
+ jit.store32(
+ AssemblyHelpers::TrustedImm32(JSValue::CellTag),
+ AssemblyHelpers::tagFor(operand));
+ jit.store32(GPRInfo::regT0, AssemblyHelpers::payloadFor(operand));
+#endif // USE(JSVALUE64)
+}
+
</ins><span class="cx"> } } // namespace JSC::DFG
</span><span class="cx">
</span><span class="cx"> #endif // ENABLE(DFG_JIT)
</span></span></pre></div>
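Review bot: In ArgumentsRecoveryGenerator::generateFor, the value returned by jit.call(GPRInfo::nonArgGPR0) is stored straight into argumentsRegister and unmodifiedArgumentsRegister(argumentsRegister) in both the JSVALUE64 and the 32_64 branch, with nothing between the call and the stores that checks the call produced an object. If operationCreateArguments or operationCreateInlinedArguments can fail or throw at this point, the exit stub would still write the result into the frame as a cell. Please add the check, or a comment stating why it is not needed here. Now that both branches sit in one function, it would also help to document why the JSVALUE64 branch calls operationCreateArguments with callFrameRegister adjusted by inlineCallFrame stackOffset for inlined frames while the 32_64 branch calls operationCreateInlinedArguments. The trailing remarks on the two #else lines would read better as a plain negated condition.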
<a id="trunkSourceJavaScriptCoredfgDFGOSRExitCompilerCommonh"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/dfg/DFGOSRExitCompilerCommon.h (164922 => 164923)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/dfg/DFGOSRExitCompilerCommon.h        2014-03-01 19:42:14 UTC (rev 164922)
+++ trunk/Source/JavaScriptCore/dfg/DFGOSRExitCompilerCommon.h        2014-03-01 19:57:40 UTC (rev 164923)
</span><span class="lines">@@ -37,6 +37,18 @@
</span><span class="cx"> void reifyInlinedCallFrames(CCallHelpers&, const OSRExitBase&);
</span><span class="cx"> void adjustAndJumpToTarget(CCallHelpers&, const OSRExitBase&);
</span><span class="cx">
</span><ins>+class ArgumentsRecoveryGenerator {
+public:
+ ArgumentsRecoveryGenerator();
+ ~ArgumentsRecoveryGenerator();
+
+ void generateFor(int operand, CodeOrigin, CCallHelpers&);
+
+private:
+ HashSet<InlineCallFrame*, DefaultHash<InlineCallFrame*>::Hash,
+ NullableHashTraits<InlineCallFrame*>> m_didCreateArgumentsObject;
+};
+
</ins><span class="cx"> } } // namespace JSC::DFG
</span><span class="cx">
</span><span class="cx"> #endif // ENABLE(DFG_JIT)
</span></span></pre></div>
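Review bot: The ArgumentsRecoveryGenerator declaration has no comment, yet m_didCreateArgumentsObject makes the class stateful: generateFor only emits the creation call when add(inlineCallFrame).isNewEntry is true, so an instance that is reused for a second OSR exit would skip creating the arguments object for any frame it has already seen. Please document that one instance must be scoped to exactly one exit, and that the null key stands for the non-inlined frame. The empty constructor and destructor add nothing and could be left implicit.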
<a id="trunkSourceJavaScriptCoreftlFTLCapabilitiescpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/ftl/FTLCapabilities.cpp (164922 => 164923)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/ftl/FTLCapabilities.cpp        2014-03-01 19:42:14 UTC (rev 164922)
+++ trunk/Source/JavaScriptCore/ftl/FTLCapabilities.cpp        2014-03-01 19:57:40 UTC (rev 164923)
</span><span class="lines">@@ -140,6 +140,7 @@
</span><span class="cx"> case MultiGetByOffset:
</span><span class="cx"> case MultiPutByOffset:
</span><span class="cx"> case ToPrimitive:
</span><ins>+ case PhantomArguments:
</ins><span class="cx"> // These are OK.
</span><span class="cx"> break;
</span><span class="cx"> case PutByIdDirect:
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoreftlFTLExitValuecpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/ftl/FTLExitValue.cpp (164922 => 164923)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/ftl/FTLExitValue.cpp        2014-03-01 19:42:14 UTC (rev 164922)
+++ trunk/Source/JavaScriptCore/ftl/FTLExitValue.cpp        2014-03-01 19:57:40 UTC (rev 164923)
</span><span class="lines">@@ -59,6 +59,9 @@
</span><span class="cx"> case ExitValueInJSStackAsDouble:
</span><span class="cx"> out.print("InJSStackAsDouble:r", virtualRegister());
</span><span class="cx"> return;
</span><ins>+ case ExitValueArgumentsObjectThatWasNotCreated:
+ out.print("ArgumentsObjectThatWasNotCreated");
+ return;
</ins><span class="cx"> case ExitValueRecovery:
</span><span class="cx"> out.print("Recovery(", recoveryOpcode(), ", arg", leftRecoveryArgument(), ", arg", rightRecoveryArgument(), ", ", recoveryFormat(), ")");
</span><span class="cx"> return;
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoreftlFTLExitValueh"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/ftl/FTLExitValue.h (164922 => 164923)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/ftl/FTLExitValue.h        2014-03-01 19:42:14 UTC (rev 164922)
+++ trunk/Source/JavaScriptCore/ftl/FTLExitValue.h        2014-03-01 19:57:40 UTC (rev 164923)
</span><span class="lines">@@ -51,6 +51,7 @@
</span><span class="cx"> ExitValueInJSStackAsInt32,
</span><span class="cx"> ExitValueInJSStackAsInt52,
</span><span class="cx"> ExitValueInJSStackAsDouble,
</span><ins>+ ExitValueArgumentsObjectThatWasNotCreated,
</ins><span class="cx"> ExitValueRecovery
</span><span class="cx"> };
</span><span class="cx">
</span><span class="lines">@@ -118,6 +119,13 @@
</span><span class="cx"> return result;
</span><span class="cx"> }
</span><span class="cx">
</span><ins>+ static ExitValue argumentsObjectThatWasNotCreated()
+ {
+ ExitValue result;
+ result.m_kind = ExitValueArgumentsObjectThatWasNotCreated;
+ return result;
+ }
+
</ins><span class="cx"> static ExitValue recovery(RecoveryOpcode opcode, unsigned leftArgument, unsigned rightArgument, ValueFormat format)
</span><span class="cx"> {
</span><span class="cx"> ExitValue result;
</span><span class="lines">@@ -146,6 +154,7 @@
</span><span class="cx"> }
</span><span class="cx"> bool isConstant() const { return kind() == ExitValueConstant; }
</span><span class="cx"> bool isArgument() const { return kind() == ExitValueArgument; }
</span><ins>+ bool isArgumentsObjectThatWasNotCreated() const { return kind() == ExitValueArgumentsObjectThatWasNotCreated; }
</ins><span class="cx"> bool isRecovery() const { return kind() == ExitValueRecovery; }
</span><span class="cx">
</span><span class="cx"> ExitArgument exitArgument() const
</span><span class="lines">@@ -213,6 +222,7 @@
</span><span class="cx"> case ExitValueDead:
</span><span class="cx"> case ExitValueConstant:
</span><span class="cx"> case ExitValueInJSStack:
</span><ins>+ case ExitValueArgumentsObjectThatWasNotCreated:
</ins><span class="cx"> return ValueFormatJSValue;
</span><span class="cx">
</span><span class="cx"> case ExitValueArgument:
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoreftlFTLLowerDFGToLLVMcpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/ftl/FTLLowerDFGToLLVM.cpp (164922 => 164923)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/ftl/FTLLowerDFGToLLVM.cpp        2014-03-01 19:42:14 UTC (rev 164922)
+++ trunk/Source/JavaScriptCore/ftl/FTLLowerDFGToLLVM.cpp        2014-03-01 19:57:40 UTC (rev 164923)
</span><span class="lines">@@ -282,6 +282,9 @@
</span><span class="cx"> case WeakJSConstant:
</span><span class="cx"> compileWeakJSConstant();
</span><span class="cx"> break;
</span><ins>+ case PhantomArguments:
+ compilePhantomArguments();
+ break;
</ins><span class="cx"> case GetArgument:
</span><span class="cx"> compileGetArgument();
</span><span class="cx"> break;
</span><span class="lines">@@ -781,6 +784,11 @@
</span><span class="cx"> break;
</span><span class="cx"> }
</span><span class="cx"> }
</span><ins>+
+ void compilePhantomArguments()
+ {
+ setJSValue(m_out.constInt64(JSValue::encode(JSValue())));
+ }
</ins><span class="cx">
</span><span class="cx"> void compileWeakJSConstant()
</span><span class="cx"> {
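Review bot: compilePhantomArguments() gives the node the empty JSValue() as its result without any comment. Please document that this is a placeholder which only the OSR exit path (ExitValue::argumentsObjectThatWasNotCreated()) is expected to replace, and state what guarantees that no other lowered node consumes it as a real value.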
</span><span class="lines">@@ -5519,9 +5527,7 @@
</span><span class="cx"> break;
</span><span class="cx">
</span><span class="cx"> case FlushedArguments:
</span><del>- // FIXME: implement PhantomArguments.
- // https://bugs.webkit.org/show_bug.cgi?id=113986
- RELEASE_ASSERT_NOT_REACHED();
</del><ins>+ exit.m_values[i] = ExitValue::argumentsObjectThatWasNotCreated();
</ins><span class="cx"> break;
</span><span class="cx"> }
</span><span class="cx"> }
</span><span class="lines">@@ -5613,9 +5619,7 @@
</span><span class="cx"> exit.m_values[index] = ExitValue::constant(m_graph.valueOfJSConstant(node));
</span><span class="cx"> return true;
</span><span class="cx"> case PhantomArguments:
</span><del>- // FIXME: implement PhantomArguments.
- // https://bugs.webkit.org/show_bug.cgi?id=113986
- RELEASE_ASSERT_NOT_REACHED();
</del><ins>+ exit.m_values[index] = ExitValue::argumentsObjectThatWasNotCreated();
</ins><span class="cx"> return true;
</span><span class="cx"> default:
</span><span class="cx"> return false;
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoreftlFTLOSRExitCompilercpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/ftl/FTLOSRExitCompiler.cpp (164922 => 164923)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/ftl/FTLOSRExitCompiler.cpp        2014-03-01 19:42:14 UTC (rev 164922)
+++ trunk/Source/JavaScriptCore/ftl/FTLOSRExitCompiler.cpp        2014-03-01 19:57:40 UTC (rev 164923)
</span><span class="lines">@@ -146,6 +146,12 @@
</span><span class="cx"> jit.load64(AssemblyHelpers::addressFor(value.virtualRegister()), GPRInfo::regT0);
</span><span class="cx"> break;
</span><span class="cx">
</span><ins>+ case ExitValueArgumentsObjectThatWasNotCreated:
+ // We can't actually recover this yet, but we can make the stack look sane. This is
+ // a prerequisite to running the actual arguments recovery.
+ jit.move(MacroAssembler::TrustedImm64(JSValue::encode(JSValue())), GPRInfo::regT0);
+ break;
+
</ins><span class="cx"> case ExitValueRecovery:
</span><span class="cx"> record->locations[value.rightRecoveryArgument()].restoreInto(
</span><span class="cx"> jit, jitCode->stackmaps, registerScratch, GPRInfo::regT1);
</span><span class="lines">@@ -337,6 +343,15 @@
</span><span class="cx">
</span><span class="cx"> handleExitCounts(jit, exit);
</span><span class="cx"> reifyInlinedCallFrames(jit, exit);
</span><ins>+
+ ArgumentsRecoveryGenerator argumentsRecovery;
+ for (unsigned index = exit.m_values.size(); index--;) {
+ if (!exit.m_values[index].isArgumentsObjectThatWasNotCreated())
+ continue;
+ int operand = exit.m_values.operandForIndex(index);
+ argumentsRecovery.generateFor(operand, exit.m_codeOrigin, jit);
+ }
+
</ins><span class="cx"> adjustAndJumpToTarget(jit, exit);
</span><span class="cx">
</span><span class="cx"> LinkBuffer patchBuffer(*vm, &jit, codeBlock);
</span></span></pre></div>
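Review bot: The recovery loop added to compileStub depends on ordering that is not stated where the loop is: it has to run after the ExitValueArgumentsObjectThatWasNotCreated slots were filled with the empty value and after reifyInlinedCallFrames(jit, exit), and only the comment in the earlier hunk ("a prerequisite to running the actual arguments recovery") hints at this. A comment at the loop naming both prerequisites would keep it from being moved. The loop also walks exit.m_values from the last index down, whereas the DFG exit compilers in this patch walk operands from index 0 up; if the order is irrelevant, say so, otherwise use the same direction.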
<a id="trunkSourceJavaScriptCoretestsstressslightlymoredifficulttofoldreflectiveargumentsaccessjs"></a>
<div class="addfile"><h4>Added: trunk/Source/JavaScriptCore/tests/stress/slightly-more-difficult-to-fold-reflective-arguments-access.js (0 => 164923)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/tests/stress/slightly-more-difficult-to-fold-reflective-arguments-access.js         (rev 0)
+++ trunk/Source/JavaScriptCore/tests/stress/slightly-more-difficult-to-fold-reflective-arguments-access.js        2014-03-01 19:57:40 UTC (rev 164923)
</span><span class="lines">@@ -0,0 +1,16 @@
</span><ins>+function foo() {
+ var a = arguments;
+ return a[0];
+}
+
+function bar(x) {
+ return foo(x);
+}
+
+noInline(bar);
+
+for (var i = 0; i < 100000; ++i) {
+ var result = bar(42);
+ if (result != 42)
+ throw "Error: bad result: " + result;
+}
</ins></span></pre></div>
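Review bot: The loop only ever calls bar(42), so nothing visible in this test forces a speculation failure once the code is optimized, and the arguments recovery this change wires into the OSR exit path may never execute. Consider adding iterations after warm-up that pass a different kind of value and check the result, so that an exit is taken while the aliased arguments object in foo is still live.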
<a id="trunkSourceJavaScriptCoretestsstresstriviallyfoldablereflectiveargumentsaccessjs"></a>
<div class="addfile"><h4>Added: trunk/Source/JavaScriptCore/tests/stress/trivially-foldable-reflective-arguments-access.js (0 => 164923)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/tests/stress/trivially-foldable-reflective-arguments-access.js         (rev 0)
+++ trunk/Source/JavaScriptCore/tests/stress/trivially-foldable-reflective-arguments-access.js        2014-03-01 19:57:40 UTC (rev 164923)
</span><span class="lines">@@ -0,0 +1,15 @@
</span><ins>+function foo() {
+ return arguments[0];
+}
+
+function bar(x) {
+ return foo(x);
+}
+
+noInline(bar);
+
+for (var i = 0; i < 100000; ++i) {
+ var result = bar(42);
+ if (result != 42)
+ throw "Error: bad result: " + result;
+}
</ins></span></pre>
</div>
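Review bot: The check "result != 42" uses loose inequality, so a wrongly recovered value that merely coerces to 42, such as the string "42", would pass. Use the strict form (result !== 42) here and in the companion test so the recovered argument is compared by type as well as by value.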
</div>
</body>
</html>