<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN"
"http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head><meta http-equiv="content-type" content="text/html; charset=utf-8" />
<title>[189075] trunk/Source/JavaScriptCore</title>
</head>
<body>

<style type="text/css"><!--
#msg dl.meta { border: 1px #006 solid; background: #369; padding: 6px; color: #fff; }
#msg dl.meta dt { float: left; width: 6em; font-weight: bold; }
#msg dt:after { content:':';}
#msg dl, #msg dt, #msg ul, #msg li, #header, #footer, #logmsg { font-family: verdana,arial,helvetica,sans-serif; font-size: 10pt;  }
#msg dl a { font-weight: bold}
#msg dl a:link    { color:#fc3; }
#msg dl a:active  { color:#ff0; }
#msg dl a:visited { color:#cc6; }
h3 { font-family: verdana,arial,helvetica,sans-serif; font-size: 10pt; font-weight: bold; }
#msg pre { overflow: auto; background: #ffc; border: 1px #fa0 solid; padding: 6px; }
#logmsg { background: #ffc; border: 1px #fa0 solid; padding: 1em 1em 0 1em; }
#logmsg p, #logmsg pre, #logmsg blockquote { margin: 0 0 1em 0; }
#logmsg p, #logmsg li, #logmsg dt, #logmsg dd { line-height: 14pt; }
#logmsg h1, #logmsg h2, #logmsg h3, #logmsg h4, #logmsg h5, #logmsg h6 { margin: .5em 0; }
#logmsg h1:first-child, #logmsg h2:first-child, #logmsg h3:first-child, #logmsg h4:first-child, #logmsg h5:first-child, #logmsg h6:first-child { margin-top: 0; }
#logmsg ul, #logmsg ol { padding: 0; list-style-position: inside; margin: 0 0 0 1em; }
#logmsg ul { text-indent: -1em; padding-left: 1em; }#logmsg ol { text-indent: -1.5em; padding-left: 1.5em; }
#logmsg > ul, #logmsg > ol { margin: 0 0 1em 0; }
#logmsg pre { background: #eee; padding: 1em; }
#logmsg blockquote { border: 1px solid #fa0; border-left-width: 10px; padding: 1em 1em 0 1em; background: white;}
#logmsg dl { margin: 0; }
#logmsg dt { font-weight: bold; }
#logmsg dd { margin: 0; padding: 0 0 0.5em 0; }
#logmsg dd:before { content:'\00bb';}
#logmsg table { border-spacing: 0px; border-collapse: collapse; border-top: 4px solid #fa0; border-bottom: 1px solid #fa0; background: #fff; }
#logmsg table th { text-align: left; font-weight: normal; padding: 0.2em 0.5em; border-top: 1px dotted #fa0; }
#logmsg table td { text-align: right; border-top: 1px dotted #fa0; padding: 0.2em 0.5em; }
#logmsg table thead th { text-align: center; border-bottom: 1px solid #fa0; }
#logmsg table th.Corner { text-align: left; }
#logmsg hr { border: none 0; border-top: 2px dashed #fa0; height: 1px; }
#header, #footer { color: #fff; background: #636; border: 1px #300 solid; padding: 6px; }
#patch { width: 100%; }
#patch h4 {font-family: verdana,arial,helvetica,sans-serif;font-size:10pt;padding:8px;background:#369;color:#fff;margin:0;}
#patch .propset h4, #patch .binary h4 {margin:0;}
#patch pre {padding:0;line-height:1.2em;margin:0;}
#patch .diff {width:100%;background:#eee;padding: 0 0 10px 0;overflow:auto;}
#patch .propset .diff, #patch .binary .diff  {padding:10px 0;}
#patch span {display:block;padding:0 10px;}
#patch .modfile, #patch .addfile, #patch .delfile, #patch .propset, #patch .binary, #patch .copfile {border:1px solid #ccc;margin:10px 0;}
#patch ins {background:#dfd;text-decoration:none;display:block;padding:0 10px;}
#patch del {background:#fdd;text-decoration:none;display:block;padding:0 10px;}
#patch .lines, .info {color:#888;background:#fff;}
--></style>
<div id="msg">
<dl class="meta">
<dt>Revision</dt> <dd><a href="http://trac.webkit.org/projects/webkit/changeset/189075">189075</a></dd>
<dt>Author</dt> <dd>fpizlo@apple.com</dd>
<dt>Date</dt> <dd>2015-08-27 16:59:57 -0700 (Thu, 27 Aug 2015)</dd>
</dl>

<h3>Log Message</h3>
<pre>DFG::StrCat isn't really effectful
https://bugs.webkit.org/show_bug.cgi?id=148443

Reviewed by Geoffrey Garen.

I previously made the DFG StrCat node effectful because it is implemented by calling a
DFGOperations function that could cause arbitrary effects. But, the node is only generated from the
op_strcat bytecode operation, and that operation is only used when we first ensure that its
operands are primitives. Primitive operands to StrCat cannot cause arbitrary side-effects. The
reason why I didn't immediately mark StrCat as pure was because there was nothing in DFG IR that
guaranteed that StrCat's children were primitives.

This change adds a KnownPrimitiveUse use kind, and applies it to StrCat. This allows us to mark
StrCat as being pure. This should be a speed-up because we can CSE StrCat and because it means that
we can OSR exit after a StrCat (a pure node doesn't clobber exit state), so we can convert more
of a large string concatenation into MakeRope's.

* dfg/DFGAbstractInterpreterInlines.h:
(JSC::DFG::AbstractInterpreter&lt;AbstractStateType&gt;::executeEffects):
* dfg/DFGClobberize.h:
(JSC::DFG::clobberize):
* dfg/DFGFixupPhase.cpp:
(JSC::DFG::FixupPhase::fixupNode):
(JSC::DFG::FixupPhase::attemptToMakeFastStringAdd):
* dfg/DFGOperations.cpp:
* dfg/DFGSafeToExecute.h:
(JSC::DFG::SafeToExecuteEdge::operator()):
* dfg/DFGSpeculativeJIT.cpp:
(JSC::DFG::SpeculativeJIT::speculate):
* dfg/DFGSpeculativeJIT32_64.cpp:
(JSC::DFG::SpeculativeJIT::compile):
* dfg/DFGSpeculativeJIT64.cpp:
(JSC::DFG::SpeculativeJIT::compile):
* dfg/DFGUseKind.cpp:
(WTF::printInternal):
* dfg/DFGUseKind.h:
(JSC::DFG::typeFilterFor):
(JSC::DFG::shouldNotHaveTypeCheck):
* ftl/FTLCapabilities.cpp:
(JSC::FTL::canCompile):
* ftl/FTLLowerDFGToLLVM.cpp:
(JSC::FTL::DFG::LowerDFGToLLVM::compileStrCat):
(JSC::FTL::DFG::LowerDFGToLLVM::speculate):</pre>

<h3>Modified Paths</h3>
<ul>
<li><a href="#trunkSourceJavaScriptCoreChangeLog">trunk/Source/JavaScriptCore/ChangeLog</a></li>
<li><a href="#trunkSourceJavaScriptCoredfgDFGAbstractInterpreterInlinesh">trunk/Source/JavaScriptCore/dfg/DFGAbstractInterpreterInlines.h</a></li>
<li><a href="#trunkSourceJavaScriptCoredfgDFGClobberizeh">trunk/Source/JavaScriptCore/dfg/DFGClobberize.h</a></li>
<li><a href="#trunkSourceJavaScriptCoredfgDFGFixupPhasecpp">trunk/Source/JavaScriptCore/dfg/DFGFixupPhase.cpp</a></li>
<li><a href="#trunkSourceJavaScriptCoredfgDFGOperationscpp">trunk/Source/JavaScriptCore/dfg/DFGOperations.cpp</a></li>
<li><a href="#trunkSourceJavaScriptCoredfgDFGSafeToExecuteh">trunk/Source/JavaScriptCore/dfg/DFGSafeToExecute.h</a></li>
<li><a href="#trunkSourceJavaScriptCoredfgDFGSpeculativeJITcpp">trunk/Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp</a></li>
<li><a href="#trunkSourceJavaScriptCoredfgDFGSpeculativeJIT32_64cpp">trunk/Source/JavaScriptCore/dfg/DFGSpeculativeJIT32_64.cpp</a></li>
<li><a href="#trunkSourceJavaScriptCoredfgDFGSpeculativeJIT64cpp">trunk/Source/JavaScriptCore/dfg/DFGSpeculativeJIT64.cpp</a></li>
<li><a href="#trunkSourceJavaScriptCoredfgDFGUseKindcpp">trunk/Source/JavaScriptCore/dfg/DFGUseKind.cpp</a></li>
<li><a href="#trunkSourceJavaScriptCoredfgDFGUseKindh">trunk/Source/JavaScriptCore/dfg/DFGUseKind.h</a></li>
<li><a href="#trunkSourceJavaScriptCoreftlFTLCapabilitiescpp">trunk/Source/JavaScriptCore/ftl/FTLCapabilities.cpp</a></li>
<li><a href="#trunkSourceJavaScriptCoreftlFTLLowerDFGToLLVMcpp">trunk/Source/JavaScriptCore/ftl/FTLLowerDFGToLLVM.cpp</a></li>
</ul>

</div>
<div id="patch">
<h3>Diff</h3>
<a id="trunkSourceJavaScriptCoreChangeLog"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/ChangeLog (189074 => 189075)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/ChangeLog        2015-08-27 23:53:17 UTC (rev 189074)
+++ trunk/Source/JavaScriptCore/ChangeLog        2015-08-27 23:59:57 UTC (rev 189075)
</span><span class="lines">@@ -1,3 +1,49 @@
</span><ins>+2015-08-27  Filip Pizlo  &lt;fpizlo@apple.com&gt;
+
+        DFG::StrCat isn't really effectful
+        https://bugs.webkit.org/show_bug.cgi?id=148443
+
+        Reviewed by Geoffrey Garen.
+
+        I previously made the DFG StrCat node effectful because it is implemented by calling a
+        DFGOperations function that could cause arbitrary effects. But, the node is only generated from the
+        op_strcat bytecode operation, and that operation is only used when we first ensure that its
+        operands are primitives. Primitive operands to StrCat cannot cause arbitrary side-effects. The
+        reason why I didn't immediately mark StrCat as pure was because there was nothing in DFG IR that
+        guaranteed that StrCat's children were primitives.
+
+        This change adds a KnownPrimitiveUse use kind, and applies it to StrCat. This allows us to mark
+        StrCat as being pure. This should be a speed-up because we can CSE StrCat and because it means that
+        we can OSR exit after a StrCat (a pure node doesn't clobber exit state), so we can convert more
+        of a large string concatenation into MakeRope's.
+
+        * dfg/DFGAbstractInterpreterInlines.h:
+        (JSC::DFG::AbstractInterpreter&lt;AbstractStateType&gt;::executeEffects):
+        * dfg/DFGClobberize.h:
+        (JSC::DFG::clobberize):
+        * dfg/DFGFixupPhase.cpp:
+        (JSC::DFG::FixupPhase::fixupNode):
+        (JSC::DFG::FixupPhase::attemptToMakeFastStringAdd):
+        * dfg/DFGOperations.cpp:
+        * dfg/DFGSafeToExecute.h:
+        (JSC::DFG::SafeToExecuteEdge::operator()):
+        * dfg/DFGSpeculativeJIT.cpp:
+        (JSC::DFG::SpeculativeJIT::speculate):
+        * dfg/DFGSpeculativeJIT32_64.cpp:
+        (JSC::DFG::SpeculativeJIT::compile):
+        * dfg/DFGSpeculativeJIT64.cpp:
+        (JSC::DFG::SpeculativeJIT::compile):
+        * dfg/DFGUseKind.cpp:
+        (WTF::printInternal):
+        * dfg/DFGUseKind.h:
+        (JSC::DFG::typeFilterFor):
+        (JSC::DFG::shouldNotHaveTypeCheck):
+        * ftl/FTLCapabilities.cpp:
+        (JSC::FTL::canCompile):
+        * ftl/FTLLowerDFGToLLVM.cpp:
+        (JSC::FTL::DFG::LowerDFGToLLVM::compileStrCat):
+        (JSC::FTL::DFG::LowerDFGToLLVM::speculate):
+
</ins><span class="cx"> 2015-08-27  Brent Fulgham  &lt;bfulgham@apple.com&gt;
</span><span class="cx"> 
</span><span class="cx">         [Win] Unreviewed build fix after r189064.
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoredfgDFGAbstractInterpreterInlinesh"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/dfg/DFGAbstractInterpreterInlines.h (189074 => 189075)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/dfg/DFGAbstractInterpreterInlines.h        2015-08-27 23:53:17 UTC (rev 189074)
+++ trunk/Source/JavaScriptCore/dfg/DFGAbstractInterpreterInlines.h        2015-08-27 23:59:57 UTC (rev 189075)
</span><span class="lines">@@ -420,7 +420,6 @@
</span><span class="cx">     }
</span><span class="cx"> 
</span><span class="cx">     case StrCat: {
</span><del>-        clobberWorld(node-&gt;origin.semantic, clobberLimit);
</del><span class="cx">         forNode(node).setType(m_graph, SpecString);
</span><span class="cx">         break;
</span><span class="cx">     }
</span><span class="lines">@@ -1575,7 +1574,7 @@
</span><span class="cx">         
</span><span class="cx">         clobberWorld(node-&gt;origin.semantic, clobberLimit);
</span><span class="cx">         
</span><del>-        forNode(node).setType(m_graph, (SpecHeapTop &amp; ~SpecCell) | SpecString | SpecSymbol);
</del><ins>+        forNode(node).setType(m_graph, SpecHeapTop &amp; ~SpecObject);
</ins><span class="cx">         break;
</span><span class="cx">     }
</span><span class="cx">         
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoredfgDFGClobberizeh"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/dfg/DFGClobberize.h (189074 => 189075)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/dfg/DFGClobberize.h        2015-08-27 23:53:17 UTC (rev 189074)
+++ trunk/Source/JavaScriptCore/dfg/DFGClobberize.h        2015-08-27 23:59:57 UTC (rev 189075)
</span><span class="lines">@@ -157,6 +157,7 @@
</span><span class="cx">     case BooleanToNumber:
</span><span class="cx">     case FiatInt52:
</span><span class="cx">     case MakeRope:
</span><ins>+    case StrCat:
</ins><span class="cx">     case ValueToInt32:
</span><span class="cx">     case GetExecutable:
</span><span class="cx">     case BottomValue:
</span><span class="lines">@@ -393,15 +394,6 @@
</span><span class="cx">         write(Heap);
</span><span class="cx">         return;
</span><span class="cx">         
</span><del>-    case StrCat:
-        // This is pretty weird. In fact, StrCat has very limited effectfulness because we only
-        // pass it primitive values. But, right now, the compiler isn't smart enough to know this
-        // and that's probably OK.
-        // FIXME: https://bugs.webkit.org/show_bug.cgi?id=148443
-        read(World);
-        write(Heap);
-        return;
-
</del><span class="cx">     case GetGetter:
</span><span class="cx">         read(GetterSetter_getter);
</span><span class="cx">         def(HeapLocation(GetterLoc, GetterSetter_getter, node-&gt;child1()), LazyNode(node));
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoredfgDFGFixupPhasecpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/dfg/DFGFixupPhase.cpp (189074 => 189075)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/dfg/DFGFixupPhase.cpp        2015-08-27 23:53:17 UTC (rev 189074)
+++ trunk/Source/JavaScriptCore/dfg/DFGFixupPhase.cpp        2015-08-27 23:59:57 UTC (rev 189075)
</span><span class="lines">@@ -160,7 +160,18 @@
</span><span class="cx">         }
</span><span class="cx"> 
</span><span class="cx">         case StrCat: {
</span><del>-            attemptToMakeFastStringAdd(node);
</del><ins>+            if (attemptToMakeFastStringAdd(node))
+                break;
+
+            // FIXME: Remove empty string arguments and possibly turn this into a ToString operation. That
+            // would require a form of ToString that takes a KnownPrimitiveUse. This is necessary because
+            // the implementation of StrCat doesn't dynamically optimize for empty strings.
+            // https://bugs.webkit.org/show_bug.cgi?id=148540
+            m_graph.doToChildren(
+                node,
+                [&amp;] (Edge&amp; edge) {
+                    fixEdge&lt;KnownPrimitiveUse&gt;(edge);
+                });
</ins><span class="cx">             break;
</span><span class="cx">         }
</span><span class="cx">             
</span><span class="lines">@@ -1510,14 +1521,6 @@
</span><span class="cx"> 
</span><span class="cx">     bool attemptToMakeFastStringAdd(Node* node)
</span><span class="cx">     {
</span><del>-        if (!node-&gt;origin.exitOK) {
-            // If this code cannot exit, then we should not convert it to a MakeRope, since MakeRope
-            // can exit. This arises because we think that StrCat clobbers exit state, even though it
-            // doesn't really do that.
-            // FIXME: https://bugs.webkit.org/show_bug.cgi?id=148443
-            return false;
-        }
-        
</del><span class="cx">         bool goodToGo = true;
</span><span class="cx">         m_graph.doToChildren(
</span><span class="cx">             node,
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoredfgDFGOperationscpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/dfg/DFGOperations.cpp (189074 => 189075)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/dfg/DFGOperations.cpp        2015-08-27 23:53:17 UTC (rev 189074)
+++ trunk/Source/JavaScriptCore/dfg/DFGOperations.cpp        2015-08-27 23:59:57 UTC (rev 189075)
</span><span class="lines">@@ -1114,11 +1114,9 @@
</span><span class="cx">     NativeCallFrameTracer tracer(&amp;vm, exec);
</span><span class="cx"> 
</span><span class="cx">     JSString* str1 = JSValue::decode(a).toString(exec);
</span><del>-    if (exec-&gt;hadException())
-        return nullptr;
</del><ins>+    ASSERT(!exec-&gt;hadException()); // Impossible, since we must have been given primitives.
</ins><span class="cx">     JSString* str2 = JSValue::decode(b).toString(exec);
</span><del>-    if (exec-&gt;hadException())
-        return nullptr;
</del><ins>+    ASSERT(!exec-&gt;hadException());
</ins><span class="cx"> 
</span><span class="cx">     if (sumOverflows&lt;int32_t&gt;(str1-&gt;length(), str2-&gt;length())) {
</span><span class="cx">         throwOutOfMemoryError(exec);
</span><span class="lines">@@ -1134,14 +1132,11 @@
</span><span class="cx">     NativeCallFrameTracer tracer(&amp;vm, exec);
</span><span class="cx"> 
</span><span class="cx">     JSString* str1 = JSValue::decode(a).toString(exec);
</span><del>-    if (exec-&gt;hadException())
-        return nullptr;
</del><ins>+    ASSERT(!exec-&gt;hadException()); // Impossible, since we must have been given primitives.
</ins><span class="cx">     JSString* str2 = JSValue::decode(b).toString(exec);
</span><del>-    if (exec-&gt;hadException())
-        return nullptr;
</del><ins>+    ASSERT(!exec-&gt;hadException());
</ins><span class="cx">     JSString* str3 = JSValue::decode(c).toString(exec);
</span><del>-    if (exec-&gt;hadException())
-        return nullptr;
</del><ins>+    ASSERT(!exec-&gt;hadException());
</ins><span class="cx"> 
</span><span class="cx">     if (sumOverflows&lt;int32_t&gt;(str1-&gt;length(), str2-&gt;length(), str3-&gt;length())) {
</span><span class="cx">         throwOutOfMemoryError(exec);
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoredfgDFGSafeToExecuteh"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/dfg/DFGSafeToExecute.h (189074 => 189075)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/dfg/DFGSafeToExecute.h        2015-08-27 23:53:17 UTC (rev 189074)
+++ trunk/Source/JavaScriptCore/dfg/DFGSafeToExecute.h        2015-08-27 23:59:57 UTC (rev 189075)
</span><span class="lines">@@ -89,6 +89,11 @@
</span><span class="cx">             if (m_state.forNode(edge).m_type &amp; ~SpecString)
</span><span class="cx">                 m_result = false;
</span><span class="cx">             return;
</span><ins>+
+        case KnownPrimitiveUse:
+            if (m_state.forNode(edge).m_type &amp; ~(SpecHeapTop &amp; ~SpecObject))
+                m_result = false;
+            return;
</ins><span class="cx">             
</span><span class="cx">         case LastUseKind:
</span><span class="cx">             RELEASE_ASSERT_NOT_REACHED();
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoredfgDFGSpeculativeJITcpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp (189074 => 189075)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp        2015-08-27 23:53:17 UTC (rev 189074)
+++ trunk/Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp        2015-08-27 23:59:57 UTC (rev 189075)
</span><span class="lines">@@ -5881,6 +5881,9 @@
</span><span class="cx">     case KnownStringUse:
</span><span class="cx">         ASSERT(!needsTypeCheck(edge, SpecString));
</span><span class="cx">         break;
</span><ins>+    case KnownPrimitiveUse:
+        ASSERT(!needsTypeCheck(edge, SpecHeapTop &amp; ~SpecObject));
+        break;
</ins><span class="cx">     case Int32Use:
</span><span class="cx">         speculateInt32(edge);
</span><span class="cx">         break;
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoredfgDFGSpeculativeJIT32_64cpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/dfg/DFGSpeculativeJIT32_64.cpp (189074 => 189075)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/dfg/DFGSpeculativeJIT32_64.cpp        2015-08-27 23:53:17 UTC (rev 189074)
+++ trunk/Source/JavaScriptCore/dfg/DFGSpeculativeJIT32_64.cpp        2015-08-27 23:59:57 UTC (rev 189075)
</span><span class="lines">@@ -2063,9 +2063,9 @@
</span><span class="cx">     }
</span><span class="cx"> 
</span><span class="cx">     case StrCat: {
</span><del>-        JSValueOperand op1(this, node-&gt;child1());
-        JSValueOperand op2(this, node-&gt;child2());
-        JSValueOperand op3(this, node-&gt;child3());
</del><ins>+        JSValueOperand op1(this, node-&gt;child1(), ManualOperandSpeculation);
+        JSValueOperand op2(this, node-&gt;child2(), ManualOperandSpeculation);
+        JSValueOperand op3(this, node-&gt;child3(), ManualOperandSpeculation);
</ins><span class="cx">         
</span><span class="cx">         GPRReg op1TagGPR = op1.tagGPR();
</span><span class="cx">         GPRReg op1PayloadGPR = op1.payloadGPR();
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoredfgDFGSpeculativeJIT64cpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/dfg/DFGSpeculativeJIT64.cpp (189074 => 189075)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/dfg/DFGSpeculativeJIT64.cpp        2015-08-27 23:53:17 UTC (rev 189074)
+++ trunk/Source/JavaScriptCore/dfg/DFGSpeculativeJIT64.cpp        2015-08-27 23:59:57 UTC (rev 189075)
</span><span class="lines">@@ -2195,9 +2195,9 @@
</span><span class="cx">     }
</span><span class="cx">         
</span><span class="cx">     case StrCat: {
</span><del>-        JSValueOperand op1(this, node-&gt;child1());
-        JSValueOperand op2(this, node-&gt;child2());
-        JSValueOperand op3(this, node-&gt;child3());
</del><ins>+        JSValueOperand op1(this, node-&gt;child1(), ManualOperandSpeculation);
+        JSValueOperand op2(this, node-&gt;child2(), ManualOperandSpeculation);
+        JSValueOperand op3(this, node-&gt;child3(), ManualOperandSpeculation);
</ins><span class="cx">         
</span><span class="cx">         GPRReg op1GPR = op1.gpr();
</span><span class="cx">         GPRReg op2GPR = op2.gpr();
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoredfgDFGUseKindcpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/dfg/DFGUseKind.cpp (189074 => 189075)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/dfg/DFGUseKind.cpp        2015-08-27 23:53:17 UTC (rev 189074)
+++ trunk/Source/JavaScriptCore/dfg/DFGUseKind.cpp        2015-08-27 23:59:57 UTC (rev 189075)
</span><span class="lines">@@ -100,6 +100,9 @@
</span><span class="cx">     case KnownStringUse:
</span><span class="cx">         out.print(&quot;KnownString&quot;);
</span><span class="cx">         return;
</span><ins>+    case KnownPrimitiveUse:
+        out.print(&quot;KnownPrimitive&quot;);
+        return;
</ins><span class="cx">     case SymbolUse:
</span><span class="cx">         out.print(&quot;Symbol&quot;);
</span><span class="cx">         return;
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoredfgDFGUseKindh"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/dfg/DFGUseKind.h (189074 => 189075)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/dfg/DFGUseKind.h        2015-08-27 23:53:17 UTC (rev 189074)
+++ trunk/Source/JavaScriptCore/dfg/DFGUseKind.h        2015-08-27 23:59:57 UTC (rev 189075)
</span><span class="lines">@@ -58,6 +58,7 @@
</span><span class="cx">     StringIdentUse,
</span><span class="cx">     StringUse,
</span><span class="cx">     KnownStringUse,
</span><ins>+    KnownPrimitiveUse, // This bizarre type arises for op_strcat, which has a bytecode guarantee that it will only see primitives (i.e. not objects).
</ins><span class="cx">     SymbolUse,
</span><span class="cx">     StringObjectUse,
</span><span class="cx">     StringOrStringObjectUse,
</span><span class="lines">@@ -120,6 +121,8 @@
</span><span class="cx">     case StringUse:
</span><span class="cx">     case KnownStringUse:
</span><span class="cx">         return SpecString;
</span><ins>+    case KnownPrimitiveUse:
+        return SpecHeapTop &amp; ~SpecObject;
</ins><span class="cx">     case SymbolUse:
</span><span class="cx">         return SpecSymbol;
</span><span class="cx">     case StringObjectUse:
</span><span class="lines">@@ -147,6 +150,7 @@
</span><span class="cx">     case KnownInt32Use:
</span><span class="cx">     case KnownCellUse:
</span><span class="cx">     case KnownStringUse:
</span><ins>+    case KnownPrimitiveUse:
</ins><span class="cx">     case KnownBooleanUse:
</span><span class="cx">     case Int52RepUse:
</span><span class="cx">     case DoubleRepUse:
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoreftlFTLCapabilitiescpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/ftl/FTLCapabilities.cpp (189074 => 189075)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/ftl/FTLCapabilities.cpp        2015-08-27 23:53:17 UTC (rev 189074)
+++ trunk/Source/JavaScriptCore/ftl/FTLCapabilities.cpp        2015-08-27 23:59:57 UTC (rev 189075)
</span><span class="lines">@@ -422,6 +422,7 @@
</span><span class="cx">                 case ObjectOrOtherUse:
</span><span class="cx">                 case StringUse:
</span><span class="cx">                 case KnownStringUse:
</span><ins>+                case KnownPrimitiveUse:
</ins><span class="cx">                 case StringObjectUse:
</span><span class="cx">                 case StringOrStringObjectUse:
</span><span class="cx">                 case SymbolUse:
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoreftlFTLLowerDFGToLLVMcpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/ftl/FTLLowerDFGToLLVM.cpp (189074 => 189075)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/ftl/FTLLowerDFGToLLVM.cpp        2015-08-27 23:53:17 UTC (rev 189074)
+++ trunk/Source/JavaScriptCore/ftl/FTLLowerDFGToLLVM.cpp        2015-08-27 23:59:57 UTC (rev 189075)
</span><span class="lines">@@ -1326,12 +1326,14 @@
</span><span class="cx">         if (m_node-&gt;child3()) {
</span><span class="cx">             result = vmCall(
</span><span class="cx">                 m_out.operation(operationStrCat3), m_callFrame,
</span><del>-                lowJSValue(m_node-&gt;child1()), lowJSValue(m_node-&gt;child2()),
-                lowJSValue(m_node-&gt;child3()));
</del><ins>+                lowJSValue(m_node-&gt;child1(), ManualOperandSpeculation),
+                lowJSValue(m_node-&gt;child2(), ManualOperandSpeculation),
+                lowJSValue(m_node-&gt;child3(), ManualOperandSpeculation));
</ins><span class="cx">         } else {
</span><span class="cx">             result = vmCall(
</span><span class="cx">                 m_out.operation(operationStrCat2), m_callFrame,
</span><del>-                lowJSValue(m_node-&gt;child1()), lowJSValue(m_node-&gt;child2()));
</del><ins>+                lowJSValue(m_node-&gt;child1(), ManualOperandSpeculation),
+                lowJSValue(m_node-&gt;child2(), ManualOperandSpeculation));
</ins><span class="cx">         }
</span><span class="cx">         setJSValue(result);
</span><span class="cx">     }
</span><span class="lines">@@ -7495,6 +7497,7 @@
</span><span class="cx">             break;
</span><span class="cx">         case KnownInt32Use:
</span><span class="cx">         case KnownStringUse:
</span><ins>+        case KnownPrimitiveUse:
</ins><span class="cx">         case DoubleRepUse:
</span><span class="cx">         case Int52RepUse:
</span><span class="cx">             ASSERT(!m_interpreter.needsTypeCheck(edge));
</span></span></pre>
</div>
</div>

</body>
</html>