<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN"
"http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head><meta http-equiv="content-type" content="text/html; charset=utf-8" />
<title>[203361] trunk</title>
</head>
<body>

<style type="text/css"><!--
#msg dl.meta { border: 1px #006 solid; background: #369; padding: 6px; color: #fff; }
#msg dl.meta dt { float: left; width: 6em; font-weight: bold; }
#msg dt:after { content:':';}
#msg dl, #msg dt, #msg ul, #msg li, #header, #footer, #logmsg { font-family: verdana,arial,helvetica,sans-serif; font-size: 10pt;  }
#msg dl a { font-weight: bold}
#msg dl a:link    { color:#fc3; }
#msg dl a:active  { color:#ff0; }
#msg dl a:visited { color:#cc6; }
h3 { font-family: verdana,arial,helvetica,sans-serif; font-size: 10pt; font-weight: bold; }
#msg pre { overflow: auto; background: #ffc; border: 1px #fa0 solid; padding: 6px; }
#logmsg { background: #ffc; border: 1px #fa0 solid; padding: 1em 1em 0 1em; }
#logmsg p, #logmsg pre, #logmsg blockquote { margin: 0 0 1em 0; }
#logmsg p, #logmsg li, #logmsg dt, #logmsg dd { line-height: 14pt; }
#logmsg h1, #logmsg h2, #logmsg h3, #logmsg h4, #logmsg h5, #logmsg h6 { margin: .5em 0; }
#logmsg h1:first-child, #logmsg h2:first-child, #logmsg h3:first-child, #logmsg h4:first-child, #logmsg h5:first-child, #logmsg h6:first-child { margin-top: 0; }
#logmsg ul, #logmsg ol { padding: 0; list-style-position: inside; margin: 0 0 0 1em; }
#logmsg ul { text-indent: -1em; padding-left: 1em; }#logmsg ol { text-indent: -1.5em; padding-left: 1.5em; }
#logmsg > ul, #logmsg > ol { margin: 0 0 1em 0; }
#logmsg pre { background: #eee; padding: 1em; }
#logmsg blockquote { border: 1px solid #fa0; border-left-width: 10px; padding: 1em 1em 0 1em; background: white;}
#logmsg dl { margin: 0; }
#logmsg dt { font-weight: bold; }
#logmsg dd { margin: 0; padding: 0 0 0.5em 0; }
#logmsg dd:before { content:'\00bb';}
#logmsg table { border-spacing: 0px; border-collapse: collapse; border-top: 4px solid #fa0; border-bottom: 1px solid #fa0; background: #fff; }
#logmsg table th { text-align: left; font-weight: normal; padding: 0.2em 0.5em; border-top: 1px dotted #fa0; }
#logmsg table td { text-align: right; border-top: 1px dotted #fa0; padding: 0.2em 0.5em; }
#logmsg table thead th { text-align: center; border-bottom: 1px solid #fa0; }
#logmsg table th.Corner { text-align: left; }
#logmsg hr { border: none 0; border-top: 2px dashed #fa0; height: 1px; }
#header, #footer { color: #fff; background: #636; border: 1px #300 solid; padding: 6px; }
#patch { width: 100%; }
#patch h4 {font-family: verdana,arial,helvetica,sans-serif;font-size:10pt;padding:8px;background:#369;color:#fff;margin:0;}
#patch .propset h4, #patch .binary h4 {margin:0;}
#patch pre {padding:0;line-height:1.2em;margin:0;}
#patch .diff {width:100%;background:#eee;padding: 0 0 10px 0;overflow:auto;}
#patch .propset .diff, #patch .binary .diff  {padding:10px 0;}
#patch span {display:block;padding:0 10px;}
#patch .modfile, #patch .addfile, #patch .delfile, #patch .propset, #patch .binary, #patch .copfile {border:1px solid #ccc;margin:10px 0;}
#patch ins {background:#dfd;text-decoration:none;display:block;padding:0 10px;}
#patch del {background:#fdd;text-decoration:none;display:block;padding:0 10px;}
#patch .lines, .info {color:#888;background:#fff;}
--></style>
<div id="msg">
<dl class="meta">
<dt>Revision</dt> <dd><a href="http://trac.webkit.org/projects/webkit/changeset/203361">203361</a></dd>
<dt>Author</dt> <dd>fpizlo@apple.com</dd>
<dt>Date</dt> <dd>2016-07-18 12:12:57 -0700 (Mon, 18 Jul 2016)</dd>
</dl>

<h3>Log Message</h3>
<pre>DFG should really support jneq_ptr
https://bugs.webkit.org/show_bug.cgi?id=159700

Reviewed by Keith Miller.
        
Source/JavaScriptCore:

Prior to this change, DFG statically speculated that jneq_ptr would always fall through. This
meant that programs that called o.apply() or o.call() where apply or call weren't the
expected ones (i.e. the function.prototype.apply/call) would rage-recompile forever.
        
This adds profiling to jneq_ptr. We now know if it always falls through or sometimes doesn't.
If it sometimes doesn't, we now emit an actual control flow diamond. I decided to add a new
NodeType for &quot;equal pointer&quot;, since none of the existing ones really captured that. For
example, there was no way to express &quot;equal pointer&quot; for strings or symbols. We don't use it
for that right now, but we might, and if we did, then it would be hugely surprising that the
DFG interpreted this as value equality. So, the DFG now has CompareEqPtr, which means exactly
what jneq_ptr means by &quot;equal pointer&quot;.
        
This is an enormous speed-up on microbenchmarks. I would assume that it's a speed-up on some
real things, too, but I don't know that for a fact.

* bytecode/BytecodeList.json:
* bytecode/CodeBlock.cpp:
(JSC::CodeBlock::dumpBytecode):
* bytecompiler/BytecodeGenerator.cpp:
(JSC::BytecodeGenerator::emitJumpIfNotFunctionCall):
(JSC::BytecodeGenerator::emitJumpIfNotFunctionApply):
(JSC::BytecodeGenerator::emitExpectedFunctionSnippet):
* dfg/DFGAbstractInterpreterInlines.h:
(JSC::DFG::AbstractInterpreter&lt;AbstractStateType&gt;::executeEffects):
* dfg/DFGByteCodeParser.cpp:
(JSC::DFG::ByteCodeParser::parseBlock):
* dfg/DFGClobberize.h:
(JSC::DFG::clobberize):
* dfg/DFGDoesGC.cpp:
(JSC::DFG::doesGC):
* dfg/DFGFixupPhase.cpp:
(JSC::DFG::FixupPhase::fixupNode):
* dfg/DFGNode.h:
(JSC::DFG::Node::hasCellOperand):
* dfg/DFGNodeType.h:
* dfg/DFGSafeToExecute.h:
(JSC::DFG::safeToExecute):
* dfg/DFGSpeculativeJIT.cpp:
(JSC::DFG::SpeculativeJIT::compileRecordRegExpCachedResult):
(JSC::DFG::SpeculativeJIT::compileCompareEqPtr):
* dfg/DFGSpeculativeJIT.h:
* dfg/DFGSpeculativeJIT32_64.cpp:
(JSC::DFG::SpeculativeJIT::compile):
* dfg/DFGSpeculativeJIT64.cpp:
(JSC::DFG::SpeculativeJIT::compile):
* dfg/DFGValidate.cpp:
* ftl/FTLCapabilities.cpp:
(JSC::FTL::canCompile):
* ftl/FTLLowerDFGToB3.cpp:
(JSC::FTL::DFG::LowerDFGToB3::compileNode):
(JSC::FTL::DFG::LowerDFGToB3::compileCompareStrictEq):
(JSC::FTL::DFG::LowerDFGToB3::compileCompareEqPtr):
(JSC::FTL::DFG::LowerDFGToB3::compileCompareLess):
(JSC::FTL::DFG::LowerDFGToB3::compileCompareStrictEqConstant): Deleted.
* jit/JITOpcodes.cpp:
(JSC::JIT::emit_op_jneq_ptr):
(JSC::JIT::emit_op_eq):
* jit/JITOpcodes32_64.cpp:
(JSC::JIT::emit_op_jneq_ptr):
(JSC::JIT::emit_op_eq):
* llint/LowLevelInterpreter32_64.asm:
* llint/LowLevelInterpreter64.asm:

LayoutTests:

These tests now run super fast.

* js/regress/apply-not-apply-expected.txt: Added.
* js/regress/apply-not-apply.html: Added.
* js/regress/call-or-not-call-expected.txt: Added.
* js/regress/call-or-not-call.html: Added.
* js/regress/script-tests/apply-not-apply.js: Added.
(let.o.apply):
(foo):
* js/regress/script-tests/call-or-not-call.js: Added.
(let.o.call):
(foo):</pre>

<h3>Modified Paths</h3>
<ul>
<li><a href="#trunkLayoutTestsChangeLog">trunk/LayoutTests/ChangeLog</a></li>
<li><a href="#trunkSourceJavaScriptCoreChangeLog">trunk/Source/JavaScriptCore/ChangeLog</a></li>
<li><a href="#trunkSourceJavaScriptCorebytecodeBytecodeListjson">trunk/Source/JavaScriptCore/bytecode/BytecodeList.json</a></li>
<li><a href="#trunkSourceJavaScriptCorebytecodeCodeBlockcpp">trunk/Source/JavaScriptCore/bytecode/CodeBlock.cpp</a></li>
<li><a href="#trunkSourceJavaScriptCorebytecompilerBytecodeGeneratorcpp">trunk/Source/JavaScriptCore/bytecompiler/BytecodeGenerator.cpp</a></li>
<li><a href="#trunkSourceJavaScriptCoredfgDFGAbstractInterpreterInlinesh">trunk/Source/JavaScriptCore/dfg/DFGAbstractInterpreterInlines.h</a></li>
<li><a href="#trunkSourceJavaScriptCoredfgDFGByteCodeParsercpp">trunk/Source/JavaScriptCore/dfg/DFGByteCodeParser.cpp</a></li>
<li><a href="#trunkSourceJavaScriptCoredfgDFGClobberizeh">trunk/Source/JavaScriptCore/dfg/DFGClobberize.h</a></li>
<li><a href="#trunkSourceJavaScriptCoredfgDFGDoesGCcpp">trunk/Source/JavaScriptCore/dfg/DFGDoesGC.cpp</a></li>
<li><a href="#trunkSourceJavaScriptCoredfgDFGFixupPhasecpp">trunk/Source/JavaScriptCore/dfg/DFGFixupPhase.cpp</a></li>
<li><a href="#trunkSourceJavaScriptCoredfgDFGNodeh">trunk/Source/JavaScriptCore/dfg/DFGNode.h</a></li>
<li><a href="#trunkSourceJavaScriptCoredfgDFGNodeTypeh">trunk/Source/JavaScriptCore/dfg/DFGNodeType.h</a></li>
<li><a href="#trunkSourceJavaScriptCoredfgDFGPredictionPropagationPhasecpp">trunk/Source/JavaScriptCore/dfg/DFGPredictionPropagationPhase.cpp</a></li>
<li><a href="#trunkSourceJavaScriptCoredfgDFGSafeToExecuteh">trunk/Source/JavaScriptCore/dfg/DFGSafeToExecute.h</a></li>
<li><a href="#trunkSourceJavaScriptCoredfgDFGSpeculativeJITcpp">trunk/Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp</a></li>
<li><a href="#trunkSourceJavaScriptCoredfgDFGSpeculativeJITh">trunk/Source/JavaScriptCore/dfg/DFGSpeculativeJIT.h</a></li>
<li><a href="#trunkSourceJavaScriptCoredfgDFGSpeculativeJIT32_64cpp">trunk/Source/JavaScriptCore/dfg/DFGSpeculativeJIT32_64.cpp</a></li>
<li><a href="#trunkSourceJavaScriptCoredfgDFGSpeculativeJIT64cpp">trunk/Source/JavaScriptCore/dfg/DFGSpeculativeJIT64.cpp</a></li>
<li><a href="#trunkSourceJavaScriptCoredfgDFGValidatecpp">trunk/Source/JavaScriptCore/dfg/DFGValidate.cpp</a></li>
<li><a href="#trunkSourceJavaScriptCoreftlFTLCapabilitiescpp">trunk/Source/JavaScriptCore/ftl/FTLCapabilities.cpp</a></li>
<li><a href="#trunkSourceJavaScriptCoreftlFTLLowerDFGToB3cpp">trunk/Source/JavaScriptCore/ftl/FTLLowerDFGToB3.cpp</a></li>
<li><a href="#trunkSourceJavaScriptCorejitJITOpcodescpp">trunk/Source/JavaScriptCore/jit/JITOpcodes.cpp</a></li>
<li><a href="#trunkSourceJavaScriptCorejitJITOpcodes32_64cpp">trunk/Source/JavaScriptCore/jit/JITOpcodes32_64.cpp</a></li>
<li><a href="#trunkSourceJavaScriptCorellintLowLevelInterpreter32_64asm">trunk/Source/JavaScriptCore/llint/LowLevelInterpreter32_64.asm</a></li>
<li><a href="#trunkSourceJavaScriptCorellintLowLevelInterpreter64asm">trunk/Source/JavaScriptCore/llint/LowLevelInterpreter64.asm</a></li>
</ul>

<h3>Added Paths</h3>
<ul>
<li><a href="#trunkLayoutTestsjsregressapplynotapplyexpectedtxt">trunk/LayoutTests/js/regress/apply-not-apply-expected.txt</a></li>
<li><a href="#trunkLayoutTestsjsregressapplynotapplyhtml">trunk/LayoutTests/js/regress/apply-not-apply.html</a></li>
<li><a href="#trunkLayoutTestsjsregresscallornotcallexpectedtxt">trunk/LayoutTests/js/regress/call-or-not-call-expected.txt</a></li>
<li><a href="#trunkLayoutTestsjsregresscallornotcallhtml">trunk/LayoutTests/js/regress/call-or-not-call.html</a></li>
<li><a href="#trunkLayoutTestsjsregressscripttestsapplynotapplyjs">trunk/LayoutTests/js/regress/script-tests/apply-not-apply.js</a></li>
<li><a href="#trunkLayoutTestsjsregressscripttestscallornotcalljs">trunk/LayoutTests/js/regress/script-tests/call-or-not-call.js</a></li>
</ul>

</div>
<div id="patch">
<h3>Diff</h3>
<a id="trunkLayoutTestsChangeLog"></a>
<div class="modfile"><h4>Modified: trunk/LayoutTests/ChangeLog (203360 => 203361)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/ChangeLog        2016-07-18 19:12:24 UTC (rev 203360)
+++ trunk/LayoutTests/ChangeLog        2016-07-18 19:12:57 UTC (rev 203361)
</span><span class="lines">@@ -1,3 +1,23 @@
</span><ins>+2016-07-12  Filip Pizlo  &lt;fpizlo@apple.com&gt;
+
+        DFG should really support jneq_ptr
+        https://bugs.webkit.org/show_bug.cgi?id=159700
+
+        Reviewed by Keith Miller.
+        
+        These tests now run super fast.
+
+        * js/regress/apply-not-apply-expected.txt: Added.
+        * js/regress/apply-not-apply.html: Added.
+        * js/regress/call-or-not-call-expected.txt: Added.
+        * js/regress/call-or-not-call.html: Added.
+        * js/regress/script-tests/apply-not-apply.js: Added.
+        (let.o.apply):
+        (foo):
+        * js/regress/script-tests/call-or-not-call.js: Added.
+        (let.o.call):
+        (foo):
+
</ins><span class="cx"> 2016-07-18  Ryan Haddad  &lt;ryanhaddad@apple.com&gt;
</span><span class="cx"> 
</span><span class="cx">         Marking fast/shapes/shape-outside-floats/shape-outside-big-box-border-radius-002.html as flaky on ios-sim
</span></span></pre></div>
<a id="trunkLayoutTestsjsregressapplynotapplyexpectedtxt"></a>
<div class="addfile"><h4>Added: trunk/LayoutTests/js/regress/apply-not-apply-expected.txt (0 => 203361)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/js/regress/apply-not-apply-expected.txt                                (rev 0)
+++ trunk/LayoutTests/js/regress/apply-not-apply-expected.txt        2016-07-18 19:12:57 UTC (rev 203361)
</span><span class="lines">@@ -0,0 +1,10 @@
</span><ins>+JSRegress/apply-not-apply
+
+On success, you will see a series of &quot;PASS&quot; messages, followed by &quot;TEST COMPLETE&quot;.
+
+
+PASS no exception thrown
+PASS successfullyParsed is true
+
+TEST COMPLETE
+
</ins></span></pre></div>
<a id="trunkLayoutTestsjsregressapplynotapplyhtml"></a>
<div class="addfile"><h4>Added: trunk/LayoutTests/js/regress/apply-not-apply.html (0 => 203361)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/js/regress/apply-not-apply.html                                (rev 0)
+++ trunk/LayoutTests/js/regress/apply-not-apply.html        2016-07-18 19:12:57 UTC (rev 203361)
</span><span class="lines">@@ -0,0 +1,12 @@
</span><ins>+&lt;!DOCTYPE HTML PUBLIC &quot;-//IETF//DTD HTML//EN&quot;&gt;
+&lt;html&gt;
+&lt;head&gt;
+&lt;script src=&quot;../../resources/js-test-pre.js&quot;&gt;&lt;/script&gt;
+&lt;/head&gt;
+&lt;body&gt;
+&lt;script src=&quot;../../resources/regress-pre.js&quot;&gt;&lt;/script&gt;
+&lt;script src=&quot;script-tests/apply-not-apply.js&quot;&gt;&lt;/script&gt;
+&lt;script src=&quot;../../resources/regress-post.js&quot;&gt;&lt;/script&gt;
+&lt;script src=&quot;../../resources/js-test-post.js&quot;&gt;&lt;/script&gt;
+&lt;/body&gt;
+&lt;/html&gt;
</ins></span></pre></div>
<a id="trunkLayoutTestsjsregresscallornotcallexpectedtxt"></a>
<div class="addfile"><h4>Added: trunk/LayoutTests/js/regress/call-or-not-call-expected.txt (0 => 203361)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/js/regress/call-or-not-call-expected.txt                                (rev 0)
+++ trunk/LayoutTests/js/regress/call-or-not-call-expected.txt        2016-07-18 19:12:57 UTC (rev 203361)
</span><span class="lines">@@ -0,0 +1,10 @@
</span><ins>+JSRegress/call-or-not-call
+
+On success, you will see a series of &quot;PASS&quot; messages, followed by &quot;TEST COMPLETE&quot;.
+
+
+PASS no exception thrown
+PASS successfullyParsed is true
+
+TEST COMPLETE
+
</ins></span></pre></div>
<a id="trunkLayoutTestsjsregresscallornotcallhtml"></a>
<div class="addfile"><h4>Added: trunk/LayoutTests/js/regress/call-or-not-call.html (0 => 203361)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/js/regress/call-or-not-call.html                                (rev 0)
+++ trunk/LayoutTests/js/regress/call-or-not-call.html        2016-07-18 19:12:57 UTC (rev 203361)
</span><span class="lines">@@ -0,0 +1,12 @@
</span><ins>+&lt;!DOCTYPE HTML PUBLIC &quot;-//IETF//DTD HTML//EN&quot;&gt;
+&lt;html&gt;
+&lt;head&gt;
+&lt;script src=&quot;../../resources/js-test-pre.js&quot;&gt;&lt;/script&gt;
+&lt;/head&gt;
+&lt;body&gt;
+&lt;script src=&quot;../../resources/regress-pre.js&quot;&gt;&lt;/script&gt;
+&lt;script src=&quot;script-tests/call-or-not-call.js&quot;&gt;&lt;/script&gt;
+&lt;script src=&quot;../../resources/regress-post.js&quot;&gt;&lt;/script&gt;
+&lt;script src=&quot;../../resources/js-test-post.js&quot;&gt;&lt;/script&gt;
+&lt;/body&gt;
+&lt;/html&gt;
</ins></span></pre></div>
<a id="trunkLayoutTestsjsregressscripttestsapplynotapplyjs"></a>
<div class="addfile"><h4>Added: trunk/LayoutTests/js/regress/script-tests/apply-not-apply.js (0 => 203361)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/js/regress/script-tests/apply-not-apply.js                                (rev 0)
+++ trunk/LayoutTests/js/regress/script-tests/apply-not-apply.js        2016-07-18 19:12:57 UTC (rev 203361)
</span><span class="lines">@@ -0,0 +1,26 @@
</span><ins>+&quot;use strict&quot;;
+
+(function() {
+    let o = {
+        apply(a, b) {
+            return a + b;
+        }
+    };
+    
+    function foo() {
+        let result = 0;
+        for (let i = 0; i &lt; 1000; ++i)
+            result = o.apply(result, 1);
+        return result;
+    }
+    
+    noInline(foo);
+    
+    let result = 0;
+    for (let i = 0; i &lt; 10000; ++i)
+        result += foo();
+    
+    if (result != 10000000)
+        throw new &quot;Bad result: &quot; + result;
+})();
+
</ins></span></pre></div>
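Review bot: the failure path at the end of apply-not-apply.js reads throw new "Bad result: " + result; and the stray new is applied to a string literal, so a wrong sum would raise a TypeError instead of the intended message. Drop new so the line matches the throw "Bad result: " + result; form used in call-or-not-call.js.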
<a id="trunkLayoutTestsjsregressscripttestscallornotcalljs"></a>
<div class="addfile"><h4>Added: trunk/LayoutTests/js/regress/script-tests/call-or-not-call.js (0 => 203361)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/js/regress/script-tests/call-or-not-call.js                                (rev 0)
+++ trunk/LayoutTests/js/regress/script-tests/call-or-not-call.js        2016-07-18 19:12:57 UTC (rev 203361)
</span><span class="lines">@@ -0,0 +1,28 @@
</span><ins>+&quot;use strict&quot;;
+
+(function() {
+    let o = {
+        call(ignored, a, b) {
+            return a + b;
+        }
+    };
+    
+    let a = [o, (a, b) =&gt; a - 2 * b];
+    
+    function foo() {
+        let result = 0;
+        for (let i = 0; i &lt; 1000; ++i)
+            result = a[((i % 5) == 0) | 0].call(null, result, 1);
+        return result;
+    }
+    
+    noInline(foo);
+    
+    let result = 0;
+    for (let i = 0; i &lt; 10000; ++i)
+        result += foo();
+    
+    if (result != 4000000)
+        throw &quot;Bad result: &quot; + result;
+})();
+
</ins></span></pre></div>
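Review bot: in call-or-not-call.js the arrow function stored in the array declares parameters a and b, so its a shadows the outer let a that holds the array; renaming either one would make the a[...] dispatch in foo easier to read. A one-line comment saying that every fifth iteration goes through the real Function.prototype.call while the rest hit o.call would also document why 4000000 is the expected total.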
<a id="trunkSourceJavaScriptCoreChangeLog"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/ChangeLog (203360 => 203361)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/ChangeLog        2016-07-18 19:12:24 UTC (rev 203360)
+++ trunk/Source/JavaScriptCore/ChangeLog        2016-07-18 19:12:57 UTC (rev 203361)
</span><span class="lines">@@ -1,5 +1,75 @@
</span><span class="cx"> 2016-07-12  Filip Pizlo  &lt;fpizlo@apple.com&gt;
</span><span class="cx"> 
</span><ins>+        DFG should really support jneq_ptr
+        https://bugs.webkit.org/show_bug.cgi?id=159700
+
+        Reviewed by Keith Miller.
+        
+        Prior to this change, DFG statically speculated that jneq_ptr would always fall through. This
+        meant that programs that called o.apply() or o.call() where apply or call weren't the
+        expected ones (i.e. the function.prototype.apply/call) would rage-recompile forever.
+        
+        This adds profiling to jneq_ptr. We now know if it always falls through or sometimes doesn't.
+        If it sometimes doesn't, we now emit an actual control flow diamond. I decided to add a new
+        NodeType for &quot;equal pointer&quot;, since none of the existing ones really captured that. For
+        example, there was no way to express &quot;equal pointer&quot; for strings or symbols. We don't use it
+        for that right now, but we might, and if we did, then it would be hugely surprising that the
+        DFG interpreted this as value equality. So, the DFG now has CompareEqPtr, which means exactly
+        what jneq_ptr means by &quot;equal pointer&quot;.
+        
+        This is an enormous speed-up on microbenchmarks. I would assume that it's a speed-up on some
+        real things, too, but I don't know that for a fact.
+
+        * bytecode/BytecodeList.json:
+        * bytecode/CodeBlock.cpp:
+        (JSC::CodeBlock::dumpBytecode):
+        * bytecompiler/BytecodeGenerator.cpp:
+        (JSC::BytecodeGenerator::emitJumpIfNotFunctionCall):
+        (JSC::BytecodeGenerator::emitJumpIfNotFunctionApply):
+        (JSC::BytecodeGenerator::emitExpectedFunctionSnippet):
+        * dfg/DFGAbstractInterpreterInlines.h:
+        (JSC::DFG::AbstractInterpreter&lt;AbstractStateType&gt;::executeEffects):
+        * dfg/DFGByteCodeParser.cpp:
+        (JSC::DFG::ByteCodeParser::parseBlock):
+        * dfg/DFGClobberize.h:
+        (JSC::DFG::clobberize):
+        * dfg/DFGDoesGC.cpp:
+        (JSC::DFG::doesGC):
+        * dfg/DFGFixupPhase.cpp:
+        (JSC::DFG::FixupPhase::fixupNode):
+        * dfg/DFGNode.h:
+        (JSC::DFG::Node::hasCellOperand):
+        * dfg/DFGNodeType.h:
+        * dfg/DFGSafeToExecute.h:
+        (JSC::DFG::safeToExecute):
+        * dfg/DFGSpeculativeJIT.cpp:
+        (JSC::DFG::SpeculativeJIT::compileRecordRegExpCachedResult):
+        (JSC::DFG::SpeculativeJIT::compileCompareEqPtr):
+        * dfg/DFGSpeculativeJIT.h:
+        * dfg/DFGSpeculativeJIT32_64.cpp:
+        (JSC::DFG::SpeculativeJIT::compile):
+        * dfg/DFGSpeculativeJIT64.cpp:
+        (JSC::DFG::SpeculativeJIT::compile):
+        * dfg/DFGValidate.cpp:
+        * ftl/FTLCapabilities.cpp:
+        (JSC::FTL::canCompile):
+        * ftl/FTLLowerDFGToB3.cpp:
+        (JSC::FTL::DFG::LowerDFGToB3::compileNode):
+        (JSC::FTL::DFG::LowerDFGToB3::compileCompareStrictEq):
+        (JSC::FTL::DFG::LowerDFGToB3::compileCompareEqPtr):
+        (JSC::FTL::DFG::LowerDFGToB3::compileCompareLess):
+        (JSC::FTL::DFG::LowerDFGToB3::compileCompareStrictEqConstant): Deleted.
+        * jit/JITOpcodes.cpp:
+        (JSC::JIT::emit_op_jneq_ptr):
+        (JSC::JIT::emit_op_eq):
+        * jit/JITOpcodes32_64.cpp:
+        (JSC::JIT::emit_op_jneq_ptr):
+        (JSC::JIT::emit_op_eq):
+        * llint/LowLevelInterpreter32_64.asm:
+        * llint/LowLevelInterpreter64.asm:
+
+2016-07-12  Filip Pizlo  &lt;fpizlo@apple.com&gt;
+
</ins><span class="cx">         OSR entry into DFG has problems with lexical scoping
</span><span class="cx">         https://bugs.webkit.org/show_bug.cgi?id=159687
</span><span class="cx"> 
</span></span></pre></div>
<a id="trunkSourceJavaScriptCorebytecodeBytecodeListjson"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/bytecode/BytecodeList.json (203360 => 203361)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/bytecode/BytecodeList.json        2016-07-18 19:12:24 UTC (rev 203360)
+++ trunk/Source/JavaScriptCore/bytecode/BytecodeList.json        2016-07-18 19:12:57 UTC (rev 203361)
</span><span class="lines">@@ -86,7 +86,7 @@
</span><span class="cx">             { &quot;name&quot; : &quot;op_jfalse&quot;, &quot;length&quot; : 3 },
</span><span class="cx">             { &quot;name&quot; : &quot;op_jeq_null&quot;, &quot;length&quot; : 3 },
</span><span class="cx">             { &quot;name&quot; : &quot;op_jneq_null&quot;, &quot;length&quot; : 3 },
</span><del>-            { &quot;name&quot; : &quot;op_jneq_ptr&quot;, &quot;length&quot; : 4 },
</del><ins>+            { &quot;name&quot; : &quot;op_jneq_ptr&quot;, &quot;length&quot; : 5 },
</ins><span class="cx">             { &quot;name&quot; : &quot;op_jless&quot;, &quot;length&quot; : 4 },
</span><span class="cx">             { &quot;name&quot; : &quot;op_jlesseq&quot;, &quot;length&quot; : 4 },
</span><span class="cx">             { &quot;name&quot; : &quot;op_jgreater&quot;, &quot;length&quot; : 4 },
</span></span></pre></div>
<a id="trunkSourceJavaScriptCorebytecodeCodeBlockcpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/bytecode/CodeBlock.cpp (203360 => 203361)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/bytecode/CodeBlock.cpp        2016-07-18 19:12:24 UTC (rev 203360)
+++ trunk/Source/JavaScriptCore/bytecode/CodeBlock.cpp        2016-07-18 19:12:57 UTC (rev 203361)
</span><span class="lines">@@ -1311,6 +1311,7 @@
</span><span class="cx">             int offset = (++it)-&gt;u.operand;
</span><span class="cx">             printLocationAndOp(out, exec, location, it, &quot;jneq_ptr&quot;);
</span><span class="cx">             out.printf(&quot;%s, %d (%p), %d(-&gt;%d)&quot;, registerName(r0).data(), pointer, m_globalObject-&gt;actualPointerFor(pointer), offset, location + offset);
</span><ins>+            ++it;
</ins><span class="cx">             break;
</span><span class="cx">         }
</span><span class="cx">         case op_jless: {
</span></span></pre></div>
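Review bot: the jneq_ptr case in dumpBytecode steps over the new fifth operand with ++it but never prints it, so a bytecode dump cannot show whether the branch has been observed as taken. Consider reading the slot and adding it to the printf output next to the offset.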
<a id="trunkSourceJavaScriptCorebytecompilerBytecodeGeneratorcpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/bytecompiler/BytecodeGenerator.cpp (203360 => 203361)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/bytecompiler/BytecodeGenerator.cpp        2016-07-18 19:12:24 UTC (rev 203360)
+++ trunk/Source/JavaScriptCore/bytecompiler/BytecodeGenerator.cpp        2016-07-18 19:12:57 UTC (rev 203361)
</span><span class="lines">@@ -1448,6 +1448,7 @@
</span><span class="cx">     instructions().append(cond-&gt;index());
</span><span class="cx">     instructions().append(Special::CallFunction);
</span><span class="cx">     instructions().append(target-&gt;bind(begin, instructions().size()));
</span><ins>+    instructions().append(0);
</ins><span class="cx">     return target;
</span><span class="cx"> }
</span><span class="cx"> 
</span><span class="lines">@@ -1459,6 +1460,7 @@
</span><span class="cx">     instructions().append(cond-&gt;index());
</span><span class="cx">     instructions().append(Special::ApplyFunction);
</span><span class="cx">     instructions().append(target-&gt;bind(begin, instructions().size()));
</span><ins>+    instructions().append(0);
</ins><span class="cx">     return target;
</span><span class="cx"> }
</span><span class="cx"> 
</span><span class="lines">@@ -3059,6 +3061,7 @@
</span><span class="cx">         instructions().append(func-&gt;index());
</span><span class="cx">         instructions().append(Special::ObjectConstructor);
</span><span class="cx">         instructions().append(realCall-&gt;bind(begin, instructions().size()));
</span><ins>+        instructions().append(0);
</ins><span class="cx">         
</span><span class="cx">         if (dst != ignoredResult())
</span><span class="cx">             emitNewObject(dst);
</span><span class="lines">@@ -3079,6 +3082,7 @@
</span><span class="cx">         instructions().append(func-&gt;index());
</span><span class="cx">         instructions().append(Special::ArrayConstructor);
</span><span class="cx">         instructions().append(realCall-&gt;bind(begin, instructions().size()));
</span><ins>+        instructions().append(0);
</ins><span class="cx">         
</span><span class="cx">         if (dst != ignoredResult()) {
</span><span class="cx">             if (callArguments.argumentCountIncludingThis() == 2)
</span></span></pre></div>
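Review bot: each of the four emission sites in BytecodeGenerator.cpp now ends with a bare instructions().append(0); and nothing at the call site says what the slot is for. Since the same operand sequence is written by hand in four places, a small helper with a commented initial value for the profiling slot would keep these sites from drifting away from the length of 5 declared in BytecodeList.json.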
<a id="trunkSourceJavaScriptCoredfgDFGAbstractInterpreterInlinesh"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/dfg/DFGAbstractInterpreterInlines.h (203360 => 203361)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/dfg/DFGAbstractInterpreterInlines.h        2016-07-18 19:12:24 UTC (rev 203360)
+++ trunk/Source/JavaScriptCore/dfg/DFGAbstractInterpreterInlines.h        2016-07-18 19:12:57 UTC (rev 203361)
</span><span class="lines">@@ -1522,6 +1522,18 @@
</span><span class="cx">         break;
</span><span class="cx">     }
</span><span class="cx">         
</span><ins>+    case CompareEqPtr: {
+        Node* childNode = node-&gt;child1().node();
+        JSValue childValue = forNode(childNode).value();
+        if (childValue) {
+            setConstant(node, jsBoolean(childValue.isCell() &amp;&amp; childValue.asCell() == node-&gt;cellOperand()-&gt;cell()));
+            break;
+        }
+        
+        forNode(node).setType(SpecBoolean);
+        break;
+    }
+        
</ins><span class="cx">     case StringCharCodeAt:
</span><span class="cx">         forNode(node).setType(SpecInt32Only);
</span><span class="cx">         break;
</span></span></pre></div>
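Review bot: the CompareEqPtr case in executeEffects folds only when forNode(childNode).value() yields a proven constant; when the child's abstract type is already known to exclude cells, the result could also be set to false rather than left as SpecBoolean. If that is deliberately left out, a short comment saying so would help the next reader.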
<a id="trunkSourceJavaScriptCoredfgDFGByteCodeParsercpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/dfg/DFGByteCodeParser.cpp (203360 => 203361)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/dfg/DFGByteCodeParser.cpp        2016-07-18 19:12:24 UTC (rev 203360)
+++ trunk/Source/JavaScriptCore/dfg/DFGByteCodeParser.cpp        2016-07-18 19:12:57 UTC (rev 203361)
</span><span class="lines">@@ -4564,17 +4564,23 @@
</span><span class="cx">             NEXT_OPCODE(op_construct_varargs);
</span><span class="cx">         }
</span><span class="cx">             
</span><del>-        case op_jneq_ptr:
-            // Statically speculate for now. It makes sense to let speculate-only jneq_ptr
-            // support simmer for a while before making it more general, since it's
-            // already gnarly enough as it is.
-            ASSERT(pointerIsFunction(currentInstruction[2].u.specialPointer));
-            addToGraph(
-                CheckCell,
-                OpInfo(m_graph.freeze(static_cast&lt;JSCell*&gt;(actualPointerFor(
-                    m_inlineStackTop-&gt;m_codeBlock, currentInstruction[2].u.specialPointer)))),
-                get(VirtualRegister(currentInstruction[1].u.operand)));
</del><ins>+        case op_jneq_ptr: {
+            Special::Pointer specialPointer = currentInstruction[2].u.specialPointer;
+            ASSERT(pointerIsCell(specialPointer));
+            JSCell* actualPointer = static_cast&lt;JSCell*&gt;(
+                actualPointerFor(m_inlineStackTop-&gt;m_codeBlock, specialPointer));
+            FrozenValue* frozenPointer = m_graph.freeze(actualPointer);
+            int operand = currentInstruction[1].u.operand;
+            unsigned relativeOffset = currentInstruction[3].u.operand;
+            Node* child = get(VirtualRegister(operand));
+            if (currentInstruction[4].u.operand) {
+                Node* condition = addToGraph(CompareEqPtr, OpInfo(frozenPointer), child);
+                addToGraph(Branch, OpInfo(branchData(m_currentIndex + OPCODE_LENGTH(op_jneq_ptr), m_currentIndex + relativeOffset)), condition);
+                LAST_OPCODE(op_jneq_ptr);
+            }
+            addToGraph(CheckCell, OpInfo(frozenPointer), child);
</ins><span class="cx">             NEXT_OPCODE(op_jneq_ptr);
</span><ins>+        }
</ins><span class="cx"> 
</span><span class="cx">         case op_resolve_scope: {
</span><span class="cx">             int dst = currentInstruction[1].u.operand;
</span></span></pre></div>
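Review bot: relativeOffset is declared unsigned in the new op_jneq_ptr case, while the same operand is read as int offset in CodeBlock::dumpBytecode, so a negative offset would rely on unsigned wraparound in m_currentIndex + relativeOffset. Declaring it int, or commenting that the wraparound is intended, would make the branch target easier to verify. The assertion also widens from pointerIsFunction to pointerIsCell without a comment on why.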
<a id="trunkSourceJavaScriptCoredfgDFGClobberizeh"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/dfg/DFGClobberize.h (203360 => 203361)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/dfg/DFGClobberize.h        2016-07-18 19:12:24 UTC (rev 203360)
+++ trunk/Source/JavaScriptCore/dfg/DFGClobberize.h        2016-07-18 19:12:57 UTC (rev 203361)
</span><span class="lines">@@ -164,6 +164,7 @@
</span><span class="cx">     case GetGlobalObject:
</span><span class="cx">     case StringCharCodeAt:
</span><span class="cx">     case CompareStrictEq:
</span><ins>+    case CompareEqPtr:
</ins><span class="cx">     case IsJSArray:
</span><span class="cx">     case IsEmpty:
</span><span class="cx">     case IsUndefined:
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoredfgDFGDoesGCcpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/dfg/DFGDoesGC.cpp (203360 => 203361)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/dfg/DFGDoesGC.cpp        2016-07-18 19:12:24 UTC (rev 203360)
+++ trunk/Source/JavaScriptCore/dfg/DFGDoesGC.cpp        2016-07-18 19:12:57 UTC (rev 203361)
</span><span class="lines">@@ -139,6 +139,7 @@
</span><span class="cx">     case CompareGreaterEq:
</span><span class="cx">     case CompareEq:
</span><span class="cx">     case CompareStrictEq:
</span><ins>+    case CompareEqPtr:
</ins><span class="cx">     case Call:
</span><span class="cx">     case TailCallInlinedCaller:
</span><span class="cx">     case Construct:
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoredfgDFGFixupPhasecpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/dfg/DFGFixupPhase.cpp (203360 => 203361)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/dfg/DFGFixupPhase.cpp        2016-07-18 19:12:24 UTC (rev 203360)
+++ trunk/Source/JavaScriptCore/dfg/DFGFixupPhase.cpp        2016-07-18 19:12:57 UTC (rev 203361)
</span><span class="lines">@@ -620,7 +620,7 @@
</span><span class="cx">             }
</span><span class="cx">             break;
</span><span class="cx">         }
</span><del>-
</del><ins>+            
</ins><span class="cx">         case StringFromCharCode:
</span><span class="cx">             if (node-&gt;child1()-&gt;shouldSpeculateInt32())
</span><span class="cx">                 fixEdge&lt;Int32Use&gt;(node-&gt;child1());
</span><span class="lines">@@ -1589,6 +1589,7 @@
</span><span class="cx">         case PutByIdWithThis:
</span><span class="cx">         case PutByValWithThis:
</span><span class="cx">         case GetByValWithThis:
</span><ins>+        case CompareEqPtr:
</ins><span class="cx">             break;
</span><span class="cx">             
</span><span class="cx">             break;
</span></span></pre></div>
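Review bot: The context directly under the new case CompareEqPtr label shows two break statements in a row; the second is unreachable and could be dropped while this group is being edited. Leaving CompareEqPtr in the no-fixup group keeps child1 untyped, which matches compileCompareEqPtr reading it through JSValueOperand, so no edge fixup looks missing.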
<a id="trunkSourceJavaScriptCoredfgDFGNodeh"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/dfg/DFGNode.h (203360 => 203361)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/dfg/DFGNode.h        2016-07-18 19:12:24 UTC (rev 203360)
+++ trunk/Source/JavaScriptCore/dfg/DFGNode.h        2016-07-18 19:12:57 UTC (rev 203361)
</span><span class="lines">@@ -1467,6 +1467,7 @@
</span><span class="cx">         case NewGeneratorFunction:
</span><span class="cx">         case CreateActivation:
</span><span class="cx">         case MaterializeCreateActivation:
</span><ins>+        case CompareEqPtr:
</ins><span class="cx">             return true;
</span><span class="cx">         default:
</span><span class="cx">             return false;
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoredfgDFGNodeTypeh"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/dfg/DFGNodeType.h (203360 => 203361)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/dfg/DFGNodeType.h        2016-07-18 19:12:24 UTC (rev 203360)
+++ trunk/Source/JavaScriptCore/dfg/DFGNodeType.h        2016-07-18 19:12:57 UTC (rev 203361)
</span><span class="lines">@@ -265,6 +265,7 @@
</span><span class="cx">     macro(CompareGreaterEq, NodeResultBoolean | NodeMustGenerate) \
</span><span class="cx">     macro(CompareEq, NodeResultBoolean | NodeMustGenerate) \
</span><span class="cx">     macro(CompareStrictEq, NodeResultBoolean) \
</span><ins>+    macro(CompareEqPtr, NodeResultBoolean) \
</ins><span class="cx">     \
</span><span class="cx">     /* Calls. */\
</span><span class="cx">     macro(Call, NodeResultJS | NodeMustGenerate | NodeHasVarArgs) \
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoredfgDFGPredictionPropagationPhasecpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/dfg/DFGPredictionPropagationPhase.cpp (203360 => 203361)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/dfg/DFGPredictionPropagationPhase.cpp        2016-07-18 19:12:24 UTC (rev 203360)
+++ trunk/Source/JavaScriptCore/dfg/DFGPredictionPropagationPhase.cpp        2016-07-18 19:12:57 UTC (rev 203361)
</span><span class="lines">@@ -781,6 +781,7 @@
</span><span class="cx">         case CompareGreaterEq:
</span><span class="cx">         case CompareEq:
</span><span class="cx">         case CompareStrictEq:
</span><ins>+        case CompareEqPtr:
</ins><span class="cx">         case OverridesHasInstance:
</span><span class="cx">         case InstanceOf:
</span><span class="cx">         case InstanceOfCustom:
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoredfgDFGSafeToExecuteh"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/dfg/DFGSafeToExecute.h (203360 => 203361)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/dfg/DFGSafeToExecute.h        2016-07-18 19:12:24 UTC (rev 203360)
+++ trunk/Source/JavaScriptCore/dfg/DFGSafeToExecute.h        2016-07-18 19:12:57 UTC (rev 203361)
</span><span class="lines">@@ -235,6 +235,7 @@
</span><span class="cx">     case CompareGreaterEq:
</span><span class="cx">     case CompareEq:
</span><span class="cx">     case CompareStrictEq:
</span><ins>+    case CompareEqPtr:
</ins><span class="cx">     case Call:
</span><span class="cx">     case TailCallInlinedCaller:
</span><span class="cx">     case Construct:
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoredfgDFGSpeculativeJITcpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp (203360 => 203361)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp        2016-07-18 19:12:24 UTC (rev 203360)
+++ trunk/Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp        2016-07-18 19:12:57 UTC (rev 203361)
</span><span class="lines">@@ -8256,6 +8256,19 @@
</span><span class="cx">     noResult(node);
</span><span class="cx"> }
</span><span class="cx"> 
</span><ins>+void SpeculativeJIT::compileCompareEqPtr(Node* node)
+{
+    JSValueOperand operand(this, node-&gt;child1());
+    GPRTemporary result(this);
+    JSValueRegs regs = operand.jsValueRegs();
+    GPRReg resultGPR = result.gpr();
+    m_jit.boxBooleanPayload(false, resultGPR);
+    JITCompiler::JumpList notEqual = m_jit.branchIfNotEqual(regs, node-&gt;cellOperand()-&gt;value());
+    m_jit.boxBooleanPayload(true, resultGPR);
+    notEqual.link(&amp;m_jit);
+    blessedBooleanResult(resultGPR, node);
+}
+
</ins><span class="cx"> } } // namespace JSC::DFG
</span><span class="cx"> 
</span><span class="cx"> #endif
</span></span></pre></div>
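Review bot: compileCompareEqPtr passes node-&gt;cellOperand()-&gt;value() to branchIfNotEqual as an immediate, while the FTL lowering of the same node wraps the cell in weakPointer(). A short comment stating what keeps this cell alive, or registered as a weak reference, for the lifetime of the DFG code would make the two tiers visibly consistent.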
<a id="trunkSourceJavaScriptCoredfgDFGSpeculativeJITh"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/dfg/DFGSpeculativeJIT.h (203360 => 203361)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/dfg/DFGSpeculativeJIT.h        2016-07-18 19:12:24 UTC (rev 203360)
+++ trunk/Source/JavaScriptCore/dfg/DFGSpeculativeJIT.h        2016-07-18 19:12:57 UTC (rev 203361)
</span><span class="lines">@@ -2559,6 +2559,7 @@
</span><span class="cx">     void compileResolveScope(Node*);
</span><span class="cx">     void compileGetDynamicVar(Node*);
</span><span class="cx">     void compilePutDynamicVar(Node*);
</span><ins>+    void compileCompareEqPtr(Node*);
</ins><span class="cx"> 
</span><span class="cx">     void moveTrueTo(GPRReg);
</span><span class="cx">     void moveFalseTo(GPRReg);
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoredfgDFGSpeculativeJIT32_64cpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/dfg/DFGSpeculativeJIT32_64.cpp (203360 => 203361)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/dfg/DFGSpeculativeJIT32_64.cpp        2016-07-18 19:12:24 UTC (rev 203360)
+++ trunk/Source/JavaScriptCore/dfg/DFGSpeculativeJIT32_64.cpp        2016-07-18 19:12:57 UTC (rev 203361)
</span><span class="lines">@@ -2387,6 +2387,10 @@
</span><span class="cx">         if (compileStrictEq(node))
</span><span class="cx">             return;
</span><span class="cx">         break;
</span><ins>+        
+    case CompareEqPtr:
+        compileCompareEqPtr(node);
+        break;
</ins><span class="cx"> 
</span><span class="cx">     case StringCharCodeAt: {
</span><span class="cx">         compileGetCharCodeAt(node);
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoredfgDFGSpeculativeJIT64cpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/dfg/DFGSpeculativeJIT64.cpp (203360 => 203361)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/dfg/DFGSpeculativeJIT64.cpp        2016-07-18 19:12:24 UTC (rev 203360)
+++ trunk/Source/JavaScriptCore/dfg/DFGSpeculativeJIT64.cpp        2016-07-18 19:12:57 UTC (rev 203361)
</span><span class="lines">@@ -2522,6 +2522,10 @@
</span><span class="cx">         if (compileStrictEq(node))
</span><span class="cx">             return;
</span><span class="cx">         break;
</span><ins>+        
+    case CompareEqPtr:
+        compileCompareEqPtr(node);
+        break;
</ins><span class="cx"> 
</span><span class="cx">     case StringCharCodeAt: {
</span><span class="cx">         compileGetCharCodeAt(node);
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoredfgDFGValidatecpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/dfg/DFGValidate.cpp (203360 => 203361)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/dfg/DFGValidate.cpp        2016-07-18 19:12:24 UTC (rev 203360)
+++ trunk/Source/JavaScriptCore/dfg/DFGValidate.cpp        2016-07-18 19:12:57 UTC (rev 203361)
</span><span class="lines">@@ -266,6 +266,10 @@
</span><span class="cx">                     VALIDATE((node), !!node-&gt;child1());
</span><span class="cx">                     VALIDATE((node), !!node-&gt;child2());
</span><span class="cx">                     break;
</span><ins>+                case CompareEqPtr:
+                    VALIDATE((node), !!node-&gt;child1());
+                    VALIDATE((node), !!node-&gt;cellOperand()-&gt;value() &amp;&amp; node-&gt;cellOperand()-&gt;value().isCell());
+                    break;
</ins><span class="cx">                 case CheckStructure:
</span><span class="cx">                 case StringFromCharCode:
</span><span class="cx">                     VALIDATE((node), !!node-&gt;child1());
</span></span></pre></div>
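Review bot: The second VALIDATE dereferences node-&gt;cellOperand() without first checking that it is non-null, so a CompareEqPtr node built without its operand would crash the validator instead of producing a validation failure. Add VALIDATE((node), !!node-&gt;cellOperand()) ahead of it. It may also be worth asserting that child2 is empty, since the code generators in this change only read child1.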
<a id="trunkSourceJavaScriptCoreftlFTLCapabilitiescpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/ftl/FTLCapabilities.cpp (203360 => 203361)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/ftl/FTLCapabilities.cpp        2016-07-18 19:12:24 UTC (rev 203360)
+++ trunk/Source/JavaScriptCore/ftl/FTLCapabilities.cpp        2016-07-18 19:12:57 UTC (rev 203361)
</span><span class="lines">@@ -244,6 +244,7 @@
</span><span class="cx">     case ResolveScope:
</span><span class="cx">     case GetDynamicVar:
</span><span class="cx">     case PutDynamicVar:
</span><ins>+    case CompareEqPtr:
</ins><span class="cx">         // These are OK.
</span><span class="cx">         break;
</span><span class="cx"> 
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoreftlFTLLowerDFGToB3cpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/ftl/FTLLowerDFGToB3.cpp (203360 => 203361)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/ftl/FTLLowerDFGToB3.cpp        2016-07-18 19:12:24 UTC (rev 203360)
+++ trunk/Source/JavaScriptCore/ftl/FTLLowerDFGToB3.cpp        2016-07-18 19:12:57 UTC (rev 203361)
</span><span class="lines">@@ -819,6 +819,9 @@
</span><span class="cx">         case CompareGreaterEq:
</span><span class="cx">             compileCompareGreaterEq();
</span><span class="cx">             break;
</span><ins>+        case CompareEqPtr:
+            compileCompareEqPtr();
+            break;
</ins><span class="cx">         case LogicalNot:
</span><span class="cx">             compileLogicalNot();
</span><span class="cx">             break;
</span><span class="lines">@@ -4984,14 +4987,12 @@
</span><span class="cx">         DFG_CRASH(m_graph, m_node, &quot;Bad use kinds&quot;);
</span><span class="cx">     }
</span><span class="cx">     
</span><del>-    void compileCompareStrictEqConstant()
</del><ins>+    void compileCompareEqPtr()
</ins><span class="cx">     {
</span><del>-        JSValue constant = m_node-&gt;child2()-&gt;asJSValue();
-
</del><span class="cx">         setBoolean(
</span><span class="cx">             m_out.equal(
</span><span class="cx">                 lowJSValue(m_node-&gt;child1()),
</span><del>-                m_out.constInt64(JSValue::encode(constant))));
</del><ins>+                weakPointer(m_node-&gt;cellOperand()-&gt;cell())));
</ins><span class="cx">     }
</span><span class="cx">     
</span><span class="cx">     void compileCompareLess()
</span></span></pre></div>
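Review bot: compileCompareEqPtr calls cellOperand()-&gt;cell() with no local check that the operand holds a cell; the only guard in this change is the VALIDATE in DFGValidate.cpp, and a local ASSERT here would keep the requirement next to the weakPointer() call that depends on it. Separately, compileCompareStrictEqConstant is replaced in place, so the ChangeLog should say that it had no remaining callers or name the call site that was removed.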
<a id="trunkSourceJavaScriptCorejitJITOpcodescpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/jit/JITOpcodes.cpp (203360 => 203361)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/jit/JITOpcodes.cpp        2016-07-18 19:12:24 UTC (rev 203360)
+++ trunk/Source/JavaScriptCore/jit/JITOpcodes.cpp        2016-07-18 19:12:57 UTC (rev 203361)
</span><span class="lines">@@ -421,7 +421,10 @@
</span><span class="cx">     unsigned target = currentInstruction[3].u.operand;
</span><span class="cx">     
</span><span class="cx">     emitGetVirtualRegister(src, regT0);
</span><del>-    addJump(branchPtr(NotEqual, regT0, TrustedImmPtr(actualPointerFor(m_codeBlock, ptr))), target);
</del><ins>+    CCallHelpers::Jump equal = branchPtr(Equal, regT0, TrustedImmPtr(actualPointerFor(m_codeBlock, ptr)));
+    store32(TrustedImm32(1), &amp;currentInstruction[4].u.operand);
+    addJump(jump(), target);
+    equal.link(this);
</ins><span class="cx"> }
</span><span class="cx"> 
</span><span class="cx"> void JIT::emit_op_eq(Instruction* currentInstruction)
</span></span></pre></div>
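Review bot: The store32 of 1 into currentInstruction[4].u.operand has no comment, and it bakes the address of a bytecode operand into generated code as a profiling flag. Please add a line saying that operand 4 records that the jump was taken and which tier reads it. The visible hunks only ever store 1 and never clear it, so the flag is sticky after a single mismatch; that is worth stating too.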
<a id="trunkSourceJavaScriptCorejitJITOpcodes32_64cpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/jit/JITOpcodes32_64.cpp (203360 => 203361)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/jit/JITOpcodes32_64.cpp        2016-07-18 19:12:24 UTC (rev 203360)
+++ trunk/Source/JavaScriptCore/jit/JITOpcodes32_64.cpp        2016-07-18 19:12:57 UTC (rev 203361)
</span><span class="lines">@@ -589,8 +589,12 @@
</span><span class="cx">     unsigned target = currentInstruction[3].u.operand;
</span><span class="cx"> 
</span><span class="cx">     emitLoad(src, regT1, regT0);
</span><del>-    addJump(branch32(NotEqual, regT1, TrustedImm32(JSValue::CellTag)), target);
-    addJump(branchPtr(NotEqual, regT0, TrustedImmPtr(actualPointerFor(m_codeBlock, ptr))), target);
</del><ins>+    CCallHelpers::Jump notCell = branch32(NotEqual, regT1, TrustedImm32(JSValue::CellTag));
+    CCallHelpers::Jump equal = branchPtr(Equal, regT0, TrustedImmPtr(actualPointerFor(m_codeBlock, ptr)));
+    notCell.link(this);
+    store32(TrustedImm32(1), &amp;currentInstruction[4].u.operand);
+    addJump(jump(), target);
+    equal.link(this);
</ins><span class="cx"> }
</span><span class="cx"> 
</span><span class="cx"> void JIT::emit_op_eq(Instruction* currentInstruction)
</span></span></pre></div>
<a id="trunkSourceJavaScriptCorellintLowLevelInterpreter32_64asm"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/llint/LowLevelInterpreter32_64.asm (203360 => 203361)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/llint/LowLevelInterpreter32_64.asm        2016-07-18 19:12:24 UTC (rev 203360)
+++ trunk/Source/JavaScriptCore/llint/LowLevelInterpreter32_64.asm        2016-07-18 19:12:57 UTC (rev 203361)
</span><span class="lines">@@ -1808,9 +1808,10 @@
</span><span class="cx">     loadp JSGlobalObject::m_specialPointers[t2, t1, 4], t1
</span><span class="cx">     bpeq PayloadOffset[cfr, t0, 8], t1, .opJneqPtrFallThrough
</span><span class="cx"> .opJneqPtrBranch:
</span><ins>+    storei 1, 16[PC]
</ins><span class="cx">     dispatchBranch(12[PC])
</span><span class="cx"> .opJneqPtrFallThrough:
</span><del>-    dispatch(4)
</del><ins>+    dispatch(5)
</ins><span class="cx"> 
</span><span class="cx"> 
</span><span class="cx"> macro compare(integerCompare, doubleCompare, slowPath)
</span></span></pre></div>
<a id="trunkSourceJavaScriptCorellintLowLevelInterpreter64asm"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/llint/LowLevelInterpreter64.asm (203360 => 203361)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/llint/LowLevelInterpreter64.asm        2016-07-18 19:12:24 UTC (rev 203360)
+++ trunk/Source/JavaScriptCore/llint/LowLevelInterpreter64.asm        2016-07-18 19:12:57 UTC (rev 203361)
</span><span class="lines">@@ -1767,9 +1767,10 @@
</span><span class="cx">     loadp CodeBlock::m_globalObject[t2], t2
</span><span class="cx">     loadp JSGlobalObject::m_specialPointers[t2, t1, 8], t1
</span><span class="cx">     bpneq t1, [cfr, t0, 8], .opJneqPtrTarget
</span><del>-    dispatch(4)
</del><ins>+    dispatch(5)
</ins><span class="cx"> 
</span><span class="cx"> .opJneqPtrTarget:
</span><ins>+    storei 1, 32[PB, PC, 8]
</ins><span class="cx">     dispatchIntIndirect(3)
</span><span class="cx"> 
</span><span class="cx"> 
</span></span></pre>
</div>
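Review bot: The literal offsets here encode the new operand layout by hand: 32[PB, PC, 8] is operand 4 with 8-byte slots and dispatch(5) is the new instruction length, and the 32_64 file repeats the same facts as 16[PC]. A comment naming operand 4 next to the storei would help. Since storei writes only 32 bits of an 8-byte slot, also confirm that every reader of the flag loads it as a 32-bit operand, as the baseline JIT's store32 on u.operand does.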
</div>

</body>
</html>