Diff
Modified: trunk/Source/_javascript_Core/ChangeLog (132756 => 132757)
--- trunk/Source/_javascript_Core/ChangeLog 2012-10-28 23:39:16 UTC (rev 132756)
+++ trunk/Source/_javascript_Core/ChangeLog 2012-10-29 02:16:27 UTC (rev 132757)
@@ -1,5 +1,22 @@
2012-10-28 Filip Pizlo <[email protected]>
+ There should not be blind spots in array length array profiling
+ https://bugs.webkit.org/show_bug.cgi?id=100620
+
+ Reviewed by Oliver Hunt.
+
+ I don't think this has any performance impact. But it's good to not have random
+ programs occasionally emit a GetById for array length accesses.
+
+ * jit/JITPropertyAccess.cpp:
+ (JSC::JIT::compileGetByIdHotPath):
+ (JSC::JIT::privateCompilePatchGetArrayLength):
+ * jit/JITPropertyAccess32_64.cpp:
+ (JSC::JIT::compileGetByIdHotPath):
+ (JSC::JIT::privateCompilePatchGetArrayLength):
+
+2012-10-28 Filip Pizlo <[email protected]>
+
Unreviewed, make always-true enum-to-int comparisons use casts.
* dfg/DFGFPRInfo.h:
Modified: trunk/Source/_javascript_Core/jit/JIT.h (132756 => 132757)
--- trunk/Source/_javascript_Core/jit/JIT.h 2012-10-28 23:39:16 UTC (rev 132756)
+++ trunk/Source/_javascript_Core/jit/JIT.h 2012-10-29 02:16:27 UTC (rev 132757)
@@ -543,7 +543,7 @@
void emitJumpSlowCaseIfNotJSCell(int virtualRegisterIndex);
void emitJumpSlowCaseIfNotJSCell(int virtualRegisterIndex, RegisterID tag);
- void compileGetByIdHotPath();
+ void compileGetByIdHotPath(Identifier*);
void compileGetByIdSlowCase(int resultVReg, int baseVReg, Identifier* ident, Vector<SlowCaseEntry>::iterator& iter, bool isMethodCheck = false);
void compileGetDirectOffset(RegisterID base, RegisterID resultTag, RegisterID resultPayload, PropertyOffset cachedOffset);
void compileGetDirectOffset(JSObject* base, RegisterID resultTag, RegisterID resultPayload, PropertyOffset cachedOffset);
Modified: trunk/Source/_javascript_Core/jit/JITPropertyAccess.cpp (132756 => 132757)
--- trunk/Source/_javascript_Core/jit/JITPropertyAccess.cpp 2012-10-28 23:39:16 UTC (rev 132756)
+++ trunk/Source/_javascript_Core/jit/JITPropertyAccess.cpp 2012-10-29 02:16:27 UTC (rev 132757)
@@ -517,7 +517,7 @@
emitPutVirtualRegister(resultVReg);
}
-void JIT::compileGetByIdHotPath(int baseVReg, Identifier*)
+void JIT::compileGetByIdHotPath(int baseVReg, Identifier* ident)
{
// As for put_by_id, get_by_id requires the offset of the Structure and the offset of the access to be patched.
// Additionally, for get_by_id we need patch the offset of the branch to the slow case (we patch this to jump
@@ -525,6 +525,11 @@
// to jump back to if one of these trampolies finds a match.
emitJumpSlowCaseIfNotJSCell(regT0, baseVReg);
+
+ if (*ident == m_globalData->propertyNames->length && canBeOptimized()) {
+ loadPtr(Address(regT0, JSCell::structureOffset()), regT1);
+ emitArrayProfilingSiteForBytecodeIndex(regT1, regT2, m_bytecodeOffset);
+ }
BEGIN_UNINTERRUPTED_SEQUENCE(sequenceGetByIdHotPath);
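Review bot: The added profiling block has no comment explaining its register use or why it sits ahead of `BEGIN_UNINTERRUPTED_SEQUENCE`. It overwrites regT1 and regT2 on every `length` access. The existing comment above says the offsets of the following sequence are patched later, so extra instructions presumably must not land inside it. I would add above the `if`: `// Array-profile the base's Structure for 'length' accesses. regT1/regT2 are scratch here; keep this outside the uninterrupted sequence, whose offsets get patched.` The callers of this 64-bit overload are outside the hunk, so whether regT1/regT2 are dead at every call site should be confirmed there.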
@@ -788,7 +793,6 @@
// Check eax is an array
loadPtr(Address(regT0, JSCell::structureOffset()), regT2);
- emitArrayProfilingSiteForBytecodeIndex(regT2, regT1, stubInfo->bytecodeIndex);
Jump failureCases1 = branchTest32(Zero, regT2, TrustedImm32(IsArray));
Jump failureCases2 = branchTest32(Zero, regT2, TrustedImm32(IndexingShapeMask));
Modified: trunk/Source/_javascript_Core/jit/JITPropertyAccess32_64.cpp (132756 => 132757)
--- trunk/Source/_javascript_Core/jit/JITPropertyAccess32_64.cpp 2012-10-28 23:39:16 UTC (rev 132756)
+++ trunk/Source/_javascript_Core/jit/JITPropertyAccess32_64.cpp 2012-10-29 02:16:27 UTC (rev 132757)
@@ -105,6 +105,7 @@
int dst = currentInstruction[1].u.operand;
int base = currentInstruction[2].u.operand;
+ Identifier* ident = &(m_codeBlock->identifier(currentInstruction[3].u.operand));
emitLoad(base, regT1, regT0);
emitJumpSlowCaseIfNotJSCell(base, regT1);
@@ -129,7 +130,7 @@
// Do a regular(ish) get_by_id (the slow case will be link to
// cti_op_get_by_id_method_check instead of cti_op_get_by_id.
- compileGetByIdHotPath();
+ compileGetByIdHotPath(ident);
match.link(this);
emitValueProfilingSite(m_bytecodeOffset + OPCODE_LENGTH(op_method_check));
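Review bot: On the method-check path the array profile and the value profile may end up keyed to different bytecode indices. `compileGetByIdHotPath(ident)` emits `emitArrayProfilingSiteForBytecodeIndex(regT2, regT3, m_bytecodeOffset)`, while the value profiling site two lines after the call uses `m_bytecodeOffset + OPCODE_LENGTH(op_method_check)`. If the array profile is meant to belong to the embedded get_by_id, a method call on a property named `length` would be recorded under the op_method_check offset instead. Consider passing the profiling offset into compileGetByIdHotPath, or add a comment stating that the bare `m_bytecodeOffset` is intended. How array profiles are looked up is not visible in this diff, so this needs confirming against the consumer; the 64-bit method-check caller is outside the shown hunks and may raise the same question.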
@@ -453,22 +454,28 @@
{
int dst = currentInstruction[1].u.operand;
int base = currentInstruction[2].u.operand;
+ Identifier* ident = &(m_codeBlock->identifier(currentInstruction[3].u.operand));
emitLoad(base, regT1, regT0);
emitJumpSlowCaseIfNotJSCell(base, regT1);
- compileGetByIdHotPath();
+ compileGetByIdHotPath(ident);
emitValueProfilingSite();
emitStore(dst, regT1, regT0);
map(m_bytecodeOffset + OPCODE_LENGTH(op_get_by_id), dst, regT1, regT0);
}
-void JIT::compileGetByIdHotPath()
+void JIT::compileGetByIdHotPath(Identifier* ident)
{
// As for put_by_id, get_by_id requires the offset of the Structure and the offset of the access to be patched.
// Additionally, for get_by_id we need patch the offset of the branch to the slow case (we patch this to jump
// to array-length / prototype access tranpolines, and finally we also the the property-map access offset as a label
// to jump back to if one of these trampolies finds a match.
+ if (*ident == m_globalData->propertyNames->length && canBeOptimized()) {
+ loadPtr(Address(regT0, JSCell::structureOffset()), regT2);
+ emitArrayProfilingSiteForBytecodeIndex(regT2, regT3, m_bytecodeOffset);
+ }
+
BEGIN_UNINTERRUPTED_SEQUENCE(sequenceGetByIdHotPath);
Label hotPathBegin(this);
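Review bot: The new block in compileGetByIdHotPath loads from `JSCell::structureOffset()` off regT0 with no cell check of its own. It is safe only because both visible callers emit `emitJumpSlowCaseIfNotJSCell(base, regT1)` first, whereas the 64-bit version does that check inside the function. A Structure load from a non-cell payload in JIT-emitted code would be an invalid memory read, so the precondition deserves a comment above the `if`, e.g. `// Callers have already emitted the not-a-cell slow-case jump, so regT0 holds a JSCell* payload. regT2/regT3 are scratch.` The body of compileGetByIdHotPath continues past the end of this hunk.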
@@ -751,7 +758,6 @@
// Check for array
loadPtr(Address(regT0, JSCell::structureOffset()), regT2);
- emitArrayProfilingSiteForBytecodeIndex(regT2, regT3, stubInfo->bytecodeIndex);
Jump failureCases1 = branchTest32(Zero, regT2, TrustedImm32(IsArray));
Jump failureCases2 = branchTest32(Zero, regT2, TrustedImm32(IndexingShapeMask));