
Commit 6b875a8

committed
[DFG] Unify ToNumber implementation in 32bit and 64bit by changing 32bit Int32Tag and LowestTag
https://bugs.webkit.org/show_bug.cgi?id=181134 Reviewed by Mark Lam. We would like to unify DFG ToNumber implementation in 32bit and 64bit. One problem is that branchIfNumber signature is different between 32bit and 64bit. 32bit implementation requires an additional scratch register. We do not want to allocate an unnecessary register in 64bit implementation. This patch removes the additional register in branchIfNumber/branchIfNotNumber in both 32bit and 64bit implementation. To achieve this goal, we change Int32Tag and LowestTag order. By setting Int32Tag as LowestTag, we can query whether the given tag is a number by checking `<= LowestTag(Int32Tag)`. We also change the order of UndefinedTag, NullTag, and BooleanTag to keep `(UndefinedTag | 1) == NullTag`. We also clean up speculateMisc implementation by adding branchIfMisc/branchIfNotMisc. * dfg/DFGSpeculativeJIT.cpp: (JSC::DFG::SpeculativeJIT::compileValueToInt32): (JSC::DFG::SpeculativeJIT::compileDoubleRep): (JSC::DFG::SpeculativeJIT::speculateNumber): (JSC::DFG::SpeculativeJIT::speculateMisc): (JSC::DFG::SpeculativeJIT::compileNormalizeMapKey): (JSC::DFG::SpeculativeJIT::compileToNumber): * dfg/DFGSpeculativeJIT.h: * dfg/DFGSpeculativeJIT32_64.cpp: (JSC::DFG::SpeculativeJIT::nonSpeculativeNonPeepholeCompareNullOrUndefined): (JSC::DFG::SpeculativeJIT::nonSpeculativePeepholeBranchNullOrUndefined): (JSC::DFG::SpeculativeJIT::compileObjectOrOtherLogicalNot): (JSC::DFG::SpeculativeJIT::emitObjectOrOtherBranch): (JSC::DFG::SpeculativeJIT::compile): * dfg/DFGSpeculativeJIT64.cpp: (JSC::DFG::SpeculativeJIT::compile): * jit/AssemblyHelpers.cpp: (JSC::AssemblyHelpers::branchIfNotType): (JSC::AssemblyHelpers::jitAssertIsJSNumber): (JSC::AssemblyHelpers::emitConvertValueToBoolean): * jit/AssemblyHelpers.h: (JSC::AssemblyHelpers::branchIfMisc): (JSC::AssemblyHelpers::branchIfNotMisc): (JSC::AssemblyHelpers::branchIfNumber): (JSC::AssemblyHelpers::branchIfNotNumber): (JSC::AssemblyHelpers::branchIfNotDoubleKnownNotInt32): 
(JSC::AssemblyHelpers::emitTypeOf): * jit/JITAddGenerator.cpp: (JSC::JITAddGenerator::generateFastPath): * jit/JITArithmetic32_64.cpp: (JSC::JIT::emitBinaryDoubleOp): * jit/JITDivGenerator.cpp: (JSC::JITDivGenerator::loadOperand): * jit/JITMulGenerator.cpp: (JSC::JITMulGenerator::generateInline): (JSC::JITMulGenerator::generateFastPath): * jit/JITNegGenerator.cpp: (JSC::JITNegGenerator::generateInline): (JSC::JITNegGenerator::generateFastPath): * jit/JITOpcodes32_64.cpp: (JSC::JIT::emit_op_is_number): (JSC::JIT::emit_op_jeq_null): (JSC::JIT::emit_op_jneq_null): (JSC::JIT::emit_op_to_number): (JSC::JIT::emit_op_profile_type): * jit/JITRightShiftGenerator.cpp: (JSC::JITRightShiftGenerator::generateFastPath): * jit/JITSubGenerator.cpp: (JSC::JITSubGenerator::generateInline): (JSC::JITSubGenerator::generateFastPath): * llint/LLIntData.cpp: (JSC::LLInt::Data::performAssertions): * llint/LowLevelInterpreter.asm: * llint/LowLevelInterpreter32_64.asm: * runtime/JSCJSValue.h: Canonical link: https://commits.webkit.org/197151@main git-svn-id: https://svn.webkit.org/repository/webkit/trunk@226434 268f45cc-cd09-0410-ab3c-d52691b4dbfc
1 parent 3ce0f53 commit 6b875a8

19 files changed

Lines changed: 213 additions & 200 deletions

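--- a/Source/JavaScriptCore/ChangeLog
+++ b/Source/JavaScriptCore/ChangeLog
@@ -1,3 +1,80 @@
+2018-01-04 Yusuke Suzuki <utatane.tea@gmail.com>
+
+[DFG] Unify ToNumber implementation in 32bit and 64bit by changing 32bit Int32Tag and LowestTag
+https://bugs.webkit.org/show_bug.cgi?id=181134
+
+Reviewed by Mark Lam.
+
+We would like to unify DFG ToNumber implementation in 32bit and 64bit. One problem is that
+branchIfNumber signature is different between 32bit and 64bit. 32bit implementation requires
+an additional scratch register. We do not want to allocate an unnecessary register in 64bit
+implementation.
+
+This patch removes the additional register in branchIfNumber/branchIfNotNumber in both 32bit
+and 64bit implementation. To achieve this goal, we change Int32Tag and LowestTag order. By
+setting Int32Tag as LowestTag, we can query whether the given tag is a number by checking
+`<= LowestTag(Int32Tag)`.
+
+We also change the order of UndefinedTag, NullTag, and BooleanTag to keep `(UndefinedTag | 1) == NullTag`.
+
+We also clean up speculateMisc implementation by adding branchIfMisc/branchIfNotMisc.
+
+* dfg/DFGSpeculativeJIT.cpp:
+(JSC::DFG::SpeculativeJIT::compileValueToInt32):
+(JSC::DFG::SpeculativeJIT::compileDoubleRep):
+(JSC::DFG::SpeculativeJIT::speculateNumber):
+(JSC::DFG::SpeculativeJIT::speculateMisc):
+(JSC::DFG::SpeculativeJIT::compileNormalizeMapKey):
+(JSC::DFG::SpeculativeJIT::compileToNumber):
+* dfg/DFGSpeculativeJIT.h:
+* dfg/DFGSpeculativeJIT32_64.cpp:
+(JSC::DFG::SpeculativeJIT::nonSpeculativeNonPeepholeCompareNullOrUndefined):
+(JSC::DFG::SpeculativeJIT::nonSpeculativePeepholeBranchNullOrUndefined):
+(JSC::DFG::SpeculativeJIT::compileObjectOrOtherLogicalNot):
+(JSC::DFG::SpeculativeJIT::emitObjectOrOtherBranch):
+(JSC::DFG::SpeculativeJIT::compile):
+* dfg/DFGSpeculativeJIT64.cpp:
+(JSC::DFG::SpeculativeJIT::compile):
+* jit/AssemblyHelpers.cpp:
+(JSC::AssemblyHelpers::branchIfNotType):
+(JSC::AssemblyHelpers::jitAssertIsJSNumber):
+(JSC::AssemblyHelpers::emitConvertValueToBoolean):
+* jit/AssemblyHelpers.h:
+(JSC::AssemblyHelpers::branchIfMisc):
+(JSC::AssemblyHelpers::branchIfNotMisc):
+(JSC::AssemblyHelpers::branchIfNumber):
+(JSC::AssemblyHelpers::branchIfNotNumber):
+(JSC::AssemblyHelpers::branchIfNotDoubleKnownNotInt32):
+(JSC::AssemblyHelpers::emitTypeOf):
+* jit/JITAddGenerator.cpp:
+(JSC::JITAddGenerator::generateFastPath):
+* jit/JITArithmetic32_64.cpp:
+(JSC::JIT::emitBinaryDoubleOp):
+* jit/JITDivGenerator.cpp:
+(JSC::JITDivGenerator::loadOperand):
+* jit/JITMulGenerator.cpp:
+(JSC::JITMulGenerator::generateInline):
+(JSC::JITMulGenerator::generateFastPath):
+* jit/JITNegGenerator.cpp:
+(JSC::JITNegGenerator::generateInline):
+(JSC::JITNegGenerator::generateFastPath):
+* jit/JITOpcodes32_64.cpp:
+(JSC::JIT::emit_op_is_number):
+(JSC::JIT::emit_op_jeq_null):
+(JSC::JIT::emit_op_jneq_null):
+(JSC::JIT::emit_op_to_number):
+(JSC::JIT::emit_op_profile_type):
+* jit/JITRightShiftGenerator.cpp:
+(JSC::JITRightShiftGenerator::generateFastPath):
+* jit/JITSubGenerator.cpp:
+(JSC::JITSubGenerator::generateInline):
+(JSC::JITSubGenerator::generateFastPath):
+* llint/LLIntData.cpp:
+(JSC::LLInt::Data::performAssertions):
+* llint/LowLevelInterpreter.asm:
+* llint/LowLevelInterpreter32_64.asm:
+* runtime/JSCJSValue.h:
+
 2018-01-04 JF Bastien <jfbastien@apple.com>
 
 Add assembler support for x86 lfence and sfence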

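--- a/Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp
+++ b/Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp
@@ -2427,7 +2427,7 @@ void SpeculativeJIT::compileValueToInt32(Node* node)
 MacroAssembler::AboveOrEqual, tagGPR,
 TrustedImm32(JSValue::LowestTag)));
 } else {
-JITCompiler::Jump isNumber = m_jit.branch32(MacroAssembler::Below, tagGPR, TrustedImm32(JSValue::LowestTag));
+JITCompiler::Jump isDouble = m_jit.branch32(MacroAssembler::Below, tagGPR, TrustedImm32(JSValue::LowestTag));
 
 DFG_TYPE_CHECK(
 op1.jsValueRegs(), node->child1(), ~SpecCell,
@@ -2442,7 +2442,7 @@ void SpeculativeJIT::compileValueToInt32(Node* node)
 m_jit.move(payloadGPR, resultGpr);
 converted.append(m_jit.jump());
 
-isNumber.link(&m_jit);
+isDouble.link(&m_jit);
 }
 
 unboxDouble(tagGPR, payloadGPR, fpr, scratch.fpr());
@@ -2644,7 +2644,7 @@ void SpeculativeJIT::compileDoubleRep(Node* node)
 MacroAssembler::Equal, op1TagGPR, TrustedImm32(JSValue::Int32Tag));
 
 if (node->child1().useKind() == NotCellUse) {
-JITCompiler::Jump isNumber = m_jit.branch32(JITCompiler::Below, op1TagGPR, JITCompiler::TrustedImm32(JSValue::LowestTag + 1));
+JITCompiler::Jump isDouble = m_jit.branch32(JITCompiler::Below, op1TagGPR, JITCompiler::TrustedImm32(JSValue::LowestTag));
 JITCompiler::Jump isUndefined = m_jit.branch32(JITCompiler::Equal, op1TagGPR, TrustedImm32(JSValue::UndefinedTag));
 
 static const double zero = 0;
@@ -2666,7 +2666,7 @@ void SpeculativeJIT::compileDoubleRep(Node* node)
 m_jit.loadDouble(TrustedImmPtr(&NaN), resultFPR);
 done.append(m_jit.jump());
 
-isNumber.link(&m_jit);
+isDouble.link(&m_jit);
 } else if (needsTypeCheck(node->child1(), SpecBytecodeNumber)) {
 typeCheck(
 JSValueRegs(op1TagGPR, op1PayloadGPR), node->child1(), SpecBytecodeNumber,
@@ -9127,20 +9127,8 @@ void SpeculativeJIT::speculateNumber(Edge edge)
 return;
 
 JSValueOperand value(this, edge, ManualOperandSpeculation);
-#if USE(JSVALUE64)
-GPRReg gpr = value.gpr();
-typeCheck(
-JSValueRegs(gpr), edge, SpecBytecodeNumber,
-m_jit.branchTest64(MacroAssembler::Zero, gpr, GPRInfo::tagTypeNumberRegister));
-#else
-GPRReg tagGPR = value.tagGPR();
-DFG_TYPE_CHECK(
-value.jsValueRegs(), edge, ~SpecInt32Only,
-m_jit.branch32(MacroAssembler::Equal, tagGPR, TrustedImm32(JSValue::Int32Tag)));
-DFG_TYPE_CHECK(
-value.jsValueRegs(), edge, SpecBytecodeNumber,
-m_jit.branch32(MacroAssembler::AboveOrEqual, tagGPR, TrustedImm32(JSValue::LowestTag)));
-#endif
+JSValueRegs valueRegs = value.jsValueRegs();
+DFG_TYPE_CHECK(valueRegs, edge, SpecBytecodeNumber, m_jit.branchIfNotNumber(valueRegs));
 }
 
 void SpeculativeJIT::speculateRealNumber(Edge edge)
@@ -9606,18 +9594,7 @@ void SpeculativeJIT::speculateOther(Edge edge)
 
 void SpeculativeJIT::speculateMisc(Edge edge, JSValueRegs regs)
 {
-#if USE(JSVALUE64)
-DFG_TYPE_CHECK(
-regs, edge, SpecMisc,
-m_jit.branch64(MacroAssembler::Above, regs.gpr(), MacroAssembler::TrustedImm64(TagBitTypeOther | TagBitBool | TagBitUndefined)));
-#else
-DFG_TYPE_CHECK(
-regs, edge, ~SpecInt32Only,
-m_jit.branch32(MacroAssembler::Equal, regs.tagGPR(), MacroAssembler::TrustedImm32(JSValue::Int32Tag)));
-DFG_TYPE_CHECK(
-regs, edge, SpecMisc,
-m_jit.branch32(MacroAssembler::Below, regs.tagGPR(), MacroAssembler::TrustedImm32(JSValue::UndefinedTag)));
-#endif
+DFG_TYPE_CHECK(regs, edge, SpecMisc, m_jit.branchIfNotMisc(regs));
 }
 
 void SpeculativeJIT::speculateMisc(Edge edge)
@@ -10930,7 +10907,7 @@ void SpeculativeJIT::compileNormalizeMapKey(Node* node)
 
 CCallHelpers::JumpList passThroughCases;
 
-passThroughCases.append(m_jit.branchIfNotNumber(keyRegs, scratchGPR));
+passThroughCases.append(m_jit.branchIfNotNumber(keyRegs));
 passThroughCases.append(m_jit.branchIfInt32(keyRegs));
 
 #if USE(JSVALUE64)
@@ -11454,6 +11431,42 @@ void SpeculativeJIT::compileToPrimitive(Node* node)
 jsValueResult(resultRegs, node, DataFormatJS, UseChildrenCalledExplicitly);
 }
 
+void SpeculativeJIT::compileToNumber(Node* node)
+{
+JSValueOperand argument(this, node->child1());
+JSValueRegs argumentRegs = argument.jsValueRegs();
+
+// We have several attempts to remove ToNumber. But ToNumber still exists.
+// It means that converting non-numbers to numbers by this ToNumber is not rare.
+// Instead of the slow path generator, we emit callOperation here.
+if (!(m_state.forNode(node->child1()).m_type & SpecBytecodeNumber)) {
+flushRegisters();
+JSValueRegsFlushedCallResult result(this);
+JSValueRegs resultRegs = result.regs();
+callOperation(operationToNumber, resultRegs, argumentRegs);
+m_jit.exceptionCheck();
+jsValueResult(resultRegs, node);
+return;
+}
+
+JSValueRegsTemporary result(this, Reuse, argument);
+JSValueRegs resultRegs = result.regs();
+
+auto notNumber = m_jit.branchIfNotNumber(argumentRegs);
+m_jit.moveValueRegs(argumentRegs, resultRegs);
+auto done = m_jit.jump();
+
+notNumber.link(&m_jit);
+silentSpillAllRegisters(resultRegs);
+callOperation(operationToNumber, resultRegs, argumentRegs);
+silentFillAllRegisters();
+m_jit.exceptionCheck();
+
+done.link(&m_jit);
+
+jsValueResult(resultRegs, node);
+}
+
 void SpeculativeJIT::compileLogShadowChickenPrologue(Node* node)
 {
 flushRegisters();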
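Review bot: The comment carried into the new compileToNumber (last hunk of this file) explains why the call is emitted inline but not what separates the function's two paths. The first path runs when the abstract type of child1 has no SpecBytecodeNumber bits, so it flushes registers and always calls operationToNumber; the second keeps a fast path guarded by `branchIfNotNumber(argumentRegs)` and spills silently around the call. I would reword the existing comment to `// ToNumber survived earlier elimination attempts, so non-number inputs are not rare: call operationToNumber inline instead of through a slow path generator.` and add `// Fast path: a value that is already a number is its own ToNumber result.` above the `branchIfNotNumber` line.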

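--- a/Source/JavaScriptCore/dfg/DFGSpeculativeJIT.h
+++ b/Source/JavaScriptCore/dfg/DFGSpeculativeJIT.h
@@ -3109,6 +3109,7 @@ class SpeculativeJIT {
 void compileCreateThis(Node*);
 void compileNewObject(Node*);
 void compileToPrimitive(Node*);
+void compileToNumber(Node*);
 void compileLogShadowChickenPrologue(Node*);
 void compileLogShadowChickenTail(Node*);
 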

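--- a/Source/JavaScriptCore/dfg/DFGSpeculativeJIT32_64.cpp
+++ b/Source/JavaScriptCore/dfg/DFGSpeculativeJIT32_64.cpp
@@ -346,7 +346,7 @@ void SpeculativeJIT::nonSpeculativeNonPeepholeCompareNullOrUndefined(Edge operan
 
 notCell.link(&m_jit);
 // null or undefined?
-COMPILE_ASSERT((JSValue::UndefinedTag | 1) == JSValue::NullTag, UndefinedTag_OR_1_EQUALS_NullTag);
+static_assert((JSValue::UndefinedTag | 1) == JSValue::NullTag, "");
 m_jit.or32(TrustedImm32(1), argTagGPR, resultPayloadGPR);
 m_jit.compare32(JITCompiler::Equal, resultPayloadGPR, TrustedImm32(JSValue::NullTag), resultPayloadGPR);
 
@@ -410,7 +410,7 @@ void SpeculativeJIT::nonSpeculativePeepholeBranchNullOrUndefined(Edge operand, N
 
 notCell.link(&m_jit);
 // null or undefined?
-COMPILE_ASSERT((JSValue::UndefinedTag | 1) == JSValue::NullTag, UndefinedTag_OR_1_EQUALS_NullTag);
+static_assert((JSValue::UndefinedTag | 1) == JSValue::NullTag, "");
 m_jit.or32(TrustedImm32(1), argTagGPR, resultGPR);
 branch32(invert ? JITCompiler::NotEqual : JITCompiler::Equal, resultGPR, JITCompiler::TrustedImm32(JSValue::NullTag), taken);
 }
@@ -1781,7 +1781,7 @@ void SpeculativeJIT::compileObjectOrOtherLogicalNot(Edge nodeUse)
 
 notCell.link(&m_jit);
 
-COMPILE_ASSERT((JSValue::UndefinedTag | 1) == JSValue::NullTag, UndefinedTag_OR_1_EQUALS_NullTag);
+static_assert((JSValue::UndefinedTag | 1) == JSValue::NullTag, "");
 if (needsTypeCheck(nodeUse, SpecCell | SpecOther)) {
 m_jit.or32(TrustedImm32(1), valueTagGPR, resultPayloadGPR);
 typeCheck(
@@ -1899,7 +1899,7 @@ void SpeculativeJIT::emitObjectOrOtherBranch(Edge nodeUse, BasicBlock* taken, Ba
 
 notCell.link(&m_jit);
 
-COMPILE_ASSERT((JSValue::UndefinedTag | 1) == JSValue::NullTag, UndefinedTag_OR_1_EQUALS_NullTag);
+static_assert((JSValue::UndefinedTag | 1) == JSValue::NullTag, "");
 if (needsTypeCheck(nodeUse, SpecCell | SpecOther)) {
 m_jit.or32(TrustedImm32(1), valueTagGPR, scratchGPR);
 typeCheck(
@@ -3450,44 +3450,7 @@ void SpeculativeJIT::compile(Node* node)
 }
 
 case ToNumber: {
-JSValueOperand argument(this, node->child1());
-GPRTemporary resultTag(this, Reuse, argument, TagWord);
-GPRTemporary resultPayload(this, Reuse, argument, PayloadWord);
-
-GPRReg argumentPayloadGPR = argument.payloadGPR();
-GPRReg argumentTagGPR = argument.tagGPR();
-JSValueRegs argumentRegs = argument.jsValueRegs();
-JSValueRegs resultRegs(resultTag.gpr(), resultPayload.gpr());
-
-argument.use();
-
-// We have several attempts to remove ToNumber. But ToNumber still exists.
-// It means that converting non-numbers to numbers by this ToNumber is not rare.
-// Instead of the slow path generator, we emit callOperation here.
-if (!(m_state.forNode(node->child1()).m_type & SpecBytecodeNumber)) {
-flushRegisters();
-callOperation(operationToNumber, resultRegs, argumentRegs);
-m_jit.exceptionCheck();
-} else {
-MacroAssembler::Jump notNumber;
-{
-GPRTemporary scratch(this);
-notNumber = m_jit.branchIfNotNumber(argument.jsValueRegs(), scratch.gpr());
-}
-m_jit.move(argumentTagGPR, resultRegs.tagGPR());
-m_jit.move(argumentPayloadGPR, resultRegs.payloadGPR());
-MacroAssembler::Jump done = m_jit.jump();
-
-notNumber.link(&m_jit);
-silentSpillAllRegisters(resultRegs);
-callOperation(operationToNumber, resultRegs, argumentRegs);
-silentFillAllRegisters();
-m_jit.exceptionCheck();
-
-done.link(&m_jit);
-}
-
-jsValueResult(resultRegs.tagGPR(), resultRegs.payloadGPR(), node, UseChildrenCalledExplicitly);
+compileToNumber(node);
 break;
 }
 
@@ -4385,8 +4348,7 @@ void SpeculativeJIT::compile(Node* node)
 JSValueOperand value(this, node->child1());
 GPRTemporary result(this, Reuse, value, TagWord);
 
-m_jit.add32(TrustedImm32(1), value.tagGPR(), result.gpr());
-m_jit.compare32(JITCompiler::Below, result.gpr(), JITCompiler::TrustedImm32(JSValue::LowestTag + 1), result.gpr());
+m_jit.compare32(JITCompiler::BelowOrEqual, result.gpr(), JITCompiler::TrustedImm32(JSValue::LowestTag), result.gpr());
 booleanResult(result.gpr(), node);
 break;
 }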
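Review bot: In the last hunk of this file (new line 4351) the new `compare32` takes `result.gpr()` as its left operand, but nothing visible writes the tag into that register any more; the removed `add32` was the instruction that copied `value.tagGPR()` into it. `GPRTemporary result(this, Reuse, value, TagWord)` presumably aliases the tag register only when the operand can be reused, so in the other case the comparison would run on an unrelated register and the boolean handed to `booleanResult` would not reflect the operand's type. Comparing the operand's tag directly removes that dependency: `m_jit.compare32(JITCompiler::BelowOrEqual, value.tagGPR(), JITCompiler::TrustedImm32(JSValue::LowestTag), result.gpr());`. The case label this code belongs to in compile() lies outside the hunk.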

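--- a/Source/JavaScriptCore/dfg/DFGSpeculativeJIT64.cpp
+++ b/Source/JavaScriptCore/dfg/DFGSpeculativeJIT64.cpp
@@ -3665,36 +3665,7 @@ void SpeculativeJIT::compile(Node* node)
 }
 
 case ToNumber: {
-JSValueOperand argument(this, node->child1());
-GPRTemporary result(this, Reuse, argument);
-
-GPRReg argumentGPR = argument.gpr();
-GPRReg resultGPR = result.gpr();
-
-argument.use();
-
-// We have several attempts to remove ToNumber. But ToNumber still exists.
-// It means that converting non-numbers to numbers by this ToNumber is not rare.
-// Instead of the slow path generator, we emit callOperation here.
-if (!(m_state.forNode(node->child1()).m_type & SpecBytecodeNumber)) {
-flushRegisters();
-callOperation(operationToNumber, resultGPR, argumentGPR);
-m_jit.exceptionCheck();
-} else {
-MacroAssembler::Jump notNumber = m_jit.branchIfNotNumber(argumentGPR);
-m_jit.move(argumentGPR, resultGPR);
-MacroAssembler::Jump done = m_jit.jump();
-
-notNumber.link(&m_jit);
-silentSpillAllRegisters(resultGPR);
-callOperation(operationToNumber, resultGPR, argumentGPR);
-silentFillAllRegisters();
-m_jit.exceptionCheck();
-
-done.link(&m_jit);
-}
-
-jsValueResult(resultGPR, node, UseChildrenCalledExplicitly);
+compileToNumber(node);
 break;
 }
 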

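--- a/Source/JavaScriptCore/jit/AssemblyHelpers.cpp
+++ b/Source/JavaScriptCore/jit/AssemblyHelpers.cpp
@@ -87,7 +87,7 @@ AssemblyHelpers::JumpList AssemblyHelpers::branchIfNotType(
 break;
 
 case InferredType::Number:
-result.append(branchIfNotNumber(regs, tempGPR, mode));
+result.append(branchIfNotNumber(regs, mode));
 break;
 
 case InferredType::String:
@@ -260,11 +260,9 @@ void AssemblyHelpers::jitAssertIsJSInt32(GPRReg gpr)
 
 void AssemblyHelpers::jitAssertIsJSNumber(GPRReg gpr)
 {
-Jump checkJSInt32 = branch32(Equal, gpr, TrustedImm32(JSValue::Int32Tag));
-Jump checkJSDouble = branch32(Below, gpr, TrustedImm32(JSValue::LowestTag));
+Jump checkJSNumber = branch32(BelowOrEqual, gpr, TrustedImm32(JSValue::LowestTag));
 abortWithReason(AHIsNotJSNumber);
-checkJSInt32.link(this);
-checkJSDouble.link(this);
+checkJSNumber.link(this);
 }
 
 void AssemblyHelpers::jitAssertIsJSDouble(GPRReg gpr)
@@ -721,12 +719,7 @@ void AssemblyHelpers::emitConvertValueToBoolean(VM& vm, JSValueRegs value, GPRRe
 done.append(jump());
 
 notBoolean.link(this);
-#if USE(JSVALUE64)
-auto isNotNumber = branchIfNotNumber(value.gpr());
-#else
-ASSERT(scratch != InvalidGPRReg);
-auto isNotNumber = branchIfNotNumber(value, scratch);
-#endif
+auto isNotNumber = branchIfNotNumber(value);
 auto isDouble = branchIfNotInt32(value);
 
 // It's an int32.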
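Review bot: In the second hunk, jitAssertIsJSNumber now accepts any tag that is `BelowOrEqual` to `JSValue::LowestTag`, which is a number check only while Int32Tag is the lowest tag, and nothing in the hunk pins that. If the tag order is changed again, this debug assertion would start accepting a non-number tag without any build failure. A `static_assert(JSValue::Int32Tag == JSValue::LowestTag, "");` next to the branch would keep the dependency visible, in the same style as the `(UndefinedTag | 1) == NullTag` asserts this commit adds in DFGSpeculativeJIT32_64.cpp. JSCJSValue.h and LLIntData.cpp are not shown here, so the invariant may already be asserted there.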
