[JAEGER] Added PIC for arguments.length (bug 580036).

2024-09-13 09:24:08 -07:00 · 2010-07-19 18:21:34 -07:00 · 2010-07-19 18:21:34 -07:00 · 3c92cb6c14
commit 3c92cb6c14
parent 8c885cf46b
2 changed files with 57 additions and 6 deletions
--- a/js/src/jsobj.h
+++ b/js/src/jsobj.h
@ -529,11 +529,11 @@ struct JSObject {
     * Argument index i is stored in dslots[i], accessible via
     * {get,set}ArgsElement().
     */
-    static const uint32 JSSLOT_ARGS_LENGTH = JSSLOT_PRIVATE + 1;
    static const uint32 JSSLOT_ARGS_CALLEE = JSSLOT_PRIVATE + 2;

  public:
    /* Number of extra fixed slots besides JSSLOT_PRIVATE. */
+    static const uint32 JSSLOT_ARGS_LENGTH = JSSLOT_PRIVATE + 1;
    static const uint32 ARGS_FIXED_RESERVED_SLOTS = 2;

    inline uint32 getArgsLength() const;
--- a/js/src/methodjit/PolyIC.cpp
+++ b/js/src/methodjit/PolyIC.cpp
@ -518,6 +518,48 @@ class GetPropCompiler : public PICStubCompiler
        repatcher.relinkCallerToTrampoline(retPtr, target);
    }

+    bool generateArgsLengthStub()
+    {
+        Assembler masm;
+
+        Address clasp(pic.objReg, offsetof(JSObject, clasp));
+        Jump notArgs = masm.branchPtr(Assembler::NotEqual, clasp, ImmPtr(&js_SlowArrayClass));
+
+        masm.loadData32(Address(pic.objReg, offsetof(JSObject, fslots) +
+                                            JSObject::JSSLOT_ARGS_LENGTH * sizeof(Value)),
+                        pic.objReg);
+        masm.move(pic.objReg, pic.shapeReg);
+        masm.and32(Imm32(1), pic.shapeReg);
+        Jump overridden = masm.branchTest32(Assembler::NonZero, pic.shapeReg, pic.shapeReg);
+        
+        masm.move(ImmTag(JSVAL_TAG_INT32), pic.shapeReg);
+        Jump done = masm.jump();
+
+        JSC::ExecutablePool *ep = getExecPool(masm.size());
+        if (!ep || !pic.execPools.append(ep)) {
+            if (ep)
+                ep->release();
+            js_ReportOutOfMemory(f.cx);
+            return false;
+        }
+
+        JSC::LinkBuffer buffer(&masm, ep);
+        buffer.link(notArgs, pic.slowPathStart);
+        buffer.link(overridden, pic.slowPathStart);
+        buffer.link(done, pic.storeBack);
+
+        CodeLocationLabel start = buffer.finalizeCodeAddendum();
+        JaegerSpew(JSpew_PICs, "generate args length stub at %p\n",
+                   start.executableAddress());
+
+        PICRepatchBuffer repatcher(pic, pic.lastPathStart());
+        patchPreviousToHere(repatcher, start);
+
+        disable("args length done");
+
+        return true;
+    }
+
    bool generateArrayLengthStub()
    {
        Assembler masm;
@ -751,6 +793,7 @@ class GetPropCompiler : public PICStubCompiler

        Label start;
        Jump shapeGuard;
+        Jump argsLenGuard;
        if (obj->isDenseArray()) {
            start = masm.label();
            shapeGuard = masm.branchPtr(Assembler::NotEqual,
@ -1251,13 +1294,21 @@ ic::GetProp(VMFrame &f, uint32 index)
            return;
        } else if (!f.regs.sp[-1].isPrimitive()) {
            JSObject *obj = &f.regs.sp[-1].toObject();
-            if (obj->isArray()) {
+            if (obj->isArray() || (obj->isArguments() && !obj->isArgsLengthOverridden())) {
                GetPropCompiler cc(f, script, obj, pic, NULL, stubs::Length);
-                if (!cc.generateArrayLengthStub()) {
-                    cc.disable("error");
-                    THROW();
+                if (obj->isArray()) {
+                    if (!cc.generateArrayLengthStub()) {
+                        cc.disable("error");
+                        THROW();
+                    }
+                    f.regs.sp[-1].setNumber(obj->getArrayLength());
+                } else if (obj->isArguments()) {
+                    if (!cc.generateArgsLengthStub()) {
+                        cc.disable("error");
+                        THROW();
+                    }
+                    f.regs.sp[-1].setInt32(int32_t(obj->getArgsLength()));
                }
-                f.regs.sp[-1].setNumber(obj->getArrayLength());
                return;
            }
        }