[webkit-changes] [219636] trunk/Source/JavaScriptCore

[mark . lam]

Title: [219636] trunk/Source/_javascript_Core

Revision

219636

Author

mark....@apple.com

Date

2017-07-18 15:40:59 -0700 (Tue, 18 Jul 2017)

Log Message

Butterfly storage need not be initialized for indexing type Undecided.
https://bugs.webkit.org/show_bug.cgi?id=174516

Reviewed by Saam Barati.

While it's not incorrect to initialize the butterfly storage when the
indexingType is Undecided, it is inefficient as we'll end up initializing
it again later when we convert the storage to a different indexingType.
Some of our code already skips initializing Undecided butterflies.
This patch makes it the consistent behavior everywhere.

* dfg/DFGSpeculativeJIT.cpp:
(JSC::DFG::SpeculativeJIT::emitAllocateRawObject):
* runtime/JSArray.cpp:
(JSC::JSArray::tryCreateUninitializedRestricted):
* runtime/JSArray.h:
(JSC::JSArray::tryCreate):
* runtime/JSObject.cpp:
(JSC::JSObject::ensureLengthSlow):

Modified Paths

• trunk/Source/_javascript_Core/ChangeLog
• trunk/Source/_javascript_Core/dfg/DFGSpeculativeJIT.cpp
• trunk/Source/_javascript_Core/runtime/JSArray.cpp
• trunk/Source/_javascript_Core/runtime/JSArray.h
• trunk/Source/_javascript_Core/runtime/JSObject.cpp

Diff

Modified: trunk/Source/_javascript_Core/ChangeLog (219635 => 219636)

--- trunk/Source/_javascript_Core/ChangeLog	2017-07-18 22:28:33 UTC (rev 219635)
+++ trunk/Source/_javascript_Core/ChangeLog	2017-07-18 22:40:59 UTC (rev 219636)
@@ -1,3 +1,25 @@
+2017-07-18  Mark Lam  <mark....@apple.com>
+
+        Butterfly storage need not be initialized for indexing type Undecided.
+        https://bugs.webkit.org/show_bug.cgi?id=174516
+
+        Reviewed by Saam Barati.
+
+        While it's not incorrect to initialize the butterfly storage when the
+        indexingType is Undecided, it is inefficient as we'll end up initializing
+        it again later when we convert the storage to a different indexingType.
+        Some of our code already skips initializing Undecided butterflies.
+        This patch makes it the consistent behavior everywhere.
+
+        * dfg/DFGSpeculativeJIT.cpp:
+        (JSC::DFG::SpeculativeJIT::emitAllocateRawObject):
+        * runtime/JSArray.cpp:
+        (JSC::JSArray::tryCreateUninitializedRestricted):
+        * runtime/JSArray.h:
+        (JSC::JSArray::tryCreate):
+        * runtime/JSObject.cpp:
+        (JSC::JSObject::ensureLengthSlow):
+
 2017-07-18  Saam Barati  <sbar...@apple.com>
 
         AirLowerAfterRegAlloc may incorrectly use a callee save that's live as a scratch register

Modified: trunk/Source/_javascript_Core/dfg/DFGSpeculativeJIT.cpp (219635 => 219636)

--- trunk/Source/_javascript_Core/dfg/DFGSpeculativeJIT.cpp	2017-07-18 22:28:33 UTC (rev 219635)
+++ trunk/Source/_javascript_Core/dfg/DFGSpeculativeJIT.cpp	2017-07-18 22:40:59 UTC (rev 219636)
@@ -139,7 +139,7 @@
         slowCases, this, operationNewRawObject, resultGPR, storageGPR,
         structure, vectorLength));
 
-    if (numElements < vectorLength) {
+    if (numElements < vectorLength && LIKELY(!hasUndecided(structure->indexingType()))) {
 #if USE(JSVALUE64)
         if (hasDouble(structure->indexingType()))
             m_jit.move(TrustedImm64(bitwise_cast<int64_t>(PNaN)), scratchGPR);

Modified: trunk/Source/_javascript_Core/runtime/JSArray.cpp (219635 => 219636)

--- trunk/Source/_javascript_Core/runtime/JSArray.cpp	2017-07-18 22:28:33 UTC (rev 219635)
+++ trunk/Source/_javascript_Core/runtime/JSArray.cpp	2017-07-18 22:40:59 UTC (rev 219636)
@@ -91,7 +91,7 @@
         if (hasDouble(indexingType)) {
             for (; i < vectorLength; ++i)
                 butterfly->contiguousDouble()[i] = PNaN;
-        } else {
+        } else if (LIKELY(!hasUndecided(indexingType))) {
             for (; i < vectorLength; ++i)
                 butterfly->contiguous()[i].clear();
         }

Modified: trunk/Source/_javascript_Core/runtime/JSArray.h (219635 => 219636)

--- trunk/Source/_javascript_Core/runtime/JSArray.h	2017-07-18 22:28:33 UTC (rev 219635)
+++ trunk/Source/_javascript_Core/runtime/JSArray.h	2017-07-18 22:40:59 UTC (rev 219636)
@@ -239,7 +239,7 @@
         butterfly->setPublicLength(initialLength);
         if (hasDouble(indexingType))
             clearArray(butterfly->contiguousDouble().data(), vectorLength);
-        else
+        else if (LIKELY(!hasUndecided(indexingType)))
             clearArray(butterfly->contiguous().data(), vectorLength);
     } else {
         ASSERT(

Modified: trunk/Source/_javascript_Core/runtime/JSObject.cpp (219635 => 219636)

--- trunk/Source/_javascript_Core/runtime/JSObject.cpp	2017-07-18 22:28:33 UTC (rev 219635)
+++ trunk/Source/_javascript_Core/runtime/JSObject.cpp	2017-07-18 22:40:59 UTC (rev 219636)
@@ -3167,7 +3167,7 @@
     if (hasDouble(indexingType())) {
         for (unsigned i = oldVectorLength; i < newVectorLength; ++i)
             butterfly->indexingPayload<double>()[i] = PNaN;
-    } else {
+    } else if (LIKELY(!hasUndecided(indexingType()))) {
         for (unsigned i = oldVectorLength; i < newVectorLength; ++i)
             butterfly->indexingPayload<WriteBarrier<Unknown>>()[i].clear();
     }

_______________________________________________
webkit-changes mailing list
webkit-changes@lists.webkit.org
https://lists.webkit.org/mailman/listinfo/webkit-changes