Title: [271164] trunk
- Revision: 271164
- Author: [email protected]
- Date: 2021-01-05 11:53:56 -0800 (Tue, 05 Jan 2021)
Log Message
We should have a DFG intrinsic for the construct case of the Object constructor
https://bugs.webkit.org/show_bug.cgi?id=155591
Reviewed by Yusuke Suzuki.
JSTests:
* microbenchmarks/new-object-no-expected-function.js: Added.
* stress/call-object-constructor-with-new.js: Added.
* stress/dfg-builtin-constructor-cross-realm.js: Added.
Source/JavaScriptCore:
Given that a) ObjectConstructor behaves identically for [[Call]] and [[Construct]] with itself
as NewTarget [1] and b) handleConstantInternalFunction() returns early if NewTarget is altered,
this patch simply removes the CodeForCall guard.
While `new Object()` is already optimized via BytecodeGenerator::emitExpectedFunctionSnippet(),
this change is a 4x speedup for rather rare usages like `new window.Object()`.
[1]: https://tc39.es/ecma262/#sec-object-value (step 1)
* dfg/DFGByteCodeParser.cpp:
(JSC::DFG::ByteCodeParser::handleConstantInternalFunction):
Diff
Modified: trunk/JSTests/ChangeLog (271163 => 271164)
--- trunk/JSTests/ChangeLog 2021-01-05 19:17:50 UTC (rev 271163)
+++ trunk/JSTests/ChangeLog 2021-01-05 19:53:56 UTC (rev 271164)
@@ -1,3 +1,14 @@
+2021-01-05 Alexey Shvayka <[email protected]>
+
+ We should have a DFG intrinsic for the construct case of the Object constructor
+ https://bugs.webkit.org/show_bug.cgi?id=155591
+
+ Reviewed by Yusuke Suzuki.
+
+ * microbenchmarks/new-object-no-expected-function.js: Added.
+ * stress/call-object-constructor-with-new.js: Added.
+ * stress/dfg-builtin-constructor-cross-realm.js: Added.
+
2021-01-05 Dmitry Bezhetskov <[email protected]>
[WASM-References] Added few unreached-invalid tests
Added: trunk/JSTests/microbenchmarks/new-object-no-expected-function.js (0 => 271164)
--- trunk/JSTests/microbenchmarks/new-object-no-expected-function.js (rev 0)
+++ trunk/JSTests/microbenchmarks/new-object-no-expected-function.js 2021-01-05 19:53:56 UTC (rev 271164)
@@ -0,0 +1,11 @@
+const window = this;
+
+(function() {
+ var obj;
+
+ for (var i = 0; i < 1e6; i++)
+ obj = new window.Object();
+
+ if (obj.constructor !== Object)
+ throw new Error("Bad assert!");
+})();
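Review bot: nothing in this file says why the constructor is reached through `window.Object` rather than the bare `Object` identifier, and the closing `obj.constructor !== Object` check runs once, on the object from the last iteration only. A one-line comment stating that the property access is what keeps the call off the BytecodeGenerator::emitExpectedFunctionSnippet() path named in the log message would stop a later cleanup from turning this into a benchmark of the already-optimized case.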
Added: trunk/JSTests/stress/call-object-constructor-with-new.js (0 => 271164)
--- trunk/JSTests/stress/call-object-constructor-with-new.js (rev 0)
+++ trunk/JSTests/stress/call-object-constructor-with-new.js 2021-01-05 19:53:56 UTC (rev 271164)
@@ -0,0 +1,19 @@
+function test(n) {
+ return n === new Object(n);
+}
+noInline(test);
+
+function assert(condition) {
+ if (!condition)
+ throw new Error("assertion failed");
+}
+
+for (let i = 0; i < 1e5; i++) {
+ assert(!test(null));
+ assert(!test(undefined));
+ assert(!test(1));
+ assert(!test(""));
+ assert(!test(Symbol.iterator));
+ assert(test({}));
+ assert(test([]));
+}
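Review bot: every assertion in the loop compares identity only, so for the primitive inputs (`null`, `undefined`, `1`, `""`, `Symbol.iterator`) the test passes as long as any fresh object comes back from `new Object(n)`. Consider also asserting on what kind of object it is, for example that the result for `1` is a Number wrapper and that the result for `null` has `Object.prototype` as its prototype, so a wrong result from the compiled construct path cannot pass unnoticed.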
Added: trunk/JSTests/stress/dfg-builtin-constructor-cross-realm.js (0 => 271164)
--- trunk/JSTests/stress/dfg-builtin-constructor-cross-realm.js (rev 0)
+++ trunk/JSTests/stress/dfg-builtin-constructor-cross-realm.js 2021-01-05 19:53:56 UTC (rev 271164)
@@ -0,0 +1,33 @@
+function shouldBe(actual, expected) {
+ if (actual !== expected)
+ throw new Error(`Bad value: ${actual}!`);
+}
+noInline(shouldBe);
+
+const {
+ Array: OtherArray,
+ String: OtherString,
+ Object: OtherObject,
+ Int8Array: OtherInt8Array,
+} = createGlobalObject();
+
+function newArray() { return new OtherArray(4); }
+noInline(newArray);
+
+function newString() { return new OtherString("foo"); }
+noInline(newString);
+
+function newObject() { return new OtherObject(); }
+noInline(newObject);
+
+function newInt8Array() { return new OtherInt8Array(4); }
+noInline(newInt8Array);
+
+(function() {
+ for (let i = 0; i < 1e5; i++) {
+ shouldBe(newArray().constructor, OtherArray);
+ shouldBe(newString().constructor, OtherString);
+ shouldBe(newObject().constructor, OtherObject);
+ shouldBe(newInt8Array().constructor, OtherInt8Array);
+ }
+})();
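Review bot: none of the added tests constructs Object with an altered NewTarget, yet the log message's argument for dropping the guard rests on handleConstantInternalFunction() returning early in exactly that case. Add a hot-loop case to this file, for example a subclass declared with `class extends OtherObject` or a `Reflect.construct(OtherObject, [], OtherArray)` call, and assert on the prototype of the result, so a regression in that early return shows up as a wrong-prototype or wrong-realm object. The existing `.constructor` comparisons against the other realm's constructors are the right check for where the object was allocated.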
Modified: trunk/Source/_javascript_Core/ChangeLog (271163 => 271164)
--- trunk/Source/_javascript_Core/ChangeLog 2021-01-05 19:17:50 UTC (rev 271163)
+++ trunk/Source/_javascript_Core/ChangeLog 2021-01-05 19:53:56 UTC (rev 271164)
@@ -1,3 +1,22 @@
+2021-01-05 Alexey Shvayka <[email protected]>
+
+ We should have a DFG intrinsic for the construct case of the Object constructor
+ https://bugs.webkit.org/show_bug.cgi?id=155591
+
+ Reviewed by Yusuke Suzuki.
+
+ Given that a) ObjectConstructor behaves identically for [[Call]] and [[Construct]] with itself
+ as NewTarget [1] and b) handleConstantInternalFunction() returns early if NewTarget is altered,
+ this patch simply removes CodeForCall guard.
+
+ While `new Object()` is already optimized via BytecodeGenerator::emitExpectedFunctionSnippet(),
+ this change is a 4x speedup for rather rare usages like `new window.Object()`.
+
+ [1]: https://tc39.es/ecma262/#sec-object-value (step 1)
+
+ * dfg/DFGByteCodeParser.cpp:
+ (JSC::DFG::ByteCodeParser::handleConstantInternalFunction):
+
2021-01-05 Dmitry Bezhetskov <[email protected]>
[WASM-References] Added few unreached-invalid tests
Modified: trunk/Source/_javascript_Core/dfg/DFGByteCodeParser.cpp (271163 => 271164)
--- trunk/Source/_javascript_Core/dfg/DFGByteCodeParser.cpp 2021-01-05 19:17:50 UTC (rev 271163)
+++ trunk/Source/_javascript_Core/dfg/DFGByteCodeParser.cpp 2021-01-05 19:53:56 UTC (rev 271164)
@@ -4094,8 +4094,7 @@
return true;
}
- // FIXME: This should handle construction as well. https://bugs.webkit.org/show_bug.cgi?id=155591
- if (function->classInfo(*m_vm) == ObjectConstructor::info() && kind == CodeForCall) {
+ if (function->classInfo(*m_vm) == ObjectConstructor::info()) {
insertChecks();
Node* resultNode;
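Review bot: with `kind == CodeForCall` gone from the ObjectConstructor condition, this branch is correct for construct only because of an early return for altered NewTarget that sits outside the hunk, and the removed FIXME leaves no comment behind to say so. Suggest a short comment at the condition pointing to the spec step cited in the ChangeLog, or an assertion on the NewTarget state, so that someone who later reorders the checks in handleConstantInternalFunction() sees the dependency.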