Title: [285463] branches/safari-612-branch/Source/JavaScriptCore
Revision: 285463
Author: kocsen_ch...@apple.com
Date: 2021-11-08 17:09:09 -0800 (Mon, 08 Nov 2021)

Log Message

Cherry-pick r283862. rdar://problem/85167292

    Run backwards propagation before we prune the graph after ForceOSRExit nodes in BytecodeParser
    https://bugs.webkit.org/show_bug.cgi?id=230823
    <rdar://problem/83565088>

    Reviewed by Yusuke Suzuki.

    When I ported the phase to run right after bytecode parsing, I wanted
    to maintain the same behavior as the prior pass that ran after CPS
    rethreading. I noticed a slight bug in some of my logic that changed
    some of the heuristics and how they'd affect double voting.

    The old patch was mimicking the "is loaded from" bit by using the NodeFlags.
    However, this has some issues with how this interacts with our other uses
    of NodeFlags. So, to make things simple, I just add a new "VariableIsUsed"
    bit.

    * dfg/DFGBackwardsPropagationPhase.cpp:
    (JSC::DFG::BackwardsPropagationPhase::propagate):

    git-svn-id: https://svn.webkit.org/repository/webkit/trunk@283862 268f45cc-cd09-0410-ab3c-d52691b4dbfc

Modified Paths

Diff

Modified: branches/safari-612-branch/Source/JavaScriptCore/ChangeLog (285462 => 285463)


--- branches/safari-612-branch/Source/_javascript_Core/ChangeLog	2021-11-09 01:09:06 UTC (rev 285462)
+++ branches/safari-612-branch/Source/_javascript_Core/ChangeLog	2021-11-09 01:09:09 UTC (rev 285463)
@@ -1,5 +1,52 @@
 2021-11-08  Kocsen Chung  <kocsen_ch...@apple.com>
 
+        Cherry-pick r283862. rdar://problem/85167292
+
+    Run backwards propagation before we prune the graph after ForceOSRExit nodes in BytecodeParser
+    https://bugs.webkit.org/show_bug.cgi?id=230823
+    <rdar://problem/83565088>
+    
+    Reviewed by Yusuke Suzuki.
+    
+    When I ported the phase to run right after bytecode parsing, I wanted
+    to maintain the same behavior as the prior pass that ran after CPS
+    rethreading. I noticed a slight bug in some of my logic that changed
+    some of heuristics and how they'd effect double voting.
+    
+    The old patch was mimicking the "is loaded from" bit by using the NodeFlags.
+    Howver, this has some issues with how this interacts with our other uses
+    of NodeFlags. So, to make things simple, I just add a new "VariableIsUsed"
+    bit.
+    
+    * dfg/DFGBackwardsPropagationPhase.cpp:
+    (JSC::DFG::BackwardsPropagationPhase::propagate):
+    
+    
+    git-svn-id: https://svn.webkit.org/repository/webkit/trunk@283862 268f45cc-cd09-0410-ab3c-d52691b4dbfc
+
+    2021-10-08  Saam Barati  <sbar...@apple.com>
+
+            Run backwards propagation before we prune the graph after ForceOSRExit nodes in BytecodeParser
+            https://bugs.webkit.org/show_bug.cgi?id=230823
+            <rdar://problem/83565088>
+
+            Reviewed by Yusuke Suzuki.
+
+            When I ported the phase to run right after bytecode parsing, I wanted
+            to maintain the same behavior as the prior pass that ran after CPS
+            rethreading. I noticed a slight bug in some of my logic that changed
+            some of heuristics and how they'd effect double voting.
+
+            The old patch was mimicking the "is loaded from" bit by using the NodeFlags.
+            Howver, this has some issues with how this interacts with our other uses
+            of NodeFlags. So, to make things simple, I just add a new "VariableIsUsed"
+            bit.
+
+            * dfg/DFGBackwardsPropagationPhase.cpp:
+            (JSC::DFG::BackwardsPropagationPhase::propagate):
+
+2021-11-08  Kocsen Chung  <kocsen_ch...@apple.com>
+
         Cherry-pick r283818. rdar://problem/85173568
 
     RegExpExec can't statically prove which of the two structures it will get in AI by just looking at the RegExp*
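
Review bot: The added entry describes the fix only as "a slight bug in some of my logic" and lists just (JSC::DFG::BackwardsPropagationPhase::propagate), yet the .cpp diff on this page also drops a RELEASE_ASSERT and adds a new PhantomLocal case. Those two behaviour changes deserve a sentence each in the entry so someone auditing the branch can tell they were intentional. The cherry-pick header is also indented eight spaces while the body beneath it uses four, which makes the nested original entry harder to tell apart.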

Modified: branches/safari-612-branch/Source/JavaScriptCore/dfg/DFGBackwardsPropagationPhase.cpp (285462 => 285463)


--- branches/safari-612-branch/Source/_javascript_Core/dfg/DFGBackwardsPropagationPhase.cpp	2021-11-09 01:09:06 UTC (rev 285462)
+++ branches/safari-612-branch/Source/_javascript_Core/dfg/DFGBackwardsPropagationPhase.cpp	2021-11-09 01:09:09 UTC (rev 285463)
@@ -31,6 +31,7 @@
 #include "DFGGraph.h"
 #include "DFGPhase.h"
 #include "JSCJSValueInlines.h"
+#include <wtf/MathExtras.h>
 
 namespace JSC { namespace DFG {
 
@@ -44,7 +45,7 @@
         , m_flagsAtHead(graph)
     {
     }
-    
+
     bool run()
     {
         for (BasicBlock* block : m_graph.blocksInNaturalOrder()) {
@@ -213,6 +214,10 @@
         return changed;
     }
     
+    static constexpr NodeFlags VariableIsUsed = 1 << (1 + WTF::getMSBSetConstexpr(NodeBytecodeBackPropMask));
+    static_assert(!(VariableIsUsed & NodeBytecodeBackPropMask));
+    static_assert(VariableIsUsed > NodeBytecodeBackPropMask, "Verify the above doesn't overflow");
+    
     void propagate(Node* node)
     {
         NodeFlags flags = node->flags() & NodeBytecodeBackPropMask;
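
Review bot: VariableIsUsed needs a comment stating where the bit is allowed to live. The two static_asserts only prove that it lies outside and above NodeBytecodeBackPropMask; nothing in these lines shows that the next bit up is free of other NodeFlags meanings, so correctness depends on the bit staying inside m_currentFlags and being masked off before anything is merged into VariableAccessData. Two smaller points: "1 <<" shifts an int literal, and "static_cast<NodeFlags>(1) <<" would keep the shift in the flag type; the first static_assert could carry a message like the second one does.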
@@ -220,9 +225,9 @@
         switch (node->op()) {
         case GetLocal: {
             VariableAccessData* variableAccessData = node->variableAccessData();
-            NodeFlags& flagsRef = m_currentFlags.operand(variableAccessData->operand());
-            mergeFlags(flagsRef, flags);
-            variableAccessData->mergeFlags(flagsRef & ~NodeBytecodeUsesAsInt); // We don't care about cross-block uses-as-int for this.
+            flags |= m_currentFlags.operand(variableAccessData->operand());
+            flags |= VariableIsUsed;
+            m_currentFlags.operand(variableAccessData->operand()) = flags;
             break;
         }
             
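
Review bot: In the GetLocal case the call to variableAccessData->mergeFlags(...) is removed and nothing replaces it here, so from the lines on this page the only remaining merge into VariableAccessData is the one in the next hunk, gated on VariableIsUsed. Please confirm, ideally with a regression test, that a GetLocal which never reaches that case within its own block still gets its flags into VariableAccessData by way of the block-head flags. Minor: m_currentFlags.operand(variableAccessData->operand()) is now looked up twice; a local reference, as the removed code used, would read better.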
@@ -231,10 +236,11 @@
 
             Operand operand = variableAccessData->operand();
             NodeFlags flags = m_currentFlags.operand(operand);
-            if (!flags)
+            if (!(flags & VariableIsUsed))
                 break;
 
-            RELEASE_ASSERT(!(flags & ~NodeBytecodeBackPropMask));
+            flags &= NodeBytecodeBackPropMask;
+            flags &= ~NodeBytecodeUsesAsInt; // We don't care about cross-block uses-as-int.
 
             variableAccessData->mergeFlags(flags);
             // We union with NodeBytecodeUsesAsNumber to account for the fact that control flow may cause overflows that our modeling can't handle.
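
Review bot: Removing "RELEASE_ASSERT(!(flags & ~NodeBytecodeBackPropMask));" and replacing it with "flags &= NodeBytecodeBackPropMask;" turns an invariant check into a silent mask, so any unexpected bit in m_currentFlags is now dropped without notice. Since VariableIsUsed is the only extra bit this phase is supposed to set, the check can be kept in a relaxed form before the masking, for example "RELEASE_ASSERT(!(flags & ~(NodeBytecodeBackPropMask | VariableIsUsed)));". In JIT code that decides how values are represented, keeping that assert is cheap insurance.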
@@ -247,11 +253,15 @@
             
         case Flush: {
             VariableAccessData* variableAccessData = node->variableAccessData();
-            NodeFlags& flagsRef = m_currentFlags.operand(variableAccessData->operand());
-            mergeFlags(flagsRef, NodeBytecodeUsesAsValue);
-            variableAccessData->mergeFlags(flagsRef);
+            mergeFlags(m_currentFlags.operand(variableAccessData->operand()), NodeBytecodeUsesAsValue | VariableIsUsed);
             break;
         }
+
+        case PhantomLocal: {
+            VariableAccessData* variableAccessData = node->variableAccessData();
+            mergeFlags(m_currentFlags.operand(variableAccessData->operand()), VariableIsUsed);
+            break;
+        }
             
         case MovHint:
         case Check:
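
Review bot: The new PhantomLocal case has no comment explaining why it marks the variable as used while contributing no back-propagation flags, and the ChangeLog does not mention it either; a one-line comment like the one on the NodeBytecodeUsesAsInt masking would help. In the Flush case just above it, the direct variableAccessData->mergeFlags(flagsRef) call is gone, so NodeBytecodeUsesAsValue now reaches VariableAccessData only if a later-processed node in the same block performs the merge. Please state in a comment or test which path covers a Flush with no such node in its block.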
_______________________________________________
webkit-changes mailing list
webkit-changes@lists.webkit.org
https://lists.webkit.org/mailman/listinfo/webkit-changes
