[webkit-changes] [WebKit/WebKit] 8f662d: [JSC] Relax ArrayPush DFG optimization

Mon, 10 Oct 2022 15:19:44 -0700 

  Branch: refs/heads/main
  Home:   https://github.com/WebKit/WebKit
  Commit: 8f662d8b6ea7f62e9c04fbeb9c9cafb15c7fbd91
      
https://github.com/WebKit/WebKit/commit/8f662d8b6ea7f62e9c04fbeb9c9cafb15c7fbd91
  Author: Yusuke Suzuki <[email protected]>
  Date:   2022-10-10 (Mon, 10 Oct 2022)

  Changed paths:
    A JSTests/stress/array-push-slow-put.js
    M Source/JavaScriptCore/dfg/DFGAbstractInterpreterInlines.h
    M Source/JavaScriptCore/dfg/DFGByteCodeParser.cpp
    M Source/JavaScriptCore/dfg/DFGFixupPhase.cpp
    M Source/JavaScriptCore/dfg/DFGOperations.cpp
    M Source/JavaScriptCore/dfg/DFGOperations.h
    M Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp
    M Source/JavaScriptCore/dfg/DFGStoreBarrierInsertionPhase.cpp
    M Source/JavaScriptCore/ftl/FTLLowerDFGToB3.cpp

  Log Message:
  -----------
  [JSC] Relax ArrayPush DFG optimization
https://bugs.webkit.org/show_bug.cgi?id=246266
rdar://100964873

Reviewed by Alexey Shvayka.

We sometimes miss ArrayPush optimization because ArrayMode type gets 
SelectUsingArguments, which will be converted to Contiguous etc.
at fixup phase. We optimized ArrayPush only when we know it is Int32, Double, 
or Contiguous at bytecode parsing phase. We should
accept the other ones since SelectUsingArguments can be converted to Int32, 
Double etc. shape in fixup phase.
This patch relaxes the restriction in ArrayPush optimization so that we can 
accept SelectUsingArguments so long as it is JSArray type.
And in fixup phase, we get the specific type. Since we can get 
SlowPutArrayType, we also add code handling SlowPutArrayType too in DFG and FTL.

* JSTests/stress/array-push-slow-put.js: Added.
(shouldBe):
(test):
* Source/JavaScriptCore/dfg/DFGAbstractInterpreterInlines.h:
(JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
* Source/JavaScriptCore/dfg/DFGByteCodeParser.cpp:
(JSC::DFG::ByteCodeParser::handleIntrinsicCall):
* Source/JavaScriptCore/dfg/DFGFixupPhase.cpp:
(JSC::DFG::FixupPhase::fixupNode):
* Source/JavaScriptCore/dfg/DFGOperations.cpp:
(JSC::DFG::JSC_DEFINE_JIT_OPERATION):
* Source/JavaScriptCore/dfg/DFGOperations.h:
* Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp:
* Source/JavaScriptCore/dfg/DFGStoreBarrierInsertionPhase.cpp:
* Source/JavaScriptCore/ftl/FTLLowerDFGToB3.cpp:
(JSC::FTL::DFG::LowerDFGToB3::compileArrayPush):

Canonical link: https://commits.webkit.org/255366@main


_______________________________________________
webkit-changes mailing list
[email protected]
https://lists.webkit.org/mailman/listinfo/webkit-changes

Reply via email to