Branch: refs/heads/main
Home: https://github.com/WebKit/WebKit
Commit: b8479830cc352feac646ab33c1a9b2c074d930e2
https://github.com/WebKit/WebKit/commit/b8479830cc352feac646ab33c1a9b2c074d930e2
Author: Yusuke Suzuki <[email protected]>
Date: 2022-10-10 (Mon, 10 Oct 2022)
Changed paths:
M Source/JavaScriptCore/CMakeLists.txt
M Source/JavaScriptCore/JavaScriptCore.xcodeproj/project.pbxproj
M
Source/JavaScriptCore/bytecode/AdaptiveInferredPropertyValueWatchpointBase.h
A Source/JavaScriptCore/bytecode/ChainedWatchpoint.h
M
Source/JavaScriptCore/bytecode/LLIntPrototypeLoadAdaptiveStructureWatchpoint.h
M Source/JavaScriptCore/bytecode/StructureStubClearingWatchpoint.h
M Source/JavaScriptCore/bytecode/Watchpoint.cpp
M Source/JavaScriptCore/bytecode/Watchpoint.h
M Source/JavaScriptCore/dfg/DFGAbstractInterpreterInlines.h
M Source/JavaScriptCore/dfg/DFGAdaptiveStructureWatchpoint.h
M Source/JavaScriptCore/dfg/DFGArgumentsEliminationPhase.cpp
M Source/JavaScriptCore/dfg/DFGArrayMode.cpp
M Source/JavaScriptCore/dfg/DFGByteCodeParser.cpp
M Source/JavaScriptCore/dfg/DFGFixupPhase.cpp
M Source/JavaScriptCore/dfg/DFGGraph.h
M
Source/JavaScriptCore/runtime/CachedSpecialPropertyAdaptiveStructureWatchpoint.h
M Source/JavaScriptCore/runtime/FunctionRareData.h
M Source/JavaScriptCore/runtime/JSGlobalObject.cpp
M Source/JavaScriptCore/runtime/JSGlobalObject.h
M Source/JavaScriptCore/runtime/JSGlobalObjectInlines.h
M Source/JavaScriptCore/runtime/ObjectAdaptiveStructureWatchpoint.h
M Source/JavaScriptCore/runtime/StructureRareDataInlines.h
Log Message:
-----------
[JSC] Use watchpoint set for sane chain checks
https://bugs.webkit.org/show_bug.cgi?id=246258
rdar://100951262
Reviewed by Justin Michaud and Alexey Shvayka.
This patch changes array-prototype-is-sane-chain condition check from a bit
adhoc one to a
watchpoint based on AbsenceOfIndexedProperties ObjectPropertyCondition. This
largely simplifies
the implementation of DFG using this watchpoint. We introduce ChainedWatchpoint
which propagates
one watchpointset's invalidation to the other so that we can propagate
Object.prototype's sane chain
condition to Array.prototype's sane chain condition. It (1) makes
arrayPrototypeChainIsSane
efficient, (2) DFG's watchpoint more non-conservative (previously we are
setting transition-watchpoint,
which is too conservative), and (3) this paves the way to use this
JSGlobalObject tied watchpoint in uDFG.
* Source/JavaScriptCore/dfg/DFGAbstractInterpreterInlines.h:
(JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
* Source/JavaScriptCore/dfg/DFGArgumentsEliminationPhase.cpp:
* Source/JavaScriptCore/dfg/DFGArrayMode.cpp:
(JSC::DFG::ArrayMode::refine const):
* Source/JavaScriptCore/dfg/DFGByteCodeParser.cpp:
(JSC::DFG::ByteCodeParser::handleIntrinsicCall):
* Source/JavaScriptCore/dfg/DFGFixupPhase.cpp:
(JSC::DFG::FixupPhase::fixupNode):
(JSC::DFG::FixupPhase::watchSaneChain):
* Source/JavaScriptCore/dfg/DFGGraph.h:
* Source/JavaScriptCore/runtime/JSGlobalObject.cpp:
(JSC::JSGlobalObject::init):
(JSC::JSGlobalObject::installArrayPrototypeWatchpoint):
(JSC::JSGlobalObject::tryInstallArraySpeciesWatchpoint): Deleted.
* Source/JavaScriptCore/runtime/JSGlobalObject.h:
(JSC::JSGlobalObject::arrayPrototypeChainIsSaneWatchpointSet):
(JSC::JSGlobalObject::objectPrototypeChainIsSaneWatchpointSet):
* Source/JavaScriptCore/runtime/JSGlobalObjectInlines.h:
(JSC::JSGlobalObject::arrayPrototypeChainIsSane):
Canonical link: https://commits.webkit.org/255369@main
_______________________________________________
webkit-changes mailing list
[email protected]
https://lists.webkit.org/mailman/listinfo/webkit-changes
