[webkit-changes] [WebKit/WebKit] 48a8c7: [JSC] Add ProxyObjectHas IC to optimize "has" trap

Tue, 14 Mar 2023 05:32:07 -0700 

  Branch: refs/heads/main
  Home:   https://github.com/WebKit/WebKit
  Commit: 48a8c72db72281068a18847926c158d0b49673e1
      
https://github.com/WebKit/WebKit/commit/48a8c72db72281068a18847926c158d0b49673e1
  Author: Alexey Shvayka <[email protected]>
  Date:   2023-03-14 (Tue, 14 Mar 2023)

  Changed paths:
    A JSTests/microbenchmarks/proxy-has-hit.js
    A JSTests/microbenchmarks/proxy-has-miss-handler.js
    A JSTests/microbenchmarks/proxy-has-miss.js
    M Source/JavaScriptCore/builtins/BuiltinNames.h
    M Source/JavaScriptCore/builtins/ProxyHelpers.js
    M Source/JavaScriptCore/bytecode/AccessCase.cpp
    M Source/JavaScriptCore/bytecode/AccessCase.h
    M Source/JavaScriptCore/bytecode/LinkTimeConstant.h
    M Source/JavaScriptCore/bytecode/ProxyObjectAccessCase.cpp
    M Source/JavaScriptCore/bytecode/Repatch.cpp
    M Source/JavaScriptCore/dfg/DFGByteCodeParser.cpp
    M Source/JavaScriptCore/runtime/JSGlobalObject.cpp
    M Source/JavaScriptCore/runtime/JSGlobalObject.h
    M Source/JavaScriptCore/runtime/JSGlobalObjectFunctions.cpp
    M Source/JavaScriptCore/runtime/JSGlobalObjectFunctions.h
    M Source/JavaScriptCore/runtime/JSGlobalObjectInlines.h
    M Source/JavaScriptCore/runtime/ProxyObject.cpp
    M Source/JavaScriptCore/runtime/ProxyObject.h

  Log Message:
  -----------
  [JSC] Add ProxyObjectHas IC to optimize "has" trap
https://bugs.webkit.org/show_bug.cgi?id=253830
<rdar://problem/106644477>

Reviewed by Yusuke Suzuki.

This change adds ProxyObjectHas IC for Proxy "has" trap, which detects 
ProxyObject and calls
@performProxyObjectHas JS function that, in the most common case, avoids 
calling into C++
to validate the trap result.

While progressing provided microbenchmarks by up to 10x, unfortunately this 
patch does not
affect Speedometer2 nor JetStream3: JS3/proxy-mobx invokes "has" trap only on 
indexed properties,
which are currently rejected by isCacheableIdentifierCell() and not supported 
by ProxyObjectAccessCase.

Parameter order of "get" and "set" IC helpers had to be rearranged to simplify 
ProxyObjectAccessCase::emit().

                                   ToT                       patch

proxy-has-hit                48.4694+-0.3179     ^      4.8357+-0.0314        ^ 
definitely 10.0232x faster
proxy-has-miss               53.6834+-0.3113     ^     15.9198+-0.0730        ^ 
definitely 3.3721x faster
proxy-has-miss-handler       30.9117+-0.1541     ^      4.9238+-0.0337        ^ 
definitely 6.2781x faster

<geometric>                  43.1641+-0.1435     ^      7.2367+-0.0233        ^ 
definitely 5.9646x faster

* JSTests/microbenchmarks/proxy-has-hit.js: Added.
* JSTests/microbenchmarks/proxy-has-miss-handler.js: Added.
* JSTests/microbenchmarks/proxy-has-miss.js: Added.
* Source/JavaScriptCore/builtins/BuiltinNames.h:
* Source/JavaScriptCore/builtins/ProxyHelpers.js:
(linkTimeConstant.performProxyObjectHas):
(linkTimeConstant.performProxyObjectGet):
(linkTimeConstant.performProxyObjectSetSloppy):
(linkTimeConstant.performProxyObjectSetStrict):
* Source/JavaScriptCore/bytecode/AccessCase.cpp:
(JSC::AccessCase::create):
(JSC::AccessCase::guardedByStructureCheckSkippingConstantIdentifierCheck const):
(JSC::AccessCase::requiresIdentifierNameMatch const):
(JSC::AccessCase::requiresInt32PropertyCheck const):
(JSC::AccessCase::needsScratchFPR const):
(JSC::AccessCase::forEachDependentCell const):
(JSC::AccessCase::doesCalls const):
(JSC::AccessCase::canReplace const):
(JSC::AccessCase::generateWithGuard):
(JSC::AccessCase::generateImpl):
(JSC::AccessCase::runWithDowncast):
(JSC::AccessCase::canBeShared):
* Source/JavaScriptCore/bytecode/AccessCase.h:
* Source/JavaScriptCore/bytecode/LinkTimeConstant.h:
* Source/JavaScriptCore/bytecode/ProxyObjectAccessCase.cpp:
(JSC::ProxyObjectAccessCase::emit):
* Source/JavaScriptCore/bytecode/Repatch.cpp:
(JSC::tryCacheInBy):
* Source/JavaScriptCore/dfg/DFGByteCodeParser.cpp:
(JSC::DFG::ByteCodeParser::handleProxyObjectLoad):
(JSC::DFG::ByteCodeParser::handlePutById):
* Source/JavaScriptCore/runtime/JSGlobalObject.cpp:
(JSC::JSGlobalObject::init):
* Source/JavaScriptCore/runtime/JSGlobalObject.h:
* Source/JavaScriptCore/runtime/JSGlobalObjectFunctions.cpp:
(JSC::JSC_DEFINE_HOST_FUNCTION):
* Source/JavaScriptCore/runtime/JSGlobalObjectFunctions.h:
* Source/JavaScriptCore/runtime/JSGlobalObjectInlines.h:
(JSC::JSGlobalObject::performProxyObjectHasFunction const):
* Source/JavaScriptCore/runtime/ProxyObject.cpp:
(JSC::ProxyObject::performHasProperty):
(JSC::ProxyObject::validateNegativeHasTrapResult):
* Source/JavaScriptCore/runtime/ProxyObject.h:

Canonical link: https://commits.webkit.org/261628@main


_______________________________________________
webkit-changes mailing list
[email protected]
https://lists.webkit.org/mailman/listinfo/webkit-changes

Reply via email to