[webkit-changes] [WebKit/WebKit] 8a9e1a: [JSC] Remove CagedPtr's Data PAC tagging since it ...

Tue, 23 Jan 2024 21:44:20 -0800 

  Branch: refs/heads/main
  Home:   https://github.com/WebKit/WebKit
  Commit: 8a9e1a58f9fe0fcd03a9aa350ea5bd4fdc352f6e
      
https://github.com/WebKit/WebKit/commit/8a9e1a58f9fe0fcd03a9aa350ea5bd4fdc352f6e
  Author: Yusuke Suzuki <[email protected]>
  Date:   2024-01-23 (Tue, 23 Jan 2024)

  Changed paths:
    A JSTests/microbenchmarks/segmentation.js
    M Source/JavaScriptCore/API/MarkedJSValueRefArray.h
    M Source/JavaScriptCore/assembler/testmasm.cpp
    M Source/JavaScriptCore/bytecode/InlineCacheCompiler.cpp
    M Source/JavaScriptCore/dfg/DFGOperations.cpp
    M Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp
    M Source/JavaScriptCore/dfg/DFGSpeculativeJIT.h
    M Source/JavaScriptCore/dfg/DFGSpeculativeJIT64.cpp
    M Source/JavaScriptCore/ftl/FTLLowerDFGToB3.cpp
    M Source/JavaScriptCore/jit/AssemblyHelpers.cpp
    M Source/JavaScriptCore/jit/AssemblyHelpers.h
    M Source/JavaScriptCore/llint/InPlaceInterpreter.asm
    M Source/JavaScriptCore/llint/LowLevelInterpreter64.asm
    M Source/JavaScriptCore/llint/WebAssembly.asm
    M Source/JavaScriptCore/runtime/ArrayBuffer.cpp
    M Source/JavaScriptCore/runtime/ArrayBuffer.h
    M Source/JavaScriptCore/runtime/ArrayBufferView.cpp
    M Source/JavaScriptCore/runtime/ArrayBufferView.h
    M Source/JavaScriptCore/runtime/BufferMemoryHandle.cpp
    M Source/JavaScriptCore/runtime/BufferMemoryHandle.h
    M Source/JavaScriptCore/runtime/CachedTypes.cpp
    M Source/JavaScriptCore/runtime/CagedBarrierPtr.h
    M Source/JavaScriptCore/runtime/DirectArguments.cpp
    M Source/JavaScriptCore/runtime/DirectArguments.h
    M Source/JavaScriptCore/runtime/GenericArgumentsInlines.h
    M Source/JavaScriptCore/runtime/JSArrayBufferView.cpp
    M Source/JavaScriptCore/runtime/JSArrayBufferView.h
    M Source/JavaScriptCore/runtime/JSBigInt.cpp
    M Source/JavaScriptCore/runtime/JSBigInt.h
    M Source/JavaScriptCore/runtime/ScopedArgumentsTable.cpp
    M Source/JavaScriptCore/runtime/ScopedArgumentsTable.h
    M Source/JavaScriptCore/wasm/WasmB3IRGenerator.cpp
    M Source/JavaScriptCore/wasm/WasmBBQJIT.cpp
    M Source/JavaScriptCore/wasm/WasmBBQJIT64.cpp
    M Source/JavaScriptCore/wasm/WasmBinding.cpp
    M Source/JavaScriptCore/wasm/WasmInstance.h
    M Source/JavaScriptCore/wasm/js/JSToWasm.cpp
    M Source/JavaScriptCore/wasm/js/WebAssemblyFunction.cpp
    M Source/WTF/wtf/CagedPtr.h
    M Source/WTF/wtf/CagedUniquePtr.h

  Log Message:
  -----------
  [JSC] Remove CagedPtr's Data PAC tagging since it is not adding values
https://bugs.webkit.org/show_bug.cgi?id=267961
rdar://121473792

Reviewed by Mark Lam.

This patch removes CagedPtr's Data PAC tagging since,

1. From attacking patterns, this does not add values. Right now, we continue 
using Gigacage, but not using Data PAC here.
2. We found that Data PAC is extremely slow. Attached benchmark showed 11.5% 
difference.

                               ToT                     Patched

    segmentation        128.8931+-0.3854     ^    115.6124+-0.1073        ^ 
definitely 1.1149x faster

* Source/JavaScriptCore/bytecode/InlineCacheCompiler.cpp:
(JSC::InlineCacheCompiler::generateWithGuard):
* Source/JavaScriptCore/dfg/DFGOperations.cpp:
(JSC::DFG::newTypedArrayWithSize):
* Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp:
(JSC::DFG::SpeculativeJIT::jumpForTypedArrayIsDetachedIfOutOfBounds):
* Source/JavaScriptCore/dfg/DFGSpeculativeJIT.h:
* Source/JavaScriptCore/dfg/DFGSpeculativeJIT64.cpp:
(JSC::DFG::SpeculativeJIT::compile):
* Source/JavaScriptCore/ftl/FTLLowerDFGToB3.cpp:
(JSC::FTL::DFG::LowerDFGToB3::emitNewTypedArrayWithSize):
(JSC::FTL::DFG::LowerDFGToB3::compileCompareStrictEq):
* Source/JavaScriptCore/jit/AssemblyHelpers.cpp:
(JSC::AssemblyHelpers::cageWithoutUntagging):
(JSC::AssemblyHelpers::cageConditionallyAndUntag):
* Source/JavaScriptCore/jit/AssemblyHelpers.h:
(JSC::AssemblyHelpers::toBigInt64):
* Source/JavaScriptCore/llint/InPlaceInterpreter.asm:
* Source/JavaScriptCore/llint/LowLevelInterpreter64.asm:
* Source/JavaScriptCore/llint/WebAssembly.asm:
* Source/JavaScriptCore/runtime/ArrayBuffer.h:
* Source/JavaScriptCore/runtime/ArrayBufferView.h:
* Source/JavaScriptCore/runtime/BufferMemoryHandle.h:
* Source/JavaScriptCore/runtime/CagedBarrierPtr.h:
* Source/JavaScriptCore/runtime/JSArrayBufferView.cpp:
(JSC::JSArrayBufferView::ConstructionContext::ConstructionContext):
(JSC::JSArrayBufferView::JSArrayBufferView):
* Source/JavaScriptCore/runtime/JSArrayBufferView.h:
* Source/JavaScriptCore/runtime/JSBigInt.h:
* Source/JavaScriptCore/wasm/WasmB3IRGenerator.cpp:
(JSC::Wasm::B3IRGenerator::reloadMemoryRegistersFromInstance):
(JSC::Wasm::B3IRGenerator::emitIndirectCall):
* Source/JavaScriptCore/wasm/WasmBBQJIT.cpp:
(JSC::Wasm::BBQJITImpl::BBQJIT::loadWebAssemblyGlobalState):
* Source/JavaScriptCore/wasm/WasmBBQJIT64.cpp:
(JSC::Wasm::BBQJITImpl::BBQJIT::restoreWebAssemblyGlobalStateAfterWasmCall):
* Source/JavaScriptCore/wasm/WasmBinding.cpp:
(JSC::Wasm::wasmToWasm):
* Source/JavaScriptCore/wasm/WasmInstance.h:
(JSC::Wasm::Instance::updateCachedMemory):
* Source/JavaScriptCore/wasm/js/JSToWasm.cpp:
(JSC::Wasm::createJSToWasmWrapper):
* Source/JavaScriptCore/wasm/js/WebAssemblyFunction.cpp:
(JSC::WebAssemblyFunction::jsCallEntrypointSlow):
* Source/WTF/wtf/CagedPtr.h:
(WTF::CagedPtr::CagedPtr):
(WTF::CagedPtr::get const):
(WTF::CagedPtr::getMayBeNull const):
(WTF::CagedPtr::getUnsafe const):
(WTF::CagedPtr::mergePointers): Deleted.
* Source/WTF/wtf/CagedUniquePtr.h:

Canonical link: https://commits.webkit.org/273389@main


_______________________________________________
webkit-changes mailing list
[email protected]
https://lists.webkit.org/mailman/listinfo/webkit-changes

Reply via email to