Branch: refs/heads/main
Home: https://github.com/WebKit/WebKit
Commit: b13bf4c3488741d6e41f1be6b2d15300a9951ce8
https://github.com/WebKit/WebKit/commit/b13bf4c3488741d6e41f1be6b2d15300a9951ce8
Author: Yusuke Suzuki <[email protected]>
Date: 2024-02-14 (Wed, 14 Feb 2024)
Changed paths:
M Source/JavaScriptCore/bytecode/AccessCase.cpp
M Source/JavaScriptCore/bytecode/AccessCase.h
M Source/JavaScriptCore/bytecode/InByStatus.cpp
M Source/JavaScriptCore/bytecode/InByStatus.h
M Source/JavaScriptCore/bytecode/InlineCacheCompiler.cpp
M Source/JavaScriptCore/bytecode/InlineCacheCompiler.h
M Source/JavaScriptCore/bytecode/Repatch.cpp
M Source/JavaScriptCore/bytecode/Repatch.h
M Source/JavaScriptCore/bytecode/StructureStubInfo.cpp
M Source/JavaScriptCore/bytecode/StructureStubInfo.h
M Source/JavaScriptCore/dfg/DFGAbstractInterpreterInlines.h
M Source/JavaScriptCore/dfg/DFGByteCodeParser.cpp
M Source/JavaScriptCore/dfg/DFGClobberize.h
M Source/JavaScriptCore/dfg/DFGConstantFoldingPhase.cpp
M Source/JavaScriptCore/dfg/DFGDoesGC.cpp
M Source/JavaScriptCore/dfg/DFGFixupPhase.cpp
M Source/JavaScriptCore/dfg/DFGNode.cpp
M Source/JavaScriptCore/dfg/DFGNode.h
M Source/JavaScriptCore/dfg/DFGNodeType.h
M Source/JavaScriptCore/dfg/DFGPredictionPropagationPhase.cpp
M Source/JavaScriptCore/dfg/DFGSafeToExecute.h
M Source/JavaScriptCore/dfg/DFGSpeculativeJIT.h
M Source/JavaScriptCore/dfg/DFGSpeculativeJIT32_64.cpp
M Source/JavaScriptCore/dfg/DFGSpeculativeJIT64.cpp
M Source/JavaScriptCore/dfg/DFGStrengthReductionPhase.cpp
M Source/JavaScriptCore/ftl/FTLCapabilities.cpp
M Source/JavaScriptCore/ftl/FTLLowerDFGToB3.cpp
M Source/JavaScriptCore/jit/AssemblyHelpers.cpp
M Source/JavaScriptCore/jit/AssemblyHelpers.h
M Source/JavaScriptCore/jit/JITOperations.cpp
M Source/JavaScriptCore/jit/JITOperations.h
M Source/JavaScriptCore/runtime/MegamorphicCache.cpp
M Source/JavaScriptCore/runtime/MegamorphicCache.h
Log Message:
-----------
[JSC] Introduce InBy megamorphic ICs
https://bugs.webkit.org/show_bug.cgi?id=269255
rdar://121083665
Reviewed by Justin Michaud.
This patch adds InBy megamorphic IC in all tiers. This is super similar to
GetBy megamorphic IC.
Similar to GetBy megamorphic IC, we store structure/uid pair and the result.
And when prototype objects
get changed, we bump the epoch (it is already done), and then all cache gets
invalidated.
The only conceptual difference is that we can say `true` for custom accessor
gets found. This is not
possible for GetBy megamorphic IC, but for InBy IC, it is OK since it is only
asking whether it exists or not.
* Source/JavaScriptCore/bytecode/AccessCase.cpp:
(JSC::AccessCase::create):
(JSC::AccessCase::guardedByStructureCheckSkippingConstantIdentifierCheck const):
(JSC::AccessCase::requiresIdentifierNameMatch const):
(JSC::AccessCase::requiresInt32PropertyCheck const):
(JSC::AccessCase::forEachDependentCell const):
(JSC::AccessCase::doesCalls const):
(JSC::AccessCase::canReplace const):
(JSC::AccessCase::runWithDowncast):
(JSC::AccessCase::canBeShared):
* Source/JavaScriptCore/bytecode/AccessCase.h:
* Source/JavaScriptCore/bytecode/InByStatus.cpp:
(JSC::InByStatus::computeFor):
(JSC::InByStatus::computeForStubInfo):
(JSC::InByStatus::computeForStubInfoWithoutExitSiteFeedback):
(JSC::InByStatus::merge):
(JSC::InByStatus::dump const):
* Source/JavaScriptCore/bytecode/InByStatus.h:
* Source/JavaScriptCore/bytecode/InlineCacheCompiler.cpp:
(JSC::needsScratchFPR):
(JSC::forInBy):
(JSC::InlineCacheCompiler::generateWithGuard):
(JSC::InlineCacheCompiler::generateImpl):
(JSC::InlineCacheCompiler::regenerate):
* Source/JavaScriptCore/bytecode/InlineCacheCompiler.h:
(JSC::canUseMegamorphicInById):
* Source/JavaScriptCore/bytecode/Repatch.cpp:
(JSC::repatchInBySlowPathCall):
(JSC::tryCacheInBy):
(JSC::repatchInBy):
* Source/JavaScriptCore/bytecode/Repatch.h:
* Source/JavaScriptCore/bytecode/StructureStubInfo.cpp:
(JSC::StructureStubInfo::summary const):
(JSC::SharedJITStubSet::getMegamorphic const):
(JSC::SharedJITStubSet::setMegamorphic):
* Source/JavaScriptCore/bytecode/StructureStubInfo.h:
* Source/JavaScriptCore/dfg/DFGAbstractInterpreterInlines.h:
(JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
* Source/JavaScriptCore/dfg/DFGByteCodeParser.cpp:
(JSC::DFG::ByteCodeParser::handleInById):
(JSC::DFG::ByteCodeParser::parseBlock):
* Source/JavaScriptCore/dfg/DFGClobberize.h:
(JSC::DFG::clobberize):
* Source/JavaScriptCore/dfg/DFGConstantFoldingPhase.cpp:
(JSC::DFG::ConstantFoldingPhase::foldConstants):
* Source/JavaScriptCore/dfg/DFGDoesGC.cpp:
(JSC::DFG::doesGC):
* Source/JavaScriptCore/dfg/DFGFixupPhase.cpp:
(JSC::DFG::FixupPhase::fixupNode):
* Source/JavaScriptCore/dfg/DFGNode.cpp:
(JSC::DFG::Node::convertToInByIdMaybeMegamorphic):
* Source/JavaScriptCore/dfg/DFGNode.h:
(JSC::DFG::Node::hasCacheableIdentifier):
(JSC::DFG::Node::cacheableIdentifier):
(JSC::DFG::Node::hasArrayMode):
(JSC::DFG::Node::convertToInById): Deleted.
* Source/JavaScriptCore/dfg/DFGNodeType.h:
* Source/JavaScriptCore/dfg/DFGPredictionPropagationPhase.cpp:
* Source/JavaScriptCore/dfg/DFGSafeToExecute.h:
(JSC::DFG::safeToExecute):
* Source/JavaScriptCore/dfg/DFGSpeculativeJIT.h:
* Source/JavaScriptCore/dfg/DFGSpeculativeJIT32_64.cpp:
(JSC::DFG::SpeculativeJIT::compile):
* Source/JavaScriptCore/dfg/DFGSpeculativeJIT64.cpp:
(JSC::DFG::SpeculativeJIT::compile):
(JSC::DFG::SpeculativeJIT::compileInByIdMegamorphic):
(JSC::DFG::SpeculativeJIT::compileInByValMegamorphic):
* Source/JavaScriptCore/dfg/DFGStrengthReductionPhase.cpp:
(JSC::DFG::StrengthReductionPhase::handleNode):
* Source/JavaScriptCore/ftl/FTLCapabilities.cpp:
(JSC::FTL::canCompile):
* Source/JavaScriptCore/ftl/FTLLowerDFGToB3.cpp:
(JSC::FTL::DFG::LowerDFGToB3::compileNode):
(JSC::FTL::DFG::LowerDFGToB3::compileCompareStrictEq):
* Source/JavaScriptCore/jit/AssemblyHelpers.cpp:
(JSC::AssemblyHelpers::hasMegamorphicProperty):
* Source/JavaScriptCore/jit/AssemblyHelpers.h:
* Source/JavaScriptCore/jit/JITOperations.cpp:
(JSC::inByIdMegamorphic):
(JSC::JSC_DEFINE_JIT_OPERATION):
(JSC::inByValMegamorphic):
* Source/JavaScriptCore/jit/JITOperations.h:
* Source/JavaScriptCore/runtime/MegamorphicCache.cpp:
(JSC::MegamorphicCache::age):
(JSC::MegamorphicCache::clearEntries):
* Source/JavaScriptCore/runtime/MegamorphicCache.h:
(JSC::MegamorphicCache::HasEntry::offsetOfUid):
(JSC::MegamorphicCache::HasEntry::offsetOfStructureID):
(JSC::MegamorphicCache::HasEntry::offsetOfEpoch):
(JSC::MegamorphicCache::HasEntry::offsetOfResult):
(JSC::MegamorphicCache::HasEntry::init):
(JSC::MegamorphicCache::offsetOfHasCachePrimaryEntries):
(JSC::MegamorphicCache::offsetOfHasCacheSecondaryEntries):
(JSC::MegamorphicCache::hasCachePrimaryHash):
(JSC::MegamorphicCache::hasCacheSecondaryHash):
(JSC::MegamorphicCache::initAsHasHit):
(JSC::MegamorphicCache::initAsHasMiss):
Canonical link: https://commits.webkit.org/274687@main
_______________________________________________
webkit-changes mailing list
[email protected]
https://lists.webkit.org/mailman/listinfo/webkit-changes
