Branch: refs/heads/main
  Home:   https://github.com/WebKit/WebKit
  Commit: de77ddb828e1bb4c9ccd13bf96819e1268f28deb
      
https://github.com/WebKit/WebKit/commit/de77ddb828e1bb4c9ccd13bf96819e1268f28deb
  Author: Yusuke Suzuki <[email protected]>
  Date:   2024-04-04 (Thu, 04 Apr 2024)

  Changed paths:
    A JSTests/microbenchmarks/uint8-clamped-array-out-of-bounds.js
    A JSTests/stress/typed-array-out-of-bounds.js
    M Source/JavaScriptCore/dfg/DFGAbstractInterpreterInlines.h
    M Source/JavaScriptCore/dfg/DFGArrayMode.cpp
    M Source/JavaScriptCore/dfg/DFGClobberize.h
    M Source/JavaScriptCore/dfg/DFGFixupPhase.cpp
    M Source/JavaScriptCore/dfg/DFGPredictionPropagationPhase.cpp
    M Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp
    M Source/JavaScriptCore/dfg/DFGSpeculativeJIT.h
    M Source/JavaScriptCore/dfg/DFGSpeculativeJIT64.cpp
    M Source/JavaScriptCore/ftl/FTLLowerDFGToB3.cpp

  Log Message:
  -----------
  [JSC] Handle OutOfBounds GetByVal of TypedArray
https://bugs.webkit.org/show_bug.cgi?id=272107
rdar://problem/125863449

Reviewed by Justin Michaud.

Previously, DFG / FTL were not tolerant of OutOfBounds access to TypedArray: whenever we encountered this, we did an OSR exit.
But this is not so great, and we should make it work well since there are legit cases which do OutOfBounds access to TypedArray.

This patch integrates OutOfBounds GetByVal access to TypedArray, which is similar to what we have for the other arrays.
Based on ArrayProfile information, we annotate DFG::ArrayMode with OutOfBounds. And then DFG / FTL handle this case gracefully.
The InBounds case is still fastest since we can put a strong type prediction / invariant on the returned value too. But still, OutOfBounds handling is better than just doing OSR exit repeatedly.
One of the interesting aspects is that TypedArray does not propagate OutOfBounds access to [[Prototype]], which is specified in the spec.
As a result, we can say that the result is `undefined` when OutOfBounds access happens, which makes the slow path case significantly simpler.

                                              ToT                     Patched

    uint8-clamped-array-out-of-bounds       18.8348+-0.0251     ^     1.3021+-0.0190        ^ definitely 14.4654x faster

* Source/JavaScriptCore/dfg/DFGAbstractInterpreterInlines.h:
(JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
* Source/JavaScriptCore/dfg/DFGArrayMode.cpp:
(JSC::DFG::ArrayMode::refine const):
* Source/JavaScriptCore/dfg/DFGClobberize.h:
(JSC::DFG::clobberize):
* Source/JavaScriptCore/dfg/DFGFixupPhase.cpp:
(JSC::DFG::FixupPhase::fixupNode):
* Source/JavaScriptCore/dfg/DFGPredictionPropagationPhase.cpp:
* Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp:
(JSC::DFG::SpeculativeJIT::setIntTypedArrayLoadResult):
(JSC::DFG::SpeculativeJIT::compileGetByValOnIntTypedArray):
(JSC::DFG::SpeculativeJIT::emitTypedArrayBoundsCheck): Deleted.
* Source/JavaScriptCore/dfg/DFGSpeculativeJIT.h:
* Source/JavaScriptCore/dfg/DFGSpeculativeJIT64.cpp:
(JSC::DFG::SpeculativeJIT::compile):
* Source/JavaScriptCore/ftl/FTLLowerDFGToB3.cpp:
(JSC::FTL::DFG::LowerDFGToB3::compileGetByValImpl):

Canonical link: https://commits.webkit.org/277050@main
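The spec behaviour the commit message leans on (an out-of-bounds TypedArray read yields `undefined` and never consults `[[Prototype]]`, unlike a hole in a plain Array) can be observed from plain JavaScript. The following is an added example written for this page; it is not the commit's own JSTests code. All inputs are constructed, and the `probeOutOfBounds` / `countOutOfBoundsReads` names are the example's own.

```javascript
// Added example, not code from the WebKit commit or its JSTests. It shows why the
// DFG/FTL slow path can simply produce `undefined`: TypedArray [[Get]] with a
// canonical numeric key that is not a valid integer index stops without a
// prototype walk, whereas a plain Array hole falls through to Array.prototype.

function probeOutOfBounds() {
  const plain = [1, 2, 3];                         // constructed input
  const typed = new Uint8ClampedArray([1, 2, 3]);  // constructed input
  const idx = 5;                                   // past the end of both

  // Put a value at that index on both prototypes so the difference is visible.
  Object.defineProperty(Array.prototype, idx,
    { value: "array-proto", configurable: true });
  Object.defineProperty(Uint8ClampedArray.prototype, idx,
    { value: "typed-proto", configurable: true });
  try {
    const result = {
      plainRead: plain[idx],              // "array-proto": hole reaches the prototype
      typedRead: typed[idx],              // undefined: integer-indexed [[Get]] stops here
      typedAtLength: typed[typed.length], // undefined: index === length is out of bounds
      typedNegative: typed[-1],           // undefined: "-1" is a canonical numeric key
      typedFractional: typed[1.5],        // undefined: not an integer index
    };
    // An out-of-bounds write is dropped as well; no own property is created.
    typed[idx] = 42;
    result.typedWriteIgnored = typed[idx] === undefined && typed.length === 3;
    return result;
  } finally {
    // Leave the built-in prototypes as we found them.
    delete Array.prototype[idx];
    delete Uint8ClampedArray.prototype[idx];
  }
}

// A hot loop in the shape of the commit's microbenchmark: half of the reads land
// past the end. Because every miss is just `undefined`, the loop can stay in
// JIT code instead of OSR-exiting on each out-of-bounds access.
function countOutOfBoundsReads(length, iterations) {
  const arr = new Uint8ClampedArray(length);       // constructed input
  let misses = 0;
  for (let i = 0; i < iterations; i++) {
    // i % (2 * length) is in [0, 2*length); indices >= length are out of bounds.
    if (arr[i % (2 * length)] === undefined) misses++;
  }
  return misses;
}
```

`probeOutOfBounds()` returns `"array-proto"` for the plain Array read and `undefined` for every TypedArray case, which is exactly the invariant that lets the patched slow path skip the prototype chain. The write check matters for the same reason: since no own property can appear past the end, a later in-bounds load cannot observe anything the JIT did not predict.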

_______________________________________________
webkit-changes mailing list
[email protected]
https://lists.webkit.org/mailman/listinfo/webkit-changes
