Branch: refs/heads/main
  Home:   https://github.com/WebKit/WebKit
  Commit: ed2c12887fd00128e9bc57bc4fc5747b3c915141
      
https://github.com/WebKit/WebKit/commit/ed2c12887fd00128e9bc57bc4fc5747b3c915141
  Author: Yusuke Suzuki <[email protected]>
  Date:   2024-04-06 (Sat, 06 Apr 2024)

  Changed paths:
    M Source/JavaScriptCore/assembler/JITOperationList.cpp
    M Source/JavaScriptCore/bytecode/BytecodeList.rb
    M Source/JavaScriptCore/bytecode/BytecodeUseDef.cpp
    M Source/JavaScriptCore/bytecode/CodeBlock.cpp
    M Source/JavaScriptCore/bytecode/GetByIdMetadata.h
    M Source/JavaScriptCore/bytecode/GetByStatus.cpp
    M Source/JavaScriptCore/bytecode/LLIntPrototypeLoadAdaptiveStructureWatchpoint.cpp
    M Source/JavaScriptCore/bytecode/Opcode.h
    M Source/JavaScriptCore/bytecode/UnlinkedCodeBlock.cpp
    M Source/JavaScriptCore/bytecompiler/BytecodeGenerator.cpp
    M Source/JavaScriptCore/dfg/DFGByteCodeParser.cpp
    M Source/JavaScriptCore/dfg/DFGOSRExit.cpp
    M Source/JavaScriptCore/dfg/DFGOSRExitCompilerCommon.cpp
    M Source/JavaScriptCore/ftl/FTLOSRExitCompiler.cpp
    M Source/JavaScriptCore/jit/JIT.cpp
    M Source/JavaScriptCore/jit/JIT.h
    M Source/JavaScriptCore/jit/JITPropertyAccess.cpp
    M Source/JavaScriptCore/llint/LLIntSlowPaths.cpp
    M Source/JavaScriptCore/llint/LLIntSlowPaths.h
    M Source/JavaScriptCore/llint/LLIntThunks.cpp
    M Source/JavaScriptCore/llint/LowLevelInterpreter.asm
    M Source/JavaScriptCore/llint/LowLevelInterpreter32_64.asm
    M Source/JavaScriptCore/llint/LowLevelInterpreter64.asm
    M Source/JavaScriptCore/runtime/FileBasedFuzzerAgent.cpp
    M Source/JavaScriptCore/runtime/PredictionFileCreatingFuzzerAgent.cpp

  Log Message:
  -----------
  [JSC] Introduce op_get_length
https://bugs.webkit.org/show_bug.cgi?id=272271
rdar://126009739

Reviewed by Alexey Shvayka.

We found a very silly performance bug: we are getting ArrayProfile from GetById's metadata in DFG. But this metadata gets updated only from LLInt. So we end up not getting this profile data very well in some cases, leading to very bad code generation.

The fundamental problem is that we are doing a bit of a weird ArrayProfile for GetById. Since we care about it only when it is a "length" property access and we know get_by_id's id at bytecode compile time, we should have a specific bytecode which always gets an ArrayProfile.

In this patch, we introduce op_get_length. This is the "length" version of get_by_id. It additionally holds an ArrayProfile, and LLInt / BaselineJIT / upper tiers always update this properly. Furthermore, iterating ArrayProfile gets further simplified and faster because now we do not need to iterate GetById's metadata: we only need to iterate GetLength's metadata. Also, op_get_length's size is smaller than op_get_by_id's since we don't embed the "length" id number.

* Source/JavaScriptCore/assembler/JITOperationList.cpp:
(JSC::llintOperations):
* Source/JavaScriptCore/bytecode/BytecodeList.rb:
* Source/JavaScriptCore/bytecode/BytecodeUseDef.cpp:
(JSC::computeUsesForBytecodeIndexImpl):
(JSC::computeDefsForBytecodeIndexImpl):
* Source/JavaScriptCore/bytecode/CodeBlock.cpp:
(JSC::CodeBlock::finishCreation):
(JSC::CodeBlock::finalizeLLIntInlineCaches):
(JSC::CodeBlock::getArrayProfile):
(JSC::CodeBlock::updateAllArrayProfilePredictions):
* Source/JavaScriptCore/bytecode/GetByIdMetadata.h:
(JSC::GetByIdModeMetadata::setArrayLengthMode):
(JSC::GetByIdModeMetadataArrayLength::offsetOfArrayProfile): Deleted.
* Source/JavaScriptCore/bytecode/GetByStatus.cpp:
(JSC::GetByStatus::computeFromLLInt):
* Source/JavaScriptCore/bytecode/LLIntPrototypeLoadAdaptiveStructureWatchpoint.cpp:
(JSC::LLIntPrototypeLoadAdaptiveStructureWatchpoint::fireInternal):
* Source/JavaScriptCore/bytecode/Opcode.h:
* Source/JavaScriptCore/bytecode/UnlinkedCodeBlock.cpp:
(JSC::UnlinkedCodeBlock::allocateSharedProfiles):
* Source/JavaScriptCore/bytecompiler/BytecodeGenerator.cpp:
(JSC::BytecodeGenerator::emitGetById):
* Source/JavaScriptCore/dfg/DFGByteCodeParser.cpp:
(JSC::DFG::ByteCodeParser::parseGetById):
(JSC::DFG::ByteCodeParser::parseBlock):
* Source/JavaScriptCore/dfg/DFGOSRExit.cpp:
(JSC::DFG::OSRExit::compileExit):
* Source/JavaScriptCore/dfg/DFGOSRExitCompilerCommon.cpp:
(JSC::DFG::callerReturnPC):
* Source/JavaScriptCore/ftl/FTLOSRExitCompiler.cpp:
(JSC::FTL::compileStub):
* Source/JavaScriptCore/jit/JIT.cpp:
(JSC::JIT::privateCompileMainPass):
(JSC::JIT::privateCompileSlowCases):
* Source/JavaScriptCore/jit/JIT.h:
* Source/JavaScriptCore/jit/JITPropertyAccess.cpp:
(JSC::JIT::emit_op_get_by_id):
(JSC::JIT::emit_op_get_length):
(JSC::JIT::emitSlow_op_get_length):
* Source/JavaScriptCore/llint/LLIntSlowPaths.cpp:
(JSC::LLInt::performLLIntGetByID):
(JSC::LLInt::LLINT_SLOW_PATH_DECL):
* Source/JavaScriptCore/llint/LLIntSlowPaths.h:
* Source/JavaScriptCore/llint/LLIntThunks.cpp:
(JSC::LLInt::returnLocationThunk):
* Source/JavaScriptCore/llint/LowLevelInterpreter.asm:
* Source/JavaScriptCore/llint/LowLevelInterpreter32_64.asm:
* Source/JavaScriptCore/llint/LowLevelInterpreter64.asm:
* Source/JavaScriptCore/runtime/FileBasedFuzzerAgent.cpp:
(JSC::FileBasedFuzzerAgent::getPredictionInternal):
* Source/JavaScriptCore/runtime/PredictionFileCreatingFuzzerAgent.cpp:
(JSC::PredictionFileCreatingFuzzerAgent::getPredictionInternal):

Canonical link: https://commits.webkit.org/277165@main

_______________________________________________
webkit-changes mailing list
[email protected]
https://lists.webkit.org/mailman/listinfo/webkit-changes
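The commit above moves "length" loads onto a dedicated bytecode that always carries an ArrayProfile. The following is an added example, not part of the WebKit commit or the JSC test suite: a small JavaScript harness that drives one shared `.length` access site with receivers whose "length" has different semantics (Array, TypedArray, string, arguments, own data property, accessor, inherited property, missing property, holey array), warms the site up, mutates receivers afterwards, and compares every result against `Reflect.get` as the reference [[Get]] semantics. The function names (`readLength`, `exercise`, `mismatches`) and the receiver set are this example's own choices; it assumes an ES2015+ engine (Node or a browser console) and does not depend on any engine-internal API.

```javascript
'use strict';

// Added example harness for a "length" access site; not WebKit code.
// One shared access site: every receiver's length is read here, so a
// profiling engine sees the full mix of receiver shapes at this one site.
function readLength(receiver) {
  return receiver.length;
}

// Receivers whose "length" has different semantics. All constructed here
// for the example; values are chosen so each kind is distinguishable.
function makeReceivers() {
  const withGetter = {};
  Object.defineProperty(withGetter, 'length', {
    get() { return 42; },                 // accessor, not a data property
  });
  function args() { return arguments; }
  const holey = [];
  holey[99] = 1;                          // length 100, only one element
  return {
    array: [1, 2, 3],                     // Array: own, specially handled length
    typed: new Uint8Array(16),            // TypedArray: getter on the prototype
    string: 'hello',                      // primitive string, length 5
    args: args(1, 2),                     // arguments object, length 2
    plainOwn: { length: 7 },              // ordinary own data property
    getter: withGetter,                   // accessor on the receiver itself
    proto: Object.create({ length: 9 }),  // inherited data property
    none: { x: 1 },                       // no length at all -> undefined
    sparse: holey,                        // holey array, length 100
  };
}

// Reference value computed without going through readLength: Reflect.get
// performs [[Get]] on an object; primitives are boxed first.
function referenceLength(receiver) {
  return Reflect.get(Object(receiver), 'length');
}

// Drive the access site many times, interleaving receiver kinds so any
// per-site profile observes all of them, then mutate receivers after the
// warm-up: a correct engine must not serve stale lengths from a cache.
function exercise(iterations = 2000) {
  const receivers = makeReceivers();
  const keys = Object.keys(receivers);
  const observed = {};
  for (let i = 0; i < iterations; i++) {
    const key = keys[i % keys.length];
    observed[key] = readLength(receivers[key]);
  }
  receivers.array.push(4);
  observed.arrayAfterPush = readLength(receivers.array);
  receivers.plainOwn.length = 8;
  observed.plainOwnAfterWrite = readLength(receivers.plainOwn);
  return observed;
}

// Compare each receiver kind against the reference semantics; an empty
// result means the access site agreed with [[Get]] for every kind.
function mismatches() {
  const bad = [];
  for (const [key, r] of Object.entries(makeReceivers())) {
    const got = readLength(r);
    const want = referenceLength(r);
    if (!Object.is(got, want)) bad.push({ key, got, want });
  }
  return bad;
}
```

Run `exercise()` in a loop from a shell such as `jsc` or `node` to warm the site through the interpreter and JIT tiers; `mismatches()` should stay empty before and after warm-up, which is the property a change to how "length" loads are profiled must preserve.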