[webkit-changes] [WebKit/WebKit] 286e7d: [JSC] Constant fold Prototype chain access from AI...

Mon, 23 Jun 2025 04:53:14 -0700 

  Branch: refs/heads/main
  Home:   https://github.com/WebKit/WebKit
  Commit: 286e7d3bbd1fe44491e050d18d0cedf73f39be52
      
https://github.com/WebKit/WebKit/commit/286e7d3bbd1fe44491e050d18d0cedf73f39be52
  Author: Yusuke Suzuki <[email protected]>
  Date:   2025-06-22 (Sun, 22 Jun 2025)

  Changed paths:
    M 
Source/JavaScriptCore/SaferCPPExpectations/UncountedCallArgsCheckerExpectations
    M Source/JavaScriptCore/bytecode/GetByStatus.cpp
    M Source/JavaScriptCore/bytecode/GetByStatus.h
    M Source/JavaScriptCore/bytecode/ObjectPropertyConditionSet.cpp
    M Source/JavaScriptCore/bytecode/ObjectPropertyConditionSet.h
    M Source/JavaScriptCore/dfg/DFGAbstractInterpreterInlines.h
    M Source/JavaScriptCore/dfg/DFGByteCodeParser.cpp
    M Source/JavaScriptCore/dfg/DFGConstantFoldingPhase.cpp
    M Source/JavaScriptCore/dfg/DFGGraph.cpp
    M Source/JavaScriptCore/dfg/DFGGraph.h

  Log Message:
  -----------
  [JSC] Constant fold Prototype chain access from AI via 
ObjectPropertyConditionSet
https://bugs.webkit.org/show_bug.cgi?id=294820
rdar://154048764

Reviewed by Yijia Huang.

Previously we only support own property folding for StructureSet &
Identifier folding in AI. But this patch extends this a bit so that we
can handle some prototype property foldings as a constant only when,

1. We only have one structure for the target
2. We are hitting a property
3. The property can be folded into a constant via equivalent object
   property condition.

This can cover many cases as typically they will become an access to
prototype object's properties (like methods etc.). They are constant,
and already watched in somewhere.

* Source/JavaScriptCore/bytecode/GetByStatus.cpp:
(JSC::GetByStatus::computeFor):
* Source/JavaScriptCore/bytecode/GetByStatus.h:
* Source/JavaScriptCore/bytecode/ObjectPropertyConditionSet.cpp:
(JSC::generateConditionsForPrototypePropertyHitConcurrently):
(JSC::generateConditionsForPropertyMissConcurrently):
* Source/JavaScriptCore/bytecode/ObjectPropertyConditionSet.h:
* Source/JavaScriptCore/dfg/DFGAbstractInterpreterInlines.h:
(JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
* Source/JavaScriptCore/dfg/DFGByteCodeParser.cpp:
(JSC::DFG::ByteCodeParser::planLoad):
(JSC::DFG::ByteCodeParser::parseBlock):
(JSC::DFG::ByteCodeParser::promoteToConstant): Deleted.
* Source/JavaScriptCore/dfg/DFGConstantFoldingPhase.cpp:
(JSC::DFG::ConstantFoldingPhase::foldConstants):
* Source/JavaScriptCore/dfg/DFGGraph.cpp:
(JSC::DFG::Graph::promoteToConstant):
* Source/JavaScriptCore/dfg/DFGGraph.h:

Canonical link: https://commits.webkit.org/296499@main



To unsubscribe from these emails, change your notification settings at 
https://github.com/WebKit/WebKit/settings/notifications
_______________________________________________
webkit-changes mailing list
[email protected]
https://lists.webkit.org/mailman/listinfo/webkit-changes

Reply via email to