Branch: refs/heads/main
  Home:   https://github.com/WebKit/WebKit
  Commit: c3b478c1983f5de5b1b216aa888ca5b47c738ac3
      
https://github.com/WebKit/WebKit/commit/c3b478c1983f5de5b1b216aa888ca5b47c738ac3
  Author: Keith Miller <keith_mil...@apple.com>
  Date:   2025-09-17 (Wed, 17 Sep 2025)

  Changed paths:
    A JSTests/stress/array-allocation-elimination-closure-capture.js
    A JSTests/stress/array-allocation-elimination-conditional-usage.js
    A JSTests/stress/array-allocation-elimination-cross-function.js
    A JSTests/stress/array-allocation-elimination-loop-unroll-materialize-at-osr.js
    A JSTests/stress/array-allocation-sink-with-osr-exit-materialization.js
    A JSTests/stress/array-sink-osr-materialization-self-reference-in-butterfly.js
    A JSTests/stress/array-sink-osr-materialization.js
    M Source/JavaScriptCore/dfg/DFGAbstractInterpreterInlines.h
    M Source/JavaScriptCore/dfg/DFGBackwardsPropagationPhase.cpp
    M Source/JavaScriptCore/dfg/DFGClobberize.h
    M Source/JavaScriptCore/dfg/DFGCloneHelper.h
    M Source/JavaScriptCore/dfg/DFGConstantFoldingPhase.cpp
    M Source/JavaScriptCore/dfg/DFGDoesGC.cpp
    M Source/JavaScriptCore/dfg/DFGFixupPhase.cpp
    M Source/JavaScriptCore/dfg/DFGLoopUnrollingPhase.cpp
    M Source/JavaScriptCore/dfg/DFGMayExit.cpp
    M Source/JavaScriptCore/dfg/DFGNode.cpp
    M Source/JavaScriptCore/dfg/DFGNode.h
    M Source/JavaScriptCore/dfg/DFGNodeType.h
    M Source/JavaScriptCore/dfg/DFGObjectAllocationSinkingPhase.cpp
    M Source/JavaScriptCore/dfg/DFGObjectMaterializationData.h
    M Source/JavaScriptCore/dfg/DFGOperations.cpp
    M Source/JavaScriptCore/dfg/DFGOperations.h
    M Source/JavaScriptCore/dfg/DFGPredictionPropagationPhase.cpp
    M Source/JavaScriptCore/dfg/DFGPromotedHeapLocation.h
    M Source/JavaScriptCore/dfg/DFGSafeToExecute.h
    M Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp
    M Source/JavaScriptCore/dfg/DFGSpeculativeJIT.h
    M Source/JavaScriptCore/dfg/DFGSpeculativeJIT32_64.cpp
    M Source/JavaScriptCore/dfg/DFGSpeculativeJIT64.cpp
    M Source/JavaScriptCore/dfg/DFGStoreBarrierInsertionPhase.cpp
    M Source/JavaScriptCore/dfg/DFGUseKind.h
    M Source/JavaScriptCore/dfg/DFGValidate.cpp
    M Source/JavaScriptCore/ftl/FTLCapabilities.cpp
    M Source/JavaScriptCore/ftl/FTLExitTimeObjectMaterialization.cpp
    M Source/JavaScriptCore/ftl/FTLExitTimeObjectMaterialization.h
    M Source/JavaScriptCore/ftl/FTLLowerDFGToB3.cpp
    M Source/JavaScriptCore/ftl/FTLOperations.cpp
    M Source/JavaScriptCore/ftl/FTLOperations.h
    M Source/JavaScriptCore/runtime/IndexingType.cpp
    M Source/JavaScriptCore/runtime/IndexingType.h

  Log Message:
  -----------
  Array allocation sinking should split allocations into two, an Array allocation and a Butterfly allocation
rdar://159207754
https://bugs.webkit.org/show_bug.cgi?id=298606

Reviewed by Yusuke Suzuki.

This patch minorly rearchitects how we do Array allocation sinking in DFG. Previously we tried to model Arrays in ObjectAllocationSinking as two allocations: one where the actual Array was allocated and a "Butterfly" at each `GetButterfly`. This meant that there was now a reverse data dependency between the GetButterfly and the Array allocation Nodes. This was a little unintuitive but also meant that any control flow that would merge two `GetButterfly`s would escape the Array.

This PR simplifies things by more directly representing the heap in ObjectAllocationSinking. There are now two nodes that get sunk when sinking an Array: NewButterflyWithSize and NewArrayWithButterfly. All the indexed properties and the Butterfly's location are stored on the NewArrayWithButterfly's Allocation. The NewButterflyWithSize only contains the Array's length. If we ever wanted to extend Array allocation sinking to support out of bounds stores we'd have to teach `handleNode` how to deal with writes to multiple allocations.

Originally I had all the indexed properties and the length stored on the LocalHeap of NewButterflyWithSize, and NewArrayWithButterfly's LocalHeap only contained the butterfly. But I realized that we crash while trying to materialize a phantom array that contains itself or another newly materialized object that's in a cycle. This is because we have to materialize the pointer as a PutByVal. We can't emit this PutByVal without the Array since we need to write barrier after the store.

Overall, this change is perf neutral or maybe a slight progression on JetStream 3.

Canonical link: https://commits.webkit.org/300129@main
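
An added illustration, not part of the commit or its JSTests, of the JavaScript shapes the commit message is talking about: an array that never escapes (fully sunk), an array that escapes only on a cold path (materialized at that point), and an array that contains itself (the cycle case that forced the indexed properties onto the NewArrayWithButterfly allocation, since the self-pointer has to be stored with a PutByVal that needs the materialized Array for its write barrier). The function names and the warm-up loop are this example's own; in a JSC shell you would run the same functions under the DFG/FTL, but the code below needs nothing engine-specific and acts as its own oracle: the results must be identical whether or not sinking happens.

```javascript
// Added example (not from the WebKit patch). Each function is a pattern the
// array allocation sinking phase targets; runStress() checks every result
// against plain arithmetic, so a mis-materialization would show up as false.

// Case 1: the array never escapes. After sinking, neither the Array nor its
// Butterfly is allocated on the hot path.
function sumOfLocalArray(a, b) {
    const arr = [a, b, a + b];
    return arr[0] + arr[1] + arr[2];
}

// Case 2: conditional escape. The array is sunk on the common path and must be
// materialized (Array plus Butterfly, then the stores) only when `escape` is true.
function conditionalEscape(x, escape) {
    const arr = [x, x * 2];
    if (escape)
        return arr;
    return arr[0] + arr[1];
}

// Case 3: a cycle. arr[1] points at arr itself. Materializing it means creating
// the Array first and then storing the self-pointer with a barriered PutByVal,
// which is why the indexed properties live on the Array's allocation.
function selfReferencing(x, escape) {
    const arr = [x, null];
    arr[1] = arr;
    if (escape)
        return arr;
    return arr[1][0];   // reads through the cycle without escaping the array
}

// Warm-up loop to give a tiering JIT the chance to optimize, then exercise the
// rare paths once, which is where an OSR exit would materialize the arrays.
function runStress(iterations) {
    let ok = true;
    for (let i = 0; i < iterations; i++) {
        if (sumOfLocalArray(i, 1) !== 2 * i + 2) ok = false;
        if (conditionalEscape(i, false) !== 3 * i) ok = false;
        if (selfReferencing(i, false) !== i) ok = false;
    }
    const escaped = conditionalEscape(7, true);
    if (!Array.isArray(escaped) || escaped[0] !== 7 || escaped[1] !== 14) ok = false;
    const cyclic = selfReferencing(7, true);
    if (cyclic[1] !== cyclic || cyclic[0] !== 7) ok = false;
    return ok;
}
```

The useful property of such a test is that it has no engine-specific expectations: the same assertions hold in the interpreter, in the baseline JIT and in the optimizing tiers, so a wrong materialization order (for instance storing the self-pointer before the Array exists) fails the cyclic check rather than silently corrupting the heap.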

_______________________________________________
webkit-changes mailing list
webkit-changes@lists.webkit.org
https://lists.webkit.org/mailman/listinfo/webkit-changes