Branch: refs/heads/main
Home: https://github.com/WebKit/WebKit
Commit: 570a3530f9490b5a09863d56d3726e7a1c384971
https://github.com/WebKit/WebKit/commit/570a3530f9490b5a09863d56d3726e7a1c384971
Author: Yusuke Suzuki <[email protected]>
Date: 2025-09-22 (Mon, 22 Sep 2025)
Changed paths:
M Source/JavaScriptCore/b3/B3Effects.cpp
M Source/JavaScriptCore/b3/B3Effects.h
M Source/JavaScriptCore/b3/B3EliminateCommonSubexpressions.cpp
M Source/JavaScriptCore/b3/B3MemoryValue.h
M Source/JavaScriptCore/b3/B3Value.cpp
M Source/JavaScriptCore/b3/testb3.h
M Source/JavaScriptCore/b3/testb3_1.cpp
M Source/JavaScriptCore/b3/testb3_8.cpp
M Source/JavaScriptCore/ftl/FTLAbstractHeap.cpp
M Source/JavaScriptCore/ftl/FTLAbstractHeap.h
M Source/JavaScriptCore/ftl/FTLAbstractHeapRepository.cpp
M Source/JavaScriptCore/ftl/FTLAbstractHeapRepository.h
M Source/JavaScriptCore/wasm/WasmOMGIRGenerator.cpp
Log Message:
-----------
[JSC] Add B3::Mutability and Immutable loads
https://bugs.webkit.org/show_bug.cgi?id=299223
rdar://problem/160980434
Reviewed by Yijia Huang.
This patch adds the B3::Mutability and Immutable loads concept.
Unlike a super simple C program, JS and Wasm can offer much more
semantics. One of the important things is "immutable" loads, for which
the runtime can ensure this load is producing an immutable value, and all
the following execution with the same Load will generate the same value.
This is still control dependent, but this immutable information can
allow B3 to do CSE. Let's say,

    @0: Load(@x, immutable)
    @1: CCall(...) # potentially clobber everything
    @2: Load(@x, immutable)

Without this strong guarantee, @1 can potentially clobber all heap, and
@2 can produce a different value from @0. But JS / Wasm loads are not
just a memory load, and the runtime can offer a much stronger guarantee.
For example, JSC knows StringImpl::m_length never changes. Thus, we can
replace @2 with @1 when @1 says it is an "immutable" load.

Actual implementation is teaching B3 CSE to handle immutable loads
correctly. When clobbering happens, B3 CSE will prune all potential CSE
memory values. But we keep immutable ones. So the subsequent B3 values
dominated by this value can still find this, and replace themselves with
this.

We start annotating FTL abstract heap with this Immutable information.
And many wasm's Immutable fields start getting this information (for
example, immutable wasm global value should get this annotation).
We also attach controlDependent: false flag to loads which do not rely
on the other checks.
Tests: Source/JavaScriptCore/b3/testb3_1.cpp
Source/JavaScriptCore/b3/testb3_8.cpp
* Source/JavaScriptCore/b3/B3Effects.cpp:
(JSC::B3::Effects::dump const):
* Source/JavaScriptCore/b3/B3Effects.h:
* Source/JavaScriptCore/b3/B3EliminateCommonSubexpressions.cpp:
* Source/JavaScriptCore/b3/B3MemoryValue.h:
* Source/JavaScriptCore/b3/B3Value.cpp:
(JSC::B3::Value::effects const):
* Source/JavaScriptCore/b3/testb3.h:
* Source/JavaScriptCore/b3/testb3_1.cpp:
(run):
* Source/JavaScriptCore/b3/testb3_8.cpp:
(testLoadImmutable):
* Source/JavaScriptCore/ftl/FTLAbstractHeap.cpp:
(JSC::FTL::AbstractHeap::AbstractHeap):
(JSC::FTL::AbstractHeap::shallowDump const):
* Source/JavaScriptCore/ftl/FTLAbstractHeap.h:
(JSC::FTL::AbstractHeap::initialize):
(JSC::FTL::AbstractHeap::mutability const):
* Source/JavaScriptCore/ftl/FTLAbstractHeapRepository.cpp:
(JSC::FTL::AbstractHeapRepository::AbstractHeapRepository):
(JSC::FTL::AbstractHeapRepository::computeRangesAndDecorateInstructions):
* Source/JavaScriptCore/ftl/FTLAbstractHeapRepository.h:
* Source/JavaScriptCore/wasm/WasmOMGIRGenerator.cpp:
(JSC::Wasm::OMGIRGenerator::getGlobal):
(JSC::Wasm::OMGIRGenerator::setGlobal):
(JSC::Wasm::OMGIRGenerator::emitWriteBarrier):
(JSC::Wasm::OMGIRGenerator::emitStructSet):
(JSC::Wasm::OMGIRGenerator::addArrayGet):
(JSC::Wasm::OMGIRGenerator::emitArraySetUncheckedWithoutWriteBarrier):
(JSC::Wasm::OMGIRGenerator::addArraySet):
(JSC::Wasm::OMGIRGenerator::addArrayLen):
(JSC::Wasm::OMGIRGenerator::addStructGet):
(JSC::Wasm::OMGIRGenerator::emitRefTestOrCast):
(JSC::Wasm::OMGIRGenerator::allocatorForWasmGCHeapCellSize):
(JSC::Wasm::OMGIRGenerator::allocateWasmGCArrayUninitialized):
(JSC::Wasm::OMGIRGenerator::allocateWasmGCStructUninitialized):
(JSC::Wasm::OMGIRGenerator::mutatorFence):
(JSC::Wasm::OMGIRGenerator::emitLoadRTTFromObject):
(JSC::Wasm::OMGIRGenerator::addCallIndirect):
(JSC::Wasm::OMGIRGenerator::emitNotRTTKind): Deleted.
Canonical link: https://commits.webkit.org/300327@main
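
A minimal model of the CSE rule the log message describes, added here as an example and not taken from the patch or from B3. All types and function names are hypothetical, and it handles a single straight-line block so that dominance is trivial.

```cpp
#include <cstdio>
#include <map>
#include <string>
#include <vector>

// Toy model with hypothetical names; these are not B3's real classes.
enum class Op { Load, CCall };
enum class Mutability { Mutable, Immutable };
struct Value {
    Op op;
    std::string address;   // symbolic operand, e.g. "@x"
    Mutability mutability;
    int replacedBy;        // index of the earlier load, or -1
};

// Straight-line block only, so every earlier value dominates every later one.
void eliminateRedundantLoads(std::vector<Value>& block)
{
    std::map<std::string, int> available; // address -> index of a reusable load
    for (int i = 0; i < static_cast<int>(block.size()); ++i) {
        Value& value = block[i];
        if (value.op == Op::CCall) {
            // The call may write any heap location: drop mutable loads, keep immutable ones.
            for (auto it = available.begin(); it != available.end();) {
                if (block[it->second].mutability == Mutability::Immutable) ++it;
                else it = available.erase(it);
            }
            continue;
        }
        auto found = available.find(value.address);
        if (found == available.end()) available[value.address] = i;
        else value.replacedBy = found->second;
    }
}

// Constructed input: the @0 / @1 / @2 sequence from the log message.
// Returns the index @2 was replaced by, or -1 when it had to stay.
int secondLoadReplacement(Mutability m)
{
    std::vector<Value> block = { { Op::Load, "@x", m, -1 },
        { Op::CCall, "", Mutability::Mutable, -1 }, { Op::Load, "@x", m, -1 } };
    eliminateRedundantLoads(block);
    return block[2].replacedBy;
}

int main()
{
    std::printf("mutable: %d, immutable: %d\n",
        secondLoadReplacement(Mutability::Mutable), secondLoadReplacement(Mutability::Immutable));
}
```

The replacement is sound only if nothing ever writes the location once the first load can observe it; an Immutable annotation on a field that does change would make this pass forward a stale value past the call.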