Title: [113557] trunk/Source/_javascript_Core
- Revision
- 113557
- Author
- [email protected]
- Date
- 2012-04-09 00:48:08 -0700 (Mon, 09 Apr 2012)
Log Message
DFG should not load the property storage if it is inline.
https://bugs.webkit.org/show_bug.cgi?id=83455
Reviewed by Gavin Barraclough.
We had previously decided to have all property storage accesses go through
the property storage pointer even if they don't "really" have to, because
we were thinking this would help GC barriers somehow. Well, we never ended
up doing anything with that. Hence, doing these wasted loads of the
property storage pointer when the storage is inline is just a waste of CPU
cycles.
This change makes the DFG's inline property accesses (GetByOffset and
PutByOffset) go directly to the inline property storage if the structure(s)
tell us that it's OK.
This looks like an across-the-board 1% win.
* bytecode/StructureSet.h:
(JSC):
(JSC::StructureSet::allAreUsingInlinePropertyStorage):
(StructureSet):
* dfg/DFGByteCodeParser.cpp:
(JSC::DFG::ByteCodeParser::parseBlock):
* dfg/DFGSpeculativeJIT.cpp:
(JSC::DFG::SpeculativeJIT::fillStorage):
Modified Paths
Diff
Modified: trunk/Source/_javascript_Core/ChangeLog (113556 => 113557)
--- trunk/Source/_javascript_Core/ChangeLog 2012-04-09 05:25:55 UTC (rev 113556)
+++ trunk/Source/_javascript_Core/ChangeLog 2012-04-09 07:48:08 UTC (rev 113557)
@@ -1,5 +1,34 @@
2012-04-08 Filip Pizlo <[email protected]>
+ DFG should not load the property storage if it is inline.
+ https://bugs.webkit.org/show_bug.cgi?id=83455
+
+ Reviewed by Gavin Barraclough.
+
+ We had previously decided to have all property storage accesses go through
+ the property storage pointer even if they don't "really" have to, because
+ we were thinking this would help GC barriers somehow. Well, we never ended
+ up doing anything with that. Hence, doing these wasted loads of the
+ property storage pointer when the storage is inline is just a waste of CPU
+ cycles.
+
+ This change makes the DFG's inline property accesses (GetByOffset and
+ PutByOffset) go directly to the inline property storage if the structure(s)
+ tell us that it's OK.
+
+ This looks like an across-the-board 1% win.
+
+ * bytecode/StructureSet.h:
+ (JSC):
+ (JSC::StructureSet::allAreUsingInlinePropertyStorage):
+ (StructureSet):
+ * dfg/DFGByteCodeParser.cpp:
+ (JSC::DFG::ByteCodeParser::parseBlock):
+ * dfg/DFGSpeculativeJIT.cpp:
+ (JSC::DFG::SpeculativeJIT::fillStorage):
+
+2012-04-08 Filip Pizlo <[email protected]>
+
Command-line jsc's exception handling should be rationalized
https://bugs.webkit.org/show_bug.cgi?id=83437
Modified: trunk/Source/_javascript_Core/bytecode/StructureSet.h (113556 => 113557)
--- trunk/Source/_javascript_Core/bytecode/StructureSet.h 2012-04-09 05:25:55 UTC (rev 113556)
+++ trunk/Source/_javascript_Core/bytecode/StructureSet.h 2012-04-09 07:48:08 UTC (rev 113557)
@@ -27,13 +27,12 @@
#define StructureSet_h
#include "PredictedType.h"
+#include "Structure.h"
#include <stdio.h>
#include <wtf/Vector.h>
namespace JSC {
-class Structure;
-
namespace DFG {
class StructureAbstractValue;
}
@@ -107,6 +106,15 @@
size_t size() const { return m_structures.size(); }
+ bool allAreUsingInlinePropertyStorage() const
+ {
+ for (size_t i = 0; i < m_structures.size(); ++i) {
+ if (!m_structures[i]->isUsingInlineStorage())
+ return false;
+ }
+ return true;
+ }
+
Structure* at(size_t i) const { return m_structures.at(i); }
Structure* operator[](size_t i) const { return at(i); }
Modified: trunk/Source/_javascript_Core/dfg/DFGByteCodeParser.cpp (113556 => 113557)
--- trunk/Source/_javascript_Core/dfg/DFGByteCodeParser.cpp 2012-04-09 05:25:55 UTC (rev 113556)
+++ trunk/Source/_javascript_Core/dfg/DFGByteCodeParser.cpp 2012-04-09 07:48:08 UTC (rev 113557)
@@ -1881,10 +1881,20 @@
addToGraph(ForceOSRExit);
addToGraph(CheckStructure, OpInfo(m_graph.addStructureSet(getByIdStatus.structureSet())), base);
- set(currentInstruction[1].u.operand, addToGraph(GetByOffset, OpInfo(m_graph.m_storageAccessData.size()), OpInfo(prediction), addToGraph(GetPropertyStorage, base)));
+ NodeIndex propertyStorage;
+ size_t offsetOffset;
+ if (getByIdStatus.structureSet().allAreUsingInlinePropertyStorage()) {
+ propertyStorage = base;
+ ASSERT(!(sizeof(JSObject) % sizeof(EncodedJSValue)));
+ offsetOffset = sizeof(JSObject) / sizeof(EncodedJSValue);
+ } else {
+ propertyStorage = addToGraph(GetPropertyStorage, base);
+ offsetOffset = 0;
+ }
+ set(currentInstruction[1].u.operand, addToGraph(GetByOffset, OpInfo(m_graph.m_storageAccessData.size()), OpInfo(prediction), propertyStorage));
StorageAccessData storageAccessData;
- storageAccessData.offset = getByIdStatus.offset();
+ storageAccessData.offset = getByIdStatus.offset() + offsetOffset;
storageAccessData.identifierNumber = identifierNumber;
m_graph.m_storageAccessData.append(storageAccessData);
} else
Modified: trunk/Source/_javascript_Core/dfg/DFGSpeculativeJIT.cpp (113556 => 113557)
--- trunk/Source/_javascript_Core/dfg/DFGSpeculativeJIT.cpp 2012-04-09 05:25:55 UTC (rev 113556)
+++ trunk/Source/_javascript_Core/dfg/DFGSpeculativeJIT.cpp 2012-04-09 07:48:08 UTC (rev 113557)
@@ -68,12 +68,26 @@
return gpr;
}
- case DataFormatStorage: {
+ case DataFormatStorage:
+ case DataFormatCell: {
GPRReg gpr = info.gpr();
m_gprs.lock(gpr);
return gpr;
}
+ case DataFormatJS:
+ case DataFormatJSCell: {
+#if USE(JSVALUE64)
+ GPRReg gpr = info.gpr();
+ m_gprs.lock(gpr);
+ return gpr;
+#else
+ GPRReg gpr = info.payloadGPR();
+ m_gprs.lock(gpr);
+ return gpr;
+#endif
+ }
+
default:
ASSERT_NOT_REACHED();
}
_______________________________________________
webkit-changes mailing list
[email protected]
http://lists.webkit.org/mailman/listinfo.cgi/webkit-changes
