[webkit-changes] [WebKit/WebKit] 8f662d: [JSC] Relax ArrayPush DFG optimization

Yusuke Suzuki noreply at github.com
Mon Oct 10 15:18:59 PDT 2022 

  Branch: refs/heads/main
  Home:   https://github.com/WebKit/WebKit
  Commit: 8f662d8b6ea7f62e9c04fbeb9c9cafb15c7fbd91
      https://github.com/WebKit/WebKit/commit/8f662d8b6ea7f62e9c04fbeb9c9cafb15c7fbd91
  Author: Yusuke Suzuki <ysuzuki at apple.com>
  Date:   2022-10-10 (Mon, 10 Oct 2022)

  Changed paths:
    A JSTests/stress/array-push-slow-put.js
    M Source/JavaScriptCore/dfg/DFGAbstractInterpreterInlines.h
    M Source/JavaScriptCore/dfg/DFGByteCodeParser.cpp
    M Source/JavaScriptCore/dfg/DFGFixupPhase.cpp
    M Source/JavaScriptCore/dfg/DFGOperations.cpp
    M Source/JavaScriptCore/dfg/DFGOperations.h
    M Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp
    M Source/JavaScriptCore/dfg/DFGStoreBarrierInsertionPhase.cpp
    M Source/JavaScriptCore/ftl/FTLLowerDFGToB3.cpp

  Log Message:
  -----------
  [JSC] Relax ArrayPush DFG optimization
https://bugs.webkit.org/show_bug.cgi?id=246266
rdar://100964873

Reviewed by Alexey Shvayka.

We sometimes miss ArrayPush optimization because ArrayMode type gets SelectUsingArguments, which will be converted to Contiguous etc.
at fixup phase. We optimized ArrayPush only when we know it is Int32, Double, or Contiguous at bytecode parsing phase. We should
accept the other ones since SelectUsingArguments can be converted to Int32, Double etc. shape in fixup phase.
This patch relaxes the restriction in ArrayPush optimization so that we can accept SelectUsingArguments so long as it is JSArray type.
And in fixup phase, we get the specific type. Since we can get SlowPutArrayType, we also add code handling SlowPutArrayType too in DFG and FTL.

* JSTests/stress/array-push-slow-put.js: Added.
(shouldBe):
(test):
* Source/JavaScriptCore/dfg/DFGAbstractInterpreterInlines.h:
(JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
* Source/JavaScriptCore/dfg/DFGByteCodeParser.cpp:
(JSC::DFG::ByteCodeParser::handleIntrinsicCall):
* Source/JavaScriptCore/dfg/DFGFixupPhase.cpp:
(JSC::DFG::FixupPhase::fixupNode):
* Source/JavaScriptCore/dfg/DFGOperations.cpp:
(JSC::DFG::JSC_DEFINE_JIT_OPERATION):
* Source/JavaScriptCore/dfg/DFGOperations.h:
* Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp:
* Source/JavaScriptCore/dfg/DFGStoreBarrierInsertionPhase.cpp:
* Source/JavaScriptCore/ftl/FTLLowerDFGToB3.cpp:
(JSC::FTL::DFG::LowerDFGToB3::compileArrayPush):

Canonical link: https://commits.webkit.org/255366@main

More information about the webkit-changes mailing list