[webkit-changes] [WebKit/WebKit] b84798: [JSC] Use watchpoint set for sane chain checks

Yusuke Suzuki noreply at github.com
Mon Oct 10 16:53:45 PDT 2022


  Branch: refs/heads/main
  Home:   https://github.com/WebKit/WebKit
  Commit: b8479830cc352feac646ab33c1a9b2c074d930e2
      https://github.com/WebKit/WebKit/commit/b8479830cc352feac646ab33c1a9b2c074d930e2
  Author: Yusuke Suzuki <ysuzuki at apple.com>
  Date:   2022-10-10 (Mon, 10 Oct 2022)

  Changed paths:
    M Source/JavaScriptCore/CMakeLists.txt
    M Source/JavaScriptCore/JavaScriptCore.xcodeproj/project.pbxproj
    M Source/JavaScriptCore/bytecode/AdaptiveInferredPropertyValueWatchpointBase.h
    A Source/JavaScriptCore/bytecode/ChainedWatchpoint.h
    M Source/JavaScriptCore/bytecode/LLIntPrototypeLoadAdaptiveStructureWatchpoint.h
    M Source/JavaScriptCore/bytecode/StructureStubClearingWatchpoint.h
    M Source/JavaScriptCore/bytecode/Watchpoint.cpp
    M Source/JavaScriptCore/bytecode/Watchpoint.h
    M Source/JavaScriptCore/dfg/DFGAbstractInterpreterInlines.h
    M Source/JavaScriptCore/dfg/DFGAdaptiveStructureWatchpoint.h
    M Source/JavaScriptCore/dfg/DFGArgumentsEliminationPhase.cpp
    M Source/JavaScriptCore/dfg/DFGArrayMode.cpp
    M Source/JavaScriptCore/dfg/DFGByteCodeParser.cpp
    M Source/JavaScriptCore/dfg/DFGFixupPhase.cpp
    M Source/JavaScriptCore/dfg/DFGGraph.h
    M Source/JavaScriptCore/runtime/CachedSpecialPropertyAdaptiveStructureWatchpoint.h
    M Source/JavaScriptCore/runtime/FunctionRareData.h
    M Source/JavaScriptCore/runtime/JSGlobalObject.cpp
    M Source/JavaScriptCore/runtime/JSGlobalObject.h
    M Source/JavaScriptCore/runtime/JSGlobalObjectInlines.h
    M Source/JavaScriptCore/runtime/ObjectAdaptiveStructureWatchpoint.h
    M Source/JavaScriptCore/runtime/StructureRareDataInlines.h

  Log Message:
  -----------
  [JSC] Use watchpoint set for sane chain checks
https://bugs.webkit.org/show_bug.cgi?id=246258
rdar://100951262

Reviewed by Justin Michaud and Alexey Shvayka.

This patch changes array-prototype-is-sane-chain condition check from a bit ad hoc one to a
watchpoint based on AbsenceOfIndexedProperties ObjectPropertyCondition. This largely simplifies
the implementation of DFG using this watchpoint. We introduce ChainedWatchpoint which propagates
one watchpointset's invalidation to the other so that we can propagate Object.prototype's sane chain
condition to Array.prototype's sane chain condition. It (1) makes arrayPrototypeChainIsSane
efficient, (2) DFG's watchpoint more non-conservative (previously we were setting transition-watchpoint,
which is too conservative), and (3) this paves the way to use this JSGlobalObject tied watchpoint in uDFG.

* Source/JavaScriptCore/dfg/DFGAbstractInterpreterInlines.h:
(JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
* Source/JavaScriptCore/dfg/DFGArgumentsEliminationPhase.cpp:
* Source/JavaScriptCore/dfg/DFGArrayMode.cpp:
(JSC::DFG::ArrayMode::refine const):
* Source/JavaScriptCore/dfg/DFGByteCodeParser.cpp:
(JSC::DFG::ByteCodeParser::handleIntrinsicCall):
* Source/JavaScriptCore/dfg/DFGFixupPhase.cpp:
(JSC::DFG::FixupPhase::fixupNode):
(JSC::DFG::FixupPhase::watchSaneChain):
* Source/JavaScriptCore/dfg/DFGGraph.h:
* Source/JavaScriptCore/runtime/JSGlobalObject.cpp:
(JSC::JSGlobalObject::init):
(JSC::JSGlobalObject::installArrayPrototypeWatchpoint):
(JSC::JSGlobalObject::tryInstallArraySpeciesWatchpoint): Deleted.
* Source/JavaScriptCore/runtime/JSGlobalObject.h:
(JSC::JSGlobalObject::arrayPrototypeChainIsSaneWatchpointSet):
(JSC::JSGlobalObject::objectPrototypeChainIsSaneWatchpointSet):
* Source/JavaScriptCore/runtime/JSGlobalObjectInlines.h:
(JSC::JSGlobalObject::arrayPrototypeChainIsSane):

Canonical link: https://commits.webkit.org/255369@main
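
Added example, not code from the WebKit commit: a simplified C++ model of the chaining the log message describes, where invalidating the Object.prototype sane-chain set also invalidates the Array.prototype one, but not the reverse. WatchpointSetModel, chain, GlobalObjectModel and dependentsNotified are hypothetical names and do not reproduce JavaScriptCore's real classes.

```cpp
#include <functional>
#include <utility>
#include <vector>

// Simplified model (not JavaScriptCore code): callbacks that fire once when
// the watched condition stops holding.
class WatchpointSetModel {
public:
    bool isStillValid() const { return m_valid; }
    void add(std::function<void()> watchpoint) { m_watchpoints.push_back(std::move(watchpoint)); }
    void fireAll()
    {
        if (!m_valid)
            return; // invalidation is one-way and happens at most once
        m_valid = false;
        auto pending = std::move(m_watchpoints);
        m_watchpoints.clear();
        for (auto& watchpoint : pending)
            watchpoint();
    }
private:
    bool m_valid = true;
    std::vector<std::function<void()>> m_watchpoints;
};

// Hypothetical helper: when `from` is invalidated, invalidate `to` as well.
void chain(WatchpointSetModel& from, WatchpointSetModel& to)
{
    from.add([&to] { to.fireAll(); });
}

// Hypothetical stand-in for a global object owning both sane-chain sets.
struct GlobalObjectModel {
    WatchpointSetModel objectPrototypeChainIsSane;
    WatchpointSetModel arrayPrototypeChainIsSane;
    int dependentsNotified = 0; // stand-in for a consumer that relied on the array set

    GlobalObjectModel()
    {
        // Array.prototype's chain passes through Object.prototype, so the
        // array condition can only hold while the object condition holds.
        chain(objectPrototypeChainIsSane, arrayPrototypeChainIsSane);
        arrayPrototypeChainIsSane.add([this] { ++dependentsNotified; });
    }
    GlobalObjectModel(const GlobalObjectModel&) = delete; // callbacks capture addresses

    // Constructed stand-ins for "an indexed property appeared on this prototype".
    void addIndexedPropertyToObjectPrototype() { objectPrototypeChainIsSane.fireAll(); }
    void addIndexedPropertyToArrayPrototype() { arrayPrototypeChainIsSane.fireAll(); }
};
```

A consumer in this model subscribes only to arrayPrototypeChainIsSane and is still notified when the condition breaks at Object.prototype.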



