[webkit-changes] [WebKit/WebKit] de85e9: [JSC] Clean up JSObject allocation in C++

Yusuke Suzuki noreply at github.com
Tue Apr 25 22:21:51 PDT 2023 

  Branch: refs/heads/main
  Home:   https://github.com/WebKit/WebKit
  Commit: de85e95599abdc0819d949f06c77ca960b6a2293
      https://github.com/WebKit/WebKit/commit/de85e95599abdc0819d949f06c77ca960b6a2293
  Author: Yusuke Suzuki <ysuzuki at apple.com>
  Date:   2023-04-25 (Tue, 25 Apr 2023)

  Changed paths:
    M Source/JavaScriptCore/API/JSAPIValueWrapper.h
    M Source/JavaScriptCore/bytecode/CodeBlock.cpp
    M Source/JavaScriptCore/debugger/DebuggerScope.cpp
    M Source/JavaScriptCore/heap/Allocator.cpp
    M Source/JavaScriptCore/heap/Allocator.h
    M Source/JavaScriptCore/heap/AllocatorInlines.h
    M Source/JavaScriptCore/heap/CompleteSubspace.cpp
    M Source/JavaScriptCore/heap/CompleteSubspaceInlines.h
    M Source/JavaScriptCore/heap/FreeList.h
    M Source/JavaScriptCore/heap/FreeListInlines.h
    M Source/JavaScriptCore/heap/IsoSubspaceInlines.h
    M Source/JavaScriptCore/heap/LocalAllocator.cpp
    M Source/JavaScriptCore/heap/LocalAllocator.h
    M Source/JavaScriptCore/heap/LocalAllocatorInlines.h
    M Source/JavaScriptCore/runtime/AuxiliaryBarrier.h
    M Source/JavaScriptCore/runtime/BrandedStructure.cpp
    M Source/JavaScriptCore/runtime/Exception.cpp
    M Source/JavaScriptCore/runtime/Exception.h
    M Source/JavaScriptCore/runtime/FunctionExecutable.cpp
    M Source/JavaScriptCore/runtime/FunctionExecutable.h
    M Source/JavaScriptCore/runtime/FunctionRareData.cpp
    M Source/JavaScriptCore/runtime/InternalFunction.cpp
    M Source/JavaScriptCore/runtime/IntlSegmentIterator.cpp
    M Source/JavaScriptCore/runtime/IntlSegmentIterator.h
    M Source/JavaScriptCore/runtime/IntlSegments.cpp
    M Source/JavaScriptCore/runtime/IntlSegments.h
    M Source/JavaScriptCore/runtime/JSBoundFunction.cpp
    M Source/JavaScriptCore/runtime/JSCallee.cpp
    M Source/JavaScriptCore/runtime/JSCellInlines.h
    M Source/JavaScriptCore/runtime/JSGlobalProxy.h
    M Source/JavaScriptCore/runtime/JSLexicalEnvironment.h
    M Source/JavaScriptCore/runtime/JSModuleEnvironment.cpp
    M Source/JavaScriptCore/runtime/JSModuleEnvironment.h
    M Source/JavaScriptCore/runtime/JSObject.h
    M Source/JavaScriptCore/runtime/JSPropertyNameEnumerator.cpp
    M Source/JavaScriptCore/runtime/JSRemoteFunction.cpp
    M Source/JavaScriptCore/runtime/JSScope.h
    M Source/JavaScriptCore/runtime/JSWithScope.cpp
    M Source/JavaScriptCore/runtime/ProxyRevoke.cpp
    M Source/JavaScriptCore/runtime/ProxyRevoke.h
    M Source/JavaScriptCore/runtime/ScopedArguments.cpp
    M Source/JavaScriptCore/runtime/ScopedArguments.h
    M Source/JavaScriptCore/runtime/Structure.cpp
    M Source/JavaScriptCore/runtime/Structure.h
    M Source/JavaScriptCore/runtime/StructureChain.cpp
    M Source/JavaScriptCore/runtime/StructureRareData.cpp
    M Source/JavaScriptCore/runtime/TypeInfoBlob.h
    M Source/JavaScriptCore/runtime/WriteBarrier.h
    M Source/JavaScriptCore/tools/JSDollarVM.cpp
    M Source/JavaScriptCore/wasm/js/JSWebAssemblyInstance.cpp
    M Source/JavaScriptCore/wasm/js/JSWebAssemblyInstance.h
    M Source/JavaScriptCore/wasm/js/WebAssemblyFunction.cpp
    M Source/JavaScriptCore/wasm/js/WebAssemblyFunction.h
    M Source/JavaScriptCore/wasm/js/WebAssemblyFunctionBase.cpp
    M Source/JavaScriptCore/wasm/js/WebAssemblyFunctionBase.h
    M Source/JavaScriptCore/wasm/js/WebAssemblyWrapperFunction.cpp
    M Source/JavaScriptCore/wasm/js/WebAssemblyWrapperFunction.h
    M Source/WebCore/bindings/js/JSWindowProxy.cpp

  Log Message:
  -----------
  [JSC] Clean up JSObject allocation in C++
https://bugs.webkit.org/show_bug.cgi?id=255906
rdar://108488362

Reviewed by Michael Saboff.

1. Compute cellSize and propagate it instead of loading it. In many cases, it can be constant-folded since allocated JSCell type is known in IsoSubspace case.
2. Load 4byte Structure Blob and store it in initialization of JSCell.
3. Remove write barrier for butterfly. Since JSObject is newly-allocated and it is before calling finishCreation, it is not exposed to GC yet, and write-barrier
   is not necessary.
4. Add WriteBarrierEarlyInit tag for WriteBarrier<> / AuxiliaryBarrier<> initialization in the constructor. In this case, we do not need a write barrier since the
   cell is not exposed to GC yet.

Before: (fast path only)
    JSC::JSArray::createWithButterfly(JSC::VM&, JSC::GCDeferralContext*, JSC::Structure*, JSC::Butterfly*):
    0000000000914500        pacibsp
    0000000000914504        sub     sp, sp, #0x50
    0000000000914508        stp     x22, x21, [sp, #0x20]
    000000000091450c        stp     x20, x19, [sp, #0x30]
    0000000000914510        stp     x29, x30, [sp, #0x40]
    0000000000914514        add     x29, sp, #0x40
    0000000000914518        mov     x19, x0
    000000000091451c        mov     w8, #0x8fe8
    0000000000914520        add     x8, x0, x8
    0000000000914524        add     x0, x0, #0x88
    0000000000914528        ldp     x20, x9, [x8]
    000000000091452c        cmp     x20, x9
    0000000000914530        b.hs    0x91459c
    0000000000914534        add     x9, x20, #0x10
    0000000000914538        str     x9, [x8]
    000000000091453c        str     w2, [x20]
    0000000000914540        ldrb    w8, [x2, #0x8]
    0000000000914544        strb    w8, [x20, #0x4]
    0000000000914548        ldrb    w8, [x2, #0x9]
    000000000091454c        strb    w8, [x20, #0x5]
    0000000000914550        ldrb    w8, [x2, #0xa]
    0000000000914554        strb    w8, [x20, #0x6]
    0000000000914558        mov     w8, #0x1
    000000000091455c        strb    w8, [x20, #0x7]
    0000000000914560        str     x2, [sp, #0x18]
    0000000000914564        add     x8, sp, #0x18
    0000000000914568        str     x3, [x20, #0x8]
    000000000091456c        ldrb    w8, [x20, #0x7]
    0000000000914570        ldr     w9, [x19, #0x2b0]
    0000000000914574        cmp     w9, w8
    0000000000914578        b.hs    0x9145c0
    000000000091457c        ldrb    w8, [x19, #0x2ab]
    0000000000914580        cbnz    w8, 0x9145cc
    0000000000914584        mov     x0, x20
    0000000000914588        ldp     x29, x30, [sp, #0x40]
    000000000091458c        ldp     x20, x19, [sp, #0x30]
    0000000000914590        ldp     x22, x21, [sp, #0x20]
    0000000000914594        add     sp, sp, #0x50
    0000000000914598        retab
    ...

After: (fast path only)
    JSC::JSArray::createWithButterfly(JSC::VM&, JSC::GCDeferralContext*, JSC::Structure*, JSC::Butterfly*):
    0000000000917158        pacibsp
    000000000091715c        sub     sp, sp, #0x50
    0000000000917160        stp     x24, x23, [sp, #0x10]
    0000000000917164        stp     x22, x21, [sp, #0x20]
    0000000000917168        stp     x20, x19, [sp, #0x30]
    000000000091716c        stp     x29, x30, [sp, #0x40]
    0000000000917170        add     x29, sp, #0x40
    0000000000917174        mov     w8, #0x8fe8
    0000000000917178        add     x9, x0, x8
    000000000091717c        ldp     x8, x10, [x9]
    0000000000917180        cmp     x8, x10
    0000000000917184        b.hs    0x9171cc
    0000000000917188        add     x10, x8, #0x10
    000000000091718c        str     x10, [x9]
    0000000000917190        str     w2, [x8]
    0000000000917194        ldr     w9, [x2, #0x8]
    0000000000917198        str     w9, [x8, #0x4]
    000000000091719c        str     x2, [sp, #0x8]
    00000000009171a0        add     x9, sp, #0x8
    00000000009171a4        str     x3, [x8, #0x8]
    00000000009171a8        ldrb    w9, [x0, #0x2ab]
    00000000009171ac        cbnz    w9, 0x9171f0
    00000000009171b0        mov     x0, x8
    00000000009171b4        ldp     x29, x30, [sp, #0x40]
    00000000009171b8        ldp     x20, x19, [sp, #0x30]
    00000000009171bc        ldp     x22, x21, [sp, #0x20]
    00000000009171c0        ldp     x24, x23, [sp, #0x10]
    00000000009171c4        add     sp, sp, #0x50
    00000000009171c8        retab

* Source/JavaScriptCore/heap/Allocator.cpp:
(JSC::Allocator::cellSize const): Deleted.
* Source/JavaScriptCore/heap/Allocator.h:
* Source/JavaScriptCore/heap/AllocatorInlines.h:
(JSC::Allocator::allocate const):
(JSC::Allocator::cellSize const):
* Source/JavaScriptCore/heap/CompleteSubspace.cpp:
(JSC::CompleteSubspace::tryAllocateSlow):
* Source/JavaScriptCore/heap/CompleteSubspaceInlines.h:
(JSC::CompleteSubspace::allocate):
* Source/JavaScriptCore/heap/FreeList.h:
* Source/JavaScriptCore/heap/FreeListInlines.h:
(JSC::FreeList::allocateWithCellSize):
(JSC::FreeList::allocate): Deleted.
* Source/JavaScriptCore/heap/IsoSubspaceInlines.h:
(JSC::GCClient::IsoSubspace::allocate):
* Source/JavaScriptCore/heap/LocalAllocator.cpp:
(JSC::LocalAllocator::allocateSlowCase):
(JSC::LocalAllocator::tryAllocateWithoutCollecting):
(JSC::LocalAllocator::allocateIn):
(JSC::LocalAllocator::tryAllocateIn):
* Source/JavaScriptCore/heap/LocalAllocator.h:
* Source/JavaScriptCore/heap/LocalAllocatorInlines.h:
(JSC::LocalAllocator::allocate):
* Source/JavaScriptCore/runtime/AuxiliaryBarrier.h:
(JSC::AuxiliaryBarrier::AuxiliaryBarrier): Deleted.
* Source/JavaScriptCore/runtime/JSCellInlines.h:
(JSC::JSCell::JSCell):
(JSC::tryAllocateCellHelper):
* Source/JavaScriptCore/runtime/JSObject.h:
(JSC::JSObject::JSObject):
* Source/JavaScriptCore/runtime/Structure.h:
(JSC::Structure::typeInfoDefaultCellState const):
* Source/JavaScriptCore/runtime/TypeInfoBlob.h:
(JSC::TypeInfoBlob::defaultCellState const):

Canonical link: https://commits.webkit.org/263402@main

More information about the webkit-changes mailing list