[webkit-changes] [WebKit/WebKit] b45d2e: [JSC] Add ProxyObjectStore IC to optimize "set" trap

EWS noreply at github.com
Fri Feb 24 11:47:05 PST 2023 

  Branch: refs/heads/main
  Home:   https://github.com/WebKit/WebKit
  Commit: b45d2e9c3d34a09f74191f07275eef8cf57f6f4d
      https://github.com/WebKit/WebKit/commit/b45d2e9c3d34a09f74191f07275eef8cf57f6f4d
  Author: Alexey Shvayka <ashvayka at apple.com>
  Date:   2023-02-24 (Fri, 24 Feb 2023)

  Changed paths:
    A JSTests/microbenchmarks/proxy-set-miss-handler.js
    A JSTests/microbenchmarks/proxy-set.js
    A JSTests/stress/proxy-set-failure-inline-cache.js
    M Source/JavaScriptCore/builtins/BuiltinNames.h
    M Source/JavaScriptCore/builtins/ProxyHelpers.js
    M Source/JavaScriptCore/bytecode/AccessCase.cpp
    M Source/JavaScriptCore/bytecode/AccessCase.h
    M Source/JavaScriptCore/bytecode/BytecodeIntrinsicRegistry.h
    M Source/JavaScriptCore/bytecode/LinkTimeConstant.h
    M Source/JavaScriptCore/bytecode/PolymorphicAccess.cpp
    M Source/JavaScriptCore/bytecode/ProxyObjectAccessCase.cpp
    M Source/JavaScriptCore/bytecode/Repatch.cpp
    M Source/JavaScriptCore/bytecompiler/BytecodeGenerator.cpp
    M Source/JavaScriptCore/bytecompiler/BytecodeGenerator.h
    M Source/JavaScriptCore/bytecompiler/NodesCodegen.cpp
    M Source/JavaScriptCore/runtime/CacheableIdentifier.h
    M Source/JavaScriptCore/runtime/CacheableIdentifierInlines.h
    M Source/JavaScriptCore/runtime/JSGlobalObject.cpp
    M Source/JavaScriptCore/runtime/JSGlobalObject.h
    M Source/JavaScriptCore/runtime/JSGlobalObjectFunctions.cpp
    M Source/JavaScriptCore/runtime/JSGlobalObjectFunctions.h
    M Source/JavaScriptCore/runtime/JSGlobalObjectInlines.h
    M Source/JavaScriptCore/runtime/ProxyObject.cpp
    M Source/JavaScriptCore/runtime/ProxyObject.h

  Log Message:
  -----------
  [JSC] Add ProxyObjectStore IC to optimize "set" trap
https://bugs.webkit.org/show_bug.cgi?id=252602
<rdar://problem/105692284>

Reviewed by Yusuke Suzuki.

This change adds ProxyObjectLoad IC for Proxy "set" trap, which detects ProxyObject and calls
a variant of @performProxyObjectSet JS function, ensuring that errors for both reflection
in case of missing trap and falsy trap result are thrown only in strict mode.

Results in 1.7-6.6x speed-up on provided microbenchmarks, while JetStream3 Proxy tests are neutral
due to very modest usage of Proxy "set" trap (MobX doesn't call it at all, only setters).

Also, factors out a few helpers as CacheableIdentifier instance methods and extracts
ProxyObject::validateSetTrapResult() method to allow for maximum code reuse.

                                   ToT                      patch

proxy-set-miss-handler      129.6017+-0.8690     ^     19.7623+-0.1588        ^ definitely 6.5580x faster
proxy-set                    57.8925+-0.4492     ^     33.9117+-0.2406        ^ definitely 1.7072x faster

* JSTests/microbenchmarks/proxy-set-miss-handler.js: Added.
* JSTests/microbenchmarks/proxy-set.js: Added.
* JSTests/stress/proxy-set-failure-inline-cache.js: Added.
* Source/JavaScriptCore/builtins/BuiltinNames.h:
* Source/JavaScriptCore/builtins/ProxyHelpers.js:
(linkTimeConstant.performProxyObjectSetSloppy):
(linkTimeConstant.performProxyObjectSetStrict):
* Source/JavaScriptCore/bytecode/AccessCase.cpp:
(JSC::AccessCase::create):
(JSC::AccessCase::guardedByStructureCheckSkippingConstantIdentifierCheck const):
(JSC::AccessCase::requiresIdentifierNameMatch const):
(JSC::AccessCase::requiresInt32PropertyCheck const):
(JSC::AccessCase::needsScratchFPR const):
(JSC::AccessCase::forEachDependentCell const):
(JSC::AccessCase::doesCalls const):
(JSC::AccessCase::canReplace const):
(JSC::AccessCase::generateWithGuard):
(JSC::AccessCase::generateImpl):
(JSC::AccessCase::runWithDowncast):
(JSC::AccessCase::canBeShared):
* Source/JavaScriptCore/bytecode/AccessCase.h:
* Source/JavaScriptCore/bytecode/BytecodeIntrinsicRegistry.h:
* Source/JavaScriptCore/bytecode/LinkTimeConstant.h:
* Source/JavaScriptCore/bytecode/PolymorphicAccess.cpp:
(JSC::PolymorphicAccess::regenerate):
* Source/JavaScriptCore/bytecode/ProxyObjectAccessCase.cpp:
(JSC::ProxyObjectAccessCase::emit):
* Source/JavaScriptCore/bytecode/Repatch.cpp:
(JSC::tryCacheGetBy):
(JSC::tryCachePutBy):
* Source/JavaScriptCore/bytecompiler/BytecodeGenerator.cpp:
(JSC::BytecodeGenerator::emitPutByVal):
* Source/JavaScriptCore/bytecompiler/BytecodeGenerator.h:
* Source/JavaScriptCore/bytecompiler/NodesCodegen.cpp:
(JSC::emitIntrinsicPutByValWithThis):
(JSC::BytecodeIntrinsicNode::emit_intrinsic_putByValWithThisSloppy):
(JSC::BytecodeIntrinsicNode::emit_intrinsic_putByValWithThisStrict):
* Source/JavaScriptCore/runtime/CacheableIdentifier.h:
(JSC::CacheableIdentifier::isPrivateName const):
* Source/JavaScriptCore/runtime/CacheableIdentifierInlines.h:
(JSC::CacheableIdentifier::ensureIsCell):
* Source/JavaScriptCore/runtime/JSGlobalObject.cpp:
(JSC::globalFuncHandleProxySetTrapResult):
(JSC::JSC_DEFINE_HOST_FUNCTION):
(JSC::JSGlobalObject::init):
* Source/JavaScriptCore/runtime/JSGlobalObject.h:
* Source/JavaScriptCore/runtime/JSGlobalObjectInlines.h:
(JSC::JSGlobalObject::performProxyObjectSetSloppyFunction const):
(JSC::JSGlobalObject::performProxyObjectSetStrictFunction const):
* Source/JavaScriptCore/runtime/ProxyObject.cpp:
(JSC::ProxyObject::performPut):
(JSC::ProxyObject::validateSetTrapResult):
* Source/JavaScriptCore/runtime/ProxyObject.h:

Canonical link: https://commits.webkit.org/260803@main

More information about the webkit-changes mailing list