[webkit-changes] [WebKit/WebKit] 932cac: [JSC] Use UnaryArithProfile for to_number and to_n...

Yusuke Suzuki noreply at github.com
Thu Jul 27 13:11:08 PDT 2023 

  Branch: refs/heads/main
  Home:   https://github.com/WebKit/WebKit
  Commit: 932caca63d72dce0390933f57a29437339825cec
      https://github.com/WebKit/WebKit/commit/932caca63d72dce0390933f57a29437339825cec
  Author: Yusuke Suzuki <ysuzuki at apple.com>
  Date:   2023-07-27 (Thu, 27 Jul 2023)

  Changed paths:
    M Source/JavaScriptCore/assembler/MacroAssemblerARM64.h
    M Source/JavaScriptCore/assembler/MacroAssemblerARMv7.h
    M Source/JavaScriptCore/assembler/MacroAssemblerMIPS.h
    M Source/JavaScriptCore/assembler/MacroAssemblerX86_64.h
    M Source/JavaScriptCore/bytecode/ArithProfile.cpp
    M Source/JavaScriptCore/bytecode/ArithProfile.h
    M Source/JavaScriptCore/bytecode/BytecodeList.rb
    M Source/JavaScriptCore/bytecode/CodeBlock.cpp
    M Source/JavaScriptCore/bytecode/Opcode.h
    M Source/JavaScriptCore/bytecompiler/BytecodeGenerator.cpp
    M Source/JavaScriptCore/dfg/DFGByteCodeParser.cpp
    M Source/JavaScriptCore/dfg/DFGFixupPhase.cpp
    M Source/JavaScriptCore/dfg/DFGNode.h
    M Source/JavaScriptCore/dfg/DFGPredictionPropagationPhase.cpp
    M Source/JavaScriptCore/jit/JITAddGenerator.cpp
    M Source/JavaScriptCore/jit/JITNegGenerator.cpp
    M Source/JavaScriptCore/jit/JITOpcodes.cpp
    M Source/JavaScriptCore/jit/JITSubGenerator.cpp
    M Source/JavaScriptCore/llint/LowLevelInterpreter32_64.asm
    M Source/JavaScriptCore/llint/LowLevelInterpreter64.asm
    M Source/JavaScriptCore/runtime/CommonSlowPaths.cpp
    M Source/JavaScriptCore/runtime/FileBasedFuzzerAgent.cpp
    M Source/JavaScriptCore/runtime/PredictionFileCreatingFuzzerAgent.cpp

  Log Message:
  -----------
  [JSC] Use UnaryArithProfile for to_number and to_numeric
https://bugs.webkit.org/show_bug.cgi?id=259549
rdar://112958954

Reviewed by Tadeu Zagallo.

There is no reason to use ValueProfile for them since UnaryArithProfile's bits are sufficient
for the necessary informations for to_number and to_numeric in DFG and uppers. This patch replaces
ValueProfile for them with UnaryArithProfile. This is good direction since,

1. We can collect finer grained information
2. We do not need to get prediction from these resulted values occasionally in operationOptimize.

We would like to expand this to remaining bitops etc.

During working on this, we also found that ArithProfile::emitSetDouble is materializing a pointer twice
for ARM64. This patch fixes it.

* Source/JavaScriptCore/assembler/MacroAssemblerARM64.h:
(JSC::MacroAssemblerARM64::or16):
* Source/JavaScriptCore/assembler/MacroAssemblerARMv7.h:
(JSC::MacroAssemblerARMv7::or16):
* Source/JavaScriptCore/assembler/MacroAssemblerMIPS.h:
(JSC::MacroAssemblerMIPS::or16):
* Source/JavaScriptCore/assembler/MacroAssemblerX86_64.h:
(JSC::MacroAssemblerX86_64::or16):
* Source/JavaScriptCore/bytecode/ArithProfile.cpp:
(JSC::ArithProfile<BitfieldType>::emitObserveResult):
(JSC::ArithProfile<BitfieldType>::emitSetDouble const):
(JSC::ArithProfile<BitfieldType>::emitUnconditionalSet const):
* Source/JavaScriptCore/bytecode/ArithProfile.h:
(JSC::UnaryArithProfile::observedNumberBits):
(JSC::UnaryArithProfile::observedNonNumberBits):
* Source/JavaScriptCore/bytecode/BytecodeList.rb:
* Source/JavaScriptCore/bytecode/CodeBlock.cpp:
(JSC::CodeBlock::finishCreation):
* Source/JavaScriptCore/bytecode/Opcode.h:
* Source/JavaScriptCore/bytecompiler/BytecodeGenerator.cpp:
(JSC::BytecodeGenerator::emitUnaryOp):
(JSC::BytecodeGenerator::emitToNumber):
(JSC::BytecodeGenerator::emitToNumeric):
* Source/JavaScriptCore/dfg/DFGByteCodeParser.cpp:
(JSC::DFG::ByteCodeParser::makeSafe):
(JSC::DFG::ByteCodeParser::parseBlock):
* Source/JavaScriptCore/dfg/DFGFixupPhase.cpp:
(JSC::DFG::FixupPhase::fixupToNumberOrToNumericOrCallNumberConstructor):
* Source/JavaScriptCore/dfg/DFGNode.h:
(JSC::DFG::Node::hasHeapPrediction):
* Source/JavaScriptCore/dfg/DFGPredictionPropagationPhase.cpp:
* Source/JavaScriptCore/jit/JITAddGenerator.cpp:
(JSC::JITAddGenerator::generateFastPath):
* Source/JavaScriptCore/jit/JITNegGenerator.cpp:
(JSC::JITNegGenerator::generateFastPath):
* Source/JavaScriptCore/jit/JITOpcodes.cpp:
(JSC::JIT::emit_op_to_number):
(JSC::JIT::emit_op_to_numeric):
* Source/JavaScriptCore/jit/JITSubGenerator.cpp:
(JSC::JITSubGenerator::generateFastPath):
* Source/JavaScriptCore/llint/LowLevelInterpreter32_64.asm:
* Source/JavaScriptCore/llint/LowLevelInterpreter64.asm:
* Source/JavaScriptCore/runtime/CommonSlowPaths.cpp:
(JSC::JSC_DEFINE_COMMON_SLOW_PATH):
* Source/JavaScriptCore/runtime/FileBasedFuzzerAgent.cpp:
(JSC::FileBasedFuzzerAgent::getPredictionInternal):
* Source/JavaScriptCore/runtime/PredictionFileCreatingFuzzerAgent.cpp:
(JSC::PredictionFileCreatingFuzzerAgent::getPredictionInternal):

Canonical link: https://commits.webkit.org/266364@main

More information about the webkit-changes mailing list