[webkit-changes] [WebKit/WebKit] ea191c: [JSC] Make speculationFromValue cheap

Yusuke Suzuki noreply at github.com
Mon Jul 31 00:44:42 PDT 2023 

  Branch: refs/heads/main
  Home:   https://github.com/WebKit/WebKit
  Commit: ea191c94955ddd2f015f7a677b138109987620b2
      https://github.com/WebKit/WebKit/commit/ea191c94955ddd2f015f7a677b138109987620b2
  Author: Yusuke Suzuki <ysuzuki at apple.com>
  Date:   2023-07-31 (Mon, 31 Jul 2023)

  Changed paths:
    M Source/JavaScriptCore/bytecode/SpeculatedType.cpp
    M Source/JavaScriptCore/bytecode/SpeculatedType.h
    M Source/JavaScriptCore/dfg/DFGAbstractInterpreterInlines.h
    M Source/JavaScriptCore/dfg/DFGAbstractValue.cpp
    M Source/JavaScriptCore/dfg/DFGAbstractValue.h
    M Source/JavaScriptCore/dfg/DFGConstantFoldingPhase.cpp
    M Source/JavaScriptCore/dfg/DFGInsertionSet.cpp
    M Source/JavaScriptCore/dfg/DFGInsertionSet.h
    M Source/JavaScriptCore/llint/LowLevelInterpreter64.asm
    M Source/JavaScriptCore/runtime/JSType.h

  Log Message:
  -----------
  [JSC] Make speculationFromValue cheap
https://bugs.webkit.org/show_bug.cgi?id=259633
rdar://113098188

Reviewed by Mark Lam.

This patch makes speculationFromValue extremely cheap by using JSType based SpeculatedType lookup.
This function can be called from operationOptimize & GC End phase. And this sometimes takes very long
time due to huge size of functions. Thus making this function extremely cheap is particularly important
to make startup time faster. In particular, we observed massive sampling points for speculationFromValue
in startup times in Speedometer2.1, Speedometer3.0, JetStream2.1, and JetStream3.0.

1. This patch removes SpecFunctionWithDefaultHasInstance and SpecFunctionWithNonDefaultHasInstance.
   We can just use existing Structure iteration and that can cover almost all possible cases. These
   type makes speculationFromValue costly for JSFunction and derived classes, so rather not so great.
2. This patch makes some functions JS_EXPORT_PRIVATE to make speculationFromValue non-JS_EXPORT_PRIVATE.
   So we can allow LTO / PGO to inline this if it is useful.
3. We define JSType via macro, and we list up corresponding SpeculatedType at that time. This allows us
   to construct a mapping between them easily, and this makes speculationFromValue just array lookup,
   which becomes extremely fast.

* Source/JavaScriptCore/bytecode/SpeculatedType.cpp:
(JSC::=):
(JSC::speculationFromStructure):
(JSC::speculationFromCell):
* Source/JavaScriptCore/bytecode/SpeculatedType.h:
* Source/JavaScriptCore/dfg/DFGAbstractValue.cpp:
(JSC::DFG::AbstractValue::validateOSREntryValue const):
(JSC::DFG::AbstractValue::validateTypeAcceptingBoxedInt52 const):
* Source/JavaScriptCore/dfg/DFGAbstractValue.h:
(JSC::DFG::AbstractValue::observeIndexingTypeTransition):
(JSC::DFG::AbstractValue::validateOSREntryValue const): Deleted.
(JSC::DFG::AbstractValue::validateTypeAcceptingBoxedInt52 const): Deleted.
* Source/JavaScriptCore/dfg/DFGInsertionSet.cpp:
(JSC::DFG::InsertionSet::insertConstant):
* Source/JavaScriptCore/dfg/DFGInsertionSet.h:
* Source/JavaScriptCore/llint/LowLevelInterpreter64.asm:
* Source/JavaScriptCore/runtime/JSType.h:

Canonical link: https://commits.webkit.org/266422@main

More information about the webkit-changes mailing list