[webkit-changes] [WebKit/WebKit] de77dd: [JSC] Handle OutOfBounds GetByVal of TypedArray

Yusuke Suzuki noreply at github.com
Thu Apr 4 07:53:04 PDT 2024


  Branch: refs/heads/main
  Home:   https://github.com/WebKit/WebKit
  Commit: de77ddb828e1bb4c9ccd13bf96819e1268f28deb
      https://github.com/WebKit/WebKit/commit/de77ddb828e1bb4c9ccd13bf96819e1268f28deb
  Author: Yusuke Suzuki <ysuzuki at apple.com>
  Date:   2024-04-04 (Thu, 04 Apr 2024)

  Changed paths:
    A JSTests/microbenchmarks/uint8-clamped-array-out-of-bounds.js
    A JSTests/stress/typed-array-out-of-bounds.js
    M Source/JavaScriptCore/dfg/DFGAbstractInterpreterInlines.h
    M Source/JavaScriptCore/dfg/DFGArrayMode.cpp
    M Source/JavaScriptCore/dfg/DFGClobberize.h
    M Source/JavaScriptCore/dfg/DFGFixupPhase.cpp
    M Source/JavaScriptCore/dfg/DFGPredictionPropagationPhase.cpp
    M Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp
    M Source/JavaScriptCore/dfg/DFGSpeculativeJIT.h
    M Source/JavaScriptCore/dfg/DFGSpeculativeJIT64.cpp
    M Source/JavaScriptCore/ftl/FTLLowerDFGToB3.cpp

  Log Message:
  -----------
  [JSC] Handle OutOfBounds GetByVal of TypedArray
https://bugs.webkit.org/show_bug.cgi?id=272107
rdar://problem/125863449

Reviewed by Justin Michaud.

Previously, DFG / FTL were not tolerant of OutOfBounds access to TypedArray: whenever we encountered this, we did OSR exit.
But this is not so great, and we should make it work well since there are legit cases which do OutOfBounds access to TypedArray.

This patch integrates OutOfBounds GetByVal access to TypedArray, which is similar to what we have for the other arrays.
Based on ArrayProfile information, we annotate DFG::ArrayMode with OutOfBounds. And then DFG / FTL handle this case gracefully.
The InBounds case is still fastest since we can put a strong type prediction / invariant on the returned value too. But still, OutOfBounds
handling is better than just doing OSR exit repeatedly.
One of the interesting aspects is that TypedArray does not propagate an OutOfBounds access to [[Prototype]], which is specified in the spec.
As a result, we can say that the result is `undefined` when OutOfBounds access happens, which makes the slow path case significantly simpler.

                                                  ToT                     Patched

    uint8-clamped-array-out-of-bounds       18.8348+-0.0251     ^      1.3021+-0.0190        ^ definitely 14.4654x faster

* Source/JavaScriptCore/dfg/DFGAbstractInterpreterInlines.h:
(JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
* Source/JavaScriptCore/dfg/DFGArrayMode.cpp:
(JSC::DFG::ArrayMode::refine const):
* Source/JavaScriptCore/dfg/DFGClobberize.h:
(JSC::DFG::clobberize):
* Source/JavaScriptCore/dfg/DFGFixupPhase.cpp:
(JSC::DFG::FixupPhase::fixupNode):
* Source/JavaScriptCore/dfg/DFGPredictionPropagationPhase.cpp:
* Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp:
(JSC::DFG::SpeculativeJIT::setIntTypedArrayLoadResult):
(JSC::DFG::SpeculativeJIT::compileGetByValOnIntTypedArray):
(JSC::DFG::SpeculativeJIT::emitTypedArrayBoundsCheck): Deleted.
* Source/JavaScriptCore/dfg/DFGSpeculativeJIT.h:
* Source/JavaScriptCore/dfg/DFGSpeculativeJIT64.cpp:
(JSC::DFG::SpeculativeJIT::compile):
* Source/JavaScriptCore/ftl/FTLLowerDFGToB3.cpp:
(JSC::FTL::DFG::LowerDFGToB3::compileGetByValImpl):

Canonical link: https://commits.webkit.org/277050@main
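The spec behaviour the commit message relies on, as an added example that is not part of the WebKit change: an ordinary Array falls through to its [[Prototype]] chain for a missing index, whereas a TypedArray answers every canonical numeric key itself and never consults the prototype, so an out-of-bounds read is always `undefined`. The helper names and the sentinel value are assumptions made for this illustration.

```javascript
// Added example (not from the WebKit commit). It installs a prototype object
// that defines the requested key and then reads it, so any read that walks the
// [[Prototype]] chain returns the sentinel instead of undefined.
function readWithPrototypeShadow(arr, key) {
  // shadow inherits from the array's original prototype and shadows `key`
  const shadow = Object.create(Object.getPrototypeOf(arr));
  shadow[key] = "from-prototype"; // sentinel (constructed for this example)
  Object.setPrototypeOf(arr, shadow);
  return arr[key];
}

// Compares an ordinary Array with a Uint8ClampedArray of the same length for
// several keys. Numeric keys that are out of bounds (== length, too large,
// negative, fractional) are the cases the DFG/FTL OutOfBounds path handles;
// the non-numeric key shows that TypedArrays still use the prototype chain
// for ordinary property names (ECMA-262 TypedArray [[Get]]).
function compareOutOfBoundsReads() {
  const keys = [3, 1000, -1, 1.5, "name"];
  const result = {};
  for (const key of keys) {
    result[String(key)] = {
      array: readWithPrototypeShadow([1, 2, 3], key),
      typedArray: readWithPrototypeShadow(new Uint8ClampedArray([1, 2, 3]), key),
    };
  }
  return result;
}

// In-bounds reads are unaffected by the prototype shadow for both kinds.
function inBoundsReads() {
  return {
    array: readWithPrototypeShadow([1, 2, 3], 1),
    typedArray: readWithPrototypeShadow(new Uint8ClampedArray([1, 2, 3]), 1),
  };
}
```

Every numeric out-of-bounds key yields `undefined` for the typed array even though the prototype defines it, which is exactly why the slow path can return `undefined` without a prototype walk.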


