[webkit-changes] [WebKit/WebKit] 8a9e1a: [JSC] Remove CagedPtr's Data PAC tagging since it ...

Yusuke Suzuki noreply at github.com
Tue Jan 23 21:44:09 PST 2024 

  Branch: refs/heads/main
  Home:   https://github.com/WebKit/WebKit
  Commit: 8a9e1a58f9fe0fcd03a9aa350ea5bd4fdc352f6e
      https://github.com/WebKit/WebKit/commit/8a9e1a58f9fe0fcd03a9aa350ea5bd4fdc352f6e
  Author: Yusuke Suzuki <ysuzuki at apple.com>
  Date:   2024-01-23 (Tue, 23 Jan 2024)

  Changed paths:
    A JSTests/microbenchmarks/segmentation.js
    M Source/JavaScriptCore/API/MarkedJSValueRefArray.h
    M Source/JavaScriptCore/assembler/testmasm.cpp
    M Source/JavaScriptCore/bytecode/InlineCacheCompiler.cpp
    M Source/JavaScriptCore/dfg/DFGOperations.cpp
    M Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp
    M Source/JavaScriptCore/dfg/DFGSpeculativeJIT.h
    M Source/JavaScriptCore/dfg/DFGSpeculativeJIT64.cpp
    M Source/JavaScriptCore/ftl/FTLLowerDFGToB3.cpp
    M Source/JavaScriptCore/jit/AssemblyHelpers.cpp
    M Source/JavaScriptCore/jit/AssemblyHelpers.h
    M Source/JavaScriptCore/llint/InPlaceInterpreter.asm
    M Source/JavaScriptCore/llint/LowLevelInterpreter64.asm
    M Source/JavaScriptCore/llint/WebAssembly.asm
    M Source/JavaScriptCore/runtime/ArrayBuffer.cpp
    M Source/JavaScriptCore/runtime/ArrayBuffer.h
    M Source/JavaScriptCore/runtime/ArrayBufferView.cpp
    M Source/JavaScriptCore/runtime/ArrayBufferView.h
    M Source/JavaScriptCore/runtime/BufferMemoryHandle.cpp
    M Source/JavaScriptCore/runtime/BufferMemoryHandle.h
    M Source/JavaScriptCore/runtime/CachedTypes.cpp
    M Source/JavaScriptCore/runtime/CagedBarrierPtr.h
    M Source/JavaScriptCore/runtime/DirectArguments.cpp
    M Source/JavaScriptCore/runtime/DirectArguments.h
    M Source/JavaScriptCore/runtime/GenericArgumentsInlines.h
    M Source/JavaScriptCore/runtime/JSArrayBufferView.cpp
    M Source/JavaScriptCore/runtime/JSArrayBufferView.h
    M Source/JavaScriptCore/runtime/JSBigInt.cpp
    M Source/JavaScriptCore/runtime/JSBigInt.h
    M Source/JavaScriptCore/runtime/ScopedArgumentsTable.cpp
    M Source/JavaScriptCore/runtime/ScopedArgumentsTable.h
    M Source/JavaScriptCore/wasm/WasmB3IRGenerator.cpp
    M Source/JavaScriptCore/wasm/WasmBBQJIT.cpp
    M Source/JavaScriptCore/wasm/WasmBBQJIT64.cpp
    M Source/JavaScriptCore/wasm/WasmBinding.cpp
    M Source/JavaScriptCore/wasm/WasmInstance.h
    M Source/JavaScriptCore/wasm/js/JSToWasm.cpp
    M Source/JavaScriptCore/wasm/js/WebAssemblyFunction.cpp
    M Source/WTF/wtf/CagedPtr.h
    M Source/WTF/wtf/CagedUniquePtr.h

  Log Message:
  -----------
  [JSC] Remove CagedPtr's Data PAC tagging since it is not adding values
https://bugs.webkit.org/show_bug.cgi?id=267961
rdar://121473792

Reviewed by Mark Lam.

This patch removes CagedPtr's Data PAC tagging since,

1. From attacking patterns, this does not add values. Right now, we continue using Gigacage, but not using Data PAC here.
2. We found that Data PAC is extremely slow. Attached benchmark showed 11.5% difference.

                               ToT                     Patched

    segmentation        128.8931+-0.3854     ^    115.6124+-0.1073        ^ definitely 1.1149x faster

* Source/JavaScriptCore/bytecode/InlineCacheCompiler.cpp:
(JSC::InlineCacheCompiler::generateWithGuard):
* Source/JavaScriptCore/dfg/DFGOperations.cpp:
(JSC::DFG::newTypedArrayWithSize):
* Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp:
(JSC::DFG::SpeculativeJIT::jumpForTypedArrayIsDetachedIfOutOfBounds):
* Source/JavaScriptCore/dfg/DFGSpeculativeJIT.h:
* Source/JavaScriptCore/dfg/DFGSpeculativeJIT64.cpp:
(JSC::DFG::SpeculativeJIT::compile):
* Source/JavaScriptCore/ftl/FTLLowerDFGToB3.cpp:
(JSC::FTL::DFG::LowerDFGToB3::emitNewTypedArrayWithSize):
(JSC::FTL::DFG::LowerDFGToB3::compileCompareStrictEq):
* Source/JavaScriptCore/jit/AssemblyHelpers.cpp:
(JSC::AssemblyHelpers::cageWithoutUntagging):
(JSC::AssemblyHelpers::cageConditionallyAndUntag):
* Source/JavaScriptCore/jit/AssemblyHelpers.h:
(JSC::AssemblyHelpers::toBigInt64):
* Source/JavaScriptCore/llint/InPlaceInterpreter.asm:
* Source/JavaScriptCore/llint/LowLevelInterpreter64.asm:
* Source/JavaScriptCore/llint/WebAssembly.asm:
* Source/JavaScriptCore/runtime/ArrayBuffer.h:
* Source/JavaScriptCore/runtime/ArrayBufferView.h:
* Source/JavaScriptCore/runtime/BufferMemoryHandle.h:
* Source/JavaScriptCore/runtime/CagedBarrierPtr.h:
* Source/JavaScriptCore/runtime/JSArrayBufferView.cpp:
(JSC::JSArrayBufferView::ConstructionContext::ConstructionContext):
(JSC::JSArrayBufferView::JSArrayBufferView):
* Source/JavaScriptCore/runtime/JSArrayBufferView.h:
* Source/JavaScriptCore/runtime/JSBigInt.h:
* Source/JavaScriptCore/wasm/WasmB3IRGenerator.cpp:
(JSC::Wasm::B3IRGenerator::reloadMemoryRegistersFromInstance):
(JSC::Wasm::B3IRGenerator::emitIndirectCall):
* Source/JavaScriptCore/wasm/WasmBBQJIT.cpp:
(JSC::Wasm::BBQJITImpl::BBQJIT::loadWebAssemblyGlobalState):
* Source/JavaScriptCore/wasm/WasmBBQJIT64.cpp:
(JSC::Wasm::BBQJITImpl::BBQJIT::restoreWebAssemblyGlobalStateAfterWasmCall):
* Source/JavaScriptCore/wasm/WasmBinding.cpp:
(JSC::Wasm::wasmToWasm):
* Source/JavaScriptCore/wasm/WasmInstance.h:
(JSC::Wasm::Instance::updateCachedMemory):
* Source/JavaScriptCore/wasm/js/JSToWasm.cpp:
(JSC::Wasm::createJSToWasmWrapper):
* Source/JavaScriptCore/wasm/js/WebAssemblyFunction.cpp:
(JSC::WebAssemblyFunction::jsCallEntrypointSlow):
* Source/WTF/wtf/CagedPtr.h:
(WTF::CagedPtr::CagedPtr):
(WTF::CagedPtr::get const):
(WTF::CagedPtr::getMayBeNull const):
(WTF::CagedPtr::getUnsafe const):
(WTF::CagedPtr::mergePointers): Deleted.
* Source/WTF/wtf/CagedUniquePtr.h:

Canonical link: https://commits.webkit.org/273389@main

More information about the webkit-changes mailing list