[webkit-changes] [WebKit/WebKit] febcba: [JSC] Implement `Array.prototype.includes` in C++

SUZUKI Sosuke noreply at github.com
Sun Feb 23 00:14:56 PST 2025 

  Branch: refs/heads/main
  Home:   https://github.com/WebKit/WebKit
  Commit: febcbad98051656212532ede02755f28ebe86848
      https://github.com/WebKit/WebKit/commit/febcbad98051656212532ede02755f28ebe86848
  Author: Sosuke Suzuki <aosukeke at gmail.com>
  Date:   2025-02-23 (Sun, 23 Feb 2025)

  Changed paths:
    A JSTests/microbenchmarks/array-prototype-includes-bigint.js
    A JSTests/microbenchmarks/array-prototype-includes-contiguous.js
    A JSTests/microbenchmarks/array-prototype-includes-double-from-contiguous.js
    A JSTests/microbenchmarks/array-prototype-includes-double.js
    A JSTests/microbenchmarks/array-prototype-includes-int32-from-contiguous.js
    A JSTests/microbenchmarks/array-prototype-includes-int32.js
    A JSTests/microbenchmarks/array-prototype-includes-string-16-const.js
    A JSTests/microbenchmarks/array-prototype-includes-string-16.js
    A JSTests/microbenchmarks/array-prototype-includes-string-const.js
    A JSTests/microbenchmarks/array-prototype-includes-string.js
    A JSTests/stress/array-prototype-includes-contiguous-nan.js
    A JSTests/stress/array-prototype-includes-double-nan.js
    A JSTests/stress/array-prototype-includes-doublerepuse.js
    A JSTests/stress/array-prototype-includes-hole-contiguous.js
    A JSTests/stress/array-prototype-includes-hole-double.js
    A JSTests/stress/array-prototype-includes-hole-int32.js
    A JSTests/stress/array-prototype-includes-int32-nan.js
    A JSTests/stress/array-prototype-includes-int32use.js
    A JSTests/stress/array-prototype-includes-objectuse.js
    A JSTests/stress/array-prototype-includes-otheruse.js
    A JSTests/stress/array-prototype-includes-stringuse.js
    A JSTests/stress/array-prototype-includes-symboluse.js
    A JSTests/stress/array-prototype-includes-untypeduse-contiguous.js
    A JSTests/stress/array-prototype-includes-untypeduse-int32.js
    M Source/JavaScriptCore/builtins/ArrayPrototype.js
    M Source/JavaScriptCore/builtins/BuiltinNames.h
    M Source/JavaScriptCore/dfg/DFGAbstractInterpreterInlines.h
    M Source/JavaScriptCore/dfg/DFGByteCodeParser.cpp
    M Source/JavaScriptCore/dfg/DFGClobberize.h
    M Source/JavaScriptCore/dfg/DFGDoesGC.cpp
    M Source/JavaScriptCore/dfg/DFGFixupPhase.cpp
    M Source/JavaScriptCore/dfg/DFGNode.h
    M Source/JavaScriptCore/dfg/DFGNodeType.h
    M Source/JavaScriptCore/dfg/DFGOperations.cpp
    M Source/JavaScriptCore/dfg/DFGOperations.h
    M Source/JavaScriptCore/dfg/DFGPredictionPropagationPhase.cpp
    M Source/JavaScriptCore/dfg/DFGSafeToExecute.h
    M Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp
    M Source/JavaScriptCore/dfg/DFGSpeculativeJIT.h
    M Source/JavaScriptCore/dfg/DFGSpeculativeJIT32_64.cpp
    M Source/JavaScriptCore/dfg/DFGSpeculativeJIT64.cpp
    M Source/JavaScriptCore/ftl/FTLCapabilities.cpp
    M Source/JavaScriptCore/ftl/FTLLowerDFGToB3.cpp
    M Source/JavaScriptCore/runtime/ArrayPrototype.cpp
    M Source/JavaScriptCore/runtime/CommonIdentifiers.h
    M Source/JavaScriptCore/runtime/Intrinsic.h
    M Source/JavaScriptCore/runtime/JSArray.cpp
    M Source/JavaScriptCore/runtime/JSArray.h
    M Source/JavaScriptCore/runtime/JSCJSValueInlines.h

  Log Message:
  -----------
  [JSC] Implement `Array.prototype.includes` in C++
https://bugs.webkit.org/show_bug.cgi?id=287693

Reviewed by Yusuke Suzuki.

Currently, JSC’s `Array#includes` is implemented in JavaScript, whereas
the similar `Array#indexOf` is implemented in C++ and benefits from
DFG/FTL optimizations.

This patch reimplements `Array#includes` in C++ in the same way as
`Array#indexOf`, thereby enabling DFG/FTL support.

In most cases, the patch shows performance improvements:

```
                                                  TipOfTree                  Patched
array-prototype-includes-double                25.2368+-0.1405     ^     20.9887+-3.0246        ^ definitely 1.2024x faster
array-prototype-includes-int32-from-contiguous
                                               22.4340+-0.4231     ^     17.1624+-0.2591        ^ definitely 1.3072x faster
array-prototype-includes-string                43.4965+-0.6154     ^     30.8301+-0.7207        ^ definitely 1.4108x faster
array-prototype-includes-string-16             73.3458+-0.8209     ^     51.7629+-0.5639        ^ definitely 1.4170x faster
array-prototype-includes-double-from-contiguous
                                               73.3174+-0.9760     ^     42.4634+-1.0352        ^ definitely 1.7266x faster
array-prototype-includes-int32                205.9207+-0.2986     ^    107.2346+-0.4414        ^ definitely 1.9203x faster
array-prototype-includes-contiguous            27.8838+-2.6451     ^      9.7461+-0.1414        ^ definitely 2.8610x faster
array-prototype-includes-bigint                17.6066+-0.2040     ^     12.2816+-0.1275        ^ definitely 1.4336x faster
```

However, benchmarks that use constant strings experience a performance
regression. This is due to the loss of constant folding for the `===`
operator that was effective in the JavaScript implementation:

```
                                                  TipOfTree                  Patched
array-prototype-includes-string-const          17.8715+-0.0715     !     24.9579+-0.2986        ! definitely 1.3965x slower
array-prototype-includes-string-16-const       17.9026+-0.0907     !     50.5343+-0.6068        ! definitely 2.8227x slower
```

* Source/JavaScriptCore/builtins/ArrayPrototype.js:
(includes): Deleted.
* Source/JavaScriptCore/runtime/ArrayPrototype.cpp:
(JSC::ArrayPrototype::finishCreation):
(JSC::JSC_DEFINE_HOST_FUNCTION):
* Source/JavaScriptCore/runtime/CommonIdentifiers.h:
* Source/JavaScriptCore/runtime/JSCJSValueInlines.h:
(JSC::sameValueZero):

Canonical link: https://commits.webkit.org/290906@main



To unsubscribe from these emails, change your notification settings at https://github.com/WebKit/WebKit/settings/notifications

More information about the webkit-changes mailing list