  Branch: refs/heads/main
  Home:   https://github.com/WebKit/WebKit
  Commit: b8479830cc352feac646ab33c1a9b2c074d930e2
      https://github.com/WebKit/WebKit/commit/b8479830cc352feac646ab33c1a9b2c074d930e2
  Author: Yusuke Suzuki <ysuz...@apple.com>
  Date:   2022-10-10 (Mon, 10 Oct 2022)

  Changed paths:
    M Source/JavaScriptCore/CMakeLists.txt
    M Source/JavaScriptCore/JavaScriptCore.xcodeproj/project.pbxproj
    M Source/JavaScriptCore/bytecode/AdaptiveInferredPropertyValueWatchpointBase.h
    A Source/JavaScriptCore/bytecode/ChainedWatchpoint.h
    M Source/JavaScriptCore/bytecode/LLIntPrototypeLoadAdaptiveStructureWatchpoint.h
    M Source/JavaScriptCore/bytecode/StructureStubClearingWatchpoint.h
    M Source/JavaScriptCore/bytecode/Watchpoint.cpp
    M Source/JavaScriptCore/bytecode/Watchpoint.h
    M Source/JavaScriptCore/dfg/DFGAbstractInterpreterInlines.h
    M Source/JavaScriptCore/dfg/DFGAdaptiveStructureWatchpoint.h
    M Source/JavaScriptCore/dfg/DFGArgumentsEliminationPhase.cpp
    M Source/JavaScriptCore/dfg/DFGArrayMode.cpp
    M Source/JavaScriptCore/dfg/DFGByteCodeParser.cpp
    M Source/JavaScriptCore/dfg/DFGFixupPhase.cpp
    M Source/JavaScriptCore/dfg/DFGGraph.h
    M Source/JavaScriptCore/runtime/CachedSpecialPropertyAdaptiveStructureWatchpoint.h
    M Source/JavaScriptCore/runtime/FunctionRareData.h
    M Source/JavaScriptCore/runtime/JSGlobalObject.cpp
    M Source/JavaScriptCore/runtime/JSGlobalObject.h
    M Source/JavaScriptCore/runtime/JSGlobalObjectInlines.h
    M Source/JavaScriptCore/runtime/ObjectAdaptiveStructureWatchpoint.h
    M Source/JavaScriptCore/runtime/StructureRareDataInlines.h

  Log Message:
  -----------
  [JSC] Use watchpoint set for sane chain checks
https://bugs.webkit.org/show_bug.cgi?id=246258
rdar://100951262

Reviewed by Justin Michaud and Alexey Shvayka.

This patch changes array-prototype-is-sane-chain condition check from a bit ad hoc one to a watchpoint
based on AbsenceOfIndexedProperties ObjectPropertyCondition. This largely simplifies the implementation
of DFG using this watchpoint. We introduce ChainedWatchpoint which propagates one watchpoint set's
invalidation to the other so that we can propagate Object.prototype's sane chain condition to
Array.prototype's sane chain condition.
It (1) makes arrayPrototypeChainIsSane efficient, (2) DFG's watchpoint more non-conservative (previously
we were setting transition-watchpoint, which is too conservative), and (3) this paves the way to use this
JSGlobalObject tied watchpoint in uDFG.

* Source/JavaScriptCore/dfg/DFGAbstractInterpreterInlines.h:
(JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
* Source/JavaScriptCore/dfg/DFGArgumentsEliminationPhase.cpp:
* Source/JavaScriptCore/dfg/DFGArrayMode.cpp:
(JSC::DFG::ArrayMode::refine const):
* Source/JavaScriptCore/dfg/DFGByteCodeParser.cpp:
(JSC::DFG::ByteCodeParser::handleIntrinsicCall):
* Source/JavaScriptCore/dfg/DFGFixupPhase.cpp:
(JSC::DFG::FixupPhase::fixupNode):
(JSC::DFG::FixupPhase::watchSaneChain):
* Source/JavaScriptCore/dfg/DFGGraph.h:
* Source/JavaScriptCore/runtime/JSGlobalObject.cpp:
(JSC::JSGlobalObject::init):
(JSC::JSGlobalObject::installArrayPrototypeWatchpoint):
(JSC::JSGlobalObject::tryInstallArraySpeciesWatchpoint): Deleted.
* Source/JavaScriptCore/runtime/JSGlobalObject.h:
(JSC::JSGlobalObject::arrayPrototypeChainIsSaneWatchpointSet):
(JSC::JSGlobalObject::objectPrototypeChainIsSaneWatchpointSet):
* Source/JavaScriptCore/runtime/JSGlobalObjectInlines.h:
(JSC::JSGlobalObject::arrayPrototypeChainIsSane):

Canonical link: https://commits.webkit.org/255369@main

_______________________________________________
webkit-changes mailing list
webkit-changes@lists.webkit.org
https://lists.webkit.org/mailman/listinfo/webkit-changes
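
The chaining described in the log message, as an added example that is not part of the commit and is not JavaScriptCore code: a simplified model in which invalidating the Object.prototype set also invalidates the Array.prototype set, while the reverse does not happen. All types here, including GlobalModel and DependentCode, are hypothetical stand-ins that only borrow names from the message.

```cpp
#include <memory>
#include <utility>
#include <vector>

// Simplified model: these types are illustrative, not JavaScriptCore's classes.
struct Watchpoint {
    virtual ~Watchpoint() = default;
    virtual void fire() = 0;
};

class WatchpointSet {
public:
    void add(std::unique_ptr<Watchpoint> w) { m_watchpoints.push_back(std::move(w)); }
    bool isStillValid() const { return m_valid; }
    void fireAll() {
        if (!m_valid)
            return;                              // already invalidated: fire only once
        m_valid = false;                         // flip state before notifying watchers
        auto pending = std::move(m_watchpoints);
        for (auto& w : pending)
            w->fire();
    }
private:
    bool m_valid = true;
    std::vector<std::unique_ptr<Watchpoint>> m_watchpoints;
};

// Forwards the invalidation of the set it is installed on to a second set.
struct ChainedWatchpoint final : Watchpoint {
    explicit ChainedWatchpoint(WatchpointSet& target) : target(target) {}
    void fire() override { target.fireAll(); }
    WatchpointSet& target;
};

// Hypothetical stand-in for compiled code that assumed the chain was sane.
struct DependentCode final : Watchpoint {
    explicit DependentCode(bool& valid) : valid(valid) {}
    void fire() override { valid = false; }
    bool& valid;
};

struct GlobalModel {
    WatchpointSet objectPrototypeChainIsSane, arrayPrototypeChainIsSane;
    bool optimizedCodeValid = true;
    GlobalModel() {
        objectPrototypeChainIsSane.add(std::make_unique<ChainedWatchpoint>(arrayPrototypeChainIsSane));
        arrayPrototypeChainIsSane.add(std::make_unique<DependentCode>(optimizedCodeValid));
    }
    GlobalModel(const GlobalModel&) = delete;    // watchpoints hold references into *this
    void indexedPropertyAddedToObjectPrototype() { objectPrototypeChainIsSane.fireAll(); }
    void indexedPropertyAddedToArrayPrototype() { arrayPrototypeChainIsSane.fireAll(); }
};
```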