Branch: refs/heads/main
Home: https://github.com/WebKit/WebKit
Commit: 3353f1290c6aa2eebdd48c99c539a6a0858c8ab1
https://github.com/WebKit/WebKit/commit/3353f1290c6aa2eebdd48c99c539a6a0858c8ab1
Author: Yijia Huang <[email protected]>
Date: 2025-02-19 (Wed, 19 Feb 2025)
Changed paths:
M JSTests/microbenchmarks/loop-unrolling-4.js
A JSTests/microbenchmarks/loop-unrolling-5.js
A JSTests/stress/array-allocation-sink.js
M Source/JavaScriptCore/dfg/DFGAbstractInterpreterInlines.h
M Source/JavaScriptCore/dfg/DFGClobberize.h
M Source/JavaScriptCore/dfg/DFGConstantFoldingPhase.cpp
M Source/JavaScriptCore/dfg/DFGDoesGC.cpp
M Source/JavaScriptCore/dfg/DFGFixupPhase.cpp
M Source/JavaScriptCore/dfg/DFGInsertionSet.h
M Source/JavaScriptCore/dfg/DFGMayExit.cpp
M Source/JavaScriptCore/dfg/DFGNode.h
M Source/JavaScriptCore/dfg/DFGNodeType.h
M Source/JavaScriptCore/dfg/DFGObjectAllocationSinkingPhase.cpp
M Source/JavaScriptCore/dfg/DFGObjectMaterializationData.h
M Source/JavaScriptCore/dfg/DFGPredictionPropagationPhase.cpp
M Source/JavaScriptCore/dfg/DFGPromotedHeapLocation.cpp
M Source/JavaScriptCore/dfg/DFGPromotedHeapLocation.h
M Source/JavaScriptCore/dfg/DFGSafeToExecute.h
M Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp
M Source/JavaScriptCore/dfg/DFGSpeculativeJIT.h
M Source/JavaScriptCore/dfg/DFGSpeculativeJIT32_64.cpp
M Source/JavaScriptCore/dfg/DFGSpeculativeJIT64.cpp
M Source/JavaScriptCore/dfg/DFGStoreBarrierInsertionPhase.cpp
M Source/JavaScriptCore/dfg/DFGValidate.cpp
M Source/JavaScriptCore/ftl/FTLCapabilities.cpp
M Source/JavaScriptCore/ftl/FTLExitTimeObjectMaterialization.cpp
M Source/JavaScriptCore/ftl/FTLExitTimeObjectMaterialization.h
M Source/JavaScriptCore/ftl/FTLLowerDFGToB3.cpp
M Source/JavaScriptCore/ftl/FTLOperations.cpp
M Source/JavaScriptCore/runtime/IndexingType.h
M Source/JavaScriptCore/runtime/OptionsList.h
Log Message:
-----------
[JSC] Enable Allocation Sinking for NewArrayWithConstantSize
https://bugs.webkit.org/show_bug.cgi?id=287731
rdar://144885784
Reviewed by Yusuke Suzuki.
This patch enables allocation sinking for NewArrayWithConstantSize, allowing
the DFG JIT to eliminate unnecessary array allocations when safe. This
optimization removes dead allocations and materializes them only if needed,
reducing memory overhead and improving execution efficiency. See the comments
in DFGObjectAllocationSinkingPhase.cpp for details.
Changes:
1. Introduced PhantomNewArrayWithConstantSize and
MaterializeNewArrayWithConstantSize
nodes for sinking and materializing arrays.
2. Tracked array allocations and indexed properties using
ArrayIndexedPropertyPLoc
and ArrayLengthPropertyPLoc.
3. Eliminated redundant bounds checks with removeCheckInBoundsIfNeeded.
4. Implemented JIT and FTL support for materializing sunken arrays.
5. Guarded sinking with isWatchingArrayPrototypeChainIsSaneWatchpoint,
isInBounds,
and constant index access to ensure deoptimization safety.
6. Added Options::useArrayAllocationSinking for runtime control.
* JSTests/microbenchmarks/loop-unrolling-4.js:
(test):
* JSTests/microbenchmarks/loop-unrolling-5.js: Added.
(assert):
(test):
* JSTests/stress/array-allocation-sink.js: Added.
(assert):
(run):
(assert.test):
(run.test):
* Source/JavaScriptCore/dfg/DFGAbstractInterpreterInlines.h:
(JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
* Source/JavaScriptCore/dfg/DFGClobberize.h:
(JSC::DFG::clobberize):
* Source/JavaScriptCore/dfg/DFGConstantFoldingPhase.cpp:
(JSC::DFG::ConstantFoldingPhase::foldConstants):
* Source/JavaScriptCore/dfg/DFGDoesGC.cpp:
(JSC::DFG::doesGC):
* Source/JavaScriptCore/dfg/DFGFixupPhase.cpp:
(JSC::DFG::FixupPhase::fixupNode):
* Source/JavaScriptCore/dfg/DFGMayExit.cpp:
* Source/JavaScriptCore/dfg/DFGNode.h:
(JSC::DFG::Node::convertToPhantomNewArrayWithConstantSize):
(JSC::DFG::Node::hasNewArraySize):
(JSC::DFG::Node::newArraySize):
(JSC::DFG::Node::hasIndexingType):
(JSC::DFG::Node::hasObjectMaterializationData):
(JSC::DFG::Node::isPhantomAllocation):
* Source/JavaScriptCore/dfg/DFGNodeType.h:
* Source/JavaScriptCore/dfg/DFGObjectAllocationSinkingPhase.cpp:
* Source/JavaScriptCore/dfg/DFGObjectMaterializationData.h:
* Source/JavaScriptCore/dfg/DFGPredictionPropagationPhase.cpp:
* Source/JavaScriptCore/dfg/DFGPromotedHeapLocation.cpp:
(WTF::printInternal):
* Source/JavaScriptCore/dfg/DFGPromotedHeapLocation.h:
* Source/JavaScriptCore/dfg/DFGSafeToExecute.h:
(JSC::DFG::safeToExecute):
* Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp:
* Source/JavaScriptCore/dfg/DFGSpeculativeJIT.h:
* Source/JavaScriptCore/dfg/DFGSpeculativeJIT32_64.cpp:
(JSC::DFG::SpeculativeJIT::compile):
* Source/JavaScriptCore/dfg/DFGSpeculativeJIT64.cpp:
(JSC::DFG::SpeculativeJIT::compile):
* Source/JavaScriptCore/dfg/DFGStoreBarrierInsertionPhase.cpp:
* Source/JavaScriptCore/dfg/DFGValidate.cpp:
* Source/JavaScriptCore/ftl/FTLCapabilities.cpp:
(JSC::FTL::canCompile):
* Source/JavaScriptCore/ftl/FTLExitTimeObjectMaterialization.cpp:
(JSC::FTL::ExitTimeObjectMaterialization::ExitTimeObjectMaterialization):
* Source/JavaScriptCore/ftl/FTLExitTimeObjectMaterialization.h:
(JSC::FTL::ExitTimeObjectMaterialization::indexingType const):
(JSC::FTL::ExitTimeObjectMaterialization::size const):
* Source/JavaScriptCore/ftl/FTLLowerDFGToB3.cpp:
(JSC::FTL::DFG::LowerDFGToB3::compileNode):
(JSC::FTL::DFG::LowerDFGToB3::compileNewArrayWithConstantSizeImpl):
(JSC::FTL::DFG::LowerDFGToB3::compileNewArrayWithConstantSize):
(JSC::FTL::DFG::LowerDFGToB3::compileCompareStrictEq):
* Source/JavaScriptCore/ftl/FTLOperations.cpp:
(JSC::FTL::JSC_DEFINE_NOEXCEPT_JIT_OPERATION):
* Source/JavaScriptCore/runtime/IndexingType.h:
(JSC::isNewArrayWithConstantSizeIndexingType):
* Source/JavaScriptCore/runtime/OptionsList.h:
Canonical link: https://commits.webkit.org/290691@main
To unsubscribe from these emails, change your notification settings at
https://github.com/WebKit/WebKit/settings/notifications
_______________________________________________
webkit-changes mailing list
[email protected]
https://lists.webkit.org/mailman/listinfo/webkit-changes
