Branch: refs/heads/main
Home: https://github.com/WebKit/WebKit
Commit: 7ddf52c48855ebaaa302fae8fe5bce0ce223897b
https://github.com/WebKit/WebKit/commit/7ddf52c48855ebaaa302fae8fe5bce0ce223897b
Author: Yusuke Suzuki <[email protected]>
Date: 2025-07-31 (Thu, 31 Jul 2025)
Changed paths:
M Source/JavaScriptCore/assembler/MacroAssemblerX86_64.h
M Source/JavaScriptCore/dfg/DFGFixupPhase.cpp
M Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp
M Source/JavaScriptCore/dfg/DFGSpeculativeJIT.h
M Source/JavaScriptCore/dfg/DFGSpeculativeJIT64.cpp
M Source/JavaScriptCore/dfg/DFGVarargsForwardingPhase.cpp
Log Message:
-----------
[JSC] DFG GetByOffset / PutByOffset should be optimized with Double
https://bugs.webkit.org/show_bug.cgi?id=296666
rdar://157062331
Reviewed by Yijia Huang.
This patch implements speculative double load / store via GetByOffset /
PutByOffset in DFG too. It is already implemented in FTL, but this
extends that optimization to DFG.

While FTL identifies these opportunities based on the ValueRep reduction
phase, DFG does it more speculatively in the DFG fixup phase. The reason is
that FTL needs to do object allocation sinking and argument elimination
after the fixup, and making them DoubleResult introduces complicated
problems for these phases. So FTL handles it in a different way:
identifying them in the ValueRep reduction phase, which is more
sophisticated.

But DFG does not have these phases (including the ValueRep reduction phase),
thus we simply do it speculatively in the fixup phase based on prediction
information.

The core of the optimization is the same as FTL's. We load the value
directly to the FPR, and extract the double by doing integer arithmetic
on the FPR. We avoid using fmov between GPRs and FPRs, which is really
costly.

This patch also does the same thing for ClosureVar and GlobalVars.

* Source/JavaScriptCore/assembler/MacroAssemblerX86_64.h:
(JSC::MacroAssemblerX86_64::storeDouble):
* Source/JavaScriptCore/dfg/DFGFixupPhase.cpp:
(JSC::DFG::FixupPhase::fixupNode):
* Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp:
* Source/JavaScriptCore/dfg/DFGSpeculativeJIT.h:
* Source/JavaScriptCore/dfg/DFGSpeculativeJIT64.cpp:
(JSC::DFG::SpeculativeJIT::unboxRealNumberDouble):
(JSC::DFG::SpeculativeJIT::boxDoubleAsDouble):
* Source/JavaScriptCore/dfg/DFGVarargsForwardingPhase.cpp:
Canonical link: https://commits.webkit.org/298092@main
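
The commit message above describes extracting a double from a loaded value with integer arithmetic. The C++ below is an added example, not code from this commit or from WebKit: it models the guard and the integer-only box/unbox in portable code, assuming JavaScriptCore's documented 64-bit JSValue encoding (doubles offset by 2^49, int32 tagged with 0xfffe000000000000). All function and constant names are hypothetical.

```cpp
#include <cstdint>
#include <cstring>

// Assumed constants: JavaScriptCore's documented 64-bit JSValue encoding.
constexpr uint64_t kDoubleEncodeOffset = 1ull << 49;      // added to a double's raw bits
constexpr uint64_t kNumberTag = 0xfffe000000000000ull;    // all bits set => int32
constexpr uint64_t kPureNaNBits = 0x7ff8000000000000ull;  // canonical quiet NaN

uint64_t bitsOf(double d) { uint64_t b; std::memcpy(&b, &d, sizeof b); return b; }
double doubleOf(uint64_t b) { double d; std::memcpy(&d, &b, sizeof d); return d; }

// Box with one integer add. NaNs are canonicalized first: an arbitrary NaN
// payload such as 0xffffffffffffffff would wrap around into the range used
// for pointers and stop looking like a number.
uint64_t boxDouble(double d)
{
    uint64_t bits = (d != d) ? kPureNaNBits : bitsOf(d);
    return bits + kDoubleEncodeOffset;
}

uint64_t boxInt32(int32_t i) { return kNumberTag | static_cast<uint32_t>(i); }

// A boxed double has some, but not all, of the number-tag bits set.
bool isBoxedDouble(uint64_t v)
{
    return (v & kNumberTag) != 0 && (v & kNumberTag) != kNumberTag;
}

// Hypothetical model of a speculative unbox. The type check is the guard;
// returning false stands for the JIT leaving the optimized path. The unbox
// itself is a single integer subtract on the raw 64 bits, so the value never
// has to move between integer and floating-point registers.
bool speculateUnboxDouble(uint64_t v, double& out)
{
    if (!isBoxedDouble(v))
        return false;
    out = doubleOf(v - kDoubleEncodeOffset);
    return true;
}

int main()
{
    const uint64_t cellLike = 0x00007f0012345678ull; // constructed pointer-shaped value
    double d = 0;
    bool ok = speculateUnboxDouble(boxDouble(1.5), d) && d == 1.5
        && !speculateUnboxDouble(boxInt32(7), d)
        && !speculateUnboxDouble(cellLike, d);
    return ok ? 0 : 1;
}
```

The guard is what keeps the subtract sound: applied to an int32 or a pointer-shaped value, the same arithmetic would produce a meaningless double instead of a failed speculation.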