Branch: refs/heads/main
  Home:   https://github.com/WebKit/WebKit
  Commit: f014a32890763b138b22bbcf4c6bf413ce343a44
      
https://github.com/WebKit/WebKit/commit/f014a32890763b138b22bbcf4c6bf413ce343a44
  Author: Keith Miller <keith_mil...@apple.com>
  Date:   2025-09-10 (Wed, 10 Sep 2025)

  Changed paths:
    A JSTests/stress/array-allocation-elimination-closure-capture.js
    A JSTests/stress/array-allocation-elimination-conditional-usage.js
    A JSTests/stress/array-allocation-elimination-cross-function.js
    M Source/JavaScriptCore/dfg/DFGAbstractInterpreterInlines.h
    M Source/JavaScriptCore/dfg/DFGBackwardsPropagationPhase.cpp
    M Source/JavaScriptCore/dfg/DFGClobberize.h
    M Source/JavaScriptCore/dfg/DFGCloneHelper.h
    M Source/JavaScriptCore/dfg/DFGConstantFoldingPhase.cpp
    M Source/JavaScriptCore/dfg/DFGDoesGC.cpp
    M Source/JavaScriptCore/dfg/DFGFixupPhase.cpp
    M Source/JavaScriptCore/dfg/DFGLoopUnrollingPhase.cpp
    M Source/JavaScriptCore/dfg/DFGMayExit.cpp
    M Source/JavaScriptCore/dfg/DFGNode.cpp
    M Source/JavaScriptCore/dfg/DFGNode.h
    M Source/JavaScriptCore/dfg/DFGNodeType.h
    M Source/JavaScriptCore/dfg/DFGObjectAllocationSinkingPhase.cpp
    M Source/JavaScriptCore/dfg/DFGObjectMaterializationData.h
    M Source/JavaScriptCore/dfg/DFGOperations.cpp
    M Source/JavaScriptCore/dfg/DFGOperations.h
    M Source/JavaScriptCore/dfg/DFGPredictionPropagationPhase.cpp
    M Source/JavaScriptCore/dfg/DFGPromotedHeapLocation.h
    M Source/JavaScriptCore/dfg/DFGSafeToExecute.h
    M Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp
    M Source/JavaScriptCore/dfg/DFGSpeculativeJIT.h
    M Source/JavaScriptCore/dfg/DFGSpeculativeJIT32_64.cpp
    M Source/JavaScriptCore/dfg/DFGSpeculativeJIT64.cpp
    M Source/JavaScriptCore/dfg/DFGStoreBarrierInsertionPhase.cpp
    M Source/JavaScriptCore/dfg/DFGUseKind.h
    M Source/JavaScriptCore/dfg/DFGValidate.cpp
    M Source/JavaScriptCore/ftl/FTLCapabilities.cpp
    M Source/JavaScriptCore/ftl/FTLExitTimeObjectMaterialization.cpp
    M Source/JavaScriptCore/ftl/FTLLowerDFGToB3.cpp
    M Source/JavaScriptCore/ftl/FTLOperations.cpp
    M Source/JavaScriptCore/runtime/IndexingType.cpp
    M Source/JavaScriptCore/runtime/IndexingType.h

  Log Message:
  -----------
  Array allocation sinking should split allocations into two, an Array allocation and a Butterfly allocation
https://bugs.webkit.org/show_bug.cgi?id=298606
rdar://159207754

Reviewed by Yusuke Suzuki.

This patch minorly rearchitects how we do Array allocation sinking in DFG. Previously we tried to model Arrays
in ObjectAllocationSinking as two allocations one where the actual Array was allocated and a "Butterfly"
at each `GetButterfly`. This meant that there was now a reverse data dependency between the GetButterfly and
the Array allocation Nodes. This was a little unintuitive but also meant that any control flow that would
merge two `GetButterfly`s would escape the Array.

This PR simplifies things by more directly representing the heap in ObjectAllocationSinking. There are now
two nodes that get sunk when sinking an Array: NewButterflyWithSize and NewArrayWithButterfly. All the
indexed properties and the length are stored on the LocalHeap of NewButterflyWithSize and NewArrayWithButterfly's
LocalHeap only contains the butterfly. Right now we only handle in-bounds loads/stores to the butterfly
but this model makes it substantially easier to model growing the Array's Butterfly in the future.

One other interesting change in this PR is that we could handle sizes greater than MIN_ARRAY_STORAGE_CONSTRUCTION_LENGTH
in the slow path. MIN_ARRAY_STORAGE_CONSTRUCTION_LENGTH is always bigger than a MarkBlock's max allocation size
(by a lot) so any allocation that big will always take the slow path. This patch fixes that issue for the new nodes
but we should consider addressing that for other Array allocation Nodes in a follow up.

Lastly, this patch "corrects" leastUpperBoundOfIndexingTypeAndType so it no longer recommends Double storage
when the value is a NaN. Previously this would just be a perf issue but with this patch it's needed for
correctness.

Overall, this change is perf neutral or maybe a slight progression on JetStream 3.

Canonical link: https://commits.webkit.org/299806@main


