Changeset 258901 in webkit

Timestamp:

Mar 23, 2020 8:02:28 PM (4 years ago)

Author:

keith_miller@apple.com

Message:

HasIndexedProperty should know about sane chain
​https://bugs.webkit.org/show_bug.cgi?id=209457

Reviewed by Saam Barati.

This patch makes it so HasIndexedProperty is aware of
sane chain. This is useful because, most of the time we do an
indexed in it is on an array. If the array has a sane chain (i.e.
no indexed properties on it's prototypes and has the default
prototype chain) then we can just test for the index being a hole.

Note, we could also just convert OOB indices into false but that
should happen in another patch.
​https://bugs.webkit.org/show_bug.cgi?id=209456

I didn't add any tests because it turns out we already have a ton.
I know this because I broke most of them repeatedly... >.>

• dfg/DFGAbstractInterpreterInlines.h:

(JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):

• dfg/DFGClobberize.h:

(JSC::DFG::clobberize):

• dfg/DFGFixupPhase.cpp:

(JSC::DFG::FixupPhase::fixupNode):
(JSC::DFG::FixupPhase::setSaneChainIfPossible):
(JSC::DFG::FixupPhase::convertToHasIndexedProperty):

• dfg/DFGNodeType.h:
• dfg/DFGSpeculativeJIT.cpp:

(JSC::DFG::SpeculativeJIT::compileHasIndexedProperty):

• ftl/FTLLowerDFGToB3.cpp:

(JSC::FTL::DFG::LowerDFGToB3::compileHasIndexedProperty):
(JSC::FTL::DFG::LowerDFGToB3::speculateAndJump):

• jit/AssemblyHelpers.h:

(JSC::AssemblyHelpers::isEmpty):

Location:

trunk/Source/JavaScriptCore

Files:

• ChangeLog (modified) (1 diff)
• dfg/DFGAbstractInterpreterInlines.h (modified) (1 diff)
• dfg/DFGClobberize.h (modified) (4 diffs)
• dfg/DFGFixupPhase.cpp (modified) (6 diffs)
• dfg/DFGNodeType.h (modified) (1 diff)
• dfg/DFGSpeculativeJIT.cpp (modified) (5 diffs)
• ftl/FTLLowerDFGToB3.cpp (modified) (6 diffs)
• jit/AssemblyHelpers.h (modified) (1 diff)

trunk/Source/JavaScriptCore/ChangeLog

@@ +1 @@
+2020-03-23  Keith Miller  <keith_miller@apple.com>
+
+        HasIndexedProperty should know about sane chain
+        https://bugs.webkit.org/show_bug.cgi?id=209457
+
+        Reviewed by Saam Barati.
+
+        This patch makes it so HasIndexedProperty is aware of
+        sane chain. This is useful because, most of the time we do an
+        indexed in it is on an array. If the array has a sane chain (i.e.
+        no indexed properties on it's prototypes and has the default
+        prototype chain) then we can just test for the index being a hole.
+
+        Note, we could also just convert OOB indices into false but that
+        should happen in another patch.
+        https://bugs.webkit.org/show_bug.cgi?id=209456
+
+        I didn't add any tests because it turns out we already have a ton.
+        I know this because I broke most of them repeatedly... >.>
+
+        * dfg/DFGAbstractInterpreterInlines.h:
+        (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
+        * dfg/DFGClobberize.h:
+        (JSC::DFG::clobberize):
+        * dfg/DFGFixupPhase.cpp:
+        (JSC::DFG::FixupPhase::fixupNode):
+        (JSC::DFG::FixupPhase::setSaneChainIfPossible):
+        (JSC::DFG::FixupPhase::convertToHasIndexedProperty):
+        * dfg/DFGNodeType.h:
+        * dfg/DFGSpeculativeJIT.cpp:
+        (JSC::DFG::SpeculativeJIT::compileHasIndexedProperty):
+        * ftl/FTLLowerDFGToB3.cpp:
+        (JSC::FTL::DFG::LowerDFGToB3::compileHasIndexedProperty):
+        (JSC::FTL::DFG::LowerDFGToB3::speculateAndJump):
+        * jit/AssemblyHelpers.h:
+        (JSC::AssemblyHelpers::isEmpty):
+
 2020-03-23  Yusuke Suzuki  <ysuzuki@apple.com>
 

trunk/Source/JavaScriptCore/dfg/DFGAbstractInterpreterInlines.h

@@ -3919 +3919 @@
         case Array::Contiguous:
         case Array::ArrayStorage: {
-            break;
+            if (mode.isInBounds())
+                break;
+            FALLTHROUGH;
         }
         default: {

trunk/Source/JavaScriptCore/dfg/DFGClobberize.h

@@ -325 +325 @@
                 return;
             }
-            read(Heap);
-            return;
+            break;
         }
             
@@ -336 +335 @@
                 return;
             }
-            read(Heap);
-            return;
+            break;
         }
             
@@ -347 +345 @@
                 return;
             }
-            read(Heap);
-            return;
+            break;
         }
 
@@ -357 +354 @@
                 return;
             }
-            read(Heap);
-            return;
-        }
-
-        default: {
-            read(World);
-            write(Heap);
-            return;
-        }
-        }
-        RELEASE_ASSERT_NOT_REACHED();
+            break;
+        }
+
+        default: 
+            break;
+        }
+        read(World);
+        write(Heap);
         return;
     }

trunk/Source/JavaScriptCore/dfg/DFGFixupPhase.cpp

@@ -958 +958 @@
                     }
                     
-                    if (canDoSaneChain) {
-                        JSGlobalObject* globalObject = m_graph.globalObjectFor(node->origin.semantic);
-                        Structure* arrayPrototypeStructure = globalObject->arrayPrototype()->structure(vm());
-                        Structure* objectPrototypeStructure = globalObject->objectPrototype()->structure(vm());
-                        if (arrayPrototypeStructure->transitionWatchpointSetIsStillValid()
-                            && objectPrototypeStructure->transitionWatchpointSetIsStillValid()
-                            && globalObject->arrayPrototypeChainIsSane()) {
-                            m_graph.registerAndWatchStructureTransition(arrayPrototypeStructure);
-                            m_graph.registerAndWatchStructureTransition(objectPrototypeStructure);
-                            node->setArrayMode(arrayMode.withSpeculation(Array::SaneChain));
-                        }
-                    }
+                    if (canDoSaneChain)
+                        setSaneChainIfPossible(node);
                 }
                 break;
@@ -2030 +2020 @@
             fixEdge<CellUse>(m_graph.varArgChild(node, 0));
             fixEdge<Int32Use>(m_graph.varArgChild(node, 1));
+
+            ArrayMode arrayMode = node->arrayMode();
+            // FIXME: OutOfBounds shouldn't preclude going sane chain because OOB is just false and cannot have effects.
+            // See: https://bugs.webkit.org/show_bug.cgi?id=209456
+            if (arrayMode.isJSArrayWithOriginalStructure() && arrayMode.speculation() == Array::InBounds)
+                setSaneChainIfPossible(node);
             break;
         }
@@ -3343 +3339 @@
             OpInfo(arrayMode.asWord()), Edge(array, KnownCellUse));
     }
+
+    void setSaneChainIfPossible(Node* node)
+    {
+        JSGlobalObject* globalObject = m_graph.globalObjectFor(node->origin.semantic);
+        Structure* arrayPrototypeStructure = globalObject->arrayPrototype()->structure(vm());
+        Structure* objectPrototypeStructure = globalObject->objectPrototype()->structure(vm());
+        if (arrayPrototypeStructure->transitionWatchpointSetIsStillValid()
+            && objectPrototypeStructure->transitionWatchpointSetIsStillValid()
+            && globalObject->arrayPrototypeChainIsSane()) {
+            m_graph.registerAndWatchStructureTransition(arrayPrototypeStructure);
+            m_graph.registerAndWatchStructureTransition(objectPrototypeStructure);
+            node->setArrayMode(node->arrayMode().withSpeculation(Array::SaneChain));
+            node->clearFlags(NodeMustGenerate);
+        }
+    }
     
     void blessArrayOperation(Edge base, Edge index, Edge& storageChild)
@@ -3695 +3706 @@
     {
         node->setOp(HasIndexedProperty);
-        node->clearFlags(NodeMustGenerate);
 
         {
@@ -3703 +3713 @@
             m_graph.m_varArgChildren.append(node->child2());
             m_graph.m_varArgChildren.append(Edge());
-            node->mergeFlags(NodeHasVarArgs);
+            node->setFlags(defaultFlags(HasIndexedProperty));
             node->children = AdjacencyList(AdjacencyList::Variable, firstChild, numChildren);
         }
@@ -3716 +3726 @@
 
         blessArrayOperation(m_graph.varArgChild(node, 0), m_graph.varArgChild(node, 1), m_graph.varArgChild(node, 2));
+        auto arrayMode = node->arrayMode();
+        // FIXME: OutOfBounds shouldn't preclude going sane chain because OOB is just false and cannot have effects.
+        // See: https://bugs.webkit.org/show_bug.cgi?id=209456
+        if (arrayMode.isJSArrayWithOriginalStructure() && arrayMode.speculation() == Array::InBounds)
+            setSaneChainIfPossible(node);
 
         fixEdge<CellUse>(m_graph.varArgChild(node, 0));

trunk/Source/JavaScriptCore/dfg/DFGNodeType.h

@@ -484 +484 @@
     /* For-in enumeration opcodes */\
     macro(GetEnumerableLength, NodeMustGenerate | NodeResultJS) \
-    macro(HasIndexedProperty, NodeResultBoolean | NodeHasVarArgs) \
+    /* Must generate because of Proxies on the prototype chain */ \
+    macro(HasIndexedProperty, NodeMustGenerate | NodeResultBoolean | NodeHasVarArgs) \
     macro(HasStructureProperty, NodeResultBoolean) \
     macro(HasGenericProperty, NodeResultBoolean) \

trunk/Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp

@@ -13581 +13581 @@
 
         MacroAssembler::Jump outOfBounds = m_jit.branch32(MacroAssembler::AboveOrEqual, indexGPR, MacroAssembler::Address(storageGPR, Butterfly::offsetOfPublicLength()));
+
         if (mode.isInBounds())
             speculationCheck(OutOfBounds, JSValueRegs(), nullptr, outOfBounds);
@@ -13588 +13589 @@
 #if USE(JSVALUE64)
         m_jit.load64(MacroAssembler::BaseIndex(storageGPR, indexGPR, MacroAssembler::TimesEight), scratchGPR);
-        slowCases.append(m_jit.branchIfEmpty(scratchGPR));
 #else
         m_jit.load32(MacroAssembler::BaseIndex(storageGPR, indexGPR, MacroAssembler::TimesEight, OBJECT_OFFSETOF(JSValue, u.asBits.tag)), scratchGPR);
-        slowCases.append(m_jit.branchIfEmpty(scratchGPR));
 #endif
+
+        if (mode.isSaneChain()) {
+            m_jit.isEmpty(scratchGPR, resultGPR);
+            break;
+        }
+
+        MacroAssembler::Jump isHole = m_jit.branchIfEmpty(scratchGPR);
+        if (!mode.isInBounds())
+            slowCases.append(isHole);
+        else
+            speculationCheck(LoadFromHole, JSValueRegs(), nullptr, isHole);
         m_jit.move(TrustedImm32(1), resultGPR);
         break;
@@ -13604 +13614 @@
 
         MacroAssembler::Jump outOfBounds = m_jit.branch32(MacroAssembler::AboveOrEqual, indexGPR, MacroAssembler::Address(storageGPR, Butterfly::offsetOfPublicLength()));
+
         if (mode.isInBounds())
             speculationCheck(OutOfBounds, JSValueRegs(), nullptr, outOfBounds);
@@ -13610 +13621 @@
 
         m_jit.loadDouble(MacroAssembler::BaseIndex(storageGPR, indexGPR, MacroAssembler::TimesEight), scratchFPR);
-        slowCases.append(m_jit.branchIfNaN(scratchFPR));
+
+        if (mode.isSaneChain()) {
+            m_jit.compareDouble(MacroAssembler::DoubleEqualAndOrdered, scratchFPR, scratchFPR, resultGPR);
+            break;
+        }
+
+        MacroAssembler::Jump isHole = m_jit.branchIfNaN(scratchFPR);
+        if (!mode.isInBounds())
+            slowCases.append(isHole);
+        else
+            speculationCheck(LoadFromHole, JSValueRegs(), nullptr, isHole);
         m_jit.move(TrustedImm32(1), resultGPR);
         break;
@@ -13630 +13651 @@
 #if USE(JSVALUE64)
         m_jit.load64(MacroAssembler::BaseIndex(storageGPR, indexGPR, MacroAssembler::TimesEight, ArrayStorage::vectorOffset()), scratchGPR);
-        slowCases.append(m_jit.branchIfEmpty(scratchGPR));
 #else
         m_jit.load32(MacroAssembler::BaseIndex(storageGPR, indexGPR, MacroAssembler::TimesEight, ArrayStorage::vectorOffset() + OBJECT_OFFSETOF(JSValue, u.asBits.tag)), scratchGPR);
-        slowCases.append(m_jit.branchIfEmpty(scratchGPR));
 #endif
+
+        if (mode.isSaneChain()) {
+            m_jit.isEmpty(scratchGPR, resultGPR);
+            break;
+        }
+
+        MacroAssembler::Jump isHole = m_jit.branchIfEmpty(scratchGPR);
+        if (!mode.isInBounds() || mode.isSaneChain())
+            slowCases.append(isHole);
+        else
+            speculationCheck(LoadFromHole, JSValueRegs(), nullptr, isHole);
         m_jit.move(TrustedImm32(1), resultGPR);
         break;

trunk/Source/JavaScriptCore/ftl/FTLLowerDFGToB3.cpp

@@ -11594 +11594 @@
         LValue base = lowCell(m_graph.varArgChild(m_node, 0));
         LValue index = lowInt32(m_graph.varArgChild(m_node, 1));
+        ArrayMode mode = m_node->arrayMode();
 
         switch (m_node->arrayMode().type()) {
@@ -11601 +11602 @@
             LValue internalMethodType = m_out.constInt32(static_cast<int32_t>(m_node->internalMethodType()));
 
-            IndexedAbstractHeap& heap = m_node->arrayMode().type() == Array::Int32 ?
+            IndexedAbstractHeap& heap = mode.type() == Array::Int32 ?
                 m_heaps.indexedInt32Properties : m_heaps.indexedContiguousProperties;
 
@@ -11608 +11609 @@
             LBasicBlock lastNext = nullptr;
 
+            if (!mode.isInBounds()) {
+                LBasicBlock checkHole = m_out.newBlock();
+                m_out.branch(
+                    m_out.aboveOrEqual(
+                        index, m_out.load32NonNegative(storage, m_heaps.Butterfly_publicLength)),
+                    rarely(slowCase), usually(checkHole));
+                lastNext = m_out.appendTo(checkHole, slowCase);
+            } else
+                lastNext = m_out.insertNewBlocksBefore(slowCase);
+
+            LValue checkHoleResultValue =
+                m_out.notZero64(m_out.load64(baseIndex(heap, storage, index, m_graph.varArgChild(m_node, 1))));
+            ValueFromBlock checkHoleResult = m_out.anchor(checkHoleResultValue);
+            if (mode.isSaneChain())
+                m_out.jump(continuation);
+            else if (!mode.isInBounds())
+                m_out.branch(checkHoleResultValue, usually(continuation), rarely(slowCase));
+            else
+                speculateAndJump(continuation, LoadFromHole, noValue(), nullptr, checkHoleResultValue);
+
+            m_out.appendTo(slowCase, continuation);
+            ValueFromBlock slowResult = m_out.anchor(
+                m_out.notZero64(vmCall(Int64, operationHasIndexedPropertyByInt, weakPointer(globalObject), base, index, internalMethodType)));
+            m_out.jump(continuation);
+
+            m_out.appendTo(continuation, lastNext);
+            setBoolean(m_out.phi(Int32, checkHoleResult, slowResult));
+            return;
+        }
+        case Array::Double: {
+            LValue storage = lowStorage(m_graph.varArgChild(m_node, 2));
+            LValue internalMethodType = m_out.constInt32(static_cast<int32_t>(m_node->internalMethodType()));
+            
+            IndexedAbstractHeap& heap = m_heaps.indexedDoubleProperties;
+            
+            LBasicBlock slowCase = m_out.newBlock();
+            LBasicBlock continuation = m_out.newBlock();
+            LBasicBlock lastNext = nullptr;
+            
             if (!m_node->arrayMode().isInBounds()) {
                 LBasicBlock checkHole = m_out.newBlock();
@@ -11618 +11658 @@
                 lastNext = m_out.insertNewBlocksBefore(slowCase);
 
-            LValue checkHoleResultValue =
-                m_out.notZero64(m_out.load64(baseIndex(heap, storage, index, m_graph.varArgChild(m_node, 1))));
-            ValueFromBlock checkHoleResult = m_out.anchor(checkHoleResultValue);
-            m_out.branch(checkHoleResultValue, usually(continuation), rarely(slowCase));
-
-            m_out.appendTo(slowCase, continuation);
-            ValueFromBlock slowResult = m_out.anchor(
-                m_out.notZero64(vmCall(Int64, operationHasIndexedPropertyByInt, weakPointer(globalObject), base, index, internalMethodType)));
-            m_out.jump(continuation);
-
-            m_out.appendTo(continuation, lastNext);
-            setBoolean(m_out.phi(Int32, checkHoleResult, slowResult));
-            return;
-        }
-        case Array::Double: {
-            LValue storage = lowStorage(m_graph.varArgChild(m_node, 2));
-            LValue internalMethodType = m_out.constInt32(static_cast<int32_t>(m_node->internalMethodType()));
-            
-            IndexedAbstractHeap& heap = m_heaps.indexedDoubleProperties;
-            
-            LBasicBlock slowCase = m_out.newBlock();
-            LBasicBlock continuation = m_out.newBlock();
-            LBasicBlock lastNext = nullptr;
-            
-            if (!m_node->arrayMode().isInBounds()) {
-                LBasicBlock checkHole = m_out.newBlock();
-                m_out.branch(
-                    m_out.aboveOrEqual(
-                        index, m_out.load32NonNegative(storage, m_heaps.Butterfly_publicLength)),
-                    rarely(slowCase), usually(checkHole));
-                lastNext = m_out.appendTo(checkHole, slowCase);
-            } else
-                lastNext = m_out.insertNewBlocksBefore(slowCase);
-
             LValue doubleValue = m_out.loadDouble(baseIndex(heap, storage, index, m_graph.varArgChild(m_node, 1)));
             LValue checkHoleResultValue = m_out.doubleEqual(doubleValue, doubleValue);
             ValueFromBlock checkHoleResult = m_out.anchor(checkHoleResultValue);
-            m_out.branch(checkHoleResultValue, usually(continuation), rarely(slowCase));
+            if (mode.isSaneChain())
+                m_out.jump(continuation);
+            else if (!mode.isInBounds())
+                m_out.branch(checkHoleResultValue, usually(continuation), rarely(slowCase));
+            else
+                speculateAndJump(continuation, LoadFromHole, noValue(), nullptr, checkHoleResultValue);
             
             m_out.appendTo(slowCase, continuation);
@@ -11688 +11699 @@
                 m_out.notZero64(m_out.load64(baseIndex(m_heaps.ArrayStorage_vector, storage, index, m_graph.varArgChild(m_node, 1))));
             ValueFromBlock checkHoleResult = m_out.anchor(checkHoleResultValue);
-            m_out.branch(checkHoleResultValue, usually(continuation), rarely(slowCase));
+            if (mode.isSaneChain())
+                m_out.jump(continuation);
+            else if (!mode.isInBounds())
+                m_out.branch(checkHoleResultValue, usually(continuation), rarely(slowCase));
+            else
+                speculateAndJump(continuation, LoadFromHole, noValue(), nullptr, checkHoleResultValue);
 
             m_out.appendTo(slowCase, continuation);
@@ -16127 +16143 @@
         appendOSRExit(kind, lowValue, profile, failCondition, m_origin);
     }
+
+    template<typename... Args>
+    void speculateAndJump(B3::BasicBlock* target, Args... args)
+    {
+        speculate(args...);
+        m_out.jump(target);
+    }
     
     void terminate(ExitKind kind)

trunk/Source/JavaScriptCore/jit/AssemblyHelpers.h

@@ -962 +962 @@
     Jump branchIfNotFunction(GPRReg cellGPR) { return branchIfNotType(cellGPR, JSFunctionType); }
     
+    void isEmpty(GPRReg gpr, GPRReg dst)
+    {
+#if USE(JSVALUE64)
+        test64(NonZero, gpr, TrustedImm32(-1), dst);
+#else
+        compare32(Equal, gpr, TrustedImm32(JSValue::EmptyValueTag), dst);
+#endif
+    }
+
     Jump branchIfEmpty(GPRReg gpr)
     {