Changeset 224818 in webkit for trunk/Source/JavaScriptCore/dfg/DFGArrayMode.cpp

Timestamp:

Nov 14, 2017, 9:35:33 AM (8 years ago)

Author:

Yusuke Suzuki

Message:

[DFG][FTL] Support Array::DirectArguments with OutOfBounds
​https://bugs.webkit.org/show_bug.cgi?id=179594

Reviewed by Saam Barati.

JSTests:

• stress/direct-arguments-in-bounds-to-out-of-bounds.js: Added.

(shouldBe):
(args):

• stress/direct-arguments-out-of-bounds-watchpoint.js: Added.

(shouldBe):
(args):

Source/JavaScriptCore:

Currently we handle OOB access to DirectArguments as GetByVal(Array::Generic).
If we can handle it as GetByVal(Array::DirectArguments+OutOfBounds), we can (1) optimize
arguments[i] accesses if i is in bound, and (2) encourage arguments elimination phase
to convert CreateDirectArguments and GetByVal(Array::DirectArguments+OutOfBounds) to
PhantomDirectArguments and GetMyArgumentOutOfBounds respectively.

This patch introduces Array::DirectArguments+OutOfBounds array mode. GetByVal can
accept this type, and emit optimized code compared to Array::Generic case.

We make OOB check failures in GetByVal(Array::DirectArguments+InBounds) as OutOfBounds
exit instead of ExoticObjectMode.

This change significantly improves SixSpeed rest.es5 since it uses OOB access.
Our arguments elimination phase can change CreateDirectArguments to PhantomDirectArguments.

rest.es5 59.6719+-2.2440 ^{3.1634+-0.5507} definitely 18.8635x faster

• dfg/DFGArgumentsEliminationPhase.cpp:
• dfg/DFGArrayMode.cpp:

(JSC::DFG::ArrayMode::refine const):

• dfg/DFGClobberize.h:

(JSC::DFG::clobberize):

• dfg/DFGSpeculativeJIT.cpp:

(JSC::DFG::SpeculativeJIT::compileGetByValOnDirectArguments):

• ftl/FTLLowerDFGToB3.cpp:

(JSC::FTL::DFG::LowerDFGToB3::compileGetByVal):
(JSC::FTL::DFG::LowerDFGToB3::compileGetMyArgumentByVal):

File:

• trunk/Source/JavaScriptCore/dfg/DFGArrayMode.cpp (modified) (1 diff)

trunk/Source/JavaScriptCore/dfg/DFGArrayMode.cpp

@@ -260 +260 @@
         if (isDirectArgumentsSpeculation(base) || isScopedArgumentsSpeculation(base)) {
             // Handle out-of-bounds accesses as generic accesses.
-            if (graph.hasExitSite(node->origin.semantic, OutOfBounds) || !isInBounds())
+            Array::Type type = isDirectArgumentsSpeculation(base) ? Array::DirectArguments : Array::ScopedArguments;
+            if (graph.hasExitSite(node->origin.semantic, OutOfBounds) || !isInBounds()) {
+                // FIXME: Support OOB access for ScopedArguments.
+                // https://bugs.webkit.org/show_bug.cgi?id=179596
+                if (type == Array::DirectArguments)
+                    return ArrayMode(type, Array::NonArray, Array::OutOfBounds, Array::AsIs);
                 return ArrayMode(Array::Generic);
-            
-            if (isDirectArgumentsSpeculation(base))
-                return withType(Array::DirectArguments);
-            return withType(Array::ScopedArguments);
+            }
+            return withType(type);
         }