Timestamp:
Dec 13, 2019, 8:34:45 PM (5 years ago)
Author:
[email protected]
Message:

[JSC] Remove JSFixedArray, and use JSImmutableButterfly instead
https://bugs.webkit.org/show_bug.cgi?id=204402

Reviewed by Mark Lam.

JSTests:

  • stress/new-array-with-spread-cow-double.js: Added.

(shouldBe):
(shouldBeArray):
(test):

  • stress/new-array-with-spread-cow-int.js: Added.

(shouldBe):
(shouldBeArray):
(test):

  • stress/new-array-with-spread-cow.js: Added.

(shouldBe):
(shouldBeArray):
(test):

Source/JavaScriptCore:

This patch removes JSFixedArray and uses JSImmutableButterfly instead. JSFixedArray can be replaced by
JSImmutableButterfly with Contiguous shape. Furthermore, we can create an array from the JSImmutableButterfly
generated by a Spread node in NewArrayBufferWithSpread.

Currently, we always create a contiguous JSImmutableButterfly from Spread. If Spread takes a contiguous CoW
array, we can reuse the JSImmutableButterfly of the input. But if the input is CoW and not of contiguous shape (like
CopyOnWriteArrayWithInt32), we create a new JSImmutableButterfly and copy the elements into it. We can
extend it to accept non-contiguous JSImmutableButterfly in the future.

  • JavaScriptCore.xcodeproj/project.pbxproj:
  • Sources.txt:
  • bytecompiler/BytecodeGenerator.cpp:
  • dfg/DFGAbstractInterpreterInlines.h:

(JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):

  • dfg/DFGByteCodeParser.cpp:
  • dfg/DFGClobberize.h:

(JSC::DFG::clobberize):

  • dfg/DFGConstantFoldingPhase.cpp:

(JSC::DFG::ConstantFoldingPhase::foldConstants):

  • dfg/DFGOperations.cpp:
  • dfg/DFGOperations.h:
  • dfg/DFGSpeculativeJIT.cpp:

(JSC::DFG::SpeculativeJIT::compileSpread):
(JSC::DFG::SpeculativeJIT::compileNewArrayWithSpread):
(JSC::DFG::SpeculativeJIT::compileObjectKeys):

  • ftl/FTLAbstractHeapRepository.h:
  • ftl/FTLLowerDFGToB3.cpp:

(JSC::FTL::DFG::LowerDFGToB3::compileNewArrayWithSpread):
(JSC::FTL::DFG::LowerDFGToB3::compileSpread):
(JSC::FTL::DFG::LowerDFGToB3::toButterfly):

  • ftl/FTLOperations.cpp:

(JSC::FTL::operationMaterializeObjectInOSR):

  • interpreter/Interpreter.cpp:

(JSC::sizeOfVarargs):
(JSC::loadVarargs):

  • runtime/CommonSlowPaths.cpp:

(JSC::SLOW_PATH_DECL):

  • runtime/JSCast.h:
  • runtime/JSFixedArray.cpp: Removed.
  • runtime/JSFixedArray.h: Removed.
  • runtime/JSImmutableButterfly.h:

(JSC::JSImmutableButterfly::createFromArray):
(JSC::JSImmutableButterfly::offsetOfPublicLength):
(JSC::JSImmutableButterfly::offsetOfVectorLength):

  • runtime/JSType.cpp:

(WTF::printInternal):

  • runtime/JSType.h:
  • runtime/VM.cpp:

(JSC::VM::VM):

  • runtime/VM.h:
File:
1 edited

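--- a/trunk/Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp
+++ b/trunk/Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp
@@ -55,5 +55,4 @@
 #include "JSAsyncGeneratorFunction.h"
 #include "JSCInlines.h"
-#include "JSFixedArray.h"
 #include "JSGeneratorFunction.h"
 #include "JSImmutableButterfly.h"
@@ -7903,6 +7902,14 @@
 
         MacroAssembler::JumpList slowPath;
+        MacroAssembler::JumpList done;
 
         m_jit.load8(MacroAssembler::Address(argument, JSCell::indexingTypeAndMiscOffset()), scratch1GPR);
+        m_jit.and32(TrustedImm32(IndexingModeMask), scratch1GPR);
+        auto notShareCase = m_jit.branch32(CCallHelpers::NotEqual, scratch1GPR, TrustedImm32(CopyOnWriteArrayWithContiguous));
+        m_jit.loadPtr(MacroAssembler::Address(argument, JSObject::butterflyOffset()), resultGPR);
+        m_jit.addPtr(TrustedImm32(-static_cast<ptrdiff_t>(JSImmutableButterfly::offsetOfData())), resultGPR);
+        done.append(m_jit.jump());
+
+        notShareCase.link(&m_jit);
         m_jit.and32(TrustedImm32(IndexingShapeMask), scratch1GPR);
         m_jit.sub32(TrustedImm32(Int32Shape), scratch1GPR);
@@ -7915,12 +7922,11 @@
         m_jit.move(lengthGPR, scratch1GPR);
         m_jit.lshift32(TrustedImm32(3), scratch1GPR);
-        m_jit.add32(TrustedImm32(JSFixedArray::offsetOfData()), scratch1GPR);
-
-        m_jit.emitAllocateVariableSizedCell<JSFixedArray>(vm(), resultGPR, TrustedImmPtr(m_jit.graph().registerStructure(m_jit.graph().m_vm.fixedArrayStructure.get())), scratch1GPR, scratch1GPR, scratch2GPR, slowPath);
-        m_jit.store32(lengthGPR, MacroAssembler::Address(resultGPR, JSFixedArray::offsetOfSize()));
+        m_jit.add32(TrustedImm32(JSImmutableButterfly::offsetOfData()), scratch1GPR);
+
+        m_jit.emitAllocateVariableSizedCell<JSImmutableButterfly>(vm(), resultGPR, TrustedImmPtr(m_jit.graph().registerStructure(m_jit.graph().m_vm.immutableButterflyStructures[arrayIndexFromIndexingType(CopyOnWriteArrayWithContiguous) - NumberOfIndexingShapes].get())), scratch1GPR, scratch1GPR, scratch2GPR, slowPath);
+        m_jit.store32(lengthGPR, MacroAssembler::Address(resultGPR, JSImmutableButterfly::offsetOfPublicLength()));
+        m_jit.store32(lengthGPR, MacroAssembler::Address(resultGPR, JSImmutableButterfly::offsetOfVectorLength()));
 
         m_jit.loadPtr(MacroAssembler::Address(argument, JSObject::butterflyOffset()), scratch1GPR);
-
-        MacroAssembler::JumpList done;
 
         m_jit.load8(MacroAssembler::Address(argument, JSCell::indexingTypeAndMiscOffset()), scratch2GPR);
@@ -7936,5 +7942,5 @@
             m_jit.move(TrustedImm64(JSValue::encode(jsUndefined())), scratch2GPR);
             notEmpty.link(&m_jit);
-            m_jit.store64(scratch2GPR, MacroAssembler::BaseIndex(resultGPR, lengthGPR, MacroAssembler::TimesEight, JSFixedArray::offsetOfData()));
+            m_jit.store64(scratch2GPR, MacroAssembler::BaseIndex(resultGPR, lengthGPR, MacroAssembler::TimesEight, JSImmutableButterfly::offsetOfData()));
             m_jit.branchTest32(MacroAssembler::NonZero, lengthGPR).linkTo(loopStart, &m_jit);
             done.append(m_jit.jump());
@@ -7953,5 +7959,5 @@
             m_jit.boxDouble(doubleFPR, scratch2GPR);
             doStore.link(&m_jit);
-            m_jit.store64(scratch2GPR, MacroAssembler::BaseIndex(resultGPR, lengthGPR, MacroAssembler::TimesEight, JSFixedArray::offsetOfData()));
+            m_jit.store64(scratch2GPR, MacroAssembler::BaseIndex(resultGPR, lengthGPR, MacroAssembler::TimesEight, JSImmutableButterfly::offsetOfData()));
             m_jit.branchTest32(MacroAssembler::NonZero, lengthGPR).linkTo(loopStart, &m_jit);
             done.append(m_jit.jump());
@@ -8143,4 +8149,5 @@
 {
     ASSERT(node->op() == NewArrayWithSpread);
+    JSGlobalObject* globalObject = m_jit.graph().globalObjectFor(node->origin.semantic);
 
 #if USE(JSVALUE64)
@@ -8150,4 +8157,34 @@
 
         BitVector* bitVector = node->bitVector();
+
+        if (node->numChildren() == 1 && bitVector->get(0)) {
+            Edge use = m_jit.graph().varArgChild(node, 0);
+            SpeculateCellOperand immutableButterfly(this, use);
+            GPRTemporary result(this);
+            GPRTemporary butterfly(this);
+            GPRTemporary scratch1(this);
+            GPRTemporary scratch2(this);
+
+            GPRReg immutableButterflyGPR = immutableButterfly.gpr();
+            GPRReg resultGPR = result.gpr();
+            GPRReg butterflyGPR = butterfly.gpr();
+            GPRReg scratch1GPR = scratch1.gpr();
+            GPRReg scratch2GPR = scratch2.gpr();
+
+            RegisteredStructure structure = m_jit.graph().registerStructure(globalObject->originalArrayStructureForIndexingType(CopyOnWriteArrayWithContiguous));
+
+            MacroAssembler::JumpList slowCases;
+
+            m_jit.move(immutableButterflyGPR, butterflyGPR);
+            m_jit.addPtr(TrustedImm32(JSImmutableButterfly::offsetOfData()), butterflyGPR);
+
+            emitAllocateJSObject<JSArray>(resultGPR, TrustedImmPtr(structure), butterflyGPR, scratch1GPR, scratch2GPR, slowCases);
+
+            addSlowPathGenerator(slowPathCall(slowCases, this, operationNewArrayBuffer, resultGPR, &vm(), structure, immutableButterflyGPR));
+
+            cellResult(resultGPR, node);
+            return;
+        }
+
         {
             unsigned startLength = 0;
@@ -8164,7 +8201,7 @@
                 if (bitVector->get(i)) {
                     Edge use = m_jit.graph().varArgChild(node, i);
-                    SpeculateCellOperand fixedArray(this, use);
-                    GPRReg fixedArrayGPR = fixedArray.gpr();
-                    speculationCheck(Overflow, JSValueRegs(), nullptr, m_jit.branchAdd32(MacroAssembler::Overflow, MacroAssembler::Address(fixedArrayGPR, JSFixedArray::offsetOfSize()), lengthGPR));
+                    SpeculateCellOperand immutableButterfly(this, use);
+                    GPRReg immutableButterflyGPR = immutableButterfly.gpr();
+                    speculationCheck(Overflow, JSValueRegs(), nullptr, m_jit.branchAdd32(MacroAssembler::Overflow, MacroAssembler::Address(immutableButterflyGPR, JSImmutableButterfly::offsetOfPublicLength()), lengthGPR));
                 }
             }
@@ -8177,5 +8214,5 @@
             // non-ArrayStorage shaped array.
             bool shouldAllowForArrayStorageStructureForLargeArrays = false;
-            compileAllocateNewArrayWithSize(m_jit.graph().globalObjectFor(node->origin.semantic), resultGPR, lengthGPR, ArrayWithContiguous, shouldAllowForArrayStorageStructureForLargeArrays);
+            compileAllocateNewArrayWithSize(globalObject, resultGPR, lengthGPR, ArrayWithContiguous, shouldAllowForArrayStorageStructureForLargeArrays);
         }
 
@@ -8192,28 +8229,28 @@
             Edge use = m_jit.graph().varArgChild(node, i);
             if (bitVector->get(i)) {
-                SpeculateCellOperand fixedArray(this, use);
-                GPRReg fixedArrayGPR = fixedArray.gpr();
-
-                GPRTemporary fixedIndex(this);
-                GPRReg fixedIndexGPR = fixedIndex.gpr();
+                SpeculateCellOperand immutableButterfly(this, use);
+                GPRReg immutableButterflyGPR = immutableButterfly.gpr();
+
+                GPRTemporary immutableButterflyIndex(this);
+                GPRReg immutableButterflyIndexGPR = immutableButterflyIndex.gpr();
 
                 GPRTemporary item(this);
                 GPRReg itemGPR = item.gpr();
 
-                GPRTemporary fixedLength(this);
-                GPRReg fixedLengthGPR = fixedLength.gpr();
-
-                m_jit.load32(MacroAssembler::Address(fixedArrayGPR, JSFixedArray::offsetOfSize()), fixedLengthGPR);
-                m_jit.move(TrustedImm32(0), fixedIndexGPR);
-                auto done = m_jit.branchPtr(MacroAssembler::AboveOrEqual, fixedIndexGPR, fixedLengthGPR);
+                GPRTemporary immutableButterflyLength(this);
+                GPRReg immutableButterflyLengthGPR = immutableButterflyLength.gpr();
+
+                m_jit.load32(MacroAssembler::Address(immutableButterflyGPR, JSImmutableButterfly::offsetOfPublicLength()), immutableButterflyLengthGPR);
+                m_jit.move(TrustedImm32(0), immutableButterflyIndexGPR);
+                auto done = m_jit.branchPtr(MacroAssembler::AboveOrEqual, immutableButterflyIndexGPR, immutableButterflyLengthGPR);
                 auto loopStart = m_jit.label();
                 m_jit.load64(
-                    MacroAssembler::BaseIndex(fixedArrayGPR, fixedIndexGPR, MacroAssembler::TimesEight, JSFixedArray::offsetOfData()),
+                    MacroAssembler::BaseIndex(immutableButterflyGPR, immutableButterflyIndexGPR, MacroAssembler::TimesEight, JSImmutableButterfly::offsetOfData()),
                     itemGPR);
 
                 m_jit.store64(itemGPR, MacroAssembler::BaseIndex(storageGPR, indexGPR, MacroAssembler::TimesEight));
-                m_jit.addPtr(TrustedImm32(1), fixedIndexGPR);
+                m_jit.addPtr(TrustedImm32(1), immutableButterflyIndexGPR);
                 m_jit.addPtr(TrustedImm32(1), indexGPR);
-                m_jit.branchPtr(MacroAssembler::Below, fixedIndexGPR, fixedLengthGPR).linkTo(loopStart, &m_jit);
+                m_jit.branchPtr(MacroAssembler::Below, immutableButterflyIndexGPR, immutableButterflyLengthGPR).linkTo(loopStart, &m_jit);
 
                 done.link(&m_jit);
@@ -8240,11 +8277,11 @@
         Edge use = m_jit.graph().m_varArgChildren[node->firstChild() + i];
         if (bitVector->get(i)) {
-            SpeculateCellOperand fixedArray(this, use);
-            GPRReg arrayGPR = fixedArray.gpr();
+            SpeculateCellOperand immutableButterfly(this, use);
+            GPRReg immutableButterflyGPR = immutableButterfly.gpr();
 #if USE(JSVALUE64)
-            m_jit.store64(arrayGPR, &buffer[i]);
+            m_jit.store64(immutableButterflyGPR, &buffer[i]);
 #else
             char* pointer = static_cast<char*>(static_cast<void*>(&buffer[i]));
-            m_jit.store32(arrayGPR, pointer + PayloadOffset);
+            m_jit.store32(immutableButterflyGPR, pointer + PayloadOffset);
             m_jit.store32(TrustedImm32(JSValue::CellTag), pointer + TagOffset);
 #endif
@@ -8267,5 +8304,5 @@
     GPRReg resultGPR = result.gpr();
 
-    callOperation(operationNewArrayWithSpreadSlow, resultGPR, TrustedImmPtr::weakPointer(m_graph, m_graph.globalObjectFor(node->origin.semantic)), buffer, node->numChildren());
+    callOperation(operationNewArrayWithSpreadSlow, resultGPR, TrustedImmPtr::weakPointer(m_graph, globalObject), buffer, node->numChildren());
     m_jit.exceptionCheck();
     {
@@ -12614,5 +12651,5 @@
 
             m_jit.move(scratchGPR, scratch3GPR);
-            m_jit.addPtr(TrustedImmPtr(JSImmutableButterfly::offsetOfData()), scratchGPR);
+            m_jit.addPtr(TrustedImm32(JSImmutableButterfly::offsetOfData()), scratchGPR);
 
             emitAllocateJSObject<JSArray>(resultGPR, TrustedImmPtr(arrayStructure), scratchGPR, structureGPR, scratch2GPR, slowButArrayBufferCases);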
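Review bot: The single-spread fast path added to compileNewArrayWithSpread (new lines 8160–8187) installs the spread operand's storage directly as the butterfly of an array whose structure is the one for `CopyOnWriteArrayWithContiguous`, but nothing in that path checks or asserts that the operand really is a Contiguous-shaped JSImmutableButterfly. In the visible code the invariant holds only because compileSpread shares the input solely when its indexing mode equals `CopyOnWriteArrayWithContiguous` and otherwise copies into a contiguous allocation; any other producers of the Spread result are outside this diff. Since the commit message anticipates accepting non-contiguous butterflies later, an Int32- or Double-shaped operand reaching this path would have its storage read as boxed JSValues, so I would record the dependency at the `if`, e.g. `// Relies on Spread always producing a Contiguous JSImmutableButterfly: the result shares it as CoW storage with no shape check.`, and consider a debug-only check of the operand's indexing type there. The function body starts and ends outside the visible hunks.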