Changeset 254252 in webkit for trunk/Source/JavaScriptCore/dfg/DFGObjectAllocationSinkingPhase.cpp

Timestamp:

Jan 8, 2020, 10:07:29 PM (5 years ago)

Author:

[email protected]

Message:

[JSC] Introduce JSArrayIterator
​https://bugs.webkit.org/show_bug.cgi?id=204043

Reviewed by Yusuke Suzuki.

JSTests:

• stress/array-iterator-materialize-at-osr-exit.js: Added.

(shouldBe):
(test):

• stress/array-iterator-materialize-one-path.js: Added.

(shouldBe):
(test):

• stress/array-iterator-materialize.js: Added.

(shouldBe):
(test):

• stress/array-iterator-sinking.js: Added.

(shouldBe):
(test):

• stress/array-iterators-next-error-messages.js:

(catch):

• stress/array-iterators-next-with-call.js:
• stress/for-of-iteration.js: Added.

(shouldBe):
(test1):
(test2):
(test3):

• stress/typedarray-functions-with-neutered.js:

(checkProtoFunc):

Source/JavaScriptCore:

This patch introduces JSArrayIterator that changes the iterator object
from a JSFinalObject to an InternalFieldsObject. This makes accessing it
much easier from C++ code and makes the iterator object smaller. It also
means that the JS code for the next function is much simpler and can *almost*
be inlined without shenanigans.

As part of this patch the keys/values/entries functions have been converted to
C++ with intrinsics since that's slightly more efficient in the LLInt/Baseline.

Lastly, this patch also add a custom ISOSubspace for JSArrayIterator objects.

• JavaScriptCore.xcodeproj/project.pbxproj:
• Sources.txt:
• builtins/ArrayIteratorPrototype.js:

(next):
(globalPrivate.arrayIteratorNextHelper):
(globalPrivate.arrayIteratorValueNext): Deleted.
(globalPrivate.arrayIteratorKeyNext): Deleted.
(globalPrivate.arrayIteratorKeyValueNext): Deleted.

• builtins/ArrayPrototype.js:

(globalPrivate.ArrayIterator): Deleted.
(values): Deleted.
(keys): Deleted.
(entries): Deleted.

• builtins/TypedArrayPrototype.js:

(values): Deleted.
(keys): Deleted.
(entries): Deleted.

• bytecode/BytecodeIntrinsicRegistry.cpp:

(JSC::BytecodeIntrinsicRegistry::BytecodeIntrinsicRegistry):

• bytecode/BytecodeIntrinsicRegistry.h:
• bytecompiler/BytecodeGenerator.h:

(JSC::BytecodeGenerator::emitIsArrayIterator):

• bytecompiler/NodesCodegen.cpp:

(JSC::arrayIteratorInternalFieldIndex):
(JSC::BytecodeIntrinsicNode::emit_intrinsic_getArrayIteratorInternalField):
(JSC::BytecodeIntrinsicNode::emit_intrinsic_putArrayIteratorInternalField):
(JSC::BytecodeIntrinsicNode::emit_intrinsic_isGenerator): Deleted.
(JSC::BytecodeIntrinsicNode::emit_intrinsic_isAsyncGenerator): Deleted.
(JSC::BytecodeIntrinsicNode::emit_intrinsic_isJSArray): Deleted.
(JSC::BytecodeIntrinsicNode::emit_intrinsic_isPromise): Deleted.
(JSC::BytecodeIntrinsicNode::emit_intrinsic_isProxyObject): Deleted.
(JSC::BytecodeIntrinsicNode::emit_intrinsic_isRegExpObject): Deleted.
(JSC::BytecodeIntrinsicNode::emit_intrinsic_isObject): Deleted.
(JSC::BytecodeIntrinsicNode::emit_intrinsic_isDerivedArray): Deleted.
(JSC::BytecodeIntrinsicNode::emit_intrinsic_isMap): Deleted.
(JSC::BytecodeIntrinsicNode::emit_intrinsic_isSet): Deleted.
(JSC::BytecodeIntrinsicNode::emit_intrinsic_isUndefinedOrNull): Deleted.

• dfg/DFGAbstractInterpreterInlines.h:

(JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):

• dfg/DFGByteCodeParser.cpp:

(JSC::DFG::ByteCodeParser::handleIntrinsicCall):

• dfg/DFGClobberize.h:

(JSC::DFG::clobberize):

• dfg/DFGClobbersExitState.cpp:

(JSC::DFG::clobbersExitState):

• dfg/DFGConstantFoldingPhase.cpp:

(JSC::DFG::ConstantFoldingPhase::foldConstants):

• dfg/DFGDoesGC.cpp:

(JSC::DFG::doesGC):

• dfg/DFGFixupPhase.cpp:

(JSC::DFG::FixupPhase::fixupNode):

• dfg/DFGGraph.cpp:

(JSC::DFG::Graph::dump):

• dfg/DFGHeapLocation.cpp:

(WTF::printInternal):

• dfg/DFGHeapLocation.h:
• dfg/DFGMayExit.cpp:
• dfg/DFGNode.h:

(JSC::DFG::Node::convertToPhantomNewObject):
(JSC::DFG::Node::convertToPhantomNewArrayIterator):
(JSC::DFG::Node::convertToPhantomCreateActivation):
(JSC::DFG::Node::hasStructure):
(JSC::DFG::Node::hasObjectMaterializationData):
(JSC::DFG::Node::isPhantomAllocation):

• dfg/DFGNodeType.h:
• dfg/DFGObjectAllocationSinkingPhase.cpp:
• dfg/DFGOperations.cpp:
• dfg/DFGOperations.h:
• dfg/DFGPredictionPropagationPhase.cpp:
• dfg/DFGPromotedHeapLocation.cpp:

(WTF::printInternal):

• dfg/DFGPromotedHeapLocation.h:

(JSC::DFG::PromotedLocationDescriptor::neededForMaterialization const):

• dfg/DFGSafeToExecute.h:

(JSC::DFG::safeToExecute):

• dfg/DFGSpeculativeJIT.cpp:

(JSC::DFG::SpeculativeJIT::compileCheckNeutered):
(JSC::DFG::SpeculativeJIT::compileToObjectOrCallObjectConstructor):
(JSC::DFG::SpeculativeJIT::compileNewInternalFieldObject):
(JSC::DFG::SpeculativeJIT::compileNewArrayIterator):

• dfg/DFGSpeculativeJIT.h:
• dfg/DFGSpeculativeJIT32_64.cpp:

(JSC::DFG::SpeculativeJIT::compile):

• dfg/DFGSpeculativeJIT64.cpp:

(JSC::DFG::SpeculativeJIT::compile):

• dfg/DFGStoreBarrierInsertionPhase.cpp:
• dfg/DFGTypeCheckHoistingPhase.cpp:

(JSC::DFG::TypeCheckHoistingPhase::identifyRedundantStructureChecks):
(JSC::DFG::TypeCheckHoistingPhase::identifyRedundantArrayChecks):

• dfg/DFGValidate.cpp:
• ftl/FTLCapabilities.cpp:

(JSC::FTL::canCompile):

• ftl/FTLLowerDFGToB3.cpp:

(JSC::FTL::DFG::LowerDFGToB3::compileNode):
(JSC::FTL::DFG::LowerDFGToB3::compileToObjectOrCallObjectConstructor):
(JSC::FTL::DFG::LowerDFGToB3::compileCheckArray):
(JSC::FTL::DFG::LowerDFGToB3::compileCheckNeutered):
(JSC::FTL::DFG::LowerDFGToB3::compileNewInternalFieldObject):
(JSC::FTL::DFG::LowerDFGToB3::compileNewArrayIterator):
(JSC::FTL::DFG::LowerDFGToB3::compileCreateInternalFieldObject):
(JSC::FTL::DFG::LowerDFGToB3::compileMaterializeNewInternalFieldObjectImpl):
(JSC::FTL::DFG::LowerDFGToB3::compileMaterializeNewInternalFieldObject):

• ftl/FTLOperations.cpp:

(JSC::FTL::operationPopulateObjectInOSR):
(JSC::FTL::operationMaterializeObjectInOSR):

• inspector/JSInjectedScriptHost.cpp:

(Inspector::JSInjectedScriptHost::subtype):
(Inspector::JSInjectedScriptHost::getInternalProperties):
(Inspector::cloneArrayIteratorObject):
(Inspector::JSInjectedScriptHost::iteratorEntries):

• runtime/ArrayPrototype.cpp:

(JSC::ArrayPrototype::finishCreation):
(JSC::createArrayIteratorObject):
(JSC::arrayProtoFuncValues):
(JSC::arrayProtoFuncEntries):
(JSC::arrayProtoFuncKeys):

• runtime/CommonIdentifiers.h:
• runtime/Intrinsic.cpp:

(JSC::intrinsicName):

• runtime/Intrinsic.h:
• runtime/IterationKind.h:

(): Deleted.

• runtime/JSArrayIterator.cpp: Added.

(JSC::JSArrayIterator::create):
(JSC::JSArrayIterator::createWithInitialValues):
(JSC::JSArrayIterator::createStructure):
(JSC::JSArrayIterator::JSArrayIterator):
(JSC::JSArrayIterator::finishCreation):
(JSC::JSArrayIterator::visitChildren):

• runtime/JSArrayIterator.h: Added.
• runtime/JSGlobalObject.cpp:

(JSC::JSGlobalObject::init):
(JSC::JSGlobalObject::visitChildren):

• runtime/JSGlobalObject.h:

(JSC::JSGlobalObject::arrayIteratorPrototype const):
(JSC::JSGlobalObject::arrayIteratorStructure const):

• runtime/JSMapIterator.h:
• runtime/JSSetIterator.h:
• runtime/JSType.cpp:

(WTF::printInternal):

• runtime/JSType.h:
• runtime/JSTypedArrayViewPrototype.cpp:

(JSC::createTypedArrayIteratorObject):
(JSC::typedArrayViewProtoFuncValues):
(JSC::typedArrayProtoViewFuncEntries):
(JSC::typedArrayViewProtoFuncKeys):
(JSC::JSTypedArrayViewPrototype::finishCreation):

• runtime/VM.cpp:
• runtime/VM.h:

Source/WebCore:

JSDOMIterator should just use the JSC IterationKind enum. Also,
update other files for the enum member name changes.

• bindings/js/JSDOMIterator.h:

(WebCore::IteratorTraits>::asJS):

• bindings/js/SerializedScriptValue.cpp:

(WebCore::CloneSerializer::serialize):

• bindings/scripts/CodeGeneratorJS.pm:

(GenerateIterableDefinition):

• bindings/scripts/test/JS/JSTestInterface.cpp:

(WebCore::jsTestInterfacePrototypeFunctionEntriesCaller):
(WebCore::jsTestInterfacePrototypeFunctionKeysCaller):
(WebCore::jsTestInterfacePrototypeFunctionValuesCaller):

• bindings/scripts/test/JS/JSTestIterable.cpp:

(WebCore::jsTestIterablePrototypeFunctionEntriesCaller):
(WebCore::jsTestIterablePrototypeFunctionKeysCaller):
(WebCore::jsTestIterablePrototypeFunctionValuesCaller):

• bindings/scripts/test/JS/JSTestNode.cpp:

(WebCore::jsTestNodePrototypeFunctionEntriesCaller):
(WebCore::jsTestNodePrototypeFunctionKeysCaller):
(WebCore::jsTestNodePrototypeFunctionValuesCaller):

LayoutTests:

Change the labels of iteration kinds to match what JS refers to them as.

• inspector/model/remote-object/iterator-expected.txt:
• inspector/model/remote-object/iterator-large-expected.txt:
• inspector/model/remote-object/iterators-mutated-expected.txt:

File:

• trunk/Source/JavaScriptCore/dfg/DFGObjectAllocationSinkingPhase.cpp (modified) (11 diffs)

trunk/Source/JavaScriptCore/dfg/DFGObjectAllocationSinkingPhase.cpp

@@ -41 +41 @@
 #include "DFGSSACalculator.h"
 #include "DFGValidate.h"
+#include "JSArrayIterator.h"
 #include "JSCInlines.h"
 #include <wtf/StdList.h>
@@ -141 +142 @@
     // replace any use of those pointers by the corresponding
     // materialization
-    enum class Kind { Escaped, Object, Activation, Function, GeneratorFunction, AsyncFunction, AsyncGeneratorFunction, RegExpObject };
+    enum class Kind { Escaped, Object, Activation, Function, GeneratorFunction, AsyncFunction, AsyncGeneratorFunction, InternalFieldObject, RegExpObject };
 
     using Fields = HashMap<PromotedLocationDescriptor, Node*>;
@@ -246 +247 @@
     }
 
+    bool isInternalFieldObjectAllocation() const
+    {
+        return m_kind == Kind::InternalFieldObject;
+    }
+
     bool isRegExpObjectAllocation() const
     {
@@ -290 +296 @@
         case Kind::AsyncFunction:
             out.print("AsyncFunction");
+            break;
+
+        case Kind::InternalFieldObject:
+            out.print("InternalFieldObject");
             break;
 
@@ -816 +826 @@
     }
 
+    template<typename InternalFieldClass>
+    Allocation* handleInternalFieldClass(Node* node, HashMap<PromotedLocationDescriptor, LazyNode>& writes)
+    {
+        Allocation* result = &m_heap.newAllocation(node, Allocation::Kind::InternalFieldObject);
+        writes.add(StructurePLoc, LazyNode(m_graph.freeze(node->structure().get())));
+        auto initialValues = InternalFieldClass::initialValues();
+        static_assert(initialValues.size() == InternalFieldClass::numberOfInternalFields);        
+        for (unsigned index = 0; index < initialValues.size(); ++index)
+            writes.add(PromotedLocationDescriptor(InternalFieldObjectPLoc, index), LazyNode(m_graph.freeze(initialValues[index])));
+
+        return result;
+    }
+
     template<typename WriteFunctor, typename ResolveFunctor>
     void handleNode(
@@ -857 +880 @@
             writes.add(FunctionExecutablePLoc, LazyNode(node->cellOperand()));
             writes.add(FunctionActivationPLoc, LazyNode(node->child1().node()));
+            break;
+        }
+
+        case NewArrayIterator: {
+            target = handleInternalFieldClass<JSArrayIterator>(node, writes);
             break;
         }
@@ -1069 +1097 @@
             }
             break;
+
+        case GetInternalField: {
+            target = m_heap.onlyLocalAllocation(node->child1().node());
+            if (target && target->isInternalFieldObjectAllocation())
+                exactRead = PromotedLocationDescriptor(InternalFieldObjectPLoc, node->internalFieldIndex());
+            else
+                m_heap.escape(node->child1().node());
+            break;
+        }
+
+        case PutInternalField: {
+            target = m_heap.onlyLocalAllocation(node->child1().node());
+            if (target && target->isInternalFieldObjectAllocation())
+                writes.add(PromotedLocationDescriptor(InternalFieldObjectPLoc, node->internalFieldIndex()), LazyNode(node->child2().node()));
+            else {
+                m_heap.escape(node->child1().node());
+                m_heap.escape(node->child2().node());
+            }
+            break;
+        }
 
         case Check:
@@ -1562 +1610 @@
         }
 
+        case Allocation::Kind::InternalFieldObject: {
+            ObjectMaterializationData* data = m_graph.m_objectMaterializationData.add();
+            return m_graph.addNode(
+                allocation.identifier()->prediction(), Node::VarArg, MaterializeNewInternalFieldObject,
+                where->origin.withSemantic(
+                    allocation.identifier()->origin.semantic),
+                OpInfo(allocation.identifier()->structure()), OpInfo(data), 0, 0);
+        }
+
         case Allocation::Kind::Activation: {
             ObjectMaterializationData* data = m_graph.m_objectMaterializationData.add();
@@ -1947 +2004 @@
                     case NewAsyncFunction:
                         node->convertToPhantomNewAsyncFunction();
+                        break;
+
+                    case NewArrayIterator:
+                        node->convertToPhantomNewArrayIterator();
                         break;
 
@@ -2225 +2286 @@
         }
 
+        case MaterializeNewInternalFieldObject: {
+            ObjectMaterializationData& data = node->objectMaterializationData();
+
+            unsigned firstChild = m_graph.m_varArgChildren.size();
+
+            Vector<PromotedHeapLocation> locations = m_locationsForAllocation.get(escapee);
+
+            PromotedHeapLocation structure(StructurePLoc, allocation.identifier());
+            ASSERT(locations.contains(structure));
+            m_graph.m_varArgChildren.append(Edge(resolve(block, structure), KnownCellUse));
+
+            for (PromotedHeapLocation location : locations) {
+                switch (location.kind()) {
+                case StructurePLoc: {
+                    ASSERT(location == structure);
+                    break;
+                }
+
+                case InternalFieldObjectPLoc: {
+                    ASSERT(location.base() == allocation.identifier());
+                    data.m_properties.append(location.descriptor());
+                    Node* value = resolve(block, location);
+                    if (m_sinkCandidates.contains(value))
+                        m_graph.m_varArgChildren.append(m_bottom);
+                    else
+                        m_graph.m_varArgChildren.append(value);
+                    break;
+                }
+
+                default:
+                    DFG_CRASH(m_graph, node, "Bad location kind");
+                }
+            }
+
+            node->children = AdjacencyList(
+                AdjacencyList::Variable,
+                firstChild, m_graph.m_varArgChildren.size() - firstChild);
+            break;
+        }
+
         case NewRegexp: {
             Vector<PromotedHeapLocation> locations = m_locationsForAllocation.get(escapee);
@@ -2356 +2457 @@
         }
 
+        case InternalFieldObjectPLoc: {
+            return m_graph.addNode(
+                PutInternalField,
+                origin.takeValidExit(canExit),
+                OpInfo(location.info()),
+                Edge(base, KnownCellUse),
+                value->defaultEdge());
+        }
+
         case RegExpObjectLastIndexPLoc: {
             return m_graph.addNode(