Context Navigation

← Previous Change
Next Change →

bytecompiler

Timestamp:

May 27, 2020, 7:43:25 PM (5 years ago)

Author:

Message:

hasOwnProperty inside structure property for-in loop should use an opcode like has_structure_property but for hasOwnProperty
https://bugs.webkit.org/show_bug.cgi?id=212248

Reviewed by Keith Miller.

JSTests:

microbenchmarks/has-own-property-for-in-loop.js: Added.
stress/has-own-property-structure-for-in-loop-correctness.js: Added.

Source/JavaScriptCore:

This patch applies the same principles from r262083 but to hasOwnProperty.

In this patch, we have a fast path for this syntactic pattern when
iterating structure properties:

for (let <p> in <o>)

if (<o>.hasOwnProperty(<p>))

We look for both <p> and <o> as resolve nodes, and we look for them being the
same values both in the header and inside the body.

Using a simple static analysis, when we detect this pattern, we compare the
result of <o>.hasOwnProperty to the original hasOwnProperty function. If
it's the same, we execute the fast path new bytecode has_own_structure_property,
which on the fast path is two loads, a compare and branch, and a materialization of
the boolean constant true.

On the slow path, has_own_structure_property just executes the runtime code
for hasOwnProperty.

In my testing, this seems like it might be 3-5% faster on Speedometer 2's
react subtests. I was getting some noise when running the tests locally,
so I can't say for certain it's a definite speedup. But the data implies
it has a good chance at being a speedup.

builtins/BuiltinNames.h:
bytecode/BytecodeList.rb:
bytecode/BytecodeUseDef.cpp:

(JSC::computeUsesForBytecodeIndexImpl):
(JSC::computeDefsForBytecodeIndexImpl):

bytecode/LinkTimeConstant.h:
bytecompiler/BytecodeGenerator.cpp:

(JSC::BytecodeGenerator::emitWideJumpIfNotFunctionHasOwnProperty):
(JSC::BytecodeGenerator::recordHasOwnStructurePropertyInForInLoop):
(JSC::BytecodeGenerator::emitHasOwnStructureProperty):
(JSC::BytecodeGenerator::pushStructureForInScope):
(JSC::StructureForInContext::finalize):
(JSC::BytecodeGenerator::findStructureForInContext):

bytecompiler/BytecodeGenerator.h:

(JSC::StructureForInContext::StructureForInContext):
(JSC::StructureForInContext::base const):
(JSC::StructureForInContext::addHasOwnPropertyJump):

bytecompiler/Label.h:

(JSC::GenericBoundLabel::GenericBoundLabel):

bytecompiler/NodesCodegen.cpp:

(JSC::HasOwnPropertyFunctionCallDotNode::emitBytecode):
(JSC::ForInNode::emitBytecode):

dfg/DFGAbstractInterpreterInlines.h:

(JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):

dfg/DFGByteCodeParser.cpp:

(JSC::DFG::ByteCodeParser::parseBlock):

dfg/DFGCapabilities.cpp:

(JSC::DFG::capabilityLevel):

dfg/DFGClobberize.h:

(JSC::DFG::clobberize):

dfg/DFGDoesGC.cpp:

(JSC::DFG::doesGC):

dfg/DFGFixupPhase.cpp:

(JSC::DFG::FixupPhase::fixupNode):

dfg/DFGNodeType.h:
dfg/DFGOperations.cpp:
dfg/DFGOperations.h:
dfg/DFGPredictionPropagationPhase.cpp:
dfg/DFGSafeToExecute.h:

(JSC::DFG::safeToExecute):

dfg/DFGSpeculativeJIT.cpp:

(JSC::DFG::SpeculativeJIT::compileHasStructureProperty):
(JSC::DFG::SpeculativeJIT::compileHasOwnStructurePropertyImpl):
(JSC::DFG::SpeculativeJIT::compileHasOwnStructureProperty):
(JSC::DFG::SpeculativeJIT::compileInStructureProperty):

dfg/DFGSpeculativeJIT.h:
dfg/DFGSpeculativeJIT32_64.cpp:

(JSC::DFG::SpeculativeJIT::compile):

dfg/DFGSpeculativeJIT64.cpp:

(JSC::DFG::SpeculativeJIT::compile):

ftl/FTLCapabilities.cpp:

(JSC::FTL::canCompile):

ftl/FTLLowerDFGToB3.cpp:

(JSC::FTL::DFG::LowerDFGToB3::compileNode):
(JSC::FTL::DFG::LowerDFGToB3::compileHasOwnStructureProperty):

jit/JIT.cpp:

(JSC::JIT::privateCompileMainPass):
(JSC::JIT::privateCompileSlowCases):

jit/JIT.h:
jit/JITOpcodes.cpp:

(JSC::JIT::emit_op_has_structure_propertyImpl):
(JSC::JIT::emit_op_has_structure_property):
(JSC::JIT::emit_op_has_own_structure_property):
(JSC::JIT::emit_op_in_structure_property):

jit/JITOpcodes32_64.cpp:

(JSC::JIT::emit_op_has_structure_propertyImpl):
(JSC::JIT::emit_op_has_structure_property):
(JSC::JIT::emit_op_has_own_structure_property):
(JSC::JIT::emit_op_in_structure_property):

llint/LowLevelInterpreter.asm:
llint/LowLevelInterpreter64.asm:
parser/ASTBuilder.h:

(JSC::ASTBuilder::makeFunctionCallNode):

parser/NodeConstructors.h:

(JSC::HasOwnPropertyFunctionCallDotNode::HasOwnPropertyFunctionCallDotNode):

parser/Nodes.h:
runtime/CommonSlowPaths.cpp:

(JSC::SLOW_PATH_DECL):

runtime/CommonSlowPaths.h:
runtime/JSGlobalObject.cpp:

(JSC::JSGlobalObject::init):

runtime/ObjectPrototype.cpp:

(JSC::objectPrototypeHasOwnProperty):
(JSC::objectProtoFuncHasOwnProperty):

runtime/ObjectPrototype.h:

Location:

trunk/Source/JavaScriptCore/bytecompiler

Files:

: 4 edited

BytecodeGenerator.cpp (modified) (8 diffs)
BytecodeGenerator.h (modified) (10 diffs)
Label.h (modified) (1 diff)
NodesCodegen.cpp (modified) (3 diffs)

Legend:

: Unmodified
: Added
: Removed

trunk/Source/JavaScriptCore/bytecompiler/BytecodeGenerator.cpp

-              r262165
+              r262233
         m_codeBlock->addJumpTarget(instructions().size());
         // This disables peephole optimizations when an instruction is a jump target
         m_lastOpcodeID = op_end;
+        disablePeepholeOptimization();
+    }
+}
 …
+{
     ASSERT(m_lastInstruction.isValid());
     m_lastOpcodeID = op_end;
+    disablePeepholeOptimization();
     m_writer.rewind(m_lastInstruction);
+}
 …
+{
     OpJneqPtr::emit(this, cond, moveLinkTimeConstant(nullptr, LinkTimeConstant::applyFunction), target.bind(this));
+}
+unsigned BytecodeGenerator::emitWideJumpIfNotFunctionHasOwnProperty(RegisterID* cond, Label& target)
+{
+    OpJneqPtr::emit<OpcodeSize::Wide32>(this, cond, moveLinkTimeConstant(nullptr, LinkTimeConstant::hasOwnPropertyFunction), target.bind(this));
+    return m_lastInstruction.offset();
+}
+void BytecodeGenerator::recordHasOwnStructurePropertyInForInLoop(StructureForInContext& structureContext, unsigned branchOffset, Label& genericPath)
+{
+    RELEASE_ASSERT(genericPath.isBound());
+    RELEASE_ASSERT(!genericPath.isForward());
+    structureContext.addHasOwnPropertyJump(branchOffset, genericPath.location());
+}
 …
+}
+RegisterID* BytecodeGenerator::emitHasOwnStructureProperty(RegisterID* dst, RegisterID* base, RegisterID* propertyName, RegisterID* enumerator)
+{
+    OpHasOwnStructureProperty::emit(this, dst, base, propertyName, enumerator);
+    return dst;
+}
 RegisterID* BytecodeGenerator::emitGetPropertyEnumerator(RegisterID* dst, RegisterID* base)
+{
 …
+}
 void BytecodeGenerator::pushStructureForInScope(RegisterID* localRegister, RegisterID* indexRegister, RegisterID* propertyRegister, RegisterID* enumeratorRegister)
+void BytecodeGenerator::pushStructureForInScope(RegisterID* localRegister, RegisterID* indexRegister, RegisterID* propertyRegister, RegisterID* enumeratorRegister, RegisterID* baseRegister)
+{
     if (!localRegister)
         return;
     unsigned bodyBytecodeStartOffset = instructions().size();
     m_forInContextStack.append(adoptRef(*new StructureForInContext(localRegister, indexRegister, propertyRegister, enumeratorRegister, bodyBytecodeStartOffset)));
+    m_forInContextStack.append(adoptRef(*new StructureForInContext(localRegister, indexRegister, propertyRegister, enumeratorRegister, baseRegister, bodyBytecodeStartOffset)));
+}
 …
     auto bytecode = instruction->as<OldOpType>();
+    // disable peephole optimizations
+    generator.m_lastOpcodeID = op_end;
+    generator.disablePeepholeOptimization();
     // Change the opcode to get_by_val.
 …
     for (const auto& instTuple : m_inInsts)
         rewriteOp<OpInStructureProperty>(generator, instTuple);
+    for (const auto& hasOwnPropertyTuple : m_hasOwnPropertyJumpInsts) {
+        static_assert(sizeof(OpJmp) <= sizeof(OpJneqPtr));
+        unsigned branchInstIndex = std::get<0>(hasOwnPropertyTuple);
+        unsigned newBranchTarget = std::get<1>(hasOwnPropertyTuple);
+        auto instruction = generator.m_writer.ref(branchInstIndex);
+        RELEASE_ASSERT(instruction->is<OpJneqPtr>());
+        RELEASE_ASSERT(instruction->isWide32());
+        auto end = branchInstIndex + instruction->size();
+        generator.m_writer.seek(branchInstIndex);
+        generator.disablePeepholeOptimization();
+        OpJmp::emit(&generator, BoundLabel(static_cast<int>(newBranchTarget) - static_cast<int>(branchInstIndex)));
+        while (generator.m_writer.position() < end)
+            OpNop::emit<OpcodeSize::Narrow>(&generator);
+    }
     generator.m_writer.seek(generator.m_writer.size());
 …
+}
+StructureForInContext* BytecodeGenerator::findStructureForInContext(RegisterID* property)
+{
+    for (size_t i = m_forInContextStack.size(); i--; ) {
+        ForInContext& context = m_forInContextStack[i].get();
+        if (context.local() != property)
+            continue;
+        if (!context.isStructureForInContext())
+            break;
+        return &context.asStructureForInContext();
+    }
+    return nullptr;
+}
 } // namespace JSC

trunk/Source/JavaScriptCore/bytecompiler/BytecodeGenerator.h

-              r262083
+              r262233
         using GetInst = std::tuple<unsigned, int>;
         using InInst = GetInst;
+        StructureForInContext(RegisterID* localRegister, RegisterID* indexRegister, RegisterID* propertyRegister, RegisterID* enumeratorRegister, unsigned bodyBytecodeStartOffset)
+        using HasOwnPropertyJumpInst = std::tuple<unsigned, unsigned>;
+        StructureForInContext(RegisterID* localRegister, RegisterID* indexRegister, RegisterID* propertyRegister, RegisterID* enumeratorRegister, RegisterID* base, unsigned bodyBytecodeStartOffset)
             : ForInContext(localRegister, Type::StructureForIn, bodyBytecodeStartOffset)
             , m_indexRegister(indexRegister)
             , m_propertyRegister(propertyRegister)
             , m_enumeratorRegister(enumeratorRegister)
+            , m_base(base)
+        {
+        }
 …
         RegisterID* property() const { return m_propertyRegister.get(); }
         RegisterID* enumerator() const { return m_enumeratorRegister.get(); }
+        RegisterID* base() const { return m_base.get(); }
         void addGetInst(unsigned instIndex, int propertyRegIndex)
 …
+        {
             m_inInsts.append(InInst { instIndex, propertyRegIndex });
+        }
+        void addHasOwnPropertyJump(unsigned branchInstIndex, unsigned genericPathTarget)
+        {
+            m_hasOwnPropertyJumpInsts.append(HasOwnPropertyJumpInst { branchInstIndex, genericPathTarget });
+        }
 …
         RefPtr<RegisterID> m_propertyRegister;
         RefPtr<RegisterID> m_enumeratorRegister;
+        RefPtr<RegisterID> m_base;
         Vector<GetInst> m_getInsts;
         Vector<InInst> m_inInsts;
+        Vector<HasOwnPropertyJumpInst> m_hasOwnPropertyJumpInsts;
     };
 …
         void hoistSloppyModeFunctionIfNecessary(const Identifier& functionName);
+        StructureForInContext* findStructureForInContext(RegisterID* property);
     private:
 …
         void emitJumpIfNotFunctionCall(RegisterID* cond, Label& target);
         void emitJumpIfNotFunctionApply(RegisterID* cond, Label& target);
+        unsigned emitWideJumpIfNotFunctionHasOwnProperty(RegisterID* cond, Label& target);
+        void recordHasOwnStructurePropertyInForInLoop(StructureForInContext&, unsigned branchOffset, Label& genericPath);
         template<typename BinOp, typename JmpOp>
 …
         RegisterID* emitHasIndexedProperty(RegisterID* dst, RegisterID* base, RegisterID* propertyName);
         RegisterID* emitHasStructureProperty(RegisterID* dst, RegisterID* base, RegisterID* propertyName, RegisterID* enumerator);
+        RegisterID* emitHasOwnStructureProperty(RegisterID* dst, RegisterID* base, RegisterID* propertyName, RegisterID* enumerator);
         RegisterID* emitHasGenericProperty(RegisterID* dst, RegisterID* base, RegisterID* propertyName);
         RegisterID* emitGetPropertyEnumerator(RegisterID* dst, RegisterID* base);
 …
         void pushIndexedForInScope(RegisterID* local, RegisterID* index);
         void popIndexedForInScope(RegisterID* local);
         void pushStructureForInScope(RegisterID* local, RegisterID* index, RegisterID* property, RegisterID* enumerator);
+        void pushStructureForInScope(RegisterID* local, RegisterID* index, RegisterID* property, RegisterID* enumerator, RegisterID* base);
         void popStructureForInScope(RegisterID* local);
 …
         RegisterID* emitMove(RegisterID* dst, RegisterID* src);
+    public:
+        void disablePeepholeOptimization() { m_lastOpcodeID = op_end; }
+    private:
         bool canDoPeepholeOptimization() const { return m_lastOpcodeID != op_end; }
 …
             auto prevLastInstruction = m_lastInstruction;
             m_writer.swap(writer);
             m_lastOpcodeID = op_end;
+            disablePeepholeOptimization();
             m_lastInstruction = m_writer.ref();
             fn();

trunk/Source/JavaScriptCore/bytecompiler/Label.h

-              r252800
+              r262233
         { }
         explicit GenericBoundLabel(int target)
+        explicit GenericBoundLabel(int offset)
             : m_type(Offset)
             , m_generator(nullptr)
             , m_target(target)
+            , m_target(offset)
         { }

trunk/Source/JavaScriptCore/bytecompiler/NodesCodegen.cpp

-              r261895
+              r262233
         generator.emitLabel(end.get());
+    }
+    generator.emitProfileType(returnValue.get(), divotStart(), divotEnd());
+    return returnValue.get();
+}
+RegisterID* HasOwnPropertyFunctionCallDotNode::emitBytecode(BytecodeGenerator& generator, RegisterID* dst)
+{
+    RefPtr<RegisterID> returnValue = generator.finalDestination(dst);
+    RefPtr<RegisterID> base = generator.emitNode(m_base);
+    if (m_base->isOptionalChainBase())
+        generator.emitOptionalCheck(base.get());
+    generator.emitExpressionInfo(subexpressionDivot(), subexpressionStart(), subexpressionEnd());
+    RefPtr<RegisterID> function = generator.emitGetById(generator.newTemporary(), base.get(), generator.propertyNames().hasOwnProperty);
+    if (isOptionalChainBase())
+        generator.emitOptionalCheck(function.get());
+    RELEASE_ASSERT(m_args->m_listNode && m_args->m_listNode->m_expr && !m_args->m_listNode->m_next);
+    ExpressionNode* argument = m_args->m_listNode->m_expr;
+    RELEASE_ASSERT(argument->isResolveNode());
+    StructureForInContext* structureContext = nullptr;
+    Variable argumentVariable = generator.variable(static_cast<ResolveNode*>(argument)->identifier());
+    if (argumentVariable.isLocal()) {
+        RegisterID* property = argumentVariable.local();
+        structureContext = generator.findStructureForInContext(property);
+    }
+    if (structureContext && structureContext->base() == base.get()) {
+        Ref<Label> realCall = generator.newLabel();
+        Ref<Label> end = generator.newLabel();
+        unsigned branchInsnOffset = generator.emitWideJumpIfNotFunctionHasOwnProperty(function.get(), realCall.get());
+        generator.emitHasOwnStructureProperty(returnValue.get(), base.get(), generator.emitNode(argument), structureContext->enumerator());
+        generator.emitJump(end.get());
+        generator.emitLabel(realCall.get());
+        {
+            CallArguments callArguments(generator, m_args);
+            generator.move(callArguments.thisRegister(), base.get());
+            generator.emitCallInTailPosition(returnValue.get(), function.get(), NoExpectedFunction, callArguments, divot(), divotStart(), divotEnd(), DebuggableCall::Yes);
+        }
+        generator.emitLabel(end.get());
+        generator.recordHasOwnStructurePropertyInForInLoop(*structureContext, branchInsnOffset, realCall);
+    } else {
+        CallArguments callArguments(generator, m_args);
+        generator.move(callArguments.thisRegister(), base.get());
+        generator.emitCallInTailPosition(returnValue.get(), function.get(), NoExpectedFunction, callArguments, divot(), divotStart(), divotEnd(), DebuggableCall::Yes);
+    }
     generator.emitProfileType(returnValue.get(), divotStart(), divotEnd());
     return returnValue.get();
 …
         generator.emitNode(generator.ignoredResult(), m_lexpr);
-    RefPtr<RegisterID> base = generator.newTemporary();
     RefPtr<RegisterID> length;
     RefPtr<RegisterID> enumerator;
     generator.emitNode(base.get(), m_expr);
+    RefPtr<RegisterID> base = generator.emitNode(m_expr);
     RefPtr<RegisterID> local = this->tryGetBoundLocal(generator);
     RefPtr<RegisterID> enumeratorIndex;
 …
         generator.emitProfileControlFlow(profilerStartOffset);
         generator.pushStructureForInScope(local.get(), enumeratorIndex.get(), propertyName.get(), enumerator.get());
+        generator.pushStructureForInScope(local.get(), enumeratorIndex.get(), propertyName.get(), enumerator.get(), base.get());
         generator.emitNode(dst, m_statement);
         generator.popStructureForInScope(local.get());

Note: See TracChangeset for help on using the changeset viewer.