Don't prevent CreateThis being folded to NewObject when the structure is poly proto
author sbarati@apple.com <sbarati@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Fri, 4 May 2018 04:33:53 +0000 (04:33 +0000)
committer sbarati@apple.com <sbarati@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Fri, 4 May 2018 04:33:53 +0000 (04:33 +0000)
commit aa11e3b58fb1197add4eb076c682141d56c6869c
tree e6014447d25ffe15062f5e0a6d6b3c740692624e
parent ab8f4ac6f441052e1717736ab4722775173edb66
Don't prevent CreateThis being folded to NewObject when the structure is poly proto
https://bugs.webkit.org/show_bug.cgi?id=185177

Reviewed by Filip Pizlo.

JSTests:

* microbenchmarks/construct-poly-proto-object.js: Added.
(foo.A):
(foo):
* stress/allocation-sinking-new-object-with-poly-proto.js: Added.
(foo.A):
(foo):
(makePolyProto):
(bar):
(baz):

Source/JavaScriptCore:

This patch teaches the DFG/FTL how to constant fold CreateThis with
a known poly proto Structure to NewObject. We do it by emitting a NewObject
followed by a PutByOffset for the prototype value.

We make it so that ObjectAllocationProfile holds the prototype value.
This is sound because JSFunction clears that profile when its 'prototype'
field changes.

This patch also renames underscoreProtoPrivateName to polyProtoName since
that name was nonsensical: it was only used for poly proto.

This is a 2x speedup on the get_callee_polymorphic microbenchmark. I had
regressed that benchmark when I first introduced poly proto.

* builtins/BuiltinNames.cpp:
* builtins/BuiltinNames.h:
(JSC::BuiltinNames::BuiltinNames):
(JSC::BuiltinNames::polyProtoName const):
(JSC::BuiltinNames::underscoreProtoPrivateName const): Deleted.
* bytecode/ObjectAllocationProfile.h:
(JSC::ObjectAllocationProfile::prototype):
(JSC::ObjectAllocationProfile::clear):
(JSC::ObjectAllocationProfile::visitAggregate):
* bytecode/ObjectAllocationProfileInlines.h:
(JSC::ObjectAllocationProfile::initializeProfile):
* dfg/DFGAbstractInterpreterInlines.h:
(JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
* dfg/DFGByteCodeParser.cpp:
(JSC::DFG::ByteCodeParser::parseBlock):
* dfg/DFGConstantFoldingPhase.cpp:
(JSC::DFG::ConstantFoldingPhase::foldConstants):
* dfg/DFGOperations.cpp:
* runtime/CommonSlowPaths.cpp:
(JSC::SLOW_PATH_DECL):
* runtime/FunctionRareData.h:
* runtime/Structure.cpp:
(JSC::Structure::create):

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@231345 268f45cc-cd09-0410-ab3c-d52691b4dbfc
15 files changed:
JSTests/ChangeLog
JSTests/microbenchmarks/construct-poly-proto-object.js [new file with mode: 0644]
JSTests/stress/allocation-sinking-new-object-with-poly-proto.js [new file with mode: 0644]
Source/JavaScriptCore/ChangeLog
Source/JavaScriptCore/builtins/BuiltinNames.cpp
Source/JavaScriptCore/builtins/BuiltinNames.h
Source/JavaScriptCore/bytecode/ObjectAllocationProfile.h
Source/JavaScriptCore/bytecode/ObjectAllocationProfileInlines.h
Source/JavaScriptCore/dfg/DFGAbstractInterpreterInlines.h
Source/JavaScriptCore/dfg/DFGByteCodeParser.cpp
Source/JavaScriptCore/dfg/DFGConstantFoldingPhase.cpp
Source/JavaScriptCore/dfg/DFGOperations.cpp
Source/JavaScriptCore/runtime/CommonSlowPaths.cpp
Source/JavaScriptCore/runtime/FunctionRareData.h
Source/JavaScriptCore/runtime/Structure.cpp
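
The commit message states that caching the prototype in the allocation profile is sound because the profile is cleared when a function's 'prototype' changes. The following is an added example, not code from this commit or from WebKit's test suite: a check of the JavaScript-visible behaviour that such a fold has to preserve, written against standard language semantics so it runs in any engine. The names makeClass, checkPolyProto and checkPrototypeSwap are hypothetical.

```javascript
// Added example: engine-independent checks of what object construction must
// still guarantee after an optimizer caches a constructor's prototype.

// Each call evaluates the same class body, so every returned constructor
// shares one piece of code but owns a distinct prototype object.
function makeClass() {
    return class A {
        constructor() { this.x = 25; this.y = 30; }
    };
}

// Allocate from several such constructors in a hot loop and count objects
// whose prototype or fields do not match the constructor that built them.
function checkPolyProto(iterations) {
    const classes = [makeClass(), makeClass(), makeClass()];
    let mismatches = 0;
    for (let i = 0; i < iterations; i++) {
        const C = classes[i % classes.length];
        const o = new C();
        if (Object.getPrototypeOf(o) !== C.prototype || o.x !== 25 || o.y !== 30)
            mismatches++;
    }
    return mismatches;
}

// Warm up a plain function constructor, replace its 'prototype' halfway
// through, and keep allocating. Every object created after the swap must
// see the new prototype; a stale cached value shows up as a nonzero count.
function checkPrototypeSwap(iterations) {
    function F() { this.v = 1; }
    const oldProto = F.prototype;
    const newProto = { tag: "new" };   // constructed sample prototype
    const half = iterations >> 1;
    let stale = 0;
    for (let i = 0; i < iterations; i++) {
        if (i === half)
            F.prototype = newProto;
        const expected = i < half ? oldProto : newProto;
        if (Object.getPrototypeOf(new F()) !== expected)
            stale++;
    }
    return stale;
}
```

Both functions return 0 on a correct engine; the iteration count only needs to be large enough for the optimizing tiers to compile the loops.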