[DFG] Fold GetByVal if the indexed value is non configurable and non writable
authorutatane.tea@gmail.com <utatane.tea@gmail.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Sun, 22 Jul 2018 16:54:38 +0000 (16:54 +0000)
committerutatane.tea@gmail.com <utatane.tea@gmail.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Sun, 22 Jul 2018 16:54:38 +0000 (16:54 +0000)
commitf1926a5fc5232a88d0dddd22f2ec7a58400d7abb
tree848676af4df7fd1a171444369da1489acf0e7f0e
parent4ab245f89020cf473e21fa2729a5612c7c35221d
[DFG] Fold GetByVal if the indexed value is non configurable and non writable
https://bugs.webkit.org/show_bug.cgi?id=186462

Reviewed by Saam Barati.

JSTests:

* stress/folding-get-by-val-with-read-only-dont-delete-object.js: Added.
(shouldBe):
(test1):
(test2):
(test3):
(test4):
(test5):
* stress/folding-get-by-val-with-read-only-dont-delete-runtime-array.js: Added.
(shouldBe):
(test1):
(test2):
(test5):
* stress/folding-get-by-val-with-read-only-dont-delete.js: Added.
(shouldBe):
(test1):
(test2):
(test3):
(test4):
(test5):

Source/JavaScriptCore:

Non-special DontDelete | ReadOnly properties mean that it won't be changed. If DFG AI can retrieve this
property, AI can fold it into a constant. This type of property can be seen when we use ES6 tagged templates.
Tagged templates' callsite includes indexed properties whose attributes are DontDelete | ReadOnly.

This patch attempts to fold such properties into constant in DFG AI. The challenge is that DFG AI runs
concurrently with the mutator thread. In this patch, we insert WTF::storeStoreFence between value setting
and attributes setting. The attributes must be set after the corresponding value is set. If the loaded
attributes (with WTF::loadLoadFence) include DontDelete | ReadOnly, it means the given value won't be
changed and we can safely use it. We arrange our existing code to use this protocol.

Since GetByVal folding requires the correct Structure & Butterfly pairs, it is only enabled in x86 architecture
since it is TSO. So, our WTF::storeStoreFence in SparseArrayValueMap is also emitted only in x86.

This patch improves SixSpeed/template_string_tag.es6.

                                  baseline                  patched

template_string_tag.es6      237.0301+-4.8374     ^      9.8779+-0.3628        ^ definitely 23.9960x faster

* dfg/DFGAbstractInterpreterInlines.h:
(JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
* runtime/JSArray.cpp:
(JSC::JSArray::setLengthWithArrayStorage):
* runtime/JSObject.cpp:
(JSC::JSObject::enterDictionaryIndexingModeWhenArrayStorageAlreadyExists):
(JSC::JSObject::deletePropertyByIndex):
(JSC::JSObject::getOwnPropertyNames):
(JSC::putIndexedDescriptor):
(JSC::JSObject::defineOwnIndexedProperty):
(JSC::JSObject::attemptToInterceptPutByIndexOnHoleForPrototype):
(JSC::JSObject::putIndexedDescriptor): Deleted.
* runtime/JSObject.h:
* runtime/SparseArrayValueMap.cpp:
(JSC::SparseArrayValueMap::SparseArrayValueMap):
(JSC::SparseArrayValueMap::add):
(JSC::SparseArrayValueMap::putDirect):
(JSC::SparseArrayValueMap::getConcurrently):
(JSC::SparseArrayEntry::get const):
(JSC::SparseArrayEntry::getConcurrently const):
(JSC::SparseArrayEntry::put):
(JSC::SparseArrayEntry::getNonSparseMode const):
(JSC::SparseArrayValueMap::visitChildren):
(JSC::SparseArrayValueMap::~SparseArrayValueMap): Deleted.
* runtime/SparseArrayValueMap.h:
(JSC::SparseArrayEntry::SparseArrayEntry):
(JSC::SparseArrayEntry::attributes const):
(JSC::SparseArrayEntry::forceSet):
(JSC::SparseArrayEntry::asValue):

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@234089 268f45cc-cd09-0410-ab3c-d52691b4dbfc
JSTests/ChangeLog
JSTests/stress/folding-get-by-val-with-read-only-dont-delete-object.js [new file with mode: 0644]
JSTests/stress/folding-get-by-val-with-read-only-dont-delete-runtime-array.js [new file with mode: 0644]
JSTests/stress/folding-get-by-val-with-read-only-dont-delete.js [new file with mode: 0644]
Source/JavaScriptCore/ChangeLog
Source/JavaScriptCore/dfg/DFGAbstractInterpreterInlines.h
Source/JavaScriptCore/runtime/JSArray.cpp
Source/JavaScriptCore/runtime/JSObject.cpp
Source/JavaScriptCore/runtime/JSObject.h
Source/JavaScriptCore/runtime/SparseArrayValueMap.cpp
Source/JavaScriptCore/runtime/SparseArrayValueMap.h