Branch: refs/heads/main
Home:   https://github.com/WebKit/WebKit
Commit: ebb72756b2c74492690c9f9dc1e83e29ac16be5e
        https://github.com/WebKit/WebKit/commit/ebb72756b2c74492690c9f9dc1e83e29ac16be5e
Author: Yusuke Suzuki <ysuz...@apple.com>
Date:   2023-08-04 (Fri, 04 Aug 2023)

Changed paths:
  A JSTests/stress/array-split-ignore-result.js
  M Source/JavaScriptCore/dfg/DFGAbstractInterpreterInlines.h
  M Source/JavaScriptCore/dfg/DFGByteCodeParser.cpp
  M Source/JavaScriptCore/dfg/DFGClobberize.h
  M Source/JavaScriptCore/dfg/DFGDoesGC.cpp
  M Source/JavaScriptCore/dfg/DFGFixupPhase.cpp
  M Source/JavaScriptCore/dfg/DFGNode.h
  M Source/JavaScriptCore/dfg/DFGNodeType.h
  M Source/JavaScriptCore/dfg/DFGOperations.cpp
  M Source/JavaScriptCore/dfg/DFGOperations.h
  M Source/JavaScriptCore/dfg/DFGPredictionPropagationPhase.cpp
  M Source/JavaScriptCore/dfg/DFGSafeToExecute.h
  M Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp
  M Source/JavaScriptCore/dfg/DFGSpeculativeJIT.h
  M Source/JavaScriptCore/dfg/DFGSpeculativeJIT32_64.cpp
  M Source/JavaScriptCore/dfg/DFGSpeculativeJIT64.cpp
  M Source/JavaScriptCore/ftl/FTLCapabilities.cpp
  M Source/JavaScriptCore/ftl/FTLLowerDFGToB3.cpp
  M Source/JavaScriptCore/runtime/ArrayPrototype.cpp
  M Source/JavaScriptCore/runtime/ArrayPrototypeInlines.h
  M Source/JavaScriptCore/runtime/Intrinsic.h

Log Message:
-----------
[JSC] Array#splice should skip result array creation if it is not used at all
https://bugs.webkit.org/show_bug.cgi?id=259809
rdar://113367762

Reviewed by Keith Miller.

This patch adds ArraySpliceExtract DFG node, which only accepts `array.splice(x, y)` form, which does not insert any elements. We leverage call_ignore_result etc.'s feedback information in DFG / FTL: we can see `array.splice(x, y)` result is not used, and DFG / FTL tells this hint to the operationArraySpliceExtract function. And then it can skip the result array creation when it is not used! This form is particularly frequently seen since `array.splice(x, y)` is a form of removing some elements in the middle of arrays.

* Source/JavaScriptCore/dfg/DFGAbstractInterpreterInlines.h:
(JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
* Source/JavaScriptCore/dfg/DFGByteCodeParser.cpp:
(JSC::DFG::ByteCodeParser::handleIntrinsicCall):
* Source/JavaScriptCore/dfg/DFGClobberize.h:
(JSC::DFG::clobberize):
* Source/JavaScriptCore/dfg/DFGDoesGC.cpp:
(JSC::DFG::doesGC):
* Source/JavaScriptCore/dfg/DFGFixupPhase.cpp:
(JSC::DFG::FixupPhase::fixupNode):
* Source/JavaScriptCore/dfg/DFGNode.h:
(JSC::DFG::Node::hasHeapPrediction):
* Source/JavaScriptCore/dfg/DFGNodeType.h:
* Source/JavaScriptCore/dfg/DFGOperations.cpp:
(JSC::DFG::JSC_DEFINE_JIT_OPERATION):
* Source/JavaScriptCore/dfg/DFGOperations.h:
* Source/JavaScriptCore/dfg/DFGPredictionPropagationPhase.cpp:
* Source/JavaScriptCore/dfg/DFGSafeToExecute.h:
(JSC::DFG::safeToExecute):
* Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp:
* Source/JavaScriptCore/dfg/DFGSpeculativeJIT.h:
* Source/JavaScriptCore/dfg/DFGSpeculativeJIT32_64.cpp:
(JSC::DFG::SpeculativeJIT::compile):
* Source/JavaScriptCore/dfg/DFGSpeculativeJIT64.cpp:
(JSC::DFG::SpeculativeJIT::compile):
* Source/JavaScriptCore/ftl/FTLCapabilities.cpp:
(JSC::FTL::canCompile):
* Source/JavaScriptCore/ftl/FTLLowerDFGToB3.cpp:
(JSC::FTL::DFG::LowerDFGToB3::compileNode):
(JSC::FTL::DFG::LowerDFGToB3::compileArraySpliceExtract):
* Source/JavaScriptCore/runtime/ArrayPrototype.cpp:
(JSC::ArrayPrototype::finishCreation):
(JSC::getProperty): Deleted.
(JSC::setLength): Deleted.
(JSC::shift): Deleted.
(JSC::unshift): Deleted.
* Source/JavaScriptCore/runtime/ArrayPrototypeInlines.h:
(JSC::getProperty):
(JSC::setLength):
(JSC::shift):
(JSC::unshift):
* Source/JavaScriptCore/runtime/Intrinsic.h:

Canonical link: https://commits.webkit.org/266591@main

_______________________________________________
webkit-changes mailing list
webkit-changes@lists.webkit.org
https://lists.webkit.org/mailman/listinfo/webkit-changes