Unreviewed, rolling out r234183.
https://bugs.webkit.org/show_bug.cgi?id=187983

causes a regression in Kraken gaussian blur and desaturate
(Requested by yusukesuzuki on #webkit).

Reverted changeset:

"[JSC] Record CoW status in ArrayProfile"
https://bugs.webkit.org/show_bug.cgi?id=187949
https://trac.webkit.org/changeset/234183

git-svn-id: http://svn.webkit.org/repository/webkit/trunk@234184 268f45cc-cd09-0410-ab3c-d52691b4dbfc
diff --git a/JSTests/ChangeLog b/JSTests/ChangeLog
index b06686d..a9b8e5e 100644
--- a/JSTests/ChangeLog
+++ b/JSTests/ChangeLog
@@ -1,3 +1,17 @@
+2018-07-24  Commit Queue  <commit-queue@webkit.org>
+
+        Unreviewed, rolling out r234183.
+        https://bugs.webkit.org/show_bug.cgi?id=187983
+
+        cause regression in Kraken gaussian blur and desaturate
+        (Requested by yusukesuzuki on #webkit).
+
+        Reverted changeset:
+
+        "[JSC] Record CoW status in ArrayProfile"
+        https://bugs.webkit.org/show_bug.cgi?id=187949
+        https://trac.webkit.org/changeset/234183
+
 2018-07-24  Yusuke Suzuki  <utatane.tea@gmail.com>
 
         [JSC] Record CoW status in ArrayProfile
diff --git a/JSTests/stress/array-profile-should-record-copy-on-write.js b/JSTests/stress/array-profile-should-record-copy-on-write.js
deleted file mode 100644
index 204b4c4..0000000
--- a/JSTests/stress/array-profile-should-record-copy-on-write.js
+++ /dev/null
@@ -1,39 +0,0 @@
-function shouldBe(actual, expected)
-{
-    if (actual !== expected)
-        throw new Error('bad value: ' + actual);
-}
-noInline(shouldBe);
-
-function test1(array)
-{
-    for (var i = 0; i < 5; ++i) {
-        array[0] = array[0] + 1;
-    }
-    return array;
-}
-noInline(test1);
-
-function test2(array)
-{
-    for (var i = 0; i < 5; ++i) {
-        array[0] = array[0] + 1;
-    }
-    return array;
-}
-noInline(test2);
-
-function test3(array)
-{
-    for (var i = 0; i < 5; ++i) {
-        array[0] = array[0] + 1;
-    }
-    return array;
-}
-noInline(test3);
-
-for (var i = 0; i < 1e6; ++i) {
-    shouldBe(String(test1([0, 1, 2, 3, 4])), `5,1,2,3,4`);
-    shouldBe(String(test2([0.1, 1.1, 2.1, 3.1, 4.1])), `5.1,1.1,2.1,3.1,4.1`);
-    shouldBe(String(test3(['C', 'o', 'c', 'o', 'a'])), `C11111,o,c,o,a`);
-}
diff --git a/Source/JavaScriptCore/ChangeLog b/Source/JavaScriptCore/ChangeLog
index 8ab3602..a784ca9 100644
--- a/Source/JavaScriptCore/ChangeLog
+++ b/Source/JavaScriptCore/ChangeLog
@@ -1,3 +1,17 @@
+2018-07-24  Commit Queue  <commit-queue@webkit.org>
+
+        Unreviewed, rolling out r234183.
+        https://bugs.webkit.org/show_bug.cgi?id=187983
+
+        cause regression in Kraken gaussian blur and desaturate
+        (Requested by yusukesuzuki on #webkit).
+
+        Reverted changeset:
+
+        "[JSC] Record CoW status in ArrayProfile"
+        https://bugs.webkit.org/show_bug.cgi?id=187949
+        https://trac.webkit.org/changeset/234183
+
 2018-07-24  Yusuke Suzuki  <utatane.tea@gmail.com>
 
         [JSC] Record CoW status in ArrayProfile
diff --git a/Source/JavaScriptCore/bytecode/ArrayProfile.cpp b/Source/JavaScriptCore/bytecode/ArrayProfile.cpp
index 349541a..d071b0d 100644
--- a/Source/JavaScriptCore/bytecode/ArrayProfile.cpp
+++ b/Source/JavaScriptCore/bytecode/ArrayProfile.cpp
@@ -165,8 +165,6 @@
         out.print(comma, "Intercept");
     if (m_usesOriginalArrayStructures)
         out.print(comma, "Original");
-    if (isCopyOnWrite(m_observedArrayModes))
-        out.print(comma, "CopyOnWrite");
 
     return out.toCString();
 }
diff --git a/Source/JavaScriptCore/bytecode/ArrayProfile.h b/Source/JavaScriptCore/bytecode/ArrayProfile.h
index 55d3810..220b67e 100644
--- a/Source/JavaScriptCore/bytecode/ArrayProfile.h
+++ b/Source/JavaScriptCore/bytecode/ArrayProfile.h
@@ -39,27 +39,36 @@
 // There are 9 typed array types taking the bits 16 to 25.
 typedef unsigned ArrayModes;
 
-// The possible IndexingTypes are limited within (0 - 16, 21, 23, 25).
-// This is because CoW types only appear for JSArrays.
-static_assert(CopyOnWriteArrayWithInt32 == 21, "");
-static_assert(CopyOnWriteArrayWithDouble == 23, "");
-static_assert(CopyOnWriteArrayWithContiguous == 25, "");
-const ArrayModes CopyOnWriteArrayWithInt32ArrayMode = 1 << CopyOnWriteArrayWithInt32;
-const ArrayModes CopyOnWriteArrayWithDoubleArrayMode = 1 << CopyOnWriteArrayWithDouble;
-const ArrayModes CopyOnWriteArrayWithContiguousArrayMode = 1 << CopyOnWriteArrayWithContiguous;
+const ArrayModes CopyOnWriteArrayWithInt32ArrayMode = 1 << 16;
+const ArrayModes CopyOnWriteArrayWithDoubleArrayMode = 1 << 17;
+const ArrayModes CopyOnWriteArrayWithContiguousArrayMode = 1 << 18;
 
-const ArrayModes Int8ArrayMode = 1 << 16;
-const ArrayModes Int16ArrayMode = 1 << 17;
-const ArrayModes Int32ArrayMode = 1 << 18;
-const ArrayModes Uint8ArrayMode = 1 << 19;
-const ArrayModes Uint8ClampedArrayMode = 1 << 20; // 21 - 25 are used for CoW arrays.
-const ArrayModes Uint16ArrayMode = 1 << 26;
-const ArrayModes Uint32ArrayMode = 1 << 27;
-const ArrayModes Float32ArrayMode = 1 << 28;
-const ArrayModes Float64ArrayMode = 1 << 29;
+const ArrayModes Int8ArrayMode = 1 << 19;
+const ArrayModes Int16ArrayMode = 1 << 20;
+const ArrayModes Int32ArrayMode = 1 << 21;
+const ArrayModes Uint8ArrayMode = 1 << 22;
+const ArrayModes Uint8ClampedArrayMode = 1 << 23;
+const ArrayModes Uint16ArrayMode = 1 << 24;
+const ArrayModes Uint32ArrayMode = 1 << 25;
+const ArrayModes Float32ArrayMode = 1 << 26;
+const ArrayModes Float64ArrayMode = 1 << 27;
 
 inline constexpr ArrayModes asArrayModes(IndexingType indexingMode)
 {
+    if (isCopyOnWrite(indexingMode)) {
+        switch (indexingMode) {
+        case CopyOnWriteArrayWithInt32:
+            return CopyOnWriteArrayWithInt32ArrayMode;
+        case CopyOnWriteArrayWithDouble:
+            return CopyOnWriteArrayWithDoubleArrayMode;
+        case CopyOnWriteArrayWithContiguous:
+            return CopyOnWriteArrayWithContiguousArrayMode;
+        default:
+            UNREACHABLE_FOR_PLATFORM();
+            return 0;
+        }
+    }
+
     return static_cast<unsigned>(1) << static_cast<unsigned>(indexingMode);
 }
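Review bot: The context comment `// There are 9 typed array types taking the bits 16 to 25.` no longer describes the constants below it on the new side, where the three copy-on-write modes occupy bits 16–18 and the nine typed-array modes occupy bits 19–27; it should read `// Bits 16-18 record the three copy-on-write array modes; the 9 typed array types take bits 19 to 27.` (the comment block it belongs to begins above the hunk). With the CoW bits now assigned by hand rather than derived from the IndexingType values, the `switch` in `asArrayModes` is the only place the mapping lives, so a one-line comment above `CopyOnWriteArrayWithInt32ArrayMode` such as `// Kept in sync with the switch in asArrayModes(); these bits must not collide with the typed-array bits below.` would make that coupling visible to the next person who renumbers either group.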
 
@@ -212,15 +221,26 @@
 class ArrayProfile {
 public:
     ArrayProfile()
-        : ArrayProfile(std::numeric_limits<unsigned>::max())
-    {
-    }
-    
-    explicit ArrayProfile(unsigned bytecodeOffset)
-        : m_bytecodeOffset(bytecodeOffset)
+        : m_bytecodeOffset(std::numeric_limits<unsigned>::max())
+        , m_lastSeenStructureID(0)
+        , m_mayStoreToHole(false)
+        , m_outOfBounds(false)
         , m_mayInterceptIndexedAccesses(false)
         , m_usesOriginalArrayStructures(true)
         , m_didPerformFirstRunPruning(false)
+        , m_observedArrayModes(0)
+    {
+    }
+    
+    ArrayProfile(unsigned bytecodeOffset)
+        : m_bytecodeOffset(bytecodeOffset)
+        , m_lastSeenStructureID(0)
+        , m_mayStoreToHole(false)
+        , m_outOfBounds(false)
+        , m_mayInterceptIndexedAccesses(false)
+        , m_usesOriginalArrayStructures(true)
+        , m_didPerformFirstRunPruning(false)
+        , m_observedArrayModes(0)
     {
     }
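Review bot: `ArrayProfile(unsigned bytecodeOffset)` on the new side is a single-argument constructor without `explicit`, so any `unsigned` converts silently to an `ArrayProfile`; the signature should read `explicit ArrayProfile(unsigned bytecodeOffset)`. The two constructors also repeat the same eight-entry initializer list, and because the member declarations in the last hunk of this file carry no default member initializers, every field's starting value now depends on each list being kept complete; a comment above the first constructor such as `// Both initializer lists must name every member: the declarations carry no default initializers.` would state that obligation where it is easiest to forget. The class `ArrayProfile` begins in this hunk but its body continues past it.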
     
@@ -232,9 +252,7 @@
 
     void setOutOfBounds() { m_outOfBounds = true; }
     bool* addressOfOutOfBounds() { return &m_outOfBounds; }
-
-    unsigned* addressOfObservedIndexingModes() { return &m_observedIndexingModes; }
-
+    
     void observeStructure(Structure* structure)
     {
         m_lastSeenStructureID = structure->id();
@@ -247,7 +265,6 @@
     void observeIndexedRead(VM&, JSCell*, unsigned index);
 
     ArrayModes observedArrayModes(const ConcurrentJSLocker&) const { return m_observedArrayModes; }
-    IndexingType observedIndexingModes(const ConcurrentJSLocker&) const { return m_observedIndexingModes; }
     bool mayInterceptIndexedAccesses(const ConcurrentJSLocker&) const { return m_mayInterceptIndexedAccesses; }
     
     bool mayStoreToHole(const ConcurrentJSLocker&) const { return m_mayStoreToHole; }
@@ -264,14 +281,13 @@
     static Structure* polymorphicStructure() { return static_cast<Structure*>(reinterpret_cast<void*>(1)); }
     
     unsigned m_bytecodeOffset;
-    StructureID m_lastSeenStructureID { 0 };
-    ArrayModes m_observedArrayModes { 0 };
-    unsigned m_observedIndexingModes { 0 };
-    bool m_mayStoreToHole { false }; // This flag may become overloaded to indicate other special cases that were encountered during array access, as it depends on indexing type. Since we currently have basically just one indexing type (two variants of ArrayStorage), this flag for now just means exactly what its name implies.
-    bool m_outOfBounds { false };
+    StructureID m_lastSeenStructureID;
+    bool m_mayStoreToHole; // This flag may become overloaded to indicate other special cases that were encountered during array access, as it depends on indexing type. Since we currently have basically just one indexing type (two variants of ArrayStorage), this flag for now just means exactly what its name implies.
+    bool m_outOfBounds;
     bool m_mayInterceptIndexedAccesses : 1;
     bool m_usesOriginalArrayStructures : 1;
     bool m_didPerformFirstRunPruning : 1;
+    ArrayModes m_observedArrayModes;
 };
 
 typedef SegmentedVector<ArrayProfile, 4> ArrayProfileVector;
diff --git a/Source/JavaScriptCore/dfg/DFGArrayMode.cpp b/Source/JavaScriptCore/dfg/DFGArrayMode.cpp
index 8b3087f..dfd68e6 100644
--- a/Source/JavaScriptCore/dfg/DFGArrayMode.cpp
+++ b/Source/JavaScriptCore/dfg/DFGArrayMode.cpp
@@ -57,10 +57,6 @@
         } else
             isArray = Array::Array;
 
-        bool includesCopyOnWrite = isCopyOnWrite(profile->observedIndexingModes(locker));
-        if (includesCopyOnWrite && !(observed & asArrayModes(toIndexingShape(type) | ArrayClass | CopyOnWrite)))
-            observed |= asArrayModes(toIndexingShape(type) | ArrayClass | CopyOnWrite);
-
         if (action == Array::Write && (observed & asArrayModes(toIndexingShape(type) | ArrayClass | CopyOnWrite)))
             converts = Array::Convert;
         else
diff --git a/Source/JavaScriptCore/dfg/DFGArrayMode.h b/Source/JavaScriptCore/dfg/DFGArrayMode.h
index f4b77e8..0ac2ecc 100644
--- a/Source/JavaScriptCore/dfg/DFGArrayMode.h
+++ b/Source/JavaScriptCore/dfg/DFGArrayMode.h
@@ -208,10 +208,9 @@
         if (isJSArray()) {
             if (profile->usesOriginalArrayStructures(locker) && benefitsFromOriginalArray()) {
                 ArrayModes arrayModes = profile->observedArrayModes(locker);
-                IndexingType observedIndexingModes = profile->observedIndexingModes(locker);
-                if ((hasSeenCopyOnWriteArray(arrayModes) || isCopyOnWrite(observedIndexingModes)) && !hasSeenWritableArray(arrayModes))
+                if (hasSeenCopyOnWriteArray(arrayModes) && !hasSeenWritableArray(arrayModes))
                     myArrayClass = Array::OriginalCopyOnWriteArray;
-                else if ((!hasSeenCopyOnWriteArray(arrayModes) && !isCopyOnWrite(observedIndexingModes)) && hasSeenWritableArray(arrayModes))
+                else if (!hasSeenCopyOnWriteArray(arrayModes) && hasSeenWritableArray(arrayModes))
                     myArrayClass = Array::OriginalArray;
                 else
                     myArrayClass = Array::Array;
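Review bot: `hasSeenCopyOnWriteArray(arrayModes)` and `hasSeenWritableArray(arrayModes)` are each evaluated twice across the `if`/`else if` on the new side, which makes the three-way classification harder to read than it needs to be. Naming the two results once, `const bool sawCopyOnWrite = hasSeenCopyOnWriteArray(arrayModes);` and `const bool sawWritable = hasSeenWritableArray(arrayModes);`, lets the branches become `if (sawCopyOnWrite && !sawWritable)` and `else if (!sawCopyOnWrite && sawWritable)`, with the fall-through `else` covering the mixed and empty cases. The enclosing function starts and ends outside the hunk.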
diff --git a/Source/JavaScriptCore/jit/JITCall.cpp b/Source/JavaScriptCore/jit/JITCall.cpp
index 538c894..50ab48b 100644
--- a/Source/JavaScriptCore/jit/JITCall.cpp
+++ b/Source/JavaScriptCore/jit/JITCall.cpp
@@ -164,13 +164,10 @@
         int registerOffset = -instruction[4].u.operand;
 
         if (opcodeID == op_call && shouldEmitProfiling()) {
-            ArrayProfile* arrayProfile = instruction[OPCODE_LENGTH(op_call) - 2].u.arrayProfile;
             emitGetVirtualRegister(registerOffset + CallFrame::argumentOffsetIncludingThis(0), regT0);
             Jump done = branchIfNotCell(regT0);
-            load32(Address(regT0, JSCell::structureIDOffset()), regT1);
-            store32(regT1, arrayProfile->addressOfLastSeenStructureID());
-            load8(Address(regT0, JSCell::indexingTypeAndMiscOffset()), regT1);
-            or32(regT1, AbsoluteAddress(arrayProfile->addressOfObservedIndexingModes()));
+            load32(Address(regT0, JSCell::structureIDOffset()), regT0);
+            store32(regT0, instruction[OPCODE_LENGTH(op_call) - 2].u.arrayProfile->addressOfLastSeenStructureID());
             done.link(this);
         }
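Review bot: The new side loads the structure ID into `regT0`, the same register that holds the `this` cell just tested by `branchIfNotCell(regT0)`, so after `done.link(this)` the register contains a StructureID on the cell path and the untouched value on the non-cell path. That is only safe if nothing after the hunk reads `regT0` again — the enclosing function continues outside the hunk, so I cannot confirm it here; if it does, `regT1` is the natural scratch register: `load32(Address(regT0, JSCell::structureIDOffset()), regT1); store32(regT1, instruction[OPCODE_LENGTH(op_call) - 2].u.arrayProfile->addressOfLastSeenStructureID());`. The same register reuse appears in JITCall32_64.cpp (the payload register `regT1`) and in LowLevelInterpreter32_64.asm (`t0`), and the same question applies there.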
     
diff --git a/Source/JavaScriptCore/jit/JITCall32_64.cpp b/Source/JavaScriptCore/jit/JITCall32_64.cpp
index d3f7eb0..88bef12 100644
--- a/Source/JavaScriptCore/jit/JITCall32_64.cpp
+++ b/Source/JavaScriptCore/jit/JITCall32_64.cpp
@@ -248,13 +248,10 @@
         int registerOffset = -instruction[4].u.operand;
         
         if (opcodeID == op_call && shouldEmitProfiling()) {
-            ArrayProfile* arrayProfile = instruction[OPCODE_LENGTH(op_call) - 2].u.arrayProfile;
             emitLoad(registerOffset + CallFrame::argumentOffsetIncludingThis(0), regT0, regT1);
             Jump done = branchIfNotCell(regT0);
-            loadPtr(Address(regT1, JSCell::structureIDOffset()), regT0);
-            storePtr(regT0, arrayProfile->addressOfLastSeenStructureID());
-            load8(Address(regT1, JSCell::indexingTypeAndMiscOffset()), regT0);
-            or32(regT0, AbsoluteAddress(arrayProfile->addressOfObservedIndexingModes()));
+            loadPtr(Address(regT1, JSCell::structureIDOffset()), regT1);
+            storePtr(regT1, instruction[OPCODE_LENGTH(op_call) - 2].u.arrayProfile->addressOfLastSeenStructureID());
             done.link(this);
         }
     
diff --git a/Source/JavaScriptCore/jit/JITInlines.h b/Source/JavaScriptCore/jit/JITInlines.h
index a190b0a..2bb67f1 100644
--- a/Source/JavaScriptCore/jit/JITInlines.h
+++ b/Source/JavaScriptCore/jit/JITInlines.h
@@ -348,8 +348,6 @@
     }
 
     load8(Address(cell, JSCell::indexingTypeAndMiscOffset()), indexingType);
-    if (shouldEmitProfiling())
-        or32(indexingType, AbsoluteAddress(arrayProfile->addressOfObservedIndexingModes()));
 }
 
 inline void JIT::emitArrayProfilingSiteForBytecodeIndexWithCell(RegisterID cell, RegisterID indexingType, unsigned bytecodeIndex)
diff --git a/Source/JavaScriptCore/llint/LowLevelInterpreter.asm b/Source/JavaScriptCore/llint/LowLevelInterpreter.asm
index 15bccde..88b80d3 100644
--- a/Source/JavaScriptCore/llint/LowLevelInterpreter.asm
+++ b/Source/JavaScriptCore/llint/LowLevelInterpreter.asm
@@ -931,7 +931,6 @@
     loadi JSCell::m_structureID[cell], scratch
     storei scratch, ArrayProfile::m_lastSeenStructureID[profile]
     loadb JSCell::m_indexingTypeAndMisc[cell], indexingType
-    ori indexingType, ArrayProfile::m_observedIndexingModes[profile]
 end
 
 macro skipIfIsRememberedOrInEden(cell, slowPath)
diff --git a/Source/JavaScriptCore/llint/LowLevelInterpreter32_64.asm b/Source/JavaScriptCore/llint/LowLevelInterpreter32_64.asm
index 3982461..80f41d8 100644
--- a/Source/JavaScriptCore/llint/LowLevelInterpreter32_64.asm
+++ b/Source/JavaScriptCore/llint/LowLevelInterpreter32_64.asm
@@ -1990,11 +1990,9 @@
     negi t3
     bineq ThisArgumentOffset + TagOffset[cfr, t3, 8], CellTag, .done
     loadi ThisArgumentOffset + PayloadOffset[cfr, t3, 8], t0
-    loadp JSCell::m_structureID[t0], t3
+    loadp JSCell::m_structureID[t0], t0
     loadpFromInstruction(CallOpCodeSize - 2, t1)
-    storep t3, ArrayProfile::m_lastSeenStructureID[t1]
-    loadb JSCell::m_indexingTypeAndMisc[t0], t3
-    ori t3, ArrayProfile::m_observedIndexingModes[t1]
+    storep t0, ArrayProfile::m_lastSeenStructureID[t1]
 .done:
 end
 
diff --git a/Source/JavaScriptCore/llint/LowLevelInterpreter64.asm b/Source/JavaScriptCore/llint/LowLevelInterpreter64.asm
index d85c855..f867597 100644
--- a/Source/JavaScriptCore/llint/LowLevelInterpreter64.asm
+++ b/Source/JavaScriptCore/llint/LowLevelInterpreter64.asm
@@ -2033,8 +2033,6 @@
     loadpFromInstruction((CallOpCodeSize - 2), t1)
     loadi JSCell::m_structureID[t0], t3
     storei t3, ArrayProfile::m_lastSeenStructureID[t1]
-    loadb JSCell::m_indexingTypeAndMisc[t0], t3
-    ori t3, ArrayProfile::m_observedIndexingModes[t1]
 .done:
 end