Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[JSC] Bracket compound assignment should resolve property key at most once #25526

Merged
merged 1 commit into from
Mar 12, 2024
Merged

[JSC] Bracket compound assignment should resolve property key at most once #25526

merged 1 commit into from
Mar 12, 2024

Conversation

rkirsling
Copy link
Member

@rkirsling rkirsling commented Mar 6, 2024
edited by webkit-early-warning-system

c9e7ab3

[JSC] Bracket compound assignment should resolve property key at most once
https://bugs.webkit.org/show_bug.cgi?id=270563

Reviewed by Yusuke Suzuki.

Just as we did for `obj[prop]++` (275531@main), we need to make sure `obj[prop] += 1;` doesn't double-evaluate `prop`.

The existing solution, however, is not of reasonable performance when `prop` is a Number value -- it is, of course,
unacceptable for `arr[i]++` to be slow. To this end, this patch also introduces OpToPropertyKeyOrNumber, which will
return numbers unchanged, just as it does with strings and symbols.

* JSTests/test262/expectations.yaml: Mark 22 test cases as passing.
* Source/JavaScriptCore/bytecode/BytecodeList.rb:
* Source/JavaScriptCore/bytecode/BytecodeUseDef.cpp:
* Source/JavaScriptCore/bytecompiler/BytecodeGenerator.cpp:
* Source/JavaScriptCore/bytecompiler/BytecodeGenerator.h:
* Source/JavaScriptCore/bytecompiler/NodesCodegen.cpp:
(JSC::PostfixNode::emitBracket):
(JSC::PrefixNode::emitBracket):
(JSC::ReadModifyBracketNode::emitBytecode):
(JSC::ShortCircuitReadModifyBracketNode::emitBytecode):
(JSC::ObjectPatternNode::bindValue const):
* Source/JavaScriptCore/dfg/DFGAbstractInterpreterInlines.h:
* Source/JavaScriptCore/dfg/DFGByteCodeParser.cpp:
* Source/JavaScriptCore/dfg/DFGClobberize.h:
* Source/JavaScriptCore/dfg/DFGConstantFoldingPhase.cpp:
* Source/JavaScriptCore/dfg/DFGDoesGC.cpp:
* Source/JavaScriptCore/dfg/DFGFixupPhase.cpp:
* Source/JavaScriptCore/dfg/DFGNode.h:
* Source/JavaScriptCore/dfg/DFGNodeType.h:
* Source/JavaScriptCore/dfg/DFGOperations.cpp:
* Source/JavaScriptCore/dfg/DFGOperations.h:
* Source/JavaScriptCore/dfg/DFGPredictionPropagationPhase.cpp:
* Source/JavaScriptCore/dfg/DFGSafeToExecute.h:
* Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp:
* Source/JavaScriptCore/dfg/DFGSpeculativeJIT.h:
* Source/JavaScriptCore/dfg/DFGSpeculativeJIT32_64.cpp:
* Source/JavaScriptCore/dfg/DFGSpeculativeJIT64.cpp:
* Source/JavaScriptCore/ftl/FTLCapabilities.cpp:
* Source/JavaScriptCore/ftl/FTLLowerDFGToB3.cpp:
* Source/JavaScriptCore/jit/JIT.cpp:
* Source/JavaScriptCore/jit/JIT.h:
* Source/JavaScriptCore/jit/JITOpcodes.cpp:
* Source/JavaScriptCore/llint/LowLevelInterpreter32_64.asm:
* Source/JavaScriptCore/llint/LowLevelInterpreter64.asm:
* Source/JavaScriptCore/runtime/CommonSlowPaths.cpp:
* Source/JavaScriptCore/runtime/CommonSlowPaths.h:

Canonical link: https://commits.webkit.org/275944@main

a1b832b

Misc iOS, tvOS & watchOS macOS Linux Windows
βœ… πŸ§ͺ style βœ… πŸ›  ios βœ… πŸ›  mac βœ… πŸ›  wpe βœ… πŸ›  wincairo
βœ… πŸ›  ios-sim βœ… πŸ›  mac-AS-debug βœ… πŸ§ͺ wpe-wk2
βœ… πŸ§ͺ webkitperl βœ… πŸ§ͺ ios-wk2 βœ… πŸ§ͺ api-mac βœ… πŸ§ͺ api-wpe
βœ… πŸ§ͺ ios-wk2-wpt βœ… πŸ§ͺ mac-wk1 βœ… πŸ›  wpe-skia
βœ… πŸ›  πŸ§ͺ jsc βœ… πŸ§ͺ api-ios βœ… πŸ§ͺ mac-wk2 βœ… πŸ›  gtk
βœ… πŸ›  πŸ§ͺ jsc-arm64 βœ… πŸ›  tv βœ… πŸ§ͺ mac-AS-debug-wk2 βœ… πŸ§ͺ gtk-wk2
βœ… πŸ›  tv-sim βœ… πŸ§ͺ api-gtk
βœ… πŸ›  πŸ§ͺ merge βœ… πŸ›  watch βœ… πŸ›  jsc-armv7
βœ… πŸ›  watch-sim βœ… πŸ§ͺ jsc-armv7-tests

@rkirsling rkirsling requested a review from a team as a code owner March 6, 2024 07:59
@rkirsling rkirsling self-assigned this Mar 6, 2024
@rkirsling rkirsling added the JavaScriptCore For bugs in JavaScriptCore, the JS engine used by WebKit, other than kxmlcore issues. label Mar 6, 2024
@webkit-early-warning-system
Copy link
Collaborator

EWS run on previous version of this PR (hash cff3852)

Misc iOS, tvOS & watchOS macOS Linux Windows
βœ… πŸ§ͺ style βœ… πŸ›  ios βœ… πŸ›  mac βœ… πŸ›  wpe βœ… πŸ›  wincairo
βœ… πŸ›  ios-sim βœ… πŸ›  mac-AS-debug βœ… πŸ§ͺ wpe-wk2
βœ… πŸ§ͺ webkitperl βœ… πŸ§ͺ ios-wk2 βœ… πŸ§ͺ api-mac βœ… πŸ§ͺ api-wpe
βœ… πŸ§ͺ ios-wk2-wpt βœ… πŸ§ͺ mac-wk1 βœ… πŸ›  wpe-skia
βœ… πŸ›  πŸ§ͺ jsc βœ… πŸ§ͺ api-ios βœ… πŸ§ͺ mac-wk2 βœ… πŸ›  gtk
βœ… πŸ›  πŸ§ͺ jsc-arm64 βœ… πŸ›  tv βœ… πŸ§ͺ mac-AS-debug-wk2 βœ… πŸ§ͺ gtk-wk2
βœ… πŸ›  tv-sim βœ… πŸ§ͺ api-gtk
βœ… πŸ›  watch βœ… πŸ›  jsc-armv7
βœ… πŸ›  watch-sim βœ… πŸ§ͺ jsc-armv7-tests

Constellation
Constellation requested changes Mar 6, 2024
View reviewed changes
Copy link
Member

@Constellation Constellation left a comment
edited

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think this has a problem that it always makes the result as string while it can be a number. And we are observing perf regressions in some of JetStream2 tests. We should not do atom string generation if the input is a number, so probably some special bytecode and Baseline / DFG / FTL handling is necessary.

@webkit-ews-buildbot webkit-ews-buildbot added the merging-blocked Applied to prevent a change from being merged label Mar 6, 2024
@rkirsling rkirsling removed the merging-blocked Applied to prevent a change from being merged label Mar 7, 2024
@rkirsling rkirsling force-pushed the eng/JSC-Bracket-compound-assignment-should-resolve-property-key-at-most-once branch from cff3852 to 93f81c9 Compare March 7, 2024 07:49
@webkit-early-warning-system
Copy link
Collaborator

EWS run on previous version of this PR (hash 93f81c9)

Misc iOS, tvOS & watchOS macOS Linux Windows
βœ… πŸ§ͺ style βœ… πŸ›  ios βœ… πŸ›  mac βœ… πŸ›  wpe βœ… πŸ›  wincairo
βœ… πŸ›  ios-sim βœ… πŸ›  mac-AS-debug   πŸ§ͺ wpe-wk2
βœ… πŸ§ͺ webkitperl βœ… πŸ§ͺ ios-wk2   πŸ§ͺ api-mac   πŸ§ͺ api-wpe
⏳ πŸ§ͺ ios-wk2-wpt   πŸ§ͺ mac-wk1 βœ… πŸ›  wpe-skia
  πŸ›  πŸ§ͺ jsc βœ… πŸ§ͺ api-ios   πŸ§ͺ mac-wk2 βœ… πŸ›  gtk
  πŸ›  πŸ§ͺ jsc-arm64 βœ… πŸ›  tv   πŸ§ͺ mac-AS-debug-wk2   πŸ§ͺ gtk-wk2
βœ… πŸ›  tv-sim   πŸ§ͺ api-gtk
βœ… πŸ›  watch ❌ πŸ›  jsc-armv7
βœ… πŸ›  watch-sim ❌ πŸ§ͺ jsc-armv7-tests

@webkit-ews-buildbot webkit-ews-buildbot added the merging-blocked Applied to prevent a change from being merged label Mar 7, 2024
@rkirsling rkirsling removed the merging-blocked Applied to prevent a change from being merged label Mar 7, 2024
@rkirsling rkirsling force-pushed the eng/JSC-Bracket-compound-assignment-should-resolve-property-key-at-most-once branch from 93f81c9 to fefe1af Compare March 7, 2024 08:29
@webkit-early-warning-system
Copy link
Collaborator

EWS run on previous version of this PR (hash fefe1af)

Misc iOS, tvOS & watchOS macOS Linux Windows
βœ… πŸ§ͺ style βœ… πŸ›  ios βœ… πŸ›  mac βœ… πŸ›  wpe βœ… πŸ›  wincairo
βœ… πŸ›  ios-sim βœ… πŸ›  mac-AS-debug βœ… πŸ§ͺ wpe-wk2
βœ… πŸ§ͺ webkitperl βœ… πŸ§ͺ ios-wk2 βœ… πŸ§ͺ api-mac βœ… πŸ§ͺ api-wpe
βœ… πŸ§ͺ ios-wk2-wpt βœ… πŸ§ͺ mac-wk1 βœ… πŸ›  wpe-skia
❌ πŸ›  πŸ§ͺ jsc βœ… πŸ§ͺ api-ios βœ… πŸ§ͺ mac-wk2 βœ… πŸ›  gtk
❌ πŸ›  πŸ§ͺ jsc-arm64 βœ… πŸ›  tv ❌ πŸ§ͺ mac-AS-debug-wk2 βœ… πŸ§ͺ gtk-wk2
βœ… πŸ›  tv-sim βœ… πŸ§ͺ api-gtk
βœ… πŸ›  watch βœ… πŸ›  jsc-armv7
βœ… πŸ›  watch-sim ❌ πŸ§ͺ jsc-armv7-tests

@webkit-ews-buildbot webkit-ews-buildbot added the merging-blocked Applied to prevent a change from being merged label Mar 7, 2024
@rkirsling rkirsling removed the merging-blocked Applied to prevent a change from being merged label Mar 8, 2024
@rkirsling rkirsling force-pushed the eng/JSC-Bracket-compound-assignment-should-resolve-property-key-at-most-once branch from fefe1af to 47e17cb Compare March 8, 2024 03:26
@webkit-early-warning-system
Copy link
Collaborator

EWS run on previous version of this PR (hash 47e17cb)

Misc iOS, tvOS & watchOS macOS Linux Windows
βœ… πŸ§ͺ style βœ… πŸ›  ios βœ… πŸ›  mac βœ… πŸ›  wpe βœ… πŸ›  wincairo
βœ… πŸ›  ios-sim βœ… πŸ›  mac-AS-debug ⏳ πŸ§ͺ wpe-wk2
βœ… πŸ§ͺ webkitperl βœ… πŸ§ͺ ios-wk2 βœ… πŸ§ͺ api-mac βœ… πŸ§ͺ api-wpe
  πŸ§ͺ ios-wk2-wpt βœ… πŸ§ͺ mac-wk1 βœ… πŸ›  wpe-skia
  πŸ›  πŸ§ͺ jsc βœ… πŸ§ͺ api-ios βœ… πŸ§ͺ mac-wk2 βœ… πŸ›  gtk
❌ πŸ›  πŸ§ͺ jsc-arm64 βœ… πŸ›  tv ❌ πŸ§ͺ mac-AS-debug-wk2   πŸ§ͺ gtk-wk2
  πŸ›  tv-sim ⏳ πŸ§ͺ api-gtk
βœ… πŸ›  watch βœ… πŸ›  jsc-armv7
  πŸ›  watch-sim ⏳ πŸ§ͺ jsc-armv7-tests

@rkirsling rkirsling force-pushed the eng/JSC-Bracket-compound-assignment-should-resolve-property-key-at-most-once branch from 47e17cb to 3ab3620 Compare March 8, 2024 05:52
@webkit-early-warning-system
Copy link
Collaborator

EWS run on previous version of this PR (hash 3ab3620)

Misc iOS, tvOS & watchOS macOS Linux Windows
βœ… πŸ§ͺ style βœ… πŸ›  ios βœ… πŸ›  mac βœ… πŸ›  wpe βœ… πŸ›  wincairo
βœ… πŸ›  ios-sim βœ… πŸ›  mac-AS-debug ⏳ πŸ§ͺ wpe-wk2
βœ… πŸ§ͺ webkitperl βœ… πŸ§ͺ ios-wk2 βœ… πŸ§ͺ api-mac βœ… πŸ§ͺ api-wpe
  πŸ§ͺ ios-wk2-wpt βœ… πŸ§ͺ mac-wk1 βœ… πŸ›  wpe-skia
  πŸ›  πŸ§ͺ jsc βœ… πŸ§ͺ api-ios βœ… πŸ§ͺ mac-wk2 βœ… πŸ›  gtk
βœ… πŸ›  πŸ§ͺ jsc-arm64 βœ… πŸ›  tv ❌ πŸ§ͺ mac-AS-debug-wk2   πŸ§ͺ gtk-wk2
  πŸ›  tv-sim ⏳ πŸ§ͺ api-gtk
βœ… πŸ›  watch βœ… πŸ›  jsc-armv7
βœ… πŸ›  watch-sim βœ… πŸ§ͺ jsc-armv7-tests

@rkirsling rkirsling force-pushed the eng/JSC-Bracket-compound-assignment-should-resolve-property-key-at-most-once branch from 3ab3620 to a1b832b Compare March 8, 2024 07:28
@webkit-early-warning-system
Copy link
Collaborator

EWS run on current version of this PR (hash a1b832b)

Misc iOS, tvOS & watchOS macOS Linux Windows
βœ… πŸ§ͺ style βœ… πŸ›  ios βœ… πŸ›  mac βœ… πŸ›  wpe βœ… πŸ›  wincairo
βœ… πŸ›  ios-sim βœ… πŸ›  mac-AS-debug βœ… πŸ§ͺ wpe-wk2
βœ… πŸ§ͺ webkitperl βœ… πŸ§ͺ ios-wk2 βœ… πŸ§ͺ api-mac βœ… πŸ§ͺ api-wpe
βœ… πŸ§ͺ ios-wk2-wpt βœ… πŸ§ͺ mac-wk1 βœ… πŸ›  wpe-skia
βœ… πŸ›  πŸ§ͺ jsc βœ… πŸ§ͺ api-ios βœ… πŸ§ͺ mac-wk2 βœ… πŸ›  gtk
βœ… πŸ›  πŸ§ͺ jsc-arm64 βœ… πŸ›  tv βœ… πŸ§ͺ mac-AS-debug-wk2 βœ… πŸ§ͺ gtk-wk2
βœ… πŸ›  tv-sim βœ… πŸ§ͺ api-gtk
βœ… πŸ›  πŸ§ͺ merge βœ… πŸ›  watch βœ… πŸ›  jsc-armv7
βœ… πŸ›  watch-sim βœ… πŸ§ͺ jsc-armv7-tests

@webkit-ews-buildbot webkit-ews-buildbot added the merging-blocked Applied to prevent a change from being merged label Mar 8, 2024
@rkirsling rkirsling removed the merging-blocked Applied to prevent a change from being merged label Mar 8, 2024
@rkirsling
Copy link
Member Author

Just a reminder that this is ready for review.

@rkirsling rkirsling mentioned this pull request Mar 11, 2024
Closed
Constellation
Constellation approved these changes Mar 11, 2024
View reviewed changes
Copy link
Member

@Constellation Constellation left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

r=me

@rkirsling rkirsling added the merge-queue Applied to send a pull request to merge-queue label Mar 12, 2024
@rkirsling
[JSC] Bracket compound assignment should resolve property key at most…
c9e7ab3 
… once

https://bugs.webkit.org/show_bug.cgi?id=270563

Reviewed by Yusuke Suzuki.

Just as we did for `obj[prop]++` (275531@main), we need to make sure `obj[prop] += 1;` doesn't double-evaluate `prop`.

The existing solution, however, is not of reasonable performance when `prop` is a Number value -- it is, of course,
unacceptable for `arr[i]++` to be slow. To this end, this patch also introduces OpToPropertyKeyOrNumber, which will
return numbers unchanged, just as it does with strings and symbols.

* JSTests/test262/expectations.yaml: Mark 22 test cases as passing.
* Source/JavaScriptCore/bytecode/BytecodeList.rb:
* Source/JavaScriptCore/bytecode/BytecodeUseDef.cpp:
* Source/JavaScriptCore/bytecompiler/BytecodeGenerator.cpp:
* Source/JavaScriptCore/bytecompiler/BytecodeGenerator.h:
* Source/JavaScriptCore/bytecompiler/NodesCodegen.cpp:
(JSC::PostfixNode::emitBracket):
(JSC::PrefixNode::emitBracket):
(JSC::ReadModifyBracketNode::emitBytecode):
(JSC::ShortCircuitReadModifyBracketNode::emitBytecode):
(JSC::ObjectPatternNode::bindValue const):
* Source/JavaScriptCore/dfg/DFGAbstractInterpreterInlines.h:
* Source/JavaScriptCore/dfg/DFGByteCodeParser.cpp:
* Source/JavaScriptCore/dfg/DFGClobberize.h:
* Source/JavaScriptCore/dfg/DFGConstantFoldingPhase.cpp:
* Source/JavaScriptCore/dfg/DFGDoesGC.cpp:
* Source/JavaScriptCore/dfg/DFGFixupPhase.cpp:
* Source/JavaScriptCore/dfg/DFGNode.h:
* Source/JavaScriptCore/dfg/DFGNodeType.h:
* Source/JavaScriptCore/dfg/DFGOperations.cpp:
* Source/JavaScriptCore/dfg/DFGOperations.h:
* Source/JavaScriptCore/dfg/DFGPredictionPropagationPhase.cpp:
* Source/JavaScriptCore/dfg/DFGSafeToExecute.h:
* Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp:
* Source/JavaScriptCore/dfg/DFGSpeculativeJIT.h:
* Source/JavaScriptCore/dfg/DFGSpeculativeJIT32_64.cpp:
* Source/JavaScriptCore/dfg/DFGSpeculativeJIT64.cpp:
* Source/JavaScriptCore/ftl/FTLCapabilities.cpp:
* Source/JavaScriptCore/ftl/FTLLowerDFGToB3.cpp:
* Source/JavaScriptCore/jit/JIT.cpp:
* Source/JavaScriptCore/jit/JIT.h:
* Source/JavaScriptCore/jit/JITOpcodes.cpp:
* Source/JavaScriptCore/llint/LowLevelInterpreter32_64.asm:
* Source/JavaScriptCore/llint/LowLevelInterpreter64.asm:
* Source/JavaScriptCore/runtime/CommonSlowPaths.cpp:
* Source/JavaScriptCore/runtime/CommonSlowPaths.h:

Canonical link: https://commits.webkit.org/275944@main
@webkit-commit-queue webkit-commit-queue force-pushed the eng/JSC-Bracket-compound-assignment-should-resolve-property-key-at-most-once branch from a1b832b to c9e7ab3 Compare March 12, 2024 01:28
@webkit-commit-queue
Copy link
Collaborator

Committed 275944@main (c9e7ab3): https://commits.webkit.org/275944@main

Reviewed commits have been landed. Closing PR #25526 and removing active labels.

@webkit-commit-queue webkit-commit-queue removed the merge-queue Applied to send a pull request to merge-queue label Mar 12, 2024
@webkit-commit-queue webkit-commit-queue merged commit c9e7ab3 into WebKit:main Mar 12, 2024
@rkirsling rkirsling deleted the eng/JSC-Bracket-compound-assignment-should-resolve-property-key-at-most-once branch March 12, 2024 03:09
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@Constellation Constellation Constellation approved these changes

Assignees

@rkirsling rkirsling

Labels
JavaScriptCore For bugs in JavaScriptCore, the JS engine used by WebKit, other than kxmlcore issues.
Projects
None yet
Milestone
No milestone
5 participants
@rkirsling @webkit-early-warning-system @webkit-commit-queue @Constellation @webkit-ews-buildbot