Skip to content

[JSC] Fix GetButterfly handling in DFG array allocation sinking #47364

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 1 commit into
base: main
Choose a base branch
from
Open

[JSC] Fix GetButterfly handling in DFG array allocation sinking #47364

wants to merge 1 commit into from

Conversation

hyjorc1
Copy link
Contributor

@hyjorc1 hyjorc1 commented Jun 30, 2025
edited by webkit-early-warning-system
Loading

2c43384

[JSC] Fix GetButterfly handling in DFG array allocation sinking
https://bugs.webkit.org/show_bug.cgi?id=295191
rdar://154419571

Reviewed by NOBODY (OOPS!).

When arrays are sunk and later materialized in DFG object allocation sinking,
GetButterfly nodes that depend on those arrays were not properly updated to
reference the materialized arrays, causing incorrect butterfly references.

The fix tracks GetButterfly nodes as dependencies of array allocations and
creates materialized GetButterfly nodes that reference the materialized arrays
when arrays escape and need to be materialized.

2c43384

Misc iOS, visionOS, tvOS & watchOS macOS Linux Windows
✅ 🧪 style ✅ 🛠 ios ✅ 🛠 mac ❌ 🛠 wpe ✅ 🛠 win
✅ 🛠 ios-sim ✅ 🛠 mac-AS-debug ❌ 🧪 wpe-wk2 ⏳ 🧪 win-tests
✅ 🧪 webkitperl ✅ 🧪 ios-wk2 ✅ 🧪 api-mac ❌ 🧪 api-wpe
✅ 🧪 ios-wk2-wpt ✅ 🧪 mac-wk1 ✅ 🛠 wpe-cairo
✅ 🛠 🧪 jsc ✅ 🧪 api-ios ✅ 🧪 mac-wk2 ✅ 🛠 gtk
✅ 🛠 🧪 jsc-arm64 ✅ 🛠 vision ✅ 🧪 mac-AS-debug-wk2 ✅ 🧪 gtk-wk2
✅ 🛠 vision-sim ✅ 🧪 mac-wk2-stress ✅ 🧪 api-gtk
✅ 🧪 vision-wk2 ✅ 🧪 mac-intel-wk2 ✅ 🛠 playstation
✅ 🛠 tv ✅ 🛠 mac-safer-cpp ✅ 🛠 jsc-armv7
✅ 🛠 tv-sim ✅ 🧪 jsc-armv7-tests
✅ 🛠 watch
✅ 🛠 watch-sim

@hyjorc1 hyjorc1 requested a review from a team as a code owner June 30, 2025 07:02
@hyjorc1 hyjorc1 self-assigned this Jun 30, 2025
@hyjorc1 hyjorc1 added the JavaScriptCore For bugs in JavaScriptCore, the JS engine used by WebKit, other than kxmlcore issues. label Jun 30, 2025
@webkit-early-warning-system
Copy link
Collaborator

webkit-early-warning-system commented Jun 30, 2025
edited
Loading

EWS run on previous version of this PR (hash d98d524)

Misc iOS, visionOS, tvOS & watchOS macOS Linux Windows
✅ 🧪 style ✅ 🛠 ios ✅ 🛠 mac ✅ 🛠 wpe ✅ 🛠 win
✅ 🛠 ios-sim ✅ 🛠 mac-AS-debug 🧪 wpe-wk2 ⏳ 🧪 win-tests
✅ 🧪 webkitperl 🧪 ios-wk2 🧪 api-mac 🧪 api-wpe
🧪 ios-wk2-wpt 🧪 mac-wk1 ✅ 🛠 wpe-cairo
🛠 🧪 jsc 🧪 api-ios 🧪 mac-wk2 ✅ 🛠 gtk
🛠 🧪 jsc-arm64 ✅ 🛠 vision 🧪 mac-AS-debug-wk2 🧪 gtk-wk2
✅ 🛠 vision-sim 🧪 mac-wk2-stress 🧪 api-gtk
🧪 vision-wk2 🧪 mac-intel-wk2 ✅ 🛠 playstation
✅ 🛠 tv ✅ 🛠 mac-safer-cpp ✅ 🛠 jsc-armv7
✅ 🛠 tv-sim 🧪 jsc-armv7-tests
✅ 🛠 watch
✅ 🛠 watch-sim

@webkit-early-warning-system
Copy link
Collaborator

webkit-early-warning-system commented Jun 30, 2025
edited
Loading

EWS run on previous version of this PR (hash f0be5a6)

Misc iOS, visionOS, tvOS & watchOS macOS Linux Windows
✅ 🧪 style ✅ 🛠 ios ✅ 🛠 mac ✅ 🛠 wpe ✅ 🛠 win
✅ 🛠 ios-sim ✅ 🛠 mac-AS-debug ✅ 🧪 wpe-wk2 ⏳ 🧪 win-tests
✅ 🧪 webkitperl ✅ 🧪 ios-wk2 ✅ 🧪 api-mac ❌ 🧪 api-wpe
✅ 🧪 ios-wk2-wpt ❌ 🧪 mac-wk1 ✅ 🛠 wpe-cairo
❌ 🛠 🧪 jsc ✅ 🧪 api-ios ✅ 🧪 mac-wk2 ✅ 🛠 gtk
❌ 🛠 🧪 jsc-arm64 ✅ 🛠 vision ✅ 🧪 mac-AS-debug-wk2 ✅ 🧪 gtk-wk2
✅ 🛠 vision-sim ✅ 🧪 mac-wk2-stress ✅ 🧪 api-gtk
✅ 🧪 vision-wk2 ✅ 🧪 mac-intel-wk2 ✅ 🛠 playstation
✅ 🛠 tv ✅ 🛠 mac-safer-cpp ✅ 🛠 jsc-armv7
✅ 🛠 tv-sim ✅ 🧪 jsc-armv7-tests
✅ 🛠 watch
✅ 🛠 watch-sim

@webkit-ews-buildbot webkit-ews-buildbot added the merging-blocked Applied to prevent a change from being merged label Jun 30, 2025
@hyjorc1
[JSC] Fix GetButterfly handling in DFG array allocation sinking
2c43384 
https://bugs.webkit.org/show_bug.cgi?id=295191
rdar://154419571

Reviewed by NOBODY (OOPS!).

When arrays are sunk and later materialized in DFG object allocation sinking,
GetButterfly nodes that depend on those arrays were not properly updated to
reference the materialized arrays, causing incorrect butterfly references.

The fix tracks GetButterfly nodes as dependencies of array allocations and
creates materialized GetButterfly nodes that reference the materialized arrays
when arrays escape and need to be materialized.
@hyjorc1 hyjorc1 removed the merging-blocked Applied to prevent a change from being merged label Jun 30, 2025
@webkit-early-warning-system
Copy link
Collaborator

webkit-early-warning-system commented Jun 30, 2025
edited
Loading

EWS run on current version of this PR (hash 2c43384)

Misc iOS, visionOS, tvOS & watchOS macOS Linux Windows
✅ 🧪 style ✅ 🛠 ios ✅ 🛠 mac ❌ 🛠 wpe ✅ 🛠 win
✅ 🛠 ios-sim ✅ 🛠 mac-AS-debug ❌ 🧪 wpe-wk2 ⏳ 🧪 win-tests
✅ 🧪 webkitperl ✅ 🧪 ios-wk2 ✅ 🧪 api-mac ❌ 🧪 api-wpe
✅ 🧪 ios-wk2-wpt ✅ 🧪 mac-wk1 ✅ 🛠 wpe-cairo
✅ 🛠 🧪 jsc ✅ 🧪 api-ios ✅ 🧪 mac-wk2 ✅ 🛠 gtk
✅ 🛠 🧪 jsc-arm64 ✅ 🛠 vision ✅ 🧪 mac-AS-debug-wk2 ✅ 🧪 gtk-wk2
✅ 🛠 vision-sim ✅ 🧪 mac-wk2-stress ✅ 🧪 api-gtk
✅ 🧪 vision-wk2 ✅ 🧪 mac-intel-wk2 ✅ 🛠 playstation
✅ 🛠 tv ✅ 🛠 mac-safer-cpp ✅ 🛠 jsc-armv7
✅ 🛠 tv-sim ✅ 🧪 jsc-armv7-tests
✅ 🛠 watch
✅ 🛠 watch-sim

@webkit-ews-buildbot webkit-ews-buildbot added the merging-blocked Applied to prevent a change from being merged label Jun 30, 2025
Constellation
Constellation reviewed Jun 30, 2025
View reviewed changes
Copy link
Member

@Constellation Constellation left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We discussed offline with Yijia, and we think that we can make it simpler by introducing PhantomGetButterfly.

Source/JavaScriptCore/dfg/DFGObjectAllocationSinkingPhase.cpp
@@ -1030,14 +1030,17 @@ class ObjectAllocationSinkingPhase : public Phase {
Node* base = node->child1().node();
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Let's separate GetBufferfly and GetArrayLength handling, which makes code cleaner.

case GetButterfly {
   ...
   break;
}

case GetArrayLength: {
   ...
   break;
}

Source/JavaScriptCore/dfg/DFGObjectAllocationSinkingPhase.cpp
Comment on lines +2329 to +2333
case GetButterfly:
// GetButterfly nodes will be removed during DCE since they become unused
// after materialization replacement.
break;

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think using PhantomGetButterfly would be simpler. Then, without a special handling of dependency, we can just keep it in the phantom tree of creation.

Source/JavaScriptCore/dfg/DFGObjectAllocationSinkingPhase.cpp
Comment on lines +2202 to +2203
if (escapee->op() != GetButterfly)
populateMaterialization(block, materialization, escapee);
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

If we have PhantomGetButterfly, you do not need to have this.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@Constellation Constellation Constellation left review comments

Assignees

@hyjorc1 hyjorc1

Labels
JavaScriptCore For bugs in JavaScriptCore, the JS engine used by WebKit, other than kxmlcore issues. merging-blocked Applied to prevent a change from being merged
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
4 participants
@hyjorc1 @webkit-early-warning-system @Constellation @webkit-ews-buildbot