Changeset 220625 in webkit

Timestamp:

Aug 12, 2017 11:44:48 AM (7 years ago)

Author:

fpizlo@apple.com

Message:

Caging shouldn't have to use a patchpoint for adding
​https://bugs.webkit.org/show_bug.cgi?id=175483

Reviewed by Mark Lam.
Source/JavaScriptCore:

Caging involves doing a Add(ptr, largeConstant). All of B3's heuristics for how to deal with
constants and associative operations dictate that you always want to sink constants. For example,
Add(Add(a, constant), b) always becomes Add(Add(a, b), constant). This is profitable because in
typical code, it reveals downstream optimizations. But it's terrible in the case of caging, because
we want the large constant (which is shared by all caging operations) to be hoisted. Reassociating to
sink constants obscures the constant in this case. Currently, moveConstants is not smart enough to
reassociate, so instead of sinking largeConstant, it tries (and often fails) to sink some other
constants instead. Without some hacks, this is a 5% Kraken regression and a 1.6% Octane regression.
It's not clear that moveConstants could ever be smart enough to rematerialize that constant and then
hoist it - that would require quite a bit of algebraic reasoning. But the only case we know of where
our current constant reassociation heuristics are wrong is caging. So, we can get away with some
hacks for just stopping B3's reassociation only in this specific case.

Previously, we achieved this by concealing the Add(ptr, largeConstant) inside a patchpoint. That's
OK, but patchpoints are expensive. They require a SharedTask instance. They require callbacks from
the backend, including during register allocation. And they cannot be CSE'd. We do want B3 to know
that if we cage the same pointer in two places, both places will compute the same value.

This patch improves the situation by introducing the Opaque opcode. This is handled by LowerToAir as
if it was Identity, but all prior phases treat it as an unknown pure unary idempotent operation. I.e.
they know that Opaque(x) == Opaque(x) and that Opaque(Opaque(x)) == Opaque(x). But they don't know
that Opaque(x) == x until LowerToAir. So, you can use Opaque exactly when you know that B3 will mess
up your code but Air won't. (Currently we know of no cases where Air messes things up on a large
enough scale to warrant new opcodes.)

This change is perf-neutral, but may start to help as I add more uses of caged() in the FTL. It also
makes the code a bit less ugly.

• b3/B3LowerToAir.cpp:

(JSC::B3::Air::LowerToAir::shouldCopyPropagate):
(JSC::B3::Air::LowerToAir::lower):

• b3/B3Opcode.cpp:

(WTF::printInternal):

• b3/B3Opcode.h:
• b3/B3ReduceStrength.cpp:
• b3/B3Validate.cpp:
• b3/B3Value.cpp:

(JSC::B3::Value::effects const):
(JSC::B3::Value::key const):
(JSC::B3::Value::isFree const):
(JSC::B3::Value::typeFor):

• b3/B3Value.h:
• b3/B3ValueKey.cpp:

(JSC::B3::ValueKey::materialize const):

• ftl/FTLLowerDFGToB3.cpp:

(JSC::FTL::DFG::LowerDFGToB3::caged):

• ftl/FTLOutput.cpp:

(JSC::FTL::Output::opaque):

• ftl/FTLOutput.h:

Websites/webkit.org:

Write documentation for the new Opaque opcode.

• docs/b3/intermediate-representation.html:

Location:

trunk

Files:

• Source/JavaScriptCore/ChangeLog (modified) (1 diff)
• Source/JavaScriptCore/b3/B3LowerToAir.cpp (modified) (2 diffs)
• Source/JavaScriptCore/b3/B3Opcode.cpp (modified) (1 diff)
• Source/JavaScriptCore/b3/B3Opcode.h (modified) (2 diffs)
• Source/JavaScriptCore/b3/B3ReduceStrength.cpp (modified) (1 diff)
• Source/JavaScriptCore/b3/B3Validate.cpp (modified) (1 diff)
• Source/JavaScriptCore/b3/B3Value.cpp (modified) (4 diffs)
• Source/JavaScriptCore/b3/B3Value.h (modified) (1 diff)
• Source/JavaScriptCore/b3/B3ValueKey.cpp (modified) (4 diffs)
• Source/JavaScriptCore/ftl/FTLLowerDFGToB3.cpp (modified) (1 diff)
• Source/JavaScriptCore/ftl/FTLOutput.cpp (modified) (1 diff)
• Source/JavaScriptCore/ftl/FTLOutput.h (modified) (1 diff)
• Websites/webkit.org/ChangeLog (modified) (1 diff)
• Websites/webkit.org/docs/b3/intermediate-representation.html (modified) (1 diff)

trunk/Source/JavaScriptCore/ChangeLog

@@ +1 @@
+2017-08-11  Filip Pizlo  <fpizlo@apple.com>
+
+        Caging shouldn't have to use a patchpoint for adding
+        https://bugs.webkit.org/show_bug.cgi?id=175483
+
+        Reviewed by Mark Lam.
+
+        Caging involves doing a Add(ptr, largeConstant). All of B3's heuristics for how to deal with
+        constants and associative operations dictate that you always want to sink constants. For example,
+        Add(Add(a, constant), b) always becomes Add(Add(a, b), constant). This is profitable because in
+        typical code, it reveals downstream optimizations. But it's terrible in the case of caging, because
+        we want the large constant (which is shared by all caging operations) to be hoisted. Reassociating to
+        sink constants obscures the constant in this case. Currently, moveConstants is not smart enough to
+        reassociate, so instead of sinking largeConstant, it tries (and often fails) to sink some other
+        constants instead. Without some hacks, this is a 5% Kraken regression and a 1.6% Octane regression.
+        It's not clear that moveConstants could ever be smart enough to rematerialize that constant and then
+        hoist it - that would require quite a bit of algebraic reasoning. But the only case we know of where
+        our current constant reassociation heuristics are wrong is caging. So, we can get away with some
+        hacks for just stopping B3's reassociation only in this specific case.
+        
+        Previously, we achieved this by concealing the Add(ptr, largeConstant) inside a patchpoint. That's
+        OK, but patchpoints are expensive. They require a SharedTask instance. They require callbacks from
+        the backend, including during register allocation. And they cannot be CSE'd. We do want B3 to know
+        that if we cage the same pointer in two places, both places will compute the same value.
+        
+        This patch improves the situation by introducing the Opaque opcode. This is handled by LowerToAir as
+        if it was Identity, but all prior phases treat it as an unknown pure unary idempotent operation. I.e.
+        they know that Opaque(x) == Opaque(x) and that Opaque(Opaque(x)) == Opaque(x). But they don't know
+        that Opaque(x) == x until LowerToAir. So, you can use Opaque exactly when you know that B3 will mess
+        up your code but Air won't. (Currently we know of no cases where Air messes things up on a large
+        enough scale to warrant new opcodes.)
+        
+        This change is perf-neutral, but may start to help as I add more uses of caged() in the FTL. It also
+        makes the code a bit less ugly.
+
+        * b3/B3LowerToAir.cpp:
+        (JSC::B3::Air::LowerToAir::shouldCopyPropagate):
+        (JSC::B3::Air::LowerToAir::lower):
+        * b3/B3Opcode.cpp:
+        (WTF::printInternal):
+        * b3/B3Opcode.h:
+        * b3/B3ReduceStrength.cpp:
+        * b3/B3Validate.cpp:
+        * b3/B3Value.cpp:
+        (JSC::B3::Value::effects const):
+        (JSC::B3::Value::key const):
+        (JSC::B3::Value::isFree const):
+        (JSC::B3::Value::typeFor):
+        * b3/B3Value.h:
+        * b3/B3ValueKey.cpp:
+        (JSC::B3::ValueKey::materialize const):
+        * ftl/FTLLowerDFGToB3.cpp:
+        (JSC::FTL::DFG::LowerDFGToB3::caged):
+        * ftl/FTLOutput.cpp:
+        (JSC::FTL::Output::opaque):
+        * ftl/FTLOutput.h:
+
 2017-08-11  Filip Pizlo  <fpizlo@apple.com>
 

trunk/Source/JavaScriptCore/b3/B3LowerToAir.cpp

@@ -190 +190 @@
         case Trunc:
         case Identity:
+        case Opaque:
             return true;
         default:
@@ -3337 +3338 @@
         }
             
-        case Identity: {
+        case Identity:
+        case Opaque: {
             ASSERT(tmp(m_value->child(0)) == tmp(m_value));
             return;

trunk/Source/JavaScriptCore/b3/B3Opcode.cpp

@@ -107 +107 @@
         out.print("Identity");
         return;
+    case Opaque:
+        out.print("Opaque");
+        return;
     case Const32:
         out.print("Const32");

trunk/Source/JavaScriptCore/b3/B3Opcode.h

@@ -44 +44 @@
     // Polymorphic identity, usable with any value type.
     Identity,
+        
+    // This is an identity, but we prohibit the compiler from realizing this until the bitter end. This can
+    // be used to block reassociation and other compiler reasoning, if we find that it's wrong or
+    // unprofitable and we need an escape hatch.
+    Opaque,
 
     // Constants. Use the ConstValue* classes. Constants exist in the control flow, so that we can
@@ -259 +264 @@
     // because it unlocks reordering of users of @result and @phantom.
     //
-    // On X86, this is lowered to a load-load fence and @result uses @phantom directly.
+    // On X86, this is lowered to a load-load fence and @result folds to zero.
     //
     // On ARM, this is lowered as if like:

trunk/Source/JavaScriptCore/b3/B3ReduceStrength.cpp

@@ -486 +486 @@
     {
         switch (m_value->opcode()) {
+        case Opaque:
+            // Turn this: Opaque(Opaque(value))
+            // Into this: Opaque(value)
+            if (m_value->child(0)->opcode() == Opaque) {
+                replaceWithIdentity(m_value->child(0));
+                break;
+            }
+            break;
+            
         case Add:
             handleCommutativity();

trunk/Source/JavaScriptCore/b3/B3Validate.cpp

@@ -140 +140 @@
                 break;
             case Identity:
+            case Opaque:
                 VALIDATE(!value->kind().hasExtraBits(), ("At ", *value));
                 VALIDATE(value->numChildren() == 1, ("At ", *value));

trunk/Source/JavaScriptCore/b3/B3Value.cpp

@@ -547 +547 @@
     case Nop:
     case Identity:
+    case Opaque:
     case Const32:
     case Const64:
@@ -701 +702 @@
 ValueKey Value::key() const
 {
+    // NOTE: Except for exotic things like CheckAdd and friends, we want every case here to have a
+    // corresponding case in ValueKey::materialize().
     switch (opcode()) {
     case FramePointer:
         return ValueKey(kind(), type());
     case Identity:
+    case Opaque:
     case Abs:
     case Ceil:
@@ -795 +799 @@
     case ConstFloat:
     case Identity:
+    case Opaque:
     case Nop:
         return true;
@@ -810 +815 @@
     switch (kind.opcode()) {
     case Identity:
+    case Opaque:
     case Add:
     case Sub:

trunk/Source/JavaScriptCore/b3/B3Value.h

@@ -329 +329 @@
             break;
         case Identity:
+        case Opaque:
         case Neg:
         case Clz:

trunk/Source/JavaScriptCore/b3/B3ValueKey.cpp

@@ -1 +1 @@
 /*
- * Copyright (C) 2015-2016 Apple Inc. All rights reserved.
+ * Copyright (C) 2015-2017 Apple Inc. All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
@@ -57 +57 @@
 Value* ValueKey::materialize(Procedure& proc, Origin origin) const
 {
+    // NOTE: We sometimes cannot return a Value* for some key, like for Check and friends. That's because
+    // though those nodes have side exit effects. It would be weird to materialize anything that has a side
+    // exit. We can't possibly know enough about a side exit to know where it would be safe to emit one.
     switch (opcode()) {
     case FramePointer:
         return proc.add<Value>(kind(), type(), origin);
     case Identity:
+    case Opaque:
+    case Abs:
+    case Floor:
+    case Ceil:
     case Sqrt:
+    case Neg:
+    case Depend:
     case SExt8:
     case SExt16:
@@ -72 +81 @@
     case FloatToDouble:
     case DoubleToFloat:
-    case Check:
         return proc.add<Value>(kind(), type(), origin, child(proc, 0));
     case Add:
@@ -97 +105 @@
     case AboveEqual:
     case BelowEqual:
+    case EqualOrUnordered:
         return proc.add<Value>(kind(), type(), origin, child(proc, 0), child(proc, 1));
     case Select:

trunk/Source/JavaScriptCore/ftl/FTLLowerDFGToB3.cpp

@@ -11627 +11627 @@
         LValue mask = m_out.constIntPtr(GIGACAGE_MASK);
         
-        // We don't have to worry about B3 messing up the bitAnd. Also, we want to get B3's excellent
-        // codegen for 2-operand andq on x86-64.
         LValue masked = m_out.bitAnd(ptr, mask);
-        
-        // But B3 will currently mess up the code generation of this add. Basically, any offset from what we
-        // compute here will get reassociated and folded with Gigacage::basePtr. There's a world in which
-        // moveConstants() observes that it needs to reassociate in order to hoist the big constants. But
-        // it's much easier to just block B3's badness here. That's what we do for now.
-        // FIXME: It would be better if we didn't have to do this hack.
-        // https://bugs.webkit.org/show_bug.cgi?id=175483
-        PatchpointValue* patchpoint = m_out.patchpoint(pointerType());
-        patchpoint->appendSomeRegister(basePtr);
-        patchpoint->appendSomeRegister(masked);
-        patchpoint->setGenerator(
-            [] (CCallHelpers& jit, const StackmapGenerationParams& params) {
-                jit.addPtr(params[1].gpr(), params[2].gpr(), params[0].gpr());
-            });
-        patchpoint->effects = Effects::none();
-        return patchpoint;
+        LValue result = m_out.add(masked, basePtr);
+
+        // Make sure that B3 doesn't try to do smart reassociation of these pointer bits.
+        // FIXME: In an ideal world, B3 would not do harmful reassociations, and if it did, it would be able
+        // to undo them during constant hoisting and regalloc. As it stands, if you remove this then Octane
+        // gets 1.6% slower and Kraken gets 5% slower. It's all because the basePtr, which is a constant,
+        // gets reassociated out of the add above and into the address arithmetic. This disables hoisting of
+        // the basePtr constant. Hoisting that constant is worth a lot more perf than the reassociation. One
+        // way to make this all work happily is to combine offset legalization with constant hoisting, and
+        // then teach it reassociation. So, Add(Add(a, b), const) where a is loop-invariant while b isn't
+        // will turn into Add(Add(a, const), b) by the constant hoister. We would have to teach B3 to do this
+        // and possibly other smart things if we want to be able to remove this opaque.
+        // https://bugs.webkit.org/show_bug.cgi?id=175493
+        return m_out.opaque(result);
     }
     

trunk/Source/JavaScriptCore/ftl/FTLOutput.cpp

@@ -128 +128 @@
 }
 
+LValue Output::opaque(LValue value)
+{
+    return m_block->appendNew<Value>(m_proc, Opaque, origin(), value);
+}
+
 LValue Output::add(LValue left, LValue right)
 {

trunk/Source/JavaScriptCore/ftl/FTLOutput.h

@@ -152 +152 @@
     template<typename... Params>
     void addIncomingToPhi(LValue phi, ValueFromBlock, Params... theRest);
+    
+    LValue opaque(LValue);
 
     LValue add(LValue, LValue);

trunk/Websites/webkit.org/ChangeLog

@@ +1 @@
+2017-08-11  Filip Pizlo  <fpizlo@apple.com>
+
+        Caging shouldn't have to use a patchpoint for adding
+        https://bugs.webkit.org/show_bug.cgi?id=175483
+
+        Reviewed by Mark Lam.
+        
+        Write documentation for the new Opaque opcode.
+
+        * docs/b3/intermediate-representation.html:
+
 2017-08-07  Jon Davis  <jond@apple.com>
 

trunk/Websites/webkit.org/docs/b3/intermediate-representation.html

@@ -216 +216 @@
         to an Identity by doing convertToIdentity(otherValue).  If the value is Void,
         convertToIdentity() converts it to a Nop instead.</dd>
+
+      <dt>T Opaque(T)</dt>
+      <dd>Returns the passed value.  May be used for any type except Void.  This opcode is provided as a hack
+        for avoiding B3 optimizations that the client finds unprofitable.  B3 treats Opaque as an identity
+        only during instruction selection.  All prior optimizations (including all B3 IR optimizations) do
+        not know what Opaque does, other than Opaque(x) == Opaque(x) and Opaque(Opaque(x)) == Opaque(x).</dd>
 
       <dt>Int32 Const32(constant)</dt>