Changeset 277383 in webkit

Timestamp:

May 12, 2021, 12:11:25 PM (4 years ago)

Author:

mark.lam@apple.com

Message:

Implement some common Baseline JIT slow paths using JIT thunks.
​https://bugs.webkit.org/show_bug.cgi?id=225682

Reviewed by Filip Pizlo.

Source/JavaScriptCore:

This patch implements the following changes:

1. Implement exception handling thunks:
   1. handleExceptionGenerator, which calls operationLookupExceptionHandler().
   2. handleExceptionWithCallFrameRollbackGenerator, which calls operationLookupExceptionHandlerFromCallerFrame().

All the JIT tiers were emitting their own copy of these routines to call these
operation, one per CodeBlock. We now emit 2 thunks for these and have all the
tiers just jump to them.

PolymorphicAccess also now uses the handleExceptionGenerator thunk.

DFG::JITCompiler::compileExceptionHandlers() has one small behavior difference
before it calls operationLookupExceptionHandlerFromCallerFrame(): it first
re-sets the top of stack for the function where we are about to throw a
StackOverflowError from. This re-setting of top of stack is useless because
we're imminently unwinding out of at least this frame for the StackOverflowError.
Hence, it is ok to use the handleExceptionWithCallFrameRollbackGenerator thunk
here as well. Note that no other tiers does this re-setting of top of stack.

FTLLowerDFGToB3 has one case using operationLookupExceptionHandlerFromCallerFrame()
which cannot be refactored to use these thunks because it does additional
work to throw a StackOverflowError. A different thunk will be needed. I left
it alone for now.

2. Introduce JITThunks::existingCTIStub(ThunkGenerator, NoLockingNecessaryTag) so that a thunk can get a pointer to another thunk without locking the JITThunks lock. Otherwise, deadlock ensues.

3. Change SlowPathCall to emit and use thunks instead of emitting a blob of code to call a slow path function for every bytecode in a CodeBlock.

4. Introduce JITThunks::ctiSlowPathFunctionStub() to manage these SlowPathFunction thunks.

5. Introduce JITThunks::preinitializeAggressiveCTIThunks() to initialize these thunks at VM initialization time. Pre-initializing them has multiple benefits:
   1. the thunks are not scattered through out JIT memory, thereby reducing fragmentation.
   2. we don't spend time at runtime compiling them when the user is interacting with the VM. Conceptually, these thunks can be VM independent and can be shared by VMs process-wide. However, it will require some additional work. For now, the thunks remain bound to a specific VM instance.

These changes are only enabled when ENABLE(EXTRA_CTI_THUNKS), which is currently
only available for ARM64 and non-Windows x86_64.

This patch has passed JSC tests on AS Mac.

With this patch, --dumpLinkBufferStats shows the following changes in emitted
JIT code size (using a single run of the CLI version of JetStream2 on AS Mac):

Base New Diff

BaselineJIT: 89089964 (84.962811 MB) 84624776 (80.704475 MB) 0.95x (reduction)

DFG: 39117360 (37.305222 MB) 36415264 (34.728302 MB) 0.93x (reduction)

Thunk: 23230968 (22.154778 MB) 23130336 (22.058807 MB) 1.00x

InlineCache: 22027416 (21.006981 MB) 21969728 (20.951965 MB) 1.00x

FTL: 6575772 (6.271145 MB) 6097336 (5.814873 MB) 0.93x (reduction)

Wasm: 2302724 (2.196049 MB) 2301956 (2.195316 MB) 1.00x

YarrJIT: 1538956 (1.467663 MB) 1522488 (1.451958 MB) 0.99x

CSSJIT: 0 0

Uncategorized: 0 0

• CMakeLists.txt:
• JavaScriptCore.xcodeproj/project.pbxproj:
• Sources.txt:
• bytecode/CodeBlock.h:

(JSC::CodeBlock::offsetOfInstructionsRawPointer):

• bytecode/PolymorphicAccess.cpp:

(JSC::AccessGenerationState::emitExplicitExceptionHandler):

• dfg/DFGJITCompiler.cpp:

(JSC::DFG::JITCompiler::compileExceptionHandlers):
(JSC::DFG::JITCompiler::link):

• dfg/DFGJITCompiler.h:
• ftl/FTLCompile.cpp:

(JSC::FTL::compile):

• ftl/FTLLink.cpp:

(JSC::FTL::link):

• jit/JIT.cpp:

(JSC::JIT::link):
(JSC::JIT::privateCompileExceptionHandlers):

• jit/JIT.h:
• jit/JITThunks.cpp:

(JSC::JITThunks::existingCTIStub):
(JSC::JITThunks::ctiSlowPathFunctionStub):
(JSC::JITThunks::preinitializeExtraCTIThunks):

• jit/JITThunks.h:
• jit/SlowPathCall.cpp: Added.

(JSC::JITSlowPathCall::call):
(JSC::JITSlowPathCall::generateThunk):

• jit/SlowPathCall.h:
• jit/ThunkGenerators.cpp:

(JSC::handleExceptionGenerator):
(JSC::handleExceptionWithCallFrameRollbackGenerator):
(JSC::popThunkStackPreservesAndHandleExceptionGenerator):

• jit/ThunkGenerators.h:
• runtime/CommonSlowPaths.h:
• runtime/SlowPathFunction.h: Added.
• runtime/VM.cpp:

(JSC::VM::VM):

Source/WTF:

Introduce ENABLE(EXTRA_CTI_THUNKS) flag to guard the use of these new thunks.
Currently, the thunks are 64-bit only, and only supported for ARM64 and non-Windows
X86_64. The reason it is not supported for Windows as well is because Windows
only has 4 argument registers. In this patch, the thunks do not use that many
registers yet, but there will be more thunks coming that will require the use
of up to 6 argument registers.

• wtf/PlatformEnable.h:

Location:

trunk/Source

Files:

• JavaScriptCore/CMakeLists.txt (modified) (1 diff)
• JavaScriptCore/ChangeLog (modified) (1 diff)
• JavaScriptCore/JavaScriptCore.xcodeproj/project.pbxproj (modified) (6 diffs)
• JavaScriptCore/Sources.txt (modified) (1 diff)
• JavaScriptCore/bytecode/CodeBlock.h (modified) (1 diff)
• JavaScriptCore/bytecode/PolymorphicAccess.cpp (modified) (3 diffs)
• JavaScriptCore/dfg/DFGJITCompiler.cpp (modified) (3 diffs)
• JavaScriptCore/dfg/DFGJITCompiler.h (modified) (1 diff)
• JavaScriptCore/ftl/FTLCompile.cpp (modified) (3 diffs)
• JavaScriptCore/ftl/FTLLink.cpp (modified) (3 diffs)
• JavaScriptCore/jit/JIT.cpp (modified) (5 diffs)
• JavaScriptCore/jit/JIT.h (modified) (1 diff)
• JavaScriptCore/jit/JITThunks.cpp (modified) (5 diffs)
• JavaScriptCore/jit/JITThunks.h (modified) (4 diffs)
• JavaScriptCore/jit/SlowPathCall.cpp (added)
• JavaScriptCore/jit/SlowPathCall.h (modified) (4 diffs)
• JavaScriptCore/jit/ThunkGenerators.cpp (modified) (2 diffs)
• JavaScriptCore/jit/ThunkGenerators.h (modified) (2 diffs)
• JavaScriptCore/runtime/CommonSlowPaths.h (modified) (3 diffs)
• JavaScriptCore/runtime/SlowPathFunction.h (added)
• JavaScriptCore/runtime/VM.cpp (modified) (1 diff)
• WTF/ChangeLog (modified) (1 diff)
• WTF/wtf/PlatformEnable.h (modified) (2 diffs)

trunk/Source/JavaScriptCore/CMakeLists.txt

@@ -1064 +1064 @@
     runtime/ScriptFetchParameters.h
     runtime/ScriptFetcher.h
+    runtime/SlowPathFunction.h
     runtime/SlowPathReturnType.h
     runtime/SmallStrings.h

trunk/Source/JavaScriptCore/ChangeLog

@@ +1 @@
+2021-05-12  Mark Lam  <mark.lam@apple.com>
+
+        Implement some common Baseline JIT slow paths using JIT thunks.
+        https://bugs.webkit.org/show_bug.cgi?id=225682
+
+        Reviewed by Filip Pizlo.
+
+        This patch implements the following changes:
+
+        1. Implement exception handling thunks:
+           a. handleExceptionGenerator, which calls operationLookupExceptionHandler().
+           b. handleExceptionWithCallFrameRollbackGenerator, which calls
+              operationLookupExceptionHandlerFromCallerFrame().
+
+           All the JIT tiers were emitting their own copy of these routines to call these
+           operation, one per CodeBlock.  We now emit 2 thunks for these and have all the
+           tiers just jump to them.
+
+           PolymorphicAccess also now uses the handleExceptionGenerator thunk.
+
+           DFG::JITCompiler::compileExceptionHandlers() has one small behavior difference
+           before it calls operationLookupExceptionHandlerFromCallerFrame(): it first
+           re-sets the top of stack for the function where we are about to throw a
+           StackOverflowError from.  This re-setting of top of stack is useless because
+           we're imminently unwinding out of at least this frame for the StackOverflowError.
+           Hence, it is ok to use the handleExceptionWithCallFrameRollbackGenerator thunk
+           here as well.  Note that no other tiers does this re-setting of top of stack.
+
+           FTLLowerDFGToB3 has one case using operationLookupExceptionHandlerFromCallerFrame()
+           which cannot be refactored to use these thunks because it does additional
+           work to throw a StackOverflowError.  A different thunk will be needed.  I left
+           it alone for now.
+
+        2. Introduce JITThunks::existingCTIStub(ThunkGenerator, NoLockingNecessaryTag) so
+           that a thunk can get a pointer to another thunk without locking the JITThunks
+           lock.  Otherwise, deadlock ensues.
+
+        3. Change SlowPathCall to emit and use thunks instead of emitting a blob of code
+           to call a slow path function for every bytecode in a CodeBlock.
+
+        4. Introduce JITThunks::ctiSlowPathFunctionStub() to manage these SlowPathFunction
+           thunks.
+
+        5. Introduce JITThunks::preinitializeAggressiveCTIThunks() to initialize these
+           thunks at VM initialization time.  Pre-initializing them has multiple benefits:
+           a. the thunks are not scattered through out JIT memory, thereby reducing
+              fragmentation.
+           b. we don't spend time at runtime compiling them when the user is interacting
+              with the VM.  Conceptually, these thunks can be VM independent and can be
+              shared by VMs process-wide.  However, it will require some additional work.
+              For now, the thunks remain bound to a specific VM instance.
+
+        These changes are only enabled when ENABLE(EXTRA_CTI_THUNKS), which is currently
+        only available for ARM64 and non-Windows x86_64.
+
+        This patch has passed JSC tests on AS Mac.
+
+        With this patch, --dumpLinkBufferStats shows the following changes in emitted
+        JIT code size (using a single run of the CLI version of JetStream2 on AS Mac):
+
+                        Base                     New                      Diff
+
+           BaselineJIT: 89089964 (84.962811 MB)  84624776 (80.704475 MB)  0.95x (reduction)
+                   DFG: 39117360 (37.305222 MB)  36415264 (34.728302 MB)  0.93x (reduction)
+                 Thunk: 23230968 (22.154778 MB)  23130336 (22.058807 MB)  1.00x
+           InlineCache: 22027416 (21.006981 MB)  21969728 (20.951965 MB)  1.00x
+                   FTL: 6575772 (6.271145 MB)    6097336 (5.814873 MB)    0.93x (reduction)
+                  Wasm: 2302724 (2.196049 MB)    2301956 (2.195316 MB)    1.00x
+               YarrJIT: 1538956 (1.467663 MB)    1522488 (1.451958 MB)    0.99x
+                CSSJIT: 0                        0
+         Uncategorized: 0                        0
+
+        * CMakeLists.txt:
+        * JavaScriptCore.xcodeproj/project.pbxproj:
+        * Sources.txt:
+        * bytecode/CodeBlock.h:
+        (JSC::CodeBlock::offsetOfInstructionsRawPointer):
+        * bytecode/PolymorphicAccess.cpp:
+        (JSC::AccessGenerationState::emitExplicitExceptionHandler):
+        * dfg/DFGJITCompiler.cpp:
+        (JSC::DFG::JITCompiler::compileExceptionHandlers):
+        (JSC::DFG::JITCompiler::link):
+        * dfg/DFGJITCompiler.h:
+        * ftl/FTLCompile.cpp:
+        (JSC::FTL::compile):
+        * ftl/FTLLink.cpp:
+        (JSC::FTL::link):
+        * jit/JIT.cpp:
+        (JSC::JIT::link):
+        (JSC::JIT::privateCompileExceptionHandlers):
+        * jit/JIT.h:
+        * jit/JITThunks.cpp:
+        (JSC::JITThunks::existingCTIStub):
+        (JSC::JITThunks::ctiSlowPathFunctionStub):
+        (JSC::JITThunks::preinitializeExtraCTIThunks):
+        * jit/JITThunks.h:
+        * jit/SlowPathCall.cpp: Added.
+        (JSC::JITSlowPathCall::call):
+        (JSC::JITSlowPathCall::generateThunk):
+        * jit/SlowPathCall.h:
+        * jit/ThunkGenerators.cpp:
+        (JSC::handleExceptionGenerator):
+        (JSC::handleExceptionWithCallFrameRollbackGenerator):
+        (JSC::popThunkStackPreservesAndHandleExceptionGenerator):
+        * jit/ThunkGenerators.h:
+        * runtime/CommonSlowPaths.h:
+        * runtime/SlowPathFunction.h: Added.
+        * runtime/VM.cpp:
+        (JSC::VM::VM):
+
 2021-05-12  Commit Queue  <commit-queue@webkit.org>
 

trunk/Source/JavaScriptCore/JavaScriptCore.xcodeproj/project.pbxproj

@@ -1989 +1989 @@
                 FE7C41961B97FC4B00F4D598 /* PingPongStackOverflowTest.cpp in Sources */ = {isa = PBXBuildFile; fileRef = FEDA50D41B97F442009A3B4F /* PingPongStackOverflowTest.cpp */; };
                 FE80C1971D775CDD008510C0 /* CatchScope.h in Headers */ = {isa = PBXBuildFile; fileRef = FE80C1961D775B27008510C0 /* CatchScope.h */; settings = {ATTRIBUTES = (Private, ); }; };
+                FE8C0312264A6911001A44AD /* SlowPathFunction.h in Headers */ = {isa = PBXBuildFile; fileRef = FE8C0311264A6910001A44AD /* SlowPathFunction.h */; settings = {ATTRIBUTES = (Private, ); }; };
                 FE8DE54B23AC1DAD005C9142 /* CacheableIdentifier.h in Headers */ = {isa = PBXBuildFile; fileRef = FE8DE54A23AC1DAD005C9142 /* CacheableIdentifier.h */; };
                 FE8DE54D23AC1E86005C9142 /* CacheableIdentifierInlines.h in Headers */ = {isa = PBXBuildFile; fileRef = FE8DE54C23AC1E86005C9142 /* CacheableIdentifierInlines.h */; };
@@ -4011 +4012 @@
                 6A38CFA81E32B58B0060206F /* AsyncStackTrace.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = AsyncStackTrace.h; sourceTree = "<group>"; };
                 6AD2CB4C19B9140100065719 /* DebuggerEvalEnabler.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = DebuggerEvalEnabler.h; sourceTree = "<group>"; };
+                6B731CC02647A8370014646F /* SlowPathCall.cpp */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.cpp.cpp; path = SlowPathCall.cpp; sourceTree = "<group>"; };
                 6BA93C9590484C5BAD9316EA /* JSScriptFetcher.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = JSScriptFetcher.h; sourceTree = "<group>"; };
                 6BCCEC0325D1FA27000F391D /* VerifierSlotVisitorInlines.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = VerifierSlotVisitorInlines.h; sourceTree = "<group>"; };
@@ -5363 +5365 @@
                 FE80C1981D775FB4008510C0 /* CatchScope.cpp */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.cpp.cpp; path = CatchScope.cpp; sourceTree = "<group>"; };
                 FE80C19A1D7768FD008510C0 /* ExceptionEventLocation.cpp */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.cpp.cpp; path = ExceptionEventLocation.cpp; sourceTree = "<group>"; };
+                FE8C0311264A6910001A44AD /* SlowPathFunction.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = SlowPathFunction.h; sourceTree = "<group>"; };
                 FE8DE54A23AC1DAD005C9142 /* CacheableIdentifier.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = CacheableIdentifier.h; sourceTree = "<group>"; };
                 FE8DE54C23AC1E86005C9142 /* CacheableIdentifierInlines.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = CacheableIdentifierInlines.h; sourceTree = "<group>"; };
@@ -6303 +6306 @@
                                 0FEE98421A89227500754E93 /* SetupVarargsFrame.cpp */,
                                 0FEE98401A8865B600754E93 /* SetupVarargsFrame.h */,
+                                6B731CC02647A8370014646F /* SlowPathCall.cpp */,
                                 A709F2EF17A0AC0400512E98 /* SlowPathCall.h */,
                                 E3F23A7B1ECF13E500978D99 /* Snippet.h */,
@@ -7837 +7841 @@
                                 0F2B66D617B6B5AB00A7AE3F /* SimpleTypedArrayController.cpp */,
                                 0F2B66D717B6B5AB00A7AE3F /* SimpleTypedArrayController.h */,
+                                FE8C0311264A6910001A44AD /* SlowPathFunction.h */,
                                 0F5B4A321C84F0D600F1B17E /* SlowPathReturnType.h */,
                                 93303FE80E6A72B500786E6A /* SmallStrings.cpp */,
@@ -10243 +10248 @@
                                 86E3C61B167BABEE006D760A /* JSValueInternal.h in Headers */,
                                 53E1F8F82154715A0001DDBC /* JSValuePrivate.h in Headers */,
+                                FE8C0312264A6911001A44AD /* SlowPathFunction.h in Headers */,
                                 BC18C42C0E16F5CD00B34460 /* JSValueRef.h in Headers */,
                                 86E3C615167BABD7006D760A /* JSVirtualMachine.h in Headers */,

trunk/Source/JavaScriptCore/Sources.txt

@@ -677 +677 @@
 jit/ScratchRegisterAllocator.cpp
 jit/SetupVarargsFrame.cpp
+jit/SlowPathCall.cpp
 jit/TagRegistersMode.cpp
 jit/TempRegisterSet.cpp

trunk/Source/JavaScriptCore/bytecode/CodeBlock.h

@@ -916 +916 @@
     const void* instructionsRawPointer() { return m_instructionsRawPointer; }
 
+    static ptrdiff_t offsetOfInstructionsRawPointer() { return OBJECT_OFFSETOF(CodeBlock, m_instructionsRawPointer); }
+
     bool loopHintsAreEligibleForFuzzingEarlyReturn()
     {

trunk/Source/JavaScriptCore/bytecode/PolymorphicAccess.cpp

@@ -41 +41 @@
 #include "StructureStubInfo.h"
 #include "SuperSampler.h"
+#include "ThunkGenerators.h"
 #include <wtf/CommaPrinter.h>
 #include <wtf/ListDump.h>
@@ -227 +228 @@
             });
     } else {
+#if ENABLE(EXTRA_CTI_THUNKS)
+        CCallHelpers::Jump jumpToExceptionHandler = jit->jump();
+        VM* vm = &m_vm;
+        jit->addLinkTask(
+            [=] (LinkBuffer& linkBuffer) {
+                linkBuffer.link(jumpToExceptionHandler, CodeLocationLabel(vm->getCTIStub(handleExceptionGenerator).retaggedCode<NoPtrTag>()));
+            });
+#else
         jit->setupArguments<decltype(operationLookupExceptionHandler)>(CCallHelpers::TrustedImmPtr(&m_vm));
         jit->prepareCallOperation(m_vm);
@@ -235 +244 @@
             });
         jit->jumpToExceptionHandler(m_vm);
+#endif
     }
 }

trunk/Source/JavaScriptCore/dfg/DFGJITCompiler.cpp

@@ -138 +138 @@
 void JITCompiler::compileExceptionHandlers()
 {
+#if !ENABLE(EXTRA_CTI_THUNKS)
     if (!m_exceptionChecksWithCallFrameRollback.empty()) {
         m_exceptionChecksWithCallFrameRollback.link(this);
@@ -166 +167 @@
         jumpToExceptionHandler(vm());
     }
+#endif // ENABLE(EXTRA_CTI_THUNKS)
 }
 
@@ -282 +284 @@
             linkBuffer.locationOfNearCall<JSInternalPtrTag>(record.call));
     }
-    
+
+#if ENABLE(EXTRA_CTI_THUNKS)
+    if (!m_exceptionChecks.empty())
+        linkBuffer.link(m_exceptionChecks, CodeLocationLabel(vm().getCTIStub(handleExceptionGenerator).retaggedCode<NoPtrTag>()));
+    if (!m_exceptionChecksWithCallFrameRollback.empty())
+        linkBuffer.link(m_exceptionChecksWithCallFrameRollback, CodeLocationLabel(vm().getCTIStub(handleExceptionWithCallFrameRollbackGenerator).retaggedCode<NoPtrTag>()));
+#endif // ENABLE(EXTRA_CTI_THUNKS)
+
     MacroAssemblerCodeRef<JITThunkPtrTag> osrExitThunk = vm().getCTIStub(osrExitGenerationThunkGenerator);
     auto target = CodeLocationLabel<JITThunkPtrTag>(osrExitThunk.code());

trunk/Source/JavaScriptCore/dfg/DFGJITCompiler.h

@@ -324 +324 @@
     JumpList m_exceptionChecks;
     JumpList m_exceptionChecksWithCallFrameRollback;
-    
+
     Vector<Label> m_blockHeads;
 

trunk/Source/JavaScriptCore/ftl/FTLCompile.cpp

@@ -41 +41 @@
 #include "LinkBuffer.h"
 #include "PCToCodeOriginMap.h"
+#include "ThunkGenerators.h"
 #include <wtf/RecursableLambda.h>
 
@@ -126 +127 @@
     // Emit the exception handler.
     *state.exceptionHandler = jit.label();
+#if ENABLE(EXTRA_CTI_THUNKS)
+    CCallHelpers::Jump handler = jit.jump();
+    VM* vmPtr = &vm;
+    jit.addLinkTask(
+        [=] (LinkBuffer& linkBuffer) {
+            linkBuffer.link(handler, CodeLocationLabel(vmPtr->getCTIStub(handleExceptionGenerator).retaggedCode<NoPtrTag>()));
+        });
+#else
     jit.copyCalleeSavesToEntryFrameCalleeSavesBuffer(vm.topEntryFrame);
     jit.move(MacroAssembler::TrustedImmPtr(&vm), GPRInfo::argumentGPR0);
@@ -135 +144 @@
             linkBuffer.link(call, FunctionPtr<OperationPtrTag>(operationLookupExceptionHandler));
         });
+#endif // ENABLE(EXTRA_CTI_THUNKS)
 
     state.finalizer->b3CodeLinkBuffer = makeUnique<LinkBuffer>(jit, codeBlock, LinkBuffer::Profile::FTL, JITCompilationCanFail);

trunk/Source/JavaScriptCore/ftl/FTLLink.cpp

@@ -146 +146 @@
             CCallHelpers::Call callArityCheck = jit.call(OperationPtrTag);
 
+#if ENABLE(EXTRA_CTI_THUNKS)
+            auto jumpToExceptionHandler = jit.branch32(CCallHelpers::LessThan, GPRInfo::returnValueGPR, CCallHelpers::TrustedImm32(0));
+#else
             auto noException = jit.branch32(CCallHelpers::GreaterThanOrEqual, GPRInfo::returnValueGPR, CCallHelpers::TrustedImm32(0));
             jit.copyCalleeSavesToEntryFrameCalleeSavesBuffer(vm.topEntryFrame);
@@ -153 +156 @@
             jit.jumpToExceptionHandler(vm);
             noException.link(&jit);
+#endif // ENABLE(EXTRA_CTI_THUNKS)
 
             if (ASSERT_ENABLED) {
@@ -175 +179 @@
             }
             linkBuffer->link(callArityCheck, FunctionPtr<OperationPtrTag>(codeBlock->isConstructor() ? operationConstructArityCheck : operationCallArityCheck));
+#if ENABLE(EXTRA_CTI_THUNKS)
+            linkBuffer->link(jumpToExceptionHandler, CodeLocationLabel(vm.getCTIStub(handleExceptionWithCallFrameRollbackGenerator).retaggedCode<NoPtrTag>()));
+#else
             linkBuffer->link(callLookupExceptionHandlerFromCallerFrame, FunctionPtr<OperationPtrTag>(operationLookupExceptionHandlerFromCallerFrame));
+#endif
             linkBuffer->link(callArityFixup, FunctionPtr<JITThunkPtrTag>(vm.getCTIStub(arityFixupGenerator).code()));
             linkBuffer->link(mainPathJumps, state.generatedFunction);

trunk/Source/JavaScriptCore/jit/JIT.cpp

@@ -898 +898 @@
     }
 
+#if ENABLE(EXTRA_CTI_THUNKS)
+    if (!m_exceptionChecks.empty())
+        patchBuffer.link(m_exceptionChecks, CodeLocationLabel(vm().getCTIStub(handleExceptionGenerator).retaggedCode<NoPtrTag>()));
+    if (!m_exceptionChecksWithCallFrameRollback.empty())
+        patchBuffer.link(m_exceptionChecksWithCallFrameRollback, CodeLocationLabel(vm().getCTIStub(handleExceptionWithCallFrameRollbackGenerator).retaggedCode<NoPtrTag>()));
+#endif
 
     for (auto& record : m_nearCalls) {
@@ -907 +913 @@
             patchBuffer.link(record.from, record.callee);
     }
-    
+
     finalizeInlineCaches(m_getByIds, patchBuffer);
     finalizeInlineCaches(m_getByVals, patchBuffer);
@@ -919 +925 @@
 
     if (m_byValCompilationInfo.size()) {
+#if ENABLE(EXTRA_CTI_THUNKS)
+        CodeLocationLabel exceptionHandler(vm().getCTIStub(handleExceptionGenerator).retaggedCode<ExceptionHandlerPtrTag>());
+#else
         CodeLocationLabel<ExceptionHandlerPtrTag> exceptionHandler = patchBuffer.locationOf<ExceptionHandlerPtrTag>(m_exceptionHandler);
+#endif
 
         for (const auto& byValCompilationInfo : m_byValCompilationInfo) {
@@ -1010 +1020 @@
 void JIT::privateCompileExceptionHandlers()
 {
+#if !ENABLE(EXTRA_CTI_THUNKS)
     if (!m_exceptionChecksWithCallFrameRollback.empty()) {
         m_exceptionChecksWithCallFrameRollback.link(this);
@@ -1034 +1045 @@
         jumpToExceptionHandler(vm());
     }
+#endif // ENABLE(EXTRA_CTI_THUNKS)
 }
 

trunk/Source/JavaScriptCore/jit/JIT.h

@@ -988 +988 @@
         JumpList m_exceptionChecks;
         JumpList m_exceptionChecksWithCallFrameRollback;
+#if !ENABLE(EXTRA_CTI_THUNKS)
         Label m_exceptionHandler;
+#endif
 
         unsigned m_getByIdIndex { UINT_MAX };

trunk/Source/JavaScriptCore/jit/JITThunks.cpp

@@ -1 +1 @@
 /*
- * Copyright (C) 2012-2020 Apple Inc. All rights reserved.
+ * Copyright (C) 2012-2021 Apple Inc. All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
@@ -29 +29 @@
 #if ENABLE(JIT)
 
+#include "CommonSlowPaths.h"
 #include "JITCode.h"
 #include "JSCJSValueInlines.h"
+#include "SlowPathCall.h"
 #include "ThunkGenerators.h"
 #include "VM.h"
@@ -142 +144 @@
 {
     LockHolder locker(m_lock);
+    return existingCTIStub(generator, NoLockingNecessary);
+}
+
+MacroAssemblerCodeRef<JITThunkPtrTag> JITThunks::existingCTIStub(ThunkGenerator generator, NoLockingNecessaryTag)
+{
     CTIStubMap::iterator entry = m_ctiStubMap.find(generator);
     if (entry == m_ctiStubMap.end())
@@ -147 +154 @@
     return entry->value;
 }
+
+#if ENABLE(EXTRA_CTI_THUNKS)
+
+MacroAssemblerCodeRef<JITThunkPtrTag> JITThunks::ctiSlowPathFunctionStub(VM& vm, SlowPathFunction slowPathFunction)
+{
+    LockHolder locker(m_lock);
+    auto key = bitwise_cast<ThunkGenerator>(slowPathFunction);
+    CTIStubMap::AddResult entry = m_ctiStubMap.add(key, MacroAssemblerCodeRef<JITThunkPtrTag>());
+    if (entry.isNewEntry) {
+        // Compilation thread can only retrieve existing entries.
+        ASSERT(!isCompilationThread());
+        entry.iterator->value = JITSlowPathCall::generateThunk(vm, slowPathFunction);
+    }
+    return entry.iterator->value;
+}
+
+#endif // ENABLE(EXTRA_CTI_THUNKS)
 
 struct JITThunks::HostKeySearcher {
@@ -234 +258 @@
 }
 
+#if ENABLE(EXTRA_CTI_THUNKS)
+
+void JITThunks::preinitializeExtraCTIThunks(VM& vm)
+{
+    if (!Options::useJIT())
+        return;
+
+    // These 3 should always be initialized first in the following order because
+    // the other thunk generators rely on these already being initialized.
+    ctiStub(vm, handleExceptionGenerator);
+    ctiStub(vm, handleExceptionWithCallFrameRollbackGenerator);
+    ctiStub(vm, popThunkStackPreservesAndHandleExceptionGenerator);
+
+#define INIT_BASELINE_SLOW_PATH_CALL_ROUTINE(name) ctiSlowPathFunctionStub(vm, slow_path_##name)
+
+    // From the BaselineJIT DEFINE_SLOW_OP list:
+    INIT_BASELINE_SLOW_PATH_CALL_ROUTINE(in_by_val);
+    INIT_BASELINE_SLOW_PATH_CALL_ROUTINE(less);
+    INIT_BASELINE_SLOW_PATH_CALL_ROUTINE(lesseq);
+    INIT_BASELINE_SLOW_PATH_CALL_ROUTINE(greater);
+    INIT_BASELINE_SLOW_PATH_CALL_ROUTINE(greatereq);
+    INIT_BASELINE_SLOW_PATH_CALL_ROUTINE(is_callable);
+    INIT_BASELINE_SLOW_PATH_CALL_ROUTINE(is_constructor);
+    INIT_BASELINE_SLOW_PATH_CALL_ROUTINE(typeof);
+    INIT_BASELINE_SLOW_PATH_CALL_ROUTINE(typeof_is_object);
+    INIT_BASELINE_SLOW_PATH_CALL_ROUTINE(typeof_is_function);
+    INIT_BASELINE_SLOW_PATH_CALL_ROUTINE(strcat);
+    INIT_BASELINE_SLOW_PATH_CALL_ROUTINE(push_with_scope);
+    INIT_BASELINE_SLOW_PATH_CALL_ROUTINE(create_lexical_environment);
+    INIT_BASELINE_SLOW_PATH_CALL_ROUTINE(get_by_val_with_this);
+    INIT_BASELINE_SLOW_PATH_CALL_ROUTINE(put_by_id_with_this);
+    INIT_BASELINE_SLOW_PATH_CALL_ROUTINE(put_by_val_with_this);
+    INIT_BASELINE_SLOW_PATH_CALL_ROUTINE(resolve_scope_for_hoisting_func_decl_in_eval);
+    INIT_BASELINE_SLOW_PATH_CALL_ROUTINE(define_data_property);
+    INIT_BASELINE_SLOW_PATH_CALL_ROUTINE(define_accessor_property);
+    INIT_BASELINE_SLOW_PATH_CALL_ROUTINE(unreachable);
+    INIT_BASELINE_SLOW_PATH_CALL_ROUTINE(throw_static_error);
+    INIT_BASELINE_SLOW_PATH_CALL_ROUTINE(new_array_with_spread);
+    INIT_BASELINE_SLOW_PATH_CALL_ROUTINE(new_array_buffer);
+    INIT_BASELINE_SLOW_PATH_CALL_ROUTINE(spread);
+    INIT_BASELINE_SLOW_PATH_CALL_ROUTINE(get_enumerable_length);
+    INIT_BASELINE_SLOW_PATH_CALL_ROUTINE(has_enumerable_property);
+    INIT_BASELINE_SLOW_PATH_CALL_ROUTINE(get_property_enumerator);
+    INIT_BASELINE_SLOW_PATH_CALL_ROUTINE(to_index_string);
+    INIT_BASELINE_SLOW_PATH_CALL_ROUTINE(create_direct_arguments);
+    INIT_BASELINE_SLOW_PATH_CALL_ROUTINE(create_scoped_arguments);
+    INIT_BASELINE_SLOW_PATH_CALL_ROUTINE(create_cloned_arguments);
+    INIT_BASELINE_SLOW_PATH_CALL_ROUTINE(create_arguments_butterfly);
+    INIT_BASELINE_SLOW_PATH_CALL_ROUTINE(create_rest);
+    INIT_BASELINE_SLOW_PATH_CALL_ROUTINE(create_promise);
+    INIT_BASELINE_SLOW_PATH_CALL_ROUTINE(new_promise);
+    INIT_BASELINE_SLOW_PATH_CALL_ROUTINE(create_generator);
+    INIT_BASELINE_SLOW_PATH_CALL_ROUTINE(create_async_generator);
+    INIT_BASELINE_SLOW_PATH_CALL_ROUTINE(new_generator);
+    INIT_BASELINE_SLOW_PATH_CALL_ROUTINE(pow);
+
+    // From the BaselineJIT DEFINE_SLOWCASE_SLOW_OP list:
+    INIT_BASELINE_SLOW_PATH_CALL_ROUTINE(unsigned);
+    INIT_BASELINE_SLOW_PATH_CALL_ROUTINE(inc);
+    INIT_BASELINE_SLOW_PATH_CALL_ROUTINE(dec);
+    INIT_BASELINE_SLOW_PATH_CALL_ROUTINE(bitnot);
+    INIT_BASELINE_SLOW_PATH_CALL_ROUTINE(bitand);
+    INIT_BASELINE_SLOW_PATH_CALL_ROUTINE(bitor);
+    INIT_BASELINE_SLOW_PATH_CALL_ROUTINE(bitxor);
+    INIT_BASELINE_SLOW_PATH_CALL_ROUTINE(lshift);
+    INIT_BASELINE_SLOW_PATH_CALL_ROUTINE(rshift);
+    INIT_BASELINE_SLOW_PATH_CALL_ROUTINE(urshift);
+    INIT_BASELINE_SLOW_PATH_CALL_ROUTINE(div);
+    INIT_BASELINE_SLOW_PATH_CALL_ROUTINE(create_this);
+    INIT_BASELINE_SLOW_PATH_CALL_ROUTINE(create_promise);
+    INIT_BASELINE_SLOW_PATH_CALL_ROUTINE(create_generator);
+    INIT_BASELINE_SLOW_PATH_CALL_ROUTINE(create_async_generator);
+    INIT_BASELINE_SLOW_PATH_CALL_ROUTINE(to_this);
+    INIT_BASELINE_SLOW_PATH_CALL_ROUTINE(to_primitive);
+    INIT_BASELINE_SLOW_PATH_CALL_ROUTINE(to_number);
+    INIT_BASELINE_SLOW_PATH_CALL_ROUTINE(to_numeric);
+    INIT_BASELINE_SLOW_PATH_CALL_ROUTINE(to_string);
+    INIT_BASELINE_SLOW_PATH_CALL_ROUTINE(to_object);
+    INIT_BASELINE_SLOW_PATH_CALL_ROUTINE(not);
+    INIT_BASELINE_SLOW_PATH_CALL_ROUTINE(stricteq);
+    INIT_BASELINE_SLOW_PATH_CALL_ROUTINE(nstricteq);
+    INIT_BASELINE_SLOW_PATH_CALL_ROUTINE(get_direct_pname);
+    INIT_BASELINE_SLOW_PATH_CALL_ROUTINE(get_prototype_of);
+    INIT_BASELINE_SLOW_PATH_CALL_ROUTINE(has_enumerable_structure_property);
+    INIT_BASELINE_SLOW_PATH_CALL_ROUTINE(has_own_structure_property);
+    INIT_BASELINE_SLOW_PATH_CALL_ROUTINE(in_structure_property);
+    INIT_BASELINE_SLOW_PATH_CALL_ROUTINE(resolve_scope);
+    INIT_BASELINE_SLOW_PATH_CALL_ROUTINE(check_tdz);
+    INIT_BASELINE_SLOW_PATH_CALL_ROUTINE(to_property_key);
+#undef INIT_BASELINE_ROUTINE
+}
+
+#endif // ENABLE(EXTRA_CTI_THUNKS)
+
 } // namespace JSC
 

trunk/Source/JavaScriptCore/jit/JITThunks.h

@@ -1 +1 @@
 /*
- * Copyright (C) 2012-2019 Apple Inc. All rights reserved.
+ * Copyright (C) 2012-2021 Apple Inc. All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
@@ -31 +31 @@
 #include "Intrinsic.h"
 #include "MacroAssemblerCodeRef.h"
+#include "SlowPathFunction.h"
 #include "ThunkGenerator.h"
 #include "Weak.h"
@@ -53 +54 @@
     ~JITThunks() final;
 
+#if ENABLE(EXTRA_CTI_THUNKS)
+    void preinitializeExtraCTIThunks(VM&);
+#endif
+
     MacroAssemblerCodePtr<JITThunkPtrTag> ctiNativeCall(VM&);
     MacroAssemblerCodePtr<JITThunkPtrTag> ctiNativeConstruct(VM&);
@@ -62 +67 @@
     MacroAssemblerCodeRef<JITThunkPtrTag> ctiStub(VM&, ThunkGenerator);
     MacroAssemblerCodeRef<JITThunkPtrTag> existingCTIStub(ThunkGenerator);
+    MacroAssemblerCodeRef<JITThunkPtrTag> existingCTIStub(ThunkGenerator, NoLockingNecessaryTag);
+#if ENABLE(EXTRA_CTI_THUNKS)
+    MacroAssemblerCodeRef<JITThunkPtrTag> ctiSlowPathFunctionStub(VM&, SlowPathFunction);
+#endif
 
     NativeExecutable* hostFunctionStub(VM&, TaggedNativeFunction, TaggedNativeFunction constructor, const String& name);

trunk/Source/JavaScriptCore/jit/SlowPathCall.h

@@ -1 +1 @@
 /*
- * Copyright (C) 2013-2018 Apple Inc. All rights reserved.
+ * Copyright (C) 2013-2021 Apple Inc. All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
@@ -26 +26 @@
 #pragma once
 
-#include "CommonSlowPaths.h"
+#include "JIT.h"
 #include "MacroAssemblerCodeRef.h"
+#include "SlowPathFunction.h"
 
 #if ENABLE(JIT)
@@ -42 +43 @@
         assertIsCFunctionPtr(slowPathFunction);
     }
+
+#if ENABLE(EXTRA_CTI_THUNKS)
+    void call();
+    static MacroAssemblerCodeRef<JITThunkPtrTag> generateThunk(VM&, SlowPathFunction);
+
+#else // not ENABLE(EXTRA_CTI_THUNKS)
 
     JIT::Call call()
@@ -63 +70 @@
         static_assert(JIT::regT1 == GPRInfo::returnValueGPR2);
 #endif
-        
+
         m_jit->exceptionCheck();
         return call;
     }
+#endif // ENABLE(EXTRA_CTI_THUNKS)
 
 private:

trunk/Source/JavaScriptCore/jit/ThunkGenerators.cpp

@@ -34 +34 @@
 #include "SpecializedThunkJIT.h"
 #include <wtf/InlineASM.h>
+#include <wtf/StdIntExtras.h>
 #include <wtf/StringPrintStream.h>
 #include <wtf/text/StringImpl.h>
@@ -40 +41 @@
 
 namespace JSC {
+
+#if ENABLE(EXTRA_CTI_THUNKS)
+
+MacroAssemblerCodeRef<JITThunkPtrTag> handleExceptionGenerator(VM& vm)
+{
+    CCallHelpers jit;
+
+    jit.copyCalleeSavesToEntryFrameCalleeSavesBuffer(vm.topEntryFrame);
+
+    jit.move(CCallHelpers::TrustedImmPtr(&vm), GPRInfo::argumentGPR0);
+    jit.prepareCallOperation(vm);
+
+    CCallHelpers::Call operation = jit.call(OperationPtrTag);
+
+    jit.jumpToExceptionHandler(vm);
+
+    LinkBuffer patchBuffer(jit, GLOBAL_THUNK_ID, LinkBuffer::Profile::Thunk);
+    patchBuffer.link(operation, FunctionPtr<OperationPtrTag>(operationLookupExceptionHandler));
+    return FINALIZE_CODE(patchBuffer, JITThunkPtrTag, "handleException");
+}
+
+MacroAssemblerCodeRef<JITThunkPtrTag> handleExceptionWithCallFrameRollbackGenerator(VM& vm)
+{
+    CCallHelpers jit;
+
+    jit.copyCalleeSavesToEntryFrameCalleeSavesBuffer(vm.topEntryFrame);
+
+    jit.move(CCallHelpers::TrustedImmPtr(&vm), GPRInfo::argumentGPR0);
+    jit.prepareCallOperation(vm);
+    CCallHelpers::Call operation = jit.call(OperationPtrTag);
+    jit.jumpToExceptionHandler(vm);
+
+    LinkBuffer patchBuffer(jit, GLOBAL_THUNK_ID, LinkBuffer::Profile::Thunk);
+    patchBuffer.link(operation, FunctionPtr<OperationPtrTag>(operationLookupExceptionHandlerFromCallerFrame));
+    return FINALIZE_CODE(patchBuffer, JITThunkPtrTag, "handleExceptionWithCallFrameRollback");
+}
+
+MacroAssemblerCodeRef<JITThunkPtrTag> popThunkStackPreservesAndHandleExceptionGenerator(VM& vm)
+{
+    CCallHelpers jit;
+
+#if CPU(X86_64)
+    jit.addPtr(CCallHelpers::TrustedImm32(2 * sizeof(CPURegister)), X86Registers::esp);
+#elif CPU(ARM64)
+    jit.popPair(CCallHelpers::framePointerRegister, CCallHelpers::linkRegister);
+#endif
+
+    CCallHelpers::Jump continuation = jit.jump();
+
+    LinkBuffer patchBuffer(jit, GLOBAL_THUNK_ID, LinkBuffer::Profile::Thunk);
+    auto handler = vm.jitStubs->existingCTIStub(handleExceptionGenerator, NoLockingNecessary);
+    RELEASE_ASSERT(handler);
+    patchBuffer.link(continuation, CodeLocationLabel(handler.retaggedCode<NoPtrTag>()));
+    return FINALIZE_CODE(patchBuffer, JITThunkPtrTag, "popThunkStackPreservesAndHandleException");
+}
+
+#endif // ENABLE(EXTRA_CTI_THUNKS)
 
 template<typename TagType>

trunk/Source/JavaScriptCore/jit/ThunkGenerators.h

@@ -1 +1 @@
 /*
- * Copyright (C) 2010-2019 Apple Inc. All rights reserved.
+ * Copyright (C) 2010-2021 Apple Inc. All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
@@ -35 +35 @@
 template<PtrTag> class MacroAssemblerCodeRef;
 class VM;
+
+#if ENABLE(EXTRA_CTI_THUNKS)
+
+MacroAssemblerCodeRef<JITThunkPtrTag> handleExceptionGenerator(VM&);
+MacroAssemblerCodeRef<JITThunkPtrTag> handleExceptionWithCallFrameRollbackGenerator(VM&);
+MacroAssemblerCodeRef<JITThunkPtrTag> popThunkStackPreservesAndHandleExceptionGenerator(VM&);
+
+#endif // ENABLE(EXTRA_CTI_THUNKS)
+
 
 MacroAssemblerCodeRef<JITThunkPtrTag> throwExceptionFromCallSlowPathGenerator(VM&);

trunk/Source/JavaScriptCore/runtime/CommonSlowPaths.h

@@ -1 +1 @@
 /*
- * Copyright (C) 2011-2019 Apple Inc. All rights reserved.
+ * Copyright (C) 2011-2021 Apple Inc. All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
@@ -33 +33 @@
 #include "JSImmutableButterfly.h"
 #include "ScopedArguments.h"
-#include "SlowPathReturnType.h"
+#include "SlowPathFunction.h"
 #include "StackAlignment.h"
 #include "VMInlines.h"
@@ -300 +300 @@
 JSC_DECLARE_COMMON_SLOW_PATH(iterator_next_try_fast_wide32);
 
-using SlowPathFunction = SlowPathReturnType(JIT_OPERATION_ATTRIBUTES*)(CallFrame*, const Instruction*);
-
 } // namespace JSC

trunk/Source/JavaScriptCore/runtime/VM.cpp

@@ -568 +568 @@
         getCTIInternalFunctionTrampolineFor(CodeForCall);
         getCTIInternalFunctionTrampolineFor(CodeForConstruct);
-    }
-#endif
+
+#if ENABLE(EXTRA_CTI_THUNKS)
+        jitStubs->preinitializeExtraCTIThunks(*this);
+#endif
+    }
+#endif // ENABLE(JIT)
 
     if (Options::forceDebuggerBytecodeGeneration() || Options::alwaysUseShadowChicken())

trunk/Source/WTF/ChangeLog

@@ +1 @@
+2021-05-12  Mark Lam  <mark.lam@apple.com>
+
+        Implement some common Baseline JIT slow paths using JIT thunks.
+        https://bugs.webkit.org/show_bug.cgi?id=225682
+
+        Reviewed by Filip Pizlo.
+
+        Introduce ENABLE(EXTRA_CTI_THUNKS) flag to guard the use of these new thunks.
+        Currently, the thunks are 64-bit only, and only supported for ARM64 and non-Windows
+        X86_64.  The reason it is not supported for Windows as well is because Windows
+        only has 4 argument registers.  In this patch, the thunks do not use that many
+        registers yet, but there will be more thunks coming that will require the use
+        of up to 6 argument registers.
+
+        * wtf/PlatformEnable.h:
+
 2021-05-11  Chris Dumez  <cdumez@apple.com>
 

trunk/Source/WTF/wtf/PlatformEnable.h

@@ -1 +1 @@
 /*
- * Copyright (C) 2006-2020 Apple Inc. All rights reserved.
+ * Copyright (C) 2006-2021 Apple Inc. All rights reserved.
  * Copyright (C) 2007-2009 Torch Mobile, Inc.
  * Copyright (C) 2010, 2011 Research In Motion Limited. All rights reserved.
@@ -833 +833 @@
 #endif
 
+#if CPU(ARM64) || (CPU(X86_64) && !OS(WINDOWS))
+/* The implementation of these thunks can use up to 6 argument registers, and
+   make use of ARM64 like features. For now, we'll only support them on platforms
+   that have 6 or more argument registers to use.
+*/
+#define ENABLE_EXTRA_CTI_THUNKS 1
+#endif
+
 #if !defined(ENABLE_BINDING_INTEGRITY) && !OS(WINDOWS)
 #define ENABLE_BINDING_INTEGRITY 1