Changeset 118555 in webkit

Timestamp:

May 25, 2012 1:19:55 PM (12 years ago)

Author:

fpizlo@apple.com

Message:

DFG ConvertThis should just be a CheckStructure if the structure is known
​https://bugs.webkit.org/show_bug.cgi?id=87057

Reviewed by Gavin Barraclough.

Merged r118021 from dfgopt.

This gives ValueProfile the ability to track singleton values - i.e. profiling
sites that always see the same value.

That is then used to profile the structure in op_convert_this.

This is then used to optimize op_convert_this into a CheckStructure if the
structure is always the same.

That then results in better CSE in inlined code that uses 'this', since
previously we couldn't CSE accesses on 'this' from different inline call frames.

Also fixed a bug where we were unnecessarily flushing 'this'.

• bytecode/CodeBlock.cpp:

(JSC::CodeBlock::dump):
(JSC::CodeBlock::stronglyVisitStrongReferences):

• bytecode/LazyOperandValueProfile.cpp:

(JSC::CompressedLazyOperandValueProfileHolder::computeUpdatedPredictions):

• bytecode/LazyOperandValueProfile.h:

(CompressedLazyOperandValueProfileHolder):

• bytecode/Opcode.h:

(JSC):
(JSC::padOpcodeName):

• bytecode/ValueProfile.h:

(JSC::ValueProfileBase::ValueProfileBase):
(JSC::ValueProfileBase::dump):
(JSC::ValueProfileBase::computeUpdatedPrediction):
(ValueProfileBase):

• bytecompiler/BytecodeGenerator.cpp:

(JSC::BytecodeGenerator::BytecodeGenerator):

• dfg/DFGByteCodeParser.cpp:

(JSC::DFG::ByteCodeParser::setArgument):
(JSC::DFG::ByteCodeParser::parseBlock):

• jit/JITOpcodes.cpp:

(JSC::JIT::emit_op_convert_this):
(JSC::JIT::emitSlow_op_convert_this):

• jit/JITOpcodes32_64.cpp:

(JSC::JIT::emit_op_convert_this):
(JSC::JIT::emitSlow_op_convert_this):

• llint/LLIntSlowPaths.cpp:

(JSC::LLInt::LLINT_SLOW_PATH_DECL):

• llint/LowLevelInterpreter32_64.asm:
• llint/LowLevelInterpreter64.asm:
• runtime/JSValue.h:

(JSValue):

• runtime/Structure.h:

(JSC::JSValue::structureOrUndefined):
(JSC):

Location:

trunk/Source/JavaScriptCore

Files:

• ChangeLog (modified) (1 diff)
• bytecode/CodeBlock.cpp (modified) (2 diffs)
• bytecode/LazyOperandValueProfile.cpp (modified) (2 diffs)
• bytecode/LazyOperandValueProfile.h (modified) (1 diff)
• bytecode/Opcode.h (modified) (1 diff)
• bytecode/ValueProfile.h (modified) (7 diffs)
• bytecompiler/BytecodeGenerator.cpp (modified) (1 diff)
• dfg/DFGByteCodeParser.cpp (modified) (2 diffs)
• jit/JITOpcodes.cpp (modified) (2 diffs)
• jit/JITOpcodes32_64.cpp (modified) (3 diffs)
• llint/LLIntSlowPaths.cpp (modified) (1 diff)
• llint/LowLevelInterpreter32_64.asm (modified) (1 diff)
• llint/LowLevelInterpreter64.asm (modified) (1 diff)
• runtime/JSValue.h (modified) (1 diff)
• runtime/Structure.h (modified) (1 diff)

trunk/Source/JavaScriptCore/ChangeLog

@@ +1 @@
+2012-05-21  Filip Pizlo  <fpizlo@apple.com>
+
+        DFG ConvertThis should just be a CheckStructure if the structure is known
+        https://bugs.webkit.org/show_bug.cgi?id=87057
+
+        Reviewed by Gavin Barraclough.
+        
+        Merged r118021 from dfgopt.
+        
+        This gives ValueProfile the ability to track singleton values - i.e. profiling
+        sites that always see the same value.
+        
+        That is then used to profile the structure in op_convert_this.
+        
+        This is then used to optimize op_convert_this into a CheckStructure if the
+        structure is always the same.
+        
+        That then results in better CSE in inlined code that uses 'this', since
+        previously we couldn't CSE accesses on 'this' from different inline call frames.
+        
+        Also fixed a bug where we were unnecessarily flushing 'this'.
+
+        * bytecode/CodeBlock.cpp:
+        (JSC::CodeBlock::dump):
+        (JSC::CodeBlock::stronglyVisitStrongReferences):
+        * bytecode/LazyOperandValueProfile.cpp:
+        (JSC::CompressedLazyOperandValueProfileHolder::computeUpdatedPredictions):
+        * bytecode/LazyOperandValueProfile.h:
+        (CompressedLazyOperandValueProfileHolder):
+        * bytecode/Opcode.h:
+        (JSC):
+        (JSC::padOpcodeName):
+        * bytecode/ValueProfile.h:
+        (JSC::ValueProfileBase::ValueProfileBase):
+        (JSC::ValueProfileBase::dump):
+        (JSC::ValueProfileBase::computeUpdatedPrediction):
+        (ValueProfileBase):
+        * bytecompiler/BytecodeGenerator.cpp:
+        (JSC::BytecodeGenerator::BytecodeGenerator):
+        * dfg/DFGByteCodeParser.cpp:
+        (JSC::DFG::ByteCodeParser::setArgument):
+        (JSC::DFG::ByteCodeParser::parseBlock):
+        * jit/JITOpcodes.cpp:
+        (JSC::JIT::emit_op_convert_this):
+        (JSC::JIT::emitSlow_op_convert_this):
+        * jit/JITOpcodes32_64.cpp:
+        (JSC::JIT::emit_op_convert_this):
+        (JSC::JIT::emitSlow_op_convert_this):
+        * llint/LLIntSlowPaths.cpp:
+        (JSC::LLInt::LLINT_SLOW_PATH_DECL):
+        * llint/LowLevelInterpreter32_64.asm:
+        * llint/LowLevelInterpreter64.asm:
+        * runtime/JSValue.h:
+        (JSValue):
+        * runtime/Structure.h:
+        (JSC::JSValue::structureOrUndefined):
+        (JSC):
+
 2012-05-24  Tim Horton  <timothy_horton@apple.com>
 

trunk/Source/JavaScriptCore/bytecode/CodeBlock.cpp

@@ -671 +671 @@
             int r0 = (++it)->u.operand;
             dataLog("[%4d] convert_this\t %s\n", location, registerName(exec, r0).data());
+            ++it; // Skip value profile.
             break;
         }
@@ -2086 +2087 @@
     }
     
-    m_lazyOperandValueProfiles.computeUpdatedPredictions();
+    m_lazyOperandValueProfiles.computeUpdatedPredictions(Collection);
 #endif
 
 #if ENABLE(VALUE_PROFILER)
     for (unsigned profileIndex = 0; profileIndex < numberOfArgumentValueProfiles(); ++profileIndex)
-        valueProfileForArgument(profileIndex)->computeUpdatedPrediction();
+        valueProfileForArgument(profileIndex)->computeUpdatedPrediction(Collection);
     for (unsigned profileIndex = 0; profileIndex < numberOfValueProfiles(); ++profileIndex)
-        valueProfile(profileIndex)->computeUpdatedPrediction();
+        valueProfile(profileIndex)->computeUpdatedPrediction(Collection);
 #endif
 }

trunk/Source/JavaScriptCore/bytecode/LazyOperandValueProfile.cpp

@@ -34 +34 @@
 CompressedLazyOperandValueProfileHolder::~CompressedLazyOperandValueProfileHolder() { }
 
-void CompressedLazyOperandValueProfileHolder::computeUpdatedPredictions()
+void CompressedLazyOperandValueProfileHolder::computeUpdatedPredictions(OperationInProgress operation)
 {
     if (!m_data)
@@ -40 +40 @@
     
     for (unsigned i = 0; i < m_data->size(); ++i)
-        m_data->at(i).computeUpdatedPrediction();
+        m_data->at(i).computeUpdatedPrediction(operation);
 }
 

trunk/Source/JavaScriptCore/bytecode/LazyOperandValueProfile.h

@@ -156 +156 @@
     ~CompressedLazyOperandValueProfileHolder();
     
-    void computeUpdatedPredictions();
+    void computeUpdatedPredictions(OperationInProgress);
     
     LazyOperandValueProfile* add(const LazyOperandValueProfileKey& key);

trunk/Source/JavaScriptCore/bytecode/Opcode.h

@@ -44 +44 @@
         macro(op_create_arguments, 2) \
         macro(op_create_this, 2) \
-        macro(op_convert_this, 2) \
+        macro(op_convert_this, 3) \
         \
         macro(op_new_object, 2) \

trunk/Source/JavaScriptCore/bytecode/ValueProfile.h

@@ -34 +34 @@
 #if ENABLE(VALUE_PROFILER)
 
+#include "Heap.h"
 #include "JSArray.h"
 #include "PredictedType.h"
@@ -52 +53 @@
         , m_prediction(PredictNone)
         , m_numberOfSamplesInPrediction(0)
+        , m_singletonValueIsTop(false)
     {
         for (unsigned i = 0; i < totalNumberOfBuckets; ++i)
@@ -61 +63 @@
         , m_prediction(PredictNone)
         , m_numberOfSamplesInPrediction(0)
+        , m_singletonValueIsTop(false)
     {
         for (unsigned i = 0; i < totalNumberOfBuckets; ++i)
@@ -113 +116 @@
                 totalNumberOfSamples(),
                 predictionToString(m_prediction));
+        fprintf(out, ", value = ");
+        if (m_singletonValueIsTop)
+            fprintf(out, "TOP");
+        else
+            fprintf(out, "%s", m_singletonValue.description());
         bool first = true;
         for (unsigned i = 0; i < totalNumberOfBuckets; ++i) {
@@ -128 +136 @@
     
     // Updates the prediction and returns the new one.
-    PredictedType computeUpdatedPrediction()
+    PredictedType computeUpdatedPrediction(OperationInProgress operation = NoOperation)
     {
         for (unsigned i = 0; i < totalNumberOfBuckets; ++i) {
@@ -138 +146 @@
             mergePrediction(m_prediction, predictionFromValue(value));
             
+            if (!m_singletonValueIsTop && !!value) {
+                if (!m_singletonValue)
+                    m_singletonValue = value;
+                else if (m_singletonValue != value)
+                    m_singletonValueIsTop = true;
+            }
+            
             m_buckets[i] = JSValue::encode(JSValue());
         }
         
+        if (operation == Collection
+            && !m_singletonValueIsTop
+            && !!m_singletonValue
+            && m_singletonValue.isCell()
+            && !Heap::isMarked(m_singletonValue.asCell()))
+            m_singletonValueIsTop = true;
+            
         return m_prediction;
     }
@@ -149 +171 @@
     unsigned m_numberOfSamplesInPrediction;
     
+    bool m_singletonValueIsTop;
+    JSValue m_singletonValue;
+
     EncodedJSValue m_buckets[totalNumberOfBuckets];
 };

trunk/Source/JavaScriptCore/bytecompiler/BytecodeGenerator.cpp

@@ -446 +446 @@
         instructions().append(m_thisRegister.index());
     } else if (!codeBlock->isStrictMode() && (functionBody->usesThis() || codeBlock->usesEval() || m_shouldEmitDebugHooks)) {
-        emitOpcode(op_convert_this);
+        ValueProfile* profile = emitProfiledOpcode(op_convert_this);
         instructions().append(m_thisRegister.index());
+        instructions().append(profile);
     }
 }

trunk/Source/JavaScriptCore/dfg/DFGByteCodeParser.cpp

@@ -351 +351 @@
         NodeIndex nodeIndex = addToGraph(SetLocal, OpInfo(variableAccessData), value);
         m_currentBlock->variablesAtTail.argument(argument) = nodeIndex;
-        // Always flush arguments.
-        addToGraph(Flush, OpInfo(variableAccessData), nodeIndex);
+        // Always flush arguments, except for 'this'.
+        if (argument)
+            addToGraph(Flush, OpInfo(variableAccessData), nodeIndex);
     }
     
@@ -1583 +1584 @@
         case op_convert_this: {
             NodeIndex op1 = getThis();
-            if (m_graph[op1].op() == ConvertThis)
-                setThis(op1);
-            else
-                setThis(addToGraph(ConvertThis, op1));
+            if (m_graph[op1].op() != ConvertThis) {
+                ValueProfile* profile =
+                    m_inlineStackTop->m_profiledBlock->valueProfileForBytecodeOffset(m_currentProfilingIndex);
+                profile->computeUpdatedPrediction();
+#if DFG_ENABLE(DEBUG_VERBOSE)
+                dataLog("[@%lu bc#%u]: profile %p: ", m_graph.size(), m_currentProfilingIndex, profile);
+                profile->dump(WTF::dataFile());
+                dataLog("\n");
+#endif
+                if (profile->m_singletonValueIsTop
+                    || !profile->m_singletonValue
+                    || !profile->m_singletonValue.isCell()
+                    || profile->m_singletonValue.asCell()->classInfo() != &Structure::s_info)
+                    setThis(addToGraph(ConvertThis, op1));
+                else {
+                    addToGraph(
+                        CheckStructure,
+                        OpInfo(m_graph.addStructureSet(jsCast<Structure*>(profile->m_singletonValue.asCell()))),
+                        op1);
+                }
+            }
             NEXT_OPCODE(op_convert_this);
         }

trunk/Source/JavaScriptCore/jit/JITOpcodes.cpp

@@ -1258 +1258 @@
 void JIT::emit_op_convert_this(Instruction* currentInstruction)
 {
-    emitGetVirtualRegister(currentInstruction[1].u.operand, regT0);
-
-    emitJumpSlowCaseIfNotJSCell(regT0);
-    addSlowCase(branchPtr(Equal, Address(regT0, JSCell::classInfoOffset()), TrustedImmPtr(&JSString::s_info)));
+    emitGetVirtualRegister(currentInstruction[1].u.operand, regT1);
+
+    emitJumpSlowCaseIfNotJSCell(regT1);
+    if (shouldEmitProfiling()) {
+        loadPtr(Address(regT1, JSCell::structureOffset()), regT0);
+        emitValueProfilingSite();
+    }
+    addSlowCase(branchPtr(Equal, Address(regT1, JSCell::classInfoOffset()), TrustedImmPtr(&JSString::s_info)));
 }
 
@@ -1316 +1320 @@
 
     linkSlowCase(iter);
-    Jump isNotUndefined = branchPtr(NotEqual, regT0, TrustedImmPtr(JSValue::encode(jsUndefined())));
+    if (shouldEmitProfiling())
+        move(TrustedImmPtr(bitwise_cast<void*>(JSValue::encode(jsUndefined()))), regT0);
+    Jump isNotUndefined = branchPtr(NotEqual, regT1, TrustedImmPtr(JSValue::encode(jsUndefined())));
+    emitValueProfilingSite();
     move(TrustedImmPtr(globalThis), regT0);
     emitPutVirtualRegister(currentInstruction[1].u.operand, regT0);
     emitJumpSlowToHot(jump(), OPCODE_LENGTH(op_convert_this));
 
+    linkSlowCase(iter);
+    if (shouldEmitProfiling())
+        move(TrustedImmPtr(bitwise_cast<void*>(JSValue::encode(m_globalData->stringStructure.get()))), regT0);
     isNotUndefined.link(this);
-    linkSlowCase(iter);
+    emitValueProfilingSite();
     JITStubCall stubCall(this, cti_op_convert_this);
-    stubCall.addArgument(regT0);
+    stubCall.addArgument(regT1);
     stubCall.call(currentInstruction[1].u.operand);
 }

trunk/Source/JavaScriptCore/jit/JITOpcodes32_64.cpp

@@ -1549 +1549 @@
     unsigned thisRegister = currentInstruction[1].u.operand;
 
-    emitLoad(thisRegister, regT1, regT0);
-
-    addSlowCase(branch32(NotEqual, regT1, TrustedImm32(JSValue::CellTag)));
-    addSlowCase(branchPtr(Equal, Address(regT0, JSCell::classInfoOffset()), TrustedImmPtr(&JSString::s_info)));
-
-    map(m_bytecodeOffset + OPCODE_LENGTH(op_convert_this), thisRegister, regT1, regT0);
+    emitLoad(thisRegister, regT3, regT2);
+
+    addSlowCase(branch32(NotEqual, regT3, TrustedImm32(JSValue::CellTag)));
+    if (shouldEmitProfiling()) {
+        loadPtr(Address(regT2, JSCell::structureOffset()), regT0);
+        move(regT3, regT1);
+        emitValueProfilingSite();
+    }
+    addSlowCase(branchPtr(Equal, Address(regT2, JSCell::classInfoOffset()), TrustedImmPtr(&JSString::s_info)));
 }
 
@@ -1563 +1566 @@
 
     linkSlowCase(iter);
-    Jump isNotUndefined = branch32(NotEqual, regT1, TrustedImm32(JSValue::UndefinedTag));
+    if (shouldEmitProfiling()) {
+        move(TrustedImm32(JSValue::UndefinedTag), regT1);
+        move(TrustedImm32(0), regT0);
+    }
+    Jump isNotUndefined = branch32(NotEqual, regT3, TrustedImm32(JSValue::UndefinedTag));
+    emitValueProfilingSite();
     move(TrustedImmPtr(globalThis), regT0);
     move(TrustedImm32(JSValue::CellTag), regT1);
@@ -1569 +1577 @@
     emitJumpSlowToHot(jump(), OPCODE_LENGTH(op_convert_this));
 
+    linkSlowCase(iter);
+    if (shouldEmitProfiling()) {
+        move(TrustedImm32(JSValue::CellTag), regT1);
+        move(TrustedImmPtr(m_globalData->stringStructure.get()), regT0);
+    }
     isNotUndefined.link(this);
-    linkSlowCase(iter);
+    emitValueProfilingSite();
     JITStubCall stubCall(this, cti_op_convert_this);
-    stubCall.addArgument(regT1, regT0);
+    stubCall.addArgument(regT3, regT2);
     stubCall.call(thisRegister);
 }

trunk/Source/JavaScriptCore/llint/LLIntSlowPaths.cpp

@@ -468 +468 @@
     JSValue v1 = LLINT_OP(1).jsValue();
     ASSERT(v1.isPrimitive());
+    pc[OPCODE_LENGTH(op_convert_this) - 1].u.profile->m_buckets[0] =
+        JSValue::encode(v1.structureOrUndefined());
     LLINT_RETURN(v1.toThisObject(exec));
 }

trunk/Source/JavaScriptCore/llint/LowLevelInterpreter32_64.asm

@@ -365 +365 @@
     loadp JSCell::m_structure[t0], t0
     bbb Structure::m_typeInfo + TypeInfo::m_type[t0], ObjectType, .opConvertThisSlow
-    dispatch(2)
+    loadi 8[PC], t1
+    valueProfile(CellTag, t0, t1)
+    dispatch(3)
 
 .opConvertThisSlow:
     callSlowPath(_llint_slow_path_convert_this)
-    dispatch(2)
+    dispatch(3)
 
 

trunk/Source/JavaScriptCore/llint/LowLevelInterpreter64.asm

@@ -242 +242 @@
     loadp JSCell::m_structure[t0], t0
     bbb Structure::m_typeInfo + TypeInfo::m_type[t0], ObjectType, .opConvertThisSlow
-    dispatch(2)
+    loadp 16[PB, PC, 8], t1
+    valueProfile(t0, t1)
+    dispatch(3)
 
 .opConvertThisSlow:
     callSlowPath(_llint_slow_path_convert_this)
-    dispatch(2)
+    dispatch(3)
 
 

trunk/Source/JavaScriptCore/runtime/JSValue.h

@@ -240 +240 @@
         JSCell* asCell() const;
         JS_EXPORT_PRIVATE bool isValidCallee();
+        
+        JSValue structureOrUndefined() const;
 
         char* description() const;

trunk/Source/JavaScriptCore/runtime/Structure.h

@@ -333 +333 @@
     }
     
+    inline JSValue JSValue::structureOrUndefined() const
+    {
+        if (isCell())
+            return JSValue(asCell()->structure());
+        return jsUndefined();
+    }
+
     inline bool JSCell::isObject() const
     {