Changeset 128219 in webkit

Timestamp:

Sep 11, 2012 1:00:31 PM (12 years ago)

Author:

fpizlo@apple.com

Message:

LLInt should optimize and profile array length accesses
​https://bugs.webkit.org/show_bug.cgi?id=96417

Reviewed by Oliver Hunt.

This fixes the following hole in our array profiling strategy, where the array
is large (more than 1000 elements):

for (var i = 0; i < array.length; ++i) ...

The peeled use of array.length (in the array prologue) will execute only once
before DFG optimization kicks in from the loop's OSR point. Since it executed
only once, it executed in the LLInt. And prior to this patch, the LLInt did
not profile array.length accesses - so the DFG will assume, based on the lack
of profiling, that the access is in fact not an access to the JSArray length
property. That could then impede our ability to hoist the array structure
check, and may make us pessimistic in other ways as well, since the generic
GetById used for the array length access will be viewed as a side-effecting
operation.

• bytecode/CodeBlock.cpp:

(JSC::CodeBlock::printGetByIdCacheStatus):
(JSC::CodeBlock::finalizeUnconditionally):

• bytecode/GetByIdStatus.cpp:

(JSC::GetByIdStatus::computeFromLLInt):

• dfg/DFGByteCodeParser.cpp:

(JSC::DFG::ByteCodeParser::parseBlock):

• dfg/DFGCapabilities.h:

(JSC::DFG::canCompileOpcode):

• dfg/DFGFixupPhase.cpp:

(JSC::DFG::FixupPhase::fixupNode):

• jit/JIT.cpp:

(JSC::JIT::privateCompileMainPass):
(JSC::JIT::privateCompileSlowCases):

• llint/LLIntSlowPaths.cpp:

(JSC::LLInt::LLINT_SLOW_PATH_DECL):

• llint/LowLevelInterpreter.asm:
• llint/LowLevelInterpreter32_64.asm:
• llint/LowLevelInterpreter64.asm:

Location:

trunk/Source/JavaScriptCore

Files:

• ChangeLog (modified) (1 diff)
• bytecode/CodeBlock.cpp (modified) (2 diffs)
• bytecode/GetByIdStatus.cpp (modified) (1 diff)
• dfg/DFGByteCodeParser.cpp (modified) (1 diff)
• dfg/DFGCapabilities.h (modified) (1 diff)
• dfg/DFGFixupPhase.cpp (modified) (1 diff)
• jit/JIT.cpp (modified) (3 diffs)
• llint/LLIntSlowPaths.cpp (modified) (2 diffs)
• llint/LowLevelInterpreter.asm (modified) (1 diff)
• llint/LowLevelInterpreter32_64.asm (modified) (1 diff)
• llint/LowLevelInterpreter64.asm (modified) (1 diff)

trunk/Source/JavaScriptCore/ChangeLog

@@ +1 @@
+2012-09-11  Filip Pizlo  <fpizlo@apple.com>
+
+        LLInt should optimize and profile array length accesses
+        https://bugs.webkit.org/show_bug.cgi?id=96417
+
+        Reviewed by Oliver Hunt.
+
+        This fixes the following hole in our array profiling strategy, where the array
+        is large (more than 1000 elements):
+        
+        for (var i = 0; i < array.length; ++i) ...
+        
+        The peeled use of array.length (in the array prologue) will execute only once
+        before DFG optimization kicks in from the loop's OSR point. Since it executed
+        only once, it executed in the LLInt. And prior to this patch, the LLInt did
+        not profile array.length accesses - so the DFG will assume, based on the lack
+        of profiling, that the access is in fact not an access to the JSArray length
+        property. That could then impede our ability to hoist the array structure
+        check, and may make us pessimistic in other ways as well, since the generic
+        GetById used for the array length access will be viewed as a side-effecting
+        operation.
+
+        * bytecode/CodeBlock.cpp:
+        (JSC::CodeBlock::printGetByIdCacheStatus):
+        (JSC::CodeBlock::finalizeUnconditionally):
+        * bytecode/GetByIdStatus.cpp:
+        (JSC::GetByIdStatus::computeFromLLInt):
+        * dfg/DFGByteCodeParser.cpp:
+        (JSC::DFG::ByteCodeParser::parseBlock):
+        * dfg/DFGCapabilities.h:
+        (JSC::DFG::canCompileOpcode):
+        * dfg/DFGFixupPhase.cpp:
+        (JSC::DFG::FixupPhase::fixupNode):
+        * jit/JIT.cpp:
+        (JSC::JIT::privateCompileMainPass):
+        (JSC::JIT::privateCompileSlowCases):
+        * llint/LLIntSlowPaths.cpp:
+        (JSC::LLInt::LLINT_SLOW_PATH_DECL):
+        * llint/LowLevelInterpreter.asm:
+        * llint/LowLevelInterpreter32_64.asm:
+        * llint/LowLevelInterpreter64.asm:
+
 2012-09-11  Raphael Kubo da Costa  <rakuco@webkit.org>
 

trunk/Source/JavaScriptCore/bytecode/CodeBlock.cpp

@@ -292 +292 @@
     
 #if ENABLE(LLINT)
-    Structure* structure = instruction[4].u.structure.get();
-    dataLog(" llint(");
-    dumpStructure("struct", exec, structure, ident);
-    dataLog(")");
+    if (exec->interpreter()->getOpcodeID(instruction[0].u.opcode) == op_get_array_length)
+        dataLog(" llint(array_length)");
+    else {
+        Structure* structure = instruction[4].u.structure.get();
+        dataLog(" llint(");
+        dumpStructure("struct", exec, structure, ident);
+        dataLog(")");
+    }
 #endif
 
@@ -2082 +2086 @@
                 curInstruction[0].u.opcode = interpreter->getOpcode(op_put_by_id);
                 break;
+            case op_get_array_length:
+                break;
             default:
                 ASSERT_NOT_REACHED();

trunk/Source/JavaScriptCore/bytecode/GetByIdStatus.cpp

@@ -44 +44 @@
     if (instruction[0].u.opcode == LLInt::getOpcode(llint_op_method_check))
         instruction++;
+    
+    if (instruction[0].u.opcode == LLInt::getOpcode(llint_op_get_array_length))
+        return GetByIdStatus(NoInformation, false);
 
     Structure* structure = instruction[4].u.structure.get();

trunk/Source/JavaScriptCore/dfg/DFGByteCodeParser.cpp

@@ -2277 +2277 @@
         }
         case op_get_by_id:
-        case op_get_by_id_out_of_line: {
+        case op_get_by_id_out_of_line:
+        case op_get_array_length: {
             SpeculatedType prediction = getPrediction();
             

trunk/Source/JavaScriptCore/dfg/DFGCapabilities.h

@@ -121 +121 @@
     case op_get_by_id:
     case op_get_by_id_out_of_line:
+    case op_get_array_length:
     case op_put_by_id:
     case op_put_by_id_out_of_line:

trunk/Source/JavaScriptCore/dfg/DFGFixupPhase.cpp

@@ -93 +93 @@
                     fromObserved(arrayProfile->observedArrayModes(), false),
                     m_graph[node.child1()].prediction(),
-                    m_graph[m_compileIndex].prediction());                    
+                    m_graph[m_compileIndex].prediction());
                 if (modeSupportsLength(arrayMode) && arrayProfile->hasDefiniteStructure()) {
                     m_graph.ref(nodePtr->child1());

trunk/Source/JavaScriptCore/jit/JIT.cpp

@@ -257 +257 @@
         DEFINE_OP(op_eq_null)
         case op_get_by_id_out_of_line:
+        case op_get_array_length:
         DEFINE_OP(op_get_by_id)
         DEFINE_OP(op_get_arguments_length)
@@ -359 +360 @@
         DEFINE_OP(op_to_primitive)
 
-        case op_get_array_length:
         case op_get_by_id_chain:
         case op_get_by_id_generic:
@@ -447 +447 @@
         DEFINE_SLOWCASE_OP(op_eq)
         case op_get_by_id_out_of_line:
+        case op_get_array_length:
         DEFINE_SLOWCASE_OP(op_get_by_id)
         DEFINE_SLOWCASE_OP(op_get_arguments_length)

trunk/Source/JavaScriptCore/llint/LLIntSlowPaths.cpp

@@ -859 +859 @@
     LLINT_CHECK_EXCEPTION();
     LLINT_OP(1) = result;
-
+    
     if (!LLINT_ALWAYS_ACCESS_SLOW
         && baseValue.isCell()
@@ -881 +881 @@
             }
         }
+    }
+
+    if (!LLINT_ALWAYS_ACCESS_SLOW
+        && isJSArray(baseValue)
+        && ident == exec->propertyNames().length) {
+        pc[0].u.opcode = LLInt::getOpcode(llint_op_get_array_length);
+#if ENABLE(VALUE_PROFILER)
+        ArrayProfile* arrayProfile = codeBlock->getOrAddArrayProfile(pc - codeBlock->instructions().begin());
+        arrayProfile->observeStructure(baseValue.asCell()->structure());
+        pc[4].u.arrayProfile = arrayProfile;
+#endif
     }
 

trunk/Source/JavaScriptCore/llint/LowLevelInterpreter.asm

@@ -846 +846 @@
 end
 
-_llint_op_get_array_length:
-    notSupported()
-
 _llint_op_get_by_id_chain:
     notSupported()

trunk/Source/JavaScriptCore/llint/LowLevelInterpreter32_64.asm

@@ -1167 +1167 @@
 _llint_op_get_by_id_out_of_line:
     getById(withOutOfLineStorage)
+
+
+_llint_op_get_array_length:
+    traceExecution()
+    loadi 8[PC], t0
+    loadp 16[PC], t1
+    loadConstantOrVariablePayload(t0, CellTag, t3, .opGetArrayLengthSlot)
+    loadp JSCell::m_structure[t3], t2
+    if VALUE_PROFILER
+        storep t2, ArrayProfile::m_lastSeenStructure[t1]
+    end
+    loadp CodeBlock[cfr], t1
+    loadp CodeBlock::m_globalData[t1], t1
+    loadp JSGlobalData::jsArrayClassInfo[t1], t1
+    bpneq Structure::m_classInfo[t2], t1, .opGetArrayLengthSlow
+    loadi 4[PC], t1
+    loadp 32[PC], t2
+    loadp JSArray::m_storage[t3], t0
+    loadi ArrayStorage::m_length[t0], t0
+    bilt t0, 0, .opGetArrayLengthSlow
+    valueProfile(Int32Tag, t0, t2)
+    storep t0, PayloadOffset[cfr, t1, 8]
+    storep Int32Tag, TagOffset[cfr, t1, 8]
+    dispatch(9)
+
+.opGetArrayLengthSlow:
+    callSlowPath(_llint_slow_path_get_by_id)
+    dispatch(9)
 
 

trunk/Source/JavaScriptCore/llint/LowLevelInterpreter64.asm

@@ -1014 +1014 @@
 _llint_op_get_by_id_out_of_line:
     getById(withOutOfLineStorage)
+
+
+_llint_op_get_array_length:
+    traceExecution()
+    loadis 16[PB, PC, 8], t0
+    loadp 32[PB, PC, 8], t1
+    loadConstantOrVariableCell(t0, t3, .opGetArrayLengthSlow)
+    loadp JSCell::m_structure[t3], t2
+    if VALUE_PROFILER
+        storep t2, ArrayProfile::m_lastSeenStructure[t1]
+    end
+    loadp CodeBlock[cfr], t1
+    loadp CodeBlock::m_globalData[t1], t1
+    loadp JSGlobalData::jsArrayClassInfo[t1], t1
+    bpneq Structure::m_classInfo[t2], t1, .opGetArrayLengthSlow
+    loadis 8[PB, PC, 8], t1
+    loadp 64[PB, PC, 8], t2
+    loadp JSArray::m_storage[t3], t0
+    loadi ArrayStorage::m_length[t0], t0
+    bilt t0, 0, .opGetArrayLengthSlow
+    orp tagTypeNumber, t0
+    valueProfile(t0, t2)
+    storep t0, [cfr, t1, 8]
+    dispatch(9)
+
+.opGetArrayLengthSlow:
+    callSlowPath(_llint_slow_path_get_by_id)
+    dispatch(9)