Changeset 128790 in webkit

Timestamp:

Sep 17, 2012 12:07:32 PM (12 years ago)

Author:

fpizlo@apple.com

Message:

Array profiling has convergence issues
​https://bugs.webkit.org/show_bug.cgi?id=96891

Reviewed by Gavin Barraclough.

Source/JavaScriptCore:

Now each array profiling site merges in the indexing type it observed into
the m_observedArrayModes bitset. The ArrayProfile also uses this to detect
cases where the structure must have gone polymorphic (if the bitset is
polymorphic then the structure must be). This achieves something like the
best of both worlds: on the one hand, we get a probabilistic structure that
we can use to optimize the monomorphic structure case, but on the other hand,
we get an accurate view of the set of types that were encountered.

• assembler/MacroAssemblerARMv7.h:

(JSC::MacroAssemblerARMv7::or32):
(MacroAssemblerARMv7):

• assembler/MacroAssemblerX86.h:

(JSC::MacroAssemblerX86::or32):
(MacroAssemblerX86):

• assembler/MacroAssemblerX86_64.h:

(JSC::MacroAssemblerX86_64::or32):
(MacroAssemblerX86_64):

• assembler/X86Assembler.h:

(X86Assembler):
(JSC::X86Assembler::orl_rm):

• bytecode/ArrayProfile.cpp:

(JSC::ArrayProfile::computeUpdatedPrediction):

• bytecode/ArrayProfile.h:

(JSC::ArrayProfile::addressOfArrayModes):
(JSC::ArrayProfile::structureIsPolymorphic):

• jit/JIT.h:

(JIT):

• jit/JITInlineMethods.h:

(JSC):
(JSC::JIT::emitArrayProfilingSite):

• jit/JITPropertyAccess.cpp:

(JSC::JIT::emit_op_get_by_val):
(JSC::JIT::emit_op_put_by_val):
(JSC::JIT::privateCompilePatchGetArrayLength):

• jit/JITPropertyAccess32_64.cpp:

(JSC::JIT::emit_op_get_by_val):
(JSC::JIT::emit_op_put_by_val):
(JSC::JIT::privateCompilePatchGetArrayLength):

• llint/LowLevelInterpreter.asm:
• llint/LowLevelInterpreter32_64.asm:
• llint/LowLevelInterpreter64.asm:

Source/WTF:

Added functions for testing if something is a power of 2.

• wtf/MathExtras.h:

(hasZeroOrOneBitsSet):
(hasTwoOrMoreBitsSet):

Location:

trunk/Source

Files:

• JavaScriptCore/ChangeLog (modified) (1 diff)
• JavaScriptCore/assembler/MacroAssemblerARMv7.h (modified) (1 diff)
• JavaScriptCore/assembler/MacroAssemblerX86.h (modified) (1 diff)
• JavaScriptCore/assembler/MacroAssemblerX86_64.h (modified) (1 diff)
• JavaScriptCore/assembler/X86Assembler.h (modified) (1 diff)
• JavaScriptCore/bytecode/ArrayProfile.cpp (modified) (1 diff)
• JavaScriptCore/bytecode/ArrayProfile.h (modified) (2 diffs)
• JavaScriptCore/jit/JIT.h (modified) (1 diff)
• JavaScriptCore/jit/JITInlineMethods.h (modified) (1 diff)
• JavaScriptCore/jit/JITPropertyAccess.cpp (modified) (3 diffs)
• JavaScriptCore/jit/JITPropertyAccess32_64.cpp (modified) (3 diffs)
• JavaScriptCore/llint/LowLevelInterpreter.asm (modified) (1 diff)
• JavaScriptCore/llint/LowLevelInterpreter32_64.asm (modified) (3 diffs)
• JavaScriptCore/llint/LowLevelInterpreter64.asm (modified) (3 diffs)
• WTF/ChangeLog (modified) (1 diff)
• WTF/wtf/MathExtras.h (modified) (1 diff)

trunk/Source/JavaScriptCore/ChangeLog

@@ +1 @@
+2012-09-17  Filip Pizlo  <fpizlo@apple.com>
+
+        Array profiling has convergence issues
+        https://bugs.webkit.org/show_bug.cgi?id=96891
+
+        Reviewed by Gavin Barraclough.
+
+        Now each array profiling site merges in the indexing type it observed into
+        the m_observedArrayModes bitset. The ArrayProfile also uses this to detect
+        cases where the structure must have gone polymorphic (if the bitset is
+        polymorphic then the structure must be). This achieves something like the
+        best of both worlds: on the one hand, we get a probabilistic structure that
+        we can use to optimize the monomorphic structure case, but on the other hand,
+        we get an accurate view of the set of types that were encountered.
+
+        * assembler/MacroAssemblerARMv7.h:
+        (JSC::MacroAssemblerARMv7::or32):
+        (MacroAssemblerARMv7):
+        * assembler/MacroAssemblerX86.h:
+        (JSC::MacroAssemblerX86::or32):
+        (MacroAssemblerX86):
+        * assembler/MacroAssemblerX86_64.h:
+        (JSC::MacroAssemblerX86_64::or32):
+        (MacroAssemblerX86_64):
+        * assembler/X86Assembler.h:
+        (X86Assembler):
+        (JSC::X86Assembler::orl_rm):
+        * bytecode/ArrayProfile.cpp:
+        (JSC::ArrayProfile::computeUpdatedPrediction):
+        * bytecode/ArrayProfile.h:
+        (JSC::ArrayProfile::addressOfArrayModes):
+        (JSC::ArrayProfile::structureIsPolymorphic):
+        * jit/JIT.h:
+        (JIT):
+        * jit/JITInlineMethods.h:
+        (JSC):
+        (JSC::JIT::emitArrayProfilingSite):
+        * jit/JITPropertyAccess.cpp:
+        (JSC::JIT::emit_op_get_by_val):
+        (JSC::JIT::emit_op_put_by_val):
+        (JSC::JIT::privateCompilePatchGetArrayLength):
+        * jit/JITPropertyAccess32_64.cpp:
+        (JSC::JIT::emit_op_get_by_val):
+        (JSC::JIT::emit_op_put_by_val):
+        (JSC::JIT::privateCompilePatchGetArrayLength):
+        * llint/LowLevelInterpreter.asm:
+        * llint/LowLevelInterpreter32_64.asm:
+        * llint/LowLevelInterpreter64.asm:
+
 2012-09-17  Mark Lam  <mark.lam@apple.com>
 

trunk/Source/JavaScriptCore/assembler/MacroAssemblerARMv7.h

@@ -314 +314 @@
         m_assembler.orr(dest, dest, src);
     }
+    
+    void or32(RegisterID src, AbsoluteAddress dest)
+    {
+        move(TrustedImmPtr(dest.m_ptr), addressTempRegister);
+        load32(addressTempRegister, dataTempRegister);
+        or32(src, dataTempRegister);
+        store32(dataTempRegister, addressTempRegister);
+    }
 
     void or32(TrustedImm32 imm, RegisterID dest)

trunk/Source/JavaScriptCore/assembler/MacroAssemblerX86.h

@@ -85 +85 @@
     }
     
+    void or32(RegisterID reg, AbsoluteAddress address)
+    {
+        m_assembler.orl_rm(reg, address.m_ptr);
+    }
+    
     void sub32(TrustedImm32 imm, AbsoluteAddress address)
     {

trunk/Source/JavaScriptCore/assembler/MacroAssemblerX86_64.h

@@ -76 +76 @@
     }
 
+    void or32(RegisterID reg, AbsoluteAddress address)
+    {
+        move(TrustedImmPtr(address.m_ptr), scratchRegister);
+        or32(reg, Address(scratchRegister));
+    }
+
     void sub32(TrustedImm32 imm, AbsoluteAddress address)
     {

trunk/Source/JavaScriptCore/assembler/X86Assembler.h

@@ -542 +542 @@
         }
     }
+
+    void orl_rm(RegisterID src, const void* addr)
+    {
+        m_formatter.oneByteOp(OP_OR_EvGv, src, addr);
+    }
 #endif
 

trunk/Source/JavaScriptCore/bytecode/ArrayProfile.cpp

@@ -44 +44 @@
     }
     
+    if (hasTwoOrMoreBitsSet(m_observedArrayModes)) {
+        m_structureIsPolymorphic = true;
+        m_expectedStructure = 0;
+    }
+    
     if (operation == Collection
         && m_expectedStructure

trunk/Source/JavaScriptCore/bytecode/ArrayProfile.h

@@ -71 +71 @@
     
     Structure** addressOfLastSeenStructure() { return &m_lastSeenStructure; }
+    ArrayModes* addressOfArrayModes() { return &m_observedArrayModes; }
     
     void observeStructure(Structure* structure)
@@ -80 +81 @@
     
     Structure* expectedStructure() const { return m_expectedStructure; }
-    bool structureIsPolymorphic() const { return m_structureIsPolymorphic; }
+    bool structureIsPolymorphic() const
+    {
+        return m_structureIsPolymorphic;
+    }
     bool hasDefiniteStructure() const
     {

trunk/Source/JavaScriptCore/jit/JIT.h

@@ -450 +450 @@
         void emitValueProfilingSite() { }
 #endif
+        void emitArrayProfilingSite(RegisterID structureAndIndexingType, RegisterID scratch, ArrayProfile*);
+        void emitArrayProfilingSiteForBytecodeIndex(RegisterID structureAndIndexingType, RegisterID scratch, unsigned bytecodeIndex);
 
         enum FinalObjectMode { MayBeFinal, KnownNotFinal };

trunk/Source/JavaScriptCore/jit/JITInlineMethods.h

@@ -530 +530 @@
     emitValueProfilingSite(m_bytecodeOffset);
 }
-#endif
+#endif // ENABLE(VALUE_PROFILER)
+
+inline void JIT::emitArrayProfilingSite(RegisterID structureAndIndexingType, RegisterID scratch, ArrayProfile* arrayProfile)
+{
+    RegisterID structure = structureAndIndexingType;
+    RegisterID indexingType = structureAndIndexingType;
+    
+    if (canBeOptimized()) {
+        storePtr(structure, arrayProfile->addressOfLastSeenStructure());
+        load8(Address(structure, Structure::indexingTypeOffset()), indexingType);
+        move(TrustedImm32(1), scratch);
+        lshift32(indexingType, scratch);
+        or32(scratch, AbsoluteAddress(arrayProfile->addressOfArrayModes()));
+    } else
+        load8(Address(structure, Structure::indexingTypeOffset()), indexingType);
+}
+
+inline void JIT::emitArrayProfilingSiteForBytecodeIndex(RegisterID structureAndIndexingType, RegisterID scratch, unsigned bytecodeIndex)
+{
+#if ENABLE(VALUE_PROFILER)
+    emitArrayProfilingSite(structureAndIndexingType, scratch, m_codeBlock->getOrAddArrayProfile(bytecodeIndex));
+#else
+    emitArrayProfilingSite(structureAndIndexingType, scratch, 0);
+#endif
+}
 
 #if USE(JSVALUE32_64)

trunk/Source/JavaScriptCore/jit/JITPropertyAccess.cpp

@@ -112 +112 @@
     emitJumpSlowCaseIfNotJSCell(regT0, base);
     loadPtr(Address(regT0, JSCell::structureOffset()), regT2);
-#if ENABLE(VALUE_PROFILER)
-    storePtr(regT2, currentInstruction[4].u.arrayProfile->addressOfLastSeenStructure());
-#endif
-    addSlowCase(branchTest8(Zero, Address(regT2, Structure::indexingTypeOffset()), TrustedImm32(HasArrayStorage)));
+    emitArrayProfilingSite(regT2, regT3, currentInstruction[4].u.arrayProfile);
+    addSlowCase(branchTest32(Zero, regT2, TrustedImm32(HasArrayStorage)));
 
     loadPtr(Address(regT0, JSObject::butterflyOffset()), regT2);
@@ -237 +235 @@
     emitJumpSlowCaseIfNotJSCell(regT0, base);
     loadPtr(Address(regT0, JSCell::structureOffset()), regT2);
-#if ENABLE(VALUE_PROFILER)
-    storePtr(regT2, currentInstruction[4].u.arrayProfile->addressOfLastSeenStructure());
-#endif
-    addSlowCase(branchTest8(Zero, Address(regT2, Structure::indexingTypeOffset()), TrustedImm32(HasArrayStorage)));
+    emitArrayProfilingSite(regT2, regT3, currentInstruction[4].u.arrayProfile);
+    addSlowCase(branchTest32(Zero, regT2, TrustedImm32(HasArrayStorage)));
     loadPtr(Address(regT0, JSObject::butterflyOffset()), regT2);
     addSlowCase(branch32(AboveOrEqual, regT1, Address(regT2, ArrayStorage::vectorLengthOffset())));
@@ -657 +653 @@
 
     // Check eax is an array
-    loadPtr(Address(regT0, JSCell::structureOffset()), regT3);
-#if ENABLE(VALUE_PROFILER)
-    storePtr(regT3, m_codeBlock->getOrAddArrayProfile(stubInfo->bytecodeIndex)->addressOfLastSeenStructure());
-#endif
-    load8(Address(regT3, Structure::indexingTypeOffset()), regT3);
-    Jump failureCases1 = branchTest32(Zero, regT3, TrustedImm32(IsArray));
-    Jump failureCases2 = branchTest32(Zero, regT3, TrustedImm32(HasArrayStorage));
+    loadPtr(Address(regT0, JSCell::structureOffset()), regT2);
+    emitArrayProfilingSiteForBytecodeIndex(regT2, regT1, stubInfo->bytecodeIndex);
+    Jump failureCases1 = branchTest32(Zero, regT2, TrustedImm32(IsArray));
+    Jump failureCases2 = branchTest32(Zero, regT2, TrustedImm32(HasArrayStorage));
 
     // Checks out okay! - get the length from the storage

trunk/Source/JavaScriptCore/jit/JITPropertyAccess32_64.cpp

@@ -211 +211 @@
     emitJumpSlowCaseIfNotJSCell(base, regT1);
     loadPtr(Address(regT0, JSCell::structureOffset()), regT1);
-#if ENABLE(VALUE_PROFILER)
-    storePtr(regT1, currentInstruction[4].u.arrayProfile->addressOfLastSeenStructure());
-#endif
-    addSlowCase(branchTest8(Zero, Address(regT1, Structure::indexingTypeOffset()), TrustedImm32(HasArrayStorage)));
+    emitArrayProfilingSite(regT1, regT3, currentInstruction[4].u.arrayProfile);
+    addSlowCase(branchTest32(Zero, regT1, TrustedImm32(HasArrayStorage)));
     
     loadPtr(Address(regT0, JSObject::butterflyOffset()), regT3);
@@ -270 +268 @@
     emitJumpSlowCaseIfNotJSCell(base, regT1);
     loadPtr(Address(regT0, JSCell::structureOffset()), regT1);
-#if ENABLE(VALUE_PROFILER)
-    storePtr(regT1, currentInstruction[4].u.arrayProfile->addressOfLastSeenStructure());
-#endif
-    addSlowCase(branchTest8(Zero, Address(regT1, Structure::indexingTypeOffset()), TrustedImm32(HasArrayStorage)));
+    emitArrayProfilingSite(regT1, regT3, currentInstruction[4].u.arrayProfile);
+    addSlowCase(branchTest32(Zero, regT1, TrustedImm32(HasArrayStorage)));
     loadPtr(Address(regT0, JSObject::butterflyOffset()), regT3);
     addSlowCase(branch32(AboveOrEqual, regT2, Address(regT3, ArrayStorage::vectorLengthOffset())));
@@ -618 +614 @@
     // Check for array
     loadPtr(Address(regT0, JSCell::structureOffset()), regT2);
-#if ENABLE(VALUE_PROFILER)
-    storePtr(regT2, m_codeBlock->getOrAddArrayProfile(stubInfo->bytecodeIndex)->addressOfLastSeenStructure());
-#endif
-    load8(Address(regT2, Structure::indexingTypeOffset()), regT3);
+    emitArrayProfilingSiteForBytecodeIndex(regT2, regT3, stubInfo->bytecodeIndex);
     Jump failureCases1 = branchTest32(Zero, regT2, TrustedImm32(IsArray));
     Jump failureCases2 = branchTest32(Zero, regT2, TrustedImm32(HasArrayStorage));

trunk/Source/JavaScriptCore/llint/LowLevelInterpreter.asm

@@ -186 +186 @@
             end
         end)
+end
+
+macro arrayProfile(structureAndIndexingType, profile, scratch)
+    const structure = structureAndIndexingType
+    const indexingType = structureAndIndexingType
+    if VALUE_PROFILER
+        storep structure, ArrayProfile::m_lastSeenStructure[profile]
+        loadb Structure::m_indexingType[structure], indexingType
+        move 1, scratch
+        lshifti indexingType, scratch
+        ori scratch, ArrayProfile::m_observedArrayModes[profile]
+    else
+        loadb Structure::m_indexingType[structure], indexingType
+    end
 end
 

trunk/Source/JavaScriptCore/llint/LowLevelInterpreter32_64.asm

@@ -1177 +1177 @@
     loadConstantOrVariablePayload(t0, CellTag, t3, .opGetArrayLengthSlow)
     loadp JSCell::m_structure[t3], t2
-    if VALUE_PROFILER
-        storep t2, ArrayProfile::m_lastSeenStructure[t1]
-    end
-    loadb Structure::m_indexingType[t2], t1
-    btiz t1, IsArray, .opGetArrayLengthSlow
-    btiz t1, HasArrayStorage, .opGetArrayLengthSlow
+    arrayProfile(t2, t1, t0)
+    btiz t2, IsArray, .opGetArrayLengthSlow
+    btiz t2, HasArrayStorage, .opGetArrayLengthSlow
     loadi 4[PC], t1
     loadp 32[PC], t2
@@ -1309 +1306 @@
     traceExecution()
     loadi 8[PC], t2
+    loadConstantOrVariablePayload(t2, CellTag, t0, .opGetByValSlow)
+    loadp JSCell::m_structure[t0], t2
+    loadp 16[PC], t3
+    arrayProfile(t2, t3, t1)
+    btiz t2, HasArrayStorage, .opGetByValSlow
     loadi 12[PC], t3
-    loadConstantOrVariablePayload(t2, CellTag, t0, .opGetByValSlow)
     loadConstantOrVariablePayload(t3, Int32Tag, t1, .opGetByValSlow)
-    loadp JSCell::m_structure[t0], t3
-    loadp 16[PC], t2
-    if VALUE_PROFILER
-        storep t3, ArrayProfile::m_lastSeenStructure[t2]
-    end
-    btpz Structure::m_indexingType[t3], HasArrayStorage, .opGetByValSlow
     loadp JSObject::m_butterfly[t0], t3
     biaeq t1, -sizeof IndexingHeader + IndexingHeader::m_vectorLength[t0], .opGetByValSlow
@@ -1393 +1388 @@
     loadi 4[PC], t0
     loadConstantOrVariablePayload(t0, CellTag, t1, .opPutByValSlow)
+    loadp JSCell::m_structure[t1], t2
+    loadp 16[PC], t0
+    arrayProfile(t2, t0, t3)
+    btiz t2, HasArrayStorage, .opPutByValSlow
     loadi 8[PC], t0
     loadConstantOrVariablePayload(t0, Int32Tag, t2, .opPutByValSlow)
-    loadp JSCell::m_structure[t1], t3
-    loadp 16[PC], t0
-    if VALUE_PROFILER
-        storep t3, ArrayProfile::m_lastSeenStructure[t0]
-    end
-    btpz Structure::m_indexingType[t3], HasArrayStorage, .opPutByValSlow
     loadp JSObject::m_butterfly[t1], t0
     biaeq t2, -sizeof IndexingHeader + IndexingHeader::m_vectorLength[t0], .opPutByValSlow

trunk/Source/JavaScriptCore/llint/LowLevelInterpreter64.asm

@@ -1024 +1024 @@
     loadConstantOrVariableCell(t0, t3, .opGetArrayLengthSlow)
     loadp JSCell::m_structure[t3], t2
-    if VALUE_PROFILER
-        storep t2, ArrayProfile::m_lastSeenStructure[t1]
-    end
-    loadb Structure::m_indexingType[t2], t1
-    btiz t1, IsArray, .opGetArrayLengthSlow
-    btiz t1, HasArrayStorage, .opGetArrayLengthSlow
+    arrayProfile(t2, t1, t0)
+    btiz t2, IsArray, .opGetArrayLengthSlow
+    btiz t2, HasArrayStorage, .opGetArrayLengthSlow
     loadis 8[PB, PC, 8], t1
     loadp 64[PB, PC, 8], t2
@@ -1153 +1150 @@
     traceExecution()
     loadis 16[PB, PC, 8], t2
+    loadConstantOrVariableCell(t2, t0, .opGetByValSlow)
+    loadp JSCell::m_structure[t0], t2
+    loadp 32[PB, PC, 8], t3
+    arrayProfile(t2, t3, t1)
     loadis 24[PB, PC, 8], t3
-    loadConstantOrVariableCell(t2, t0, .opGetByValSlow)
+    btiz t2, HasArrayStorage, .opGetByValSlow
     loadConstantOrVariableInt32(t3, t1, .opGetByValSlow)
     sxi2p t1, t1
-    loadp JSCell::m_structure[t0], t3
-    loadp 32[PB, PC, 8], t2
-    if VALUE_PROFILER
-        storep t3, ArrayProfile::m_lastSeenStructure[t2]
-    end
-    btbz Structure::m_indexingType[t3], HasArrayStorage, .opGetByValSlow
     loadp JSObject::m_butterfly[t0], t3
     biaeq t1, -sizeof IndexingHeader + IndexingHeader::m_vectorLength[t3], .opGetByValSlow
@@ -1236 +1231 @@
     loadis 8[PB, PC, 8], t0
     loadConstantOrVariableCell(t0, t1, .opPutByValSlow)
+    loadp JSCell::m_structure[t1], t2
+    loadp 32[PB, PC, 8], t0
+    arrayProfile(t2, t0, t3)
+    btiz t2, HasArrayStorage, .opPutByValSlow
     loadis 16[PB, PC, 8], t0
     loadConstantOrVariableInt32(t0, t2, .opPutByValSlow)
     sxi2p t2, t2
-    loadp JSCell::m_structure[t1], t3
-    loadp 32[PB, PC, 8], t0
-    if VALUE_PROFILER
-        storep t3, ArrayProfile::m_lastSeenStructure[t0]
-    end
-    btbz Structure::m_indexingType[t3], HasArrayStorage, .opPutByValSlow
     loadp JSObject::m_butterfly[t1], t0
     biaeq t2, -sizeof IndexingHeader + IndexingHeader::m_vectorLength[t0], .opPutByValSlow

trunk/Source/WTF/ChangeLog

@@ +1 @@
+2012-09-17  Filip Pizlo  <fpizlo@apple.com>
+
+        Array profiling has convergence issues
+        https://bugs.webkit.org/show_bug.cgi?id=96891
+
+        Reviewed by Gavin Barraclough.
+
+        Added functions for testing if something is a power of 2.
+
+        * wtf/MathExtras.h:
+        (hasZeroOrOneBitsSet):
+        (hasTwoOrMoreBitsSet):
+
 2012-09-17  Ilya Tikhonovsky  <loislo@chromium.org>
 

trunk/Source/WTF/wtf/MathExtras.h

@@ -295 +295 @@
 }
 
+template<typename T> inline bool hasZeroOrOneBitsSet(T value)
+{
+    return !((value - 1) & value);
+}
+
+template<typename T> inline bool hasTwoOrMoreBitsSet(T value)
+{
+    return !hasZeroOrOneBitsSet(value);
+}
+
 #if !COMPILER(MSVC) && !COMPILER(RVCT) && !OS(SOLARIS)
 using std::isfinite;