Changeset 156468 in webkit

Timestamp:

Sep 26, 2013 10:16:47 AM (11 years ago)

Author:

mhahnenberg@apple.com

Message:

op_to_this shouldn't use value profiling
​https://bugs.webkit.org/show_bug.cgi?id=121920

Reviewed by Geoffrey Garen.

Source/JavaScriptCore:

Currently it's the only opcode that uses m_singletonValue, which is unnecessary. Our current plan is
to remove m_singletonValue so that GenGC can have a simpler story for handling CodeBlocks/FunctionExecutables
during nursery collections.

This patch adds an inline cache for the Structure of to_this so it no longer depends on the ValueProfile's
m_singletonValue. Since nobody uses m_singletonValue now, this patch also removes m_singletonValue from
ValueProfile.

• bytecode/CodeBlock.cpp:

(JSC::CodeBlock::CodeBlock):
(JSC::CodeBlock::finalizeUnconditionally):
(JSC::CodeBlock::stronglyVisitStrongReferences):
(JSC::CodeBlock::updateAllPredictionsAndCountLiveness):
(JSC::CodeBlock::updateAllValueProfilePredictions):
(JSC::CodeBlock::updateAllPredictions):
(JSC::CodeBlock::shouldOptimizeNow):

• bytecode/CodeBlock.h:

(JSC::CodeBlock::updateAllValueProfilePredictions):
(JSC::CodeBlock::updateAllPredictions):

• bytecode/LazyOperandValueProfile.cpp:

(JSC::CompressedLazyOperandValueProfileHolder::computeUpdatedPredictions):

• bytecode/LazyOperandValueProfile.h:
• bytecode/ValueProfile.h:

(JSC::ValueProfileBase::ValueProfileBase):
(JSC::ValueProfileBase::briefDescription):
(JSC::ValueProfileBase::dump):
(JSC::ValueProfileBase::computeUpdatedPrediction):

• bytecompiler/BytecodeGenerator.cpp:

(JSC::BytecodeGenerator::BytecodeGenerator):

• dfg/DFGByteCodeParser.cpp:

(JSC::DFG::ByteCodeParser::parseBlock):

• jit/JITOpcodes.cpp:

(JSC::JIT::emit_op_to_this):
(JSC::JIT::emitSlow_op_to_this):

• jit/JITOpcodes32_64.cpp:

(JSC::JIT::emit_op_to_this):
(JSC::JIT::emitSlow_op_to_this):

• llint/LowLevelInterpreter32_64.asm:
• llint/LowLevelInterpreter64.asm:
• runtime/CommonSlowPaths.cpp:

(JSC::SLOW_PATH_DECL):

LayoutTests:

Updated a couple tests that waited for two DFG compiles, but with this patch we
don't do two compiles any more, so we don't want to wait forever.

• js/script-tests/dfg-convert-this-polymorphic-object-then-exit-on-other.js:
• js/script-tests/dfg-convert-this-polymorphic-object-then-exit-on-string.js:

Location:

trunk

Files:

• LayoutTests/ChangeLog (modified) (1 diff)
• LayoutTests/js/script-tests/dfg-convert-this-polymorphic-object-then-exit-on-other.js (modified) (1 diff)
• LayoutTests/js/script-tests/dfg-convert-this-polymorphic-object-then-exit-on-string.js (modified) (1 diff)
• Source/JavaScriptCore/ChangeLog (modified) (1 diff)
• Source/JavaScriptCore/bytecode/CodeBlock.cpp (modified) (7 diffs)
• Source/JavaScriptCore/bytecode/CodeBlock.h (modified) (2 diffs)
• Source/JavaScriptCore/bytecode/LazyOperandValueProfile.cpp (modified) (2 diffs)
• Source/JavaScriptCore/bytecode/LazyOperandValueProfile.h (modified) (1 diff)
• Source/JavaScriptCore/bytecode/ValueProfile.h (modified) (7 diffs)
• Source/JavaScriptCore/bytecompiler/BytecodeGenerator.cpp (modified) (1 diff)
• Source/JavaScriptCore/dfg/DFGByteCodeParser.cpp (modified) (1 diff)
• Source/JavaScriptCore/jit/JITOpcodes.cpp (modified) (2 diffs)
• Source/JavaScriptCore/jit/JITOpcodes32_64.cpp (modified) (3 diffs)
• Source/JavaScriptCore/llint/LowLevelInterpreter32_64.asm (modified) (1 diff)
• Source/JavaScriptCore/llint/LowLevelInterpreter64.asm (modified) (1 diff)
• Source/JavaScriptCore/runtime/CommonSlowPaths.cpp (modified) (1 diff)

trunk/LayoutTests/ChangeLog

@@ +1 @@
+2013-09-26  Mark Hahnenberg  <mhahnenberg@apple.com>
+
+        op_to_this shouldn't use value profiling
+        https://bugs.webkit.org/show_bug.cgi?id=121920
+
+        Reviewed by Geoffrey Garen.
+
+        Updated a couple tests that waited for two DFG compiles, but with this patch we 
+        don't do two compiles any more, so we don't want to wait forever.
+
+        * js/script-tests/dfg-convert-this-polymorphic-object-then-exit-on-other.js:
+        * js/script-tests/dfg-convert-this-polymorphic-object-then-exit-on-string.js:
+
 2013-09-26  Andreas Kling  <akling@apple.com>
 

trunk/LayoutTests/js/script-tests/dfg-convert-this-polymorphic-object-then-exit-on-other.js

@@ -12 +12 @@
 noInline(foo);
 
-for (var i = 0; i < 1000; i = dfgIncrement({f:foo, i:dfgIncrement({f:foo, i:i + 1, n:100}), n:500, compiles:2})) {
+for (var i = 0; i < 1000; i = dfgIncrement({f:foo, i:i + 1, n:500})) {
     var me;
     if (i < 150)

trunk/LayoutTests/js/script-tests/dfg-convert-this-polymorphic-object-then-exit-on-string.js

@@ -14 +14 @@
 noInline(foo);
 
-for (var i = 0; i < 1000; i = dfgIncrement({f:foo, i:dfgIncrement({f:foo, i:i + 1, n:100}), n:500, compiles:2})) {
+for (var i = 0; i < 1000; i = dfgIncrement({f:foo, i:i + 1, n:500})) {
     var me;
     if (i < 150)

trunk/Source/JavaScriptCore/ChangeLog

@@ +1 @@
+2013-09-26  Mark Hahnenberg  <mhahnenberg@apple.com>
+
+        op_to_this shouldn't use value profiling
+        https://bugs.webkit.org/show_bug.cgi?id=121920
+
+        Reviewed by Geoffrey Garen.
+
+        Currently it's the only opcode that uses m_singletonValue, which is unnecessary. Our current plan is 
+        to remove m_singletonValue so that GenGC can have a simpler story for handling CodeBlocks/FunctionExecutables 
+        during nursery collections.
+
+        This patch adds an inline cache for the Structure of to_this so it no longer depends on the ValueProfile's
+        m_singletonValue. Since nobody uses m_singletonValue now, this patch also removes m_singletonValue from
+        ValueProfile.
+
+        * bytecode/CodeBlock.cpp:
+        (JSC::CodeBlock::CodeBlock):
+        (JSC::CodeBlock::finalizeUnconditionally):
+        (JSC::CodeBlock::stronglyVisitStrongReferences):
+        (JSC::CodeBlock::updateAllPredictionsAndCountLiveness):
+        (JSC::CodeBlock::updateAllValueProfilePredictions):
+        (JSC::CodeBlock::updateAllPredictions):
+        (JSC::CodeBlock::shouldOptimizeNow):
+        * bytecode/CodeBlock.h:
+        (JSC::CodeBlock::updateAllValueProfilePredictions):
+        (JSC::CodeBlock::updateAllPredictions):
+        * bytecode/LazyOperandValueProfile.cpp:
+        (JSC::CompressedLazyOperandValueProfileHolder::computeUpdatedPredictions):
+        * bytecode/LazyOperandValueProfile.h:
+        * bytecode/ValueProfile.h:
+        (JSC::ValueProfileBase::ValueProfileBase):
+        (JSC::ValueProfileBase::briefDescription):
+        (JSC::ValueProfileBase::dump):
+        (JSC::ValueProfileBase::computeUpdatedPrediction):
+        * bytecompiler/BytecodeGenerator.cpp:
+        (JSC::BytecodeGenerator::BytecodeGenerator):
+        * dfg/DFGByteCodeParser.cpp:
+        (JSC::DFG::ByteCodeParser::parseBlock):
+        * jit/JITOpcodes.cpp:
+        (JSC::JIT::emit_op_to_this):
+        (JSC::JIT::emitSlow_op_to_this):
+        * jit/JITOpcodes32_64.cpp:
+        (JSC::JIT::emit_op_to_this):
+        (JSC::JIT::emitSlow_op_to_this):
+        * llint/LowLevelInterpreter32_64.asm:
+        * llint/LowLevelInterpreter64.asm:
+        * runtime/CommonSlowPaths.cpp:
+        (JSC::SLOW_PATH_DECL):
+
 2013-09-25  Oliver Hunt  <oliver@apple.com>
 

trunk/Source/JavaScriptCore/bytecode/CodeBlock.cpp

@@ -1735 +1735 @@
             // fallthrough
         }
-        case op_to_this:
         case op_get_by_id:
         case op_call_varargs: {
@@ -2239 +2238 @@
             case op_get_array_length:
                 break;
+            case op_to_this:
+                if (!curInstruction[2].u.structure || Heap::isMarked(curInstruction[2].u.structure.get()))
+                    break;
+                if (Options::verboseOSR())
+                    dataLogF("Clearing LLInt to_this with structure %p.\n", curInstruction[2].u.structure.get());
+                curInstruction[2].u.structure.clear();
+                break;
             case op_get_callee:
                 if (!curInstruction[2].u.jsCell || Heap::isMarked(curInstruction[2].u.jsCell.get()))
@@ -2419 +2425 @@
         m_objectAllocationProfiles[i].visitAggregate(visitor);
 
-    updateAllPredictions(Collection);
+    updateAllPredictions();
 }
 
@@ -3094 +3100 @@
 }
 
-void CodeBlock::updateAllPredictionsAndCountLiveness(
-    HeapOperation operation, unsigned& numberOfLiveNonArgumentValueProfiles, unsigned& numberOfSamplesInProfiles)
+void CodeBlock::updateAllPredictionsAndCountLiveness(unsigned& numberOfLiveNonArgumentValueProfiles, unsigned& numberOfSamplesInProfiles)
 {
     ConcurrentJITLocker locker(m_lock);
@@ -3108 +3113 @@
         numberOfSamplesInProfiles += numSamples;
         if (profile->m_bytecodeOffset < 0) {
-            profile->computeUpdatedPrediction(locker, operation);
+            profile->computeUpdatedPrediction(locker);
             continue;
         }
         if (profile->numberOfSamples() || profile->m_prediction != SpecNone)
             numberOfLiveNonArgumentValueProfiles++;
-        profile->computeUpdatedPrediction(locker, operation);
+        profile->computeUpdatedPrediction(locker);
     }
     
 #if ENABLE(DFG_JIT)
-    m_lazyOperandValueProfiles.computeUpdatedPredictions(locker, operation);
-#endif
-}
-
-void CodeBlock::updateAllValueProfilePredictions(HeapOperation operation)
+    m_lazyOperandValueProfiles.computeUpdatedPredictions(locker);
+#endif
+}
+
+void CodeBlock::updateAllValueProfilePredictions()
 {
     unsigned ignoredValue1, ignoredValue2;
-    updateAllPredictionsAndCountLiveness(operation, ignoredValue1, ignoredValue2);
+    updateAllPredictionsAndCountLiveness(ignoredValue1, ignoredValue2);
 }
 
@@ -3139 +3144 @@
 }
 
-void CodeBlock::updateAllPredictions(HeapOperation operation)
-{
-    updateAllValueProfilePredictions(operation);
+void CodeBlock::updateAllPredictions()
+{
+    updateAllValueProfilePredictions();
     updateAllArrayPredictions();
 }
@@ -3161 +3166 @@
     unsigned numberOfLiveNonArgumentValueProfiles;
     unsigned numberOfSamplesInProfiles;
-    updateAllPredictionsAndCountLiveness(NoOperation, numberOfLiveNonArgumentValueProfiles, numberOfSamplesInProfiles);
+    updateAllPredictionsAndCountLiveness(numberOfLiveNonArgumentValueProfiles, numberOfSamplesInProfiles);
 
     if (Options::verboseOSR()) {

trunk/Source/JavaScriptCore/bytecode/CodeBlock.h

@@ -871 +871 @@
 #if ENABLE(VALUE_PROFILER)
     bool shouldOptimizeNow();
-    void updateAllValueProfilePredictions(HeapOperation = NoOperation);
+    void updateAllValueProfilePredictions();
     void updateAllArrayPredictions();
-    void updateAllPredictions(HeapOperation = NoOperation);
+    void updateAllPredictions();
 #else
     bool updateAllPredictionsAndCheckIfShouldOptimizeNow() { return false; }
-    void updateAllValueProfilePredictions(HeapOperation = NoOperation) { }
+    void updateAllValueProfilePredictions() { }
     void updateAllArrayPredictions() { }
-    void updateAllPredictions(HeapOperation = NoOperation) { }
+    void updateAllPredictions() { }
 #endif
 
@@ -942 +942 @@
         
 #if ENABLE(VALUE_PROFILER)
-    void updateAllPredictionsAndCountLiveness(HeapOperation, unsigned& numberOfLiveNonArgumentValueProfiles, unsigned& numberOfSamplesInProfiles);
+    void updateAllPredictionsAndCountLiveness(unsigned& numberOfLiveNonArgumentValueProfiles, unsigned& numberOfSamplesInProfiles);
 #endif
 

trunk/Source/JavaScriptCore/bytecode/LazyOperandValueProfile.cpp

@@ -36 +36 @@
 CompressedLazyOperandValueProfileHolder::~CompressedLazyOperandValueProfileHolder() { }
 
-void CompressedLazyOperandValueProfileHolder::computeUpdatedPredictions(const ConcurrentJITLocker& locker, HeapOperation operation)
+void CompressedLazyOperandValueProfileHolder::computeUpdatedPredictions(const ConcurrentJITLocker& locker)
 {
     if (!m_data)
@@ -42 +42 @@
     
     for (unsigned i = 0; i < m_data->size(); ++i)
-        m_data->at(i).computeUpdatedPrediction(locker, operation);
+        m_data->at(i).computeUpdatedPrediction(locker);
 }
 

trunk/Source/JavaScriptCore/bytecode/LazyOperandValueProfile.h

@@ -158 +158 @@
     ~CompressedLazyOperandValueProfileHolder();
     
-    void computeUpdatedPredictions(const ConcurrentJITLocker&, HeapOperation);
+    void computeUpdatedPredictions(const ConcurrentJITLocker&);
     
     LazyOperandValueProfile* add(

trunk/Source/JavaScriptCore/bytecode/ValueProfile.h

@@ -56 +56 @@
         , m_prediction(SpecNone)
         , m_numberOfSamplesInPrediction(0)
-        , m_singletonValueIsTop(false)
     {
         for (unsigned i = 0; i < totalNumberOfBuckets; ++i)
@@ -66 +65 @@
         , m_prediction(SpecNone)
         , m_numberOfSamplesInPrediction(0)
-        , m_singletonValueIsTop(false)
     {
         for (unsigned i = 0; i < totalNumberOfBuckets; ++i)
@@ -118 +116 @@
         
         StringPrintStream out;
-        
-        if (m_singletonValueIsTop)
-            out.print("predicting ", SpeculationDump(m_prediction));
-        else if (m_singletonValue)
-            out.print("predicting ", m_singletonValue);
-        
+        out.print("predicting ", SpeculationDump(m_prediction));
         return out.toCString();
     }
@@ -130 +123 @@
     {
         out.print("samples = ", totalNumberOfSamples(), " prediction = ", SpeculationDump(m_prediction));
-        out.printf(", value = ");
-        if (m_singletonValueIsTop)
-            out.printf("TOP");
-        else
-            out.print(m_singletonValue);
         bool first = true;
         for (unsigned i = 0; i < totalNumberOfBuckets; ++i) {
@@ -151 +139 @@
     // Updates the prediction and returns the new one. Never call this from any thread
     // that isn't executing the code.
-    SpeculatedType computeUpdatedPrediction(const ConcurrentJITLocker&, HeapOperation operation = NoOperation)
+    SpeculatedType computeUpdatedPrediction(const ConcurrentJITLocker&)
     {
         for (unsigned i = 0; i < totalNumberOfBuckets; ++i) {
@@ -161 +149 @@
             mergeSpeculation(m_prediction, speculationFromValue(value));
             
-            if (!m_singletonValueIsTop && !!value) {
-                if (!m_singletonValue)
-                    m_singletonValue = value;
-                else if (m_singletonValue != value)
-                    m_singletonValueIsTop = true;
-            }
-            
             m_buckets[i] = JSValue::encode(JSValue());
         }
         
-        if (operation == Collection
-            && !m_singletonValueIsTop
-            && !!m_singletonValue
-            && m_singletonValue.isCell()
-            && !Heap::isMarked(m_singletonValue.asCell()))
-            m_singletonValueIsTop = true;
-            
         return m_prediction;
     }
@@ -186 +160 @@
     unsigned m_numberOfSamplesInPrediction;
     
-    bool m_singletonValueIsTop;
-    JSValue m_singletonValue;
-
     EncodedJSValue m_buckets[totalNumberOfBuckets];
 };

trunk/Source/JavaScriptCore/bytecompiler/BytecodeGenerator.cpp

@@ -388 +388 @@
         emitCreateThis(&m_thisRegister);
     } else if (functionBody->usesThis() || codeBlock->usesEval() || m_shouldEmitDebugHooks) {
-        UnlinkedValueProfile profile = emitProfiledOpcode(op_to_this);
+        emitOpcode(op_to_this);
         instructions().append(kill(&m_thisRegister));
-        instructions().append(profile);
+        instructions().append(0);
     }
     for (size_t i = 0; i < deconstructedParameters.size(); i++) {

trunk/Source/JavaScriptCore/dfg/DFGByteCodeParser.cpp

@@ -1906 +1906 @@
             Node* op1 = getThis();
             if (op1->op() != ToThis) {
-                ConcurrentJITLocker locker(m_inlineStackTop->m_profiledBlock->m_lock);
-                ValueProfile* profile =
-                    m_inlineStackTop->m_profiledBlock->valueProfileForBytecodeOffset(m_currentIndex);
-                profile->computeUpdatedPrediction(locker);
-#if DFG_ENABLE(DEBUG_VERBOSE)
-                dataLogF("[bc#%u]: profile %p: ", m_currentIndex, profile);
-                profile->dump(WTF::dataFile());
-                dataLogF("\n");
-#endif
-                if (profile->m_singletonValueIsTop
-                    || !profile->m_singletonValue
-                    || !profile->m_singletonValue.isCell()
-                    || profile->m_singletonValue.asCell()->classInfo() != Structure::info()
-                    || static_cast<Structure*>(profile->m_singletonValue.asCell())->classInfo()->methodTable.toThis != JSObject::info()->methodTable.toThis)
+                Structure* cachedStructure = currentInstruction[2].u.structure.get();
+                if (!cachedStructure
+                    || cachedStructure->classInfo()->methodTable.toThis != JSObject::info()->methodTable.toThis
+                    || m_inlineStackTop->m_profiledBlock->couldTakeSlowCase(m_currentIndex)
+                    || m_inlineStackTop->m_exitProfile.hasExitSite(m_currentIndex, BadCache)) {
                     setThis(addToGraph(ToThis, op1));
-                else {
+                } else {
                     addToGraph(
                         CheckStructure,
-                        OpInfo(m_graph.addStructureSet(jsCast<Structure*>(profile->m_singletonValue.asCell()))),
+                        OpInfo(m_graph.addStructureSet(cachedStructure)),
                         op1);
                 }

trunk/Source/JavaScriptCore/jit/JITOpcodes.cpp

@@ -866 +866 @@
 void JIT::emit_op_to_this(Instruction* currentInstruction)
 {
+    WriteBarrierBase<Structure>* cachedStructure = &currentInstruction[2].u.structure;
     emitGetVirtualRegister(currentInstruction[1].u.operand, regT1);
 
     emitJumpSlowCaseIfNotJSCell(regT1);
     loadPtr(Address(regT1, JSCell::structureOffset()), regT0);
-    if (shouldEmitProfiling())
-        emitValueProfilingSite(regT4);
 
     addSlowCase(branch8(NotEqual, Address(regT0, Structure::typeInfoTypeOffset()), TrustedImm32(FinalObjectType)));
+    loadPtr(cachedStructure, regT2);
+    addSlowCase(branchPtr(NotEqual, regT0, regT2));
 }
 
@@ -944 +945 @@
 void JIT::emitSlow_op_to_this(Instruction* currentInstruction, Vector<SlowCaseEntry>::iterator& iter)
 {
+    linkSlowCase(iter);
     linkSlowCase(iter);
     linkSlowCase(iter);

trunk/Source/JavaScriptCore/jit/JITOpcodes32_64.cpp

@@ -1181 +1181 @@
 void JIT::emit_op_to_this(Instruction* currentInstruction)
 {
+    WriteBarrierBase<Structure>* cachedStructure = &currentInstruction[2].u.structure;
     int thisRegister = currentInstruction[1].u.operand;
 
@@ -1187 +1188 @@
     addSlowCase(branch32(NotEqual, regT3, TrustedImm32(JSValue::CellTag)));
     loadPtr(Address(regT2, JSCell::structureOffset()), regT0);
-    if (shouldEmitProfiling()) {
-        move(regT3, regT1);
-        emitValueProfilingSite(regT4);
-    }
     addSlowCase(branch8(NotEqual, Address(regT0, Structure::typeInfoTypeOffset()), TrustedImm32(FinalObjectType)));
+    loadPtr(cachedStructure, regT2);
+    addSlowCase(branchPtr(NotEqual, regT0, regT2));
 }
 
@@ -1197 +1196 @@
 {
     int dst = currentInstruction[1].u.operand;
+    linkSlowCase(iter);
     linkSlowCase(iter);
     linkSlowCase(iter);

trunk/Source/JavaScriptCore/llint/LowLevelInterpreter32_64.asm

@@ -432 +432 @@
     loadp JSCell::m_structure[t0], t0
     bbneq Structure::m_typeInfo + TypeInfo::m_type[t0], FinalObjectType, .opToThisSlow
-    valueProfile(CellTag, t0, 8, t1)
+    loadpFromInstruction(2, t2)
+    bpneq t0, t2, .opToThisSlow
     dispatch(3)
 

trunk/Source/JavaScriptCore/llint/LowLevelInterpreter64.asm

@@ -312 +312 @@
     loadp JSCell::m_structure[t0], t0
     bbneq Structure::m_typeInfo + TypeInfo::m_type[t0], FinalObjectType, .opToThisSlow
-    valueProfile(t0, 2, t1)
+    loadpFromInstruction(2, t2)
+    bpneq t0, t2, .opToThisSlow
     dispatch(3)
 

trunk/Source/JavaScriptCore/runtime/CommonSlowPaths.cpp

@@ -231 +231 @@
     BEGIN();
     JSValue v1 = OP(1).jsValue();
-#if ENABLE(VALUE_PROFILER)
-    pc[OPCODE_LENGTH(op_to_this) - 1].u.profile->m_buckets[0] =
-        JSValue::encode(v1.structureOrUndefined());
-#endif
+    if (v1.isCell())
+        pc[2].u.structure.set(exec->vm(), exec->codeBlock()->ownerExecutable(), v1.asCell()->structure());
+    else
+        pc[2].u.structure.clear();
     RETURN(v1.toThis(exec, exec->codeBlock()->isStrictMode() ? StrictMode : NotStrictMode));
 }