Changeset 161072 in webkit

Timestamp:

Dec 25, 2013 3:44:57 PM (10 years ago)

Author:

fpizlo@apple.com

Message:

DFG PhantomArguments shouldn't rely on a dead Phi graph
​https://bugs.webkit.org/show_bug.cgi?id=126218

Source/JavaScriptCore:

Reviewed by Oliver Hunt.

This change dramatically rationalizes our handling of PhantomArguments (i.e.
speculative elision of arguments object allocation).

It's now the case that if we decide that we can elide arguments allocation, we just
turn the arguments-creating node into a PhantomArguments and mark all locals that
it's stored to as being arguments aliases. Being an arguments alias and being a
PhantomArguments means basically the same thing: in DFG execution you have the empty
value, on OSR exit an arguments object is allocated in your place, and all operations
that use the value now just refer directly to the actual arguments in the call frame
header (or the arguments we know that we passed to the call, in case of inlining).

This means that we no longer have arguments simplification creating a dead Phi graph
that then has to be interpreted by the OSR exit logic. That sort of never made any
sense.

This means that PhantomArguments now has a clear story in SSA: basically SSA just
gets rid of the "locals" but everything else is the same.

Finally, this means that we can more easily get rid of forward exiting. As I was
working on the code to get rid of forward exiting, I realized that I'd have to
carefully preserve the special meanings of MovHint and SetLocal in the case of
PhantomArguments. It was really bizarre: even the semantics of MovHint were tied to
our specific treatment of PhantomArguments. After this change this is no longer the
case.

One of the really cool things about this change is that arguments reification now
just becomes a special kind of FlushFormat. This further unifies things: it means
that a MovHint(PhantomArguments) and a SetLocal(PhantomArguments) both have the same
meaning, since both of them dictate that the way we recover the local on exit is by
reifying arguments. Previously, the SetLocal(PhantomArguments) case needed some
special handling to accomplish this.

A downside of this approach is that we will now emit code to store the empty value
into aliased arguments variables, and we will even emit code to load that empty value
as well. As far as I can tell this doesn't cost anything, since PhantomArguments are
most profitable in cases where it allows us to simplify control flow and kill the
arguments locals entirely. Of course, this isn't an issue in SSA form since SSA form
also eliminates the locals.

• dfg/DFGArgumentsSimplificationPhase.cpp:

(JSC::DFG::ArgumentsSimplificationPhase::run):
(JSC::DFG::ArgumentsSimplificationPhase::detypeArgumentsReferencingPhantomChild):

• dfg/DFGFlushFormat.cpp:

(WTF::printInternal):

• dfg/DFGFlushFormat.h:

(JSC::DFG::resultFor):
(JSC::DFG::useKindFor):
(JSC::DFG::dataFormatFor):

• dfg/DFGSpeculativeJIT.cpp:

(JSC::DFG::SpeculativeJIT::compileCurrentBlock):

• dfg/DFGSpeculativeJIT32_64.cpp:

(JSC::DFG::SpeculativeJIT::compile):

• dfg/DFGSpeculativeJIT64.cpp:

(JSC::DFG::SpeculativeJIT::compile):

• dfg/DFGValueSource.h:

(JSC::DFG::ValueSource::ValueSource):
(JSC::DFG::ValueSource::forFlushFormat):

• dfg/DFGVariableAccessData.h:

(JSC::DFG::VariableAccessData::flushFormat):

• ftl/FTLLowerDFGToLLVM.cpp:

(JSC::FTL::LowerDFGToLLVM::buildExitArguments):

LayoutTests:

Reviewed by Oliver Hunt.

Added a test for an obvious case that I don't think we had coverage for in
microbenchmarks. Of course, this case was already covered by more complex tests.

• js/regress/inline-arguments-aliased-access-expected.txt: Added.
• js/regress/inline-arguments-aliased-access.html: Added.
• js/regress/script-tests/inline-arguments-aliased-access.js: Added.

(foo):
(bar):

Location:

trunk

Files:

• LayoutTests/ChangeLog (modified) (1 diff)
• LayoutTests/js/regress/inline-arguments-aliased-access-expected.txt (added)
• LayoutTests/js/regress/inline-arguments-aliased-access.html (added)
• LayoutTests/js/regress/script-tests/inline-arguments-aliased-access.js (added)
• Source/JavaScriptCore/ChangeLog (modified) (1 diff)
• Source/JavaScriptCore/dfg/DFGArgumentsSimplificationPhase.cpp (modified) (11 diffs)
• Source/JavaScriptCore/dfg/DFGFlushFormat.cpp (modified) (1 diff)
• Source/JavaScriptCore/dfg/DFGFlushFormat.h (modified) (4 diffs)
• Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp (modified) (1 diff)
• Source/JavaScriptCore/dfg/DFGSpeculativeJIT32_64.cpp (modified) (3 diffs)
• Source/JavaScriptCore/dfg/DFGSpeculativeJIT64.cpp (modified) (2 diffs)
• Source/JavaScriptCore/dfg/DFGValueSource.h (modified) (2 diffs)
• Source/JavaScriptCore/dfg/DFGVariableAccessData.h (modified) (1 diff)
• Source/JavaScriptCore/ftl/FTLLowerDFGToLLVM.cpp (modified) (1 diff)

trunk/LayoutTests/ChangeLog

@@ +1 @@
+2013-12-25  Filip Pizlo  <fpizlo@apple.com>
+
+        DFG PhantomArguments shouldn't rely on a dead Phi graph
+        https://bugs.webkit.org/show_bug.cgi?id=126218
+
+        Reviewed by Oliver Hunt.
+        
+        Added a test for an obvious case that I don't think we had coverage for in
+        microbenchmarks. Of course, this case was already covered by more complex tests.
+
+        * js/regress/inline-arguments-aliased-access-expected.txt: Added.
+        * js/regress/inline-arguments-aliased-access.html: Added.
+        * js/regress/script-tests/inline-arguments-aliased-access.js: Added.
+        (foo):
+        (bar):
+
 2013-12-25  Dirk Schulze  <krit@webkit.org>
 

trunk/Source/JavaScriptCore/ChangeLog

@@ +1 @@
+2013-12-25  Filip Pizlo  <fpizlo@apple.com>
+
+        DFG PhantomArguments shouldn't rely on a dead Phi graph
+        https://bugs.webkit.org/show_bug.cgi?id=126218
+
+        Reviewed by Oliver Hunt.
+        
+        This change dramatically rationalizes our handling of PhantomArguments (i.e.
+        speculative elision of arguments object allocation).
+        
+        It's now the case that if we decide that we can elide arguments allocation, we just
+        turn the arguments-creating node into a PhantomArguments and mark all locals that
+        it's stored to as being arguments aliases. Being an arguments alias and being a
+        PhantomArguments means basically the same thing: in DFG execution you have the empty
+        value, on OSR exit an arguments object is allocated in your place, and all operations
+        that use the value now just refer directly to the actual arguments in the call frame
+        header (or the arguments we know that we passed to the call, in case of inlining).
+        
+        This means that we no longer have arguments simplification creating a dead Phi graph
+        that then has to be interpreted by the OSR exit logic. That sort of never made any
+        sense.
+        
+        This means that PhantomArguments now has a clear story in SSA: basically SSA just
+        gets rid of the "locals" but everything else is the same.
+        
+        Finally, this means that we can more easily get rid of forward exiting. As I was
+        working on the code to get rid of forward exiting, I realized that I'd have to
+        carefully preserve the special meanings of MovHint and SetLocal in the case of
+        PhantomArguments. It was really bizarre: even the semantics of MovHint were tied to
+        our specific treatment of PhantomArguments. After this change this is no longer the
+        case.
+        
+        One of the really cool things about this change is that arguments reification now
+        just becomes a special kind of FlushFormat. This further unifies things: it means
+        that a MovHint(PhantomArguments) and a SetLocal(PhantomArguments) both have the same
+        meaning, since both of them dictate that the way we recover the local on exit is by
+        reifying arguments. Previously, the SetLocal(PhantomArguments) case needed some
+        special handling to accomplish this.
+        
+        A downside of this approach is that we will now emit code to store the empty value
+        into aliased arguments variables, and we will even emit code to load that empty value
+        as well. As far as I can tell this doesn't cost anything, since PhantomArguments are
+        most profitable in cases where it allows us to simplify control flow and kill the
+        arguments locals entirely. Of course, this isn't an issue in SSA form since SSA form
+        also eliminates the locals.
+
+        * dfg/DFGArgumentsSimplificationPhase.cpp:
+        (JSC::DFG::ArgumentsSimplificationPhase::run):
+        (JSC::DFG::ArgumentsSimplificationPhase::detypeArgumentsReferencingPhantomChild):
+        * dfg/DFGFlushFormat.cpp:
+        (WTF::printInternal):
+        * dfg/DFGFlushFormat.h:
+        (JSC::DFG::resultFor):
+        (JSC::DFG::useKindFor):
+        (JSC::DFG::dataFormatFor):
+        * dfg/DFGSpeculativeJIT.cpp:
+        (JSC::DFG::SpeculativeJIT::compileCurrentBlock):
+        * dfg/DFGSpeculativeJIT32_64.cpp:
+        (JSC::DFG::SpeculativeJIT::compile):
+        * dfg/DFGSpeculativeJIT64.cpp:
+        (JSC::DFG::SpeculativeJIT::compile):
+        * dfg/DFGValueSource.h:
+        (JSC::DFG::ValueSource::ValueSource):
+        (JSC::DFG::ValueSource::forFlushFormat):
+        * dfg/DFGVariableAccessData.h:
+        (JSC::DFG::VariableAccessData::flushFormat):
+        * ftl/FTLLowerDFGToLLVM.cpp:
+        (JSC::FTL::LowerDFGToLLVM::buildExitArguments):
+
 2013-12-23  Oliver Hunt  <oliver@apple.com>
 

trunk/Source/JavaScriptCore/dfg/DFGArgumentsSimplificationPhase.cpp

@@ -396 +396 @@
                         break;
 
-                    ASSERT(!variableAccessData->isCaptured());
-                    
-                    // If this is a store into a VariableAccessData* that is marked as
-                    // arguments aliasing for an InlineCallFrame* that does not create
-                    // arguments, then flag the VariableAccessData as being an
-                    // arguments-aliased. This'll let the OSR exit machinery do the right
-                    // things. Note also that the SetLocal should become dead as soon as
-                    // we replace all uses of this variable with GetMyArgumentsLength and
-                    // GetMyArgumentByVal.
-                    ASSERT(m_argumentsAliasing.find(variableAccessData)->value.isValid());
                     if (variableAccessData->mergeIsArgumentsAlias(true)) {
                         changed = true;
@@ -421 +411 @@
                 }
                     
-                case PhantomLocal: {
-                    VariableAccessData* variableAccessData = node->variableAccessData();
-                    
-                    if (variableAccessData->isCaptured()
-                        || !m_argumentsAliasing.find(variableAccessData)->value.isValid()
-                        || m_createsArguments.contains(node->codeOrigin.inlineCallFrame))
-                        break;
-                    
-                    // Turn PhantomLocals into just GetLocals. This will preserve the threading
-                    // of the local through to this point, but will allow it to die, causing
-                    // only OSR to know about it.
-
-                    node->setOpAndDefaultFlags(GetLocal);
-                    break;
-                }
-
                 case Flush: {
                     VariableAccessData* variableAccessData = node->variableAccessData();
@@ -460 +434 @@
                     //    precisely what we don't want.
                     for (unsigned i = 0; i < AdjacencyList::Size; ++i)
-                        removeArgumentsReferencingPhantomChild(node, i);
+                        detypeArgumentsReferencingPhantomChild(node, i);
                     break;
                 }
@@ -471 +445 @@
                         break;
                     node->convertToPhantom();
-                    node->children.setChild1(Edge());
                     break;
                 }
@@ -489 +462 @@
                         break;
                     
-                    node->children.child1() = node->children.child2();
-                    node->children.child2() = Edge();
+                    insertionSet.insertNode(
+                        indexInBlock, SpecNone, Phantom, node->codeOrigin, node->child1());
+                    
+                    node->child1() = node->child2();
+                    node->child2() = Edge();
                     node->setOpAndDefaultFlags(GetMyArgumentByVal);
                     changed = true;
@@ -504 +480 @@
                         break;
                     
-                    node->children.child1() = Edge();
+                    insertionSet.insertNode(
+                        indexInBlock, SpecNone, Phantom, node->codeOrigin, node->child1());
+                    
+                    node->child1() = Edge();
                     node->setOpAndDefaultFlags(GetMyArgumentsLength);
                     changed = true;
@@ -581 +560 @@
                         codeOrigin);
                     insertionSet.insertNode(
-                        indexInBlock, SpecNone, Phantom, codeOrigin,
-                        children);
+                        indexInBlock, SpecNone, Phantom, codeOrigin, children);
                     
                     changed = true;
@@ -592 +570 @@
                         continue;
                     
-                    node->setOpAndDefaultFlags(Phantom);
-                    node->children.reset();
+                    node->convertToPhantom();
                     break;
                 }
@@ -628 +605 @@
         }
         
+        for (BlockIndex blockIndex = 0; blockIndex < m_graph.numBlocks(); ++blockIndex) {
+            BasicBlock* block = m_graph.block(blockIndex);
+            if (!block)
+                continue;
+            for (unsigned indexInBlock = 0; indexInBlock < block->size(); ++indexInBlock) {
+                Node* node = block->at(indexInBlock);
+                if (node->op() != Phantom)
+                    continue;
+                for (unsigned i = 0; i < AdjacencyList::Size; ++i)
+                    detypeArgumentsReferencingPhantomChild(node, i);
+            }
+        }
+        
         if (changed) {
             m_graph.dethread();
@@ -765 +755 @@
     }
     
-    void removeArgumentsReferencingPhantomChild(Node* node, unsigned edgeIndex)
+    void detypeArgumentsReferencingPhantomChild(Node* node, unsigned edgeIndex)
     {
         Edge edge = node->children.child(edgeIndex);
@@ -772 +762 @@
         
         switch (edge->op()) {
-        case Phi: // Arises if we had CSE on a GetLocal of the arguments register.
-        case GetLocal: // Arises if we had CSE on an arguments access to a variable aliased to the arguments.
-        case SetLocal: { // Arises if we had CSE on a GetLocal of the arguments register.
+        case GetLocal: {
             VariableAccessData* variableAccessData = edge->variableAccessData();
-            bool isDeadArgumentsRegister =
-                variableAccessData->local() ==
-                    m_graph.uncheckedArgumentsRegisterFor(edge->codeOrigin)
-                && !m_createsArguments.contains(edge->codeOrigin.inlineCallFrame);
-            bool isAliasedArgumentsRegister =
-                !variableAccessData->isCaptured()
-                && m_argumentsAliasing.find(variableAccessData)->value.isValid()
-                && !m_createsArguments.contains(edge->codeOrigin.inlineCallFrame);
-            if (!isDeadArgumentsRegister && !isAliasedArgumentsRegister)
+            if (!variableAccessData->isArgumentsAlias())
                 break;
-            node->children.removeEdge(edgeIndex);
+            node->children.child(edgeIndex).setUseKind(UntypedUse);
             break;
         }
             
-        case CreateArguments: { // Arises if we CSE two GetLocals to the arguments register and then CSE the second use of the GetLocal to the first.
-            if (m_createsArguments.contains(edge->codeOrigin.inlineCallFrame))
-                break;
-            node->children.removeEdge(edgeIndex);
+        case PhantomArguments: {
+            node->children.child(edgeIndex).setUseKind(UntypedUse);
             break;
         }

trunk/Source/JavaScriptCore/dfg/DFGFlushFormat.cpp

@@ -57 +57 @@
         out.print("FlushedJSValue");
         return;
+    case FlushedArguments:
+        out.print("FlushedArguments");
+        return;
     case ConflictingFlush:
         out.print("ConflictingFlush");

trunk/Source/JavaScriptCore/dfg/DFGFlushFormat.h

@@ -47 +47 @@
     FlushedBoolean,
     FlushedJSValue,
+    FlushedArguments,
     ConflictingFlush
 };
@@ -57 +58 @@
     case FlushedCell:
     case ConflictingFlush:
+    case FlushedArguments:
         return NodeResultJS;
     case FlushedInt32:
@@ -77 +79 @@
     case FlushedJSValue:
     case ConflictingFlush:
+    case FlushedArguments:
         return UntypedUse;
     case FlushedCell:
@@ -111 +114 @@
     case FlushedBoolean:
         return DataFormatBoolean;
+    case FlushedArguments:
+        return DataFormatArguments;
     }
     RELEASE_ASSERT_NOT_REACHED();

trunk/Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp

@@ -1437 +1437 @@
         VariableAccessData* variable = node->variableAccessData();
         DataFormat format;
-        if (variable->isArgumentsAlias())
-            format = DataFormatArguments;
-        else if (!node->refCount())
+        if (!node->refCount())
             continue; // No need to record dead SetLocal's.
         else

trunk/Source/JavaScriptCore/dfg/DFGSpeculativeJIT32_64.cpp

@@ -1890 +1890 @@
         }
             
-        case FlushedJSValue: {
+        case FlushedJSValue:
+        case FlushedArguments: {
             GPRTemporary result(this);
             GPRTemporary tag(this);
@@ -1976 +1977 @@
         }
             
-        case FlushedJSValue: {
+        case FlushedJSValue:
+        case FlushedArguments: {
             if (generationInfoFromVirtualRegister(node->child1()->virtualRegister()).registerFormat() == DataFormatDouble) {
                 SpeculateDoubleOperand value(this, node->child1(), ManualOperandSpeculation);
@@ -1990 +1992 @@
             noResult(node);
             recordSetLocal(DataFormatJS);
-            
-            // If we're storing an arguments object that has been optimized away,
-            // our variable event stream for OSR exit now reflects the optimized
-            // value (JSValue()). On the slow path, we want an arguments object
-            // instead. We add an additional move hint to show OSR exit that it
-            // needs to reconstruct the arguments object.
-            if (node->child1()->op() == PhantomArguments)
-                compileMovHint(node);
             break;
         }

trunk/Source/JavaScriptCore/dfg/DFGSpeculativeJIT64.cpp

@@ -2300 +2300 @@
         }
             
-        case FlushedJSValue: {
+        case FlushedJSValue:
+        case FlushedArguments: {
             JSValueOperand value(this, node->child1());
             m_jit.store64(value.gpr(), JITCompiler::addressFor(node->machineLocal()));
@@ -2306 +2307 @@
             
             recordSetLocal(DataFormatJS);
-            
-            // If we're storing an arguments object that has been optimized away,
-            // our variable event stream for OSR exit now reflects the optimized
-            // value (JSValue()). On the slow path, we want an arguments object
-            // instead. We add an additional move hint to show OSR exit that it
-            // needs to reconstruct the arguments object.
-            if (node->child1()->op() == PhantomArguments)
-                compileMovHint(node);
             break;
         }

trunk/Source/JavaScriptCore/dfg/DFGValueSource.h

@@ -123 +123 @@
         : m_kind(valueSourceKind)
     {
-        ASSERT(kind() == ArgumentsSource || kind() == SourceIsDead);
+        ASSERT(kind() == ArgumentsSource || kind() == SourceIsDead || kind() == ArgumentsSource);
     }
     
@@ -160 +160 @@
         case FlushedBoolean:
             return ValueSource(BooleanInJSStack, where);
+        case FlushedArguments:
+            return ValueSource(ArgumentsSource);
         }
         RELEASE_ASSERT_NOT_REACHED();

trunk/Source/JavaScriptCore/dfg/DFGVariableAccessData.h

@@ -329 +329 @@
         ASSERT(find() == this);
         
+        if (isArgumentsAlias())
+            return FlushedArguments;
+        
         if (!shouldUnboxIfPossible())
             return FlushedJSValue;

trunk/Source/JavaScriptCore/ftl/FTLLowerDFGToLLVM.cpp

@@ -4210 +4210 @@
                 exit.m_values[i] = ExitValue::inJSStackAsDouble(flush.virtualRegister());
                 break;
+                
+            case FlushedArguments:
+                // FIXME: implement PhantomArguments.
+                // https://bugs.webkit.org/show_bug.cgi?id=113986
+                RELEASE_ASSERT_NOT_REACHED();
+                break;
             }
         }