Changeset 206314 in webkit

Timestamp:

Sep 23, 2016 11:09:44 AM (8 years ago)

Author:

fpizlo@apple.com

Message:

Source/JavaScriptCore:
Need a store-load fence between setting cell state and visiting the object in SlotVisitor
​https://bugs.webkit.org/show_bug.cgi?id=162354

Reviewed by Mark Lam.

This was meant to be a small change, but then it became bigger as I found small
opportunities for improving this code. This adds a store-load fence and is performance-
neutral. That's probably partly due to other optimizations that I did to visitChildren().

Initially, I found that adding an mfence as a store-load fence was terribly expensive. So,
I thought that I needed to buffer up a bunch of objects, set their states, do one mfence,
and then visit all of them. This seemed like a win, so I went with it. Unfortunately, this
made no sense for two reasons:

• I shouldn't use mfence. I should use ortop (lock orl $0, (%rsp)) instead. Ortop is basically free, and it's what WTF now uses for storeLoadFence().

• My data saying that buffering up objects was not a slow-down was wrong. That was actually almost as expensive as the mfence.

But in order to implement that, I made some other improvements that I think we should stick
with:

• SlotVisitor::visitChildren() now uses a switch on type. This replaces what used to be some nasty ClassInfo look-ups.

• We no longer save the object's old CellState. We would do that so that we would know what state the object had been before we blackened it. But I believe that the more logical solution is to have two kinds of black - one for black-for-the-first-time objects and one for repeat offenders. This is a lot easier to reason about, since you can now just figure this out by looking at the cell directly.

The latter change meant rewiring a bunch of barriers. It didn't make them any more
expensive.

• ftl/FTLLowerDFGToB3.cpp:

(JSC::FTL::DFG::LowerDFGToB3::emitStoreBarrier):

• heap/CellState.h:

(JSC::blacken):

• heap/Heap.cpp:

(JSC::Heap::addToRememberedSet):

• heap/Heap.h:
• heap/HeapInlines.h:

(JSC::Heap::writeBarrier):
(JSC::Heap::reportExtraMemoryVisited):
(JSC::Heap::reportExternalMemoryVisited):

• heap/MarkStack.cpp:
• heap/MarkStack.h:
• heap/SlotVisitor.cpp:

(JSC::SlotVisitor::visitChildren):

• heap/SlotVisitor.h:
• heap/SlotVisitorInlines.h:

(JSC::SlotVisitor::reportExtraMemoryVisited):
(JSC::SlotVisitor::reportExternalMemoryVisited):

• jit/AssemblyHelpers.h:

(JSC::AssemblyHelpers::jumpIfIsRememberedOrInEden):

• llint/LLIntData.cpp:

(JSC::LLInt::Data::performAssertions):

• llint/LowLevelInterpreter.asm:
• llint/LowLevelInterpreter32_64.asm:
• llint/LowLevelInterpreter64.asm:
• runtime/JSObject.h:

(JSC::isJSFinalObject):

Source/WTF:
REGRESSION(r194387): Crash on github.com in IntlDateTimeFormat::resolvedOptions in C locale
​https://bugs.webkit.org/show_bug.cgi?id=162139

Patch by Carlos Garcia Campos <​cgarcia@igalia.com> on 2016-09-23
Reviewed by Michael Catanzaro.

Handle the case of "C" or "POSIX" locale and use "en-US" as default. That matches what ICU and other ports do,
as well as what layout tests expect (some tests like js/intl-collator.html pass in the bots only because we use
en-US as system locale in those bots).

• wtf/PlatformUserPreferredLanguagesUnix.cpp:

(WTF::platformLanguage):

Location:

trunk/Source

Files:

• JavaScriptCore/ChangeLog (modified) (1 diff)
• JavaScriptCore/ftl/FTLLowerDFGToB3.cpp (modified) (1 diff)
• JavaScriptCore/heap/CellState.h (modified) (2 diffs)
• JavaScriptCore/heap/Heap.cpp (modified) (2 diffs)
• JavaScriptCore/heap/Heap.h (modified) (1 diff)
• JavaScriptCore/heap/HeapInlines.h (modified) (4 diffs)
• JavaScriptCore/heap/MarkStack.cpp (modified) (1 diff)
• JavaScriptCore/heap/MarkStack.h (modified) (1 diff)
• JavaScriptCore/heap/SlotVisitor.cpp (modified) (3 diffs)
• JavaScriptCore/heap/SlotVisitor.h (modified) (1 diff)
• JavaScriptCore/heap/SlotVisitorInlines.h (modified) (2 diffs)
• JavaScriptCore/jit/AssemblyHelpers.h (modified) (2 diffs)
• JavaScriptCore/llint/LLIntData.cpp (modified) (1 diff)
• JavaScriptCore/llint/LowLevelInterpreter.asm (modified) (2 diffs)
• JavaScriptCore/llint/LowLevelInterpreter32_64.asm (modified) (4 diffs)
• JavaScriptCore/llint/LowLevelInterpreter64.asm (modified) (3 diffs)
• JavaScriptCore/runtime/JSObject.h (modified) (1 diff)
• WTF/ChangeLog (modified) (1 diff)
• WTF/wtf/Atomics.h (modified) (1 diff)

trunk/Source/JavaScriptCore/ChangeLog

@@ +1 @@
+2016-09-22  Filip Pizlo  <fpizlo@apple.com>
+
+        Need a store-load fence between setting cell state and visiting the object in SlotVisitor
+        https://bugs.webkit.org/show_bug.cgi?id=162354
+
+        Reviewed by Mark Lam.
+        
+        This was meant to be a small change, but then it became bigger as I found small
+        opportunities for improving this code. This adds a store-load fence and is performance-
+        neutral. That's probably partly due to other optimizations that I did to visitChildren().
+        
+        Initially, I found that adding an mfence as a store-load fence was terribly expensive. So,
+        I thought that I needed to buffer up a bunch of objects, set their states, do one mfence,
+        and then visit all of them. This seemed like a win, so I went with it. Unfortunately, this
+        made no sense for two reasons:
+        
+        - I shouldn't use mfence. I should use ortop (lock orl $0, (%rsp)) instead. Ortop is
+          basically free, and it's what WTF now uses for storeLoadFence().
+        
+        - My data saying that buffering up objects was not a slow-down was wrong. That was actually
+          almost as expensive as the mfence.
+        
+        But in order to implement that, I made some other improvements that I think we should stick
+        with:
+        
+        - SlotVisitor::visitChildren() now uses a switch on type. This replaces what used to be
+          some nasty ClassInfo look-ups.
+        
+        - We no longer save the object's old CellState. We would do that so that we would know what
+          state the object had been before we blackened it. But I believe that the more logical
+          solution is to have two kinds of black - one for black-for-the-first-time objects and one
+          for repeat offenders. This is a lot easier to reason about, since you can now just figure
+          this out by looking at the cell directly.
+        
+        The latter change meant rewiring a bunch of barriers. It didn't make them any more
+        expensive.
+
+        * ftl/FTLLowerDFGToB3.cpp:
+        (JSC::FTL::DFG::LowerDFGToB3::emitStoreBarrier):
+        * heap/CellState.h:
+        (JSC::blacken):
+        * heap/Heap.cpp:
+        (JSC::Heap::addToRememberedSet):
+        * heap/Heap.h:
+        * heap/HeapInlines.h:
+        (JSC::Heap::writeBarrier):
+        (JSC::Heap::reportExtraMemoryVisited):
+        (JSC::Heap::reportExternalMemoryVisited):
+        * heap/MarkStack.cpp:
+        * heap/MarkStack.h:
+        * heap/SlotVisitor.cpp:
+        (JSC::SlotVisitor::visitChildren):
+        * heap/SlotVisitor.h:
+        * heap/SlotVisitorInlines.h:
+        (JSC::SlotVisitor::reportExtraMemoryVisited):
+        (JSC::SlotVisitor::reportExternalMemoryVisited):
+        * jit/AssemblyHelpers.h:
+        (JSC::AssemblyHelpers::jumpIfIsRememberedOrInEden):
+        * llint/LLIntData.cpp:
+        (JSC::LLInt::Data::performAssertions):
+        * llint/LowLevelInterpreter.asm:
+        * llint/LowLevelInterpreter32_64.asm:
+        * llint/LowLevelInterpreter64.asm:
+        * runtime/JSObject.h:
+        (JSC::isJSFinalObject):
+
 2016-09-23  Csaba Osztrogonác  <ossy@webkit.org>
 

trunk/Source/JavaScriptCore/ftl/FTLLowerDFGToB3.cpp

@@ -11436 +11436 @@
 
         m_out.branch(
-            m_out.notZero32(loadCellState(base)), usually(continuation), rarely(slowPath));
+            m_out.above(loadCellState(base), m_out.constInt32(blackThreshold)),
+            usually(continuation), rarely(slowPath));
 
         LBasicBlock lastNext = m_out.appendTo(slowPath, continuation);

trunk/Source/JavaScriptCore/heap/CellState.h

@@ -1 +1 @@
 /*
- * Copyright (C) 2015 Apple Inc. All rights reserved.
+ * Copyright (C) 2015-2016 Apple Inc. All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
@@ -27 +27 @@
 #define CellState_h
 
+#include <wtf/Assertions.h>
+
 namespace JSC {
 
 enum class CellState : uint8_t {
-    // The object is black as far as this GC is concerned. When not in GC, this just means that it's an
-    // old gen object. Note that we deliberately arrange OldBlack to be zero, so that the store barrier on
-    // a target object "from" is just:
-    //
-    // if (!from->cellState())
-    //     slowPath(from);
-    //
-    // There is a bunch of code in the LLInt and JITs that rely on this being the case. You'd have to
-    // change a lot of code if you ever wanted the store barrier to be anything but a non-zero check on
-    // cellState.
-    OldBlack = 0,
+    // The object is black for the first time during this GC.
+    NewBlack = 0,
+    
+    // The object is black for the Nth time during this full GC cycle (N > 1). An object may get to
+    // this state if it transitions from black back to grey during a concurrent GC, or because it
+    // wound up in the remembered set because of a generational barrier.
+    OldBlack = 1,
     
     // The object is in eden. During GC, this means that the object has not been marked yet.
-    NewWhite = 1,
+    NewWhite = 2,
+
+    // The object is grey - i.e. it will be scanned - and this is the first time in this GC that we are
+    // going to scan it. If this is an eden GC, this also means that the object is in eden.
+    NewGrey = 3,
 
     // The object is grey - i.e. it will be scanned - but it either belongs to old gen (if this is eden
     // GC) or it is grey a second time in this current GC (because a concurrent store barrier requested
     // re-greying).
-    OldGrey = 2,
+    OldGrey = 4
+};
 
-    // The object is grey - i.e. it will be scanned - and this is the first time in this GC that we are
-    // going to scan it. If this is an eden GC, this also means that the object is in eden.
-    NewGrey = 3
-};
+static const unsigned blackThreshold = 1; // x <= blackThreshold means x is black.
+
+inline bool isBlack(CellState cellState)
+{
+    return static_cast<unsigned>(cellState) <= blackThreshold;
+}
+
+inline CellState blacken(CellState cellState)
+{
+    if (cellState == CellState::NewGrey)
+        return CellState::NewBlack;
+    ASSERT(cellState == CellState::NewBlack || cellState == CellState::OldBlack || cellState == CellState::OldGrey);
+    return CellState::OldBlack;
+}
 
 } // namespace JSC

trunk/Source/JavaScriptCore/heap/Heap.cpp

@@ -29 +29 @@
 #include "GCActivityCallback.h"
 #include "GCIncomingRefCountedSetInlines.h"
+#include "GCSegmentedArrayInlines.h"
 #include "GCTypeMap.h"
 #include "HasOwnPropertyCache.h"
@@ -915 +916 @@
     ASSERT(cell);
     ASSERT(!Options::useConcurrentJIT() || !isCompilationThread());
-    ASSERT(cell->cellState() == CellState::OldBlack);
+    ASSERT(isBlack(cell->cellState()));
     // Indicate that this object is grey and that it's one of the following:
     // - A re-greyed object during a concurrent collection.

trunk/Source/JavaScriptCore/heap/Heap.h

@@ -176 +176 @@
     // memory growth.
     void reportExtraMemoryAllocated(size_t);
-    void reportExtraMemoryVisited(CellState cellStateBeforeVisiting, size_t);
+    void reportExtraMemoryVisited(JSCell*, size_t);
 
 #if ENABLE(RESOURCE_USAGE)
     // Use this API to report the subset of extra memory that lives outside this process.
-    void reportExternalMemoryVisited(CellState cellStateBeforeVisiting, size_t);
+    void reportExternalMemoryVisited(JSCell*, size_t);
     size_t externalMemorySize() { return m_externalMemorySize; }
 #endif

trunk/Source/JavaScriptCore/heap/HeapInlines.h

@@ -126 +126 @@
     WriteBarrierCounters::countWriteBarrier();
 #endif
-    if (!from || from->cellState() != CellState::OldBlack)
+    if (!from || !isBlack(from->cellState()))
         return;
     if (!to || to->cellState() != CellState::NewWhite)
@@ -136 +136 @@
 {
     ASSERT_GC_OBJECT_LOOKS_VALID(const_cast<JSCell*>(from));
-    if (!from || from->cellState() != CellState::OldBlack)
+    if (!from || !isBlack(from->cellState()))
         return;
     addToRememberedSet(from);
@@ -147 +147 @@
 }
 
-inline void Heap::reportExtraMemoryVisited(CellState dataBeforeVisiting, size_t size)
+inline void Heap::reportExtraMemoryVisited(JSCell* cell, size_t size)
 {
     // We don't want to double-count the extra memory that was reported in previous collections.
-    if (operationInProgress() == EdenCollection && dataBeforeVisiting == CellState::OldGrey)
+    if (operationInProgress() == EdenCollection && cell->cellState() == CellState::OldBlack)
         return;
 
@@ -163 +163 @@
 
 #if ENABLE(RESOURCE_USAGE)
-inline void Heap::reportExternalMemoryVisited(CellState dataBeforeVisiting, size_t size)
+inline void Heap::reportExternalMemoryVisited(JSCell* cell, size_t size)
 {
     // We don't want to double-count the external memory that was reported in previous collections.
-    if (operationInProgress() == EdenCollection && dataBeforeVisiting == CellState::OldGrey)
+    if (operationInProgress() == EdenCollection && cell->cellState() == CellState::OldBlack)
         return;
 

trunk/Source/JavaScriptCore/heap/MarkStack.cpp

@@ -27 +27 @@
 #include "MarkStack.h"
 
+#include "GCSegmentedArrayInlines.h"
 #include "JSCInlines.h"
 

trunk/Source/JavaScriptCore/heap/MarkStack.h

@@ -27 +27 @@
 #define MarkStack_h
 
-#include "GCSegmentedArrayInlines.h"
+#include "GCSegmentedArray.h"
 
 namespace JSC {

trunk/Source/JavaScriptCore/heap/SlotVisitor.cpp

@@ -26 +26 @@
 #include "config.h"
 #include "SlotVisitor.h"
-#include "SlotVisitorInlines.h"
 
 #include "ConservativeRoots.h"
+#include "GCSegmentedArrayInlines.h"
 #include "HeapCellInlines.h"
 #include "HeapProfiler.h"
@@ -37 +37 @@
 #include "JSString.h"
 #include "JSCInlines.h"
+#include "SlotVisitorInlines.h"
 #include "SuperSampler.h"
 #include "VM.h"
@@ -297 +298 @@
     SetCurrentCellScope currentCellScope(*this, cell);
     
-    m_currentObjectCellStateBeforeVisiting = cell->cellState();
-    cell->setCellState(CellState::OldBlack);
-    
-    if (isJSString(cell)) {
+    cell->setCellState(blacken(cell->cellState()));
+    
+    // FIXME: Make this work on ARM also.
+    // https://bugs.webkit.org/show_bug.cgi?id=162461
+    if (isX86())
+        WTF::storeLoadFence();
+    
+    switch (cell->type()) {
+    case StringType:
         JSString::visitChildren(const_cast<JSCell*>(cell), *this);
-        return;
-    }
-
-    if (isJSFinalObject(cell)) {
+        break;
+        
+    case FinalObjectType:
         JSFinalObject::visitChildren(const_cast<JSCell*>(cell), *this);
-        return;
-    }
-
-    if (isJSArray(cell)) {
+        break;
+
+    case ArrayType:
         JSArray::visitChildren(const_cast<JSCell*>(cell), *this);
-        return;
-    }
-
-    cell->methodTable()->visitChildren(const_cast<JSCell*>(cell), *this);
+        break;
+        
+    default:
+        // FIXME: This could be so much better.
+        // https://bugs.webkit.org/show_bug.cgi?id=162462
+        cell->methodTable()->visitChildren(const_cast<JSCell*>(cell), *this);
+        break;
+    }
 }
 

trunk/Source/JavaScriptCore/heap/SlotVisitor.h

@@ -169 +169 @@
     JSCell* m_currentCell { nullptr };
 
-    CellState m_currentObjectCellStateBeforeVisiting { CellState::NewWhite };
-
 public:
 #if !ASSERT_DISABLED

trunk/Source/JavaScriptCore/heap/SlotVisitorInlines.h

@@ -107 +107 @@
 inline void SlotVisitor::reportExtraMemoryVisited(size_t size)
 {
-    heap()->reportExtraMemoryVisited(m_currentObjectCellStateBeforeVisiting, size);
+    heap()->reportExtraMemoryVisited(m_currentCell, size);
 }
 
@@ -113 +113 @@
 inline void SlotVisitor::reportExternalMemoryVisited(size_t size)
 {
-    heap()->reportExternalMemoryVisited(m_currentObjectCellStateBeforeVisiting, size);
+    heap()->reportExternalMemoryVisited(m_currentCell, size);
 }
 #endif

trunk/Source/JavaScriptCore/jit/AssemblyHelpers.h

@@ -1309 +1309 @@
     Jump jumpIfIsRememberedOrInEden(GPRReg cell)
     {
-        return branchTest8(MacroAssembler::NonZero, MacroAssembler::Address(cell, JSCell::cellStateOffset()));
+        return branch8(Above, Address(cell, JSCell::cellStateOffset()), TrustedImm32(blackThreshold));
     }
 
@@ -1315 +1315 @@
     {
         uint8_t* address = reinterpret_cast<uint8_t*>(cell) + JSCell::cellStateOffset();
-        return branchTest8(MacroAssembler::NonZero, MacroAssembler::AbsoluteAddress(address));
+        return branch8(Above, AbsoluteAddress(address), TrustedImm32(blackThreshold));
     }
     

trunk/Source/JavaScriptCore/llint/LLIntData.cpp

@@ -215 +215 @@
 
     STATIC_ASSERT(MarkedBlock::blockSize == 16 * 1024);
+    STATIC_ASSERT(blackThreshold == 1);
 
     ASSERT(bitwise_cast<uintptr_t>(ShadowChicken::Packet::tailMarker()) == static_cast<uintptr_t>(0x7a11));

trunk/Source/JavaScriptCore/llint/LowLevelInterpreter.asm

@@ -409 +409 @@
 const MarkedBlockSize = 16 * 1024
 const MarkedBlockMask = ~(MarkedBlockSize - 1)
+
+const BlackThreshold = 1
 
 # Allocation constants
@@ -889 +891 @@
 end
 
-macro skipIfIsRememberedOrInEden(cell, scratch1, scratch2, continuation)
-    loadb JSCell::m_cellState[cell], scratch1
-    continuation(scratch1)
+macro skipIfIsRememberedOrInEden(cell, slowPath)
+    bba JSCell::m_cellState[cell], BlackThreshold, .done
+    slowPath()
+.done:
 end
 

trunk/Source/JavaScriptCore/llint/LowLevelInterpreter32_64.asm

@@ -501 +501 @@
     loadisFromInstruction(cellOperand, t1)
     loadConstantOrVariablePayload(t1, CellTag, t2, .writeBarrierDone)
-    skipIfIsRememberedOrInEden(t2, t1, t3, 
-        macro(cellState)
-            btbnz cellState, .writeBarrierDone
+    skipIfIsRememberedOrInEden(
+        t2, 
+        macro()
             push cfr, PC
             # We make two extra slots because cCall2 will poke.
@@ -512 +512 @@
             addp 8, sp
             pop PC, cfr
-        end
-    )
+        end)
 .writeBarrierDone:
 end
@@ -533 +532 @@
     loadHelper(t3)
 
-    skipIfIsRememberedOrInEden(t3, t1, t2,
-        macro(gcData)
-            btbnz gcData, .writeBarrierDone
+    skipIfIsRememberedOrInEden(
+        t3,
+        macro()
             push cfr, PC
             # We make two extra slots because cCall2 will poke.
@@ -544 +543 @@
             addp 8, sp
             pop PC, cfr
-        end
-    )
+        end)
 .writeBarrierDone:
 end

trunk/Source/JavaScriptCore/llint/LowLevelInterpreter64.asm

@@ -405 +405 @@
     loadisFromInstruction(cellOperand, t1)
     loadConstantOrVariableCell(t1, t2, .writeBarrierDone)
-    skipIfIsRememberedOrInEden(t2, t1, t3, 
-        macro(cellState)
-            btbnz cellState, .writeBarrierDone
+    skipIfIsRememberedOrInEden(
+        t2,
+        macro()
             push PB, PC
             move t2, a1 # t2 can be a0 (not on 64 bits, but better safe than sorry)
@@ -413 +413 @@
             cCall2Void(_llint_write_barrier_slow)
             pop PC, PB
-        end
-    )
+        end)
 .writeBarrierDone:
 end
@@ -433 +432 @@
 
     loadHelper(t3)
-    skipIfIsRememberedOrInEden(t3, t1, t2,
-        macro(gcData)
-            btbnz gcData, .writeBarrierDone
+    skipIfIsRememberedOrInEden(
+        t3,
+        macro()
             push PB, PC
             move cfr, a0

trunk/Source/JavaScriptCore/runtime/JSObject.h

@@ -1094 +1094 @@
 inline bool isJSFinalObject(JSCell* cell)
 {
-    return cell->classInfo() == JSFinalObject::info();
+    return cell->type() == FinalObjectType;
 }
 

trunk/Source/WTF/ChangeLog

@@ -12 +12 @@
         * wtf/PlatformUserPreferredLanguagesUnix.cpp:
         (WTF::platformLanguage):
+
+2016-09-22  Filip Pizlo  <fpizlo@apple.com>
+
+        Need a store-load fence between setting cell state and visiting the object in SlotVisitor
+        https://bugs.webkit.org/show_bug.cgi?id=162354
+
+        Reviewed by Mark Lam.
+        
+        Fix this on x86-32.
+
+        * wtf/Atomics.h:
+        (WTF::x86_ortop):
 
 2016-09-22  Filip Pizlo  <fpizlo@apple.com>

trunk/Source/WTF/wtf/Atomics.h

@@ -176 +176 @@
     // investigate if that is actually better.
     MemoryBarrier();
-#else
+#elif CPU(X86_64)
     // This has acqrel semantics and is much cheaper than mfence. For exampe, in the JSC GC, using
     // mfence as a store-load fence was a 9% slow-down on Octane/splay while using this was neutral.
     asm volatile("lock; orl $0, (%%rsp)" ::: "memory");
+#else
+    asm volatile("lock; orl $0, (%%esp)" ::: "memory");
 #endif
 }