Changeset 207166 in webkit

Timestamp:

Oct 11, 2016 2:33:11 PM (8 years ago)

Author:

Yusuke Suzuki

Message:

[DOMJIT] DOMJIT::Patchpoint should have a way to receive constant folded arguments
​https://bugs.webkit.org/show_bug.cgi?id=163224

Reviewed by Filip Pizlo.

Source/JavaScriptCore:

We use the GetGlobalObject DFG node to retrieve a global object from a DOM node.
This global object is necessary to check whether the world is normal before entering
the fast path of looking up the DOM wrapper cache.
We can sometimes constant-fold this GetGlobalObject. For example, if we performed
CheckStructure, the structure can offer the information about the possible result
of GetGlobalObject. By using this constant-folded global object, we can drop some
checks.

This patch introduces the way to tell the constant-folded values to DOMJIT::Patchpoint.
We pass DOMJIT::Value instead of DOMJIT::Reg as a parameter of DOMJIT::PatchpointParams.
This DOMJIT::Value is a pair of DOMJIT::Reg and JSValue. If the given parameter has a
constant value, this JSValue is filled with it.

• JavaScriptCore.xcodeproj/project.pbxproj:
• dfg/DFGDOMJITPatchpointParams.h:

(JSC::DFG::DOMJITPatchpointParams::DOMJITPatchpointParams):

• dfg/DFGSpeculativeJIT.cpp:

(JSC::DFG::SpeculativeJIT::compileCallDOM):
(JSC::DFG::SpeculativeJIT::compileCheckDOM):

• domjit/DOMJITPatchpointParams.h:

(JSC::DOMJIT::PatchpointParams::at):
(JSC::DOMJIT::PatchpointParams::operator[]):
(JSC::DOMJIT::PatchpointParams::PatchpointParams):

• domjit/DOMJITValue.h: Copied from Source/JavaScriptCore/dfg/DFGDOMJITPatchpointParams.h.

(JSC::DOMJIT::Value::Value):
(JSC::DOMJIT::Value::isGPR):
(JSC::DOMJIT::Value::isFPR):
(JSC::DOMJIT::Value::isJSValueRegs):
(JSC::DOMJIT::Value::gpr):
(JSC::DOMJIT::Value::fpr):
(JSC::DOMJIT::Value::jsValueRegs):
(JSC::DOMJIT::Value::reg):
(JSC::DOMJIT::Value::value):

• ftl/FTLDOMJITPatchpointParams.h:

(JSC::FTL::DOMJITPatchpointParams::DOMJITPatchpointParams):

• ftl/FTLLowerDFGToB3.cpp:

(JSC::FTL::DFG::LowerDFGToB3::compileCheckDOM):
(JSC::FTL::DFG::LowerDFGToB3::compileCallDOM):

Source/WebCore:

• domjit/DOMJITHelpers.h:

(WebCore::DOMJITHelpers::toWrapper):

• domjit/JSNodeDOMJIT.cpp:

(WebCore::createCallDOMForOffsetAccess):

Location:

trunk/Source

Files:

• JavaScriptCore/ChangeLog (modified) (1 diff)
• JavaScriptCore/JavaScriptCore.xcodeproj/project.pbxproj (modified) (4 diffs)
• JavaScriptCore/dfg/DFGDOMJITPatchpointParams.h (modified) (1 diff)
• JavaScriptCore/dfg/DFGSpeculativeJIT.cpp (modified) (3 diffs)
• JavaScriptCore/domjit/DOMJITPatchpointParams.h (modified) (3 diffs)
• JavaScriptCore/domjit/DOMJITValue.h (copied) (copied from trunk/Source/JavaScriptCore/dfg/DFGDOMJITPatchpointParams.h) (1 diff)
• JavaScriptCore/ftl/FTLDOMJITPatchpointParams.h (modified) (1 diff)
• JavaScriptCore/ftl/FTLLowerDFGToB3.cpp (modified) (4 diffs)
• WebCore/ChangeLog (modified) (1 diff)
• WebCore/domjit/DOMJITHelpers.h (modified) (2 diffs)
• WebCore/domjit/JSNodeDOMJIT.cpp (modified) (1 diff)

trunk/Source/JavaScriptCore/ChangeLog

@@ +1 @@
+2016-10-11  Yusuke Suzuki  <utatane.tea@gmail.com>
+
+        [DOMJIT] DOMJIT::Patchpoint should have a way to receive constant folded arguments
+        https://bugs.webkit.org/show_bug.cgi?id=163224
+
+        Reviewed by Filip Pizlo.
+
+        We use the GetGlobalObject DFG node to retrieve a global object from a DOM node.
+        This global object is necessary to check whether the world is normal before entering
+        the fast path of looking up the DOM wrapper cache.
+        We can sometimes constant-fold this GetGlobalObject. For example, if we performed
+        CheckStructure, the structure can offer the information about the possible result
+        of GetGlobalObject. By using this constant-folded global object, we can drop some
+        checks.
+
+        This patch introduces the way to tell the constant-folded values to DOMJIT::Patchpoint.
+        We pass DOMJIT::Value instead of DOMJIT::Reg as a parameter of DOMJIT::PatchpointParams.
+        This DOMJIT::Value is a pair of DOMJIT::Reg and JSValue. If the given parameter has a
+        constant value, this JSValue is filled with it.
+
+        * JavaScriptCore.xcodeproj/project.pbxproj:
+        * dfg/DFGDOMJITPatchpointParams.h:
+        (JSC::DFG::DOMJITPatchpointParams::DOMJITPatchpointParams):
+        * dfg/DFGSpeculativeJIT.cpp:
+        (JSC::DFG::SpeculativeJIT::compileCallDOM):
+        (JSC::DFG::SpeculativeJIT::compileCheckDOM):
+        * domjit/DOMJITPatchpointParams.h:
+        (JSC::DOMJIT::PatchpointParams::at):
+        (JSC::DOMJIT::PatchpointParams::operator[]):
+        (JSC::DOMJIT::PatchpointParams::PatchpointParams):
+        * domjit/DOMJITValue.h: Copied from Source/JavaScriptCore/dfg/DFGDOMJITPatchpointParams.h.
+        (JSC::DOMJIT::Value::Value):
+        (JSC::DOMJIT::Value::isGPR):
+        (JSC::DOMJIT::Value::isFPR):
+        (JSC::DOMJIT::Value::isJSValueRegs):
+        (JSC::DOMJIT::Value::gpr):
+        (JSC::DOMJIT::Value::fpr):
+        (JSC::DOMJIT::Value::jsValueRegs):
+        (JSC::DOMJIT::Value::reg):
+        (JSC::DOMJIT::Value::value):
+        * ftl/FTLDOMJITPatchpointParams.h:
+        (JSC::FTL::DOMJITPatchpointParams::DOMJITPatchpointParams):
+        * ftl/FTLLowerDFGToB3.cpp:
+        (JSC::FTL::DFG::LowerDFGToB3::compileCheckDOM):
+        (JSC::FTL::DFG::LowerDFGToB3::compileCallDOM):
+
 2016-10-10  Filip Pizlo  <fpizlo@apple.com>
 

trunk/Source/JavaScriptCore/JavaScriptCore.xcodeproj/project.pbxproj

@@ -2116 +2116 @@
                 E3EF88751B66DF23003F26CB /* JSPropertyNameIterator.h in Headers */ = {isa = PBXBuildFile; fileRef = E3EF88731B66DF23003F26CB /* JSPropertyNameIterator.h */; settings = {ATTRIBUTES = (Private, ); }; };
                 E3FF75331D9CEA1800C7E16D /* DOMJITGetterSetter.h in Headers */ = {isa = PBXBuildFile; fileRef = E3FF752F1D9CEA1200C7E16D /* DOMJITGetterSetter.h */; settings = {ATTRIBUTES = (Private, ); }; };
+                E3FFC8531DAD7D1500DEA53E /* DOMJITValue.h in Headers */ = {isa = PBXBuildFile; fileRef = E3FFC8521DAD7D1000DEA53E /* DOMJITValue.h */; settings = {ATTRIBUTES = (Private, ); }; };
                 E49DC16B12EF293E00184A1F /* SourceProviderCache.cpp in Sources */ = {isa = PBXBuildFile; fileRef = E49DC15512EF277200184A1F /* SourceProviderCache.cpp */; };
                 E49DC16C12EF294E00184A1F /* SourceProviderCache.h in Headers */ = {isa = PBXBuildFile; fileRef = E49DC15112EF272200184A1F /* SourceProviderCache.h */; settings = {ATTRIBUTES = (Private, ); }; };
@@ -4425 +4426 @@
                 E3EF88731B66DF23003F26CB /* JSPropertyNameIterator.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = JSPropertyNameIterator.h; sourceTree = "<group>"; };
                 E3FF752F1D9CEA1200C7E16D /* DOMJITGetterSetter.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = DOMJITGetterSetter.h; sourceTree = "<group>"; };
+                E3FFC8521DAD7D1000DEA53E /* DOMJITValue.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = DOMJITValue.h; sourceTree = "<group>"; };
                 E49DC14912EF261A00184A1F /* SourceProviderCacheItem.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = SourceProviderCacheItem.h; sourceTree = "<group>"; };
                 E49DC15112EF272200184A1F /* SourceProviderCache.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = SourceProviderCache.h; sourceTree = "<group>"; };
@@ -7199 +7201 @@
                                 E37AD83B1DA4928000F3D412 /* DOMJITReg.h */,
                                 E3CB1E241DA7540A00FA1E56 /* DOMJITSlowPathCalls.h */,
+                                E3FFC8521DAD7D1000DEA53E /* DOMJITValue.h */,
                         );
                         path = domjit;
@@ -7513 +7516 @@
                                 0F338DFE1BED51270013C88F /* AirSimplifyCFG.h in Headers */,
                                 0F3B3A281544C997003ED0FF /* DFGCFGSimplificationPhase.h in Headers */,
+                                E3FFC8531DAD7D1500DEA53E /* DOMJITValue.h in Headers */,
                                 0F9D36951AE9CC33000D4DFB /* DFGCleanUpPhase.h in Headers */,
                                 A77A424017A0BBFD00A8DB81 /* DFGClobberize.h in Headers */,

trunk/Source/JavaScriptCore/dfg/DFGDOMJITPatchpointParams.h

@@ -36 +36 @@
 class DOMJITPatchpointParams : public DOMJIT::PatchpointParams {
 public:
-    DOMJITPatchpointParams(SpeculativeJIT* jit, Vector<DOMJIT::Reg>&& regs, Vector<GPRReg>&& gpScratch, Vector<FPRReg>&& fpScratch)
+    DOMJITPatchpointParams(SpeculativeJIT* jit, Vector<DOMJIT::Value>&& regs, Vector<GPRReg>&& gpScratch, Vector<FPRReg>&& fpScratch)
         : DOMJIT::PatchpointParams(WTFMove(regs), WTFMove(gpScratch), WTFMove(fpScratch))
         , m_jit(jit)

trunk/Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp

@@ -7135 +7135 @@
     Vector<GPRReg> gpScratch;
     Vector<FPRReg> fpScratch;
-    Vector<DOMJIT::Reg> regs;
+    Vector<DOMJIT::Value> regs;
 
     // FIXME: patchpoint should have a way to tell this can reuse "base" register.
@@ -7144 +7144 @@
 
     regs.append(result.regs());
-    regs.append(globalObject.gpr());
-    regs.append(base.gpr());
+    regs.append(DOMJIT::Value(globalObject.gpr(), m_state.forNode(m_jit.graph().varArgChild(node, 0)).value()));
+    regs.append(DOMJIT::Value(base.gpr(), m_state.forNode(m_jit.graph().varArgChild(node, 1)).value()));
 #if USE(JSVALUE64)
     regs.append(static_cast<GPRReg>(GPRInfo::tagMaskRegister));
@@ -7166 +7166 @@
     Vector<GPRReg> gpScratch;
     Vector<FPRReg> fpScratch;
-    Vector<DOMJIT::Reg> regs;
+    Vector<DOMJIT::Value> regs;
 
     SpeculateCellOperand base(this, node->child1());
     GPRReg baseGPR = base.gpr();
-    regs.append(baseGPR);
+    regs.append(DOMJIT::Value(baseGPR, m_state.forNode(node->child1()).value()));
 
     Vector<GPRTemporary> gpTempraries;

trunk/Source/JavaScriptCore/domjit/DOMJITPatchpointParams.h

@@ -29 +29 @@
 
 #include "CCallHelpers.h"
-#include "DOMJITReg.h"
 #include "DOMJITSlowPathCalls.h"
+#include "DOMJITValue.h"
 #include "JITOperations.h"
 #include "RegisterSet.h"
@@ -42 +42 @@
 
     unsigned size() const { return m_regs.size(); }
-    const Reg& at(unsigned index) const { return m_regs[index]; }
-    const Reg& operator[](unsigned index) const { return at(index); }
+    const Value& at(unsigned index) const { return m_regs[index]; }
+    const Value& operator[](unsigned index) const { return at(index); }
 
     GPRReg gpScratch(unsigned index) const { return m_gpScratch[index]; }
     FPRReg fpScratch(unsigned index) const { return m_fpScratch[index]; }
 
-    PatchpointParams(Vector<Reg>&& regs, Vector<GPRReg>&& gpScratch, Vector<FPRReg>&& fpScratch)
+    PatchpointParams(Vector<Value>&& regs, Vector<GPRReg>&& gpScratch, Vector<FPRReg>&& fpScratch)
         : m_regs(WTFMove(regs))
         , m_gpScratch(WTFMove(gpScratch))
@@ -66 +66 @@
 #undef JSC_DEFINE_CALL_OPERATIONS
 
-    Vector<Reg> m_regs;
+    Vector<Value> m_regs;
     Vector<GPRReg> m_gpScratch;
     Vector<FPRReg> m_fpScratch;

trunk/Source/JavaScriptCore/domjit/DOMJITValue.h

@@ -26 +26 @@
 #pragma once
 
-#if ENABLE(DFG_JIT)
+#include "DOMJITReg.h"
 
-#include "DOMJITPatchpointParams.h"
+#if ENABLE(JIT)
 
-namespace JSC { namespace DFG {
-    
-class SpeculativeJIT;
+namespace JSC { namespace DOMJIT {
 
-class DOMJITPatchpointParams : public DOMJIT::PatchpointParams {
+class Value {
 public:
-    DOMJITPatchpointParams(SpeculativeJIT* jit, Vector<DOMJIT::Reg>&& regs, Vector<GPRReg>&& gpScratch, Vector<FPRReg>&& fpScratch)
-        : DOMJIT::PatchpointParams(WTFMove(regs), WTFMove(gpScratch), WTFMove(fpScratch))
-        , m_jit(jit)
+    Value(Reg reg)
+        : m_reg(reg)
     {
     }
 
+    Value(Reg reg, JSValue value)
+        : m_reg(reg)
+        , m_value(value)
+    {
+    }
+
+    bool isGPR() const { return m_reg.isGPR(); }
+    bool isFPR() const { return m_reg.isFPR(); }
+    bool isJSValueRegs() const { return m_reg.isJSValueRegs(); }
+    GPRReg gpr() const { return m_reg.gpr(); }
+    FPRReg fpr() const { return m_reg.fpr(); }
+    JSValueRegs jsValueRegs() const { return m_reg.jsValueRegs(); }
+
+    Reg reg() const
+    {
+        return m_reg;
+    }
+
+    JSValue value() const
+    {
+        return m_value;
+    }
+
 private:
-#define JSC_DEFINE_CALL_OPERATIONS(OperationType, ResultType, ...) void addSlowPathCallImpl(CCallHelpers::JumpList, CCallHelpers&, OperationType, ResultType, std::tuple<__VA_ARGS__> args) const override;
-    DOMJIT_SLOW_PATH_CALLS(JSC_DEFINE_CALL_OPERATIONS)
-#undef JSC_DEFINE_CALL_OPERATIONS
-
-    SpeculativeJIT* m_jit;
+    Reg m_reg;
+    JSValue m_value;
 };
 

trunk/Source/JavaScriptCore/ftl/FTLDOMJITPatchpointParams.h

@@ -37 +37 @@
 class DOMJITPatchpointParams : public DOMJIT::PatchpointParams {
 public:
-    DOMJITPatchpointParams(State& state, const B3::StackmapGenerationParams& params, DFG::Node* node, Box<CCallHelpers::JumpList> exceptions, Vector<DOMJIT::Reg>&& regs, Vector<GPRReg>&& gpScratch, Vector<FPRReg>&& fpScratch)
+    DOMJITPatchpointParams(State& state, const B3::StackmapGenerationParams& params, DFG::Node* node, Box<CCallHelpers::JumpList> exceptions, Vector<DOMJIT::Value>&& regs, Vector<GPRReg>&& gpScratch, Vector<FPRReg>&& fpScratch)
         : DOMJIT::PatchpointParams(WTFMove(regs), WTFMove(gpScratch), WTFMove(fpScratch))
         , m_state(state)

trunk/Source/JavaScriptCore/ftl/FTLLowerDFGToB3.cpp

@@ -8740 +8740 @@
         OSRExitDescriptor* exitDescriptor = appendOSRExitDescriptor(jsValueValue(cell), m_node->child1().node());
         patchpoint->appendColdAnys(buildExitArguments(exitDescriptor, origin.forExit, jsValueValue(cell)));
+        JSValue child1Constant = m_state.forNode(m_node->child1()).value();
 
         patchpoint->setGenerator(
@@ -8745 +8746 @@
                 Vector<GPRReg> gpScratch;
                 Vector<FPRReg> fpScratch;
-                Vector<DOMJIT::Reg> regs;
-
-                regs.append(params[0].gpr());
+                Vector<DOMJIT::Value> regs;
+
+                regs.append(DOMJIT::Value(params[0].gpr(), child1Constant));
 
                 for (unsigned i = 0; i < domJIT->numGPScratchRegisters; ++i)
@@ -8786 +8787 @@
         State* state = &m_ftlState;
         Node* node = m_node;
+        JSValue child1Constant = m_state.forNode(m_graph.varArgChild(m_node, 0)).value();
+        JSValue child2Constant = m_state.forNode(m_graph.varArgChild(m_node, 1)).value();
         patchpoint->setGenerator(
             [=] (CCallHelpers& jit, const StackmapGenerationParams& params) {
@@ -8792 +8795 @@
                 Vector<GPRReg> gpScratch;
                 Vector<FPRReg> fpScratch;
-                Vector<DOMJIT::Reg> regs;
+                Vector<DOMJIT::Value> regs;
 
                 // FIXME: patchpoint should have a way to tell this can reuse "base" register.
                 // Teaching DFG about DOMJIT::Patchpoint clobber information is nice.
                 regs.append(JSValueRegs(params[0].gpr()));
-                regs.append(params[1].gpr());
-                regs.append(params[2].gpr());
+                regs.append(DOMJIT::Value(params[1].gpr(), child1Constant));
+                regs.append(DOMJIT::Value(params[2].gpr(), child2Constant));
 
                 for (unsigned i = 0; i < domJIT->numGPScratchRegisters; ++i)

trunk/Source/WebCore/ChangeLog

@@ +1 @@
+2016-10-11  Yusuke Suzuki  <utatane.tea@gmail.com>
+
+        [DOMJIT] DOMJIT::Patchpoint should have a way to receive constant folded arguments
+        https://bugs.webkit.org/show_bug.cgi?id=163224
+
+        Reviewed by Filip Pizlo.
+
+        * domjit/DOMJITHelpers.h:
+        (WebCore::DOMJITHelpers::toWrapper):
+        * domjit/JSNodeDOMJIT.cpp:
+        (WebCore::createCallDOMForOffsetAccess):
+
 2016-10-11  Alex Christensen  <achristensen@webkit.org>
 

trunk/Source/WebCore/domjit/DOMJITHelpers.h

@@ -60 +60 @@
 
 template<typename WrappedType, typename ToJSFunction>
-void toWrapper(CCallHelpers& jit, const JSC::DOMJIT::PatchpointParams& params, GPRReg wrapped, GPRReg globalObject, JSValueRegs result, ToJSFunction function)
+void toWrapper(CCallHelpers& jit, const JSC::DOMJIT::PatchpointParams& params, GPRReg wrapped, GPRReg globalObject, JSValueRegs result, ToJSFunction function, JSC::JSValue globalObjectConstant)
 {
     ASSERT(wrapped != result.payloadGPR());
@@ -66 +66 @@
     GPRReg payloadGPR = result.payloadGPR();
     CCallHelpers::JumpList slowCases;
-    slowCases.append(branchIfNotWorldIsNormal(jit, globalObject));
+
+    if (globalObjectConstant) {
+        if (!JSC::jsCast<JSDOMGlobalObject*>(globalObjectConstant)->worldIsNormal()) {
+            slowCases.append(jit.jump());
+            params.addSlowPathCall(slowCases, jit, function, result, globalObject, wrapped);
+            return;
+        }
+    } else
+        slowCases.append(branchIfNotWorldIsNormal(jit, globalObject));
+
     tryLookUpWrapperCache<WrappedType>(jit, slowCases, wrapped, payloadGPR);
     jit.boxCell(payloadGPR, result);

trunk/Source/WebCore/domjit/JSNodeDOMJIT.cpp

@@ -71 +71 @@
         nullCases.append(jit.branchTestPtr(CCallHelpers::Zero, scratch));
 
-        DOMJITHelpers::toWrapper<WrappedNode>(jit, params, scratch, globalObject, result, toWrapperSlow<WrappedNode>);
+        DOMJITHelpers::toWrapper<WrappedNode>(jit, params, scratch, globalObject, result, toWrapperSlow<WrappedNode>, params[1].value());
         CCallHelpers::Jump done = jit.jump();