Changeset 211224 in webkit

Timestamp:

Jan 26, 2017 11:52:35 AM (7 years ago)

Author:

jfbastien@apple.com

Message:

OSR entry: delay outer-loop compilation when at inner-loop
​https://bugs.webkit.org/show_bug.cgi?id=167149

Reviewed by Filip Pizlo.

JSTests:

Try to be mean to OSR entry by using nested loops, and having
non-int32 types or truly varying types.

Mandelbrot currently never tiers up to FTL because it exits too
many times before this. That shouldn't happen because it's just
numbers and int32s. I'll file a bug to fix this.

• microbenchmarks/mandelbrot.js: Added.

(mandelbrot):
(printable):

• microbenchmarks/nonude.js: Added.

(Array.prototype.remove):
(const.u):
(const.load):
(const.scan):
(const.main):

Source/JavaScriptCore:

As of ​https://bugs.webkit.org/show_bug.cgi?id=155217 OSR
compilation can be kicked off for an entry into an outer-loop,
while executing an inner-loop. This is desirable because often the
codegen from an inner-entry isn't as good as the codegen from an
outer-entry, but execution from an inner-loop is often pretty hot
and likely to kick off compilation. This approach provided nice
speedups on Kraken because we'd select to enter to the outer-loop
very reliably, which reduces variability (the inner-loop was
selected roughly 1/5 times from my unscientific measurements).

When compilation starts we take a snapshot of the JSValues at the
current execution state using OSR's recovery mechanism. These
values are passed to the compiler and are used as way to perform
type profiling, and could be used to observe cell types as well as
to perform predictions such as through constant propagation.

It's therefore desired to enter from the outer-loop when we can,
but we need to be executing from that location to capture the
right JSValues, otherwise we're confusing the compiler and giving
it inaccurate JSValues which can lead it to predict the wrong
things, leading to suboptimal code or recompilation due to
misprediction, or in super-corner-cases a crash.

These effects are pretty hard to measure: Fil points out that
marsalis-osr-entry really needs mustHandleValues (the JSValues
from the point of execution) because right now it just happens to
correctly guess int32. I tried removing mustHandleValues entirely
and saw no slowdowns, but our benchmarks probably aren't
sufficient to reliably find issues, sometimes because we happen to
have sufficient mitigations.

DFG tier-up was added here:
​https://bugs.webkit.org/show_bug.cgi?id=112838

• JavaScriptCore.xcodeproj/project.pbxproj:
• dfg/DFGJITCode.h:
• dfg/DFGJITCompiler.cpp:

(JSC::DFG::JITCompiler::JITCompiler):

• dfg/DFGOSREntry.cpp:

(JSC::DFG::prepareOSREntry):

• dfg/DFGOSREntry.h:

(JSC::DFG::prepareOSREntry):

• dfg/DFGOperations.cpp:
• dfg/DFGOperations.h:
• dfg/DFGSpeculativeJIT64.cpp:

(JSC::DFG::SpeculativeJIT::compile):

• dfg/DFGTierUpEntryTrigger.h: Copied from Source/JavaScriptCore/ftl/FTLOSREntry.h.
• dfg/DFGToFTLForOSREntryDeferredCompilationCallback.cpp:

(JSC::DFG::ToFTLForOSREntryDeferredCompilationCallback::ToFTLForOSREntryDeferredCompilationCallback):
(JSC::DFG::Ref<ToFTLForOSREntryDeferredCompilationCallback>ToFTLForOSREntryDeferredCompilationCallback::create):
(JSC::DFG::ToFTLForOSREntryDeferredCompilationCallback::compilationDidBecomeReadyAsynchronously):
(JSC::DFG::ToFTLForOSREntryDeferredCompilationCallback::compilationDidComplete):

• dfg/DFGToFTLForOSREntryDeferredCompilationCallback.h:
• ftl/FTLOSREntry.cpp:

(JSC::FTL::prepareOSREntry):

• ftl/FTLOSREntry.h:
• jit/JITOperations.cpp:

Location:

trunk

Files:

• JSTests/ChangeLog (modified) (1 diff)
• JSTests/microbenchmarks/mandelbrot.js (added)
• JSTests/microbenchmarks/nonude.js (added)
• Source/JavaScriptCore/ChangeLog (modified) (1 diff)
• Source/JavaScriptCore/JavaScriptCore.xcodeproj/project.pbxproj (modified) (4 diffs)
• Source/JavaScriptCore/dfg/DFGJITCode.h (modified) (2 diffs)
• Source/JavaScriptCore/dfg/DFGJITCompiler.cpp (modified) (1 diff)
• Source/JavaScriptCore/dfg/DFGOSREntry.cpp (modified) (10 diffs)
• Source/JavaScriptCore/dfg/DFGOSREntry.h (modified) (3 diffs)
• Source/JavaScriptCore/dfg/DFGOperations.cpp (modified) (12 diffs)
• Source/JavaScriptCore/dfg/DFGOperations.h (modified) (1 diff)
• Source/JavaScriptCore/dfg/DFGSpeculativeJIT64.cpp (modified) (2 diffs)
• Source/JavaScriptCore/dfg/DFGTierUpEntryTrigger.h (copied) (copied from trunk/Source/JavaScriptCore/ftl/FTLOSREntry.h) (2 diffs)
• Source/JavaScriptCore/dfg/DFGToFTLForOSREntryDeferredCompilationCallback.cpp (modified) (4 diffs)
• Source/JavaScriptCore/dfg/DFGToFTLForOSREntryDeferredCompilationCallback.h (modified) (3 diffs)
• Source/JavaScriptCore/ftl/FTLOSREntry.cpp (modified) (3 diffs)
• Source/JavaScriptCore/ftl/FTLOSREntry.h (modified) (2 diffs)
• Source/JavaScriptCore/jit/JITOperations.cpp (modified) (1 diff)

trunk/JSTests/ChangeLog

@@ +1 @@
+2017-01-26  JF Bastien  <jfbastien@apple.com>
+
+        OSR entry: delay outer-loop compilation when at inner-loop
+        https://bugs.webkit.org/show_bug.cgi?id=167149
+
+        Reviewed by Filip Pizlo.
+
+        Try to be mean to OSR entry by using nested loops, and having
+        non-int32 types or truly varying types.
+
+        Mandelbrot currently never tiers up to FTL because it exits too
+        many times before this. That shouldn't happen because it's just
+        numbers and int32s. I'll file a bug to fix this.
+
+        * microbenchmarks/mandelbrot.js: Added.
+        (mandelbrot):
+        (printable):
+        * microbenchmarks/nonude.js: Added.
+        (Array.prototype.remove):
+        (const.u):
+        (const.load):
+        (const.scan):
+        (const.main):
+
 2017-01-25  Saam Barati  <sbarati@apple.com>
 

trunk/Source/JavaScriptCore/ChangeLog

@@ +1 @@
+2017-01-26  JF Bastien  <jfbastien@apple.com>
+
+        OSR entry: delay outer-loop compilation when at inner-loop
+        https://bugs.webkit.org/show_bug.cgi?id=167149
+
+        Reviewed by Filip Pizlo.
+
+        As of https://bugs.webkit.org/show_bug.cgi?id=155217 OSR
+        compilation can be kicked off for an entry into an outer-loop,
+        while executing an inner-loop. This is desirable because often the
+        codegen from an inner-entry isn't as good as the codegen from an
+        outer-entry, but execution from an inner-loop is often pretty hot
+        and likely to kick off compilation. This approach provided nice
+        speedups on Kraken because we'd select to enter to the outer-loop
+        very reliably, which reduces variability (the inner-loop was
+        selected roughly 1/5 times from my unscientific measurements).
+
+        When compilation starts we take a snapshot of the JSValues at the
+        current execution state using OSR's recovery mechanism. These
+        values are passed to the compiler and are used as way to perform
+        type profiling, and could be used to observe cell types as well as
+        to perform predictions such as through constant propagation.
+
+        It's therefore desired to enter from the outer-loop when we can,
+        but we need to be executing from that location to capture the
+        right JSValues, otherwise we're confusing the compiler and giving
+        it inaccurate JSValues which can lead it to predict the wrong
+        things, leading to suboptimal code or recompilation due to
+        misprediction, or in super-corner-cases a crash.
+
+        These effects are pretty hard to measure: Fil points out that
+        marsalis-osr-entry really needs mustHandleValues (the JSValues
+        from the point of execution) because right now it just happens to
+        correctly guess int32. I tried removing mustHandleValues entirely
+        and saw no slowdowns, but our benchmarks probably aren't
+        sufficient to reliably find issues, sometimes because we happen to
+        have sufficient mitigations.
+
+        DFG tier-up was added here:
+        https://bugs.webkit.org/show_bug.cgi?id=112838
+
+        * JavaScriptCore.xcodeproj/project.pbxproj:
+        * dfg/DFGJITCode.h:
+        * dfg/DFGJITCompiler.cpp:
+        (JSC::DFG::JITCompiler::JITCompiler):
+        * dfg/DFGOSREntry.cpp:
+        (JSC::DFG::prepareOSREntry):
+        * dfg/DFGOSREntry.h:
+        (JSC::DFG::prepareOSREntry):
+        * dfg/DFGOperations.cpp:
+        * dfg/DFGOperations.h:
+        * dfg/DFGSpeculativeJIT64.cpp:
+        (JSC::DFG::SpeculativeJIT::compile):
+        * dfg/DFGTierUpEntryTrigger.h: Copied from Source/JavaScriptCore/ftl/FTLOSREntry.h.
+        * dfg/DFGToFTLForOSREntryDeferredCompilationCallback.cpp:
+        (JSC::DFG::ToFTLForOSREntryDeferredCompilationCallback::ToFTLForOSREntryDeferredCompilationCallback):
+        (JSC::DFG::Ref<ToFTLForOSREntryDeferredCompilationCallback>ToFTLForOSREntryDeferredCompilationCallback::create):
+        (JSC::DFG::ToFTLForOSREntryDeferredCompilationCallback::compilationDidBecomeReadyAsynchronously):
+        (JSC::DFG::ToFTLForOSREntryDeferredCompilationCallback::compilationDidComplete):
+        * dfg/DFGToFTLForOSREntryDeferredCompilationCallback.h:
+        * ftl/FTLOSREntry.cpp:
+        (JSC::FTL::prepareOSREntry):
+        * ftl/FTLOSREntry.h:
+        * jit/JITOperations.cpp:
+
 2017-01-25  Saam Barati  <sbarati@apple.com>
 

trunk/Source/JavaScriptCore/JavaScriptCore.xcodeproj/project.pbxproj

@@ -2060 +2060 @@
                 ADE8029C1E08F1DE0058DE78 /* WebAssemblyLinkErrorPrototype.h in Headers */ = {isa = PBXBuildFile; fileRef = ADE802971E08F1C90058DE78 /* WebAssemblyLinkErrorPrototype.h */; settings = {ATTRIBUTES = (Private, ); }; };
                 ADE8029E1E08F2280058DE78 /* WebAssemblyLinkErrorConstructor.cpp in Sources */ = {isa = PBXBuildFile; fileRef = ADE8029D1E08F2260058DE78 /* WebAssemblyLinkErrorConstructor.cpp */; };
+                ADFF2F701E319DE3001EA54E /* DFGTierUpEntryTrigger.h in Headers */ = {isa = PBXBuildFile; fileRef = ADFF2F6F1E319DD0001EA54E /* DFGTierUpEntryTrigger.h */; };
                 B59F89391891F29F00D5CCDC /* UnlinkedInstructionStream.cpp in Sources */ = {isa = PBXBuildFile; fileRef = B59F89381891ADB500D5CCDC /* UnlinkedInstructionStream.cpp */; };
                 BC02E90D0E1839DB000F9297 /* ErrorConstructor.h in Headers */ = {isa = PBXBuildFile; fileRef = BC02E9050E1839DB000F9297 /* ErrorConstructor.h */; };
@@ -4572 +4573 @@
                 ADE802971E08F1C90058DE78 /* WebAssemblyLinkErrorPrototype.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; name = WebAssemblyLinkErrorPrototype.h; path = js/WebAssemblyLinkErrorPrototype.h; sourceTree = "<group>"; };
                 ADE8029D1E08F2260058DE78 /* WebAssemblyLinkErrorConstructor.cpp */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.cpp.cpp; name = WebAssemblyLinkErrorConstructor.cpp; path = js/WebAssemblyLinkErrorConstructor.cpp; sourceTree = "<group>"; };
+                ADFF2F6F1E319DD0001EA54E /* DFGTierUpEntryTrigger.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; name = DFGTierUpEntryTrigger.h; path = dfg/DFGTierUpEntryTrigger.h; sourceTree = "<group>"; };
                 B59F89371891AD3300D5CCDC /* UnlinkedInstructionStream.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = UnlinkedInstructionStream.h; sourceTree = "<group>"; };
                 B59F89381891ADB500D5CCDC /* UnlinkedInstructionStream.cpp */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.cpp.cpp; path = UnlinkedInstructionStream.cpp; sourceTree = "<group>"; };
@@ -7130 +7132 @@
                                 0FD8A31F17D51F5700CA2C40 /* DFGTierUpCheckInjectionPhase.cpp */,
                                 0FD8A32017D51F5700CA2C40 /* DFGTierUpCheckInjectionPhase.h */,
+                                ADFF2F6F1E319DD0001EA54E /* DFGTierUpEntryTrigger.h */,
                                 0FD8A32117D51F5700CA2C40 /* DFGToFTLDeferredCompilationCallback.cpp */,
                                 0FD8A32217D51F5700CA2C40 /* DFGToFTLDeferredCompilationCallback.h */,
@@ -8812 +8815 @@
                                 A1A009C01831A22D00CF8711 /* MacroAssemblerARM64.h in Headers */,
                                 86ADD1460FDDEA980006EEC2 /* MacroAssemblerARMv7.h in Headers */,
+                                ADFF2F701E319DE3001EA54E /* DFGTierUpEntryTrigger.h in Headers */,
                                 863B23E00FC6118900703AA4 /* MacroAssemblerCodeRef.h in Headers */,
                                 E32AB2441DCD75F400D7533A /* MacroAssemblerHelpers.h in Headers */,

trunk/Source/JavaScriptCore/dfg/DFGJITCode.h

@@ -34 +34 @@
 #include "DFGOSREntry.h"
 #include "DFGOSRExit.h"
+#include "DFGTierUpEntryTrigger.h"
 #include "DFGVariableEventStream.h"
 #include "ExecutionCounter.h"
@@ -155 +156 @@
     // This can never be modified after it has been initialized since the addresses of the triggers
     // are used by the JIT.
-    HashMap<unsigned, uint8_t> tierUpEntryTriggers;
+    HashMap<unsigned, TierUpEntryTrigger> tierUpEntryTriggers;
 
     // Set of bytecode that were the target of a TierUp operation.

trunk/Source/JavaScriptCore/dfg/DFGJITCompiler.cpp

@@ -61 +61 @@
     m_jitCode->tierUpInLoopHierarchy = WTFMove(m_graph.m_plan.tierUpInLoopHierarchy);
     for (unsigned tierUpBytecode : m_graph.m_plan.tierUpAndOSREnterBytecodes)
-        m_jitCode->tierUpEntryTriggers.add(tierUpBytecode, 0);
+        m_jitCode->tierUpEntryTriggers.add(tierUpBytecode, TierUpEntryTrigger::None);
 #endif
 }

trunk/Source/JavaScriptCore/dfg/DFGOSREntry.cpp

@@ -92 +92 @@
 
 SUPPRESS_ASAN
-void* prepareOSREntry(ExecState* exec, CodeBlock* codeBlock, unsigned bytecodeIndex)
+Expected<void*, OSREntryFail> prepareOSREntry(ExecState* exec, CodeBlock* codeBlock, unsigned bytecodeIndex)
 {
     ASSERT(JITCode::isOptimizingJIT(codeBlock->jitType()));
@@ -100 +100 @@
 
     if (!Options::useOSREntryToDFG())
-        return 0;
+        return makeUnexpected(OSREntryFail::Disabled);
 
     if (Options::verboseOSR()) {
@@ -137 +137 @@
         if (Options::verboseOSR())
             dataLog("    OSR failed because the target code block is not DFG.\n");
-        return 0;
+        return makeUnexpected(OSREntryFail::TargetNotDFG);
     }
     
@@ -146 +146 @@
         if (Options::verboseOSR())
             dataLogF("    OSR failed because the entrypoint was optimized out.\n");
-        return 0;
+        return makeUnexpected(OSREntryFail::TargetOptimizedOut);
     }
     
@@ -182 +182 @@
                 dataLogF(".\n");
             }
-            return 0;
+            return makeUnexpected(OSREntryFail::BadPrediction);
         }
         
@@ -197 +197 @@
                     ", expected ", entry->m_expectedValues.argument(argument), ".\n");
             }
-            return 0;
+            return makeUnexpected(OSREntryFail::BadPrediction);
         }
     }
@@ -210 +210 @@
                         exec->registers()[localOffset].asanUnsafeJSValue(), ", expected number.\n");
                 }
-                return 0;
+                return makeUnexpected(OSREntryFail::BadPrediction);
             }
             continue;
@@ -222 +222 @@
                         "machine int.\n");
                 }
-                return 0;
+                return makeUnexpected(OSREntryFail::BadPrediction);
             }
             continue;
@@ -233 +233 @@
                     entry->m_expectedValues.local(local), ".\n");
             }
-            return 0;
+            return makeUnexpected(OSREntryFail::BadPrediction);
         }
     }
@@ -248 +248 @@
         if (Options::verboseOSR())
             dataLogF("    OSR failed because stack growth failed.\n");
-        return 0;
+        return makeUnexpected(OSREntryFail::StackGrowthFailed);
     }
     

trunk/Source/JavaScriptCore/dfg/DFGOSREntry.h

@@ -29 +29 @@
 #include "Operands.h"
 #include <wtf/BitVector.h>
+#include <wtf/Expected.h>
 
 namespace JSC {
@@ -36 +37 @@
 
 namespace DFG {
+
+enum class OSREntryFail {
+    Disabled,
+    TargetNotDFG,
+    TargetOptimizedOut,
+    BadPrediction,
+    StackGrowthFailed,
+};
 
 #if ENABLE(DFG_JIT)
@@ -70 +79 @@
 }
 
-// Returns a pointer to a data buffer that the OSR entry thunk will recognize and
-// parse. If this returns null, it means 
-void* prepareOSREntry(ExecState*, CodeBlock*, unsigned bytecodeIndex);
+// Returns a pointer to a data buffer that the OSR entry thunk will recognize and parse.
+Expected<void*, OSREntryFail> prepareOSREntry(ExecState*, CodeBlock*, unsigned bytecodeIndex);
 #else
-inline void* prepareOSREntry(ExecState*, CodeBlock*, unsigned) { return 0; }
+inline Expected<void*, OSREntryFail> prepareOSREntry(ExecState*, CodeBlock*, unsigned) { return makeUnexpected(OSREntryFail::Disabled); }
 #endif
 

trunk/Source/JavaScriptCore/dfg/DFGOperations.cpp

@@ -2315 +2315 @@
     }
 
+    // This updates the execution counter.
     if (shouldTriggerFTLCompile(codeBlock, jitCode))
         triggerFTLReplacementCompile(vm, codeBlock, jitCode);
@@ -2338 +2339 @@
 }
 
-static char* tierUpCommon(ExecState* exec, unsigned originBytecodeIndex, unsigned osrEntryBytecodeIndex)
-{
-    VM* vm = &exec->vm();
-    CodeBlock* codeBlock = exec->codeBlock();
+enum class EntryReason {
+    Spurious,
+    CheckingUpOnHowCompilationIsGoing,
+    HaveOSREntryReady,
+    ShouldStartCompiling,
+    ShouldStartCompilingRightNow,
+    CompilationFailed,
+};
+
+static EntryReason whatHaveYouDoneAndWhyAmIHere(VM* vm, CodeBlock* codeBlock, JITCode* jitCode, unsigned bytecodeIndex, CodeBlock*& osrEntryBlock)
+{
+    // Gather facts about why we could be here.
 
     // Resolve any pending plan for OSR Enter on this function.
     Worklist::State worklistState;
-    if (Worklist* worklist = existingGlobalFTLWorklistOrNull()) {
-        worklistState = worklist->completeAllReadyPlansForVM(
-            *vm, CompilationKey(codeBlock->baselineVersion(), FTLForOSREntryMode));
-    } else
+    if (Worklist* worklist = existingGlobalFTLWorklistOrNull())
+        worklistState = worklist->completeAllReadyPlansForVM(*vm, CompilationKey(codeBlock->baselineVersion(), FTLForOSREntryMode));
+    else
         worklistState = Worklist::NotKnown;
 
-    JITCode* jitCode = codeBlock->jitCode()->dfg();
-    if (worklistState == Worklist::Compiling) {
+    osrEntryBlock = jitCode->osrEntryBlock();
+
+    // Was the tier-up entry trigger set to slow-path?
+    bool triggeredSlowPath = false;
+    auto tierUpEntryTriggers = jitCode->tierUpEntryTriggers.find(bytecodeIndex);
+    if (tierUpEntryTriggers != jitCode->tierUpEntryTriggers.end()) {
+        if (tierUpEntryTriggers->value == TierUpEntryTrigger::TakeSlowPath) {
+            // We were asked to enter as soon as possible. Unset this trigger so we don't continually enter.
+            if (Options::verboseOSR())
+                dataLog("EntryTrigger for ", *codeBlock, " forced slow-path.\n");
+            triggeredSlowPath = true;
+            tierUpEntryTriggers->value = TierUpEntryTrigger::None;
+        }
+    }
+
+    // Put those facts together to make a final determination.
+
+    switch (worklistState) {
+    case Worklist::NotKnown:
+        if (osrEntryBlock)
+            return EntryReason::HaveOSREntryReady;
+        if (triggeredSlowPath) {
+            // Someone went through the trouble of forcing us into slow-path, they really wanted us to compile.
+            return EntryReason::ShouldStartCompilingRightNow;
+        }
+        return EntryReason::ShouldStartCompiling;
+
+    case Worklist::Compiling:
+        if (triggeredSlowPath) {
+            // We're already compiling, and can't OSR enter. We therefore must
+            // have set our slow-path trigger as well as another slow path
+            // trigger, hoping one of these would kick off a compilation. Sure
+            // enough another bytecode location did kick off a compilation
+            // before this one got a chance to do so. There's nothing for us to
+            // do but wait.
+            return EntryReason::Spurious;
+        }
+        return EntryReason::CheckingUpOnHowCompilationIsGoing;
+
+    case Worklist::Compiled:
+        return EntryReason::CompilationFailed;
+    }
+
+    RELEASE_ASSERT_NOT_REACHED();
+    return EntryReason::Spurious;
+}
+
+enum class CanOSREnterFromHere {
+    No,
+    Yes,
+};
+
+static char* tierUpCommon(VM* vm, ExecState* exec, CodeBlock* codeBlock, JITCode* jitCode, unsigned bytecodeIndex, CanOSREnterFromHere canOSREnterFromHere)
+{
+    CodeBlock* osrEntryBlock;
+    EntryReason entryReason = whatHaveYouDoneAndWhyAmIHere(vm, codeBlock, jitCode, bytecodeIndex, osrEntryBlock);
+
+    switch (entryReason) {
+    case EntryReason::CheckingUpOnHowCompilationIsGoing:
         CODEBLOCK_LOG_EVENT(codeBlock, "delayFTLCompile", ("still compiling"));
         jitCode->setOptimizationThresholdBasedOnCompilationResult(
             codeBlock, CompilationDeferred);
         return nullptr;
-    }
-
-    if (worklistState == Worklist::Compiled) {
+
+    case EntryReason::CompilationFailed:
         CODEBLOCK_LOG_EVENT(codeBlock, "delayFTLCompile", ("compiled and failed"));
-        // This means that compilation failed and we already set the thresholds.
+        // We've already set the thresholds.
         if (Options::verboseOSR())
             dataLog("Code block ", *codeBlock, " was compiled but it doesn't have an optimized replacement.\n");
         return nullptr;
-    }
-
-    // If we can OSR Enter, do it right away.
-    if (originBytecodeIndex == osrEntryBytecodeIndex) {
-        unsigned streamIndex = jitCode->bytecodeIndexToStreamIndex.get(originBytecodeIndex);
-        if (CodeBlock* entryBlock = jitCode->osrEntryBlock()) {
-            if (void* address = FTL::prepareOSREntry(exec, codeBlock, entryBlock, originBytecodeIndex, streamIndex)) {
-                CODEBLOCK_LOG_EVENT(entryBlock, "osrEntry", ("at bc#", originBytecodeIndex));
+
+    case EntryReason::HaveOSREntryReady:
+        if (canOSREnterFromHere == CanOSREnterFromHere::No)
+            break; // OSR entry is for another location.
+
+        {
+            // If we can OSR Enter, do it right away.
+            unsigned streamIndex = jitCode->bytecodeIndexToStreamIndex.get(bytecodeIndex);
+            auto osrEntryPreparation = FTL::prepareOSREntry(exec, codeBlock, osrEntryBlock, bytecodeIndex, streamIndex);
+            if (osrEntryPreparation) {
+                CODEBLOCK_LOG_EVENT(osrEntryBlock, "osrEntry", ("at bc#", bytecodeIndex));
+                void* address = osrEntryPreparation.value();
+                ASSERT(address);
                 return static_cast<char*>(address);
             }
+            switch (osrEntryPreparation.error()) {
+            case FTL::OSREntryFail::StackGrowthFailed:
+                break;
+            case FTL::OSREntryFail::WrongBytecode:
+                // Above we checked that an entry was possible from the current
+                // location, but we didn't know whether the compiled OSR entry
+                // was for this location. Now we know it's not.
+                break;
+            }
+
+            break;
         }
+
+    case EntryReason::ShouldStartCompiling:
+    case EntryReason::ShouldStartCompilingRightNow:
+        // We'll take care of that below.
+        break;
+
+    case EntryReason::Spurious:
+        if (Options::verboseOSR())
+            dataLog("Code block ", *codeBlock, " was spuriously woken up, compilation is already under way.\n");
+        jitCode->checkIfOptimizationThresholdReached(codeBlock);
+        return nullptr;
     }
 
@@ -2382 +2473 @@
     // - If we couldn't enter for a while, then trigger OSR entry.
 
+    // This updates the execution counter.
     if (!shouldTriggerFTLCompile(codeBlock, jitCode))
         return nullptr;
@@ -2399 +2491 @@
         CODEBLOCK_LOG_EVENT(codeBlock, "delayFTLCompile", ("avoiding replacement compile"));
 
-    // It's time to try to compile code for OSR entry.
-    if (CodeBlock* entryBlock = jitCode->osrEntryBlock()) {
+    if (osrEntryBlock) {
+        // We have a compiled OSR entry for this function, but didn't enter.
+
         if (jitCode->osrEntryRetry < Options::ftlOSREntryRetryThreshold()) {
             CODEBLOCK_LOG_EVENT(codeBlock, "delayFTLCompile", ("OSR entry failed, OSR entry threshold not met"));
@@ -2409 +2502 @@
         }
 
-        FTL::ForOSREntryJITCode* entryCode = entryBlock->jitCode()->ftlForOSREntry();
+        FTL::ForOSREntryJITCode* entryCode = osrEntryBlock->jitCode()->ftlForOSREntry();
         entryCode->countEntryFailure();
         if (entryCode->entryFailureCount() <
@@ -2422 +2515 @@
         // without exponential backoff and we only do this for the entry code block.
         CODEBLOCK_LOG_EVENT(codeBlock, "delayFTLCompile", ("OSR entry failed too many times"));
-        unsigned osrEntryBytecode = entryBlock->jitCode()->ftlForOSREntry()->bytecodeIndex();
+        unsigned osrEntryBytecode = osrEntryBlock->jitCode()->ftlForOSREntry()->bytecodeIndex();
         jitCode->clearOSREntryBlock();
         jitCode->osrEntryRetry = 0;
-        jitCode->tierUpEntryTriggers.set(osrEntryBytecode, 0);
+        jitCode->tierUpEntryTriggers.set(osrEntryBytecode, TierUpEntryTrigger::None);
         jitCode->setOptimizationThresholdBasedOnCompilationResult(
             codeBlock, CompilationDeferred);
@@ -2431 +2524 @@
     }
 
-    unsigned streamIndex = jitCode->bytecodeIndexToStreamIndex.get(osrEntryBytecodeIndex);
-    auto tierUpHierarchyEntry = jitCode->tierUpInLoopHierarchy.find(osrEntryBytecodeIndex);
-    if (tierUpHierarchyEntry != jitCode->tierUpInLoopHierarchy.end()) {
-        for (unsigned osrEntryCandidate : tierUpHierarchyEntry->value) {
-            if (jitCode->tierUpEntrySeen.contains(osrEntryCandidate)) {
-                osrEntryBytecodeIndex = osrEntryCandidate;
-                streamIndex = jitCode->bytecodeIndexToStreamIndex.get(osrEntryBytecodeIndex);
+    // We aren't compiling and haven't compiled anything for OSR entry. So, try to compile something.
+
+    if (entryReason != EntryReason::ShouldStartCompilingRightNow) {
+        // We entered because our threshold was set, not because someone is forcing us to compile.
+        // Try to see if there would be a better place to compile from than where we currently are.
+
+        // Compiling an outer-loop for OSR entry often generates better code than an inner-loop because
+        // the entry is less disruptive. If we're at an inner-loop be smart and mark the outer-loop as
+        // needing compilation ASAP. Once execution reaches the outer-loop compilation will trigger.
+        auto tierUpHierarchyEntry = jitCode->tierUpInLoopHierarchy.find(bytecodeIndex);
+        if (tierUpHierarchyEntry != jitCode->tierUpInLoopHierarchy.end() && !tierUpHierarchyEntry->value.isEmpty()) {
+            // Traverse the loop hierarchy from the outer-most loop, to the inner-most one.
+            for (auto iterator = tierUpHierarchyEntry->value.rbegin(), end = tierUpHierarchyEntry->value.rend(); iterator != end; ++iterator) {
+                unsigned osrEntryCandidate = *iterator;
+                if (jitCode->tierUpEntrySeen.contains(osrEntryCandidate)) {
+                    unsigned outerLoopOsrEntryBytecodeIndex = osrEntryCandidate;
+
+                    // We found an outer-loop which would be a better OSR entry
+                    // than the current location:
+                    //  - Set its trigger so it takes the slow-path ASAP;
+                    //  - Tell the codeblock to stop its counter slow-path for a
+                    //    while, because it should wait for the outer-loop to
+                    //    trigger.
+                    //
+                    // If we slow-path again then one of these is true:
+                    //  1. We enter from the outer-loop because of its trigger,
+                    //     it un-sets its trigger, kicks off a compile,
+                    //     everything is good;
+                    //  2. We enter from anywhere and a compile is under way,
+                    //     just chill as usual;
+                    //  3. We never got to that outer-loop and the counter
+                    //     tripped again, bummer!
+                    //
+                    // We can detect 3. because the outer-loop's trigger is
+                    // set. It's still a great place to enter, so leave its
+                    // trigger set, but also:
+                    //  - Set the trigger for the next loop in, hope that one triggers;
+                    //  - Backoff the counter as before.
+                    // That is, unless all the inner-loop's parent triggers are
+                    // set. In that case just optimize the innermost-loop: it
+                    // won't generate as good code, but the outer-loops aren't
+                    // triggering so we may as we tier up where we can.
+                    auto outerLoopTierUpEntryTriggers = jitCode->tierUpEntryTriggers.find(outerLoopOsrEntryBytecodeIndex);
+                    ASSERT(outerLoopTierUpEntryTriggers != jitCode->tierUpEntryTriggers.end());
+
+                    if (outerLoopTierUpEntryTriggers->value != TierUpEntryTrigger::TakeSlowPath) {
+                        if (Options::verboseOSR())
+                            dataLog("Forcibly FTL-optimize outer-loop bc#", outerLoopOsrEntryBytecodeIndex, " in ", *codeBlock, "by setting its trigger.\n");
+
+                        CODEBLOCK_LOG_EVENT(codeBlock, "delayFTLCompile", ("OSR entry request from inner-loop for outer-loop"));
+                        jitCode->tierUpEntryTriggers.set(outerLoopOsrEntryBytecodeIndex, TierUpEntryTrigger::TakeSlowPath);
+                        jitCode->optimizeSoon(codeBlock);
+                        return nullptr;
+                    }
+
+                    if (Options::verboseOSR())
+                        dataLog("Trying to forcibly FTL-optimize outer-loop bc#", outerLoopOsrEntryBytecodeIndex, " in ", *codeBlock, ", but trigger is already set.\n");
+                }
             }
+
+            // All the outer-loops have their trigger set, but none have been entered.
+
+            if (canOSREnterFromHere == CanOSREnterFromHere::No) {
+                // We just can't enter from here, we've asked everyone we know
+                // to please optimize ASAP, nobody has heeded our call. Keep
+                // hoping one of the outer loops triggers get to their slow
+                // path. Stop the counter, there's nothing we can do.
+                jitCode->dontOptimizeAnytimeSoon(codeBlock);
+                return nullptr;
+            }
+
+            if (Options::verboseOSR())
+                dataLog("Tried to forcibly-optimize outer-loop, but falling back to bc#", bytecodeIndex, " in ", *codeBlock, ", outer-loop triggers didn't work.\n");
         }
     }
 
-    // We aren't compiling and haven't compiled anything for OSR entry. So, try to compile
-    // something.
-    auto triggerIterator = jitCode->tierUpEntryTriggers.find(osrEntryBytecodeIndex);
+    RELEASE_ASSERT(canOSREnterFromHere == CanOSREnterFromHere::Yes);
+
+    unsigned streamIndex = jitCode->bytecodeIndexToStreamIndex.get(bytecodeIndex);
+
+    // We're not trying to kick off a compile of an outer-loop from within an
+    // inner-loop. We can compile right here, right now.
+    auto triggerIterator = jitCode->tierUpEntryTriggers.find(bytecodeIndex);
     RELEASE_ASSERT(triggerIterator != jitCode->tierUpEntryTriggers.end());
-    uint8_t* triggerAddress = &(triggerIterator->value);
-
+    TierUpEntryTrigger* triggerAddress = &(triggerIterator->value);
+
+    // Use OSR reconstruction to generate a snapshot of JSValues at the current
+    // location of execution. The optimizer is happy when it can look at real
+    // and live values, as opposed to mere type traces.
     Operands<JSValue> mustHandleValues;
     jitCode->reconstruct(
-        exec, codeBlock, CodeOrigin(osrEntryBytecodeIndex), streamIndex, mustHandleValues);
+        exec, codeBlock, CodeOrigin(bytecodeIndex), streamIndex, mustHandleValues);
     CodeBlock* replacementCodeBlock = codeBlock->newReplacement();
 
     CODEBLOCK_LOG_EVENT(codeBlock, "triggerFTLOSR", ());
     CompilationResult forEntryResult = compile(
-        *vm, replacementCodeBlock, codeBlock, FTLForOSREntryMode, osrEntryBytecodeIndex,
+        *vm, replacementCodeBlock, codeBlock, FTLForOSREntryMode, bytecodeIndex,
         mustHandleValues, ToFTLForOSREntryDeferredCompilationCallback::create(triggerAddress));
 
@@ -2467 +2632 @@
         return nullptr;
     }
-    
-    CODEBLOCK_LOG_EVENT(jitCode->osrEntryBlock(), "osrEntry", ("at bc#", originBytecodeIndex));
-    // It's possible that the for-entry compile already succeeded. In that case OSR
-    // entry will succeed unless we ran out of stack. It's not clear what we should do.
-    // We signal to try again after a while if that happens.
-    void* address = FTL::prepareOSREntry(
-        exec, codeBlock, jitCode->osrEntryBlock(), originBytecodeIndex, streamIndex);
-    return static_cast<char*>(address);
+
+    // It's possible that the for-entry compile already succeeded. In that case
+    // OSR entry will succeed unless we ran out of stack.
+    auto osrEntryPreparation = FTL::prepareOSREntry(exec, codeBlock, jitCode->osrEntryBlock(), bytecodeIndex, streamIndex);
+    if (osrEntryPreparation) {
+        CODEBLOCK_LOG_EVENT(jitCode->osrEntryBlock(), "osrEntry", ("at bc#", bytecodeIndex));
+        void* address = osrEntryPreparation.value();
+        ASSERT(address);
+        return static_cast<char*>(address);
+    }
+    switch (osrEntryPreparation.error()) {
+    case FTL::OSREntryFail::StackGrowthFailed:
+        // It's not clear what we should do. We signal to try again after a
+        // while if that happens.
+        return nullptr;
+    case FTL::OSREntryFail::WrongBytecode:
+        RELEASE_ASSERT_NOT_REACHED();
+    }
+
+    RELEASE_ASSERT_NOT_REACHED();
+    return nullptr;
 }
 
@@ -2497 +2675 @@
     }
 
+    // It's impossible to OSR enter from the current bytecode index: CheckTierUpInLoop is only even generated for non-OSR-entry bytecodes.
+    // It's nonetheless a good spot to request that a nearby loop get optimized the next time it's entered.
+
     auto tierUpHierarchyEntry = jitCode->tierUpInLoopHierarchy.find(bytecodeIndex);
     if (tierUpHierarchyEntry != jitCode->tierUpInLoopHierarchy.end()
         && !tierUpHierarchyEntry->value.isEmpty()) {
-        tierUpCommon(exec, bytecodeIndex, tierUpHierarchyEntry->value.first());
-    } else if (shouldTriggerFTLCompile(codeBlock, jitCode))
+        // There is a suitable loop to OSR enter from.
+        tierUpCommon(vm, exec, codeBlock, jitCode, bytecodeIndex, CanOSREnterFromHere::No);
+    } else if (shouldTriggerFTLCompile(codeBlock, jitCode)) // This updates the execution counter.
         triggerFTLReplacementCompile(vm, codeBlock, jitCode);
 
@@ -2511 +2693 @@
 }
 
-char* JIT_OPERATION triggerOSREntryNow(ExecState* exec, unsigned bytecodeIndex)
+char* JIT_OPERATION checkTierUpAndOSREnterNow(ExecState* exec, unsigned bytecodeIndex)
 {
     VM* vm = &exec->vm();
@@ -2524 +2706 @@
 
     JITCode* jitCode = codeBlock->jitCode()->dfg();
-    jitCode->tierUpEntrySeen.add(bytecodeIndex);
 
     if (Options::verboseOSR()) {
@@ -2532 +2713 @@
     }
 
-    return tierUpCommon(exec, bytecodeIndex, bytecodeIndex);
+    jitCode->tierUpEntrySeen.add(bytecodeIndex);
+    return tierUpCommon(vm, exec, codeBlock, jitCode, bytecodeIndex, CanOSREnterFromHere::Yes);
 }
 

trunk/Source/JavaScriptCore/dfg/DFGOperations.h

@@ -221 +221 @@
 void JIT_OPERATION triggerTierUpNow(ExecState*) WTF_INTERNAL;
 void JIT_OPERATION triggerTierUpNowInLoop(ExecState*, unsigned bytecodeIndex) WTF_INTERNAL;
-char* JIT_OPERATION triggerOSREntryNow(ExecState*, unsigned bytecodeIndex) WTF_INTERNAL;
+char* JIT_OPERATION checkTierUpAndOSREnterNow(ExecState*, unsigned bytecodeIndex) WTF_INTERNAL;
 #endif // ENABLE(FTL_JIT)
 

trunk/Source/JavaScriptCore/dfg/DFGSpeculativeJIT64.cpp

@@ -5782 +5782 @@
         auto triggerIterator = m_jit.jitCode()->tierUpEntryTriggers.find(bytecodeIndex);
         DFG_ASSERT(m_jit.graph(), node, triggerIterator != m_jit.jitCode()->tierUpEntryTriggers.end());
-        uint8_t* forceEntryTrigger = &(m_jit.jitCode()->tierUpEntryTriggers.find(bytecodeIndex)->value);
-
+        TierUpEntryTrigger* forceEntryTrigger = &(m_jit.jitCode()->tierUpEntryTriggers.find(bytecodeIndex)->value);
+
+        static_assert(sizeof(TierUpEntryTrigger) == 1, "8-bit load is generated below");
+        static_assert(!static_cast<uint8_t>(TierUpEntryTrigger::None), "NonZero test below depends on this");
         MacroAssembler::Jump forceOSREntry = m_jit.branchTest8(MacroAssembler::NonZero, MacroAssembler::AbsoluteAddress(forceEntryTrigger));
         MacroAssembler::Jump overflowedCounter = m_jit.branchAdd32(
@@ -5803 +5805 @@
             silentSpill(savePlans);
             m_jit.setupArgumentsWithExecState(TrustedImm32(bytecodeIndex));
-            appendCallSetResult(triggerOSREntryNow, tempGPR);
+            appendCallSetResult(checkTierUpAndOSREnterNow, tempGPR);
 
             if (savePlans.isEmpty())

trunk/Source/JavaScriptCore/dfg/DFGTierUpEntryTrigger.h

@@ -1 +1 @@
 /*
- * Copyright (C) 2013 Apple Inc. All rights reserved.
+ * Copyright (C) 2017 Apple Inc. All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
@@ -26 +26 @@
 #pragma once
 
-#if ENABLE(FTL_JIT)
+#if ENABLE(DFG_JIT)
 
-namespace JSC {
+namespace JSC { namespace DFG {
 
-class CodeBlock;
-class ExecState;
+enum class TierUpEntryTrigger : uint8_t {
+    None = 0, // Must stay zero: JIT-compiled code takes the triggerOSREntryNow slow-path when non-zero.
+    TakeSlowPath, // The slow path can be taken because the compilation needs to be started, or it's ready and we should OSR enter.
+};
 
-namespace FTL {
+} } // namespace JSC::DFG
 
-void* prepareOSREntry(
-    ExecState*, CodeBlock* dfgCodeBlock, CodeBlock* entryCodeBlock, unsigned bytecodeIndex,
-    unsigned streamIndex);
-
-} } // namespace JSC::FTL
-
-#endif // ENABLE(FTL_JIT)
+#endif // ENABLE(DFG_JIT)

trunk/Source/JavaScriptCore/dfg/DFGToFTLForOSREntryDeferredCompilationCallback.cpp

@@ -36 +36 @@
 namespace JSC { namespace DFG {
 
-ToFTLForOSREntryDeferredCompilationCallback::ToFTLForOSREntryDeferredCompilationCallback(uint8_t* forcedOSREntryTrigger)
+ToFTLForOSREntryDeferredCompilationCallback::ToFTLForOSREntryDeferredCompilationCallback(TierUpEntryTrigger* forcedOSREntryTrigger)
     : m_forcedOSREntryTrigger(forcedOSREntryTrigger)
 {
@@ -45 +45 @@
 }
 
-Ref<ToFTLForOSREntryDeferredCompilationCallback>ToFTLForOSREntryDeferredCompilationCallback::create(uint8_t* forcedOSREntryTrigger)
+Ref<ToFTLForOSREntryDeferredCompilationCallback>ToFTLForOSREntryDeferredCompilationCallback::create(TierUpEntryTrigger* forcedOSREntryTrigger)
 {
     return adoptRef(*new ToFTLForOSREntryDeferredCompilationCallback(forcedOSREntryTrigger));
@@ -59 +59 @@
     }
 
-    *m_forcedOSREntryTrigger = 1;
+    *m_forcedOSREntryTrigger = TierUpEntryTrigger::TakeSlowPath;
 }
 
@@ -77 +77 @@
         jitCode->setOSREntryBlock(*codeBlock->vm(), profiledDFGCodeBlock, codeBlock);
         unsigned osrEntryBytecode = codeBlock->jitCode()->ftlForOSREntry()->bytecodeIndex();
-        jitCode->tierUpEntryTriggers.set(osrEntryBytecode, 1);
+        jitCode->tierUpEntryTriggers.set(osrEntryBytecode, TierUpEntryTrigger::TakeSlowPath);
         break;
     }

trunk/Source/JavaScriptCore/dfg/DFGToFTLForOSREntryDeferredCompilationCallback.h

@@ -28 +28 @@
 #if ENABLE(FTL_JIT)
 
+#include "DFGTierUpEntryTrigger.h"
 #include "DeferredCompilationCallback.h"
 #include <wtf/RefPtr.h>
@@ -39 +40 @@
 class ToFTLForOSREntryDeferredCompilationCallback : public DeferredCompilationCallback {
 protected:
-    ToFTLForOSREntryDeferredCompilationCallback(uint8_t* forcedOSREntryTrigger);
+    ToFTLForOSREntryDeferredCompilationCallback(TierUpEntryTrigger* forcedOSREntryTrigger);
 
 public:
     virtual ~ToFTLForOSREntryDeferredCompilationCallback();
 
-    static Ref<ToFTLForOSREntryDeferredCompilationCallback> create(uint8_t* forcedOSREntryTrigger);
+    static Ref<ToFTLForOSREntryDeferredCompilationCallback> create(TierUpEntryTrigger* forcedOSREntryTrigger);
     
     virtual void compilationDidBecomeReadyAsynchronously(CodeBlock*, CodeBlock* profiledDFGCodeBlock);
@@ -50 +51 @@
 
 private:
-    uint8_t* m_forcedOSREntryTrigger;
+    TierUpEntryTrigger* m_forcedOSREntryTrigger;
 };
 

trunk/Source/JavaScriptCore/ftl/FTLOSREntry.cpp

@@ -40 +40 @@
 
 SUPPRESS_ASAN
-void* prepareOSREntry(
+Expected<void*, OSREntryFail> prepareOSREntry(
     ExecState* exec, CodeBlock* dfgCodeBlock, CodeBlock* entryCodeBlock,
     unsigned bytecodeIndex, unsigned streamIndex)
@@ -62 +62 @@
         if (Options::verboseOSR())
             dataLog("    OSR failed because we don't have an entrypoint for bc#", bytecodeIndex, "; ours is for bc#", entryCode->bytecodeIndex(), "\n");
-        return 0;
+        return makeUnexpected(OSREntryFail::WrongBytecode);
     }
     
@@ -96 +96 @@
         if (Options::verboseOSR())
             dataLog("    OSR failed because stack growth failed.\n");
-        return 0;
+        return makeUnexpected(OSREntryFail::StackGrowthFailed);
     }
     

trunk/Source/JavaScriptCore/ftl/FTLOSREntry.h

@@ -28 +28 @@
 #if ENABLE(FTL_JIT)
 
+#include <wtf/Expected.h>
+
 namespace JSC {
 
@@ -35 +37 @@
 namespace FTL {
 
-void* prepareOSREntry(
+enum class OSREntryFail {
+    WrongBytecode,
+    StackGrowthFailed,
+};
+
+Expected<void*, OSREntryFail> prepareOSREntry(
     ExecState*, CodeBlock* dfgCodeBlock, CodeBlock* entryCodeBlock, unsigned bytecodeIndex,
     unsigned streamIndex);

trunk/Source/JavaScriptCore/jit/JITOperations.cpp

@@ -1424 +1424 @@
     ASSERT(JITCode::isOptimizingJIT(optimizedCodeBlock->jitType()));
     
-    if (void* dataBuffer = DFG::prepareOSREntry(exec, optimizedCodeBlock, bytecodeIndex)) {
+    if (auto osrEntryPreparation = DFG::prepareOSREntry(exec, optimizedCodeBlock, bytecodeIndex)) {
+        void* dataBuffer = osrEntryPreparation.value();
         CODEBLOCK_LOG_EVENT(optimizedCodeBlock, "osrEntry", ("at bc#", bytecodeIndex));
         if (Options::verboseOSR()) {