Changeset 254926 in webkit

Timestamp:

Jan 22, 2020 9:06:32 AM (4 years ago)

Author:

sbarati@apple.com

Message:

Throw away baseline code if there is an optimized replacement
​https://bugs.webkit.org/show_bug.cgi?id=202503
<rdar://problem/58552041>

Reviewed by Yusuke Suzuki.

This patch's goal is to help us save JIT executable memory by throwing
away baseline code when it has an optimized replacement. To make it
easy to reason about, we do this when finalizing a GC, when the CodeBlock
is not on the stack, and when no OSR exits are linked to jump to the baseline
code. Also, as a measure to combat a performance regression, we only throw
away code on the second GC cycle in which it is eligible for this.
When we downgrade Baseline to LLInt, we also throw away all JIT data
and unlink all incoming calls.

• bytecode/CodeBlock.cpp:

(JSC::CodeBlock::CodeBlock):
(JSC::CodeBlock::finishCreation):
(JSC::CodeBlock::finalizeUnconditionally):
(JSC::CodeBlock::resetJITData):
(JSC::CodeBlock::optimizedReplacement):
(JSC::CodeBlock::hasOptimizedReplacement):
(JSC::CodeBlock::tallyFrequentExitSites):

• bytecode/CodeBlock.h:

(JSC::CodeBlock::setJITCode):

• dfg/DFGDriver.cpp:

(JSC::DFG::compileImpl):

• dfg/DFGOSRExitCompilerCommon.cpp:

(JSC::DFG::callerReturnPC):
(JSC::DFG::adjustAndJumpToTarget):

• heap/CodeBlockSet.cpp:

(JSC::CodeBlockSet::isCurrentlyExecuting):

• heap/CodeBlockSet.h:
• heap/Heap.cpp:

(JSC::Heap::finalizeUnconditionalFinalizers):
(JSC::Heap::runEndPhase):

Location:

trunk/Source/JavaScriptCore

Files:

• ChangeLog (modified) (1 diff)
• bytecode/CodeBlock.cpp (modified) (7 diffs)
• bytecode/CodeBlock.h (modified) (4 diffs)
• dfg/DFGDriver.cpp (modified) (1 diff)
• dfg/DFGOSRExitCompilerCommon.cpp (modified) (2 diffs)
• heap/CodeBlockSet.cpp (modified) (1 diff)
• heap/CodeBlockSet.h (modified) (1 diff)
• heap/Heap.cpp (modified) (2 diffs)

trunk/Source/JavaScriptCore/ChangeLog

@@ +1 @@
+2020-01-22  Saam Barati  <sbarati@apple.com>
+
+        Throw away baseline code if there is an optimized replacement
+        https://bugs.webkit.org/show_bug.cgi?id=202503
+        <rdar://problem/58552041>
+
+        Reviewed by Yusuke Suzuki.
+
+        This patch's goal is to help us save JIT executable memory by throwing
+        away baseline code when it has an optimized replacement. To make it
+        easy to reason about, we do this when finalizing a GC, when the CodeBlock
+        is not on the stack, and when no OSR exits are linked to jump to the baseline
+        code. Also, as a measure to combat a performance regression, we only throw
+        away code on the second GC cycle in which it is eligible for this.
+        When we downgrade Baseline to LLInt, we also throw away all JIT data
+        and unlink all incoming calls.
+
+        * bytecode/CodeBlock.cpp:
+        (JSC::CodeBlock::CodeBlock):
+        (JSC::CodeBlock::finishCreation):
+        (JSC::CodeBlock::finalizeUnconditionally):
+        (JSC::CodeBlock::resetJITData):
+        (JSC::CodeBlock::optimizedReplacement):
+        (JSC::CodeBlock::hasOptimizedReplacement):
+        (JSC::CodeBlock::tallyFrequentExitSites):
+        * bytecode/CodeBlock.h:
+        (JSC::CodeBlock::setJITCode):
+        * dfg/DFGDriver.cpp:
+        (JSC::DFG::compileImpl):
+        * dfg/DFGOSRExitCompilerCommon.cpp:
+        (JSC::DFG::callerReturnPC):
+        (JSC::DFG::adjustAndJumpToTarget):
+        * heap/CodeBlockSet.cpp:
+        (JSC::CodeBlockSet::isCurrentlyExecuting):
+        * heap/CodeBlockSet.h:
+        * heap/Heap.cpp:
+        (JSC::Heap::finalizeUnconditionalFinalizers):
+        (JSC::Heap::runEndPhase):
+
 2020-01-21  Ross Kirsling  <ross.kirsling@sony.com>
 

trunk/Source/JavaScriptCore/bytecode/CodeBlock.cpp

@@ -296 +296 @@
     , m_didFailFTLCompilation(false)
     , m_hasBeenCompiledWithFTL(false)
+    , m_hasLinkedOSRExit(false)
+    , m_isEligibleForLLIntDowngrade(false) 
     , m_numCalleeLocals(other.m_numCalleeLocals)
     , m_numVars(other.m_numVars)
@@ -355 +357 @@
     , m_didFailFTLCompilation(false)
     , m_hasBeenCompiledWithFTL(false)
+    , m_hasLinkedOSRExit(false)
+    , m_isEligibleForLLIntDowngrade(false) 
     , m_numCalleeLocals(unlinkedCodeBlock->numCalleeLocals())
     , m_numVars(unlinkedCodeBlock->numVars())
@@ -443 +447 @@
                 HandlerInfo& handler = m_rareData->m_exceptionHandlers[i];
 #if ENABLE(JIT)
-                auto instruction = instructions().at(unlinkedHandler.target);
-                MacroAssemblerCodePtr<BytecodePtrTag> codePtr;
-                if (instruction->isWide32())
-                    codePtr = LLInt::getWide32CodePtr<BytecodePtrTag>(op_catch);
-                else if (instruction->isWide16())
-                    codePtr = LLInt::getWide16CodePtr<BytecodePtrTag>(op_catch);
-                else
-                    codePtr = LLInt::getCodePtr<BytecodePtrTag>(op_catch);
+                auto& instruction = *instructions().at(unlinkedHandler.target).ptr();
+                MacroAssemblerCodePtr<BytecodePtrTag> codePtr = LLInt::getCodePtr<BytecodePtrTag>(instruction);
                 handler.initialize(unlinkedHandler, CodeLocationLabel<ExceptionHandlerPtrTag>(codePtr.retagged<ExceptionHandlerPtrTag>()));
 #else
@@ -1382 +1380 @@
 
     updateAllPredictions();
+
+#if ENABLE(JIT)
+    bool isEligibleForLLIntDowngrade = m_isEligibleForLLIntDowngrade;
+    m_isEligibleForLLIntDowngrade = false;
+    // If BaselineJIT code is not executing, and an optimized replacement exists, we attempt
+    // to discard baseline JIT code and reinstall LLInt code to save JIT memory.
+    if (Options::useLLInt() && !m_hasLinkedOSRExit && jitType() == JITType::BaselineJIT && !m_vm->heap.codeBlockSet().isCurrentlyExecuting(this)) {
+        if (CodeBlock* optimizedCodeBlock = optimizedReplacement()) {
+            if (!optimizedCodeBlock->m_osrExitCounter) {
+                if (isEligibleForLLIntDowngrade) {
+                    m_jitCode = nullptr;
+                    LLInt::setEntrypoint(this);
+                    RELEASE_ASSERT(jitType() == JITType::InterpreterThunk);
+
+                    for (size_t i = 0; i < m_unlinkedCode->numberOfExceptionHandlers(); i++) {
+                        const UnlinkedHandlerInfo& unlinkedHandler = m_unlinkedCode->exceptionHandler(i);
+                        HandlerInfo& handler = m_rareData->m_exceptionHandlers[i];
+                        auto& instruction = *instructions().at(unlinkedHandler.target).ptr();
+                        MacroAssemblerCodePtr<BytecodePtrTag> codePtr = LLInt::getCodePtr<BytecodePtrTag>(instruction);
+                        handler.initialize(unlinkedHandler, CodeLocationLabel<ExceptionHandlerPtrTag>(codePtr.retagged<ExceptionHandlerPtrTag>()));
+                    }
+
+                    unlinkIncomingCalls();
+
+                    // It's safe to clear these out here because in finalizeUnconditionally all compiler threads
+                    // are safepointed, meaning they're running either before or after bytecode parser, and bytecode
+                    // parser is the only data structure pointing into the various *infos.
+                    resetJITData();
+                } else
+                    m_isEligibleForLLIntDowngrade = true;
+            }
+        }
+    }
+
+#endif
     
     if (JITCode::couldBeInterpreted(jitType()))
@@ -1592 +1625 @@
         // link infos, or by val infos if we don't have JIT code. Attempts to query these data
         // structures using the concurrent API (getICStatusMap and friends) will return nothing if we
-        // don't have JIT code.
-        jitData->m_stubInfos.clear();
-        jitData->m_callLinkInfos.clear();
-        jitData->m_byValInfos.clear();
+        // don't have JIT code. So it's safe to call this if we fail a baseline JIT compile.
+        //
+        // We also call this from finalizeUnconditionally when we degrade from baseline JIT to LLInt
+        // code. This is safe to do since all compiler threads are safepointed in finalizeUnconditionally,
+        // which means we've made it past bytecode parsing. Only the bytecode parser will hold onto
+        // references to these various *infos via its use of ICStatusMap. Also, OSR exit might point to
+        // these *infos, but when we have an OSR exit linked to this CodeBlock, we won't downgrade
+        // to LLInt.
+
+        for (StructureStubInfo* stubInfo : jitData->m_stubInfos) {
+            stubInfo->aboutToDie();
+            stubInfo->deref();
+        }
+
         // We can clear this because the DFG's queries to these data structures are guarded by whether
         // there is JIT code.
-        jitData->m_rareCaseProfiles.clear();
+
+        m_jitData = nullptr;
     }
 }
@@ -1730 +1774 @@
 
 #if ENABLE(JIT)
+CodeBlock* CodeBlock::optimizedReplacement(JITType typeToReplace)
+{
+    CodeBlock* replacement = this->replacement();
+    if (!replacement)
+        return nullptr;
+    if (JITCode::isHigherTier(replacement->jitType(), typeToReplace))
+        return replacement;
+    return nullptr;
+}
+
+CodeBlock* CodeBlock::optimizedReplacement()
+{
+    return optimizedReplacement(jitType());
+}
+
 bool CodeBlock::hasOptimizedReplacement(JITType typeToReplace)
 {
-    CodeBlock* replacement = this->replacement();
-    return replacement && JITCode::isHigherTier(replacement->jitType(), typeToReplace);
+    return !!optimizedReplacement(typeToReplace);
 }
 
@@ -2777 +2835 @@
 {
     ASSERT(JITCode::isOptimizingJIT(jitType()));
-    ASSERT(alternative()->jitType() == JITType::BaselineJIT);
+    ASSERT(JITCode::isBaselineCode(alternative()->jitType()));
     
     CodeBlock* profiledBlock = alternative();

trunk/Source/JavaScriptCore/bytecode/CodeBlock.h

@@ -259 +259 @@
     Optional<BytecodeIndex> bytecodeIndexFromCallSiteIndex(CallSiteIndex);
 
+    // Because we might throw out baseline JIT code and all its baseline JIT data (m_jitData),
+    // you need to be careful about the lifetime of when you use the return value of this function.
+    // The return value may have raw pointers into this data structure that gets thrown away.
+    // Specifically, you need to ensure that no GC can be finalized (typically that means no
+    // allocations) between calling this and the last use of it.
     void getICStatusMap(const ConcurrentJSLocker&, ICStatusMap& result);
     void getICStatusMap(ICStatusMap& result);
@@ -413 +418 @@
     void setJITCode(Ref<JITCode>&& code)
     {
-        ASSERT(heap()->isDeferred());
         if (!code->isShared())
             heap()->reportExtraMemoryAllocated(code->size());
@@ -445 +449 @@
     DFG::CapabilityLevel capabilityLevelState() { return static_cast<DFG::CapabilityLevel>(m_capabilityLevelState); }
 
+    CodeBlock* optimizedReplacement(JITType typeToReplace);
+    CodeBlock* optimizedReplacement(); // the typeToReplace is my JITType
     bool hasOptimizedReplacement(JITType typeToReplace);
     bool hasOptimizedReplacement(); // the typeToReplace is my JITType
@@ -864 +870 @@
     bool m_hasBeenCompiledWithFTL : 1;
 
+    bool m_hasLinkedOSRExit : 1;
+    bool m_isEligibleForLLIntDowngrade : 1;
+
     // Internal methods for use by validation code. It would be private if it wasn't
     // for the fact that we use it from anonymous namespaces.

trunk/Source/JavaScriptCore/dfg/DFGDriver.cpp

@@ -82 +82 @@
     ASSERT(codeBlock);
     ASSERT(codeBlock->alternative());
-    ASSERT(codeBlock->alternative()->jitType() == JITType::BaselineJIT);
+    ASSERT(JITCode::isBaselineCode(codeBlock->alternative()->jitType()));
     ASSERT(!profiledDFGCodeBlock || profiledDFGCodeBlock->jitType() == JITType::DFGJIT);
     

trunk/Source/JavaScriptCore/dfg/DFGOSRExitCompilerCommon.cpp

@@ -194 +194 @@
 
     } else {
+        baselineCodeBlockForCaller->m_hasLinkedOSRExit = true;
+
         switch (trueCallerCallKind) {
         case InlineCallFrame::Call:
@@ -414 +416 @@
         jumpTarget = destination.retagged<OSRExitPtrTag>().executableAddress();
     } else {
+        codeBlockForExit->m_hasLinkedOSRExit = true;
+
         BytecodeIndex exitIndex = exit.m_codeOrigin.bytecodeIndex();
         MacroAssemblerCodePtr<JSEntryPtrTag> destination;

trunk/Source/JavaScriptCore/heap/CodeBlockSet.cpp

@@ -56 +56 @@
 }
 
+bool CodeBlockSet::isCurrentlyExecuting(CodeBlock* codeBlock)
+{
+    return m_currentlyExecuting.contains(codeBlock);
+}
+
 void CodeBlockSet::dump(PrintStream& out) const
 {

trunk/Source/JavaScriptCore/heap/CodeBlockSet.h

@@ -57 +57 @@
     Lock& getLock() { return m_lock; }
 
+    // This is expected to run only when we're not adding to the set for now. If
+    // this needs to run concurrently in the future, we'll need to lock around this.
+    bool isCurrentlyExecuting(CodeBlock*);
+
     // Visits each CodeBlock in the heap until the visitor function returns true
     // to indicate that it is done iterating, or until every CodeBlock has been

trunk/Source/JavaScriptCore/heap/Heap.cpp

@@ -606 +606 @@
     finalizeMarkedUnconditionalFinalizers<FunctionExecutable>(vm().functionExecutableSpace.space);
     finalizeMarkedUnconditionalFinalizers<SymbolTable>(vm().symbolTableSpace);
+    finalizeMarkedUnconditionalFinalizers<ExecutableToCodeBlockEdge>(vm().executableToCodeBlockEdgesWithFinalizers); // We run this before CodeBlock's unconditional finalizer since CodeBlock looks at the owner executable's installed CodeBlock in its finalizeUnconditionally.
     vm().forEachCodeBlockSpace(
         [&] (auto& space) {
             this->finalizeMarkedUnconditionalFinalizers<CodeBlock>(space.set);
         });
-    finalizeMarkedUnconditionalFinalizers<ExecutableToCodeBlockEdge>(vm().executableToCodeBlockEdgesWithFinalizers);
     finalizeMarkedUnconditionalFinalizers<StructureRareData>(vm().structureRareDataSpace);
     finalizeMarkedUnconditionalFinalizers<UnlinkedFunctionExecutable>(vm().unlinkedFunctionExecutableSpace.set);
@@ -1510 +1510 @@
     sweepArrayBuffers();
     snapshotUnswept();
-    finalizeUnconditionalFinalizers();
+    finalizeUnconditionalFinalizers(); // We rely on these unconditional finalizers running before clearCurrentlyExecuting since CodeBlock's finalizer relies on querying currently executing.
     removeDeadCompilerWorklistEntries();
     notifyIncrementalSweeper();