Changeset 91199 in webkit

Timestamp:

Jul 18, 2011 11:55:48 AM (13 years ago)

Author:

commit-queue@webkit.org

Message:

JSC JIT does not inline GC allocation fast paths
​https://bugs.webkit.org/show_bug.cgi?id=64582

Patch by Filip Pizlo <​fpizlo@apple.com> on 2011-07-18
Reviewed by Oliver Hunt.

This addresses inlining allocation for the easiest-to-allocate cases:
op_new_object and op_create_this. Inlining GC allocation fast paths
required three changes. First, the JSGlobalData now saves the vtable
pointer of JSFinalObject, since that's what op_new_object and
op_create_this allocate. Second, the Heap exposes a reference to
the appropriate SizeClass, so that the JIT may inline accesses
directly to the SizeClass for JSFinalObject allocations. And third,
the JIT is extended with code to emit inline fast paths for GC
allocation. A stub call is emitted in the case where the inline fast
path fails.

• heap/Heap.h:

(JSC::Heap::sizeClassFor):
(JSC::Heap::allocate):

• jit/JIT.cpp:

(JSC::JIT::privateCompileSlowCases):

• jit/JIT.h:
• jit/JITInlineMethods.h:

(JSC::JIT::emitAllocateJSFinalObject):

• jit/JITOpcodes.cpp:

(JSC::JIT::emit_op_new_object):
(JSC::JIT::emitSlow_op_new_object):
(JSC::JIT::emit_op_create_this):
(JSC::JIT::emitSlow_op_create_this):

• jit/JITOpcodes32_64.cpp:

(JSC::JIT::emit_op_new_object):
(JSC::JIT::emitSlow_op_new_object):
(JSC::JIT::emit_op_create_this):
(JSC::JIT::emitSlow_op_create_this):

• runtime/JSGlobalData.cpp:

(JSC::JSGlobalData::storeVPtrs):

• runtime/JSGlobalData.h:
• runtime/JSObject.h:

(JSC::JSFinalObject::JSFinalObject):
(JSC::JSObject::offsetOfInheritorID):

Location:

trunk/Source/JavaScriptCore

Files:

• ChangeLog (modified) (1 diff)
• heap/Heap.h (modified) (3 diffs)
• jit/JIT.cpp (modified) (2 diffs)
• jit/JIT.h (modified) (3 diffs)
• jit/JITInlineMethods.h (modified) (1 diff)
• jit/JITOpcodes.cpp (modified) (3 diffs)
• jit/JITOpcodes32_64.cpp (modified) (2 diffs)
• runtime/JSGlobalData.cpp (modified) (2 diffs)
• runtime/JSGlobalData.h (modified) (1 diff)
• runtime/JSObject.h (modified) (5 diffs)

trunk/Source/JavaScriptCore/ChangeLog

@@ +1 @@
+2011-07-18  Filip Pizlo  <fpizlo@apple.com>
+
+        JSC JIT does not inline GC allocation fast paths
+        https://bugs.webkit.org/show_bug.cgi?id=64582
+
+        Reviewed by Oliver Hunt.
+
+        This addresses inlining allocation for the easiest-to-allocate cases:
+        op_new_object and op_create_this.  Inlining GC allocation fast paths
+        required three changes.  First, the JSGlobalData now saves the vtable
+        pointer of JSFinalObject, since that's what op_new_object and
+        op_create_this allocate.  Second, the Heap exposes a reference to
+        the appropriate SizeClass, so that the JIT may inline accesses
+        directly to the SizeClass for JSFinalObject allocations.  And third,
+        the JIT is extended with code to emit inline fast paths for GC
+        allocation.  A stub call is emitted in the case where the inline fast
+        path fails.
+
+        * heap/Heap.h:
+        (JSC::Heap::sizeClassFor):
+        (JSC::Heap::allocate):
+        * jit/JIT.cpp:
+        (JSC::JIT::privateCompileSlowCases):
+        * jit/JIT.h:
+        * jit/JITInlineMethods.h:
+        (JSC::JIT::emitAllocateJSFinalObject):
+        * jit/JITOpcodes.cpp:
+        (JSC::JIT::emit_op_new_object):
+        (JSC::JIT::emitSlow_op_new_object):
+        (JSC::JIT::emit_op_create_this):
+        (JSC::JIT::emitSlow_op_create_this):
+        * jit/JITOpcodes32_64.cpp:
+        (JSC::JIT::emit_op_new_object):
+        (JSC::JIT::emitSlow_op_new_object):
+        (JSC::JIT::emit_op_create_this):
+        (JSC::JIT::emitSlow_op_create_this):
+        * runtime/JSGlobalData.cpp:
+        (JSC::JSGlobalData::storeVPtrs):
+        * runtime/JSGlobalData.h:
+        * runtime/JSObject.h:
+        (JSC::JSFinalObject::JSFinalObject):
+        (JSC::JSObject::offsetOfInheritorID):
+
 2011-07-18  Mark Hahnenberg  <mhahnenberg@apple.com>
 

trunk/Source/JavaScriptCore/heap/Heap.h

@@ -83 +83 @@
 
         void* allocate(size_t);
+        NewSpace::SizeClass& sizeClassFor(size_t);
         void* allocate(NewSpace::SizeClass&);
         void notifyIsSafeToCollect() { m_isSafeToCollect = true; }
@@ -290 +291 @@
     }
     
+    inline NewSpace::SizeClass& Heap::sizeClassFor(size_t bytes)
+    {
+        return m_newSpace.sizeClassFor(bytes);
+    }
+    
     inline void* Heap::allocate(NewSpace::SizeClass& sizeClass)
     {
@@ -304 +310 @@
     {
         ASSERT(isValidAllocation(bytes));
-        NewSpace::SizeClass& sizeClass = m_newSpace.sizeClassFor(bytes);
+        NewSpace::SizeClass& sizeClass = sizeClassFor(bytes);
         return allocate(sizeClass);
     }

trunk/Source/JavaScriptCore/jit/JIT.cpp

@@ -402 +402 @@
         DEFINE_SLOWCASE_OP(op_construct)
         DEFINE_SLOWCASE_OP(op_convert_this)
+        DEFINE_SLOWCASE_OP(op_create_this)
         DEFINE_SLOWCASE_OP(op_div)
         DEFINE_SLOWCASE_OP(op_eq)
@@ -436 +437 @@
 #endif
         DEFINE_SLOWCASE_OP(op_neq)
+        DEFINE_SLOWCASE_OP(op_new_object)
         DEFINE_SLOWCASE_OP(op_not)
         DEFINE_SLOWCASE_OP(op_nstricteq)

trunk/Source/JavaScriptCore/jit/JIT.h

@@ -300 +300 @@
 
         void emitWriteBarrier(RegisterID owner, RegisterID scratch);
+        
+        template<typename T>
+        void emitAllocateJSFinalObject(T structure, RegisterID result, RegisterID scratch);
 
 #if USE(JSVALUE32_64)
@@ -854 +857 @@
         void emitSlow_op_construct(Instruction*, Vector<SlowCaseEntry>::iterator&);
         void emitSlow_op_convert_this(Instruction*, Vector<SlowCaseEntry>::iterator&);
+        void emitSlow_op_create_this(Instruction*, Vector<SlowCaseEntry>::iterator&);
         void emitSlow_op_div(Instruction*, Vector<SlowCaseEntry>::iterator&);
         void emitSlow_op_eq(Instruction*, Vector<SlowCaseEntry>::iterator&);
@@ -886 +890 @@
         void emitSlow_op_negate(Instruction*, Vector<SlowCaseEntry>::iterator&);
         void emitSlow_op_neq(Instruction*, Vector<SlowCaseEntry>::iterator&);
+        void emitSlow_op_new_object(Instruction*, Vector<SlowCaseEntry>::iterator&);
         void emitSlow_op_not(Instruction*, Vector<SlowCaseEntry>::iterator&);
         void emitSlow_op_nstricteq(Instruction*, Vector<SlowCaseEntry>::iterator&);

trunk/Source/JavaScriptCore/jit/JITInlineMethods.h

@@ -375 +375 @@
 }
 
+template<typename T>
+inline void JIT::emitAllocateJSFinalObject(T structure, RegisterID result, RegisterID scratch)
+{
+    NewSpace::SizeClass* sizeClass = &m_globalData->heap.sizeClassFor(sizeof(JSFinalObject));
+    loadPtr(&sizeClass->firstFreeCell, result);
+    addSlowCase(branchTestPtr(Zero, result));
+    
+    // remove the object from the free list
+    loadPtr(Address(result), scratch);
+    storePtr(scratch, &sizeClass->firstFreeCell);
+    
+    // initialize the object's vtable
+    storePtr(ImmPtr(m_globalData->jsFinalObjectVPtr), Address(result));
+    
+    // initialize the object's structure
+    storePtr(structure, Address(result, JSCell::structureOffset()));
+    
+    // initialize the inheritor ID
+    storePtr(ImmPtr(0), Address(result, JSObject::offsetOfInheritorID()));
+    
+    // initialize the object's property storage pointer
+    addPtr(Imm32(sizeof(JSObject)), result, scratch);
+    storePtr(scratch, Address(result, JSObject::offsetOfPropertyStorage()));
+}
+
 #if USE(JSVALUE32_64)
 

trunk/Source/JavaScriptCore/jit/JITOpcodes.cpp

@@ -30 +30 @@
 
 #include "Arguments.h"
+#include "Heap.h"
 #include "JITInlineMethods.h"
 #include "JITStubCall.h"
@@ -331 +332 @@
 void JIT::emit_op_new_object(Instruction* currentInstruction)
 {
+    emitAllocateJSFinalObject(ImmPtr(m_codeBlock->globalObject()->emptyObjectStructure()), regT0, regT1);
+    
+    emitPutVirtualRegister(currentInstruction[1].u.operand);
+}
+
+void JIT::emitSlow_op_new_object(Instruction* currentInstruction, Vector<SlowCaseEntry>::iterator& iter)
+{
+    linkSlowCase(iter);
     JITStubCall(this, cti_op_new_object).call(currentInstruction[1].u.operand);
 }
@@ -1157 +1166 @@
 void JIT::emit_op_create_this(Instruction* currentInstruction)
 {
+    emitGetVirtualRegister(currentInstruction[2].u.operand, regT2);
+    emitJumpSlowCaseIfNotJSCell(regT2, currentInstruction[2].u.operand);
+    loadPtr(Address(regT2, JSCell::structureOffset()), regT1);
+    addSlowCase(branch8(NotEqual, Address(regT1, Structure::typeInfoTypeOffset()), TrustedImm32(ObjectType)));
+    
+    // now we know that the prototype is an object, but we don't know if it's got an
+    // inheritor ID
+    
+    loadPtr(Address(regT2, JSObject::offsetOfInheritorID()), regT2);
+    addSlowCase(branchTestPtr(Zero, regT2));
+    
+    // now regT2 contains the inheritorID, which is the structure that the newly
+    // allocated object will have.
+    
+    emitAllocateJSFinalObject(regT2, regT0, regT1);
+    
+    emitPutVirtualRegister(currentInstruction[1].u.operand);
+}
+
+void JIT::emitSlow_op_create_this(Instruction* currentInstruction, Vector<SlowCaseEntry>::iterator& iter)
+{
+    linkSlowCaseIfNotJSCell(iter, currentInstruction[2].u.operand); // not a cell
+    linkSlowCase(iter); // not an object
+    linkSlowCase(iter); // doesn't have an inheritor ID
+    linkSlowCase(iter); // allocation failed
     JITStubCall stubCall(this, cti_op_create_this);
     stubCall.addArgument(currentInstruction[2].u.operand, regT1);

trunk/Source/JavaScriptCore/jit/JITOpcodes32_64.cpp

@@ -486 +486 @@
 void JIT::emit_op_new_object(Instruction* currentInstruction)
 {
+    emitAllocateJSFinalObject(ImmPtr(m_codeBlock->globalObject()->emptyObjectStructure()), regT0, regT1);
+    
+    emitStoreCell(currentInstruction[1].u.operand, regT0);
+}
+
+void JIT::emitSlow_op_new_object(Instruction* currentInstruction, Vector<SlowCaseEntry>::iterator& iter)
+{
+    linkSlowCase(iter);
     JITStubCall(this, cti_op_new_object).call(currentInstruction[1].u.operand);
 }
@@ -1439 +1447 @@
 void JIT::emit_op_create_this(Instruction* currentInstruction)
 {
+    emitLoad(currentInstruction[2].u.operand, regT1, regT0);
+    emitJumpSlowCaseIfNotJSCell(currentInstruction[2].u.operand, regT1);
+    loadPtr(Address(regT0, JSCell::structureOffset()), regT1);
+    addSlowCase(branch8(NotEqual, Address(regT1, Structure::typeInfoTypeOffset()), TrustedImm32(ObjectType)));
+    
+    // now we know that the prototype is an object, but we don't know if it's got an
+    // inheritor ID
+    
+    loadPtr(Address(regT0, JSObject::offsetOfInheritorID()), regT2);
+    addSlowCase(branchTestPtr(Zero, regT2));
+    
+    // now regT2 contains the inheritorID, which is the structure that the newly
+    // allocated object will have.
+    
+    emitAllocateJSFinalObject(regT2, regT0, regT1);
+
+    emitStoreCell(currentInstruction[1].u.operand, regT0);
+}
+
+void JIT::emitSlow_op_create_this(Instruction* currentInstruction, Vector<SlowCaseEntry>::iterator& iter)
+{
+    linkSlowCaseIfNotJSCell(iter, currentInstruction[2].u.operand); // not a cell
+    linkSlowCase(iter); // not an object
+    linkSlowCase(iter); // doesn't have an inheritor ID
+    linkSlowCase(iter); // allocation failed
     unsigned protoRegister = currentInstruction[2].u.operand;
     emitLoad(protoRegister, regT1, regT0);

trunk/Source/JavaScriptCore/runtime/JSGlobalData.cpp

@@ -114 +114 @@
 extern JSC_CONST_HASHTABLE HashTable stringConstructorTable;
 
+void* JSGlobalData::jsFinalObjectVPtr;
 void* JSGlobalData::jsArrayVPtr;
 void* JSGlobalData::jsByteArrayVPtr;
@@ -133 +134 @@
     // COMPILE_ASSERTS below check that this is true.
     char storage[64];
+
+    COMPILE_ASSERT(sizeof(JSFinalObject) <= sizeof(storage), sizeof_JSFinalObject_must_be_less_than_storage);
+    JSCell* jsFinalObject = new (storage) JSFinalObject(JSFinalObject::VPtrStealingHack);
+    CLOBBER_MEMORY();
+    JSGlobalData::jsFinalObjectVPtr = jsFinalObject->vptr();
 
     COMPILE_ASSERT(sizeof(JSArray) <= sizeof(storage), sizeof_JSArray_must_be_less_than_storage);

trunk/Source/JavaScriptCore/runtime/JSGlobalData.h

@@ -183 +183 @@
 
         static void storeVPtrs();
+        static JS_EXPORTDATA void* jsFinalObjectVPtr;
         static JS_EXPORTDATA void* jsArrayVPtr;
         static JS_EXPORTDATA void* jsByteArrayVPtr;

trunk/Source/JavaScriptCore/runtime/JSObject.h

@@ -49 +49 @@
     class HashEntry;
     class InternalFunction;
+    class MarkedBlock;
     class PropertyDescriptor;
     class PropertyNameArray;
@@ -76 +77 @@
         friend class JIT;
         friend class JSCell;
+        friend class MarkedBlock;
         friend void setUpStaticFunctionSlot(ExecState* exec, const HashEntry* entry, JSObject* thisObj, const Identifier& propertyName, PropertySlot& slot);
 
@@ -251 +253 @@
         static size_t offsetOfInlineStorage();
         static size_t offsetOfPropertyStorage();
+        static size_t offsetOfInheritorID();
 
         static JS_EXPORTDATA const ClassInfo s_info;
@@ -358 +361 @@
 
     public:
+        explicit JSFinalObject(VPtrStealingHackType)
+            : JSObject(VPtrStealingHack, m_inlineStorage)
+        {
+        }
+        
         static JSFinalObject* create(ExecState* exec, Structure* structure)
         {
@@ -390 +398 @@
 {
     return OBJECT_OFFSETOF(JSObject, m_propertyStorage);
+}
+
+inline size_t JSObject::offsetOfInheritorID()
+{
+    return OBJECT_OFFSETOF(JSObject, m_inheritorID);
 }