Changeset 93466 in webkit

Timestamp:

Aug 19, 2011 7:17:49 PM (13 years ago)

Author:

fpizlo@apple.com

Message:

The JSC JIT currently has no facility to profile and report
the types of values
​https://bugs.webkit.org/show_bug.cgi?id=65901

Reviewed by Gavin Barraclough.

Added the ability to profile the values seen at function calls (both
arguments and results) and heap loads. This is done with emphasis
on performance. A value profiling site consists of: add, and,
move, and store; no branching is necessary. Each value profiling
site (called a ValueProfile) has a ring buffer of 8 recently-seen
values. ValueProfiles are stored in the CodeBlock; there will be
one for each argument (excluding this) and each heap load or callsite.
Each time a value profiling site executes, it stores the value into
a pseudo-random element in the ValueProfile buffer. The point is
that for frequently executed code, we will have 8 somewhat recent
values in the buffer and will be able to not only figure out what
type it is, but also to be able to reason about the actual values
if we wish to do so.

This feature is currently disabled by default. When enabled, it
results in a 3.7% slow-down on SunSpider.

• JavaScriptCore.xcodeproj/project.pbxproj:
• bytecode/CodeBlock.cpp:

(JSC::CodeBlock::~CodeBlock):

• bytecode/CodeBlock.h:

(JSC::CodeBlock::addValueProfile):
(JSC::CodeBlock::numberOfValueProfiles):
(JSC::CodeBlock::valueProfile):
(JSC::CodeBlock::valueProfileForBytecodeOffset):

• bytecode/ValueProfile.h: Added.

(JSC::ValueProfile::ValueProfile):
(JSC::ValueProfile::numberOfSamples):
(JSC::ValueProfile::computeProbability):
(JSC::ValueProfile::numberOfInt32s):
(JSC::ValueProfile::numberOfDoubles):
(JSC::ValueProfile::numberOfCells):
(JSC::ValueProfile::probabilityOfInt32):
(JSC::ValueProfile::probabilityOfDouble):
(JSC::ValueProfile::probabilityOfCell):
(JSC::getValueProfileBytecodeOffset):

• jit/JIT.cpp:

(JSC::JIT::privateCompileSlowCases):
(JSC::JIT::privateCompile):

• jit/JIT.h:

(JSC::JIT::emitValueProfilingSite):

• jit/JITCall.cpp:

(JSC::JIT::emit_op_call_put_result):

• jit/JITInlineMethods.h:

(JSC::JIT::emitValueProfilingSite):

• jit/JITPropertyAccess.cpp:

(JSC::JIT::emit_op_get_by_val):
(JSC::JIT::emitSlow_op_get_by_val):
(JSC::JIT::emit_op_method_check):
(JSC::JIT::emit_op_get_by_id):
(JSC::JIT::emitSlow_op_get_by_id):

• jit/JSInterfaceJIT.h:
• wtf/Platform.h:
• wtf/StdLibExtras.h:

(WTF::binarySearch):
(WTF::genericBinarySearch):

Location:

trunk/Source/JavaScriptCore

Files:

• ChangeLog (modified) (1 diff)
• JavaScriptCore.xcodeproj/project.pbxproj (modified) (4 diffs)
• bytecode/CodeBlock.cpp (modified) (1 diff)
• bytecode/CodeBlock.h (modified) (3 diffs)
• bytecode/ValueProfile.h (added)
• jit/JIT.cpp (modified) (3 diffs)
• jit/JIT.h (modified) (1 diff)
• jit/JITCall.cpp (modified) (1 diff)
• jit/JITInlineMethods.h (modified) (1 diff)
• jit/JITPropertyAccess.cpp (modified) (5 diffs)
• jit/JSInterfaceJIT.h (modified) (1 diff)
• wtf/Platform.h (modified) (1 diff)
• wtf/StdLibExtras.h (modified) (2 diffs)

trunk/Source/JavaScriptCore/ChangeLog

@@ +1 @@
+2011-08-19  Filip Pizlo  <fpizlo@apple.com>
+
+        The JSC JIT currently has no facility to profile and report
+        the types of values
+        https://bugs.webkit.org/show_bug.cgi?id=65901
+
+        Reviewed by Gavin Barraclough.
+        
+        Added the ability to profile the values seen at function calls (both
+        arguments and results) and heap loads.  This is done with emphasis
+        on performance.  A value profiling site consists of: add, and,
+        move, and store; no branching is necessary.  Each value profiling
+        site (called a ValueProfile) has a ring buffer of 8 recently-seen
+        values.  ValueProfiles are stored in the CodeBlock; there will be
+        one for each argument (excluding this) and each heap load or callsite.
+        Each time a value profiling site executes, it stores the value into
+        a pseudo-random element in the ValueProfile buffer.  The point is
+        that for frequently executed code, we will have 8 somewhat recent
+        values in the buffer and will be able to not only figure out what
+        type it is, but also to be able to reason about the actual values
+        if we wish to do so.
+        
+        This feature is currently disabled by default.  When enabled, it
+        results in a 3.7% slow-down on SunSpider.
+
+        * JavaScriptCore.xcodeproj/project.pbxproj:
+        * bytecode/CodeBlock.cpp:
+        (JSC::CodeBlock::~CodeBlock):
+        * bytecode/CodeBlock.h:
+        (JSC::CodeBlock::addValueProfile):
+        (JSC::CodeBlock::numberOfValueProfiles):
+        (JSC::CodeBlock::valueProfile):
+        (JSC::CodeBlock::valueProfileForBytecodeOffset):
+        * bytecode/ValueProfile.h: Added.
+        (JSC::ValueProfile::ValueProfile):
+        (JSC::ValueProfile::numberOfSamples):
+        (JSC::ValueProfile::computeProbability):
+        (JSC::ValueProfile::numberOfInt32s):
+        (JSC::ValueProfile::numberOfDoubles):
+        (JSC::ValueProfile::numberOfCells):
+        (JSC::ValueProfile::probabilityOfInt32):
+        (JSC::ValueProfile::probabilityOfDouble):
+        (JSC::ValueProfile::probabilityOfCell):
+        (JSC::getValueProfileBytecodeOffset):
+        * jit/JIT.cpp:
+        (JSC::JIT::privateCompileSlowCases):
+        (JSC::JIT::privateCompile):
+        * jit/JIT.h:
+        (JSC::JIT::emitValueProfilingSite):
+        * jit/JITCall.cpp:
+        (JSC::JIT::emit_op_call_put_result):
+        * jit/JITInlineMethods.h:
+        (JSC::JIT::emitValueProfilingSite):
+        * jit/JITPropertyAccess.cpp:
+        (JSC::JIT::emit_op_get_by_val):
+        (JSC::JIT::emitSlow_op_get_by_val):
+        (JSC::JIT::emit_op_method_check):
+        (JSC::JIT::emit_op_get_by_id):
+        (JSC::JIT::emitSlow_op_get_by_id):
+        * jit/JSInterfaceJIT.h:
+        * wtf/Platform.h:
+        * wtf/StdLibExtras.h:
+        (WTF::binarySearch):
+        (WTF::genericBinarySearch):
+
 2011-08-19  Daniel Bates  <dbates@webkit.org>
 

trunk/Source/JavaScriptCore/JavaScriptCore.xcodeproj/project.pbxproj

@@ -50 +50 @@
                 0BF28A2911A33DC300638F84 /* SizeLimits.cpp in Sources */ = {isa = PBXBuildFile; fileRef = 0BF28A2811A33DC300638F84 /* SizeLimits.cpp */; };
                 0F29479C126E698C00B3ABF5 /* DecimalNumber.cpp in Sources */ = {isa = PBXBuildFile; fileRef = 0F29479B126E698C00B3ABF5 /* DecimalNumber.cpp */; };
+                0F963B3813FC6FE90002D9B2 /* ValueProfile.h in Headers */ = {isa = PBXBuildFile; fileRef = 0F963B3613FC6FDE0002D9B2 /* ValueProfile.h */; settings = {ATTRIBUTES = (Private, ); }; };
                 1400067712A6F7830064D123 /* OSAllocator.h in Headers */ = {isa = PBXBuildFile; fileRef = 1400067612A6F7830064D123 /* OSAllocator.h */; settings = {ATTRIBUTES = (Private, ); }; };
                 1400069312A6F9E10064D123 /* OSAllocatorPosix.cpp in Sources */ = {isa = PBXBuildFile; fileRef = 1400069212A6F9E10064D123 /* OSAllocatorPosix.cpp */; };
@@ -730 +731 @@
                 0BF28A2811A33DC300638F84 /* SizeLimits.cpp */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.cpp.cpp; path = SizeLimits.cpp; sourceTree = "<group>"; };
                 0F29479B126E698C00B3ABF5 /* DecimalNumber.cpp */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.cpp.cpp; path = DecimalNumber.cpp; sourceTree = "<group>"; };
+                0F963B3613FC6FDE0002D9B2 /* ValueProfile.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = ValueProfile.h; sourceTree = "<group>"; };
                 1400067612A6F7830064D123 /* OSAllocator.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = OSAllocator.h; sourceTree = "<group>"; };
                 1400069212A6F9E10064D123 /* OSAllocatorPosix.cpp */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.cpp.cpp; path = OSAllocatorPosix.cpp; sourceTree = "<group>"; };
@@ -2164 +2166 @@
                         isa = PBXGroup;
                         children = (
+                                0F963B3613FC6FDE0002D9B2 /* ValueProfile.h */,
                                 969A07900ED1D3AE00F1F681 /* CodeBlock.cpp */,
                                 969A07910ED1D3AE00F1F681 /* CodeBlock.h */,
@@ -2231 +2234 @@
                                 86ADD1450FDDEA980006EEC2 /* ARMv7Assembler.h in Headers */,
                                 BC18C3E60E16F5CD00B34460 /* ArrayConstructor.h in Headers */,
+                                0F963B3813FC6FE90002D9B2 /* ValueProfile.h in Headers */,
                                 BC18C3E70E16F5CD00B34460 /* ArrayPrototype.h in Headers */,
                                 BC18C5240E16FC8A00B34460 /* ArrayPrototype.lut.h in Headers */,

trunk/Source/JavaScriptCore/bytecode/CodeBlock.cpp

@@ -1433 +1433 @@
 CodeBlock::~CodeBlock()
 {
+#if ENABLE(VERBOSE_VALUE_PROFILE)
+    printf("ValueProfile for %p:\n", this);
+    for (unsigned i = 0; i < numberOfValueProfiles(); ++i) {
+        ValueProfile* profile = valueProfile(i);
+        if (profile->bytecodeOffset < 0) {
+            ASSERT(profile->bytecodeOffset == -1);
+            printf("   arg = %u: ", i + 1);
+        } else
+            printf("   bc = %d: ", profile->bytecodeOffset);
+        printf("samples = %u, int32 = %u, double = %u, cell = %u\n",
+               profile->numberOfSamples(),
+               profile->probabilityOfInt32(),
+               profile->probabilityOfDouble(),
+               profile->probabilityOfCell());
+    }
+#endif
+
 #if ENABLE(JIT)
     for (size_t size = m_structureStubInfos.size(), i = 0; i < size; ++i)

trunk/Source/JavaScriptCore/bytecode/CodeBlock.h

@@ -40 +40 @@
 #include "RegExpObject.h"
 #include "UString.h"
+#include "ValueProfile.h"
 #include <wtf/FastAllocBase.h>
 #include <wtf/PassOwnPtr.h>
 #include <wtf/RefPtr.h>
+#include <wtf/SegmentedVector.h>
 #include <wtf/Vector.h>
 
@@ -382 +384 @@
         MethodCallLinkInfo& methodCallLinkInfo(int index) { return m_methodCallLinkInfos[index]; }
 #endif
+        
+#if ENABLE(VALUE_PROFILER)
+        ValueProfile* addValueProfile(int bytecodeOffset)
+        {
+            m_valueProfiles.append(ValueProfile(bytecodeOffset));
+            return &m_valueProfiles.last();
+        }
+        unsigned numberOfValueProfiles() { return m_valueProfiles.size(); }
+        ValueProfile* valueProfile(int index) { return &m_valueProfiles[index]; }
+        ValueProfile* valueProfileForBytecodeOffset(int bytecodeOffset)
+        {
+            return WTF::genericBinarySearch<ValueProfile, int, getValueProfileBytecodeOffset>(m_valueProfiles, m_valueProfiles.size(), bytecodeOffset);
+        }
+#endif
+
         unsigned globalResolveInfoCount() const
         {
@@ -576 +593 @@
         Vector<CallLinkInfo> m_callLinkInfos;
         Vector<MethodCallLinkInfo> m_methodCallLinkInfos;
+#endif
+#if ENABLE(VALUE_PROFILER)
+        SegmentedVector<ValueProfile, 8> m_valueProfiles;
 #endif
 

trunk/Source/JavaScriptCore/jit/JIT.cpp

@@ -373 +373 @@
     m_globalResolveInfoIndex = 0;
     m_callLinkInfoIndex = 0;
+    
+#if !ASSERT_DISABLED && ENABLE(VALUE_PROFILER)
+    // Use this to assert that slow-path code associates new profiling sites with existing
+    // ValueProfiles rather than creating new ones. This ensures that for a given instruction
+    // (say, get_by_id) we get combined statistics for both the fast-path executions of that
+    // instructions and the slow-path executions. Furthermore, if the slow-path code created
+    // new ValueProfiles then the ValueProfiles would no longer be sorted by bytecode offset,
+    // which would break the invariant necessary to use CodeBlock::valueProfileForBytecodeOffset().
+    unsigned numberOfValueProfiles = m_codeBlock->numberOfValueProfiles();
+#endif
 
     for (Vector<SlowCaseEntry>::iterator iter = m_slowCases.begin(); iter != m_slowCases.end();) {
@@ -462 +472 @@
     ASSERT(m_propertyAccessInstructionIndex == m_propertyAccessCompilationInfo.size());
     ASSERT(m_callLinkInfoIndex == m_callStructureStubCompilationInfo.size());
+#if ENABLE(VALUE_PROFILER)
+    ASSERT(numberOfValueProfiles == m_codeBlock->numberOfValueProfiles());
+#endif
 
 #ifndef NDEBUG
@@ -491 +504 @@
         static SamplingCounter counter("orignalJIT");
         emitCount(counter);
+#endif
+
+#if ENABLE(VALUE_PROFILER)
+        ASSERT(m_bytecodeOffset == (unsigned)-1);
+        for (int argumentRegister = -RegisterFile::CallFrameHeaderSize - m_codeBlock->m_numParameters + 1; argumentRegister < -RegisterFile::CallFrameHeaderSize; ++argumentRegister) {
+            loadPtr(Address(callFrameRegister, argumentRegister * sizeof(Register)), regT0);
+            emitValueProfilingSite(FirstProfilingSite);
+        }
 #endif
 

trunk/Source/JavaScriptCore/jit/JIT.h

@@ -305 +305 @@
         template<typename T> void emitAllocateJSFinalObject(T structure, RegisterID result, RegisterID storagePtr);
         void emitAllocateJSFunction(FunctionExecutable*, RegisterID scopeChain, RegisterID result, RegisterID storagePtr);
+        
+        enum ValueProfilingSiteKind { FirstProfilingSite, SubsequentProfilingSite };
+#if ENABLE(VALUE_PROFILER)
+        // This assumes that the value to profile is in regT0 and that regT3 is available for
+        // scratch.
+        void emitValueProfilingSite(ValueProfilingSiteKind);
+#else
+        void emitValueProfilingSite(ValueProfilingSiteKind) { }
+#endif
 
 #if USE(JSVALUE32_64)

trunk/Source/JavaScriptCore/jit/JITCall.cpp

@@ -59 +59 @@
 {
     int dst = instruction[1].u.operand;
+    emitValueProfilingSite(FirstProfilingSite);
     emitPutVirtualRegister(dst);
 }

trunk/Source/JavaScriptCore/jit/JITInlineMethods.h

@@ -431 +431 @@
 }
 
+#if ENABLE(VALUE_PROFILER)
+inline void JIT::emitValueProfilingSite(ValueProfilingSiteKind siteKind)
+{
+    const RegisterID value = regT0;
+    const RegisterID scratch = regT3;
+    
+    ValueProfile* valueProfile;
+    if (siteKind == FirstProfilingSite)
+        valueProfile = m_codeBlock->addValueProfile(m_bytecodeOffset);
+    else {
+        ASSERT(siteKind == SubsequentProfilingSite);
+        valueProfile = m_codeBlock->valueProfileForBytecodeOffset(m_bytecodeOffset);
+    }
+    
+    ASSERT(valueProfile);
+    
+    if (m_randomGenerator.getUint32() & 1)
+        add32(Imm32(1), bucketCounterRegister);
+    else
+        add32(Imm32(3), bucketCounterRegister);
+    and32(Imm32(ValueProfile::bucketIndexMask), bucketCounterRegister);
+    move(ImmPtr(valueProfile->buckets), scratch);
+    storePtr(value, BaseIndex(scratch, bucketCounterRegister, TimesEight));
+}
+#endif
+
 #if USE(JSVALUE32_64)
 

trunk/Source/JavaScriptCore/jit/JITPropertyAccess.cpp

@@ -108 +108 @@
     addSlowCase(branchTestPtr(Zero, regT0));
 
+    emitValueProfilingSite(FirstProfilingSite);
     emitPutVirtualRegister(dst);
 }
@@ -137 +138 @@
     stubCall.addArgument(property, regT2);
     stubCall.call(dst);
+
+    emitValueProfilingSite(SubsequentProfilingSite);
 }
 
@@ -319 +322 @@
 
     match.link(this);
+    emitValueProfilingSite(FirstProfilingSite);
     emitPutVirtualRegister(resultVReg);
 
@@ -346 +350 @@
     emitGetVirtualRegister(baseVReg, regT0);
     compileGetByIdHotPath(baseVReg, ident);
+    emitValueProfilingSite(FirstProfilingSite);
     emitPutVirtualRegister(resultVReg);
 }
@@ -388 +393 @@
 
     compileGetByIdSlowCase(resultVReg, baseVReg, ident, iter, false);
+    emitValueProfilingSite(SubsequentProfilingSite);
 }
 

trunk/Source/JavaScriptCore/jit/JSInterfaceJIT.h

@@ -56 +56 @@
         static const RegisterID firstArgumentRegister = X86Registers::edi;
         
+#if ENABLE(VALUE_PROFILER)
+        static const RegisterID bucketCounterRegister = X86Registers::r10;
+#endif
+        
         static const RegisterID timeoutCheckRegister = X86Registers::r12;
         static const RegisterID callFrameRegister = X86Registers::r13;

trunk/Source/JavaScriptCore/wtf/Platform.h

@@ -969 +969 @@
 #endif
 
+/* Currently only implemented for JSVALUE64, only tested on PLATFORM(MAC) */
+#if !defined(ENABLE_VALUE_PROFILER) && ENABLE(JIT) && USE(JSVALUE64) && PLATFORM(MAC)
+#define ENABLE_VALUE_PROFILER 0
+#endif
+
+#if !defined(ENABLE_VERBOSE_VALUE_PROFILE) && ENABLE(VALUE_PROFILER)
+#define ENABLE_VERBOSE_VALUE_PROFILE 0
+#endif
+
 /* Ensure that either the JIT or the interpreter has been enabled. */
 #if !defined(ENABLE_INTERPRETER) && !ENABLE(JIT)

trunk/Source/JavaScriptCore/wtf/StdLibExtras.h

@@ -131 +131 @@
 // Binary search algorithm, calls extractKey on pre-sorted elements in array,
 // compares result with key (KeyTypes should be comparable with '--', '<', '>').
-template<typename ArrayType, typename KeyType, KeyType(*extractKey)(ArrayType*)>
-inline ArrayType* binarySearch(ArrayType* array, size_t size, KeyType key, BinarySearchMode mode = KeyMustBePresentInArray)
+template<typename ArrayElementType, typename KeyType, KeyType(*extractKey)(ArrayElementType*)>
+inline ArrayElementType* binarySearch(ArrayElementType* array, size_t size, KeyType key, BinarySearchMode mode = KeyMustBePresentInArray)
 {
     // The array must contain at least one element (pre-condition, array does contain key).
@@ -169 +169 @@
 }
 
+// Modified binarySearch() algorithm designed for array-like classes that support
+// operator[] but not operator+=. One example of a class that qualifies is
+// SegmentedVector.
+template<typename ArrayElementType, typename KeyType, KeyType(*extractKey)(ArrayElementType*), typename ArrayType>
+inline ArrayElementType* genericBinarySearch(ArrayType& array, size_t size, KeyType key)
+{
+    // The array must contain at least one element (pre-condition, array does conatin key).
+    // If the array only contains one element, no need to do the comparison.
+    size_t offset = 0;
+    while (size > 1) {
+        // Pick an element to check, half way through the array, and read the value.
+        int pos = (size - 1) >> 1;
+        KeyType val = extractKey(&array[offset + pos]);
+        
+        // If the key matches, success!
+        if (val == key)
+            return &array[offset + pos];
+        // The item we are looking for is smaller than the item being check; reduce the value of 'size',
+        // chopping off the right hand half of the array.
+        if (key < val)
+            size = pos;
+        // Discard all values in the left hand half of the array, up to and including the item at pos.
+        else {
+            size -= (pos + 1);
+            offset += (pos + 1);
+        }
+
+        // 'size' should never reach zero.
+        ASSERT(size);
+    }
+    
+    // If we reach this point we've chopped down to one element, no need to check it matches
+    ASSERT(size == 1);
+    ASSERT(key == extractKey(&array[offset]));
+    return &array[offset];
+}
+
 } // namespace WTF