Changeset 96238 in webkit

Timestamp:

Sep 28, 2011 11:05:03 AM (13 years ago)

Author:

barraclough@apple.com

Message:

Value profiling in baseline JIT for JSVALUE32_64
​https://bugs.webkit.org/show_bug.cgi?id=68750

Patch by Yuqiang Xian <​yuqiang.xian@intel.com> on 2011-09-27
Reviewed by Geoff Garen.

• jit/JITArithmetic32_64.cpp:

(JSC::JIT::emit_op_mul):
(JSC::JIT::emit_op_div):

• jit/JITCall32_64.cpp:

(JSC::JIT::emit_op_call_put_result):

• jit/JITOpcodes32_64.cpp:

(JSC::JIT::emit_op_resolve):
(JSC::JIT::emit_op_resolve_base):
(JSC::JIT::emit_op_resolve_skip):
(JSC::JIT::emit_op_resolve_global):
(JSC::JIT::emitSlow_op_resolve_global):
(JSC::JIT::emit_op_resolve_with_base):
(JSC::JIT::emit_op_resolve_with_this):

• jit/JITPropertyAccess32_64.cpp:

(JSC::JIT::emit_op_method_check):
(JSC::JIT::emit_op_get_by_val):
(JSC::JIT::emitSlow_op_get_by_val):
(JSC::JIT::emit_op_get_by_id):
(JSC::JIT::emitSlow_op_get_by_id):
(JSC::JIT::emit_op_get_scoped_var):
(JSC::JIT::emit_op_get_global_var):

• jit/JITStubCall.h:

(JSC::JITStubCall::callWithValueProfiling):

Location:

trunk/Source/JavaScriptCore

Files:

• ChangeLog (modified) (1 diff)
• jit/JITArithmetic.cpp (modified) (1 diff)
• jit/JITArithmetic32_64.cpp (modified) (5 diffs)
• jit/JITCall32_64.cpp (modified) (1 diff)
• jit/JITOpcodes32_64.cpp (modified) (7 diffs)
• jit/JITPropertyAccess32_64.cpp (modified) (7 diffs)
• jit/JITStubCall.h (modified) (1 diff)

trunk/Source/JavaScriptCore/ChangeLog

@@ +1 @@
+2011-09-27  Yuqiang Xian  <yuqiang.xian@intel.com>
+
+        Value profiling in baseline JIT for JSVALUE32_64
+        https://bugs.webkit.org/show_bug.cgi?id=68750
+
+        Reviewed by Geoff Garen.
+
+        * jit/JITArithmetic32_64.cpp:
+        (JSC::JIT::emit_op_mul):
+        (JSC::JIT::emit_op_div):
+        * jit/JITCall32_64.cpp:
+        (JSC::JIT::emit_op_call_put_result):
+        * jit/JITOpcodes32_64.cpp:
+        (JSC::JIT::emit_op_resolve):
+        (JSC::JIT::emit_op_resolve_base):
+        (JSC::JIT::emit_op_resolve_skip):
+        (JSC::JIT::emit_op_resolve_global):
+        (JSC::JIT::emitSlow_op_resolve_global):
+        (JSC::JIT::emit_op_resolve_with_base):
+        (JSC::JIT::emit_op_resolve_with_this):
+        * jit/JITPropertyAccess32_64.cpp:
+        (JSC::JIT::emit_op_method_check):
+        (JSC::JIT::emit_op_get_by_val):
+        (JSC::JIT::emitSlow_op_get_by_val):
+        (JSC::JIT::emit_op_get_by_id):
+        (JSC::JIT::emitSlow_op_get_by_id):
+        (JSC::JIT::emit_op_get_scoped_var):
+        (JSC::JIT::emit_op_get_global_var):
+        * jit/JITStubCall.h:
+        (JSC::JITStubCall::callWithValueProfiling):
+
 2011-09-28  Yuqiang Xian  <yuqiang.xian@intel.com>
 

trunk/Source/JavaScriptCore/jit/JITArithmetic.cpp

@@ -1049 +1049 @@
     divDouble(fpRegT1, fpRegT0);
     
-#if ENABLE(DFG_JIT)
+#if ENABLE(VALUE_PROFILER)
     // Is the result actually an integer? The DFG JIT would really like to know. If it's
     // not an integer, we increment a count. If this together with the slow case counter

trunk/Source/JavaScriptCore/jit/JITArithmetic32_64.cpp

@@ -859 +859 @@
                 emitStoreDouble(dst, fpRegT1);
                 break;
-            case op_div:
+            case op_div: {
                 emitLoadDouble(op1, fpRegT1);
                 divDouble(fpRegT0, fpRegT1);
+
+#if ENABLE(VALUE_PROFILER)
+                // Is the result actually an integer? The DFG JIT would really like to know. If it's
+                // not an integer, we increment a count. If this together with the slow case counter
+                // are below threshold then the DFG JIT will compile this division with a specualtion
+                // that the remainder is zero.
+                
+                // As well, there are cases where a double result here would cause an important field
+                // in the heap to sometimes have doubles in it, resulting in double predictions getting
+                // propagated to a use site where it might cause damage (such as the index to an array
+                // access). So if we are DFG compiling anything in the program, we want this code to
+                // ensure that it produces integers whenever possible.
+                
+                // FIXME: This will fail to convert to integer if the result is zero. We should
+                // distinguish between positive zero and negative zero here.
+                
+                JumpList notInteger;
+                branchConvertDoubleToInt32(fpRegT1, regT2, notInteger, fpRegT0);
+                // If we've got an integer, we might as well make that the result of the division.
+                emitStoreInt32(dst, regT2);
+                Jump isInteger = jump();
+                notInteger.link(this);
+                add32(Imm32(1), AbsoluteAddress(&m_codeBlock->specialFastCaseProfileForBytecodeOffset(m_bytecodeOffset)->m_counter));
                 emitStoreDouble(dst, fpRegT1);
-                break;
+                isInteger.link(this);
+#else
+                emitStoreDouble(dst, fpRegT1);
+#endif
+                break;
+            }
             case op_jless:
                 emitLoadDouble(op1, fpRegT2);
@@ -936 +964 @@
                 emitStoreDouble(dst, fpRegT0);
                 break;
-            case op_div:
+            case op_div: {
                 emitLoadDouble(op2, fpRegT2);
                 divDouble(fpRegT2, fpRegT0);
+#if ENABLE(VALUE_PROFILER)
+                // Is the result actually an integer? The DFG JIT would really like to know. If it's
+                // not an integer, we increment a count. If this together with the slow case counter
+                // are below threshold then the DFG JIT will compile this division with a specualtion
+                // that the remainder is zero.
+                
+                // As well, there are cases where a double result here would cause an important field
+                // in the heap to sometimes have doubles in it, resulting in double predictions getting
+                // propagated to a use site where it might cause damage (such as the index to an array
+                // access). So if we are DFG compiling anything in the program, we want this code to
+                // ensure that it produces integers whenever possible.
+                
+                // FIXME: This will fail to convert to integer if the result is zero. We should
+                // distinguish between positive zero and negative zero here.
+                
+                JumpList notInteger;
+                branchConvertDoubleToInt32(fpRegT0, regT2, notInteger, fpRegT1);
+                // If we've got an integer, we might as well make that the result of the division.
+                emitStoreInt32(dst, regT2);
+                Jump isInteger = jump();
+                notInteger.link(this);
+                add32(Imm32(1), AbsoluteAddress(&m_codeBlock->specialFastCaseProfileForBytecodeOffset(m_bytecodeOffset)->m_counter));
                 emitStoreDouble(dst, fpRegT0);
-                break;
+                isInteger.link(this);
+#else
+                emitStoreDouble(dst, fpRegT0);
+#endif
+                break;
+            }
             case op_jless:
                 emitLoadDouble(op2, fpRegT1);
@@ -989 +1044 @@
     unsigned op2 = currentInstruction[3].u.operand;
     OperandTypes types = OperandTypes::fromInt(currentInstruction[4].u.operand);
+
+#if ENABLE(VALUE_PROFILER)
+    m_codeBlock->addSpecialFastCaseProfile(m_bytecodeOffset);
+#endif
 
     JumpList notInt32Op1;
@@ -1031 +1090 @@
 
     negZero.link(this);
+#if ENABLE(VALUE_PROFILER)
+    // We only get here if we have a genuine negative zero. Record this,
+    // so that the speculative JIT knows that we failed speculation
+    // because of a negative zero.
+    add32(Imm32(1), AbsoluteAddress(&m_codeBlock->specialFastCaseProfileForBytecodeOffset(m_bytecodeOffset)->m_counter));
+#endif
     overflow.link(this);
 
@@ -1063 +1128 @@
     unsigned op2 = currentInstruction[3].u.operand;
     OperandTypes types = OperandTypes::fromInt(currentInstruction[4].u.operand);
+
+#if ENABLE(VALUE_PROFILER)
+    m_codeBlock->addSpecialFastCaseProfile(m_bytecodeOffset);
+#endif
 
     if (!supportsFloatingPoint()) {

trunk/Source/JavaScriptCore/jit/JITCall32_64.cpp

@@ -59 +59 @@
 {
     int dst = instruction[1].u.operand;
+    emitValueProfilingSite(FirstProfilingSite);
     emitStore(dst, regT1, regT0);
 }

trunk/Source/JavaScriptCore/jit/JITOpcodes32_64.cpp

@@ -617 +617 @@
     JITStubCall stubCall(this, cti_op_resolve);
     stubCall.addArgument(TrustedImmPtr(&m_codeBlock->identifier(currentInstruction[2].u.operand)));
-    stubCall.call(currentInstruction[1].u.operand);
+    stubCall.callWithValueProfiling(currentInstruction[1].u.operand, FirstProfilingSite);
 }
 
@@ -659 +659 @@
     JITStubCall stubCall(this, currentInstruction[3].u.operand ? cti_op_resolve_base_strict_put : cti_op_resolve_base);
     stubCall.addArgument(TrustedImmPtr(&m_codeBlock->identifier(currentInstruction[2].u.operand)));
-    stubCall.call(currentInstruction[1].u.operand);
+    stubCall.callWithValueProfiling(currentInstruction[1].u.operand, FirstProfilingSite);
 }
 
@@ -675 +675 @@
     stubCall.addArgument(TrustedImmPtr(&m_codeBlock->identifier(currentInstruction[2].u.operand)));
     stubCall.addArgument(Imm32(currentInstruction[3].u.operand));
-    stubCall.call(currentInstruction[1].u.operand);
+    stubCall.callWithValueProfiling(currentInstruction[1].u.operand, FirstProfilingSite);
 }
 
@@ -700 +700 @@
     load32(BaseIndex(regT2, regT3, TimesEight, OBJECT_OFFSETOF(JSValue, u.asBits.payload)), regT0); // payload
     load32(BaseIndex(regT2, regT3, TimesEight, OBJECT_OFFSETOF(JSValue, u.asBits.tag)), regT1); // tag
+    emitValueProfilingSite(FirstProfilingSite);
     emitStore(dst, regT1, regT0);
     map(m_bytecodeOffset + (dynamic ? OPCODE_LENGTH(op_resolve_global_dynamic) : OPCODE_LENGTH(op_resolve_global)), dst, regT1, regT0);
@@ -715 +716 @@
     stubCall.addArgument(TrustedImmPtr(ident));
     stubCall.addArgument(Imm32(currentIndex));
-    stubCall.call(dst);
+    stubCall.callWithValueProfiling(dst, SubsequentProfilingSite);
 }
 
@@ -1113 +1114 @@
     stubCall.addArgument(TrustedImmPtr(&m_codeBlock->identifier(currentInstruction[3].u.operand)));
     stubCall.addArgument(Imm32(currentInstruction[1].u.operand));
-    stubCall.call(currentInstruction[2].u.operand);
+    stubCall.callWithValueProfiling(currentInstruction[2].u.operand, FirstProfilingSite);
 }
 
@@ -1121 +1122 @@
     stubCall.addArgument(TrustedImmPtr(&m_codeBlock->identifier(currentInstruction[3].u.operand)));
     stubCall.addArgument(Imm32(currentInstruction[1].u.operand));
-    stubCall.call(currentInstruction[2].u.operand);
+    stubCall.callWithValueProfiling(currentInstruction[2].u.operand, FirstProfilingSite);
 }
 

trunk/Source/JavaScriptCore/jit/JITPropertyAccess32_64.cpp

@@ -145 +145 @@
     
     match.link(this);
+    emitValueProfilingSite(FirstProfilingSite);
     emitStore(dst, regT1, regT0);
     map(m_bytecodeOffset + OPCODE_LENGTH(op_method_check), dst, regT1, regT0);
@@ -217 +218 @@
     addSlowCase(branch32(Equal, regT1, TrustedImm32(JSValue::EmptyValueTag)));
     
+    emitValueProfilingSite(FirstProfilingSite);
     emitStore(dst, regT1, regT0);
     map(m_bytecodeOffset + OPCODE_LENGTH(op_get_by_val), dst, regT1, regT0);
@@ -248 +250 @@
     stubCall.addArgument(property);
     stubCall.call(dst);
+
+    emitValueProfilingSite(SubsequentProfilingSite);
 }
 
@@ -311 +315 @@
     emitJumpSlowCaseIfNotJSCell(base, regT1);
     compileGetByIdHotPath();
+    emitValueProfilingSite(FirstProfilingSite);
     emitStore(dst, regT1, regT0);
     map(m_bytecodeOffset + OPCODE_LENGTH(op_get_by_id), dst, regT1, regT0);
@@ -354 +359 @@
     
     compileGetByIdSlowCase(dst, base, &(m_codeBlock->identifier(ident)), iter);
+    emitValueProfilingSite(SubsequentProfilingSite);
 }
 
@@ -1018 +1024 @@
 
     emitLoad(index, regT1, regT0, regT2);
+    emitValueProfilingSite(FirstProfilingSite);
     emitStore(dst, regT1, regT0);
     map(m_bytecodeOffset + OPCODE_LENGTH(op_get_scoped_var), dst, regT1, regT0);
@@ -1059 +1066 @@
 
     emitLoad(index, regT1, regT0, regT2);
+    emitValueProfilingSite(FirstProfilingSite);
     emitStore(dst, regT1, regT0);
     map(m_bytecodeOffset + OPCODE_LENGTH(op_get_global_var), dst, regT1, regT0);

trunk/Source/JavaScriptCore/jit/JITStubCall.h

@@ -202 +202 @@
         }
         
-        JIT::Call callWithValueProfiling(unsigned dst, JIT::ValueProfilingSiteKind)
-        {
-            return call(dst);
+        JIT::Call callWithValueProfiling(unsigned dst, JIT::ValueProfilingSiteKind kind)
+        {
+            ASSERT(m_returnType == Value || m_returnType == Cell);
+            JIT::Call call = this->call();
+            m_jit->emitValueProfilingSite(kind);
+            if (m_returnType == Value)
+                m_jit->emitStore(dst, JIT::regT1, JIT::regT0);
+            else
+                m_jit->emitStoreCell(dst, JIT::returnValueRegister);
+            return call;
         }
 #else