wiki:FTLJIT

Version 9 (modified by fpizlo@apple.com, 10 years ago) (diff)

--

JavaScriptCore uses LLVM for a top-tier high-throughput optimizing JIT, which we call the FTL (Fourth Tier LLVM). See https://bugs.webkit.org/show_bug.cgi?id=112840 for the bug that tracked this work. This was done as part of our effort to increase our latency-throughput adaptability range, and included other things like our concurrent JIT implementation; all of the tasks involved can be seen in https://bugs.webkit.org/showdependencytree.cgi?id=112836&hide_resolved=0. A lot of the future work to further improve the FTL JIT is tracked under https://bugs.webkit.org/show_bug.cgi?id=132356.

The FTL JIT is now enabled by default on the Mac port.

Two detailed blog posts have been written about the FTL; they currently serve as the best documentation of the FTL's architecture; see: https://www.webkit.org/blog/3362/introducing-the-webkit-ftl-jit/ and http://blog.llvm.org/2014/07/ftl-webkits-llvm-based-jit.html.

Overview

The FTL is integrated as an alternative backend for the DFG JIT but largely reuses existing DFG functionality. The FTL differs from the DFG as follows:

  • Instead of generating machine code directly from the DFG IR, the DFG IR is lowered to LLVM IR and then the LLVM optimization pipeline and backend are invoked to generate machine code. That machine code is then managed by the JSC executable memory manager no differently than if it were generated by our own backends.
  • Additional DFG phases are used. Running in FTL mode causes the DFG to lower to SSA even before lowering to LLVM IR. Additional optimizations like LICM are performed on the DFG-SSA IR.

The FTL JIT supports key DFG concepts like OSR entry, OSR exit, concurrent compilation, and self-modifying code for inline caches that we use for things like GetById (i.e. v = o.f), PutById (i.e. o.f = v), Call/Construct, and In (i.e. "foo" in o).

Try it out

Building

The FTL JIT is enabled by default, so you shouldn't have to do anything special to build it. All of the Apple WebKit ports' build modes support the FTL: it will be built and enabled via build-jsc, build-webkit, make, and building from Xcode. This is made possible by including binary drops of known-good LLVM versions in the WebKit repository (more on that below).

On non-"Apple WebKit" platforms, the FTL JIT is disabled, but the --ftl-jit flag will force it enabled. Your mileage may vary, though, since currently only Mac and iOS is supported by the FTL JIT. Here's an example of using the --ftl-jit flag:

Tools/Scripts/build-jsc --ftl-jit --debug

or:

Tools/Scripts/build-jsc --ftl-jit --release

Building from binary drops

The WebKit repository includes LLVM binary drops for Mountain Lion and Mavericks in trunk/WebKitLibraries. On those systems, the build system will automatically pull LLVM from those binary drops. This is done in Tools/Scripts/copy-webkitlibraries-to-product-directory.

Building from your own LLVM checkout

The easiest way to build with your own LLVM checkout is to check out llvm into a directory called 'llvm' directly inside your checkout of WebKit. If you do this, build-jsc and friends will automatically configure and make this LLVM tree and pull the binaries into WebKit's build. LLVM's configure script is only run if we detect that you hadn't already run it. The default configuration parameters are kept in Tools/Scripts/copy-webkitlibraries-to-product-directory. You can configure LLVM yourself, so long as you follow the same build directory structure as that script expects: within the llvm directory, we expect a "wkLLVMBuild" subdirectory. This will be used as the build directory.

Note that this handles dependencies pretty well. For example, if you make changes in LLVM that lead to some libraries that WebKit depends on being recompiled, but don't change any LLVM headers, this will still cause the JavaScriptCore framework to be relinked.

There are two alternatives that give you varying degrees of control over how WebKit builds LLVM.

  • You can put your LLVM checkout wherever you like and then make sure that the LLVM_SOURCE_PATH environment variable to tell WebKit's build system where the checkout is. WebKit's build system will still configure/make LLVM as necessary every time you build WebKit.
  • You can build LLVM yourself and opt out of WebKit building it for you. The process for this is a bit convoluted, but it does work. After you build LLVM, use the Tools/Scripts/export-llvm-build script to create tarballs of LLVM's headers and libraries. Then use the LLVM_LIBRARY_PACKAGE and LLVM_INCLUDE_PACKAGE environment variables to tell us where you put those tarballs.

For further information, consult the Tools/Scripts/copy-webkitlibraries-to-product-directory script, which handles all of this magic.

Running and Testing

The FTL JIT is runtime-enabled on those platforms where it is build-time-enabled. The --useFTLJIT flag can be used to disable it. Note that the FTL only kicks in for functions that run many times - 100,000 executions is typically required to ensure that the function is FTL-compiled. Because FTL compilation is queued up and done concurrently, for simple programs even 100,000 executions may not be enough to really trigger the FTL: the program may exit while the FTL compilation task is still queued or on-going. You can disable this by doing:

DYLD_FRAMEWORK_PATH=WebKitBuild/Debug WebKitBuild/Debug/jsc --enableConcurrentJIT=false <my JS program>

Note that all jsc command-line options can also be passed as environment variables, which is useful if you're running an application that deeply embeds JavaScriptCore (for example, a browser). In this case you would do:

export JSC_enableConcurrentJIT=false

Looking at IR

Additional options allow for inspecting the IR that the FTL generates.

See if LLVM is being used to compile a function

DYLD_FRAMEWORK_PATH=WebKitBuild/Debug WebKitBuild/Debug/jsc --reportCompileTimes=true <my JS program>

Dump all LLVM IR

DYLD_FRAMEWORK_PATH=WebKitBuild/Debug WebKitBuild/Debug/jsc --dumpLLVMIR=true <my JS program>

Dump DFG IR and LLVM IR before and after LLVM optimization

DYLD_FRAMEWORK_PATH=WebKitBuild/Debug WebKitBuild/Debug/jsc --verboseFTLCompilation=true <my JS program>

This will also tell if why some functions don't get FTL compiled. The FTL doesn't have full coverage over DFG IR yet. If JSC chooses not to use the FTL JIT for a code block, you will see a dump explaining why.

Dump all machine code

DYLD_FRAMEWORK_PATH=WebKitBuild/Debug WebKitBuild/Debug/jsc --showDFGDisassembly=true <my JS program>

This will also dump FTL disassembly, using the LLVM disassembler.