[webkit-changes] [WebKit/WebKit] 1a5636: [JSC] Add JIT optimizations for ResizableArrayBuffers

Yusuke Suzuki noreply at github.com
Thu Nov 24 16:48:13 PST 2022


  Branch: refs/heads/main
  Home:   https://github.com/WebKit/WebKit
  Commit: 1a5636acd02ea65e4795ca8d19f1111ae088e413
      https://github.com/WebKit/WebKit/commit/1a5636acd02ea65e4795ca8d19f1111ae088e413
  Author: Yusuke Suzuki <ysuzuki at apple.com>
  Date:   2022-11-24 (Thu, 24 Nov 2022)

  Changed paths:
    A JSTests/microbenchmarks/emscripten-cube2hash-resizable.js
    A JSTests/stress/resizable-bytelength.js
    A JSTests/stress/resizable-byteoffset.js
    A JSTests/stress/resizable-length.js
    M Source/JavaScriptCore/assembler/MacroAssemblerARM64.h
    M Source/JavaScriptCore/assembler/MacroAssemblerRISCV64.h
    M Source/JavaScriptCore/assembler/MacroAssemblerX86Common.h
    M Source/JavaScriptCore/assembler/MacroAssemblerX86_64.h
    M Source/JavaScriptCore/bytecode/AccessCase.cpp
    M Source/JavaScriptCore/bytecode/AccessCase.h
    M Source/JavaScriptCore/bytecode/IntrinsicGetterAccessCase.h
    M Source/JavaScriptCore/bytecode/PolymorphicAccess.cpp
    M Source/JavaScriptCore/bytecode/Repatch.cpp
    M Source/JavaScriptCore/dfg/DFGArrayMode.cpp
    M Source/JavaScriptCore/dfg/DFGByteCodeParser.cpp
    M Source/JavaScriptCore/dfg/DFGClobberize.h
    M Source/JavaScriptCore/dfg/DFGNode.h
    M Source/JavaScriptCore/dfg/DFGOSRExit.cpp
    M Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp
    M Source/JavaScriptCore/dfg/DFGSpeculativeJIT.h
    M Source/JavaScriptCore/dfg/DFGSpeculativeJIT64.cpp
    M Source/JavaScriptCore/ftl/FTLLowerDFGToB3.cpp
    M Source/JavaScriptCore/jit/AssemblyHelpers.cpp
    M Source/JavaScriptCore/jit/AssemblyHelpers.h
    M Source/JavaScriptCore/jit/IntrinsicEmitter.cpp
    M Source/JavaScriptCore/runtime/ArrayBuffer.h
    M Source/JavaScriptCore/runtime/JSDataView.h
    M Source/JavaScriptCore/runtime/TypedArrayType.cpp
    M Source/JavaScriptCore/runtime/TypedArrayType.h

  Log Message:
  -----------
  [JSC] Add JIT optimizations for ResizableArrayBuffers
https://bugs.webkit.org/show_bug.cgi?id=248206
rdar://problem/102597308

Reviewed by Ross Kirsling.

This patch adds JIT optimizations for resizable ArrayBuffer. Right now, our generated code is not so tightly optimized (in terms of code size in particular),
but still it offers a large improvement already, so this is a great step as a first implementation.

1. We add JIT getter optimizations for TypedArray intrinsic getters. They are implemented in IntrinsicEmitter.
2. We add JIT AccessCase optimizations for resizable TypedArrays. IC can detect resizable TypedArrays, and generate IndexedResizableTypedArray* ICes.
   We do not extend existing TypedArray IC to handle resizable TypedArrays since we would like to keep existing ICes super tightly optimized.
   We should generate this IC handling resizable TypedArrays gracefully only when we found resizable TypedArrays.
3. We annotate ArrayProfile based on profiling and DFG OSR exit so that we can know resizable TypedArrays in DFG / FTL. Based on that, we optimize DFG / FTL
   nodes handling TypedArrays. When we didn't observe resizable TypedArrays, we make resizable TypedArrays OSR exit to make node super tightly optimized and
   avoid saying pessimized clobbering information.
4. We implement DFG / FTL nodes handling resizable TypedArrays. We use (1) and (2)'s JIT code generation to implement them. Ideally, we can do a more optimized thing
   in FTL by generating B3 nodes for this instead of using patchpoint. But currently B3 lacks AtomicLoad nodes, so we first just use patchpoint to implement FTL
   optimization.

This patch improved emscripten-cube2hash-resizable benchmark by 2x.

                                            ToT                     Patched

emscripten-cube2hash-resizable       19.1501+-0.0248     ^      9.1659+-0.0471        ^ definitely 2.0893x faster

* JSTests/microbenchmarks/emscripten-cube2hash-resizable.js: Added.
(key.in.Module.Module.hasOwnProperty):
(ENVIRONMENT_IS_NODE.Module.string_appeared_here):
(else.Module.string_appeared_here):
(else.else.Module.string_appeared_here):
(else):
(else.else):
(globalEval):
(Module.string_appeared_here.string_appeared_here.Module.string_appeared_here.Module.string_appeared_here):
(Module.string_appeared_here.Module.string_appeared_here):
(key.in.moduleOverrides.moduleOverrides.hasOwnProperty):
(Runtime.stackSave):
(Runtime.stackRestore):
(Runtime.forceAlign):
(Runtime.isNumberType):
(Runtime.isPointerType):
(Runtime.isStructType):
* JSTests/stress/resizable-bytelength.js: Added.
(shouldBe):
(test):
* JSTests/stress/resizable-byteoffset.js: Added.
(shouldBe):
(test):
* JSTests/stress/resizable-length.js: Added.
(shouldBe):
(test):
* Source/JavaScriptCore/assembler/MacroAssemblerARM64.h:
(JSC::MacroAssemblerARM64::lshift32):
(JSC::MacroAssemblerARM64::lshift64):
(JSC::MacroAssemblerARM64::loadAcq32):
(JSC::MacroAssemblerARM64::loadAcq64):
(JSC::MacroAssemblerARM64::atomicLoad32):
(JSC::MacroAssemblerARM64::atomicLoad64):
* Source/JavaScriptCore/assembler/MacroAssemblerRISCV64.h:
(JSC::MacroAssemblerRISCV64::lshift32):
(JSC::MacroAssemblerRISCV64::lshift64):
(JSC::MacroAssemblerRISCV64::atomicLoad32):
(JSC::MacroAssemblerRISCV64::atomicLoad64):
* Source/JavaScriptCore/assembler/MacroAssemblerX86Common.h:
(JSC::MacroAssemblerX86Common::lshift32):
(JSC::MacroAssemblerX86Common::atomicLoad32):
* Source/JavaScriptCore/assembler/MacroAssemblerX86_64.h:
(JSC::MacroAssemblerX86_64::lshift64):
(JSC::MacroAssemblerX86_64::atomicLoad64):
* Source/JavaScriptCore/bytecode/AccessCase.cpp:
(JSC::AccessCase::create):
(JSC::AccessCase::guardedByStructureCheckSkippingConstantIdentifierCheck const):
(JSC::AccessCase::requiresIdentifierNameMatch const):
(JSC::AccessCase::requiresInt32PropertyCheck const):
(JSC::AccessCase::needsScratchFPR const):
(JSC::AccessCase::forEachDependentCell const):
(JSC::AccessCase::doesCalls const):
(JSC::AccessCase::canReplace const):
(JSC::AccessCase::generateWithGuard):
(JSC::AccessCase::generateImpl):
(JSC::AccessCase::toTypedArrayType):
(JSC::AccessCase::forResizableTypedArray):
(JSC::AccessCase::runWithDowncast):
(JSC::AccessCase::canBeShared):
* Source/JavaScriptCore/bytecode/AccessCase.h:
* Source/JavaScriptCore/bytecode/IntrinsicGetterAccessCase.h:
* Source/JavaScriptCore/bytecode/PolymorphicAccess.cpp:
(WTF::printInternal):
* Source/JavaScriptCore/bytecode/Repatch.cpp:
(JSC::tryCacheArrayGetByVal):
(JSC::tryCacheArrayPutByVal):
* Source/JavaScriptCore/dfg/DFGArrayMode.cpp:
(JSC::DFG::ArrayMode::refine const):
* Source/JavaScriptCore/dfg/DFGByteCodeParser.cpp:
(JSC::DFG::ByteCodeParser::handleIntrinsicCall):
(JSC::DFG::ByteCodeParser::handleIntrinsicGetter):
* Source/JavaScriptCore/dfg/DFGClobberize.h:
(JSC::DFG::clobberize):
* Source/JavaScriptCore/dfg/DFGNode.h:
* Source/JavaScriptCore/dfg/DFGOSRExit.cpp:
(JSC::DFG::OSRExit::compileExit):
* Source/JavaScriptCore/dfg/DFGOperations.cpp:
(JSC::DFG::JSC_DEFINE_JIT_OPERATION):
* Source/JavaScriptCore/dfg/DFGOperations.h:
* Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp:
(JSC::DFG::SpeculativeJIT::jumpForTypedArrayOutOfBounds):
(JSC::DFG::SpeculativeJIT::emitTypedArrayBoundsCheck):
(JSC::DFG::SpeculativeJIT::jumpForTypedArrayIsDetachedIfOutOfBounds):
(JSC::DFG::SpeculativeJIT::compileGetByValOnIntTypedArray):
(JSC::DFG::SpeculativeJIT::compilePutByValForIntTypedArray):
* Source/JavaScriptCore/dfg/DFGSpeculativeJIT.h:
* Source/JavaScriptCore/dfg/DFGSpeculativeJIT64.cpp:
(JSC::DFG::SpeculativeJIT::compileGetTypedArrayLengthAsInt52):
(JSC::DFG::SpeculativeJIT::compileGetTypedArrayByteOffsetAsInt52):
(JSC::DFG::SpeculativeJIT::compile):
* Source/JavaScriptCore/ftl/FTLLowerDFGToB3.cpp:
(JSC::FTL::DFG::LowerDFGToB3::emitGetTypedArrayByteOffsetExceptSettingResult):
(JSC::FTL::DFG::LowerDFGToB3::typedArrayLength):
(JSC::FTL::DFG::LowerDFGToB3::compileGetArrayLength):
(JSC::FTL::DFG::LowerDFGToB3::compileGetTypedArrayLengthAsInt52):
(JSC::FTL::DFG::LowerDFGToB3::compileCompareStrictEq):
* Source/JavaScriptCore/jit/AssemblyHelpers.cpp:
(JSC::AssemblyHelpers::branchIfResizableOrGrowableSharedTypedArrayIsOutOfBounds):
(JSC::AssemblyHelpers::loadTypedArrayByteLengthImpl):
(JSC::AssemblyHelpers::loadTypedArrayByteLength):
(JSC::AssemblyHelpers::loadTypedArrayLength):
* Source/JavaScriptCore/jit/AssemblyHelpers.h:
* Source/JavaScriptCore/jit/IntrinsicEmitter.cpp:
(JSC::IntrinsicGetterAccessCase::canEmitIntrinsicGetter):
(JSC::IntrinsicGetterAccessCase::doesCalls const):
(JSC::IntrinsicGetterAccessCase::emitIntrinsicGetter):
* Source/JavaScriptCore/jit/JITOperations.h:
* Source/JavaScriptCore/runtime/ArrayBuffer.h:
* Source/JavaScriptCore/runtime/JSDataView.h:
(JSC::JSDataView::offsetOfBuffer):
* Source/JavaScriptCore/runtime/TypedArrayType.cpp:
* Source/JavaScriptCore/runtime/TypedArrayType.h:

Canonical link: https://commits.webkit.org/257001@main
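
Added example (not part of the commit and not JavaScriptCore code): a plain JavaScript model of the values the length, byteLength and byteOffset getters and the bounds check must produce for a TypedArray over a resizable ArrayBuffer, following ECMAScript's out-of-bounds rules. The object shapes and function names are hypothetical, and the resize sequence is constructed.

```javascript
// Model only: `view.length === undefined` means a length-tracking view
// (constructed without an explicit length). All names here are hypothetical.
function isOutOfBounds(view, buf) {
  if (buf.detached) return true;
  const start = view.byteOffset;
  const end = view.length === undefined
    ? buf.byteLength                           // tracks the end of the buffer
    : start + view.length * view.elementSize;  // fixed window
  return start > buf.byteLength || end > buf.byteLength;
}

function getters(view, buf) {
  // Out of bounds: every getter reports 0, so no index can be valid.
  if (isOutOfBounds(view, buf)) return { length: 0, byteLength: 0, byteOffset: 0 };
  const length = view.length === undefined
    ? Math.floor((buf.byteLength - view.byteOffset) / view.elementSize)
    : view.length;
  return { length, byteLength: length * view.elementSize, byteOffset: view.byteOffset };
}

// An index is checked against the length computed at access time,
// never against a value cached before a resize.
function inBounds(view, buf, index) {
  return Number.isInteger(index) && index >= 0 && index < getters(view, buf).length;
}

// Constructed scenario: Uint32-sized views at byte offset 8 over a buffer
// that is resized several times (maxByteLength assumed to be at least 32).
function scenario() {
  const buf = { byteLength: 16, detached: false };
  const tracking = { byteOffset: 8, length: undefined, elementSize: 4 };
  const fixed = { byteOffset: 8, length: 2, elementSize: 4 };
  const out = [];
  for (const size of [16, 14, 8, 4, 32]) {     // successive resize() targets
    buf.byteLength = size;
    out.push({ size, tracking: getters(tracking, buf), fixed: getters(fixed, buf),
               fixedIndex1: inBounds(fixed, buf, 1) });
  }
  return out;
}

console.log(JSON.stringify(scenario()));
```

The fixed-length view drops to length 0 as soon as the buffer shrinks below its window and becomes valid again after the buffer grows back, which is why the length has to be recomputed on every access.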



