[webkit-changes] [WebKit/WebKit] fd6ff6: [JSC] DFG should be able to compile-and-inline op_...

Yusuke Suzuki noreply at github.com
Sun Sep 11 18:37:40 PDT 2022


  Branch: refs/heads/main
  Home:   https://github.com/WebKit/WebKit
  Commit: fd6ff6b2f4cb99a6799715307fdde1b7fe6e98cc
      https://github.com/WebKit/WebKit/commit/fd6ff6b2f4cb99a6799715307fdde1b7fe6e98cc
  Author: Yusuke Suzuki <ysuzuki at apple.com>
  Date:   2022-09-11 (Sun, 11 Sep 2022)

  Changed paths:
    M Source/JavaScriptCore/bytecode/BytecodeList.rb
    M Source/JavaScriptCore/bytecode/BytecodeUseDef.cpp
    M Source/JavaScriptCore/bytecode/BytecodeUseDef.h
    M Source/JavaScriptCore/bytecode/CallLinkInfo.cpp
    M Source/JavaScriptCore/bytecode/CodeBlock.cpp
    M Source/JavaScriptCore/bytecode/CodeBlock.h
    M Source/JavaScriptCore/bytecode/DirectEvalCodeCache.cpp
    M Source/JavaScriptCore/bytecode/DirectEvalCodeCache.h
    M Source/JavaScriptCore/bytecode/Opcode.h
    M Source/JavaScriptCore/bytecode/OpcodeInlines.h
    M Source/JavaScriptCore/bytecode/UnlinkedCodeBlock.cpp
    M Source/JavaScriptCore/bytecode/UnlinkedCodeBlock.h
    M Source/JavaScriptCore/bytecode/UnlinkedCodeBlockGenerator.h
    M Source/JavaScriptCore/bytecompiler/BytecodeGenerator.cpp
    M Source/JavaScriptCore/bytecompiler/BytecodeGenerator.h
    M Source/JavaScriptCore/bytecompiler/NodesCodegen.cpp
    M Source/JavaScriptCore/dfg/DFGAbstractInterpreterInlines.h
    M Source/JavaScriptCore/dfg/DFGByteCodeParser.cpp
    M Source/JavaScriptCore/dfg/DFGCapabilities.cpp
    M Source/JavaScriptCore/dfg/DFGCapabilities.h
    M Source/JavaScriptCore/dfg/DFGClobberize.h
    M Source/JavaScriptCore/dfg/DFGDoesGC.cpp
    M Source/JavaScriptCore/dfg/DFGFixupPhase.cpp
    M Source/JavaScriptCore/dfg/DFGGraph.h
    M Source/JavaScriptCore/dfg/DFGMayExit.cpp
    M Source/JavaScriptCore/dfg/DFGNode.h
    M Source/JavaScriptCore/dfg/DFGNodeType.h
    M Source/JavaScriptCore/dfg/DFGPredictionPropagationPhase.cpp
    M Source/JavaScriptCore/dfg/DFGSafeToExecute.h
    M Source/JavaScriptCore/dfg/DFGSpeculativeJIT32_64.cpp
    M Source/JavaScriptCore/dfg/DFGSpeculativeJIT64.cpp
    M Source/JavaScriptCore/ftl/FTLCapabilities.cpp
    M Source/JavaScriptCore/ftl/FTLCompile.cpp
    M Source/JavaScriptCore/ftl/FTLLowerDFGToB3.cpp
    M Source/JavaScriptCore/interpreter/Interpreter.cpp
    M Source/JavaScriptCore/interpreter/Interpreter.h
    M Source/JavaScriptCore/jit/BaselineJITRegisters.h
    M Source/JavaScriptCore/jit/JIT.cpp
    M Source/JavaScriptCore/jit/JIT.h
    M Source/JavaScriptCore/jit/JITCall.cpp
    M Source/JavaScriptCore/jit/JITOperations.cpp
    M Source/JavaScriptCore/jit/JITOperations.h
    M Source/JavaScriptCore/llint/LLIntSlowPaths.cpp
    M Source/JavaScriptCore/llint/LLIntSlowPaths.h
    M Source/JavaScriptCore/llint/LowLevelInterpreter.asm
    M Source/JavaScriptCore/runtime/CachedTypes.cpp
    M Source/JavaScriptCore/runtime/FileBasedFuzzerAgent.cpp
    M Source/JavaScriptCore/runtime/FileBasedFuzzerAgentBase.cpp
    M Source/JavaScriptCore/runtime/Gate.h
    M Source/JavaScriptCore/runtime/PredictionFileCreatingFuzzerAgent.cpp

  Log Message:
  -----------
  [JSC] DFG should be able to compile-and-inline op_call_eval
https://bugs.webkit.org/show_bug.cgi?id=245043

Reviewed by Alexey Shvayka.

We found that the DFG capability check is consuming some time in Speedometer2.1. And this is wasteful
since op_call_eval is the only bytecode which cannot be included in an inlined function in DFG.
We originally had many bytecodes which could not be compiled or inlined in DFG, and we continuously
removed them. And this op_call_eval is the last one.

In this patch, we make op_call_eval available in inlined DFG functions and we remove the DFG capability
level check function since any new bytecode must be supported in DFG from the beginning. op_call_eval
was not inlinable before since it relied on thisValue, the caller CodeBlock, and the scope value in the stack.
But this was achieved by a hack. We should simplify it and support op_call_eval even in inlined functions.

In this patch,

1. op_call_eval should have thisValue and scope VirtualRegisters in the bytecode. And it should get them through
   those instead of getting them from the CodeBlock implicitly. It also simplifies the UseDef definition for op_call_eval.
2. DFG should get thisValue / scope in the normal way in CallEval instead of getting them from the stack. This removes
   a lot of Flush this / scope hacks in DFG. Since we no longer rely on the stack's value with DFG's top-level CodeBlock,
   we can inline functions having op_call_eval.
3. Because of (2), the DFG capability level check can always say CanCompileAndInline. We remove these costly checks.
4. We always use the baseline CodeBlocks' DirectEvalCodeCache now, so we can hit the eval code cache more frequently.

* Source/JavaScriptCore/bytecode/BytecodeList.rb:
* Source/JavaScriptCore/bytecode/BytecodeUseDef.cpp:
(JSC::computeUsesForBytecodeIndexImpl):
* Source/JavaScriptCore/bytecode/BytecodeUseDef.h:
(JSC::computeUsesForBytecodeIndex):
* Source/JavaScriptCore/bytecode/DirectEvalCodeCache.cpp:
(JSC::DirectEvalCodeCache::setSlow):
* Source/JavaScriptCore/bytecode/DirectEvalCodeCache.h:
(JSC::DirectEvalCodeCache::CacheKey::CacheKey):
(JSC::DirectEvalCodeCache::CacheKey::hash const):
(JSC::DirectEvalCodeCache::CacheKey::operator== const):
(JSC::DirectEvalCodeCache::tryGet):
(JSC::DirectEvalCodeCache::set):
* Source/JavaScriptCore/bytecompiler/BytecodeGenerator.cpp:
(JSC::BytecodeGenerator::emitCall):
* Source/JavaScriptCore/dfg/DFGByteCodeParser.cpp:
(JSC::DFG::ByteCodeParser::setArgument):
(JSC::DFG::ByteCodeParser::addCallWithoutSettingResult):
(JSC::DFG::ByteCodeParser::addCall):
(JSC::DFG::ByteCodeParser::parseBlock):
* Source/JavaScriptCore/dfg/DFGCapabilities.cpp:
(JSC::DFG::capabilityLevel): Deleted.
* Source/JavaScriptCore/dfg/DFGCapabilities.h:
(JSC::DFG::canUseOSRExitFuzzing):
(JSC::DFG::evalCapabilityLevel):
(JSC::DFG::programCapabilityLevel):
(JSC::DFG::functionForCallCapabilityLevel):
(JSC::DFG::functionForConstructCapabilityLevel):
(JSC::DFG::inlineFunctionForCallCapabilityLevel):
(JSC::DFG::inlineFunctionForClosureCallCapabilityLevel):
(JSC::DFG::inlineFunctionForConstructCapabilityLevel):
(JSC::DFG::capabilityLevel): Deleted.
* Source/JavaScriptCore/dfg/DFGClobberize.h:
(JSC::DFG::clobberize):
* Source/JavaScriptCore/dfg/DFGGraph.h:
* Source/JavaScriptCore/dfg/DFGSpeculativeJIT32_64.cpp:
(JSC::DFG::SpeculativeJIT::emitCall):
* Source/JavaScriptCore/dfg/DFGSpeculativeJIT64.cpp:
(JSC::DFG::SpeculativeJIT::emitCall):
* Source/JavaScriptCore/ftl/FTLLowerDFGToB3.cpp:
(JSC::FTL::DFG::LowerDFGToB3::compileCompareStrictEq):
* Source/JavaScriptCore/interpreter/Interpreter.cpp:
(JSC::eval):
* Source/JavaScriptCore/interpreter/Interpreter.h:
* Source/JavaScriptCore/jit/BaselineJITRegisters.h:
* Source/JavaScriptCore/jit/JITCall.cpp:
(JSC::JIT::compileCallEval):
* Source/JavaScriptCore/jit/JITOperations.cpp:
(JSC::JSC_DEFINE_JIT_OPERATION):
* Source/JavaScriptCore/jit/JITOperations.h:
* Source/JavaScriptCore/llint/LLIntSlowPaths.cpp:
(JSC::LLInt::commonCallEval):

Canonical link: https://commits.webkit.org/254367@main
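The reason op_call_eval needs thisValue and scope as explicit operands, and the invariant that inlining must preserve, is visible from plain JavaScript: a direct eval observes the lexical scope and `this` of the function that contains it, not of whichever caller the function was inlined into, while an indirect eval runs in the global scope. The script below is an added example written for this page; it is not code from the WebKit commit, and the function names (helper, outer, indirect, evalThisTag, stress) and the iteration count are arbitrary choices. The hot loop exists only to give a tiering JIT such as JSC (LLInt, Baseline, DFG, FTL) a chance to compile and inline the functions; the checks pass on any conforming engine.

```javascript
'use strict';
// Added example, not code from the WebKit commit. It exercises the semantics
// that make thisValue and scope explicit inputs of op_call_eval: a direct eval
// must observe the lexical scope and `this` of the function containing it,
// regardless of whether that function has been inlined into its caller.

// Direct eval inside a helper: must see helper's own `who` and `this`.
function helper(expr) {
  const who = 'helper';
  return eval(expr); // a plain `eval(...)` call is a direct eval
}

// Caller with its own `who`. If helper is inlined into outer, the eval must
// still resolve `who` in helper's scope, not outer's.
function outer() {
  const who = 'outer';
  return helper('who'); // expected 'helper', never 'outer'
}

// Indirect eval (any call that is not syntactically `eval(...)`) evaluates in
// the global scope with `this === globalThis`; caller locals are invisible.
function indirect() {
  const who = 'local';
  const ieval = eval;
  return ieval('typeof who'); // 'undefined': `who` does not exist globally
}

// Direct eval observes the receiver the enclosing function was invoked with.
function evalThisTag(expr) {
  return eval(expr);
}

// Hot loop so a tiering JIT compiles and, where it can, inlines outer/helper.
// Returns the iteration at which the observed scope or `this` binding first
// diverged from the specified behaviour, or -1 if every call was correct.
function stress(iterations) {
  const receiver = { tag: 'receiver' };
  for (let i = 0; i < iterations; i++) {
    if (outer() !== 'helper') return i;
    if (evalThisTag.call(receiver, 'this.tag') !== 'receiver') return i;
    if (indirect() !== 'undefined') return i;
  }
  return -1;
}

// Stand-alone run: prints -1 when the bindings stayed correct throughout.
console.log(stress(20000));
```

A regression in the inlined-eval path would show up as `stress` returning a non-negative index near the point where the JIT tiered up, which is the kind of check a JSC stress test would make after a change like this one.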




More information about the webkit-changes mailing list