[webkit-changes] [WebKit/WebKit] 861ea3: [JSC] Add linkThunk mechanism

Yusuke Suzuki noreply at github.com
Sat Dec 9 04:16:39 PST 2023 

  Branch: refs/heads/main
  Home:   https://github.com/WebKit/WebKit
  Commit: 861ea3bcbb70d59653d4ad40c99368c75e232844
      https://github.com/WebKit/WebKit/commit/861ea3bcbb70d59653d4ad40c99368c75e232844
  Author: Yusuke Suzuki <ysuzuki at apple.com>
  Date:   2023-12-09 (Sat, 09 Dec 2023)

  Changed paths:
    M Source/JavaScriptCore/assembler/ARM64Assembler.h
    M Source/JavaScriptCore/assembler/ARMv7Assembler.h
    M Source/JavaScriptCore/assembler/AbstractMacroAssembler.h
    M Source/JavaScriptCore/assembler/LinkBuffer.cpp
    M Source/JavaScriptCore/assembler/MacroAssembler.h
    M Source/JavaScriptCore/assembler/MacroAssemblerARM64.h
    M Source/JavaScriptCore/assembler/MacroAssemblerARM64E.h
    M Source/JavaScriptCore/assembler/MacroAssemblerARMv7.h
    M Source/JavaScriptCore/assembler/MacroAssemblerRISCV64.h
    M Source/JavaScriptCore/assembler/MacroAssemblerX86_64.h
    M Source/JavaScriptCore/bytecode/AccessCaseSnippetParams.cpp
    M Source/JavaScriptCore/bytecode/InlineAccess.cpp
    M Source/JavaScriptCore/bytecode/InlineCacheCompiler.cpp
    M Source/JavaScriptCore/bytecode/Repatch.cpp
    M Source/JavaScriptCore/dfg/DFGJITCompiler.cpp
    M Source/JavaScriptCore/dfg/DFGJITCompiler.h
    M Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp
    M Source/JavaScriptCore/ftl/FTLCompile.cpp
    M Source/JavaScriptCore/ftl/FTLLazySlowPath.cpp
    M Source/JavaScriptCore/ftl/FTLLink.cpp
    M Source/JavaScriptCore/ftl/FTLLowerDFGToB3.cpp
    M Source/JavaScriptCore/ftl/FTLOSRExitHandle.cpp
    M Source/JavaScriptCore/ftl/FTLThunks.cpp
    M Source/JavaScriptCore/jit/ExecutableAllocator.cpp
    M Source/JavaScriptCore/jit/JIT.cpp
    M Source/JavaScriptCore/jit/JIT.h
    M Source/JavaScriptCore/jit/JITCall.cpp
    M Source/JavaScriptCore/jit/JITInlines.h
    M Source/JavaScriptCore/jit/JITMathIC.h
    M Source/JavaScriptCore/jit/JITOpcodes.cpp
    M Source/JavaScriptCore/jit/JITPropertyAccess.cpp
    M Source/JavaScriptCore/jit/SlowPathCall.cpp
    M Source/JavaScriptCore/jit/SpecializedThunkJIT.h
    M Source/JavaScriptCore/jit/ThunkGenerators.cpp
    M Source/JavaScriptCore/wasm/WasmB3IRGenerator.cpp
    M Source/JavaScriptCore/wasm/WasmBBQJIT.cpp
    M Source/JavaScriptCore/wasm/WasmIRGeneratorHelpers.h
    M Source/JavaScriptCore/wasm/WasmThunks.cpp
    M Source/JavaScriptCore/wasm/js/JSToWasm.cpp
    M Source/JavaScriptCore/wasm/js/WasmToJS.cpp
    M Source/JavaScriptCore/wasm/js/WebAssemblyFunction.cpp

  Log Message:
  -----------
  [JSC] Add linkThunk mechanism
https://bugs.webkit.org/show_bug.cgi?id=265854
rdar://119171337

Reviewed by Mark Lam.

This patch adds linkThunk mechanism to Jump and Call. Previously, we were using LinkBuffer::link when jumping to a thunk or calling a thunk.
But the implementation of this is really costly and it was not so good. (1) it uses performJITMemcpy to rewrite code, which does JIT memory
permission switch every time. And (2) it does not leverage branch compaction. So even though it is thunk address, we never do branch compaction
and typically we have several nops around it.

Instead, we have linkThunk mechanism which can just link Jump and Call to a thunk. On ARM64, this is fully integrated into our branch compaction
mechanism so that we can repatch it through LinkBuffer's branch compaction. On the other architectures, it is the same to the current behavior.

* Source/JavaScriptCore/assembler/ARM64Assembler.h:
(JSC::ARM64Assembler::LinkRecord::LinkRecord):
(JSC::ARM64Assembler::LinkRecord::isThunk const):
* Source/JavaScriptCore/assembler/ARMv7Assembler.h:
(JSC::ARMv7Assembler::LinkRecord::setFrom):
(JSC::ARMv7Assembler::LinkRecord::to const):
* Source/JavaScriptCore/assembler/AbstractMacroAssembler.h:
(JSC::AbstractMacroAssembler::Jump::linkThunk const):
(JSC::AbstractMacroAssembler::JumpList::linkTo const):
(JSC::AbstractMacroAssembler::JumpList::linkThunk const):
* Source/JavaScriptCore/assembler/LinkBuffer.cpp:
(JSC::LinkBuffer::copyCompactAndLinkCode):
* Source/JavaScriptCore/assembler/MacroAssemblerARM64.h:
(JSC::MacroAssemblerARM64::callOperation):
(JSC::MacroAssemblerARM64::callThunk):
(JSC::MacroAssemblerARM64::jumpThunk):
* Source/JavaScriptCore/assembler/MacroAssemblerARM64E.h:
(JSC::MacroAssemblerARM64E::callOperation):
* Source/JavaScriptCore/assembler/MacroAssemblerARMv7.h:
(JSC::MacroAssemblerARMv7::callOperation):
(JSC::MacroAssemblerARMv7::callThunk):
(JSC::MacroAssemblerARMv7::jumpThunk):
* Source/JavaScriptCore/assembler/MacroAssemblerRISCV64.h:
(JSC::MacroAssemblerRISCV64::callOperation):
(JSC::MacroAssemblerRISCV64::callThunk):
(JSC::MacroAssemblerRISCV64::jumpThunk):
* Source/JavaScriptCore/assembler/MacroAssemblerX86_64.h:
(JSC::MacroAssemblerX86_64::callOperation):
(JSC::MacroAssemblerX86_64::callThunk):
(JSC::MacroAssemblerX86_64::jumpThunk):
* Source/JavaScriptCore/bytecode/AccessCaseSnippetParams.cpp:
* Source/JavaScriptCore/bytecode/InlineCacheCompiler.cpp:
(JSC::InlineCacheCompiler::emitExplicitExceptionHandler):
(JSC::getByIdSlowPathCodeGenerator):
(JSC::getByIdWithThisSlowPathCodeGenerator):
(JSC::getByValSlowPathCodeGenerator):
(JSC::getPrivateNameSlowPathCodeGenerator):
(JSC::getByValWithThisSlowPathCodeGenerator):
(JSC::putByIdSlowPathCodeGenerator):
(JSC::putByValSlowPathCodeGenerator):
(JSC::instanceOfSlowPathCodeGenerator):
(JSC::delByIdSlowPathCodeGenerator):
(JSC::delByValSlowPathCodeGenerator):
(JSC::InlineCacheCompiler::generateImpl):
(JSC::InlineCacheCompiler::regenerate):
* Source/JavaScriptCore/bytecode/Repatch.cpp:
(JSC::linkPolymorphicCall):
* Source/JavaScriptCore/ftl/FTLCompile.cpp:
(JSC::FTL::compile):
* Source/JavaScriptCore/ftl/FTLLink.cpp:
(JSC::FTL::link):
* Source/JavaScriptCore/jit/JIT.cpp:
(JSC::JIT::compileAndLinkWithoutFinalizing):
(JSC::JIT::link):
* Source/JavaScriptCore/jit/JITMathIC.h:
(JSC::JITMathIC::generateOutOfLine):
* Source/JavaScriptCore/jit/JITOpcodes.cpp:
(JSC::JIT::op_check_traps_handlerGenerator):
* Source/JavaScriptCore/jit/JITPropertyAccess.cpp:
(JSC::JIT::slow_op_resolve_scopeGenerator):
(JSC::JIT::slow_op_put_to_scopeGenerator):
* Source/JavaScriptCore/jit/SlowPathCall.cpp:
(JSC::JITSlowPathCall::generateThunk):
* Source/JavaScriptCore/jit/SpecializedThunkJIT.h:
(JSC::SpecializedThunkJIT::finalize):
* Source/JavaScriptCore/jit/ThunkGenerators.cpp:
(JSC::popThunkStackPreservesAndHandleExceptionGenerator):
(JSC::checkExceptionGenerator):
(JSC::nativeForGenerator):
* Source/JavaScriptCore/wasm/WasmB3IRGenerator.cpp:
(JSC::Wasm::B3IRGenerator::B3IRGenerator):
(JSC::Wasm::B3IRGenerator::emitExceptionCheck):
* Source/JavaScriptCore/wasm/WasmBBQJIT.cpp:
(JSC::Wasm::BBQJIT::emitWriteBarrier):
(JSC::Wasm::BBQJIT::emitThrowException):
(JSC::Wasm::BBQJIT::addTopLevel):
(JSC::Wasm::BBQJIT::addLoopOSREntrypoint):
* Source/JavaScriptCore/wasm/WasmIRGeneratorHelpers.h:
(JSC::Wasm::emitRethrowImpl):
(JSC::Wasm::emitThrowImpl):
* Source/JavaScriptCore/wasm/WasmThunks.cpp:
(JSC::Wasm::catchInWasmThunkGenerator):
* Source/JavaScriptCore/wasm/js/JSToWasm.cpp:
(JSC::Wasm::marshallJSResult):
* Source/JavaScriptCore/wasm/js/WasmToJS.cpp:
(JSC::Wasm::wasmToJS):
(JSC::Wasm::emitThrowWasmToJSException):

Canonical link: https://commits.webkit.org/271801@main

More information about the webkit-changes mailing list