[webkit-changes] [WebKit/WebKit] 3563dd: [JSC] Fast JS-to-Wasm call from FTL

Yusuke Suzuki noreply at github.com
Mon Jan 23 16:17:23 PST 2023 

  Branch: refs/heads/main
  Home:   https://github.com/WebKit/WebKit
  Commit: 3563dd1840c63e77d1bf18a2017edf52df32f263
      https://github.com/WebKit/WebKit/commit/3563dd1840c63e77d1bf18a2017edf52df32f263
  Author: Yusuke Suzuki <ysuzuki at apple.com>
  Date:   2023-01-23 (Mon, 23 Jan 2023)

  Changed paths:
    A JSTests/wasm/stress/js-to-wasm-exception.js
    A JSTests/wasm/stress/js-to-wasm-many-double.js
    A JSTests/wasm/stress/js-to-wasm-many-ref.js
    A JSTests/wasm/stress/js-to-wasm-many.js
    A JSTests/wasm/stress/js-to-wasm.js
    A JSTests/wasm/stress/wasm-to-wasm.js
    R JSTests/wasm/tier-up/js-to-wasm.js
    R JSTests/wasm/tier-up/wasm-to-wasm.js
    M Source/JavaScriptCore/dfg/DFGAbstractInterpreterInlines.h
    M Source/JavaScriptCore/dfg/DFGByteCodeParser.cpp
    M Source/JavaScriptCore/dfg/DFGClobberize.h
    M Source/JavaScriptCore/dfg/DFGDoesGC.cpp
    M Source/JavaScriptCore/dfg/DFGFixupPhase.cpp
    M Source/JavaScriptCore/dfg/DFGMayExit.cpp
    M Source/JavaScriptCore/dfg/DFGNode.cpp
    M Source/JavaScriptCore/dfg/DFGNode.h
    M Source/JavaScriptCore/dfg/DFGNodeType.h
    M Source/JavaScriptCore/dfg/DFGPredictionPropagationPhase.cpp
    M Source/JavaScriptCore/dfg/DFGSafeToExecute.h
    M Source/JavaScriptCore/dfg/DFGSpeculativeJIT32_64.cpp
    M Source/JavaScriptCore/dfg/DFGSpeculativeJIT64.cpp
    M Source/JavaScriptCore/dfg/DFGStrengthReductionPhase.cpp
    M Source/JavaScriptCore/ftl/FTLCapabilities.cpp
    M Source/JavaScriptCore/ftl/FTLLowerDFGToB3.cpp
    M Source/JavaScriptCore/jit/AssemblyHelpers.cpp
    M Source/JavaScriptCore/jit/AssemblyHelpers.h
    M Source/JavaScriptCore/wasm/WasmIRGeneratorHelpers.h
    M Source/JavaScriptCore/wasm/WasmThunks.cpp
    M Source/JavaScriptCore/wasm/js/WasmToJS.cpp

  Log Message:
  -----------
  [JSC] Fast JS-to-Wasm call from FTL
https://bugs.webkit.org/show_bug.cgi?id=250545
rdar://104214223

Reviewed by Keith Miller.

This patch supports direct Wasm call from FTL. FTL can know type speculations.
We check this in DFG strength reduction phase, and generate appropriate stack and register assignment for Wasm call.
This is further more efficient than Wasm IC since,

1. Based on type speculation, we can skip many type checks for arguments.
2. Because FTL can control registers and stacks, we can appropriately configure values in the right argument registers
   and stack location in FTL side and directly call Wasm function from FTL. By using patchpoint, B3 can assign right registers / stack
   location for them.
3. This removes Wasm IC trampoline between JS and Wasm function. Wasm function is now directly called from JS.

To make this work, we require 259139 at main. That change allows us to remove a hack in unwinding for wasm (wasm function call can modify global state (vm.wasmContext.instance),
and unwinding needed to restore them appropriately. The above patch removed this necessity).
As a result, we can directly call wasm function from FTL without doing a hack in unwinding. And we can also remove save / restore of vm.wasmContext.instance.

We also need to encourage CallWasm in DFG ByteCodeParser. CallWasm needs constant-folded callee currently, but it needs to be materialized well from DFG ByteCodeParser by inserting
appropriate checks from CallVariant.

Note that we are reporting wasm pinned registers' clobbering from FTL patchpoint. This teaches FTL to save and resume these callee-save registers as FTL's callee-save registers.
Thus, OSR exit / exception unwinding just works well: FTL cares these registers and correctly restore them when OSR exit happens. This is also the reason why we cannot apply
this optimization to TailCall right now: wasm function clobbers callee-save registers and tail-call needs an adaptor to restore them correctly when returning to the caller's caller.
In the future, we should align wasm pinned registers with JS JIT default callee-save registers so that we can easily restore then when OSR exit happens from DFG too. This is necessary
if we would like to introduce this direct call from DFG side.

This improves JetStream2/richards-wasm Runtime from 13.021 to 16.129, 23% improvement.

* Source/JavaScriptCore/dfg/DFGAbstractInterpreterInlines.h:
(JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
* Source/JavaScriptCore/dfg/DFGClobberize.h:
(JSC::DFG::clobberize):
* Source/JavaScriptCore/dfg/DFGDoesGC.cpp:
(JSC::DFG::doesGC):
* Source/JavaScriptCore/dfg/DFGFixupPhase.cpp:
(JSC::DFG::FixupPhase::fixupNode):
* Source/JavaScriptCore/dfg/DFGMayExit.cpp:
* Source/JavaScriptCore/dfg/DFGNode.cpp:
(JSC::DFG::Node::convertToCallWasm):
* Source/JavaScriptCore/dfg/DFGNode.h:
(JSC::DFG::Node::hasHeapPrediction):
(JSC::DFG::Node::hasCellOperand):
* Source/JavaScriptCore/dfg/DFGNodeType.h:
* Source/JavaScriptCore/dfg/DFGPredictionPropagationPhase.cpp:
* Source/JavaScriptCore/dfg/DFGSafeToExecute.h:
(JSC::DFG::safeToExecute):
* Source/JavaScriptCore/dfg/DFGSpeculativeJIT.h:
* Source/JavaScriptCore/dfg/DFGSpeculativeJIT32_64.cpp:
(JSC::DFG::SpeculativeJIT::compile):
* Source/JavaScriptCore/dfg/DFGSpeculativeJIT64.cpp:
(JSC::DFG::SpeculativeJIT::compileCallWasm):
(JSC::DFG::SpeculativeJIT::compile):
* Source/JavaScriptCore/dfg/DFGStrengthReductionPhase.cpp:
(JSC::DFG::StrengthReductionPhase::handleNode):
* Source/JavaScriptCore/ftl/FTLCapabilities.cpp:
(JSC::FTL::canCompile):
* Source/JavaScriptCore/ftl/FTLLowerDFGToB3.cpp:
(JSC::FTL::DFG::LowerDFGToB3::compileNode):
(JSC::FTL::DFG::LowerDFGToB3::compileCompareStrictEq):

Canonical link: https://commits.webkit.org/259250@main

More information about the webkit-changes mailing list