[webkit-changes] [WebKit/WebKit] f2f3c9: DFG should support tuples

Keith Miller noreply at github.com
Fri Mar 24 05:46:46 PDT 2023 

  Branch: refs/heads/main
  Home:   https://github.com/WebKit/WebKit
  Commit: f2f3c91fa89c2bef7d30bba0324cdba55aa3ae4f
      https://github.com/WebKit/WebKit/commit/f2f3c91fa89c2bef7d30bba0324cdba55aa3ae4f
  Author: Keith Miller <keith_miller at apple.com>
  Date:   2023-03-24 (Fri, 24 Mar 2023)

  Changed paths:
    M JSTests/stress/for-in-redefine-enumerable.js
    M Source/JavaScriptCore/b3/B3LowerToAir.cpp
    M Source/JavaScriptCore/b3/B3Type.h
    M Source/JavaScriptCore/b3/B3Validate.cpp
    M Source/JavaScriptCore/b3/air/AirCCallingConvention.cpp
    M Source/JavaScriptCore/b3/air/AirCCallingConvention.h
    M Source/JavaScriptCore/b3/air/AirCustom.cpp
    M Source/JavaScriptCore/b3/air/AirCustom.h
    M Source/JavaScriptCore/b3/air/AirLowerAfterRegAlloc.cpp
    M Source/JavaScriptCore/b3/air/AirLowerMacros.cpp
    M Source/JavaScriptCore/b3/air/AirOpcode.opcodes
    M Source/JavaScriptCore/b3/testb3.h
    M Source/JavaScriptCore/b3/testb3_3.cpp
    M Source/JavaScriptCore/b3/testb3_5.cpp
    M Source/JavaScriptCore/dfg/DFGAbstractInterpreter.h
    M Source/JavaScriptCore/dfg/DFGAbstractInterpreterInlines.h
    M Source/JavaScriptCore/dfg/DFGAtTailAbstractState.cpp
    M Source/JavaScriptCore/dfg/DFGAtTailAbstractState.h
    M Source/JavaScriptCore/dfg/DFGByteCodeParser.cpp
    M Source/JavaScriptCore/dfg/DFGClobberize.h
    M Source/JavaScriptCore/dfg/DFGDoesGC.cpp
    M Source/JavaScriptCore/dfg/DFGFixupPhase.cpp
    M Source/JavaScriptCore/dfg/DFGGenerationInfo.h
    M Source/JavaScriptCore/dfg/DFGGraph.cpp
    M Source/JavaScriptCore/dfg/DFGGraph.h
    M Source/JavaScriptCore/dfg/DFGInPlaceAbstractState.cpp
    M Source/JavaScriptCore/dfg/DFGInPlaceAbstractState.h
    M Source/JavaScriptCore/dfg/DFGMayExit.cpp
    M Source/JavaScriptCore/dfg/DFGNode.h
    M Source/JavaScriptCore/dfg/DFGNodeType.h
    M Source/JavaScriptCore/dfg/DFGOperations.cpp
    M Source/JavaScriptCore/dfg/DFGOperations.h
    M Source/JavaScriptCore/dfg/DFGPredictionPropagationPhase.cpp
    M Source/JavaScriptCore/dfg/DFGSafeToExecute.h
    M Source/JavaScriptCore/dfg/DFGScoreBoard.h
    M Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp
    M Source/JavaScriptCore/dfg/DFGSpeculativeJIT.h
    M Source/JavaScriptCore/dfg/DFGSpeculativeJIT32_64.cpp
    M Source/JavaScriptCore/dfg/DFGSpeculativeJIT64.cpp
    M Source/JavaScriptCore/dfg/DFGValidate.cpp
    M Source/JavaScriptCore/dfg/DFGVirtualRegisterAllocationPhase.cpp
    M Source/JavaScriptCore/ftl/FTLCapabilities.cpp
    M Source/JavaScriptCore/ftl/FTLLowerDFGToB3.cpp
    M Source/JavaScriptCore/ftl/FTLOutput.cpp
    M Source/JavaScriptCore/ftl/FTLOutput.h
    M Source/JavaScriptCore/wasm/WasmAirIRGeneratorBase.h

  Log Message:
  -----------
  DFG should support tuples
https://bugs.webkit.org/show_bug.cgi?id=253413

Reviewed by Yusuke Suzuki.

This change adds support for tuples in the DFG. It works similarly to how tuples
work in B3 where there is a side buffer which holds most of the metadata for a
tuple. In the DFG there are three pieces of information held here:
    1) The reference count
    2) The result flags
    3) The virtual register

1) tells us if the ExtractFromTuple Node for a given tuple result still exists
(e.g. it could have been constant folded or dead code eliminated). From that we
will decide to fill (3) the virtual register when allocating registers. If we
didn't have the reference count then we would have no way to know that the
virtual registers isn't going to be consumed thus we will leak it. Lastly we
have (2) the result flags for the node. This tells the ExtractFromTuple and
theoretically (as right now the only ExtractFromTuple users produce Int32s) any
 consumers of the ExtractFromTuple what value format the tuple's result will
 be in. For the DFG, we don't need this because we know there's at most one
 ExtractFromTuple for any given tuple index since we don't duplicate code.

When dumping the DFG graph ExtractFromTuple follows the same pattern as B3
and uses `<<X` to denote the offset we are extracting from. So it will look
something like:

  6  1  0:  D at 101:< 1:->    EnumeratorNextUpdateIndexAndMode(Check:Untyped:D at 97, Check:Untyped:D at 98, Check:Untyped:D at 100, Check:Untyped:D at 99, VarArgs, SelectUsingPredictions+NonArray+InBounds+AsIs+Read, enumeratorModes = 4, R:World, W:Heap, Exits, ClobbersExit, bc#115, ExitValid)
  7  1  0:  D at 102:< 1:->    ExtractFromTuple(Check:Untyped:D at 101, Int32|UseAsOther, <<0, bc#115, ExitInvalid)
  8  1  0:  D at 103:<!0:->    MovHint(Check:Untyped:D at 102, MustGen, loc10, W:SideState, ClobbersExit, bc#115, ExitInvalid)
  9  1  0:  D at 104:< 1:->    ExtractFromTuple(Check:Untyped:D at 101, Int32|UseAsOther, <<1, bc#115, ExitInvalid)

This patch also adds support for calling operations in both the FTL/B3 via
CCall. CCall can take exactly the tuple of `{ pointerType(), pointerType() }`,
which, for every calling conevention we support, should be returned in both
the return value registers. As the only way to look into a tuple is via the
B3 prodecure, the first Air::Arg of any CCall/ColdCCall Inst is now the
CCallSpecial for the compiling Air::Code. This gives us access to Air::Code
inside CCallCustom::forEachArg and isValidForm.

* JSTests/stress/for-in-redefine-enumerable.js:
(shouldBe):
* Source/JavaScriptCore/b3/B3LowerToAir.cpp:
* Source/JavaScriptCore/b3/B3Type.h:
(JSC::B3::pointerType):
(JSC::B3::registerType):
* Source/JavaScriptCore/b3/B3Validate.cpp:
* Source/JavaScriptCore/b3/air/AirCCallingConvention.cpp:
(JSC::B3::Air::cCallResultCount):
(JSC::B3::Air::cCallArgumentRegisterWidth):
(JSC::B3::Air::cCallResult):
* Source/JavaScriptCore/b3/air/AirCCallingConvention.h:
* Source/JavaScriptCore/b3/air/AirCustom.cpp:
(JSC::B3::Air::CCallCustom::isValidForm):
* Source/JavaScriptCore/b3/air/AirCustom.h:
(JSC::B3::Air::CCallCustom::forEachArg):
* Source/JavaScriptCore/b3/air/AirLowerAfterRegAlloc.cpp:
(JSC::B3::Air::lowerAfterRegAlloc):
* Source/JavaScriptCore/b3/air/AirLowerMacros.cpp:
(JSC::B3::Air::lowerMacros):
* Source/JavaScriptCore/b3/air/AirOpcode.opcodes:
* Source/JavaScriptCore/b3/testb3.h:
* Source/JavaScriptCore/b3/testb3_3.cpp:
(addCallTests):
* Source/JavaScriptCore/b3/testb3_5.cpp:
(JSC_DEFINE_JIT_OPERATION):
(testCallPairResult):
(testCallPairResultRare):
* Source/JavaScriptCore/dfg/DFGAbstractInterpreter.h:
(JSC::DFG::AbstractInterpreter::setTupleConstant):
* Source/JavaScriptCore/dfg/DFGAbstractInterpreterInlines.h:
(JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
* Source/JavaScriptCore/dfg/DFGAtTailAbstractState.cpp:
(JSC::DFG::AtTailAbstractState::AtTailAbstractState):
* Source/JavaScriptCore/dfg/DFGAtTailAbstractState.h:
(JSC::DFG::AtTailAbstractState::forTupleNode):
(JSC::DFG::AtTailAbstractState::clearForTupleNode):
(JSC::DFG::AtTailAbstractState::setForTupleNode):
(JSC::DFG::AtTailAbstractState::setTypeForTupleNode):
(JSC::DFG::AtTailAbstractState::setNonCellTypeForTupleNode):
(JSC::DFG::AtTailAbstractState::makeBytecodeTopForTupleNode):
(JSC::DFG::AtTailAbstractState::makeHeapTopForTupleNode):
* Source/JavaScriptCore/dfg/DFGByteCodeParser.cpp:
(JSC::DFG::ByteCodeParser::addToGraph):
(JSC::DFG::ByteCodeParser::parseBlock):
* Source/JavaScriptCore/dfg/DFGClobberize.h:
(JSC::DFG::clobberize):
* Source/JavaScriptCore/dfg/DFGDoesGC.cpp:
(JSC::DFG::doesGC):
* Source/JavaScriptCore/dfg/DFGFixupPhase.cpp:
(JSC::DFG::FixupPhase::fixupNode):
* Source/JavaScriptCore/dfg/DFGGenerationInfo.h:
(JSC::DFG::GenerationInfo::initFromTupleResult):
* Source/JavaScriptCore/dfg/DFGGraph.cpp:
(JSC::DFG::Graph::dump):
* Source/JavaScriptCore/dfg/DFGGraph.h:
* Source/JavaScriptCore/dfg/DFGInPlaceAbstractState.cpp:
(JSC::DFG::InPlaceAbstractState::InPlaceAbstractState):
* Source/JavaScriptCore/dfg/DFGInPlaceAbstractState.h:
(JSC::DFG::InPlaceAbstractState::forTupleNode):
(JSC::DFG::InPlaceAbstractState::clearForTupleNode):
(JSC::DFG::InPlaceAbstractState::setForTupleNode):
(JSC::DFG::InPlaceAbstractState::setTypeForTupleNode):
(JSC::DFG::InPlaceAbstractState::setNonCellTypeForTupleNode):
(JSC::DFG::InPlaceAbstractState::makeBytecodeTopForTupleNode):
(JSC::DFG::InPlaceAbstractState::makeHeapTopForTupleNode):
* Source/JavaScriptCore/dfg/DFGMayExit.cpp:
* Source/JavaScriptCore/dfg/DFGNode.h:
(JSC::DFG::Node::isTuple const):
(JSC::DFG::Node::setTupleOffset):
(JSC::DFG::Node::tupleOffset const):
(JSC::DFG::Node::hasExtractOffset const):
(JSC::DFG::Node::extractOffset const):
(JSC::DFG::Node::tupleIndex const):
(JSC::DFG::Node::tupleSize const):
(JSC::DFG::Node::hasVirtualRegister):
(JSC::DFG::Node::virtualRegister):
(JSC::DFG::Node::setVirtualRegister):
* Source/JavaScriptCore/dfg/DFGNodeType.h:
* Source/JavaScriptCore/dfg/DFGOperations.cpp:
(JSC::DFG::JSC_DEFINE_JIT_OPERATION):
* Source/JavaScriptCore/dfg/DFGOperations.h:
(JSC::DFG::makeUGPRPair):
* Source/JavaScriptCore/dfg/DFGPredictionPropagationPhase.cpp:
* Source/JavaScriptCore/dfg/DFGSafeToExecute.h:
(JSC::DFG::safeToExecute):
* Source/JavaScriptCore/dfg/DFGScoreBoard.h:
(JSC::DFG::ScoreBoard::use):
* Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp:
* Source/JavaScriptCore/dfg/DFGSpeculativeJIT.h:
(JSC::DFG::SpeculativeJIT::strictInt32TupleResultWithoutUsingChildren):
* Source/JavaScriptCore/dfg/DFGSpeculativeJIT32_64.cpp:
(JSC::DFG::SpeculativeJIT::compile):
* Source/JavaScriptCore/dfg/DFGSpeculativeJIT64.cpp:
(JSC::DFG::SpeculativeJIT::compile):
* Source/JavaScriptCore/dfg/DFGValidate.cpp:
* Source/JavaScriptCore/dfg/DFGVirtualRegisterAllocationPhase.cpp:
(JSC::DFG::VirtualRegisterAllocationPhase::run):
* Source/JavaScriptCore/ftl/FTLCapabilities.cpp:
(JSC::FTL::canCompile):
* Source/JavaScriptCore/ftl/FTLLowerDFGToB3.cpp:
(JSC::FTL::DFG::LowerDFGToB3::LowerDFGToB3):
(JSC::FTL::DFG::LowerDFGToB3::compileNode):
(JSC::FTL::DFG::LowerDFGToB3::compileCompareStrictEq):
* Source/JavaScriptCore/ftl/FTLOutput.cpp:
(JSC::FTL::Output::extract):
* Source/JavaScriptCore/ftl/FTLOutput.h:
* Source/JavaScriptCore/wasm/WasmAirIRGeneratorBase.h:
(JSC::Wasm::AirIRGeneratorBase::emitCCall):

Canonical link: https://commits.webkit.org/262068@main

More information about the webkit-changes mailing list