[webkit-changes] [WebKit/WebKit] eeb0d7: Speculation failure ValueProfile buckets should be...

Keith Miller noreply at github.com
Fri Oct 20 20:58:59 PDT 2023 

  Branch: refs/heads/main
  Home:   https://github.com/WebKit/WebKit
  Commit: eeb0d7b78c6d38aec83236b93e54cb60f89fc41c
      https://github.com/WebKit/WebKit/commit/eeb0d7b78c6d38aec83236b93e54cb60f89fc41c
  Author: Keith Miller <keith_miller at apple.com>
  Date:   2023-10-20 (Fri, 20 Oct 2023)

  Changed paths:
    M JSTests/microbenchmarks/fold-multi-get-by-offset-to-get-by-offset.js
    M JSTests/stress/fold-multi-get-by-offset-to-get-by-offset-with-watchpoint.js
    M Source/JavaScriptCore/CMakeLists.txt
    M Source/JavaScriptCore/JavaScriptCore.xcodeproj/project.pbxproj
    M Source/JavaScriptCore/Sources.txt
    M Source/JavaScriptCore/bytecode/CodeBlock.cpp
    M Source/JavaScriptCore/bytecode/CodeBlock.h
    R Source/JavaScriptCore/bytecode/LazyOperandValueProfile.cpp
    M Source/JavaScriptCore/bytecode/LazyOperandValueProfile.h
    A Source/JavaScriptCore/bytecode/LazyValueProfile.cpp
    A Source/JavaScriptCore/bytecode/LazyValueProfile.h
    M Source/JavaScriptCore/bytecode/MetadataTable.h
    M Source/JavaScriptCore/bytecode/MethodOfGettingAValueProfile.cpp
    M Source/JavaScriptCore/bytecode/ValueProfile.h
    M Source/JavaScriptCore/dfg/DFGByteCodeParser.cpp
    M Source/JavaScriptCore/dfg/DFGPredictionInjectionPhase.cpp
    M Source/JavaScriptCore/jit/JIT.cpp
    M Source/JavaScriptCore/llint/LLIntOffsetsExtractor.cpp
    M Source/JavaScriptCore/llint/LowLevelInterpreter.asm
    M Source/JavaScriptCore/tools/HeapVerifier.cpp
    M Source/WTF/wtf/ConcurrentVector.h

  Log Message:
  -----------
  Speculation failure ValueProfile buckets should be lazy
https://bugs.webkit.org/show_bug.cgi?id=263335
rdar://problem/117159824

Reviewed by Yusuke Suzuki.

Currently, ValueProfiles contain two JSValue buckets by default, one for LLInt/Baseline execution
and one for values from speculation failures in the DFG/FTL. These are both stored inline in the
ValueProfile itself. While we regularly use the regular buckets, it's somewhat rare to use the
speculation failure buckets.

This patch makes the speculation failure buckets lazy and part of the same data structure we use
for LazyOperandValueProfiles. Not all ValueProfiles use the new lazy mechanism, arguments'
ValueProfiles still have the speculation failure buckets inline and have a new type
ArgumentValueProfile. This change is about a .2% improvement on our internal memory benchmarks.

This change adds a new `appendConcurrently()` method to ConcurrentVector, which properly fences
between the initialization of the new element and the corresponding size increment.

Also, skip some tests that started failing on 32-bit.

* Source/JavaScriptCore/JavaScriptCore.xcodeproj/project.pbxproj:
* Source/JavaScriptCore/Sources.txt:
* Source/JavaScriptCore/bytecode/CodeBlock.cpp:
(JSC::CodeBlock::setNumParameters):
(JSC::CodeBlock::updateAllNonLazyValueProfilePredictionsAndCountLiveness):
(JSC::CodeBlock::updateAllLazyValueProfilePredictions):
(JSC::CodeBlock::dumpValueProfiles):
(JSC::CodeBlock::valueProfilePredictionForBytecodeIndex):
* Source/JavaScriptCore/bytecode/CodeBlock.h:
(JSC::CodeBlock::valueProfileForArgument):
(JSC::CodeBlock::lazyValueProfiles):
(JSC::CodeBlock::lazyOperandValueProfiles): Deleted.
* Source/JavaScriptCore/bytecode/LazyOperandValueProfile.cpp: Removed.
* Source/JavaScriptCore/bytecode/LazyOperandValueProfile.h:
(): Deleted.
* Source/JavaScriptCore/bytecode/LazyValueProfile.cpp: Added.
(JSC::CompressedLazyValueProfileHolder::computeUpdatedPredictions):
(JSC::CompressedLazyValueProfileHolder::initializeData):
(JSC::CompressedLazyValueProfileHolder::addOperandValueProfile):
(JSC::CompressedLazyValueProfileHolder::addSpeculationFailureValueProfile):
(JSC::LazyOperandValueProfileParser::initialize):
(JSC::LazyOperandValueProfileParser::getIfPresent const):
(JSC::LazyOperandValueProfileParser::prediction const):
* Source/JavaScriptCore/bytecode/LazyValueProfile.h: Added.
* Source/JavaScriptCore/bytecode/MetadataTable.h:
(JSC::MetadataTable::valueProfileForOffset):
* Source/JavaScriptCore/bytecode/MethodOfGettingAValueProfile.cpp:
(JSC::MethodOfGettingAValueProfile::emitReportValue const):
* Source/JavaScriptCore/bytecode/ValueProfile.h:
(JSC::ValueProfileBase::computeUpdatedPredictionForExtraValue):
(JSC::MinimalValueProfile::MinimalValueProfile):
(JSC::ValueProfile::ValueProfile):
(JSC::ValueProfile::offsetOfFirstBucket):
(JSC::ArgumentValueProfile::ArgumentValueProfile):
(JSC::UnlinkedValueProfile::update):
(JSC::ValueProfileWithLogNumberOfBuckets::ValueProfileWithLogNumberOfBuckets): Deleted.
* Source/JavaScriptCore/dfg/DFGByteCodeParser.cpp:
(JSC::DFG::ByteCodeParser::getPredictionWithoutOSRExit):
(JSC::DFG::ByteCodeParser::handleVarargsInlining):
(JSC::DFG::ByteCodeParser::InlineStackEntry::InlineStackEntry):
* Source/JavaScriptCore/dfg/DFGPredictionInjectionPhase.cpp:
(JSC::DFG::PredictionInjectionPhase::run):
* Source/JavaScriptCore/jit/JIT.cpp:
(JSC::JIT::compileAndLinkWithoutFinalizing):
* Source/JavaScriptCore/llint/LLIntOffsetsExtractor.cpp:
* Source/JavaScriptCore/llint/LowLevelInterpreter.asm:
* Source/JavaScriptCore/tools/HeapVerifier.cpp:
(JSC::HeapVerifier::validateJSCell):
* Source/WTF/wtf/ConcurrentVector.h:

Canonical link: https://commits.webkit.org/269612@main

More information about the webkit-changes mailing list