[webkit-changes] [WebKit/WebKit] 9406e8: [JSC] Use Call-Ret for DataIC

Yusuke Suzuki noreply at github.com
Thu Sep 21 10:08:06 PDT 2023


  Branch: refs/heads/main
  Home:   https://github.com/WebKit/WebKit
  Commit: 9406e8ac287abb90fa86509ef0519cbdf4d71ed5
      https://github.com/WebKit/WebKit/commit/9406e8ac287abb90fa86509ef0519cbdf4d71ed5
  Author: Yusuke Suzuki <ysuzuki at apple.com>
  Date:   2023-09-21 (Thu, 21 Sep 2023)

  Changed paths:
    M Source/JavaScriptCore/bytecode/CodeBlock.cpp
    M Source/JavaScriptCore/bytecode/InlineAccess.cpp
    M Source/JavaScriptCore/bytecode/InlineCacheCompiler.cpp
    M Source/JavaScriptCore/bytecode/InlineCacheCompiler.h
    M Source/JavaScriptCore/bytecode/StructureStubInfo.cpp
    M Source/JavaScriptCore/bytecode/StructureStubInfo.h
    M Source/JavaScriptCore/dfg/DFGInlineCacheWrapperInlines.h
    M Source/JavaScriptCore/dfg/DFGJITCode.h
    M Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp
    M Source/JavaScriptCore/dfg/DFGSpeculativeJIT32_64.cpp
    M Source/JavaScriptCore/dfg/DFGSpeculativeJIT64.cpp
    M Source/JavaScriptCore/ftl/FTLLowerDFGToB3.cpp
    M Source/JavaScriptCore/jit/BaselineJITRegisters.h
    M Source/JavaScriptCore/jit/JIT.cpp
    M Source/JavaScriptCore/jit/JIT.h
    M Source/JavaScriptCore/jit/JITCall.cpp
    M Source/JavaScriptCore/jit/JITInlineCacheGenerator.cpp
    M Source/JavaScriptCore/jit/JITInlineCacheGenerator.h
    M Source/JavaScriptCore/jit/JITOpcodes.cpp
    M Source/JavaScriptCore/jit/JITPropertyAccess.cpp
    M Source/JavaScriptCore/jit/RegisterSet.h

  Log Message:
  -----------
  [JSC] Use Call-Ret for DataIC
https://bugs.webkit.org/show_bug.cgi?id=261595
rdar://115542885

Reviewed by Keith Miller.

This patch converts Baseline DataIC from farJump-based to call-ret based.
Because we get rid of dependency on CodeBlock and make sp-adjustment work with JITData, now
we can appropriately adjust sp without embedding CodeBlock's information. This makes each Data IC
code independent from CodeBlock, and allows us to use call-ret to jump to IC: this is the basis of
handler IC. Now we see this Data IC as a large handler. We will split them and chain them with jumps
so that we can minimize compilations and share code in Baseline.

Baseline calls the IC code, and the IC returns when it finds a result. And we jump to the slow path code finally,
and the slow path invokes the operation, then returns.

    [        baseline code                         ]
        call |              ^                    ^
             v          ret |                ret |
             [ IC code          ] -> [ slow path ]
                                    call |      ^
                                         v  ret |
                                      [ operation ]

In this way, we can exercise the return address predictor well and share slow path code.

* Source/JavaScriptCore/bytecode/CodeBlock.cpp:
(JSC::CodeBlock::setupWithUnlinkedBaselineCode):
* Source/JavaScriptCore/bytecode/InlineAccess.cpp:
(JSC::InlineAccess::resetStubAsJumpInAccess):
(JSC::InlineAccess::resetStubAsJumpInAccessNotUsingInlineAccess):
* Source/JavaScriptCore/bytecode/InlineCacheCompiler.cpp:
(JSC::InlineCacheCompiler::succeed):
(JSC::getByIdSlowPathCodeGenerator):
(JSC::getByIdWithThisSlowPathCodeGenerator):
(JSC::getByValSlowPathCodeGenerator):
(JSC::getPrivateNameSlowPathCodeGenerator):
(JSC::getByValWithThisSlowPathCodeGenerator):
(JSC::putByIdSlowPathCodeGenerator):
(JSC::putByValSlowPathCodeGenerator):
(JSC::instanceOfSlowPathCodeGenerator):
(JSC::delByIdSlowPathCodeGenerator):
(JSC::delByValSlowPathCodeGenerator):
(JSC::InlineCacheCompiler::generateSlowPathCode):
(JSC::InlineCacheCompiler::generateImpl):
(JSC::InlineCacheCompiler::emitProxyObjectAccess):
(JSC::InlineCacheCompiler::regenerate):
* Source/JavaScriptCore/bytecode/InlineCacheCompiler.h:
* Source/JavaScriptCore/bytecode/StructureStubInfo.cpp:
(JSC::StructureStubInfo::initializeFromUnlinkedStructureStubInfo):
* Source/JavaScriptCore/bytecode/StructureStubInfo.h:
* Source/JavaScriptCore/dfg/DFGInlineCacheWrapperInlines.h:
(JSC::DFG::InlineCacheWrapper<GeneratorType>::finalize):
* Source/JavaScriptCore/dfg/DFGJITCode.h:
* Source/JavaScriptCore/jit/BaselineJITRegisters.h:
* Source/JavaScriptCore/jit/JIT.cpp:
(JSC::JIT::link):
* Source/JavaScriptCore/jit/JIT.h:
* Source/JavaScriptCore/jit/JITCall.cpp:
(JSC::JIT::emitSlow_op_iterator_open):
(JSC::JIT::emit_op_iterator_next):
(JSC::JIT::emitSlow_op_iterator_next):
* Source/JavaScriptCore/jit/JITInlineCacheGenerator.cpp:
(JSC::JITInlineCacheGenerator::finalize):
(JSC::JITInlineCacheGenerator::generateBaselineDataICFastPath):
(JSC::JITByIdGenerator::finalize):
(JSC::generateGetByIdInlineAccess):
(JSC::generatePutByIdInlineAccess):
(JSC::JITDelByValGenerator::generateFastPath):
(JSC::JITDelByValGenerator::finalize):
(JSC::JITDelByIdGenerator::generateFastPath):
(JSC::JITDelByIdGenerator::finalize):
(JSC::JITInByValGenerator::generateFastPath):
(JSC::JITInByValGenerator::finalize):
(JSC::generateInByIdInlineAccess):
(JSC::JITInstanceOfGenerator::generateFastPath):
(JSC::JITInstanceOfGenerator::finalize):
(JSC::JITGetByValGenerator::generateFastPath):
(JSC::JITGetByValGenerator::finalize):
(JSC::JITGetByValWithThisGenerator::generateFastPath):
(JSC::JITGetByValWithThisGenerator::finalize):
(JSC::JITPutByValGenerator::generateFastPath):
(JSC::JITPutByValGenerator::finalize):
(JSC::JITPrivateBrandAccessGenerator::generateFastPath):
(JSC::JITPrivateBrandAccessGenerator::finalize):
* Source/JavaScriptCore/jit/JITInlineCacheGenerator.h:
(JSC::JITInlineCacheGenerator::accessType const):
* Source/JavaScriptCore/jit/JITOpcodes.cpp:
(JSC::JIT::emitSlow_op_instanceof):
(JSC::JIT::slow_op_instanceof_callSlowOperationThenCheckExceptionGenerator): Deleted.
* Source/JavaScriptCore/jit/JITPropertyAccess.cpp:
(JSC::JIT::generateGetByValSlowCase):
(JSC::JIT::emitSlow_op_get_private_name):
(JSC::JIT::emitSlow_op_set_private_brand):
(JSC::JIT::emitSlow_op_check_private_brand):
(JSC::JIT::generatePutByValSlowCase):
(JSC::JIT::emitSlow_op_put_private_name):
(JSC::JIT::emitSlow_op_del_by_id):
(JSC::JIT::emitSlow_op_del_by_val):
(JSC::JIT::emitSlow_op_try_get_by_id):
(JSC::JIT::emitSlow_op_get_by_id_direct):
(JSC::JIT::emitSlow_op_get_by_id):
(JSC::JIT::emitSlow_op_get_by_id_with_this):
(JSC::JIT::emitSlow_op_put_by_id):
(JSC::JIT::emitSlow_op_in_by_id):
(JSC::JIT::emitSlow_op_in_by_val):
(JSC::JIT::emitHasPrivateSlow):
(JSC::JIT::emitSlow_op_has_private_name):
(JSC::JIT::emitSlow_op_has_private_brand):
(JSC::JIT::emitSlow_op_get_by_val_with_this):
(JSC::JIT::slow_op_get_by_val_callSlowOperationThenCheckExceptionGenerator): Deleted.
(JSC::JIT::slow_op_get_private_name_callSlowOperationThenCheckExceptionGenerator): Deleted.
(JSC::JIT::slow_op_put_by_val_callSlowOperationThenCheckExceptionGenerator): Deleted.
(JSC::JIT::slow_op_put_private_name_callSlowOperationThenCheckExceptionGenerator): Deleted.
(JSC::JIT::slow_op_del_by_id_callSlowOperationThenCheckExceptionGenerator): Deleted.
(JSC::JIT::slow_op_del_by_val_callSlowOperationThenCheckExceptionGenerator): Deleted.
(JSC::JIT::slow_op_get_by_id_callSlowOperationThenCheckExceptionGenerator): Deleted.
(JSC::JIT::slow_op_get_by_id_with_this_callSlowOperationThenCheckExceptionGenerator): Deleted.
(JSC::JIT::slow_op_put_by_id_callSlowOperationThenCheckExceptionGenerator): Deleted.
(JSC::JIT::slow_op_get_by_val_with_this_callSlowOperationThenCheckExceptionGenerator): Deleted.
* Source/JavaScriptCore/jit/RegisterSet.h:
(JSC::RegisterSetBuilder::buildAndValidate const):

Canonical link: https://commits.webkit.org/268259@main



