[webkit-changes] [WebKit/WebKit] 13455c: [JSC] Reland Handler IC

Yusuke Suzuki noreply at github.com
Sat May 4 00:05:09 PDT 2024


  Branch: refs/heads/main
  Home:   https://github.com/WebKit/WebKit
  Commit: 13455c7affe3713294333e8fa829a3089f36f2e4
      https://github.com/WebKit/WebKit/commit/13455c7affe3713294333e8fa829a3089f36f2e4
  Author: Yusuke Suzuki <ysuzuki at apple.com>
  Date:   2024-05-04 (Sat, 04 May 2024)

  Changed paths:
    M Source/JavaScriptCore/bytecode/AccessCase.cpp
    M Source/JavaScriptCore/bytecode/AccessCase.h
    M Source/JavaScriptCore/bytecode/CodeBlock.cpp
    M Source/JavaScriptCore/bytecode/GetByStatus.cpp
    M Source/JavaScriptCore/bytecode/GetterSetterAccessCase.cpp
    M Source/JavaScriptCore/bytecode/GetterSetterAccessCase.h
    M Source/JavaScriptCore/bytecode/InlineAccess.cpp
    M Source/JavaScriptCore/bytecode/InlineAccess.h
    M Source/JavaScriptCore/bytecode/InlineCacheCompiler.cpp
    M Source/JavaScriptCore/bytecode/InlineCacheCompiler.h
    M Source/JavaScriptCore/bytecode/PutByStatus.cpp
    M Source/JavaScriptCore/bytecode/Repatch.cpp
    M Source/JavaScriptCore/bytecode/SharedJITStubSet.h
    M Source/JavaScriptCore/bytecode/StructureStubInfo.cpp
    M Source/JavaScriptCore/bytecode/StructureStubInfo.h
    M Source/JavaScriptCore/dfg/DFGJITCode.cpp
    M Source/JavaScriptCore/heap/JITStubRoutineSet.cpp
    M Source/JavaScriptCore/jit/GCAwareJITStubRoutine.cpp
    M Source/JavaScriptCore/jit/GCAwareJITStubRoutine.h
    M Source/JavaScriptCore/runtime/StructureID.h
    M Source/WTF/wtf/FixedVector.h
    M Source/WTF/wtf/HashCountedSet.h

  Log Message:
  -----------
  [JSC] Reland Handler IC
https://bugs.webkit.org/show_bug.cgi?id=273693
rdar://127496851

Reviewed by Keith Miller.

This patch enables a limited variant of Handler IC. The limitation means:

1. Only enabled for Baseline JIT.
2. Getter and Setter are not supported yet.
3. We are caching the entire code as one handler. This is not the final form we would like to have.
   The next step is splitting them into one per AccessCase and chaining them.
4. After (3) gets done, we would like to put more data into InlineCacheHandler itself so that code
   can be more and more sharable.

But even with this limited form, we are already observing a good cache hit rate. So we take the approach of starting with this
and further extending Handler IC based on the above milestones.

We enable Handler IC, which is only enabled for Baseline JIT right now.
The IC is hash-consed via SharedJITStubSet. InlineCacheCompiler first searches for an already compiled stub. If it finds one,
we register a watchpoint to this stub and use it without new compilation. If it is not found, we compile a new stub and register it to this table if possible.
When nobody uses this stub, the refCount becomes zero, and it automatically unregisters itself from the table.
Each StructureStubInfo site's access cases always subsume the stub's access cases. So GC will check validity via this StructureStubInfo's access cases, and
drop the stub when it is no longer valid (the same as the current IC).

The major difference from the last patch is adding multiple owners to the shared JIT IC.
Stubs unregister themselves from SharedJITStubSet when they reach a zero ref-count.
But this does not work well since CodeBlock can be destroyed lazily: if CodeBlock is dead, during that,
no GC scanning happens to this stub while the ref-count is still non-zero.
For normal JIT stubs, we have an owner concept for the JIT stub. At the GC end phase, we iterate stubs and check whether the owner is already dead.
And if it is dead, we mark it m_ownerIsDead. But the shared JIT stub does not have this concept.
Instead, we have a HashCountedSet for the shared JIT stub, and register multiple owners for the shared JIT stub. And at the GC end phase, we scan owners
to wipe dead owners, and when live owners become zero, we mark the stub as m_ownerIsDead too.

* Source/JavaScriptCore/bytecode/AccessCase.cpp:
(JSC::AccessCase::tryGetAlternateBaseImpl const):
(JSC::AccessCase::canBeShared):
(JSC::AccessCase::tryGetAlternateBase const):
(JSC::AccessCase::hasAlternateBaseImpl const): Deleted.
(JSC::AccessCase::alternateBaseImpl const): Deleted.
(JSC::AccessCase::hasAlternateBase const): Deleted.
(JSC::AccessCase::alternateBase const): Deleted.
* Source/JavaScriptCore/bytecode/AccessCase.h:
(JSC::AccessCase::identifier const):
(JSC::AccessCase::dumpImpl const):
(JSC::AccessCase::updateIdentifier): Deleted.
* Source/JavaScriptCore/bytecode/GetByStatus.cpp:
(JSC::GetByStatus::computeForStubInfoWithoutExitSiteFeedback):
* Source/JavaScriptCore/bytecode/GetterSetterAccessCase.cpp:
(JSC::GetterSetterAccessCase::tryGetAlternateBaseImpl const):
(JSC::GetterSetterAccessCase::hasAlternateBaseImpl const): Deleted.
(JSC::GetterSetterAccessCase::alternateBaseImpl const): Deleted.
* Source/JavaScriptCore/bytecode/GetterSetterAccessCase.h:
* Source/JavaScriptCore/bytecode/InlineCacheCompiler.cpp:
(JSC::InlineCacheCompiler::generateImpl):
(JSC::InlineCacheCompiler::regenerate):
(JSC::isMegamorphicById): Deleted.
* Source/JavaScriptCore/bytecode/PutByStatus.cpp:
(JSC::PutByStatus::computeForStubInfo):
* Source/JavaScriptCore/jit/GCAwareJITStubRoutine.h:
(JSC::PolymorphicAccessJITStubRoutine::isStillValid const):
* Source/JavaScriptCore/runtime/StructureID.h:

Canonical link: https://commits.webkit.org/278369@main
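
The lifetime rule in the log message, modeled as an added example that is not WebKit code and not part of the commit: a hash-consed stub table whose entries unregister on last release, plus a counted owner set swept at the GC end phase. `Owner`, `SharedStub`, `StubSet` and `marked` are hypothetical stand-ins for CodeBlock, the shared stub routine, SharedJITStubSet and GC liveness.

```cpp
#include <cstddef>
#include <cstdint>
#include <iterator>
#include <memory>
#include <unordered_map>

struct Owner { bool marked = true; };  // hypothetical CodeBlock; marked == survived this GC

struct SharedStub {
    uint64_t key;                                 // stands in for the hashed access cases
    std::unordered_map<Owner*, unsigned> owners;  // counted set: owner -> number of IC sites
    bool ownerIsDead = false;
    explicit SharedStub(uint64_t k) : key(k) {}
    void addOwner(Owner* o) { ++owners[o]; }
    // GC end phase: wipe owners that did not survive; zero live owners => stub is dead,
    // even if lazily destroyed owners still hold references to it.
    void sweepOwners() {
        for (auto it = owners.begin(); it != owners.end();)
            it = it->first->marked ? std::next(it) : owners.erase(it);
        if (owners.empty()) ownerIsDead = true;
    }
};

class StubSet {  // must outlive every stub it hands out
    std::unordered_map<uint64_t, std::weak_ptr<SharedStub>> table;
public:
    // Reuse an already "compiled" stub with the same key, else create and register one.
    std::shared_ptr<SharedStub> findOrCompile(uint64_t key, Owner* owner) {
        auto stub = table[key].lock();
        if (!stub) {
            stub = std::shared_ptr<SharedStub>(new SharedStub(key), [this](SharedStub* s) {
                table.erase(s->key);  // ref-count hit zero: unregister from the table
                delete s;
            });
            table[key] = stub;
        }
        stub->addOwner(owner);
        return stub;
    }
    std::size_t size() const { return table.size(); }
};

int main() {
    StubSet set; Owner a, b;
    auto s1 = set.findOrCompile(42, &a), s2 = set.findOrCompile(42, &b);
    a.marked = false; s1->sweepOwners();   // a is dead, but its reference s1 lingers
    bool liveWithB = !s1->ownerIsDead;     // b still owns the stub
    b.marked = false; s1->sweepOwners();   // no live owner left
    return (s1 == s2 && liveWithB && s1->ownerIsDead) ? 0 : 1;
}
```

The second sweep flags the stub dead while its reference count is still two, which is the case a ref-count-only scheme leaves unhandled.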


