[Webkit-unassigned] [Bug 72311] Inline caches that refer to otherwise dead objects should be cleared

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Tue Nov 15 02:24:39 PST 2011


https://bugs.webkit.org/show_bug.cgi?id=72311

--- Comment #2 from Filip Pizlo <fpizlo at apple.com>  2011-11-15 02:24:39 PST ---
(In reply to comment #1)
> The simple thing to do would be to clear inline caches on a full GC.  Removing collected entries from IC entries would be better of course, but more complicated.

That would be the simple thing, but see https://bugs.webkit.org/show_bug.cgi?id=72312.  The DFG will "inline" inline caches.  That is, if the old JIT had built up an IC for a monomorphic heap read, then the DFG will simplify the code to:

CheckStructure(OpInfo(the structure), base)
GetByOffset(OpInfo(some offset), base)

This leads to a number of profitable optimizations:

1) The slow case of the IC is omitted, leading to code size reduction.  This is by itself a large win.

2) Multiple CheckStructure's on the same base with no interleaved side-effecting ops can be CSE'd, so that only the first one remains.

3) Information gleaned from a CheckStructure can be forward-propagated by the CFA, which can eliminate some type checks (say that a bit later the DFG emitted code that required that 'base' is a JSFinalObject, and the structure corresponds to a strict subset of JSFinalObjects - then the JSFinalObject check can be elided).

4) The GetByOffset is now known to be a pure operation, so can be subject to CSE, and will not interfere with CSE of other operations.

But this also means that we can't just take the approach of blowing away inline caches on full GC, since this is no longer an inline cache, in the traditional sense - it's an intrinsic part of the code.  So we have to have a way of triggering OSR points on those "inlined" inline caches that are no longer valid if the structure in question is dead.  That's what I'm working on now.

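A constructed toy model of the problem discussed in this comment, added here as an illustration and not code from WebKit or from the comment's author: a monomorphic inline cache and a DFG-style code block both hold weak references to a Structure, and the full-GC sweep clears the cache and jettisons the code block before the structure is freed, so neither keeps a dangling pointer (the jettison flag stands in for the OSR trigger described above). Every name in it (Structure, InlineCache, CodeBlock, full_gc, scenario) is an assumption of this model, not a JavaScriptCore identifier.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdlib.h>
/* Constructed toy model, not JavaScriptCore code: a monomorphic IC caches
 * structure -> slot offset; a DFG-style CodeBlock inlines the same check. */
typedef struct { bool marked; size_t offset; } Structure;
typedef struct { Structure *structure; int slots[4]; } Object;
typedef struct { Structure *structure; size_t offset; } InlineCache; /* weak ref */
typedef struct { Structure *structure; bool jettisoned; } CodeBlock;  /* weak ref */
/* Fast path of the baseline IC: CheckStructure, then GetByOffset. */
bool ic_get(const InlineCache *ic, const Object *obj, int *out) {
    if (ic->structure == NULL || obj->structure != ic->structure) return false;
    *out = obj->slots[ic->offset];
    return true;
}
/* Full GC. Structures are marked only through live objects; ICs and code
 * blocks hold weak references, so a structure can die while both still name it.
 * Before a dead structure is swept: clear every IC naming it (comment #1's simple
 * fix) and jettison every code block that inlined a check on it, so execution
 * falls back to baseline code instead of testing freed memory. */
void full_gc(Structure **heap, size_t nheap, Object **roots, size_t nroots,
             InlineCache *ics, size_t nics, CodeBlock *blocks, size_t nblocks) {
    for (size_t i = 0; i < nheap; i++) if (heap[i]) heap[i]->marked = false;
    for (size_t i = 0; i < nroots; i++) roots[i]->structure->marked = true;
    for (size_t i = 0; i < nheap; i++) {
        Structure *s = heap[i];
        if (s == NULL || s->marked) continue;
        for (size_t j = 0; j < nics; j++) if (ics[j].structure == s) ics[j].structure = NULL;
        for (size_t j = 0; j < nblocks; j++) if (blocks[j].structure == s) blocks[j].jettisoned = true;
        free(s);
        heap[i] = NULL;
    }
}
/* Scenario: two structures, only the first stays reachable from a root.
 * Returns how many of the four post-GC checks hold (4 when all is correct). */
int scenario(void) {
    Structure *heap[2] = { calloc(1, sizeof(Structure)), calloc(1, sizeof(Structure)) };
    heap[0]->offset = 1; heap[1]->offset = 2;
    Object live = { heap[0], { 10, 20, 30, 40 } };
    Object *roots[1] = { &live };
    InlineCache ics[2] = { { heap[0], 1 }, { heap[1], 2 } };
    CodeBlock blocks[2] = { { heap[0], false }, { heap[1], false } };
    int ok = 0, v = 0;
    full_gc(heap, 2, roots, 1, ics, 2, blocks, 2);
    ok += ic_get(&ics[0], &live, &v) && v == 20; /* live IC still hits */
    ok += ics[1].structure == NULL;              /* dead IC cleared, no dangling pointer */
    ok += !blocks[0].jettisoned;                 /* code on the live structure is kept */
    ok += blocks[1].jettisoned;                  /* inlined check on dead structure invalidated */
    free(heap[0]);
    return ok;
}
```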