Branch: refs/heads/main
  Home:   https://github.com/WebKit/WebKit
  Commit: 1a5636acd02ea65e4795ca8d19f1111ae088e413
      https://github.com/WebKit/WebKit/commit/1a5636acd02ea65e4795ca8d19f1111ae088e413
  Author: Yusuke Suzuki <ysuz...@apple.com>
  Date:   2022-11-24 (Thu, 24 Nov 2022)

  Changed paths:
    A JSTests/microbenchmarks/emscripten-cube2hash-resizable.js
    A JSTests/stress/resizable-bytelength.js
    A JSTests/stress/resizable-byteoffset.js
    A JSTests/stress/resizable-length.js
    M Source/JavaScriptCore/assembler/MacroAssemblerARM64.h
    M Source/JavaScriptCore/assembler/MacroAssemblerRISCV64.h
    M Source/JavaScriptCore/assembler/MacroAssemblerX86Common.h
    M Source/JavaScriptCore/assembler/MacroAssemblerX86_64.h
    M Source/JavaScriptCore/bytecode/AccessCase.cpp
    M Source/JavaScriptCore/bytecode/AccessCase.h
    M Source/JavaScriptCore/bytecode/IntrinsicGetterAccessCase.h
    M Source/JavaScriptCore/bytecode/PolymorphicAccess.cpp
    M Source/JavaScriptCore/bytecode/Repatch.cpp
    M Source/JavaScriptCore/dfg/DFGArrayMode.cpp
    M Source/JavaScriptCore/dfg/DFGByteCodeParser.cpp
    M Source/JavaScriptCore/dfg/DFGClobberize.h
    M Source/JavaScriptCore/dfg/DFGNode.h
    M Source/JavaScriptCore/dfg/DFGOSRExit.cpp
    M Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp
    M Source/JavaScriptCore/dfg/DFGSpeculativeJIT.h
    M Source/JavaScriptCore/dfg/DFGSpeculativeJIT64.cpp
    M Source/JavaScriptCore/ftl/FTLLowerDFGToB3.cpp
    M Source/JavaScriptCore/jit/AssemblyHelpers.cpp
    M Source/JavaScriptCore/jit/AssemblyHelpers.h
    M Source/JavaScriptCore/jit/IntrinsicEmitter.cpp
    M Source/JavaScriptCore/runtime/ArrayBuffer.h
    M Source/JavaScriptCore/runtime/JSDataView.h
    M Source/JavaScriptCore/runtime/TypedArrayType.cpp
    M Source/JavaScriptCore/runtime/TypedArrayType.h

  Log Message:
  -----------
  [JSC] Add JIT optimizations for ResizableArrayBuffers
https://bugs.webkit.org/show_bug.cgi?id=248206
rdar://problem/102597308

Reviewed by Ross Kirsling.

This patch adds JIT optimizations for resizable ArrayBuffer. Right now, our generated code is not so tightly optimized (in terms of code size in particular),
but it still offers a large improvement already, so this is a great step as a first implementation.

1. We add JIT getter optimizations for TypedArray intrinsic getters. They are implemented in IntrinsicEmitter.
2. We add JIT AccessCase optimizations for resizable TypedArrays. IC can detect resizable TypedArrays, and generate IndexedResizableTypedArray* ICes.
   We do not extend existing TypedArray IC to handle resizable TypedArrays since we would like to keep existing ICes super tightly optimized.
   We should generate this IC handling resizable TypedArrays gracefully only when we found resizable TypedArrays.
3. We annotate ArrayProfile based on profiling and DFG OSR exit so that we can know resizable TypedArrays in DFG / FTL. Based on that, we optimize DFG / FTL
   nodes handling TypedArrays. When we didn't observe resizable TypedArrays, we make resizable TypedArrays OSR exit to make node super tightly optimized and
   avoid saying pessimized clobbering information.
4. We implement DFG / FTL nodes handling resizable TypedArrays. We use (1) and (2)'s JIT code generation to implement them. Ideally, we can do more optimized thing
   in FTL by generating B3 nodes for this instead of using patchpoint. But currently B3 lacks AtomicLoad nodes, so we first just use patchpoint to implement FTL
   optimization.

This patch improved emscripten-cube2hash-resizable benchmark by 2x.

                                            ToT                     Patched

emscripten-cube2hash-resizable       19.1501+-0.0248     ^      9.1659+-0.0471        ^ definitely 2.0893x faster

* JSTests/microbenchmarks/emscripten-cube2hash-resizable.js: Added.
(key.in.Module.Module.hasOwnProperty):
(ENVIRONMENT_IS_NODE.Module.string_appeared_here):
(else.Module.string_appeared_here):
(else.else.Module.string_appeared_here):
(else):
(else.else):
(globalEval):
(Module.string_appeared_here.string_appeared_here.Module.string_appeared_here.Module.string_appeared_here):
(Module.string_appeared_here.Module.string_appeared_here):
(key.in.moduleOverrides.moduleOverrides.hasOwnProperty):
(Runtime.stackSave):
(Runtime.stackRestore):
(Runtime.forceAlign):
(Runtime.isNumberType):
(Runtime.isPointerType):
(Runtime.isStructType):
* JSTests/stress/resizable-bytelength.js: Added.
(shouldBe):
(test):
* JSTests/stress/resizable-byteoffset.js: Added.
(shouldBe):
(test):
* JSTests/stress/resizable-length.js: Added.
(shouldBe):
(test):
* Source/JavaScriptCore/assembler/MacroAssemblerARM64.h:
(JSC::MacroAssemblerARM64::lshift32):
(JSC::MacroAssemblerARM64::lshift64):
(JSC::MacroAssemblerARM64::loadAcq32):
(JSC::MacroAssemblerARM64::loadAcq64):
(JSC::MacroAssemblerARM64::atomicLoad32):
(JSC::MacroAssemblerARM64::atomicLoad64):
* Source/JavaScriptCore/assembler/MacroAssemblerRISCV64.h:
(JSC::MacroAssemblerRISCV64::lshift32):
(JSC::MacroAssemblerRISCV64::lshift64):
(JSC::MacroAssemblerRISCV64::atomicLoad32):
(JSC::MacroAssemblerRISCV64::atomicLoad64):
* Source/JavaScriptCore/assembler/MacroAssemblerX86Common.h:
(JSC::MacroAssemblerX86Common::lshift32):
(JSC::MacroAssemblerX86Common::atomicLoad32):
* Source/JavaScriptCore/assembler/MacroAssemblerX86_64.h:
(JSC::MacroAssemblerX86_64::lshift64):
(JSC::MacroAssemblerX86_64::atomicLoad64):
* Source/JavaScriptCore/bytecode/AccessCase.cpp:
(JSC::AccessCase::create):
(JSC::AccessCase::guardedByStructureCheckSkippingConstantIdentifierCheck const):
(JSC::AccessCase::requiresIdentifierNameMatch const):
(JSC::AccessCase::requiresInt32PropertyCheck const):
(JSC::AccessCase::needsScratchFPR const):
(JSC::AccessCase::forEachDependentCell const):
(JSC::AccessCase::doesCalls const):
(JSC::AccessCase::canReplace const):
(JSC::AccessCase::generateWithGuard):
(JSC::AccessCase::generateImpl):
(JSC::AccessCase::toTypedArrayType):
(JSC::AccessCase::forResizableTypedArray):
(JSC::AccessCase::runWithDowncast):
(JSC::AccessCase::canBeShared):
* Source/JavaScriptCore/bytecode/AccessCase.h:
* Source/JavaScriptCore/bytecode/IntrinsicGetterAccessCase.h:
* Source/JavaScriptCore/bytecode/PolymorphicAccess.cpp:
(WTF::printInternal):
* Source/JavaScriptCore/bytecode/Repatch.cpp:
(JSC::tryCacheArrayGetByVal):
(JSC::tryCacheArrayPutByVal):
* Source/JavaScriptCore/dfg/DFGArrayMode.cpp:
(JSC::DFG::ArrayMode::refine const):
* Source/JavaScriptCore/dfg/DFGByteCodeParser.cpp:
(JSC::DFG::ByteCodeParser::handleIntrinsicCall):
(JSC::DFG::ByteCodeParser::handleIntrinsicGetter):
* Source/JavaScriptCore/dfg/DFGClobberize.h:
(JSC::DFG::clobberize):
* Source/JavaScriptCore/dfg/DFGNode.h:
* Source/JavaScriptCore/dfg/DFGOSRExit.cpp:
(JSC::DFG::OSRExit::compileExit):
* Source/JavaScriptCore/dfg/DFGOperations.cpp:
(JSC::DFG::JSC_DEFINE_JIT_OPERATION):
* Source/JavaScriptCore/dfg/DFGOperations.h:
* Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp:
(JSC::DFG::SpeculativeJIT::jumpForTypedArrayOutOfBounds):
(JSC::DFG::SpeculativeJIT::emitTypedArrayBoundsCheck):
(JSC::DFG::SpeculativeJIT::jumpForTypedArrayIsDetachedIfOutOfBounds):
(JSC::DFG::SpeculativeJIT::compileGetByValOnIntTypedArray):
(JSC::DFG::SpeculativeJIT::compilePutByValForIntTypedArray):
* Source/JavaScriptCore/dfg/DFGSpeculativeJIT.h:
* Source/JavaScriptCore/dfg/DFGSpeculativeJIT64.cpp:
(JSC::DFG::SpeculativeJIT::compileGetTypedArrayLengthAsInt52):
(JSC::DFG::SpeculativeJIT::compileGetTypedArrayByteOffsetAsInt52):
(JSC::DFG::SpeculativeJIT::compile):
* Source/JavaScriptCore/ftl/FTLLowerDFGToB3.cpp:
(JSC::FTL::DFG::LowerDFGToB3::emitGetTypedArrayByteOffsetExceptSettingResult):
(JSC::FTL::DFG::LowerDFGToB3::typedArrayLength):
(JSC::FTL::DFG::LowerDFGToB3::compileGetArrayLength):
(JSC::FTL::DFG::LowerDFGToB3::compileGetTypedArrayLengthAsInt52):
(JSC::FTL::DFG::LowerDFGToB3::compileCompareStrictEq):
* Source/JavaScriptCore/jit/AssemblyHelpers.cpp:
(JSC::AssemblyHelpers::branchIfResizableOrGrowableSharedTypedArrayIsOutOfBounds):
(JSC::AssemblyHelpers::loadTypedArrayByteLengthImpl):
(JSC::AssemblyHelpers::loadTypedArrayByteLength):
(JSC::AssemblyHelpers::loadTypedArrayLength):
* Source/JavaScriptCore/jit/AssemblyHelpers.h:
* Source/JavaScriptCore/jit/IntrinsicEmitter.cpp:
(JSC::IntrinsicGetterAccessCase::canEmitIntrinsicGetter):
(JSC::IntrinsicGetterAccessCase::doesCalls const):
(JSC::IntrinsicGetterAccessCase::emitIntrinsicGetter):
* Source/JavaScriptCore/jit/JITOperations.h:
* Source/JavaScriptCore/runtime/ArrayBuffer.h:
* Source/JavaScriptCore/runtime/JSDataView.h:
(JSC::JSDataView::offsetOfBuffer):
* Source/JavaScriptCore/runtime/TypedArrayType.cpp:
* Source/JavaScriptCore/runtime/TypedArrayType.h:

Canonical link: https://commits.webkit.org/257001@main


_______________________________________________
webkit-changes mailing list
webkit-changes@lists.webkit.org
https://lists.webkit.org/mailman/listinfo/webkit-changes
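
The commit adds stress tests for `length`, `byteLength` and `byteOffset` on resizable buffers and JIT paths that must re-derive a view's bounds on every access. The following reference model of those semantics, as the ECMAScript specification defines them, is an added example and is not code from the WebKit commit; the `view` descriptor and all function names are hypothetical.

```javascript
// Added example: reference model of the length and bounds logic for TypedArray
// views over a resizable ArrayBuffer. `view` is a hypothetical plain descriptor,
// not a JSC type: { byteOffset, elementSize, lengthTracking, fixedLength }.
// A bufferByteLength of null models a detached buffer.
function isOutOfBounds(view, bufferByteLength) {
  if (bufferByteLength === null) return true;
  const end = view.lengthTracking
    ? bufferByteLength
    : view.byteOffset + view.fixedLength * view.elementSize;
  return view.byteOffset > bufferByteLength || end > bufferByteLength;
}

function viewLength(view, bufferByteLength) {
  if (isOutOfBounds(view, bufferByteLength)) return 0;
  if (!view.lengthTracking) return view.fixedLength;
  return Math.floor((bufferByteLength - view.byteOffset) / view.elementSize);
}

function viewByteLength(view, n) { return viewLength(view, n) * view.elementSize; }
function viewByteOffset(view, n) { return isOutOfBounds(view, n) ? 0 : view.byteOffset; }

// The check an indexed load or store has to pass against the *current* length,
// because a resize between two accesses can shrink the view.
function canAccess(view, n, index) {
  return Number.isInteger(index) && index >= 0 && index < viewLength(view, n);
}

// Compare the model with the host engine. Returns null when the engine has no
// resizable ArrayBuffer support, true on agreement, false on any mismatch.
function crossCheckWithEngine() {
  const buffer = new ArrayBuffer(16, { maxByteLength: 32 });
  if (buffer.resizable !== true) return null;
  const pairs = [
    [new Uint32Array(buffer, 8, 2), { byteOffset: 8, elementSize: 4, lengthTracking: false, fixedLength: 2 }],
    [new Uint32Array(buffer, 8), { byteOffset: 8, elementSize: 4, lengthTracking: true, fixedLength: 0 }],
  ];
  for (const size of [16, 14, 12, 8, 4, 32]) { // constructed resize sequence
    buffer.resize(size);
    for (const [real, model] of pairs) {
      if (real.length !== viewLength(model, size)) return false;
      if (real.byteLength !== viewByteLength(model, size)) return false;
      if (real.byteOffset !== viewByteOffset(model, size)) return false;
    }
  }
  return true;
}
```

A fixed-length view reports zero for all three getters once the buffer shrinks below its end, while a length-tracking view shrinks with the buffer and only goes out of bounds when its offset exceeds the buffer length.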
