Branch: refs/heads/main
Home: https://github.com/WebKit/WebKit
Commit: 1045bbc1a8e3b42ef926b776cb315219c1ba0d0d
    https://github.com/WebKit/WebKit/commit/1045bbc1a8e3b42ef926b776cb315219c1ba0d0d
Author: Yusuke Suzuki <ysuz...@apple.com>
Date: 2025-09-11 (Thu, 11 Sep 2025)
Changed paths:
  M Source/JavaScriptCore/CMakeLists.txt
  M Source/JavaScriptCore/JavaScriptCore.xcodeproj/project.pbxproj
  M Source/JavaScriptCore/Sources.txt
  M Source/JavaScriptCore/wasm/WasmBBQJIT.cpp
  M Source/JavaScriptCore/wasm/WasmBBQJIT.h
  M Source/JavaScriptCore/wasm/WasmBBQJIT32_64.cpp
  M Source/JavaScriptCore/wasm/WasmBBQJIT64.cpp
  M Source/JavaScriptCore/wasm/WasmBBQPlan.cpp
  M Source/JavaScriptCore/wasm/WasmBBQPlan.h
  A Source/JavaScriptCore/wasm/WasmBaselineData.h
  M Source/JavaScriptCore/wasm/WasmCallSlot.h
  M Source/JavaScriptCore/wasm/WasmCallee.cpp
  M Source/JavaScriptCore/wasm/WasmCallee.h
  M Source/JavaScriptCore/wasm/WasmIPIntSlowPaths.cpp
  A Source/JavaScriptCore/wasm/WasmMergedProfile.cpp
  A Source/JavaScriptCore/wasm/WasmMergedProfile.h
  M Source/JavaScriptCore/wasm/WasmModule.cpp
  M Source/JavaScriptCore/wasm/WasmModule.h
  M Source/JavaScriptCore/wasm/WasmOMGIRGenerator.cpp
  M Source/JavaScriptCore/wasm/WasmOMGIRGenerator.h
  M Source/JavaScriptCore/wasm/WasmOMGIRGenerator32_64.cpp
  M Source/JavaScriptCore/wasm/WasmOMGPlan.cpp
  M Source/JavaScriptCore/wasm/WasmOSREntryPlan.cpp
  M Source/JavaScriptCore/wasm/WasmOperations.cpp
  M Source/JavaScriptCore/wasm/WasmOperations.h
  A Source/JavaScriptCore/wasm/WasmProfileCollection.cpp
  A Source/JavaScriptCore/wasm/WasmProfileCollection.h
  M Source/JavaScriptCore/wasm/WasmThunks.cpp
  M Source/JavaScriptCore/wasm/WasmThunks.h
  M Source/JavaScriptCore/wasm/js/JSWebAssemblyInstance.cpp
  M Source/JavaScriptCore/wasm/js/JSWebAssemblyInstance.h

Log Message:
-----------
[JSC] Profile call_indirect / call_ref monomorphic target and do direct call / inlining in OMG
https://bugs.webkit.org/show_bug.cgi?id=298677
rdar://160312708

Reviewed by Yijia Huang.

This patch extends our profiling mechanism for wasm calls.

1. We start collecting per-instance level profiles instead of per-module level. This makes it easier for us to collect more information without locking. Previously, we were only collecting call counts, which is fine with respect to data races. But we would like to collect more complicated profile information (like polymorphic call targets), and we do not want to take a lock. This per-instance data is chained by a thread-safe weak set from the module, and the compiler will gather information through this backward reference from the module to this data collection.

2. (1)'s data pointer is stored in JSWebAssemblyInstance (to achieve that, we were working on shrinking some of the sizes in JSWebAssemblyInstance, like 299480@main etc.). And BBQ will load it into GPRInfo::jitDataRegister, so the code can quickly access this information.

3. Call profiling is extended to collect the boxed callee. Right now, we only collect (1) init, (2) monomorphic, or (3) megamorphic status. In OMG, we use this information and attempt to directly call this target when it is monomorphic and it is call_indirect / call_ref. This allows us to remove a lot of weird code around call_indirect etc. And OMG even inlines calls when the monomorphic call target is small. Right now, we only collect non-cross-instance calls.

4. The current limitation is that this only handles monomorphic calls. We also found that polymorphic call collection is useful and effective for some real-world code. So we will extend it later.
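As an added illustration, not code from the WebKit commit or from JSC itself, the following C++ model reproduces the profile lattice that items 1 and 3 of the log message describe: each instance keeps its own call-site slot that moves through init, monomorphic and megamorphic as callees are observed, the compiler folds the slots from every instance into one merged verdict, and the optimizing tier turns that verdict into an indirect call, a direct call, or an inlined call. The names CallSlot, MergedCallSite, mergeCallSite, chooseStrategy, the numeric callee identities and the inline size threshold are all assumptions of this model; JSC's own CallSlot and MergedProfile types (listed in the ChangeLog entries) have different interfaces.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <optional>
#include <vector>

// Constructed model of a per-instance call-site profile slot (not JSC's type).
// Each observed call records the boxed callee identity and moves the slot
// through init -> monomorphic -> megamorphic, never back.
struct CallSlot {
    enum class State { Init, Monomorphic, Megamorphic };

    uint32_t count = 0;        // how many calls went through this site
    uintptr_t callee = 0;      // boxed callee identity; 0 means "none recorded"
    State state = State::Init;

    void observe(uintptr_t target)
    {
        ++count;
        switch (state) {
        case State::Init:
            callee = target;
            state = State::Monomorphic;
            break;
        case State::Monomorphic:
            if (callee != target) {
                callee = 0;
                state = State::Megamorphic;
            }
            break;
        case State::Megamorphic:
            break; // already gave up on a single target
        }
    }
};

// Constructed model of the merged view the optimizer reads: the same call
// site's slots from every live instance folded into one verdict.
struct MergedCallSite {
    uint32_t count = 0;
    uintptr_t callee = 0;
    bool megamorphic = false;

    void merge(const CallSlot& slot)
    {
        count += slot.count;
        if (megamorphic || slot.state == CallSlot::State::Init)
            return;
        if (slot.state == CallSlot::State::Megamorphic || (callee && callee != slot.callee)) {
            // One instance saw several targets, or two instances disagree on
            // the single target: there is no callee left to speculate on.
            megamorphic = true;
            callee = 0;
            return;
        }
        callee = slot.callee;
    }

    bool isCalled() const { return count > 0; }

    std::optional<uintptr_t> monomorphicTarget() const
    {
        if (megamorphic || !callee)
            return std::nullopt;
        return callee;
    }
};

MergedCallSite mergeCallSite(const std::vector<CallSlot>& perInstanceSlots)
{
    MergedCallSite merged;
    for (const CallSlot& slot : perInstanceSlots)
        merged.merge(slot);
    return merged;
}

// What the optimizing tier can do with the verdict: only a monomorphic site
// justifies a direct call, and only a small enough target justifies inlining.
// The size threshold is an assumed parameter of this model.
enum class CallStrategy { Indirect, Direct, Inline };

CallStrategy chooseStrategy(const MergedCallSite& site, size_t calleeSizeBytes, size_t inlineThresholdBytes)
{
    if (!site.monomorphicTarget())
        return CallStrategy::Indirect;
    return calleeSizeBytes <= inlineThresholdBytes ? CallStrategy::Inline : CallStrategy::Direct;
}

int main()
{
    // Constructed sample: two instances agree on target 0x1000, a third saw 0x2000.
    CallSlot a, b, c;
    a.observe(0x1000); a.observe(0x1000);
    b.observe(0x1000);
    c.observe(0x2000);

    MergedCallSite agree = mergeCallSite(std::vector<CallSlot>{ a, b });
    MergedCallSite disagree = mergeCallSite(std::vector<CallSlot>{ a, c });
    std::printf("agree: count=%u monomorphic=%d\n", agree.count, (int)agree.monomorphicTarget().has_value());
    std::printf("disagree: count=%u megamorphic=%d\n", disagree.count, (int)disagree.megamorphic);
    std::printf("strategy(agree, 64 bytes): %d\n", static_cast<int>(chooseStrategy(agree, 64, 128)));
    return 0;
}
```

The model runs single-threaded; the log message's point that per-instance slots let the interpreter and baseline tier write profiles without a lock, while the compiler reads them through the module's back reference, is a concurrency design that this sketch does not reproduce. The decision in chooseStrategy is a speculation: a site that was monomorphic while profiled can see a different callee later, so whatever code the optimizer emits from such a verdict still has to behave correctly for that case. The commit message does not describe how OMG handles that, so the model stops at the decision.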
* Source/JavaScriptCore/CMakeLists.txt:
* Source/JavaScriptCore/JavaScriptCore.xcodeproj/project.pbxproj:
* Source/JavaScriptCore/Sources.txt:
* Source/JavaScriptCore/wasm/WasmBBQJIT.cpp:
(JSC::Wasm::BBQJITImpl::BBQJIT::BBQJIT):
(JSC::Wasm::BBQJITImpl::BBQJIT::emitIncrementCallSlotCount):
(JSC::Wasm::BBQJITImpl::BBQJIT::addTopLevel):
(JSC::Wasm::BBQJITImpl::BBQJIT::addLoopOSREntrypoint):
(JSC::Wasm::BBQJITImpl::BBQJIT::emitIndirectCall):
(JSC::Wasm::BBQJITImpl::BBQJIT::addCallIndirect):
(JSC::Wasm::parseAndCompileBBQ):
* Source/JavaScriptCore/wasm/WasmBBQJIT.h:
* Source/JavaScriptCore/wasm/WasmBBQJIT32_64.cpp:
(JSC::Wasm::BBQJITImpl::BBQJIT::getGlobal):
(JSC::Wasm::BBQJITImpl::BBQJIT::setGlobal):
* Source/JavaScriptCore/wasm/WasmBBQJIT64.cpp:
(JSC::Wasm::BBQJITImpl::BBQJIT::getGlobal):
(JSC::Wasm::BBQJITImpl::BBQJIT::setGlobal):
(JSC::Wasm::BBQJITImpl::BBQJIT::emitAllocateGCArrayUninitialized):
(JSC::Wasm::BBQJITImpl::BBQJIT::emitAllocateGCStructUninitialized):
(JSC::Wasm::BBQJITImpl::BBQJIT::addCallRef):
* Source/JavaScriptCore/wasm/WasmBBQPlan.cpp:
(JSC::Wasm::BBQPlan::BBQPlan):
(JSC::Wasm::BBQPlan::compileFunction):
* Source/JavaScriptCore/wasm/WasmBBQPlan.h:
* Source/JavaScriptCore/wasm/WasmBaselineData.h: Copied from Source/JavaScriptCore/wasm/WasmCallSlot.h.
* Source/JavaScriptCore/wasm/WasmCallSlot.h:
(JSC::Wasm::CallSlot::observeCrossInstanceCall):
(JSC::Wasm::CallSlot::observeCallIndirect):
(JSC::Wasm::CallSlot::boxedCallee const):
(JSC::Wasm::CallSlot::offsetOfBoxedCallee):
(JSC::Wasm::CallSlot::addressOfCount): Deleted.
* Source/JavaScriptCore/wasm/WasmCallee.cpp:
(JSC::Wasm::IPIntCallee::IPIntCallee):
(JSC::Wasm::IPIntCallee::needsProfiling const):
* Source/JavaScriptCore/wasm/WasmCallee.h:
* Source/JavaScriptCore/wasm/WasmIPIntSlowPaths.cpp:
(JSC::IPInt::jitCompileAndSetHeuristics):
(JSC::IPInt::jitCompileSIMDFunctionSynchronously):
(JSC::IPInt::WASM_IPINT_EXTERN_CPP_DECL):
* Source/JavaScriptCore/wasm/WasmMergedProfile.cpp: Copied from Source/JavaScriptCore/wasm/WasmCallSlot.h.
(JSC::Wasm::MergedProfile::MergedProfile):
(JSC::Wasm::MergedProfile::CallSite::merge):
* Source/JavaScriptCore/wasm/WasmMergedProfile.h: Copied from Source/JavaScriptCore/wasm/WasmCallSlot.h.
(JSC::Wasm::MergedProfile::CallSite::count const):
(JSC::Wasm::MergedProfile::CallSite::callee const):
(JSC::Wasm::MergedProfile::CallSite::isMegamorphic const):
(JSC::Wasm::MergedProfile::isCalled const):
(JSC::Wasm::MergedProfile::callee const):
(JSC::Wasm::MergedProfile::isMegamorphic const):
(JSC::Wasm::MergedProfile::mutableSpan):
(JSC::Wasm::MergedProfile::span const):
* Source/JavaScriptCore/wasm/WasmModule.cpp:
(JSC::Wasm::Module::createProfiles):
(JSC::Wasm::Module::createMergedProfile):
* Source/JavaScriptCore/wasm/WasmModule.h:
(JSC::Wasm::Module::ipintCallees const):
* Source/JavaScriptCore/wasm/WasmOMGIRGenerator.cpp:
(JSC::Wasm::OMGIRGenerator::OMGIRGenerator):
(JSC::Wasm::OMGIRGenerator::emitIndirectCall):
(JSC::Wasm::OMGIRGenerator::getGlobal):
(JSC::Wasm::OMGIRGenerator::setGlobal):
(JSC::Wasm::OMGIRGenerator::allocatorForWasmGCHeapCellSize):
(JSC::Wasm::OMGIRGenerator::allocateWasmGCArrayUninitialized):
(JSC::Wasm::OMGIRGenerator::allocateWasmGCStructUninitialized):
(JSC::Wasm::OMGIRGenerator::addInlinedReturn):
(JSC::Wasm::OMGIRGenerator::canInline const):
(JSC::Wasm::OMGIRGenerator::emitInlineDirectCall):
(JSC::Wasm::OMGIRGenerator::addCall):
(JSC::Wasm::OMGIRGenerator::emitDirectCall):
(JSC::Wasm::OMGIRGenerator::addCallIndirect):
(JSC::Wasm::OMGIRGenerator::addCallRef):
(JSC::Wasm::parseAndCompileOMG):
* Source/JavaScriptCore/wasm/WasmOMGIRGenerator.h:
* Source/JavaScriptCore/wasm/WasmOMGIRGenerator32_64.cpp:
(JSC::Wasm::OMGIRGenerator::OMGIRGenerator):
(JSC::Wasm::OMGIRGenerator::getGlobal):
(JSC::Wasm::OMGIRGenerator::setGlobal):
(JSC::Wasm::OMGIRGenerator::allocatorForWasmGCHeapCellSize):
(JSC::Wasm::OMGIRGenerator::allocateWasmGCArrayUninitialized):
(JSC::Wasm::OMGIRGenerator::allocateWasmGCStructUninitialized):
(JSC::Wasm::OMGIRGenerator::canInline const):
(JSC::Wasm::OMGIRGenerator::emitInlineDirectCall):
(JSC::Wasm::OMGIRGenerator::addCallIndirect):
(JSC::Wasm::parseAndCompileOMG):
* Source/JavaScriptCore/wasm/WasmOMGPlan.cpp:
(JSC::Wasm::OMGPlan::work):
* Source/JavaScriptCore/wasm/WasmOSREntryPlan.cpp:
(JSC::Wasm::OSREntryPlan::work):
* Source/JavaScriptCore/wasm/WasmOperations.cpp:
(JSC::Wasm::JSC_DEFINE_NOEXCEPT_JIT_OPERATION):
* Source/JavaScriptCore/wasm/WasmOperations.h:
* Source/JavaScriptCore/wasm/WasmProfileCollection.cpp: Copied from Source/JavaScriptCore/wasm/WasmCallSlot.h.
(JSC::Wasm::ProfileCollection::create):
(JSC::Wasm::ProfileCollection::tryGetBaselineData):
(JSC::Wasm::ProfileCollection::registerBaselineData):
* Source/JavaScriptCore/wasm/WasmProfileCollection.h: Copied from Source/JavaScriptCore/wasm/WasmCallSlot.h.
* Source/JavaScriptCore/wasm/WasmThunks.cpp:
(JSC::Wasm::materializeBaselineDataGenerator):
* Source/JavaScriptCore/wasm/WasmThunks.h:
* Source/JavaScriptCore/wasm/js/JSWebAssemblyInstance.cpp:
(JSC::JSWebAssemblyInstance::JSWebAssemblyInstance):
(JSC::JSWebAssemblyInstance::finishCreation):
(JSC::JSWebAssemblyInstance::~JSWebAssemblyInstance):
(JSC::JSWebAssemblyInstance::visitChildrenImpl):
(JSC::JSWebAssemblyInstance::allocationSize):
(JSC::JSWebAssemblyInstance::table):
(JSC::JSWebAssemblyInstance::tableCopy):
(JSC::JSWebAssemblyInstance::elementAt const):
(JSC::JSWebAssemblyInstance::evaluateConstantExpression):
(JSC::JSWebAssemblyInstance::tableInit):
(JSC::JSWebAssemblyInstance::setTable):
(JSC::JSWebAssemblyInstance::ensureBaselineData):
* Source/JavaScriptCore/wasm/js/JSWebAssemblyInstance.h:

Canonical link: https://commits.webkit.org/299870@main

_______________________________________________
webkit-changes mailing list
webkit-changes@lists.webkit.org
https://lists.webkit.org/mailman/listinfo/webkit-changes