Changeset 130359 in webkit for trunk/Source/JavaScriptCore/llint

Timestamp:

Oct 3, 2012, 9:03:14 PM (13 years ago)

Author:

[email protected]

Message:

Removed the assumption that "final" objects have a fixed number of inline slots
​https://bugs.webkit.org/show_bug.cgi?id=98332

Reviewed by Filip Pizlo.

This is a step toward object size inference.

I replaced the inline storage capacity constant with a data member per
structure, set the the maximum supported value for the constant to 100,
then fixed what broke. (Note that even though this patch increases the
theoretical maximum inline capacity, it doesn't change any actual inline
capacity.)

• dfg/DFGSpeculativeJIT32_64.cpp:

(JSC::DFG::SpeculativeJIT::compile):

• dfg/DFGSpeculativeJIT64.cpp:

(JSC::DFG::SpeculativeJIT::compile):

• jit/JITPropertyAccess.cpp:

(JSC::JIT::compileGetDirectOffset): These functions just get a rename:
the constant they need is the first out of line offset along the offset
number line, which is not necessarily the same thing (and is, in this
patch, never the same thing) as the inline capacity of any given object.

(JSC::JIT::emit_op_get_by_pname):

• jit/JITPropertyAccess32_64.cpp: This function changes functionality,

since it needs to convert from the abstract offset number line to an
actual offset in memory, and it can't assume that inline and out-of-line
offsets are contiguous on the number line.

(JSC::JIT::compileGetDirectOffset): Updated for rename.

(JSC::JIT::emit_op_get_by_pname): Same as emit_op_get_by_pname above.

• llint/LowLevelInterpreter.asm: Updated to mirror changes in PropertyOffset.h,

since we duplicate values from there.

• llint/LowLevelInterpreter32_64.asm:
• llint/LowLevelInterpreter64.asm: Just like the JIT, most things are just

renames, and get_by_pname changes to do more math. I also standardized
offset calculations to use a hard-coded "-2", to match the JIT. This
isn't really better, but it makes global search and replace easier,
should we choose to refactor this code not to hard-code constants.

I also renamed loadPropertyAtVariableOffsetKnownNotFinal to
loadPropertyAtVariableOffsetKnownNotInline in order to sever the assumption
that inline capacity is tied to object type, and I changed the 64bit LLInt
to use this -- not using this previously seems to have been an oversight.

• runtime/JSObject.cpp:

(JSC::JSObject::visitChildren):
(JSC::JSFinalObject::visitChildren):

• runtime/JSObject.h:

(JSC::JSObject::offsetForLocation):
(JSNonFinalObject):
(JSC::JSFinalObject::createStructure):
(JSFinalObject):
(JSC::JSFinalObject::finishCreation): Updated for above changes.

• runtime/JSPropertyNameIterator.h:

(JSPropertyNameIterator):
(JSC::JSPropertyNameIterator::finishCreation): Store the inline capacity
of our object, since it's not a constant.

(JSC::JSPropertyNameIterator::getOffset): Removed. This function was
wrong. Luckily, it was also unused, since the C++ interpreter is gone.

• runtime/PropertyMapHashTable.h:

(PropertyTable): Use a helper function instead of hard-coding assumptions
about object types.

(JSC::PropertyTable::nextOffset):

• runtime/PropertyOffset.h:

(JSC):
(JSC::checkOffset):
(JSC::validateOffset):
(JSC::isInlineOffset):
(JSC::numberOfSlotsForLastOffset):
(JSC::propertyOffsetFor): Refactored these functions to take inline capacity
as an argument, since it's not fixed at compile time anymore.

• runtime/Structure.cpp:

(JSC::Structure::Structure):
(JSC::Structure::flattenDictionaryStructure):
(JSC::Structure::putSpecificValue):

• runtime/Structure.h:

(Structure):
(JSC::Structure::outOfLineCapacity):
(JSC::Structure::hasInlineStorage):
(JSC::Structure::inlineCapacity):
(JSC::Structure::inlineSize):
(JSC::Structure::firstValidOffset):
(JSC::Structure::lastValidOffset):
(JSC::Structure::create): Removed some hard-coded assumptions about inline
capacity and object type, and replaced with more liberal use of helper functions.

Location:

trunk/Source/JavaScriptCore/llint

Files:

• LowLevelInterpreter.asm (modified) (1 diff)
• LowLevelInterpreter32_64.asm (modified) (3 diffs)
• LowLevelInterpreter64.asm (modified) (4 diffs)

trunk/Source/JavaScriptCore/llint/LowLevelInterpreter.asm

@@ -90 +90 @@
 const HashFlags8BitBuffer = 64
 
-# Property storage constants
-if JSVALUE64
-    const InlineStorageCapacity = 6
-else
-    const InlineStorageCapacity = 7
-end
+# Copied from PropertyOffset.h
+const firstOutOfLineOffset = 100
 
 # Allocation constants

trunk/Source/JavaScriptCore/llint/LowLevelInterpreter32_64.asm

@@ -938 +938 @@
 
 
-macro loadPropertyAtVariableOffsetKnownNotFinal(propertyOffset, objectAndStorage, tag, payload)
-    assert(macro (ok) bigteq propertyOffset, InlineStorageCapacity, ok end)
+macro loadPropertyAtVariableOffsetKnownNotInline(propertyOffset, objectAndStorage, tag, payload)
+    assert(macro (ok) bigteq propertyOffset, firstOutOfLineOffset, ok end)
     negi propertyOffset
     loadp JSObject::m_butterfly[objectAndStorage], objectAndStorage
-    loadi TagOffset + (InlineStorageCapacity - 1) * 8 - sizeof IndexingHeader[objectAndStorage, propertyOffset, 8], tag
-    loadi PayloadOffset + (InlineStorageCapacity - 1) * 8 - sizeof IndexingHeader[objectAndStorage, propertyOffset, 8], payload
+    loadi TagOffset + (firstOutOfLineOffset - 2) * 8[objectAndStorage, propertyOffset, 8], tag
+    loadi PayloadOffset + (firstOutOfLineOffset - 2) * 8[objectAndStorage, propertyOffset, 8], payload
 end
 
 macro loadPropertyAtVariableOffset(propertyOffset, objectAndStorage, tag, payload)
-    bilt propertyOffset, InlineStorageCapacity, .isInline
+    bilt propertyOffset, firstOutOfLineOffset, .isInline
     loadp JSObject::m_butterfly[objectAndStorage], objectAndStorage
     negi propertyOffset
     jmp .ready
 .isInline:
-    addp JSFinalObject::m_inlineStorage - (InlineStorageCapacity - 1) * 8 + sizeof IndexingHeader, objectAndStorage
+    addp JSFinalObject::m_inlineStorage - (firstOutOfLineOffset - 2) * 8, objectAndStorage
 .ready:
-    loadi TagOffset + (InlineStorageCapacity - 1) * 8 - sizeof IndexingHeader[objectAndStorage, propertyOffset, 8], tag
-    loadi PayloadOffset + (InlineStorageCapacity - 1) * 8 - sizeof IndexingHeader[objectAndStorage, propertyOffset, 8], payload
+    loadi TagOffset + (firstOutOfLineOffset - 2) * 8[objectAndStorage, propertyOffset, 8], tag
+    loadi PayloadOffset + (firstOutOfLineOffset - 2) * 8[objectAndStorage, propertyOffset, 8], payload
 end
 
@@ -969 +969 @@
     bpneq t1, 12[PC], slow
     loadi 16[PC], t1
-    loadPropertyAtVariableOffsetKnownNotFinal(t1, t0, t2, t3)
+    loadPropertyAtVariableOffsetKnownNotInline(t1, t0, t2, t3)
     loadi 4[PC], t0
     storei t2, TagOffset[cfr, t0, 8]
@@ -1365 +1365 @@
     subi 1, t0
     biaeq t0, JSPropertyNameIterator::m_numCacheableSlots[t3], .opGetByPnameSlow
-    addi JSPropertyNameIterator::m_offsetBase[t3], t0
+    bilt t0, JSPropertyNameIterator::m_cachedStructureInlineCapacity[t3], .opGetByPnameInlineProperty
+    addi firstOutOfLineOffset, t0
+    subi JSPropertyNameIterator::m_cachedStructureInlineCapacity[t3], t0
+.opGetByPnameInlineProperty:
     loadPropertyAtVariableOffset(t0, t2, t1, t3)
     loadi 4[PC], t0

trunk/Source/JavaScriptCore/llint/LowLevelInterpreter64.asm

@@ -797 +797 @@
 
 
-macro loadPropertyAtVariableOffsetKnownNotFinal(propertyOffsetAsPointer, objectAndStorage, value)
-    assert(macro (ok) bigteq propertyOffsetAsPointer, InlineStorageCapacity, ok end)
+macro loadPropertyAtVariableOffsetKnownNotInline(propertyOffsetAsPointer, objectAndStorage, value)
+    assert(macro (ok) bigteq propertyOffsetAsPointer, firstOutOfLineOffset, ok end)
     negp propertyOffsetAsPointer
     loadp JSObject::m_butterfly[objectAndStorage], objectAndStorage
-    loadp (InlineStorageCapacity - 1) * 8 - sizeof IndexingHeader[objectAndStorage, propertyOffsetAsPointer, 8], value
+    loadp (firstOutOfLineOffset - 2) * 8[objectAndStorage, propertyOffsetAsPointer, 8], value
 end
 
 macro loadPropertyAtVariableOffset(propertyOffsetAsInt, objectAndStorage, value)
-    bilt propertyOffsetAsInt, InlineStorageCapacity, .isInline
+    bilt propertyOffsetAsInt, firstOutOfLineOffset, .isInline
     loadp JSObject::m_butterfly[objectAndStorage], objectAndStorage
     negi propertyOffsetAsInt
@@ -811 +811 @@
     jmp .ready
 .isInline:
-    addp JSFinalObject::m_inlineStorage - (InlineStorageCapacity - 1) * 8 + sizeof IndexingHeader, objectAndStorage
+    addp JSFinalObject::m_inlineStorage - (firstOutOfLineOffset - 2) * 8, objectAndStorage
 .ready:
-    loadp (InlineStorageCapacity - 1) * 8 - sizeof IndexingHeader[objectAndStorage, propertyOffsetAsInt, 8], value
+    loadp (firstOutOfLineOffset - 2) * 8[objectAndStorage, propertyOffsetAsInt, 8], value
 end
 
@@ -827 +827 @@
     bpneq t1, 24[PB, PC, 8], slow
     loadis 32[PB, PC, 8], t1
-    loadPropertyAtVariableOffset(t1, t0, t2)
+    loadPropertyAtVariableOffsetKnownNotInline(t1, t0, t2)
     loadis 8[PB, PC, 8], t0
     storep t2, [cfr, t0, 8]
@@ -1209 +1209 @@
     subi 1, t3
     biaeq t3, JSPropertyNameIterator::m_numCacheableSlots[t1], .opGetByPnameSlow
-    addi JSPropertyNameIterator::m_offsetBase[t1], t3
+    bilt t3, JSPropertyNameIterator::m_cachedStructureInlineCapacity[t1], .opGetByPnameInlineProperty
+    addi firstOutOfLineOffset, t3
+    subi JSPropertyNameIterator::m_cachedStructureInlineCapacity[t1], t3
+.opGetByPnameInlineProperty:
     loadPropertyAtVariableOffset(t3, t0, t0)
     loadis 8[PB, PC, 8], t1