Changeset 220625 in webkit for trunk/Source/JavaScriptCore/b3

Timestamp:

Aug 12, 2017, 11:44:48 AM (8 years ago)

Author:

[email protected]

Message:

Caging shouldn't have to use a patchpoint for adding
​https://bugs.webkit.org/show_bug.cgi?id=175483

Reviewed by Mark Lam.
Source/JavaScriptCore:

Caging involves doing a Add(ptr, largeConstant). All of B3's heuristics for how to deal with
constants and associative operations dictate that you always want to sink constants. For example,
Add(Add(a, constant), b) always becomes Add(Add(a, b), constant). This is profitable because in
typical code, it reveals downstream optimizations. But it's terrible in the case of caging, because
we want the large constant (which is shared by all caging operations) to be hoisted. Reassociating to
sink constants obscures the constant in this case. Currently, moveConstants is not smart enough to
reassociate, so instead of sinking largeConstant, it tries (and often fails) to sink some other
constants instead. Without some hacks, this is a 5% Kraken regression and a 1.6% Octane regression.
It's not clear that moveConstants could ever be smart enough to rematerialize that constant and then
hoist it - that would require quite a bit of algebraic reasoning. But the only case we know of where
our current constant reassociation heuristics are wrong is caging. So, we can get away with some
hacks for just stopping B3's reassociation only in this specific case.

Previously, we achieved this by concealing the Add(ptr, largeConstant) inside a patchpoint. That's
OK, but patchpoints are expensive. They require a SharedTask instance. They require callbacks from
the backend, including during register allocation. And they cannot be CSE'd. We do want B3 to know
that if we cage the same pointer in two places, both places will compute the same value.

This patch improves the situation by introducing the Opaque opcode. This is handled by LowerToAir as
if it was Identity, but all prior phases treat it as an unknown pure unary idempotent operation. I.e.
they know that Opaque(x) == Opaque(x) and that Opaque(Opaque(x)) == Opaque(x). But they don't know
that Opaque(x) == x until LowerToAir. So, you can use Opaque exactly when you know that B3 will mess
up your code but Air won't. (Currently we know of no cases where Air messes things up on a large
enough scale to warrant new opcodes.)

This change is perf-neutral, but may start to help as I add more uses of caged() in the FTL. It also
makes the code a bit less ugly.

• b3/B3LowerToAir.cpp:

(JSC::B3::Air::LowerToAir::shouldCopyPropagate):
(JSC::B3::Air::LowerToAir::lower):

• b3/B3Opcode.cpp:

(WTF::printInternal):

• b3/B3Opcode.h:
• b3/B3ReduceStrength.cpp:
• b3/B3Validate.cpp:
• b3/B3Value.cpp:

(JSC::B3::Value::effects const):
(JSC::B3::Value::key const):
(JSC::B3::Value::isFree const):
(JSC::B3::Value::typeFor):

• b3/B3Value.h:
• b3/B3ValueKey.cpp:

(JSC::B3::ValueKey::materialize const):

• ftl/FTLLowerDFGToB3.cpp:

(JSC::FTL::DFG::LowerDFGToB3::caged):

• ftl/FTLOutput.cpp:

(JSC::FTL::Output::opaque):

• ftl/FTLOutput.h:

Websites/webkit.org:

Write documentation for the new Opaque opcode.

• docs/b3/intermediate-representation.html:

Location:

trunk/Source/JavaScriptCore/b3

Files:

• B3LowerToAir.cpp (modified) (2 diffs)
• B3Opcode.cpp (modified) (1 diff)
• B3Opcode.h (modified) (2 diffs)
• B3ReduceStrength.cpp (modified) (1 diff)
• B3Validate.cpp (modified) (1 diff)
• B3Value.cpp (modified) (4 diffs)
• B3Value.h (modified) (1 diff)
• B3ValueKey.cpp (modified) (4 diffs)

trunk/Source/JavaScriptCore/b3/B3LowerToAir.cpp

@@ -190 +190 @@
         case Trunc:
         case Identity:
+        case Opaque:
             return true;
         default:
@@ -3337 +3338 @@
         }
             
-        case Identity: {
+        case Identity:
+        case Opaque: {
             ASSERT(tmp(m_value->child(0)) == tmp(m_value));
             return;

trunk/Source/JavaScriptCore/b3/B3Opcode.cpp

@@ -107 +107 @@
         out.print("Identity");
         return;
+    case Opaque:
+        out.print("Opaque");
+        return;
     case Const32:
         out.print("Const32");

trunk/Source/JavaScriptCore/b3/B3Opcode.h

@@ -44 +44 @@
     // Polymorphic identity, usable with any value type.
     Identity,
+        
+    // This is an identity, but we prohibit the compiler from realizing this until the bitter end. This can
+    // be used to block reassociation and other compiler reasoning, if we find that it's wrong or
+    // unprofitable and we need an escape hatch.
+    Opaque,
 
     // Constants. Use the ConstValue* classes. Constants exist in the control flow, so that we can
@@ -259 +264 @@
     // because it unlocks reordering of users of @result and @phantom.
     //
-    // On X86, this is lowered to a load-load fence and @result uses @phantom directly.
+    // On X86, this is lowered to a load-load fence and @result folds to zero.
     //
     // On ARM, this is lowered as if like:

trunk/Source/JavaScriptCore/b3/B3ReduceStrength.cpp

@@ -486 +486 @@
     {
         switch (m_value->opcode()) {
+        case Opaque:
+            // Turn this: Opaque(Opaque(value))
+            // Into this: Opaque(value)
+            if (m_value->child(0)->opcode() == Opaque) {
+                replaceWithIdentity(m_value->child(0));
+                break;
+            }
+            break;
+            
         case Add:
             handleCommutativity();

trunk/Source/JavaScriptCore/b3/B3Validate.cpp

@@ -140 +140 @@
                 break;
             case Identity:
+            case Opaque:
                 VALIDATE(!value->kind().hasExtraBits(), ("At ", *value));
                 VALIDATE(value->numChildren() == 1, ("At ", *value));

trunk/Source/JavaScriptCore/b3/B3Value.cpp

@@ -547 +547 @@
     case Nop:
     case Identity:
+    case Opaque:
     case Const32:
     case Const64:
@@ -701 +702 @@
 ValueKey Value::key() const
 {
+    // NOTE: Except for exotic things like CheckAdd and friends, we want every case here to have a
+    // corresponding case in ValueKey::materialize().
     switch (opcode()) {
     case FramePointer:
         return ValueKey(kind(), type());
     case Identity:
+    case Opaque:
     case Abs:
     case Ceil:
@@ -795 +799 @@
     case ConstFloat:
     case Identity:
+    case Opaque:
     case Nop:
         return true;
@@ -810 +815 @@
     switch (kind.opcode()) {
     case Identity:
+    case Opaque:
     case Add:
     case Sub:

trunk/Source/JavaScriptCore/b3/B3Value.h

@@ -329 +329 @@
             break;
         case Identity:
+        case Opaque:
         case Neg:
         case Clz:

trunk/Source/JavaScriptCore/b3/B3ValueKey.cpp

@@ -1 +1 @@
 /*
- * Copyright (C) 2015-2016 Apple Inc. All rights reserved.
+ * Copyright (C) 2015-2017 Apple Inc. All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
@@ -57 +57 @@
 Value* ValueKey::materialize(Procedure& proc, Origin origin) const
 {
+    // NOTE: We sometimes cannot return a Value* for some key, like for Check and friends. That's because
+    // though those nodes have side exit effects. It would be weird to materialize anything that has a side
+    // exit. We can't possibly know enough about a side exit to know where it would be safe to emit one.
     switch (opcode()) {
     case FramePointer:
         return proc.add<Value>(kind(), type(), origin);
     case Identity:
+    case Opaque:
+    case Abs:
+    case Floor:
+    case Ceil:
     case Sqrt:
+    case Neg:
+    case Depend:
     case SExt8:
     case SExt16:
@@ -72 +81 @@
     case FloatToDouble:
     case DoubleToFloat:
-    case Check:
         return proc.add<Value>(kind(), type(), origin, child(proc, 0));
     case Add:
@@ -97 +105 @@
     case AboveEqual:
     case BelowEqual:
+    case EqualOrUnordered:
         return proc.add<Value>(kind(), type(), origin, child(proc, 0), child(proc, 1));
     case Select: