Changeset 222382 in webkit for trunk/Source/JavaScriptCore

Timestamp:

Sep 22, 2017, 3:25:58 AM (8 years ago)

Author:

Yusuke Suzuki

Message:

Unreviewed, rolling out r222380.
​https://bugs.webkit.org/show_bug.cgi?id=177352

Octane/box2d shows 8% regression (Requested by yusukesuzuki on
#webkit).

Reverted changeset:

"[DFG][FTL] Profile array vector length for array allocation"
​https://bugs.webkit.org/show_bug.cgi?id=177051
​http://trac.webkit.org/changeset/222380

Patch by Commit Queue <​[email protected]> on 2017-09-22

Location:

trunk/Source/JavaScriptCore

Files:

• ChangeLog (modified) (1 diff)
• bytecode/ArrayAllocationProfile.cpp (modified) (2 diffs)
• bytecode/ArrayAllocationProfile.h (modified) (3 diffs)
• bytecode/CodeBlock.cpp (modified) (1 diff)
• dfg/DFGByteCodeParser.cpp (modified) (2 diffs)
• dfg/DFGGraph.cpp (modified) (1 diff)
• dfg/DFGNode.h (modified) (2 diffs)
• dfg/DFGOperations.cpp (modified) (1 diff)
• dfg/DFGOperations.h (modified) (1 diff)
• dfg/DFGSpeculativeJIT64.cpp (modified) (2 diffs)
• ftl/FTLLowerDFGToB3.cpp (modified) (8 diffs)
• runtime/ArrayConventions.h (modified) (1 diff)
• runtime/JSArray.h (modified) (4 diffs)

trunk/Source/JavaScriptCore/ChangeLog

@@ +1 @@
+2017-09-22  Commit Queue  <[email protected]>
+
+        Unreviewed, rolling out r222380.
+        https://bugs.webkit.org/show_bug.cgi?id=177352
+
+        Octane/box2d shows 8% regression (Requested by yusukesuzuki on
+        #webkit).
+
+        Reverted changeset:
+
+        "[DFG][FTL] Profile array vector length for array allocation"
+        https://bugs.webkit.org/show_bug.cgi?id=177051
+        http://trac.webkit.org/changeset/222380
+
 2017-09-21  Yusuke Suzuki  <[email protected]>
 

trunk/Source/JavaScriptCore/bytecode/ArrayAllocationProfile.cpp

@@ -31 +31 @@
 namespace JSC {
 
-void ArrayAllocationProfile::updateProfile()
+void ArrayAllocationProfile::updateIndexingType()
 {
     // This is awkwardly racy but totally sound even when executed concurrently. The
@@ -50 +50 @@
     if (!lastArray)
         return;
-    if (LIKELY(Options::useArrayAllocationProfiling())) {
+    if (LIKELY(Options::useArrayAllocationProfiling()))
         m_currentIndexingType = leastUpperBoundOfIndexingTypes(m_currentIndexingType, lastArray->indexingType());
-        m_largestSeenVectorLength = std::min(std::max(m_largestSeenVectorLength, lastArray->getVectorLength()), BASE_CONTIGUOUS_VECTOR_LEN_MAX);
-    }
-    m_lastArray = nullptr;
+    m_lastArray = 0;
 }
 

trunk/Source/JavaScriptCore/bytecode/ArrayAllocationProfile.h

@@ -33 +33 @@
 class ArrayAllocationProfile {
 public:
+    ArrayAllocationProfile()
+        : m_currentIndexingType(ArrayWithUndecided)
+        , m_lastArray(0)
+    {
+    }
+    
     IndexingType selectIndexingType()
     {
         JSArray* lastArray = m_lastArray;
         if (lastArray && UNLIKELY(lastArray->indexingType() != m_currentIndexingType))
-            updateProfile();
+            updateIndexingType();
         return m_currentIndexingType;
-    }
-
-    // vector length hint becomes [0, BASE_CONTIGUOUS_VECTOR_LEN_MAX].
-    unsigned vectorLengthHint()
-    {
-        JSArray* lastArray = m_lastArray;
-        if (lastArray && (m_largestSeenVectorLength != BASE_CONTIGUOUS_VECTOR_LEN_MAX) && UNLIKELY(lastArray->getVectorLength() > m_largestSeenVectorLength))
-            updateProfile();
-        return m_largestSeenVectorLength;
     }
     
@@ -56 +53 @@
     }
     
-    JS_EXPORT_PRIVATE void updateProfile();
+    JS_EXPORT_PRIVATE void updateIndexingType();
     
     static IndexingType selectIndexingTypeFor(ArrayAllocationProfile* profile)
@@ -74 +71 @@
 private:
     
-    IndexingType m_currentIndexingType { ArrayWithUndecided };
-    unsigned m_largestSeenVectorLength { 0 };
-    JSArray* m_lastArray { nullptr };
+    IndexingType m_currentIndexingType;
+    JSArray* m_lastArray;
 };
 

trunk/Source/JavaScriptCore/bytecode/CodeBlock.cpp

@@ -2569 +2569 @@
     // Don't count these either, for similar reasons.
     for (unsigned i = m_arrayAllocationProfiles.size(); i--;)
-        m_arrayAllocationProfiles[i].updateProfile();
+        m_arrayAllocationProfiles[i].updateIndexingType();
 }
 

trunk/Source/JavaScriptCore/dfg/DFGByteCodeParser.cpp

@@ -4400 +4400 @@
             data.numConstants = numConstants;
             data.indexingType = profile->selectIndexingType();
-            data.vectorLengthHint = std::max<unsigned>(profile->vectorLengthHint(), numConstants);
 
             // If this statement has never executed, we'll have the wrong indexing type in the profile.
@@ -4410 +4409 @@
             }
             
-            m_graph.m_newArrayBufferData.append(WTFMove(data));
+            m_graph.m_newArrayBufferData.append(data);
             set(VirtualRegister(currentInstruction[1].u.operand), addToGraph(NewArrayBuffer, OpInfo(&m_graph.m_newArrayBufferData.last())));
             NEXT_OPCODE(op_new_array_buffer);

trunk/Source/JavaScriptCore/dfg/DFGGraph.cpp

@@ -322 +322 @@
             out.print(anotherComma, pointerDumpInContext(freeze(m_codeBlock->constantBuffer(node->startConstant())[i]), context));
         out.print("]");
-        out.print(comma, "vectorLengthHint = ", node->vectorLengthHint());
     }
     if (node->hasLazyJSValue())

trunk/Source/JavaScriptCore/dfg/DFGNode.h

@@ -100 +100 @@
     unsigned startConstant;
     unsigned numConstants;
-    unsigned vectorLengthHint;
     IndexingType indexingType;
 };
@@ -1116 +1115 @@
     {
         return newArrayBufferData()->numConstants;
-    }
-
-    unsigned vectorLengthHint()
-    {
-        return newArrayBufferData()->vectorLengthHint;
     }
     

trunk/Source/JavaScriptCore/dfg/DFGOperations.cpp

@@ -1312 +1312 @@
 }
 
-char* JIT_OPERATION operationNewArrayWithSizeAndHint(ExecState* exec, Structure* arrayStructure, int32_t size, int32_t vectorLengthHint, Butterfly* butterfly)
-{
-    VM& vm = exec->vm();
-    NativeCallFrameTracer tracer(&vm, exec);
-    auto scope = DECLARE_THROW_SCOPE(vm);
-
-    if (UNLIKELY(size < 0))
-        return bitwise_cast<char*>(throwException(exec, scope, createRangeError(exec, ASCIILiteral("Array size is not a small enough positive integer."))));
-
-    JSArray* result;
-    if (butterfly)
-        result = JSArray::createWithButterfly(vm, nullptr, arrayStructure, butterfly);
-    else {
-        result = JSArray::tryCreate(vm, arrayStructure, size, vectorLengthHint);
-        ASSERT(result);
-    }
-    return bitwise_cast<char*>(result);
-}
-
 char* JIT_OPERATION operationNewArrayBuffer(ExecState* exec, Structure* arrayStructure, size_t start, size_t size)
 {

trunk/Source/JavaScriptCore/dfg/DFGOperations.h

@@ -82 +82 @@
 char* JIT_OPERATION operationNewEmptyArray(ExecState*, Structure*) WTF_INTERNAL;
 char* JIT_OPERATION operationNewArrayWithSize(ExecState*, Structure*, int32_t, Butterfly*) WTF_INTERNAL;
-char* JIT_OPERATION operationNewArrayWithSizeAndHint(ExecState*, Structure*, int32_t, int32_t, Butterfly*) WTF_INTERNAL;
 char* JIT_OPERATION operationNewInt8ArrayWithSize(ExecState*, Structure*, int32_t, char*) WTF_INTERNAL;
 char* JIT_OPERATION operationNewInt8ArrayWithOneArgument(ExecState*, Structure*, EncodedJSValue) WTF_INTERNAL;

trunk/Source/JavaScriptCore/dfg/DFGSpeculativeJIT64.cpp

@@ -4239 +4239 @@
         if (!globalObject->isHavingABadTime() && !hasAnyArrayStorage(indexingType)) {
             unsigned numElements = node->numConstants();
-            unsigned vectorLengthHint = node->vectorLengthHint();
-            ASSERT(vectorLengthHint >= numElements);
             
             GPRTemporary result(this);
@@ -4248 +4246 @@
             GPRReg storageGPR = storage.gpr();
 
-            emitAllocateRawObject(resultGPR, m_jit.graph().registerStructure(globalObject->arrayStructureForIndexingTypeDuringAllocation(indexingType)), storageGPR, numElements, vectorLengthHint);
+            emitAllocateRawObject(resultGPR, m_jit.graph().registerStructure(globalObject->arrayStructureForIndexingTypeDuringAllocation(indexingType)), storageGPR, numElements, numElements);
             
             DFG_ASSERT(m_jit.graph(), node, indexingType & IsArray);

trunk/Source/JavaScriptCore/ftl/FTLLowerDFGToB3.cpp

@@ -4190 +4190 @@
                     weakStructure(m_graph.registerStructure(globalObject->arrayStructureForIndexingTypeDuringAllocation(ArrayWithContiguous))),
                     weakStructure(m_graph.registerStructure(globalObject->arrayStructureForIndexingTypeDuringAllocation(ArrayWithDouble)))));
-            arrayResult = allocateJSArray(resultLength, resultLength, structure, indexingType, false, false);
+            arrayResult = allocateJSArray(resultLength, structure, indexingType, false, false);
         }
 
@@ -5115 +5115 @@
         if (!globalObject->isHavingABadTime() && !hasAnyArrayStorage(m_node->indexingType())) {
             unsigned numElements = m_node->numConstants();
-            unsigned vectorLengthHint = m_node->vectorLengthHint();
-           
-            ASSERT(vectorLengthHint >= numElements);
+            
             ArrayValues arrayValues =
-                allocateUninitializedContiguousJSArray(numElements, vectorLengthHint, structure);
+                allocateUninitializedContiguousJSArray(m_out.constInt32(numElements), structure);
             
             JSValue* data = codeBlock()->constantBuffer(m_node->startConstant());
@@ -5158 +5156 @@
             setJSValue(
                 allocateJSArray(
-                    publicLength, publicLength, weakPointer(globalObject->arrayStructureForIndexingTypeDuringAllocation(indexingType)), m_out.constInt32(indexingType)).array);
+                    publicLength, weakPointer(globalObject->arrayStructureForIndexingTypeDuringAllocation(indexingType)), m_out.constInt32(indexingType)).array);
             mutatorFence();
             return;
@@ -11444 +11442 @@
     };
 
-    ArrayValues allocateJSArray(LValue publicLength, LValue vectorLength, LValue structure, LValue indexingType, bool shouldInitializeElements = true, bool shouldLargeArraySizeCreateArrayStorage = true)
+    ArrayValues allocateJSArray(LValue publicLength, LValue structure, LValue indexingType, bool shouldInitializeElements = true, bool shouldLargeArraySizeCreateArrayStorage = true)
     {
         JSGlobalObject* globalObject = m_graph.globalObjectFor(m_node->origin.semantic);
@@ -11463 +11461 @@
         
         LBasicBlock lastNext = m_out.insertNewBlocksBefore(fastCase);
-
-        if (vectorLength->hasInt32() && structure->hasIntPtr()) {
-            unsigned vectorLengthConst = static_cast<unsigned>(vectorLength->asInt32());
-            if (vectorLengthConst <= MAX_STORAGE_VECTOR_LENGTH) {
-                vectorLength = m_out.constInt32(
-                    Butterfly::optimalContiguousVectorLength(
-                        bitwise_cast<Structure*>(structure->asIntPtr())->outOfLineCapacity(), vectorLengthConst));
-            }
-        } else {
-            // We don't compute the optimal vector length for new Array(blah) where blah is not
-            // statically known, since the compute effort of doing it here is probably not worth it.
-        }
         
         ValueFromBlock noButterfly = m_out.anchor(m_out.intPtrZero);
@@ -11487 +11473 @@
         
         m_out.appendTo(fastCase, largeCase);
+
+        LValue vectorLength = nullptr;
+        if (publicLength->hasInt32() && structure->hasIntPtr()) {
+            unsigned publicLengthConst = static_cast<unsigned>(publicLength->asInt32());
+            if (publicLengthConst <= MAX_STORAGE_VECTOR_LENGTH) {
+                vectorLength = m_out.constInt32(
+                    Butterfly::optimalContiguousVectorLength(
+                        bitwise_cast<Structure*>(structure->asIntPtr())->outOfLineCapacity(), publicLengthConst));
+            }
+        }
+        
+        if (!vectorLength) {
+            // We don't compute the optimal vector length for new Array(blah) where blah is not
+            // statically known, since the compute effort of doing it here is probably not worth it.
+            vectorLength = publicLength;
+        }
             
         LValue payloadSize =
@@ -11532 +11534 @@
             [=, &vm] (const Vector<Location>& locations) -> RefPtr<LazySlowPath::Generator> {
                 return createLazyCallGenerator(vm,
-                    operationNewArrayWithSizeAndHint, locations[0].directGPR(),
-                    locations[1].directGPR(), locations[2].directGPR(), locations[3].directGPR(), locations[4].directGPR());
+                    operationNewArrayWithSize, locations[0].directGPR(),
+                    locations[1].directGPR(), locations[2].directGPR(), locations[3].directGPR());
             },
-            structureValue, publicLength, vectorLength, butterflyValue);
+            structureValue, publicLength, butterflyValue);
         ValueFromBlock slowResult = m_out.anchor(slowResultValue);
         ValueFromBlock slowButterfly = m_out.anchor(
@@ -11547 +11549 @@
     }
     
-    ArrayValues allocateUninitializedContiguousJSArrayInternal(LValue publicLength, LValue vectorLength, RegisteredStructure structure)
+    ArrayValues allocateUninitializedContiguousJSArray(LValue publicLength, RegisteredStructure structure)
     {
         bool shouldInitializeElements = false;
         bool shouldLargeArraySizeCreateArrayStorage = false;
         return allocateJSArray(
-            publicLength, vectorLength, weakStructure(structure), m_out.constInt32(structure->indexingType()), shouldInitializeElements,
+            publicLength, weakStructure(structure), m_out.constInt32(structure->indexingType()), shouldInitializeElements,
             shouldLargeArraySizeCreateArrayStorage);
-    }
-
-    ArrayValues allocateUninitializedContiguousJSArray(LValue publicLength, RegisteredStructure structure)
-    {
-        return allocateUninitializedContiguousJSArrayInternal(publicLength, publicLength, structure);
-    }
-
-    ArrayValues allocateUninitializedContiguousJSArray(unsigned publicLength, unsigned vectorLength, RegisteredStructure structure)
-    {
-        ASSERT(vectorLength >= publicLength);
-        return allocateUninitializedContiguousJSArrayInternal(m_out.constInt32(publicLength), m_out.constInt32(vectorLength), structure);
     }
     

trunk/Source/JavaScriptCore/runtime/ArrayConventions.h

@@ -78 +78 @@
 #define BASE_CONTIGUOUS_VECTOR_LEN 3U
 #define BASE_CONTIGUOUS_VECTOR_LEN_EMPTY 5U
-#define BASE_CONTIGUOUS_VECTOR_LEN_MIN 3U
-#define BASE_CONTIGUOUS_VECTOR_LEN_MAX 25U
 #define BASE_ARRAY_STORAGE_VECTOR_LEN 4U
 

trunk/Source/JavaScriptCore/runtime/JSArray.h

@@ -55 +55 @@
 public:
     static JSArray* tryCreate(VM&, Structure*, unsigned initialLength = 0);
-    static JSArray* tryCreate(VM&, Structure*, unsigned initialLength, unsigned vectorLengthHint);
     static JSArray* create(VM&, Structure*, unsigned initialLength = 0);
     static JSArray* createWithButterfly(VM&, GCDeferralContext*, Structure*, Butterfly*);
@@ -217 +216 @@
     VM&, JSCell* intendedOwner, unsigned initialLength);
 
-inline JSArray* JSArray::tryCreate(VM& vm, Structure* structure, unsigned initialLength, unsigned vectorLengthHint)
-{
-    ASSERT(vectorLengthHint >= initialLength);
+inline JSArray* JSArray::tryCreate(VM& vm, Structure* structure, unsigned initialLength)
+{
     unsigned outOfLineStorage = structure->outOfLineCapacity();
 
@@ -231 +229 @@
             || hasContiguous(indexingType));
 
-        if (UNLIKELY(vectorLengthHint > MAX_STORAGE_VECTOR_LENGTH))
+        if (UNLIKELY(initialLength > MAX_STORAGE_VECTOR_LENGTH))
             return nullptr;
 
-        unsigned vectorLength = Butterfly::optimalContiguousVectorLength(structure, vectorLengthHint);
+        unsigned vectorLength = Butterfly::optimalContiguousVectorLength(structure, initialLength);
         void* temp = vm.jsValueGigacageAuxiliarySpace.tryAllocate(nullptr, Butterfly::totalSize(0, outOfLineStorage, true, vectorLength * sizeof(EncodedJSValue)));
         if (!temp)
@@ -259 +257 @@
 }
 
-inline JSArray* JSArray::tryCreate(VM& vm, Structure* structure, unsigned initialLength)
-{
-    return tryCreate(vm, structure, initialLength, initialLength);
-}
-
 inline JSArray* JSArray::create(VM& vm, Structure* structure, unsigned initialLength)
 {