Changeset 266242 in webkit for trunk/Source/JavaScriptCore

Timestamp:

Aug 27, 2020, 10:10:18 AM (5 years ago)

Author:

[email protected]

Message:

OSR availability validation should run for any node with exitOK
​https://bugs.webkit.org/show_bug.cgi?id=215672

Reviewed by Saam Barati.

Currently we only validate OSR exit availability if a node would
say mayExit(graph, node) != DoesNotExit and the node is marked
as exitOK. However, it would be perfectly valid to insert a node
that exits anywhere we have a node marked exitOK. So with this
patch we now validate all places where it would ever be possible
to OSR exit.

Relaxing our criteria revealed a number of bugs however. Which I
will describe below in, IMO, increasing complexity/subtly.

First, we currently don't mark arity fixup during inlining as not
exitOK. However, since our arity code says its code origin is
OpEnter, we assume arity fixup has already happened.

Second, OpGetScope, should not mark its first argument as used
since it's not actually used. This is problematic because we could
have a loop where OpGetScope is the first bytecode, namely when
doing tail recursive inlining. If we were in that position, there
could be a local that was used at a merge point at the loop
backedge that had two MovHint defs from both predecessors. In DFG
IR this would look like:

BB#1:
@1: MovHint(Undefined, loc1)
...
Jump(#2)

BB#2:
... loc1 is live here in bytecode
@2: MovHint(@scopeObject, loc1)
@3: SetLocal(@scopeObject, loc1)
Branch(#3, #4) #4 is the successor of the tail call loop

BB#3:
@4 MovHint(Undefined, loc1)
...
Jump(#2)

When we do CPS conversion the MovHints at @1 and @4 will be seen
as different variables (there's no GetLocal). Then, after, during
SSA conversion we won't insert a phi connecting them, making the
argument to OpGetScope, in this case loc1, unrecoverable there are
conflicting nodes and the value isn't saved on the stack.

There were also issues with MovHintRemoval Phase but rather than
fix them we opted to just remove the phase as it didn't show any
performance impact. I'll describe the issues I found below for
completeness, however.

Third, MovHint removal phase had a bug where it would not mark
sections where a zombied MovHint has yet to be killed as not
exitOK. So in theory another phase could come along and insert an
exiting node there.

Fourth, MovHint removal phase had a second bug where a MovHint
that was not killed in the current block would be zombied, which
is wrong for SSA. It's wrong because the MovHinted value could
still be live for OSR exit in a successor block.

Lastly, this patch adds some new verbose options as well as the ability to
dump a DFG::BasicBlock without dereferencing it.

• bytecode/BytecodeUseDef.cpp:

(JSC::computeUsesForBytecodeIndexImpl):

• dfg/DFGBasicBlock.cpp:

(WTF::printInternal):

• dfg/DFGBasicBlock.h:
• dfg/DFGByteCodeParser.cpp:

(JSC::DFG::ByteCodeParser::inlineCall):

• dfg/DFGCPSRethreadingPhase.cpp:

(JSC::DFG::CPSRethreadingPhase::propagatePhis):

• dfg/DFGEpoch.h:

(JSC::DFG::Epoch::operator bool const):

• dfg/DFGOSRAvailabilityAnalysisPhase.cpp:

(JSC::DFG::OSRAvailabilityAnalysisPhase::run):

• dfg/DFGSSACalculator.cpp:

(JSC::DFG::SSACalculator::dump const):

Location:

trunk/Source/JavaScriptCore

Files:

• ChangeLog (modified) (1 diff)
• bytecode/BytecodeUseDef.cpp (modified) (1 diff)
• dfg/DFGBasicBlock.cpp (modified) (1 diff)
• dfg/DFGBasicBlock.h (modified) (1 diff)
• dfg/DFGByteCodeParser.cpp (modified) (1 diff)
• dfg/DFGCPSRethreadingPhase.cpp (modified) (5 diffs)
• dfg/DFGEpoch.h (modified) (1 diff)
• dfg/DFGOSRAvailabilityAnalysisPhase.cpp (modified) (2 diffs)
• dfg/DFGSSACalculator.cpp (modified) (1 diff)

trunk/Source/JavaScriptCore/ChangeLog

@@ +1 @@
+2020-08-27  Keith Miller  <[email protected]>
+
+        OSR availability validation should run for any node with exitOK
+        https://bugs.webkit.org/show_bug.cgi?id=215672
+
+        Reviewed by Saam Barati.
+
+        Currently we only validate OSR exit availability if a node would
+        say `mayExit(graph, node) != DoesNotExit` and the node is marked
+        as exitOK. However, it would be perfectly valid to insert a node
+        that exits anywhere we have a node marked exitOK. So with this
+        patch we now validate all places where it would ever be possible
+        to OSR exit.
+
+        Relaxing our criteria revealed a number of bugs however. Which I
+        will describe below in, IMO, increasing complexity/subtly.
+
+        First, we currently don't mark arity fixup during inlining as not
+        exitOK. However, since our arity code says its code origin is
+        OpEnter, we assume arity fixup has already happened.
+
+        Second, OpGetScope, should not mark its first argument as used
+        since it's not actually used. This is problematic because we could
+        have a loop where OpGetScope is the first bytecode, namely when
+        doing tail recursive inlining. If we were in that position, there
+        could be a local that was used at a merge point at the loop
+        backedge that had two MovHint defs from both predecessors. In DFG
+        IR this would look like:
+
+        BB#1:
+        @1: MovHint(Undefined, loc1)
+        ...
+        Jump(#2)
+
+        BB#2:
+        ... // loc1 is live here in bytecode
+        @2: MovHint(@scopeObject, loc1)
+        @3: SetLocal(@scopeObject, loc1)
+        Branch(#3, #4) // #4 is the successor of the tail call loop
+
+        BB#3:
+        @4 MovHint(Undefined, loc1)
+        ...
+        Jump(#2)
+
+        When we do CPS conversion the MovHints at @1 and @4 will be seen
+        as different variables (there's no GetLocal). Then, after, during
+        SSA conversion we won't insert a phi connecting them, making the
+        argument to OpGetScope, in this case loc1, unrecoverable there are
+        conflicting nodes and the value isn't saved on the stack.
+
+        There were also issues with MovHintRemoval Phase but rather than
+        fix them we opted to just remove the phase as it didn't show any
+        performance impact. I'll describe the issues I found below for
+        completeness, however.
+
+        Third, MovHint removal phase had a bug where it would not mark
+        sections where a zombied MovHint has yet to be killed as not
+        exitOK. So in theory another phase could come along and insert an
+        exiting node there.
+
+        Fourth, MovHint removal phase had a second bug where a MovHint
+        that was not killed in the current block would be zombied, which
+        is wrong for SSA. It's wrong because the MovHinted value could
+        still be live for OSR exit in a successor block.
+
+        Lastly, this patch adds some new verbose options as well as the ability to
+        dump a DFG::BasicBlock without dereferencing it.
+
+        * bytecode/BytecodeUseDef.cpp:
+        (JSC::computeUsesForBytecodeIndexImpl):
+        * dfg/DFGBasicBlock.cpp:
+        (WTF::printInternal):
+        * dfg/DFGBasicBlock.h:
+        * dfg/DFGByteCodeParser.cpp:
+        (JSC::DFG::ByteCodeParser::inlineCall):
+        * dfg/DFGCPSRethreadingPhase.cpp:
+        (JSC::DFG::CPSRethreadingPhase::propagatePhis):
+        * dfg/DFGEpoch.h:
+        (JSC::DFG::Epoch::operator bool const):
+        * dfg/DFGOSRAvailabilityAnalysisPhase.cpp:
+        (JSC::DFG::OSRAvailabilityAnalysisPhase::run):
+        * dfg/DFGSSACalculator.cpp:
+        (JSC::DFG::SSACalculator::dump const):
+
 2020-08-27  Keith Miller  <[email protected]>
 

trunk/Source/JavaScriptCore/bytecode/BytecodeUseDef.cpp

@@ -101 +101 @@
     case op_super_sampler_begin:
     case op_super_sampler_end:
-        return;
-
-    USES(OpGetScope, dst)
+    case op_get_scope:
+        return;
+
     USES(OpToThis, srcDst)
     USES(OpCheckTdz, targetVirtualRegister)

trunk/Source/JavaScriptCore/dfg/DFGBasicBlock.cpp

@@ -151 +151 @@
 } } // namespace JSC::DFG
 
+namespace WTF {
+
+void printInternal(PrintStream& out, JSC::DFG::BasicBlock* block)
+{
+    out.print(*block);
+}
+
+}
+
 #endif // ENABLE(DFG_JIT)
 

trunk/Source/JavaScriptCore/dfg/DFGBasicBlock.h

@@ -276 +276 @@
 } } // namespace JSC::DFG
 
+namespace WTF {
+void printInternal(PrintStream&, JSC::DFG::BasicBlock*);
+}
+
 #endif // ENABLE(DFG_JIT)

trunk/Source/JavaScriptCore/dfg/DFGByteCodeParser.cpp

@@ -1722 +1722 @@
     BytecodeIndex oldIndex = m_currentIndex;
     m_currentIndex = BytecodeIndex(0);
+
+    // We don't want to exit here since we could do things like arity fixup which complicates OSR exit availability.
+    m_exitOK = false;
 
     switch (kind) {

trunk/Source/JavaScriptCore/dfg/DFGCPSRethreadingPhase.cpp

@@ -36 +36 @@
 
 class CPSRethreadingPhase : public Phase {
+    static constexpr bool verbose = false;
 public:
     CPSRethreadingPhase(Graph& graph)
@@ -426 +427 @@
             size_t index = entry.m_index;
             
+            if (verbose) {
+                dataLog(" Iterating on phi from block ", block, " ");
+                m_graph.dump(WTF::dataFile(), "", currentPhi);
+            }
+
             for (size_t i = predecessors.size(); i--;) {
                 BasicBlock* predecessorBlock = predecessors[i];
@@ -434 +440 @@
                     predecessorBlock->variablesAtTail.atFor<operandKind>(index) = variableInPrevious;
                     predecessorBlock->variablesAtHead.atFor<operandKind>(index) = variableInPrevious;
+                    dataLogLnIf(verbose, "    No variable in predecessor ", predecessorBlock, " creating a new phi: ", variableInPrevious);
                 } else {
                     switch (variableInPrevious->op()) {
@@ -439 +446 @@
                     case PhantomLocal:
                     case Flush:
+                        dataLogLnIf(verbose, "    Variable in predecessor ", predecessorBlock, " ", variableInPrevious, " needs to be forwarded to first child ", variableInPrevious->child1().node());
                         ASSERT(variableInPrevious->variableAccessData() == variableInPrevious->child1()->variableAccessData());
                         variableInPrevious = variableInPrevious->child1().node();
@@ -453 +461 @@
                     || variableInPrevious->op() == SetArgumentMaybe);
           
+                if (verbose)
+                    m_graph.dump(WTF::dataFile(), "    Adding new variable from predecessor ", variableInPrevious);
+
                 if (!currentPhi->child1()) {
                     currentPhi->children.setChild1(Edge(variableInPrevious));

trunk/Source/JavaScriptCore/dfg/DFGEpoch.h

@@ -65 +65 @@
     }
     
+    explicit operator bool() const
+    {
+        return !!*this;
+    }
+    
     Epoch next() const
     {

trunk/Source/JavaScriptCore/dfg/DFGOSRAvailabilityAnalysisPhase.cpp

@@ -135 +135 @@
                 for (unsigned nodeIndex = 0; nodeIndex < block->size(); ++nodeIndex) {
                     Node* node = block->at(nodeIndex);
-                    // FIXME: The mayExit status of a node doesn't seem like it should mean we don't need to have everything available.
-                    if (mayExit(m_graph, node) != DoesNotExit && node->origin.exitOK) {
+                    if (node->origin.exitOK) {
                         // If we're allowed to exit here, the heap must be in a state
                         // where exiting wouldn't crash. These particular fields are
@@ -144 +143 @@
 
                         CodeOrigin exitOrigin = node->origin.forExit;
-                        AvailabilityMap& availabilityMap = calculator.m_availability;
+                        // FIXME: availabilityMap seems like it should be able to be a reference to the calculator's map. https://bugs.webkit.org/show_bug.cgi?id=215675
+                        AvailabilityMap availabilityMap = calculator.m_availability;
                         availabilityMap.pruneByLiveness(m_graph, exitOrigin);
 

trunk/Source/JavaScriptCore/dfg/DFGSSACalculator.cpp

@@ -116 +116 @@
         m_variables[i].dumpVerbose(out);
     }
-    out.print("], Defs: [");
+    out.print("], \nDefs: [");
     comma = CommaPrinter();
     for (Def* def : const_cast<SSACalculator*>(this)->m_defs)
         out.print(comma, *def);
-    out.print("], Phis: [");
+    out.print("], \nPhis: [");
     comma = CommaPrinter();
     for (Def* def : const_cast<SSACalculator*>(this)->m_phis)
         out.print(comma, *def);
-    out.print("], Block data: [");
-    comma = CommaPrinter();
+    out.print("], \nBlock data: [");
+    comma = CommaPrinter(",\n");
     for (BlockIndex blockIndex = 0; blockIndex < m_graph.numBlocks(); ++blockIndex) {
         BasicBlock* block = m_graph.block(blockIndex);