Changeset 295008 in webkit for trunk/Source/JavaScriptCore/jit

Timestamp:

May 28, 2022, 8:23:06 PM (3 years ago)

Author:

Yijia Huang

Message:

Shrink Structure to 96 Bytes when addresses can be encoded in 36-bits
​https://bugs.webkit.org/show_bug.cgi?id=240407

Reviewed by Yusuke Suzuki.

We have 2% RAMification regression on iOS, which needs a memory performance
improvement. To work towards resolving this regression, this patch is to
reduce JS object's structure size from 112 bytes to 96 bytes for iOS systems.

1. We can reduce 36-bit addresses into 4 bytes when dealing with pointers that

have 16-byte alignment.

2. StructureID can be removed from StructureIDBlob since we can directly compute

the id by encoding the Structure pointer.

CompactPtr and CompactRefPtr classes are introduced for pointers, which can
achieve 8 bytes in MacOS and 4 bytes in iOS.

• PerformanceTests/JetStream2/RexBench/OfflineAssembler/LowLevelInterpreter64.asm:
• PerformanceTests/JetStream2/RexBench/OfflineAssembler/LowLevelInterpreter64.js:
• PerformanceTests/JetStream2/RexBench/OfflineAssembler/expected.js:
• PerformanceTests/RexBench/OfflineAssembler/LowLevelInterpreter64.asm:
• PerformanceTests/RexBench/OfflineAssembler/LowLevelInterpreter64.js:
• PerformanceTests/RexBench/OfflineAssembler/expected.js:
• Source/JavaScriptCore/CMakeLists.txt:
• Source/JavaScriptCore/JavaScriptCore.xcodeproj/project.pbxproj:
• Source/JavaScriptCore/bytecode/GetByValHistory.h:

(JSC::GetByValHistory::observe):

• Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp:
• Source/JavaScriptCore/ftl/FTLAbstractHeapRepository.cpp:

(JSC::FTL::AbstractHeapRepository::AbstractHeapRepository):

• Source/JavaScriptCore/ftl/FTLAbstractHeapRepository.h:
• Source/JavaScriptCore/ftl/FTLLowerDFGToB3.cpp:

(JSC::FTL::DFG::LowerDFGToB3::compileCompareStrictEq):

• Source/JavaScriptCore/heap/ConservativeRoots.cpp:

(JSC::ConservativeRoots::genericAddPointer):
(JSC::ConservativeRoots::genericAddSpan):

• Source/JavaScriptCore/heap/ConservativeRoots.h:
• Source/JavaScriptCore/heap/HeapSnapshot.h:
• Source/JavaScriptCore/heap/HeapUtil.h:

(JSC::HeapUtil::findGCObjectPointersForMarking):
(JSC::HeapUtil::isPointerGCObjectJSCell):
(JSC::HeapUtil::isValueGCObject):

• Source/JavaScriptCore/heap/MarkedBlockSet.h:

(JSC::MarkedBlockSet::add):
(JSC::MarkedBlockSet::recomputeFilter):
(JSC::MarkedBlockSet::filter const):

• Source/JavaScriptCore/heap/TinyBloomFilter.h:

(JSC::TinyBloomFilter<Bits>::TinyBloomFilter):
(JSC::TinyBloomFilter<Bits>::add):
(JSC::TinyBloomFilter<Bits>::ruleOut const):
(JSC::TinyBloomFilter<Bits>::reset):
(JSC::TinyBloomFilter::TinyBloomFilter): Deleted.
(JSC::TinyBloomFilter::add): Deleted.
(JSC::TinyBloomFilter::ruleOut const): Deleted.
(JSC::TinyBloomFilter::reset): Deleted.

• Source/JavaScriptCore/jit/AssemblyHelpers.cpp:

(JSC::AssemblyHelpers::emitStoreStructureWithTypeInfo):
(JSC::AssemblyHelpers::emitEncodeStructure):

• Source/JavaScriptCore/jit/AssemblyHelpers.h:

(JSC::AssemblyHelpers::emitStoreStructureWithTypeInfo):
(JSC::AssemblyHelpers::loadCompactPtr):
(JSC::AssemblyHelpers::branchCompactPtr):

• Source/JavaScriptCore/jit/JITPropertyAccess.cpp:

(JSC::JIT::generateOpGetFromScopeThunk):
(JSC::JIT::emit_op_put_to_scope):

• Source/JavaScriptCore/runtime/ClassInfo.h:

(JSC::ClassInfo::offsetOfParentClass): Deleted.
(JSC::ClassInfo::isSubClassOf const): Deleted.

• Source/JavaScriptCore/runtime/SamplingProfiler.cpp:

(JSC::SamplingProfiler::processUnverifiedStackTraces):

• Source/JavaScriptCore/runtime/Structure.cpp:

(JSC::Structure::Structure):

• Source/JavaScriptCore/runtime/Structure.h:

(JSC::Structure::id const):
(JSC::Structure::typeInfoBlob const):
(JSC::Structure::classInfoForCells const):
(JSC::Structure::indexingModeIncludingHistoryOffset):
(JSC::Structure::objectInitializationBlob const): Deleted.
(JSC::Structure::idBlob const): Deleted.
(JSC::Structure::structureIDOffset): Deleted.

• Source/JavaScriptCore/runtime/StructureInlines.h:

(JSC::Structure::get):
(JSC::Structure::add):

• Source/JavaScriptCore/runtime/TypeInfoBlob.h: Renamed from Source/JavaScriptCore/runtime/StructureIDBlob.h.

(JSC::TypeInfoBlob::TypeInfoBlob):
(JSC::TypeInfoBlob::operator=):
(JSC::TypeInfoBlob::indexingModeIncludingHistory const):
(JSC::TypeInfoBlob::fencedIndexingModeIncludingHistory):
(JSC::TypeInfoBlob::setIndexingModeIncludingHistory):
(JSC::TypeInfoBlob::type const):
(JSC::TypeInfoBlob::inlineTypeFlags const):
(JSC::TypeInfoBlob::typeInfo const):
(JSC::TypeInfoBlob::blob const):
(JSC::TypeInfoBlob::indexingModeIncludingHistoryOffset):

• Source/JavaScriptCore/wasm/js/WebAssemblyFunction.cpp:

(JSC::WebAssemblyFunction::jsCallEntrypointSlow):

• Source/WTF/WTF.xcodeproj/project.pbxproj:
• Source/WTF/wtf/CMakeLists.txt:
• Source/WTF/wtf/CompactPtr.h: Added.

(WTF::CompactPtr::CompactPtr):
(WTF::CompactPtr::operator* const):
(WTF::CompactPtr::operator-> const):
(WTF::CompactPtr::operator! const):
(WTF::CompactPtr::operator bool const):
(WTF::CompactPtr::operator=):
(WTF::CompactPtr::get const):
(WTF::CompactPtr::set):
(WTF::CompactPtr::exchange):
(WTF::CompactPtr::swap):
(WTF::CompactPtr::encode):
(WTF::CompactPtr::encode const):
(WTF::CompactPtr::decode const):
(WTF::GetPtrHelper<CompactPtr<T>>::getPtr):
(WTF::CompactPtrTraits::exchange):
(WTF::CompactPtrTraits::swap):
(WTF::CompactPtrTraits::unwrap):
(WTF::CompactPtrTraits::hashTableDeletedValue):
(WTF::CompactPtrTraits::isHashTableDeletedValue):

• Source/WTF/wtf/CompactRefPtr.h: Copied from Source/JavaScriptCore/heap/HeapSnapshot.h.
• Source/WTF/wtf/text/StringImpl.cpp:
• Source/WTF/wtf/text/StringImpl.h:
• Tools/TestWebKitAPI/CMakeLists.txt:
• Tools/TestWebKitAPI/TestWebKitAPI.xcodeproj/project.pbxproj:
• Tools/TestWebKitAPI/Tests/WTF/AlignedRefLogger.h: Copied from Source/JavaScriptCore/heap/TinyBloomFilter.h.

(TestWebKitAPI::DerivedAlignedRefLogger::DerivedAlignedRefLogger):

• Tools/TestWebKitAPI/Tests/WTF/CompactPtr.cpp: Added.

(TestWebKitAPI::TEST):

• Tools/TestWebKitAPI/Tests/WTF/CompactRefPtr.cpp: Added.

(TestWebKitAPI::TEST):
(TestWebKitAPI::f1):
(TestWebKitAPI::returnConstRefCountedRef):
(TestWebKitAPI::returnRefCountedRef):
(TestWebKitAPI::CompactRefPtrCheckingAlignedRefLogger::CompactRefPtrCheckingAlignedRefLogger):
(TestWebKitAPI::loggerName):
(TestWebKitAPI::CompactRefPtrCheckingAlignedRefLogger::ref):
(TestWebKitAPI::CompactRefPtrCheckingAlignedRefLogger::deref):

• Tools/TestWebKitAPI/Tests/WTF/JSONValue.cpp:

(TestWebKitAPI::TEST):

• Websites/browserbench.org/JetStream2.0/RexBench/OfflineAssembler/LowLevelInterpreter64.asm:
• Websites/browserbench.org/JetStream2.0/RexBench/OfflineAssembler/LowLevelInterpreter64.js:
• Websites/browserbench.org/JetStream2.0/RexBench/OfflineAssembler/expected.js:

Canonical link: ​https://commits.webkit.org/251103@main

Location:

trunk/Source/JavaScriptCore/jit

Files:

• AssemblyHelpers.cpp (modified) (3 diffs)
• AssemblyHelpers.h (modified) (3 diffs)
• JITPropertyAccess.cpp (modified) (2 diffs)

trunk/Source/JavaScriptCore/jit/AssemblyHelpers.cpp

@@ -333 +333 @@
     const Structure* structurePtr = reinterpret_cast<const Structure*>(structure.m_value);
 #if USE(JSVALUE64)
-    jit.store64(TrustedImm64(structurePtr->idBlob()), MacroAssembler::Address(dest, JSCell::structureIDOffset()));
+    jit.store32(TrustedImm32(structurePtr->id().bits()), MacroAssembler::Address(dest, JSCell::structureIDOffset()));
+    jit.store32(TrustedImm32(structurePtr->typeInfoBlob()), MacroAssembler::Address(dest, JSCell::indexingTypeAndMiscOffset()));
     if (ASSERT_ENABLED) {
         Jump correctStructure = jit.branch32(Equal, MacroAssembler::Address(dest, JSCell::structureIDOffset()), TrustedImm32(structurePtr->id().bits()));
@@ -353 +354 @@
 #else
     // Do a 32-bit wide store to initialize the cell's fields.
-    jit.store32(TrustedImm32(structurePtr->objectInitializationBlob()), MacroAssembler::Address(dest, JSCell::indexingTypeAndMiscOffset()));
+    jit.store32(TrustedImm32(structurePtr->typeInfoBlob()), MacroAssembler::Address(dest, JSCell::indexingTypeAndMiscOffset()));
     jit.storePtr(structure, MacroAssembler::Address(dest, JSCell::structureIDOffset()));
 #endif
@@ -427 +428 @@
     load32(MacroAssembler::Address(source, JSCell::structureIDOffset()), dest);
     emitNonNullDecodeZeroExtendedStructureID(dest, dest);
+}
+
+void AssemblyHelpers::emitEncodeStructureID(RegisterID source, RegisterID dest)
+{
+#if ENABLE(STRUCTURE_ID_WITH_SHIFT)
+    urshift64(source, TrustedImm32(StructureID::encodeShiftAmount), dest);
+#elif CPU(ADDRESS64)
+    move(source, dest);
+    static_assert(StructureID::structureIDMask <= UINT32_MAX);
+    and64(TrustedImm32(static_cast<uint32_t>(StructureID::structureIDMask)), dest);
+#else
+    move(source, dest);
+#endif
 }
 

trunk/Source/JavaScriptCore/jit/AssemblyHelpers.h

@@ -1614 +1614 @@
     void emitLoadStructure(VM&, RegisterID source, RegisterID dest);
     void emitLoadPrototype(VM&, GPRReg objectGPR, JSValueRegs resultRegs, JumpList& slowPath);
+    void emitEncodeStructureID(RegisterID source, RegisterID dest);
 
     void emitStoreStructureWithTypeInfo(TrustedImmPtr structure, RegisterID dest, RegisterID)
@@ -1622 +1623 @@
     void emitStoreStructureWithTypeInfo(RegisterID structure, RegisterID dest, RegisterID scratch)
     {
-#if USE(JSVALUE64)
-        load64(MacroAssembler::Address(structure, Structure::structureIDOffset()), scratch);
-        store64(scratch, MacroAssembler::Address(dest, JSCell::structureIDOffset()));
-#else
+        // Store the StructureID
+#if USE(JSVALUE64)
+        emitEncodeStructureID(structure, scratch);
+        store32(scratch, MacroAssembler::Address(dest, JSCell::structureIDOffset()));
+#else
+        storePtr(structure, MacroAssembler::Address(dest, JSCell::structureIDOffset()));
+#endif
         // Store all the info flags using a single 32-bit wide load and store.
         load32(MacroAssembler::Address(structure, Structure::indexingModeIncludingHistoryOffset()), scratch);
         store32(scratch, MacroAssembler::Address(dest, JSCell::indexingTypeAndMiscOffset()));
-
-        // Store the StructureID
-        storePtr(structure, MacroAssembler::Address(dest, JSCell::structureIDOffset()));
-#endif
     }
 
@@ -1915 +1915 @@
             storeTrustedValue(JSValue(), Address(butterflyGPR, -sizeof(IndexingHeader) - (i + 1) * sizeof(EncodedJSValue)));
     }
-    
+
+    void loadCompactPtr(Address address, GPRReg dest)
+    {
+#if HAVE(36BIT_ADDRESS)
+        load32(address, dest);
+        lshift64(TrustedImm32(4), dest);
+#else
+        loadPtr(address, dest);
+#endif
+    }
+
+    Jump branchCompactPtr(RelationalCondition cond, GPRReg left, Address right, GPRReg scratch)
+    {
+#if HAVE(36BIT_ADDRESS)
+        ASSERT(left != scratch);
+        load32(right, scratch);
+        lshift64(TrustedImm32(4), scratch);
+        return branchPtr(cond, left, Address(scratch));
+#else
+        UNUSED_PARAM(scratch);
+        return branchPtr(cond, left, right);
+#endif
+    }
+
 #if USE(JSVALUE64)
     void wangsInt64Hash(GPRReg inputAndResult, GPRReg scratch);

trunk/Source/JavaScriptCore/jit/JITPropertyAccess.cpp

@@ -1741 +1741 @@
             jit.loadPtr(Address(metadataGPR, OpGetFromScope::Metadata::offsetOfStructure()), scratchGPR);
             slowCase.append(jit.branchTestPtr(Zero, scratchGPR));
-            jit.load32(Address(scratchGPR, Structure::structureIDOffset()), scratchGPR);
+            jit.emitEncodeStructureID(scratchGPR, scratchGPR);
             slowCase.append(jit.branch32(NotEqual, Address(scopeGPR, JSCell::structureIDOffset()), scratchGPR));
 
@@ -1914 +1914 @@
             emitGetVirtualRegisterPayload(scope, scopeGPR);
             addSlowCase(branchTestPtr(Zero, scratchGPR1));
-            load32(Address(scratchGPR1, Structure::structureIDOffset()), scratchGPR1);
+            emitEncodeStructureID(scratchGPR1, scratchGPR1);
             addSlowCase(branch32(NotEqual, Address(scopeGPR, JSCell::structureIDOffset()), scratchGPR1));