Diff
Modified: trunk/Source/_javascript_Core/ChangeLog (208859 => 208860)
--- trunk/Source/_javascript_Core/ChangeLog 2016-11-17 21:23:45 UTC (rev 208859)
+++ trunk/Source/_javascript_Core/ChangeLog 2016-11-17 21:37:05 UTC (rev 208860)
@@ -1,3 +1,38 @@
+2016-11-17 Filip Pizlo <[email protected]>
+
+ Speculatively disable eager object zero-fill on not-x86 to let the bots decide if that's a problem
+ https://bugs.webkit.org/show_bug.cgi?id=164885
+
+ Reviewed by Mark Lam.
+
+ This adds a useGCFences() function that we use to guard all eager object zero-fill and the
+ related fences. It currently returns true only on x86().
+
+ The goal here is to get the bots to tell us if this code is responsible for perf issues on
+ any non-x86 platforms. We have a few different paths that we can pursue if this turns out
+ to be the case. Eager zero-fill is merely the easiest way to optimize out some fences, but
+ we could get rid of it and instead teach B3 how to think about fences.
+
+ * assembler/CPU.h:
+ (JSC::useGCFences):
+ * bytecode/PolymorphicAccess.cpp:
+ (JSC::AccessCase::generateImpl):
+ * dfg/DFGSpeculativeJIT.cpp:
+ (JSC::DFG::SpeculativeJIT::compileAllocatePropertyStorage):
+ (JSC::DFG::SpeculativeJIT::compileReallocatePropertyStorage):
+ * ftl/FTLLowerDFGToB3.cpp:
+ (JSC::FTL::DFG::LowerDFGToB3::compileMaterializeNewObject):
+ (JSC::FTL::DFG::LowerDFGToB3::allocatePropertyStorage):
+ (JSC::FTL::DFG::LowerDFGToB3::reallocatePropertyStorage):
+ (JSC::FTL::DFG::LowerDFGToB3::allocateObject):
+ (JSC::FTL::DFG::LowerDFGToB3::mutatorFence):
+ (JSC::FTL::DFG::LowerDFGToB3::setButterfly):
+ * jit/AssemblyHelpers.h:
+ (JSC::AssemblyHelpers::mutatorFence):
+ (JSC::AssemblyHelpers::storeButterfly):
+ (JSC::AssemblyHelpers::emitInitializeInlineStorage):
+ (JSC::AssemblyHelpers::emitInitializeOutOfLineStorage):
+
2016-11-17 Keith Miller <[email protected]>
Add rotate to Wasm
Modified: trunk/Source/_javascript_Core/assembler/CPU.h (208859 => 208860)
--- trunk/Source/_javascript_Core/assembler/CPU.h 2016-11-17 21:23:45 UTC (rev 208859)
+++ trunk/Source/_javascript_Core/assembler/CPU.h 2016-11-17 21:37:05 UTC (rev 208860)
@@ -85,5 +85,10 @@
return isX86_64() && Options::useArchitectureSpecificOptimizations();
}
+inline bool useGCFences()
+{
+ return isX86();
+}
+
} // namespace JSC
Modified: trunk/Source/_javascript_Core/bytecode/PolymorphicAccess.cpp (208859 => 208860)
--- trunk/Source/_javascript_Core/bytecode/PolymorphicAccess.cpp 2016-11-17 21:23:45 UTC (rev 208859)
+++ trunk/Source/_javascript_Core/bytecode/PolymorphicAccess.cpp 2016-11-17 21:37:05 UTC (rev 208860)
@@ -1283,8 +1283,10 @@
}
}
- for (size_t offset = oldSize; offset < newSize; offset += sizeof(void*))
- jit.storePtr(CCallHelpers::TrustedImmPtr(0), CCallHelpers::Address(scratchGPR, -static_cast<ptrdiff_t>(offset + sizeof(JSValue) + sizeof(void*))));
+ if (useGCFences()) {
+ for (size_t offset = oldSize; offset < newSize; offset += sizeof(void*))
+ jit.storePtr(CCallHelpers::TrustedImmPtr(0), CCallHelpers::Address(scratchGPR, -static_cast<ptrdiff_t>(offset + sizeof(JSValue) + sizeof(void*))));
+ }
} else {
// Handle the case where we are allocating out-of-line using an operation.
RegisterSet extraRegistersToPreserve;
Modified: trunk/Source/_javascript_Core/dfg/DFGSpeculativeJIT.cpp (208859 => 208860)
--- trunk/Source/_javascript_Core/dfg/DFGSpeculativeJIT.cpp 2016-11-17 21:23:45 UTC (rev 208859)
+++ trunk/Source/_javascript_Core/dfg/DFGSpeculativeJIT.cpp 2016-11-17 21:37:05 UTC (rev 208860)
@@ -7411,11 +7411,13 @@
m_jit.emitAllocate(scratchGPR1, allocator, scratchGPR2, scratchGPR3, slowPath);
m_jit.addPtr(JITCompiler::TrustedImm32(size + sizeof(IndexingHeader)), scratchGPR1);
- for (ptrdiff_t offset = 0; offset < static_cast<ptrdiff_t>(size); offset += sizeof(void*))
- m_jit.storePtr(TrustedImmPtr(0), JITCompiler::Address(scratchGPR1, -(offset + sizeof(JSValue) + sizeof(void*))));
-
- m_jit.mutatorFence();
+ if (useGCFences()) {
+ for (ptrdiff_t offset = 0; offset < static_cast<ptrdiff_t>(size); offset += sizeof(void*))
+ m_jit.storePtr(TrustedImmPtr(0), JITCompiler::Address(scratchGPR1, -(offset + sizeof(JSValue) + sizeof(void*))));
+ m_jit.mutatorFence();
+ }
+
addSlowPathGenerator(
slowPathCall(slowPath, this, operationAllocatePropertyStorageWithInitialCapacity, scratchGPR1));
@@ -7466,8 +7468,10 @@
m_jit.addPtr(JITCompiler::TrustedImm32(newSize + sizeof(IndexingHeader)), scratchGPR1);
- for (ptrdiff_t offset = oldSize; offset < static_cast<ptrdiff_t>(newSize); offset += sizeof(void*))
- m_jit.storePtr(TrustedImmPtr(0), JITCompiler::Address(scratchGPR1, -(offset + sizeof(JSValue) + sizeof(void*))));
+ if (useGCFences()) {
+ for (ptrdiff_t offset = oldSize; offset < static_cast<ptrdiff_t>(newSize); offset += sizeof(void*))
+ m_jit.storePtr(TrustedImmPtr(0), JITCompiler::Address(scratchGPR1, -(offset + sizeof(JSValue) + sizeof(void*))));
+ }
addSlowPathGenerator(
slowPathCall(slowPath, this, operationAllocatePropertyStorage, scratchGPR1, newSize / sizeof(JSValue)));
Modified: trunk/Source/_javascript_Core/ftl/FTLLowerDFGToB3.cpp (208859 => 208860)
--- trunk/Source/_javascript_Core/ftl/FTLLowerDFGToB3.cpp 2016-11-17 21:23:45 UTC (rev 208859)
+++ trunk/Source/_javascript_Core/ftl/FTLLowerDFGToB3.cpp 2016-11-17 21:37:05 UTC (rev 208860)
@@ -8134,11 +8134,13 @@
ValueFromBlock haveButterfly = m_out.anchor(fastButterflyValue);
- splatWords(
- fastButterflyValue,
- m_out.constInt32(-structure->outOfLineCapacity() - 1),
- m_out.constInt32(-1),
- m_out.int64Zero, m_heaps.properties.atAnyNumber());
+ if (useGCFences()) {
+ splatWords(
+ fastButterflyValue,
+ m_out.constInt32(-structure->outOfLineCapacity() - 1),
+ m_out.constInt32(-1),
+ m_out.int64Zero, m_heaps.properties.atAnyNumber());
+ }
m_out.store32(vectorLength, fastButterflyValue, m_heaps.Butterfly_vectorLength);
@@ -9013,10 +9015,12 @@
LValue result = allocatePropertyStorageWithSizeImpl(initialOutOfLineCapacity);
- splatWords(
- result,
- m_out.constInt32(-initialOutOfLineCapacity - 1), m_out.constInt32(-1),
- m_out.int64Zero, m_heaps.properties.atAnyNumber());
+ if (useGCFences()) {
+ splatWords(
+ result,
+ m_out.constInt32(-initialOutOfLineCapacity - 1), m_out.constInt32(-1),
+ m_out.int64Zero, m_heaps.properties.atAnyNumber());
+ }
setButterfly(result, object);
return result;
@@ -9046,10 +9050,12 @@
m_out.storePtr(loaded, m_out.address(m_heaps.properties.atAnyNumber(), result, offset));
}
- splatWords(
- result,
- m_out.constInt32(-newSize - 1), m_out.constInt32(-oldSize - 1),
- m_out.int64Zero, m_heaps.properties.atAnyNumber());
+ if (useGCFences()) {
+ splatWords(
+ result,
+ m_out.constInt32(-newSize - 1), m_out.constInt32(-oldSize - 1),
+ m_out.int64Zero, m_heaps.properties.atAnyNumber());
+ }
setButterfly(result, object);
@@ -9926,12 +9932,14 @@
LValue allocator, Structure* structure, LValue butterfly, LBasicBlock slowPath)
{
LValue result = allocateCell(allocator, structure, slowPath);
- splatWords(
- result,
- m_out.constInt32(JSFinalObject::offsetOfInlineStorage() / 8),
- m_out.constInt32(JSFinalObject::offsetOfInlineStorage() / 8 + structure->inlineCapacity()),
- m_out.int64Zero,
- m_heaps.properties.atAnyNumber());
+ if (useGCFences()) {
+ splatWords(
+ result,
+ m_out.constInt32(JSFinalObject::offsetOfInlineStorage() / 8),
+ m_out.constInt32(JSFinalObject::offsetOfInlineStorage() / 8 + structure->inlineCapacity()),
+ m_out.int64Zero,
+ m_heaps.properties.atAnyNumber());
+ }
m_out.storePtr(butterfly, result, m_heaps.JSObject_butterfly);
return result;
}
@@ -12571,7 +12579,7 @@
void mutatorFence()
{
- if (isX86()) {
+ if (isX86() || !useGCFences()) {
m_out.fence(&m_heaps.root, nullptr);
return;
}
@@ -12595,7 +12603,7 @@
void setButterfly(LValue butterfly, LValue object)
{
- if (isX86()) {
+ if (isX86() || !useGCFences()) {
m_out.fence(&m_heaps.root, nullptr);
m_out.storePtr(butterfly, object, m_heaps.JSObject_butterfly);
m_out.fence(&m_heaps.root, nullptr);
Modified: trunk/Source/_javascript_Core/jit/AssemblyHelpers.h (208859 => 208860)
--- trunk/Source/_javascript_Core/jit/AssemblyHelpers.h 2016-11-17 21:23:45 UTC (rev 208859)
+++ trunk/Source/_javascript_Core/jit/AssemblyHelpers.h 2016-11-17 21:37:05 UTC (rev 208860)
@@ -1363,7 +1363,7 @@
void mutatorFence()
{
- if (isX86())
+ if (isX86() || !useGCFences())
return;
Jump ok = jumpIfMutatorFenceNotNeeded();
storeFence();
@@ -1372,7 +1372,7 @@
void storeButterfly(GPRReg butterfly, GPRReg object)
{
- if (isX86()) {
+ if (isX86() || !useGCFences()) {
storePtr(butterfly, Address(object, JSObject::butterflyOffset()));
return;
}
@@ -1618,6 +1618,8 @@
void emitInitializeInlineStorage(GPRReg baseGPR, unsigned inlineCapacity)
{
+ if (!useGCFences())
+ return;
for (unsigned i = 0; i < inlineCapacity; ++i)
storeTrustedValue(JSValue(), Address(baseGPR, JSObject::offsetOfInlineStorage() + i * sizeof(EncodedJSValue)));
}
@@ -1624,6 +1626,8 @@
void emitInitializeInlineStorage(GPRReg baseGPR, GPRReg inlineCapacity)
{
+ if (!useGCFences())
+ return;
Jump empty = branchTest32(Zero, inlineCapacity);
Label loop = label();
sub32(TrustedImm32(1), inlineCapacity);
@@ -1634,6 +1638,8 @@
void emitInitializeOutOfLineStorage(GPRReg butterflyGPR, unsigned outOfLineCapacity)
{
+ if (!useGCFences())
+ return;
for (unsigned i = 0; i < outOfLineCapacity; ++i)
storeTrustedValue(JSValue(), Address(butterflyGPR, -sizeof(IndexingHeader) - (i + 1) * sizeof(EncodedJSValue)));
}
