[webkit-changes] [215898] trunk/Source/JavaScriptCore

[keith_miller]

Title: [215898] trunk/Source/_javascript_Core

Revision

215898

Author

keith_mil...@apple.com

Date

2017-04-27 15:39:17 -0700 (Thu, 27 Apr 2017)

Log Message

WebAssembly: Don't tier up the same function twice
https://bugs.webkit.org/show_bug.cgi?id=171397

Reviewed by Filip Pizlo.

Because we don't CAS the tier up count on function entry/loop backedge and we use the least significant to indicate whether or not tier up has already started we could see the following:

Threads A and B are running count in memory is (0):

A: load tier up count (0)
B: load tier up count (0)
A: decrement count to -2 and see we need to check for tier up (0)
A: store -2 to count (-2)
A: exchangeOr(1) to tier up count (-1)
B: decrement count to -2 and see we need to check for tier up (-1)
B: store -2 to count (-2)
B: exchangeOr(1) to tier up count (-1)

This would cause us to tier up the same function twice, which we would rather avoid.

* wasm/WasmB3IRGenerator.cpp:
(JSC::Wasm::B3IRGenerator::emitTierUpCheck):
* wasm/WasmTierUpCount.h:
(JSC::Wasm::TierUpCount::TierUpCount):
(JSC::Wasm::TierUpCount::loopDecrement):
(JSC::Wasm::TierUpCount::functionEntryDecrement):
(JSC::Wasm::TierUpCount::shouldStartTierUp):

Modified Paths

• trunk/Source/_javascript_Core/ChangeLog
• trunk/Source/_javascript_Core/wasm/WasmB3IRGenerator.cpp
• trunk/Source/_javascript_Core/wasm/WasmTierUpCount.h

Diff

Modified: trunk/Source/_javascript_Core/ChangeLog (215897 => 215898)

--- trunk/Source/_javascript_Core/ChangeLog	2017-04-27 22:37:29 UTC (rev 215897)
+++ trunk/Source/_javascript_Core/ChangeLog	2017-04-27 22:39:17 UTC (rev 215898)
@@ -1,5 +1,35 @@
 2017-04-27  Keith Miller  <keith_mil...@apple.com>
 
+        WebAssembly: Don't tier up the same function twice
+        https://bugs.webkit.org/show_bug.cgi?id=171397
+
+        Reviewed by Filip Pizlo.
+
+        Because we don't CAS the tier up count on function entry/loop backedge and we use the least significant to indicate whether or not tier up has already started we could see the following:
+
+        Threads A and B are running count in memory is (0):
+
+        A: load tier up count (0)
+        B: load tier up count (0)
+        A: decrement count to -2 and see we need to check for tier up (0)
+        A: store -2 to count (-2)
+        A: exchangeOr(1) to tier up count (-1)
+        B: decrement count to -2 and see we need to check for tier up (-1)
+        B: store -2 to count (-2)
+        B: exchangeOr(1) to tier up count (-1)
+
+        This would cause us to tier up the same function twice, which we would rather avoid.
+
+        * wasm/WasmB3IRGenerator.cpp:
+        (JSC::Wasm::B3IRGenerator::emitTierUpCheck):
+        * wasm/WasmTierUpCount.h:
+        (JSC::Wasm::TierUpCount::TierUpCount):
+        (JSC::Wasm::TierUpCount::loopDecrement):
+        (JSC::Wasm::TierUpCount::functionEntryDecrement):
+        (JSC::Wasm::TierUpCount::shouldStartTierUp):
+
+2017-04-27  Keith Miller  <keith_mil...@apple.com>
+
         REGRESSION (r215843): ASSERTION FAILED: !m_completionTasks[0].first in  JSC::Wasm::Plan::tryRemoveVMAndCancelIfLast(JSC::VM &)
         https://bugs.webkit.org/show_bug.cgi?id=171380
 

Modified: trunk/Source/_javascript_Core/wasm/WasmB3IRGenerator.cpp (215897 => 215898)

--- trunk/Source/_javascript_Core/wasm/WasmB3IRGenerator.cpp	2017-04-27 22:37:29 UTC (rev 215897)
+++ trunk/Source/_javascript_Core/wasm/WasmB3IRGenerator.cpp	2017-04-27 22:39:17 UTC (rev 215898)
@@ -834,7 +834,6 @@
     if (!m_tierUp)
         return entry;
 
-    ASSERT(!(decrementCount % 2));
     // FIXME: Make this a patchpoint.
     BasicBlock* continuation = m_proc.addBlock();
 

Modified: trunk/Source/_javascript_Core/wasm/WasmTierUpCount.h (215897 => 215898)

--- trunk/Source/_javascript_Core/wasm/WasmTierUpCount.h	2017-04-27 22:37:29 UTC (rev 215897)
+++ trunk/Source/_javascript_Core/wasm/WasmTierUpCount.h	2017-04-27 22:39:17 UTC (rev 215898)
@@ -42,22 +42,23 @@
     WTF_MAKE_NONCOPYABLE(TierUpCount);
 public:
     TierUpCount()
-        : m_count(Options::webAssemblyOMGTierUpCount() * 2)
+        : m_count(Options::webAssemblyOMGTierUpCount())
+        , m_tierUpStarted(false)
     {
     }
 
     TierUpCount(TierUpCount&& other)
     {
-        ASSERT(other.m_count == Options::webAssemblyOMGTierUpCount() * 2);
+        ASSERT(other.m_count == Options::webAssemblyOMGTierUpCount());
         m_count = other.m_count;
     }
 
-    static uint32_t loopDecrement() { return Options::webAssemblyLoopDecrement() * 2; }
-    static uint32_t functionEntryDecrement() { return Options::webAssemblyFunctionEntryDecrement() * 2; }
+    static uint32_t loopDecrement() { return Options::webAssemblyLoopDecrement(); }
+    static uint32_t functionEntryDecrement() { return Options::webAssemblyFunctionEntryDecrement(); }
 
     bool shouldStartTierUp()
     {
-        return !(WTF::atomicExchangeOr(&m_count, 1) & 1);
+        return !m_tierUpStarted.exchange(true);
     }
 
     int32_t count() { return bitwise_cast<int32_t>(m_count); }
@@ -64,6 +65,7 @@
 
 private:
     uint32_t m_count;
+    Atomic<bool> m_tierUpStarted;
 };
     
 } } // namespace JSC::Wasm

_______________________________________________
webkit-changes mailing list
webkit-changes@lists.webkit.org
https://lists.webkit.org/mailman/listinfo/webkit-changes