Branch: refs/heads/main
Home: https://github.com/WebKit/WebKit
Commit: 3563dd1840c63e77d1bf18a2017edf52df32f263
https://github.com/WebKit/WebKit/commit/3563dd1840c63e77d1bf18a2017edf52df32f263
Author: Yusuke Suzuki <[email protected]>
Date: 2023-01-23 (Mon, 23 Jan 2023)
Changed paths:
A JSTests/wasm/stress/js-to-wasm-exception.js
A JSTests/wasm/stress/js-to-wasm-many-double.js
A JSTests/wasm/stress/js-to-wasm-many-ref.js
A JSTests/wasm/stress/js-to-wasm-many.js
A JSTests/wasm/stress/js-to-wasm.js
A JSTests/wasm/stress/wasm-to-wasm.js
R JSTests/wasm/tier-up/js-to-wasm.js
R JSTests/wasm/tier-up/wasm-to-wasm.js
M Source/JavaScriptCore/dfg/DFGAbstractInterpreterInlines.h
M Source/JavaScriptCore/dfg/DFGByteCodeParser.cpp
M Source/JavaScriptCore/dfg/DFGClobberize.h
M Source/JavaScriptCore/dfg/DFGDoesGC.cpp
M Source/JavaScriptCore/dfg/DFGFixupPhase.cpp
M Source/JavaScriptCore/dfg/DFGMayExit.cpp
M Source/JavaScriptCore/dfg/DFGNode.cpp
M Source/JavaScriptCore/dfg/DFGNode.h
M Source/JavaScriptCore/dfg/DFGNodeType.h
M Source/JavaScriptCore/dfg/DFGPredictionPropagationPhase.cpp
M Source/JavaScriptCore/dfg/DFGSafeToExecute.h
M Source/JavaScriptCore/dfg/DFGSpeculativeJIT32_64.cpp
M Source/JavaScriptCore/dfg/DFGSpeculativeJIT64.cpp
M Source/JavaScriptCore/dfg/DFGStrengthReductionPhase.cpp
M Source/JavaScriptCore/ftl/FTLCapabilities.cpp
M Source/JavaScriptCore/ftl/FTLLowerDFGToB3.cpp
M Source/JavaScriptCore/jit/AssemblyHelpers.cpp
M Source/JavaScriptCore/jit/AssemblyHelpers.h
M Source/JavaScriptCore/wasm/WasmIRGeneratorHelpers.h
M Source/JavaScriptCore/wasm/WasmThunks.cpp
M Source/JavaScriptCore/wasm/js/WasmToJS.cpp
Log Message:
-----------
[JSC] Fast JS-to-Wasm call from FTL
https://bugs.webkit.org/show_bug.cgi?id=250545
rdar://104214223
Reviewed by Keith Miller.
This patch supports direct Wasm call from FTL. FTL can know type speculations.
We check this in DFG strength reduction phase, and generate appropriate stack
and register assignment for Wasm call.
This is further more efficient than Wasm IC since,
1. Based on type speculation, we can skip many type checks for arguments.
2. Because FTL can control registers and stacks, we can appropriately configure
values in the right argument registers
and stack location in FTL side and directly call Wasm function from FTL. By
using patchpoint, B3 can assign right registers / stack
location for them.
3. This removes Wasm IC trampoline between JS and Wasm function. Wasm function
is now directly called from JS.
To make this work, we require 259139@main. That change allows us to remove a
hack in unwinding for wasm (wasm function call can modify global state
(vm.wasmContext.instance),
and unwinding needed to restore them appropriately. The above patch removed
this necessity).
As a result, we can directly call wasm function from FTL without doing a hack
in unwinding. And we can also remove save / restore of vm.wasmContext.instance.
We also need to encourage CallWasm in DFG ByteCodeParser. CallWasm needs
constant-folded callee currently, but it needs to be materialized well from DFG
ByteCodeParser by inserting
appropriate checks from CallVariant.
Note that we are reporting wasm pinned registers' clobbering from FTL
patchpoint. This teaches FTL to save and resume these callee-save registers as
FTL's callee-save registers.
Thus, OSR exit / exception unwinding just works well: FTL cares these registers
and correctly restore them when OSR exit happens. This is also the reason why
we cannot apply
this optimization to TailCall right now: wasm function clobbers callee-save
registers and tail-call needs an adaptor to restore them correctly when
returning to the caller's caller.
In the future, we should align wasm pinned registers with JS JIT default
callee-save registers so that we can easily restore then when OSR exit happens
from DFG too. This is necessary
if we would like to introduce this direct call from DFG side.
This improves JetStream2/richards-wasm Runtime from 13.021 to 16.129, 23%
improvement.
* Source/JavaScriptCore/dfg/DFGAbstractInterpreterInlines.h:
(JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
* Source/JavaScriptCore/dfg/DFGClobberize.h:
(JSC::DFG::clobberize):
* Source/JavaScriptCore/dfg/DFGDoesGC.cpp:
(JSC::DFG::doesGC):
* Source/JavaScriptCore/dfg/DFGFixupPhase.cpp:
(JSC::DFG::FixupPhase::fixupNode):
* Source/JavaScriptCore/dfg/DFGMayExit.cpp:
* Source/JavaScriptCore/dfg/DFGNode.cpp:
(JSC::DFG::Node::convertToCallWasm):
* Source/JavaScriptCore/dfg/DFGNode.h:
(JSC::DFG::Node::hasHeapPrediction):
(JSC::DFG::Node::hasCellOperand):
* Source/JavaScriptCore/dfg/DFGNodeType.h:
* Source/JavaScriptCore/dfg/DFGPredictionPropagationPhase.cpp:
* Source/JavaScriptCore/dfg/DFGSafeToExecute.h:
(JSC::DFG::safeToExecute):
* Source/JavaScriptCore/dfg/DFGSpeculativeJIT.h:
* Source/JavaScriptCore/dfg/DFGSpeculativeJIT32_64.cpp:
(JSC::DFG::SpeculativeJIT::compile):
* Source/JavaScriptCore/dfg/DFGSpeculativeJIT64.cpp:
(JSC::DFG::SpeculativeJIT::compileCallWasm):
(JSC::DFG::SpeculativeJIT::compile):
* Source/JavaScriptCore/dfg/DFGStrengthReductionPhase.cpp:
(JSC::DFG::StrengthReductionPhase::handleNode):
* Source/JavaScriptCore/ftl/FTLCapabilities.cpp:
(JSC::FTL::canCompile):
* Source/JavaScriptCore/ftl/FTLLowerDFGToB3.cpp:
(JSC::FTL::DFG::LowerDFGToB3::compileNode):
(JSC::FTL::DFG::LowerDFGToB3::compileCompareStrictEq):
Canonical link: https://commits.webkit.org/259250@main
_______________________________________________
webkit-changes mailing list
[email protected]
https://lists.webkit.org/mailman/listinfo/webkit-changes
