[webkit-changes] [WebKit/WebKit] eeb0d7: Speculation failure ValueProfile buckets should be...

Fri, 20 Oct 2023 20:59:20 -0700 

  Branch: refs/heads/main
  Home:   https://github.com/WebKit/WebKit
  Commit: eeb0d7b78c6d38aec83236b93e54cb60f89fc41c
      
https://github.com/WebKit/WebKit/commit/eeb0d7b78c6d38aec83236b93e54cb60f89fc41c
  Author: Keith Miller <[email protected]>
  Date:   2023-10-20 (Fri, 20 Oct 2023)

  Changed paths:
    M JSTests/microbenchmarks/fold-multi-get-by-offset-to-get-by-offset.js
    M 
JSTests/stress/fold-multi-get-by-offset-to-get-by-offset-with-watchpoint.js
    M Source/JavaScriptCore/CMakeLists.txt
    M Source/JavaScriptCore/JavaScriptCore.xcodeproj/project.pbxproj
    M Source/JavaScriptCore/Sources.txt
    M Source/JavaScriptCore/bytecode/CodeBlock.cpp
    M Source/JavaScriptCore/bytecode/CodeBlock.h
    R Source/JavaScriptCore/bytecode/LazyOperandValueProfile.cpp
    M Source/JavaScriptCore/bytecode/LazyOperandValueProfile.h
    A Source/JavaScriptCore/bytecode/LazyValueProfile.cpp
    A Source/JavaScriptCore/bytecode/LazyValueProfile.h
    M Source/JavaScriptCore/bytecode/MetadataTable.h
    M Source/JavaScriptCore/bytecode/MethodOfGettingAValueProfile.cpp
    M Source/JavaScriptCore/bytecode/ValueProfile.h
    M Source/JavaScriptCore/dfg/DFGByteCodeParser.cpp
    M Source/JavaScriptCore/dfg/DFGPredictionInjectionPhase.cpp
    M Source/JavaScriptCore/jit/JIT.cpp
    M Source/JavaScriptCore/llint/LLIntOffsetsExtractor.cpp
    M Source/JavaScriptCore/llint/LowLevelInterpreter.asm
    M Source/JavaScriptCore/tools/HeapVerifier.cpp
    M Source/WTF/wtf/ConcurrentVector.h

  Log Message:
  -----------
  Speculation failure ValueProfile buckets should be lazy
https://bugs.webkit.org/show_bug.cgi?id=263335
rdar://problem/117159824

Reviewed by Yusuke Suzuki.

Currently, ValueProfiles contain two JSValue buckets by default, one for 
LLInt/Baseline execution
and one for values from speculation failures in the DFG/FTL. These are both 
stored inline in the
ValueProfile itself. While we regularly use the regular buckets, it's somewhat 
rare to use the
speculation failure buckets.

This patch makes the speculation failure buckets lazy and part of the same data 
structure we use
for LazyOperandValueProfiles. Not all ValueProfiles use the new lazy mechanism, 
arguments'
ValueProfiles still have the speculation failure buckets inline and have a new 
type
ArgumentValueProfile. This change is about a .2% improvement on our internal 
memory benchmarks.

This change adds a new `appendConcurrently()` method to ConcurrentVector, which 
properly fences
between the initialization of the new element and the corresponding size 
increment.

Also, skip some tests that started failing on 32-bit.

* Source/JavaScriptCore/JavaScriptCore.xcodeproj/project.pbxproj:
* Source/JavaScriptCore/Sources.txt:
* Source/JavaScriptCore/bytecode/CodeBlock.cpp:
(JSC::CodeBlock::setNumParameters):
(JSC::CodeBlock::updateAllNonLazyValueProfilePredictionsAndCountLiveness):
(JSC::CodeBlock::updateAllLazyValueProfilePredictions):
(JSC::CodeBlock::dumpValueProfiles):
(JSC::CodeBlock::valueProfilePredictionForBytecodeIndex):
* Source/JavaScriptCore/bytecode/CodeBlock.h:
(JSC::CodeBlock::valueProfileForArgument):
(JSC::CodeBlock::lazyValueProfiles):
(JSC::CodeBlock::lazyOperandValueProfiles): Deleted.
* Source/JavaScriptCore/bytecode/LazyOperandValueProfile.cpp: Removed.
* Source/JavaScriptCore/bytecode/LazyOperandValueProfile.h:
(): Deleted.
* Source/JavaScriptCore/bytecode/LazyValueProfile.cpp: Added.
(JSC::CompressedLazyValueProfileHolder::computeUpdatedPredictions):
(JSC::CompressedLazyValueProfileHolder::initializeData):
(JSC::CompressedLazyValueProfileHolder::addOperandValueProfile):
(JSC::CompressedLazyValueProfileHolder::addSpeculationFailureValueProfile):
(JSC::LazyOperandValueProfileParser::initialize):
(JSC::LazyOperandValueProfileParser::getIfPresent const):
(JSC::LazyOperandValueProfileParser::prediction const):
* Source/JavaScriptCore/bytecode/LazyValueProfile.h: Added.
* Source/JavaScriptCore/bytecode/MetadataTable.h:
(JSC::MetadataTable::valueProfileForOffset):
* Source/JavaScriptCore/bytecode/MethodOfGettingAValueProfile.cpp:
(JSC::MethodOfGettingAValueProfile::emitReportValue const):
* Source/JavaScriptCore/bytecode/ValueProfile.h:
(JSC::ValueProfileBase::computeUpdatedPredictionForExtraValue):
(JSC::MinimalValueProfile::MinimalValueProfile):
(JSC::ValueProfile::ValueProfile):
(JSC::ValueProfile::offsetOfFirstBucket):
(JSC::ArgumentValueProfile::ArgumentValueProfile):
(JSC::UnlinkedValueProfile::update):
(JSC::ValueProfileWithLogNumberOfBuckets::ValueProfileWithLogNumberOfBuckets): 
Deleted.
* Source/JavaScriptCore/dfg/DFGByteCodeParser.cpp:
(JSC::DFG::ByteCodeParser::getPredictionWithoutOSRExit):
(JSC::DFG::ByteCodeParser::handleVarargsInlining):
(JSC::DFG::ByteCodeParser::InlineStackEntry::InlineStackEntry):
* Source/JavaScriptCore/dfg/DFGPredictionInjectionPhase.cpp:
(JSC::DFG::PredictionInjectionPhase::run):
* Source/JavaScriptCore/jit/JIT.cpp:
(JSC::JIT::compileAndLinkWithoutFinalizing):
* Source/JavaScriptCore/llint/LLIntOffsetsExtractor.cpp:
* Source/JavaScriptCore/llint/LowLevelInterpreter.asm:
* Source/JavaScriptCore/tools/HeapVerifier.cpp:
(JSC::HeapVerifier::validateJSCell):
* Source/WTF/wtf/ConcurrentVector.h:

Canonical link: https://commits.webkit.org/269612@main


_______________________________________________
webkit-changes mailing list
[email protected]
https://lists.webkit.org/mailman/listinfo/webkit-changes

Reply via email to