[JSC] Record CoW status in ArrayProfile
author utatane.tea@gmail.com <utatane.tea@gmail.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Wed, 25 Jul 2018 00:41:10 +0000 (00:41 +0000)
committer utatane.tea@gmail.com <utatane.tea@gmail.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Wed, 25 Jul 2018 00:41:10 +0000 (00:41 +0000)
commit 4728d8d8440a4883a4002776e5253f00f77eff54
tree 44636e0a72a03ad45c2a40a3719722b5f4dfe7cc
parent 935cb6fc7592498f34f2d90d7137915be64233cc
[JSC] Record CoW status in ArrayProfile
https://bugs.webkit.org/show_bug.cgi?id=187949

Reviewed by Saam Barati.

JSTests:

* stress/array-profile-should-record-copy-on-write.js: Added.
(shouldBe):
(test1):
(test2):
(test3):

Source/JavaScriptCore:

Once a CoW array is converted to a non-CoW array, subsequent operations are done on this non-CoW array.
Even though these operations are performed on both CoW and non-CoW arrays in the code, array profiles
in this code typically record only non-CoW arrays since array profiles hold only one StructureID recently
seen. This results in emitting CheckStructure for non-CoW arrays in DFG, and it soon causes OSR exits due to
CoW arrays.

In this patch, we record CoW status in ArrayProfile separately to construct a more appropriate DFG::ArrayMode
speculation. To do so efficiently, we store the union of seen IndexingModes in ArrayProfile.

This patch removes one of Kraken/stanford-crypto-aes's OSR exit reasons, and improves the performance by 6-7%.

                              baseline                  patched

stanford-crypto-aes        60.893+-1.346      ^      57.412+-1.298         ^ definitely 1.0606x faster
stanford-crypto-ccm        62.124+-1.992             58.921+-1.844           might be 1.0544x faster

* bytecode/ArrayProfile.cpp:
(JSC::ArrayProfile::briefDescriptionWithoutUpdating):
* bytecode/ArrayProfile.h:
(JSC::asArrayModes):
We simplify asArrayModes instead of giving up Int8ArrayMode - Float64ArrayMode contiguous sequence.

(JSC::ArrayProfile::ArrayProfile):
(JSC::ArrayProfile::addressOfObservedIndexingModes):
(JSC::ArrayProfile::observedIndexingModes const):
Currently, our macro assembler and offlineasm only support `or32` / `ori` operations on addresses.
So we store the union of seen IndexingModes in `unsigned` instead.

* dfg/DFGArrayMode.cpp:
(JSC::DFG::ArrayMode::fromObserved):
* dfg/DFGArrayMode.h:
(JSC::DFG::ArrayMode::withProfile const):
* jit/JITCall.cpp:
(JSC::JIT::compileOpCall):
* jit/JITCall32_64.cpp:
(JSC::JIT::compileOpCall):
* jit/JITInlines.h:
(JSC::JIT::emitArrayProfilingSiteWithCell):
* llint/LowLevelInterpreter.asm:
* llint/LowLevelInterpreter32_64.asm:
* llint/LowLevelInterpreter64.asm:

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@234183 268f45cc-cd09-0410-ab3c-d52691b4dbfc
13 files changed:
JSTests/ChangeLog
JSTests/stress/array-profile-should-record-copy-on-write.js [new file with mode: 0644]
Source/JavaScriptCore/ChangeLog
Source/JavaScriptCore/bytecode/ArrayProfile.cpp
Source/JavaScriptCore/bytecode/ArrayProfile.h
Source/JavaScriptCore/dfg/DFGArrayMode.cpp
Source/JavaScriptCore/dfg/DFGArrayMode.h
Source/JavaScriptCore/jit/JITCall.cpp
Source/JavaScriptCore/jit/JITCall32_64.cpp
Source/JavaScriptCore/jit/JITInlines.h
Source/JavaScriptCore/llint/LowLevelInterpreter.asm
Source/JavaScriptCore/llint/LowLevelInterpreter32_64.asm
Source/JavaScriptCore/llint/LowLevelInterpreter64.asm
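
A simplified model of the profiling problem the commit message describes, added here as an illustration; it is not JavaScriptCore code and not part of this commit. The type names, bit values and access trace are constructed, and it only counts checks that would fail, without modelling recompilation after an OSR exit.

```cpp
// Simplified model of the profiling issue; not JavaScriptCore source.
// All type names, bit values and the trace below are constructed.
#include <cstdint>
#include <cstdio>
#include <vector>

enum Mode : uint32_t {
    Writable    = 1u << 0,  // ordinary (non-CoW) array storage
    CopyOnWrite = 1u << 1,  // storage shared until the first write
};

struct Profile {
    uint32_t lastSeen = 0;       // stands in for the single recorded StructureID
    uint32_t observedModes = 0;  // union of every mode seen at this site
    void observe(Mode m) {
        lastSeen = m;        // each observation overwrites the previous one
        observedModes |= m;  // a single OR per observation
    }
};

// Number of accesses that would fail a check admitting only `speculated`.
int failedChecks(uint32_t speculated, const std::vector<Mode>& trace) {
    int failures = 0;
    for (Mode m : trace)
        if ((speculated & m) == 0) ++failures;
    return failures;
}

struct Result { int withLastSeen; int withUnion; };

// One call = the site sees a fresh CoW array, converts it, sees it again.
Result simulate(int warmupCalls, int optimizedCalls) {
    Profile profile;
    for (int i = 0; i < warmupCalls; ++i) {
        profile.observe(CopyOnWrite);
        profile.observe(Writable);
    }
    std::vector<Mode> trace;
    for (int i = 0; i < optimizedCalls; ++i) {
        trace.push_back(CopyOnWrite);
        trace.push_back(Writable);
    }
    return { failedChecks(profile.lastSeen, trace),
             failedChecks(profile.observedModes, trace) };
}

int main() {
    Result r = simulate(100, 10);
    std::printf("last-seen only: %d failed checks, union: %d\n", r.withLastSeen, r.withUnion);
}
```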