Inline DataView accesses into DFG/FTL
authorsbarati@apple.com <sbarati@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Tue, 21 Aug 2018 06:05:21 +0000 (06:05 +0000)
committersbarati@apple.com <sbarati@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Tue, 21 Aug 2018 06:05:21 +0000 (06:05 +0000)
commitc875a75dcfe28d5dce35cbdf5c0954e25ab3855e
tree43943943a40d29c7609c3026fc375e94aba76b2b
parent810e56327f1987de5d9d67c0f06b0cf0ef7c6706
Inline DataView accesses into DFG/FTL
https://bugs.webkit.org/show_bug.cgi?id=188573
<rdar://problem/43286746>

Reviewed by Michael Saboff.

JSTests:

* microbenchmarks/data-view-accesses-2.js: Added.
(assert):
(let.p.of.Object.keys.let.str):
(let.p.of.Object.keys):
(test):
* microbenchmarks/data-view-accesses.js: Added.
(assert):
(let.p.of.Object.keys.let.str):
(let.p.of.Object.keys):
* stress/dataview-jit-bounds-checks.js: Added.
(assert):
(let.p.of.Object.keys.let.str):
(let.p.of.Object.keys):
* stress/dataview-jit-get.js: Added.
(assert):
(test1.bigEndian):
(test1.littleEndian):
(test1.biEndian):
(test1):
(test2.bigEndian):
(test2.littleEndian):
(test2.biEndian):
(test2):
(test3.bigEndian):
(test3.littleEndian):
(test3.biEndian):
(test3):
(test4.bigEndian):
(test4.littleEndian):
(test4.biEndian):
(test4):
(test5.bigEndian):
(test5.littleEndian):
(test5.biEndian):
(test5):
(test6.bigEndian):
(test6.littleEndian):
(test6.biEndian):
(test6):
(test7.load):
(test7):
(test8.load):
(test8):
* stress/dataview-jit-neuter.js: Added.
(assert):
(test.load):
(test):
(test2.load):
(test2):
* stress/dataview-jit-set.js: Added.
(assert):
(isLittleEndian):
(readByte):
(readHex):
(test.storeLittleEndian):
(test.storeBigEndian):
(test.store):
(test):
(test2.storeLittleEndian):
(test2.storeBigEndian):
(test2.store):
(test2):
(test3.storeLittleEndian):
(test3.storeBigEndian):
(test3.store):
(test3):
(test4.storeLittleEndian):
(test4.storeBigEndian):
(test4.store):
(test4):
(test5.storeLittleEndian):
(test5.storeBigEndian):
(test5.store):
(test5):
(test6.storeLittleEndian):
(test6.storeBigEndian):
(test6.store):
(test6):
(test7.store):
(test7):
(test8.store):
(test8):
* stress/dataview-jit-unaligned-accesses.js: Added.
(assert):
(let.p.of.Object.keys.let.str):
(let.p.of.Object.keys):

Source/JavaScriptCore:

This patch teaches the DFG/FTL to inline DataView accesses. The approach is
straight forward. We inline the various get*/set* operations as intrinsics.

This patch takes the most obvious approach for now. We OSR exit when:
- An isLittleEndian argument is provided, and is not a boolean.
- The index isn't an integer.
- The |this| isn't a DataView.
- We do an OOB access (or see a neutered array)

To implement this change in a performant way, this patch teaches the macro
assembler how to emit byte swap operations. The semantics of the added functions
are byteSwap + zero extend. This means for the 16bit byte swaps, we need
to actually emit zero extend instructions. For the 32/64bit byte swaps,
the instructions already have these semantics.

This patch is just a lightweight initial implementation. There are some easy
extensions we can do in future changes:
- Teach B3 how to byte swap: https://bugs.webkit.org/show_bug.cgi?id=188759
- CSE DataViewGet* nodes: https://bugs.webkit.org/show_bug.cgi?id=188768

* assembler/MacroAssemblerARM64.h:
(JSC::MacroAssemblerARM64::byteSwap16):
(JSC::MacroAssemblerARM64::byteSwap32):
(JSC::MacroAssemblerARM64::byteSwap64):
* assembler/MacroAssemblerX86Common.h:
(JSC::MacroAssemblerX86Common::byteSwap32):
(JSC::MacroAssemblerX86Common::byteSwap16):
(JSC::MacroAssemblerX86Common::byteSwap64):
* assembler/X86Assembler.h:
(JSC::X86Assembler::bswapl_r):
(JSC::X86Assembler::bswapq_r):
(JSC::X86Assembler::shiftInstruction16):
(JSC::X86Assembler::rolw_i8r):
(JSC::X86Assembler::X86InstructionFormatter::SingleInstructionBufferWriter::memoryModRM):
* assembler/testmasm.cpp:
(JSC::testByteSwap):
(JSC::run):
* bytecode/DataFormat.h:
* bytecode/SpeculatedType.cpp:
(JSC::dumpSpeculation):
(JSC::speculationFromClassInfo):
(JSC::speculationFromJSType):
(JSC::speculationFromString):
* bytecode/SpeculatedType.h:
* dfg/DFGAbstractInterpreterInlines.h:
(JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
* dfg/DFGByteCodeParser.cpp:
(JSC::DFG::ByteCodeParser::handleIntrinsicCall):
* dfg/DFGClobberize.h:
(JSC::DFG::clobberize):
* dfg/DFGDoesGC.cpp:
(JSC::DFG::doesGC):
* dfg/DFGFixupPhase.cpp:
(JSC::DFG::FixupPhase::fixupNode):
* dfg/DFGNode.h:
(JSC::DFG::Node::hasHeapPrediction):
(JSC::DFG::Node::dataViewData):
* dfg/DFGNodeType.h:
* dfg/DFGPredictionPropagationPhase.cpp:
* dfg/DFGSafeToExecute.h:
(JSC::DFG::SafeToExecuteEdge::operator()):
(JSC::DFG::safeToExecute):
* dfg/DFGSpeculativeJIT.cpp:
(JSC::DFG::SpeculativeJIT::speculateDataViewObject):
(JSC::DFG::SpeculativeJIT::speculate):
* dfg/DFGSpeculativeJIT.h:
* dfg/DFGSpeculativeJIT32_64.cpp:
(JSC::DFG::SpeculativeJIT::compile):
* dfg/DFGSpeculativeJIT64.cpp:
(JSC::DFG::SpeculativeJIT::compile):
* dfg/DFGUseKind.cpp:
(WTF::printInternal):
* dfg/DFGUseKind.h:
(JSC::DFG::typeFilterFor):
(JSC::DFG::isCell):
* ftl/FTLCapabilities.cpp:
(JSC::FTL::canCompile):
* ftl/FTLLowerDFGToB3.cpp:
(JSC::FTL::DFG::LowerDFGToB3::compileNode):
(JSC::FTL::DFG::LowerDFGToB3::byteSwap32):
(JSC::FTL::DFG::LowerDFGToB3::byteSwap64):
(JSC::FTL::DFG::LowerDFGToB3::emitCodeBasedOnEndiannessBranch):
(JSC::FTL::DFG::LowerDFGToB3::compileDataViewGet):
(JSC::FTL::DFG::LowerDFGToB3::compileDataViewSet):
(JSC::FTL::DFG::LowerDFGToB3::lowDataViewObject):
(JSC::FTL::DFG::LowerDFGToB3::speculate):
(JSC::FTL::DFG::LowerDFGToB3::speculateDataViewObject):
* runtime/Intrinsic.cpp:
(JSC::intrinsicName):
* runtime/Intrinsic.h:
* runtime/JSDataViewPrototype.cpp:

Source/WTF:

* wtf/TriState.h:

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@235106 268f45cc-cd09-0410-ab3c-d52691b4dbfc
38 files changed:
JSTests/ChangeLog
JSTests/microbenchmarks/data-view-accesses-2.js [new file with mode: 0644]
JSTests/microbenchmarks/data-view-accesses.js [new file with mode: 0644]
JSTests/stress/dataview-jit-bounds-checks.js [new file with mode: 0644]
JSTests/stress/dataview-jit-get.js [new file with mode: 0644]
JSTests/stress/dataview-jit-neuter.js [new file with mode: 0644]
JSTests/stress/dataview-jit-set.js [new file with mode: 0644]
JSTests/stress/dataview-jit-unaligned-accesses.js [new file with mode: 0644]
Source/JavaScriptCore/ChangeLog
Source/JavaScriptCore/assembler/MacroAssemblerARM64.h
Source/JavaScriptCore/assembler/MacroAssemblerX86Common.h
Source/JavaScriptCore/assembler/X86Assembler.h
Source/JavaScriptCore/assembler/testmasm.cpp
Source/JavaScriptCore/bytecode/DataFormat.h
Source/JavaScriptCore/bytecode/SpeculatedType.cpp
Source/JavaScriptCore/bytecode/SpeculatedType.h
Source/JavaScriptCore/dfg/DFGAbstractInterpreterInlines.h
Source/JavaScriptCore/dfg/DFGByteCodeParser.cpp
Source/JavaScriptCore/dfg/DFGClobberize.h
Source/JavaScriptCore/dfg/DFGDoesGC.cpp
Source/JavaScriptCore/dfg/DFGFixupPhase.cpp
Source/JavaScriptCore/dfg/DFGNode.h
Source/JavaScriptCore/dfg/DFGNodeType.h
Source/JavaScriptCore/dfg/DFGPredictionPropagationPhase.cpp
Source/JavaScriptCore/dfg/DFGSafeToExecute.h
Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp
Source/JavaScriptCore/dfg/DFGSpeculativeJIT.h
Source/JavaScriptCore/dfg/DFGSpeculativeJIT32_64.cpp
Source/JavaScriptCore/dfg/DFGSpeculativeJIT64.cpp
Source/JavaScriptCore/dfg/DFGUseKind.cpp
Source/JavaScriptCore/dfg/DFGUseKind.h
Source/JavaScriptCore/ftl/FTLCapabilities.cpp
Source/JavaScriptCore/ftl/FTLLowerDFGToB3.cpp
Source/JavaScriptCore/runtime/Intrinsic.cpp
Source/JavaScriptCore/runtime/Intrinsic.h
Source/JavaScriptCore/runtime/JSDataViewPrototype.cpp
Source/WTF/ChangeLog
Source/WTF/wtf/TriState.h