'[webkit-changes] [WebKit/WebKit] 55815d: [JSC][armv7] Enable concurrent JIT'

[prev in list] [next in list] [prev in thread] [next in thread] 

List:       webkit-changes
Subject:    [webkit-changes] [WebKit/WebKit] 55815d: [JSC][armv7] Enable concurrent JIT
From:       jjgriego <noreply () github ! com>
Date:       2024-01-31 18:49:32
Message-ID: WebKit/WebKit/push/refs/heads/main/d4bf0d-55815d () github ! com
[Download RAW message or body]

  Branch: refs/heads/main
  Home:   https://github.com/WebKit/WebKit
  Commit: 55815dc77e790829e87cda3bd37ddbb5c536e5e7
      https://github.com/WebKit/WebKit/commit/55815dc77e790829e87cda3bd37ddbb5c536e5e7
  Author: Joseph Griego <jgriego@igalia.com>
  Date:   2024-01-31 (Wed, 31 Jan 2024)

  Changed paths:
    M LayoutTests/js/script-tests/regress-139548.js
    M Source/JavaScriptCore/bytecode/ValueProfile.h
    M Source/JavaScriptCore/jit/AssemblyHelpers.h
    M Source/JavaScriptCore/llint/LowLevelInterpreter.asm
    M Source/JavaScriptCore/llint/LowLevelInterpreter32_64.asm
    M Source/JavaScriptCore/offlineasm/arm.rb
    M Source/JavaScriptCore/offlineasm/instructions.rb
    M Source/JavaScriptCore/runtime/JSCJSValue.h
    M Source/JavaScriptCore/runtime/WriteBarrier.h
    M Source/JavaScriptCore/runtime/WriteBarrierInlines.h
    M Source/WTF/wtf/PlatformEnable.h

  Log Message:
  -----------
  [JSC][armv7] Enable concurrent JIT
https://bugs.webkit.org/show_bug.cgi?id=239821

Reviewed by Justin Michaud.

Here we are again--the goal is to enable concurrent JIT support on ARMv7--the
problem, of course, is we don't have a way to update a JSValue atomically, with
the current encoding.

** Approach

Previous passes at this have tried to cope with the possibility of reading a
"spliced JSValue"--i.e., a value observed with a CellTag and a not-Cell
payload; this seems to work but isn't great and we don't have a way to get
reasonable answers from e.g. value profiles when this happens.

Instead, we develop the following protocol for updating a JSValue:

- Write a newly-reserved tag value, `InvalidTag` to the tag part of the value,
- Write the new payload word
- Write the new tag word

Now, when _reading_ a JSValue from threads other than the mutator, we can use
doubleword atomics and retry until the tag value is not `InvalidTag`.

Unfortunately, although in practice I've been unable to find any hardware where
store reordering seems to be observable, the architecture requires us to insert
store-store fences (`dmb ishst`) between these writes; this isn't free, as
discussed below.

** Implementation

We add a few new primitives for manipulating JSValues in memory that are used in
some key places where JSValues are accessed concurrently: ValueProfiles and any
JSValue behind a WriteBarrier (which addresses most things in the heap.)

As discussed above, for writes, we perform the 3 fenced stores, in order; reads
are retried until the tag is not InvalidTag; and a
`clearEncodedJSValueConcurrent` is provided since this operation does not
require fences (only the tag is modified)

** Performance

The addition of fences adds a nontrivial performance cost, especially for code
that spends a lot of time in the interpreter; however, this is still an
improvement for JetStream2 first-run times on some benchmarks, overall, the
performance is about the same for JS2.

I expect a regression to code size because of the extra stores--though I
believe there's opportunity to optimize some of these away in the JITs based on
speculation--if we know the JSValue is already a cell or non-cell, the
InvalidTag store is unnecssary and can be omitted.

* Source/JavaScriptCore/bytecode/ValueProfile.h:
(JSC::ValueProfileBase::clearBuckets):
(JSC::ValueProfileBase::classInfo const):
(JSC::ValueProfileBase::numberOfSamples const):
(JSC::ValueProfileBase::isLive const):
(JSC::ValueProfileBase::computeUpdatedPrediction):
* Source/JavaScriptCore/jit/AssemblyHelpers.h:
(JSC::AssemblyHelpers::storeAndFence32):
(JSC::AssemblyHelpers::storeCell):
(JSC::AssemblyHelpers::storeValue):
(JSC::AssemblyHelpers::storeTrustedValue):
* Source/JavaScriptCore/llint/LowLevelInterpreter.asm:
* Source/JavaScriptCore/llint/LowLevelInterpreter32_64.asm:
* Source/JavaScriptCore/offlineasm/arm.rb:
* Source/JavaScriptCore/offlineasm/instructions.rb:
* Source/JavaScriptCore/runtime/JSCJSValue.h:
(JSC::JSValue::decodeConcurrent):
(JSC::updateEncodedJSValueConcurrent):
(JSC::clearEncodedJSValueConcurrent):
* Source/JavaScriptCore/runtime/WriteBarrier.h:
* Source/JavaScriptCore/runtime/WriteBarrierInlines.h:
(JSC::RawValueTraits<Unknown>>::set):
* Source/WTF/wtf/PlatformEnable.h:

Canonical link: https://commits.webkit.org/273841@main

_______________________________________________
webkit-changes mailing list
webkit-changes@lists.webkit.org
https://lists.webkit.org/mailman/listinfo/webkit-changes
[prev in list] [next in list] [prev in thread] [next in thread] 