[webkit-changes] [WebKit/WebKit] 3563dd: [JSC] Fast JS-to-Wasm call from FTL

Mon, 23 Jan 2023 16:20:46 -0800 

  Branch: refs/heads/main
  Home:   https://github.com/WebKit/WebKit
  Commit: 3563dd1840c63e77d1bf18a2017edf52df32f263
      
https://github.com/WebKit/WebKit/commit/3563dd1840c63e77d1bf18a2017edf52df32f263
  Author: Yusuke Suzuki <ysuz...@apple.com>
  Date:   2023-01-23 (Mon, 23 Jan 2023)

  Changed paths:
    A JSTests/wasm/stress/js-to-wasm-exception.js
    A JSTests/wasm/stress/js-to-wasm-many-double.js
    A JSTests/wasm/stress/js-to-wasm-many-ref.js
    A JSTests/wasm/stress/js-to-wasm-many.js
    A JSTests/wasm/stress/js-to-wasm.js
    A JSTests/wasm/stress/wasm-to-wasm.js
    R JSTests/wasm/tier-up/js-to-wasm.js
    R JSTests/wasm/tier-up/wasm-to-wasm.js
    M Source/JavaScriptCore/dfg/DFGAbstractInterpreterInlines.h
    M Source/JavaScriptCore/dfg/DFGByteCodeParser.cpp
    M Source/JavaScriptCore/dfg/DFGClobberize.h
    M Source/JavaScriptCore/dfg/DFGDoesGC.cpp
    M Source/JavaScriptCore/dfg/DFGFixupPhase.cpp
    M Source/JavaScriptCore/dfg/DFGMayExit.cpp
    M Source/JavaScriptCore/dfg/DFGNode.cpp
    M Source/JavaScriptCore/dfg/DFGNode.h
    M Source/JavaScriptCore/dfg/DFGNodeType.h
    M Source/JavaScriptCore/dfg/DFGPredictionPropagationPhase.cpp
    M Source/JavaScriptCore/dfg/DFGSafeToExecute.h
    M Source/JavaScriptCore/dfg/DFGSpeculativeJIT32_64.cpp
    M Source/JavaScriptCore/dfg/DFGSpeculativeJIT64.cpp
    M Source/JavaScriptCore/dfg/DFGStrengthReductionPhase.cpp
    M Source/JavaScriptCore/ftl/FTLCapabilities.cpp
    M Source/JavaScriptCore/ftl/FTLLowerDFGToB3.cpp
    M Source/JavaScriptCore/jit/AssemblyHelpers.cpp
    M Source/JavaScriptCore/jit/AssemblyHelpers.h
    M Source/JavaScriptCore/wasm/WasmIRGeneratorHelpers.h
    M Source/JavaScriptCore/wasm/WasmThunks.cpp
    M Source/JavaScriptCore/wasm/js/WasmToJS.cpp

  Log Message:
  -----------
  [JSC] Fast JS-to-Wasm call from FTL
https://bugs.webkit.org/show_bug.cgi?id=250545
rdar://104214223

Reviewed by Keith Miller.

This patch supports direct Wasm call from FTL. FTL can know type speculations.
We check this in DFG strength reduction phase, and generate appropriate stack 
and register assignment for Wasm call.
This is further more efficient than Wasm IC since,

1. Based on type speculation, we can skip many type checks for arguments.
2. Because FTL can control registers and stacks, we can appropriately configure 
values in the right argument registers
   and stack location in FTL side and directly call Wasm function from FTL. By 
using patchpoint, B3 can assign right registers / stack
   location for them.
3. This removes Wasm IC trampoline between JS and Wasm function. Wasm function 
is now directly called from JS.

To make this work, we require 259139@main. That change allows us to remove a 
hack in unwinding for wasm (wasm function call can modify global state 
(vm.wasmContext.instance),
and unwinding needed to restore them appropriately. The above patch removed 
this necessity).
As a result, we can directly call wasm function from FTL without doing a hack 
in unwinding. And we can also remove save / restore of vm.wasmContext.instance.

We also need to encourage CallWasm in DFG ByteCodeParser. CallWasm needs 
constant-folded callee currently, but it needs to be materialized well from DFG 
ByteCodeParser by inserting
appropriate checks from CallVariant.

Note that we are reporting wasm pinned registers' clobbering from FTL 
patchpoint. This teaches FTL to save and resume these callee-save registers as 
FTL's callee-save registers.
Thus, OSR exit / exception unwinding just works well: FTL cares these registers 
and correctly restore them when OSR exit happens. This is also the reason why 
we cannot apply
this optimization to TailCall right now: wasm function clobbers callee-save 
registers and tail-call needs an adaptor to restore them correctly when 
returning to the caller's caller.
In the future, we should align wasm pinned registers with JS JIT default 
callee-save registers so that we can easily restore then when OSR exit happens 
from DFG too. This is necessary
if we would like to introduce this direct call from DFG side.

This improves JetStream2/richards-wasm Runtime from 13.021 to 16.129, 23% 
improvement.

* Source/JavaScriptCore/dfg/DFGAbstractInterpreterInlines.h:
(JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
* Source/JavaScriptCore/dfg/DFGClobberize.h:
(JSC::DFG::clobberize):
* Source/JavaScriptCore/dfg/DFGDoesGC.cpp:
(JSC::DFG::doesGC):
* Source/JavaScriptCore/dfg/DFGFixupPhase.cpp:
(JSC::DFG::FixupPhase::fixupNode):
* Source/JavaScriptCore/dfg/DFGMayExit.cpp:
* Source/JavaScriptCore/dfg/DFGNode.cpp:
(JSC::DFG::Node::convertToCallWasm):
* Source/JavaScriptCore/dfg/DFGNode.h:
(JSC::DFG::Node::hasHeapPrediction):
(JSC::DFG::Node::hasCellOperand):
* Source/JavaScriptCore/dfg/DFGNodeType.h:
* Source/JavaScriptCore/dfg/DFGPredictionPropagationPhase.cpp:
* Source/JavaScriptCore/dfg/DFGSafeToExecute.h:
(JSC::DFG::safeToExecute):
* Source/JavaScriptCore/dfg/DFGSpeculativeJIT.h:
* Source/JavaScriptCore/dfg/DFGSpeculativeJIT32_64.cpp:
(JSC::DFG::SpeculativeJIT::compile):
* Source/JavaScriptCore/dfg/DFGSpeculativeJIT64.cpp:
(JSC::DFG::SpeculativeJIT::compileCallWasm):
(JSC::DFG::SpeculativeJIT::compile):
* Source/JavaScriptCore/dfg/DFGStrengthReductionPhase.cpp:
(JSC::DFG::StrengthReductionPhase::handleNode):
* Source/JavaScriptCore/ftl/FTLCapabilities.cpp:
(JSC::FTL::canCompile):
* Source/JavaScriptCore/ftl/FTLLowerDFGToB3.cpp:
(JSC::FTL::DFG::LowerDFGToB3::compileNode):
(JSC::FTL::DFG::LowerDFGToB3::compileCompareStrictEq):

Canonical link: https://commits.webkit.org/259250@main


_______________________________________________
webkit-changes mailing list
webkit-changes@lists.webkit.org
https://lists.webkit.org/mailman/listinfo/webkit-changes

Reply via email to