Closed Bug 1544429 Opened 5 years ago Closed 4 years ago

Improve IonBuilder's TI interface

Categories

(Core :: JavaScript Engine: JIT, enhancement, P2)

Product:
Core
Component:
JavaScript Engine: JIT
Type:
enhancement

Tracking

()

Status:
RESOLVED WONTFIX

People

(Reporter: jandem, Assigned: iain)

References

Details

Attachments

(2 files, 10 obsolete files)

Bug 1544429: Part 0: Fix non-unified ARM build r=tcampbell
47 bytes, text/x-phabricator-request
Details | Review
Bug 1544429: Part 1: Add TIOracle r=tcampbell
47 bytes, text/x-phabricator-request
Details | Review

IonBuilder currently uses raw TypeSets and object/group pointers but it can be hard to reason about the invariants and there's unnecessary boilerplate.

After some brainstorming, Ted and I came up with the following design:

  • Add a TISnapshot class with higher-level methods for all TI-related queries.

  • IonBuilder will stop using raw JSObject*, TypeSet*, ObjectKey. Instead, it will have opaque types/handles (TISnapshot::Object, TISnapshot::HeapTypeSet) it can pass to (and get from) TISnapshot.

  • The goal is to make the TISnapshot class hard to misuse. The few places that want to do tricky things can (temporarily) opt-in via unsafeFoo() methods we can audit.

  • TI queries will be modeled (as much as possible) after VM operations. For example, to check if a TISnapshot::Object has a property: snapshot.hasOwnProperty(object, id). TISnapshot will add the right constraints.

Another pattern that we observe happening in IonBuilder is accessing unguarded Object/TI data to decide if an optimization would apply before any constraints are fired. This is error-prone but could be handled relatively straightforward by having an RAII transaction class. The sequence of constraints would be collected during transaction and on abort they would be discarded before being applied. In practice, we would only have small amounts of constraints here since current code is manually juggling the constraints so doesn't get very complicated.

Depends on: 1545428

To add some notes here. I've been doing some relevant investigation into Ion invalidations during page-load, in bug 1543385. I have yet to summarize and report the findings, but there is some preliminary data there.

What I'm finding is that the amount of specificity in TI typesets (both stack typesets and heap typesets) is too high. There are a large number of invalidations coming from situations where we are adding a new type to a type-set that is already full.

Specifically, things like "add null to a type-set containing void,int,string,object", or "add Group-A to a type-set containing Group-B,Group-C,Group-D,Group-E". The existing type-set specificity in these cases is not enough to provide any additional optimization opportunity over the new (modified) type-set, yet there is a freeze taken on the specific contents.

Ion does not benefit from type-specialization with TI beyond monomorphic types. The type-sets currently are designed to introduce specificity in contexts that doesn't help us, and additionally introduce invalidations that should be spurious (we should have and probably are optimizing on the generalized type, but we are freezing on the list of specific types).

Part of this TI interface improvement can include a significant simplification of typesets. I would suggest that type-sets should generalize aggressively - quickly moving towards an any type.

(In reply to Kannan Vijayan [:djvj] from comment #2)

What I'm finding is that the amount of specificity in TI typesets (both stack typesets and heap typesets) is too high. There are a large number of invalidations coming from situations where we are adding a new type to a type-set that is already full.

This sounds orthogonal to the issue which is mentioned here, which is purely a cosmetic layer on top of what is implemented today, such that C++ type system enforces us to make use of TI to poke at GC things.

Basically what is described here is a membrane which you always have to go through, and which happen to record TI information as you query it.

status-firefox68: --- → fix-optional
Priority: -- → P2

It's somewhat orthogonal to the specific intention here. However - given that some of the implementation choices will end up running across each other, I thought it worthwhile to mention.

For example, fixing up the type-punning around objectSet (which can alternatively be an ObjectKey* (single object), ObjectKey** (array), or ObjectKey** (hashtable). Now, cleaning all of that up might be a bit redundant when we expect to eliminate the idea of storing multiple ObjectGroups in a single type-set in the first place.

So providing a safe wrapper type (ObjectKey instead of ObjectKey*) makes sense. We may care less about fixing up the array and hash-table punning of the double-indirection pointer type of TypeSet.objectSet.

Attachment #9064541 - Flags: feedback?(tcampbell)

Depends on D30963

Depends on D31332

Depends on D31334

Attachment #9064541 - Attachment is obsolete: true
Attachment #9064541 - Flags: feedback?(tcampbell)
Attachment #9065191 - Attachment is obsolete: true
Attachment #9065192 - Attachment is obsolete: true
Attachment #9065193 - Attachment is obsolete: true
Attachment #9065194 - Attachment is obsolete: true

When I added TIOracle.cpp, this missing header broke the unified ARM build. (We don't test non-unified ARM builds by default.)

Depends on D38729

"ExtraIndexedProperty" is overly vague. What we're actually querying is whether a hole in the dense elements array implies that the element is undefined, or whether holes may be defined (whether by a non-data property or somewhere on the prototype chain). If the query returns false, then JSWhyMagic::JS_ELEMENTS_HOLE can be safely interpreted as undefined (and constraints will be added to enforce that). If it returns true, then we have to go look up the property elsewhere.

ElementAccessHasExtraIndexedProperty and TypeCanHaveExtraIndexedProperties are folded together.

Depends on D38731

Depends on D38732

Pushed by iireland@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/20e1a3ecd04a
Part 0: Fix non-unified ARM build r=tcampbell

https://hg.mozilla.org/mozilla-central/rev/20e1a3ecd04a

Status: NEW → RESOLVED
Closed: 5 years ago
status-firefox70: --- → fixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla70
Assignee: nobody → iireland

Since the status are different for nightly and release, what's the status for beta?
For more information, please visit auto_nag documentation.

status-firefox69: --- → ?

Forgot the darn leave-open tag.

Status: RESOLVED → REOPENED
status-firefox69: ? → ---
status-firefox70: fixed → ---
Keywords: leave-open
Resolution: FIXED → ---
status-firefox68: fix-optional → ---
Target Milestone: mozilla70 → ---
Pushed by iireland@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/6d1d7fc0e34c
Part 1: Add TIOracle r=tcampbell,jandem
Attachment #9079473 - Attachment is obsolete: true
Attachment #9079474 - Attachment is obsolete: true
Attachment #9079475 - Attachment is obsolete: true
Attachment #9079476 - Attachment is obsolete: true
Attachment #9079477 - Attachment is obsolete: true

Our new plan for fixing the TI interface is to remove TI completely and use WarpBuilder instead. This bug is no longer relevant.

Status: REOPENED → RESOLVED
Closed: 5 years ago4 years ago
Resolution: --- → WONTFIX
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: