Closed Bug 1640829 Opened 8 months ago Closed 8 months ago

Generate more efficient code for fallible unbox


(Core :: JavaScript Engine: JIT, task, P2)




Tracking Status
firefox78 --- fixed


(Reporter: jandem, Assigned: jandem)


(Blocks 1 open bug)



(4 files)

Now that we use XOR to unbox Values (since Spectre), we can optimize fallible unboxing a bit more. To unbox a Value in rax to an object in rbx on x64, instead of generating this:

movq       %rax, %r11
shrq       $47, %r11
cmpl       $0x1fffc, %r11d
jne        <bail>
movabsq    $0xfffe000000000000, %rbx
xorq       %rax, %rbx

We can do this:

movabsq    $0xfffe000000000000, %r11
xorq       %rax, %r11
movq       %r11, %rbx
shrq       $47, %r11
jnz        <bail>

The new version on ARM64:

eor       x2, x1, #0xfffe000000000000
cmp       xzr, x2, lsr 47
bne       <bail>

This is a measurable win on some benchmarks with Warp enabled.

On 64-bit platforms we can generate better code for a fallible unbox by first
doing a XOR to unbox and then doing the type check with a right-shift + check-non-zero.

For int32 and boolean we still use a separate branch + unbox: these types can be
unboxed more efficiently because they only use 32 payload bits.

Depends on D76827

Also adds support for object/string/symbol/bigint to the FoldLoadsWithUnbox
optimization pass: with the old unboxing scheme this would have been inefficient
on 64-bit platforms (loading the Value twice, for type guard and unbox) but
fallibleUnboxPtr now does a single load on x64 and ARM64.

Depends on D76829

Pushed by
part 1 - Add some missing branchTestSymbol and unboxInt32/unboxBoolean overloads. r=iain
part 2 - Add fallibleUnbox* methods to the MacroAssembler. r=iain
part 3 - Use fallibleUnbox* for LUnbox on 64-bit platforms. r=iain
part 4 - Use fallibleUnbox* in EmitLoadAndUnbox. r=iain
Blocks: 1642265
Regressions: 1646045
You need to log in before you can comment on or make changes to this bug.