Closed Bug 1640829 Opened 4 years ago Closed 4 years ago

Generate more efficient code for fallible unbox

Categories

(Core :: JavaScript Engine: JIT, task, P2)

Product:
Core
Component:
JavaScript Engine: JIT
Type:
task

Tracking

()

Status:
RESOLVED FIXED
Milestone:
mozilla78
Tracking Flags:
Tracking Status
firefox78 --- fixed

People

(Reporter: jandem, Assigned: jandem)

References

(Blocks 1 open bug)

Details

Attachments

(4 files)

Bug 1640829 part 1 - Add some missing branchTestSymbol and unboxInt32/unboxBoolean overloads. r?iain!
47 bytes, text/x-phabricator-request
Details | Review
Bug 1640829 part 2 - Add fallibleUnbox* methods to the MacroAssembler. r?iain!
47 bytes, text/x-phabricator-request
Details | Review
Bug 1640829 part 3 - Use fallibleUnbox* for LUnbox on 64-bit platforms. r?iain!
47 bytes, text/x-phabricator-request
Details | Review
Bug 1640829 part 4 - Use fallibleUnbox* in EmitLoadAndUnbox. r?iain!
47 bytes, text/x-phabricator-request
Details | Review

Now that we use XOR to unbox Values (since Spectre), we can optimize fallible unboxing a bit more. To unbox a Value in rax to an object in rbx on x64, instead of generating this:

movq       %rax, %r11
shrq       $47, %r11
cmpl       $0x1fffc, %r11d
jne        <bail>
movabsq    $0xfffe000000000000, %rbx
xorq       %rax, %rbx

We can do this:

movabsq    $0xfffe000000000000, %r11
xorq       %rax, %r11
movq       %r11, %rbx
shrq       $47, %r11
jnz        <bail>

The new version on ARM64:

eor       x2, x1, #0xfffe000000000000
cmp       xzr, x2, lsr 47
bne       <bail>

This is a measurable win on some benchmarks with Warp enabled.

On 64-bit platforms we can generate better code for a fallible unbox by first
doing a XOR to unbox and then doing the type check with a right-shift + check-non-zero.

For int32 and boolean we still use a separate branch + unbox: these types can be
unboxed more efficiently because they only use 32 payload bits.

Depends on D76827

Also adds support for object/string/symbol/bigint to the FoldLoadsWithUnbox
optimization pass: with the old unboxing scheme this would have been inefficient
on 64-bit platforms (loading the Value twice, for type guard and unbox) but
fallibleUnboxPtr now does a single load on x64 and ARM64.

Depends on D76829

Pushed by jdemooij@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/e0c0917c6826 part 1 - Add some missing branchTestSymbol and unboxInt32/unboxBoolean overloads. r=iain https://hg.mozilla.org/integration/autoland/rev/b53f40d2b305 part 2 - Add fallibleUnbox* methods to the MacroAssembler. r=iain https://hg.mozilla.org/integration/autoland/rev/abc180c57420 part 3 - Use fallibleUnbox* for LUnbox on 64-bit platforms. r=iain https://hg.mozilla.org/integration/autoland/rev/abab86b25b5f part 4 - Use fallibleUnbox* in EmitLoadAndUnbox. r=iain
Blocks: 1642265
Regressions: 1646045
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: