Closed Bug 1687441 Opened 4 years ago Closed 4 years ago

Support large array buffers in the JITs

Categories

(Core :: JavaScript Engine: JIT, task, P3)

task

Tracking

()

RESOLVED FIXED
87 Branch
Tracking Status
firefox87 --- fixed

People

(Reporter: jandem, Assigned: jandem)

References

Details

Attachments

(23 files)

48 bytes, text/x-phabricator-request
Details | Review
48 bytes, text/x-phabricator-request
Details | Review
48 bytes, text/x-phabricator-request
Details | Review
48 bytes, text/x-phabricator-request
Details | Review
48 bytes, text/x-phabricator-request
Details | Review
48 bytes, text/x-phabricator-request
Details | Review
48 bytes, text/x-phabricator-request
Details | Review
48 bytes, text/x-phabricator-request
Details | Review
48 bytes, text/x-phabricator-request
Details | Review
48 bytes, text/x-phabricator-request
Details | Review
48 bytes, text/x-phabricator-request
Details | Review
48 bytes, text/x-phabricator-request
Details | Review
48 bytes, text/x-phabricator-request
Details | Review
48 bytes, text/x-phabricator-request
Details | Review
48 bytes, text/x-phabricator-request
Details | Review
48 bytes, text/x-phabricator-request
Details | Review
48 bytes, text/x-phabricator-request
Details | Review
48 bytes, text/x-phabricator-request
Details | Review
48 bytes, text/x-phabricator-request
Details | Review
48 bytes, text/x-phabricator-request
Details | Review
48 bytes, text/x-phabricator-request
Details | Review
48 bytes, text/x-phabricator-request
Details | Review
48 bytes, text/x-phabricator-request
Details | Review

With the patches in bug 1686936, the remaining places where we don't support large ArrayBuffers are mostly JSAPIs and JIT code.

JIT support isn't trivial because we will need to do 64-bit bounds checks and sign-extend 32-bit indexes for that. I hope this will be acceptable perf-wise, else we could do this in Warp code only in zones that have created large ArrayBuffer views.

Depends on: 1687449

I have a working prototype for this that passes all jit-tests. I'm pretty happy with how it all turned out.

Needs more work and testing, but I'm going to start splitting it up and land preliminary pieces.

Based on convertDoubleToInt32.

On 32-bit platforms this is equivalent to convertDoubleToInt32 which will be
sufficient because the length limit doesn't change there. On 64-bit platforms
this will let us support large index values.

Based on spectreBoundsCheck32.

Depends on D102427

This matches branchAdd32 and branchSub32.

We will use branchSubPtr with Register and Imm32 in EmitDataViewBoundsCheck.

Depends on D102428

The next patch will add spectreMaskIndexPtr.

Depends on D102429

Baesd on spectreMaskIndex32 and cmp32Move32.

Depends on D102430

Keywords: leave-open
Pushed by jdemooij@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/7f2bc0012c45 part 1 - Add convertDoubleToPtr to the MacroAssembler. r=anba https://hg.mozilla.org/integration/autoland/rev/4c037df6bd90 part 2 - Add move32SignExtendToPtr to the MacroAssembler. r=anba https://hg.mozilla.org/integration/autoland/rev/ca92ee4304ac part 3 - Add spectreBoundsCheckPtr to the MacroAssembler. r=anba https://hg.mozilla.org/integration/autoland/rev/d034802fb52f part 4 - Templatize branchAddPtr and branchSubPtr. r=anba https://hg.mozilla.org/integration/autoland/rev/52db39728006 part 5 - Rename spectreMaskIndex to spectreMaskIndex32. r=anba https://hg.mozilla.org/integration/autoland/rev/609249cb8b2c part 6 - Add spectreMaskIndexPtr to the MacroAssembler. r=anba

Tests based on the Int32 tests, with changes/tests for very large/small values.

This matches what we do for similar cases like MLoadUnboxedScalar.

A later patch will change the operand type to MIRType::IntPtr and that's easier
if there's no type policy to worry about.

Depends on D102724

This is the type that will be used to represent indexes/offsets into TypedArray
and DataView objects.

Depends on D102725

This will be used later for transpiling LoadTypedArrayElementExistsResult.

Depends on D102726

The alternative is to add support for MIRType::IntPtr to MSub and MMinMax which
seemed more complicated.

This also matches the IC code in EmitDataViewBoundsCheck. A later patch will
change codegen to branchSubPtr.

Depends on D102727

This will be useful for folding constant indexes to IntPtr in later patches.

Because we can't have different MConstant constructors with int64_t and intptr_t
arguments, reuse the one that takes int64_t by adding a MIRType argument to it.

Depends on D102728

Depends on D102729

This is similar to ValueTagOperandId. Later patches will use this type.

Depends on D102730

The variants that load an int32 value now take an optional Label that's used if
the index doesn't fit in an int32.

The Label argument is optional at this point so that we don't have to touch all
the callers, but later patches will change that.

Depends on D102731

Eventually we should optimize the result-is-double case too.

Depends on D102732

This also adds the IntPtr implementation that will later be used for bounds checks.

Depends on D102734

This switches all CacheIR and MIR instructions that use a TypedArray or DataView
index from Int32 to IntPtr.

The int32-index and non-int32-index cases in the GetElem/SetElem/In CacheIR generators
are now unified into a single method. This way it's easy to see that in-bounds Int32
and Double indexes are handled exactly the same way.

The IRGenerators call IRGenerator::guardToIntPtrIndex to convert key values to an
IntPtrOperandId. All TypedArray/DataView accesses optimized by CacheIR go through
there now.

The GuardToTypedArrayIndex CacheIR and MIR instruction is replaced with a similar
GuardNumberToIntPtrIndex instruction. It accepts a Number instead of a Value.

Depends on D102738

Attachment #9198642 - Attachment description: Bug 1687441 part 22 - Add JIT support for large buffers. r?anba! → Bug 1687441 part 23 - Add JIT support for large buffers. r?anba!

Adds useRegisterOrIndexConstant to check this during lowering, and also uses
ArrayOffsetFitsInInt32 in codegen to assert no overflow.

Pushed by jdemooij@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/f48f084d1b07 part 7 - Add NumberEqualsInt64 and NumberIsInt64 to MFBT. r=sg https://hg.mozilla.org/integration/autoland/rev/55faa30d1d32 part 8 - Don't use a type policy for the index argument for atomics. r=anba https://hg.mozilla.org/integration/autoland/rev/cdd1a0427206 part 9 - Add MIRType::IntPtr. r=anba https://hg.mozilla.org/integration/autoland/rev/242a6e9d5466 part 10 - Add MCompare::Compare_UIntPtr. r=anba https://hg.mozilla.org/integration/autoland/rev/c8f373bd71a5 part 11 - Add MAdjustDataViewLength. r=anba https://hg.mozilla.org/integration/autoland/rev/9dbff11bb583 part 12 - Add support for IntPtr MConstants. r=anba https://hg.mozilla.org/integration/autoland/rev/11f74ecada8f part 13 - Add MInt32ToIntPtr. r=anba
Pushed by jdemooij@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/165c5f46f3b6 part 14 - Add IntPtrOperandId. r=anba https://hg.mozilla.org/integration/autoland/rev/7a28b297920d part 15 - MacroAssembler changes for loading buffer lengths/offsets. r=anba https://hg.mozilla.org/integration/autoland/rev/10359c97a16d part 16 - Guard ArrayBuffer byteLength fits in int32 for JIT fast paths. r=anba https://hg.mozilla.org/integration/autoland/rev/4feb15e5cb8c part 17 - Guard ArrayBufferView byteOffset fits in int32 for JIT fast paths. r=anba https://hg.mozilla.org/integration/autoland/rev/32f439b0662a part 18 - Guard ArrayBufferView length fits in int32 for JIT fast paths. r=anba
Pushed by jdemooij@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/9263fbf533e0 part 19 - Add IntPtr support to MBoundsCheck and MSpectreMaskIndex. r=anba https://hg.mozilla.org/integration/autoland/rev/ed004d2c8864 part 20 - Support bounds check optimizations when the index is MInt32ToIntPtr. r=anba,iain https://hg.mozilla.org/integration/autoland/rev/44be7a953533 part 21 - Change Atomics VM functions to take index as size_t instead of int32_t. r=anba https://hg.mozilla.org/integration/autoland/rev/29c981446c38 part 22 - Guard against int32 overflow in offset computations. r=anba https://hg.mozilla.org/integration/autoland/rev/2610d2d33a73 part 23 - Add JIT support for large buffers. r=anba
Status: ASSIGNED → RESOLVED
Closed: 4 years ago
Keywords: leave-open
Resolution: --- → FIXED
Target Milestone: --- → 87 Branch
Regressions: 1693662
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Created:
Updated:
Size: