Closed Bug 1817385 Opened 1 year ago Closed 1 year ago

wasm-gc: reduce cost of allocation and GC paths

Categories

(Core :: JavaScript: WebAssembly, enhancement)

Product:
Core
Component:
JavaScript: WebAssembly
Type:
enhancement

Tracking

()

Status:
RESOLVED FIXED
Milestone:
112 Branch
Tracking Flags:
Tracking Status
firefox112 --- fixed

People

(Reporter: jseward, Assigned: jseward)

References

(Blocks 1 open bug)

Details

Attachments

(5 files)

bug1817385-1-remove-AllocArgs.diff-7 (WIP)
30.59 KB, patch
Details | Diff | Splinter Review
bug1817385-2-enable-Nursery.diff-4 (WIP)
16.93 KB, patch
Details | Diff | Splinter Review
bug1817385-3-recycling-trailers.diff-3 (WIP)
30.79 KB, patch
Details | Diff | Splinter Review
Bug 1817385 - part 1: remove WasmGcObject::AllocArgs. r=rhunt.
48 bytes, text/x-phabricator-request
Details | Review
Bug 1817385 - part 2: allow nursery allocation for all Wasm{Array,Struct}Objects. r=rhunt.
48 bytes, text/x-phabricator-request
Details | Review

The Dart Barista-3 benchmark is (wasm-gc-object-) allocation-intensive. It is
therefore important to minimise the cost of both the object allocation paths
and of the implied (induced) garbage collection. Starting this bug off with
two patches:

  • one to remove the use of AllocArgs in the allocation paths for wasm-gc
    structs and arrays

  • one to allow structs and arrays to fully participate in generational GC, by
    allowing them to be allocated in a Nursery even though they may contain
    pointers to OOL malloc'd storage ("trailers").

Another patch:

  • when a struct/array with a trailer doesn't make it out of the nursery,
    place it on a freelist for later reuse, to avoid malloc/free overhead.
    This more than halves the number of mallocs/frees resulting from
    running (excluding compilation) of Barista-3.
Blocks: 1820120

(In reply to Julian Seward [:jseward] from comment #1)

  • when a struct/array with a trailer doesn't make it out of the nursery,
    place it on a freelist for later reuse, to avoid malloc/free overhead.

I've moved this patch to bug 1820120, since it's much more extensive
than the other two patches, and I don't want to delay them further.

Allocation of Wasm{Array,Struct}Object currently involves copying info from a
TypeDefInstanceData into a WasmGcObject::AllocArgs. The AllocArgs is
subsequently used to initialise certain fields in the object.

This patch removes AllocArgs and instead passes a TypeDefInstanceData* to the
allocation methods, which provides the info the AllocArgs would have supplied.
A js::gc::InitialHeap is now also required. The result is generally simpler,
clearer, and faster; in particular, the use of Rooted<..> inside AllocArgs was
a source of inefficiency.

The following test case allocates 100M objects in a loop. Running on
baseline, without this patch the per-iteration cost is 263 instructions. With
the patch it is 239 instructions, a 24-instruction reduction.

(type $structAA (struct (field i32) (field f64)))
(func (export "mkAAloopy")
(local $i i32)
(loop $cont
(struct.new_default $structAA)
drop
(local.set $i (i32.add (local.get $i) (i32.const 1)))
(br_if $cont (i32.lt_u (local.get $i) (i32.const 10000000)))
)
)

This patch allows Wasm{Array,Struct}Objects to be nursery allocated even
though they may have OOL block pointers. It uses the existing mechanism that
js::Nursery provides for managing such blocks:

  • WasmArrayObject::createArray / WasmStructObject::createStruct allocate the
    OOL area with js_malloc as before. However, this area is now registered
    with the nursery by calling Nursery::registerMallocedBuffer.

  • Wasm{Array,Struct}Object::obj_moved identify objects which are tenured
    during minor (nursery) GCs. OOL block pointers of such objects are
    deregistered with the nursery by calling
    Nursery::removeMallocedBufferDuringMinorGC.

  • (no code change) at the end of minor GCs, the remaining "registered"
    pointers are js_freed by the GC. This takes care of freeing blocks owned by
    objects which didn't get tenured.

  • (no code change) Wasm{Array,Struct}Object::obj_finalize is called for
    objects which did get tenured, but are now dead. It hands the OOL pointers
    to js_free. Hence the blocks owned by objects which did get tenured are
    eventually freed.

TypeDefInstanceData::initialHeap is removed, because the initial heap is now
determined for all (array/struct) objects by the gc::AllocSite mechanism.

Depends on D171542

Pushed by jseward@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/46a676970946
part 1: remove WasmGcObject::AllocArgs.  r=rhunt.
https://hg.mozilla.org/integration/autoland/rev/310855ad98f9
part 2: allow nursery allocation for all Wasm{Array,Struct}Objects.  r=rhunt.

https://hg.mozilla.org/mozilla-central/rev/46a676970946
https://hg.mozilla.org/mozilla-central/rev/310855ad98f9

Status: NEW → RESOLVED
Closed: 1 year ago
status-firefox112: --- → fixed
Resolution: --- → FIXED
Target Milestone: --- → 112 Branch
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: