Closed Bug 516347 Opened 12 years ago Closed 12 years ago

nanojit: avoid premature regalloc state updates in the i386 backend

Categories

(Core :: JavaScript Engine, defect)

Product:
Core
Component:
JavaScript Engine
Platform:
x86
Linux
Type:
defect
Priority:
Not set
Severity:
normal

Tracking

()

Status:
RESOLVED FIXED

People

(Reporter: n.nethercote, Assigned: n.nethercote)

References

Details

(Whiteboard: fixed-in-nanojit, fixed-in-tracemonkey, fixed-in-tamarin)

Attachments

(1 file, 1 obsolete file)

patch v2
82.46 KB, patch
edwsmith
: review+
dvander
: review+
Details | Diff | Splinter Review
Attached patch patch (obsolete) — Splinter Review 
This patch is a first step towards fixing bug 513615, and lays the
groundwork for some future bugs.  It's deliberately very small, so the
general approach can be evaluated carefully.

- prepResultReg() and freeRsrcOf() are two prematurely-updating functions
  that need to be removed eventually.  For now, I've added
  prepareResultReg() and freeResourcesOf() which are safer versions.  (I'm
  not particularly attached to the new names, but I don't like freeRsrcOf()
  because it's cryptic and I find it hard to type.)

- asm_output2 has been added, which is the same as asm_output but takes an
  additional parameter which is 'PPost' if the current register state is
  the post-state, 'PPre' if it's the pre-state, and 'PNone' if it's neither
  (useful for the middle of sequences of generated instructions, when we 
  don't bother to keep the state consistent).

  asm_output(...) is now equivalent to asm_output2(PPre, ...).  Eventually all
  occurrences will print the post-state and all asm_output2 occurrences can be
  replaced with asm_output occurrences.  The output now indicates which state
  is being printed, eg:

      rp_offset = int 8
               mov eax,8              post: eax(rp_offset) ecx(ld1527) esi(cx) edi(sp)
      ld1526 = ld add156[0]
               mov   ecx,0(ecx+eax*1) pre:  eax(rp_offset) ecx(ld1527) esi(cx) edi(sp)

  and (an example involving PNone):

      not46 = not ld35
      mov eax,edx
      not eax                         post: eax(not46) ecx(ld36) edx(ld35) ebx(an d724) esi(ld33) edi(sp) xmm0(js_UnboxDouble65)

- asm_int() and asm_neg_not() have been modified to use the new state-update
  functions.  This required adding 'pp' parameters to several of the codegen
  macros;  these are passed on to asm_output2.

The plan after this patch is to continue modifying parts of the i386
back-end similarly to the way that asm_int() and asm_neg_not() were 
modified.  At some point, Assembler.cpp will need to be modified and then
parts of all the back-ends will have to be modified in sync as the
generic/arch-specific interface will change.
Attachment #400448 - Flags: review?(rreitmai)
Attachment #400448 - Flags: review?(edwsmith)
Blocks: 513615
Comment on attachment 400448 [details] [diff] [review]
patch

This one needs some more work before it's ready to be reviewed.
Attachment #400448 - Flags: review?(rreitmai)
Attachment #400448 - Flags: review?(edwsmith)
Depends on: 516909
Renaming this to just be about the i386 backend.
Summary: nanojit: start avoiding premature register allocation state updates → nanojit: avoid premature regalloc state updates in the i386 backend
Depends on: 531347
Attached patch patch v2Splinter Review 
This patch overhauls Assembler.cpp and most of Nativei386.cpp so that regstate
updates are handled in a more obvious and less error-prone manner.

The starting point is the introduction of prepareResultReg() and
freeResourcesOf(), which are similar to the old prepResultReg() and
freeRsrcOf(), except that the new ones can be used in a 

    prepareResultReg(ins, allow);
    GENERATE_CODE();
    freeResourcesOf(ins);

instead of:

    prepResultReg(ins, allow);
    GENERATE_CODE();

where prepResultReg() called freeRsrcOf(ins) and so you had to be very careful
not to accidentally reuse the register holding 'ins' when generating code.
asm_int() and asm_neg_not() are simple examples that are worth looking at first
to get a sense of the change.

The patch doesn't fully convert the i386 backend to the new scheme.  I only
changed those functions where it was easy for the new version to generate
identical code to the old version, and easy for me to test in TM.  I did
this so I could test it all carefully, by diffing the old and new code
generated for all of SunSpider.  I'll do the remainder in a follow-up bug.
This should help avoid regressions, and make any introduced regressions
easier to find.

The patch also adds a number of comments explaining non-obvious aspects of the
code generation, and does some minor formatting and naming clean-ups (e.g.
using 'ins' consistently for LIns variables, instead of 'i' or 'l' or 'p').
And it adds a few more assertions.
Attachment #400448 - Attachment is obsolete: true
Attachment #417434 - Flags: review?(edwsmith)
Attachment #417434 - Flags: review?(dvander)
Comment on attachment 417434 [details] [diff] [review]
patch v2

>             r = nRegisterAllocFromSet(set);
>             _allocator.addActive(r, ins);
>             ins->setReg(r);
>+
>         } else {

That seems unnecessary.

>     void Assembler::findRegFor2(RegisterMask allow, LIns* ia, Register& ra, LIns* ib, Register& rb)
>     {
>         if (ia == ib) {
>             ra = rb = findRegFor(ia, allow);
>+
>         } else {

That too.

>+
>+                // 'ins' is in 'allow', in register r (different to the old r);
>+                //  s is the old r.
>                 if ((rmask(s) & GpRegs) && (rmask(r) & GpRegs)) {
> #ifdef NANOJIT_ARM
>-                    MOV(s, r);  // ie. move 'ins' from its pre-state reg to its post-state reg
>+                    MOV(s, r);  // move 'ins' from its pre-state reg (r) to its post-state reg (s)
> #else
>                     MR(s, r);
> #endif

Since you are in Rome, maybe you want to fix this and put a define into the arm backend.
> > #ifdef NANOJIT_ARM
> >-                    MOV(s, r);  // ie. move 'ins' from its pre-state reg to its post-state reg
> >+                    MOV(s, r);  // move 'ins' from its pre-state reg (r) to its post-state reg (s)
> > #else
> >                     MR(s, r);
> > #endif
> 
> Since you are in Rome, maybe you want to fix this and put a define into the arm
> backend.

Actually, it's already there: http://hg.mozilla.org/tracemonkey/file/21d3b1b65758/js/src/nanojit/NativeARM.h#l630
Attachment #417434 - Flags: review?(dvander) → review+
(In reply to comment #4)
> (From update of attachment 417434 [details] [diff] [review])
> >             r = nRegisterAllocFromSet(set);
> >             _allocator.addActive(r, ins);
> >             ins->setReg(r);
> >+
> >         } else {
> 
> That seems unnecessary.

You mean the blank line?  I can remove it, I initially added a lot more comments about the register state but then I removed most of them, I think this was a leftover related to that.

> > #ifdef NANOJIT_ARM
> >-                    MOV(s, r);  // ie. move 'ins' from its pre-state reg to its post-state reg
> >+                    MOV(s, r);  // move 'ins' from its pre-state reg (r) to its post-state reg (s)
> > #else
> >                     MR(s, r);
> > #endif
> 
> Since you are in Rome, maybe you want to fix this and put a define into the arm
> backend.

Sure, I'll do that too.
Okay, I read all this code carefully and I'm convinced it's good.  I ran it on tamarin, though, and this assertion fires:

Assertion failed: !ins->getArIndex() (/Users/edwsmith/vm/njn/nanojit/Nativei386.cpp:438)

it's in asm_restore for the LIR_param case where we attempt to load stack args directly from the stack instead of spilling them:

>            int d = (arg - abi_regcount) * sizeof(intptr_t) + 8;
>            LD(r, d, FP);
>            NanoAssert(!ins->getArIndex());     // rematerializable; shouldn't be in a spill slot
>            ins->markAsClear();

I can help diagnose this if you like.  It is possible its due to me applying the patch to the wrong point (I just sync'd tamarin-redux backwards until the patch applied cleanly).

Anyway, I'm marking this R+ since you know how to run the regressions and use the sandbox.

fwiw, here's the details on what I tested:

macos 10.5.8
configure.py --enable-shell --enable-debug --enable-debugger
runtests.py -E (that binary) --vmargs="-Ojit -Dnodebugger"
Attachment #417434 - Flags: review?(edwsmith) → review+
I thought that rematerializable things like 32-bit constants could end up in spill slots.  Turns out they can due to the findMemFor() call in handleLoopCarriedExprs(), but this doesn't manifest in TM.  So I just reverted those assertions back to tests, as was in the original code.  After that, TR acceptance tests all passed fine.

Pushed to NJ-central:

http://hg.mozilla.org/projects/nanojit-central/rev/e7b2c0d805eb
Whiteboard: fixed-in-nanojit
http://hg.mozilla.org/tracemonkey/rev/8f1f371590cb
Whiteboard: fixed-in-nanojit → fixed-in-nanojit, fixed-in-tracemonkey
http://hg.mozilla.org/tamarin-redux/rev/d1bb609bb3fe
Whiteboard: fixed-in-nanojit, fixed-in-tracemonkey → fixed-in-nanojit, fixed-in-tracemonkey, fixed-in-tamarin
Merge to TM the Sparc bustage fix:

http://hg.mozilla.org/tracemonkey/rev/c6fbac9adb8b
http://hg.mozilla.org/mozilla-central/rev/8f1f371590cb
Status: ASSIGNED → RESOLVED
Closed: 12 years ago
Resolution: --- → FIXED
You need to log in before you can comment on or make changes to this bug.