IonMonkey Mozilla All-Hands 2011

1,786 views

Published on

Published in: Technology, News & Politics
0 Comments
7 Likes
Statistics
Notes
  • Be the first to comment

No Downloads
Views
Total views
1,786
On SlideShare
0
From Embeds
0
Number of Embeds
20
Actions
Shares
0
Downloads
0
Comments
0
Likes
7
Embeds 0
No embeds

No notes for slide
  • \n
  • \n
  • \n
  • \n
  • \n
  • \n
  • \n
  • \n
  • \n
  • \n
  • \n
  • \n
  • \n
  • \n
  • \n
  • \n
  • \n
  • \n
  • \n
  • \n
  • \n
  • \n
  • \n
  • \n
  • \n
  • \n
  • \n
  • \n
  • \n
  • \n
  • \n
  • \n
  • \n
  • \n
  • IonMonkey Mozilla All-Hands 2011

    1. 1. IonMonkey One JIT To Rule Them AllMozilla All-Hands 2011, San Jose Convention Center
    2. 2. Why?• Existing JITs too specialized
    3. 3. function f(x, y) { var ret = 0; for (var i = 0; i < 100000; i++) { if (...) ... ret += x + y; } ...}
    4. 4. TraceMonkeyfunction f(x, y) { var ret = 0; for (var i = 0; i < 100000; i++) { if (...) ... ret += x + y; } ...} typeof(x, y, i, ret) == int32
    5. 5. TraceMonkey• Nanojit is too limited • Immutable IR • Poor regalloc• Difficult to capture traces
    6. 6. TraceMonkey• x+y • Store x to stack • Store y to stack • Add x, y • Check overflow
    7. 7. JägerMonkeyfunction f(x, y) { var ret = 0; for (var i = 0; i < 100000; i++) { if (...) ... ret += x + y; } ...}
    8. 8. JägerMonkey• No real IR or pipeline, just splats assembly• Untyped
    9. 9. JägerMonkey• x+y • Is x int32? • Yes: Is y int32? • Yes: add, check overflow • No: Is y double? • Yes: Convert x to double, add • No: ...
    10. 10. IonMonkey Goals• Clean architecture• Typed compilation• Fastest JS• Shoot lasers from space
    11. 11. Architecture Goals• Ion looks like a textbook compiler • IRs, CFGs, blah blah • Passes are easy to add, remove, debug • Platform for future research and experimentation
    12. 12. Typed Compilation• Any granularity!• Type guards are hoisted as far as they can go
    13. 13. IonMonkeyfunction f(x, y) { var ret = 0; for (var i = 0; i < 100000; i++) { if (...) ... ret += x + y; } ...} typeof(x, y, i, ret) == int32
    14. 14. IonMonkey• x+y • add • check overflow
    15. 15. Astronaut View IR Optimization Register Allocation Code Generation
    16. 16. MIR• Middle-level IR in SSA form• Actual control-flow graph built from SpiderMonkey bytecode • Single pass, yields semi-pruned SSA • Φs pruned in second pass
    17. 17. MIR Typing• Ion has a “type oracle” interface• MIR builds SSA based on oracle results• TypeInference provides an oracle implementation
    18. 18. MIR Pre-Optimization• MIR is untyped, but annotated with hints x y add(x, y)
    19. 19. MIR Pre-Optimization• MIR is untyped, but annotated with hints x y add(x, y) integer
    20. 20. MIR Pre-Optimization• MIR is untyped, but annotated with hints x y Unbox(x, INT32) Unbox(x, INT32) add-i32(x2, y2)
    21. 21. MIR Optimizations• Global Value Numbering • Constant folding • Redundancy elimination• Loop Invariant Code Motion
    22. 22. LIR• Low-level IR, also SSA• Per-architecture differentiation• MIR is transformed to LIR in a single pass• LIR specifies register policies
    23. 23. Two Register Allocators• Greedy • Fast runtime, poor results• Linear Scan • Slow runtime, good results • “Linear Scan Register Allocation on SSA Form” (Wimmer et al)
    24. 24. Code Generation• New macro assembler interface• One codegen function per LIR, per $ARCH• Code is managed by GC
    25. 25. Ion Frames• Ion code runs in its own frames, on the C stack - no js::StackFrame!• VM has limited interface to ask questions about Ion frames
    26. 26. Examplefunction (x, y) { return x + y;}
    27. 27. Example LIRv0 = param0v1 = param1i2 = unbox(v0, INT32)i3 = unbox(v1, INT32)i4 = addi(v2, v3)v5 = box(v4)-- return(v5)
    28. 28. Example Codegen cmp [esp+0x10], INT32Unbox jne _bailout mov [esp+0x14] -> ecx cmp [esp+0x18], INT32Unbox jne _bailout mov [esp+0x1C] -> edx Add add edx -> ecx jo _bailoutReturn mov INT32 -> edx ret
    29. 29. Bailouts• Guards indicate an assumption that must hold for JIT code to continue running• If a guard fails, the current Ion frame is converted to a js::StackFrame• Execution continues in the interpreter
    30. 30. Resume Points• Can only resume at certain points: • Beginning of a basic block • After the result of a non-idempotent operation has been pushed• We might re-run a few idempotent operations
    31. 31. Resume Pointsfunction f(x, y) { var ret = 0; for (var i = 0; i < 100000; i++) { if (...) ... ret += x + y; } ...}
    32. 32. Resume Pointsfunction f(x, y) { var ret = 0; for (var i = 0; i < 100000; i++) { if (...) ... ret += x + y; } ...}
    33. 33. Snapshots• Describe how to convert an Ion frame to an interpreter frame • Compressed map of registers/stack• No need to actively maintain interpreter state
    34. 34. On the Horizon• ARM• Type Inference• Method Inlining• Inline Caching• On-Stack Replacement

    ×