# IonMonkey Mozilla All-Hands 2011

1. IonMonkey: One JIT To Rule Them All. Mozilla All-Hands 2011, San Jose Convention Center
2. Why?
   - Existing JITs too specialized
3. Example function:
   ```js
   function f(x, y) {
     var ret = 0;
     for (var i = 0; i < 100000; i++) {
       if (...) ...
       ret += x + y;
     }
     ...
   }
   ```
4. TraceMonkey
   ```js
   function f(x, y) {
     var ret = 0;
     for (var i = 0; i < 100000; i++) {
       if (...) ...
       ret += x + y;
     }
     ...
   }
   ```
   typeof(x, y, i, ret) == int32
5. TraceMonkey
   - Nanojit is too limited
     - Immutable IR
     - Poor regalloc
   - Difficult to capture traces
6. TraceMonkey
   - x+y
     - Store x to stack
     - Store y to stack
     - Add x, y
     - Check overflow
7. JägerMonkey
   ```js
   function f(x, y) {
     var ret = 0;
     for (var i = 0; i < 100000; i++) {
       if (...) ...
       ret += x + y;
     }
     ...
   }
   ```
8. JägerMonkey
   - No real IR or pipeline, just splats assembly
   - Untyped
9. JägerMonkey
   - x+y
     - Is x int32?
       - Yes: Is y int32?
         - Yes: add, check overflow
         - No: Is y double?
           - Yes: Convert x to double, add
           - No: ...
10. IonMonkey Goals
    - Clean architecture
    - Typed compilation
    - Fastest JS
    - Shoot lasers from space
11. Architecture Goals
    - Ion looks like a textbook compiler
      - IRs, CFGs, blah blah
      - Passes are easy to add, remove, debug
      - Platform for future research and experimentation
12. Typed Compilation
    - Any granularity!
    - Type guards are hoisted as far as they can go
13. IonMonkey
    ```js
    function f(x, y) {
      var ret = 0;
      for (var i = 0; i < 100000; i++) {
        if (...) ...
        ret += x + y;
      }
      ...
    }
    ```
    typeof(x, y, i, ret) == int32
14. IonMonkey
    - x+y
      - add
      - check overflow
15. Astronaut View: IR → Optimization → Register Allocation → Code Generation
16. MIR
    - Middle-level IR in SSA form
    - Actual control-flow graph built from SpiderMonkey bytecode
      - Single pass, yields semi-pruned SSA
      - Φs pruned in second pass
17. MIR Typing
    - Ion has a “type oracle” interface
    - MIR builds SSA based on oracle results
    - TypeInference provides an oracle implementation
18. MIR Pre-Optimization
    - MIR is untyped, but annotated with hints
    ```
    x    y
    add(x, y)
    ```
19. MIR Pre-Optimization
    - MIR is untyped, but annotated with hints
    ```
    x    y
    add(x, y)    integer
    ```
20. MIR Pre-Optimization
    - MIR is untyped, but annotated with hints
    ```
    x    y
    Unbox(x, INT32)    Unbox(y, INT32)
    add-i32(x2, y2)
    ```
21. MIR Optimizations
    - Global Value Numbering
      - Constant folding
      - Redundancy elimination
    - Loop Invariant Code Motion
22. LIR
    - Low-level IR, also SSA
    - Per-architecture differentiation
    - MIR is transformed to LIR in a single pass
    - LIR specifies register policies
23. Two Register Allocators
    - Greedy
      - Fast runtime, poor results
    - Linear Scan
      - Slow runtime, good results
      - “Linear Scan Register Allocation on SSA Form” (Wimmer et al)
24. Code Generation
    - New macro assembler interface
    - One codegen function per LIR, per `$ARCH`
    - Code is managed by GC
25. Ion Frames
    - Ion code runs in its own frames, on the C stack - no `js::StackFrame`!
    - VM has limited interface to ask questions about Ion frames
26. Example
    ```js
    function (x, y) {
      return x + y;
    }
    ```
27. Example LIR
    ```
    v0 = param0
    v1 = param1
    i2 = unbox(v0, INT32)
    i3 = unbox(v1, INT32)
    i4 = addi(i2, i3)
    v5 = box(i4)
    -- return(v5)
    ```
28. Example Codegen
    ```
    ; Unbox
    cmp [esp+0x10], INT32
    jne _bailout
    mov [esp+0x14] -> ecx
    ; Unbox
    cmp [esp+0x18], INT32
    jne _bailout
    mov [esp+0x1C] -> edx
    ; Add
    add edx -> ecx
    jo _bailout
    ; Return
    mov INT32 -> edx
    ret
    ```
29. Bailouts
    - Guards indicate an assumption that must hold for JIT code to continue running
    - If a guard fails, the current Ion frame is converted to a `js::StackFrame`
    - Execution continues in the interpreter
30. Resume Points
    - Can only resume at certain points:
      - Beginning of a basic block
      - After the result of a non-idempotent operation has been pushed
    - We might re-run a few idempotent operations
31. Resume Points
    ```js
    function f(x, y) {
      var ret = 0;
      for (var i = 0; i < 100000; i++) {
        if (...) ...
        ret += x + y;
      }
      ...
    }
    ```
32. Resume Points
    ```js
    function f(x, y) {
      var ret = 0;
      for (var i = 0; i < 100000; i++) {
        if (...) ...
        ret += x + y;
      }
      ...
    }
    ```
33. Snapshots
    - Describe how to convert an Ion frame to an interpreter frame
      - Compressed map of registers/stack
    - No need to actively maintain interpreter state
34. On the Horizon
    - ARM
    - Type Inference
    - Method Inlining
    - Inline Caching
    - On-Stack Replacement
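
The guard, bailout and snapshot flow of slides 27 to 29, modeled in plain JavaScript. This is an added example, not code from the slides or from SpiderMonkey, and every name in it (`box`, `unboxInt32`, `addInt32`, `ionAdd`, `interpretAdd`, `run`, the `snapshot` shape) is hypothetical. It shows that the int32 fast path is only sound because each type guard and the overflow check hand control back to the generic path when their assumption fails.

```javascript
const INT32_MIN = -(2 ** 31), INT32_MAX = 2 ** 31 - 1;
class Bailout extends Error {
  constructor(reason, snapshot) { super(reason); this.reason = reason; this.snapshot = snapshot; }
}

// Boxed value: a type tag plus a payload, like the tag/payload pairs compared on slide 28.
function box(v) {
  const isInt32 = Number.isInteger(v) && v >= INT32_MIN && v <= INT32_MAX && !Object.is(v, -0);
  return { tag: isInt32 ? "INT32" : typeof v === "number" ? "DOUBLE" : "OTHER", payload: v };
}

// Type guard (cmp tag, INT32 / jne _bailout): the payload is used only if the tag matches.
function unboxInt32(boxed, snapshot) {
  if (boxed.tag !== "INT32") throw new Bailout("type guard", snapshot);
  return boxed.payload;
}

// addi followed by the overflow guard (jo _bailout).
function addInt32(a, b, snapshot) {
  const r = a + b;
  if (r < INT32_MIN || r > INT32_MAX) throw new Bailout("overflow", snapshot);
  return r;
}

// Specialized path: the LIR of slide 27, valid only while both operands are int32.
function ionAdd(v0, v1) {
  // Snapshot: what the interpreter needs to rebuild its frame at the resume point.
  // Resuming at block entry is fine here because unbox and add can be re-run.
  const snapshot = { resumeAt: "entry", args: [v0, v1] };
  const i2 = unboxInt32(v0, snapshot);
  const i3 = unboxInt32(v1, snapshot);
  const i4 = addInt32(i2, i3, snapshot);
  return box(i4);
}

// Generic path: untyped x + y on the values recovered from the snapshot.
function interpretAdd(snapshot) {
  const [x, y] = snapshot.args.map((b) => b.payload);
  return box(x + y);
}

// Run the specialized code; when a guard fails, continue in the interpreter.
function run(x, y) {
  try {
    return { ...ionAdd(box(x), box(y)), path: "ion" };
  } catch (e) {
    if (!(e instanceof Bailout)) throw e;
    return { ...interpretAdd(e.snapshot), path: "interpreter:" + e.reason };
  }
}
```
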