[WebKit] javascriptcore analysis-advanced article (ii) type inference)

Type derivation is the most important foundation of dfg JIT. The official website of WebKit has explained this and translated the following as a reference for learning.

Type inference is implemented through profiling values. It first predicts which types of operations are analyzed, then adds the type check, and finally establishes type statistics based on the results of the type check.

The following example is used to describe the process:

O.X * o. x + O. Y * O. Y

Here, O is an object, and X and Y are its attributes. They are not accessors but general attributes. We can also say that these two attribute values return double type values, but sometimes return integer data. Javascriptcore uses int32 to represent integer data, rather than double data.

1. For expression o. x, check whether O has any special access attribute processing. For example, if it is a DOM object, its attribute access operations are not visible. Without special processing, JSC will find the property named 'X' in the object attributes. The object is a table that maps strings to values or accessors. If the string you are looking for points to an accessors, The accessors will be called, if it refers to a value, it is returned directly. For example, if 'X' cannot be found in object o, it is found in its prototype in sequence. Type derivation has no effect on these operations.

2. The multiplication operation of binary elements, such as 'o. x * O. x', first checks the type of the operand (operands. If the operand is an object, it is to call its valueof method. If the operand is a string, it must be converted to a value first. After the two operands have been converted to equivalent values (if possible), JSC checks whether they are all integers. If yes, the result is a multiplication of integers. If overflow occurs, the double type is multiplied and then calculated. If one of the operands is a double value, they all convert to the double type and perform the Double Type Multiplication operation. Therefore, the result returned by 'o. x * O. x' is either an integer or a floating point number (double ).

3. for the expression 'o. x * o. X + O. y * o. y' is similar to the above, except that the operand is a string. The '+' in the middle may be a string merge operation. However, here we can easily determine that the returned value is still either an integer or a floating point number (double ).

The Type derivation of JSC is that if I can guess the input data type, we can give the type that is most likely to be returned after the numerical operation and its path. A series of induction steps are used here. If we can predict its input, we can predict its output. For some non-local variables, such as values retrieved from the heap (such as O. x), and function return values are called heap values. All operations that grant heap values to local variables are considered heap oerpations ).
Value profiling is used for type prediction. llint and baseline JIT record the most common values in any heap oerpation. Each heap operation has a corresponding value profile bucket, and each value profile bucket stores a recent value.

To put it simply, the type derivation of JSC is to take the type of the most common value in value profile as the type to be used later. In this way, all variables become predictable types. In fact, there is a second content in each value profile, which can include the data type of a portion of the existing data values. This type uses the speculatedtype (or spectype) system, which is implemented in speculatedtype. h. Each value
In profile, this type is set to specnone first (that is, there is no data ). When the baseline JIT execution times exceed the threshold (JIT. JIT: emitoptimizationcheck in CPP), which generates a new type and can make the last type and the most common value conform to this type. It may trigger dfg, or allow baseline to be executed several more times. After entering dfg jitf, each value profile usually has a type that can accommodate multiple different values.

Spectypes is feasible because the operations and variables in the function both use the standard forward data flow specification to achieve the so-called fixed point unrelated to the process ). this is the first phase of dfg compilation. The baseline JIT determines whether to activate it based on the number of executions (dfgpredictionpropagationphase. CPP ).

In each function that uses the prediction data type, we insert the prediction-based type check operation. If the type check fails, it will be rolled back to baseline JIT. Next, let's take a look at how the 'A + B 'additional operations are executed. Suppose both A and B are predicted to be specint32:

Check if A is int32-> otherwise OSR exit to baseline JIT

Check if B is int32-> otherwise OSR exit to baseline JIT

Result = a + B // integer addition

Check if overflow-> otherwise OSR exit to baseline JIT

After the operation is completed, we can know:

• 'A' is an integer..
• 'B' is sorting.
• The result is also an integer..

The subsequent operations do not need to check the type of 'A' or 'B '.,There is an operation to eliminate the type check, which is completed through the second data flow analysis, known as dfg CFA(Dfgcfaphase. cpp
And
Dfgabstractstate. cpp). It also implements sparse conditional constant propagation, allowing it to determine whether certain values are constants just like the type.

For the expression 'o.X * o. x + O. Y * O. Y '. You only need to perform type check when taking O. X and O. Y. Then we know that their values are doubles, that is, only the double multiplication and addition are triggered. Most dfg type checks usually occur when the heap data is loaded.

In-depth reading:

Fast and precise hybrid type inference for Javascript

Dynamically view the result of type inference

Type inference in spidermonkey

Address: http://trac.webkit.org/wiki/JavaScriptCore

Reprinted please indicate the source: http://blog.csdn.net/horkychen

Series indexes:

Basics (1) JSC and WebCore

Basics (ii) interpreter basics and JSC Core Components

Basic (3) code implementation from script code to JIT compilation

Basic (4) page parsing and JavaScript element execution

Advanced Article (1) SSA (Static Single Assignment)

Advanced (ii) type inference)

Advanced (iii) register allocation & trampoline