Integrating binary data and type inference in SpiderMonkey

19 July 2013

Since the new version of PJS is going to be based on binary data, we are going to need to have a well-optimized binary data implementation. Nikhil Marathe has prepared an initial implementation, but it is limited to the interpreter. I am looking now at how to integrate binary data into the JIT. The goal is to have accesses get compiled to very efficient generated code. In this blog post, I specifically want to cover the plan for integrating our type inference with binary data.

Metatypes, descriptors, instances

Let’s cover some terminology. In binary data, users create type descriptors as follows:

var PointType = new StructType({x: float64, y: float64});
var LineType = new StructType({start: PointType, end: PointType});

The built-ins for scalars (e.g., float64) are also type descriptors. In contrast, the built-ins StructType and ArrayType are called metatypes because they do not themselves represent types but rather the means to define a type.

It is also possible to create types that include non-scalar data. For example, here is a struct that might be used for a binary tree:

var TreeType = new StructType({value: Any,
                               left: Object,
                               right: Object});

Once you have a type descriptor, you can create instances of that type descriptor using the new operator:

var origin = new PointType({x: 0, y: 0});
var unit = new PointType({x: 1, y: 1});
var line = new LineType({start: origin, end: unit});

You can access the properties of these instances just as you would expect:

var length = Math.sqrt(Math.pow(line.end.x - line.start.x, 2) +
                       Math.pow(line.end.y - line.start.y, 2));

The aim of this work is to optimize an expression like line.end.y so that it can be compiled into a simple load of the relevant data.

Canonical type representations

Each time that a new type descriptor is created, we will create an internal, canonical representation of the type it defines. So, for example, if I created types like so:

var FloatPointType1 = new StructType({x: float64, y: float64});
var FloatPointType2 = new StructType({x: float64, y: float64});
var IntPointType = new StructType({x: uint32, y: uint32});

There would be two canonical type representations created, one for both FloatPointType1 and FloatPointType2 (which both describe the same type) and one for IntPointType. These objects are never exposed to the user. We could either reference count them or make them collectable by the GC; in the latter case, it might be easiest to make them be actual JS objects, albeit ones used in a very specialized way.

Next we will augment the TI type objects for descriptors and instances to contain a pointer to one of these canonical type representations. This means that when the JIT compiler encounters an expression like point.x, it can examine the type set for the object point to find out both that line is a binary data instance and its representation.

Scalar property access

The simple case is when are accessing a scalar property. For example, imagine something like point.x where point is an instance of the following type descriptor:

var PointType = new StructType({x: float64, y: float64});

In this case, the JIT compiler can extract from the type object for point that the property x is a float64 and that it is at offset 0. It can then compile a direct access to load a float from that memory location. Presumably this will require a few extra MIR, such as MLoadFloat(x, 0) which extracts a float out of the binary data instance x at offset 0.

Any and object properties

As mentioned earlier, type descriptors can also include any and object properties, such as this binary tree example;

var TreeType = new StructType({value: Any,
                               left: Object,
                               right: Object});

We can handle these properties in one of two ways. The first option is to always add barriers on every access to an object or any property. This effectively doesn’t make any use of TI information.

The second option is to treat any/object properties the same way that we treat properties on normal objects. We can record a type set for each object property in the instance type object, and then add barriers as we normally would. In some cases, this will allow us to drop type barriers in the jitted code, but it shouldn’t make a large difference in the performance otherwise. Still, if it’s easy to do, it seems worth it to record type sets for object properties.

Chained property access

Remember though that our goal is to enable something like line.end.y. This is a bit more complex, because the property end is a property of complex (non-scalar) type. to us, line.end.y looks like one compound property access, but in the JS interpreter, it is actually two property accesses, one after the other. In other words, an expression like var y = line.end.y is equivalent to a bit of code like this:

var tmp = line.end;
var y = tmp.y;

Here, the first access, line.end, returns a new, derived instance for the point end. This derived instance aliases the original line. So, at runtime, you could depict the objects and the runtime memory as follows:

    line
      |
      +--->  +--------+
             | .start |
    tmp      |  .x    |
      |      |  .y    |
      +--->  | .end   |
             |  .x    |
             |  .y    |
             +--------+

Of course, we’d like the JIT to convert these two distinct property accesses into one load, assuming it has adequate type information. The next few paragraphs lay out my plan for making this happen. I assume a certain amount of familiarity with IonMonkey, or at least compilers and SSA representations.

When the JIT processes the first property access, var tmp = line.end, it will observe from the type set of line that end is a fetch of a complex property, causing it to generate a special MIR opcode, distinct from a normal get property. Let’s denote this as MDerivedStruct(line, PointRepr, 16), meaning that it will create a derived struct instance with the type representation PointRepr at offset 8. Here by PointRepr I am referring to this internal representation of the type descriptor that is contained in the type object. The effect of this MIR is the same as the typical MGetProperty(line, "end"), except that it provides more information about what kind of kind of property will be fetched (such opcodes are also known not to have side effects, unlike general property accesses).

When the JIT then processes the next property access, tmp.y, it will observe the MIR opcode that defines tmp. If this MIR opcode is a MDerivedStruct, we can match the property x against PointRepr and generate the appropriate direct load of the scalar value.

That means that the JIT will generate the following MIR:

var tmp = line.end    >>      tmp = MDerivedStruct(line, PointRepr, 16);
var y = tmp.y         >>      x = MLoadFloat(line, 24)

Note that the value tmp is not used anywhere; the definition of x bypassed the temporary and loaded the scalar value directly from line. The definition of tmp can then be removed by dead code elimination.

In the case where the access to the complex property is the end goal, such as an expression like foo = line.end, then the MDerivedStruct will simply remain in the program. The generated code can then call directly into the runtime functions for creating derived structs (it could even just use the unoptimized, normal path in the interpreter, but that’s suboptimal).

The methods get and set

One implication of the design for accesses like line.end.y is that if the type information is not precise, we will generate an intermediate object, even if it seems unnecessary. For example, this could occur if line is sometimes a normal JS object and sometimes a binary data instance, or if it may be one of many kinds of binary data instances that have distinct types.

Optimizing these cases is more difficult and doesn’t seem particularly important; the former is particularly hard, as it may be that the intermediate value is necessary. To optimize that would either require generalizing our inline caching mechanism to handle multiple property accesses (yuck) or generating a kind of “if-else” in the generated code. Either way, more work than I think is necessary for what seems to be a corner case.

However, there is also an alternate means to avoid allocation. Programmers can instead use the get method that all binary data instances offer. So, line.end.y could be rewritten line.get("end", "y"). Naturally, the JIT will observe calls to get and, if it can determine that line is a binary data object, and the arguments are constants, it will optimize line.get("end", "y") to produce a simple load. But even if it’s information is lacking, the runtime fallback for get can avoid allocating. Of course, this may or may not be faster, depending on how optimized the alloction pathways in the engine are.

Type object canonicalization

Normally, whenever there is some code like new Foo, we will produce one type object per value of Foo (since Foo is typically a global function definition, this means one type object). In the case of binary data, it is plausible that the user defines multiple equivalent type descriptors (e.g., FloatPointType1 and FloatPointType2 from my earlier examples). In such cases, we could canonicalize the type objects so that there is exactly one type object per unique type representation. Similarly, we could canonicalize the type objects for the instances, since having multiple type objects isn’t particularly useful.

Adding handles

For simplicity, I didn’t discuss handles, which are effectively binary data pointers. A handle lets you get a pointer to a subpiece of another binary data object. This is similar to the derived objects I mentioned earlier, except that (1) handles can be used to get a pointer into a field or array element of any type, not just a complex type like a struct; (2) handles can be reused and made to point at other locations. Handles are mostly intended to be used in APIs that wish to hand out a pointer to some subportion of a data structure. For example, the plan for PJS is to use handles when constructing arrays of structs or compound types in parallel to allow the callback to mutate the data in place rather than returning it (which would necessitate a superfluous copy and allocation). Anyway, integrating handles into this scheme is straightforward: like instances and descriptors, type objects for handles would be associated with the type representation of what they point at.

Grungy implementation detail: saving bytes

This section will probably not be of interest to you unless you are a SpiderMonkey developer, and perhaps not even then. It turns out that we generate a lot of type objects and it is important not to add fields to them willy nilly. Therefore, simply adding a new field to all type objects that represents the link from a descriptor/instance type object to the canonical type representation is overly wasteful, since that field is inapplicable to the vast majority of type objects.

In an ideal world, I would make a subtype of TypeObject (BinaryDataTypeObject or some such) to contain the extra field. However, as type objects are GC things, doing that would require adding a new finalizer kind, which would result in distinct arenas for storing binary data type objects vs other type objects. Not good.

So, what we can do is to reuse a technique that Shu uncovered. Basically we can overload the newScript field. This field currently stores a pointer to the constructor function for objects associated with this type object; it is only relevant to code like new Foo where Foo is a user-defined function. This means that it is inapplicable to the type objects for descriptors and instances.

UPDATE 2013.07.19: Tweaked some paragraphs for clarity.