rfc:jit

PHP RFC: JIT

Introduction

It's no secret that the performance jump of PHP 7 was originally initiated by attempts to implement JIT for PHP. We started these efforts at Zend (mostly by Dmitry) back in 2011 and since that time tried 3 different implementations. We never moved forward to propose to release any of them, for three main reasons: They resulted in no substantial performance gains for typical Web apps; They were complex to develop and maintain; We still had additional directions we could explore to improve performance without having to use JIT.

The Case for JIT Today

Even though most of the fundamentals for JIT-enabling PHP haven't changed - we believe there is a good case today for JIT-enabling PHP.

First, we believe we've reached the extent of our ability to improve PHP's performance using other optimization strategies. In other words - we can't further improve the performance of PHP unless we use JIT.

Secondly - using JIT may open the door for PHP being more frequently used in other, non-Web, CPU-intensive scenarios - where the performance benefits will actually be very substantial - and for which PHP is probably not even being considered today.

Lastly - making JIT available can provide us (with additional efforts) with the ability to develop built-in functions in PHP, instead of (or in addition to) C - without suffering the huge performance penalty that would be associated with such a strategy in today's, non-JITted engine. This, in turn, can open the door to faster innovation - and also more secure implementations, that would be less susceptible to memory management, overflows and similar issues associated with C-based development.

Proposal

We propose to include JIT in PHP 8 and provide additional efforts to increase its performance and usability.

In addition, we propose to consider including JIT in PHP 7.4 as an experimental feature (disabled by default).

PHP JIT is implemented as an almost independent part of OPcache. It may be enabled/disabled at PHP compile time and at run-time. When enabled, native code of PHP files is stored in an additional region of the OPcache shared memory and op_array→opcodes[].handler(s) keep pointers to the entry points of JIT-ed code. This approach doesn't require engine modification at all.

We use DynAsm (developed for LuaJIT project) for generation of native code. It's a very lightweight and advanced tool, but does assume good, and very low-level development knowledge of target assembler languages. In the past we tried LLVM, but its code generation speed was almost 100 times slower, making it prohibitively expensive to use. Currently we support only x86 and x86_64 on POSIX platforms. Windows support should be relatively straightforward, but was (and still is) a low priority for us. DynAsm also supports ARM. ARM64, MIPS, MIPS64 and PPC, so in theory we should be able to support all of the platforms that are popular for PHP deployments (given enough efforts).

PHP JIT doesn't introduce any additional IR (Intermediate Representation) form. It generates native code directly from PHP byte-code and information collected by SSA static analyses framework (a part of opcache optimizer). Code is usually generated separately for each PHP byte-code instruction. Only few combinations are considered together (e.g. compare + conditional jump).

If type of PHP variable is exactly inferred (in SSA) to LONG or DOUBLE, and it can't be accessed indirectly, JIT may store its value directly in CPU registers, avoiding memory stores and loads. PHP JIT liner-scan register allocation algorithm, tat combines high speed with reasonable quality.

The quality of the JIT may be demonstrated on Mandelbrot benchmark published at https://gist.github.com/dstogov/12323ad13d3240aee8f1, where it improves performance more than 4 times (0.011 sec vs 0.046 sec on PHP 7.4).

    function iterate($x,$y)
    {
        $cr = $y-0.5;
        $ci = $x;
        $zr = 0.0;
        $zi = 0.0;
        $i = 0;
        while (true) {
            $i++;
            $temp = $zr * $zi;
            $zr2 = $zr * $zr;
            $zi2 = $zi * $zi;
            $zr = $zr2 - $zi2 + $cr;
            $zi = $temp + $temp + $ci;
            if ($zi2 + $zr2 > BAILOUT)
                return $i;
            if ($i > MAX_ITERATIONS)
                return 0;
        }
 
    }

The following is the complete assembler code generated for the PHP function above, with the main loop code visible between .L5 and .L7:

JIT$Mandelbrot::iterate: ; (/home/dmitry/php/bench/b.php)
	sub $0x10, %esp
	cmp $0x1, 0x1c(%esi)
	jb .L14
	jmp .L1
.ENTRY1:
	sub $0x10, %esp
.L1:
	cmp $0x2, 0x1c(%esi)
	jb .L15
	mov $0xec3800f0, %edi
	jmp .L2
.ENTRY2:
	sub $0x10, %esp
.L2:
	cmp $0x5, 0x48(%esi)
	jnz .L16
	vmovsd 0x40(%esi), %xmm1
	vsubsd 0xec380068, %xmm1, %xmm1
.L3:
	mov 0x30(%esi), %eax
	mov 0x34(%esi), %edx
	mov %eax, 0x60(%esi)
	mov %edx, 0x64(%esi)
	mov 0x38(%esi), %edx
	mov %edx, 0x68(%esi)
	test $0x1, %dh
	jz .L4
	add $0x1, (%eax)
.L4:
	vxorps %xmm2, %xmm2, %xmm2
	vxorps %xmm3, %xmm3, %xmm3
	xor %edx, %edx
.L5:
	cmp $0x0, EG(vm_interrupt)
	jnz .L18
	add $0x1, %edx
	vmulsd %xmm3, %xmm2, %xmm4
	vmulsd %xmm2, %xmm2, %xmm5
	vmulsd %xmm3, %xmm3, %xmm6
	vsubsd %xmm6, %xmm5, %xmm7
	vaddsd %xmm7, %xmm1, %xmm2
	vaddsd %xmm4, %xmm4, %xmm4
	cmp $0x5, 0x68(%esi)
	jnz .L19
	vaddsd 0x60(%esi), %xmm4, %xmm3
.L6:
	vaddsd %xmm5, %xmm6, %xmm6
	vucomisd 0xec3800a8, %xmm6
	jp .L13
	jbe .L13
	mov 0x8(%esi), %ecx
	test %ecx, %ecx
	jz .L7
	mov %edx, (%ecx)
	mov $0x4, 0x8(%ecx)
.L7:
	test $0x1, 0x39(%esi)
	jnz .L21
.L8:
	test $0x1, 0x49(%esi)
	jnz .L23
.L9:
	test $0x1, 0x69(%esi)
	jnz .L25
.L10:
	movzx 0x1a(%esi), %ecx
	test $0x496, %ecx
	jnz JIT$$leave_function
	mov 0x20(%esi), %eax
	mov %eax, EG(current_execute_data)
	test $0x40, %ecx
	jz .L12
	mov 0x10(%esi), %eax
	sub $0x1, (%eax)
	jnz .L11
	mov %eax, %ecx
	call zend_objects_store_del
	jmp .L12
.L11:
	mov 0x4(%eax), %ecx
	and $0xfffffc10, %ecx
	cmp $0x10, %ecx
	jnz .L12
	mov %eax, %ecx
	call gc_possible_root
.L12:
	mov %esi, EG(vm_stack_top)
	mov 0x20(%esi), %esi
	cmp $0x0, EG(exception)
	mov (%esi), %edi
	jnz JIT$$leave_throw
	add $0x1c, %edi
	add $0x10, %esp
	jmp (%edi)
.L13:
	cmp $0x3e8, %edx
	jle .L5
	mov 0x8(%esi), %ecx
	test %ecx, %ecx
	jz .L7
	mov $0x0, (%ecx)
	mov $0x4, 0x8(%ecx)
	jmp .L7
.L14:
	mov %edi, (%esi)
	mov %esi, %ecx
	call zend_missing_arg_error
	jmp JIT$$exception_handler
.L15:
	mov %edi, (%esi)
	mov %esi, %ecx
	call zend_missing_arg_error
	jmp JIT$$exception_handler
.L16:
	cmp $0x4, 0x48(%esi)
	jnz .L17
	vcvtsi2sd 0x40(%esi), %xmm1, %xmm1
	vsubsd 0xec380068, %xmm1, %xmm1
	jmp .L3
.L17:
	mov %edi, (%esi)
	lea 0x50(%esi), %ecx
	lea 0x40(%esi), %edx
	sub $0xc, %esp
	push $0xec380068
	call sub_function
	add $0xc, %esp
	cmp $0x0, EG(exception)
	jnz JIT$$exception_handler
	vmovsd 0x50(%esi), %xmm1
	jmp .L3
.L18:
	mov $0xec38017c, %edi
	jmp JIT$$interrupt_handler
.L19:
	cmp $0x4, 0x68(%esi)
	jnz .L20
	vcvtsi2sd 0x60(%esi), %xmm3, %xmm3
	vaddsd %xmm4, %xmm3, %xmm3
	jmp .L6
.L20:
	mov $0xec380240, (%esi)
	lea 0x80(%esi), %ecx
	vmovsd %xmm4, 0xe0(%esi)
	mov $0x5, 0xe8(%esi)
	lea 0xe0(%esi), %edx
	sub $0xc, %esp
	lea 0x60(%esi), %eax
	push %eax
	call add_function
	add $0xc, %esp
	cmp $0x0, EG(exception)
	jnz JIT$$exception_handler
	vmovsd 0x80(%esi), %xmm3
	jmp .L6
.L21:
	mov 0x30(%esi), %ecx
	sub $0x1, (%ecx)
	jnz .L22
	mov $0x1, 0x38(%esi)
	mov $0xec3802b0, (%esi)
	call rc_dtor_func
	jmp .L8
.L22:
	mov 0x4(%ecx), %eax
	and $0xfffffc10, %eax
	cmp $0x10, %eax
	jnz .L8
	call gc_possible_root
	jmp .L8
.L23:
	mov 0x40(%esi), %ecx
	sub $0x1, (%ecx)
	jnz .L24
	mov $0x1, 0x48(%esi)
	mov $0xec3802b0, (%esi)
	call rc_dtor_func
	jmp .L9
.L24:
	mov 0x4(%ecx), %eax
	and $0xfffffc10, %eax
	cmp $0x10, %eax
	jnz .L9
	call gc_possible_root
	jmp .L9
.L25:
	mov 0x60(%esi), %ecx
	sub $0x1, (%ecx)
	jnz .L26
	mov $0x1, 0x68(%esi)
	mov $0xec3802b0, (%esi)
	call rc_dtor_func
	jmp .L10
.L26:
	mov 0x4(%ecx), %eax
	and $0xfffffc10, %eax
	cmp $0x10, %eax
	jnz .L10
	call gc_possible_root
	jmp .L10

In comparison to V8, HHVM, PyPy and most others modern JIT implementations PHP JIT is extremely simple, but anyway it increases the level of the whole PHP complexity, risk of new kind of bugs and cost of development and maintenance.

Backward Incompatible Changes

none

Proposed PHP Version(s)

PHP 8 and PHP 7.4 (separate votes)

RFC Impact

To SAPIs

none

To Existing Extensions

JIT is going to affect third party debuggers (e.g. xdebug) and profilers (e.g. XHProf, Blackfire, Tideways).

For debugging a particular request, it's possible to disable JIT (together with opcache) changing “opcache.enable” through C API (zend_alter_ini_entry) at RINIT stage.

Run-time profiling should work even with JIT-ed code, but this might require development of additional tracing API and corresponding JIT extension, to generate tracing callbacks.

To Opcache

JIT would be implemented as a part of OPcache.

New Constants

none

php.ini Defaults

If there are any php.ini settings then list:

  • opcache.jit_buffer_size - size of shared memory buffer reserved for native code generation (in bytes; K, M - suffixes are supported). Default - 0 disables JIT.
  • opcache.jit - JIT control options. Consists of 4 decimal digits - CRTO (Default 1205. Probably, better to change to 1235).
    • O - Optimization level
      • 0 - don't JIT
      • 1 - minimal JIT (call standard VM handlers)
      • 2 - selective VM handler inlining
      • 3 - optimized JIT based on static type inference of individual function
      • 4 - optimized JIT based on static type inference and call tree
      • 5 - optimized JIT based on static type inference and inner procedure analyses
    • T - JIT trigger
      • 0 - JIT all functions on first script load
      • 1 - JIT function on first execution
      • 2 - Profile on first request and compile hot functions on second request
      • 3 - Profile on the fly and compile hot functions
      • 4 - Compile functions with @jit tag in doc-comments
    • R - register allocation
      • 0 - don't perform register allocation
      • 1 - use local liner-scan register allocator
      • 2 - use global liner-scan register allocator
    • C - CPU specific optimization flags
      • 0 - none
      • 1 - enable AVX instruction generation
  • opcache.jit_debug - JIT debug control options, where each bit enabling some debugging options. Default - 0.
    • (1«0) - print generated assembler code
    • (1«1) - print intermediate SSA form used for code generation
    • (1«2) - register allocation information
    • (1«3) - print stubs assembler code
    • (1«4) - generate perf.map file to list JIt-ed functions in Linux perf report
    • (1«5) - generate perf.dump file to show assembler code of JIT-ed functions in Linux perf peport
    • (1«6) - provide information about JIt-ed code for Linux Oprofile
    • (1«7) - provide information about JIt-ed code for Intel VTune
    • (1«8) - allow debugging JIT-ed code using GDB

Performance

JIT makes bench.php more than two times faster: 0.140 sec vs 0.320 sec. It is expected to make most CPU-intensive workloads run significantly faster.

According to Nikita, PHP-Parser became ~1.3 times faster with JIT. Amphp hello-world.php got just 5% speedup.

However, like the previous attempts - it currently doesn't seem to significantly improve real-life apps like WordPress (with opcache.jit=1235 326 req/sec vs 315 req/sec).

It's planned to provide additional effort, improving JIT for real-life apps, using profiling and speculative optimizations.

JIT Debugging

As any complication, JIT increases risk of bugs in JIT itself. They may be caused by inaccurate analyses, bugs in code-generator or register-allocator. Fixing these new kind of bugs is going to be more difficult, because we'll have to catch the place of the failure, get and analyse the assemble code generated for bogus function, find the mistake and understand why it was done by JIT compiler.

In case of crash, we may just run app under gdb until the crash, check that JIT is involved in crash backtrace and find the place:

$ gdb php 

(gdb) r app.php

...

(gdb) bt

#1  0xe960dc11 in ?? ()
#2  0x08689524 in zend_execute (op_array=0xf4074460, return_value=0x0) at Zend/zend_vm_execute.h:69122
#3  0x085cb93b in zend_execute_scripts (type=8, retval=0x0, file_count=3) at Zend/zend.c:1639
#4  0x0855a890 in php_execute_script (primary_file=0xffffcbfc) at main/main.c:2607
#5  0x0868ba25 in do_cli (argc=2, argv=0x9035820) at sapi/cli/php_cli.c:992
#6  0x0868c65b in main (argc=2, argv=0x9035820) at sapi/cli/php_cli.c:1384

Unknown function “??” called from zend_execute() is a JIT-ed code. We may determine the failure location analysing execution context.

(gdb) p (char*)executor_global.current_execute_data.func.op_array.filename.val
(gdb) p executor_global.current_execute_data.opline.lineno 

Line number may be inaccurate, because JIT doesn't keep “opline” in consistency. We may disassemble the code around the bogus instruction to understand the real “opline”.

(gdb) disassemble 0xe960dc00,0xe960dc30

Also, it may be useful to analyse bytecode and assembler dump of the bogus JIT-ed function.

$ php --opcache.jit_debug=1 app.php
$ php --opcache.jit_debug=2 app.php

To catch the mistake, we might need to trace the JIT code generator (when it generates the bogus code), or instrument it to generate breakpoint (int3 x86 instruction) and then trace the generated code.

PHP JIT may use GDB API to provide information about generated code to debugger. However, it works only for reasonable small scripts. In case of big amount of JIT-ed code, GDB just stuck registering functions. In case we can isolate the bogus code, we may debug JIT in more comfortable way.

$ gdb php 

(gdb) r -dopcache.jit_debug=0x100 test.php
...

(gdb) bt

#1  0xe960dc11 in JIT$foo () at test.php:2
#2  0x08689524 in zend_execute (op_array=0xf4074460, return_value=0x0) at Zend/zend_vm_execute.h:69122
#3  0x085cb93b in zend_execute_scripts (type=8, retval=0x0, file_count=3) at Zend/zend.c:1639
#4  0x0855a890 in php_execute_script (primary_file=0xffffcbfc) at main/main.c:2607
#5  0x0868ba25 in do_cli (argc=2, argv=0x9035820) at sapi/cli/php_cli.c:992
#6  0x0868c65b in main (argc=2, argv=0x9035820) at sapi/cli/php_cli.c:1384

(gdb) disassemble
...
(gdb) layout asm

State and compatibility

Currently we only support x86 and x86_64 non-ZTS builds on POSIX platforms (tested on Linux). We support only “Hybrid VM” that requires C compiler with GCC extensions (labels as values and explicit global register variables). Unfortunately, LLVM doesn't support the second feature and MSVC - both.

ZTS support is doable and shouldn't be very difficult, but should be implemented once the ZTS improvements described at https://wiki.php.net/zts-improvement are done.

LLVM and MSVC are not currently supported. Without JIT, bench.php is about 2 times faster on PHP built with GCC, compared to with LLVM or MSVC. LLVM and MSVC require support for “Call VM” (which was already implemented, but wasn't tested for a while) and additional code for opcode handlers argument passing and FP/IP register reloading (to emulate register variables and reuse existing code-generator). Windows support might also require adopting a different calling convention.

An alternative way to support all platforms and C compilers is generating a low-level VM (using the same JIT framework). This VM won't depend on C compiler extensions, and going to be compatible with JIT out of the box. As a side effect, interpretation should also become faster. This approach is used in the JVM template VM, the low level WebKit interpreter, the V8 ignition interpreter and the LuaJIT interpreter. Low-level VM may be implemented in PHP 8, in addition to existing interpreter written in C.

Open Issues

Make sure there are no open issues when the vote starts!

Future Scope

In PHP 8 we are going to improve JIT and perform optimized code generation after an initial profiling of hot functions. This would allow application of speculative optimizations and generation only the code that is really executed. It's also possible to do deeper integration of JIT with preloading and FFI, and perhaps a standardized way of developing (and providing) built-in functions that are written in PHP, and not just in C.

Proposed Voting Choices

Support for JIT is more a strategic PHP question. JIT definitely requires a lot of work, but it may be actively developed only as a part of PHP, with common effort.

This project requires a 2/3+1 majority.

Include JIT into PHP 8?
Real name Yes No
Final result: 0 0
This poll has been closed.

As PHP 7.4 is already branched and its engine is not expected to be significantly changed (consequently requiring corresponding changes to the JIT implementation), we can also consider including JIT in PHP-7.4 as an experimental feature (disabled by default), to provide early access and receive more feedback. This also requires a 2/3+1 majority.

Include JIT into PHP 7.4 (experimental)?
Real name Yes No
Final result: 0 0
This poll has been closed.

Patches and Tests

  1. https://github.com/zendtech/php-src/ - The PHP JIT branch was announced more than two years ago, and since that time was kept in consistency with PHP master.

Implementation

After the project is implemented, this section should contain

  1. the version(s) it was merged into
  2. a link to the git commit(s)
  3. a link to the PHP manual entry for the feature
  4. a link to the language specification section (if any)

References

Rejected Features

Keep this updated with features that were discussed on the mail lists.

rfc/jit.txt · Last modified: 2019/02/13 09:27 by zeev