- Revision
- 162666
- Author
- fpi...@apple.com
- Date
- 2014-01-23 17:18:19 -0800 (Thu, 23 Jan 2014)
Log Message
3x splay regression in FTL with experimental coverage that is entirely due to Bartlett weirdness
https://bugs.webkit.org/show_bug.cgi?id=127463
Reviewed by Mark Hahnenberg.
This turned out to be entirely due to misuse of the scratch buffer in an FTL thunk.
We need to mark a scratch buffer as unused after we're done with it or else the GC
will have a bad time.
But, this also introduces some debugging-related things that were useful on my
journey.
Finally, this turns all experimental FTL coverage into non-experimental coverage for
now. I'm keeping the option because we will probably make other things "experimental"
in the near future, if they cause regressions.
* dfg/DFGTierUpCheckInjectionPhase.cpp:
(JSC::DFG::TierUpCheckInjectionPhase::run): Made it possible to disable FTL OSR entry.
* ftl/FTLCapabilities.cpp:
(JSC::FTL::canCompile): Make the new NodeTypes non-experimental.
* ftl/FTLThunks.cpp:
(JSC::FTL::osrExitGenerationThunkGenerator): Fix the actual bug.
* llint/LowLevelInterpreter.asm:
* runtime/Options.h:
* runtime/VM.cpp:
(JSC::logSanitizeStack):
* runtime/VM.h:
(JSC::sanitizeStackForVM): This is all about making it possible to print things when the stack is sanitized.
Modified Paths
Diff
Modified: branches/jsCStack/Source/_javascript_Core/ChangeLog (162665 => 162666)
--- branches/jsCStack/Source/_javascript_Core/ChangeLog 2014-01-24 01:15:11 UTC (rev 162665)
+++ branches/jsCStack/Source/_javascript_Core/ChangeLog 2014-01-24 01:18:19 UTC (rev 162666)
@@ -1,3 +1,34 @@
+2014-01-23 Filip Pizlo <fpi...@apple.com>
+
+ 3x splay regression in FTL with experimental coverage that is entirely due to Bartlett weirdness
+ https://bugs.webkit.org/show_bug.cgi?id=127463
+
+ Reviewed by Mark Hahnenberg.
+
+ This turned out to be entirely due to misuse of the scratch buffer in an FTL thunk.
+ We need to mark a scratch buffer as unused after we're done with it or else the GC
+ will have a bad time.
+
+ But, this also introduces some debugging-related things that were useful on my
+ journey.
+
+ Finally, this turns all experimental FTL coverage into non-experimental coverage for
+ now. I'm keeping the option because we will probably make other things "experimental"
+ in the near future, if they cause regressions.
+
+ * dfg/DFGTierUpCheckInjectionPhase.cpp:
+ (JSC::DFG::TierUpCheckInjectionPhase::run): Made it possible to disable FTL OSR entry.
+ * ftl/FTLCapabilities.cpp:
+ (JSC::FTL::canCompile): Make the new NodeTypes non-experimental.
+ * ftl/FTLThunks.cpp:
+ (JSC::FTL::osrExitGenerationThunkGenerator): Fix the actual bug.
+ * llint/LowLevelInterpreter.asm:
+ * runtime/Options.h:
+ * runtime/VM.cpp:
+ (JSC::logSanitizeStack):
+ * runtime/VM.h:
+ (JSC::sanitizeStackForVM): This is all about making it possible to print things when the stack is sanitized.
+
2014-01-23 Mark Hahnenberg <mhahnenb...@apple.com>
Merge branch up to ToT r161658.
Modified: branches/jsCStack/Source/_javascript_Core/dfg/DFGTierUpCheckInjectionPhase.cpp (162665 => 162666)
--- branches/jsCStack/Source/_javascript_Core/dfg/DFGTierUpCheckInjectionPhase.cpp 2014-01-24 01:15:11 UTC (rev 162665)
+++ branches/jsCStack/Source/_javascript_Core/dfg/DFGTierUpCheckInjectionPhase.cpp 2014-01-24 01:18:19 UTC (rev 162666)
@@ -58,6 +58,9 @@
if (level == FTL::CannotCompile)
return false;
+ if (!Options::enableOSREntryToFTL())
+ level = FTL::CanCompile;
+
InsertionSet insertionSet(m_graph);
for (BlockIndex blockIndex = m_graph.numBlocks(); blockIndex--;) {
BasicBlock* block = m_graph.block(blockIndex);
Modified: branches/jsCStack/Source/_javascript_Core/ftl/FTLCapabilities.cpp (162665 => 162666)
--- branches/jsCStack/Source/_javascript_Core/ftl/FTLCapabilities.cpp 2014-01-24 01:15:11 UTC (rev 162665)
+++ branches/jsCStack/Source/_javascript_Core/ftl/FTLCapabilities.cpp 2014-01-24 01:18:19 UTC (rev 162666)
@@ -125,6 +125,11 @@
case CountExecution:
case CheckExecutable:
case GetScope:
+ case AllocationProfileWatchpoint:
+ case CheckArgumentsNotCreated:
+ case GetCallee:
+ case ToString:
+ case MakeRope:
// These are OK.
break;
case GetById:
@@ -238,14 +243,6 @@
return CannotCompile;
}
break;
- case AllocationProfileWatchpoint:
- case CheckArgumentsNotCreated:
- case GetCallee:
- case ToString:
- case MakeRope:
- if (!Options::enableExperimentalFTLCoverage())
- return CannotCompile;
- break;
default:
// Don't know how to handle anything else.
return CannotCompile;
Modified: branches/jsCStack/Source/_javascript_Core/ftl/FTLThunks.cpp (162665 => 162666)
--- branches/jsCStack/Source/_javascript_Core/ftl/FTLThunks.cpp 2014-01-24 01:15:11 UTC (rev 162665)
+++ branches/jsCStack/Source/_javascript_Core/ftl/FTLThunks.cpp 2014-01-24 01:18:19 UTC (rev 162666)
@@ -71,10 +71,13 @@
jit.move(GPRInfo::returnValueGPR, GPRInfo::regT0);
+ // Make sure we tell the GC that we're not using the scratch buffer anymore.
+ jit.move(MacroAssembler::TrustedImmPtr(scratchBuffer->activeLengthPtr()), GPRInfo::regT1);
+ jit.storePtr(MacroAssembler::TrustedImmPtr(0), GPRInfo::regT1);
+
// Prepare for tail call.
jit.pop(GPRInfo::regT1);
jit.pop(GPRInfo::regT1);
- // FIXME: CStack - Need to address the right way to adjust CFR and SP
jit.pop(MacroAssembler::framePointerRegister);
// At this point we're sitting on the return address - so if we did a jump right now, the
@@ -82,7 +85,6 @@
// restore all registers.
jit.restoreReturnAddressBeforeReturn(GPRInfo::regT0);
- // FIXME: CStack - Through here
restoreAllRegisters(jit, buffer);
Modified: branches/jsCStack/Source/_javascript_Core/llint/LowLevelInterpreter.asm (162665 => 162666)
--- branches/jsCStack/Source/_javascript_Core/llint/LowLevelInterpreter.asm 2014-01-24 01:15:11 UTC (rev 162665)
+++ branches/jsCStack/Source/_javascript_Core/llint/LowLevelInterpreter.asm 2014-01-24 01:18:19 UTC (rev 162666)
@@ -609,8 +609,8 @@
if C_LOOP
else
-# void sanitizeStackForVM(VM* vm)
-_sanitizeStackForVM:
+# void sanitizeStackForVMImpl(VM* vm)
+_sanitizeStackForVMImpl:
if X86_64
const vm = t4
const address = t1
Modified: branches/jsCStack/Source/_javascript_Core/runtime/Options.h (162665 => 162666)
--- branches/jsCStack/Source/_javascript_Core/runtime/Options.h 2014-01-24 01:15:11 UTC (rev 162665)
+++ branches/jsCStack/Source/_javascript_Core/runtime/Options.h 2014-01-24 01:18:19 UTC (rev 162666)
@@ -129,8 +129,10 @@
v(bool, verboseFTLFailure, false) \
v(bool, alwaysComputeHash, false) \
v(bool, testTheFTL, false) \
+ v(bool, verboseSanitizeStack, false) \
\
v(bool, enableOSREntryToDFG, true) \
+ v(bool, enableOSREntryToFTL, true) \
\
v(bool, useExperimentalFTL, false) \
v(bool, enableExperimentalFTLCoverage, false) \
Modified: branches/jsCStack/Source/_javascript_Core/runtime/VM.cpp (162665 => 162666)
--- branches/jsCStack/Source/_javascript_Core/runtime/VM.cpp 2014-01-24 01:15:11 UTC (rev 162665)
+++ branches/jsCStack/Source/_javascript_Core/runtime/VM.cpp 2014-01-24 01:18:19 UTC (rev 162666)
@@ -772,12 +772,17 @@
}
#endif
-#if ENABLE(LLINT_C_LOOP)
-void sanitizeStackForVM(VM* vm)
+void logSanitizeStack(VM* vm)
{
- vm->interpreter->stack().sanitizeStack();
+ if (Options::verboseSanitizeStack() && vm->topCallFrame) {
+ int dummy;
+ dataLog(
+ "Sanitizing stack with top call frame at ", RawPointer(vm->topCallFrame),
+ ", current stack pointer at ", RawPointer(&dummy), ", in ",
+ pointerDump(vm->topCallFrame->codeBlock()), " and last code origin = ",
+ vm->topCallFrame->codeOrigin(), "\n");
+ }
}
-#endif
#if ENABLE(REGEXP_TRACING)
void VM::addRegExpToTrace(RegExp* regExp)
Modified: branches/jsCStack/Source/_javascript_Core/runtime/VM.h (162665 => 162666)
--- branches/jsCStack/Source/_javascript_Core/runtime/VM.h 2014-01-24 01:15:11 UTC (rev 162665)
+++ branches/jsCStack/Source/_javascript_Core/runtime/VM.h 2014-01-24 01:18:19 UTC (rev 162666)
@@ -558,13 +558,21 @@
return &m_vm->heap;
}
-#if ENABLE(LLINT)
+#if !ENABLE(LLINT_C_LOOP)
+ extern "C" void sanitizeStackForVMImpl(VM*);
+#endif
+
+ void logSanitizeStack(VM*);
+
+ ALWAYS_INLINE void sanitizeStackForVM(VM* vm)
+ {
+ logSanitizeStack(vm);
#if ENABLE(LLINT_C_LOOP)
- void sanitizeStackForVM(VM*);
+ vm->interpreter->stack().sanitizeStack();
#else
- extern "C" void sanitizeStackForVM(VM*);
+ sanitizeStackForVMImpl(vm);
#endif
-#endif
+ }
} // namespace JSC
