Skip to site navigation (Press enter)

[webkit-changes] [188889] branches/jsc-tailcall/Source/JavaScriptCore

msaboff Mon, 24 Aug 2015 15:41:33 -0700

Title: [188889] branches/jsc-tailcall/Source/_javascript_Core

Revision: 188889
Author: msab...@apple.com
Date: 2015-08-24 15:40:45 -0700 (Mon, 24 Aug 2015)

Log Message

jsc-tailcall: Specialized thunks need to save / restore callee save "tag" registers
https://bugs.webkit.org/show_bug.cgi?id=148345


Reviewed by Basile Clement.

Since these thunks can be called by FTL compiled functions, we can't count on the 
tagTypeNumberRegister and tagMaskRegister.  In fact, the same registers could be used
for other purposes.  Since they are callee saves, save the current values on entry to
these thunks and materialize the tag constant values.  On function exit we restore
the caller's values.

* jit/SpecializedThunkJIT.h:
(JSC::SpecializedThunkJIT::SpecializedThunkJIT):
(JSC::SpecializedThunkJIT::loadDoubleArgument):
(JSC::SpecializedThunkJIT::returnJSValue):
(JSC::SpecializedThunkJIT::returnDouble):
(JSC::SpecializedThunkJIT::returnInt32):
(JSC::SpecializedThunkJIT::returnJSCell):
(JSC::SpecializedThunkJIT::callDoubleToDoublePreservingReturn):
(JSC::SpecializedThunkJIT::emitSaveThenMaterializeTagRegisters):
(JSC::SpecializedThunkJIT::emitRestoreSavedTagRegisters):
(JSC::SpecializedThunkJIT::tagReturnAsInt32):
* jit/ThunkGenerators.cpp:
(JSC::nativeForGenerator):  Since the nativeForGenerator can be called via a tail call
by various specialized thunks, we need to restore the values of the tag constant callee
save registers.  The specialized thunks is the only code that make such tail calls
to nativeForGenerator generated code.

Modified Paths

branches/jsc-tailcall/Source/_javascript_Core/ChangeLog
branches/jsc-tailcall/Source/_javascript_Core/jit/SpecializedThunkJIT.h
branches/jsc-tailcall/Source/_javascript_Core/jit/ThunkGenerators.cpp

Diff

Modified: branches/jsc-tailcall/Source/_javascript_Core/ChangeLog (188888 => 188889)


--- branches/jsc-tailcall/Source/_javascript_Core/ChangeLog	2015-08-24 21:56:38 UTC (rev 188888)
+++ branches/jsc-tailcall/Source/_javascript_Core/ChangeLog	2015-08-24 22:40:45 UTC (rev 188889)
@@ -1,3 +1,33 @@
+2015-08-24  Michael Saboff  <msab...@apple.com>
+
+        jsc-tailcall: Specialized thunks need to save / restore callee save "tag" registers
+        https://bugs.webkit.org/show_bug.cgi?id=148345
+
+        Reviewed by Basile Clement.
+
+        Since these thunks can be called by FTL compiled functions, we can't count on the 
+        tagTypeNumberRegister and tagMaskRegister.  In fact, the same registers could be used
+        for other purposes.  Since they are callee saves, save the current values on entry to
+        these thunks and materialize the tag constant values.  On function exit we restore
+        the caller's values.
+
+        * jit/SpecializedThunkJIT.h:
+        (JSC::SpecializedThunkJIT::SpecializedThunkJIT):
+        (JSC::SpecializedThunkJIT::loadDoubleArgument):
+        (JSC::SpecializedThunkJIT::returnJSValue):
+        (JSC::SpecializedThunkJIT::returnDouble):
+        (JSC::SpecializedThunkJIT::returnInt32):
+        (JSC::SpecializedThunkJIT::returnJSCell):
+        (JSC::SpecializedThunkJIT::callDoubleToDoublePreservingReturn):
+        (JSC::SpecializedThunkJIT::emitSaveThenMaterializeTagRegisters):
+        (JSC::SpecializedThunkJIT::emitRestoreSavedTagRegisters):
+        (JSC::SpecializedThunkJIT::tagReturnAsInt32):
+        * jit/ThunkGenerators.cpp:
+        (JSC::nativeForGenerator):  Since the nativeForGenerator can be called via a tail call
+        by various specialized thunks, we need to restore the values of the tag constant callee
+        save registers.  The specialized thunks is the only code that make such tail calls
+        to nativeForGenerator generated code.
+
 2015-08-24  Basile Clement  <basile_clem...@apple.com>
 
         jsc-tailcall: We can't assert that registers are flushed when making a tail call

Modified: branches/jsc-tailcall/Source/_javascript_Core/jit/SpecializedThunkJIT.h (188888 => 188889)


--- branches/jsc-tailcall/Source/_javascript_Core/jit/SpecializedThunkJIT.h	2015-08-24 21:56:38 UTC (rev 188888)
+++ branches/jsc-tailcall/Source/_javascript_Core/jit/SpecializedThunkJIT.h	2015-08-24 22:40:45 UTC (rev 188889)
@@ -44,6 +44,7 @@
             : JSInterfaceJIT(vm)
         {
             emitFunctionPrologue();
+            emitSaveThenMaterializeTagRegisters();
             // Check that we have the expected number of arguments
             m_failures.append(branch32(NotEqual, payloadFor(JSStack::ArgumentCount), TrustedImm32(expectedArgCount + 1)));
         }
@@ -52,6 +53,7 @@
             : JSInterfaceJIT(vm)
         {
             emitFunctionPrologue();
+            emitSaveThenMaterializeTagRegisters();
         }
         
         void loadDoubleArgument(int argument, FPRegisterID dst, RegisterID scratch)
@@ -105,6 +107,8 @@
         {
             if (src != regT0)
                 move(src, regT0);
+            
+            emitRestoreSavedTagRegisters();
             emitFunctionEpilogue();
             ret();
         }
@@ -113,6 +117,7 @@
         {
             ASSERT_UNUSED(payload, payload == regT0);
             ASSERT_UNUSED(tag, tag == regT1);
+            emitRestoreSavedTagRegisters();
             emitFunctionEpilogue();
             ret();
         }
@@ -137,6 +142,7 @@
             lowNonZero.link(this);
             highNonZero.link(this);
 #endif
+            emitRestoreSavedTagRegisters();
             emitFunctionEpilogue();
             ret();
         }
@@ -146,6 +152,7 @@
             if (src != regT0)
                 move(src, regT0);
             tagReturnAsInt32();
+            emitRestoreSavedTagRegisters();
             emitFunctionEpilogue();
             ret();
         }
@@ -155,6 +162,7 @@
             if (src != regT0)
                 move(src, regT0);
             tagReturnAsJSCell();
+            emitRestoreSavedTagRegisters();
             emitFunctionEpilogue();
             ret();
         }
@@ -185,7 +193,31 @@
         }
 
     private:
+        void emitSaveThenMaterializeTagRegisters()
+        {
+#if USE(JSVALUE64)
+#if CPU(ARM64)
+            pushPair(tagTypeNumberRegister, tagMaskRegister);
+#else
+            push(tagTypeNumberRegister);
+            push(tagMaskRegister);
+#endif
+            emitMaterializeTagCheckRegisters();
+#endif
+        }
 
+        void emitRestoreSavedTagRegisters()
+        {
+#if USE(JSVALUE64)
+#if CPU(ARM64)
+            popPair(tagTypeNumberRegister, tagMaskRegister);
+#else
+            pop(tagMaskRegister);
+            pop(tagTypeNumberRegister);
+#endif
+#endif
+        }
+        
         void tagReturnAsInt32()
         {
 #if USE(JSVALUE64)

Modified: branches/jsc-tailcall/Source/_javascript_Core/jit/ThunkGenerators.cpp (188888 => 188889)


--- branches/jsc-tailcall/Source/_javascript_Core/jit/ThunkGenerators.cpp	2015-08-24 21:56:38 UTC (rev 188888)
+++ branches/jsc-tailcall/Source/_javascript_Core/jit/ThunkGenerators.cpp	2015-08-24 22:40:45 UTC (rev 188889)
@@ -223,6 +223,18 @@
 
     if (entryType == EnterViaCall)
         jit.emitFunctionPrologue();
+#if USE(JSVALUE64)
+    else if (entryType == EnterViaJump) {
+        // We're coming from a specialized thunk that has saved the prior tag registers' contents.
+        // Restore them now.
+#if CPU(ARM64)
+        jit.popPair(JSInterfaceJIT::tagTypeNumberRegister, JSInterfaceJIT::tagMaskRegister);
+#else
+        jit.pop(JSInterfaceJIT::tagMaskRegister);
+        jit.pop(JSInterfaceJIT::tagTypeNumberRegister);
+#endif
+    }
+#endif
 
     jit.emitPutImmediateToCallFrameHeader(0, JSStack::CodeBlock);
     jit.storePtr(JSInterfaceJIT::callFrameRegister, &vm->topCallFrame);

_______________________________________________
webkit-changes mailing list
webkit-changes@lists.webkit.org
https://lists.webkit.org/mailman/listinfo/webkit-changes