Title: [227015] branches/safari-605-branch

Diff

Modified: branches/safari-605-branch/JSTests/ChangeLog (227014 => 227015)


--- branches/safari-605-branch/JSTests/ChangeLog	2018-01-17 05:03:33 UTC (rev 227014)
+++ branches/safari-605-branch/JSTests/ChangeLog	2018-01-17 05:03:36 UTC (rev 227015)
@@ -1,3 +1,17 @@
+2018-01-16  Jason Marcell  <[email protected]>
+
+        Cherry-pick r226806. rdar://problem/36567946
+
+    2018-01-11  Saam Barati  <[email protected]>
+
+            JITMathIC code in the FTL is wrong when code gets duplicated
+            https://bugs.webkit.org/show_bug.cgi?id=181525
+            <rdar://problem/36351993>
+
+            Reviewed by Michael Saboff and Keith Miller.
+
+            * stress/allow-math-ic-b3-code-duplication.js: Added.
+
 2018-01-11  Jason Marcell  <[email protected]>
 
         Cherry-pick r226811. rdar://problem/36458907

Added: branches/safari-605-branch/JSTests/stress/allow-math-ic-b3-code-duplication.js (0 => 227015)


--- branches/safari-605-branch/JSTests/stress/allow-math-ic-b3-code-duplication.js	                        (rev 0)
+++ branches/safari-605-branch/JSTests/stress/allow-math-ic-b3-code-duplication.js	2018-01-17 05:03:36 UTC (rev 227015)
@@ -0,0 +1,35 @@
+function test1() {
+    var o1;
+    for (let i = 0; i < 1000000; ++i) {
+        var o2 = { f: { f: { f: { f: { f: { f: { f: { f: { f: { f: { f: { f: { } } } } } } } } } } } } };
+    }
+    return -o2;
+}
+test1();
+
+function test2() {
+    var o1;
+    for (let i = 0; i < 1000000; ++i) {
+        var o2 = { f: { f: { f: { f: { f: { f: { f: { f: { f: { f: { f: { f: { } } } } } } } } } } } } };
+    }
+    return o1 - o2;
+}
+test2();
+
+function test3() {
+    var o1;
+    for (let i = 0; i < 1000000; ++i) {
+        var o2 = { f: { f: { f: { f: { f: { f: { f: { f: { f: { f: { f: { f: { } } } } } } } } } } } } };
+    }
+    return o1 + o2;
+}
+test3();
+
+function test4() {
+    var o1;
+    for (let i = 0; i < 1000000; ++i) {
+        var o2 = { f: { f: { f: { f: { f: { f: { f: { f: { f: { f: { f: { f: { } } } } } } } } } } } } };
+    }
+    return o1 * o2;
+}
+test4();
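Review bot: Nothing in this file says how it is meant to fail: each of test1 to test4 is called once and its result is discarded, so the test can only fail through a crash or an engine assertion. A header comment would make that explicit, for example `// Regression test for https://bugs.webkit.org/show_bug.cgi?id=181525; passes if no crash or assertion fires.` A short comment on the deeply nested literal in each loop would also help, since its connection to B3 code duplication is only implied by the file name. `var o1;` in test1 is never read and can be dropped.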

Modified: branches/safari-605-branch/Source/_javascript_Core/ChangeLog (227014 => 227015)


--- branches/safari-605-branch/Source/_javascript_Core/ChangeLog	2018-01-17 05:03:33 UTC (rev 227014)
+++ branches/safari-605-branch/Source/_javascript_Core/ChangeLog	2018-01-17 05:03:36 UTC (rev 227015)
@@ -1,3 +1,34 @@
+2018-01-16  Jason Marcell  <[email protected]>
+
+        Cherry-pick r226806. rdar://problem/36567946
+
+    2018-01-11  Saam Barati  <[email protected]>
+
+            JITMathIC code in the FTL is wrong when code gets duplicated
+            https://bugs.webkit.org/show_bug.cgi?id=181525
+            <rdar://problem/36351993>
+
+            Reviewed by Michael Saboff and Keith Miller.
+
+            B3/Air may duplicate code for various reasons. Patchpoint generators inside
+            FTLLower must be aware that they can be called multiple times because of this.
+            The patchpoint for math ICs was not aware of this, and shared state amongst
+            all invocations of the patchpoint's generator. This patch fixes this bug so
+            that each invocation of the patchpoint's generator gets a unique math IC.
+
+            * bytecode/CodeBlock.h:
+            (JSC::CodeBlock::addMathIC):
+            * ftl/FTLLowerDFGToB3.cpp:
+            (JSC::FTL::DFG::LowerDFGToB3::compileValueAdd):
+            (JSC::FTL::DFG::LowerDFGToB3::compileUnaryMathIC):
+            (JSC::FTL::DFG::LowerDFGToB3::compileBinaryMathIC):
+            (JSC::FTL::DFG::LowerDFGToB3::compileArithAddOrSub):
+            (JSC::FTL::DFG::LowerDFGToB3::compileArithMul):
+            (JSC::FTL::DFG::LowerDFGToB3::compileArithNegate):
+            (JSC::FTL::DFG::LowerDFGToB3::compileMathIC): Deleted.
+            * jit/JITMathIC.h:
+            (JSC::isProfileEmpty):
+
 2018-01-12  Jason Marcell  <[email protected]>
 
         Apply patch. rdar://problem/36303061

Modified: branches/safari-605-branch/Source/_javascript_Core/bytecode/CodeBlock.h (227014 => 227015)


--- branches/safari-605-branch/Source/_javascript_Core/bytecode/CodeBlock.h	2018-01-17 05:03:33 UTC (rev 227014)
+++ branches/safari-605-branch/Source/_javascript_Core/bytecode/CodeBlock.h	2018-01-17 05:03:36 UTC (rev 227015)
@@ -259,11 +259,24 @@
     void getByValInfoMap(ByValInfoMap& result);
     
 #if ENABLE(JIT)
-    StructureStubInfo* addStubInfo(AccessType);
     JITAddIC* addJITAddIC(ArithProfile*);
     JITMulIC* addJITMulIC(ArithProfile*);
     JITNegIC* addJITNegIC(ArithProfile*);
     JITSubIC* addJITSubIC(ArithProfile*);
+
+    template <typename Generator, typename = typename std::enable_if<std::is_same<Generator, JITAddGenerator>::value>::type>
+    JITAddIC* addMathIC(ArithProfile* profile) { return addJITAddIC(profile); }
+
+    template <typename Generator, typename = typename std::enable_if<std::is_same<Generator, JITMulGenerator>::value>::type>
+    JITMulIC* addMathIC(ArithProfile* profile) { return addJITMulIC(profile); }
+
+    template <typename Generator, typename = typename std::enable_if<std::is_same<Generator, JITNegGenerator>::value>::type>
+    JITNegIC* addMathIC(ArithProfile* profile) { return addJITNegIC(profile); }
+
+    template <typename Generator, typename = typename std::enable_if<std::is_same<Generator, JITSubGenerator>::value>::type>
+    JITSubIC* addMathIC(ArithProfile* profile) { return addJITSubIC(profile); }
+
+    StructureStubInfo* addStubInfo(AccessType);
     auto stubInfoBegin() { return m_stubInfos.begin(); }
     auto stubInfoEnd() { return m_stubInfos.end(); }
 
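Review bot: The four `addMathIC` templates differ only in the default argument of their second template parameter and in their return type, and default template arguments are not part of a function template's signature. They therefore stay distinct overloads only while `JITAddIC`, `JITMulIC`, `JITNegIC` and `JITSubIC` are distinct types; those definitions are outside this hunk, so this should be confirmed. Moving the constraint into a non-type parameter, `typename std::enable_if<std::is_same<Generator, JITAddGenerator>::value, int>::type = 0`, makes each overload distinct on its own. A one-line comment above the group, such as `// Maps a generator type to the matching addJIT*IC allocator.`, would also document the intent.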

Modified: branches/safari-605-branch/Source/_javascript_Core/ftl/FTLLowerDFGToB3.cpp (227014 => 227015)


--- branches/safari-605-branch/Source/_javascript_Core/ftl/FTLLowerDFGToB3.cpp	2018-01-17 05:03:33 UTC (rev 227014)
+++ branches/safari-605-branch/Source/_javascript_Core/ftl/FTLLowerDFGToB3.cpp	2018-01-17 05:03:36 UTC (rev 227015)
@@ -1773,14 +1773,13 @@
     void compileValueAdd()
     {
         ArithProfile* arithProfile = m_ftlState.graph.baselineCodeBlockFor(m_node->origin.semantic)->arithProfileForBytecodeOffset(m_node->origin.semantic.bytecodeIndex);
-        JITAddIC* addIC = codeBlock()->addJITAddIC(arithProfile);
         auto repatchingFunction = operationValueAddOptimize;
         auto nonRepatchingFunction = operationValueAdd;
-        compileMathIC(addIC, repatchingFunction, nonRepatchingFunction);
+        compileBinaryMathIC<JITAddGenerator>(arithProfile, repatchingFunction, nonRepatchingFunction);
     }
 
     template <typename Generator>
-    void compileMathIC(JITUnaryMathIC<Generator>* mathIC, FunctionPtr repatchingFunction, FunctionPtr nonRepatchingFunction)
+    void compileUnaryMathIC(ArithProfile* arithProfile, FunctionPtr repatchingFunction, FunctionPtr nonRepatchingFunction)
     {
         Node* node = m_node;
 
@@ -1806,6 +1805,7 @@
 #endif
 
                 Box<MathICGenerationState> mathICGenerationState = Box<MathICGenerationState>::create();
+                JITUnaryMathIC<Generator>* mathIC = jit.codeBlock()->addMathIC<Generator>(arithProfile);
                 mathIC->m_generator = Generator(JSValueRegs(params[0].gpr()), JSValueRegs(params[1].gpr()), params.gpScratch(0));
 
                 bool shouldEmitProfiling = false;
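Review bot: The new `addMathIC<Generator>(arithProfile)` line has no comment saying why the IC must be allocated inside the generator lambda, so a later cleanup could hoist it back out and reintroduce the shared state the ChangeLog describes. I would add above it `// B3/Air may duplicate this patchpoint, so every generator invocation needs its own math IC.`; the same applies to the matching line in compileBinaryMathIC (the `@@ -1897,6 +1898,7 @@` hunk). The allocation also moved from `codeBlock()` at the call sites to `jit.codeBlock()` here. These are presumably the same CodeBlock, but that is worth confirming because neither definition is in the diff. The lambda and compileUnaryMathIC both start and end outside this hunk.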
@@ -1864,7 +1864,7 @@
     }
 
     template <typename Generator>
-    void compileMathIC(JITBinaryMathIC<Generator>* mathIC, FunctionPtr repatchingFunction, FunctionPtr nonRepatchingFunction)
+    void compileBinaryMathIC(ArithProfile* arithProfile, FunctionPtr repatchingFunction, FunctionPtr nonRepatchingFunction)
     {
         Node* node = m_node;
         
@@ -1889,6 +1889,7 @@
             [=] (CCallHelpers& jit, const StackmapGenerationParams& params) {
                 AllowMacroScratchRegisterUsage allowScratch(jit);
 
+
                 Box<CCallHelpers::JumpList> exceptions =
                     exceptionHandle->scheduleExitCreation(params)->jumps(jit);
 
@@ -1897,6 +1898,7 @@
 #endif
 
                 Box<MathICGenerationState> mathICGenerationState = Box<MathICGenerationState>::create();
+                JITBinaryMathIC<Generator>* mathIC = jit.codeBlock()->addMathIC<Generator>(arithProfile);
                 mathIC->m_generator = Generator(leftOperand, rightOperand, JSValueRegs(params[0].gpr()),
                     JSValueRegs(params[1].gpr()), JSValueRegs(params[2].gpr()), params.fpScratch(0),
                     params.fpScratch(1), params.gpScratch(0), InvalidFPRReg);
@@ -2028,10 +2030,9 @@
             }
 
             ArithProfile* arithProfile = m_ftlState.graph.baselineCodeBlockFor(m_node->origin.semantic)->arithProfileForBytecodeOffset(m_node->origin.semantic.bytecodeIndex);
-            JITSubIC* subIC = codeBlock()->addJITSubIC(arithProfile);
             auto repatchingFunction = operationValueSubOptimize;
             auto nonRepatchingFunction = operationValueSub;
-            compileMathIC(subIC, repatchingFunction, nonRepatchingFunction);
+            compileBinaryMathIC<JITSubGenerator>(arithProfile, repatchingFunction, nonRepatchingFunction);
             break;
         }
 
@@ -2123,10 +2124,9 @@
 
         case UntypedUse: {
             ArithProfile* arithProfile = m_ftlState.graph.baselineCodeBlockFor(m_node->origin.semantic)->arithProfileForBytecodeOffset(m_node->origin.semantic.bytecodeIndex);
-            JITMulIC* mulIC = codeBlock()->addJITMulIC(arithProfile);
             auto repatchingFunction = operationValueMulOptimize;
             auto nonRepatchingFunction = operationValueMul;
-            compileMathIC(mulIC, repatchingFunction, nonRepatchingFunction);
+            compileBinaryMathIC<JITMulGenerator>(arithProfile, repatchingFunction, nonRepatchingFunction);
             break;
         }
 
@@ -2705,10 +2705,9 @@
         default:
             DFG_ASSERT(m_graph, m_node, m_node->child1().useKind() == UntypedUse);
             ArithProfile* arithProfile = m_ftlState.graph.baselineCodeBlockFor(m_node->origin.semantic)->arithProfileForBytecodeOffset(m_node->origin.semantic.bytecodeIndex);
-            JITNegIC* negIC = codeBlock()->addJITNegIC(arithProfile);
             auto repatchingFunction = operationArithNegateOptimize;
             auto nonRepatchingFunction = operationArithNegate;
-            compileMathIC(negIC, repatchingFunction, nonRepatchingFunction);
+            compileUnaryMathIC<JITNegGenerator>(arithProfile, repatchingFunction, nonRepatchingFunction);
             break;
         }
     }

Modified: branches/safari-605-branch/Source/_javascript_Core/jit/JITMathIC.h (227014 => 227015)


--- branches/safari-605-branch/Source/_javascript_Core/jit/JITMathIC.h	2018-01-17 05:03:33 UTC (rev 227014)
+++ branches/safari-605-branch/Source/_javascript_Core/jit/JITMathIC.h	2018-01-17 05:03:36 UTC (rev 227015)
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2016 Apple Inc. All rights reserved.
+ * Copyright (C) 2016-2018 Apple Inc. All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
@@ -54,6 +54,7 @@
 
 template <typename GeneratorType, bool(*isProfileEmpty)(ArithProfile&)>
 class JITMathIC {
+    WTF_MAKE_FAST_ALLOCATED;
 public:
     JITMathIC(ArithProfile* arithProfile)
         : m_arithProfile(arithProfile)