Diff
Modified: trunk/Source/_javascript_Core/ChangeLog (232460 => 232461)
--- trunk/Source/_javascript_Core/ChangeLog 2018-06-04 04:02:20 UTC (rev 232460)
+++ trunk/Source/_javascript_Core/ChangeLog 2018-06-04 04:13:42 UTC (rev 232461)
@@ -1,3 +1,50 @@
+2018-06-03 Yusuke Suzuki <[email protected]>
+
+ LayoutTests/fast/css/parsing-css-matches-7.html always abandons its Document (disabling JIT fixes it)
+ https://bugs.webkit.org/show_bug.cgi?id=186223
+
+ Reviewed by Keith Miller.
+
+ After preparing catchOSREntryBuffer, we do not clear the active length of this scratch buffer.
+ It makes this buffer conservative GC root, and allows it to hold GC objects unnecessarily long.
+
+ This patch introduces DFG ClearCatchLocals node, which clears catchOSREntryBuffer's active length.
+ We model ExtractCatchLocal and ClearCatchLocals appropriately in DFG clobberize too to make
+ this ClearCatchLocals valid.
+
+ The existing tests for ExtractCatchLocal just pass.
+
+ * dfg/DFGAbstractHeap.h:
+ * dfg/DFGAbstractInterpreterInlines.h:
+ (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
+ * dfg/DFGByteCodeParser.cpp:
+ (JSC::DFG::ByteCodeParser::parseBlock):
+ * dfg/DFGClobberize.h:
+ (JSC::DFG::clobberize):
+ * dfg/DFGDoesGC.cpp:
+ (JSC::DFG::doesGC):
+ * dfg/DFGFixupPhase.cpp:
+ (JSC::DFG::FixupPhase::fixupNode):
+ * dfg/DFGMayExit.cpp:
+ * dfg/DFGNodeType.h:
+ * dfg/DFGOSREntry.cpp:
+ (JSC::DFG::prepareCatchOSREntry):
+ * dfg/DFGPredictionPropagationPhase.cpp:
+ * dfg/DFGSafeToExecute.h:
+ (JSC::DFG::safeToExecute):
+ * dfg/DFGSpeculativeJIT.cpp:
+ (JSC::DFG::SpeculativeJIT::compileClearCatchLocals):
+ * dfg/DFGSpeculativeJIT.h:
+ * dfg/DFGSpeculativeJIT32_64.cpp:
+ (JSC::DFG::SpeculativeJIT::compile):
+ * dfg/DFGSpeculativeJIT64.cpp:
+ (JSC::DFG::SpeculativeJIT::compile):
+ * ftl/FTLCapabilities.cpp:
+ (JSC::FTL::canCompile):
+ * ftl/FTLLowerDFGToB3.cpp:
+ (JSC::FTL::DFG::LowerDFGToB3::compileNode):
+ (JSC::FTL::DFG::LowerDFGToB3::compileClearCatchLocals):
+
2018-06-02 Darin Adler <[email protected]>
[Cocoa] Update some code to be more ARC-compatible to prepare for future ARC adoption
Modified: trunk/Source/_javascript_Core/dfg/DFGAbstractHeap.h (232460 => 232461)
--- trunk/Source/_javascript_Core/dfg/DFGAbstractHeap.h 2018-06-04 04:02:20 UTC (rev 232460)
+++ trunk/Source/_javascript_Core/dfg/DFGAbstractHeap.h 2018-06-04 04:13:42 UTC (rev 232461)
@@ -77,6 +77,7 @@
macro(JSWeakMapFields) \
macro(JSWeakSetFields) \
macro(InternalState) \
+ macro(CatchLocals) \
macro(Absolute) \
/* DOMJIT tells the heap range with the pair of integers. */\
macro(DOMState) \
Modified: trunk/Source/_javascript_Core/dfg/DFGAbstractInterpreterInlines.h (232460 => 232461)
--- trunk/Source/_javascript_Core/dfg/DFGAbstractInterpreterInlines.h 2018-06-04 04:02:20 UTC (rev 232460)
+++ trunk/Source/_javascript_Core/dfg/DFGAbstractInterpreterInlines.h 2018-06-04 04:13:42 UTC (rev 232461)
@@ -3529,6 +3529,7 @@
case LoopHint:
case ZombieHint:
case ExitOK:
+ case ClearCatchLocals:
break;
case CheckTypeInfoFlags: {
Modified: trunk/Source/_javascript_Core/dfg/DFGByteCodeParser.cpp (232460 => 232461)
--- trunk/Source/_javascript_Core/dfg/DFGByteCodeParser.cpp 2018-06-04 04:02:20 UTC (rev 232460)
+++ trunk/Source/_javascript_Core/dfg/DFGByteCodeParser.cpp 2018-06-04 04:13:42 UTC (rev 232461)
@@ -5680,6 +5680,8 @@
addToGraph(MovHint, OpInfo(profile.m_operand), value);
localsToSet.uncheckedAppend(std::make_pair(operand, value));
});
+ if (numberOfLocals)
+ addToGraph(ClearCatchLocals);
if (!m_graph.m_maxLocalsForCatchOSREntry)
m_graph.m_maxLocalsForCatchOSREntry = 0;
Modified: trunk/Source/_javascript_Core/dfg/DFGClobberize.h (232460 => 232461)
--- trunk/Source/_javascript_Core/dfg/DFGClobberize.h 2018-06-04 04:02:20 UTC (rev 232460)
+++ trunk/Source/_javascript_Core/dfg/DFGClobberize.h 2018-06-04 04:13:42 UTC (rev 232461)
@@ -144,9 +144,16 @@
case Check:
case CheckVarargs:
case ExtractOSREntryLocal:
- case ExtractCatchLocal:
case CheckStructureImmediate:
return;
+
+ case ExtractCatchLocal:
+ read(AbstractHeap(CatchLocals, node->catchOSREntryIndex()));
+ return;
+
+ case ClearCatchLocals:
+ write(CatchLocals);
+ return;
case LazyJSConstant:
// We should enable CSE of LazyJSConstant. It's a little annoying since LazyJSValue has
Modified: trunk/Source/_javascript_Core/dfg/DFGDoesGC.cpp (232460 => 232461)
--- trunk/Source/_javascript_Core/dfg/DFGDoesGC.cpp 2018-06-04 04:02:20 UTC (rev 232460)
+++ trunk/Source/_javascript_Core/dfg/DFGDoesGC.cpp 2018-06-04 04:13:42 UTC (rev 232461)
@@ -224,8 +224,9 @@
case WeakSetAdd:
case WeakMapSet:
case Unreachable:
+ case ExtractOSREntryLocal:
case ExtractCatchLocal:
- case ExtractOSREntryLocal:
+ case ClearCatchLocals:
case CheckTierUpInLoop:
case CheckTierUpAtReturn:
case CheckTierUpAndOSREnter:
Modified: trunk/Source/_javascript_Core/dfg/DFGFixupPhase.cpp (232460 => 232461)
--- trunk/Source/_javascript_Core/dfg/DFGFixupPhase.cpp 2018-06-04 04:02:20 UTC (rev 232460)
+++ trunk/Source/_javascript_Core/dfg/DFGFixupPhase.cpp 2018-06-04 04:13:42 UTC (rev 232461)
@@ -2167,6 +2167,7 @@
case Unreachable:
case ExtractOSREntryLocal:
case ExtractCatchLocal:
+ case ClearCatchLocals:
case LoopHint:
case MovHint:
case InitializeEntrypointArguments:
Modified: trunk/Source/_javascript_Core/dfg/DFGMayExit.cpp (232460 => 232461)
--- trunk/Source/_javascript_Core/dfg/DFGMayExit.cpp 2018-06-04 04:02:20 UTC (rev 232460)
+++ trunk/Source/_javascript_Core/dfg/DFGMayExit.cpp 2018-06-04 04:13:42 UTC (rev 232461)
@@ -92,6 +92,7 @@
case ValueRep:
case ExtractOSREntryLocal:
case ExtractCatchLocal:
+ case ClearCatchLocals:
case LogicalNot:
case NotifyWrite:
case PutStructure:
Modified: trunk/Source/_javascript_Core/dfg/DFGNodeType.h (232460 => 232461)
--- trunk/Source/_javascript_Core/dfg/DFGNodeType.h 2018-06-04 04:02:20 UTC (rev 232460)
+++ trunk/Source/_javascript_Core/dfg/DFGNodeType.h 2018-06-04 04:13:42 UTC (rev 232461)
@@ -96,6 +96,7 @@
/* variable from the scratch buffer. */\
macro(ExtractOSREntryLocal, NodeResultJS) \
macro(ExtractCatchLocal, NodeResultJS) \
+ macro(ClearCatchLocals, NodeMustGenerate) \
\
/* Tier-up checks from the DFG to the FTL. */\
macro(CheckTierUpInLoop, NodeMustGenerate) \
Modified: trunk/Source/_javascript_Core/dfg/DFGOSREntry.cpp (232460 => 232461)
--- trunk/Source/_javascript_Core/dfg/DFGOSREntry.cpp 2018-06-04 04:02:20 UTC (rev 232460)
+++ trunk/Source/_javascript_Core/dfg/DFGOSREntry.cpp 2018-06-04 04:13:42 UTC (rev 232461)
@@ -400,6 +400,7 @@
++index;
});
+ // The active length of catchOSREntryBuffer will be zeroed by ClearCatchLocals node.
dfgCommon->catchOSREntryBuffer->setActiveLength(sizeof(JSValue) * index);
return catchEntrypoint->machineCode;
}
Modified: trunk/Source/_javascript_Core/dfg/DFGPredictionPropagationPhase.cpp (232460 => 232461)
--- trunk/Source/_javascript_Core/dfg/DFGPredictionPropagationPhase.cpp 2018-06-04 04:02:20 UTC (rev 232460)
+++ trunk/Source/_javascript_Core/dfg/DFGPredictionPropagationPhase.cpp 2018-06-04 04:13:42 UTC (rev 232461)
@@ -1214,6 +1214,7 @@
case InitializeEntrypointArguments:
case WeakSetAdd:
case WeakMapSet:
+ case ClearCatchLocals:
break;
// This gets ignored because it only pretends to produce a value.
Modified: trunk/Source/_javascript_Core/dfg/DFGSafeToExecute.h (232460 => 232461)
--- trunk/Source/_javascript_Core/dfg/DFGSafeToExecute.h 2018-06-04 04:02:20 UTC (rev 232460)
+++ trunk/Source/_javascript_Core/dfg/DFGSafeToExecute.h 2018-06-04 04:13:42 UTC (rev 232461)
@@ -373,6 +373,7 @@
case Unreachable:
case ExtractOSREntryLocal:
case ExtractCatchLocal:
+ case ClearCatchLocals:
case CheckTierUpInLoop:
case CheckTierUpAtReturn:
case CheckTierUpAndOSREnter:
Modified: trunk/Source/_javascript_Core/dfg/DFGSpeculativeJIT.cpp (232460 => 232461)
--- trunk/Source/_javascript_Core/dfg/DFGSpeculativeJIT.cpp 2018-06-04 04:02:20 UTC (rev 232460)
+++ trunk/Source/_javascript_Core/dfg/DFGSpeculativeJIT.cpp 2018-06-04 04:13:42 UTC (rev 232461)
@@ -12939,6 +12939,17 @@
jsValueResult(resultRegs, node);
}
+void SpeculativeJIT::compileClearCatchLocals(Node* node)
+{
+ ScratchBuffer* scratchBuffer = m_jit.jitCode()->common.catchOSREntryBuffer;
+ ASSERT(scratchBuffer);
+ GPRTemporary scratch(this);
+ GPRReg scratchGPR = scratch.gpr();
+ m_jit.move(TrustedImmPtr(scratchBuffer->addressOfActiveLength()), scratchGPR);
+ m_jit.storePtr(TrustedImmPtr(nullptr), scratchGPR);
+ noResult(node);
+}
+
void SpeculativeJIT::compileProfileType(Node* node)
{
JSValueOperand value(this, node->child1());
Modified: trunk/Source/_javascript_Core/dfg/DFGSpeculativeJIT.h (232460 => 232461)
--- trunk/Source/_javascript_Core/dfg/DFGSpeculativeJIT.h 2018-06-04 04:02:20 UTC (rev 232460)
+++ trunk/Source/_javascript_Core/dfg/DFGSpeculativeJIT.h 2018-06-04 04:13:42 UTC (rev 232461)
@@ -1480,6 +1480,7 @@
void compileLogShadowChickenTail(Node*);
void compileHasIndexedProperty(Node*);
void compileExtractCatchLocal(Node*);
+ void compileClearCatchLocals(Node*);
void compileProfileType(Node*);
void moveTrueTo(GPRReg);
Modified: trunk/Source/_javascript_Core/dfg/DFGSpeculativeJIT32_64.cpp (232460 => 232461)
--- trunk/Source/_javascript_Core/dfg/DFGSpeculativeJIT32_64.cpp 2018-06-04 04:02:20 UTC (rev 232460)
+++ trunk/Source/_javascript_Core/dfg/DFGSpeculativeJIT32_64.cpp 2018-06-04 04:13:42 UTC (rev 232461)
@@ -4039,6 +4039,10 @@
break;
}
+ case ClearCatchLocals:
+ compileClearCatchLocals(node);
+ break;
+
case CheckStructureOrEmpty:
DFG_CRASH(m_jit.graph(), node, "CheckStructureOrEmpty only used in 64-bit DFG");
break;
Modified: trunk/Source/_javascript_Core/dfg/DFGSpeculativeJIT64.cpp (232460 => 232461)
--- trunk/Source/_javascript_Core/dfg/DFGSpeculativeJIT64.cpp 2018-06-04 04:02:20 UTC (rev 232460)
+++ trunk/Source/_javascript_Core/dfg/DFGSpeculativeJIT64.cpp 2018-06-04 04:13:42 UTC (rev 232461)
@@ -4548,6 +4548,10 @@
break;
}
+ case ClearCatchLocals:
+ compileClearCatchLocals(node);
+ break;
+
#if ENABLE(FTL_JIT)
case CheckTierUpInLoop: {
MacroAssembler::Jump callTierUp = m_jit.branchAdd32(
Modified: trunk/Source/_javascript_Core/ftl/FTLCapabilities.cpp (232460 => 232461)
--- trunk/Source/_javascript_Core/ftl/FTLCapabilities.cpp 2018-06-04 04:02:20 UTC (rev 232460)
+++ trunk/Source/_javascript_Core/ftl/FTLCapabilities.cpp 2018-06-04 04:13:42 UTC (rev 232461)
@@ -115,6 +115,7 @@
case Upsilon:
case ExtractOSREntryLocal:
case ExtractCatchLocal:
+ case ClearCatchLocals:
case LoopHint:
case SkipScope:
case GetGlobalObject:
Modified: trunk/Source/_javascript_Core/ftl/FTLLowerDFGToB3.cpp (232460 => 232461)
--- trunk/Source/_javascript_Core/ftl/FTLLowerDFGToB3.cpp 2018-06-04 04:02:20 UTC (rev 232460)
+++ trunk/Source/_javascript_Core/ftl/FTLLowerDFGToB3.cpp 2018-06-04 04:13:42 UTC (rev 232461)
@@ -567,6 +567,9 @@
case ExtractCatchLocal:
compileExtractCatchLocal();
break;
+ case ClearCatchLocals:
+ compileClearCatchLocals();
+ break;
case GetStack:
compileGetStack();
break;
@@ -1694,6 +1697,13 @@
EncodedJSValue* buffer = static_cast<EncodedJSValue*>(m_ftlState.jitCode->common.catchOSREntryBuffer->dataBuffer());
setJSValue(m_out.load64(m_out.absolute(buffer + m_node->catchOSREntryIndex())));
}
+
+ void compileClearCatchLocals()
+ {
+ ScratchBuffer* scratchBuffer = m_ftlState.jitCode->common.catchOSREntryBuffer;
+ ASSERT(scratchBuffer);
+ m_out.storePtr(m_out.constIntPtr(0), m_out.absolute(scratchBuffer->addressOfActiveLength()));
+ }
void compileGetStack()
{
