Diff
Modified: trunk/JSTests/ChangeLog (283206 => 283207)
--- trunk/JSTests/ChangeLog 2021-09-29 01:31:43 UTC (rev 283206)
+++ trunk/JSTests/ChangeLog 2021-09-29 01:33:02 UTC (rev 283207)
@@ -1,3 +1,15 @@
+2021-09-28 Saam Barati <[email protected]>
+
+ DoesGCCheck does not use enough bits for nodeIndex
+ https://bugs.webkit.org/show_bug.cgi?id=230915
+ <rdar://83297515>
+
+ Reviewed by Mark Lam.
+
+ * stress/verify-can-gc-node-index.js: Added.
+ (gen):
+ (f):
+
2021-09-28 Alexey Shvayka <[email protected]>
Speed up setting JSFunction's "prototype" property
Added: trunk/JSTests/stress/verify-can-gc-node-index.js (0 => 283207)
--- trunk/JSTests/stress/verify-can-gc-node-index.js (rev 0)
+++ trunk/JSTests/stress/verify-can-gc-node-index.js 2021-09-29 01:33:02 UTC (rev 283207)
@@ -0,0 +1,19 @@
+//@ runDefault("--destroy-vm", "--maximumFunctionForCallInlineCandidateBytecodeCost=500", "--maximumInliningRecursion=5")
+
+function* gen() {
+}
+let g = gen();
+function f() {
+ g.next();
+ f();
+ f();
+ f();
+ f();
+ f();
+ f();
+ f();
+ f();
+ f();
+ f();
+};
+f();
Modified: trunk/Source/_javascript_Core/ChangeLog (283206 => 283207)
--- trunk/Source/_javascript_Core/ChangeLog 2021-09-29 01:31:43 UTC (rev 283206)
+++ trunk/Source/_javascript_Core/ChangeLog 2021-09-29 01:33:02 UTC (rev 283207)
@@ -1,3 +1,34 @@
+2021-09-28 Saam Barati <[email protected]>
+
+ DoesGCCheck does not use enough bits for nodeIndex
+ https://bugs.webkit.org/show_bug.cgi?id=230915
+ <rdar://83297515>
+
+ Reviewed by Mark Lam.
+
+ * dfg/DFGDoesGCCheck.h:
+ (JSC::DFG::DoesGCCheck::DoesGCCheck):
+ (JSC::DFG::DoesGCCheck::encode):
+ (JSC::DFG::DoesGCCheck::set):
+ (JSC::DFG::DoesGCCheck::expectDoesGC const):
+ (JSC::DFG::DoesGCCheck::isSpecial const):
+ (JSC::DFG::DoesGCCheck::special):
+ (JSC::DFG::DoesGCCheck::nodeOp):
+ (JSC::DFG::DoesGCCheck::nodeIndex):
+ * dfg/DFGOSRExit.cpp:
+ (JSC::DFG::OSRExit::compileExit):
+ * dfg/DFGSpeculativeJIT.cpp:
+ (JSC::DFG::SpeculativeJIT::compileLoopHint):
+ * dfg/DFGSpeculativeJIT32_64.cpp:
+ (JSC::DFG::SpeculativeJIT::compile):
+ * dfg/DFGSpeculativeJIT64.cpp:
+ (JSC::DFG::SpeculativeJIT::compile):
+ * ftl/FTLLowerDFGToB3.cpp:
+ (JSC::FTL::DFG::LowerDFGToB3::compileNode):
+ (JSC::FTL::DFG::LowerDFGToB3::compileCompareStrictEq):
+ * ftl/FTLOSRExitCompiler.cpp:
+ (JSC::FTL::compileStub):
+
2021-09-28 Alex Christensen <[email protected]>
Mostly fix Mac CMake build
Modified: trunk/Source/_javascript_Core/dfg/DFGDoesGCCheck.h (283206 => 283207)
--- trunk/Source/_javascript_Core/dfg/DFGDoesGCCheck.h 2021-09-29 01:31:43 UTC (rev 283206)
+++ trunk/Source/_javascript_Core/dfg/DFGDoesGCCheck.h 2021-09-29 01:33:02 UTC (rev 283207)
@@ -43,39 +43,42 @@
};
DoesGCCheck()
- : m_value(encode(true, Special::Uninitialized))
- { }
+ {
+ u.encoded = encode(true, Special::Uninitialized);
+ }
- static uint32_t encode(bool expectDoesGC, unsigned nodeIndex, unsigned nodeOp)
+ static uint64_t encode(bool expectDoesGC, unsigned nodeIndex, unsigned nodeOp)
{
- // We know nodeOp always fits because of the static_assert in DFGDoesGCCheck.cpp.
- ASSERT((nodeIndex << nodeIndexShift) >> nodeIndexShift == nodeIndex);
- return nodeIndex << nodeIndexShift | nodeOp << nodeOpShift | bits(expectDoesGC);
+ Union un;
+ un.nodeIndex = nodeIndex;
+ un.other = (nodeOp << nodeOpShift) | bits(expectDoesGC);
+ return un.encoded;
}
- static uint32_t encode(bool expectDoesGC, Special special)
+ static uint64_t encode(bool expectDoesGC, Special special)
{
- return bits(special) << specialShift | isSpecialBit | bits(expectDoesGC);
+ Union un;
+ un.nodeIndex = 0;
+ un.other = bits(special) << specialShift | isSpecialBit | bits(expectDoesGC);
+ return un.encoded;
}
void set(bool expectDoesGC, unsigned nodeIndex, unsigned nodeOp)
{
- m_value = encode(expectDoesGC, nodeIndex, nodeOp);
+ u.encoded = encode(expectDoesGC, nodeIndex, nodeOp);
}
void set(bool expectDoesGC, Special special)
{
- m_value = encode(expectDoesGC, special);
+ u.encoded = encode(expectDoesGC, special);
}
- bool expectDoesGC() const { return m_value & expectDoesGCBit; }
- bool isSpecial() const { return m_value & isSpecialBit; }
+ bool expectDoesGC() const { return u.other & expectDoesGCBit; }
+ bool isSpecial() const { return u.other & isSpecialBit; }
+ Special special() { return static_cast<Special>(u.other >> specialShift); }
+ unsigned nodeOp() { return (u.other >> nodeOpShift) & nodeOpMask; }
+ unsigned nodeIndex() { return u.nodeIndex; }
- Special special() { return static_cast<Special>(m_value >> specialShift); }
-
- unsigned nodeOp() { return (m_value >> nodeOpShift) & nodeOpMask; }
- unsigned nodeIndex() { return m_value >> nodeIndexShift; }
-
JS_EXPORT_PRIVATE void verifyCanGC(VM&);
private:
@@ -96,11 +99,14 @@
static constexpr unsigned nodeOpMask = (1 << nodeOpBits) - 1;
static constexpr unsigned nodeOpShift = commonBits;
- static constexpr unsigned nodeIndexBits = 21;
- static constexpr unsigned nodeIndexShift = nodeOpShift + nodeOpBits;
- static_assert(nodeIndexShift + nodeIndexBits == 32);
-
- uint32_t m_value { 0 };
+public:
+ union Union {
+ struct {
+ uint32_t other;
+ uint32_t nodeIndex;
+ };
+ uint64_t encoded;
+ } u;
};
} // namespace DFG
Modified: trunk/Source/_javascript_Core/dfg/DFGOSRExit.cpp (283206 => 283207)
--- trunk/Source/_javascript_Core/dfg/DFGOSRExit.cpp 2021-09-29 01:31:43 UTC (rev 283206)
+++ trunk/Source/_javascript_Core/dfg/DFGOSRExit.cpp 2021-09-29 01:33:02 UTC (rev 283207)
@@ -753,7 +753,14 @@
// to set it here because compileOSRExit() is only called on the first time
// we exit from this site, but all subsequent exits will take this compiled
// ramp without calling compileOSRExit() first.
- jit.store32(CCallHelpers::TrustedImm32(DoesGCCheck::encode(true, DoesGCCheck::Special::DFGOSRExit)), vm.heap.addressOfDoesGC());
+ DoesGCCheck check;
+ check.u.encoded = DoesGCCheck::encode(true, DoesGCCheck::Special::DFGOSRExit);
+#if USE(JSVALUE64)
+ jit.store64(CCallHelpers::TrustedImm64(check.u.encoded), vm.heap.addressOfDoesGC());
+#else
+ jit.store32(CCallHelpers::TrustedImm32(check.u.other), &vm.heap.addressOfDoesGC()->u.other);
+ jit.store32(CCallHelpers::TrustedImm32(check.u.nodeIndex), &vm.heap.addressOfDoesGC()->u.nodeIndex);
+#endif
}
}
Modified: trunk/Source/_javascript_Core/dfg/DFGSpeculativeJIT.cpp (283206 => 283207)
--- trunk/Source/_javascript_Core/dfg/DFGSpeculativeJIT.cpp 2021-09-29 01:31:43 UTC (rev 283206)
+++ trunk/Source/_javascript_Core/dfg/DFGSpeculativeJIT.cpp 2021-09-29 01:33:02 UTC (rev 283207)
@@ -2110,8 +2110,14 @@
if constexpr (validateDFGDoesGC) {
if (Options::validateDoesGC()) {
// We need to mock what a Return does: claims to GC.
- m_jit.move(CCallHelpers::TrustedImmPtr(vm().heap.addressOfDoesGC()), GPRInfo::regT0);
- m_jit.store32(CCallHelpers::TrustedImm32(DoesGCCheck::encode(true, DoesGCCheck::Special::Uninitialized)), CCallHelpers::Address(GPRInfo::regT0));
+ DoesGCCheck check;
+ check.u.encoded = DoesGCCheck::encode(true, DoesGCCheck::Special::Uninitialized);
+#if USE(JSVALUE64)
+ m_jit.store64(CCallHelpers::TrustedImm64(check.u.encoded), vm().heap.addressOfDoesGC());
+#else
+ m_jit.store32(CCallHelpers::TrustedImm32(check.u.other), &vm().heap.addressOfDoesGC()->u.other);
+ m_jit.store32(CCallHelpers::TrustedImm32(check.u.nodeIndex), &vm().heap.addressOfDoesGC()->u.nodeIndex);
+#endif
}
}
Modified: trunk/Source/_javascript_Core/dfg/DFGSpeculativeJIT32_64.cpp (283206 => 283207)
--- trunk/Source/_javascript_Core/dfg/DFGSpeculativeJIT32_64.cpp 2021-09-29 01:31:43 UTC (rev 283206)
+++ trunk/Source/_javascript_Core/dfg/DFGSpeculativeJIT32_64.cpp 2021-09-29 01:33:02 UTC (rev 283207)
@@ -2149,7 +2149,10 @@
if constexpr (validateDFGDoesGC) {
if (Options::validateDoesGC()) {
bool expectDoesGC = doesGC(m_jit.graph(), node);
- m_jit.store32(TrustedImm32(DoesGCCheck::encode(expectDoesGC, node->index(), node->op())), vm().heap.addressOfDoesGC());
+ DoesGCCheck check;
+ check.u.encoded = DoesGCCheck::encode(expectDoesGC, node->index(), node->op());
+ m_jit.store32(CCallHelpers::TrustedImm32(check.u.other), &vm().heap.addressOfDoesGC()->u.other);
+ m_jit.store32(CCallHelpers::TrustedImm32(check.u.nodeIndex), &vm().heap.addressOfDoesGC()->u.nodeIndex);
}
}
Modified: trunk/Source/_javascript_Core/dfg/DFGSpeculativeJIT64.cpp (283206 => 283207)
--- trunk/Source/_javascript_Core/dfg/DFGSpeculativeJIT64.cpp 2021-09-29 01:31:43 UTC (rev 283206)
+++ trunk/Source/_javascript_Core/dfg/DFGSpeculativeJIT64.cpp 2021-09-29 01:33:02 UTC (rev 283207)
@@ -2701,7 +2701,7 @@
if constexpr (validateDFGDoesGC) {
if (Options::validateDoesGC()) {
bool expectDoesGC = doesGC(m_jit.graph(), node);
- m_jit.store32(TrustedImm32(DoesGCCheck::encode(expectDoesGC, node->index(), node->op())), vm().heap.addressOfDoesGC());
+ m_jit.store64(TrustedImm64(DoesGCCheck::encode(expectDoesGC, node->index(), node->op())), vm().heap.addressOfDoesGC());
}
}
Modified: trunk/Source/_javascript_Core/ftl/FTLLowerDFGToB3.cpp (283206 => 283207)
--- trunk/Source/_javascript_Core/ftl/FTLLowerDFGToB3.cpp 2021-09-29 01:31:43 UTC (rev 283206)
+++ trunk/Source/_javascript_Core/ftl/FTLLowerDFGToB3.cpp 2021-09-29 01:33:02 UTC (rev 283207)
@@ -718,7 +718,7 @@
if constexpr (validateDFGDoesGC) {
if (Options::validateDoesGC()) {
bool expectDoesGC = doesGC(m_graph, m_node);
- m_out.store(m_out.constInt32(DoesGCCheck::encode(expectDoesGC, m_node->index(), m_node->op())), m_out.absolute(vm().heap.addressOfDoesGC()));
+ m_out.store(m_out.constInt64(DoesGCCheck::encode(expectDoesGC, m_node->index(), m_node->op())), m_out.absolute(vm().heap.addressOfDoesGC()));
}
}
@@ -16022,8 +16022,8 @@
if (Options::validateDoesGC()) {
// We need to mock what a Return does: claims to GC.
jit.move(CCallHelpers::TrustedImmPtr(vm->heap.addressOfDoesGC()), GPRInfo::regT0);
- jit.move(CCallHelpers::TrustedImm32(DoesGCCheck::encode(true, DoesGCCheck::Special::Uninitialized)), GPRInfo::regT1);
- jit.store32(GPRInfo::regT1, CCallHelpers::Address(GPRInfo::regT0));
+ jit.move(CCallHelpers::TrustedImm64(DoesGCCheck::encode(true, DoesGCCheck::Special::Uninitialized)), GPRInfo::regT1);
+ jit.store64(GPRInfo::regT1, CCallHelpers::Address(GPRInfo::regT0));
}
}
restore();
Modified: trunk/Source/_javascript_Core/ftl/FTLOSRExitCompiler.cpp (283206 => 283207)
--- trunk/Source/_javascript_Core/ftl/FTLOSRExitCompiler.cpp 2021-09-29 01:31:43 UTC (rev 283206)
+++ trunk/Source/_javascript_Core/ftl/FTLOSRExitCompiler.cpp 2021-09-29 01:33:02 UTC (rev 283207)
@@ -218,7 +218,7 @@
// to set it here because compileFTLOSRExit() is only called on the first time
// we exit from this site, but all subsequent exits will take this compiled
// ramp without calling compileFTLOSRExit() first.
- jit.store32(CCallHelpers::TrustedImm32(DoesGCCheck::encode(true, DoesGCCheck::Special::FTLOSRExit)), vm.heap.addressOfDoesGC());
+ jit.store64(CCallHelpers::TrustedImm64(DoesGCCheck::encode(true, DoesGCCheck::Special::FTLOSRExit)), vm.heap.addressOfDoesGC());
}
}
