Title: [288838] trunk/Source/JavaScriptCore
Revision: 288838
Author: [email protected]
Date: 2022-01-31 13:15:52 -0800 (Mon, 31 Jan 2022)

Log Message

[RISCV64] Fix offlineasm lowering of arithmetic branch instructions with address destinations
https://bugs.webkit.org/show_bug.cgi?id=235887

Patch by Zan Dobersek <[email protected]> on 2022-01-31
Reviewed by Yusuke Suzuki.

Fix lowering of baddi* and bsubi* instructions in the riscv64 offlineasm
backend. Node.riscCloneWithOperandsLowered() doesn't do the job properly
when the result of the arithmetic operation has to be stored back into
memory. In that case, right now these instructions are lowered into a
sequence that loads from memory, performs the arithmetic operation,
sets up the branch and only then stores the result back into memory,
which means the result never gets written back if the branch is taken.
Most prominently this breaks the execution counter through which JIT
entry is decided.

The riscv64LowerMisplacedAddresses() pass is specialized to cover
baddi* and bsubi* instructions whose destination operand is an address.
A manual sequence is constructed, loading, adding/subtracting, storing
and only then branching on the given condition.

* offlineasm/riscv64.rb:

Diff

Modified: trunk/Source/JavaScriptCore/ChangeLog (288837 => 288838)


--- trunk/Source/_javascript_Core/ChangeLog	2022-01-31 21:01:21 UTC (rev 288837)
+++ trunk/Source/_javascript_Core/ChangeLog	2022-01-31 21:15:52 UTC (rev 288838)
@@ -1,3 +1,27 @@
+2022-01-31  Zan Dobersek  <[email protected]>
+
+        [RISCV64] Fix offlineasm lowering of arithmetic branch instructions with address destinations
+        https://bugs.webkit.org/show_bug.cgi?id=235887
+
+        Reviewed by Yusuke Suzuki.
+
+        Fix lowering of baddi* and bsubi* instructions in the riscv64 offlineasm
+        backend. Node.riscCloneWithOperandsLowered() doesn't do the job properly
+        when the result of the arithmetic operation has to be stored back into
+        memory. In that case, right now these instructions are lowered into a
+        sequence that loads from memory, performs the arithmetic operation,
+        sets up the branch and only then stores the result back into memory,
+        which means the result never gets written back if the branch is taken.
+        Most prominently this breaks the execution counter through which JIT
+        entry is decided.
+
+        The riscv64LowerMisplacedAddresses() pass is specialized to cover
+        baddi* and bsubi* instructions whose destination operand is an address.
+        A manual sequence is constructed, loading, adding/subtracting, storing
+        and only then branching on the given condition.
+
+        * offlineasm/riscv64.rb:
+
 2022-01-31  Keith Miller  <[email protected]>
 
         Reland StructureID overhaul
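
Review bot: The entry ends at `* offlineasm/riscv64.rb:` with nothing after the colon, and the description above it leaves out two things the diff does: `/^bmuli/` is dropped from the matched opcodes, and `riscv64LowerMisplacedAddresses` is moved ahead of `riscLowerMisplacedAddresses` in the pass list. Suggest a short note under the file entry naming both, since neither is evident from the text and the `bmuli` change affects an opcode the log never mentions.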

Modified: trunk/Source/JavaScriptCore/offlineasm/riscv64.rb (288837 => 288838)


--- trunk/Source/_javascript_Core/offlineasm/riscv64.rb	2022-01-31 21:01:21 UTC (rev 288837)
+++ trunk/Source/_javascript_Core/offlineasm/riscv64.rb	2022-01-31 21:15:52 UTC (rev 288838)
@@ -400,10 +400,17 @@
         | node |
         if node.is_a? Instruction
             case node.opcode
-            when /^baddi/, /^bsubi/, /^bmuli/
-                postInstructions = []
-                newList << node.riscCloneWithOperandsLowered(newList, postInstructions, "i")
-                newList += postInstructions
+            when /^b(add|sub)i(z|nz|s)$/
+                case riscv64OperandTypes(node.operands)
+                when [Immediate, Address, LocalLabelReference]
+                    tmp = Tmp.new(node.codeOrigin, :gpr)
+                    newList << Instruction.new(node.codeOrigin, "loadi", [node.operands[1], tmp])
+                    newList << Instruction.new(node.codeOrigin, "#{$1}i", [tmp, node.operands[0], tmp])
+                    newList << Instruction.new(node.codeOrigin, "storei", [tmp, node.operands[1]])
+                    newList << Instruction.new(node.codeOrigin, "bti#{$2}", [tmp, node.operands[2]])
+                else
+                    newList << node
+                end
             else
                 newList << node
             end
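
Review bot: The new `when /^b(add|sub)i(z|nz|s)$/` is narrower than the `/^baddi/, /^bsubi/, /^bmuli/` it replaces, so `bmuli*` and any `baddi`/`bsubi` form with another suffix now reach the outer `else` and are passed through by this pass, as is every operand shape other than `[Immediate, Address, LocalLabelReference]`. If any of those forms can carry an address destination, they would still get the store-after-branch ordering the log message describes; please either cover them here or add a comment saying where they are lowered. Separately, `$1` and `$2` are read several lines after the match, across a nested `case`; binding them to named locals right after the `when` would keep a later edit that introduces another regex match in between from silently changing the emitted opcode names.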
@@ -1465,8 +1472,8 @@
                 false
             end
         }
+        result = riscv64LowerMisplacedAddresses(result)
         result = riscLowerMisplacedAddresses(result)
-        result = riscv64LowerMisplacedAddresses(result)
         result = riscv64LowerAddressLoads(result)
 
         result = riscLowerMisplacedImmediates(result, ["storeb", "storeh", "storei", "storep", "storeq"])
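
Review bot: The swap at `result = riscv64LowerMisplacedAddresses(result)` makes the fix depend on this pass running before `riscLowerMisplacedAddresses`, but nothing at the call site says so. Suggest a one-line comment above it stating that the `baddi*`/`bsubi*` address-destination cases must be rewritten before the generic pass sees them, so the order is not reverted in a later cleanup. It is also worth confirming that whatever else `riscv64LowerMisplacedAddresses` handles does not rely on running after the generic pass, since only its `baddi`/`bsubi` branch is visible in this diff.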