[webkit-changes] [161400] branches/jsCStack/Source/JavaScriptCore

Mon, 06 Jan 2014 20:55:36 -0800

Title: [161400] branches/jsCStack/Source/_javascript_Core
Revision
161400
Author
[email protected]
Date
2014-01-06 20:58:47 -0800 (Mon, 06 Jan 2014)

Log Message

Merge of trunk r160493

2013-12-11  Filip Pizlo  <[email protected]>

    ARM64: Hang running pdfjs test, suspect DFG generated code for "in"
    https://bugs.webkit.org/show_bug.cgi?id=124727
    <rdar://problem/15566923>

    Reviewed by Michael Saboff.

    Get rid of In's hackish use of StructureStubInfo. Previously it was using hotPathBegin,
    and it was the only IC that used that field, which was wasteful. Moreover, it used it
    to store two separate locations: the label for patching the jump and the label right
    after the jump. The code was relying on those two being the same label, which is true
    on X86 and some other platforms, but it isn't true on ARM64.

    This gets rid of hotPathBegin and makes In express those two locations as offsets from
    the callReturnLocation, which is analogous to what the other IC's do.

    This fixes a bug where any successful In patching would result in a trivially infinite
    loop - and hence a hang - on ARM64.

    * bytecode/StructureStubInfo.h:
    * dfg/DFGJITCompiler.cpp:
    (JSC::DFG::JITCompiler::link):
    * dfg/DFGJITCompiler.h:
    (JSC::DFG::InRecord::InRecord):
    * dfg/DFGSpeculativeJIT.cpp:
    (JSC::DFG::SpeculativeJIT::compileIn):
    * jit/JITInlineCacheGenerator.cpp:
    (JSC::JITByIdGenerator::finalize):
    * jit/Repatch.cpp:
    (JSC::replaceWithJump):
    (JSC::patchJumpToGetByIdStub):
    (JSC::tryCachePutByID):
    (JSC::tryBuildPutByIdList):
    (JSC::tryRepatchIn):
    (JSC::resetGetByID):
    (JSC::resetPutByID):
    (JSC::resetIn):

Modified Paths

Diff

Modified: branches/jsCStack/Source/_javascript_Core/ChangeLog (161399 => 161400)


--- branches/jsCStack/Source/_javascript_Core/ChangeLog	2014-01-07 04:52:48 UTC (rev 161399)
+++ branches/jsCStack/Source/_javascript_Core/ChangeLog	2014-01-07 04:58:47 UTC (rev 161400)
@@ -1,3 +1,46 @@
+2014-01-06  Michael Saboff  <[email protected]>
+
+        Merge of trunk r160493
+
+    2013-12-11  Filip Pizlo  <[email protected]>
+
+            ARM64: Hang running pdfjs test, suspect DFG generated code for "in"
+            https://bugs.webkit.org/show_bug.cgi?id=124727
+            <rdar://problem/15566923>
+
+            Reviewed by Michael Saboff.
+            
+            Get rid of In's hackish use of StructureStubInfo. Previously it was using hotPathBegin,
+            and it was the only IC that used that field, which was wasteful. Moreover, it used it
+            to store two separate locations: the label for patching the jump and the label right
+            after the jump. The code was relying on those two being the same label, which is true
+            on X86 and some other platforms, but it isn't true on ARM64.
+            
+            This gets rid of hotPathBegin and makes In express those two locations as offsets from
+            the callReturnLocation, which is analogous to what the other IC's do.
+            
+            This fixes a bug where any successful In patching would result in a trivially infinite
+            loop - and hence a hang - on ARM64.
+
+            * bytecode/StructureStubInfo.h:
+            * dfg/DFGJITCompiler.cpp:
+            (JSC::DFG::JITCompiler::link):
+            * dfg/DFGJITCompiler.h:
+            (JSC::DFG::InRecord::InRecord):
+            * dfg/DFGSpeculativeJIT.cpp:
+            (JSC::DFG::SpeculativeJIT::compileIn):
+            * jit/JITInlineCacheGenerator.cpp:
+            (JSC::JITByIdGenerator::finalize):
+            * jit/Repatch.cpp:
+            (JSC::replaceWithJump):
+            (JSC::patchJumpToGetByIdStub):
+            (JSC::tryCachePutByID):
+            (JSC::tryBuildPutByIdList):
+            (JSC::tryRepatchIn):
+            (JSC::resetGetByID):
+            (JSC::resetPutByID):
+            (JSC::resetIn):
+
 2014-01-06  Filip Pizlo  <[email protected]>
 
         Merge trunk r160294, r160295, r160328, r160347, r160348.

Modified: branches/jsCStack/Source/_javascript_Core/bytecode/StructureStubInfo.h (161399 => 161400)


--- branches/jsCStack/Source/_javascript_Core/bytecode/StructureStubInfo.h	2014-01-07 04:52:48 UTC (rev 161399)
+++ branches/jsCStack/Source/_javascript_Core/bytecode/StructureStubInfo.h	2014-01-07 04:58:47 UTC (rev 161400)
@@ -233,7 +233,7 @@
         RegisterSet usedRegisters;
         int32_t deltaCallToDone;
         int32_t deltaCallToStorageLoad;
-        int32_t deltaCallToStructCheck;
+        int32_t deltaCallToJump;
         int32_t deltaCallToSlowCase;
         int32_t deltaCheckImmToCall;
 #if USE(JSVALUE64)
@@ -290,7 +290,6 @@
 
     RefPtr<JITStubRoutine> stubRoutine;
     CodeLocationCall callReturnLocation;
-    CodeLocationLabel hotPathBegin; // FIXME: This is only used by DFG In IC.
     RefPtr<WatchpointsOnStructureStubInfo> watchpoints;
 };

Modified: branches/jsCStack/Source/_javascript_Core/dfg/DFGJITCompiler.cpp (161399 => 161400)


--- branches/jsCStack/Source/_javascript_Core/dfg/DFGJITCompiler.cpp	2014-01-07 04:52:48 UTC (rev 161399)
+++ branches/jsCStack/Source/_javascript_Core/dfg/DFGJITCompiler.cpp	2014-01-07 04:58:47 UTC (rev 161400)
@@ -221,9 +221,9 @@
 
     for (unsigned i = 0; i < m_ins.size(); ++i) {
         StructureStubInfo& info = *m_ins[i].m_stubInfo;
-        CodeLocationLabel jump = linkBuffer.locationOf(m_ins[i].m_jump);
         CodeLocationCall callReturnLocation = linkBuffer.locationOf(m_ins[i].m_slowPathGenerator->call());
-        info.hotPathBegin = jump;
+        info.patch.deltaCallToDone = differenceBetweenCodePtr(callReturnLocation, linkBuffer.locationOf(m_ins[i].m_done));
+        info.patch.deltaCallToJump = differenceBetweenCodePtr(callReturnLocation, linkBuffer.locationOf(m_ins[i].m_jump));
         info.callReturnLocation = callReturnLocation;
         info.patch.deltaCallToSlowCase = differenceBetweenCodePtr(callReturnLocation, linkBuffer.locationOf(m_ins[i].m_slowPathGenerator->label()));
     }

Modified: branches/jsCStack/Source/_javascript_Core/dfg/DFGJITCompiler.h (161399 => 161400)


--- branches/jsCStack/Source/_javascript_Core/dfg/DFGJITCompiler.h	2014-01-07 04:52:48 UTC (rev 161399)
+++ branches/jsCStack/Source/_javascript_Core/dfg/DFGJITCompiler.h	2014-01-07 04:58:47 UTC (rev 161400)
@@ -81,15 +81,17 @@
 
 struct InRecord {
     InRecord(
-        MacroAssembler::PatchableJump jump, SlowPathGenerator* slowPathGenerator,
-        StructureStubInfo* stubInfo)
+        MacroAssembler::PatchableJump jump, MacroAssembler::Label done,
+        SlowPathGenerator* slowPathGenerator, StructureStubInfo* stubInfo)
         : m_jump(jump)
+        , m_done(done)
         , m_slowPathGenerator(slowPathGenerator)
         , m_stubInfo(stubInfo)
     {
     }
     
     MacroAssembler::PatchableJump m_jump;
+    MacroAssembler::Label m_done;
     SlowPathGenerator* m_slowPathGenerator;
     StructureStubInfo* m_stubInfo;
 };

Modified: branches/jsCStack/Source/_javascript_Core/dfg/DFGSpeculativeJIT.cpp (161399 => 161400)


--- branches/jsCStack/Source/_javascript_Core/dfg/DFGSpeculativeJIT.cpp	2014-01-07 04:52:48 UTC (rev 161399)
+++ branches/jsCStack/Source/_javascript_Core/dfg/DFGSpeculativeJIT.cpp	2014-01-07 04:58:47 UTC (rev 161400)
@@ -972,8 +972,9 @@
             GPRReg resultGPR = result.gpr();
 
             use(node->child1());
-                
+            
             MacroAssembler::PatchableJump jump = m_jit.patchableJump();
+            MacroAssembler::Label done = m_jit.label();
             
             OwnPtr<SlowPathGenerator> slowPath = slowPathCall(
                 jump.m_jump, this, operationInOptimize,
@@ -986,7 +987,7 @@
             stubInfo->patch.usedRegisters = usedRegisters();
             stubInfo->patch.registersFlushed = false;
             
-            m_jit.addIn(InRecord(jump, slowPath.get(), stubInfo));
+            m_jit.addIn(InRecord(jump, done, slowPath.get(), stubInfo));
             addSlowPathGenerator(slowPath.release());
                 
             base.use();

Modified: branches/jsCStack/Source/_javascript_Core/jit/JITInlineCacheGenerator.cpp (161399 => 161400)


--- branches/jsCStack/Source/_javascript_Core/jit/JITInlineCacheGenerator.cpp	2014-01-07 04:52:48 UTC (rev 161399)
+++ branches/jsCStack/Source/_javascript_Core/jit/JITInlineCacheGenerator.cpp	2014-01-07 04:58:47 UTC (rev 161400)
@@ -75,7 +75,7 @@
     m_stubInfo->callReturnLocation = callReturnLocation;
     m_stubInfo->patch.deltaCheckImmToCall = MacroAssembler::differenceBetweenCodePtr(
         fastPath.locationOf(m_structureImm), callReturnLocation);
-    m_stubInfo->patch.deltaCallToStructCheck = MacroAssembler::differenceBetweenCodePtr(
+    m_stubInfo->patch.deltaCallToJump = MacroAssembler::differenceBetweenCodePtr(
         callReturnLocation, fastPath.locationOf(m_structureCheck));
 #if USE(JSVALUE64)
     m_stubInfo->patch.deltaCallToLoadOrStore = MacroAssembler::differenceBetweenCodePtr(

Modified: branches/jsCStack/Source/_javascript_Core/jit/Repatch.cpp (161399 => 161400)


--- branches/jsCStack/Source/_javascript_Core/jit/Repatch.cpp	2014-01-07 04:52:48 UTC (rev 161399)
+++ branches/jsCStack/Source/_javascript_Core/jit/Repatch.cpp	2014-01-07 04:58:47 UTC (rev 161400)
@@ -169,7 +169,7 @@
     
     repatchBuffer.relink(
         stubInfo.callReturnLocation.jumpAtOffset(
-            stubInfo.patch.deltaCallToStructCheck),
+            stubInfo.patch.deltaCallToJump),
         CodeLocationLabel(target));
 }
 
@@ -452,7 +452,7 @@
     if (stubInfo.u.getByIdSelfList.didSelfPatching) {
         repatchBuffer.relink(
             stubInfo.callReturnLocation.jumpAtOffset(
-                stubInfo.patch.deltaCallToStructCheck),
+                stubInfo.patch.deltaCallToJump),
             CodeLocationLabel(stubRoutine->code().code()));
         return;
     }
@@ -1030,7 +1030,7 @@
             RepatchBuffer repatchBuffer(codeBlock);
             repatchBuffer.relink(
                 stubInfo.callReturnLocation.jumpAtOffset(
-                    stubInfo.patch.deltaCallToStructCheck),
+                    stubInfo.patch.deltaCallToJump),
                 CodeLocationLabel(stubInfo.stubRoutine->code().code()));
             repatchCall(repatchBuffer, stubInfo.callReturnLocation, appropriateListBuildingPutByIdFunction(slot, putKind));
             
@@ -1134,7 +1134,7 @@
         }
         
         RepatchBuffer repatchBuffer(codeBlock);
-        repatchBuffer.relink(stubInfo.callReturnLocation.jumpAtOffset(stubInfo.patch.deltaCallToStructCheck), CodeLocationLabel(stubRoutine->code().code()));
+        repatchBuffer.relink(stubInfo.callReturnLocation.jumpAtOffset(stubInfo.patch.deltaCallToJump), CodeLocationLabel(stubRoutine->code().code()));
         
         if (list->isFull())
             repatchCall(repatchBuffer, stubInfo.callReturnLocation, appropriateGenericPutByIdFunction(slot, putKind));
@@ -1178,7 +1178,7 @@
     PolymorphicAccessStructureList* polymorphicStructureList;
     int listIndex;
     
-    CodeLocationLabel successLabel = stubInfo.hotPathBegin;
+    CodeLocationLabel successLabel = stubInfo.callReturnLocation.labelAtOffset(stubInfo.patch.deltaCallToDone);
     CodeLocationLabel slowCaseLabel;
     
     if (stubInfo.accessType == access_unset) {
@@ -1256,7 +1256,7 @@
     stubInfo.u.inList.listSize++;
     
     RepatchBuffer repatchBuffer(codeBlock);
-    repatchBuffer.relink(stubInfo.hotPathBegin.jumpAtOffset(0), CodeLocationLabel(stubRoutine->code().code()));
+    repatchBuffer.relink(stubInfo.callReturnLocation.jumpAtOffset(stubInfo.patch.deltaCallToJump), CodeLocationLabel(stubRoutine->code().code()));
     
     return listIndex < (POLYMORPHIC_LIST_CACHE_SIZE - 1);
 }
@@ -1448,7 +1448,7 @@
     repatchBuffer.repatch(stubInfo.callReturnLocation.dataLabelCompactAtOffset(stubInfo.patch.deltaCallToTagLoadOrStore), 0);
     repatchBuffer.repatch(stubInfo.callReturnLocation.dataLabelCompactAtOffset(stubInfo.patch.deltaCallToPayloadLoadOrStore), 0);
 #endif
-    repatchBuffer.relink(stubInfo.callReturnLocation.jumpAtOffset(stubInfo.patch.deltaCallToStructCheck), stubInfo.callReturnLocation.labelAtOffset(stubInfo.patch.deltaCallToSlowCase));
+    repatchBuffer.relink(stubInfo.callReturnLocation.jumpAtOffset(stubInfo.patch.deltaCallToJump), stubInfo.callReturnLocation.labelAtOffset(stubInfo.patch.deltaCallToSlowCase));
 }
 
 void resetPutByID(RepatchBuffer& repatchBuffer, StructureStubInfo& stubInfo)
@@ -1482,12 +1482,12 @@
     repatchBuffer.repatch(stubInfo.callReturnLocation.dataLabel32AtOffset(stubInfo.patch.deltaCallToTagLoadOrStore), 0);
     repatchBuffer.repatch(stubInfo.callReturnLocation.dataLabel32AtOffset(stubInfo.patch.deltaCallToPayloadLoadOrStore), 0);
 #endif
-    repatchBuffer.relink(stubInfo.callReturnLocation.jumpAtOffset(stubInfo.patch.deltaCallToStructCheck), stubInfo.callReturnLocation.labelAtOffset(stubInfo.patch.deltaCallToSlowCase));
+    repatchBuffer.relink(stubInfo.callReturnLocation.jumpAtOffset(stubInfo.patch.deltaCallToJump), stubInfo.callReturnLocation.labelAtOffset(stubInfo.patch.deltaCallToSlowCase));
 }
 
 void resetIn(RepatchBuffer& repatchBuffer, StructureStubInfo& stubInfo)
 {
-    repatchBuffer.relink(stubInfo.hotPathBegin.jumpAtOffset(0), stubInfo.callReturnLocation.labelAtOffset(stubInfo.patch.deltaCallToSlowCase));
+    repatchBuffer.relink(stubInfo.callReturnLocation.jumpAtOffset(stubInfo.patch.deltaCallToJump), stubInfo.callReturnLocation.labelAtOffset(stubInfo.patch.deltaCallToSlowCase));
 }
 
 } // namespace JSC

_______________________________________________
webkit-changes mailing list
[email protected]
https://lists.webkit.org/mailman/listinfo/webkit-changes

Reply via email to