Title: [163493] tags/Safari-538.16.2/Source/_javascript_Core

Diff

Modified: tags/Safari-538.16.2/Source/_javascript_Core/ChangeLog (163492 => 163493)


--- tags/Safari-538.16.2/Source/_javascript_Core/ChangeLog	2014-02-06 00:49:42 UTC (rev 163492)
+++ tags/Safari-538.16.2/Source/_javascript_Core/ChangeLog	2014-02-06 00:52:04 UTC (rev 163493)
@@ -1,5 +1,31 @@
 2014-02-05  Lucas Forschler  <[email protected]>
 
+        Merge r163471
+
+    2014-02-05  Mark Hahnenberg  <[email protected]>
+
+            Can no longer run OctaneV2 in browser, crashes in speculationFromCell
+            https://bugs.webkit.org/show_bug.cgi?id=128266
+
+            Reviewed by Filip Pizlo.
+
+            Move the OSR exit write barriers into OSRExitCompilerCommon. Also reorganize some 
+            of the code to be in more appropriate places.
+
+            * dfg/DFGOSRExitCompiler32_64.cpp:
+            (JSC::DFG::OSRExitCompiler::compileExit):
+            * dfg/DFGOSRExitCompiler64.cpp:
+            (JSC::DFG::OSRExitCompiler::compileExit):
+            * dfg/DFGOSRExitCompilerCommon.cpp:
+            (JSC::DFG::osrWriteBarrier):
+            (JSC::DFG::adjustAndJumpToTarget):
+            * dfg/DFGSpeculativeJIT.cpp:
+            * dfg/DFGSpeculativeJIT.h:
+            * jit/AssemblyHelpers.h:
+            (JSC::AssemblyHelpers::genericWriteBarrier):
+
+2014-02-05  Lucas Forschler  <[email protected]>
+
         Merge r163420
 
     2014-02-04  Mark Hahnenberg  <[email protected]>

Modified: tags/Safari-538.16.2/Source/_javascript_Core/dfg/DFGOSRExitCompiler32_64.cpp (163492 => 163493)


--- tags/Safari-538.16.2/Source/_javascript_Core/dfg/DFGOSRExitCompiler32_64.cpp	2014-02-06 00:49:42 UTC (rev 163492)
+++ tags/Safari-538.16.2/Source/_javascript_Core/dfg/DFGOSRExitCompiler32_64.cpp	2014-02-06 00:52:04 UTC (rev 163493)
@@ -456,17 +456,6 @@
         }
     }
 
-#if ENABLE(GGC) 
-    // 11) Write barrier the owner executable because we're jumping into a different block.
-    for (CodeOrigin codeOrigin = exit.m_codeOrigin; ; codeOrigin = codeOrigin.inlineCallFrame->caller) {
-        CodeBlock* baselineCodeBlock = m_jit.baselineCodeBlockFor(codeOrigin);
-        m_jit.move(AssemblyHelpers::TrustedImmPtr(baselineCodeBlock->ownerExecutable()), GPRInfo::nonArgGPR0); 
-        SpeculativeJIT::osrWriteBarrier(m_jit, GPRInfo::nonArgGPR0, GPRInfo::nonArgGPR1, GPRInfo::nonArgGPR2);
-        if (!codeOrigin.inlineCallFrame)
-            break;
-    }
-#endif
-
     // 12) And finish.
     adjustAndJumpToTarget(m_jit, exit);
 }

Modified: tags/Safari-538.16.2/Source/_javascript_Core/dfg/DFGOSRExitCompiler64.cpp (163492 => 163493)


--- tags/Safari-538.16.2/Source/_javascript_Core/dfg/DFGOSRExitCompiler64.cpp	2014-02-06 00:49:42 UTC (rev 163492)
+++ tags/Safari-538.16.2/Source/_javascript_Core/dfg/DFGOSRExitCompiler64.cpp	2014-02-06 00:52:04 UTC (rev 163493)
@@ -412,17 +412,6 @@
         }
     }
 
-#if ENABLE(GGC) 
-    // 11) Write barrier the owner executable because we're jumping into a different block.
-    for (CodeOrigin codeOrigin = exit.m_codeOrigin; ; codeOrigin = codeOrigin.inlineCallFrame->caller) {
-        CodeBlock* baselineCodeBlock = m_jit.baselineCodeBlockFor(codeOrigin);
-        m_jit.move(AssemblyHelpers::TrustedImmPtr(baselineCodeBlock->ownerExecutable()), GPRInfo::nonArgGPR0); 
-        SpeculativeJIT::osrWriteBarrier(m_jit, GPRInfo::nonArgGPR0, GPRInfo::nonArgGPR1, GPRInfo::nonArgGPR2);
-        if (!codeOrigin.inlineCallFrame)
-            break;
-    }
-#endif
-
     // 12) And finish.
     adjustAndJumpToTarget(m_jit, exit);
 }

Modified: tags/Safari-538.16.2/Source/_javascript_Core/dfg/DFGOSRExitCompilerCommon.cpp (163492 => 163493)


--- tags/Safari-538.16.2/Source/_javascript_Core/dfg/DFGOSRExitCompilerCommon.cpp	2014-02-06 00:49:42 UTC (rev 163492)
+++ tags/Safari-538.16.2/Source/_javascript_Core/dfg/DFGOSRExitCompilerCommon.cpp	2014-02-06 00:52:04 UTC (rev 163493)
@@ -160,8 +160,39 @@
     jit.store32(AssemblyHelpers::TrustedImm32(locationBits), AssemblyHelpers::tagFor((VirtualRegister)(JSStack::ArgumentCount)));
 }
 
+static void osrWriteBarrier(CCallHelpers& jit, GPRReg owner, GPRReg scratch1, GPRReg scratch2)
+{
+    AssemblyHelpers::Jump definitelyNotMarked = jit.genericWriteBarrier(owner, scratch1, scratch2);
+
+    // We need these extra slots because setupArgumentsWithExecState will use poke on x86.
+#if CPU(X86)
+    jit.subPtr(MacroAssembler::TrustedImm32(sizeof(void*) * 3), MacroAssembler::stackPointerRegister);
+#endif
+
+    jit.setupArgumentsWithExecState(owner);
+    jit.move(MacroAssembler::TrustedImmPtr(reinterpret_cast<void*>(operationOSRWriteBarrier)), scratch1);
+    jit.call(scratch1);
+
+#if CPU(X86)
+    jit.addPtr(MacroAssembler::TrustedImm32(sizeof(void*) * 3), MacroAssembler::stackPointerRegister);
+#endif
+
+    definitelyNotMarked.link(&jit);
+}
+
 void adjustAndJumpToTarget(CCallHelpers& jit, const OSRExitBase& exit)
 {
+#if ENABLE(GGC) 
+    // 11) Write barrier the owner executable because we're jumping into a different block.
+    for (CodeOrigin codeOrigin = exit.m_codeOrigin; ; codeOrigin = codeOrigin.inlineCallFrame->caller) {
+        CodeBlock* baselineCodeBlock = jit.baselineCodeBlockFor(codeOrigin);
+        jit.move(AssemblyHelpers::TrustedImmPtr(baselineCodeBlock->ownerExecutable()), GPRInfo::nonArgGPR0); 
+        osrWriteBarrier(jit, GPRInfo::nonArgGPR0, GPRInfo::nonArgGPR1, GPRInfo::nonArgGPR2);
+        if (!codeOrigin.inlineCallFrame)
+            break;
+    }
+#endif
+
     if (exit.m_codeOrigin.inlineCallFrame)
         jit.addPtr(AssemblyHelpers::TrustedImm32(exit.m_codeOrigin.inlineCallFrame->stackOffset * sizeof(EncodedJSValue)), GPRInfo::callFrameRegister);
 

Modified: tags/Safari-538.16.2/Source/_javascript_Core/dfg/DFGSpeculativeJIT.cpp (163492 => 163493)


--- tags/Safari-538.16.2/Source/_javascript_Core/dfg/DFGSpeculativeJIT.cpp	2014-02-06 00:49:42 UTC (rev 163492)
+++ tags/Safari-538.16.2/Source/_javascript_Core/dfg/DFGSpeculativeJIT.cpp	2014-02-06 00:52:04 UTC (rev 163493)
@@ -5518,26 +5518,6 @@
     definitelyNotMarked.link(&m_jit);
 }
 
-void SpeculativeJIT::osrWriteBarrier(CCallHelpers& jit, GPRReg owner, GPRReg scratch1, GPRReg scratch2)
-{
-    JITCompiler::Jump definitelyNotMarked = genericWriteBarrier(jit, owner, scratch1, scratch2);
-
-    // We need these extra slots because setupArgumentsWithExecState will use poke on x86.
-#if CPU(X86)
-    jit.subPtr(TrustedImm32(sizeof(void*) * 3), MacroAssembler::stackPointerRegister);
-#endif
-
-    jit.setupArgumentsWithExecState(owner);
-    jit.move(TrustedImmPtr(reinterpret_cast<void*>(operationOSRWriteBarrier)), scratch1);
-    jit.call(scratch1);
-
-#if CPU(X86)
-    jit.addPtr(TrustedImm32(sizeof(void*) * 3), MacroAssembler::stackPointerRegister);
-#endif
-
-    definitelyNotMarked.link(&jit);
-}
-
 void SpeculativeJIT::writeBarrier(GPRReg ownerGPR, GPRReg scratch1, GPRReg scratch2)
 {
     JITCompiler::Jump definitelyNotMarked = genericWriteBarrier(m_jit, ownerGPR, scratch1, scratch2);

Modified: tags/Safari-538.16.2/Source/_javascript_Core/dfg/DFGSpeculativeJIT.h (163492 => 163493)


--- tags/Safari-538.16.2/Source/_javascript_Core/dfg/DFGSpeculativeJIT.h	2014-02-06 00:49:42 UTC (rev 163492)
+++ tags/Safari-538.16.2/Source/_javascript_Core/dfg/DFGSpeculativeJIT.h	2014-02-06 00:52:04 UTC (rev 163493)
@@ -298,7 +298,6 @@
 
     static JITCompiler::Jump genericWriteBarrier(CCallHelpers& jit, GPRReg owner, GPRReg scratch1, GPRReg scratch2);
     static JITCompiler::Jump genericWriteBarrier(CCallHelpers& jit, JSCell* owner);
-    static void osrWriteBarrier(CCallHelpers&, GPRReg owner, GPRReg scratch1, GPRReg scratch2);
     void writeBarrier(GPRReg owner, GPRReg scratch1, GPRReg scratch2);
     void writeBarrier(GPRReg owner, JSCell* value, GPRReg scratch1, GPRReg scratch2);
 

Modified: tags/Safari-538.16.2/Source/_javascript_Core/jit/AssemblyHelpers.h (163492 => 163493)


--- tags/Safari-538.16.2/Source/_javascript_Core/jit/AssemblyHelpers.h	2014-02-06 00:49:42 UTC (rev 163492)
+++ tags/Safari-538.16.2/Source/_javascript_Core/jit/AssemblyHelpers.h	2014-02-06 00:52:04 UTC (rev 163493)
@@ -389,6 +389,23 @@
     void jitAssertArgumentCountSane() { }
 #endif
 
+    Jump genericWriteBarrier(GPRReg owner, GPRReg scratch1, GPRReg scratch2)
+    {
+        move(owner, scratch1);
+        move(owner, scratch2);
+    
+        andPtr(TrustedImmPtr(MarkedBlock::blockMask), scratch1);
+        andPtr(TrustedImmPtr(~MarkedBlock::blockMask), scratch2);
+    
+#if USE(JSVALUE64)
+        rshift64(TrustedImm32(MarkedBlock::atomShiftAmount + MarkedBlock::markByteShiftAmount), scratch2);
+#else
+        rshift32(TrustedImm32(MarkedBlock::atomShiftAmount + MarkedBlock::markByteShiftAmount), scratch2);
+#endif
+    
+        return branchTest8(Zero, BaseIndex(scratch1, scratch2, TimesOne, MarkedBlock::offsetOfMarks()));
+    }
+
     // These methods convert between doubles, and doubles boxed and JSValues.
 #if USE(JSVALUE64)
     GPRReg boxDouble(FPRReg fpr, GPRReg gpr)
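Review bot: AssemblyHelpers::genericWriteBarrier is now a second copy of the mark-bit test, since the static SpeculativeJIT::genericWriteBarrier(CCallHelpers&, GPRReg, GPRReg, GPRReg) declaration survives in DFGSpeculativeJIT.h in this same changeset; the blockMask/atomShiftAmount/markByteShiftAmount arithmetic living in two places invites silent drift if MarkedBlock's layout changes, so the SpeculativeJIT one should forward to this member. The new method also states no contract: I'd add above it `// Tests the mark bit of the cell in |owner|. Returns a Jump that is taken when the cell is definitely not marked (the barrier call may be skipped); scratch1 and scratch2 are clobbered.` The rshift64/rshift32 choice is keyed on USE(JSVALUE64) rather than on pointer width, which is presumably inherited from the code it was moved out of rather than a regression, but a short comment noting that assumption would help the next reader.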