Diff
Modified: trunk/Source/_javascript_Core/ChangeLog (165128 => 165129)
--- trunk/Source/_javascript_Core/ChangeLog 2014-03-05 21:57:26 UTC (rev 165128)
+++ trunk/Source/_javascript_Core/ChangeLog 2014-03-05 22:01:57 UTC (rev 165129)
@@ -1,3 +1,49 @@
+2014-03-05 Filip Pizlo <[email protected]>
+
+ More FTL ARM fixes
+ https://bugs.webkit.org/show_bug.cgi?id=129755
+
+ Reviewed by Geoffrey Garen.
+
+ - Be more defensive about inline caches that have degenerate chains.
+
+ - Temporarily switch to allocating all MCJIT memory in the executable pool on non-x86
+ platforms. The bug tracking the real fix is: https://bugs.webkit.org/show_bug.cgi?id=129756
+
+ - Don't even emit intrinsic declarations on non-x86 platforms.
+
+ - More debug printing support.
+
+ - Don't use vmCall() in the prologue. This should have crashed on all platforms all the time
+ but somehow it gets lucky on x86.
+
+ * bytecode/GetByIdStatus.cpp:
+ (JSC::GetByIdStatus::appendVariant):
+ (JSC::GetByIdStatus::computeForChain):
+ (JSC::GetByIdStatus::computeForStubInfo):
+ * bytecode/GetByIdStatus.h:
+ * bytecode/PutByIdStatus.cpp:
+ (JSC::PutByIdStatus::appendVariant):
+ (JSC::PutByIdStatus::computeForStubInfo):
+ * bytecode/PutByIdStatus.h:
+ * bytecode/StructureSet.h:
+ (JSC::StructureSet::overlaps):
+ * ftl/FTLCompile.cpp:
+ (JSC::FTL::mmAllocateDataSection):
+ * ftl/FTLDataSection.cpp:
+ (JSC::FTL::DataSection::DataSection):
+ (JSC::FTL::DataSection::~DataSection):
+ * ftl/FTLDataSection.h:
+ * ftl/FTLLowerDFGToLLVM.cpp:
+ (JSC::FTL::LowerDFGToLLVM::lower):
+ * ftl/FTLOutput.h:
+ (JSC::FTL::Output::doubleSin):
+ (JSC::FTL::Output::doubleCos):
+ * runtime/JSCJSValue.cpp:
+ (JSC::JSValue::dumpInContext):
+ * runtime/JSCell.h:
+ (JSC::JSCell::structureID):
+
2014-03-05 [email protected] <[email protected]>
[Win32][LLINT] Crash when running JSC stress tests.
Modified: trunk/Source/_javascript_Core/bytecode/GetByIdStatus.cpp (165128 => 165129)
--- trunk/Source/_javascript_Core/bytecode/GetByIdStatus.cpp 2014-03-05 21:57:26 UTC (rev 165128)
+++ trunk/Source/_javascript_Core/bytecode/GetByIdStatus.cpp 2014-03-05 22:01:57 UTC (rev 165129)
@@ -35,6 +35,16 @@
namespace JSC {
+bool GetByIdStatus::appendVariant(const GetByIdVariant& variant)
+{
+ for (unsigned i = 0; i < m_variants.size(); ++i) {
+ if (m_variants[i].structureSet().overlaps(variant.structureSet()))
+ return false;
+ }
+ m_variants.append(variant);
+ return true;
+}
+
#if ENABLE(DFG_JIT)
bool GetByIdStatus::hasExitSite(const ConcurrentJITLocker& locker, CodeBlock* profiledBlock, unsigned bytecodeIndex, ExitingJITType jitType)
{
@@ -119,9 +129,7 @@
if (!isValidOffset(offset))
return false;
- m_variants.append(
- GetByIdVariant(StructureSet(chain->head()), offset, specificValue, chain));
- return true;
+ return appendVariant(GetByIdVariant(StructureSet(chain->head()), offset, specificValue, chain));
#else // ENABLE(JIT)
UNUSED_PARAM(profiledBlock);
UNUSED_PARAM(uid);
@@ -202,7 +210,7 @@
variant.m_structureSet.add(structure);
variant.m_specificValue = JSValue(specificValue);
- result.m_variants.append(variant);
+ result.appendVariant(variant);
return result;
}
@@ -256,8 +264,8 @@
if (found)
continue;
- result.m_variants.append(
- GetByIdVariant(StructureSet(structure), myOffset, specificValue));
+ if (!result.appendVariant(GetByIdVariant(StructureSet(structure), myOffset, specificValue)))
+ return GetByIdStatus(TakesSlowPath, true);
}
return result;
Modified: trunk/Source/_javascript_Core/bytecode/GetByIdStatus.h (165128 => 165129)
--- trunk/Source/_javascript_Core/bytecode/GetByIdStatus.h 2014-03-05 21:57:26 UTC (rev 165128)
+++ trunk/Source/_javascript_Core/bytecode/GetByIdStatus.h 2014-03-05 22:01:57 UTC (rev 165129)
@@ -99,6 +99,8 @@
bool computeForChain(CodeBlock*, StringImpl* uid, PassRefPtr<IntendedStructureChain>);
static GetByIdStatus computeFromLLInt(CodeBlock*, unsigned bytecodeIndex, StringImpl* uid);
+ bool appendVariant(const GetByIdVariant&);
+
State m_state;
Vector<GetByIdVariant, 1> m_variants;
bool m_wasSeenInJIT;
Modified: trunk/Source/_javascript_Core/bytecode/PutByIdStatus.cpp (165128 => 165129)
--- trunk/Source/_javascript_Core/bytecode/PutByIdStatus.cpp 2014-03-05 21:57:26 UTC (rev 165128)
+++ trunk/Source/_javascript_Core/bytecode/PutByIdStatus.cpp 2014-03-05 22:01:57 UTC (rev 165129)
@@ -37,6 +37,16 @@
namespace JSC {
+bool PutByIdStatus::appendVariant(const PutByIdVariant& variant)
+{
+ for (unsigned i = 0; i < m_variants.size(); ++i) {
+ if (m_variants[i].oldStructure() == variant.oldStructure())
+ return false;
+ }
+ m_variants.append(variant);
+ return true;
+}
+
#if ENABLE(DFG_JIT)
bool PutByIdStatus::hasExitSite(const ConcurrentJITLocker& locker, CodeBlock* profiledBlock, unsigned bytecodeIndex, ExitingJITType exitType)
{
@@ -176,7 +186,8 @@
PropertyOffset offset = structure->getConcurrently(*profiledBlock->vm(), uid);
if (!isValidOffset(offset))
return PutByIdStatus(TakesSlowPath);
- result.m_variants.append(PutByIdVariant::replace(structure, offset));
+ if (!result.appendVariant(PutByIdVariant::replace(structure, offset)))
+ return PutByIdStatus(TakesSlowPath);
break;
}
@@ -185,11 +196,13 @@
access.newStructure()->getConcurrently(*profiledBlock->vm(), uid);
if (!isValidOffset(offset))
return PutByIdStatus(TakesSlowPath);
- result.m_variants.append(PutByIdVariant::transition(
+ bool ok = result.appendVariant(PutByIdVariant::transition(
access.oldStructure(), access.newStructure(),
access.chain() ? adoptRef(new IntendedStructureChain(
profiledBlock, access.oldStructure(), access.chain())) : 0,
offset));
+ if (!ok)
+ return PutByIdStatus(TakesSlowPath);
break;
}
Modified: trunk/Source/_javascript_Core/bytecode/PutByIdStatus.h (165128 => 165129)
--- trunk/Source/_javascript_Core/bytecode/PutByIdStatus.h 2014-03-05 21:57:26 UTC (rev 165128)
+++ trunk/Source/_javascript_Core/bytecode/PutByIdStatus.h 2014-03-05 22:01:57 UTC (rev 165129)
@@ -95,6 +95,8 @@
#endif
static PutByIdStatus computeFromLLInt(CodeBlock*, unsigned bytecodeIndex, StringImpl* uid);
+ bool appendVariant(const PutByIdVariant&);
+
State m_state;
Vector<PutByIdVariant, 1> m_variants;
};
Modified: trunk/Source/_javascript_Core/bytecode/StructureSet.h (165128 => 165129)
--- trunk/Source/_javascript_Core/bytecode/StructureSet.h 2014-03-05 21:57:26 UTC (rev 165128)
+++ trunk/Source/_javascript_Core/bytecode/StructureSet.h 2014-03-05 22:01:57 UTC (rev 165129)
@@ -115,6 +115,15 @@
return other.isSubsetOf(*this);
}
+ bool overlaps(const StructureSet& other) const
+ {
+ for (size_t i = 0; i < m_structures.size(); ++i) {
+ if (other.contains(m_structures[i]))
+ return true;
+ }
+ return false;
+ }
+
size_t size() const { return m_structures.size(); }
// Call this if you know that the structure set must consist of exactly
Modified: trunk/Source/_javascript_Core/ftl/FTLCompile.cpp (165128 => 165129)
--- trunk/Source/_javascript_Core/ftl/FTLCompile.cpp 2014-03-05 21:57:26 UTC (rev 165128)
+++ trunk/Source/_javascript_Core/ftl/FTLCompile.cpp 2014-03-05 22:01:57 UTC (rev 165129)
@@ -81,7 +81,8 @@
State& state = *static_cast<State*>(opaqueState);
- RefPtr<DataSection> section = adoptRef(new DataSection(size, alignment));
+ RefPtr<DataSection> section = adoptRef(new DataSection(
+ state.graph.m_vm, state.graph.m_codeBlock, size, alignment));
if (!strcmp(sectionName, "__llvm_stackmaps"))
state.stackmapsSection = section;
Modified: trunk/Source/_javascript_Core/ftl/FTLDataSection.cpp (165128 => 165129)
--- trunk/Source/_javascript_Core/ftl/FTLDataSection.cpp 2014-03-05 21:57:26 UTC (rev 165128)
+++ trunk/Source/_javascript_Core/ftl/FTLDataSection.cpp 2014-03-05 22:01:57 UTC (rev 165129)
@@ -34,9 +34,30 @@
namespace JSC { namespace FTL {
-DataSection::DataSection(size_t size, unsigned alignment)
+#if CPU(ARM64)
+// FIXME: We should undo this once we fix relocation issues.
+// https://bugs.webkit.org/show_bug.cgi?id=129756
+static const bool useExecutableMemory = true;
+#else
+static const bool useExecutableMemory = false;
+#endif
+
+DataSection::DataSection(VM& vm, CodeBlock* codeBlock, size_t size, unsigned alignment)
: m_size(size)
{
+ if (useExecutableMemory) {
+ RELEASE_ASSERT(alignment < jitAllocationGranule);
+
+ RefPtr<ExecutableMemoryHandle> result =
+ vm.executableAllocator.allocate(
+ vm, size, codeBlock, JITCompilationMustSucceed);
+ m_base = result->start();
+ m_size = result->sizeInBytes();
+
+ m_allocationBase = result.release().leakRef();
+ return;
+ }
+
RELEASE_ASSERT(WTF::bitCount(alignment) == 1);
const unsigned nativeAlignment = 8;
@@ -55,7 +76,10 @@
DataSection::~DataSection()
{
- fastFree(m_allocationBase);
+ if (useExecutableMemory)
+ static_cast<ExecutableMemoryHandle*>(m_allocationBase)->deref();
+ else
+ fastFree(m_allocationBase);
}
} } // namespace JSC::FTL
Modified: trunk/Source/_javascript_Core/ftl/FTLDataSection.h (165128 => 165129)
--- trunk/Source/_javascript_Core/ftl/FTLDataSection.h 2014-03-05 21:57:26 UTC (rev 165128)
+++ trunk/Source/_javascript_Core/ftl/FTLDataSection.h 2014-03-05 22:01:57 UTC (rev 165129)
@@ -28,13 +28,15 @@
#if ENABLE(FTL_JIT)
+#include "CodeBlock.h"
+#include "VM.h"
#include <wtf/RefCounted.h>
namespace JSC { namespace FTL {
class DataSection : public RefCounted<DataSection> {
public:
- DataSection(size_t size, unsigned alignment);
+ DataSection(VM&, CodeBlock*, size_t, unsigned alignment);
~DataSection();
void* base() { return m_base; }
Modified: trunk/Source/_javascript_Core/ftl/FTLLowerDFGToLLVM.cpp (165128 => 165129)
--- trunk/Source/_javascript_Core/ftl/FTLLowerDFGToLLVM.cpp 2014-03-05 21:57:26 UTC (rev 165128)
+++ trunk/Source/_javascript_Core/ftl/FTLLowerDFGToLLVM.cpp 2014-03-05 22:01:57 UTC (rev 165129)
@@ -102,6 +102,9 @@
addTargetDependentFunctionAttr(m_ftlState.function, "target-features", "-avx");
}
+ if (verboseCompilationEnabled())
+ dataLog("Function ready, beginning lowering.\n");
+
m_out.initialize(m_ftlState.module, m_ftlState.function, m_heaps);
m_prologue = FTL_NEW_BLOCK(m_out, ("Prologue"));
@@ -141,7 +144,7 @@
didOverflowStack(), rarely(stackOverflow), usually(lowBlock(m_graph.block(0))));
m_out.appendTo(stackOverflow, m_handleExceptions);
- vmCall(m_out.operation(operationThrowStackOverflowError), m_callFrame, m_out.constIntPtr(codeBlock()), NoExceptions);
+ m_out.call(m_out.operation(operationThrowStackOverflowError), m_callFrame, m_out.constIntPtr(codeBlock()));
m_ftlState.handleStackOverflowExceptionStackmapID = m_stackmapIDs++;
m_out.call(
m_out.stackmapIntrinsic(), m_out.constInt64(m_ftlState.handleStackOverflowExceptionStackmapID),
Modified: trunk/Source/_javascript_Core/ftl/FTLOutput.h (165128 => 165129)
--- trunk/Source/_javascript_Core/ftl/FTLOutput.h 2014-03-05 21:57:26 UTC (rev 165128)
+++ trunk/Source/_javascript_Core/ftl/FTLOutput.h 2014-03-05 22:01:57 UTC (rev 165129)
@@ -33,6 +33,7 @@
#include "FTLAbstractHeapRepository.h"
#include "FTLCommonValues.h"
#include "FTLIntrinsicRepository.h"
+#include "FTLState.h"
#include "FTLSwitchCase.h"
#include "FTLTypedPointer.h"
#include "FTLWeight.h"
@@ -170,12 +171,12 @@
LValue doubleSin(LValue value)
{
- return call(intrinsicOrOperation(doubleSinIntrinsic(), sin), value);
+ return call(isX86() ? doubleSinIntrinsic() : operation(sin), value);
}
LValue doubleCos(LValue value)
{
- return call(intrinsicOrOperation(doubleCosIntrinsic(), cos), value);
+ return call(isX86() ? doubleCosIntrinsic() : operation(cos), value);
}
LValue doubleSqrt(LValue value)
@@ -362,21 +363,6 @@
return intToPtr(constIntPtr(function), pointerType(operationType(function)));
}
- template<typename FunctionType>
- LValue intrinsicOrOperation(LValue intrinsic, FunctionType function)
- {
- if (isX86())
- return intrinsic;
-
- // LLVM's behavior with respect to math intrinsics that lower to calls is pretty odd
- // on hardware that requires real effort during relocation.
- // https://bugs.webkit.org/show_bug.cgi?id=129495
-
- // FIXME: At least mark these pure.
- // https://bugs.webkit.org/show_bug.cgi?id=129494
- return operation(function);
- }
-
void jump(LBasicBlock destination) { buildBr(m_builder, destination); }
void branch(LValue condition, LBasicBlock taken, Weight takenWeight, LBasicBlock notTaken, Weight notTakenWeight);
void branch(LValue condition, WeightedTarget taken, WeightedTarget notTaken)
@@ -438,7 +424,7 @@
};
#define FTL_NEW_BLOCK(output, nameArguments) \
- (LIKELY(!::JSC::DFG::verboseCompilationEnabled()) \
+ (LIKELY(!verboseCompilationEnabled()) \
? (output).newBlock() \
: (output).newBlock((toCString nameArguments).data()))
Modified: trunk/Source/_javascript_Core/runtime/JSCJSValue.cpp (165128 => 165129)
--- trunk/Source/_javascript_Core/runtime/JSCJSValue.cpp 2014-03-05 21:57:26 UTC (rev 165128)
+++ trunk/Source/_javascript_Core/runtime/JSCJSValue.cpp 2014-03-05 22:01:57 UTC (rev 165129)
@@ -229,6 +229,9 @@
out.print("Cell: ", RawPointer(asCell()));
out.print(" (", inContext(*asCell()->structure(), context), ")");
}
+#if USE(JSVALUE64)
+ out.print(", ID: ", asCell()->structureID());
+#endif
} else if (isTrue())
out.print("True");
else if (isFalse())
Modified: trunk/Source/_javascript_Core/runtime/JSCell.h (165128 => 165129)
--- trunk/Source/_javascript_Core/runtime/JSCell.h 2014-03-05 21:57:26 UTC (rev 165128)
+++ trunk/Source/_javascript_Core/runtime/JSCell.h 2014-03-05 22:01:57 UTC (rev 165129)
@@ -96,6 +96,7 @@
JSType type() const;
IndexingType indexingType() const;
+ StructureID structureID() const { return m_structureID; }
Structure* structure() const;
Structure* structure(VM&) const;
void setStructure(VM&, Structure*);
