Changeset 152953 in webkit

Timestamp:

Jul 21, 2013, 2:44:38 PM (12 years ago)

Author:

fpizlo@apple.com

Message:

fourthTier: each DFG node that relies on other nodes to do their type checks should be able to tell you if those type checks happened
​https://bugs.webkit.org/show_bug.cgi?id=118866

Reviewed by Sam Weinig.

Adds a safeToExecute() method that takes a node and an abstract state and tells you
if the node will run without crashing under that state.

• JavaScriptCore.xcodeproj/project.pbxproj:
• bytecode/CodeBlock.cpp:

(JSC::CodeBlock::CodeBlock):

• dfg/DFGCFAPhase.cpp:

(CFAPhase):
(JSC::DFG::CFAPhase::CFAPhase):
(JSC::DFG::CFAPhase::run):
(JSC::DFG::CFAPhase::performBlockCFA):
(JSC::DFG::CFAPhase::performForwardCFA):

• dfg/DFGSafeToExecute.h: Added.

(DFG):
(SafeToExecuteEdge):
(JSC::DFG::SafeToExecuteEdge::SafeToExecuteEdge):
(JSC::DFG::SafeToExecuteEdge::operator()):
(JSC::DFG::SafeToExecuteEdge::result):
(JSC::DFG::safeToExecute):

• dfg/DFGStructureAbstractValue.h:

(JSC::DFG::StructureAbstractValue::isValidOffset):
(StructureAbstractValue):

• runtime/Options.h:

(JSC):

Location:

branches/dfgFourthTier/Source/JavaScriptCore

Files:

• ChangeLog (modified) (1 diff)
• JavaScriptCore.xcodeproj/project.pbxproj (modified) (4 diffs)
• bytecode/CodeBlock.cpp (modified) (1 diff)
• dfg/DFGCFAPhase.cpp (modified) (9 diffs)
• dfg/DFGSafeToExecute.h (added)
• dfg/DFGStructureAbstractValue.h (modified) (1 diff)
• runtime/Options.h (modified) (1 diff)

branches/dfgFourthTier/Source/JavaScriptCore/ChangeLog

@@ +1 @@
+2013-07-20  Filip Pizlo  <fpizlo@apple.com>
+
+        fourthTier: each DFG node that relies on other nodes to do their type checks should be able to tell you if those type checks happened
+        https://bugs.webkit.org/show_bug.cgi?id=118866
+
+        Reviewed by Sam Weinig.
+        
+        Adds a safeToExecute() method that takes a node and an abstract state and tells you
+        if the node will run without crashing under that state.
+
+        * JavaScriptCore.xcodeproj/project.pbxproj:
+        * bytecode/CodeBlock.cpp:
+        (JSC::CodeBlock::CodeBlock):
+        * dfg/DFGCFAPhase.cpp:
+        (CFAPhase):
+        (JSC::DFG::CFAPhase::CFAPhase):
+        (JSC::DFG::CFAPhase::run):
+        (JSC::DFG::CFAPhase::performBlockCFA):
+        (JSC::DFG::CFAPhase::performForwardCFA):
+        * dfg/DFGSafeToExecute.h: Added.
+        (DFG):
+        (SafeToExecuteEdge):
+        (JSC::DFG::SafeToExecuteEdge::SafeToExecuteEdge):
+        (JSC::DFG::SafeToExecuteEdge::operator()):
+        (JSC::DFG::SafeToExecuteEdge::result):
+        (JSC::DFG::safeToExecute):
+        * dfg/DFGStructureAbstractValue.h:
+        (JSC::DFG::StructureAbstractValue::isValidOffset):
+        (StructureAbstractValue):
+        * runtime/Options.h:
+        (JSC):
+
 2013-07-20  Filip Pizlo  <fpizlo@apple.com>
 

branches/dfgFourthTier/Source/JavaScriptCore/JavaScriptCore.xcodeproj/project.pbxproj

@@ -376 +376 @@
                 0FE50591179A492400B35F8C /* DFGSaneStringGetByValSlowPathGenerator.h in Headers */ = {isa = PBXBuildFile; fileRef = 0FE50590179A492400B35F8C /* DFGSaneStringGetByValSlowPathGenerator.h */; settings = {ATTRIBUTES = (Private, ); }; };
                 0FE50593179A604500B35F8C /* DFGEdgeUsesStructure.h in Headers */ = {isa = PBXBuildFile; fileRef = 0FE50592179A604500B35F8C /* DFGEdgeUsesStructure.h */; settings = {ATTRIBUTES = (Private, ); }; };
+                0FE5059F179B4A2300B35F8C /* DFGSafeToExecute.h in Headers */ = {isa = PBXBuildFile; fileRef = 0FE5059E179B4A2000B35F8C /* DFGSafeToExecute.h */; settings = {ATTRIBUTES = (Private, ); }; };
                 0FE505A2179B60ED00B35F8C /* FTLFail.cpp in Sources */ = {isa = PBXBuildFile; fileRef = 0FE505A0179B60ED00B35F8C /* FTLFail.cpp */; };
                 0FE505A3179B60ED00B35F8C /* FTLFail.h in Headers */ = {isa = PBXBuildFile; fileRef = 0FE505A1179B60ED00B35F8C /* FTLFail.h */; settings = {ATTRIBUTES = (Private, ); }; };
@@ -1431 +1432 @@
                 0FE50590179A492400B35F8C /* DFGSaneStringGetByValSlowPathGenerator.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; name = DFGSaneStringGetByValSlowPathGenerator.h; path = dfg/DFGSaneStringGetByValSlowPathGenerator.h; sourceTree = "<group>"; };
                 0FE50592179A604500B35F8C /* DFGEdgeUsesStructure.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; name = DFGEdgeUsesStructure.h; path = dfg/DFGEdgeUsesStructure.h; sourceTree = "<group>"; };
+                0FE5059E179B4A2000B35F8C /* DFGSafeToExecute.h */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.c.h; name = DFGSafeToExecute.h; path = dfg/DFGSafeToExecute.h; sourceTree = "<group>"; };
                 0FE505A0179B60ED00B35F8C /* FTLFail.cpp */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.cpp.cpp; name = FTLFail.cpp; path = ftl/FTLFail.cpp; sourceTree = "<group>"; };
                 0FE505A1179B60ED00B35F8C /* FTLFail.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; name = FTLFail.h; path = ftl/FTLFail.h; sourceTree = "<group>"; };
@@ -3140 +3142 @@
                                 86BB09BE138E381B0056702F /* DFGRepatch.cpp */,
                                 86BB09BF138E381B0056702F /* DFGRepatch.h */,
+                                0FE5059E179B4A2000B35F8C /* DFGSafeToExecute.h */,
                                 0FE50590179A492400B35F8C /* DFGSaneStringGetByValSlowPathGenerator.h */,
                                 86ECA3F9132DF25A002B2AD7 /* DFGScoreBoard.h */,
@@ -3917 +3920 @@
                                 0F46E6F4177CF0D200E1F755 /* DFGNaturalLoops.h in Headers */,
                                 0F46E6E3177CC36600E1F755 /* LLVMDisassembler.h in Headers */,
+                                0FE5059F179B4A2300B35F8C /* DFGSafeToExecute.h in Headers */,
                                 0F46E6E4177CC36600E1F755 /* UDis86Disassembler.h in Headers */,
                         );

branches/dfgFourthTier/Source/JavaScriptCore/bytecode/CodeBlock.cpp

@@ -1824 +1824 @@
         || Options::verboseOSR()
         || Options::verboseCompilationQueue()
-        || Options::reportCompileTimes())
+        || Options::reportCompileTimes()
+        || Options::verboseCFA())
         hash();
 

branches/dfgFourthTier/Source/JavaScriptCore/dfg/DFGCFAPhase.cpp

@@ -33 +33 @@
 #include "DFGInPlaceAbstractState.h"
 #include "DFGPhase.h"
+#include "DFGSafeToExecute.h"
 #include "Operations.h"
 
@@ -39 +40 @@
 class CFAPhase : public Phase {
 public:
-#if DFG_ENABLE(DFG_PROPAGATION_VERBOSE)
-    static const bool verbose = true;
-#else
-    static const bool verbose = false;
-#endif
-
     CFAPhase(Graph& graph)
         : Phase(graph, "control flow analysis")
         , m_state(graph)
         , m_interpreter(graph, m_state)
+        , m_verbose(Options::verboseCFA())
     {
     }
@@ -59 +55 @@
         
         m_count = 0;
+        
+        if (m_verbose && !shouldDumpGraphAtEachPhase()) {
+            dataLog("Graph before CFA:\n");
+            m_graph.dump();
+        }
         
         // This implements a pseudo-worklist-based forward CFA, except that the visit order
@@ -88 +89 @@
         if (!block->cfaShouldRevisit)
             return;
-        if (verbose)
+        if (m_verbose)
             dataLog("   Block ", *block, ":\n");
         m_state.beginBasicBlock(block);
-        if (verbose) {
+        if (m_verbose) {
             dataLogF("      head vars: ");
             dumpOperands(block->valuesAtHead, WTF::dataFile());
@@ -97 +98 @@
         }
         for (unsigned i = 0; i < block->size(); ++i) {
-            if (verbose) {
+            if (m_verbose) {
                 Node* node = block->at(i);
                 dataLogF("      %s @%u: ", Graph::opName(node->op()), node->index());
+                
+                if (!safeToExecute(m_state, m_graph, node))
+                    dataLog("(UNSAFE) ");
+                
                 m_interpreter.dump(WTF::dataFile());
+                
                 if (m_state.haveStructures())
                     dataLog(" (Have Structures)");
@@ -106 +112 @@
             }
             if (!m_interpreter.execute(i)) {
-                if (verbose)
+                if (m_verbose)
                     dataLogF("         Expect OSR exit.\n");
                 break;
             }
         }
-        if (verbose) {
+        if (m_verbose) {
             dataLogF("      tail regs: ");
             m_interpreter.dump(WTF::dataFile());
@@ -118 +124 @@
         m_changed |= m_state.endBasicBlock(MergeToSuccessors);
         
-        if (verbose) {
+        if (m_verbose) {
             dataLogF("      tail vars: ");
             dumpOperands(block->valuesAtTail, WTF::dataFile());
@@ -128 +134 @@
     {
         ++m_count;
-        if (verbose)
+        if (m_verbose)
             dataLogF("CFA [%u]\n", ++m_count);
         
@@ -138 +144 @@
     InPlaceAbstractState m_state;
     AbstractInterpreter<InPlaceAbstractState> m_interpreter;
+    
+    bool m_verbose;
     
     bool m_changed;

branches/dfgFourthTier/Source/JavaScriptCore/dfg/DFGStructureAbstractValue.h

@@ -283 +283 @@
     }
     
+    bool isValidOffset(PropertyOffset offset)
+    {
+        if (isTop())
+            return false;
+        if (isClear())
+            return true;
+        return m_structure->isValidOffset(offset);
+    }
+    
     bool hasSingleton() const
     {

branches/dfgFourthTier/Source/JavaScriptCore/runtime/Options.h

@@ -86 +86 @@
     v(bool, verboseCompilationQueue, false) \
     v(bool, reportCompileTimes, false) \
+    v(bool, verboseCFA, false) \
     \
     v(bool, enableOSREntryInLoops, true) \