Changeset 279598 in webkit

Timestamp:

Jul 6, 2021, 10:59:46 AM (4 years ago)

Author:

Ruben Turcios

Message:

Cherry-pick r279560. rdar://problem/80212160

ActiveScratchBufferScope should take the buffer as argument
​https://bugs.webkit.org/show_bug.cgi?id=227670
rdar://80011612

Reviewed by Mark Lam.

​https://bugs.webkit.org/show_bug.cgi?id=227013 created ActiveScratchBufferScope.
It is used by operations that can cause the GC to run, to mark as roots the contents of the scratch buffer that is live during that time (if any).
The bug is that it simply asks the VM for a scratch buffer of the right size, but this will always return the last scratch buffer, and not necessarily the one that the operation is actually using.

A fairly simple fix is to pass it directly the scratch buffer, since the operation normally can get it easily enough.
In most cases the operation has access to the m_buffer field of the ScratchBuffer, but getting a pointer to the entire structure from that is fairly simple (I added ScratchBuffer::fromData() to do so).

• dfg/DFGOSRExit.cpp: (JSC::DFG::JSC_DEFINE_JIT_OPERATION):
• dfg/DFGOSRExit.h:
• dfg/DFGOperations.cpp: (JSC::DFG::JSC_DEFINE_JIT_OPERATION):
• dfg/DFGSpeculativeJIT.cpp: (JSC::DFG::SpeculativeJIT::compileNewArray):
• dfg/DFGThunks.cpp: (JSC::DFG::osrExitGenerationThunkGenerator):
• runtime/JSGlobalObject.cpp: (JSC::JSGlobalObject::haveABadTime):
• runtime/VM.h: (JSC::ScratchBuffer::fromData):
• runtime/VMInlines.h: (JSC::ActiveScratchBufferScope::ActiveScratchBufferScope): (JSC::ActiveScratchBufferScope::~ActiveScratchBufferScope):

git-svn-id: ​https://svn.webkit.org/repository/webkit/trunk@279560 268f45cc-cd09-0410-ab3c-d52691b4dbfc

Location:

branches/safari-612.1.22.3-branch/Source/JavaScriptCore

Files:

• ChangeLog (modified) (1 diff)
• dfg/DFGOSRExit.cpp (modified) (2 diffs)
• dfg/DFGOSRExit.h (modified) (2 diffs)
• dfg/DFGOperations.cpp (modified) (3 diffs)
• dfg/DFGSpeculativeJIT.cpp (modified) (1 diff)
• dfg/DFGThunks.cpp (modified) (1 diff)
• runtime/VM.h (modified) (2 diffs)
• runtime/VMInlines.h (modified) (2 diffs)

branches/safari-612.1.22.3-branch/Source/JavaScriptCore/ChangeLog

@@ +1 @@
+2021-07-06  Ruben Turcios  <rubent_22@apple.com>
+
+        Cherry-pick r279560. rdar://problem/80212160
+
+    ActiveScratchBufferScope should take the buffer as argument
+    https://bugs.webkit.org/show_bug.cgi?id=227670
+    rdar://80011612
+    
+    Reviewed by Mark Lam.
+    
+    https://bugs.webkit.org/show_bug.cgi?id=227013 created ActiveScratchBufferScope.
+    It is used by operations that can cause the GC to run, to mark as roots the contents of the scratch buffer that is live during that time (if any).
+    The bug is that it simply asks the VM for a scratch buffer of the right size, but this will always return the last scratch buffer, and not necessarily the one that the operation is actually using.
+    
+    A fairly simple fix is to pass it directly the scratch buffer, since the operation normally can get it easily enough.
+    In most cases the operation has access to the m_buffer field of the ScratchBuffer, but getting a pointer to the entire structure from that is fairly simple (I added ScratchBuffer::fromData() to do so).
+    
+    * dfg/DFGOSRExit.cpp:
+    (JSC::DFG::JSC_DEFINE_JIT_OPERATION):
+    * dfg/DFGOSRExit.h:
+    * dfg/DFGOperations.cpp:
+    (JSC::DFG::JSC_DEFINE_JIT_OPERATION):
+    * dfg/DFGSpeculativeJIT.cpp:
+    (JSC::DFG::SpeculativeJIT::compileNewArray):
+    * dfg/DFGThunks.cpp:
+    (JSC::DFG::osrExitGenerationThunkGenerator):
+    * runtime/JSGlobalObject.cpp:
+    (JSC::JSGlobalObject::haveABadTime):
+    * runtime/VM.h:
+    (JSC::ScratchBuffer::fromData):
+    * runtime/VMInlines.h:
+    (JSC::ActiveScratchBufferScope::ActiveScratchBufferScope):
+    (JSC::ActiveScratchBufferScope::~ActiveScratchBufferScope):
+    
+    
+    git-svn-id: https://svn.webkit.org/repository/webkit/trunk@279560 268f45cc-cd09-0410-ab3c-d52691b4dbfc
+
+    2021-07-04  Robin Morisset  <rmorisset@apple.com>
+
+            ActiveScratchBufferScope should take the buffer as argument
+            https://bugs.webkit.org/show_bug.cgi?id=227670
+            rdar://80011612
+
+            Reviewed by Mark Lam.
+
+            https://bugs.webkit.org/show_bug.cgi?id=227013 created ActiveScratchBufferScope.
+            It is used by operations that can cause the GC to run, to mark as roots the contents of the scratch buffer that is live during that time (if any).
+            The bug is that it simply asks the VM for a scratch buffer of the right size, but this will always return the last scratch buffer, and not necessarily the one that the operation is actually using.
+
+            A fairly simple fix is to pass it directly the scratch buffer, since the operation normally can get it easily enough.
+            In most cases the operation has access to the m_buffer field of the ScratchBuffer, but getting a pointer to the entire structure from that is fairly simple (I added ScratchBuffer::fromData() to do so).
+
+            * dfg/DFGOSRExit.cpp:
+            (JSC::DFG::JSC_DEFINE_JIT_OPERATION):
+            * dfg/DFGOSRExit.h:
+            * dfg/DFGOperations.cpp:
+            (JSC::DFG::JSC_DEFINE_JIT_OPERATION):
+            * dfg/DFGSpeculativeJIT.cpp:
+            (JSC::DFG::SpeculativeJIT::compileNewArray):
+            * dfg/DFGThunks.cpp:
+            (JSC::DFG::osrExitGenerationThunkGenerator):
+            * runtime/JSGlobalObject.cpp:
+            (JSC::JSGlobalObject::haveABadTime):
+            * runtime/VM.h:
+            (JSC::ScratchBuffer::fromData):
+            * runtime/VMInlines.h:
+            (JSC::ActiveScratchBufferScope::ActiveScratchBufferScope):
+            (JSC::ActiveScratchBufferScope::~ActiveScratchBufferScope):
+
 2021-06-30  Alan Coon  <alancoon@apple.com>
 

branches/safari-612.1.22.3-branch/Source/JavaScriptCore/dfg/DFGOSRExit.cpp

@@ -142 +142 @@
 }
 
-JSC_DEFINE_JIT_OPERATION(operationCompileOSRExit, void, (CallFrame* callFrame))
+JSC_DEFINE_JIT_OPERATION(operationCompileOSRExit, void, (CallFrame* callFrame, void* bufferToPreserve))
 {
     VM& vm = callFrame->deprecatedVM();
     auto scope = DECLARE_THROW_SCOPE(vm);
-    ActiveScratchBufferScope activeScratchBufferScope(vm, GPRInfo::numberOfRegisters + FPRInfo::numberOfRegisters);
+    ActiveScratchBufferScope activeScratchBufferScope(ScratchBuffer::fromData(bufferToPreserve), GPRInfo::numberOfRegisters + FPRInfo::numberOfRegisters);
 
     if constexpr (validateDFGDoesGC) {
@@ -931 +931 @@
     VM& vm = callFrame->deprecatedVM();
     NativeCallFrameTracer tracer(vm, callFrame);
-    ActiveScratchBufferScope activeScratchBufferScope(vm, GPRInfo::numberOfRegisters + FPRInfo::numberOfRegisters);
+    ActiveScratchBufferScope activeScratchBufferScope(ScratchBuffer::fromData(scratch), GPRInfo::numberOfRegisters + FPRInfo::numberOfRegisters);
 
     SpeculationFailureDebugInfo* debugInfo = static_cast<SpeculationFailureDebugInfo*>(debugInfoRaw);

branches/safari-612.1.22.3-branch/Source/JavaScriptCore/dfg/DFGOSRExit.h

@@ -139 +139 @@
 };
 
-JSC_DECLARE_JIT_OPERATION(operationCompileOSRExit, void, (CallFrame*));
+JSC_DECLARE_JIT_OPERATION(operationCompileOSRExit, void, (CallFrame*, void*));
 JSC_DECLARE_JIT_OPERATION(operationDebugPrintSpeculationFailure, void, (CallFrame*, void*, void*));
 JSC_DECLARE_JIT_OPERATION(operationMaterializeOSRExitSideState, void, (VM*, const OSRExitBase*, EncodedJSValue*));
@@ -150 +150 @@
     OSRExit(ExitKind, JSValueSource, MethodOfGettingAValueProfile, SpeculativeJIT*, unsigned streamIndex, unsigned recoveryIndex = UINT_MAX);
 
-    friend void JIT_OPERATION_ATTRIBUTES operationCompileOSRExit(CallFrame*);
+    friend void JIT_OPERATION_ATTRIBUTES operationCompileOSRExit(CallFrame*, void*);
 
     CodeLocationLabel<JSInternalPtrTag> m_patchableJumpLocation;

branches/safari-612.1.22.3-branch/Source/JavaScriptCore/dfg/DFGOperations.cpp

@@ -1040 +1040 @@
     CallFrame* callFrame = DECLARE_CALL_FRAME(vm);
     JITOperationPrologueCallFrameTracer tracer(vm, callFrame);
-    ActiveScratchBufferScope activeScratchBufferScope(vm, elementCount);
-    auto scope = DECLARE_THROW_SCOPE(vm);
+    ActiveScratchBufferScope activeScratchBufferScope(ScratchBuffer::fromData(buffer), elementCount);
+    auto scope = DECLARE_THROW_SCOPE(vm);
+
 
     // We assume that multiple JSArray::push calls with ArrayWithInt32/ArrayWithContiguous do not cause JS traps.
@@ -1735 +1736 @@
     CallFrame* callFrame = DECLARE_CALL_FRAME(vm);
     JITOperationPrologueCallFrameTracer tracer(vm, callFrame);
-    ActiveScratchBufferScope activeScratchBufferScope(vm, size);
+    ActiveScratchBufferScope activeScratchBufferScope(ScratchBuffer::fromData(buffer), size);
 
     return bitwise_cast<char*>(constructArray(globalObject, arrayStructure, static_cast<JSValue*>(buffer), size));
@@ -3043 +3044 @@
     CallFrame* callFrame = DECLARE_CALL_FRAME(vm);
     JITOperationPrologueCallFrameTracer tracer(vm, callFrame);
-    ActiveScratchBufferScope activeScratchBufferScope(vm, numItems);
+    ActiveScratchBufferScope activeScratchBufferScope(ScratchBuffer::fromData(buffer), numItems);
     auto scope = DECLARE_THROW_SCOPE(vm);
 

branches/safari-612.1.22.3-branch/Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp

@@ -9239 +9239 @@
 
     GPRFlushedCallResult result(this);
+    GPRReg resultGPR = result.gpr();
 
     callOperation(
-        operationNewArray, result.gpr(), TrustedImmPtr::weakPointer(m_graph, globalObject), m_jit.graph().registerStructure(globalObject->arrayStructureForIndexingTypeDuringAllocation(node->indexingType())),
+        operationNewArray, resultGPR, TrustedImmPtr::weakPointer(m_graph, globalObject), m_jit.graph().registerStructure(globalObject->arrayStructureForIndexingTypeDuringAllocation(node->indexingType())),
         static_cast<void*>(buffer), size_t(node->numChildren()));
     m_jit.exceptionCheck();
 
-    cellResult(result.gpr(), node, UseChildrenCalledExplicitly);
+    cellResult(resultGPR, node, UseChildrenCalledExplicitly);
 }
 

branches/safari-612.1.22.3-branch/Source/JavaScriptCore/dfg/DFGThunks.cpp

@@ -90 +90 @@
     storeSpooler.finalizeFPR();
 
-    // Set up one argument.
-    jit.move(GPRInfo::callFrameRegister, GPRInfo::argumentGPR0);
+    // This will implicitly pass GPRInfo::callFrameRegister as the first argument based on the operation type.
+    jit.setupArguments<decltype(operationCompileOSRExit)>(bufferGPR);
     jit.prepareCallOperation(vm);
 

branches/safari-612.1.22.3-branch/Source/JavaScriptCore/runtime/VM.h

@@ -261 +261 @@
     }
 
+    static ScratchBuffer* fromData(void* buffer)
+    {
+        return bitwise_cast<ScratchBuffer*>(static_cast<char*>(buffer) - OBJECT_OFFSETOF(ScratchBuffer, m_buffer));
+    }
+
     static size_t allocationSize(Checked<size_t> bufferSize) { return sizeof(ScratchBuffer) + bufferSize; }
     void setActiveLength(size_t activeLength) { u.m_activeLength = activeLength; }
@@ -283 +288 @@
 class ActiveScratchBufferScope {
 public:
-    ActiveScratchBufferScope(VM&, size_t activeScratchBufferSizeInJSValues);
+    ActiveScratchBufferScope(ScratchBuffer*, size_t activeScratchBufferSizeInJSValues);
     ~ActiveScratchBufferScope();
 

branches/safari-612.1.22.3-branch/Source/JavaScriptCore/runtime/VMInlines.h

@@ -33 +33 @@
 namespace JSC {
 
-inline ActiveScratchBufferScope::ActiveScratchBufferScope(VM& vm, size_t activeScratchBufferSizeInJSValues)
-    : m_scratchBuffer(vm.scratchBufferForSize(activeScratchBufferSizeInJSValues * sizeof(EncodedJSValue)))
+inline ActiveScratchBufferScope::ActiveScratchBufferScope(ScratchBuffer* buffer, size_t activeScratchBufferSizeInJSValues)
+    : m_scratchBuffer(buffer)
 {
     // Tell GC mark phase how much of the scratch buffer is active during the call operation this scope is used in.
     if (m_scratchBuffer)
-        m_scratchBuffer->u.m_activeLength = activeScratchBufferSizeInJSValues * sizeof(EncodedJSValue);
+        m_scratchBuffer->setActiveLength(activeScratchBufferSizeInJSValues * sizeof(EncodedJSValue));
 }
 
@@ -45 +45 @@
     // Tell the GC that we're not using the scratch buffer anymore.
     if (m_scratchBuffer)
-        m_scratchBuffer->u.m_activeLength = 0;
+        m_scratchBuffer->setActiveLength(0);
 }