Changeset 99148 in webkit

Timestamp:

Nov 3, 2011, 1:06:42 AM (14 years ago)

Author:

fpizlo@apple.com

Message:

Source/JavaScriptCore: DFG inlining breaks function.arguments[something] if the argument being
retrieved was subjected to DFG's unboxing optimizations
​https://bugs.webkit.org/show_bug.cgi?id=71436

Reviewed by Oliver Hunt.

This makes inlined arguments retrieval use some of the same machinery as
OSR to determine where from, and how, to retrieve a value that the DFG
might have somehow squirreled away while the old JIT would put it in its
obvious location, using an obvious format.

To that end, previously DFG-internal notions such as DataFormat,
VirtualRegister, and ValueRecovery are now in bytecode/ since they are
stored as part of InlineCallFrames.

• bytecode/CodeOrigin.h:
• dfg/DFGAbstractState.cpp:

(JSC::DFG::AbstractState::execute):

• dfg/DFGByteCodeParser.cpp:

(JSC::DFG::ByteCodeParser::handleInlining):
(JSC::DFG::ByteCodeParser::InlineStackEntry::InlineStackEntry):

• dfg/DFGJITCompiler.cpp:

(JSC::DFG::JITCompiler::exitSpeculativeWithOSR):

• dfg/DFGJITCompiler32_64.cpp:

(JSC::DFG::JITCompiler::exitSpeculativeWithOSR):

• dfg/DFGNode.h:
• dfg/DFGPropagator.cpp:

(JSC::DFG::Propagator::propagateNodePredictions):

• dfg/DFGSpeculativeJIT.cpp:

(JSC::DFG::SpeculativeJIT::compile):

• dfg/DFGSpeculativeJIT64.cpp:

(JSC::DFG::SpeculativeJIT::compile):

• interpreter/CallFrame.cpp:

(JSC::CallFrame::trueCallerFrame):

• interpreter/CallFrame.h:

(JSC::ExecState::inlineCallFrame):

• interpreter/Register.h:

(JSC::Register::asInlineCallFrame):
(JSC::Register::unboxedInt32):
(JSC::Register::unboxedBoolean):
(JSC::Register::unboxedCell):

• runtime/Arguments.h:

(JSC::Arguments::finishCreationAndCopyRegisters):

LayoutTests: DFG inlining breaks function.arguments[something] if the argument being
retrieved was subjected to DFG's unboxing optimizations
​https://bugs.webkit.org/show_bug.cgi?id=71436

Reviewed by Oliver Hunt.

• fast/js/dfg-inline-arguments-int32-expected.txt: Added.
• fast/js/dfg-inline-arguments-int32.html: Added.
• fast/js/script-tests/dfg-inline-arguments-int32.js: Added.

(foo):
(bar):
(baz):
(argsToStr):

Location:

trunk

Files:

• LayoutTests/ChangeLog (modified) (1 diff)
• LayoutTests/fast/js/dfg-inline-arguments-int32-expected.txt (added)
• LayoutTests/fast/js/dfg-inline-arguments-int32.html (added)
• LayoutTests/fast/js/script-tests/dfg-inline-arguments-int32.js (added)
• Source/JavaScriptCore/ChangeLog (modified) (1 diff)
• Source/JavaScriptCore/bytecode/CodeOrigin.h (modified) (2 diffs)
• Source/JavaScriptCore/dfg/DFGAbstractState.cpp (modified) (1 diff)
• Source/JavaScriptCore/dfg/DFGByteCodeParser.cpp (modified) (2 diffs)
• Source/JavaScriptCore/dfg/DFGJITCompiler.cpp (modified) (1 diff)
• Source/JavaScriptCore/dfg/DFGJITCompiler32_64.cpp (modified) (1 diff)
• Source/JavaScriptCore/dfg/DFGNode.h (modified) (1 diff)
• Source/JavaScriptCore/dfg/DFGPropagator.cpp (modified) (1 diff)
• Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp (modified) (1 diff)
• Source/JavaScriptCore/dfg/DFGSpeculativeJIT64.cpp (modified) (1 diff)
• Source/JavaScriptCore/interpreter/CallFrame.cpp (modified) (1 diff)
• Source/JavaScriptCore/interpreter/CallFrame.h (modified) (1 diff)
• Source/JavaScriptCore/interpreter/Register.h (modified) (3 diffs)
• Source/JavaScriptCore/runtime/Arguments.h (modified) (1 diff)

trunk/LayoutTests/ChangeLog

@@ +1 @@
+2011-11-02  Filip Pizlo  <fpizlo@apple.com>
+
+        DFG inlining breaks function.arguments[something] if the argument being
+        retrieved was subjected to DFG's unboxing optimizations
+        https://bugs.webkit.org/show_bug.cgi?id=71436        
+
+        Reviewed by Oliver Hunt.
+
+        * fast/js/dfg-inline-arguments-int32-expected.txt: Added.
+        * fast/js/dfg-inline-arguments-int32.html: Added.
+        * fast/js/script-tests/dfg-inline-arguments-int32.js: Added.
+        (foo):
+        (bar):
+        (baz):
+        (argsToStr):
+
 2011-11-02  Adam Barth  <abarth@webkit.org>
 

trunk/Source/JavaScriptCore/ChangeLog

@@ +1 @@
+2011-11-02  Filip Pizlo  <fpizlo@apple.com>
+
+        DFG inlining breaks function.arguments[something] if the argument being
+        retrieved was subjected to DFG's unboxing optimizations
+        https://bugs.webkit.org/show_bug.cgi?id=71436
+
+        Reviewed by Oliver Hunt.
+        
+        This makes inlined arguments retrieval use some of the same machinery as
+        OSR to determine where from, and how, to retrieve a value that the DFG
+        might have somehow squirreled away while the old JIT would put it in its
+        obvious location, using an obvious format.
+        
+        To that end, previously DFG-internal notions such as DataFormat,
+        VirtualRegister, and ValueRecovery are now in bytecode/ since they are
+        stored as part of InlineCallFrames.
+
+        * bytecode/CodeOrigin.h:
+        * dfg/DFGAbstractState.cpp:
+        (JSC::DFG::AbstractState::execute):
+        * dfg/DFGByteCodeParser.cpp:
+        (JSC::DFG::ByteCodeParser::handleInlining):
+        (JSC::DFG::ByteCodeParser::InlineStackEntry::InlineStackEntry):
+        * dfg/DFGJITCompiler.cpp:
+        (JSC::DFG::JITCompiler::exitSpeculativeWithOSR):
+        * dfg/DFGJITCompiler32_64.cpp:
+        (JSC::DFG::JITCompiler::exitSpeculativeWithOSR):
+        * dfg/DFGNode.h:
+        * dfg/DFGPropagator.cpp:
+        (JSC::DFG::Propagator::propagateNodePredictions):
+        * dfg/DFGSpeculativeJIT.cpp:
+        (JSC::DFG::SpeculativeJIT::compile):
+        * dfg/DFGSpeculativeJIT64.cpp:
+        (JSC::DFG::SpeculativeJIT::compile):
+        * interpreter/CallFrame.cpp:
+        (JSC::CallFrame::trueCallerFrame):
+        * interpreter/CallFrame.h:
+        (JSC::ExecState::inlineCallFrame):
+        * interpreter/Register.h:
+        (JSC::Register::asInlineCallFrame):
+        (JSC::Register::unboxedInt32):
+        (JSC::Register::unboxedBoolean):
+        (JSC::Register::unboxedCell):
+        * runtime/Arguments.h:
+        (JSC::Arguments::finishCreationAndCopyRegisters):
+
 2011-11-02  Filip Pizlo  <fpizlo@apple.com>
 

trunk/Source/JavaScriptCore/bytecode/CodeOrigin.h

@@ -27 +27 @@
 #define CodeOrigin_h
 
+#include "ValueRecovery.h"
 #include "WriteBarrier.h"
 #include <wtf/StdLibExtras.h>
@@ -76 +77 @@
 
 struct InlineCallFrame {
+    Vector<ValueRecovery> arguments;
     WriteBarrier<ExecutableBase> executable;
     WriteBarrier<JSFunction> callee;
     CodeOrigin caller;
-    unsigned stackOffset;
-    unsigned numArgumentsIncludingThis : 31;
+    unsigned stackOffset : 31;
     bool isCall : 1;
 };

trunk/Source/JavaScriptCore/dfg/DFGAbstractState.cpp

@@ -660 +660 @@
             
     case Phantom:
+    case InlineStart:
         break;
     }

trunk/Source/JavaScriptCore/dfg/DFGByteCodeParser.cpp

@@ -1004 +1004 @@
     unsigned oldIndex = m_currentIndex;
     m_currentIndex = 0;
+
+    addToGraph(InlineStart);
+    
     parseCodeBlock();
+    
     m_currentIndex = oldIndex;
     
@@ -2327 +2331 @@
         inlineCallFrame.callee.set(*byteCodeParser->m_globalData, byteCodeParser->m_codeBlock->ownerExecutable(), callee);
         inlineCallFrame.caller = byteCodeParser->currentCodeOrigin();
-        inlineCallFrame.numArgumentsIncludingThis = codeBlock->m_numParameters;
+        inlineCallFrame.arguments.resize(codeBlock->m_numParameters); // Set the number of arguments including this, but don't configure the value recoveries, yet.
         inlineCallFrame.isCall = isCall(kind);
         byteCodeParser->m_codeBlock->inlineCallFrames().append(inlineCallFrame);

trunk/Source/JavaScriptCore/dfg/DFGJITCompiler.cpp

@@ -784 +784 @@
         storePtr(callerFrameGPR, addressFor((VirtualRegister)(inlineCallFrame->stackOffset + RegisterFile::CallerFrame)));
         storePtr(TrustedImmPtr(jumpTarget), addressFor((VirtualRegister)(inlineCallFrame->stackOffset + RegisterFile::ReturnPC)));
-        storePtr(TrustedImmPtr(JSValue::encode(jsNumber(inlineCallFrame->numArgumentsIncludingThis))), addressFor((VirtualRegister)(inlineCallFrame->stackOffset + RegisterFile::ArgumentCount)));
+        storePtr(TrustedImmPtr(JSValue::encode(jsNumber(inlineCallFrame->arguments.size()))), addressFor((VirtualRegister)(inlineCallFrame->stackOffset + RegisterFile::ArgumentCount)));
         storePtr(TrustedImmPtr(inlineCallFrame->callee.get()), addressFor((VirtualRegister)(inlineCallFrame->stackOffset + RegisterFile::Callee)));
     }

trunk/Source/JavaScriptCore/dfg/DFGJITCompiler32_64.cpp

@@ -529 +529 @@
         storePtr(TrustedImmPtr(jumpTarget), payloadFor((VirtualRegister)(inlineCallFrame->stackOffset + RegisterFile::ReturnPC)));
         store32(Imm32(JSValue::Int32Tag), tagFor((VirtualRegister)(inlineCallFrame->stackOffset + RegisterFile::ArgumentCount)));
-        store32(Imm32(inlineCallFrame->numArgumentsIncludingThis), payloadFor((VirtualRegister)(inlineCallFrame->stackOffset + RegisterFile::ArgumentCount)));
+        store32(Imm32(inlineCallFrame->arguments.size()), payloadFor((VirtualRegister)(inlineCallFrame->stackOffset + RegisterFile::ArgumentCount)));
         store32(Imm32(JSValue::CellTag), tagFor((VirtualRegister)(inlineCallFrame->stackOffset + RegisterFile::Callee)));
         storePtr(TrustedImmPtr(inlineCallFrame->callee.get()), payloadFor((VirtualRegister)(inlineCallFrame->stackOffset + RegisterFile::Callee)));

trunk/Source/JavaScriptCore/dfg/DFGNode.h

@@ -221 +221 @@
     macro(SetArgument, 0) \
     \
+    /* Hint that inlining begins here. No code is generated for this node. It's only */\
+    /* used for copying OSR data into inline frame data, to support reification of */\
+    /* call frames of inlined functions. */\
+    macro(InlineStart, 0) \
+    \
     /* Nodes for bitwise operations. */\
     macro(BitAnd, NodeResultInt32) \

trunk/Source/JavaScriptCore/dfg/DFGPropagator.cpp

@@ -608 +608 @@
             break;
             
-        // This gets ignored because it doesn't do anything.
+        // These gets ignored because it doesn't do anything.
         case Phantom:
+        case InlineStart:
             break;
 #else

trunk/Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp

@@ -264 +264 @@
             fprintf(stderr, "SpeculativeJIT skipping Node @%d (bc#%u) at JIT offset 0x%x     ", (int)m_compileIndex, node.codeOrigin.bytecodeIndex, m_jit.debugOffset());
 #endif
-            if (node.op == SetLocal)
+            switch (node.op) {
+            case SetLocal:
                 compileMovHint(node);
+                break;
+
+            case InlineStart: {
+                InlineCallFrame* inlineCallFrame = node.codeOrigin.inlineCallFrame;
+                unsigned argumentsStart = inlineCallFrame->stackOffset - RegisterFile::CallFrameHeaderSize - inlineCallFrame->arguments.size();
+                for (unsigned i = 0; i < inlineCallFrame->arguments.size(); ++i) {
+                    ValueRecovery recovery = computeValueRecoveryFor(m_variables[argumentsStart + i]);
+                    // The recovery cannot point to registers, since the call frame reification isn't
+                    // as smart as OSR, so it can't handle that. The exception is the this argument,
+                    // which we don't really need to be able to recover.
+                    ASSERT(!i || !recovery.isInRegisters());
+                    inlineCallFrame->arguments[i] = recovery;
+                }
+                break;
+            }
+                
+            default:
+                break;
+            }
         } else {
             

trunk/Source/JavaScriptCore/dfg/DFGSpeculativeJIT64.cpp

@@ -2492 +2492 @@
         noResult(m_compileIndex);
         break;
+        
+    case InlineStart:
+        ASSERT_NOT_REACHED();
+        break;
     }
 

trunk/Source/JavaScriptCore/interpreter/CallFrame.cpp

@@ -111 +111 @@
         
         inlinedCaller->setInlineCallFrame(inlineCallFrame);
-        inlinedCaller->setArgumentCountIncludingThis(inlineCallFrame->numArgumentsIncludingThis);
+        inlinedCaller->setArgumentCountIncludingThis(inlineCallFrame->arguments.size());
         inlinedCaller->setCallee(calleeAsFunction);
         

trunk/Source/JavaScriptCore/interpreter/CallFrame.h

@@ -106 +106 @@
 #endif
 #if ENABLE(DFG_JIT)
-        InlineCallFrame* inlineCallFrame() const { return this[RegisterFile::ReturnPC].inlineCallFrame(); }
+        InlineCallFrame* inlineCallFrame() const { return this[RegisterFile::ReturnPC].asInlineCallFrame(); }
+#else
+        // This will never be called if !ENABLE(DFG_JIT) since all calls should be guarded by
+        // isInlineCallFrame(). But to make it easier to write code without having a bunch of
+        // #if's, we make a dummy implementation available anyway.
+        InlineCallFrame* inlineCallFrame() const
+        {
+            ASSERT_NOT_REACHED();
+            return 0;
+        }
 #endif
 #if ENABLE(INTERPRETER)

trunk/Source/JavaScriptCore/interpreter/Register.h

@@ -72 +72 @@
         ScopeChainNode* scopeChain() const;
         Instruction* vPC() const;
-        InlineCallFrame* inlineCallFrame() const;
+        InlineCallFrame* asInlineCallFrame() const;
+        int32_t unboxedInt32() const;
+        bool unboxedBoolean() const;
+        JSCell* unboxedCell() const;
 
         static Register withInt(int32_t i)
@@ -89 +92 @@
             Instruction* vPC;
             InlineCallFrame* inlineCallFrame;
+            EncodedValueDescriptor encodedValue;
         } u;
     };
@@ -166 +170 @@
     }
 
-    ALWAYS_INLINE InlineCallFrame* Register::inlineCallFrame() const
+    ALWAYS_INLINE InlineCallFrame* Register::asInlineCallFrame() const
     {
         return u.inlineCallFrame;
     }
+        
+    ALWAYS_INLINE int32_t Register::unboxedInt32() const
+    {
+        return u.encodedValue.asBits.payload;
+    }
+
+    ALWAYS_INLINE bool Register::unboxedBoolean() const
+    {
+        return !!u.encodedValue.asBits.payload;
+    }
+
+    ALWAYS_INLINE JSCell* Register::unboxedCell() const
+    {
+#if USE(JSVALUE64)
+        return u.encodedValue.ptr;
+#else
+        return bitwise_cast<JSCell*>(u.encodedValue.asBits.payload);
+#endif
+    }
 
 } // namespace JSC

trunk/Source/JavaScriptCore/runtime/Arguments.h

@@ -260 +260 @@
             
             OwnArrayPtr<WriteBarrier<Unknown> > registerArray = adoptArrayPtr(new WriteBarrier<Unknown>[registerArraySize]);
-            for (size_t i = 0; i < registerArraySize; ++i)
-                registerArray[i].set(callFrame->globalData(), this, callFrame->registers()[i - registerOffset].jsValue());
+            if (callFrame->isInlineCallFrame()) {
+                InlineCallFrame* inlineCallFrame = callFrame->inlineCallFrame();
+                for (size_t i = 0; i < registerArraySize; ++i) {
+                    ValueRecovery& recovery = inlineCallFrame->arguments[i + 1];
+                    // In the future we'll support displaced recoveries (indicating that the
+                    // argument was flushed to a different location), but for now we don't do
+                    // that so this code will fail if that were to happen. On the other hand,
+                    // it's much less likely that we'll support in-register recoveries since
+                    // this code does not (easily) have access to registers.
+                    JSValue value;
+                    Register* location = callFrame->registers() + i - registerOffset;
+                    switch (recovery.technique()) {
+                    case AlreadyInRegisterFile:
+                        value = location->jsValue();
+                        break;
+                    case AlreadyInRegisterFileAsUnboxedInt32:
+                        value = jsNumber(location->unboxedInt32());
+                        break;
+                    case AlreadyInRegisterFileAsUnboxedCell:
+                        value = location->unboxedCell();
+                        break;
+                    case AlreadyInRegisterFileAsUnboxedBoolean:
+                        value = jsBoolean(location->unboxedBoolean());
+                        break;
+                    case Constant:
+                        value = recovery.constant();
+                        break;
+                    default:
+                        ASSERT_NOT_REACHED();
+                        break;
+                    }
+                    registerArray[i].set(callFrame->globalData(), this, value);
+                }
+            } else {
+                for (size_t i = 0; i < registerArraySize; ++i)
+                    registerArray[i].set(callFrame->globalData(), this, callFrame->registers()[i - registerOffset].jsValue());
+            }
             d->registers = registerArray.get() + d->numParameters + RegisterFile::CallFrameHeaderSize;
             d->registerArray = registerArray.release();