Changeset 129089 in webkit

Timestamp:

Sep 19, 2012 9:44:43 PM (12 years ago)

Author:

ggaren@apple.com

Message:

OSR exit sometimes neglects to create the arguments object
​https://bugs.webkit.org/show_bug.cgi?id=97162

Reviewed by Filip Pizlo.

../JavaScriptCore:

No performance change.

I don't know of any case where this is a real problem in TOT, but it
will become a problem if we start compiling eval, with, or catch, and/or
sometimes stop doing arguments optimizations in the bytecode.

• dfg/DFGArgumentsSimplificationPhase.cpp:

(JSC::DFG::ArgumentsSimplificationPhase::run): Account for a
CreateArguments that has transformed into PhantomArguments. We used to
clear our reference to the CreateArguments node, but now we hold onto it,
so we need to account for it transforming.

Don't replace a SetLocal(CreateArguments) with a SetLocal(JSValue())
because that doesn't leave enough information behind for OSR exit to do
the right thing. Instead, maintain our reference to CreateArguments, and
rely on CreateArguments transforming into PhantomArguments after
optimization. SetLocal(PhantomArguments) is efficient, and it's a marker
for OSR exit to create the arguments object.

Don't ASSERT that all PhantomArguments are unreferenced because we now
leave them in the graph as SetLocal(PhantomArguments), and that's harmless.

• dfg/DFGArgumentsSimplificationPhase.h:

(NullableHashTraits):
(JSC::DFG::NullableHashTraits::emptyValue): Export our special hash table
for inline call frames so the OSR exit compiler can use it.

• dfg/DFGOSRExitCompiler32_64.cpp:

(JSC::DFG::OSRExitCompiler::compileExit):

• dfg/DFGOSRExitCompiler64.cpp:

(JSC::DFG::OSRExitCompiler::compileExit): Don't load the 'arguments'
register to decide if we need to create the arguments object. Optimization
may have eliminated the initializing store to this register, in which
case we'll load garbage. Instead, use the global knowledge that all call
frames that optimized out 'arguments' now need to create it, and use a hash
table to make sure we do so only once per call frame.

• dfg/DFGSpeculativeJIT64.cpp:

(JSC::DFG::SpeculativeJIT::compile): SetLocal(PhantomArguments) is unique
because we haven't just changed a value's format or elided a load or store;
instead, we've replaced an object with JSValue(). We could try to account
for this in a general way, but for now it's a special-case optimization,
so we give it a specific OSR hint instead.

../WTF:

• wtf/HashTraits.h:

(NullableHashTraits):
(WTF::NullableHashTraits::emptyValue):
(WTF):

Location:

trunk/Source

Files:

• JavaScriptCore/ChangeLog (modified) (1 diff)
• JavaScriptCore/dfg/DFGArgumentsSimplificationPhase.cpp (modified) (4 diffs)
• JavaScriptCore/dfg/DFGOSRExitCompiler32_64.cpp (modified) (2 diffs)
• JavaScriptCore/dfg/DFGOSRExitCompiler64.cpp (modified) (2 diffs)
• JavaScriptCore/dfg/DFGSpeculativeJIT32_64.cpp (modified) (2 diffs)
• JavaScriptCore/dfg/DFGSpeculativeJIT64.cpp (modified) (2 diffs)
• WTF/ChangeLog (modified) (1 diff)
• WTF/wtf/HashTraits.h (modified) (1 diff)

trunk/Source/JavaScriptCore/ChangeLog

@@ +1 @@
+2012-09-19  Geoffrey Garen  <ggaren@apple.com>
+
+        OSR exit sometimes neglects to create the arguments object
+        https://bugs.webkit.org/show_bug.cgi?id=97162
+
+        Reviewed by Filip Pizlo.
+
+        No performance change.
+
+        I don't know of any case where this is a real problem in TOT, but it
+        will become a problem if we start compiling eval, with, or catch, and/or
+        sometimes stop doing arguments optimizations in the bytecode.
+
+        * dfg/DFGArgumentsSimplificationPhase.cpp:
+        (JSC::DFG::ArgumentsSimplificationPhase::run): Account for a
+        CreateArguments that has transformed into PhantomArguments. We used to
+        clear our reference to the CreateArguments node, but now we hold onto it, 
+        so we need to account for it transforming.
+
+        Don't replace a SetLocal(CreateArguments) with a SetLocal(JSValue())
+        because that doesn't leave enough information behind for OSR exit to do
+        the right thing. Instead, maintain our reference to CreateArguments, and
+        rely on CreateArguments transforming into PhantomArguments after
+        optimization. SetLocal(PhantomArguments) is efficient, and it's a marker
+        for OSR exit to create the arguments object.
+
+        Don't ASSERT that all PhantomArguments are unreferenced because we now
+        leave them in the graph as SetLocal(PhantomArguments), and that's harmless.
+
+        * dfg/DFGArgumentsSimplificationPhase.h:
+        (NullableHashTraits):
+        (JSC::DFG::NullableHashTraits::emptyValue): Export our special hash table
+        for inline call frames so the OSR exit compiler can use it.
+
+        * dfg/DFGOSRExitCompiler32_64.cpp:
+        (JSC::DFG::OSRExitCompiler::compileExit):
+        * dfg/DFGOSRExitCompiler64.cpp:
+        (JSC::DFG::OSRExitCompiler::compileExit): Don't load the 'arguments'
+        register to decide if we need to create the arguments object. Optimization
+        may have eliminated the initializing store to this register, in which
+        case we'll load garbage. Instead, use the global knowledge that all call
+        frames that optimized out 'arguments' now need to create it, and use a hash
+        table to make sure we do so only once per call frame.
+
+        * dfg/DFGSpeculativeJIT64.cpp:
+        (JSC::DFG::SpeculativeJIT::compile): SetLocal(PhantomArguments) is unique
+        because we haven't just changed a value's format or elided a load or store;
+        instead, we've replaced an object with JSValue(). We could try to account
+        for this in a general way, but for now it's a special-case optimization,
+        so we give it a specific OSR hint instead.
+
 2012-09-19  Filip Pizlo  <fpizlo@apple.com>
 

trunk/Source/JavaScriptCore/dfg/DFGArgumentsSimplificationPhase.cpp

@@ -42 +42 @@
 namespace {
 
-template<typename T>
-struct NullableHashTraits : public HashTraits<T> {
-    static const bool emptyValueIsZero = false;
-    static T emptyValue() { return reinterpret_cast<T>(1); }
-};
-
 struct ArgumentsAliasingData {
     InlineCallFrame* callContext;
@@ -182 +176 @@
                     int argumentsRegister =
                         m_graph.uncheckedArgumentsRegisterFor(node.codeOrigin);
-                    if (source.op() != CreateArguments) {
+                    if (source.op() != CreateArguments && source.op() != PhantomArguments) {
                         // Make sure that the source of the SetLocal knows that if it's
                         // a variable that we think is aliased to the arguments, then it
@@ -436 +430 @@
                     
                     if (m_graph.argumentsRegisterFor(node.codeOrigin) == variableAccessData->local()
-                           || unmodifiedArgumentsRegister(m_graph.argumentsRegisterFor(node.codeOrigin)) == variableAccessData->local()) {
-                        // The child of this store should really be the empty value.
-                        Node emptyJSValue(JSConstant, node.codeOrigin, OpInfo(codeBlock()->addOrFindConstant(JSValue())));
-                        emptyJSValue.ref();
-                        NodeIndex emptyJSValueIndex = m_graph.size();
-                        m_graph.deref(node.child1());
-                        node.children.child1() = Edge(emptyJSValueIndex);
-                        m_graph.append(emptyJSValue);
-                        insertionSet.append(indexInBlock, emptyJSValueIndex);
-                        changed = true;
-                        break;
-                    }
+                           || unmodifiedArgumentsRegister(m_graph.argumentsRegisterFor(node.codeOrigin)) == variableAccessData->local())
+                        break;
+
                     ASSERT(!variableAccessData->isCaptured());
                     
@@ -662 +647 @@
         }
         
-        if (changed) {
+        if (changed)
             m_graph.collectGarbage();
-            
-            // Verify that PhantomArguments nodes are not shouldGenerate().
-#if !ASSERT_DISABLED
-            for (BlockIndex blockIndex = 0; blockIndex < m_graph.m_blocks.size(); ++blockIndex) {
-                BasicBlock* block = m_graph.m_blocks[blockIndex].get();
-                if (!block)
-                    continue;
-                for (unsigned indexInBlock = 0; indexInBlock < block->size(); ++indexInBlock) {
-                    NodeIndex nodeIndex = block->at(indexInBlock);
-                    Node& node = m_graph[nodeIndex];
-                    if (node.op() != PhantomArguments)
-                        continue;
-                    ASSERT(!node.shouldGenerate());
-                }
-            }
-#endif
-        }
         
         return changed;

trunk/Source/JavaScriptCore/dfg/DFGOSRExitCompiler32_64.cpp

@@ -613 +613 @@
     
     if (haveArguments) {
+        HashSet<InlineCallFrame*, DefaultHash<InlineCallFrame*>::Hash,
+            NullableHashTraits<InlineCallFrame*> > didCreateArgumentsObject;
+
         for (size_t index = 0; index < operands.size(); ++index) {
             const ValueRecovery& recovery = operands[index];
@@ -628 +631 @@
                 }
             }
+
             int argumentsRegister = m_jit.argumentsRegisterFor(inlineCallFrame);
-            
+            if (didCreateArgumentsObject.add(inlineCallFrame).isNewEntry) {
+                // We know this call frame optimized out an arguments object that
+                // the baseline JIT would have created. Do that creation now.
+                if (inlineCallFrame) {
+                    m_jit.setupArgumentsWithExecState(
+                        AssemblyHelpers::TrustedImmPtr(inlineCallFrame));
+                    m_jit.move(
+                        AssemblyHelpers::TrustedImmPtr(
+                            bitwise_cast<void*>(operationCreateInlinedArguments)),
+                        GPRInfo::nonArgGPR0);
+                } else {
+                    m_jit.setupArgumentsExecState();
+                    m_jit.move(
+                        AssemblyHelpers::TrustedImmPtr(
+                            bitwise_cast<void*>(operationCreateArguments)),
+                        GPRInfo::nonArgGPR0);
+                }
+                m_jit.call(GPRInfo::nonArgGPR0);
+                m_jit.store32(
+                    AssemblyHelpers::TrustedImm32(JSValue::CellTag),
+                    AssemblyHelpers::tagFor(argumentsRegister));
+                m_jit.store32(
+                    GPRInfo::returnValueGPR,
+                    AssemblyHelpers::payloadFor(argumentsRegister));
+                m_jit.store32(
+                    AssemblyHelpers::TrustedImm32(JSValue::CellTag),
+                    AssemblyHelpers::tagFor(unmodifiedArgumentsRegister(argumentsRegister)));
+                m_jit.store32(
+                    GPRInfo::returnValueGPR,
+                    AssemblyHelpers::payloadFor(unmodifiedArgumentsRegister(argumentsRegister)));
+                m_jit.move(GPRInfo::returnValueGPR, GPRInfo::regT0); // no-op move on almost all platforms.
+            }
+
             m_jit.load32(AssemblyHelpers::payloadFor(argumentsRegister), GPRInfo::regT0);
-            AssemblyHelpers::Jump haveArguments = m_jit.branch32(
-                AssemblyHelpers::NotEqual,
-                AssemblyHelpers::tagFor(argumentsRegister),
-                AssemblyHelpers::TrustedImm32(JSValue::EmptyValueTag));
-            
-            if (inlineCallFrame) {
-                m_jit.setupArgumentsWithExecState(
-                    AssemblyHelpers::TrustedImmPtr(inlineCallFrame));
-                m_jit.move(
-                    AssemblyHelpers::TrustedImmPtr(
-                        bitwise_cast<void*>(operationCreateInlinedArguments)),
-                    GPRInfo::nonArgGPR0);
-            } else {
-                m_jit.setupArgumentsExecState();
-                m_jit.move(
-                    AssemblyHelpers::TrustedImmPtr(
-                        bitwise_cast<void*>(operationCreateArguments)),
-                    GPRInfo::nonArgGPR0);
-            }
-            m_jit.call(GPRInfo::nonArgGPR0);
-            m_jit.store32(
-                AssemblyHelpers::TrustedImm32(JSValue::CellTag),
-                AssemblyHelpers::tagFor(argumentsRegister));
-            m_jit.store32(
-                GPRInfo::returnValueGPR,
-                AssemblyHelpers::payloadFor(argumentsRegister));
-            m_jit.store32(
-                AssemblyHelpers::TrustedImm32(JSValue::CellTag),
-                AssemblyHelpers::tagFor(unmodifiedArgumentsRegister(argumentsRegister)));
-            m_jit.store32(
-                GPRInfo::returnValueGPR,
-                AssemblyHelpers::payloadFor(unmodifiedArgumentsRegister(argumentsRegister)));
-            m_jit.move(GPRInfo::returnValueGPR, GPRInfo::regT0); // no-op move on almost all platforms.
-            
-            haveArguments.link(&m_jit);
             m_jit.store32(
                 AssemblyHelpers::TrustedImm32(JSValue::CellTag),

trunk/Source/JavaScriptCore/dfg/DFGOSRExitCompiler64.cpp

@@ -588 +588 @@
     
     if (haveArguments) {
+        HashSet<InlineCallFrame*, DefaultHash<InlineCallFrame*>::Hash,
+            NullableHashTraits<InlineCallFrame*> > didCreateArgumentsObject;
+
         for (size_t index = 0; index < operands.size(); ++index) {
             const ValueRecovery& recovery = operands[index];
@@ -603 +606 @@
                 }
             }
+
             int argumentsRegister = m_jit.argumentsRegisterFor(inlineCallFrame);
-            
+            if (didCreateArgumentsObject.add(inlineCallFrame).isNewEntry) {
+                // We know this call frame optimized out an arguments object that
+                // the baseline JIT would have created. Do that creation now.
+                if (inlineCallFrame) {
+                    m_jit.addPtr(AssemblyHelpers::TrustedImm32(inlineCallFrame->stackOffset * sizeof(EncodedJSValue)), GPRInfo::callFrameRegister, GPRInfo::regT0);
+                    m_jit.setupArguments(GPRInfo::regT0);
+                } else
+                    m_jit.setupArgumentsExecState();
+                m_jit.move(
+                    AssemblyHelpers::TrustedImmPtr(
+                        bitwise_cast<void*>(operationCreateArguments)),
+                    GPRInfo::nonArgGPR0);
+                m_jit.call(GPRInfo::nonArgGPR0);
+                m_jit.storePtr(GPRInfo::returnValueGPR, AssemblyHelpers::addressFor(argumentsRegister));
+                m_jit.storePtr(
+                    GPRInfo::returnValueGPR,
+                    AssemblyHelpers::addressFor(unmodifiedArgumentsRegister(argumentsRegister)));
+                m_jit.move(GPRInfo::returnValueGPR, GPRInfo::regT0); // no-op move on almost all platforms.
+            }
+
             m_jit.loadPtr(AssemblyHelpers::addressFor(argumentsRegister), GPRInfo::regT0);
-            AssemblyHelpers::Jump haveArguments = m_jit.branchTestPtr(
-                AssemblyHelpers::NonZero, GPRInfo::regT0);
-            
-            if (inlineCallFrame) {
-                m_jit.addPtr(AssemblyHelpers::TrustedImm32(inlineCallFrame->stackOffset * sizeof(EncodedJSValue)), GPRInfo::callFrameRegister, GPRInfo::regT0);
-                m_jit.setupArguments(GPRInfo::regT0);
-            } else
-                m_jit.setupArgumentsExecState();
-            m_jit.move(
-                AssemblyHelpers::TrustedImmPtr(
-                    bitwise_cast<void*>(operationCreateArguments)),
-                GPRInfo::nonArgGPR0);
-            m_jit.call(GPRInfo::nonArgGPR0);
-            m_jit.storePtr(GPRInfo::returnValueGPR, AssemblyHelpers::addressFor(argumentsRegister));
-            m_jit.storePtr(
-                GPRInfo::returnValueGPR,
-                AssemblyHelpers::addressFor(unmodifiedArgumentsRegister(argumentsRegister)));
-            m_jit.move(GPRInfo::returnValueGPR, GPRInfo::regT0); // no-op move on almost all platforms.
-            
-            haveArguments.link(&m_jit);
             m_jit.storePtr(GPRInfo::regT0, AssemblyHelpers::addressFor(operand));
         }

trunk/Source/JavaScriptCore/dfg/DFGSpeculativeJIT32_64.cpp

@@ -2056 +2056 @@
 
     case PhantomArguments:
-        // This should never be must-generate.
-        ASSERT_NOT_REACHED();
-        // But as a release-mode fall-back make it the empty value.
         initConstantInfo(m_compileIndex);
         break;
@@ -2245 +2242 @@
         noResult(m_compileIndex);
         recordSetLocal(node.local(), ValueSource(ValueInRegisterFile));
+
+        // If we're storing an arguments object that has been optimized away,
+        // our variable event stream for OSR exit now reflects the optimized
+        // value (JSValue()). On the slow path, we want an arguments object
+        // instead. We add an additional move hint to show OSR exit that it
+        // needs to reconstruct the arguments object.
+        if (at(node.child1()).op() == PhantomArguments)
+            compileMovHint(node);
+
         break;
     }

trunk/Source/JavaScriptCore/dfg/DFGSpeculativeJIT64.cpp

@@ -2120 +2120 @@
 
     case PhantomArguments:
-        // This should never be must-generate.
-        ASSERT_NOT_REACHED();
-        // But as a release-mode fall-back make it the empty value.
         initConstantInfo(m_compileIndex);
         break;
@@ -2281 +2278 @@
 
         recordSetLocal(node.local(), ValueSource(ValueInRegisterFile));
+
+        // If we're storing an arguments object that has been optimized away,
+        // our variable event stream for OSR exit now reflects the optimized
+        // value (JSValue()). On the slow path, we want an arguments object
+        // instead. We add an additional move hint to show OSR exit that it
+        // needs to reconstruct the arguments object.
+        if (at(node.child1()).op() == PhantomArguments)
+            compileMovHint(node);
+
         break;
     }

trunk/Source/WTF/ChangeLog

@@ +1 @@
+2012-09-19  Geoffrey Garen  <ggaren@apple.com>
+
+        OSR exit sometimes neglects to create the arguments object
+        https://bugs.webkit.org/show_bug.cgi?id=97162
+
+        Reviewed by Filip Pizlo.
+
+        * wtf/HashTraits.h:
+        (NullableHashTraits):
+        (WTF::NullableHashTraits::emptyValue):
+        (WTF):
+
 2012-09-18  Glenn Adams  <glenn@skynav.com>
 

trunk/Source/WTF/wtf/HashTraits.h

@@ -232 +232 @@
     struct HashTraits<KeyValuePair<Key, Value> > : public KeyValuePairHashTraits<HashTraits<Key>, HashTraits<Value> > { };
 
+    template<typename T>
+    struct NullableHashTraits : public HashTraits<T> {
+        static const bool emptyValueIsZero = false;
+        static T emptyValue() { return reinterpret_cast<T>(1); }
+    };
+
 } // namespace WTF
 
 using WTF::HashTraits;
 using WTF::PairHashTraits;
+using WTF::NullableHashTraits;
 
 #endif // WTF_HashTraits_h