Changeset 146100 in webkit
- Timestamp:
- Mar 18, 2013 12:11:47 PM (11 years ago)
- Location:
- trunk
- Files:
-
- 9 added
- 4 edited
trunk/LayoutTests/ChangeLog
r146098 r146100 1 2013-03-18 Michael Saboff <msaboff@apple.com> 2 3 Potentially unsafe register allocations in DFG code generation 4 https://bugs.webkit.org/show_bug.cgi?id=112477 5 6 Reviewed by Geoffrey Garen. 7 8 New tests added to verify proper operation of 9 SpeculativeJIT::compileObjectToObjectOrOtherEquality, 10 SpeculativeJIT::compilePeepHoleObjectToObjectOrOtherEquality 11 and SpeculativeJIT::compileObjectOrOtherLogicalNot. 12 13 * fast/js/dfg-compare-final-object-to-final-object-or-other-expected.txt: Added. 14 * fast/js/dfg-compare-final-object-to-final-object-or-other.html: Added. 15 * fast/js/dfg-logical-not-final-object-or-other-expected.txt: Added. 16 * fast/js/dfg-logical-not-final-object-or-other.html: Added. 17 * fast/js/dfg-peephole-compare-final-object-to-final-object-or-other-expected.txt: Added. 18 * fast/js/dfg-peephole-compare-final-object-to-final-object-or-other.html: Added. 19 * fast/js/script-tests/dfg-compare-final-object-to-final-object-or-other.js: Added. 20 * fast/js/script-tests/dfg-logical-not-final-object-or-other.js: Added. 21 * fast/js/script-tests/dfg-peephole-compare-final-object-to-final-object-or-other.js: Added. 22 1 23 2013-03-18 Julien Chaffraix <jchaffraix@webkit.org> 2 24 -
trunk/Source/JavaScriptCore/ChangeLog
r146089 r146100 1 2013-03-18 Michael Saboff <msaboff@apple.com> 2 3 Potentially unsafe register allocations in DFG code generation 4 https://bugs.webkit.org/show_bug.cgi?id=112477 5 6 Reviewed by Geoffrey Garen. 7 8 Moved allocation of temporary GPRs to be before any generated branches in the functions below. 9 10 * dfg/DFGSpeculativeJIT32_64.cpp: 11 (JSC::DFG::SpeculativeJIT::compileObjectToObjectOrOtherEquality): 12 (JSC::DFG::SpeculativeJIT::compilePeepHoleObjectToObjectOrOtherEquality): 13 (JSC::DFG::SpeculativeJIT::compileObjectOrOtherLogicalNot): 14 * dfg/DFGSpeculativeJIT64.cpp: 15 (JSC::DFG::SpeculativeJIT::compileObjectToObjectOrOtherEquality): 16 (JSC::DFG::SpeculativeJIT::compilePeepHoleObjectToObjectOrOtherEquality): 17 (JSC::DFG::SpeculativeJIT::compileObjectOrOtherLogicalNot): 18 1 19 2013-03-15 Filip Pizlo <fpizlo@apple.com> 2 20 -
trunk/Source/JavaScriptCore/dfg/DFGSpeculativeJIT32_64.cpp
r146089 r146100 1344 1344 GPRReg op2PayloadGPR = op2.payloadGPR(); 1345 1345 GPRReg resultGPR = result.gpr(); 1346 1347 if (m_jit.graph().globalObjectFor(m_currentNode->codeOrigin)->masqueradesAsUndefinedWatchpoint()->isStillValid()) { 1346 GPRTemporary structure; 1347 GPRReg structureGPR = InvalidGPRReg; 1348 1349 bool masqueradesAsUndefinedWatchpointValid = m_jit.graph().globalObjectFor(m_currentNode->codeOrigin)->masqueradesAsUndefinedWatchpoint()->isStillValid(); 1350 1351 if (!masqueradesAsUndefinedWatchpointValid) { 1352 // The masquerades as undefined case will use the structure register, so allocate it here. 1353 // Do this at the top of the function to avoid branching around a register allocation. 1354 GPRTemporary realStructure(this); 1355 structure.adopt(realStructure); 1356 structureGPR = structure.gpr(); 1357 } 1358 1359 if (masqueradesAsUndefinedWatchpointValid) { 1348 1360 m_jit.graph().globalObjectFor(m_currentNode->codeOrigin)->masqueradesAsUndefinedWatchpoint()->add(speculationWatchpoint()); 1349 1361 DFG_TYPE_CHECK( … … 1353 1365 MacroAssembler::TrustedImmPtr(m_jit.globalData()->stringStructure.get()))); 1354 1366 } else { 1355 GPRTemporary structure(this);1356 GPRReg structureGPR = structure.gpr();1357 1358 1367 m_jit.loadPtr(MacroAssembler::Address(op1GPR, JSCell::structureOffset()), structureGPR); 1359 1368 DFG_TYPE_CHECK( … … 1376 1385 1377 1386 // We know that within this branch, rightChild must be a cell. 
1378 if (m _jit.graph().globalObjectFor(m_currentNode->codeOrigin)->masqueradesAsUndefinedWatchpoint()->isStillValid()) {1387 if (masqueradesAsUndefinedWatchpointValid) { 1379 1388 m_jit.graph().globalObjectFor(m_currentNode->codeOrigin)->masqueradesAsUndefinedWatchpoint()->add(speculationWatchpoint()); 1380 1389 DFG_TYPE_CHECK( … … 1385 1394 MacroAssembler::TrustedImmPtr(m_jit.globalData()->stringStructure.get()))); 1386 1395 } else { 1387 GPRTemporary structure(this);1388 GPRReg structureGPR = structure.gpr();1389 1390 1396 m_jit.loadPtr(MacroAssembler::Address(op2PayloadGPR, JSCell::structureOffset()), structureGPR); 1391 1397 DFG_TYPE_CHECK( … … 1446 1452 GPRReg op2PayloadGPR = op2.payloadGPR(); 1447 1453 GPRReg resultGPR = result.gpr(); 1448 1449 if (m_jit.graph().globalObjectFor(m_currentNode->codeOrigin)->masqueradesAsUndefinedWatchpoint()->isStillValid()) { 1454 GPRTemporary structure; 1455 GPRReg structureGPR = InvalidGPRReg; 1456 1457 bool masqueradesAsUndefinedWatchpointValid = m_jit.graph().globalObjectFor(m_currentNode->codeOrigin)->masqueradesAsUndefinedWatchpoint()->isStillValid(); 1458 1459 if (!masqueradesAsUndefinedWatchpointValid) { 1460 // The masquerades as undefined case will use the structure register, so allocate it here. 1461 // Do this at the top of the function to avoid branching around a register allocation. 
1462 GPRTemporary realStructure(this); 1463 structure.adopt(realStructure); 1464 structureGPR = structure.gpr(); 1465 } 1466 1467 if (masqueradesAsUndefinedWatchpointValid) { 1450 1468 m_jit.graph().globalObjectFor(m_currentNode->codeOrigin)->masqueradesAsUndefinedWatchpoint()->add(speculationWatchpoint()); 1451 1469 DFG_TYPE_CHECK( … … 1455 1473 MacroAssembler::TrustedImmPtr(m_jit.globalData()->stringStructure.get()))); 1456 1474 } else { 1457 GPRTemporary structure(this);1458 GPRReg structureGPR = structure.gpr();1459 1460 1475 m_jit.loadPtr(MacroAssembler::Address(op1GPR, JSCell::structureOffset()), structureGPR); 1461 1476 DFG_TYPE_CHECK( … … 1477 1492 1478 1493 // We know that within this branch, rightChild must be a cell. 1479 if (m _jit.graph().globalObjectFor(m_currentNode->codeOrigin)->masqueradesAsUndefinedWatchpoint()->isStillValid()) {1494 if (masqueradesAsUndefinedWatchpointValid) { 1480 1495 m_jit.graph().globalObjectFor(m_currentNode->codeOrigin)->masqueradesAsUndefinedWatchpoint()->add(speculationWatchpoint()); 1481 1496 DFG_TYPE_CHECK( … … 1486 1501 MacroAssembler::TrustedImmPtr(m_jit.globalData()->stringStructure.get()))); 1487 1502 } else { 1488 GPRTemporary structure(this);1489 GPRReg structureGPR = structure.gpr();1490 1491 1503 m_jit.loadPtr(MacroAssembler::Address(op2PayloadGPR, JSCell::structureOffset()), structureGPR); 1492 1504 DFG_TYPE_CHECK( … … 1584 1596 GPRReg valuePayloadGPR = value.payloadGPR(); 1585 1597 GPRReg resultPayloadGPR = resultPayload.gpr(); 1586 1598 GPRTemporary structure; 1599 GPRReg structureGPR = InvalidGPRReg; 1600 1601 bool masqueradesAsUndefinedWatchpointValid = m_jit.graph().globalObjectFor(m_currentNode->codeOrigin)->masqueradesAsUndefinedWatchpoint()->isStillValid(); 1602 1603 if (!masqueradesAsUndefinedWatchpointValid) { 1604 // The masquerades as undefined case will use the structure register, so allocate it here. 1605 // Do this at the top of the function to avoid branching around a register allocation. 
1606 GPRTemporary realStructure(this); 1607 structure.adopt(realStructure); 1608 structureGPR = structure.gpr(); 1609 } 1610 1587 1611 MacroAssembler::Jump notCell = m_jit.branch32(MacroAssembler::NotEqual, valueTagGPR, TrustedImm32(JSValue::CellTag)); 1588 if (m _jit.graph().globalObjectFor(m_currentNode->codeOrigin)->masqueradesAsUndefinedWatchpoint()->isStillValid()) {1612 if (masqueradesAsUndefinedWatchpointValid) { 1589 1613 m_jit.graph().globalObjectFor(m_currentNode->codeOrigin)->masqueradesAsUndefinedWatchpoint()->add(speculationWatchpoint()); 1590 1614 … … 1596 1620 MacroAssembler::TrustedImmPtr(m_jit.globalData()->stringStructure.get()))); 1597 1621 } else { 1598 GPRTemporary structure(this);1599 GPRReg structureGPR = structure.gpr();1600 1601 1622 m_jit.loadPtr(MacroAssembler::Address(valuePayloadGPR, JSCell::structureOffset()), structureGPR); 1602 1623 -
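Review bot: The `else` branches now read `structureGPR`, which starts as `InvalidGPRReg` and is only assigned in the separate `if (!masqueradesAsUndefinedWatchpointValid)` block at the top of each function, so correctness depends on those two conditions staying in lockstep. They do today because both test the same cached bool, but a later edit to either condition would hand an invalid register to `m_jit.loadPtr(...)` in generated JIT code. Adding `ASSERT(structureGPR != InvalidGPRReg);` as the first line of each `else` body in compileObjectToObjectOrOtherEquality, compilePeepHoleObjectToObjectOrOtherEquality and compileObjectOrOtherLogicalNot would pin the invariant. The same applies to the three functions in DFGSpeculativeJIT64.cpp. The function bodies start and end outside the displayed hunks.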
trunk/Source/JavaScriptCore/dfg/DFGSpeculativeJIT64.cpp
r146089 r146100 1370 1370 GPRReg op2GPR = op2.gpr(); 1371 1371 GPRReg resultGPR = result.gpr(); 1372 1373 if (m_jit.graph().globalObjectFor(m_currentNode->codeOrigin)->masqueradesAsUndefinedWatchpoint()->isStillValid()) { 1372 GPRTemporary structure; 1373 GPRReg structureGPR = InvalidGPRReg; 1374 1375 bool masqueradesAsUndefinedWatchpointValid = m_jit.graph().globalObjectFor(m_currentNode->codeOrigin)->masqueradesAsUndefinedWatchpoint()->isStillValid(); 1376 1377 if (!masqueradesAsUndefinedWatchpointValid) { 1378 // The masquerades as undefined case will use the structure register, so allocate it here. 1379 // Do this at the top of the function to avoid branching around a register allocation. 1380 GPRTemporary realStructure(this); 1381 structure.adopt(realStructure); 1382 structureGPR = structure.gpr(); 1383 } 1384 1385 if (masqueradesAsUndefinedWatchpointValid) { 1374 1386 m_jit.graph().globalObjectFor(m_currentNode->codeOrigin)->masqueradesAsUndefinedWatchpoint()->add(speculationWatchpoint()); 1375 1387 DFG_TYPE_CHECK( … … 1379 1391 MacroAssembler::TrustedImmPtr(m_jit.globalData()->stringStructure.get()))); 1380 1392 } else { 1381 GPRTemporary structure(this);1382 GPRReg structureGPR = structure.gpr();1383 1384 1393 m_jit.loadPtr(MacroAssembler::Address(op1GPR, JSCell::structureOffset()), structureGPR); 1385 1394 DFG_TYPE_CHECK( … … 1401 1410 1402 1411 // We know that within this branch, rightChild must be a cell. 
1403 if (m _jit.graph().globalObjectFor(m_currentNode->codeOrigin)->masqueradesAsUndefinedWatchpoint()->isStillValid()) {1412 if (masqueradesAsUndefinedWatchpointValid) { 1404 1413 m_jit.graph().globalObjectFor(m_currentNode->codeOrigin)->masqueradesAsUndefinedWatchpoint()->add(speculationWatchpoint()); 1405 1414 DFG_TYPE_CHECK( … … 1409 1418 MacroAssembler::TrustedImmPtr(m_jit.globalData()->stringStructure.get()))); 1410 1419 } else { 1411 GPRTemporary structure(this);1412 GPRReg structureGPR = structure.gpr();1413 1414 1420 m_jit.loadPtr(MacroAssembler::Address(op2GPR, JSCell::structureOffset()), structureGPR); 1415 1421 DFG_TYPE_CHECK( … … 1468 1474 GPRReg op2GPR = op2.gpr(); 1469 1475 GPRReg resultGPR = result.gpr(); 1470 1471 if (m_jit.graph().globalObjectFor(m_currentNode->codeOrigin)->masqueradesAsUndefinedWatchpoint()->isStillValid()) { 1476 GPRTemporary structure; 1477 GPRReg structureGPR = InvalidGPRReg; 1478 1479 bool masqueradesAsUndefinedWatchpointValid = m_jit.graph().globalObjectFor(m_currentNode->codeOrigin)->masqueradesAsUndefinedWatchpoint()->isStillValid(); 1480 1481 if (!masqueradesAsUndefinedWatchpointValid) { 1482 // The masquerades as undefined case will use the structure register, so allocate it here. 1483 // Do this at the top of the function to avoid branching around a register allocation. 
1484 GPRTemporary realStructure(this); 1485 structure.adopt(realStructure); 1486 structureGPR = structure.gpr(); 1487 } 1488 1489 if (masqueradesAsUndefinedWatchpointValid) { 1472 1490 m_jit.graph().globalObjectFor(m_currentNode->codeOrigin)->masqueradesAsUndefinedWatchpoint()->add(speculationWatchpoint()); 1473 1491 DFG_TYPE_CHECK( … … 1477 1495 MacroAssembler::TrustedImmPtr(m_jit.globalData()->stringStructure.get()))); 1478 1496 } else { 1479 GPRTemporary structure(this);1480 GPRReg structureGPR = structure.gpr();1481 1482 1497 m_jit.loadPtr(MacroAssembler::Address(op1GPR, JSCell::structureOffset()), structureGPR); 1483 1498 DFG_TYPE_CHECK( … … 1492 1507 MacroAssembler::TrustedImm32(MasqueradesAsUndefined))); 1493 1508 } 1494 1509 1495 1510 // It seems that most of the time when programs do a == b where b may be either null/undefined 1496 1511 // or an object, b is usually an object. Balance the branches to make that case fast. … … 1499 1514 1500 1515 // We know that within this branch, rightChild must be a cell. 
1501 if (m _jit.graph().globalObjectFor(m_currentNode->codeOrigin)->masqueradesAsUndefinedWatchpoint()->isStillValid()) {1516 if (masqueradesAsUndefinedWatchpointValid) { 1502 1517 m_jit.graph().globalObjectFor(m_currentNode->codeOrigin)->masqueradesAsUndefinedWatchpoint()->add(speculationWatchpoint()); 1503 1518 DFG_TYPE_CHECK( … … 1507 1522 MacroAssembler::TrustedImmPtr(m_jit.globalData()->stringStructure.get()))); 1508 1523 } else { 1509 GPRTemporary structure(this);1510 GPRReg structureGPR = structure.gpr();1511 1512 1524 m_jit.loadPtr(MacroAssembler::Address(op2GPR, JSCell::structureOffset()), structureGPR); 1513 1525 DFG_TYPE_CHECK( … … 1600 1612 GPRReg valueGPR = value.gpr(); 1601 1613 GPRReg resultGPR = result.gpr(); 1602 1614 GPRTemporary structure; 1615 GPRReg structureGPR = InvalidGPRReg; 1616 1617 bool masqueradesAsUndefinedWatchpointValid = m_jit.graph().globalObjectFor(m_currentNode->codeOrigin)->masqueradesAsUndefinedWatchpoint()->isStillValid(); 1618 1619 if (!masqueradesAsUndefinedWatchpointValid) { 1620 // The masquerades as undefined case will use the structure register, so allocate it here. 1621 // Do this at the top of the function to avoid branching around a register allocation. 
1622 GPRTemporary realStructure(this); 1623 structure.adopt(realStructure); 1624 structureGPR = structure.gpr(); 1625 } 1626 1603 1627 MacroAssembler::Jump notCell = m_jit.branchTest64(MacroAssembler::NonZero, valueGPR, GPRInfo::tagMaskRegister); 1604 if (m _jit.graph().globalObjectFor(m_currentNode->codeOrigin)->masqueradesAsUndefinedWatchpoint()->isStillValid()) {1628 if (masqueradesAsUndefinedWatchpointValid) { 1605 1629 m_jit.graph().globalObjectFor(m_currentNode->codeOrigin)->masqueradesAsUndefinedWatchpoint()->add(speculationWatchpoint()); 1606 1630 DFG_TYPE_CHECK( … … 1610 1634 MacroAssembler::TrustedImmPtr(m_jit.globalData()->stringStructure.get()))); 1611 1635 } else { 1612 GPRTemporary structure(this);1613 GPRReg structureGPR = structure.gpr();1614 1615 1636 m_jit.loadPtr(MacroAssembler::Address(valueGPR, JSCell::structureOffset()), structureGPR); 1616 1637
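Review bot: The new comment `// Do this at the top of the function to avoid branching around a register allocation.` says what to avoid but not why, and the reason is what the next maintainer needs in order not to reintroduce the bug. Presumably constructing a `GPRTemporary` can emit spill code, and if that code lands after an already-generated branch it executes on only one path while the allocator's bookkeeping assumes it ran on both. If that is the case, state it, e.g. `// Allocation may emit spill code that must execute on every path, so allocate before any branch is generated.` The same comment is repeated in all six functions across this file and DFGSpeculativeJIT32_64.cpp, so the wording change applies to each copy.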