Changeset 146100 in webkit


Ignore:
Timestamp:
Mar 18, 2013 12:11:47 PM (11 years ago)
Author:
msaboff@apple.com
Message:

Potentially unsafe register allocations in DFG code generation
https://bugs.webkit.org/show_bug.cgi?id=112477

Reviewed by Geoffrey Garen.

Source/JavaScriptCore:

Moved allocation of temporary GPRs to be before any generated branches in the functions below.

  • dfg/DFGSpeculativeJIT32_64.cpp:

(JSC::DFG::SpeculativeJIT::compileObjectToObjectOrOtherEquality):
(JSC::DFG::SpeculativeJIT::compilePeepHoleObjectToObjectOrOtherEquality):
(JSC::DFG::SpeculativeJIT::compileObjectOrOtherLogicalNot):

  • dfg/DFGSpeculativeJIT64.cpp:

(JSC::DFG::SpeculativeJIT::compileObjectToObjectOrOtherEquality):
(JSC::DFG::SpeculativeJIT::compilePeepHoleObjectToObjectOrOtherEquality):
(JSC::DFG::SpeculativeJIT::compileObjectOrOtherLogicalNot):

LayoutTests:

New tests added to verify proper operation of
SpeculativeJIT::compileObjectToObjectOrOtherEquality,
SpeculativeJIT::compilePeepHoleObjectToObjectOrOtherEquality
and SpeculativeJIT::compileObjectOrOtherLogicalNot.

  • fast/js/dfg-compare-final-object-to-final-object-or-other-expected.txt: Added.
  • fast/js/dfg-compare-final-object-to-final-object-or-other.html: Added.
  • fast/js/dfg-logical-not-final-object-or-other-expected.txt: Added.
  • fast/js/dfg-logical-not-final-object-or-other.html: Added.
  • fast/js/dfg-peephole-compare-final-object-to-final-object-or-other-expected.txt: Added.
  • fast/js/dfg-peephole-compare-final-object-to-final-object-or-other.html: Added.
  • fast/js/script-tests/dfg-compare-final-object-to-final-object-or-other.js: Added.
  • fast/js/script-tests/dfg-logical-not-final-object-or-other.js: Added.
  • fast/js/script-tests/dfg-peephole-compare-final-object-to-final-object-or-other.js: Added.
Location:
trunk
Files:
9 added
4 edited

Legend:

Unmodified
Added
Removed
  • trunk/LayoutTests/ChangeLog

    r146098 r146100  
     12013-03-18  Michael Saboff  <msaboff@apple.com>
     2
     3        Potentially unsafe register allocations in DFG code generation
     4        https://bugs.webkit.org/show_bug.cgi?id=112477
     5
     6        Reviewed by Geoffrey Garen.
     7
     8        New tests added to verify proper operation of
     9        SpeculativeJIT::compileObjectToObjectOrOtherEquality,
     10        SpeculativeJIT::compilePeepHoleObjectToObjectOrOtherEquality
     11        and SpeculativeJIT::compileObjectOrOtherLogicalNot.
     12
     13        * fast/js/dfg-compare-final-object-to-final-object-or-other-expected.txt: Added.
     14        * fast/js/dfg-compare-final-object-to-final-object-or-other.html: Added.
     15        * fast/js/dfg-logical-not-final-object-or-other-expected.txt: Added.
     16        * fast/js/dfg-logical-not-final-object-or-other.html: Added.
     17        * fast/js/dfg-peephole-compare-final-object-to-final-object-or-other-expected.txt: Added.
     18        * fast/js/dfg-peephole-compare-final-object-to-final-object-or-other.html: Added.
     19        * fast/js/script-tests/dfg-compare-final-object-to-final-object-or-other.js: Added.
     20        * fast/js/script-tests/dfg-logical-not-final-object-or-other.js: Added.
     21        * fast/js/script-tests/dfg-peephole-compare-final-object-to-final-object-or-other.js: Added.
     22
    1232013-03-18  Julien Chaffraix  <jchaffraix@webkit.org>
    224
  • trunk/Source/JavaScriptCore/ChangeLog

    r146089 r146100  
     12013-03-18  Michael Saboff  <msaboff@apple.com>
     2
     3        Potentially unsafe register allocations in DFG code generation
     4        https://bugs.webkit.org/show_bug.cgi?id=112477
     5
     6        Reviewed by Geoffrey Garen.
     7
     8        Moved allocation of temporary GPRs to be before any generated branches in the functions below.
     9
     10        * dfg/DFGSpeculativeJIT32_64.cpp:
     11        (JSC::DFG::SpeculativeJIT::compileObjectToObjectOrOtherEquality):
     12        (JSC::DFG::SpeculativeJIT::compilePeepHoleObjectToObjectOrOtherEquality):
     13        (JSC::DFG::SpeculativeJIT::compileObjectOrOtherLogicalNot):
     14        * dfg/DFGSpeculativeJIT64.cpp:
     15        (JSC::DFG::SpeculativeJIT::compileObjectToObjectOrOtherEquality):
     16        (JSC::DFG::SpeculativeJIT::compilePeepHoleObjectToObjectOrOtherEquality):
     17        (JSC::DFG::SpeculativeJIT::compileObjectOrOtherLogicalNot):
     18
    1192013-03-15  Filip Pizlo  <fpizlo@apple.com>
    220
  • trunk/Source/JavaScriptCore/dfg/DFGSpeculativeJIT32_64.cpp

    r146089 r146100  
    13441344    GPRReg op2PayloadGPR = op2.payloadGPR();
    13451345    GPRReg resultGPR = result.gpr();
    1346    
    1347     if (m_jit.graph().globalObjectFor(m_currentNode->codeOrigin)->masqueradesAsUndefinedWatchpoint()->isStillValid()) {
     1346    GPRTemporary structure;
     1347    GPRReg structureGPR = InvalidGPRReg;
     1348
     1349    bool masqueradesAsUndefinedWatchpointValid = m_jit.graph().globalObjectFor(m_currentNode->codeOrigin)->masqueradesAsUndefinedWatchpoint()->isStillValid();
     1350
     1351    if (!masqueradesAsUndefinedWatchpointValid) {
     1352        // The masquerades as undefined case will use the structure register, so allocate it here.
     1353        // Do this at the top of the function to avoid branching around a register allocation.
     1354        GPRTemporary realStructure(this);
     1355        structure.adopt(realStructure);
     1356        structureGPR = structure.gpr();
     1357    }
     1358
     1359    if (masqueradesAsUndefinedWatchpointValid) {
    13481360        m_jit.graph().globalObjectFor(m_currentNode->codeOrigin)->masqueradesAsUndefinedWatchpoint()->add(speculationWatchpoint());
    13491361        DFG_TYPE_CHECK(
     
    13531365                MacroAssembler::TrustedImmPtr(m_jit.globalData()->stringStructure.get())));
    13541366    } else {
    1355         GPRTemporary structure(this);
    1356         GPRReg structureGPR = structure.gpr();
    1357 
    13581367        m_jit.loadPtr(MacroAssembler::Address(op1GPR, JSCell::structureOffset()), structureGPR);
    13591368        DFG_TYPE_CHECK(
     
    13761385   
    13771386    // We know that within this branch, rightChild must be a cell.
    1378     if (m_jit.graph().globalObjectFor(m_currentNode->codeOrigin)->masqueradesAsUndefinedWatchpoint()->isStillValid()) {
     1387    if (masqueradesAsUndefinedWatchpointValid) {
    13791388        m_jit.graph().globalObjectFor(m_currentNode->codeOrigin)->masqueradesAsUndefinedWatchpoint()->add(speculationWatchpoint());
    13801389        DFG_TYPE_CHECK(
     
    13851394                MacroAssembler::TrustedImmPtr(m_jit.globalData()->stringStructure.get())));
    13861395    } else {
    1387         GPRTemporary structure(this);
    1388         GPRReg structureGPR = structure.gpr();
    1389 
    13901396        m_jit.loadPtr(MacroAssembler::Address(op2PayloadGPR, JSCell::structureOffset()), structureGPR);
    13911397        DFG_TYPE_CHECK(
     
    14461452    GPRReg op2PayloadGPR = op2.payloadGPR();
    14471453    GPRReg resultGPR = result.gpr();
    1448    
    1449     if (m_jit.graph().globalObjectFor(m_currentNode->codeOrigin)->masqueradesAsUndefinedWatchpoint()->isStillValid()) {
     1454    GPRTemporary structure;
     1455    GPRReg structureGPR = InvalidGPRReg;
     1456
     1457    bool masqueradesAsUndefinedWatchpointValid = m_jit.graph().globalObjectFor(m_currentNode->codeOrigin)->masqueradesAsUndefinedWatchpoint()->isStillValid();
     1458
     1459    if (!masqueradesAsUndefinedWatchpointValid) {
     1460        // The masquerades as undefined case will use the structure register, so allocate it here.
     1461        // Do this at the top of the function to avoid branching around a register allocation.
     1462        GPRTemporary realStructure(this);
     1463        structure.adopt(realStructure);
     1464        structureGPR = structure.gpr();
     1465    }
     1466
     1467    if (masqueradesAsUndefinedWatchpointValid) {
    14501468        m_jit.graph().globalObjectFor(m_currentNode->codeOrigin)->masqueradesAsUndefinedWatchpoint()->add(speculationWatchpoint());
    14511469        DFG_TYPE_CHECK(
     
    14551473                MacroAssembler::TrustedImmPtr(m_jit.globalData()->stringStructure.get())));
    14561474    } else {
    1457         GPRTemporary structure(this);
    1458         GPRReg structureGPR = structure.gpr();
    1459 
    14601475        m_jit.loadPtr(MacroAssembler::Address(op1GPR, JSCell::structureOffset()), structureGPR);
    14611476        DFG_TYPE_CHECK(
     
    14771492   
    14781493    // We know that within this branch, rightChild must be a cell.
    1479     if (m_jit.graph().globalObjectFor(m_currentNode->codeOrigin)->masqueradesAsUndefinedWatchpoint()->isStillValid()) {
     1494    if (masqueradesAsUndefinedWatchpointValid) {
    14801495        m_jit.graph().globalObjectFor(m_currentNode->codeOrigin)->masqueradesAsUndefinedWatchpoint()->add(speculationWatchpoint());
    14811496        DFG_TYPE_CHECK(
     
    14861501                MacroAssembler::TrustedImmPtr(m_jit.globalData()->stringStructure.get())));
    14871502    } else {
    1488         GPRTemporary structure(this);
    1489         GPRReg structureGPR = structure.gpr();
    1490 
    14911503        m_jit.loadPtr(MacroAssembler::Address(op2PayloadGPR, JSCell::structureOffset()), structureGPR);
    14921504        DFG_TYPE_CHECK(
     
    15841596    GPRReg valuePayloadGPR = value.payloadGPR();
    15851597    GPRReg resultPayloadGPR = resultPayload.gpr();
    1586    
     1598    GPRTemporary structure;
     1599    GPRReg structureGPR = InvalidGPRReg;
     1600
     1601    bool masqueradesAsUndefinedWatchpointValid = m_jit.graph().globalObjectFor(m_currentNode->codeOrigin)->masqueradesAsUndefinedWatchpoint()->isStillValid();
     1602
     1603    if (!masqueradesAsUndefinedWatchpointValid) {
     1604        // The masquerades as undefined case will use the structure register, so allocate it here.
     1605        // Do this at the top of the function to avoid branching around a register allocation.
     1606        GPRTemporary realStructure(this);
     1607        structure.adopt(realStructure);
     1608        structureGPR = structure.gpr();
     1609    }
     1610
    15871611    MacroAssembler::Jump notCell = m_jit.branch32(MacroAssembler::NotEqual, valueTagGPR, TrustedImm32(JSValue::CellTag));
    1588     if (m_jit.graph().globalObjectFor(m_currentNode->codeOrigin)->masqueradesAsUndefinedWatchpoint()->isStillValid()) {
     1612    if (masqueradesAsUndefinedWatchpointValid) {
    15891613        m_jit.graph().globalObjectFor(m_currentNode->codeOrigin)->masqueradesAsUndefinedWatchpoint()->add(speculationWatchpoint());
    15901614
     
    15961620                MacroAssembler::TrustedImmPtr(m_jit.globalData()->stringStructure.get())));
    15971621    } else {
    1598         GPRTemporary structure(this);
    1599         GPRReg structureGPR = structure.gpr();
    1600 
    16011622        m_jit.loadPtr(MacroAssembler::Address(valuePayloadGPR, JSCell::structureOffset()), structureGPR);
    16021623
  • trunk/Source/JavaScriptCore/dfg/DFGSpeculativeJIT64.cpp

    r146089 r146100  
    13701370    GPRReg op2GPR = op2.gpr();
    13711371    GPRReg resultGPR = result.gpr();
    1372    
    1373     if (m_jit.graph().globalObjectFor(m_currentNode->codeOrigin)->masqueradesAsUndefinedWatchpoint()->isStillValid()) {
     1372    GPRTemporary structure;
     1373    GPRReg structureGPR = InvalidGPRReg;
     1374
     1375    bool masqueradesAsUndefinedWatchpointValid = m_jit.graph().globalObjectFor(m_currentNode->codeOrigin)->masqueradesAsUndefinedWatchpoint()->isStillValid();
     1376
     1377    if (!masqueradesAsUndefinedWatchpointValid) {
     1378        // The masquerades as undefined case will use the structure register, so allocate it here.
     1379        // Do this at the top of the function to avoid branching around a register allocation.
     1380        GPRTemporary realStructure(this);
     1381        structure.adopt(realStructure);
     1382        structureGPR = structure.gpr();
     1383    }
     1384
     1385    if (masqueradesAsUndefinedWatchpointValid) {
    13741386        m_jit.graph().globalObjectFor(m_currentNode->codeOrigin)->masqueradesAsUndefinedWatchpoint()->add(speculationWatchpoint());
    13751387        DFG_TYPE_CHECK(
     
    13791391                MacroAssembler::TrustedImmPtr(m_jit.globalData()->stringStructure.get())));
    13801392    } else {
    1381         GPRTemporary structure(this);
    1382         GPRReg structureGPR = structure.gpr();
    1383 
    13841393        m_jit.loadPtr(MacroAssembler::Address(op1GPR, JSCell::structureOffset()), structureGPR);
    13851394        DFG_TYPE_CHECK(
     
    14011410   
    14021411    // We know that within this branch, rightChild must be a cell.
    1403     if (m_jit.graph().globalObjectFor(m_currentNode->codeOrigin)->masqueradesAsUndefinedWatchpoint()->isStillValid()) {
     1412    if (masqueradesAsUndefinedWatchpointValid) {
    14041413        m_jit.graph().globalObjectFor(m_currentNode->codeOrigin)->masqueradesAsUndefinedWatchpoint()->add(speculationWatchpoint());
    14051414        DFG_TYPE_CHECK(
     
    14091418                MacroAssembler::TrustedImmPtr(m_jit.globalData()->stringStructure.get())));
    14101419    } else {
    1411         GPRTemporary structure(this);
    1412         GPRReg structureGPR = structure.gpr();
    1413 
    14141420        m_jit.loadPtr(MacroAssembler::Address(op2GPR, JSCell::structureOffset()), structureGPR);
    14151421        DFG_TYPE_CHECK(
     
    14681474    GPRReg op2GPR = op2.gpr();
    14691475    GPRReg resultGPR = result.gpr();
    1470    
    1471     if (m_jit.graph().globalObjectFor(m_currentNode->codeOrigin)->masqueradesAsUndefinedWatchpoint()->isStillValid()) {
     1476    GPRTemporary structure;
     1477    GPRReg structureGPR = InvalidGPRReg;
     1478   
     1479    bool masqueradesAsUndefinedWatchpointValid = m_jit.graph().globalObjectFor(m_currentNode->codeOrigin)->masqueradesAsUndefinedWatchpoint()->isStillValid();
     1480
     1481    if (!masqueradesAsUndefinedWatchpointValid) {
     1482        // The masquerades as undefined case will use the structure register, so allocate it here.
     1483        // Do this at the top of the function to avoid branching around a register allocation.
     1484        GPRTemporary realStructure(this);
     1485        structure.adopt(realStructure);
     1486        structureGPR = structure.gpr();
     1487    }
     1488
     1489    if (masqueradesAsUndefinedWatchpointValid) {
    14721490        m_jit.graph().globalObjectFor(m_currentNode->codeOrigin)->masqueradesAsUndefinedWatchpoint()->add(speculationWatchpoint());
    14731491        DFG_TYPE_CHECK(
     
    14771495                MacroAssembler::TrustedImmPtr(m_jit.globalData()->stringStructure.get())));
    14781496    } else {
    1479         GPRTemporary structure(this);
    1480         GPRReg structureGPR = structure.gpr();
    1481 
    14821497        m_jit.loadPtr(MacroAssembler::Address(op1GPR, JSCell::structureOffset()), structureGPR);
    14831498        DFG_TYPE_CHECK(
     
    14921507                MacroAssembler::TrustedImm32(MasqueradesAsUndefined)));
    14931508    }
    1494    
     1509
    14951510    // It seems that most of the time when programs do a == b where b may be either null/undefined
    14961511    // or an object, b is usually an object. Balance the branches to make that case fast.
     
    14991514   
    15001515    // We know that within this branch, rightChild must be a cell.
    1501     if (m_jit.graph().globalObjectFor(m_currentNode->codeOrigin)->masqueradesAsUndefinedWatchpoint()->isStillValid()) {
     1516    if (masqueradesAsUndefinedWatchpointValid) {
    15021517        m_jit.graph().globalObjectFor(m_currentNode->codeOrigin)->masqueradesAsUndefinedWatchpoint()->add(speculationWatchpoint());
    15031518        DFG_TYPE_CHECK(
     
    15071522                MacroAssembler::TrustedImmPtr(m_jit.globalData()->stringStructure.get())));
    15081523    } else {
    1509         GPRTemporary structure(this);
    1510         GPRReg structureGPR = structure.gpr();
    1511 
    15121524        m_jit.loadPtr(MacroAssembler::Address(op2GPR, JSCell::structureOffset()), structureGPR);
    15131525        DFG_TYPE_CHECK(
     
    16001612    GPRReg valueGPR = value.gpr();
    16011613    GPRReg resultGPR = result.gpr();
    1602    
     1614    GPRTemporary structure;
     1615    GPRReg structureGPR = InvalidGPRReg;
     1616
     1617    bool masqueradesAsUndefinedWatchpointValid = m_jit.graph().globalObjectFor(m_currentNode->codeOrigin)->masqueradesAsUndefinedWatchpoint()->isStillValid();
     1618
     1619    if (!masqueradesAsUndefinedWatchpointValid) {
     1620        // The masquerades as undefined case will use the structure register, so allocate it here.
     1621        // Do this at the top of the function to avoid branching around a register allocation.
     1622        GPRTemporary realStructure(this);
     1623        structure.adopt(realStructure);
     1624        structureGPR = structure.gpr();
     1625    }
     1626
    16031627    MacroAssembler::Jump notCell = m_jit.branchTest64(MacroAssembler::NonZero, valueGPR, GPRInfo::tagMaskRegister);
    1604     if (m_jit.graph().globalObjectFor(m_currentNode->codeOrigin)->masqueradesAsUndefinedWatchpoint()->isStillValid()) {
     1628    if (masqueradesAsUndefinedWatchpointValid) {
    16051629        m_jit.graph().globalObjectFor(m_currentNode->codeOrigin)->masqueradesAsUndefinedWatchpoint()->add(speculationWatchpoint());
    16061630        DFG_TYPE_CHECK(
     
    16101634                MacroAssembler::TrustedImmPtr(m_jit.globalData()->stringStructure.get())));
    16111635    } else {
    1612         GPRTemporary structure(this);
    1613         GPRReg structureGPR = structure.gpr();
    1614 
    16151636        m_jit.loadPtr(MacroAssembler::Address(valueGPR, JSCell::structureOffset()), structureGPR);
    16161637
Note: See TracChangeset for help on using the changeset viewer.