Changeset 168261 in webkit

Timestamp:

May 5, 2014 12:45:46 AM (10 years ago)

Author:

Carlos Garcia Campos

Message:

Unreviewed. Revert r159826 - "Finally fix some obvious Bartlett bugs"

This reverts r159826.

Location:

releases/WebKitGTK/webkit-2.4/Source/JavaScriptCore

Files:

• ChangeLog (modified) (1 diff)
• dfg/DFGJITCompiler.h (modified) (1 diff)
• dfg/DFGOSREntry.cpp (modified) (3 diffs)
• dfg/DFGOSREntry.h (modified) (1 diff)
• heap/Heap.cpp (modified) (1 diff)
• interpreter/JSStack.cpp (modified) (2 diffs)
• interpreter/JSStack.h (modified) (2 diffs)

releases/WebKitGTK/webkit-2.4/Source/JavaScriptCore/ChangeLog

@@ -7880 +7880 @@
         (JSC::SymbolTable::SymbolTable):
         * runtime/SymbolTable.h:
-
-2013-11-27  Filip Pizlo  <fpizlo@apple.com>
-
-        Finally fix some obvious Bartlett bugs
-        https://bugs.webkit.org/show_bug.cgi?id=124951
-
-        Reviewed by Mark Hahnenberg.
-        
-        Sanitize the stack (i.e. zero parts of it known to be dead) at three key points:
-        
-        - GC.
-        
-        - At beginning of OSR entry.
-        
-        - Just as we finish preparing OSR entry. This clears those slots on the stack that
-          could have been live in baseline but that are known to be dead in DFG.
-        
-        This is as much as a 2x speed-up on splay if you run it in certain modes, and run it
-        for a long enough interval. It appears to fix all instances of the dreaded exponential
-        heap growth that splay gets into when some stale pointer stays around.
-        
-        This doesn't have much of an effect on real-world programs. This bug has only ever
-        manifested in splay and for that reason we thus far opted against fixing it. But splay
-        is, for what it's worth, the premiere GC stress test in JavaScript - so making sure we
-        can run it without pathologies - even when you tweak its configuration - is probably
-        fairly important.
-
-        * dfg/DFGJITCompiler.h:
-        (JSC::DFG::JITCompiler::noticeOSREntry):
-        * dfg/DFGOSREntry.cpp:
-        (JSC::DFG::prepareOSREntry):
-        * dfg/DFGOSREntry.h:
-        * heap/Heap.cpp:
-        (JSC::Heap::markRoots):
-        * interpreter/JSStack.cpp:
-        (JSC::JSStack::JSStack):
-        (JSC::JSStack::sanitizeStack):
-        * interpreter/JSStack.h:
 
 2013-11-26  Filip Pizlo  <fpizlo@apple.com>

releases/WebKitGTK/webkit-2.4/Source/JavaScriptCore/dfg/DFGJITCompiler.h

@@ -271 +271 @@
             else {
                 VariableAccessData* variable = node->variableAccessData();
-                entry->m_machineStackUsed.set(variable->machineLocal().toLocal());
-                
                 switch (variable->flushFormat()) {
                 case FlushedDouble:

releases/WebKitGTK/webkit-2.4/Source/JavaScriptCore/dfg/DFGOSREntry.cpp

@@ -53 +53 @@
     
     VM* vm = &exec->vm();
-    
-    vm->interpreter->stack().sanitizeStack();
-    
     if (codeBlock->jitType() != JITCode::DFGJIT) {
         RELEASE_ASSERT(codeBlock->jitType() == JITCode::FTLJIT);
@@ -185 +182 @@
     //    would have otherwise just kept running albeit less quickly.
     
-    unsigned frameSize = jitCode->common.requiredRegisterCountForExecutionAndExit();
-    if (!vm->interpreter->stack().grow(&exec->registers()[virtualRegisterForLocal(frameSize).offset()])) {
+    if (!vm->interpreter->stack().grow(&exec->registers()[virtualRegisterForLocal(jitCode->common.requiredRegisterCountForExecutionAndExit()).offset()])) {
         if (Options::verboseOSR())
             dataLogF("    OSR failed because stack growth failed.\n");
@@ -212 +208 @@
         registers[entry->m_reshufflings[i].toOffset] = temporaryLocals[i];
     
-    // 5) Clear those parts of the call frame that the DFG ain't using. This helps GC on some
-    //    programs by eliminating some stale pointer pathologies.
-    
-    for (unsigned i = frameSize; i--;) {
-        if (entry->m_machineStackUsed.get(i))
-            continue;
-        registers[virtualRegisterForLocal(i).offset()] = JSValue::encode(JSValue());
-    }
-    
-    // 6) Fix the call frame.
+    // 5) Fix the call frame.
     
     exec->setCodeBlock(codeBlock);
     
-    // 7) Find and return the destination machine code address.
+    // 6) Find and return the destination machine code address.
     
     void* result = codeBlock->jitCode()->executableAddressAtOffset(entry->m_machineCodeOffset);

releases/WebKitGTK/webkit-2.4/Source/JavaScriptCore/dfg/DFGOSREntry.h

@@ -60 +60 @@
     BitVector m_localsForcedMachineInt;
     Vector<OSREntryReshuffling> m_reshufflings;
-    BitVector m_machineStackUsed;
 };
 

releases/WebKitGTK/webkit-2.4/Source/JavaScriptCore/heap/Heap.cpp

@@ -468 +468 @@
         GCPHASE(GatherStackRoots);
         stack().gatherConservativeRoots(stackRoots, m_jitStubRoutines, m_codeBlocks);
-        stack().sanitizeStack();
     }
 

releases/WebKitGTK/webkit-2.4/Source/JavaScriptCore/interpreter/JSStack.cpp

@@ -53 +53 @@
     updateStackLimit(highAddress());
     m_commitEnd = highAddress();
-    
-    m_lastStackTop = getBaseOfStack();
 
     disableErrorStackReserve();
@@ -102 +100 @@
 {
     conservativeRoots.add(getBaseOfStack(), getTopOfStack(), jitStubRoutines, codeBlocks);
-}
-
-void JSStack::sanitizeStack()
-{
-    ASSERT(getTopOfStack() <= getBaseOfStack());
-    
-    if (m_lastStackTop < getTopOfStack()) {
-        char* begin = reinterpret_cast<char*>(m_lastStackTop);
-        char* end = reinterpret_cast<char*>(getTopOfStack());
-        memset(begin, 0, end - begin);
-    }
-    
-    m_lastStackTop = getTopOfStack();
 }
 

releases/WebKitGTK/webkit-2.4/Source/JavaScriptCore/interpreter/JSStack.h

@@ -83 +83 @@
         void gatherConservativeRoots(ConservativeRoots&);
         void gatherConservativeRoots(ConservativeRoots&, JITStubRoutineSet&, CodeBlockSet&);
-        void sanitizeStack();
 
         Register* getBaseOfStack() const
@@ -158 +157 @@
         PageReservation m_reservation;
         CallFrame*& m_topCallFrame;
-        Register* m_lastStackTop;
 
         friend class LLIntOffsetsExtractor;