Changeset 168776 in webkit

Timestamp:

May 13, 2014 8:57:18 PM (10 years ago)

Author:

fpizlo@apple.com

Message:

JIT breakpoints should be more informative
​https://bugs.webkit.org/show_bug.cgi?id=132882

Reviewed by Oliver Hunt.

Introduce the notion of an AbortReason, which is a nice enumeration of coded assertion
failure names. This means that all you need to figure out why the JIT SIGTRAP'd is to look
at that platform's abort reason register (r11 on X86-64 for example).

• JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
• JavaScriptCore.xcodeproj/project.pbxproj:
• assembler/AbortReason.h: Added.
• assembler/AbstractMacroAssembler.h:
• assembler/MacroAssemblerARM64.h:

(JSC::MacroAssemblerARM64::abortWithReason):

• assembler/MacroAssemblerARMv7.h:

(JSC::MacroAssemblerARMv7::abortWithReason):

• assembler/MacroAssemblerX86.h:

(JSC::MacroAssemblerX86::abortWithReason):

• assembler/MacroAssemblerX86_64.h:

(JSC::MacroAssemblerX86_64::abortWithReason):

• dfg/DFGSlowPathGenerator.h:

(JSC::DFG::SlowPathGenerator::generate):

• dfg/DFGSpeculativeJIT.cpp:

(JSC::DFG::SpeculativeJIT::bail):
(JSC::DFG::SpeculativeJIT::compileCurrentBlock):
(JSC::DFG::SpeculativeJIT::compileMakeRope):

• dfg/DFGSpeculativeJIT.h:

(JSC::DFG::SpeculativeJIT::emitAllocateBasicStorage):

• dfg/DFGSpeculativeJIT32_64.cpp:

(JSC::DFG::SpeculativeJIT::compile):

• dfg/DFGSpeculativeJIT64.cpp:

(JSC::DFG::SpeculativeJIT::fillSpeculateCell):
(JSC::DFG::SpeculativeJIT::compile):

• dfg/DFGThunks.cpp:

(JSC::DFG::osrEntryThunkGenerator):

• jit/AssemblyHelpers.cpp:

(JSC::AssemblyHelpers::jitAssertIsInt32):
(JSC::AssemblyHelpers::jitAssertIsJSInt32):
(JSC::AssemblyHelpers::jitAssertIsJSNumber):
(JSC::AssemblyHelpers::jitAssertIsJSDouble):
(JSC::AssemblyHelpers::jitAssertIsCell):
(JSC::AssemblyHelpers::jitAssertTagsInPlace):
(JSC::AssemblyHelpers::jitAssertHasValidCallFrame):
(JSC::AssemblyHelpers::jitAssertIsNull):
(JSC::AssemblyHelpers::jitAssertArgumentCountSane):
(JSC::AssemblyHelpers::emitStoreStructureWithTypeInfo):

• jit/AssemblyHelpers.h:

(JSC::AssemblyHelpers::checkStackPointerAlignment):
(JSC::AssemblyHelpers::emitStoreStructureWithTypeInfo): Deleted.

• jit/JIT.h:
• jit/JITArithmetic.cpp:

(JSC::JIT::emitSlow_op_div):

• jit/JITOpcodes.cpp:

(JSC::JIT::emitSlow_op_loop_hint):

• jit/JITOpcodes32_64.cpp:

(JSC::JIT::privateCompileCTINativeCall):

• jit/JITPropertyAccess.cpp:

(JSC::JIT::emit_op_get_by_val):
(JSC::JIT::compileGetDirectOffset):
(JSC::JIT::addStructureTransitionCheck): Deleted.
(JSC::JIT::testPrototype): Deleted.

• jit/JITPropertyAccess32_64.cpp:

(JSC::JIT::emit_op_get_by_val):
(JSC::JIT::compileGetDirectOffset):

• jit/RegisterPreservationWrapperGenerator.cpp:

(JSC::generateRegisterRestoration):

• jit/Repatch.cpp:

(JSC::addStructureTransitionCheck):
(JSC::linkClosureCall):

• jit/ThunkGenerators.cpp:

(JSC::emitPointerValidation):
(JSC::nativeForGenerator):

• yarr/YarrJIT.cpp:

(JSC::Yarr::YarrGenerator::generate):

Location:

trunk/Source/JavaScriptCore

Files:

• ChangeLog (modified) (1 diff)
• JavaScriptCore.vcxproj/JavaScriptCore.vcxproj (modified) (1 diff)
• JavaScriptCore.xcodeproj/project.pbxproj (modified) (4 diffs)
• assembler/AbortReason.h (added)
• assembler/AbstractMacroAssembler.h (modified) (2 diffs)
• assembler/MacroAssemblerARM64.h (modified) (2 diffs)
• assembler/MacroAssemblerARMv7.h (modified) (2 diffs)
• assembler/MacroAssemblerX86.h (modified) (2 diffs)
• assembler/MacroAssemblerX86_64.h (modified) (2 diffs)
• dfg/DFGSlowPathGenerator.h (modified) (1 diff)
• dfg/DFGSpeculativeJIT.cpp (modified) (4 diffs)
• dfg/DFGSpeculativeJIT.h (modified) (1 diff)
• dfg/DFGSpeculativeJIT32_64.cpp (modified) (1 diff)
• dfg/DFGSpeculativeJIT64.cpp (modified) (2 diffs)
• dfg/DFGThunks.cpp (modified) (1 diff)
• jit/AssemblyHelpers.cpp (modified) (13 diffs)
• jit/AssemblyHelpers.h (modified) (2 diffs)
• jit/JIT.h (modified) (1 diff)
• jit/JITArithmetic.cpp (modified) (1 diff)
• jit/JITOpcodes.cpp (modified) (1 diff)
• jit/JITOpcodes32_64.cpp (modified) (1 diff)
• jit/JITPropertyAccess.cpp (modified) (3 diffs)
• jit/JITPropertyAccess32_64.cpp (modified) (2 diffs)
• jit/RegisterPreservationWrapperGenerator.cpp (modified) (1 diff)
• jit/Repatch.cpp (modified) (2 diffs)
• jit/ThunkGenerators.cpp (modified) (2 diffs)
• yarr/YarrJIT.cpp (modified) (2 diffs)

trunk/Source/JavaScriptCore/ChangeLog

@@ +1 @@
+2014-05-13  Filip Pizlo  <fpizlo@apple.com>
+
+        JIT breakpoints should be more informative
+        https://bugs.webkit.org/show_bug.cgi?id=132882
+
+        Reviewed by Oliver Hunt.
+        
+        Introduce the notion of an AbortReason, which is a nice enumeration of coded assertion
+        failure names. This means that all you need to figure out why the JIT SIGTRAP'd is to look
+        at that platform's abort reason register (r11 on X86-64 for example).
+
+        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
+        * JavaScriptCore.xcodeproj/project.pbxproj:
+        * assembler/AbortReason.h: Added.
+        * assembler/AbstractMacroAssembler.h:
+        * assembler/MacroAssemblerARM64.h:
+        (JSC::MacroAssemblerARM64::abortWithReason):
+        * assembler/MacroAssemblerARMv7.h:
+        (JSC::MacroAssemblerARMv7::abortWithReason):
+        * assembler/MacroAssemblerX86.h:
+        (JSC::MacroAssemblerX86::abortWithReason):
+        * assembler/MacroAssemblerX86_64.h:
+        (JSC::MacroAssemblerX86_64::abortWithReason):
+        * dfg/DFGSlowPathGenerator.h:
+        (JSC::DFG::SlowPathGenerator::generate):
+        * dfg/DFGSpeculativeJIT.cpp:
+        (JSC::DFG::SpeculativeJIT::bail):
+        (JSC::DFG::SpeculativeJIT::compileCurrentBlock):
+        (JSC::DFG::SpeculativeJIT::compileMakeRope):
+        * dfg/DFGSpeculativeJIT.h:
+        (JSC::DFG::SpeculativeJIT::emitAllocateBasicStorage):
+        * dfg/DFGSpeculativeJIT32_64.cpp:
+        (JSC::DFG::SpeculativeJIT::compile):
+        * dfg/DFGSpeculativeJIT64.cpp:
+        (JSC::DFG::SpeculativeJIT::fillSpeculateCell):
+        (JSC::DFG::SpeculativeJIT::compile):
+        * dfg/DFGThunks.cpp:
+        (JSC::DFG::osrEntryThunkGenerator):
+        * jit/AssemblyHelpers.cpp:
+        (JSC::AssemblyHelpers::jitAssertIsInt32):
+        (JSC::AssemblyHelpers::jitAssertIsJSInt32):
+        (JSC::AssemblyHelpers::jitAssertIsJSNumber):
+        (JSC::AssemblyHelpers::jitAssertIsJSDouble):
+        (JSC::AssemblyHelpers::jitAssertIsCell):
+        (JSC::AssemblyHelpers::jitAssertTagsInPlace):
+        (JSC::AssemblyHelpers::jitAssertHasValidCallFrame):
+        (JSC::AssemblyHelpers::jitAssertIsNull):
+        (JSC::AssemblyHelpers::jitAssertArgumentCountSane):
+        (JSC::AssemblyHelpers::emitStoreStructureWithTypeInfo):
+        * jit/AssemblyHelpers.h:
+        (JSC::AssemblyHelpers::checkStackPointerAlignment):
+        (JSC::AssemblyHelpers::emitStoreStructureWithTypeInfo): Deleted.
+        * jit/JIT.h:
+        * jit/JITArithmetic.cpp:
+        (JSC::JIT::emitSlow_op_div):
+        * jit/JITOpcodes.cpp:
+        (JSC::JIT::emitSlow_op_loop_hint):
+        * jit/JITOpcodes32_64.cpp:
+        (JSC::JIT::privateCompileCTINativeCall):
+        * jit/JITPropertyAccess.cpp:
+        (JSC::JIT::emit_op_get_by_val):
+        (JSC::JIT::compileGetDirectOffset):
+        (JSC::JIT::addStructureTransitionCheck): Deleted.
+        (JSC::JIT::testPrototype): Deleted.
+        * jit/JITPropertyAccess32_64.cpp:
+        (JSC::JIT::emit_op_get_by_val):
+        (JSC::JIT::compileGetDirectOffset):
+        * jit/RegisterPreservationWrapperGenerator.cpp:
+        (JSC::generateRegisterRestoration):
+        * jit/Repatch.cpp:
+        (JSC::addStructureTransitionCheck):
+        (JSC::linkClosureCall):
+        * jit/ThunkGenerators.cpp:
+        (JSC::emitPointerValidation):
+        (JSC::nativeForGenerator):
+        * yarr/YarrJIT.cpp:
+        (JSC::Yarr::YarrGenerator::generate):
+
 2014-05-13  peavo@outlook.com  <peavo@outlook.com>
 

trunk/Source/JavaScriptCore/JavaScriptCore.vcxproj/JavaScriptCore.vcxproj

@@ -819 +819 @@
     <ClInclude Include="..\API\OpaqueJSString.h" />
     <ClInclude Include="..\API\WebKitAvailability.h" />
+    <ClInclude Include="..\assembler\AbortReason.h" />
     <ClInclude Include="..\assembler\AbstractMacroAssembler.h" />
     <ClInclude Include="..\assembler\AssemblerBuffer.h" />

trunk/Source/JavaScriptCore/JavaScriptCore.xcodeproj/project.pbxproj

@@ -108 +108 @@
                 0F1E3A471534CBB9000F9456 /* DFGDoubleFormatState.h in Headers */ = {isa = PBXBuildFile; fileRef = 0F1E3A441534CBAD000F9456 /* DFGDoubleFormatState.h */; settings = {ATTRIBUTES = (Private, ); }; };
                 0F1E3A67153A21E2000F9456 /* DFGSilentRegisterSavePlan.h in Headers */ = {isa = PBXBuildFile; fileRef = 0F1E3A65153A21DF000F9456 /* DFGSilentRegisterSavePlan.h */; settings = {ATTRIBUTES = (Private, ); }; };
+                0F1FE51C1922A3BC006987C5 /* AbortReason.h in Headers */ = {isa = PBXBuildFile; fileRef = 0F1FE51B1922A3BC006987C5 /* AbortReason.h */; settings = {ATTRIBUTES = (Private, ); }; };
                 0F21C27D14BE727A00ADC64B /* CodeSpecializationKind.h in Headers */ = {isa = PBXBuildFile; fileRef = 0F21C27914BE727300ADC64B /* CodeSpecializationKind.h */; settings = {ATTRIBUTES = (Private, ); }; };
                 0F21C27F14BEAA8200ADC64B /* BytecodeConventions.h in Headers */ = {isa = PBXBuildFile; fileRef = 0F21C27E14BEAA8000ADC64B /* BytecodeConventions.h */; settings = {ATTRIBUTES = (Private, ); }; };
@@ -1915 +1916 @@
                 0F1E3A501537C2CB000F9456 /* DFGSlowPathGenerator.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; name = DFGSlowPathGenerator.h; path = dfg/DFGSlowPathGenerator.h; sourceTree = "<group>"; };
                 0F1E3A65153A21DF000F9456 /* DFGSilentRegisterSavePlan.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; name = DFGSilentRegisterSavePlan.h; path = dfg/DFGSilentRegisterSavePlan.h; sourceTree = "<group>"; };
+                0F1FE51B1922A3BC006987C5 /* AbortReason.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = AbortReason.h; sourceTree = "<group>"; };
                 0F21C27914BE727300ADC64B /* CodeSpecializationKind.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = CodeSpecializationKind.h; sourceTree = "<group>"; };
                 0F21C27E14BEAA8000ADC64B /* BytecodeConventions.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = BytecodeConventions.h; sourceTree = "<group>"; };
@@ -4897 +4899 @@
                         isa = PBXGroup;
                         children = (
+                                0F1FE51B1922A3BC006987C5 /* AbortReason.h */,
                                 860161DF0F3A83C100F84710 /* AbstractMacroAssembler.h */,
                                 8640923B156EED3B00566CB2 /* ARM64Assembler.h */,
@@ -5826 +5829 @@
                                 A532439418569709002ED692 /* generate-combined-inspector-json.py in Headers */,
                                 0F2B66E017B6B5AB00A7AE3F /* GenericTypedArrayView.h in Headers */,
+                                0F1FE51C1922A3BC006987C5 /* AbortReason.h in Headers */,
                                 0F2B66E117B6B5AB00A7AE3F /* GenericTypedArrayViewInlines.h in Headers */,
                                 0F9332A014CA7DCD0085F3C6 /* GetByIdStatus.h in Headers */,

trunk/Source/JavaScriptCore/assembler/AbstractMacroAssembler.h

@@ -1 +1 @@
 /*
- * Copyright (C) 2008, 2012 Apple Inc. All rights reserved.
+ * Copyright (C) 2008, 2012, 2014 Apple Inc. All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
@@ -27 +27 @@
 #define AbstractMacroAssembler_h
 
+#include "AbortReason.h"
 #include "AssemblerBuffer.h"
 #include "CodeLocation.h"

trunk/Source/JavaScriptCore/assembler/MacroAssemblerARM64.h

@@ -1 +1 @@
 /*
- * Copyright (C) 2012 Apple Inc. All rights reserved.
+ * Copyright (C) 2012, 2014 Apple Inc. All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
@@ -807 +807 @@
     }
 
+    void abortWithReason(AbortReason reason)
+    {
+        move(TrustedImm32(reason), dataTempRegister);
+        breakpoint();
+    }
+
     ConvertibleLoadLabel convertibleLoadPtr(Address address, RegisterID dest)
     {

trunk/Source/JavaScriptCore/assembler/MacroAssemblerARMv7.h

@@ -1 +1 @@
 /*
- * Copyright (C) 2009, 2010 Apple Inc. All rights reserved.
+ * Copyright (C) 2009, 2010, 2014 Apple Inc. All rights reserved.
  * Copyright (C) 2010 University of Szeged
  *
@@ -633 +633 @@
     }
     
+    void abortWithReason(AbortReason reason)
+    {
+        move(TrustedImm32(reason), dataTempRegister);
+        breakpoint();
+    }
+
     ConvertibleLoadLabel convertibleLoadPtr(Address address, RegisterID dest)
     {

trunk/Source/JavaScriptCore/assembler/MacroAssemblerX86.h

@@ -1 +1 @@
 /*
- * Copyright (C) 2008 Apple Inc. All rights reserved.
+ * Copyright (C) 2008, 2014 Apple Inc. All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
@@ -112 +112 @@
     }
 
+    void abortWithReason(AbortReason reason)
+    {
+        move(TrustedImm32(reason), X86Registers::eax);
+        breakpoint();
+    }
+
     ConvertibleLoadLabel convertibleLoadPtr(Address address, RegisterID dest)
     {

trunk/Source/JavaScriptCore/assembler/MacroAssemblerX86_64.h

@@ -1 +1 @@
 /*
- * Copyright (C) 2008, 2012 Apple Inc. All rights reserved.
+ * Copyright (C) 2008, 2012, 2014 Apple Inc. All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
@@ -628 +628 @@
         neg64(srcDest);
         return Jump(m_assembler.jCC(x86Condition(cond)));
+    }
+
+    void abortWithReason(AbortReason reason)
+    {
+        move(TrustedImm32(reason), X86Registers::r11);
+        breakpoint();
     }
 

trunk/Source/JavaScriptCore/dfg/DFGSlowPathGenerator.h

@@ -51 +51 @@
         generateInternal(jit);
         if (!ASSERT_DISABLED)
-            jit->m_jit.breakpoint(); // make sure that the generator jumps back to somewhere
+            jit->m_jit.abortWithReason(DFGSlowPathGeneratorFellThrough);
     }
     MacroAssembler::Label label() const { return m_label; }

trunk/Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp

@@ -1342 +1342 @@
 {
     m_compileOkay = true;
-    m_jit.breakpoint();
+    m_jit.abortWithReason(DFGBailed);
     clearGenerationInfo();
 }
@@ -1361 +1361 @@
         // But to be sure that nobody has generated a jump to this block, drop in a
         // breakpoint here.
-        m_jit.breakpoint();
+        m_jit.abortWithReason(DFGUnreachableBasicBlock);
         return;
     }
@@ -2822 +2822 @@
         JITCompiler::Jump ok = m_jit.branch32(
             JITCompiler::GreaterThanOrEqual, allocatorGPR, TrustedImm32(0));
-        m_jit.breakpoint();
+        m_jit.abortWithReason(DFGNegativeStringLength);
         ok.link(&m_jit);
     }
@@ -2838 +2838 @@
         JITCompiler::Jump ok = m_jit.branch32(
             JITCompiler::GreaterThanOrEqual, allocatorGPR, TrustedImm32(0));
-        m_jit.breakpoint();
+        m_jit.abortWithReason(DFGNegativeStringLength);
         ok.link(&m_jit);
     }

trunk/Source/JavaScriptCore/dfg/DFGSpeculativeJIT.h

@@ -2144 +2144 @@
         m_jit.move(size, resultGPR);
         MacroAssembler::Jump nonZeroSize = m_jit.branchTest32(MacroAssembler::NonZero, resultGPR);
-        m_jit.breakpoint();
+        m_jit.abortWithReason(DFGBasicStorageAllocatorZeroSize);
         nonZeroSize.link(&m_jit);
 #endif

trunk/Source/JavaScriptCore/dfg/DFGSpeculativeJIT32_64.cpp

@@ -3710 +3710 @@
         SpeculateCellOperand op1(this, node->child1());
         JITCompiler::Jump isOK = m_jit.branchPtr(JITCompiler::Equal, JITCompiler::Address(op1.gpr(), JSCell::structureIDOffset()), TrustedImmPtr(node->structure()));
-        m_jit.breakpoint();
+        m_jit.abortWithReason(DFGIneffectiveWatchpoint);
         isOK.link(&m_jit);
 #else

trunk/Source/JavaScriptCore/dfg/DFGSpeculativeJIT64.cpp

@@ -1037 +1037 @@
         if (!ASSERT_DISABLED) {
             MacroAssembler::Jump checkCell = branchIsCell(JSValueRegs(gpr));
-            m_jit.breakpoint();
+            m_jit.abortWithReason(DFGIsNotCell);
             checkCell.link(&m_jit);
         }
@@ -3783 +3783 @@
             JITCompiler::Address(op1.gpr(), JSCell::structureIDOffset()), 
             node->structure());
-        m_jit.breakpoint();
+        m_jit.abortWithReason(DFGIneffectiveWatchpoint);
         isOK.link(&m_jit);
 #else

trunk/Source/JavaScriptCore/dfg/DFGThunks.cpp

@@ -128 +128 @@
     jit.loadPtr(MacroAssembler::Address(GPRInfo::regT0, offsetOfTargetPC), GPRInfo::regT1);
     MacroAssembler::Jump ok = jit.branchPtr(MacroAssembler::Above, GPRInfo::regT1, MacroAssembler::TrustedImmPtr(bitwise_cast<void*>(static_cast<intptr_t>(1000))));
-    jit.breakpoint();
+    jit.abortWithReason(DFGUnreasonableOSREntryJumpDestination);
     ok.link(&jit);
     jit.jump(GPRInfo::regT1);

trunk/Source/JavaScriptCore/jit/AssemblyHelpers.cpp

@@ -85 +85 @@
 #if CPU(X86_64)
     Jump checkInt32 = branch64(BelowOrEqual, gpr, TrustedImm64(static_cast<uintptr_t>(0xFFFFFFFFu)));
-    breakpoint();
+    abortWithReason(AHIsNotInt32);
     checkInt32.link(this);
 #else
@@ -95 +95 @@
 {
     Jump checkJSInt32 = branch64(AboveOrEqual, gpr, GPRInfo::tagTypeNumberRegister);
-    breakpoint();
+    abortWithReason(AHIsNotJSInt32);
     checkJSInt32.link(this);
 }
@@ -102 +102 @@
 {
     Jump checkJSNumber = branchTest64(MacroAssembler::NonZero, gpr, GPRInfo::tagTypeNumberRegister);
-    breakpoint();
+    abortWithReason(AHIsNotJSNumber);
     checkJSNumber.link(this);
 }
@@ -111 +111 @@
     Jump checkJSNumber = branchTest64(MacroAssembler::NonZero, gpr, GPRInfo::tagTypeNumberRegister);
     checkJSInt32.link(this);
-    breakpoint();
+    abortWithReason(AHIsNotJSDouble);
     checkJSNumber.link(this);
 }
@@ -118 +118 @@
 {
     Jump checkCell = branchTest64(MacroAssembler::Zero, gpr, GPRInfo::tagMaskRegister);
-    breakpoint();
+    abortWithReason(AHIsNotCell);
     checkCell.link(this);
 }
@@ -125 +125 @@
 {
     Jump ok = branch64(Equal, GPRInfo::tagTypeNumberRegister, TrustedImm64(TagTypeNumber));
+    abortWithReason(AHTagTypeNumberNotInPlace);
     breakpoint();
     ok.link(this);
     
     ok = branch64(Equal, GPRInfo::tagMaskRegister, TrustedImm64(TagMask));
-    breakpoint();
+    abortWithReason(AHTagMaskNotInPlace);
     ok.link(this);
 }
@@ -141 +142 @@
 {
     Jump checkJSInt32 = branch32(Equal, gpr, TrustedImm32(JSValue::Int32Tag));
-    breakpoint();
+    abortWithReason(AHIsNotJSInt32);
     checkJSInt32.link(this);
 }
@@ -149 +150 @@
     Jump checkJSInt32 = branch32(Equal, gpr, TrustedImm32(JSValue::Int32Tag));
     Jump checkJSDouble = branch32(Below, gpr, TrustedImm32(JSValue::LowestTag));
-    breakpoint();
+    abortWithReason(AHIsNotJSNumber);
     checkJSInt32.link(this);
     checkJSDouble.link(this);
@@ -157 +158 @@
 {
     Jump checkJSDouble = branch32(Below, gpr, TrustedImm32(JSValue::LowestTag));
-    breakpoint();
+    abortWithReason(AHIsNotJSDouble);
     checkJSDouble.link(this);
 }
@@ -164 +165 @@
 {
     Jump checkCell = branch32(Equal, gpr, TrustedImm32(JSValue::CellTag));
-    breakpoint();
+    abortWithReason(AHIsNotCell);
     checkCell.link(this);
 }
@@ -176 +177 @@
 {
     Jump checkCFR = branchTestPtr(Zero, GPRInfo::callFrameRegister, TrustedImm32(7));
-    breakpoint();
+    abortWithReason(AHCallFrameMisaligned);
     checkCFR.link(this);
 }
@@ -183 +184 @@
 {
     Jump checkNull = branchTestPtr(Zero, gpr);
-    breakpoint();
+    abortWithReason(AHIsNotNull);
     checkNull.link(this);
 }
@@ -190 +191 @@
 {
     Jump ok = branch32(Below, payloadFor(JSStack::ArgumentCount), TrustedImm32(10000000));
-    breakpoint();
+    abortWithReason(AHInsaneArgumentCount);
     ok.link(this);
 }
 #endif // !ASSERT_DISABLED
 
+void AssemblyHelpers::emitStoreStructureWithTypeInfo(AssemblyHelpers& jit, TrustedImmPtr structure, RegisterID dest)
+{
+    const Structure* structurePtr = static_cast<const Structure*>(structure.m_value);
+#if USE(JSVALUE64)
+    jit.store64(TrustedImm64(structurePtr->idBlob()), MacroAssembler::Address(dest, JSCell::structureIDOffset()));
+    if (!ASSERT_DISABLED) {
+        Jump correctStructure = jit.branch32(Equal, MacroAssembler::Address(dest, JSCell::structureIDOffset()), TrustedImm32(structurePtr->id()));
+        jit.abortWithReason(AHStructureIDIsValid);
+        correctStructure.link(&jit);
+
+        Jump correctIndexingType = jit.branch8(Equal, MacroAssembler::Address(dest, JSCell::indexingTypeOffset()), TrustedImm32(structurePtr->indexingType()));
+        jit.abortWithReason(AHIndexingTypeIsValid);
+        correctIndexingType.link(&jit);
+
+        Jump correctType = jit.branch8(Equal, MacroAssembler::Address(dest, JSCell::typeInfoTypeOffset()), TrustedImm32(structurePtr->typeInfo().type()));
+        jit.abortWithReason(AHTypeInfoIsValid);
+        correctType.link(&jit);
+
+        Jump correctFlags = jit.branch8(Equal, MacroAssembler::Address(dest, JSCell::typeInfoFlagsOffset()), TrustedImm32(structurePtr->typeInfo().inlineTypeFlags()));
+        jit.abortWithReason(AHTypeInfoInlineTypeFlagsAreValid);
+        correctFlags.link(&jit);
+    }
+#else
+    // Do a 32-bit wide store to initialize the cell's fields.
+    jit.store32(TrustedImm32(structurePtr->objectInitializationBlob()), MacroAssembler::Address(dest, JSCell::indexingTypeOffset()));
+    jit.storePtr(structure, MacroAssembler::Address(dest, JSCell::structureIDOffset()));
+#endif
+}
+
 } // namespace JSC
 

trunk/Source/JavaScriptCore/jit/AssemblyHelpers.h

@@ -63 +63 @@
 #if !defined(NDEBUG) && !CPU(ARM64)
         Jump stackPointerAligned = branchTestPtr(Zero, stackPointerRegister, TrustedImm32(0xf));
-        breakpoint();
+        abortWithReason(AHStackPointerMisaligned);
         stackPointerAligned.link(this);
 #endif
@@ -630 +630 @@
     }
 
-    static void emitStoreStructureWithTypeInfo(AssemblyHelpers& jit, TrustedImmPtr structure, RegisterID dest)
-    {
-        const Structure* structurePtr = static_cast<const Structure*>(structure.m_value);
-#if USE(JSVALUE64)
-        jit.store64(TrustedImm64(structurePtr->idBlob()), MacroAssembler::Address(dest, JSCell::structureIDOffset()));
-#ifndef NDEBUG
-        Jump correctStructure = jit.branch32(Equal, MacroAssembler::Address(dest, JSCell::structureIDOffset()), TrustedImm32(structurePtr->id()));
-        jit.breakpoint();
-        correctStructure.link(&jit);
-
-        Jump correctIndexingType = jit.branch8(Equal, MacroAssembler::Address(dest, JSCell::indexingTypeOffset()), TrustedImm32(structurePtr->indexingType()));
-        jit.breakpoint();
-        correctIndexingType.link(&jit);
-
-        Jump correctType = jit.branch8(Equal, MacroAssembler::Address(dest, JSCell::typeInfoTypeOffset()), TrustedImm32(structurePtr->typeInfo().type()));
-        jit.breakpoint();
-        correctType.link(&jit);
-
-        Jump correctFlags = jit.branch8(Equal, MacroAssembler::Address(dest, JSCell::typeInfoFlagsOffset()), TrustedImm32(structurePtr->typeInfo().inlineTypeFlags()));
-        jit.breakpoint();
-        correctFlags.link(&jit);
-#endif
-#else
-        // Do a 32-bit wide store to initialize the cell's fields.
-        jit.store32(TrustedImm32(structurePtr->objectInitializationBlob()), MacroAssembler::Address(dest, JSCell::indexingTypeOffset()));
-        jit.storePtr(structure, MacroAssembler::Address(dest, JSCell::structureIDOffset()));
-#endif
-    }
+    static void emitStoreStructureWithTypeInfo(AssemblyHelpers& jit, TrustedImmPtr structure, RegisterID dest);
 
     Jump checkMarkByte(GPRReg cell)

trunk/Source/JavaScriptCore/jit/JIT.h

@@ -306 +306 @@
         void emitLoadInt32ToDouble(int index, FPRegisterID value);
         Jump emitJumpIfCellNotObject(RegisterID cellReg);
-
-        Jump addStructureTransitionCheck(JSCell*, Structure*, StructureStubInfo*, RegisterID scratch);
-        void addStructureTransitionCheck(JSCell*, Structure*, StructureStubInfo*, JumpList& failureCases, RegisterID scratch);
-        void testPrototype(JSValue, JumpList& failureCases, StructureStubInfo*);
 
         enum WriteBarrierMode { UnconditionalWriteBarrier, ShouldFilterBase, ShouldFilterValue, ShouldFilterBaseAndValue };

trunk/Source/JavaScriptCore/jit/JITArithmetic.cpp

@@ -956 +956 @@
     OperandTypes types = OperandTypes::fromInt(currentInstruction[4].u.operand);
     if (types.first().definitelyIsNumber() && types.second().definitelyIsNumber()) {
-#ifndef NDEBUG
-        breakpoint();
-#endif
+        if (!ASSERT_DISABLED)
+            abortWithReason(JITDivOperandsAreNotNumbers);
         return;
     }

trunk/Source/JavaScriptCore/jit/JITOpcodes.cpp

@@ -1107 +1107 @@
         if (!ASSERT_DISABLED) {
             Jump ok = branchPtr(MacroAssembler::Above, regT0, TrustedImmPtr(bitwise_cast<void*>(static_cast<intptr_t>(1000))));
-            breakpoint();
+            abortWithReason(JITUnreasonableLoopHintJumpTarget);
             ok.link(this);
         }

trunk/Source/JavaScriptCore/jit/JITOpcodes32_64.cpp

@@ -102 +102 @@
 #else
 #error "JIT not supported on this platform."
-    breakpoint();
+    abortWithReason(JITNotSupported);
 #endif // CPU(X86)
 

trunk/Source/JavaScriptCore/jit/JITPropertyAccess.cpp

@@ -140 +140 @@
     Label done = label();
     
-#if !ASSERT_DISABLED
-    Jump resultOK = branchTest64(NonZero, regT0);
-    breakpoint();
-    resultOK.link(this);
-#endif
+    if (!ASSERT_DISABLED) {
+        Jump resultOK = branchTest64(NonZero, regT0);
+        abortWithReason(JITGetByValResultIsNotEmpty);
+        resultOK.link(this);
+    }
 
     emitValueProfilingSite();
@@ -253 +253 @@
         done.link(this);
     } else {
-#if !ASSERT_DISABLED
-        Jump isOutOfLine = branch32(GreaterThanOrEqual, offset, TrustedImm32(firstOutOfLineOffset));
-        breakpoint();
-        isOutOfLine.link(this);
-#endif
+        if (!ASSERT_DISABLED) {
+            Jump isOutOfLine = branch32(GreaterThanOrEqual, offset, TrustedImm32(firstOutOfLineOffset));
+            abortWithReason(JITOffsetIsNotOutOfLine);
+            isOutOfLine.link(this);
+        }
         loadPtr(Address(base, JSObject::butterflyOffset()), scratch);
         neg32(offset);
@@ -975 +975 @@
     UNUSED_PARAM(owner);
 #endif // ENABLE(GGC)
-}
-
-JIT::Jump JIT::addStructureTransitionCheck(JSCell* object, Structure* structure, StructureStubInfo* stubInfo, RegisterID scratch)
-{
-    if (object->structure() == structure && structure->transitionWatchpointSetIsStillValid()) {
-        structure->addTransitionWatchpoint(stubInfo->addWatchpoint(m_codeBlock));
-#if !ASSERT_DISABLED
-        move(TrustedImmPtr(object), scratch);
-        Jump ok = branchStructure(Equal, Address(scratch, JSCell::structureIDOffset()), structure);
-        breakpoint();
-        ok.link(this);
-#endif
-        Jump result; // Returning an unset jump this way because otherwise VC++ would complain.
-        return result;
-    }
-    
-    move(TrustedImmPtr(object), scratch);
-    return branchStructure(NotEqual, Address(scratch, JSCell::structureIDOffset()), structure);
-}
-
-void JIT::addStructureTransitionCheck(JSCell* object, Structure* structure, StructureStubInfo* stubInfo, JumpList& failureCases, RegisterID scratch)
-{
-    Jump failureCase = addStructureTransitionCheck(object, structure, stubInfo, scratch);
-    if (!failureCase.isSet())
-        return;
-    
-    failureCases.append(failureCase);
-}
-
-void JIT::testPrototype(JSValue prototype, JumpList& failureCases, StructureStubInfo* stubInfo)
-{
-    if (prototype.isNull())
-        return;
-
-    ASSERT(prototype.isCell());
-    addStructureTransitionCheck(prototype.asCell(), prototype.asCell()->structure(), stubInfo, failureCases, regT3);
 }
 

trunk/Source/JavaScriptCore/jit/JITPropertyAccess32_64.cpp

@@ -162 +162 @@
     Label done = label();
 
-#if !ASSERT_DISABLED
-    Jump resultOK = branch32(NotEqual, regT1, TrustedImm32(JSValue::EmptyValueTag));
-    breakpoint();
-    resultOK.link(this);
-#endif
+    if (!ASSERT_DISABLED) {
+        Jump resultOK = branch32(NotEqual, regT1, TrustedImm32(JSValue::EmptyValueTag));
+        abortWithReason(JITGetByValResultIsNotEmpty);
+        resultOK.link(this);
+    }
 
     emitValueProfilingSite();
@@ -602 +602 @@
         done.link(this);
     } else {
-#if !ASSERT_DISABLED
-        Jump isOutOfLine = branch32(GreaterThanOrEqual, offset, TrustedImm32(firstOutOfLineOffset));
-        breakpoint();
-        isOutOfLine.link(this);
-#endif
+        if (!ASSERT_DISABLED) {
+            Jump isOutOfLine = branch32(GreaterThanOrEqual, offset, TrustedImm32(firstOutOfLineOffset));
+            abortWithReason(JITOffsetIsNotOutOfLine);
+            isOutOfLine.link(this);
+        }
         loadPtr(Address(base, JSObject::butterflyOffset()), base);
         neg32(offset);

trunk/Source/JavaScriptCore/jit/RegisterPreservationWrapperGenerator.cpp

@@ -212 +212 @@
         AssemblyHelpers::Jump ok = jit.branchPtr(
             AssemblyHelpers::Above, GPRInfo::regT1, AssemblyHelpers::TrustedImmPtr(static_cast<size_t>(0x1000)));
-        jit.breakpoint();
+        jit.abortWithReason(RPWUnreasonableJumpTarget);
         ok.link(&jit);
     }

trunk/Source/JavaScriptCore/jit/Repatch.cpp

@@ -133 +133 @@
     if (object->structure() == structure && structure->transitionWatchpointSetIsStillValid()) {
         structure->addTransitionWatchpoint(stubInfo.addWatchpoint(codeBlock));
-#if !ASSERT_DISABLED
-        // If we execute this code, the object must have the structure we expect. Assert
-        // this in debug modes.
-        jit.move(MacroAssembler::TrustedImmPtr(object), scratchGPR);
-        MacroAssembler::Jump ok = branchStructure(jit,
-            MacroAssembler::Equal,
-            MacroAssembler::Address(scratchGPR, JSCell::structureIDOffset()),
-            structure);
-        jit.breakpoint();
-        ok.link(&jit);
-#endif
+        if (!ASSERT_DISABLED) {
+            // If we execute this code, the object must have the structure we expect. Assert
+            // this in debug modes.
+            jit.move(MacroAssembler::TrustedImmPtr(object), scratchGPR);
+            MacroAssembler::Jump ok = branchStructure(
+                jit,
+                MacroAssembler::Equal,
+                MacroAssembler::Address(scratchGPR, JSCell::structureIDOffset()),
+                structure);
+            jit.abortWithReason(RepatchIneffectiveWatchpoint);
+            ok.link(&jit);
+        }
         return;
     }
@@ -1572 +1573 @@
         CCallHelpers::Jump okArgumentCount = stubJit.branch32(
             CCallHelpers::Below, CCallHelpers::Address(CCallHelpers::stackPointerRegister, static_cast<ptrdiff_t>(sizeof(Register) * JSStack::ArgumentCount) + offsetToFrame + PayloadOffset), CCallHelpers::TrustedImm32(10000000));
-        stubJit.breakpoint();
+        stubJit.abortWithReason(RepatchInsaneArgumentCount);
         okArgumentCount.link(&stubJit);
     }

trunk/Source/JavaScriptCore/jit/ThunkGenerators.cpp

@@ -46 +46 @@
 inline void emitPointerValidation(CCallHelpers& jit, GPRReg pointerGPR)
 {
-#if !ASSERT_DISABLED
+    if (ASSERT_DISABLED)
+        return;
     CCallHelpers::Jump isNonZero = jit.branchTestPtr(CCallHelpers::NonZero, pointerGPR);
-    jit.breakpoint();
+    jit.abortWithReason(TGInvalidPointer);
     isNonZero.link(&jit);
     jit.pushToSave(pointerGPR);
     jit.load8(pointerGPR, pointerGPR);
     jit.popToRestore(pointerGPR);
-#else
-    UNUSED_PARAM(jit);
-    UNUSED_PARAM(pointerGPR);
-#endif
 }
 
@@ -374 +371 @@
 #error "JIT not supported on this platform."
     UNUSED_PARAM(executableOffsetToFunction);
-    breakpoint();
+    abortWithReason(TGNotSupported);
 #endif
 

trunk/Source/JavaScriptCore/yarr/YarrJIT.cpp

@@ -1640 +1640 @@
                 ASSERT(term->quantityCount == 1);
 
-#ifndef NDEBUG
                 // Runtime ASSERT to make sure that the nested alternative handled the
                 // "no input consumed" check.
-                if (term->quantityType != QuantifierFixedCount && !term->parentheses.disjunction->m_minimumSize) {
+                if (!ASSERT_DISABLED && term->quantityType != QuantifierFixedCount && !term->parentheses.disjunction->m_minimumSize) {
                     Jump pastBreakpoint;
                     pastBreakpoint = branch32(NotEqual, index, Address(stackPointerRegister, term->frameLocation * sizeof(void*)));
-                    breakpoint();
+                    abortWithReason(YARRNoInputConsumed);
                     pastBreakpoint.link(this);
                 }
-#endif
 
                 // If the parenthese are capturing, store the ending index value to the
@@ -1696 +1694 @@
             case OpParenthesesSubpatternTerminalEnd: {
                 YarrOp& beginOp = m_ops[op.m_previousOp];
-#ifndef NDEBUG
-                PatternTerm* term = op.m_term;
-
-                // Runtime ASSERT to make sure that the nested alternative handled the
-                // "no input consumed" check.
-                Jump pastBreakpoint;
-                pastBreakpoint = branch32(NotEqual, index, Address(stackPointerRegister, term->frameLocation * sizeof(void*)));
-                breakpoint();
-                pastBreakpoint.link(this);
-#endif
+                if (!ASSERT_DISABLED) {
+                    PatternTerm* term = op.m_term;
+                    
+                    // Runtime ASSERT to make sure that the nested alternative handled the
+                    // "no input consumed" check.
+                    Jump pastBreakpoint;
+                    pastBreakpoint = branch32(NotEqual, index, Address(stackPointerRegister, term->frameLocation * sizeof(void*)));
+                    abortWithReason(YARRNoInputConsumed);
+                    pastBreakpoint.link(this);
+                }
 
                 // We know that the match is non-zero, we can accept it  and