Changeset 174035 in webkit

Timestamp:

Sep 27, 2014 11:49:12 AM (10 years ago)

Author:

benjamin@webkit.org

Message:

Chaining multiple :nth-child() does not work properly
​https://bugs.webkit.org/show_bug.cgi?id=137032

Patch by Benjamin Poulain <​bpoulain@apple.com> on 2014-09-27
Reviewed by Gavin Barraclough.

Source/WebCore:

When multiple :nth-child() are chained, the evaluation of each "An+B" could depend on
the execution of the previous "An+B". The reason is that the register holding the position
of the current element could be modified by the evaluation of "An+B".

There are two cases in which the register was used as the destination of an operation:
1) When A and B are positive, the counter would be the destination of "counter - B".
2) When A is not 1 or 2, the modulo operation was not preserving the input register.

For (1), we a copy of the counter in that case of generateElementIsNthChild().

For (2), we also preserve a copy of the input if it is used by the operation. In this case,
if the input register is one of the argument we need for idiv, we preserve it on the stack
or in a register depending on what is available.

This increases the register requirements by 2 in the worst case on x86. The extra registers
can push generateElementIsNthChild() above the 4 available registers. To accomodate for that,
minimumRegisterRequirements() reserve more registers on x86.

The extra register pressure has strictly no effect on performance, x86_64 has 9 registers
available without pushing anything. The extra allocation is only necessary for debugging.

Tests: fast/selectors/nth-child-basics.html

fast/selectors/nth-child-chained.html
fast/selectors/nth-child-of-basics-2.html
fast/selectors/nth-child-of-chained.html

• cssjit/SelectorCompiler.cpp:

(WebCore::SelectorCompiler::minimumRegisterRequirements):
(WebCore::SelectorCompiler::SelectorCodeGenerator::modulo):
(WebCore::SelectorCompiler::SelectorCodeGenerator::generateElementIsNthChild):

LayoutTests:

• fast/selectors/nth-child-chained-expected.txt: Added.
• fast/selectors/nth-child-chained.html: Added.
• fast/selectors/nth-child-of-chained-expected.txt: Added.
• fast/selectors/nth-child-of-chained.html: Added.

Those new tests target specifically the register reuse bug fixed by the patch.

• fast/selectors/nth-child-basics-expected.txt: Added.
• fast/selectors/nth-child-basics.html: Added.
• fast/selectors/nth-child-of-basics-2-expected.txt: Added.
• fast/selectors/nth-child-of-basics-2.html: Added.

Those tests add coverage for the examples used by ​http://nthmaster.com. This is to increase
the general test coverage.

I added nth-child-of-basics-2.html instead of extending nth-child-of-basics.html because
of the speed issue in debug without CSS JIT (otherwise the test can timeout).

Location:

trunk

Files:

• LayoutTests/ChangeLog (modified) (1 diff)
• LayoutTests/fast/selectors/nth-child-basics-expected.txt (added)
• LayoutTests/fast/selectors/nth-child-basics.html (added)
• LayoutTests/fast/selectors/nth-child-chained-expected.txt (added)
• LayoutTests/fast/selectors/nth-child-chained.html (added)
• LayoutTests/fast/selectors/nth-child-of-basics-2-expected.txt (added)
• LayoutTests/fast/selectors/nth-child-of-basics-2.html (added)
• LayoutTests/fast/selectors/nth-child-of-chained-expected.txt (added)
• LayoutTests/fast/selectors/nth-child-of-chained.html (added)
• Source/WebCore/ChangeLog (modified) (1 diff)
• Source/WebCore/cssjit/SelectorCompiler.cpp (modified) (7 diffs)

trunk/LayoutTests/ChangeLog

@@ +1 @@
+2014-09-27  Benjamin Poulain  <bpoulain@apple.com>
+
+        Chaining multiple :nth-child() does not work properly
+        https://bugs.webkit.org/show_bug.cgi?id=137032
+
+        Reviewed by Gavin Barraclough.
+
+        * fast/selectors/nth-child-chained-expected.txt: Added.
+        * fast/selectors/nth-child-chained.html: Added.
+        * fast/selectors/nth-child-of-chained-expected.txt: Added.
+        * fast/selectors/nth-child-of-chained.html: Added.
+        Those new tests target specifically the register reuse bug fixed by the patch.
+
+        * fast/selectors/nth-child-basics-expected.txt: Added.
+        * fast/selectors/nth-child-basics.html: Added.
+        * fast/selectors/nth-child-of-basics-2-expected.txt: Added.
+        * fast/selectors/nth-child-of-basics-2.html: Added.
+        Those tests add coverage for the examples used by http://nthmaster.com. This is to increase
+        the general test coverage.
+
+        I added nth-child-of-basics-2.html instead of extending nth-child-of-basics.html because
+        of the speed issue in debug without CSS JIT (otherwise the test can timeout).
+
 2014-09-26  Yusuke Suzuki  <utatane.tea@gmail.com>
 

trunk/Source/WebCore/ChangeLog

@@ +1 @@
+2014-09-27  Benjamin Poulain  <bpoulain@apple.com>
+
+        Chaining multiple :nth-child() does not work properly
+        https://bugs.webkit.org/show_bug.cgi?id=137032
+
+        Reviewed by Gavin Barraclough.
+
+        When multiple :nth-child() are chained, the evaluation of each "An+B" could depend on
+        the execution of the previous "An+B". The reason is that the register holding the position
+        of the current element could be modified by the evaluation of "An+B".
+
+        There are two cases in which the register was used as the destination of an operation:
+        1) When A and B are positive, the counter would be the destination of "counter - B".
+        2) When A is not 1 or 2, the modulo operation was not preserving the input register.
+
+        For (1), we a copy of the counter in that case of generateElementIsNthChild().
+
+        For (2), we also preserve a copy of the input if it is used by the operation. In this case,
+        if the input register is one of the argument we need for idiv, we preserve it on the stack
+        or in a register depending on what is available.
+
+        This increases the register requirements by 2 in the worst case on x86. The extra registers
+        can push generateElementIsNthChild() above the 4 available registers. To accomodate for that,
+        minimumRegisterRequirements() reserve more registers on x86.
+
+        The extra register pressure has strictly no effect on performance, x86_64 has 9 registers
+        available without pushing anything. The extra allocation is only necessary for debugging.
+
+        Tests: fast/selectors/nth-child-basics.html
+               fast/selectors/nth-child-chained.html
+               fast/selectors/nth-child-of-basics-2.html
+               fast/selectors/nth-child-of-chained.html
+
+        * cssjit/SelectorCompiler.cpp:
+        (WebCore::SelectorCompiler::minimumRegisterRequirements):
+        (WebCore::SelectorCompiler::SelectorCodeGenerator::modulo):
+        (WebCore::SelectorCompiler::SelectorCodeGenerator::generateElementIsNthChild):
+
 2014-09-26  Christophe Dumez  <cdumez@apple.com>
 

trunk/Source/WebCore/cssjit/SelectorCompiler.cpp

@@ -849 +849 @@
 // Element + BacktrackingRegister + ElementData + a pointer to values + an index on that pointer + the value we expect;
 static const unsigned minimumRequiredRegisterCount = 6;
+
 // Element + ElementData + scratchRegister + attributeArrayPointer + expectedLocalName + (qualifiedNameImpl && expectedValue).
 static const unsigned minimumRequiredRegisterCountForAttributeFilter = 6;
+
+#if CPU(X86_64)
+// Element + SiblingCounter + SiblingCounterCopy + divisor + dividend + remainder.
+static const unsigned minimumRequiredRegisterCountForNthChildFilter = 6;
+#endif
 
 static inline unsigned minimumRegisterRequirements(const SelectorFragment& selectorFragment)
@@ -877 +883 @@
         minimum = std::max(minimum, attributeMinimum);
     }
+
+#if CPU(X86_64)
+    if (!selectorFragment.nthChildFilters.isEmpty())
+        minimum = std::max(minimum, minimumRequiredRegisterCountForNthChildFilter + backtrackingRegisterRequirements);
+#endif
 
     // :not pseudo class filters cause some register pressure.
@@ -1755 +1766 @@
         bool registerIsInUse = m_registerAllocator.allocatedRegisters().contains(dividend);
         if (registerIsInUse) {
-            if (m_registerAllocator.availableRegisterCount()) {
+            if (m_registerAllocator.availableRegisterCount() > 1) {
                 temporaryDividendCopy = m_registerAllocator.allocateRegister();
                 m_assembler.move(dividend, temporaryDividendCopy);
@@ -1777 +1788 @@
         bool registerIsInUse = m_registerAllocator.allocatedRegisters().contains(remainder);
         if (registerIsInUse) {
-            if (m_registerAllocator.availableRegisterCount()) {
+            if (m_registerAllocator.availableRegisterCount() > 1) {
                 temporaryRemainderCopy = m_registerAllocator.allocateRegister();
                 m_assembler.move(remainder, temporaryRemainderCopy);
@@ -1790 +1801 @@
         }
     }
+
+    // If the input register is used by idiv, save its value to restore it after the operation.
+    Assembler::RegisterID inputDividendCopy;
+    StackAllocator::StackReference pushedInputDividendStackReference;
+    RegisterAllocationType savedInputDividendAllocationType = RegisterAllocationType::External;
+    if (inputDividend == dividend || inputDividend == remainder) {
+        if (m_registerAllocator.availableRegisterCount() > 1) {
+            inputDividendCopy = m_registerAllocator.allocateRegister();
+            m_assembler.move(inputDividend, inputDividendCopy);
+            savedInputDividendAllocationType = RegisterAllocationType::CopiedToTemporary;
+        } else {
+            pushedInputDividendStackReference = m_stackAllocator.push(inputDividend);
+            savedInputDividendAllocationType = RegisterAllocationType::PushedToStack;
+        }
+    }
+
     m_assembler.m_assembler.cdq();
 
@@ -1816 +1843 @@
     } else if (dividendAllocation == RegisterAllocationType::PushedToStack)
         m_stackAllocator.pop(temporaryDividendStackReference, dividend);
+
+    if (savedInputDividendAllocationType != RegisterAllocationType::External) {
+        if (savedInputDividendAllocationType == RegisterAllocationType::CopiedToTemporary) {
+            m_assembler.move(inputDividendCopy, inputDividend);
+            m_registerAllocator.deallocateRegister(inputDividendCopy);
+        } else if (savedInputDividendAllocationType == RegisterAllocationType::PushedToStack)
+            m_stackAllocator.pop(pushedInputDividendStackReference, inputDividend);
+    }
 
     // 4) Branch on the test.
@@ -2999 +3034 @@
                 failureCases.append(m_assembler.branchTest32(Assembler::Zero, elementCounter, Assembler::TrustedImm32(1)));
             } else {
-                if (b)
-                    failureCases.append(m_assembler.branchSub32(Assembler::Signed, Assembler::TrustedImm32(b), elementCounter));
-                moduloIsZero(failureCases, elementCounter, a);
+                if (b) {
+                    LocalRegister elementCounterCopy(m_registerAllocator);
+                    m_assembler.move(elementCounter, elementCounterCopy);
+                    failureCases.append(m_assembler.branchSub32(Assembler::Signed, Assembler::TrustedImm32(b), elementCounterCopy));
+                    moduloIsZero(failureCases, elementCounterCopy, a);
+                } else
+                    moduloIsZero(failureCases, elementCounter, a);
             }
         } else {