Changeset 182827 in webkit
- Timestamp:
- Apr 14, 2015 5:49:03 PM (9 years ago)
- Location:
- trunk/Source/JavaScriptCore
- Files:
-
- 3 edited
trunk/Source/JavaScriptCore/ChangeLog
r182826 r182827 1 2015-04-14 Michael Saboff <msaboff@apple.com> 2 3 DFG register fillSpeculate*() functions should validate incoming spill format is compatible with requested fill format 4 https://bugs.webkit.org/show_bug.cgi?id=143727 5 6 Reviewed by Geoffrey Garen. 7 8 Used the result of AbstractInterpreter<>::filter() to check that the current spill format is compatible 9 with the requested fill format. If filter() reports a contradiction, then we force an OSR exit. 10 Removed individual checks made redundant by the new check. 11 12 * dfg/DFGSpeculativeJIT32_64.cpp: 13 (JSC::DFG::SpeculativeJIT::fillSpeculateInt32Internal): 14 (JSC::DFG::SpeculativeJIT::fillSpeculateCell): 15 (JSC::DFG::SpeculativeJIT::fillSpeculateBoolean): 16 * dfg/DFGSpeculativeJIT64.cpp: 17 (JSC::DFG::SpeculativeJIT::fillSpeculateInt32Internal): 18 (JSC::DFG::SpeculativeJIT::fillSpeculateInt52): 19 (JSC::DFG::SpeculativeJIT::fillSpeculateCell): 20 (JSC::DFG::SpeculativeJIT::fillSpeculateBoolean): 21 1 22 2015-04-14 Joseph Pecoraro <pecoraro@apple.com> 2 23 -
trunk/Source/JavaScriptCore/dfg/DFGSpeculativeJIT32_64.cpp
r182759 r182827 846 846 SpeculatedType type = value.m_type; 847 847 ASSERT(edge.useKind() != KnownInt32Use || !(value.m_type & ~SpecInt32)); 848 m_interpreter.filter(value, SpecInt32); 849 VirtualRegister virtualRegister = edge->virtualRegister(); 850 GenerationInfo& info = generationInfoFromVirtualRegister(virtualRegister); 851 852 if (edge->hasConstant() && !edge->isInt32Constant()) { 848 849 if (m_interpreter.filter(value, SpecInt32) == Contradiction) { 853 850 terminateSpeculativeExecution(Uncountable, JSValueRegs(), 0); 854 851 returnFormat = DataFormatInt32; 855 852 return allocate(); 856 853 } 857 854 855 VirtualRegister virtualRegister = edge->virtualRegister(); 856 GenerationInfo& info = generationInfoFromVirtualRegister(virtualRegister); 857 858 858 switch (info.registerFormat()) { 859 859 case DataFormatNone: { … … 869 869 870 870 DataFormat spillFormat = info.spillFormat(); 871 872 if (spillFormat == DataFormatCell) {873 terminateSpeculativeExecution(BadType, JSValueRegs(), edge);874 returnFormat = DataFormatInt32;875 return allocate();876 }877 871 878 872 ASSERT_UNUSED(spillFormat, (spillFormat & DataFormatJS) || spillFormat == DataFormatInt32); … … 921 915 case DataFormatJSCell: 922 916 case DataFormatJSBoolean: 923 terminateSpeculativeExecution(Uncountable, JSValueRegs(), 0);924 returnFormat = DataFormatInt32;925 return allocate();926 927 917 case DataFormatDouble: 928 918 case DataFormatStorage: … … 983 973 SpeculatedType type = value.m_type; 984 974 ASSERT((edge.useKind() != KnownCellUse && edge.useKind() != KnownStringUse) || !(value.m_type & ~SpecCell)); 985 m_interpreter.filter(value, SpecCell); 975 976 if (m_interpreter.filter(value, SpecCell) == Contradiction) { 977 terminateSpeculativeExecution(Uncountable, JSValueRegs(), 0); 978 return allocate(); 979 } 980 986 981 VirtualRegister virtualRegister = edge->virtualRegister(); 987 982 GenerationInfo& info = generationInfoFromVirtualRegister(virtualRegister); 988 989 if (edge->hasConstant() && 
!edge->isCellConstant()) {990 // Protect the silent spill/fill logic by failing early. If we "speculate" on991 // the constant then the silent filler may think that we have a cell and a992 // constant, so it will try to fill this as an cell constant. Bad things will993 // happen.994 terminateSpeculativeExecution(Uncountable, JSValueRegs(), 0);995 return allocate();996 }997 983 998 984 switch (info.registerFormat()) { 999 985 case DataFormatNone: { 1000 if (info.spillFormat() == DataFormatInt32) {1001 terminateSpeculativeExecution(Uncountable, JSValueRegs(), 0);1002 return allocate();1003 }1004 1005 986 if (edge->hasConstant()) { 1006 987 JSValue jsValue = edge->asJSValue(); … … 1060 1041 case DataFormatJSBoolean: 1061 1042 case DataFormatBoolean: 1062 terminateSpeculativeExecution(Uncountable, JSValueRegs(), 0);1063 return allocate();1064 1065 1043 case DataFormatDouble: 1066 1044 case DataFormatStorage: … … 1077 1055 AbstractValue& value = m_state.forNode(edge); 1078 1056 SpeculatedType type = value.m_type; 1079 m_interpreter.filter(value, SpecBoolean); 1057 1058 if (m_interpreter.filter(value, SpecBoolean) == Contradiction) { 1059 terminateSpeculativeExecution(Uncountable, JSValueRegs(), 0); 1060 return allocate(); 1061 } 1062 1080 1063 VirtualRegister virtualRegister = edge->virtualRegister(); 1081 1064 GenerationInfo& info = generationInfoFromVirtualRegister(virtualRegister); … … 1083 1066 switch (info.registerFormat()) { 1084 1067 case DataFormatNone: { 1085 if (info.spillFormat() == DataFormatInt32) {1086 terminateSpeculativeExecution(Uncountable, JSValueRegs(), 0);1087 return allocate();1088 }1089 1090 1068 if (edge->hasConstant()) { 1091 1069 JSValue jsValue = edge->asJSValue(); 1092 1070 GPRReg gpr = allocate(); 1093 if (jsValue.isBoolean()) { 1094 m_gprs.retain(gpr, virtualRegister, SpillOrderConstant); 1095 m_jit.move(MacroAssembler::TrustedImm32(jsValue.asBoolean()), gpr); 1096 info.fillBoolean(*m_stream, gpr); 1097 return gpr; 1098 } 1099 
terminateSpeculativeExecution(Uncountable, JSValueRegs(), 0); 1071 m_gprs.retain(gpr, virtualRegister, SpillOrderConstant); 1072 m_jit.move(MacroAssembler::TrustedImm32(jsValue.asBoolean()), gpr); 1073 info.fillBoolean(*m_stream, gpr); 1100 1074 return gpr; 1101 1075 } … … 1141 1115 case DataFormatJSCell: 1142 1116 case DataFormatCell: 1143 terminateSpeculativeExecution(Uncountable, JSValueRegs(), 0);1144 return allocate();1145 1146 1117 case DataFormatDouble: 1147 1118 case DataFormatStorage: -
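Review bot: In fillSpeculateBoolean's DataFormatNone constant path, removing the `jsValue.isBoolean()` guard leaves `jsValue.asBoolean()` called unconditionally, with the `m_interpreter.filter(value, SpecBoolean) == Contradiction` check at the top of the function as the only thing that keeps a non-boolean constant away from that call; DFGSpeculativeJIT64.cpp's fillSpeculateBoolean has the same shape before `JSValue::encode(jsValue)`. The dependency is not visible at the call site, so I would state it with `ASSERT(jsValue.isBoolean());` directly before the `m_gprs.retain(gpr, virtualRegister, SpillOrderConstant);` line in both files. The new contradiction checks would also read better with a one-line why-comment, e.g. `// Contradiction: no value of this edge can satisfy the requested fill format, so exit instead of filling.`, since they now replace several removed per-format exits. The three fill functions each start and end outside the displayed hunks.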
trunk/Source/JavaScriptCore/dfg/DFGSpeculativeJIT64.cpp
r182759 r182827 818 818 SpeculatedType type = value.m_type; 819 819 ASSERT(edge.useKind() != KnownInt32Use || !(value.m_type & ~SpecInt32)); 820 m_interpreter.filter(value, SpecInt32); 821 VirtualRegister virtualRegister = edge->virtualRegister(); 822 GenerationInfo& info = generationInfoFromVirtualRegister(virtualRegister); 823 824 if (edge->hasConstant() && !edge->isInt32Constant()) { 825 // Protect the silent spill/fill logic by failing early. If we "speculate" on 826 // the constant then the silent filler may think that we have an int32 and a 827 // constant, so it will try to fill this as an int32 constant. Bad things will 828 // happen. 820 821 if (m_interpreter.filter(value, SpecInt32) == Contradiction) { 829 822 terminateSpeculativeExecution(Uncountable, JSValueRegs(), 0); 830 823 returnFormat = DataFormatInt32; 831 824 return allocate(); 832 825 } 833 826 827 VirtualRegister virtualRegister = edge->virtualRegister(); 828 GenerationInfo& info = generationInfoFromVirtualRegister(virtualRegister); 829 834 830 switch (info.registerFormat()) { 835 831 case DataFormatNone: { … … 930 926 case DataFormatBoolean: 931 927 case DataFormatJSCell: 932 case DataFormatJSBoolean: { 933 terminateSpeculativeExecution(Uncountable, JSValueRegs(), 0); 934 returnFormat = DataFormatInt32; 935 return allocate(); 936 } 937 928 case DataFormatJSBoolean: 938 929 case DataFormatDouble: 939 930 case DataFormatStorage: … … 968 959 ASSERT(desiredFormat == DataFormatInt52 || desiredFormat == DataFormatStrictInt52); 969 960 AbstractValue& value = m_state.forNode(edge); 970 m_interpreter.filter(value, SpecMachineInt); 961 962 if (m_interpreter.filter(value, SpecMachineInt) == Contradiction) { 963 terminateSpeculativeExecution(Uncountable, JSValueRegs(), 0); 964 return allocate(); 965 } 966 971 967 VirtualRegister virtualRegister = edge->virtualRegister(); 972 968 GenerationInfo& info = generationInfoFromVirtualRegister(virtualRegister); … … 974 970 switch (info.registerFormat()) { 975 971 
case DataFormatNone: { 976 if (edge->hasConstant() && !edge->isMachineIntConstant()) {977 terminateSpeculativeExecution(Uncountable, JSValueRegs(), 0);978 return allocate();979 }980 981 972 GPRReg gpr = allocate(); 982 973 … … 1097 1088 SpeculatedType type = value.m_type; 1098 1089 ASSERT((edge.useKind() != KnownCellUse && edge.useKind() != KnownStringUse) || !(value.m_type & ~SpecCell)); 1099 m_interpreter.filter(value, SpecCell); 1090 1091 if (m_interpreter.filter(value, SpecCell) == Contradiction) { 1092 terminateSpeculativeExecution(Uncountable, JSValueRegs(), 0); 1093 return allocate(); 1094 } 1095 1100 1096 VirtualRegister virtualRegister = edge->virtualRegister(); 1101 1097 GenerationInfo& info = generationInfoFromVirtualRegister(virtualRegister); 1102 1103 if (edge->hasConstant() && !edge->isCellConstant()) {1104 // Better to fail early on constants.1105 terminateSpeculativeExecution(Uncountable, JSValueRegs(), 0);1106 return allocate();1107 }1108 1098 1109 1099 switch (info.registerFormat()) { … … 1118 1108 return gpr; 1119 1109 } 1120 1121 if (!(info.spillFormat() & DataFormatJS)) { 1122 terminateSpeculativeExecution(Uncountable, JSValueRegs(), 0); 1123 return gpr; 1124 } 1125 1110 1126 1111 m_gprs.retain(gpr, virtualRegister, SpillOrderSpilled); 1127 1112 m_jit.load64(JITCompiler::addressFor(virtualRegister), gpr); … … 1159 1144 case DataFormatJSDouble: 1160 1145 case DataFormatJSBoolean: 1161 case DataFormatBoolean: { 1162 terminateSpeculativeExecution(Uncountable, JSValueRegs(), 0); 1163 return allocate(); 1164 } 1165 1146 case DataFormatBoolean: 1166 1147 case DataFormatDouble: 1167 1148 case DataFormatStorage: … … 1180 1161 AbstractValue& value = m_state.forNode(edge); 1181 1162 SpeculatedType type = value.m_type; 1182 m_interpreter.filter(value, SpecBoolean); 1163 1164 if (m_interpreter.filter(value, SpecBoolean) == Contradiction) { 1165 terminateSpeculativeExecution(Uncountable, JSValueRegs(), 0); 1166 return allocate(); 1167 } 1168 1183 1169 
VirtualRegister virtualRegister = edge->virtualRegister(); 1184 1170 GenerationInfo& info = generationInfoFromVirtualRegister(virtualRegister); … … 1186 1172 switch (info.registerFormat()) { 1187 1173 case DataFormatNone: { 1188 if (info.spillFormat() == DataFormatInt32) {1189 terminateSpeculativeExecution(Uncountable, JSValueRegs(), 0);1190 return allocate();1191 }1192 1193 1174 GPRReg gpr = allocate(); 1194 1175 1195 1176 if (edge->hasConstant()) { 1196 1177 JSValue jsValue = edge->asJSValue(); 1197 if (jsValue.isBoolean()) { 1198 m_gprs.retain(gpr, virtualRegister, SpillOrderConstant); 1199 m_jit.move(MacroAssembler::TrustedImm64(JSValue::encode(jsValue)), gpr); 1200 info.fillJSValue(*m_stream, gpr, DataFormatJSBoolean); 1201 return gpr; 1202 } 1203 terminateSpeculativeExecution(Uncountable, JSValueRegs(), 0); 1178 m_gprs.retain(gpr, virtualRegister, SpillOrderConstant); 1179 m_jit.move(MacroAssembler::TrustedImm64(JSValue::encode(jsValue)), gpr); 1180 info.fillJSValue(*m_stream, gpr, DataFormatJSBoolean); 1204 1181 return gpr; 1205 1182 } … … 1242 1219 case DataFormatJSCell: 1243 1220 case DataFormatCell: 1244 terminateSpeculativeExecution(Uncountable, JSValueRegs(), 0);1245 return allocate();1246 1247 1221 case DataFormatDouble: 1248 1222 case DataFormatStorage:
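Review bot: In fillSpeculateCell's DataFormatNone case, dropping the `!(info.spillFormat() & DataFormatJS)` exit means `m_jit.load64(JITCompiler::addressFor(virtualRegister), gpr)` now reads the spill slot as a 64-bit JSValue regardless of what format was spilled there, with the earlier `m_interpreter.filter(value, SpecCell) == Contradiction` check as the only thing ruling out a non-JS spill. That check works on the abstract type, not on GenerationInfo, so I would keep the original expectation visible as a debug check, `ASSERT(info.spillFormat() & DataFormatJS);`, directly before the `m_gprs.retain(gpr, virtualRegister, SpillOrderSpilled);` line; if a non-JS spill format turns out to be legitimately reachable here, the assert will name it and can be relaxed with a comment explaining why the load is still correct. The function starts and ends outside the hunk.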