Changeset 209846 in webkit

Timestamp:

Dec 14, 2016 5:25:16 PM (7 years ago)

Author:

fpizlo@apple.com

Message:

DirectTailCall implementation needs to tell the shuffler what to put into the ArgumentCount explicitly
​https://bugs.webkit.org/show_bug.cgi?id=165882

Reviewed by Mark Lam.
JSTests:

• stress/direct-tail-call-arity-mismatch-count-args.js: Added.

(foo):
(bar):

Source/JavaScriptCore:

The CallFrameShuffler was assuming that the ArgumentCount that it should store into the
callee frame is simply the size of the args vector.

That's not true for DirectTailCall, which will pad the args vector with undefined if we
are optimizing an arity mismatch. We need to pass the ArgumentCount explicitly in this
case.

• dfg/DFGSpeculativeJIT32_64.cpp:

(JSC::DFG::SpeculativeJIT::emitCall):

• dfg/DFGSpeculativeJIT64.cpp:

(JSC::DFG::SpeculativeJIT::emitCall):

• ftl/FTLLowerDFGToB3.cpp:

(JSC::FTL::DFG::LowerDFGToB3::compileDirectCallOrConstruct):
(JSC::FTL::DFG::LowerDFGToB3::compileTailCall):

• jit/CallFrameShuffleData.h:
• jit/CallFrameShuffler.cpp:

(JSC::CallFrameShuffler::CallFrameShuffler):
(JSC::CallFrameShuffler::prepareAny):

• jit/CallFrameShuffler.h:

(JSC::CallFrameShuffler::snapshot):

• jit/JITCall.cpp:

(JSC::JIT::compileOpCall):

Location:

trunk

Files:

• JSTests/ChangeLog (modified) (1 diff)
• JSTests/stress/direct-tail-call-arity-mismatch-count-args.js (added)
• Source/JavaScriptCore/ChangeLog (modified) (1 diff)
• Source/JavaScriptCore/dfg/DFGSpeculativeJIT32_64.cpp (modified) (1 diff)
• Source/JavaScriptCore/dfg/DFGSpeculativeJIT64.cpp (modified) (1 diff)
• Source/JavaScriptCore/ftl/FTLLowerDFGToB3.cpp (modified) (2 diffs)
• Source/JavaScriptCore/jit/CallFrameShuffleData.h (modified) (2 diffs)
• Source/JavaScriptCore/jit/CallFrameShuffler.cpp (modified) (3 diffs)
• Source/JavaScriptCore/jit/CallFrameShuffler.h (modified) (2 diffs)
• Source/JavaScriptCore/jit/JITCall.cpp (modified) (1 diff)

trunk/JSTests/ChangeLog

@@ +1 @@
+2016-12-14  Filip Pizlo  <fpizlo@apple.com>
+
+        DirectTailCall implementation needs to tell the shuffler what to put into the ArgumentCount explicitly
+        https://bugs.webkit.org/show_bug.cgi?id=165882
+
+        Reviewed by Mark Lam.
+
+        * stress/direct-tail-call-arity-mismatch-count-args.js: Added.
+        (foo):
+        (bar):
+
 2016-12-14  Keith Miller  <keith_miller@apple.com>
 

trunk/Source/JavaScriptCore/ChangeLog

@@ +1 @@
+2016-12-14  Filip Pizlo  <fpizlo@apple.com>
+
+        DirectTailCall implementation needs to tell the shuffler what to put into the ArgumentCount explicitly
+        https://bugs.webkit.org/show_bug.cgi?id=165882
+
+        Reviewed by Mark Lam.
+        
+        The CallFrameShuffler was assuming that the ArgumentCount that it should store into the
+        callee frame is simply the size of the args vector.
+        
+        That's not true for DirectTailCall, which will pad the args vector with undefined if we
+        are optimizing an arity mismatch. We need to pass the ArgumentCount explicitly in this
+        case.
+
+        * dfg/DFGSpeculativeJIT32_64.cpp:
+        (JSC::DFG::SpeculativeJIT::emitCall):
+        * dfg/DFGSpeculativeJIT64.cpp:
+        (JSC::DFG::SpeculativeJIT::emitCall):
+        * ftl/FTLLowerDFGToB3.cpp:
+        (JSC::FTL::DFG::LowerDFGToB3::compileDirectCallOrConstruct):
+        (JSC::FTL::DFG::LowerDFGToB3::compileTailCall):
+        * jit/CallFrameShuffleData.h:
+        * jit/CallFrameShuffler.cpp:
+        (JSC::CallFrameShuffler::CallFrameShuffler):
+        (JSC::CallFrameShuffler::prepareAny):
+        * jit/CallFrameShuffler.h:
+        (JSC::CallFrameShuffler::snapshot):
+        * jit/JITCall.cpp:
+        (JSC::JIT::compileOpCall):
+
 2016-12-14  Keith Miller  <keith_miller@apple.com>
 

trunk/Source/JavaScriptCore/dfg/DFGSpeculativeJIT32_64.cpp

@@ -880 +880 @@
             shuffleData.callee = ValueRecovery::inPair(calleeTagGPR, calleePayloadGPR);
             shuffleData.args.resize(numAllocatedArgs);
+            shuffleData.numPassedArgs = numPassedArgs;
 
             for (unsigned i = 0; i < numPassedArgs; ++i) {

trunk/Source/JavaScriptCore/dfg/DFGSpeculativeJIT64.cpp

@@ -852 +852 @@
             shuffleData.callee = ValueRecovery::inGPR(calleeGPR, DataFormatJS);
             shuffleData.args.resize(numAllocatedArgs);
-
+            shuffleData.numPassedArgs = numPassedArgs;
+            
             for (unsigned i = 0; i < numPassedArgs; ++i) {
                 Edge argEdge = m_jit.graph().varArgChild(node, i + 1);

trunk/Source/JavaScriptCore/ftl/FTLLowerDFGToB3.cpp

@@ -5993 +5993 @@
                     for (unsigned i = numPassedArgs; i < numAllocatedArgs; ++i)
                         shuffleData.args.append(ValueRecovery::constant(jsUndefined()));
+                    shuffleData.numPassedArgs = numPassedArgs;
                     shuffleData.setupCalleeSaveRegisters(jit.codeBlock());
                     
@@ -6159 +6160 @@
                     shuffleData.args.append(params[1 + i].recoveryForJSValue());
 
+                shuffleData.numPassedArgs = numArgs;
+                
                 shuffleData.setupCalleeSaveRegisters(jit.codeBlock());
 

trunk/Source/JavaScriptCore/jit/CallFrameShuffleData.h

@@ -1 +1 @@
 /*
- * Copyright (C) 2015 Apple Inc. All rights reserved.
+ * Copyright (C) 2015-2016 Apple Inc. All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
@@ -36 +36 @@
     WTF_MAKE_FAST_ALLOCATED;
 public:
-    unsigned numLocals;
+    unsigned numLocals { UINT_MAX };
     ValueRecovery callee;
     Vector<ValueRecovery> args;
+    unsigned numPassedArgs { UINT_MAX };
 #if USE(JSVALUE64)
     RegisterMap<ValueRecovery> registers;

trunk/Source/JavaScriptCore/jit/CallFrameShuffler.cpp

@@ -1 +1 @@
 /*
- * Copyright (C) 2015 Apple Inc. All rights reserved.
+ * Copyright (C) 2015-2016 Apple Inc. All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
@@ -45 +45 @@
     , m_frameDelta(m_alignedNewFrameSize - m_alignedOldFrameSize)
     , m_lockedRegisters(RegisterSet::allRegisters())
+    , m_numPassedArgs(data.numPassedArgs)
 {
     // We are allowed all the usual registers...
@@ -747 +748 @@
     m_jit.store32(MacroAssembler::TrustedImm32(0),
         addressForNew(VirtualRegister { CallFrameSlot::argumentCount }).withOffset(TagOffset));
-    m_jit.store32(MacroAssembler::TrustedImm32(argCount()),
+    RELEASE_ASSERT(m_numPassedArgs != UINT_MAX);
+    m_jit.store32(MacroAssembler::TrustedImm32(m_numPassedArgs),
         addressForNew(VirtualRegister { CallFrameSlot::argumentCount }).withOffset(PayloadOffset));
 

trunk/Source/JavaScriptCore/jit/CallFrameShuffler.h

@@ -103 +103 @@
         CallFrameShuffleData data;
         data.numLocals = numLocals();
+        data.numPassedArgs = m_numPassedArgs;
         data.callee = getNew(VirtualRegister { CallFrameSlot::callee })->recovery();
         data.args.resize(argCount());
@@ -795 +796 @@
     // due to high register pressure.
     bool performSafeWrites();
+    
+    unsigned m_numPassedArgs { UINT_MAX };
 };
 

trunk/Source/JavaScriptCore/jit/JITCall.cpp

@@ -199 +199 @@
     if (opcodeID == op_tail_call) {
         CallFrameShuffleData shuffleData;
+        shuffleData.numPassedArgs = instruction[3].u.operand;
         shuffleData.tagTypeNumber = GPRInfo::tagTypeNumberRegister;
         shuffleData.numLocals =