Changeset 249661 in webkit

Timestamp:

Sep 9, 2019 1:32:56 PM (5 years ago)

Author:

keith_miller@apple.com

Message:

OSR entry into wasm misses some contexts
​https://bugs.webkit.org/show_bug.cgi?id=201569

Reviewed by Yusuke Suzuki.

JSTests:

Add a new harness and wast and the generated wasm file for
testing. The idea long term is to make it easy to test by creating
a C file and converting it to a wast then modify that to produce a
test.

• wasm.yaml:
• wasm/wast-tests/harness.js: Added.

(async.runWasmFile):

• wasm/wast-tests/osr-entry-inner-loop-branch-above-no-consts.wasm: Added.
• wasm/wast-tests/osr-entry-inner-loop-branch-above-no-consts.wast: Added.
• wasm/wast-tests/osr-entry-inner-loop-branch-above.wasm: Added.
• wasm/wast-tests/osr-entry-inner-loop-branch-above.wast: Added.
• wasm/wast-tests/osr-entry-inner-loop.wasm: Added.
• wasm/wast-tests/osr-entry-inner-loop.wast: Added.
• wasm/wast-tests/osr-entry-multiple-enclosed-contexts.wasm: Added.
• wasm/wast-tests/osr-entry-multiple-enclosed-contexts.wast: Added.

Source/JavaScriptCore:

This patch fixes an issue where we could fail to capture some of
our contexts when OSR entering into wasm code. Before we would
only capture the state of the block immediately surrounding the
entrance loop block header. We actually need to capture all
enclosed stacks.

Additionally, we don't need to use variables for all the captured
values. We can use a Phi and insert an upsilon just below the
captured value.

• interpreter/CallFrame.h:
• jsc.cpp:

(GlobalObject::finishCreation):
(functionCallerIsOMGCompiled):

• wasm/WasmAirIRGenerator.cpp:

(JSC::Wasm::AirIRGenerator::AirIRGenerator):
(JSC::Wasm::AirIRGenerator::emitEntryTierUpCheck):
(JSC::Wasm::AirIRGenerator::emitLoopTierUpCheck):
(JSC::Wasm::AirIRGenerator::addLoop):

• wasm/WasmB3IRGenerator.cpp:

(JSC::Wasm::B3IRGenerator::createStack):
(JSC::Wasm::B3IRGenerator::B3IRGenerator):
(JSC::Wasm::B3IRGenerator::addConstant):
(JSC::Wasm::B3IRGenerator::emitEntryTierUpCheck):
(JSC::Wasm::B3IRGenerator::emitLoopTierUpCheck):
(JSC::Wasm::B3IRGenerator::addLoop):
(JSC::Wasm::B3IRGenerator::addEndToUnreachable):
(JSC::Wasm::dumpExpressionStack):
(JSC::Wasm::B3IRGenerator::dump):
(JSC::Wasm::B3IRGenerator::Stack::Stack): Deleted.
(JSC::Wasm::B3IRGenerator::Stack::append): Deleted.
(JSC::Wasm::B3IRGenerator::Stack::takeLast): Deleted.
(JSC::Wasm::B3IRGenerator::Stack::last): Deleted.
(JSC::Wasm::B3IRGenerator::Stack::size const): Deleted.
(JSC::Wasm::B3IRGenerator::Stack::isEmpty const): Deleted.
(JSC::Wasm::B3IRGenerator::Stack::convertToExpressionList): Deleted.
(JSC::Wasm::B3IRGenerator::Stack::at const): Deleted.
(JSC::Wasm::B3IRGenerator::Stack::variableAt const): Deleted.
(JSC::Wasm::B3IRGenerator::Stack::shrink): Deleted.
(JSC::Wasm::B3IRGenerator::Stack::swap): Deleted.
(JSC::Wasm::B3IRGenerator::Stack::dump const): Deleted.

• wasm/WasmFunctionParser.h:

(JSC::Wasm::FunctionParser::controlStack):

Tools:

Add new test harness mode for tests created from wast files.

• Scripts/run-jsc-stress-tests:

Location:

trunk

Files:

• JSTests/ChangeLog (modified) (1 diff)
• JSTests/wasm.yaml (modified) (3 diffs)
• JSTests/wasm/wast-tests (added)
• JSTests/wasm/wast-tests/harness.js (added)
• JSTests/wasm/wast-tests/osr-entry-inner-loop-branch-above-no-consts.wasm (added)
• JSTests/wasm/wast-tests/osr-entry-inner-loop-branch-above-no-consts.wast (added)
• JSTests/wasm/wast-tests/osr-entry-inner-loop-branch-above.wasm (added)
• JSTests/wasm/wast-tests/osr-entry-inner-loop-branch-above.wast (added)
• JSTests/wasm/wast-tests/osr-entry-inner-loop.wasm (added)
• JSTests/wasm/wast-tests/osr-entry-inner-loop.wast (added)
• JSTests/wasm/wast-tests/osr-entry-multiple-enclosed-contexts.wasm (added)
• JSTests/wasm/wast-tests/osr-entry-multiple-enclosed-contexts.wast (added)
• Source/JavaScriptCore/ChangeLog (modified) (1 diff)
• Source/JavaScriptCore/interpreter/CallFrame.h (modified) (1 diff)
• Source/JavaScriptCore/jsc.cpp (modified) (4 diffs)
• Source/JavaScriptCore/wasm/WasmAirIRGenerator.cpp (modified) (9 diffs)
• Source/JavaScriptCore/wasm/WasmB3IRGenerator.cpp (modified) (14 diffs)
• Source/JavaScriptCore/wasm/WasmFunctionParser.h (modified) (1 diff)
• Source/JavaScriptCore/wasm/WasmOpcodeOrigin.cpp (modified) (1 diff)
• Tools/ChangeLog (modified) (1 diff)
• Tools/Scripts/run-jsc-stress-tests (modified) (2 diffs)

trunk/JSTests/ChangeLog

@@ +1 @@
+2019-09-07  Keith Miller  <keith_miller@apple.com>
+
+        OSR entry into wasm misses some contexts
+        https://bugs.webkit.org/show_bug.cgi?id=201569
+
+        Reviewed by Yusuke Suzuki.
+
+        Add a new harness and wast and the generated wasm file for
+        testing. The idea long term is to make it easy to test by creating
+        a C file and converting it to a wast then modify that to produce a
+        test.
+
+        * wasm.yaml:
+        * wasm/wast-tests/harness.js: Added.
+        (async.runWasmFile):
+        * wasm/wast-tests/osr-entry-inner-loop-branch-above-no-consts.wasm: Added.
+        * wasm/wast-tests/osr-entry-inner-loop-branch-above-no-consts.wast: Added.
+        * wasm/wast-tests/osr-entry-inner-loop-branch-above.wasm: Added.
+        * wasm/wast-tests/osr-entry-inner-loop-branch-above.wast: Added.
+        * wasm/wast-tests/osr-entry-inner-loop.wasm: Added.
+        * wasm/wast-tests/osr-entry-inner-loop.wast: Added.
+        * wasm/wast-tests/osr-entry-multiple-enclosed-contexts.wasm: Added.
+        * wasm/wast-tests/osr-entry-multiple-enclosed-contexts.wast: Added.
+
 2019-09-09  Yusuke Suzuki  <ysuzuki@apple.com>
 

trunk/JSTests/wasm.yaml

@@ -22 +22 @@
 # THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 
-- path: wasm/self-test/
-  cmd: runWebAssemblySuite unless parseRunCommands
+- path: wasm/wast-tests/
+  cmd: runWebAssemblyWithHarness
 - path: wasm/js-api/
   cmd: runWebAssemblySuite unless parseRunCommands
@@ -44 +44 @@
 - path: wasm/modules/
   cmd: runWebAssembly unless parseRunCommands
+- path: wasm/self-test/
+  cmd: runWebAssemblySuite unless parseRunCommands
 
 - path: wasm/spec-tests/address.wast.js
@@ -186 +188 @@
 - path: wasm/modules/run-from-wasm.wasm
   cmd: runWebAssembly
+

trunk/Source/JavaScriptCore/ChangeLog

@@ +1 @@
+2019-09-07  Keith Miller  <keith_miller@apple.com>
+
+        OSR entry into wasm misses some contexts
+        https://bugs.webkit.org/show_bug.cgi?id=201569
+
+        Reviewed by Yusuke Suzuki.
+
+        This patch fixes an issue where we could fail to capture some of
+        our contexts when OSR entering into wasm code. Before we would
+        only capture the state of the block immediately surrounding the
+        entrance loop block header. We actually need to capture all
+        enclosed stacks.
+
+        Additionally, we don't need to use variables for all the captured
+        values. We can use a Phi and insert an upsilon just below the
+        captured value.
+
+        * interpreter/CallFrame.h:
+        * jsc.cpp:
+        (GlobalObject::finishCreation):
+        (functionCallerIsOMGCompiled):
+        * wasm/WasmAirIRGenerator.cpp:
+        (JSC::Wasm::AirIRGenerator::AirIRGenerator):
+        (JSC::Wasm::AirIRGenerator::emitEntryTierUpCheck):
+        (JSC::Wasm::AirIRGenerator::emitLoopTierUpCheck):
+        (JSC::Wasm::AirIRGenerator::addLoop):
+        * wasm/WasmB3IRGenerator.cpp:
+        (JSC::Wasm::B3IRGenerator::createStack):
+        (JSC::Wasm::B3IRGenerator::B3IRGenerator):
+        (JSC::Wasm::B3IRGenerator::addConstant):
+        (JSC::Wasm::B3IRGenerator::emitEntryTierUpCheck):
+        (JSC::Wasm::B3IRGenerator::emitLoopTierUpCheck):
+        (JSC::Wasm::B3IRGenerator::addLoop):
+        (JSC::Wasm::B3IRGenerator::addEndToUnreachable):
+        (JSC::Wasm::dumpExpressionStack):
+        (JSC::Wasm::B3IRGenerator::dump):
+        (JSC::Wasm::B3IRGenerator::Stack::Stack): Deleted.
+        (JSC::Wasm::B3IRGenerator::Stack::append): Deleted.
+        (JSC::Wasm::B3IRGenerator::Stack::takeLast): Deleted.
+        (JSC::Wasm::B3IRGenerator::Stack::last): Deleted.
+        (JSC::Wasm::B3IRGenerator::Stack::size const): Deleted.
+        (JSC::Wasm::B3IRGenerator::Stack::isEmpty const): Deleted.
+        (JSC::Wasm::B3IRGenerator::Stack::convertToExpressionList): Deleted.
+        (JSC::Wasm::B3IRGenerator::Stack::at const): Deleted.
+        (JSC::Wasm::B3IRGenerator::Stack::variableAt const): Deleted.
+        (JSC::Wasm::B3IRGenerator::Stack::shrink): Deleted.
+        (JSC::Wasm::B3IRGenerator::Stack::swap): Deleted.
+        (JSC::Wasm::B3IRGenerator::Stack::dump const): Deleted.
+        * wasm/WasmFunctionParser.h:
+        (JSC::Wasm::FunctionParser::controlStack):
+
 2019-09-09  Yusuke Suzuki  <ysuzuki@apple.com>
 

trunk/Source/JavaScriptCore/interpreter/CallFrame.h

@@ -133 +133 @@
         JSGlobalObject* wasmAwareLexicalGlobalObject(VM&);
 
-        bool isAnyWasmCallee();
+        JS_EXPORT_PRIVATE bool isAnyWasmCallee();
 
         // Global object in which the currently executing code was defined.

trunk/Source/JavaScriptCore/jsc.cpp

@@ -28 +28 @@
 #include "ButterflyInlines.h"
 #include "BytecodeCacheError.h"
+#include "CallFrameInlines.h"
 #include "CatchScope.h"
 #include "CodeBlock.h"
@@ -321 +322 @@
 static EncodedJSValue JSC_HOST_CALL functionOptimizeNextInvocation(ExecState*);
 static EncodedJSValue JSC_HOST_CALL functionNumberOfDFGCompiles(ExecState*);
+static EncodedJSValue JSC_HOST_CALL functionCallerIsOMGCompiled(ExecState*);
 static EncodedJSValue JSC_HOST_CALL functionJSCOptions(ExecState*);
 static EncodedJSValue JSC_HOST_CALL functionReoptimizationRetryCount(ExecState*);
@@ -542 +544 @@
         addFunction(vm, "noOSRExitFuzzing", functionNoOSRExitFuzzing, 1);
         addFunction(vm, "numberOfDFGCompiles", functionNumberOfDFGCompiles, 1);
+        addFunction(vm, "callerIsOMGCompiled", functionCallerIsOMGCompiled, 0);
         addFunction(vm, "jscOptions", functionJSCOptions, 0);
         addFunction(vm, "optimizeNextInvocation", functionOptimizeNextInvocation, 1);
@@ -1728 +1731 @@
 }
 
+EncodedJSValue JSC_HOST_CALL functionCallerIsOMGCompiled(ExecState* exec)
+{
+    VM& vm = exec->vm();
+    auto scope = DECLARE_THROW_SCOPE(vm);
+
+    if (!Options::useBBQTierUpChecks())
+        return JSValue::encode(jsBoolean(true));
+
+    CallerFunctor wasmToJSFrame;
+    StackVisitor::visit(exec, &vm, wasmToJSFrame);
+    if (!wasmToJSFrame.callerFrame()->isAnyWasmCallee())
+        return throwVMError(exec, scope, "caller is not a wasm->js import function");
+
+    // We have a wrapper frame that we generate for imports. If we ever can direct call from wasm we would need to change this.
+    ASSERT(!wasmToJSFrame.callerFrame()->callee().isWasm());
+    CallerFunctor wasmFrame;
+    StackVisitor::visit(wasmToJSFrame.callerFrame(), &vm, wasmFrame);
+    ASSERT(wasmFrame.callerFrame()->callee().isWasm());
+#if ENABLE(WEBASSEMBLY)
+    auto mode = wasmFrame.callerFrame()->callee().asWasmCallee()->compilationMode();
+    return JSValue::encode(jsBoolean(mode == Wasm::CompilationMode::OMGMode || mode == Wasm::CompilationMode::OMGForOSREntryMode));
+#endif
+    RELEASE_ASSERT_NOT_REACHED();
+}
+
 Message::Message(ArrayBufferContents&& contents, int32_t index)
     : m_contents(WTFMove(contents))

trunk/Source/JavaScriptCore/wasm/WasmAirIRGenerator.cpp

@@ -592 +592 @@
     void emitThrowException(CCallHelpers&, ExceptionType);
 
-    void emitEntryTierUpCheck(int32_t incrementCount, B3::Origin);
-    void emitLoopTierUpCheck(int32_t incrementCount, const Stack&, uint32_t, uint32_t, B3::Origin);
+    void emitEntryTierUpCheck();
+    void emitLoopTierUpCheck(uint32_t loopIndex);
 
     void emitWriteBarrierForJSWrapper();
@@ -853 +853 @@
     });
 
-    emitEntryTierUpCheck(TierUpCount::functionEntryIncrement(), B3::Origin());
+    emitEntryTierUpCheck();
 }
 
@@ -1604 +1604 @@
 }
 
-void AirIRGenerator::emitEntryTierUpCheck(int32_t incrementCount, B3::Origin origin)
-{
-    UNUSED_PARAM(origin);
-
+void AirIRGenerator::emitEntryTierUpCheck()
+{
     if (!m_tierUp)
         return;
@@ -1625 +1623 @@
         AllowMacroScratchRegisterUsage allowScratch(jit);
 
-        CCallHelpers::Jump tierUp = jit.branchAdd32(CCallHelpers::PositiveOrZero, CCallHelpers::TrustedImm32(incrementCount), CCallHelpers::Address(params[0].gpr()));
+        CCallHelpers::Jump tierUp = jit.branchAdd32(CCallHelpers::PositiveOrZero, CCallHelpers::TrustedImm32(TierUpCount::functionEntryIncrement()), CCallHelpers::Address(params[0].gpr()));
         CCallHelpers::Label tierUpResume = jit.label();
 
@@ -1651 +1649 @@
 }
 
-void AirIRGenerator::emitLoopTierUpCheck(int32_t incrementCount, const Stack& expressionStack, uint32_t loopIndex, uint32_t outerLoopIndex, B3::Origin origin)
-{
-    UNUSED_PARAM(origin);
+void AirIRGenerator::emitLoopTierUpCheck(uint32_t loopIndex)
+{
+    uint32_t outerLoopIndex = this->outerLoopIndex();
+    m_outerLoops.append(loopIndex);
 
     if (!m_tierUp)
@@ -1681 +1680 @@
     patchArgs.append(countdownPtr);
 
-    Vector<B3::Type> types;
-    for (auto& local : m_locals) {
+    for (auto& local : m_locals)
         patchArgs.append(ConstrainedTmp(local, B3::ValueRep::ColdAny));
-        types.append(toB3Type(local.type()));
-    }
-    for (auto& expression : expressionStack) {
-        patchArgs.append(ConstrainedTmp(expression, B3::ValueRep::ColdAny));
-        types.append(toB3Type(expression.type()));
+    for (unsigned controlIndex = 0; controlIndex < m_parser->controlStack().size(); ++controlIndex) {
+        ExpressionList& expressionStack = m_parser->controlStack()[controlIndex].enclosedExpressionStack;
+        for (auto& value : expressionStack)
+            patchArgs.append(ConstrainedTmp(value, B3::ValueRep::ColdAny));
+
+        const auto& results = m_parser->controlStack()[controlIndex].controlData.result;
+        for (auto& value : results)
+            patchArgs.append(ConstrainedTmp(value, B3::ValueRep::ColdAny));
     }
 
@@ -1697 +1698 @@
         AllowMacroScratchRegisterUsage allowScratch(jit);
         CCallHelpers::Jump forceOSREntry = jit.branchTest8(CCallHelpers::NonZero, CCallHelpers::AbsoluteAddress(forceEntryTrigger));
-        CCallHelpers::Jump tierUp = jit.branchAdd32(CCallHelpers::PositiveOrZero, CCallHelpers::TrustedImm32(incrementCount), CCallHelpers::Address(params[0].gpr()));
+        CCallHelpers::Jump tierUp = jit.branchAdd32(CCallHelpers::PositiveOrZero, CCallHelpers::TrustedImm32(TierUpCount::loopIncrement()), CCallHelpers::Address(params[0].gpr()));
         MacroAssembler::Label tierUpResume = jit.label();
 
         OSREntryData& osrEntryData = m_tierUp->addOSREntryData(m_functionIndex, loopIndex);
-        for (unsigned index = 0; index < types.size(); ++index)
-            osrEntryData.values().constructAndAppend(params[index + 1], types[index]);
+        // First argument is the countdown location.
+        for (unsigned index = 1; index < params.value()->numChildren(); ++index)
+            osrEntryData.values().constructAndAppend(params[index], params.value()->child(index)->type());
         OSREntryData* osrEntryDataPtr = &osrEntryData;
 
@@ -1719 +1721 @@
 }
 
-AirIRGenerator::ControlData AirIRGenerator::addLoop(Type signature, const Stack& expressionStack, uint32_t loopIndex)
+AirIRGenerator::ControlData AirIRGenerator::addLoop(Type signature, const Stack&, uint32_t loopIndex)
 {
     BasicBlock* body = m_code.addBlock();
@@ -1727 +1729 @@
     m_currentBlock->setSuccessors(body);
 
-    uint32_t outerLoopIndex = this->outerLoopIndex();
-    m_outerLoops.append(loopIndex);
     m_currentBlock = body;
-    emitLoopTierUpCheck(TierUpCount::loopIncrement(), expressionStack, loopIndex, outerLoopIndex, origin());
+    emitLoopTierUpCheck(loopIndex);
 
     return ControlData(origin(), signature, tmpForType(signature), BlockType::Loop, continuation, body);

trunk/Source/JavaScriptCore/wasm/WasmB3IRGenerator.cpp

@@ -162 +162 @@
     typedef Vector<ExpressionType, 1> ExpressionList;
 
-    friend class Stack;
-    class Stack {
-    public:
-        Stack(B3IRGenerator* generator)
-            : m_generator(generator)
-        {
-        }
-
-        void append(ExpressionType expression)
-        {
-            if (m_generator->m_compilationMode == CompilationMode::OMGForOSREntryMode) {
-                Variable* variable = m_generator->m_proc.addVariable(expression->type());
-                m_generator->m_currentBlock->appendNew<VariableValue>(m_generator->m_proc, Set, m_generator->origin(), variable, expression);
-                m_stack.append(variable);
-                return;
-            }
-            m_data.append(expression);
-        }
-
-        ExpressionType takeLast()
-        {
-            if (m_generator->m_compilationMode == CompilationMode::OMGForOSREntryMode)
-                return m_generator->m_currentBlock->appendNew<VariableValue>(m_generator->m_proc, B3::Get, m_generator->origin(), m_stack.takeLast());
-            return m_data.takeLast();
-        }
-
-        ExpressionType last()
-        {
-            if (m_generator->m_compilationMode == CompilationMode::OMGForOSREntryMode)
-                return m_generator->m_currentBlock->appendNew<VariableValue>(m_generator->m_proc, B3::Get, m_generator->origin(), m_stack.last());
-            return m_data.last();
-        }
-
-        unsigned size() const
-        {
-            if (m_generator->m_compilationMode == CompilationMode::OMGForOSREntryMode)
-                return m_stack.size();
-            return m_data.size();
-        }
-        bool isEmpty() const { return size() == 0; }
-
-        ExpressionList convertToExpressionList()
-        {
-            if (m_generator->m_compilationMode == CompilationMode::OMGForOSREntryMode) {
-                ExpressionList results;
-                for (unsigned i = 0; i < m_stack.size(); ++i)
-                    results.append(at(i));
-                return results;
-            }
-            return m_data;
-        }
-
-        ExpressionType at(unsigned i) const
-        {
-            if (m_generator->m_compilationMode == CompilationMode::OMGForOSREntryMode)
-                return m_generator->m_currentBlock->appendNew<VariableValue>(m_generator->m_proc, B3::Get, m_generator->origin(), m_stack.at(i));
-            return m_data.at(i);
-        }
-
-        Variable* variableAt(unsigned i) const
-        {
-            if (m_generator->m_compilationMode == CompilationMode::OMGForOSREntryMode)
-                return m_stack.at(i);
-            return nullptr;
-        }
-
-        void shrink(unsigned i)
-        {
-            if (m_generator->m_compilationMode == CompilationMode::OMGForOSREntryMode) {
-                m_stack.shrink(i);
-                return;
-            }
-            m_data.shrink(i);
-        }
-
-        void swap(Stack& stack)
-        {
-            std::swap(m_generator, stack.m_generator);
-            m_data.swap(stack.m_data);
-            m_stack.swap(stack.m_stack);
-        }
-
-        void dump() const
-        {
-            CommaPrinter comma(", ", "");
-            dataLog(comma, "ExpressionStack:");
-            if (m_generator->m_compilationMode == CompilationMode::OMGForOSREntryMode) {
-                for (const auto& variable : m_stack)
-                    dataLog(comma, *variable);
-                return;
-            }
-            for (const auto& expression : m_data)
-                dataLog(comma, *expression);
-        }
-
-    private:
-        B3IRGenerator* m_generator { nullptr };
-        ExpressionList m_data;
-        Vector<Variable*> m_stack;
-    };
-    Stack createStack() { return Stack(this); }
+    using Stack = ExpressionList;
+    Stack createStack() { return { }; }
 
     using ControlType = ControlData;
@@ -352 +253 @@
     void emitExceptionCheck(CCallHelpers&, ExceptionType);
 
-    void emitEntryTierUpCheck(int32_t incrementCount, B3::Origin);
-    void emitLoopTierUpCheck(int32_t incrementCount, const Stack&, uint32_t, uint32_t, B3::Origin);
+    void emitEntryTierUpCheck();
+    void emitLoopTierUpCheck(uint32_t loopIndex);
 
     void emitWriteBarrierForJSWrapper();
@@ -585 +486 @@
     }
 
-    emitEntryTierUpCheck(TierUpCount::functionEntryIncrement(), Origin());
+    emitEntryTierUpCheck();
 
     if (m_compilationMode == CompilationMode::OMGForOSREntryMode)
@@ -1188 +1089 @@
 B3IRGenerator::ExpressionType B3IRGenerator::addConstant(Type type, uint64_t value)
 {
+
     return constant(toB3Type(type), value);
 }
 
-void B3IRGenerator::emitEntryTierUpCheck(int32_t incrementCount, Origin origin)
+void B3IRGenerator::emitEntryTierUpCheck()
 {
     if (!m_tierUp)
@@ -1197 +1099 @@
 
     ASSERT(m_tierUp);
-    Value* countDownLocation = constant(pointerType(), reinterpret_cast<uint64_t>(&m_tierUp->m_counter), origin);
-
-    PatchpointValue* patch = m_currentBlock->appendNew<PatchpointValue>(m_proc, B3::Void, origin);
+    Value* countDownLocation = constant(pointerType(), reinterpret_cast<uint64_t>(&m_tierUp->m_counter), Origin());
+
+    PatchpointValue* patch = m_currentBlock->appendNew<PatchpointValue>(m_proc, B3::Void, Origin());
     Effects effects = Effects::none();
     // FIXME: we should have a more precise heap range for the tier up count.
@@ -1210 +1112 @@
     patch->setGenerator([=] (CCallHelpers& jit, const StackmapGenerationParams& params) {
         AllowMacroScratchRegisterUsage allowScratch(jit);
-        CCallHelpers::Jump tierUp = jit.branchAdd32(CCallHelpers::PositiveOrZero, CCallHelpers::TrustedImm32(incrementCount), CCallHelpers::Address(params[0].gpr()));
+        CCallHelpers::Jump tierUp = jit.branchAdd32(CCallHelpers::PositiveOrZero, CCallHelpers::TrustedImm32(TierUpCount::functionEntryIncrement()), CCallHelpers::Address(params[0].gpr()));
         CCallHelpers::Label tierUpResume = jit.label();
 
@@ -1234 +1136 @@
 }
 
-void B3IRGenerator::emitLoopTierUpCheck(int32_t incrementCount, const Stack& expressionStack, uint32_t loopIndex, uint32_t outerLoopIndex, B3::Origin origin)
-{
+void B3IRGenerator::emitLoopTierUpCheck(uint32_t loopIndex)
+{
+    uint32_t outerLoopIndex = this->outerLoopIndex();
+    m_outerLoops.append(loopIndex);
+
     if (!m_tierUp)
         return;
 
-    ASSERT(m_tierUp);
-
+    Origin origin = this->origin();
     ASSERT(m_tierUp->osrEntryTriggers().size() == loopIndex);
     m_tierUp->osrEntryTriggers().append(TierUpCount::TriggerReason::DontTrigger);
@@ -1248 +1152 @@
 
     Vector<ExpressionType> stackmap;
-    Vector<B3::Type> types;
     for (auto& local : m_locals) {
         ExpressionType result = m_currentBlock->appendNew<VariableValue>(m_proc, B3::Get, origin, local);
         stackmap.append(result);
-        types.append(result->type());
-    }
-    for (unsigned i = 0; i < expressionStack.size(); ++i) {
-        ExpressionType result = expressionStack.at(i);
-        stackmap.append(result);
-        types.append(result->type());
+    }
+    for (unsigned controlIndex = 0; controlIndex < m_parser->controlStack().size(); ++controlIndex) {
+        auto& expressionStack = m_parser->controlStack()[controlIndex].enclosedExpressionStack;
+        for (Value* value : expressionStack)
+            stackmap.append(value);
     }
 
@@ -1282 +1184 @@
         AllowMacroScratchRegisterUsage allowScratch(jit);
         CCallHelpers::Jump forceOSREntry = jit.branchTest8(CCallHelpers::NonZero, CCallHelpers::AbsoluteAddress(forceEntryTrigger));
-        CCallHelpers::Jump tierUp = jit.branchAdd32(CCallHelpers::PositiveOrZero, CCallHelpers::TrustedImm32(incrementCount), CCallHelpers::Address(params[0].gpr()));
+        CCallHelpers::Jump tierUp = jit.branchAdd32(CCallHelpers::PositiveOrZero, CCallHelpers::TrustedImm32(TierUpCount::loopIncrement()), CCallHelpers::Address(params[0].gpr()));
         MacroAssembler::Label tierUpResume = jit.label();
 
         OSREntryData& osrEntryData = m_tierUp->addOSREntryData(m_functionIndex, loopIndex);
-        for (unsigned index = 0; index < types.size(); ++index)
-            osrEntryData.values().constructAndAppend(params[index + 1], types[index]);
+        // First argument is the countdown location.
+        for (unsigned i = 1; i < params.value()->numChildren(); ++i)
+            osrEntryData.values().constructAndAppend(params[i], params.value()->child(i)->type());
         OSREntryData* osrEntryDataPtr = &osrEntryData;
 
@@ -1302 +1205 @@
 }
 
-B3IRGenerator::ControlData B3IRGenerator::addLoop(Type signature, const Stack& stack, uint32_t loopIndex)
+B3IRGenerator::ControlData B3IRGenerator::addLoop(Type signature, const Stack&, uint32_t loopIndex)
 {
     BasicBlock* body = m_proc.addBlock();
@@ -1309 +1212 @@
     m_currentBlock->appendNewControlValue(m_proc, Jump, origin(), body);
     if (loopIndex == m_loopIndexForOSREntry) {
+        dataLogLnIf(WasmB3IRGeneratorInternal::verbose, "Setting up for OSR entry");
         m_currentBlock = m_rootBlock;
-        m_osrEntryScratchBufferSize = m_locals.size() + stack.size();
         Value* pointer = m_rootBlock->appendNew<ArgumentRegValue>(m_proc, Origin(), GPRInfo::argumentGPR0);
 
-        auto loadFromScratchBuffer = [&] (B3::Type type, unsigned index) {
-            size_t offset = sizeof(uint64_t) * index;
-            switch (type.kind()) {
-            case B3::Int32:
-                return m_currentBlock->appendNew<MemoryValue>(m_proc, Load, Int32, origin(), pointer, offset);
-            case B3::Int64:
-                return m_currentBlock->appendNew<MemoryValue>(m_proc, Load, B3::Int64, origin(), pointer, offset);
-            case B3::Float:
-                return m_currentBlock->appendNew<MemoryValue>(m_proc, Load, B3::Float, origin(), pointer, offset);
-            case B3::Double:
-                return m_currentBlock->appendNew<MemoryValue>(m_proc, Load, B3::Double, origin(), pointer, offset);
-            default:
-                RELEASE_ASSERT_NOT_REACHED();
-                break;
+        unsigned indexInBuffer = 0;
+        auto loadFromScratchBuffer = [&] (B3::Type type) {
+            size_t offset = sizeof(uint64_t) * indexInBuffer++;
+            RELEASE_ASSERT(type.isNumeric());
+            return m_currentBlock->appendNew<MemoryValue>(m_proc, Load, type, origin(), pointer, offset);
+        };
+
+        for (auto& local : m_locals)
+            m_currentBlock->appendNew<VariableValue>(m_proc, Set, Origin(), local, loadFromScratchBuffer(local->type()));
+
+        for (unsigned controlIndex = 0; controlIndex < m_parser->controlStack().size(); ++controlIndex) {
+            const auto& data = m_parser->controlStack()[controlIndex].controlData;
+            auto& expressionStack = m_parser->controlStack()[controlIndex].enclosedExpressionStack;
+
+            // For each stack entry enclosed by this loop we need to replace the value with a phi so we can fill it on OSR entry.
+            BasicBlock* sourceBlock = nullptr;
+            unsigned blockIndex = 0;
+            B3::InsertionSet insertionSet(m_proc);
+            for (unsigned i = 0; i < expressionStack.size(); i++) {
+                auto* value = expressionStack[i];
+                if (value->isConstant())
+                    continue;
+
+                if (value->owner != sourceBlock) {
+                    insertionSet.execute(sourceBlock);
+                    ASSERT(insertionSet.isEmpty());
+                    dataLogLnIf(WasmB3IRGeneratorInternal::verbose && sourceBlock, "Executed insertion set into: ", *sourceBlock);
+                    blockIndex = 0;
+                    sourceBlock = value->owner;
+                }
+
+                while (sourceBlock->at(blockIndex++) != value)
+                    ASSERT(blockIndex < sourceBlock->size());
+                ASSERT(sourceBlock->at(blockIndex - 1) == value);
+
+                auto* phi = data.continuation->appendNew<Value>(m_proc, Phi,  value->type(), value->origin());
+                expressionStack[i] = phi;
+                m_currentBlock->appendNew<UpsilonValue>(m_proc, value->origin(), loadFromScratchBuffer(value->type()), phi);
+
+                auto* sourceUpsilon = m_proc.add<UpsilonValue>(value->origin(), value, phi);
+                insertionSet.insertValue(blockIndex, sourceUpsilon);
             }
-        };
-
-        unsigned indexInBuffer = 0;
-        for (auto& local : m_locals)
-            m_currentBlock->appendNew<VariableValue>(m_proc, Set, Origin(), local, loadFromScratchBuffer(local->type(), indexInBuffer++));
-        for (unsigned i = 0; i < stack.size(); ++i) {
-            auto* variable = stack.variableAt(i);
-            m_currentBlock->appendNew<VariableValue>(m_proc, Set, Origin(), variable, loadFromScratchBuffer(variable->type(), indexInBuffer++));
+            insertionSet.execute(sourceBlock);
         }
+
+        m_osrEntryScratchBufferSize = indexInBuffer;
         m_currentBlock->appendNewControlValue(m_proc, Jump, origin(), body);
         body->addPredecessor(m_currentBlock);
     }
 
-    uint32_t outerLoopIndex = this->outerLoopIndex();
-    m_outerLoops.append(loopIndex);
     m_currentBlock = body;
-    emitLoopTierUpCheck(TierUpCount::loopIncrement(), stack, loopIndex, outerLoopIndex, origin());
+    emitLoopTierUpCheck(loopIndex);
 
     return ControlData(m_proc, origin(), signature, BlockType::Loop, continuation, body);
@@ -1468 +1391 @@
     // TopLevel does not have any code after this so we need to make sure we emit a return here.
     if (data.type() == BlockType::TopLevel)
-        return addReturn(entry.controlData, entry.enclosedExpressionStack.convertToExpressionList());
+        return addReturn(entry.controlData, entry.enclosedExpressionStack);
 
     return { };
@@ -1740 +1663 @@
 }
 
+static void dumpExpressionStack(const CommaPrinter& comma, const B3IRGenerator::ExpressionList& expressionStack)
+{
+    dataLog(comma, "ExpressionStack:");
+    for (const auto& expression : expressionStack)
+        dataLog(comma, *expression);
+}
+
 void B3IRGenerator::dump(const Vector<ControlEntry>& controlStack, const Stack* expressionStack)
 {
@@ -1753 +1683 @@
     for (size_t i = controlStack.size(); i--;) {
         dataLog("  ", controlStack[i].controlData, ": ");
-        expressionStack->dump();
+        CommaPrinter comma(", ", "");
+        dumpExpressionStack(comma, *expressionStack);
         expressionStack = &controlStack[i].enclosedExpressionStack;
         dataLogLn();

trunk/Source/JavaScriptCore/wasm/WasmFunctionParser.h

@@ -61 +61 @@
     size_t currentOpcodeStartingOffset() const { return m_currentOpcodeStartingOffset; }
 
+    Vector<ControlEntry>& controlStack() { return m_controlStack; }
+
 private:
     static const bool verbose = false;

trunk/Source/JavaScriptCore/wasm/WasmOpcodeOrigin.cpp

@@ -33 +33 @@
 void OpcodeOrigin::dump(PrintStream& out) const
 {
-    out.print("{opcode: ", makeString(opcode()), ", location: ", location(), "}");
+    out.print("{opcode: ", makeString(opcode()), ", location: ", RawPointer(reinterpret_cast<void*>(location())), "}");
 }
 

trunk/Tools/ChangeLog

@@ +1 @@
+2019-09-07  Keith Miller  <keith_miller@apple.com>
+
+        OSR entry into wasm misses some contexts
+        https://bugs.webkit.org/show_bug.cgi?id=201569
+
+        Reviewed by Yusuke Suzuki.
+
+        Add new test harness mode for tests created from wast files.
+
+        * Scripts/run-jsc-stress-tests:
+
 2019-09-09  Daniel Bates  <dabates@apple.com>
 

trunk/Tools/Scripts/run-jsc-stress-tests

@@ -1115 +1115 @@
 end
 
+def runHarnessTest(kind, *options)
+    wasmFiles = allWasmFiles($collection)
+    wasmFiles.each {
+        | file |
+        basename = file.basename.to_s
+        addRunCommand("(" + basename + ")-" + kind, [pathToVM.to_s] + $testSpecificRequiredOptions + options + [$benchmark.to_s, "--", basename], silentOutputHandler, simpleErrorHandler)
+    }
+end
+
+def runWebAssemblyWithHarness(*optionalTestSpecificOptions)
+    raise unless $benchmark.to_s =~ /harness\.m?js/
+    return if !$jitTests
+    return if !$isFTLPlatform
+
+    wasmFiles = allWasmFiles($collection)
+    prepareExtraRelativeFiles(wasmFiles.map { |f| f.basename }, $collection)
+
+    runHarnessTest("default-wasm", *(FTL_OPTIONS + optionalTestSpecificOptions))
+    if $mode != "quick"
+        runHarnessTest("wasm-no-cjit-yes-tls-context", "--useFastTLSForWasmContext=true", *(FTL_OPTIONS + NO_CJIT_OPTIONS + optionalTestSpecificOptions))
+        runHarnessTest("wasm-eager", *(FTL_OPTIONS + EAGER_OPTIONS + optionalTestSpecificOptions))
+        runHarnessTest("wasm-eager-jettison", "--forceCodeBlockToJettisonDueToOldAge=true", *(FTL_OPTIONS + optionalTestSpecificOptions))
+        runHarnessTest("wasm-no-call-ic", "--useCallICsForWebAssemblyToJSCalls=false", *(FTL_OPTIONS + optionalTestSpecificOptions))
+        runHarnessTest("wasm-no-tls-context", "--useFastTLSForWasmContext=false", *(FTL_OPTIONS + optionalTestSpecificOptions))
+        runHarnessTest("wasm-slow-memory", "--useWebAssemblyFastMemory=false", *(FTL_OPTIONS + optionalTestSpecificOptions))
+        runHarnessTest("wasm-no-air", "--wasmBBQUsesAir=false", *(FTL_OPTIONS + optionalTestSpecificOptions))
+        runHarnessTest("wasm-collect-continuously", "--collectContinuously=true", *(FTL_OPTIONS + optionalTestSpecificOptions)) if shouldCollectContinuously?
+    end
+end
+
 def runWebAssemblyEmscripten(mode)
     case mode
@@ -1482 +1512 @@
     $skipped = true
     puts "Skipping #{$collectionName}/#{$benchmark}"
+end
+
+def allWasmFiles(path)
+    if path.file?
+        [path]
+    else
+        result = []
+        Dir.foreach(path) {
+            | filename |
+            next unless filename =~ /\.m?wasm$/
+            next unless (path + filename).file?
+            result << path + filename
+        }
+        result
+    end
 end