Changeset 90502 in webkit

Timestamp:

Jul 6, 2011 2:40:11 PM (13 years ago)

Author:

commit-queue@webkit.org

Message:

2011-07-06 Filip Pizlo <​fpizlo@apple.com>

DFG JIT op_call implementation will flush registers even when those registers are dead
​https://bugs.webkit.org/show_bug.cgi?id=64023

Reviewed by Gavin Barraclough.

• dfg/DFGJITCodeGenerator.cpp: (JSC::DFG::JITCodeGenerator::emitCall):
• dfg/DFGJITCodeGenerator.h: (JSC::DFG::JITCodeGenerator::integerResult): (JSC::DFG::JITCodeGenerator::noResult): (JSC::DFG::JITCodeGenerator::cellResult): (JSC::DFG::JITCodeGenerator::jsValueResult): (JSC::DFG::JITCodeGenerator::doubleResult):
• dfg/DFGNonSpeculativeJIT.cpp: (JSC::DFG::NonSpeculativeJIT::compile):
• dfg/DFGSpeculativeJIT.cpp: (JSC::DFG::SpeculativeJIT::compile):

Location:

trunk/Source/JavaScriptCore

Files:

• ChangeLog (modified) (1 diff)
• dfg/DFGJITCodeGenerator.cpp (modified) (5 diffs)
• dfg/DFGJITCodeGenerator.h (modified) (7 diffs)
• dfg/DFGNonSpeculativeJIT.cpp (modified) (1 diff)
• dfg/DFGSpeculativeJIT.cpp (modified) (1 diff)

trunk/Source/JavaScriptCore/ChangeLog

@@ +1 @@
+2011-07-06  Filip Pizlo  <fpizlo@apple.com>
+
+        DFG JIT op_call implementation will flush registers even when those registers are dead
+        https://bugs.webkit.org/show_bug.cgi?id=64023
+
+        Reviewed by Gavin Barraclough.
+
+        * dfg/DFGJITCodeGenerator.cpp:
+        (JSC::DFG::JITCodeGenerator::emitCall):
+        * dfg/DFGJITCodeGenerator.h:
+        (JSC::DFG::JITCodeGenerator::integerResult):
+        (JSC::DFG::JITCodeGenerator::noResult):
+        (JSC::DFG::JITCodeGenerator::cellResult):
+        (JSC::DFG::JITCodeGenerator::jsValueResult):
+        (JSC::DFG::JITCodeGenerator::doubleResult):
+        * dfg/DFGNonSpeculativeJIT.cpp:
+        (JSC::DFG::NonSpeculativeJIT::compile):
+        * dfg/DFGSpeculativeJIT.cpp:
+        (JSC::DFG::SpeculativeJIT::compile):
+
 2011-07-06  Filip Pizlo  <fpizlo@apple.com>
 

trunk/Source/JavaScriptCore/dfg/DFGJITCodeGenerator.cpp

@@ -431 +431 @@
 }
 
-void JITCodeGenerator::emitCall(Node& node, GPRReg targetGPR)
-{
+void JITCodeGenerator::emitCall(Node& node)
+{
+    NodeIndex calleeNodeIndex = m_jit.graph().m_varArgChildren[node.firstChild()];
+    JSValueOperand callee(this, calleeNodeIndex);
+    GPRReg calleeGPR = callee.gpr();
+    use(calleeNodeIndex);
+    
     // the call instruction's first child is either the function (normal call) or the
     // receiver (method call). subsequent children are the arguments.
@@ -451 +456 @@
     
     for (int argIdx = 0; argIdx < numArgs; argIdx++) {
-        JSValueOperand arg(this, m_jit.graph().m_varArgChildren[node.firstChild() + 1 + argIdx]);
+        NodeIndex argNodeIndex = m_jit.graph().m_varArgChildren[node.firstChild() + 1 + argIdx];
+        JSValueOperand arg(this, argNodeIndex);
         GPRReg argGPR = arg.gpr();
+        use(argNodeIndex);
         
         m_jit.storePtr(argGPR, addressOfCallData(-callDataSize + argIdx));
@@ -459 +466 @@
     switch (node.op) {
     case Call:
-        m_jit.storePtr(targetGPR, addressOfCallData(RegisterFile::Callee));
+        m_jit.storePtr(calleeGPR, addressOfCallData(RegisterFile::Callee));
         break;
         
@@ -476 +483 @@
     switch (node.op) {
     case Call:
-        slowPath = m_jit.branchPtrWithPatch(MacroAssembler::NotEqual, targetGPR, targetToCheck, MacroAssembler::TrustedImmPtr(JSValue::encode(JSValue())));
-        m_jit.loadPtr(MacroAssembler::Address(targetGPR, OBJECT_OFFSETOF(JSFunction, m_scopeChain)), resultGPR);
+        slowPath = m_jit.branchPtrWithPatch(MacroAssembler::NotEqual, calleeGPR, targetToCheck, MacroAssembler::TrustedImmPtr(JSValue::encode(JSValue())));
+        m_jit.loadPtr(MacroAssembler::Address(calleeGPR, OBJECT_OFFSETOF(JSFunction, m_scopeChain)), resultGPR);
         m_jit.storePtr(resultGPR, addressOfCallData(RegisterFile::ScopeChain));
         break;
@@ -504 +511 @@
     m_jit.move(GPRInfo::returnValueGPR, resultGPR);
     
-    jsValueResult(resultGPR, m_compileIndex);
+    jsValueResult(resultGPR, m_compileIndex, DataFormatJS, UseChildrenCalledExplicitly);
     
     m_jit.addJSCall(fastCall, slowCall, targetToCheck, true, m_jit.graph()[m_compileIndex].exceptionInfo);

trunk/Source/JavaScriptCore/dfg/DFGJITCodeGenerator.h

@@ -65 +65 @@
         SpillOrderDouble = 6,   // needs spill and convert
     };
+    
+    enum UseChildrenMode { CallUseChildren, UseChildrenCalledExplicitly };
 
 
@@ -529 +531 @@
     }
     
-    void emitCall(Node&, GPRReg targetGPR);
+    void emitCall(Node&);
 
     // Called once a node has completed code generation but prior to setting
@@ -539 +541 @@
     // These method called to initialize the the GenerationInfo
     // to describe the result of an operation.
-    void integerResult(GPRReg reg, NodeIndex nodeIndex, DataFormat format = DataFormatInteger)
+    void integerResult(GPRReg reg, NodeIndex nodeIndex, DataFormat format = DataFormatInteger, UseChildrenMode mode = CallUseChildren)
     {
         Node& node = m_jit.graph()[nodeIndex];
-        useChildren(node);
+        if (mode == CallUseChildren)
+            useChildren(node);
 
         VirtualRegister virtualRegister = node.virtualRegister();
@@ -558 +561 @@
         }
     }
-    void noResult(NodeIndex nodeIndex)
-    {
+    void noResult(NodeIndex nodeIndex, UseChildrenMode mode = CallUseChildren)
+    {
+        if (mode == UseChildrenCalledExplicitly)
+            return;
         Node& node = m_jit.graph()[nodeIndex];
         useChildren(node);
     }
-    void cellResult(GPRReg reg, NodeIndex nodeIndex)
+    void cellResult(GPRReg reg, NodeIndex nodeIndex, UseChildrenMode mode = CallUseChildren)
     {
         Node& node = m_jit.graph()[nodeIndex];
-        useChildren(node);
+        if (mode == CallUseChildren)
+            useChildren(node);
 
         VirtualRegister virtualRegister = node.virtualRegister();
@@ -573 +579 @@
         info.initCell(nodeIndex, node.refCount(), reg);
     }
-    void jsValueResult(GPRReg reg, NodeIndex nodeIndex, DataFormat format = DataFormatJS)
+    void jsValueResult(GPRReg reg, NodeIndex nodeIndex, DataFormat format = DataFormatJS, UseChildrenMode mode = CallUseChildren)
     {
         if (format == DataFormatJSInteger)
@@ -579 +585 @@
         
         Node& node = m_jit.graph()[nodeIndex];
-        useChildren(node);
+        if (mode == CallUseChildren)
+            useChildren(node);
 
         VirtualRegister virtualRegister = node.virtualRegister();
@@ -586 +593 @@
         info.initJSValue(nodeIndex, node.refCount(), reg, format);
     }
-    void doubleResult(FPRReg reg, NodeIndex nodeIndex)
+    void doubleResult(FPRReg reg, NodeIndex nodeIndex, UseChildrenMode mode = CallUseChildren)
     {
         Node& node = m_jit.graph()[nodeIndex];
-        useChildren(node);
+        if (mode == CallUseChildren)
+            useChildren(node);
 
         VirtualRegister virtualRegister = node.virtualRegister();

trunk/Source/JavaScriptCore/dfg/DFGNonSpeculativeJIT.cpp

@@ -1055 +1055 @@
         
     case Call:
-        JSValueOperand callee(this, m_jit.graph().m_varArgChildren[node.firstChild()]);
-        GPRReg calleeGPR = callee.gpr();
-        emitCall(node, calleeGPR);
+        emitCall(node);
         break;
     }

trunk/Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp

@@ -1134 +1134 @@
         
     case Call:
-        JSValueOperand callee(this, m_jit.graph().m_varArgChildren[node.firstChild()]);
-        GPRReg calleeGPR = callee.gpr();
-        emitCall(node, calleeGPR);
+        emitCall(node);
         break;
     }