Changeset 92148 in webkit


Timestamp:
Aug 1, 2011 3:32:07 PM
Author:
fpizlo@apple.com
Message:

DFG JIT sometimes creates speculation check data structures that have
invalid information about the format of a register
https://bugs.webkit.org/show_bug.cgi?id=65490

Reviewed by Gavin Barraclough.

The code now makes sure to (1) always have correct and up-to-date
information about register format at the time that a speculation
check is emitted, (2) assert that speculation data is correct
inside the speculation check implementation, and (3) avoid creating
speculation data altogether if compilation has already failed, since
at that point the format data is almost guaranteed to be bogus.

  • dfg/DFGNonSpeculativeJIT.cpp:

(JSC::DFG::EntryLocation::EntryLocation):

  • dfg/DFGSpeculativeJIT.cpp:

(JSC::DFG::SpeculationCheck::SpeculationCheck):
(JSC::DFG::SpeculativeJIT::fillSpeculateCell):
(JSC::DFG::SpeculativeJIT::compile):

  • dfg/DFGSpeculativeJIT.h:

(JSC::DFG::SpeculativeJIT::speculationCheck):

Location:
trunk/Source/JavaScriptCore
Files:
4 edited

  • trunk/Source/JavaScriptCore/ChangeLog

    r92146 r92148  
     12011-08-01  Filip Pizlo  <fpizlo@apple.com>
     2
     3        DFG JIT sometimes creates speculation check data structures that have
     4        invalid information about the format of a register
     5        https://bugs.webkit.org/show_bug.cgi?id=65490
     6
     7        Reviewed by Gavin Barraclough.
     8       
     9        The code now makes sure to (1) always have correct and up-to-date
     10        information about register format at the time that a speculation
     11        check is emitted, (2) assert that speculation data is correct
     12        inside the speculation check implementation, and (3) avoid creating
     13        speculation data altogether if compilation has already failed, since
     14        at that point the format data is almost guaranteed to be bogus.
     15
     16        * dfg/DFGNonSpeculativeJIT.cpp:
     17        (JSC::DFG::EntryLocation::EntryLocation):
     18        * dfg/DFGSpeculativeJIT.cpp:
     19        (JSC::DFG::SpeculationCheck::SpeculationCheck):
     20        (JSC::DFG::SpeculativeJIT::fillSpeculateCell):
     21        (JSC::DFG::SpeculativeJIT::compile):
     22        * dfg/DFGSpeculativeJIT.h:
     23        (JSC::DFG::SpeculativeJIT::speculationCheck):
     24
    1252011-08-01  Filip Pizlo  <fpizlo@apple.com>
    226
  • trunk/Source/JavaScriptCore/dfg/DFGNonSpeculativeJIT.cpp

    r92085 r92148  
    4444            m_gprInfo[iter.index()].nodeIndex = info.nodeIndex();
    4545            m_gprInfo[iter.index()].format = info.registerFormat();
     46            ASSERT(m_gprInfo[iter.index()].format != DataFormatNone);
    4647            m_gprInfo[iter.index()].isSpilled = info.spillFormat() != DataFormatNone;
    4748        } else
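Review bot: the ASSERT added at line 46 fires only in debug builds, so a release build that reaches the EntryLocation constructor with info.registerFormat() == DataFormatNone would still record an unusable register format silently; that is acceptable only because the change elsewhere keeps the format data current at the point these objects are built, and a one-line comment tying this assertion to that invariant would make the dependency explicit. The same three lines are duplicated in the SpeculationCheck constructor in DFGSpeculativeJIT.cpp; consider sharing the m_gprInfo population between the two constructors so the assertion cannot drift out of sync.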
  • trunk/Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp

    r92010 r92148  
    151151            m_gprInfo[iter.index()].nodeIndex = info.nodeIndex();
    152152            m_gprInfo[iter.index()].format = info.registerFormat();
     153            ASSERT(m_gprInfo[iter.index()].format != DataFormatNone);
    153154            m_gprInfo[iter.index()].isSpilled = info.spillFormat() != DataFormatNone;
    154155        } else
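Review bot: this is the same assertion as in EntryLocation, but note that this constructor runs from inside speculationCheck(), so it is only valid if every caller has already updated the value info for the register it is checking (the fillSpeculateCell hunk below is one such caller) and if speculationCheck() refuses to construct the object once m_compileOkay is false; a comment stating that ordering requirement at the constructor would help the next person who adds a speculation check.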
     
    316317        m_jit.loadPtr(JITCompiler::addressFor(virtualRegister), gpr);
    317318
     319        info.fillJSValue(gpr, DataFormatJS);
    318320        if (info.spillFormat() != DataFormatJSCell)
    319321            speculationCheck(m_jit.branchTestPtr(MacroAssembler::NonZero, gpr, GPRInfo::tagMaskRegister));
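Review bot: moving info.fillJSValue(gpr, DataFormatJS) ahead of the speculationCheck() call is the substantive fix here, because the SpeculationCheck constructor snapshots info.registerFormat() at the moment it is built; a comment stating that the fill must precede the check would stop a future refactor from swapping the two lines back. The hunk shows only the added call at line 319, so please confirm that the original fillJSValue call later in fillSpeculateCell was removed in the same change, otherwise the value info is filled twice.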
     
    685687                int32_t imm2 = valueOfInt32Constant(node.child2());
    686688                GPRTemporary result(this);
    687 
     689               
    688690                speculationCheck(m_jit.branchAdd32(MacroAssembler::Overflow, op1.gpr(), Imm32(imm2), result.gpr()));
    689691
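Review bot: this hunk is whitespace-only, replacing an empty line 687 with a line 689 that consists of trailing spaces; drop the trailing whitespace (or the hunk entirely) to keep the change focused and to avoid tripping the style checker.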
     
    904906        GPRReg propertyReg = property.gpr();
    905907        GPRReg storageReg = storage.gpr();
     908       
     909        if (!m_compileOkay)
     910            return;
    906911
    907912        // Get the array storage. We haven't yet checked this is a JSArray, so this is only safe if
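Review bot: the early return at lines 909-910 sits before the storage load and before the speculation checks that follow, so once compilation has failed no further SpeculationCheck objects are built with stale register formats for this node. Since speculationCheck() in DFGSpeculativeJIT.h now performs the same m_compileOkay test, this guard is belt-and-braces; a short comment saying that it also skips the remaining code generation for the node would make the intent clear.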
     
    941946        if (!m_compileOkay)
    942947            return;
    943 
     948       
    944949        writeBarrier(m_jit, baseReg, scratchReg);
    945950
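Review bot: as with the earlier hunk at line 687, this change is whitespace-only and replaces an empty line 943 with a line 948 of trailing spaces; please drop the trailing whitespace.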
  • trunk/Source/JavaScriptCore/dfg/DFGSpeculativeJIT.h

    r91894 r92148  
    187187    void speculationCheck(MacroAssembler::Jump jumpToFail)
    188188    {
     189        if (!m_compileOkay)
     190            return;
    189191        m_speculationChecks.append(SpeculationCheck(jumpToFail, this));
    190192    }
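Review bot: the guard at lines 189-190 is the central change; with m_compileOkay false the register allocator state is no longer trustworthy, so refusing to construct a SpeculationCheck (whose constructor now asserts a valid format) keeps the assertion from firing on bogus data. A brief comment that the dropped jumpToFail is safe to discard because a failed compilation is never used would help readers who see the silent return.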
     
    192194    void speculationCheck(MacroAssembler::Jump jumpToFail, const SpeculationRecovery& recovery)
    193195    {
     196        if (!m_compileOkay)
     197            return;
    194198        m_speculationRecoveryList.append(recovery);
    195199        m_speculationChecks.append(SpeculationCheck(jumpToFail, this, m_speculationRecoveryList.size()));
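Review bot: in this overload both the recovery append (line 198) and the check append (line 199) are skipped together, which keeps the index passed as m_speculationRecoveryList.size() consistent with the list contents; that is correct but worth a comment, since a guard placed between the two appends would silently desynchronize them. The test duplicates the one in the single-argument overload; if both overloads route through one implementation the m_compileOkay check need only be written once.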