Changeset 96458 in webkit

Timestamp:

Oct 1, 2011 12:21:44 PM (13 years ago)

Author:

commit-queue@webkit.org

Message:

JSVALUE32_64 DFG JIT - unboxed integers and cells in register file must be reboxed before exiting from DFG JIT
​https://bugs.webkit.org/show_bug.cgi?id=69205

Patch by Yuqiang Xian <​yuqiang.xian@intel.com> on 2011-10-01
Reviewed by Gavin Barraclough.

If there are unboxed integers and cells in register file (e.g. by SetLocal),
they must be reboxed before exiting from the speculative DFG JIT execution.
This patch also adds a new ValueSourceKind (CellInRegisterFile) and a new
ValueRecoveryTechnique (AlreadyInRegisterFileAsCell).

• dfg/DFGJITCompiler32_64.cpp:

(JSC::DFG::JITCompiler::exitSpeculativeWithOSR):

• dfg/DFGSpeculativeJIT.cpp:

(JSC::DFG::ValueSource::dump):
(JSC::DFG::ValueRecovery::dump):
(JSC::DFG::SpeculativeJIT::computeValueRecoveryFor):

• dfg/DFGSpeculativeJIT.h:

(JSC::DFG::ValueSource::forPrediction):
(JSC::DFG::ValueRecovery::alreadyInRegisterFileAsUnboxedCell):

Location:

trunk/Source/JavaScriptCore

Files:

• ChangeLog (modified) (1 diff)
• dfg/DFGJITCompiler32_64.cpp (modified) (3 diffs)
• dfg/DFGSpeculativeJIT.cpp (modified) (3 diffs)
• dfg/DFGSpeculativeJIT.h (modified) (4 diffs)

trunk/Source/JavaScriptCore/ChangeLog

@@ +1 @@
+2011-10-01  Yuqiang Xian  <yuqiang.xian@intel.com>
+
+        JSVALUE32_64 DFG JIT - unboxed integers and cells in register file must be reboxed before exiting from DFG JIT
+        https://bugs.webkit.org/show_bug.cgi?id=69205
+
+        Reviewed by Gavin Barraclough.
+
+        If there are unboxed integers and cells in register file (e.g. by SetLocal), 
+        they must be reboxed before exiting from the speculative DFG JIT execution.
+        This patch also adds a new ValueSourceKind (CellInRegisterFile) and a new
+        ValueRecoveryTechnique (AlreadyInRegisterFileAsCell).
+
+        * dfg/DFGJITCompiler32_64.cpp:
+        (JSC::DFG::JITCompiler::exitSpeculativeWithOSR):
+        * dfg/DFGSpeculativeJIT.cpp:
+        (JSC::DFG::ValueSource::dump):
+        (JSC::DFG::ValueRecovery::dump):
+        (JSC::DFG::SpeculativeJIT::computeValueRecoveryFor):
+        * dfg/DFGSpeculativeJIT.h:
+        (JSC::DFG::ValueSource::forPrediction):
+        (JSC::DFG::ValueRecovery::alreadyInRegisterFileAsUnboxedCell):
+
 2011-10-01  Sheriff Bot  <webkit.review.bot@gmail.com>
 

trunk/Source/JavaScriptCore/dfg/DFGJITCompiler32_64.cpp

@@ -147 +147 @@
     // expect most of them to be jsUndefined(); if that's true then we handle that
     // specially to minimize code size and execution time.
-    bool haveUnboxedInt32s = false;
+    bool haveUnboxedInt32InRegisterFile = false;
+    bool haveUnboxedCellInRegisterFile = false;
     bool haveFPRs = false;
     bool haveConstants = false;
@@ -183 +184 @@
             break;
             
-        case UnboxedInt32InGPR:
-            haveUnboxedInt32s = true;
+        case AlreadyInRegisterFileAsUnboxedInt32:
+            haveUnboxedInt32InRegisterFile = true;
+            break;
+            
+        case AlreadyInRegisterFileAsUnboxedCell:
+            haveUnboxedCellInRegisterFile = true;
             break;
             
@@ -207 +212 @@
     // between when something is computed and when it is stored.
     
-    // 4) Perform all reboxing of integers.
-    //    Currently we don't rebox for JSValue32_64.
-    
+    // 4) Perform all reboxing of integers and cells, except for those in registers.
+
+    if (haveUnboxedInt32InRegisterFile || haveUnboxedCellInRegisterFile) {
+        for (int index = 0; index < exit.numberOfRecoveries(); ++index) {
+            const ValueRecovery& recovery = exit.valueRecovery(index);
+            switch (recovery.technique()) {
+            case AlreadyInRegisterFileAsUnboxedInt32:
+                store32(TrustedImm32(JSValue::Int32Tag), tagFor(static_cast<VirtualRegister>(exit.operandForIndex(index))));
+                break;
+
+            case AlreadyInRegisterFileAsUnboxedCell:
+                store32(TrustedImm32(JSValue::CellTag), tagFor(static_cast<VirtualRegister>(exit.operandForIndex(index))));
+                break;
+
+            default:
+                break;
+            }
+        }
+    }
+
     // 5) Dump all non-poisoned GPRs. For poisoned GPRs, save them into the scratch storage.
     //    Note that GPRs do not have a fast change (like haveFPRs) because we expect that

trunk/Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp

@@ -45 +45 @@
         fprintf(out, "Int32");
         break;
+    case CellInRegisterFile:
+        fprintf(out, "Cell");
+        break;
     case HaveNode:
         fprintf(out, "Node(%d)", m_nodeIndex);
@@ -59 +62 @@
     case AlreadyInRegisterFileAsUnboxedInt32:
         fprintf(out, "(int32)");
+        break;
+    case AlreadyInRegisterFileAsUnboxedCell:
+        fprintf(out, "(cell)");
         break;
     case InGPR:
@@ -399 +405 @@
     case Int32InRegisterFile:
         return ValueRecovery::alreadyInRegisterFileAsUnboxedInt32();
+
+    case CellInRegisterFile:
+        return ValueRecovery::alreadyInRegisterFileAsUnboxedCell();
 
     case HaveNode: {

trunk/Source/JavaScriptCore/dfg/DFGSpeculativeJIT.h

@@ -71 +71 @@
     ValueInRegisterFile,
     Int32InRegisterFile,
+    CellInRegisterFile,
     HaveNode
 };
@@ -98 +99 @@
         if (isInt32Prediction(prediction))
             return ValueSource(Int32InRegisterFile);
+        if (isCellPrediction(prediction))
+            return ValueSource(CellInRegisterFile);
         return ValueSource(ValueInRegisterFile);
     }
@@ -146 +149 @@
     // It's already in the register file but unboxed.
     AlreadyInRegisterFileAsUnboxedInt32,
+    AlreadyInRegisterFileAsUnboxedCell,
     // It's in a register.
     InGPR,
@@ -179 +183 @@
         ValueRecovery result;
         result.m_technique = AlreadyInRegisterFileAsUnboxedInt32;
+        return result;
+    }
+    
+    static ValueRecovery alreadyInRegisterFileAsUnboxedCell()
+    {
+        ValueRecovery result;
+        result.m_technique = AlreadyInRegisterFileAsUnboxedCell;
         return result;
     }