Timestamp:
Jan 2, 2013, 3:54:42 PM (12 years ago)
Author:
[email protected]
Message:

DFG inlining machinery should be robust against the inline callee varying while the executable stays the same
https://bugs.webkit.org/show_bug.cgi?id=105953

Reviewed by Mark Hahnenberg.

This institutes the policy that if InlineCallFrame::callee is null, then the callee and scope have already
been stored into the true call frame (i.e. the place where the call frame of the inlined call would have
been) and so any attempt to access the callee or scope should do a load instead of assuming that the value
is constant. This wires the changes through the bytecode parser, the stack scanning logic, and the compiler
optimization phases and backends.

  • bytecode/CodeOrigin.cpp:

(JSC::InlineCallFrame::dump):

  • bytecode/CodeOrigin.h:

(CodeOrigin):
(InlineCallFrame):
(JSC::InlineCallFrame::isClosureCall):
(JSC::CodeOrigin::stackOffset):
(JSC):

  • dfg/DFGAssemblyHelpers.h:
  • dfg/DFGByteCodeParser.cpp:

(JSC::DFG::ByteCodeParser::get):
(InlineStackEntry):
(JSC::DFG::ByteCodeParser::getScope):
(JSC::DFG::ByteCodeParser::InlineStackEntry::InlineStackEntry):

  • dfg/DFGCSEPhase.cpp:

(CSEPhase):
(JSC::DFG::CSEPhase::genericPureCSE):
(JSC::DFG::CSEPhase::pureCSE):
(JSC::DFG::CSEPhase::pureCSERequiringSameInlineCallFrame):
(JSC::DFG::CSEPhase::getMyScopeLoadElimination):
(JSC::DFG::CSEPhase::performNodeCSE):

  • dfg/DFGOSRExitCompiler32_64.cpp:

(JSC::DFG::OSRExitCompiler::compileExit):

  • dfg/DFGOSRExitCompiler64.cpp:

(JSC::DFG::OSRExitCompiler::compileExit):

  • dfg/DFGSpeculativeJIT32_64.cpp:

(JSC::DFG::SpeculativeJIT::compile):

  • dfg/DFGSpeculativeJIT64.cpp:

(JSC::DFG::SpeculativeJIT::compile):

  • interpreter/CallFrame.cpp:

(JSC::CallFrame::trueCallFrame):

File:
1 edited

  • trunk/Source/JavaScriptCore/bytecode/CodeOrigin.h

    r136601 r138669  
    11/*
    2  * Copyright (C) 2011, 2012 Apple Inc. All rights reserved.
     2 * Copyright (C) 2011, 2012, 2013 Apple Inc. All rights reserved.
    33 *
    44 * Redistribution and use in source and binary forms, with or without
     
    8484    ExecutableBase* codeOriginOwner() const;
    8585   
     86    unsigned stackOffset() const;
     87   
    8688    static unsigned inlineDepthForCallFrame(InlineCallFrame*);
    8789   
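Review bot: the new `unsigned stackOffset() const;` declaration says nothing about what it returns when the CodeOrigin has no inlineCallFrame (the inline definition later in this file returns 0 in that case). A one-line comment here, e.g. `// 0 when this origin is not inlined.`, would match the way `callee` and `capturedVars` are annotated in this header and spare readers a trip to the definition.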
     
    99101    Vector<ValueRecovery> arguments;
    100102    WriteBarrier<ExecutableBase> executable;
    101     WriteBarrier<JSFunction> callee;
     103    WriteBarrier<JSFunction> callee; // This may be null, indicating that this is a closure call and that the JSFunction and JSScope are already on the stack.
    102104    CodeOrigin caller;
    103105    BitVector capturedVars; // Indexed by the machine call frame's variable numbering.
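Review bot: turning `callee` from always-present into possibly-null silently invalidates every existing `callee.get()` / `callee->` use that assumed a constant JSFunction; the ChangeLog lists CSEPhase, both SpeculativeJIT backends and both OSRExitCompilers as updated, but nothing in the header forces a check at the use site. Consider extending the comment to name the intended test, e.g. `// ... callers must check isClosureCall() before dereferencing.`, so new code does not reintroduce an unconditional dereference.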
     
    106108   
    107109    CodeSpecializationKind specializationKind() const { return specializationFromIsCall(isCall); }
     110   
     111    bool isClosureCall() const { return !callee; }
    108112   
    109113    CodeBlockHash hash() const;
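Review bot: `isClosureCall()` is defined purely as `!callee`, so the predicate is derived from a null pointer rather than an explicit flag, and its meaning for the scope is only documented on the `callee` member above. Since this is the name readers of the CSE and scope-load code will search for, a short comment on the accessor stating that both the JSFunction and the JSScope must then be loaded from the true call frame (as the ChangeLog describes) would make the contract self-contained.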
     
    118122    unsigned callReturnOffset;
    119123};
     124
     125inline unsigned CodeOrigin::stackOffset() const
     126{
     127    if (!inlineCallFrame)
     128        return 0;
     129   
     130    return inlineCallFrame->stackOffset;
     131}
    120132
    121133inline bool CodeOrigin::operator==(const CodeOrigin& other) const
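Review bot: `CodeOrigin::stackOffset()` returns 0 for a non-inlined origin, so callers cannot tell "not inlined" from "inlined at offset 0" from the return value alone. If `InlineCallFrame::stackOffset` can never be 0 for a real inlined frame, an `ASSERT(inlineCallFrame->stackOffset);` before the final return would document that invariant; otherwise callers should keep testing `inlineCallFrame` directly rather than the returned offset. A brief comment that this definition sits after the InlineCallFrame class because it dereferences `inlineCallFrame` would also explain why it is separated from the other CodeOrigin inlines.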