Changeset 209725 in webkit for trunk/Source/JavaScriptCore/dfg/DFGOSREntrypointCreationPhase.cpp

Timestamp:

Dec 12, 2016, 1:46:45 PM (9 years ago)

Author:

[email protected]

Message:

REGRESSION(r209653): speedometer crashes making virtual slow path tailcalls
​https://bugs.webkit.org/show_bug.cgi?id=165748

Reviewed by Filip Pizlo.

JSTests:

New regression test.

• stress/regress-165748.js: Added.

(sum1):
(sum2):
(sum3):
(sum4):
(sum5):
(sum6):
(tailCaller):
(test):

Source/JavaScriptCore:

The virtual slow path for tailcalls always passes arguments on the stack.
The fix here is to link to the stack argument entrypoint instead of a register
argument entrypoint.

While fixing this bug, I found that we weren't clearing the code origin when
shuffling the call frame for a register argument tailcall.

Also rolling back in r209653, r209654, r209663, and r209673.

• jit/CallFrameShuffler.cpp:

(JSC::CallFrameShuffler::prepareAny):

• jit/ThunkGenerators.cpp:

(JSC::virtualThunkFor):

Source/WTF:

Rolling back in r209653, r209654, r209663, and r209673.

• wtf/Platform.h:

File:

• trunk/Source/JavaScriptCore/dfg/DFGOSREntrypointCreationPhase.cpp (modified) (1 diff)

trunk/Source/JavaScriptCore/dfg/DFGOSREntrypointCreationPhase.cpp

@@ -113 +113 @@
         origin = target->at(0)->origin;
         
-        for (int argument = 0; argument < baseline->numParameters(); ++argument) {
+        for (unsigned argument = 0; argument < static_cast<unsigned>(baseline->numParameters()); ++argument) {
             Node* oldNode = target->variablesAtHead.argument(argument);
             if (!oldNode) {
-                // Just for sanity, always have a SetArgument even if it's not needed.
-                oldNode = m_graph.m_arguments[argument];
+                // Just for sanity, always have an argument node even if it's not needed.
+                oldNode = m_graph.m_argumentsForChecking[argument];
             }
-            Node* node = newRoot->appendNode(
-                m_graph, SpecNone, SetArgument, origin,
-                OpInfo(oldNode->variableAccessData()));
-            m_graph.m_arguments[argument] = node;
+            Node* node;
+            Node* stackNode;
+            if (argument < NUMBER_OF_JS_FUNCTION_ARGUMENT_REGISTERS) {
+                node = newRoot->appendNode(
+                    m_graph, SpecNone, GetArgumentRegister, origin,
+                    OpInfo(oldNode->variableAccessData()),
+                    OpInfo(argumentRegisterIndexForJSFunctionArgument(argument)));
+                stackNode = newRoot->appendNode(
+                    m_graph, SpecNone, SetLocal, origin,
+                    OpInfo(oldNode->variableAccessData()),
+                    Edge(node));
+            } else {
+                node = newRoot->appendNode(
+                    m_graph, SpecNone, SetArgument, origin,
+                    OpInfo(oldNode->variableAccessData()));
+                stackNode = node;
+            }
+
+            m_graph.m_argumentsForChecking[argument] = node;
+            m_graph.m_argumentsOnStack[argument] = stackNode;
         }