Changeset 209725 in webkit for trunk/Source/JavaScriptCore/jit/JITCall.cpp

Timestamp:

Dec 12, 2016, 1:46:45 PM (9 years ago)

Author:

[email protected]

Message:

REGRESSION(r209653): speedometer crashes making virtual slow path tailcalls
​https://bugs.webkit.org/show_bug.cgi?id=165748

Reviewed by Filip Pizlo.

JSTests:

New regression test.

• stress/regress-165748.js: Added.

(sum1):
(sum2):
(sum3):
(sum4):
(sum5):
(sum6):
(tailCaller):
(test):

Source/JavaScriptCore:

The virtual slow path for tailcalls always passes arguments on the stack.
The fix here is to link to the stack argument entrypoint instead of a register
argument entrypoint.

While fixing this bug, I found that we weren't clearing the code origin when
shuffling the call frame for a register argument tailcall.

Also rolling back in r209653, r209654, r209663, and r209673.

• jit/CallFrameShuffler.cpp:

(JSC::CallFrameShuffler::prepareAny):

• jit/ThunkGenerators.cpp:

(JSC::virtualThunkFor):

Source/WTF:

Rolling back in r209653, r209654, r209663, and r209673.

• wtf/Platform.h:

File:

• trunk/Source/JavaScriptCore/jit/JITCall.cpp (modified) (11 diffs)

trunk/Source/JavaScriptCore/jit/JITCall.cpp

@@ -92 +92 @@
 
     addPtr(TrustedImm32(sizeof(CallerFrameAndPC)), regT1, stackPointerRegister);
+    incrementCounter(this, VM::BaselineCaller);
+    incrementCounter(this, VM::CallVarargs);
 }
 
@@ -99 +101 @@
     storePtr(callFrameRegister, Address(regT1, CallFrame::callerFrameOffset()));
 
+    incrementCounter(this, VM::BaselineCaller);
+    incrementCounter(this, VM::CallEval);
+
     addPtr(TrustedImm32(stackPointerOffsetFor(m_codeBlock) * sizeof(Register)), callFrameRegister, stackPointerRegister);
     checkStackPointerAlignment();
@@ -114 +119 @@
 {
     CallLinkInfo* info = m_codeBlock->addCallLinkInfo();
-    info->setUpCall(CallLinkInfo::Call, CodeOrigin(m_bytecodeOffset), regT0);
+    info->setUpCall(CallLinkInfo::Call, StackArgs, CodeOrigin(m_bytecodeOffset), regT0);
 
     linkSlowCase(iter);
@@ -155 +160 @@
 
     CallLinkInfo* info = nullptr;
+    ArgumentsLocation argumentsLocation = StackArgs;
+
     if (opcodeID != op_call_eval)
         info = m_codeBlock->addCallLinkInfo();
@@ -160 +167 @@
         compileSetupVarargsFrame(opcodeID, instruction, info);
     else {
-        int argCount = instruction[3].u.operand;
+        unsigned argCount = instruction[3].u.unsignedValue;
         int registerOffset = -instruction[4].u.operand;
 
@@ -172 +179 @@
     
         addPtr(TrustedImm32(registerOffset * sizeof(Register) + sizeof(CallerFrameAndPC)), callFrameRegister, stackPointerRegister);
+        if (argumentsLocation != StackArgs) {
+            move(TrustedImm32(argCount), argumentRegisterForArgumentCount());
+            unsigned registerArgs = std::min(argCount, NUMBER_OF_JS_FUNCTION_ARGUMENT_REGISTERS);
+            for (unsigned arg = 0; arg < registerArgs; arg++)
+                load64(Address(stackPointerRegister, (CallFrameSlot::thisArgument + arg) * static_cast<int>(sizeof(Register)) - sizeof(CallerFrameAndPC)), argumentRegisterForFunctionArgument(arg));
+        }
         store32(TrustedImm32(argCount), Address(stackPointerRegister, CallFrameSlot::argumentCount * static_cast<int>(sizeof(Register)) + PayloadOffset - sizeof(CallerFrameAndPC)));
     } // SP holds newCallFrame + sizeof(CallerFrameAndPC), with ArgumentCount initialized.
+
+    incrementCounter(this, VM::BaselineCaller);
     
     uint32_t bytecodeOffset = instruction - m_codeBlock->instructions().begin();
@@ -179 +194 @@
     store32(TrustedImm32(locationBits), Address(callFrameRegister, CallFrameSlot::argumentCount * static_cast<int>(sizeof(Register)) + TagOffset));
 
-    emitGetVirtualRegister(callee, regT0); // regT0 holds callee.
-    store64(regT0, Address(stackPointerRegister, CallFrameSlot::callee * static_cast<int>(sizeof(Register)) - sizeof(CallerFrameAndPC)));
+    GPRReg calleeRegister = argumentRegisterForCallee();
+
+    emitGetVirtualRegister(callee, calleeRegister);
+    store64(calleeRegister, Address(stackPointerRegister, CallFrameSlot::callee * static_cast<int>(sizeof(Register)) - sizeof(CallerFrameAndPC)));
 
     if (opcodeID == op_call_eval) {
@@ -188 +205 @@
 
     DataLabelPtr addressOfLinkedFunctionCheck;
-    Jump slowCase = branchPtrWithPatch(NotEqual, regT0, addressOfLinkedFunctionCheck, TrustedImmPtr(0));
+    Jump slowCase = branchPtrWithPatch(NotEqual, calleeRegister, addressOfLinkedFunctionCheck, TrustedImmPtr(0));
     addSlowCase(slowCase);
 
     ASSERT(m_callCompilationInfo.size() == callLinkInfoIndex);
-    info->setUpCall(CallLinkInfo::callTypeFor(opcodeID), CodeOrigin(m_bytecodeOffset), regT0);
+    info->setUpCall(CallLinkInfo::callTypeFor(opcodeID), argumentsLocation, CodeOrigin(m_bytecodeOffset), calleeRegister);
     m_callCompilationInfo.append(CallCompilationInfo());
     m_callCompilationInfo[callLinkInfoIndex].hotPathBegin = addressOfLinkedFunctionCheck;
@@ -198 +215 @@
 
     if (opcodeID == op_tail_call) {
+        incrementCounter(this, VM::TailCall);
+
         CallFrameShuffleData shuffleData;
         shuffleData.tagTypeNumber = GPRInfo::tagTypeNumberRegister;
@@ -210 +229 @@
         }
         shuffleData.callee =
-            ValueRecovery::inGPR(regT0, DataFormatJS);
+            ValueRecovery::inGPR(calleeRegister, DataFormatJS);
         shuffleData.setupCalleeSaveRegisters(m_codeBlock);
         info->setFrameShuffleData(shuffleData);
@@ -247 +266 @@
         emitRestoreCalleeSaves();
 
-    move(TrustedImmPtr(m_callCompilationInfo[callLinkInfoIndex].callLinkInfo), regT2);
-
-    m_callCompilationInfo[callLinkInfoIndex].callReturnLocation = emitNakedCall(m_vm->getCTIStub(linkCallThunkGenerator).code());
+    CallLinkInfo* callLinkInfo = m_callCompilationInfo[callLinkInfoIndex].callLinkInfo;
+    move(TrustedImmPtr(callLinkInfo), nonArgGPR0);
+
+    m_callCompilationInfo[callLinkInfoIndex].callReturnLocation = emitNakedCall(m_vm->getJITCallThunkEntryStub(linkCallThunkGenerator).entryFor(callLinkInfo->argumentsLocation()));
 
     if (opcodeID == op_tail_call || opcodeID == op_tail_call_varargs) {