Changeset 209725 in webkit for trunk/Source/JavaScriptCore/jit/Repatch.cpp

Timestamp:

Dec 12, 2016, 1:46:45 PM (9 years ago)

Author:

[email protected]

Message:

REGRESSION(r209653): speedometer crashes making virtual slow path tailcalls
​https://bugs.webkit.org/show_bug.cgi?id=165748

Reviewed by Filip Pizlo.

JSTests:

New regression test.

• stress/regress-165748.js: Added.

(sum1):
(sum2):
(sum3):
(sum4):
(sum5):
(sum6):
(tailCaller):
(test):

Source/JavaScriptCore:

The virtual slow path for tailcalls always passes arguments on the stack.
The fix here is to link to the stack argument entrypoint instead of a register
argument entrypoint.

While fixing this bug, I found that we weren't clearing the code origin when
shuffling the call frame for a register argument tailcall.

Also rolling back in r209653, r209654, r209663, and r209673.

• jit/CallFrameShuffler.cpp:

(JSC::CallFrameShuffler::prepareAny):

• jit/ThunkGenerators.cpp:

(JSC::virtualThunkFor):

Source/WTF:

Rolling back in r209653, r209654, r209663, and r209673.

• wtf/Platform.h:

File:

• trunk/Source/JavaScriptCore/jit/Repatch.cpp (modified) (13 diffs)

trunk/Source/JavaScriptCore/jit/Repatch.cpp

@@ -541 +541 @@
 }
 
-static void linkSlowFor(VM*, CallLinkInfo& callLinkInfo, MacroAssemblerCodeRef codeRef)
-{
-    MacroAssembler::repatchNearCall(callLinkInfo.callReturnLocation(), CodeLocationLabel(codeRef.code()));
-}
-
-static void linkSlowFor(VM* vm, CallLinkInfo& callLinkInfo, ThunkGenerator generator)
-{
-    linkSlowFor(vm, callLinkInfo, vm->getCTIStub(generator));
+static void linkSlowFor(VM*, CallLinkInfo& callLinkInfo, JITJSCallThunkEntryPointsWithRef thunkEntryPoints)
+{
+    MacroAssembler::repatchNearCall(callLinkInfo.callReturnLocation(), CodeLocationLabel(thunkEntryPoints.entryFor(callLinkInfo.argumentsLocation())));
+}
+
+static void linkSlowFor(VM* vm, CallLinkInfo& callLinkInfo, JITCallThunkEntryGenerator generator)
+{
+    linkSlowFor(vm, callLinkInfo, vm->getJITCallThunkEntryStub(generator));
 }
 
 static void linkSlowFor(VM* vm, CallLinkInfo& callLinkInfo)
 {
-    MacroAssemblerCodeRef virtualThunk = virtualThunkFor(vm, callLinkInfo);
+    JITJSCallThunkEntryPointsWithRef virtualThunk = virtualThunkFor(vm, callLinkInfo);
     linkSlowFor(vm, callLinkInfo, virtualThunk);
-    callLinkInfo.setSlowStub(createJITStubRoutine(virtualThunk, *vm, nullptr, true));
+    callLinkInfo.setSlowStub(createJITStubRoutine(virtualThunk.codeRef(), *vm, nullptr, true));
 }
 
@@ -645 +645 @@
 }
 
-static void revertCall(VM* vm, CallLinkInfo& callLinkInfo, MacroAssemblerCodeRef codeRef)
+static void revertCall(VM* vm, CallLinkInfo& callLinkInfo, JITJSCallThunkEntryPointsWithRef codeRef)
 {
     if (callLinkInfo.isDirect()) {
@@ -672 +672 @@
         dataLog("Unlinking call at ", callLinkInfo.hotPathOther(), "\n");
     
-    revertCall(&vm, callLinkInfo, vm.getCTIStub(linkCallThunkGenerator));
+    revertCall(&vm, callLinkInfo, vm.getJITCallThunkEntryStub(linkCallThunkGenerator));
 }
 
@@ -684 +684 @@
         dataLog("Linking virtual call at ", *callerCodeBlock, " ", callerFrame->codeOrigin(), "\n");
 
-    MacroAssemblerCodeRef virtualThunk = virtualThunkFor(&vm, callLinkInfo);
+    JITJSCallThunkEntryPointsWithRef virtualThunk = virtualThunkFor(&vm, callLinkInfo);
     revertCall(&vm, callLinkInfo, virtualThunk);
-    callLinkInfo.setSlowStub(createJITStubRoutine(virtualThunk, vm, nullptr, true));
+    callLinkInfo.setSlowStub(createJITStubRoutine(virtualThunk.codeRef(), vm, nullptr, true));
 }
 
@@ -741 +741 @@
     
     Vector<PolymorphicCallCase> callCases;
+    size_t callerArgumentCount = exec->argumentCountIncludingThis();
     
     // Figure out what our cases are.
@@ -752 +753 @@
             // If we cannot handle a callee, either because we don't have a CodeBlock or because arity mismatch,
             // assume that it's better for this whole thing to be a virtual call.
-            if (!codeBlock || exec->argumentCountIncludingThis() < static_cast<size_t>(codeBlock->numParameters()) || callLinkInfo.isVarargs()) {
+            if (!codeBlock || callerArgumentCount < static_cast<size_t>(codeBlock->numParameters()) || callLinkInfo.isVarargs()) {
                 linkVirtualFor(exec, callLinkInfo);
                 return;
@@ -776 +777 @@
     
     GPRReg calleeGPR = static_cast<GPRReg>(callLinkInfo.calleeGPR());
-    
+
+    if (callLinkInfo.argumentsInRegisters())
+        ASSERT(calleeGPR == argumentRegisterForCallee());
+
     CCallHelpers stubJit(&vm, callerCodeBlock);
     
@@ -798 +802 @@
         if (frameShuffler)
             scratchGPR = frameShuffler->acquireGPR();
+        else if (callLinkInfo.argumentsInRegisters())
+            scratchGPR = GPRInfo::nonArgGPR0;
         else
             scratchGPR = AssemblyHelpers::selectScratchGPR(calleeGPR);
@@ -863 +869 @@
     if (frameShuffler)
         fastCountsBaseGPR = frameShuffler->acquireGPR();
+    else if (callLinkInfo.argumentsInRegisters())
+#if CPU(ARM64)
+        fastCountsBaseGPR = GPRInfo::nonArgGPR1;
+#else
+        fastCountsBaseGPR = GPRInfo::regT0;
+#endif
     else {
         fastCountsBaseGPR =
             AssemblyHelpers::selectScratchGPR(calleeGPR, comparisonValueGPR, GPRInfo::regT3);
     }
-    stubJit.move(CCallHelpers::TrustedImmPtr(fastCounts.get()), fastCountsBaseGPR);
+    if (fastCounts)
+        stubJit.move(CCallHelpers::TrustedImmPtr(fastCounts.get()), fastCountsBaseGPR);
     if (!frameShuffler && callLinkInfo.isTailCall())
         stubJit.emitRestoreCalleeSaves();
+
+    incrementCounter(&stubJit, VM::PolymorphicCall);
+
     BinarySwitch binarySwitch(comparisonValueGPR, caseValues, BinarySwitch::IntPtr);
     CCallHelpers::JumpList done;
@@ -878 +894 @@
         
         ASSERT(variant.executable()->hasJITCodeForCall());
+
+        EntryPointType entryType = StackArgsArityCheckNotRequired;
+#if NUMBER_OF_JS_FUNCTION_ARGUMENT_REGISTERS
+        if (callLinkInfo.argumentsInRegisters()) {
+            CodeBlock* codeBlock = callCases[caseIndex].codeBlock();
+            if (codeBlock) {
+                size_t calleeArgumentCount = static_cast<size_t>(codeBlock->numParameters());
+                if (calleeArgumentCount == callerArgumentCount || calleeArgumentCount >= NUMBER_OF_JS_FUNCTION_ARGUMENT_REGISTERS)
+                    entryType = RegisterArgsArityCheckNotRequired;
+                else {
+                    EntryPointType entryForArgCount = JITEntryPoints::registerEntryTypeForArgumentCount(callerArgumentCount);
+                    MacroAssemblerCodePtr codePtr =
+                        variant.executable()->generatedJITCodeForCall()->addressForCall(entryForArgCount);
+                    if (codePtr)
+                        entryType = entryForArgCount;
+                    else
+                        entryType = RegisterArgsPossibleExtraArgs;
+                }
+            } else
+                entryType = RegisterArgsPossibleExtraArgs;
+        }
+#endif
+
         MacroAssemblerCodePtr codePtr =
-            variant.executable()->generatedJITCodeForCall()->addressForCall(ArityCheckNotRequired);
+            variant.executable()->generatedJITCodeForCall()->addressForCall(entryType);
+        ASSERT(codePtr);
         
         if (fastCounts) {
@@ -887 +927 @@
         }
         if (frameShuffler) {
-            CallFrameShuffler(stubJit, frameShuffler->snapshot()).prepareForTailCall();
+            CallFrameShuffler(stubJit, frameShuffler->snapshot(callLinkInfo.argumentsLocation())).prepareForTailCall();
             calls[caseIndex].call = stubJit.nearTailCall();
         } else if (callLinkInfo.isTailCall()) {
@@ -908 +948 @@
         frameShuffler->setCalleeJSValueRegs(JSValueRegs(GPRInfo::regT1, GPRInfo::regT0));
 #else
-        frameShuffler->setCalleeJSValueRegs(JSValueRegs(GPRInfo::regT0));
+        if (callLinkInfo.argumentsLocation() == StackArgs)
+            frameShuffler->setCalleeJSValueRegs(JSValueRegs(argumentRegisterForCallee()));
 #endif
         frameShuffler->prepareForSlowPath();
     } else {
-        stubJit.move(calleeGPR, GPRInfo::regT0);
 #if USE(JSVALUE32_64)
         stubJit.move(CCallHelpers::TrustedImm32(JSValue::CellTag), GPRInfo::regT1);
 #endif
     }
-    stubJit.move(CCallHelpers::TrustedImmPtr(&callLinkInfo), GPRInfo::regT2);
-    stubJit.move(CCallHelpers::TrustedImmPtr(callLinkInfo.callReturnLocation().executableAddress()), GPRInfo::regT4);
-    
-    stubJit.restoreReturnAddressBeforeReturn(GPRInfo::regT4);
+    stubJit.move(CCallHelpers::TrustedImmPtr(callLinkInfo.callReturnLocation().executableAddress()), GPRInfo::nonArgGPR1);
+    stubJit.restoreReturnAddressBeforeReturn(GPRInfo::nonArgGPR1);
+
+    stubJit.move(CCallHelpers::TrustedImmPtr(&callLinkInfo), GPRInfo::nonArgGPR0);
     AssemblyHelpers::Jump slow = stubJit.jump();
         
@@ -941 +981 @@
     else
         patchBuffer.link(done, callLinkInfo.hotPathOther().labelAtOffset(0));
-    patchBuffer.link(slow, CodeLocationLabel(vm.getCTIStub(linkPolymorphicCallThunkGenerator).code()));
+    patchBuffer.link(slow, CodeLocationLabel(vm.getJITCallThunkEntryStub(linkPolymorphicCallThunkGenerator).entryFor(callLinkInfo.argumentsLocation())));
     
     auto stubRoutine = adoptRef(*new PolymorphicCallStubRoutine(