Changeset 284923 in webkit

Timestamp:

Oct 27, 2021, 8:34:42 AM (4 years ago)

Author:

[email protected]

Message:

[JSC][32bit] Fix CSR restore on DFG tail calls, add extra register on ARMv7
​https://bugs.webkit.org/show_bug.cgi?id=230622

Patch by Geza Lore <Geza Lore> on 2021-10-27
Reviewed by Keith Miller.

This re-introduces the patch reverted by
​https://trac.webkit.org/changeset/284911/webkit
with the C_LOOP interpreter now fixed.

The only difference between the original patch and this version is in
LowLevelInterpreter32_64.asm and LowLevelInterpreter64.asm, which
need the PC base (PB) register restored on C_LOOP on return from a
call, as C_LOOP does not seem to handle this as a proper callee save
register (CSR). On non C_LOOP builds, the CSR restore mechanism takes
care of this, so removed the superfluous instructions.

--- Original ChangeLog ---

This patch does two things:

1. Adds an extra callee save register (CSR) to be available to DFG on

ARMv7. To do this properly required the following:

2. Implements the necessary shuffling in CallFrameShuffler on 32-bit

architectures that is required to restore CSRs properly after a tail
call on these architectures. This also fixes the remaining failures in
the 32-bit build of the unlinked baseline JIT.

• bytecode/ValueRecovery.cpp:

(JSC::ValueRecovery::dumpInContext const):

• bytecode/ValueRecovery.h:

(JSC::ValueRecovery::calleeSaveRegDisplacedInJSStack):
(JSC::ValueRecovery::isInJSStack const):
(JSC::ValueRecovery::dataFormat const):
(JSC::ValueRecovery::withLocalsOffset const):

• dfg/DFGSpeculativeJIT32_64.cpp:

(JSC::DFG::SpeculativeJIT::emitCall):

• jit/CachedRecovery.cpp:

(JSC::CachedRecovery::loadsIntoGPR const):

• jit/CallFrameShuffleData.cpp:

(JSC::CallFrameShuffleData::setupCalleeSaveRegisters):

• jit/CallFrameShuffleData.h:
• jit/CallFrameShuffler.cpp:

(JSC::CallFrameShuffler::CallFrameShuffler):

• jit/CallFrameShuffler.h:

(JSC::CallFrameShuffler::snapshot const):
(JSC::CallFrameShuffler::addNew):

• jit/CallFrameShuffler32_64.cpp:

(JSC::CallFrameShuffler::emitLoad):
(JSC::CallFrameShuffler::emitDisplace):

• jit/GPRInfo.h:

(JSC::GPRInfo::toRegister):
(JSC::GPRInfo::toIndex):

• jit/RegisterSet.cpp:

(JSC::RegisterSet::dfgCalleeSaveRegisters):

• llint/LowLevelInterpreter32_64.asm:
• llint/LowLevelInterpreter64.asm:

Location:

trunk/Source/JavaScriptCore

Files:

• ChangeLog (modified) (1 diff)
• bytecode/ValueRecovery.cpp (modified) (1 diff)
• bytecode/ValueRecovery.h (modified) (5 diffs)
• dfg/DFGSpeculativeJIT32_64.cpp (modified) (1 diff)
• jit/CachedRecovery.cpp (modified) (1 diff)
• jit/CallFrameShuffleData.cpp (modified) (3 diffs)
• jit/CallFrameShuffleData.h (modified) (1 diff)
• jit/CallFrameShuffler.cpp (modified) (2 diffs)
• jit/CallFrameShuffler.h (modified) (2 diffs)
• jit/CallFrameShuffler32_64.cpp (modified) (3 diffs)
• jit/GPRInfo.h (modified) (3 diffs)
• jit/RegisterSet.cpp (modified) (1 diff)
• llint/LowLevelInterpreter32_64.asm (modified) (1 diff)
• llint/LowLevelInterpreter64.asm (modified) (1 diff)

trunk/Source/JavaScriptCore/ChangeLog

@@ +1 @@
+2021-10-27  Geza Lore  <[email protected]>
+
+        [JSC][32bit] Fix CSR restore on DFG tail calls, add extra register on ARMv7
+        https://bugs.webkit.org/show_bug.cgi?id=230622
+
+        Reviewed by Keith Miller.
+
+        This re-introduces the patch reverted by
+        https://trac.webkit.org/changeset/284911/webkit
+        with the C_LOOP interpreter now fixed.
+
+        The only difference between the original patch and this version is in
+        LowLevelInterpreter32_64.asm and LowLevelInterpreter64.asm, which
+        need the PC base (PB) register restored on C_LOOP on return from a
+        call, as C_LOOP does not seem to handle this as a proper callee save
+        register (CSR). On non C_LOOP builds, the CSR restore mechanism takes
+        care of this, so removed the superfluous instructions.
+
+        --- Original ChangeLog ---
+
+        This patch does two things:
+
+        1. Adds an extra callee save register (CSR) to be available to DFG on
+        ARMv7. To do this properly required the following:
+
+        2. Implements the necessary shuffling in CallFrameShuffler on 32-bit
+        architectures that is required to restore CSRs properly after a tail
+        call on these architectures. This also fixes the remaining failures in
+        the 32-bit build of the unlinked baseline JIT.
+
+        * bytecode/ValueRecovery.cpp:
+        (JSC::ValueRecovery::dumpInContext const):
+        * bytecode/ValueRecovery.h:
+        (JSC::ValueRecovery::calleeSaveRegDisplacedInJSStack):
+        (JSC::ValueRecovery::isInJSStack const):
+        (JSC::ValueRecovery::dataFormat const):
+        (JSC::ValueRecovery::withLocalsOffset const):
+        * dfg/DFGSpeculativeJIT32_64.cpp:
+        (JSC::DFG::SpeculativeJIT::emitCall):
+        * jit/CachedRecovery.cpp:
+        (JSC::CachedRecovery::loadsIntoGPR const):
+        * jit/CallFrameShuffleData.cpp:
+        (JSC::CallFrameShuffleData::setupCalleeSaveRegisters):
+        * jit/CallFrameShuffleData.h:
+        * jit/CallFrameShuffler.cpp:
+        (JSC::CallFrameShuffler::CallFrameShuffler):
+        * jit/CallFrameShuffler.h:
+        (JSC::CallFrameShuffler::snapshot const):
+        (JSC::CallFrameShuffler::addNew):
+        * jit/CallFrameShuffler32_64.cpp:
+        (JSC::CallFrameShuffler::emitLoad):
+        (JSC::CallFrameShuffler::emitDisplace):
+        * jit/GPRInfo.h:
+        (JSC::GPRInfo::toRegister):
+        (JSC::GPRInfo::toIndex):
+        * jit/RegisterSet.cpp:
+        (JSC::RegisterSet::dfgCalleeSaveRegisters):
+        * llint/LowLevelInterpreter32_64.asm:
+        * llint/LowLevelInterpreter64.asm:
+
 2021-10-26  Commit Queue  <[email protected]>
 

trunk/Source/JavaScriptCore/bytecode/ValueRecovery.cpp

@@ -100 +100 @@
         out.print("*int32(", virtualRegister(), ")");
         return;
+#if USE(JSVALUE32_64)
+    case Int32TagDisplacedInJSStack:
+        out.print("*int32Tag(", virtualRegister(), ")");
+        return;
+#endif
     case Int52DisplacedInJSStack:
         out.print("*int52(", virtualRegister(), ")");

trunk/Source/JavaScriptCore/bytecode/ValueRecovery.h

@@ -61 +61 @@
     // It's in the stack, at a different location, and it's unboxed.
     Int32DisplacedInJSStack,
+#if USE(JSVALUE32_64)
+    Int32TagDisplacedInJSStack, // int32 stored in tag field
+#endif
     Int52DisplacedInJSStack,
     StrictInt52DisplacedInJSStack,
@@ -188 +191 @@
         return result;
     }
-    
+
+#if USE(JSVALUE32_64)
+    static ValueRecovery calleeSaveRegDisplacedInJSStack(VirtualRegister virtualReg, bool inTag)
+    {
+        ValueRecovery result;
+        UnionType u;
+        u.virtualReg = virtualReg.offset();
+        result.m_source = WTFMove(u);
+        result.m_technique = inTag ? Int32TagDisplacedInJSStack : Int32DisplacedInJSStack;
+        return result;
+    }
+#endif
+
     static ValueRecovery constant(JSValue value)
     {
@@ -259 +274 @@
         case DisplacedInJSStack:
         case Int32DisplacedInJSStack:
+#if USE(JSVALUE32_64)
+        case Int32TagDisplacedInJSStack:
+#endif
         case Int52DisplacedInJSStack:
         case StrictInt52DisplacedInJSStack:
@@ -283 +301 @@
         case UnboxedInt32InGPR:
         case Int32DisplacedInJSStack:
+#if USE(JSVALUE32_64)
+        case Int32TagDisplacedInJSStack:
+#endif
             return DataFormatInt32;
         case UnboxedInt52InGPR:
@@ -359 +380 @@
         case DisplacedInJSStack:
         case Int32DisplacedInJSStack:
+#if USE(JSVALUE32_64)
+        case Int32TagDisplacedInJSStack:
+#endif
         case DoubleDisplacedInJSStack:
         case CellDisplacedInJSStack:

trunk/Source/JavaScriptCore/dfg/DFGSpeculativeJIT32_64.cpp

@@ -743 +743 @@
             for (unsigned i = numPassedArgs; i < numAllocatedArgs; ++i)
                 shuffleData.args[i] = ValueRecovery::constant(jsUndefined());
+
+            shuffleData.setupCalleeSaveRegisters(m_jit.codeBlock());
         } else {
             m_jit.store32(MacroAssembler::TrustedImm32(numPassedArgs), m_jit.calleeFramePayloadSlot(CallFrameSlot::argumentCountIncludingThis));

trunk/Source/JavaScriptCore/jit/CachedRecovery.cpp

@@ -53 +53 @@
     switch (recovery().technique()) {
     case Int32DisplacedInJSStack:
-#if USE(JSVALUE64)
+#if USE(JSVALUE32_64)
+    case Int32TagDisplacedInJSStack:
+#elif USE(JSVALUE64)
     case Int52DisplacedInJSStack:
     case StrictInt52DisplacedInJSStack:

trunk/Source/JavaScriptCore/jit/CallFrameShuffleData.cpp

@@ -34 +34 @@
 namespace JSC {
 
-#if USE(JSVALUE64)
-
 void CallFrameShuffleData::setupCalleeSaveRegisters(CodeBlock* codeBlock)
 {
@@ -50 +48 @@
             continue;
 
-        VirtualRegister saveSlot { entry.offsetAsIndex() };
+        int saveSlotIndexInCPURegisters = entry.offsetAsIndex();
+
+#if USE(JSVALUE64)
+        // CPU registers are the same size as virtual registers
+        VirtualRegister saveSlot { saveSlotIndexInCPURegisters };
         registers[entry.reg()]
             = ValueRecovery::displacedInJSStack(saveSlot, DataFormatJS);
+#elif USE(JSVALUE32_64)
+        // On 32-bit architectures, 2 callee saved registers may be packed into the same slot
+        static_assert(!PayloadOffset || !TagOffset);
+        static_assert(PayloadOffset == 4 || TagOffset == 4);
+        bool inTag = (saveSlotIndexInCPURegisters & 1) == !!TagOffset;
+        if (saveSlotIndexInCPURegisters < 0)
+            saveSlotIndexInCPURegisters -= 1; // Round towards -inf
+        VirtualRegister saveSlot { saveSlotIndexInCPURegisters / 2 };
+        registers[entry.reg()]
+            = ValueRecovery::calleeSaveRegDisplacedInJSStack(saveSlot, inTag);
+#endif
     }
 
@@ -62 +75 @@
             continue;
 
+#if USE(JSVALUE64)
         registers[reg] = ValueRecovery::inRegister(reg, DataFormatJS);
+#elif USE(JSVALUE32_64)
+        registers[reg] = ValueRecovery::inRegister(reg, DataFormatInt32);
+#endif
     }
 }
-
-#endif // USE(JSVALUE64)
 
 } // namespace JSC

trunk/Source/JavaScriptCore/jit/CallFrameShuffleData.h

@@ -45 +45 @@
     unsigned numPassedArgs { UINT_MAX };
     unsigned numParameters { UINT_MAX }; // On our machine frame.
+    RegisterMap<ValueRecovery> registers;
 #if USE(JSVALUE64)
-    RegisterMap<ValueRecovery> registers;
     GPRReg numberTagRegister { InvalidGPRReg };
+#endif
 
     void setupCalleeSaveRegisters(CodeBlock*);
     void setupCalleeSaveRegisters(const RegisterAtOffsetList*);
-#endif
     ValueRecovery callee;
 };

trunk/Source/JavaScriptCore/jit/CallFrameShuffler.cpp

@@ -53 +53 @@
         m_lockedRegisters.clear(FPRInfo::toRegister(i));
 
-#if USE(JSVALUE64)
-    // ... as well as the runtime registers on 64-bit architectures.
-    // However do not use these registers on 32-bit architectures since
-    // saving and restoring callee-saved registers in CallFrameShuffler isn't supported
-    // on 32-bit architectures yet.
+    // ... as well as the callee saved registers
     m_lockedRegisters.exclude(RegisterSet::vmCalleeSaveRegisters());
-#endif
 
     ASSERT(!data.callee.isInJSStack() || data.callee.virtualRegister().isLocal());
@@ -69 +64 @@
     }
 
-#if USE(JSVALUE64)
     for (Reg reg = Reg::first(); reg <= Reg::last(); reg = reg.next()) {
         if (!data.registers[reg].isSet())
             continue;
 
-        if (reg.isGPR())
+        if (reg.isGPR()) {
+#if USE(JSVALUE64)
             addNew(JSValueRegs(reg.gpr()), data.registers[reg]);
-        else
+#elif USE(JSVALUE32_64)
+            addNew(reg.gpr(), data.registers[reg]);
+#endif
+        } else
             addNew(reg.fpr(), data.registers[reg]);
     }
 
+#if USE(JSVALUE64)
     m_numberTagRegister = data.numberTagRegister;
     if (m_numberTagRegister != InvalidGPRReg)

trunk/Source/JavaScriptCore/jit/CallFrameShuffler.h

@@ -118 +118 @@
 #if USE(JSVALUE64)
             data.registers[reg] = cachedRecovery->recovery();
+#elif USE(JSVALUE32_64)
+            ValueRecovery recovery = cachedRecovery->recovery();
+            if (recovery.technique() == DisplacedInJSStack) {
+                JSValueRegs wantedJSValueReg = cachedRecovery->wantedJSValueRegs();
+                ASSERT(reg == wantedJSValueReg.payloadGPR() || reg == wantedJSValueReg.tagGPR());
+                bool inTag = reg == wantedJSValueReg.tagGPR();
+                data.registers[reg] = ValueRecovery::calleeSaveRegDisplacedInJSStack(recovery.virtualRegister(), inTag);
+            } else
+                data.registers[reg] = recovery;
 #else
             RELEASE_ASSERT_NOT_REACHED();
@@ -665 +674 @@
     }
 
+#if USE(JSVALUE32_64)
+    void addNew(GPRReg gpr, ValueRecovery recovery)
+    {
+        ASSERT(gpr != InvalidGPRReg && !m_newRegisters[gpr]);
+        ASSERT(recovery.technique() == Int32DisplacedInJSStack
+            || recovery.technique() == Int32TagDisplacedInJSStack);
+        CachedRecovery* cachedRecovery = addCachedRecovery(recovery);
+        if (JSValueRegs oldRegs { cachedRecovery->wantedJSValueRegs() }) {
+            // Combine with the other CSR in the same virtual register slot
+            ASSERT(oldRegs.tagGPR() == InvalidGPRReg);
+            ASSERT(oldRegs.payloadGPR() != InvalidGPRReg && oldRegs.payloadGPR() != gpr);
+            if (recovery.technique() == Int32DisplacedInJSStack) {
+                ASSERT(cachedRecovery->recovery().technique() == Int32TagDisplacedInJSStack);
+                cachedRecovery->setWantedJSValueRegs(JSValueRegs(oldRegs.payloadGPR(), gpr));
+            } else {
+                ASSERT(cachedRecovery->recovery().technique() == Int32DisplacedInJSStack);
+                cachedRecovery->setWantedJSValueRegs(JSValueRegs(gpr, oldRegs.payloadGPR()));
+            }
+            cachedRecovery->setRecovery(
+                ValueRecovery::displacedInJSStack(recovery.virtualRegister(), DataFormatJS));
+        } else
+            cachedRecovery->setWantedJSValueRegs(JSValueRegs::payloadOnly(gpr));
+        m_newRegisters[gpr] = cachedRecovery;
+    }
+#endif
+
     void addNew(FPRReg fpr, ValueRecovery recovery)
     {

trunk/Source/JavaScriptCore/jit/CallFrameShuffler32_64.cpp

@@ -125 +125 @@
             resultGPR = getFreeGPR();
         ASSERT(resultGPR != InvalidGPRReg);
-        m_jit.loadPtr(address.withOffset(PayloadOffset), resultGPR);
-        updateRecovery(location, 
+        if (location.recovery().technique() == Int32TagDisplacedInJSStack)
+            m_jit.loadPtr(address.withOffset(TagOffset), resultGPR);
+        else
+            m_jit.loadPtr(address.withOffset(PayloadOffset), resultGPR);
+        updateRecovery(location,
             ValueRecovery::inGPR(resultGPR, location.recovery().dataFormat()));
         if (verbose)
@@ -191 +194 @@
         ASSERT(!m_lockedRegisters.get(wantedTagGPR));
         if (CachedRecovery* currentTag { m_registers[wantedTagGPR] }) {
-            if (currentTag == &location) {
-                if (verbose)
-                    dataLog("   + ", wantedTagGPR, " is OK\n");
-            } else {
-                // This can never happen on 32bit platforms since we
-                // have at most one wanted JSValueRegs, for the
-                // callee, and no callee-save registers.
-                RELEASE_ASSERT_NOT_REACHED();
-            }
+            RELEASE_ASSERT(currentTag == &location);
+            if (verbose)
+                dataLog("   + ", wantedTagGPR, " is OK\n");
         }
     }
@@ -206 +203 @@
         ASSERT(!m_lockedRegisters.get(wantedPayloadGPR));
         if (CachedRecovery* currentPayload { m_registers[wantedPayloadGPR] }) {
-            if (currentPayload == &location) {
-                if (verbose)
-                    dataLog("   + ", wantedPayloadGPR, " is OK\n");
-            } else {
-                // See above
-                RELEASE_ASSERT_NOT_REACHED();
-            }
+            RELEASE_ASSERT(currentPayload == &location);
+            if (verbose)
+                dataLog("   + ", wantedPayloadGPR, " is OK\n");
         }
     }

trunk/Source/JavaScriptCore/jit/GPRInfo.h

@@ -554 +554 @@
 public:
     typedef GPRReg RegisterType;
-    static constexpr unsigned numberOfRegisters = 9;
+    static constexpr unsigned numberOfRegisters = 10;
     static constexpr unsigned numberOfArgumentRegisters = NUMBER_OF_ARGUMENT_REGISTERS;
 
@@ -583 +583 @@
     {
         ASSERT(index < numberOfRegisters);
-        static const GPRReg registerForIndex[numberOfRegisters] = { regT0, regT1, regT2, regT3, regT4, regT5, regT6, regT7, regCS1 };
+        static const GPRReg registerForIndex[numberOfRegisters] = { regT0, regT1, regT2, regT3, regT4, regT5, regT6, regT7, regCS0, regCS1 };
         return registerForIndex[index];
     }
@@ -599 +599 @@
         ASSERT(static_cast<int>(reg) < 16);
         static const unsigned indexForRegister[16] =
-            { 0, 1, 2, 3, 7, 6, InvalidIndex, InvalidIndex, 4, 5, 8, InvalidIndex, InvalidIndex, InvalidIndex, InvalidIndex, InvalidIndex };
+            { 0, 1, 2, 3, 7, 6, InvalidIndex, InvalidIndex, 4, 5, 9, 8, InvalidIndex, InvalidIndex, InvalidIndex, InvalidIndex };
         unsigned result = indexForRegister[reg];
         return result;

trunk/Source/JavaScriptCore/jit/RegisterSet.cpp

@@ -255 +255 @@
 #endif
 #elif CPU(ARM_THUMB2)
+    result.set(GPRInfo::regCS0);
     result.set(GPRInfo::regCS1);
 #elif CPU(ARM64)

trunk/Source/JavaScriptCore/llint/LowLevelInterpreter32_64.asm

@@ -80 +80 @@
 macro dispatchAfterCall(size, opcodeStruct, valueProfileName, dstVirtualRegister, dispatch)
     loadi ArgumentCountIncludingThis + TagOffset[cfr], PC
-    loadp CodeBlock[cfr], PB
-    loadp CodeBlock::m_instructionsRawPointer[PB], PB
+    if C_LOOP or C_LOOP_WIN
+        # On non C_LOOP builds, CSR restore takes care of this.
+        loadp CodeBlock[cfr], PB
+        loadp CodeBlock::m_instructionsRawPointer[PB], PB
+    end
     get(size, opcodeStruct, dstVirtualRegister, t3)
     storei r1, TagOffset[cfr, t3, 8]

trunk/Source/JavaScriptCore/llint/LowLevelInterpreter64.asm

@@ -83 +83 @@
 macro dispatchAfterCall(size, opcodeStruct, valueProfileName, dstVirtualRegister, dispatch)
     loadPC()
-    loadp CodeBlock[cfr], PB
-    loadp CodeBlock::m_instructionsRawPointer[PB], PB
+    if C_LOOP or C_LOOP_WIN
+        # On non C_LOOP builds, CSR restore takes care of this.
+        loadp CodeBlock[cfr], PB
+        loadp CodeBlock::m_instructionsRawPointer[PB], PB
+    end
     get(size, opcodeStruct, dstVirtualRegister, t1)
     storeq r0, [cfr, t1, 8]