Changeset 284923 in webkit for trunk/Source/JavaScriptCore/jit/CallFrameShuffleData.cpp

Timestamp:

Oct 27, 2021, 8:34:42 AM (4 years ago)

Author:

[email protected]

Message:

[JSC][32bit] Fix CSR restore on DFG tail calls, add extra register on ARMv7
​https://bugs.webkit.org/show_bug.cgi?id=230622

Patch by Geza Lore <Geza Lore> on 2021-10-27
Reviewed by Keith Miller.

This re-introduces the patch reverted by
​https://trac.webkit.org/changeset/284911/webkit
with the C_LOOP interpreter now fixed.

The only difference between the original patch and this version is in
LowLevelInterpreter32_64.asm and LowLevelInterpreter64.asm, which
need the PC base (PB) register restored on C_LOOP on return from a
call, as C_LOOP does not seem to handle this as a proper callee save
register (CSR). On non C_LOOP builds, the CSR restore mechanism takes
care of this, so removed the superfluous instructions.

--- Original ChangeLog ---

This patch does two things:

1. Adds an extra callee save register (CSR) to be available to DFG on

ARMv7. To do this properly required the following:

2. Implements the necessary shuffling in CallFrameShuffler on 32-bit

architectures that is required to restore CSRs properly after a tail
call on these architectures. This also fixes the remaining failures in
the 32-bit build of the unlinked baseline JIT.

• bytecode/ValueRecovery.cpp:

(JSC::ValueRecovery::dumpInContext const):

• bytecode/ValueRecovery.h:

(JSC::ValueRecovery::calleeSaveRegDisplacedInJSStack):
(JSC::ValueRecovery::isInJSStack const):
(JSC::ValueRecovery::dataFormat const):
(JSC::ValueRecovery::withLocalsOffset const):

• dfg/DFGSpeculativeJIT32_64.cpp:

(JSC::DFG::SpeculativeJIT::emitCall):

• jit/CachedRecovery.cpp:

(JSC::CachedRecovery::loadsIntoGPR const):

• jit/CallFrameShuffleData.cpp:

(JSC::CallFrameShuffleData::setupCalleeSaveRegisters):

• jit/CallFrameShuffleData.h:
• jit/CallFrameShuffler.cpp:

(JSC::CallFrameShuffler::CallFrameShuffler):

• jit/CallFrameShuffler.h:

(JSC::CallFrameShuffler::snapshot const):
(JSC::CallFrameShuffler::addNew):

• jit/CallFrameShuffler32_64.cpp:

(JSC::CallFrameShuffler::emitLoad):
(JSC::CallFrameShuffler::emitDisplace):

• jit/GPRInfo.h:

(JSC::GPRInfo::toRegister):
(JSC::GPRInfo::toIndex):

• jit/RegisterSet.cpp:

(JSC::RegisterSet::dfgCalleeSaveRegisters):

• llint/LowLevelInterpreter32_64.asm:
• llint/LowLevelInterpreter64.asm:

File:

• trunk/Source/JavaScriptCore/jit/CallFrameShuffleData.cpp (modified) (3 diffs)

trunk/Source/JavaScriptCore/jit/CallFrameShuffleData.cpp

@@ -34 +34 @@
 namespace JSC {
 
-#if USE(JSVALUE64)
-
 void CallFrameShuffleData::setupCalleeSaveRegisters(CodeBlock* codeBlock)
 {
@@ -50 +48 @@
             continue;
 
-        VirtualRegister saveSlot { entry.offsetAsIndex() };
+        int saveSlotIndexInCPURegisters = entry.offsetAsIndex();
+
+#if USE(JSVALUE64)
+        // CPU registers are the same size as virtual registers
+        VirtualRegister saveSlot { saveSlotIndexInCPURegisters };
         registers[entry.reg()]
             = ValueRecovery::displacedInJSStack(saveSlot, DataFormatJS);
+#elif USE(JSVALUE32_64)
+        // On 32-bit architectures, 2 callee saved registers may be packed into the same slot
+        static_assert(!PayloadOffset || !TagOffset);
+        static_assert(PayloadOffset == 4 || TagOffset == 4);
+        bool inTag = (saveSlotIndexInCPURegisters & 1) == !!TagOffset;
+        if (saveSlotIndexInCPURegisters < 0)
+            saveSlotIndexInCPURegisters -= 1; // Round towards -inf
+        VirtualRegister saveSlot { saveSlotIndexInCPURegisters / 2 };
+        registers[entry.reg()]
+            = ValueRecovery::calleeSaveRegDisplacedInJSStack(saveSlot, inTag);
+#endif
     }
 
@@ -62 +75 @@
             continue;
 
+#if USE(JSVALUE64)
         registers[reg] = ValueRecovery::inRegister(reg, DataFormatJS);
+#elif USE(JSVALUE32_64)
+        registers[reg] = ValueRecovery::inRegister(reg, DataFormatInt32);
+#endif
     }
 }
-
-#endif // USE(JSVALUE64)
 
 } // namespace JSC