Changeset 250750 in webkit

Timestamp:

Oct 4, 2019, 3:20:57 PM (6 years ago)

Author:

[email protected]

Message:

Allow OSR exit to the LLInt
​https://bugs.webkit.org/show_bug.cgi?id=197993

Reviewed by Tadeu Zagallo.

JSTests:

• stress/exit-from-getter-by-val.js: Added.
• stress/exit-from-setter-by-val.js: Added.

Source/JavaScriptCore:

This patch makes it so we can OSR exit to the LLInt.
Here are the interesting implementation details:

1. We no longer baseline compile everything in the inline stack.

2. When the top frame is a LLInt frame, we exit to the corresponding

LLInt bytecode. However, we need to materialize the LLInt registers
for PC, PB, and metadata.

3. When dealing with inline call frames where the caller is LLInt, we

need to return to the appropriate place. Let's consider we're exiting
at a place A->B (A calls B), where A is LLInt. If A is a normal call,
we place the return PC in the frame we materialize to B to be right
after the LLInt's inline cache for calls. If A is a varargs call, we place
it at the return location for vararg calls. The interesting scenario here
is where A is a getter/setter. This means that A might be get_by_id,
get_by_val, put_by_id, or put_by_val. Since the LLInt does not have any
form of IC for getters/setters, we make this work by creating new LLInt
"return location" stubs for these opcodes.

4. We need to update what callee saves we store in the callee if the caller frame

is a LLInt frame. Let's consider an inline stack A->B->C, where A is a LLInt frame.
When we materialize the stack frame for B, we need to ensure that the LLInt callee
saves that A uses is stored into B's preserved callee saves. Specifically, this
is just the PB/metadata registers.

This patch also fixes offlineasm's macro expansion to allow us to
use computed label names for global labels.

In a future bug, I'm going to investigate some kind of control system for
throwing away baseline code when we tier up:
​https://bugs.webkit.org/show_bug.cgi?id=202503

• JavaScriptCore.xcodeproj/project.pbxproj:
• Sources.txt:
• bytecode/CodeBlock.h:

(JSC::CodeBlock::metadataTable):
(JSC::CodeBlock::instructionsRawPointer):

• dfg/DFGOSRExit.cpp:

(JSC::DFG::OSRExit::executeOSRExit):
(JSC::DFG::reifyInlinedCallFrames):
(JSC::DFG::adjustAndJumpToTarget):
(JSC::DFG::OSRExit::compileOSRExit):

• dfg/DFGOSRExit.h:

(JSC::DFG::OSRExitState::OSRExitState):

• dfg/DFGOSRExitCompilerCommon.cpp:

(JSC::DFG::callerReturnPC):
(JSC::DFG::calleeSaveSlot):
(JSC::DFG::reifyInlinedCallFrames):
(JSC::DFG::adjustAndJumpToTarget):

• dfg/DFGOSRExitCompilerCommon.h:
• dfg/DFGOSRExitPreparation.cpp:

(JSC::DFG::prepareCodeOriginForOSRExit): Deleted.

• dfg/DFGOSRExitPreparation.h:
• ftl/FTLOSRExitCompiler.cpp:

(JSC::FTL::compileFTLOSRExit):

• llint/LLIntData.h:

(JSC::LLInt::getCodePtr):

• llint/LowLevelInterpreter.asm:
• llint/LowLevelInterpreter32_64.asm:
• llint/LowLevelInterpreter64.asm:
• offlineasm/asm.rb:
• offlineasm/transform.rb:
• runtime/OptionsList.h:

Tools:

• Scripts/run-jsc-stress-tests:

Location:

trunk

Files:

• JSTests/ChangeLog (modified) (1 diff)
• JSTests/stress/exit-from-getter-by-val.js (added)
• JSTests/stress/exit-from-setter-by-val.js (added)
• Source/JavaScriptCore/ChangeLog (modified) (1 diff)
• Source/JavaScriptCore/JavaScriptCore.xcodeproj/project.pbxproj (modified) (4 diffs)
• Source/JavaScriptCore/Sources.txt (modified) (1 diff)
• Source/JavaScriptCore/bytecode/CodeBlock.h (modified) (1 diff)
• Source/JavaScriptCore/bytecode/InlineCallFrame.h (modified) (1 diff)
• Source/JavaScriptCore/dfg/DFGOSRExit.cpp (modified) (11 diffs)
• Source/JavaScriptCore/dfg/DFGOSRExit.h (modified) (3 diffs)
• Source/JavaScriptCore/dfg/DFGOSRExitCompilerCommon.cpp (modified) (7 diffs)
• Source/JavaScriptCore/dfg/DFGOSRExitCompilerCommon.h (modified) (1 diff)
• Source/JavaScriptCore/dfg/DFGOSRExitPreparation.cpp (deleted)
• Source/JavaScriptCore/dfg/DFGOSRExitPreparation.h (deleted)
• Source/JavaScriptCore/ftl/FTLOSRExitCompiler.cpp (modified) (2 diffs)
• Source/JavaScriptCore/llint/LLIntData.h (modified) (4 diffs)
• Source/JavaScriptCore/llint/LowLevelInterpreter.asm (modified) (11 diffs)
• Source/JavaScriptCore/llint/LowLevelInterpreter32_64.asm (modified) (5 diffs)
• Source/JavaScriptCore/llint/LowLevelInterpreter64.asm (modified) (6 diffs)
• Source/JavaScriptCore/offlineasm/asm.rb (modified) (2 diffs)
• Source/JavaScriptCore/offlineasm/transform.rb (modified) (2 diffs)
• Source/JavaScriptCore/runtime/OptionsList.h (modified) (1 diff)
• Tools/ChangeLog (modified) (1 diff)
• Tools/Scripts/run-jsc-stress-tests (modified) (4 diffs)

trunk/JSTests/ChangeLog

@@ +1 @@
+2019-10-04  Saam Barati  <[email protected]>
+
+        Allow OSR exit to the LLInt
+        https://bugs.webkit.org/show_bug.cgi?id=197993
+
+        Reviewed by Tadeu Zagallo.
+
+        * stress/exit-from-getter-by-val.js: Added.
+        * stress/exit-from-setter-by-val.js: Added.
+
 2019-10-04  Paulo Matos  <[email protected]>
 

trunk/Source/JavaScriptCore/ChangeLog

@@ +1 @@
+2019-10-04  Saam Barati  <[email protected]>
+
+        Allow OSR exit to the LLInt
+        https://bugs.webkit.org/show_bug.cgi?id=197993
+
+        Reviewed by Tadeu Zagallo.
+
+        This patch makes it so we can OSR exit to the LLInt.
+        Here are the interesting implementation details:
+        
+        1. We no longer baseline compile everything in the inline stack.
+        
+        2. When the top frame is a LLInt frame, we exit to the corresponding
+        LLInt bytecode. However, we need to materialize the LLInt registers
+        for PC, PB, and metadata.
+        
+        3. When dealing with inline call frames where the caller is LLInt, we
+        need to return to the appropriate place. Let's consider we're exiting
+        at a place A->B (A calls B), where A is LLInt. If A is a normal call,
+        we place the return PC in the frame we materialize to B to be right
+        after the LLInt's inline cache for calls. If A is a varargs call, we place
+        it at the return location for vararg calls. The interesting scenario here
+        is where A is a getter/setter. This means that A might be get_by_id,
+        get_by_val, put_by_id, or put_by_val. Since the LLInt does not have any
+        form of IC for getters/setters, we make this work by creating new LLInt
+        "return location" stubs for these opcodes.
+        
+        4. We need to update what callee saves we store in the callee if the caller frame
+        is a LLInt frame. Let's consider an inline stack A->B->C, where A is a LLInt frame.
+        When we materialize the stack frame for B, we need to ensure that the LLInt callee
+        saves that A uses is stored into B's preserved callee saves. Specifically, this
+        is just the PB/metadata registers.
+        
+        This patch also fixes offlineasm's macro expansion to allow us to
+        use computed label names for global labels.
+        
+        In a future bug, I'm going to investigate some kind of control system for
+        throwing away baseline code when we tier up:
+        https://bugs.webkit.org/show_bug.cgi?id=202503
+
+        * JavaScriptCore.xcodeproj/project.pbxproj:
+        * Sources.txt:
+        * bytecode/CodeBlock.h:
+        (JSC::CodeBlock::metadataTable):
+        (JSC::CodeBlock::instructionsRawPointer):
+        * dfg/DFGOSRExit.cpp:
+        (JSC::DFG::OSRExit::executeOSRExit):
+        (JSC::DFG::reifyInlinedCallFrames):
+        (JSC::DFG::adjustAndJumpToTarget):
+        (JSC::DFG::OSRExit::compileOSRExit):
+        * dfg/DFGOSRExit.h:
+        (JSC::DFG::OSRExitState::OSRExitState):
+        * dfg/DFGOSRExitCompilerCommon.cpp:
+        (JSC::DFG::callerReturnPC):
+        (JSC::DFG::calleeSaveSlot):
+        (JSC::DFG::reifyInlinedCallFrames):
+        (JSC::DFG::adjustAndJumpToTarget):
+        * dfg/DFGOSRExitCompilerCommon.h:
+        * dfg/DFGOSRExitPreparation.cpp:
+        (JSC::DFG::prepareCodeOriginForOSRExit): Deleted.
+        * dfg/DFGOSRExitPreparation.h:
+        * ftl/FTLOSRExitCompiler.cpp:
+        (JSC::FTL::compileFTLOSRExit):
+        * llint/LLIntData.h:
+        (JSC::LLInt::getCodePtr):
+        * llint/LowLevelInterpreter.asm:
+        * llint/LowLevelInterpreter32_64.asm:
+        * llint/LowLevelInterpreter64.asm:
+        * offlineasm/asm.rb:
+        * offlineasm/transform.rb:
+        * runtime/OptionsList.h:
+
 2019-10-04  Truitt Savell  <[email protected]>
 

trunk/Source/JavaScriptCore/JavaScriptCore.xcodeproj/project.pbxproj

@@ -183 +183 @@
                 0F235BE217178E1C00690C7F /* FTLThunks.h in Headers */ = {isa = PBXBuildFile; fileRef = 0F235BCC17178E1C00690C7F /* FTLThunks.h */; settings = {ATTRIBUTES = (Private, ); }; };
                 0F235BEC17178E7300690C7F /* DFGOSRExitBase.h in Headers */ = {isa = PBXBuildFile; fileRef = 0F235BE817178E7300690C7F /* DFGOSRExitBase.h */; };
-                0F235BEE17178E7300690C7F /* DFGOSRExitPreparation.h in Headers */ = {isa = PBXBuildFile; fileRef = 0F235BEA17178E7300690C7F /* DFGOSRExitPreparation.h */; };
                 0F24E54117EA9F5900ABB217 /* AssemblyHelpers.h in Headers */ = {isa = PBXBuildFile; fileRef = 0F24E53C17EA9F5900ABB217 /* AssemblyHelpers.h */; settings = {ATTRIBUTES = (Private, ); }; };
                 0F24E54217EA9F5900ABB217 /* CCallHelpers.h in Headers */ = {isa = PBXBuildFile; fileRef = 0F24E53D17EA9F5900ABB217 /* CCallHelpers.h */; settings = {ATTRIBUTES = (Private, ); }; };
@@ -2297 +2296 @@
                 0F235BE717178E7300690C7F /* DFGOSRExitBase.cpp */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.cpp.cpp; name = DFGOSRExitBase.cpp; path = dfg/DFGOSRExitBase.cpp; sourceTree = "<group>"; };
                 0F235BE817178E7300690C7F /* DFGOSRExitBase.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; name = DFGOSRExitBase.h; path = dfg/DFGOSRExitBase.h; sourceTree = "<group>"; };
-                0F235BE917178E7300690C7F /* DFGOSRExitPreparation.cpp */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.cpp.cpp; name = DFGOSRExitPreparation.cpp; path = dfg/DFGOSRExitPreparation.cpp; sourceTree = "<group>"; };
-                0F235BEA17178E7300690C7F /* DFGOSRExitPreparation.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; name = DFGOSRExitPreparation.h; path = dfg/DFGOSRExitPreparation.h; sourceTree = "<group>"; };
                 0F24E53B17EA9F5900ABB217 /* AssemblyHelpers.cpp */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.cpp.cpp; path = AssemblyHelpers.cpp; sourceTree = "<group>"; };
                 0F24E53C17EA9F5900ABB217 /* AssemblyHelpers.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = AssemblyHelpers.h; sourceTree = "<group>"; };
@@ -7873 +7870 @@
                                 0FEFC9A71681A3B000567F53 /* DFGOSRExitJumpPlaceholder.cpp */,
                                 0FEFC9A81681A3B000567F53 /* DFGOSRExitJumpPlaceholder.h */,
-                                0F235BE917178E7300690C7F /* DFGOSRExitPreparation.cpp */,
-                                0F235BEA17178E7300690C7F /* DFGOSRExitPreparation.h */,
                                 0F6237951AE45CA700D402EA /* DFGPhantomInsertionPhase.cpp */,
                                 0F6237961AE45CA700D402EA /* DFGPhantomInsertionPhase.h */,
@@ -9240 +9235 @@
                                 0F392C8A1B46188400844728 /* DFGOSRExitFuzz.h in Headers */,
                                 0FEFC9AB1681A3B600567F53 /* DFGOSRExitJumpPlaceholder.h in Headers */,
-                                0F235BEE17178E7300690C7F /* DFGOSRExitPreparation.h in Headers */,
                                 0F6237981AE45CA700D402EA /* DFGPhantomInsertionPhase.h in Headers */,
                                 0FFFC95C14EF90AF00C72532 /* DFGPhase.h in Headers */,

trunk/Source/JavaScriptCore/Sources.txt

@@ -383 +383 @@
 dfg/DFGOSRExitFuzz.cpp
 dfg/DFGOSRExitJumpPlaceholder.cpp
-dfg/DFGOSRExitPreparation.cpp
 dfg/DFGObjectAllocationSinkingPhase.cpp
 dfg/DFGObjectMaterializationData.cpp

trunk/Source/JavaScriptCore/bytecode/CodeBlock.h

@@ -893 +893 @@
     }
 
+    MetadataTable* metadataTable() { return m_metadata.get(); }
+    const void* instructionsRawPointer() { return m_instructionsRawPointer; }
+
 protected:
     void finalizeLLIntInlineCaches();

trunk/Source/JavaScriptCore/bytecode/InlineCallFrame.h

@@ -241 +241 @@
 inline CodeBlock* baselineCodeBlockForOriginAndBaselineCodeBlock(const CodeOrigin& codeOrigin, CodeBlock* baselineCodeBlock)
 {
-    ASSERT(baselineCodeBlock->jitType() == JITType::BaselineJIT);
+    ASSERT(JITCode::isBaselineCode(baselineCodeBlock->jitType()));
     auto* inlineCallFrame = codeOrigin.inlineCallFrame();
     if (inlineCallFrame)

trunk/Source/JavaScriptCore/dfg/DFGOSRExit.cpp

@@ -35 +35 @@
 #include "DFGMayExit.h"
 #include "DFGOSRExitCompilerCommon.h"
-#include "DFGOSRExitPreparation.h"
 #include "DFGOperations.h"
 #include "DFGSpeculativeJIT.h"
@@ -373 +372 @@
         // exit ramp code.
 
-        // Ensure we have baseline codeBlocks to OSR exit to.
-        prepareCodeOriginForOSRExit(exec, exit.m_codeOrigin);
-
         CodeBlock* baselineCodeBlock = codeBlock->baselineAlternative();
-        ASSERT(baselineCodeBlock->jitType() == JITType::BaselineJIT);
+        ASSERT(JITCode::isBaselineCode(baselineCodeBlock->jitType()));
 
         SpeculationRecovery* recovery = nullptr;
@@ -407 +403 @@
 
         CodeBlock* codeBlockForExit = baselineCodeBlockForOriginAndBaselineCodeBlock(exit.m_codeOrigin, baselineCodeBlock);
-        const JITCodeMap& codeMap = codeBlockForExit->jitCodeMap();
-        CodeLocationLabel<JSEntryPtrTag> codeLocation = codeMap.find(exit.m_codeOrigin.bytecodeIndex());
-        ASSERT(codeLocation);
-
-        void* jumpTarget = codeLocation.executableAddress();
+        bool exitToLLInt = Options::forceOSRExitToLLInt() || codeBlockForExit->jitType() == JITType::InterpreterThunk;
+        void* jumpTarget;
+        if (exitToLLInt) {
+            unsigned bytecodeOffset = exit.m_codeOrigin.bytecodeIndex();
+            const Instruction& currentInstruction = *codeBlockForExit->instructions().at(bytecodeOffset).ptr();
+            MacroAssemblerCodePtr<JSEntryPtrTag> destination = LLInt::getCodePtr<JSEntryPtrTag>(currentInstruction);
+            jumpTarget = destination.executableAddress();    
+        } else {
+            const JITCodeMap& codeMap = codeBlockForExit->jitCodeMap();
+            CodeLocationLabel<JSEntryPtrTag> codeLocation = codeMap.find(exit.m_codeOrigin.bytecodeIndex());
+            ASSERT(codeLocation);
+            jumpTarget = codeLocation.executableAddress();
+        }
 
         // Compute the value recoveries.
@@ -419 +423 @@
         ptrdiff_t stackPointerOffset = -static_cast<ptrdiff_t>(codeBlock->jitCode()->dfgCommon()->requiredRegisterCountForExit) * sizeof(Register);
 
-        exit.exitState = adoptRef(new OSRExitState(exit, codeBlock, baselineCodeBlock, operands, WTFMove(undefinedOperandSpans), recovery, stackPointerOffset, activeThreshold, adjustedThreshold, jumpTarget, arrayProfile));
+        exit.exitState = adoptRef(new OSRExitState(exit, codeBlock, baselineCodeBlock, operands, WTFMove(undefinedOperandSpans), recovery, stackPointerOffset, activeThreshold, adjustedThreshold, jumpTarget, arrayProfile, exitToLLInt));
 
         if (UNLIKELY(vm.m_perBytecodeProfiler && codeBlock->jitCode()->dfgCommon()->compilation)) {
@@ -447 +451 @@
     OSRExitState& exitState = *exit.exitState.get();
     CodeBlock* baselineCodeBlock = exitState.baselineCodeBlock;
-    ASSERT(baselineCodeBlock->jitType() == JITType::BaselineJIT);
+    ASSERT(JITCode::isBaselineCode(baselineCodeBlock->jitType()));
 
     Operands<ValueRecovery>& operands = exitState.operands;
@@ -758 +762 @@
     // in presence of inlined tail calls.
     // https://bugs.webkit.org/show_bug.cgi?id=147511
-    ASSERT(outermostBaselineCodeBlock->jitType() == JITType::BaselineJIT);
+    ASSERT(JITCode::isBaselineCode(outermostBaselineCodeBlock->jitType()));
     frame.setOperand<CodeBlock*>(CallFrameSlot::codeBlock, outermostBaselineCodeBlock);
 
@@ -769 +773 @@
         void* callerFrame = cpu.fp();
 
+        bool callerIsLLInt = false;
+
         if (!trueCaller) {
             ASSERT(inlineCallFrame->isTail());
@@ -782 +788 @@
             CodeBlock* baselineCodeBlockForCaller = baselineCodeBlockForOriginAndBaselineCodeBlock(*trueCaller, outermostBaselineCodeBlock);
             unsigned callBytecodeIndex = trueCaller->bytecodeIndex();
-            MacroAssemblerCodePtr<JSInternalPtrTag> jumpTarget;
-
-            switch (trueCallerCallKind) {
-            case InlineCallFrame::Call:
-            case InlineCallFrame::Construct:
-            case InlineCallFrame::CallVarargs:
-            case InlineCallFrame::ConstructVarargs:
-            case InlineCallFrame::TailCall:
-            case InlineCallFrame::TailCallVarargs: {
-                CallLinkInfo* callLinkInfo =
-                    baselineCodeBlockForCaller->getCallLinkInfoForBytecodeIndex(callBytecodeIndex);
-                RELEASE_ASSERT(callLinkInfo);
-
-                jumpTarget = callLinkInfo->callReturnLocation();
-                break;
-            }
-
-            case InlineCallFrame::GetterCall:
-            case InlineCallFrame::SetterCall: {
-                StructureStubInfo* stubInfo =
-                    baselineCodeBlockForCaller->findStubInfo(CodeOrigin(callBytecodeIndex));
-                RELEASE_ASSERT(stubInfo);
-
-                jumpTarget = stubInfo->doneLocation();
-                break;
-            }
-
-            default:
-                RELEASE_ASSERT_NOT_REACHED();
-            }
+            void* jumpTarget = callerReturnPC(baselineCodeBlockForCaller, callBytecodeIndex, trueCallerCallKind, callerIsLLInt);
 
             if (trueCaller->inlineCallFrame())
                 callerFrame = cpu.fp<uint8_t*>() + trueCaller->inlineCallFrame()->stackOffset * sizeof(EncodedJSValue);
 
-            void* targetAddress = jumpTarget.executableAddress();
 #if CPU(ARM64E)
             void* newEntrySP = cpu.fp<uint8_t*>() + inlineCallFrame->returnPCOffset() + sizeof(void*);
-            targetAddress = retagCodePtr(targetAddress, JSInternalPtrTag, bitwise_cast<PtrTag>(newEntrySP));
-#endif
-            frame.set<void*>(inlineCallFrame->returnPCOffset(), targetAddress);
+            jumpTarget = tagCodePtr(jumpTarget, bitwise_cast<PtrTag>(newEntrySP));
+#endif
+            frame.set<void*>(inlineCallFrame->returnPCOffset(), jumpTarget);
         }
 
@@ -830 +806 @@
         // copy the prior contents of the tag registers already saved for the outer frame to this frame.
         saveOrCopyCalleeSavesFor(context, baselineCodeBlock, VirtualRegister(inlineCallFrame->stackOffset), !trueCaller);
+
+        if (callerIsLLInt) {
+            CodeBlock* baselineCodeBlockForCaller = baselineCodeBlockForOriginAndBaselineCodeBlock(*trueCaller, outermostBaselineCodeBlock);
+            frame.set<const void*>(calleeSaveSlot(inlineCallFrame, baselineCodeBlock, LLInt::Registers::metadataTableGPR).offset, baselineCodeBlockForCaller->metadataTable());
+#if USE(JSVALUE64)
+            frame.set<const void*>(calleeSaveSlot(inlineCallFrame, baselineCodeBlock, LLInt::Registers::pbGPR).offset, baselineCodeBlockForCaller->instructionsRawPointer());
+#endif
+        }
 
         if (!inlineCallFrame->isVarargs())
@@ -895 +879 @@
 
     vm.topCallFrame = context.fp<ExecState*>();
+
+    if (exitState->isJumpToLLInt) {
+        CodeBlock* codeBlockForExit = baselineCodeBlockForOriginAndBaselineCodeBlock(exit.m_codeOrigin, baselineCodeBlock);
+        unsigned bytecodeOffset = exit.m_codeOrigin.bytecodeIndex();
+        const Instruction& currentInstruction = *codeBlockForExit->instructions().at(bytecodeOffset).ptr();
+
+        context.gpr(LLInt::Registers::metadataTableGPR) = bitwise_cast<uintptr_t>(codeBlockForExit->metadataTable());
+#if USE(JSVALUE64)
+        context.gpr(LLInt::Registers::pbGPR) = bitwise_cast<uintptr_t>(codeBlockForExit->instructionsRawPointer());
+        context.gpr(LLInt::Registers::pcGPR) = static_cast<uintptr_t>(exit.m_codeOrigin.bytecodeIndex());
+#else
+        context.gpr(LLInt::Registers::pcGPR) = bitwise_cast<uintptr_t>(&currentInstruction);
+#endif
+
+        if (exit.isExceptionHandler())
+            vm.targetInterpreterPCForThrow = &currentInstruction;
+    }
+
     context.pc() = untagCodePtr<JSEntryPtrTag>(jumpTarget);
 }
@@ -1053 +1055 @@
     EXCEPTION_ASSERT_UNUSED(scope, !!scope.exception() || !exit.isExceptionHandler());
     
-    prepareCodeOriginForOSRExit(exec, exit.m_codeOrigin);
-
     // Compute the value recoveries.
     Operands<ValueRecovery> operands;

trunk/Source/JavaScriptCore/dfg/DFGOSRExit.h

@@ -107 +107 @@
 
 struct OSRExitState : RefCounted<OSRExitState> {
-    OSRExitState(OSRExitBase& exit, CodeBlock* codeBlock, CodeBlock* baselineCodeBlock, Operands<ValueRecovery>& operands, Vector<UndefinedOperandSpan>&& undefinedOperandSpans, SpeculationRecovery* recovery, ptrdiff_t stackPointerOffset, int32_t activeThreshold, double memoryUsageAdjustedThreshold, void* jumpTarget, ArrayProfile* arrayProfile)
+    OSRExitState(OSRExitBase& exit, CodeBlock* codeBlock, CodeBlock* baselineCodeBlock, Operands<ValueRecovery>& operands, Vector<UndefinedOperandSpan>&& undefinedOperandSpans, SpeculationRecovery* recovery, ptrdiff_t stackPointerOffset, int32_t activeThreshold, double memoryUsageAdjustedThreshold, void* jumpTarget, ArrayProfile* arrayProfile, bool isJumpToLLInt)
         : exit(exit)
         , codeBlock(codeBlock)
@@ -119 +119 @@
         , jumpTarget(jumpTarget)
         , arrayProfile(arrayProfile)
+        , isJumpToLLInt(isJumpToLLInt)
     { }
 
@@ -132 +133 @@
     void* jumpTarget;
     ArrayProfile* arrayProfile;
+    bool isJumpToLLInt;
 
     ExtraInitializationLevel extraInitializationLevel;

trunk/Source/JavaScriptCore/dfg/DFGOSRExitCompilerCommon.cpp

@@ -34 +34 @@
 #include "JSCJSValueInlines.h"
 #include "JSCInlines.h"
+#include "LLIntData.h"
 #include "StructureStubInfo.h"
 
 namespace JSC { namespace DFG {
+
+// These are the LLInt OSR exit return points.
+extern "C" void op_call_return_location_narrow();
+extern "C" void op_call_return_location_wide_16();
+extern "C" void op_call_return_location_wide_32();
+
+extern "C" void op_construct_return_location_narrow();
+extern "C" void op_construct_return_location_wide_16();
+extern "C" void op_construct_return_location_wide_32();
+
+extern "C" void op_call_varargs_slow_return_location_narrow();
+extern "C" void op_call_varargs_slow_return_location_wide_16();
+extern "C" void op_call_varargs_slow_return_location_wide_32();
+
+extern "C" void op_construct_varargs_slow_return_location_narrow();
+extern "C" void op_construct_varargs_slow_return_location_wide_16();
+extern "C" void op_construct_varargs_slow_return_location_wide_32();
+
+extern "C" void op_get_by_id_return_location_narrow();
+extern "C" void op_get_by_id_return_location_wide_16();
+extern "C" void op_get_by_id_return_location_wide_32();
+
+extern "C" void op_get_by_val_return_location_narrow();
+extern "C" void op_get_by_val_return_location_wide_16();
+extern "C" void op_get_by_val_return_location_wide_32();
+
+extern "C" void op_put_by_id_return_location_narrow();
+extern "C" void op_put_by_id_return_location_wide_16();
+extern "C" void op_put_by_id_return_location_wide_32();
+
+extern "C" void op_put_by_val_return_location_narrow();
+extern "C" void op_put_by_val_return_location_wide_16();
+extern "C" void op_put_by_val_return_location_wide_32();
 
 void handleExitCounts(CCallHelpers& jit, const OSRExitBase& exit)
@@ -137 +171 @@
 }
 
+void* callerReturnPC(CodeBlock* baselineCodeBlockForCaller, unsigned callBytecodeIndex, InlineCallFrame::Kind trueCallerCallKind, bool& callerIsLLInt)
+{
+    callerIsLLInt = Options::forceOSRExitToLLInt() || baselineCodeBlockForCaller->jitType() == JITType::InterpreterThunk;
+
+    void* jumpTarget;
+
+    if (callerIsLLInt) {
+        const Instruction& callInstruction = *baselineCodeBlockForCaller->instructions().at(callBytecodeIndex).ptr();
+
+#define LLINT_RETURN_LOCATION(name) FunctionPtr<NoPtrTag>(callInstruction.isWide16() ? name##_return_location_wide_16 : (callInstruction.isWide32() ? name##_return_location_wide_32 : name##_return_location_narrow)).executableAddress()
+
+        switch (trueCallerCallKind) {
+        case InlineCallFrame::Call:
+            jumpTarget = LLINT_RETURN_LOCATION(op_call);
+            break;
+        case InlineCallFrame::Construct:
+            jumpTarget = LLINT_RETURN_LOCATION(op_construct);
+            break;
+        case InlineCallFrame::CallVarargs:
+            jumpTarget = LLINT_RETURN_LOCATION(op_call_varargs_slow);
+            break;
+        case InlineCallFrame::ConstructVarargs:
+            jumpTarget = LLINT_RETURN_LOCATION(op_construct_varargs_slow);
+            break;
+        case InlineCallFrame::GetterCall: {
+            if (callInstruction.opcodeID() == op_get_by_id)
+                jumpTarget = LLINT_RETURN_LOCATION(op_get_by_id);
+            else if (callInstruction.opcodeID() == op_get_by_val)
+                jumpTarget = LLINT_RETURN_LOCATION(op_get_by_val);
+            else
+                RELEASE_ASSERT_NOT_REACHED();
+            break;
+        }
+        case InlineCallFrame::SetterCall: {
+            if (callInstruction.opcodeID() == op_put_by_id)
+                jumpTarget = LLINT_RETURN_LOCATION(op_put_by_id);
+            else if (callInstruction.opcodeID() == op_put_by_val)
+                jumpTarget = LLINT_RETURN_LOCATION(op_put_by_val);
+            else
+                RELEASE_ASSERT_NOT_REACHED();
+            break;
+        }
+        default:
+            RELEASE_ASSERT_NOT_REACHED();
+        }
+
+#undef LLINT_RETURN_LOCATION
+
+    } else {
+        switch (trueCallerCallKind) {
+        case InlineCallFrame::Call:
+        case InlineCallFrame::Construct:
+        case InlineCallFrame::CallVarargs:
+        case InlineCallFrame::ConstructVarargs: {
+            CallLinkInfo* callLinkInfo =
+                baselineCodeBlockForCaller->getCallLinkInfoForBytecodeIndex(callBytecodeIndex);
+            RELEASE_ASSERT(callLinkInfo);
+
+            jumpTarget = callLinkInfo->callReturnLocation().untaggedExecutableAddress();
+            break;
+        }
+
+        case InlineCallFrame::GetterCall:
+        case InlineCallFrame::SetterCall: {
+            StructureStubInfo* stubInfo =
+                baselineCodeBlockForCaller->findStubInfo(CodeOrigin(callBytecodeIndex));
+            RELEASE_ASSERT(stubInfo);
+
+            jumpTarget = stubInfo->doneLocation().untaggedExecutableAddress();
+            break;
+        }
+
+        default:
+            RELEASE_ASSERT_NOT_REACHED();
+        }
+    }
+
+    return jumpTarget;
+}
+
+CCallHelpers::Address calleeSaveSlot(InlineCallFrame* inlineCallFrame, CodeBlock* baselineCodeBlock, GPRReg calleeSave)
+{
+    const RegisterAtOffsetList* calleeSaves = baselineCodeBlock->calleeSaveRegisters();
+    for (unsigned i = 0; i < calleeSaves->size(); i++) {
+        RegisterAtOffset entry = calleeSaves->at(i);
+        if (entry.reg() != calleeSave)
+            continue;
+        return CCallHelpers::Address(CCallHelpers::framePointerRegister, static_cast<VirtualRegister>(inlineCallFrame->stackOffset).offsetInBytes() + entry.offset());
+    }
+
+    RELEASE_ASSERT_NOT_REACHED();
+    return CCallHelpers::Address(CCallHelpers::framePointerRegister);
+}
+
 void reifyInlinedCallFrames(CCallHelpers& jit, const OSRExitBase& exit)
 {
@@ -142 +270 @@
     // in presence of inlined tail calls.
     // https://bugs.webkit.org/show_bug.cgi?id=147511
-    ASSERT(jit.baselineCodeBlock()->jitType() == JITType::BaselineJIT);
+    ASSERT(JITCode::isBaselineCode(jit.baselineCodeBlock()->jitType()));
     jit.storePtr(AssemblyHelpers::TrustedImmPtr(jit.baselineCodeBlock()), AssemblyHelpers::addressFor((VirtualRegister)CallFrameSlot::codeBlock));
 
@@ -152 +280 @@
         CodeOrigin* trueCaller = inlineCallFrame->getCallerSkippingTailCalls(&trueCallerCallKind);
         GPRReg callerFrameGPR = GPRInfo::callFrameRegister;
+
+        bool callerIsLLInt = false;
 
         if (!trueCaller) {
@@ -168 +298 @@
             CodeBlock* baselineCodeBlockForCaller = jit.baselineCodeBlockFor(*trueCaller);
             unsigned callBytecodeIndex = trueCaller->bytecodeIndex();
-            void* jumpTarget = nullptr;
-
-            switch (trueCallerCallKind) {
-            case InlineCallFrame::Call:
-            case InlineCallFrame::Construct:
-            case InlineCallFrame::CallVarargs:
-            case InlineCallFrame::ConstructVarargs:
-            case InlineCallFrame::TailCall:
-            case InlineCallFrame::TailCallVarargs: {
-                CallLinkInfo* callLinkInfo =
-                    baselineCodeBlockForCaller->getCallLinkInfoForBytecodeIndex(callBytecodeIndex);
-                RELEASE_ASSERT(callLinkInfo);
-
-                jumpTarget = callLinkInfo->callReturnLocation().untaggedExecutableAddress();
-                break;
-            }
-
-            case InlineCallFrame::GetterCall:
-            case InlineCallFrame::SetterCall: {
-                StructureStubInfo* stubInfo =
-                    baselineCodeBlockForCaller->findStubInfo(CodeOrigin(callBytecodeIndex));
-                RELEASE_ASSERT(stubInfo);
-
-                jumpTarget = stubInfo->doneLocation().untaggedExecutableAddress();
-                break;
-            }
-
-            default:
-                RELEASE_ASSERT_NOT_REACHED();
-            }
+            void* jumpTarget = callerReturnPC(baselineCodeBlockForCaller, callBytecodeIndex, trueCallerCallKind, callerIsLLInt);
 
             if (trueCaller->inlineCallFrame()) {
@@ -227 +328 @@
             trueCaller ? AssemblyHelpers::UseExistingTagRegisterContents : AssemblyHelpers::CopyBaselineCalleeSavedRegistersFromBaseFrame,
             GPRInfo::regT2);
+
+        if (callerIsLLInt) {
+            CodeBlock* baselineCodeBlockForCaller = jit.baselineCodeBlockFor(*trueCaller);
+            jit.storePtr(CCallHelpers::TrustedImmPtr(baselineCodeBlockForCaller->metadataTable()), calleeSaveSlot(inlineCallFrame, baselineCodeBlock, LLInt::Registers::metadataTableGPR));
+#if USE(JSVALUE64)
+            jit.storePtr(CCallHelpers::TrustedImmPtr(baselineCodeBlockForCaller->instructionsRawPointer()), calleeSaveSlot(inlineCallFrame, baselineCodeBlock, LLInt::Registers::pbGPR));
+#endif
+        }
 
         if (!inlineCallFrame->isVarargs())
@@ -302 +411 @@
     CodeBlock* codeBlockForExit = jit.baselineCodeBlockFor(exit.m_codeOrigin);
     ASSERT(codeBlockForExit == codeBlockForExit->baselineVersion());
-    ASSERT(codeBlockForExit->jitType() == JITType::BaselineJIT);
-    CodeLocationLabel<JSEntryPtrTag> codeLocation = codeBlockForExit->jitCodeMap().find(exit.m_codeOrigin.bytecodeIndex());
-    ASSERT(codeLocation);
-
-    void* jumpTarget = codeLocation.retagged<OSRExitPtrTag>().executableAddress();
+    ASSERT(JITCode::isBaselineCode(codeBlockForExit->jitType()));
+
+    void* jumpTarget;
+    bool exitToLLInt = Options::forceOSRExitToLLInt() || codeBlockForExit->jitType() == JITType::InterpreterThunk;
+    if (exitToLLInt) {
+        unsigned bytecodeOffset = exit.m_codeOrigin.bytecodeIndex();
+        const Instruction& currentInstruction = *codeBlockForExit->instructions().at(bytecodeOffset).ptr();
+        MacroAssemblerCodePtr<JSEntryPtrTag> destination = LLInt::getCodePtr<JSEntryPtrTag>(currentInstruction);
+
+        if (exit.isExceptionHandler()) {
+            jit.move(CCallHelpers::TrustedImmPtr(&currentInstruction), GPRInfo::regT2);
+            jit.storePtr(GPRInfo::regT2, &vm.targetInterpreterPCForThrow);
+        }
+
+        jit.move(CCallHelpers::TrustedImmPtr(codeBlockForExit->metadataTable()), LLInt::Registers::metadataTableGPR);
+#if USE(JSVALUE64)
+        jit.move(CCallHelpers::TrustedImmPtr(codeBlockForExit->instructionsRawPointer()), LLInt::Registers::pbGPR);
+        jit.move(CCallHelpers::TrustedImm32(bytecodeOffset), LLInt::Registers::pcGPR);
+#else
+        jit.move(CCallHelpers::TrustedImmPtr(&currentInstruction), LLInt::Registers::pcGPR);
+#endif
+        jumpTarget = destination.retagged<OSRExitPtrTag>().executableAddress();
+    } else {
+        CodeLocationLabel<JSEntryPtrTag> codeLocation = codeBlockForExit->jitCodeMap().find(exit.m_codeOrigin.bytecodeIndex());
+        ASSERT(codeLocation);
+
+        jumpTarget = codeLocation.retagged<OSRExitPtrTag>().executableAddress();
+    }
+
     jit.addPtr(AssemblyHelpers::TrustedImm32(JIT::stackPointerOffsetFor(codeBlockForExit) * sizeof(Register)), GPRInfo::callFrameRegister, AssemblyHelpers::stackPointerRegister);
     if (exit.isExceptionHandler()) {

trunk/Source/JavaScriptCore/dfg/DFGOSRExitCompilerCommon.h

@@ -40 +40 @@
 void reifyInlinedCallFrames(CCallHelpers&, const OSRExitBase&);
 void adjustAndJumpToTarget(VM&, CCallHelpers&, const OSRExitBase&);
+void* callerReturnPC(CodeBlock* baselineCodeBlockForCaller, unsigned callBytecodeOffset, InlineCallFrame::Kind callerKind, bool& callerIsLLInt);
+CCallHelpers::Address calleeSaveSlot(InlineCallFrame*, CodeBlock* baselineCodeBlock, GPRReg calleeSave);
 
 template <typename JITCodeType>

trunk/Source/JavaScriptCore/ftl/FTLOSRExitCompiler.cpp

@@ -31 +31 @@
 #include "BytecodeStructs.h"
 #include "DFGOSRExitCompilerCommon.h"
-#include "DFGOSRExitPreparation.h"
 #include "FTLExitArgumentForOperand.h"
 #include "FTLJITCode.h"
@@ -545 +544 @@
     }
 
-    prepareCodeOriginForOSRExit(exec, exit.m_codeOrigin);
-
     compileStub(exitID, jitCode, exit, &vm, codeBlock);
 

trunk/Source/JavaScriptCore/llint/LLIntData.h

@@ -26 +26 @@
 #pragma once
 
+#include "GPRInfo.h"
+#include "Instruction.h"
 #include "JSCJSValue.h"
 #include "MacroAssemblerCodeRef.h"
@@ -33 +35 @@
 
 class VM;
-struct Instruction;
 
 #if ENABLE(C_LOOP)
@@ -146 +147 @@
 
 template<PtrTag tag>
+ALWAYS_INLINE MacroAssemblerCodePtr<tag> getCodePtr(const Instruction& instruction)
+{
+    if (instruction.isWide16())
+        return getWide16CodePtr<tag>(instruction.opcodeID());
+    if (instruction.isWide32())
+        return getWide32CodePtr<tag>(instruction.opcodeID());
+    return getCodePtr<tag>(instruction.opcodeID());
+}
+
+template<PtrTag tag>
 ALWAYS_INLINE MacroAssemblerCodeRef<tag> getCodeRef(OpcodeID opcodeID)
 {
@@ -185 +196 @@
 }
 
+#if ENABLE(JIT)
+struct Registers {
+    static const GPRReg pcGPR = GPRInfo::regT4;
+
+#if CPU(X86_64) && !OS(WINDOWS)
+    static const GPRReg metadataTableGPR = GPRInfo::regCS1;
+    static const GPRReg pbGPR = GPRInfo::regCS2;
+#elif CPU(X86_64) && OS(WINDOWS)
+    static const GPRReg metadataTableGPR = GPRInfo::regCS3;
+    static const GPRReg pbGPR = GPRInfo::regCS4;
+#elif CPU(ARM64)
+    static const GPRReg metadataTableGPR = GPRInfo::regCS6;
+    static const GPRReg pbGPR = GPRInfo::regCS7;
+#elif CPU(MIPS) || CPU(ARM_THUMB2)
+    static const GPRReg metadataTableGPR = GPRInfo::regCS0;
+#endif
+};
+#endif
+
 } } // namespace JSC::LLInt

trunk/Source/JavaScriptCore/llint/LowLevelInterpreter.asm

@@ -930 +930 @@
 end
 
-macro callTargetFunction(size, opcodeStruct, dispatch, callee, callPtrTag)
+macro defineOSRExitReturnLabel(opcodeName, size)
+    macro defineNarrow()
+        global _%opcodeName%_return_location_narrow
+        _%opcodeName%_return_location_narrow:
+    end
+
+    macro defineWide16()
+        global _%opcodeName%_return_location_wide_16
+        _%opcodeName%_return_location_wide_16:
+    end
+
+    macro defineWide32()
+        global _%opcodeName%_return_location_wide_32
+        _%opcodeName%_return_location_wide_32:
+    end
+
+    size(defineNarrow, defineWide16, defineWide32, macro (f) f() end)
+end
+
+macro callTargetFunction(opcodeName, size, opcodeStruct, dispatch, callee, callPtrTag)
     if C_LOOP or C_LOOP_WIN
         cloopCallJSFunction callee
@@ -936 +955 @@
         call callee, callPtrTag
     end
+
+    defineOSRExitReturnLabel(opcodeName, size)
     restoreStackPointerAfterCall()
     dispatchAfterCall(size, opcodeStruct, dispatch)
@@ -1005 +1026 @@
 end
 
-macro slowPathForCall(size, opcodeStruct, dispatch, slowPath, prepareCall)
+macro slowPathForCall(opcodeName, size, opcodeStruct, dispatch, slowPath, prepareCall)
     callCallSlowPath(
         slowPath,
@@ -1014 +1035 @@
             prepareCall(callee, t2, t3, t4, SlowPathPtrTag)
         .dontUpdateSP:
-            callTargetFunction(size, opcodeStruct, dispatch, callee, SlowPathPtrTag)
+            callTargetFunction(%opcodeName%_slow, size, opcodeStruct, dispatch, callee, SlowPathPtrTag)
         end)
+end
+
+macro getterSetterOSRExitReturnPoint(opName, size)
+    crash() # We don't reach this in straight line code. We only reach it via returning to the code below when reconstructing stack frames during OSR exit.
+
+    defineOSRExitReturnLabel(opName, size)
+
+    restoreStackPointerAfterCall()
+    loadi ArgumentCount + TagOffset[cfr], PC
 end
 
@@ -1742 +1772 @@
 
 
-macro doCallVarargs(size, opcodeStruct, dispatch, frameSlowPath, slowPath, prepareCall)
+macro doCallVarargs(opcodeName, size, opcodeStruct, dispatch, frameSlowPath, slowPath, prepareCall)
     callSlowPath(frameSlowPath)
     branchIfException(_llint_throw_from_slow_path_trampoline)
@@ -1757 +1787 @@
         end
     end
-    slowPathForCall(size, opcodeStruct, dispatch, slowPath, prepareCall)
+    slowPathForCall(opcodeName, size, opcodeStruct, dispatch, slowPath, prepareCall)
 end
 
 
 llintOp(op_call_varargs, OpCallVarargs, macro (size, get, dispatch)
-    doCallVarargs(size, OpCallVarargs, dispatch, _llint_slow_path_size_frame_for_varargs, _llint_slow_path_call_varargs, prepareForRegularCall)
+    doCallVarargs(op_call_varargs, size, OpCallVarargs, dispatch, _llint_slow_path_size_frame_for_varargs, _llint_slow_path_call_varargs, prepareForRegularCall)
 end)
 
@@ -1769 +1799 @@
     # We lie and perform the tail call instead of preparing it since we can't
     # prepare the frame for a call opcode
-    doCallVarargs(size, OpTailCallVarargs, dispatch, _llint_slow_path_size_frame_for_varargs, _llint_slow_path_tail_call_varargs, prepareForTailCall)
+    doCallVarargs(op_tail_call_varargs, size, OpTailCallVarargs, dispatch, _llint_slow_path_size_frame_for_varargs, _llint_slow_path_tail_call_varargs, prepareForTailCall)
 end)
 
@@ -1777 +1807 @@
     # We lie and perform the tail call instead of preparing it since we can't
     # prepare the frame for a call opcode
-    doCallVarargs(size, OpTailCallForwardArguments, dispatch, _llint_slow_path_size_frame_for_forward_arguments, _llint_slow_path_tail_call_forward_arguments, prepareForTailCall)
+    doCallVarargs(op_tail_call_forward_arguments, size, OpTailCallForwardArguments, dispatch, _llint_slow_path_size_frame_for_forward_arguments, _llint_slow_path_tail_call_forward_arguments, prepareForTailCall)
 end)
 
 
 llintOp(op_construct_varargs, OpConstructVarargs, macro (size, get, dispatch)
-    doCallVarargs(size, OpConstructVarargs, dispatch, _llint_slow_path_size_frame_for_varargs, _llint_slow_path_construct_varargs, prepareForRegularCall)
+    doCallVarargs(op_construct_varargs, size, OpConstructVarargs, dispatch, _llint_slow_path_size_frame_for_varargs, _llint_slow_path_construct_varargs, prepareForRegularCall)
 end)
 
@@ -1821 +1851 @@
 _llint_op_call_eval:
     slowPathForCall(
+        op_call_eval_narrow,
         narrow,
         OpCallEval,
@@ -1829 +1860 @@
 _llint_op_call_eval_wide16:
     slowPathForCall(
+        op_call_eval_wide16,
         wide16,
         OpCallEval,
@@ -1837 +1869 @@
 _llint_op_call_eval_wide32:
     slowPathForCall(
+        op_call_eval_wide32,
         wide32,
         OpCallEval,

trunk/Source/JavaScriptCore/llint/LowLevelInterpreter32_64.asm

@@ -1399 +1399 @@
     callSlowPath(_llint_slow_path_get_by_id)
     dispatch()
+
+# osr return point
+    getterSetterOSRExitReturnPoint(op_get_by_id, size)
+    metadata(t2, t3)
+    valueProfile(OpGetById, t2, r1, r0)
+    return(r1, r0)
+
 end)
 
@@ -1461 +1468 @@
     callSlowPath(_llint_slow_path_put_by_id)
     dispatch()
+
+# osr return point
+    getterSetterOSRExitReturnPoint(op_put_by_id, size)
+    dispatch()
+
 end)
 
@@ -1512 +1524 @@
     callSlowPath(_llint_slow_path_get_by_val)
     dispatch()
-end)
-
-
-macro putByValOp(opcodeName, opcodeStruct)
+
+# osr return point
+    getterSetterOSRExitReturnPoint(op_get_by_val, size)
+    metadata(t2, t3)
+    valueProfile(OpGetByVal, t2, r1, r0)
+    return(r1, r0)
+
+end)
+
+
+macro putByValOp(opcodeName, opcodeStruct, osrExitPoint)
     llintOpWithMetadata(op_%opcodeName%, opcodeStruct, macro (size, get, dispatch, metadata, return)
         macro contiguousPutByVal(storeCallback)
@@ -1603 +1622 @@
         callSlowPath(_llint_slow_path_%opcodeName%)
         dispatch()
+
+    .osrExitPoint:
+        osrExitPoint(size, dispatch)
     end)
 end
 
 
-putByValOp(put_by_val, OpPutByVal)
-
-putByValOp(put_by_val_direct, OpPutByValDirect)
+putByValOp(put_by_val, OpPutByVal, macro (size, dispatch)
+    # osr return point
+    getterSetterOSRExitReturnPoint(op_put_by_val, size)
+    dispatch()
+end)
+
+putByValOp(put_by_val_direct, OpPutByValDirect, macro (a, b) end)
 
 
@@ -1876 +1902 @@
         move t3, sp
         prepareCall(%opcodeStruct%::Metadata::m_callLinkInfo.m_machineCodeTarget[t5], t2, t3, t4, JSEntryPtrTag)
-        callTargetFunction(size, opcodeStruct, dispatch, %opcodeStruct%::Metadata::m_callLinkInfo.m_machineCodeTarget[t5], JSEntryPtrTag)
+        callTargetFunction(opcodeName, size, opcodeStruct, dispatch, %opcodeStruct%::Metadata::m_callLinkInfo.m_machineCodeTarget[t5], JSEntryPtrTag)
 
     .opCallSlow:
-        slowPathForCall(size, opcodeStruct, dispatch, slowPath, prepareCall)
+        slowPathForCall(opcodeName, size, opcodeStruct, dispatch, slowPath, prepareCall)
     end)
 end

trunk/Source/JavaScriptCore/llint/LowLevelInterpreter64.asm

@@ -1326 +1326 @@
 end)
 
-
 llintOpWithMetadata(op_get_by_id, OpGetById, macro (size, get, dispatch, metadata, return)
     metadata(t2, t1)
@@ -1377 +1376 @@
     callSlowPath(_llint_slow_path_get_by_id)
     dispatch()
+
+# osr return point
+    getterSetterOSRExitReturnPoint(op_get_by_id, size)
+    metadata(t2, t3)
+    valueProfile(OpGetById, t2, r0)
+    return(r0)
+
 end)
 
@@ -1449 +1455 @@
     callSlowPath(_llint_slow_path_put_by_id)
     dispatch()
+
+# osr return point
+    getterSetterOSRExitReturnPoint(op_put_by_id, size)
+    dispatch()
+
 end)
 
@@ -1620 +1631 @@
     callSlowPath(_llint_slow_path_get_by_val)
     dispatch()
-end)
-
-
-macro putByValOp(opcodeName, opcodeStruct)
+
+# osr return point
+    getterSetterOSRExitReturnPoint(op_get_by_val, size)
+    metadata(t5, t2)
+    valueProfile(OpGetByVal, t5, r0)
+    return(r0)
+
+end)
+
+
+macro putByValOp(opcodeName, opcodeStruct, osrExitPoint)
     llintOpWithMetadata(op_%opcodeName%, opcodeStruct, macro (size, get, dispatch, metadata, return)
         macro contiguousPutByVal(storeCallback)
@@ -1711 +1729 @@
         callSlowPath(_llint_slow_path_%opcodeName%)
         dispatch()
+
+        osrExitPoint(size, dispatch)
+        
     end)
 end
 
-putByValOp(put_by_val, OpPutByVal)
-
-putByValOp(put_by_val_direct, OpPutByValDirect)
+putByValOp(put_by_val, OpPutByVal, macro (size, dispatch)
+    # osr return point
+    getterSetterOSRExitReturnPoint(op_put_by_val, size)
+    dispatch()
+end)
+
+putByValOp(put_by_val_direct, OpPutByValDirect, macro (a, b) end)
 
 
@@ -2005 +2030 @@
         move t3, sp
         prepareCall(%opcodeStruct%::Metadata::m_callLinkInfo.m_machineCodeTarget[t5], t2, t3, t4, JSEntryPtrTag)
-        callTargetFunction(size, opcodeStruct, dispatch, %opcodeStruct%::Metadata::m_callLinkInfo.m_machineCodeTarget[t5], JSEntryPtrTag)
+        callTargetFunction(opcodeName, size, opcodeStruct, dispatch, %opcodeStruct%::Metadata::m_callLinkInfo.m_machineCodeTarget[t5], JSEntryPtrTag)
 
     .opCallSlow:
-        slowPathForCall(size, opcodeStruct, dispatch, slowPath, prepareCall)
+        slowPathForCall(opcodeName, size, opcodeStruct, dispatch, slowPath, prepareCall)
     end)
 end

trunk/Source/JavaScriptCore/offlineasm/asm.rb

@@ -215 +215 @@
     def putsLabel(labelName, isGlobal)
         raise unless @state == :asm
-        @deferredNextLabelActions.each {
-            | action |
-            action.call()
-        }
+        unless isGlobal
+            @deferredNextLabelActions.each {
+                | action |
+                action.call()
+            }
+        end
         @deferredNextLabelActions = []
         @numGlobalLabels += 1
@@ -402 +404 @@
             lowLevelAST.validate
             emitCodeInConfiguration(concreteSettings, lowLevelAST, backend) {
-                 $currentSettings = concreteSettings
+                $currentSettings = concreteSettings
                 $asm.inAsm {
                     lowLevelAST.lower(backend)

trunk/Source/JavaScriptCore/offlineasm/transform.rb

@@ -260 +260 @@
                 end
             }
-            Label.forName(codeOrigin, name, @definedInFile)
+            result = Label.forName(codeOrigin, name, @definedInFile)
+            result.setGlobal() if @global
+            result
         else
             self
@@ -273 +275 @@
                 mapping[var].name
             }
-            Label.forName(codeOrigin, name, @definedInFile)
+            result = Label.forName(codeOrigin, name, @definedInFile)
+            result.setGlobal() if @global
+            result
         else
             self

trunk/Source/JavaScriptCore/runtime/OptionsList.h

@@ -465 +465 @@
     v(Double, dumpJITMemoryFlushInterval, 10, Restricted, "Maximum time in between flushes of the JIT memory dump in seconds.") \
     v(Bool, useUnlinkedCodeBlockJettisoning, false, Normal, "If true, UnlinkedCodeBlock can be jettisoned.") \
+    v(Bool, forceOSRExitToLLInt, false, Normal, "If true, we always exit to the LLInt. If false, we exit to whatever is most convenient.") \
 
 enum OptionEquivalence {

trunk/Tools/ChangeLog

@@ +1 @@
+2019-10-04  Saam Barati  <[email protected]>
+
+        Allow OSR exit to the LLInt
+        https://bugs.webkit.org/show_bug.cgi?id=197993
+
+        Reviewed by Tadeu Zagallo.
+
+        * Scripts/run-jsc-stress-tests:
+
 2019-10-04  Matt Lewis  <[email protected]>
 

trunk/Tools/Scripts/run-jsc-stress-tests

@@ -496 +496 @@
 FTL_OPTIONS = ["--useFTLJIT=true"]
 PROBE_OSR_EXIT_OPTION = ["--useProbeOSRExit=true"]
+FORCE_LLINT_EXIT_OPTIONS = ["--forceOSRExitToLLInt=true"]
 
 require_relative "webkitruby/jsc-stress-test-writer-#{$testWriter}"
@@ -709 +710 @@
 
 def runFTLNoCJITB3O0(*optionalTestSpecificOptions)
-    run("ftl-no-cjit-b3o0", "--useArrayAllocationProfiling=false", "--forcePolyProto=true", *(FTL_OPTIONS + NO_CJIT_OPTIONS + B3O0_OPTIONS + optionalTestSpecificOptions))
+    run("ftl-no-cjit-b3o0", "--useArrayAllocationProfiling=false", "--forcePolyProto=true", *(FTL_OPTIONS + NO_CJIT_OPTIONS + B3O0_OPTIONS + FORCE_LLINT_EXIT_OPTIONS + optionalTestSpecificOptions))
 end
 
@@ -729 +730 @@
 
 def runDFGEager(*optionalTestSpecificOptions)
-    run("dfg-eager", *(EAGER_OPTIONS + COLLECT_CONTINUOUSLY_OPTIONS + PROBE_OSR_EXIT_OPTION + optionalTestSpecificOptions))
+    run("dfg-eager", *(EAGER_OPTIONS + COLLECT_CONTINUOUSLY_OPTIONS + PROBE_OSR_EXIT_OPTION + FORCE_LLINT_EXIT_OPTIONS + optionalTestSpecificOptions))
 end
 
@@ -746 +747 @@
 
 def runFTLEagerNoCJITValidate(*optionalTestSpecificOptions)
-    run("ftl-eager-no-cjit", "--validateGraph=true", "--airForceIRCAllocator=true", *(FTL_OPTIONS + NO_CJIT_OPTIONS + EAGER_OPTIONS + COLLECT_CONTINUOUSLY_OPTIONS + optionalTestSpecificOptions))
+    run("ftl-eager-no-cjit", "--validateGraph=true", "--airForceIRCAllocator=true", *(FTL_OPTIONS + NO_CJIT_OPTIONS + EAGER_OPTIONS + COLLECT_CONTINUOUSLY_OPTIONS + FORCE_LLINT_EXIT_OPTIONS + optionalTestSpecificOptions))
 end