Title: [92148] trunk/Source/_javascript_Core
- Revision
- 92148
- Author
- fpi...@apple.com
- Date
- 2011-08-01 15:32:07 -0700 (Mon, 01 Aug 2011)
Log Message
DFG JIT sometimes creates speculation check data structures that have
invalid information about the format of a register
https://bugs.webkit.org/show_bug.cgi?id=65490
Reviewed by Gavin Barraclough.
The code now makes sure to (1) always have correct and up-to-date
information about register format at the time that a speculation
check is emitted, (2) assert that speculation data is correct
inside the speculation check implementation, and (3) avoid creating
speculation data altogether if compilation has already failed, since
at that point the format data is almost guaranteed to be bogus.
* dfg/DFGNonSpeculativeJIT.cpp:
(JSC::DFG::EntryLocation::EntryLocation):
* dfg/DFGSpeculativeJIT.cpp:
(JSC::DFG::SpeculationCheck::SpeculationCheck):
(JSC::DFG::SpeculativeJIT::fillSpeculateCell):
(JSC::DFG::SpeculativeJIT::compile):
* dfg/DFGSpeculativeJIT.h:
(JSC::DFG::SpeculativeJIT::speculationCheck):
Modified Paths
Diff
Modified: trunk/Source/_javascript_Core/ChangeLog (92147 => 92148)
--- trunk/Source/_javascript_Core/ChangeLog 2011-08-01 22:22:27 UTC (rev 92147)
+++ trunk/Source/_javascript_Core/ChangeLog 2011-08-01 22:32:07 UTC (rev 92148)
@@ -1,5 +1,29 @@
2011-08-01 Filip Pizlo <fpi...@apple.com>
+ DFG JIT sometimes creates speculation check data structures that have
+ invalid information about the format of a register
+ https://bugs.webkit.org/show_bug.cgi?id=65490
+
+ Reviewed by Gavin Barraclough.
+
+ The code now makes sure to (1) always have correct and up-to-date
+ information about register format at the time that a speculation
+ check is emitted, (2) assert that speculation data is correct
+ inside the speculation check implementation, and (3) avoid creating
+ speculation data altogether if compilation has already failed, since
+ at that point the format data is almost guaranteed to be bogus.
+
+ * dfg/DFGNonSpeculativeJIT.cpp:
+ (JSC::DFG::EntryLocation::EntryLocation):
+ * dfg/DFGSpeculativeJIT.cpp:
+ (JSC::DFG::SpeculationCheck::SpeculationCheck):
+ (JSC::DFG::SpeculativeJIT::fillSpeculateCell):
+ (JSC::DFG::SpeculativeJIT::compile):
+ * dfg/DFGSpeculativeJIT.h:
+ (JSC::DFG::SpeculativeJIT::speculationCheck):
+
+2011-08-01 Filip Pizlo <fpi...@apple.com>
+
REGRESSION(r92092): Build fails on 64 bit
https://bugs.webkit.org/show_bug.cgi?id=65458
Modified: trunk/Source/_javascript_Core/dfg/DFGNonSpeculativeJIT.cpp (92147 => 92148)
--- trunk/Source/_javascript_Core/dfg/DFGNonSpeculativeJIT.cpp 2011-08-01 22:22:27 UTC (rev 92147)
+++ trunk/Source/_javascript_Core/dfg/DFGNonSpeculativeJIT.cpp 2011-08-01 22:32:07 UTC (rev 92148)
@@ -43,6 +43,7 @@
GenerationInfo& info = jit->m_generationInfo[iter.name()];
m_gprInfo[iter.index()].nodeIndex = info.nodeIndex();
m_gprInfo[iter.index()].format = info.registerFormat();
+ ASSERT(m_gprInfo[iter.index()].format != DataFormatNone);
m_gprInfo[iter.index()].isSpilled = info.spillFormat() != DataFormatNone;
} else
m_gprInfo[iter.index()].nodeIndex = NoNode;
Modified: trunk/Source/_javascript_Core/dfg/DFGSpeculativeJIT.cpp (92147 => 92148)
--- trunk/Source/_javascript_Core/dfg/DFGSpeculativeJIT.cpp 2011-08-01 22:22:27 UTC (rev 92147)
+++ trunk/Source/_javascript_Core/dfg/DFGSpeculativeJIT.cpp 2011-08-01 22:32:07 UTC (rev 92148)
@@ -150,6 +150,7 @@
GenerationInfo& info = jit->m_generationInfo[iter.name()];
m_gprInfo[iter.index()].nodeIndex = info.nodeIndex();
m_gprInfo[iter.index()].format = info.registerFormat();
+ ASSERT(m_gprInfo[iter.index()].format != DataFormatNone);
m_gprInfo[iter.index()].isSpilled = info.spillFormat() != DataFormatNone;
} else
m_gprInfo[iter.index()].nodeIndex = NoNode;
@@ -315,6 +316,7 @@
m_gprs.retain(gpr, virtualRegister, SpillOrderSpilled);
m_jit.loadPtr(JITCompiler::addressFor(virtualRegister), gpr);
+ info.fillJSValue(gpr, DataFormatJS);
if (info.spillFormat() != DataFormatJSCell)
speculationCheck(m_jit.branchTestPtr(MacroAssembler::NonZero, gpr, GPRInfo::tagMaskRegister));
info.fillJSValue(gpr, DataFormatJSCell);
@@ -684,7 +686,7 @@
SpeculateIntegerOperand op1(this, node.child1());
int32_t imm2 = valueOfInt32Constant(node.child2());
GPRTemporary result(this);
-
+
speculationCheck(m_jit.branchAdd32(MacroAssembler::Overflow, op1.gpr(), Imm32(imm2), result.gpr()));
integerResult(result.gpr(), m_compileIndex);
@@ -903,6 +905,9 @@
GPRReg baseReg = base.gpr();
GPRReg propertyReg = property.gpr();
GPRReg storageReg = storage.gpr();
+
+ if (!m_compileOkay)
+ return;
// Get the array storage. We haven't yet checked this is a JSArray, so this is only safe if
// an access with offset JSArray::storageOffset() is valid for all JSCells!
@@ -940,7 +945,7 @@
if (!m_compileOkay)
return;
-
+
writeBarrier(m_jit, baseReg, scratchReg);
// Check that base is an array, and that property is contained within m_vector (< m_vectorLength).
Modified: trunk/Source/_javascript_Core/dfg/DFGSpeculativeJIT.h (92147 => 92148)
--- trunk/Source/_javascript_Core/dfg/DFGSpeculativeJIT.h 2011-08-01 22:22:27 UTC (rev 92147)
+++ trunk/Source/_javascript_Core/dfg/DFGSpeculativeJIT.h 2011-08-01 22:32:07 UTC (rev 92148)
@@ -186,11 +186,15 @@
// Add a speculation check without additional recovery.
void speculationCheck(MacroAssembler::Jump jumpToFail)
{
+ if (!m_compileOkay)
+ return;
m_speculationChecks.append(SpeculationCheck(jumpToFail, this));
}
// Add a speculation check with additional recovery.
void speculationCheck(MacroAssembler::Jump jumpToFail, const SpeculationRecovery& recovery)
{
+ if (!m_compileOkay)
+ return;
m_speculationRecoveryList.append(recovery);
m_speculationChecks.append(SpeculationCheck(jumpToFail, this, m_speculationRecoveryList.size()));
}
_______________________________________________
webkit-changes mailing list
webkit-changes@lists.webkit.org
http://lists.webkit.org/mailman/listinfo.cgi/webkit-changes
