Modified: branches/safari-609.1.20.1-branch/Source/_javascript_Core/ChangeLog (256991 => 256992)
--- branches/safari-609.1.20.1-branch/Source/_javascript_Core/ChangeLog 2020-02-20 00:29:45 UTC (rev 256991)
+++ branches/safari-609.1.20.1-branch/Source/_javascript_Core/ChangeLog 2020-02-20 00:29:51 UTC (rev 256992)
@@ -1,5 +1,70 @@
2020-02-19 Alan Coon <alanc...@apple.com>
+ Apply patch. rdar://problem/59576803
+
+ 2020-02-19 Yusuke Suzuki <ysuz...@apple.com>
+
+ [JSC] CodeBlock::shrinkToFit should shrink m_constantRegisters and m_constantsSourceCodeRepresentation in 64bit architectures
+ https://bugs.webkit.org/show_bug.cgi?id=207356
+
+ Reviewed by Mark Lam.
+
+ Only 32bit architectures are using m_constantRegisters's address. 64bit architectures are not relying on m_constantRegisters's address.
+ This patches fixes the thing so that CodeBlock::shrinkToFit will shrink m_constantRegisters and m_constantsSourceCodeRepresentation
+ regardless of whether this is EarlyShrink or not. We also move DFG/FTL's LateShrink call to the place after calling DFGCommon reallyAdd
+ since they can add more constant registers.
+
+ Relanding it by fixing dead-lock.
+
+ * bytecode/CodeBlock.cpp:
+ (JSC::CodeBlock::shrinkToFit):
+ * bytecode/CodeBlock.h:
+ * dfg/DFGJITCompiler.cpp:
+ (JSC::DFG::JITCompiler::compile):
+ (JSC::DFG::JITCompiler::compileFunction):
+ * dfg/DFGJITFinalizer.cpp:
+ (JSC::DFG::JITFinalizer::finalizeCommon):
+ * dfg/DFGPlan.cpp:
+ (JSC::DFG::Plan::compileInThreadImpl):
+ (JSC::DFG::Plan::finalizeWithoutNotifyingCallback):
+ * jit/JIT.cpp:
+ (JSC::JIT::link):
+ * jit/JIT.h:
+ * jit/JITInlines.h:
+ (JSC::JIT::emitLoadDouble):
+ (JSC::JIT::emitLoadInt32ToDouble): Deleted.
+
+2020-01-31 Yusuke Suzuki <ysuz...@apple.com>
+
+ [JSC] DFG::CommonData::shrinkToFit called before DFG::Plan::reallyAdd is called
+ https://bugs.webkit.org/show_bug.cgi?id=207083
+
+ Reviewed by Mark Lam.
+
+ We are calling DFG::CommonData::shrinkToFit, but calling this too early: we execute
+ DFG::Plan::reallyAdd(DFG::CommonData*) after that, and this adds many entries to
+ DFG::CommonData*. We should call DFG::CommonData::shrinkToFit after calling DFG::Plan::reallyAdd.
+
+ To implement it, we make DFG::JITCode::shrinkToFit virtual function in JSC::JITCode. Then, we
+ can also implement FTL::JITCode::shrinkToFit which was previously not implemented.
+
+ * dfg/DFGJITCode.cpp:
+ (JSC::DFG::JITCode::shrinkToFit):
+ * dfg/DFGJITCode.h:
+ * dfg/DFGJITCompiler.cpp:
+ (JSC::DFG::JITCompiler::compile):
+ (JSC::DFG::JITCompiler::compileFunction):
+ * dfg/DFGPlan.cpp:
+ (JSC::DFG::Plan::finalizeWithoutNotifyingCallback):
+ * ftl/FTLJITCode.cpp:
+ (JSC::FTL::JITCode::shrinkToFit):
+ * ftl/FTLJITCode.h:
+ * jit/JITCode.cpp:
+ (JSC::JITCode::shrinkToFit):
+ * jit/JITCode.h:
+
+2020-02-19 Alan Coon <alanc...@apple.com>
+
Apply patch. rdar://problem/59576778
2020-02-19 Yusuke Suzuki <ysuz...@apple.com>
Modified: branches/safari-609.1.20.1-branch/Source/_javascript_Core/bytecode/CodeBlock.cpp (256991 => 256992)
--- branches/safari-609.1.20.1-branch/Source/_javascript_Core/bytecode/CodeBlock.cpp 2020-02-20 00:29:45 UTC (rev 256991)
+++ branches/safari-609.1.20.1-branch/Source/_javascript_Core/bytecode/CodeBlock.cpp 2020-02-20 00:29:51 UTC (rev 256992)
@@ -1894,19 +1894,23 @@
return false;
}
-void CodeBlock::shrinkToFit(ShrinkMode shrinkMode)
+void CodeBlock::shrinkToFit(const ConcurrentJSLocker&, ShrinkMode shrinkMode)
{
- ConcurrentJSLocker locker(m_lock);
-
#if ENABLE(JIT)
if (auto* jitData = m_jitData.get())
jitData->m_rareCaseProfiles.shrinkToFit();
#endif
- if (shrinkMode == EarlyShrink) {
+#if USE(JSVALUE32_64)
+ // Only 32bit Baseline JIT is touching m_constantRegisters address directly.
+ if (shrinkMode == ShrinkMode::EarlyShrink)
m_constantRegisters.shrinkToFit();
- m_constantsSourceCodeRepresentation.shrinkToFit();
-
+#else
+ m_constantRegisters.shrinkToFit();
+#endif
+ m_constantsSourceCodeRepresentation.shrinkToFit();
+
+ if (shrinkMode == ShrinkMode::EarlyShrink) {
if (m_rareData) {
m_rareData->m_switchJumpTables.shrinkToFit();
m_rareData->m_stringSwitchJumpTables.shrinkToFit();
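Review bot: The comment on the `USE(JSVALUE32_64)` branch names which JIT touches the address of m_constantRegisters but not why that forbids a late shrink, which is the memory-safety invariant this whole function now encodes: a reallocation after code generation would leave the constant-pool addresses embedded in Baseline machine code (the `TrustedImmPtr(&inConstantPool)` in JITInlines.h's emitLoadDouble) dangling. I would make the consequence explicit, e.g. `// Only the 32bit Baseline JIT embeds the address of m_constantRegisters entries into machine code (JIT::emitLoadDouble), so once code exists (LateShrink) the vector must not be reallocated.` On 64bit the unconditional shrink relies on no JIT tier embedding those addresses, which this hunk cannot show; a one-line comment stating that assumption would help the next person who adds a constant-pool fast path. The rest of shrinkToFit continues below the hunk.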
Modified: branches/safari-609.1.20.1-branch/Source/_javascript_Core/bytecode/CodeBlock.h (256991 => 256992)
--- branches/safari-609.1.20.1-branch/Source/_javascript_Core/bytecode/CodeBlock.h 2020-02-20 00:29:45 UTC (rev 256991)
+++ branches/safari-609.1.20.1-branch/Source/_javascript_Core/bytecode/CodeBlock.h 2020-02-20 00:29:51 UTC (rev 256992)
@@ -629,7 +629,7 @@
DirectEvalCodeCache& directEvalCodeCache() { createRareDataIfNecessary(); return m_rareData->m_directEvalCodeCache; }
- enum ShrinkMode {
+ enum class ShrinkMode {
// Shrink prior to generating machine code that may point directly into vectors.
EarlyShrink,
@@ -636,9 +636,9 @@
// Shrink after generating machine code, and after possibly creating new vectors
// and appending to others. At this time it is not safe to shrink certain vectors
// because we would have generated machine code that references them directly.
- LateShrink
+ LateShrink,
};
- void shrinkToFit(ShrinkMode);
+ void shrinkToFit(const ConcurrentJSLocker&, ShrinkMode);
// Functions for controlling when JITting kicks in, in a mixed mode
// execution world.
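Review bot: The new `shrinkToFit(const ConcurrentJSLocker&, ShrinkMode)` no longer takes m_lock itself, but the declaration does not say so; the unnamed locker is only a type-level token and would be satisfied by a locker for any other ConcurrentJSLock. Since every caller (JIT::link, DFG::Plan) must now hold this CodeBlock's m_lock, I would document the precondition on the declaration: `// Caller must hold m_lock; the locker is the proof. Re-acquiring it inside would dead-lock.` The enum-class change above is fine and the qualified `ShrinkMode::EarlyShrink` uses in the callers match it.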
Modified: branches/safari-609.1.20.1-branch/Source/_javascript_Core/dfg/DFGJITCode.cpp (256991 => 256992)
--- branches/safari-609.1.20.1-branch/Source/_javascript_Core/dfg/DFGJITCode.cpp 2020-02-20 00:29:45 UTC (rev 256991)
+++ branches/safari-609.1.20.1-branch/Source/_javascript_Core/dfg/DFGJITCode.cpp 2020-02-20 00:29:51 UTC (rev 256992)
@@ -58,7 +58,7 @@
return this;
}
-void JITCode::shrinkToFit()
+void JITCode::shrinkToFit(const ConcurrentJSLocker&)
{
common.shrinkToFit();
osrEntry.shrinkToFit();
Modified: branches/safari-609.1.20.1-branch/Source/_javascript_Core/dfg/DFGJITCode.h (256991 => 256992)
--- branches/safari-609.1.20.1-branch/Source/_javascript_Core/dfg/DFGJITCode.h 2020-02-20 00:29:45 UTC (rev 256991)
+++ branches/safari-609.1.20.1-branch/Source/_javascript_Core/dfg/DFGJITCode.h 2020-02-20 00:29:51 UTC (rev 256992)
@@ -115,7 +115,7 @@
void validateReferences(const TrackedReferences&) override;
- void shrinkToFit();
+ void shrinkToFit(const ConcurrentJSLocker&) override;
RegisterSet liveRegistersToPreserveAtExceptionHandlingCallSite(CodeBlock*, CallSiteIndex) override;
#if ENABLE(FTL_JIT)
Modified: branches/safari-609.1.20.1-branch/Source/_javascript_Core/dfg/DFGJITCompiler.cpp (256991 => 256992)
--- branches/safari-609.1.20.1-branch/Source/_javascript_Core/dfg/DFGJITCompiler.cpp 2020-02-20 00:29:45 UTC (rev 256991)
+++ branches/safari-609.1.20.1-branch/Source/_javascript_Core/dfg/DFGJITCompiler.cpp 2020-02-20 00:29:51 UTC (rev 256992)
@@ -402,9 +402,6 @@
link(*linkBuffer);
m_speculative->linkOSREntries(*linkBuffer);
- m_jitCode->shrinkToFit();
- codeBlock()->shrinkToFit(CodeBlock::LateShrink);
-
disassemble(*linkBuffer);
m_graph.m_plan.setFinalizer(makeUnique<JITFinalizer>(
@@ -506,9 +503,6 @@
link(*linkBuffer);
m_speculative->linkOSREntries(*linkBuffer);
- m_jitCode->shrinkToFit();
- codeBlock()->shrinkToFit(CodeBlock::LateShrink);
-
if (requiresArityFixup)
linkBuffer->link(callArityFixup, FunctionPtr<JITThunkPtrTag>(vm().getCTIStub(arityFixupGenerator).code()));
Modified: branches/safari-609.1.20.1-branch/Source/_javascript_Core/dfg/DFGJITFinalizer.cpp (256991 => 256992)
--- branches/safari-609.1.20.1-branch/Source/_javascript_Core/dfg/DFGJITFinalizer.cpp 2020-02-20 00:29:45 UTC (rev 256991)
+++ branches/safari-609.1.20.1-branch/Source/_javascript_Core/dfg/DFGJITFinalizer.cpp 2020-02-20 00:29:51 UTC (rev 256992)
@@ -83,13 +83,6 @@
{
CodeBlock* codeBlock = m_plan.codeBlock();
- // Some JIT finalizers may have added more constants. Shrink-to-fit those things now.
- {
- ConcurrentJSLocker locker(codeBlock->m_lock);
- codeBlock->constants().shrinkToFit();
- codeBlock->constantsSourceCodeRepresentation().shrinkToFit();
- }
-
#if ENABLE(FTL_JIT)
m_jitCode->optimizeAfterWarmUp(codeBlock);
#endif // ENABLE(FTL_JIT)
Modified: branches/safari-609.1.20.1-branch/Source/_javascript_Core/dfg/DFGPlan.cpp (256991 => 256992)
--- branches/safari-609.1.20.1-branch/Source/_javascript_Core/dfg/DFGPlan.cpp 2020-02-20 00:29:45 UTC (rev 256991)
+++ branches/safari-609.1.20.1-branch/Source/_javascript_Core/dfg/DFGPlan.cpp 2020-02-20 00:29:51 UTC (rev 256992)
@@ -272,7 +272,10 @@
// in the CodeBlock. This is a good time to perform an early shrink, which is more
// powerful than a late one. It's safe to do so because we haven't generated any code
// that references any of the tables directly, yet.
- m_codeBlock->shrinkToFit(CodeBlock::EarlyShrink);
+ {
+ ConcurrentJSLocker locker(m_codeBlock->m_lock);
+ m_codeBlock->shrinkToFit(locker, CodeBlock::ShrinkMode::EarlyShrink);
+ }
if (validationEnabled())
validate(dfg);
@@ -603,6 +606,11 @@
}
reallyAdd(m_codeBlock->jitCode()->dfgCommon());
+ {
+ ConcurrentJSLocker locker(m_codeBlock->m_lock);
+ m_codeBlock->jitCode()->shrinkToFit(locker);
+ m_codeBlock->shrinkToFit(locker, CodeBlock::ShrinkMode::LateShrink);
+ }
if (validationEnabled()) {
TrackedReferences trackedReferences;
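Review bot: The new lock scope after `reallyAdd` holds m_lock across a virtual `JITCode::shrinkToFit` call and then the CodeBlock's LateShrink, but nothing at the call site records why both must happen under one acquisition or that an override must not try to take the lock again (the ChangeLog mentions a dead-lock in the earlier landing). I would add a comment above the block: `// reallyAdd may have appended constants and CommonData entries, so shrink both under a single hold of m_lock; shrinkToFit overrides must not re-acquire it.` The same pattern appears in the EarlyShrink hunk above and in JIT::link; the comment is most useful here where the ordering relative to reallyAdd matters. As a minor style point `m_codeBlock->jitCode()` is evaluated twice inside the scope and could be bound to a local.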
Modified: branches/safari-609.1.20.1-branch/Source/_javascript_Core/ftl/FTLJITCode.cpp (256991 => 256992)
--- branches/safari-609.1.20.1-branch/Source/_javascript_Core/ftl/FTLJITCode.cpp 2020-02-20 00:29:45 UTC (rev 256991)
+++ branches/safari-609.1.20.1-branch/Source/_javascript_Core/ftl/FTLJITCode.cpp 2020-02-20 00:29:51 UTC (rev 256992)
@@ -131,6 +131,14 @@
return &common;
}
+void JITCode::shrinkToFit(const ConcurrentJSLocker&)
+{
+ common.shrinkToFit();
+ osrExit.shrinkToFit();
+ osrExitDescriptors.shrinkToFit();
+ lazySlowPaths.shrinkToFit();
+}
+
void JITCode::validateReferences(const TrackedReferences& trackedReferences)
{
common.validateReferences(trackedReferences);
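Review bot: The new FTL `JITCode::shrinkToFit` shrinks containers that the OSR-exit machinery appears to reference by pointer, and nothing in the function states why that is safe. `osrExit` is a SegmentedVector (visible in the FTLJITCode.h hunk), whose shrinkToFit does not move elements; the declared type of `osrExitDescriptors` is outside the hunk, so if it is a plain Vector, shrinking it after compilation would invalidate any pointers exit stubs keep into it, which should be confirmed. I would pin the invariant in a comment: `// osrExit/osrExitDescriptors must stay address-stable (SegmentedVector): exits are referenced by pointer from generated code and exit stubs, so only the segment table is shrunk here.`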
Modified: branches/safari-609.1.20.1-branch/Source/_javascript_Core/ftl/FTLJITCode.h (256991 => 256992)
--- branches/safari-609.1.20.1-branch/Source/_javascript_Core/ftl/FTLJITCode.h 2020-02-20 00:29:45 UTC (rev 256991)
+++ branches/safari-609.1.20.1-branch/Source/_javascript_Core/ftl/FTLJITCode.h 2020-02-20 00:29:51 UTC (rev 256992)
@@ -67,6 +67,7 @@
JITCode* ftl() override;
DFG::CommonData* dfgCommon() override;
static ptrdiff_t commonDataOffset() { return OBJECT_OFFSETOF(JITCode, common); }
+ void shrinkToFit(const ConcurrentJSLocker&) override;
DFG::CommonData common;
SegmentedVector<OSRExit, 8> osrExit;
Modified: branches/safari-609.1.20.1-branch/Source/_javascript_Core/jit/JIT.cpp (256991 => 256992)
--- branches/safari-609.1.20.1-branch/Source/_javascript_Core/jit/JIT.cpp 2020-02-20 00:29:45 UTC (rev 256991)
+++ branches/safari-609.1.20.1-branch/Source/_javascript_Core/jit/JIT.cpp 2020-02-20 00:29:51 UTC (rev 256992)
@@ -927,7 +927,10 @@
static_cast<double>(result.size()) /
static_cast<double>(m_codeBlock->instructionsSize()));
- m_codeBlock->shrinkToFit(CodeBlock::LateShrink);
+ {
+ ConcurrentJSLocker locker(m_codeBlock->m_lock);
+ m_codeBlock->shrinkToFit(locker, CodeBlock::ShrinkMode::LateShrink);
+ }
m_codeBlock->setJITCode(
adoptRef(*new DirectJITCode(result, withArityCheck, JITType::BaselineJIT)));
Modified: branches/safari-609.1.20.1-branch/Source/_javascript_Core/jit/JIT.h (256991 => 256992)
--- branches/safari-609.1.20.1-branch/Source/_javascript_Core/jit/JIT.h 2020-02-20 00:29:45 UTC (rev 256991)
+++ branches/safari-609.1.20.1-branch/Source/_javascript_Core/jit/JIT.h 2020-02-20 00:29:51 UTC (rev 256992)
@@ -334,7 +334,6 @@
bool isOperandConstantDouble(int src);
void emitLoadDouble(int index, FPRegisterID value);
- void emitLoadInt32ToDouble(int index, FPRegisterID value);
enum WriteBarrierMode { UnconditionalWriteBarrier, ShouldFilterBase, ShouldFilterValue, ShouldFilterBaseAndValue };
// value register in write barrier is used before any scratch registers
Modified: branches/safari-609.1.20.1-branch/Source/_javascript_Core/jit/JITCode.cpp (256991 => 256992)
--- branches/safari-609.1.20.1-branch/Source/_javascript_Core/jit/JITCode.cpp 2020-02-20 00:29:45 UTC (rev 256991)
+++ branches/safari-609.1.20.1-branch/Source/_javascript_Core/jit/JITCode.cpp 2020-02-20 00:29:51 UTC (rev 256992)
@@ -93,6 +93,10 @@
return 0;
}
+void JITCode::shrinkToFit(const ConcurrentJSLocker&)
+{
+}
+
JITCodeWithCodeRef::JITCodeWithCodeRef(JITType jitType)
: JITCode(jitType)
{
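Review bot: The empty base `JITCode::shrinkToFit(const ConcurrentJSLocker&)` reads as an unfinished stub rather than an intentional default; a reader cannot tell whether LLInt/Baseline code objects have nothing to shrink or whether an override was forgotten. I would add `// Nothing to shrink for non-optimizing tiers; DFG/FTL JITCode override this.` as the body. The unnamed locker parameter is consistent with the CodeBlock signature and signals that callers hold m_lock, which the overrides in DFGJITCode.cpp and FTLJITCode.cpp also rely on.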
Modified: branches/safari-609.1.20.1-branch/Source/_javascript_Core/jit/JITCode.h (256991 => 256992)
--- branches/safari-609.1.20.1-branch/Source/_javascript_Core/jit/JITCode.h 2020-02-20 00:29:45 UTC (rev 256991)
+++ branches/safari-609.1.20.1-branch/Source/_javascript_Core/jit/JITCode.h 2020-02-20 00:29:51 UTC (rev 256992)
@@ -192,6 +192,7 @@
virtual DFG::JITCode* dfg();
virtual FTL::JITCode* ftl();
virtual FTL::ForOSREntryJITCode* ftlForOSREntry();
+ virtual void shrinkToFit(const ConcurrentJSLocker&);
virtual void validateReferences(const TrackedReferences&);
Modified: branches/safari-609.1.20.1-branch/Source/_javascript_Core/jit/JITInlines.h (256991 => 256992)
--- branches/safari-609.1.20.1-branch/Source/_javascript_Core/jit/JITInlines.h 2020-02-20 00:29:45 UTC (rev 256991)
+++ branches/safari-609.1.20.1-branch/Source/_javascript_Core/jit/JITInlines.h 2020-02-20 00:29:51 UTC (rev 256992)
@@ -380,6 +380,15 @@
#if USE(JSVALUE32_64)
+inline void JIT::emitLoadDouble(int index, FPRegisterID value)
+{
+ if (m_codeBlock->isConstantRegisterIndex(index)) {
+ WriteBarrier<Unknown>& inConstantPool = m_codeBlock->constantRegister(index);
+ loadDouble(TrustedImmPtr(&inConstantPool), value);
+ } else
+ loadDouble(addressFor(index), value);
+}
+
inline void JIT::emitLoadTag(int index, RegisterID tag)
{
if (m_codeBlock->isConstantRegisterIndex(index)) {
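Review bot: Moving emitLoadDouble into the `USE(JSVALUE32_64)` region is what ties this file to the new shrink policy, yet the function still says nothing about the dependency. The `loadDouble(TrustedImmPtr(&inConstantPool), value)` line bakes the address of a `m_constantRegisters` entry into machine code, which is exactly why CodeBlock::shrinkToFit skips that vector on 32bit after code generation; I would add `// Embeds the address of a constant register into machine code: m_constantRegisters must not be reallocated after this (see CodeBlock::shrinkToFit, 32bit branch).` above the load. If a 64bit fast path ever embeds such an address again, that comment is the only place a maintainer would learn the coupling. The removal of emitLoadInt32ToDouble below is a pure deletion of a now-unused helper and needs no further comment.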
@@ -635,24 +644,6 @@
emitJumpSlowCaseIfNotJSCell(reg);
}
-inline void JIT::emitLoadDouble(int index, FPRegisterID value)
-{
- if (m_codeBlock->isConstantRegisterIndex(index)) {
- WriteBarrier<Unknown>& inConstantPool = m_codeBlock->constantRegister(index);
- loadDouble(TrustedImmPtr(&inConstantPool), value);
- } else
- loadDouble(addressFor(index), value);
-}
-
-inline void JIT::emitLoadInt32ToDouble(int index, FPRegisterID value)
-{
- if (m_codeBlock->isConstantRegisterIndex(index)) {
- ASSERT(isOperandConstantInt(index));
- convertInt32ToDouble(Imm32(getConstantOperand(index).asInt32()), value);
- } else
- convertInt32ToDouble(addressFor(index), value);
-}
-
ALWAYS_INLINE JIT::PatchableJump JIT::emitPatchableJumpIfNotInt(RegisterID reg)
{
return patchableBranch64(Below, reg, numberTagRegister);