Title: [280198] trunk
Revision
280198
Author
sbar...@apple.com
Date
2021-07-22 14:37:02 -0700 (Thu, 22 Jul 2021)

Log Message

AirStackSlot's uint16_t byte size is too small
https://bugs.webkit.org/show_bug.cgi?id=228193
<rdar://80888059>

Reviewed by Mark Lam.

JSTests:

* stress/stack-slot-needs-to-use-more-than-uint16.js: Added.

Source/_javascript_Core:

* b3/B3Procedure.cpp:
(JSC::B3::Procedure::addStackSlot):
* b3/B3Procedure.h:
* b3/air/AirCode.cpp:
(JSC::B3::Air::Code::addStackSlot):
* b3/air/AirCode.h:
* b3/air/AirStackSlot.cpp:
(JSC::B3::Air::StackSlot::StackSlot):
* b3/air/AirStackSlot.h:
(JSC::B3::Air::StackSlot::ensureSize):
* ftl/FTLLowerDFGToB3.cpp:
(JSC::FTL::DFG::LowerDFGToB3::lower):
* ftl/FTLOutput.cpp:
(JSC::FTL::Output::lockedStackSlot):
* ftl/FTLOutput.h:


Modified: trunk/JSTests/ChangeLog (280197 => 280198)


--- trunk/JSTests/ChangeLog	2021-07-22 21:30:12 UTC (rev 280197)
+++ trunk/JSTests/ChangeLog	2021-07-22 21:37:02 UTC (rev 280198)
@@ -1,3 +1,13 @@
+2021-07-22  Saam Barati  <sbar...@apple.com>
+
+        AirStackSlot's uint16_t byte size is too small
+        https://bugs.webkit.org/show_bug.cgi?id=228193
+        <rdar://80888059>
+
+        Reviewed by Mark Lam.
+
+        * stress/stack-slot-needs-to-use-more-than-uint16.js: Added.
+
 2021-07-20  Yusuke Suzuki  <ysuz...@apple.com>
 
         [JSC] invalidParameterInstanceofSourceAppender should care direct call of Symbol.hasInstance

Added: trunk/JSTests/stress/stack-slot-needs-to-use-more-than-uint16.js (0 => 280198)


--- trunk/JSTests/stress/stack-slot-needs-to-use-more-than-uint16.js	                        (rev 0)
+++ trunk/JSTests/stress/stack-slot-needs-to-use-more-than-uint16.js	2021-07-22 21:37:02 UTC (rev 280198)
@@ -0,0 +1,8 @@
+//@ skip if $buildType == "debug"
+
+let script = '_,'.repeat(5000);
+script += '';
+let g = new Function(script, 'if (0) g();');
+for (let i = 0; i < 1000; ++i) {
+  g(0);
+}
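Review bot: `script += '';` on the fourth line of the new test is a no-op and reads like a leftover; either drop it or, if a final parameter name was meant to follow the trailing `_,`, append it there. The test also gives no hint of what it exercises or why `5000` is the magic count; a leading comment such as `// Enough parameters that the function's captured-locals stack slot exceeds the old uint16_t byte-size limit (webkit.org/b/228193).` would tie the repetition count to the bug being fixed, with the exact threshold left to whoever can confirm it against the DFG's machine-local accounting.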

Modified: trunk/Source/_javascript_Core/ChangeLog (280197 => 280198)


--- trunk/Source/_javascript_Core/ChangeLog	2021-07-22 21:30:12 UTC (rev 280197)
+++ trunk/Source/_javascript_Core/ChangeLog	2021-07-22 21:37:02 UTC (rev 280198)
@@ -1,5 +1,29 @@
 2021-07-22  Saam Barati  <sbar...@apple.com>
 
+        AirStackSlot's uint16_t byte size is too small
+        https://bugs.webkit.org/show_bug.cgi?id=228193
+        <rdar://80888059>
+
+        Reviewed by Mark Lam.
+
+        * b3/B3Procedure.cpp:
+        (JSC::B3::Procedure::addStackSlot):
+        * b3/B3Procedure.h:
+        * b3/air/AirCode.cpp:
+        (JSC::B3::Air::Code::addStackSlot):
+        * b3/air/AirCode.h:
+        * b3/air/AirStackSlot.cpp:
+        (JSC::B3::Air::StackSlot::StackSlot):
+        * b3/air/AirStackSlot.h:
+        (JSC::B3::Air::StackSlot::ensureSize):
+        * ftl/FTLLowerDFGToB3.cpp:
+        (JSC::FTL::DFG::LowerDFGToB3::lower):
+        * ftl/FTLOutput.cpp:
+        (JSC::FTL::Output::lockedStackSlot):
+        * ftl/FTLOutput.h:
+
+2021-07-22  Saam Barati  <sbar...@apple.com>
+
         Fix uses of Dependency::fence with respect to the compiler outsmarting us
         https://bugs.webkit.org/show_bug.cgi?id=227757
         <rdar://problem/80280931>

Modified: trunk/Source/_javascript_Core/b3/B3Procedure.cpp (280197 => 280198)


--- trunk/Source/_javascript_Core/b3/B3Procedure.cpp	2021-07-22 21:30:12 UTC (rev 280197)
+++ trunk/Source/_javascript_Core/b3/B3Procedure.cpp	2021-07-22 21:37:02 UTC (rev 280198)
@@ -73,7 +73,7 @@
     return result;
 }
 
-Air::StackSlot* Procedure::addStackSlot(unsigned byteSize)
+Air::StackSlot* Procedure::addStackSlot(uint64_t byteSize)
 {
     return m_code->addStackSlot(byteSize, Air::StackSlotKind::Locked);
 }

Modified: trunk/Source/_javascript_Core/b3/B3Procedure.h (280197 => 280198)


--- trunk/Source/_javascript_Core/b3/B3Procedure.h	2021-07-22 21:30:12 UTC (rev 280197)
+++ trunk/Source/_javascript_Core/b3/B3Procedure.h	2021-07-22 21:37:02 UTC (rev 280198)
@@ -114,7 +114,7 @@
         setBlockOrderImpl(blocks);
     }
 
-    JS_EXPORT_PRIVATE Air::StackSlot* addStackSlot(unsigned byteSize);
+    JS_EXPORT_PRIVATE Air::StackSlot* addStackSlot(uint64_t byteSize);
     JS_EXPORT_PRIVATE Variable* addVariable(Type);
 
     JS_EXPORT_PRIVATE Type addTuple(Vector<Type>&& types);

Modified: trunk/Source/_javascript_Core/b3/air/AirCode.cpp (280197 => 280198)


--- trunk/Source/_javascript_Core/b3/air/AirCode.cpp	2021-07-22 21:30:12 UTC (rev 280197)
+++ trunk/Source/_javascript_Core/b3/air/AirCode.cpp	2021-07-22 21:37:02 UTC (rev 280198)
@@ -163,7 +163,7 @@
     return result;
 }
 
-StackSlot* Code::addStackSlot(unsigned byteSize, StackSlotKind kind)
+StackSlot* Code::addStackSlot(uint64_t byteSize, StackSlotKind kind)
 {
     StackSlot* result = m_stackSlots.addNew(byteSize, kind);
     if (m_stackIsAllocated) {

Modified: trunk/Source/_javascript_Core/b3/air/AirCode.h (280197 => 280198)


--- trunk/Source/_javascript_Core/b3/air/AirCode.h	2021-07-22 21:30:12 UTC (rev 280197)
+++ trunk/Source/_javascript_Core/b3/air/AirCode.h	2021-07-22 21:37:02 UTC (rev 280198)
@@ -112,7 +112,7 @@
     // Note that you can rely on stack slots always getting indices that are larger than the index
     // of any prior stack slot. In fact, all stack slots you create in the future will have an index
     // that is >= stackSlots().size().
-    JS_EXPORT_PRIVATE StackSlot* addStackSlot(unsigned byteSize, StackSlotKind);
+    JS_EXPORT_PRIVATE StackSlot* addStackSlot(uint64_t byteSize, StackSlotKind);
 
     JS_EXPORT_PRIVATE Special* addSpecial(std::unique_ptr<Special>);
 

Modified: trunk/Source/_javascript_Core/b3/air/AirStackSlot.cpp (280197 => 280198)


--- trunk/Source/_javascript_Core/b3/air/AirStackSlot.cpp	2021-07-22 21:30:12 UTC (rev 280197)
+++ trunk/Source/_javascript_Core/b3/air/AirStackSlot.cpp	2021-07-22 21:37:02 UTC (rev 280198)
@@ -54,13 +54,13 @@
     out.print("byteSize = ", m_byteSize, ", offsetFromFP = ", m_offsetFromFP, ", kind = ", m_kind);
 }
 
-StackSlot::StackSlot(unsigned byteSize, StackSlotKind kind, intptr_t offsetFromFP)
-    : m_byteSize(static_cast<uint16_t>(byteSize))
+StackSlot::StackSlot(uint64_t byteSize, StackSlotKind kind, intptr_t offsetFromFP)
+    : m_byteSize(static_cast<uint32_t>(byteSize))
     , m_kind(kind)
     , m_offsetFromFP(offsetFromFP)
 {
     ASSERT(byteSize);
-    RELEASE_ASSERT(byteSize <= std::numeric_limits<uint16_t>::max());
+    RELEASE_ASSERT(byteSize <= std::numeric_limits<uint32_t>::max());
 }
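Review bot: The upper-bound check in the constructor, `RELEASE_ASSERT(byteSize <= std::numeric_limits<uint32_t>::max());`, and the matching one in `ensureSize` in AirStackSlot.h both spell the field's width out by hand, and this very commit is the case where the width changed and every copy had to be found; deriving the limit from the member, `RELEASE_ASSERT(byteSize <= std::numeric_limits<decltype(m_byteSize)>::max());`, keeps guard and field in lock-step. The narrowing `static_cast<uint32_t>(byteSize)` in the mem-initializer executes before the body's RELEASE_ASSERT, which is sound because the assert tests the untruncated parameter, but a short comment on that line, `// Narrowing is checked below against the original byteSize.`, would stop a later refactor from moving the cast after the check and silently weakening it.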
 
 } } } // namespace JSC::B3::Air

Modified: trunk/Source/_javascript_Core/b3/air/AirStackSlot.h (280197 => 280198)


--- trunk/Source/_javascript_Core/b3/air/AirStackSlot.h	2021-07-22 21:30:12 UTC (rev 280197)
+++ trunk/Source/_javascript_Core/b3/air/AirStackSlot.h	2021-07-22 21:37:02 UTC (rev 280198)
@@ -50,11 +50,11 @@
     bool isSpill() const { return m_kind == StackSlotKind::Spill; }
     unsigned index() const { return m_index; }
 
-    void ensureSize(unsigned requestedSize)
+    void ensureSize(uint64_t requestedSize)
     {
         ASSERT(!m_offsetFromFP);
-        RELEASE_ASSERT(requestedSize <= std::numeric_limits<uint16_t>::max());
-        m_byteSize = std::max(m_byteSize, static_cast<uint16_t>(requestedSize));
+        RELEASE_ASSERT(requestedSize <= std::numeric_limits<uint32_t>::max());
+        m_byteSize = std::max(m_byteSize, static_cast<uint32_t>(requestedSize));
     }
 
     unsigned alignment() const
@@ -85,9 +85,9 @@
     friend class Code;
     friend class SparseCollection<StackSlot>;
 
-    StackSlot(unsigned byteSize, StackSlotKind, intptr_t offsetFromFP = 0);
+    StackSlot(uint64_t byteSize, StackSlotKind, intptr_t offsetFromFP = 0);
     
-    uint16_t m_byteSize { 0 };
+    uint32_t m_byteSize { 0 };
     StackSlotKind m_kind { StackSlotKind::Locked };
     unsigned m_index { UINT_MAX };
     intptr_t m_offsetFromFP { 0 };

Modified: trunk/Source/_javascript_Core/ftl/FTLLowerDFGToB3.cpp (280197 => 280198)


--- trunk/Source/_javascript_Core/ftl/FTLLowerDFGToB3.cpp	2021-07-22 21:30:12 UTC (rev 280197)
+++ trunk/Source/_javascript_Core/ftl/FTLLowerDFGToB3.cpp	2021-07-22 21:37:02 UTC (rev 280198)
@@ -249,7 +249,7 @@
         m_out.initializeConstants(m_proc, prologue);
         createPhiVariables();
 
-        size_t sizeOfCaptured = sizeof(JSValue) * m_graph.m_nextMachineLocal;
+        uint64_t sizeOfCaptured = sizeof(JSValue) * m_graph.m_nextMachineLocal;
         B3::SlotBaseValue* capturedBase = m_out.lockedStackSlot(sizeOfCaptured);
         m_captured = m_out.add(capturedBase, m_out.constIntPtr(sizeOfCaptured));
         state->capturedValue = capturedBase->slot();
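Review bot: Changing the declared type of `sizeOfCaptured` to `uint64_t` does not widen the multiplication itself: `sizeof(JSValue) * m_graph.m_nextMachineLocal` is evaluated in `size_t` (or whatever the usual arithmetic conversions pick from `m_nextMachineLocal`'s type) and only then converted, so with a 32-bit `size_t` the product could already have wrapped before the RELEASE_ASSERT in `StackSlot`'s constructor sees it. As far as I know the FTL is only built for 64-bit targets, where `size_t` is already 64 bits and this is moot, but `uint64_t sizeOfCaptured = static_cast<uint64_t>(sizeof(JSValue)) * m_graph.m_nextMachineLocal;` makes the intended width explicit at no cost. `lower()` starts and ends outside the hunk.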

Modified: trunk/Source/_javascript_Core/ftl/FTLOutput.cpp (280197 => 280198)


--- trunk/Source/_javascript_Core/ftl/FTLOutput.cpp	2021-07-22 21:30:12 UTC (rev 280197)
+++ trunk/Source/_javascript_Core/ftl/FTLOutput.cpp	2021-07-22 21:37:02 UTC (rev 280198)
@@ -91,7 +91,7 @@
     return m_block->appendNew<B3::Value>(m_proc, B3::FramePointer, origin());
 }
 
-SlotBaseValue* Output::lockedStackSlot(size_t bytes)
+SlotBaseValue* Output::lockedStackSlot(uint64_t bytes)
 {
     return m_block->appendNew<SlotBaseValue>(m_proc, origin(), m_proc.addStackSlot(bytes));
 }

Modified: trunk/Source/_javascript_Core/ftl/FTLOutput.h (280197 => 280198)


--- trunk/Source/_javascript_Core/ftl/FTLOutput.h	2021-07-22 21:30:12 UTC (rev 280197)
+++ trunk/Source/_javascript_Core/ftl/FTLOutput.h	2021-07-22 21:37:02 UTC (rev 280198)
@@ -100,7 +100,7 @@
 
     LValue framePointer();
 
-    B3::SlotBaseValue* lockedStackSlot(size_t bytes);
+    B3::SlotBaseValue* lockedStackSlot(uint64_t bytes);
 
     LValue constBool(bool value);
     LValue constInt32(int32_t value);