Currently the JS stack grows from low address towards high addresses. The native C/C++ stack grows from high to low addresses. Before using the C stack for JS processing, the direction of the stack should change.
Created attachment 206832[details]
Work in progress
Compiles and runs testapi with LLint with one exception error and with value profiling turned off.
I'll fix those and then try running all of JS tests.
Created attachment 207406[details]
Passing JS tests with LLint + Baseline JIT
Now will work through the fast/js Layout failures for the LLInt and baseline JIT
Created attachment 208674[details]
Baseline JIT passes JS tests and Layout/fast/js tests
Running with LLInt and DFG disabled.
There are 4 failures in the fast/js layout tests:
Regressions: Unexpected text-only failures (3)
fast/js/exception-sequencing.html [ Failure ]
fast/js/exception-thrown-from-new.html [ Failure ]
fast/js/kde/Array.html [ Failure ]
Regressions: Unexpected crashes (1)
fast/js/global-recursion-on-full-stack.html [ Crash ]
The three unexpected failures match without the changes. The crash is due to stack overflow checking. I'll address that later.
Going on to DFG.
(In reply to comment #10)
> (In reply to comment #9)
> > Created an attachment (id=209690) [details] [details]
> > LLInt + Baseline JIT + DFG Passes all JS tests
>
> 32 and 64bit?
64 bit only at this point.
Created attachment 210319[details]
64 Bit LLInt, Baseline JIT, DFG Passes all but one test
DFG passes all DFG tests. Baseline JIT fails stack overflow check. LLint passes this test. Will investigate.
fast/js/global-recursion-on-full-stack.html
(In reply to comment #14)
> Created an attachment (id=210319) [details]
> 64 Bit LLInt, Baseline JIT, DFG Passes all but one test
>
> DFG passes all DFG tests. Baseline JIT fails stack overflow check. LLint passes this test. Will investigate.
That's awesome!
>
> fast/js/global-recursion-on-full-stack.html
(In reply to comment #18)
> (In reply to comment #17)
> > Created an attachment (id=210822) [details] [details]
> > LLint/Baseline JIT/DFG 32&64 bit pass all JS tests
> >
> > 32bit WebKit tests next
>
> There are 3 WebKit tests failures running 32 bit:
> fast/js/invalid-syntax-for-function.html [ Crash ]
> fast/js/regress/function-dot-apply.html [ Crash ]
> fast/js/typed-array-access.html [ Crash ]
Down to one failing test:
fast/js/invalid-syntax-for-function.html [ Crash ]
It only fails when run with a group of other tests and doesn't fail by itself. The crash is due to an ASSERT failure in
void JSStack::disableErrorStackReserve()
{
char* useableEnd = reinterpret_cast<char*>(reservationEnd()) + commitSize;
m_useableEnd = reinterpret_cast_ptr<Register*>(useableEnd);
// By the time we get here, we are guaranteed to be destructing the last
// Interpreter::ErrorHandlingMode that enabled this reserve in the first
// place. That means the stack space beyond m_useableEnd before we
// enabled the reserve was not previously in use. Hence, it is safe to
// shrink back to that m_useableEnd.
if (m_end < m_useableEnd) {
ASSERT(m_topCallFrame->frameExtent() >= m_useableEnd); <==
shrink(m_useableEnd);
}
}
m_topCallFrame is null, therefore the crash.
Created attachment 211338[details]
Patch
I reverted the change made in XX to return a VirtualRegister from localToOperand(). I also changed stackOffset bit field in CodeOrigin to be "int" instead of "signed int". check-webkit-style doesn't like this, but I'll fix that separately.
Comment on attachment 211338[details]
Patch
View in context: https://bugs.webkit.org/attachment.cgi?id=211338&action=review>> Source/JavaScriptCore/bytecode/CodeBlock.cpp:3434
>> + }
>
> Why is this change necessary in this patch?
When is symbolTable() null? This seems like a bug.
> Source/JavaScriptCore/jit/JITOpcodes.cpp:-848
> - emitPutVirtualRegister(dst);
Why is it OK not to store the activation to the stack here? This seems like a bug.
> Source/JavaScriptCore/jit/JITOpcodes.cpp:-1119
> - signExtend32ToPtr(regT1, regT1);
Does add32 automatically zero the high bits in regT1? If not, we still need to sign-extend.
> > Source/JavaScriptCore/jit/JITOpcodes.cpp:-848
> > - emitPutVirtualRegister(dst);
>
> Why is it OK not to store the activation to the stack here? This seems like a bug.
I see: the above instruction stores to dst, too. Can you edit the instruction to use "dst"? Then the change will be clearer.
Created attachment 211343[details]
Archive of layout-test-results from webkit-ews-16 for mac-mountainlion-wk2
The attached test failures were seen while running run-webkit-tests on the mac-wk2-ews.
Bot: webkit-ews-16 Port: mac-mountainlion-wk2 Platform: Mac OS X 10.8.4
Created attachment 211359[details]
Patch addressing review and ewe bot issues
Removed the "if (symbolTable())" check in CodeBlock.cpp.
Have speculative fixes for Qt compile failure (moved definition of trustedImm32ForShift() up in the file).
Have speculative fix for failure found in mac-wk2-ews - Made stackOffset int in CodeOrigin::stackOffset() and inlinedFrameOffset in StackVisitor.cpp.
Created attachment 211368[details]
Archive of layout-test-results from webkit-ews-15 for mac-mountainlion-wk2
The attached test failures were seen while running run-webkit-tests on the mac-wk2-ews.
Bot: webkit-ews-15 Port: mac-mountainlion-wk2 Platform: Mac OS X 10.8.4
Created attachment 211404[details]
Archive of layout-test-results from webkit-ews-08 for mac-mountainlion
The attached test failures were seen while running run-webkit-tests on the mac-ews.
Bot: webkit-ews-08 Port: mac-mountainlion Platform: Mac OS X 10.8.4
Created attachment 211490[details]
Patch with final fix
Fixed a bug in Arguments::tearOff() for the inlined call frame case where the Register* for the torn off arguments wasn't being calculated correctly. The calculation for the non-inline case was correct.
> Fixed a bug in Arguments::tearOff() for the inlined call frame case where the Register* for the torn off arguments wasn't being calculated correctly.
Can we improve the disassembly diff-er to catch the cases you've been fixing?
(In reply to comment #38)
> > Fixed a bug in Arguments::tearOff() for the inlined call frame case where the Register* for the torn off arguments wasn't being calculated correctly.
>
> Can we improve the disassembly diff-er to catch the cases you've been fixing?
The fixes I made yesterday and today aren't in code that generates instructions. I believe that this is the final patch.
2013-07-16 18:24 PDT, Michael Saboff
2013-07-17 16:34 PDT, Michael Saboff
2013-07-23 13:56 PDT, Michael Saboff
2013-07-24 11:30 PDT, Michael Saboff
2013-07-25 16:07 PDT, Michael Saboff
2013-08-13 14:16 PDT, Michael Saboff
2013-08-20 17:41 PDT, Michael Saboff
2013-08-26 16:01 PDT, Michael Saboff
2013-08-26 16:18 PDT, Michael Saboff
2013-08-27 15:39 PDT, Michael Saboff
2013-08-27 20:31 PDT, Michael Saboff
2013-09-02 21:44 PDT, Michael Saboff
2013-09-06 17:21 PDT, Michael Saboff
2013-09-06 17:34 PDT, Michael Saboff
2013-09-11 12:01 PDT, Michael Saboff
webkit-ews: commit-queue-
2013-09-11 13:09 PDT, Build Bot
2013-09-11 15:19 PDT, Michael Saboff
2013-09-11 17:24 PDT, Build Bot
2013-09-11 23:56 PDT, Build Bot
2013-09-12 10:59 PDT, Michael Saboff
2013-09-12 16:23 PDT, Michael Saboff