Bug 147893

Summary: jsc-tailcall: Arity fixup should make use of the possible extra empty slots at top of the frame
Product: WebKit Reporter: Basile Clement <basile_clement>
Component: JavaScriptCoreAssignee: Basile Clement <basile_clement>
Status: RESOLVED FIXED    
Severity: Normal CC: fpizlo, ggaren, mark.lam, msaboff
Priority: P2    
Version: 528+ (Nightly build)   
Hardware: Unspecified   
OS: Unspecified   
Attachments:
Description Flags
Patch msaboff: review+

Basile Clement
Reported 2015-08-11 12:28:00 PDT
This would: - Allow to not have to move the call frame when there is a single missing argument and the top of the frame was not aligned - Make computing the "real" frame simpler: any frame always has aligned size alignUp(max(argCount, numParameters) + CallFrameHeaderSize). Right now, the formula is quite contrived: alignUp(max(argCount, argCount + alignUp(numParameters - argCount)) + CallFrameHeaderSize)
Attachments
Patch (13.37 KB, patch)
2015-08-11 17:35 PDT, Basile Clement 		msaboff: review+
DetailsFormatted DiffDiff
View All Add attachment proposed patch, testcase, etc.
Basile Clement
Comment 1 2015-08-11 17:35:58 PDT
Created attachment 258786 [details] Patch
Michael Saboff
Comment 2 2015-08-11 17:58:06 PDT
Comment on attachment 258786 [details] Patch View in context: https://bugs.webkit.org/attachment.cgi?id=258786&action=review r=me > Source/JavaScriptCore/jit/ThunkGenerators.cpp:443 > + jit.store32(JSInterfaceJIT::regT5, MacroAssembler::BaseIndex(JSInterfaceJIT::callFrameRegister, JSInterfaceJIT::argumentGPR2, JSInterfaceJIT::TimesEight)); > + jit.move(JSInterfaceJIT::TrustedImm32(JSValue::UndefinedTag), JSInterfaceJIT::regT5); > + jit.store32(JSInterfaceJIT::regT5, MacroAssembler::BaseIndex(JSInterfaceJIT::callFrameRegister, JSInterfaceJIT::argumentGPR2, JSInterfaceJIT::TimesEight, 4)); Instead of no offset or 4 and even though the existing code does this, use OBJECT_OFFSETOF(JSValue, u.asBits.payload) and OBJECT_OFFSETOF(JSValue, u.asBits.tag).
Basile Clement
Comment 3 2015-08-11 18:03:49 PDT
(In reply to comment #2) > Comment on attachment 258786 [details] > Patch > > View in context: > https://bugs.webkit.org/attachment.cgi?id=258786&action=review > > r=me > > > Source/JavaScriptCore/jit/ThunkGenerators.cpp:443 > > + jit.store32(JSInterfaceJIT::regT5, MacroAssembler::BaseIndex(JSInterfaceJIT::callFrameRegister, JSInterfaceJIT::argumentGPR2, JSInterfaceJIT::TimesEight)); > > + jit.move(JSInterfaceJIT::TrustedImm32(JSValue::UndefinedTag), JSInterfaceJIT::regT5); > > + jit.store32(JSInterfaceJIT::regT5, MacroAssembler::BaseIndex(JSInterfaceJIT::callFrameRegister, JSInterfaceJIT::argumentGPR2, JSInterfaceJIT::TimesEight, 4)); > > Instead of no offset or 4 and even though the existing code does this, use > OBJECT_OFFSETOF(JSValue, u.asBits.payload) and OBJECT_OFFSETOF(JSValue, > u.asBits.tag). Fixed locally (with the TagOffset and PayloadOffset shorthands).
Basile Clement
Comment 4 2015-08-11 19:00:24 PDT
Committed r188318 <http://trac.webkit.org/changeset/188318>.
Note You need to log in before you can comment on or make changes to this bug.