Bug 179355

Summary:

AccessCase::generateImpl() should exclude the result register when restoring registers after a call.

Product:

WebKit

Reporter:

Mark Lam <mark.lam>

Component:

JavaScriptCore

Assignee:

Mark Lam <mark.lam>

Status:

RESOLVED FIXED

Severity:

Normal

CC:

buildbot, fpizlo, jfbastien, keith_miller, msaboff, rmorisset, saam, webkit-bug-importer

Priority:

Keywords:

InRadar

Version:

WebKit Local Build

Hardware:

Unspecified

OS:

Unspecified

Attachments:

Description	Flags
proposed patch.	none
proposed patch.	saam: review-
proposed patch.	saam: review+

Mark Lam

Reported 2017-11-06 17:30:01 PST

We should be using this exclude list to exclude result registers from being preserved, instead of needing to exclude them from being restored later. <rdar://problem/35263053>

Attachments
proposed patch. (12.31 KB, patch) 2017-11-06 17:45 PST, Mark Lam	no flags	Details Formatted Diff Diff
proposed patch. (12.40 KB, patch) 2017-11-06 17:50 PST, Mark Lam	saam: review-	Details Formatted Diff Diff
proposed patch. (3.46 KB, patch) 2017-11-07 11:02 PST, Mark Lam	saam: review+	Details Formatted Diff Diff
Show Obsolete (2) View All Add attachment proposed patch, testcase, etc.

Mark Lam

Comment 1 2017-11-06 17:45:09 PST

Created attachment 326176 [details] proposed patch.

Mark Lam

Comment 2 2017-11-06 17:50:54 PST

Created attachment 326177 [details] proposed patch.

Michael Saboff

Comment 3 2017-11-06 18:06:58 PST

Comment on attachment 326177 [details] proposed patch. View in context: https://bugs.webkit.org/attachment.cgi?id=326177&action=review r=me > Source/JavaScriptCore/ChangeLog:25 > + 1. Added support to specify an exclude RegisterSet for > + AccessGenerationState::preserveLiveRegistersToStackForCall(). This allows us > + to exclude the result registers from the set of registers to preserve. > + > + 2. Removed the exclude RegisterSet from restoreLiveRegistersFromStackForCall(). > + Instead, restoreLiveRegistersFromStackForCall() should only restore registers > + that were preserved. This simplifies the restoration code. > + > + 3. Changed preserveLiveRegistersToStackForCall() and restoreLiveRegistersFromStackForCall() > + to take RegisterSet arguments by value instead of by reference. RegisterSet > + is designed to be passed by value. > + > + 4. Added an implicit default constructor to RegisterSet. This allows us to use > + the { } notation for instantiation an empty set. There is an explicit > + RegisterSet(Regs... regs) constructor which was made explicit so that we don't > + inadvertently convert register IDs into RegisterSet. Having a default > + constructor does not break intent of the RegisterSet(Regs... regs) constructor. Most of these are change descriptions for the affected functions. Move that detail down under the appropriate changed file / function section below. A summary of what the change does here would be great.

Saam Barati

Comment 4 2017-11-06 18:10:52 PST

Comment on attachment 326177 [details] proposed patch. View in context: https://bugs.webkit.org/attachment.cgi?id=326177&action=review > Source/JavaScriptCore/bytecode/AccessCase.cpp:677 > + RegisterSet resultRegistersToExclude; > + if (isGetter()) > + resultRegistersToExclude.set(valueRegs); I believe this is wrong. Imagine we make a getter call, and the base/result are allocated the same register. Assume that the getter throws an exception. Assume OSR exit now needs to recover the original base. This code breaks that.

Mark Lam

Comment 5 2017-11-07 10:25:23 PST

Comment on attachment 326177 [details] proposed patch. View in context: https://bugs.webkit.org/attachment.cgi?id=326177&action=review >> Source/JavaScriptCore/bytecode/AccessCase.cpp:677 >> + resultRegistersToExclude.set(valueRegs); > > I believe this is wrong. Imagine we make a getter call, and the base/result are allocated the same register. Assume that the getter throws an exception. Assume OSR exit now needs to recover the original base. This code breaks that. Thanks for catching that. You made a very good point. This completely invalidates my approach of skipping the result on the preservation pass. I will redo the entire patch. I'll also leave out the refactoring parts for a subsequent patch.

Mark Lam

Comment 6 2017-11-07 11:02:18 PST

Created attachment 326222 [details] proposed patch.

Mark Lam

Comment 7 2017-11-07 11:34:53 PST

Thanks for the review. I noticed that the title in the JSTests/ChangeLog was from the old patch. I've updated it before landing. Landed in r224539: <http://trac.webkit.org/r224539>.

Note You need to log in before you can comment on or make changes to this bug.