Bug 230622

Summary:

[JSC][32bit] Fix CSR restore on DFG tail calls, add extra register on ARMv7

Product:

WebKit

Reporter:

Geza Lore <glore>

Component:

New Bugs

Assignee:

Angelos Oikonomopoulos <angelos>

Status:

RESOLVED FIXED

Severity:

Normal

CC:

angelos, commit-queue, ews-watchlist, keith_miller, mark.lam, mikhail, msaboff, ross.kirsling, saam, tzagallo, webkit-bug-importer, xan.lopez, ysuzuki, zdobersek

Priority:

Keywords:

InRadar

Version:

WebKit Nightly Build

Hardware:

Unspecified

OS:

Unspecified

Bug Depends on:

232353

Bug Blocks:

Attachments:

Description	Flags
Patch	none
Patch	none
Patch	none
Patch	none
Patch	none
Patch	none
Patch	none
Patch	none
Patch	none
Patch	none
[fast-cq] Patch	none
[fast-cq] Patch	none
Patch	none

Geza Lore

Reported 2021-09-22 06:24:30 PDT

Allow DFG to use regCS0 GPR (LLInt metadataTable) on ARMv7

Attachments
Patch (3.88 KB, patch) 2021-09-22 06:33 PDT, Geza Lore	no flags	Details Formatted Diff Diff
Patch (20.50 KB, patch) 2021-09-27 15:37 PDT, Geza Lore	no flags	Details Formatted Diff Diff
Patch (20.54 KB, patch) 2021-09-27 16:02 PDT, Geza Lore	no flags	Details Formatted Diff Diff
Patch (19.32 KB, patch) 2021-09-28 04:34 PDT, Geza Lore	no flags	Details Formatted Diff Diff
Patch (19.35 KB, patch) 2021-09-28 04:45 PDT, Geza Lore	no flags	Details Formatted Diff Diff
Patch (19.31 KB, patch) 2021-09-28 04:48 PDT, Geza Lore	no flags	Details Formatted Diff Diff
Patch (19.34 KB, patch) 2021-10-05 14:03 PDT, Geza Lore	no flags	Details Formatted Diff Diff
Patch (19.44 KB, patch) 2021-10-05 14:05 PDT, Geza Lore	no flags	Details Formatted Diff Diff
Patch (19.44 KB, patch) 2021-10-07 02:56 PDT, Geza Lore	no flags	Details Formatted Diff Diff
Patch (19.58 KB, patch) 2021-10-15 01:27 PDT, Geza Lore	no flags	Details Formatted Diff Diff
[fast-cq] Patch (19.58 KB, patch) 2021-10-15 09:44 PDT, Angelos Oikonomopoulos	no flags	Details Formatted Diff Diff
[fast-cq] Patch (19.58 KB, patch) 2021-10-15 09:47 PDT, Angelos Oikonomopoulos	no flags	Details Formatted Diff Diff
Patch (21.35 KB, patch) 2021-10-27 04:53 PDT, Geza Lore	no flags	Details Formatted Diff Diff
Show Obsolete (11) View All Add attachment proposed patch, testcase, etc.

Geza Lore

Comment 1 2021-09-22 06:33:35 PDT

Created attachment 438945 [details] Patch

Yusuke Suzuki

Comment 2 2021-09-22 14:35:58 PDT

Comment on attachment 438945 [details] Patch View in context: https://bugs.webkit.org/attachment.cgi?id=438945&action=review > Source/JavaScriptCore/llint/LowLevelInterpreter32_64.asm:83 > + loadp CodeBlock::m_metadata[PB], metadataTable This looks incorrect to me since it is callee-save. If DFG uses it, then DFG should restore it, not LLInt.

Geza Lore

Comment 3 2021-09-22 14:54:26 PDT

I see your argument, but PB is restored on the line below, which is also a callee save, and that restore is necessary as DFG doesn't restore that either. Is that restore of PB wrong as well in this case?

Geza Lore

Comment 4 2021-09-27 15:37:52 PDT

Created attachment 439402 [details] Patch

Geza Lore

Comment 5 2021-09-27 16:02:03 PDT

Created attachment 439407 [details] Patch

Geza Lore

Comment 6 2021-09-28 04:34:43 PDT

Created attachment 439457 [details] Patch

Geza Lore

Comment 7 2021-09-28 04:45:14 PDT

Created attachment 439458 [details] Patch

Geza Lore

Comment 8 2021-09-28 04:48:35 PDT

Created attachment 439459 [details] Patch

Radar WebKit Bug Importer

Comment 9 2021-09-29 06:25:13 PDT

<rdar://problem/83668548>

Geza Lore

Comment 10 2021-10-05 14:03:08 PDT

Created attachment 440261 [details] Patch

Geza Lore

Comment 11 2021-10-05 14:05:43 PDT

Created attachment 440262 [details] Patch

Geza Lore

Comment 12 2021-10-07 02:56:41 PDT

Created attachment 440492 [details] Patch

Yusuke Suzuki

Comment 13 2021-10-08 15:29:29 PDT

@Saam Do you have an opinion on this change? I'm asking since you are working on unlinked DFG / FTL, so it is possible that metadata register can be used in DFG / FTL.

Saam Barati

Comment 14 2021-10-08 15:51:08 PDT

Comment on attachment 440492 [details] Patch View in context: https://bugs.webkit.org/attachment.cgi?id=440492&action=review > Source/JavaScriptCore/bytecode/ValueRecovery.h:195 > + static ValueRecovery calleeSaveRegDisplacedInJSStack(VirtualRegister virtualReg, bool inTag) why is the implication here that we're dealing with an Int32?

Geza Lore

Comment 15 2021-10-09 02:52:48 PDT

Comment on attachment 440492 [details] Patch View in context: https://bugs.webkit.org/attachment.cgi?id=440492&action=review >> Source/JavaScriptCore/bytecode/ValueRecovery.h:195 >> + static ValueRecovery calleeSaveRegDisplacedInJSStack(VirtualRegister virtualReg, bool inTag) > > why is the implication here that we're dealing with an Int32? On 32-bit platforms up to two 32-bit machine registers (which look like Int32) are stored in a single 64-bit VirtualRegister slot on the stack on procedure entry. Reusing the Int32 recovery mechanism takes care of restoring the one stored in the "payload" half of the VReg. I added the Int32Tag mechanism to restore the other 32-bit machine reg from the other half of the VReg.

Saam Barati

Comment 16 2021-10-14 11:51:57 PDT

Comment on attachment 440492 [details] Patch View in context: https://bugs.webkit.org/attachment.cgi?id=440492&action=review r=me > Source/JavaScriptCore/ChangeLog:3 > + Allow DFG to use regCS0 GPR (LLInt metadataTable) on ARMv7 nit: this patch is really doing 2 things: 1. Allow DFG to use this register 2. Make sure tail calls properly restore CSRs in DFG. I'd argue (2) is the really important part. I'd make the title reflect (1) and (2) perhaps, or at least make mention of (2) > Source/JavaScriptCore/jit/CallFrameShuffleData.cpp:63 > + if (saveSlotIndexInCPURegisters < 0) > + saveSlotIndexInCPURegisters -= 1; // Round towards -inf I'm pretty confused as to what this is doing and why it's needed. > Source/JavaScriptCore/jit/CallFrameShuffleData.cpp:64 > + VirtualRegister saveSlot { saveSlotIndexInCPURegisters / 2 }; Why /2?

Geza Lore

Comment 17 2021-10-14 12:37:49 PDT

> I'm pretty confused as to what this is doing and why it's needed. > > > Source/JavaScriptCore/jit/CallFrameShuffleData.cpp:64 > > + VirtualRegister saveSlot { saveSlotIndexInCPURegisters / 2 }; > > Why /2? there are two (32-bit) CPU register save slots per one (64-bit) virtual register slot on the stack. csr0/csr1 both need to map onto the first virual register slot (that's where the prologue puts them), but are in different halves (paload/tag). If we had csr2/csr3 would go into the second virtual register slot, hence the /2 (and the peculiar rounding bias above)

Geza Lore

Comment 18 2021-10-15 01:27:11 PDT

Created attachment 441346 [details] Patch

Angelos Oikonomopoulos

Comment 19 2021-10-15 09:44:29 PDT

Created attachment 441386 [details] [fast-cq] Patch

Angelos Oikonomopoulos

Comment 20 2021-10-15 09:47:04 PDT

Created attachment 441388 [details] [fast-cq] Patch

Angelos Oikonomopoulos

Comment 21 2021-10-15 09:50:10 PDT

Unclear why the patch couldn't be landed via the commit-queue, even though analyze-layout-tests-results passes. https://ews-build.webkit.org/#/builders/28/builds/16221) "Patch 441346 is not marked cq+.". Trying with [fast-cq] in case that makes a difference.

EWS

Comment 22 2021-10-15 10:41:00 PDT

Committed r284255 (243064@main): <https://commits.webkit.org/243064@main> All reviewed patches have been landed. Closing bug and clearing flags on attachment 441388 [details].

WebKit Commit Bot

Comment 23 2021-10-26 16:45:49 PDT

Re-opened since this is blocked by bug 232353

Geza Lore

Comment 24 2021-10-27 04:53:25 PDT

Created attachment 442578 [details] Patch

Geza Lore

Comment 25 2021-10-27 05:47:15 PDT

Fixed C_LOOP breakage on 32-bit (and removed superfluous restore on 64-bit non C_LOOP). Only differences from landed (and reverted) patch are in LowLevelInterpreter*.asm.

Keith Miller

Comment 26 2021-10-27 08:08:18 PDT

Comment on attachment 442578 [details] Patch r=me

EWS

Comment 27 2021-10-27 08:34:48 PDT

Committed r284923 (243594@main): <https://commits.webkit.org/243594@main> All reviewed patches have been landed. Closing bug and clearing flags on attachment 442578 [details].

Note You need to log in before you can comment on or make changes to this bug.