RESOLVED FIXED Bug 230622
[JSC][32bit] Fix CSR restore on DFG tail calls, add extra register on ARMv7 
https://bugs.webkit.org/show_bug.cgi?id=230622
Summary [JSC][32bit] Fix CSR restore on DFG tail calls, add extra register on ARMv7
Geza Lore
Reported 2021-09-22 06:24:30 PDT
Allow DFG to use regCS0 GPR (LLInt metadataTable) on ARMv7
Attachments
Patch (3.88 KB, patch)
2021-09-22 06:33 PDT, Geza Lore 		no flags
DetailsFormatted DiffDiff
Patch (20.50 KB, patch)
2021-09-27 15:37 PDT, Geza Lore 		no flags
DetailsFormatted DiffDiff
Patch (20.54 KB, patch)
2021-09-27 16:02 PDT, Geza Lore 		no flags
DetailsFormatted DiffDiff
Patch (19.32 KB, patch)
2021-09-28 04:34 PDT, Geza Lore 		no flags
DetailsFormatted DiffDiff
Patch (19.35 KB, patch)
2021-09-28 04:45 PDT, Geza Lore 		no flags
DetailsFormatted DiffDiff
Patch (19.31 KB, patch)
2021-09-28 04:48 PDT, Geza Lore 		no flags
DetailsFormatted DiffDiff
Patch (19.34 KB, patch)
2021-10-05 14:03 PDT, Geza Lore 		no flags
DetailsFormatted DiffDiff
Patch (19.44 KB, patch)
2021-10-05 14:05 PDT, Geza Lore 		no flags
DetailsFormatted DiffDiff
Patch (19.44 KB, patch)
2021-10-07 02:56 PDT, Geza Lore 		no flags
DetailsFormatted DiffDiff
Patch (19.58 KB, patch)
2021-10-15 01:27 PDT, Geza Lore 		no flags
DetailsFormatted DiffDiff
[fast-cq] Patch (19.58 KB, patch)
2021-10-15 09:44 PDT, Angelos Oikonomopoulos 		no flags
DetailsFormatted DiffDiff
[fast-cq] Patch (19.58 KB, patch)
2021-10-15 09:47 PDT, Angelos Oikonomopoulos 		no flags
DetailsFormatted DiffDiff
Patch (21.35 KB, patch)
2021-10-27 04:53 PDT, Geza Lore 		no flags
DetailsFormatted DiffDiff
Show Obsolete (11) View All Add attachment proposed patch, testcase, etc.
Geza Lore
Comment 1 2021-09-22 06:33:35 PDT
Created attachment 438945 [details] Patch
Yusuke Suzuki
Comment 2 2021-09-22 14:35:58 PDT
Comment on attachment 438945 [details] Patch View in context: https://bugs.webkit.org/attachment.cgi?id=438945&action=review > Source/JavaScriptCore/llint/LowLevelInterpreter32_64.asm:83 > + loadp CodeBlock::m_metadata[PB], metadataTable This looks incorrect to me since it is callee-save. If DFG uses it, then DFG should restore it, not LLInt.
Geza Lore
Comment 3 2021-09-22 14:54:26 PDT
I see your argument, but PB is restored on the line below, which is also a callee save, and that restore is necessary as DFG doesn't restore that either. Is that restore of PB wrong as well in this case?
Geza Lore
Comment 4 2021-09-27 15:37:52 PDT
Created attachment 439402 [details] Patch
Geza Lore
Comment 5 2021-09-27 16:02:03 PDT
Created attachment 439407 [details] Patch
Geza Lore
Comment 6 2021-09-28 04:34:43 PDT
Created attachment 439457 [details] Patch
Geza Lore
Comment 7 2021-09-28 04:45:14 PDT
Created attachment 439458 [details] Patch
Geza Lore
Comment 8 2021-09-28 04:48:35 PDT
Created attachment 439459 [details] Patch
Radar WebKit Bug Importer
Comment 9 2021-09-29 06:25:13 PDT
<rdar://problem/83668548>
Geza Lore
Comment 10 2021-10-05 14:03:08 PDT
Created attachment 440261 [details] Patch
Geza Lore
Comment 11 2021-10-05 14:05:43 PDT
Created attachment 440262 [details] Patch
Geza Lore
Comment 12 2021-10-07 02:56:41 PDT
Created attachment 440492 [details] Patch
Yusuke Suzuki
Comment 13 2021-10-08 15:29:29 PDT
@Saam Do you have an opinion on this change? I'm asking since you are working on unlinked DFG / FTL, so it is possible that metadata register can be used in DFG / FTL.
Saam Barati
Comment 14 2021-10-08 15:51:08 PDT
Comment on attachment 440492 [details] Patch View in context: https://bugs.webkit.org/attachment.cgi?id=440492&action=review > Source/JavaScriptCore/bytecode/ValueRecovery.h:195 > + static ValueRecovery calleeSaveRegDisplacedInJSStack(VirtualRegister virtualReg, bool inTag) why is the implication here that we're dealing with an Int32?
Geza Lore
Comment 15 2021-10-09 02:52:48 PDT
Comment on attachment 440492 [details] Patch View in context: https://bugs.webkit.org/attachment.cgi?id=440492&action=review >> Source/JavaScriptCore/bytecode/ValueRecovery.h:195 >> + static ValueRecovery calleeSaveRegDisplacedInJSStack(VirtualRegister virtualReg, bool inTag) > > why is the implication here that we're dealing with an Int32? On 32-bit platforms up to two 32-bit machine registers (which look like Int32) are stored in a single 64-bit VirtualRegister slot on the stack on procedure entry. Reusing the Int32 recovery mechanism takes care of restoring the one stored in the "payload" half of the VReg. I added the Int32Tag mechanism to restore the other 32-bit machine reg from the other half of the VReg.
Saam Barati
Comment 16 2021-10-14 11:51:57 PDT
Comment on attachment 440492 [details] Patch View in context: https://bugs.webkit.org/attachment.cgi?id=440492&action=review r=me > Source/JavaScriptCore/ChangeLog:3 > + Allow DFG to use regCS0 GPR (LLInt metadataTable) on ARMv7 nit: this patch is really doing 2 things: 1. Allow DFG to use this register 2. Make sure tail calls properly restore CSRs in DFG. I'd argue (2) is the really important part. I'd make the title reflect (1) and (2) perhaps, or at least make mention of (2) > Source/JavaScriptCore/jit/CallFrameShuffleData.cpp:63 > + if (saveSlotIndexInCPURegisters < 0) > + saveSlotIndexInCPURegisters -= 1; // Round towards -inf I'm pretty confused as to what this is doing and why it's needed. > Source/JavaScriptCore/jit/CallFrameShuffleData.cpp:64 > + VirtualRegister saveSlot { saveSlotIndexInCPURegisters / 2 }; Why /2?
Geza Lore
Comment 17 2021-10-14 12:37:49 PDT
> I'm pretty confused as to what this is doing and why it's needed. > > > Source/JavaScriptCore/jit/CallFrameShuffleData.cpp:64 > > + VirtualRegister saveSlot { saveSlotIndexInCPURegisters / 2 }; > > Why /2? there are two (32-bit) CPU register save slots per one (64-bit) virtual register slot on the stack. csr0/csr1 both need to map onto the first virual register slot (that's where the prologue puts them), but are in different halves (paload/tag). If we had csr2/csr3 would go into the second virtual register slot, hence the /2 (and the peculiar rounding bias above)
Geza Lore
Comment 18 2021-10-15 01:27:11 PDT
Created attachment 441346 [details] Patch
Angelos Oikonomopoulos
Comment 19 2021-10-15 09:44:29 PDT
Created attachment 441386 [details] [fast-cq] Patch
Angelos Oikonomopoulos
Comment 20 2021-10-15 09:47:04 PDT
Created attachment 441388 [details] [fast-cq] Patch
Angelos Oikonomopoulos
Comment 21 2021-10-15 09:50:10 PDT
Unclear why the patch couldn't be landed via the commit-queue, even though analyze-layout-tests-results passes. https://ews-build.webkit.org/#/builders/28/builds/16221) "Patch 441346 is not marked cq+.". Trying with [fast-cq] in case that makes a difference.
EWS
Comment 22 2021-10-15 10:41:00 PDT
Committed r284255 (243064@main): <https://commits.webkit.org/243064@main> All reviewed patches have been landed. Closing bug and clearing flags on attachment 441388 [details].
WebKit Commit Bot
Comment 23 2021-10-26 16:45:49 PDT
Re-opened since this is blocked by bug 232353
Geza Lore
Comment 24 2021-10-27 04:53:25 PDT
Created attachment 442578 [details] Patch
Geza Lore
Comment 25 2021-10-27 05:47:15 PDT
Fixed C_LOOP breakage on 32-bit (and removed superfluous restore on 64-bit non C_LOOP). Only differences from landed (and reverted) patch are in LowLevelInterpreter*.asm.
Keith Miller
Comment 26 2021-10-27 08:08:18 PDT
Comment on attachment 442578 [details] Patch r=me
EWS
Comment 27 2021-10-27 08:34:48 PDT
Committed r284923 (243594@main): <https://commits.webkit.org/243594@main> All reviewed patches have been landed. Closing bug and clearing flags on attachment 442578 [details].
Note You need to log in before you can comment on or make changes to this bug.