<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN"
"http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head><meta http-equiv="content-type" content="text/html; charset=utf-8" />
<title>[205283] trunk/Source/JavaScriptCore</title>
</head>
<body>
<style type="text/css"><!--
#msg dl.meta { border: 1px #006 solid; background: #369; padding: 6px; color: #fff; }
#msg dl.meta dt { float: left; width: 6em; font-weight: bold; }
#msg dt:after { content:':';}
#msg dl, #msg dt, #msg ul, #msg li, #header, #footer, #logmsg { font-family: verdana,arial,helvetica,sans-serif; font-size: 10pt; }
#msg dl a { font-weight: bold}
#msg dl a:link { color:#fc3; }
#msg dl a:active { color:#ff0; }
#msg dl a:visited { color:#cc6; }
h3 { font-family: verdana,arial,helvetica,sans-serif; font-size: 10pt; font-weight: bold; }
#msg pre { overflow: auto; background: #ffc; border: 1px #fa0 solid; padding: 6px; }
#logmsg { background: #ffc; border: 1px #fa0 solid; padding: 1em 1em 0 1em; }
#logmsg p, #logmsg pre, #logmsg blockquote { margin: 0 0 1em 0; }
#logmsg p, #logmsg li, #logmsg dt, #logmsg dd { line-height: 14pt; }
#logmsg h1, #logmsg h2, #logmsg h3, #logmsg h4, #logmsg h5, #logmsg h6 { margin: .5em 0; }
#logmsg h1:first-child, #logmsg h2:first-child, #logmsg h3:first-child, #logmsg h4:first-child, #logmsg h5:first-child, #logmsg h6:first-child { margin-top: 0; }
#logmsg ul, #logmsg ol { padding: 0; list-style-position: inside; margin: 0 0 0 1em; }
#logmsg ul { text-indent: -1em; padding-left: 1em; }#logmsg ol { text-indent: -1.5em; padding-left: 1.5em; }
#logmsg > ul, #logmsg > ol { margin: 0 0 1em 0; }
#logmsg pre { background: #eee; padding: 1em; }
#logmsg blockquote { border: 1px solid #fa0; border-left-width: 10px; padding: 1em 1em 0 1em; background: white;}
#logmsg dl { margin: 0; }
#logmsg dt { font-weight: bold; }
#logmsg dd { margin: 0; padding: 0 0 0.5em 0; }
#logmsg dd:before { content:'\00bb';}
#logmsg table { border-spacing: 0px; border-collapse: collapse; border-top: 4px solid #fa0; border-bottom: 1px solid #fa0; background: #fff; }
#logmsg table th { text-align: left; font-weight: normal; padding: 0.2em 0.5em; border-top: 1px dotted #fa0; }
#logmsg table td { text-align: right; border-top: 1px dotted #fa0; padding: 0.2em 0.5em; }
#logmsg table thead th { text-align: center; border-bottom: 1px solid #fa0; }
#logmsg table th.Corner { text-align: left; }
#logmsg hr { border: none 0; border-top: 2px dashed #fa0; height: 1px; }
#header, #footer { color: #fff; background: #636; border: 1px #300 solid; padding: 6px; }
#patch { width: 100%; }
#patch h4 {font-family: verdana,arial,helvetica,sans-serif;font-size:10pt;padding:8px;background:#369;color:#fff;margin:0;}
#patch .propset h4, #patch .binary h4 {margin:0;}
#patch pre {padding:0;line-height:1.2em;margin:0;}
#patch .diff {width:100%;background:#eee;padding: 0 0 10px 0;overflow:auto;}
#patch .propset .diff, #patch .binary .diff {padding:10px 0;}
#patch span {display:block;padding:0 10px;}
#patch .modfile, #patch .addfile, #patch .delfile, #patch .propset, #patch .binary, #patch .copfile {border:1px solid #ccc;margin:10px 0;}
#patch ins {background:#dfd;text-decoration:none;display:block;padding:0 10px;}
#patch del {background:#fdd;text-decoration:none;display:block;padding:0 10px;}
#patch .lines, .info {color:#888;background:#fff;}
--></style>
<div id="msg">
<dl class="meta">
<dt>Revision</dt> <dd><a href="http://trac.webkit.org/projects/webkit/changeset/205283">205283</a></dd>
<dt>Author</dt> <dd>sbarati@apple.com</dd>
<dt>Date</dt> <dd>2016-09-01 01:22:21 -0700 (Thu, 01 Sep 2016)</dd>
</dl>
<h3>Log Message</h3>
<pre>JITMathIC was misusing maxJumpReplacementSize
https://bugs.webkit.org/show_bug.cgi?id=161356
<rdar://problem/28065560>
Reviewed by Benjamin Poulain.
JITMathIC was assuming that maxJumpReplacementSize is the size
you'd get if you emitted a patchableJump() using the macro assembler.
This is not true, however. It happens to be true on arm64, x86 and x86-64,
however, it is not true on armv7. This patch introduces an alternative to
maxJumpReplacementSize called patchableJumpSize, and switches JITMathIC
to use that number instead.
* assembler/ARM64Assembler.h:
(JSC::ARM64Assembler::patchableJumpSize):
(JSC::ARM64Assembler::maxJumpReplacementSize): Deleted.
* assembler/ARMv7Assembler.h:
(JSC::ARMv7Assembler::patchableJumpSize):
(JSC::ARMv7Assembler::maxJumpReplacementSize): Deleted.
* assembler/MacroAssemblerARM64.h:
(JSC::MacroAssemblerARM64::patchableJumpSize):
* assembler/MacroAssemblerARMv7.h:
(JSC::MacroAssemblerARMv7::patchableJumpSize):
* assembler/MacroAssemblerX86Common.h:
(JSC::MacroAssemblerX86Common::patchableJumpSize):
* assembler/X86Assembler.h:
(JSC::X86Assembler::patchableJumpSize):
(JSC::X86Assembler::maxJumpReplacementSize): Deleted.
* jit/JITMathIC.h:
(JSC::JITMathIC::generateInline):</pre>
<h3>Modified Paths</h3>
<ul>
<li><a href="#trunkSourceJavaScriptCoreChangeLog">trunk/Source/JavaScriptCore/ChangeLog</a></li>
<li><a href="#trunkSourceJavaScriptCoreassemblerARM64Assemblerh">trunk/Source/JavaScriptCore/assembler/ARM64Assembler.h</a></li>
<li><a href="#trunkSourceJavaScriptCoreassemblerARMv7Assemblerh">trunk/Source/JavaScriptCore/assembler/ARMv7Assembler.h</a></li>
<li><a href="#trunkSourceJavaScriptCoreassemblerMacroAssemblerARM64h">trunk/Source/JavaScriptCore/assembler/MacroAssemblerARM64.h</a></li>
<li><a href="#trunkSourceJavaScriptCoreassemblerMacroAssemblerARMv7h">trunk/Source/JavaScriptCore/assembler/MacroAssemblerARMv7.h</a></li>
<li><a href="#trunkSourceJavaScriptCoreassemblerMacroAssemblerX86Commonh">trunk/Source/JavaScriptCore/assembler/MacroAssemblerX86Common.h</a></li>
<li><a href="#trunkSourceJavaScriptCoreassemblerX86Assemblerh">trunk/Source/JavaScriptCore/assembler/X86Assembler.h</a></li>
<li><a href="#trunkSourceJavaScriptCorejitJITMathICh">trunk/Source/JavaScriptCore/jit/JITMathIC.h</a></li>
</ul>
</div>
<div id="patch">
<h3>Diff</h3>
<a id="trunkSourceJavaScriptCoreChangeLog"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/ChangeLog (205282 => 205283)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/ChangeLog 2016-09-01 07:37:19 UTC (rev 205282)
+++ trunk/Source/JavaScriptCore/ChangeLog 2016-09-01 08:22:21 UTC (rev 205283)
</span><span class="lines">@@ -1,3 +1,36 @@
</span><ins>+2016-09-01 Saam Barati <sbarati@apple.com>
+
+ JITMathIC was misusing maxJumpReplacementSize
+ https://bugs.webkit.org/show_bug.cgi?id=161356
+ <rdar://problem/28065560>
+
+ Reviewed by Benjamin Poulain.
+
+ JITMathIC was assuming that maxJumpReplacementSize is the size
+ you'd get if you emitted a patchableJump() using the macro assembler.
+ This is not true, however. It happens to be true on arm64, x86 and x86-64,
+ however, it is not true on armv7. This patch introduces an alternative to
+ maxJumpReplacementSize called patchableJumpSize, and switches JITMathIC
+ to use that number instead.
+
+ * assembler/ARM64Assembler.h:
+ (JSC::ARM64Assembler::patchableJumpSize):
+ (JSC::ARM64Assembler::maxJumpReplacementSize): Deleted.
+ * assembler/ARMv7Assembler.h:
+ (JSC::ARMv7Assembler::patchableJumpSize):
+ (JSC::ARMv7Assembler::maxJumpReplacementSize): Deleted.
+ * assembler/MacroAssemblerARM64.h:
+ (JSC::MacroAssemblerARM64::patchableJumpSize):
+ * assembler/MacroAssemblerARMv7.h:
+ (JSC::MacroAssemblerARMv7::patchableJumpSize):
+ * assembler/MacroAssemblerX86Common.h:
+ (JSC::MacroAssemblerX86Common::patchableJumpSize):
+ * assembler/X86Assembler.h:
+ (JSC::X86Assembler::patchableJumpSize):
+ (JSC::X86Assembler::maxJumpReplacementSize): Deleted.
+ * jit/JITMathIC.h:
+ (JSC::JITMathIC::generateInline):
+
</ins><span class="cx"> 2016-08-31 Yusuke Suzuki <utatane.tea@gmail.com>
</span><span class="cx">
</span><span class="cx"> [JSC] Add initiator parameter to module pipeline
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoreassemblerARM64Assemblerh"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/assembler/ARM64Assembler.h (205282 => 205283)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/assembler/ARM64Assembler.h 2016-09-01 07:37:19 UTC (rev 205282)
+++ trunk/Source/JavaScriptCore/assembler/ARM64Assembler.h 2016-09-01 08:22:21 UTC (rev 205283)
</span><span class="lines">@@ -2512,6 +2512,11 @@
</span><span class="cx"> {
</span><span class="cx"> return 4;
</span><span class="cx"> }
</span><ins>+
+ static constexpr ptrdiff_t patchableJumpSize()
+ {
+ return 4;
+ }
</ins><span class="cx">
</span><span class="cx"> static void replaceWithLoad(void* where)
</span><span class="cx"> {
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoreassemblerARMv7Assemblerh"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/assembler/ARMv7Assembler.h (205282 => 205283)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/assembler/ARMv7Assembler.h 2016-09-01 07:37:19 UTC (rev 205282)
+++ trunk/Source/JavaScriptCore/assembler/ARMv7Assembler.h 2016-09-01 08:22:21 UTC (rev 205283)
</span><span class="lines">@@ -2340,6 +2340,11 @@
</span><span class="cx"> return 4;
</span><span class="cx"> #endif
</span><span class="cx"> }
</span><ins>+
+ static constexpr ptrdiff_t patchableJumpSize()
+ {
+ return 10;
+ }
</ins><span class="cx">
</span><span class="cx"> static void replaceWithLoad(void* instructionStart)
</span><span class="cx"> {
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoreassemblerMacroAssemblerARM64h"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/assembler/MacroAssemblerARM64.h (205282 => 205283)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/assembler/MacroAssemblerARM64.h 2016-09-01 07:37:19 UTC (rev 205282)
+++ trunk/Source/JavaScriptCore/assembler/MacroAssemblerARM64.h 2016-09-01 08:22:21 UTC (rev 205283)
</span><span class="lines">@@ -3249,6 +3249,11 @@
</span><span class="cx"> return ARM64Assembler::maxJumpReplacementSize();
</span><span class="cx"> }
</span><span class="cx">
</span><ins>+ static ptrdiff_t patchableJumpSize()
+ {
+ return ARM64Assembler::patchableJumpSize();
+ }
+
</ins><span class="cx"> RegisterID scratchRegisterForBlinding()
</span><span class="cx"> {
</span><span class="cx"> // We *do not* have a scratch register for blinding.
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoreassemblerMacroAssemblerARMv7h"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/assembler/MacroAssemblerARMv7.h (205282 => 205283)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/assembler/MacroAssemblerARMv7.h 2016-09-01 07:37:19 UTC (rev 205282)
+++ trunk/Source/JavaScriptCore/assembler/MacroAssemblerARMv7.h 2016-09-01 08:22:21 UTC (rev 205283)
</span><span class="lines">@@ -1350,6 +1350,11 @@
</span><span class="cx"> return ARMv7Assembler::maxJumpReplacementSize();
</span><span class="cx"> }
</span><span class="cx">
</span><ins>+ static ptrdiff_t patchableJumpSize()
+ {
+ return ARMv7Assembler::patchableJumpSize();
+ }
+
</ins><span class="cx"> // Forwards / external control flow operations:
</span><span class="cx"> //
</span><span class="cx"> // This set of jump and conditional branch operations return a Jump
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoreassemblerMacroAssemblerX86Commonh"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/assembler/MacroAssemblerX86Common.h (205282 => 205283)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/assembler/MacroAssemblerX86Common.h 2016-09-01 07:37:19 UTC (rev 205282)
+++ trunk/Source/JavaScriptCore/assembler/MacroAssemblerX86Common.h 2016-09-01 08:22:21 UTC (rev 205283)
</span><span class="lines">@@ -2633,6 +2633,11 @@
</span><span class="cx"> return X86Assembler::maxJumpReplacementSize();
</span><span class="cx"> }
</span><span class="cx">
</span><ins>+ static ptrdiff_t patchableJumpSize()
+ {
+ return X86Assembler::patchableJumpSize();
+ }
+
</ins><span class="cx"> static bool supportsFloatingPointRounding()
</span><span class="cx"> {
</span><span class="cx"> if (s_sse4_1CheckState == CPUIDCheckState::NotChecked)
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoreassemblerX86Assemblerh"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/assembler/X86Assembler.h (205282 => 205283)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/assembler/X86Assembler.h 2016-09-01 07:37:19 UTC (rev 205282)
+++ trunk/Source/JavaScriptCore/assembler/X86Assembler.h 2016-09-01 08:22:21 UTC (rev 205283)
</span><span class="lines">@@ -2813,6 +2813,11 @@
</span><span class="cx"> {
</span><span class="cx"> return 5;
</span><span class="cx"> }
</span><ins>+
+ static constexpr ptrdiff_t patchableJumpSize()
+ {
+ return 5;
+ }
</ins><span class="cx">
</span><span class="cx"> #if CPU(X86_64)
</span><span class="cx"> static void revertJumpTo_movq_i64r(void* instructionStart, int64_t imm, RegisterID dst)
</span></span></pre></div>
<a id="trunkSourceJavaScriptCorejitJITMathICh"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/jit/JITMathIC.h (205282 => 205283)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/jit/JITMathIC.h 2016-09-01 07:37:19 UTC (rev 205282)
+++ trunk/Source/JavaScriptCore/jit/JITMathIC.h 2016-09-01 08:22:21 UTC (rev 205283)
</span><span class="lines">@@ -81,12 +81,12 @@
</span><span class="cx"> // code, it's a win. Second, if the operation does execute, we can emit better code
</span><span class="cx"> // once we have an idea about the types of lhs and rhs.
</span><span class="cx"> state.slowPathJumps.append(jit.patchableJump());
</span><ins>+ size_t inlineSize = jit.m_assembler.buffer().codeSize() - startSize;
+ ASSERT_UNUSED(inlineSize, static_cast<ptrdiff_t>(inlineSize) <= MacroAssembler::patchableJumpSize());
</ins><span class="cx"> state.shouldSlowPathRepatch = true;
</span><span class="cx"> state.fastPathEnd = jit.label();
</span><span class="cx"> ASSERT(!m_generateFastPathOnRepatch); // We should have gathered some observed type info for lhs and rhs before trying to regenerate again.
</span><span class="cx"> m_generateFastPathOnRepatch = true;
</span><del>- size_t inlineSize = jit.m_assembler.buffer().codeSize() - startSize;
- ASSERT_UNUSED(inlineSize, static_cast<ptrdiff_t>(inlineSize) <= MacroAssembler::maxJumpReplacementSize());
</del><span class="cx"> return true;
</span><span class="cx"> }
</span><span class="cx"> }
</span><span class="lines">@@ -96,8 +96,8 @@
</span><span class="cx"> switch (result) {
</span><span class="cx"> case JITMathICInlineResult::GeneratedFastPath: {
</span><span class="cx"> size_t inlineSize = jit.m_assembler.buffer().codeSize() - startSize;
</span><del>- if (static_cast<ptrdiff_t>(inlineSize) < MacroAssembler::maxJumpReplacementSize()) {
- size_t nopsToEmitInBytes = MacroAssembler::maxJumpReplacementSize() - inlineSize;
</del><ins>+ if (static_cast<ptrdiff_t>(inlineSize) < MacroAssembler::patchableJumpSize()) {
+ size_t nopsToEmitInBytes = MacroAssembler::patchableJumpSize() - inlineSize;
</ins><span class="cx"> jit.emitNops(nopsToEmitInBytes);
</span><span class="cx"> }
</span><span class="cx"> state.shouldSlowPathRepatch = true;
</span></span></pre>
</div>
</div>
</body>
</html>