From 206d9f15c433ea0b2bb514f0c14ea275b17a89c9 Mon Sep 17 00:00:00 2001 From: "commit-queue@webkit.org" Date: Sat, 1 Oct 2011 02:14:36 +0000 Subject: [PATCH] DFG operation results are not set correctly in JSVALUE32_64 DFG JIT https://bugs.webkit.org/show_bug.cgi?id=69126 Patch by Yuqiang Xian on 2011-09-30 Reviewed by Gavin Barraclough. The setupResults routine has the bug of reversing the source and destination. Also some other trivial (but stupid) bugs need to be fixed in JSVALUE32_64 DFG JIT. * dfg/DFGJITCodeGenerator.h: (JSC::DFG::setupTwoStubArgs): (JSC::DFG::setupResults): * dfg/DFGJITCodeGenerator32_64.cpp: (JSC::DFG::JITCodeGenerator::fillJSValue): (JSC::DFG::JITCodeGenerator::nonSpeculativeValueToInt32): (JSC::DFG::JITCodeGenerator::nonSpeculativeNonPeepholeCompare): git-svn-id: http://svn.webkit.org/repository/webkit/trunk@96451 268f45cc-cd09-0410-ab3c-d52691b4dbfc
---
 Source/JavaScriptCore/ChangeLog | 18 ++++++++++++++++++
 Source/JavaScriptCore/dfg/DFGJITCodeGenerator.h | 18 ++++++++++++++++--
 Source/JavaScriptCore/dfg/DFGJITCodeGenerator32_64.cpp | 8 +++++---
 3 files changed, 39 insertions(+), 5 deletions(-)
diff --git a/Source/JavaScriptCore/ChangeLog b/Source/JavaScriptCore/ChangeLog
index 4155b13..b4f09be 100644
--- a/Source/JavaScriptCore/ChangeLog
+++ b/Source/JavaScriptCore/ChangeLog
@@ -1,3 +1,21 @@
+2011-09-30 Yuqiang Xian
+
+ DFG operation results are not set correctly in JSVALUE32_64 DFG JIT
+ https://bugs.webkit.org/show_bug.cgi?id=69126
+
+ Reviewed by Gavin Barraclough.
+
+ The setupResults routine has the bug of reversing the source and destination.
+ Also some other trivial (but stupid) bugs need to be fixed in JSVALUE32_64 DFG JIT.
+
+ * dfg/DFGJITCodeGenerator.h:
+ (JSC::DFG::setupTwoStubArgs):
+ (JSC::DFG::setupResults):
+ * dfg/DFGJITCodeGenerator32_64.cpp:
+ (JSC::DFG::JITCodeGenerator::fillJSValue):
+ (JSC::DFG::JITCodeGenerator::nonSpeculativeValueToInt32):
+ (JSC::DFG::JITCodeGenerator::nonSpeculativeNonPeepholeCompare):
+
 2011-09-30 Gavin Barraclough
 
 Remove toStrictThisObject, toThisString, toThisJSString
diff --git a/Source/JavaScriptCore/dfg/DFGJITCodeGenerator.h b/Source/JavaScriptCore/dfg/DFGJITCodeGenerator.h
index 8ccc358..402994c 100644
--- a/Source/JavaScriptCore/dfg/DFGJITCodeGenerator.h
+++ b/Source/JavaScriptCore/dfg/DFGJITCodeGenerator.h
@@ -921,6 +921,7 @@ protected:
 m_generationInfo[node.virtualRegister()].initConstant(nodeIndex, node.refCount());
 }
 
+#if CPU(X86_64)
 // These methods used to sort arguments into the correct registers.
 template
 void setupTwoStubArgs(GPRReg srcA, GPRReg srcB)
@@ -950,7 +951,6 @@ protected:
 } else
 m_jit.swap(destA, destB);
 }
-#if CPU(X86_64)
 template
 void setupTwoStubArgs(FPRReg srcA, FPRReg srcB)
 {
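Review bot: Moving `#if CPU(X86_64)` above the GPRReg overload of `setupTwoStubArgs` compiles that helper out on every other target, so the comment `// These methods used to sort arguments into the correct registers.` now describes X86_64-only code while the JSVALUE32_64 `setupResults` in the later hunk of this file re-implements the same move/swap ordering by hand, with nothing at either site saying why the two are not shared. A one-line comment at the guard, `// X86_64 only: the JSVALUE32_64 setupResults() below carries its own copy of this move/swap logic.`, would tell the next reader that the duplication is deliberate. The `-950` hunk is the matching removal of the old guard and needs nothing further. The enclosing class body extends beyond both hunks.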
@@ -1182,7 +1182,21 @@ protected:
 
 void setupResults(GPRReg tag, GPRReg payload)
 {
- setupTwoStubArgs(payload, tag);
+ GPRReg srcA = GPRInfo::returnValueGPR;
+ GPRReg srcB = GPRInfo::returnValueGPR2;
+ GPRReg destA = payload;
+ GPRReg destB = tag;
+
+ if (srcB != destA) {
+ // Handle the easy cases - two simple moves.
+ m_jit.move(srcA, destA);
+ m_jit.move(srcB, destB);
+ } else if (srcA != destB) {
+ // Handle the non-swap case - just put srcB in place first.
+ m_jit.move(srcB, destB);
+ m_jit.move(srcA, destA);
+ } else
+ m_jit.swap(destA, destB);
 }
 
 // These methods add calls to C++ helper functions.
diff --git a/Source/JavaScriptCore/dfg/DFGJITCodeGenerator32_64.cpp b/Source/JavaScriptCore/dfg/DFGJITCodeGenerator32_64.cpp
index 0677e32..20a54d4 100644
--- a/Source/JavaScriptCore/dfg/DFGJITCodeGenerator32_64.cpp
+++ b/Source/JavaScriptCore/dfg/DFGJITCodeGenerator32_64.cpp
@@ -253,7 +253,6 @@ bool JITCodeGenerator::fillJSValue(NodeIndex nodeIndex, GPRReg& tagGPR, GPRReg&
 GPRReg gpr = info.gpr();
 // If the register has already been locked we need to take a copy.
 // If not, we'll zero extend in place, so mark on the info that this is now type DataFormatInteger, not DataFormatJSInteger.
- tagGPR = allocate();
 if (m_gprs.isLocked(gpr)) {
 payloadGPR = allocate();
 m_jit.move(gpr, payloadGPR);
@@ -261,6 +260,7 @@ bool JITCodeGenerator::fillJSValue(NodeIndex nodeIndex, GPRReg& tagGPR, GPRReg&
 payloadGPR = gpr;
 m_gprs.lock(gpr);
 }
+ tagGPR = allocate();
 m_jit.move(info.registerFormat() == DataFormatInteger ? JITCompiler::TrustedImm32(JSValue::Int32Tag) : JITCompiler::TrustedImm32(JSValue::CellTag), tagGPR);
 m_gprs.release(gpr);
 m_gprs.retain(tagGPR, virtualRegister, SpillOrderJS);
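Review bot: The rewritten `setupResults` never says what its two source registers mean; the aliases `srcA`/`srcB`/`destA`/`destB` are the only clue that `GPRInfo::returnValueGPR` carries the payload and `GPRInfo::returnValueGPR2` the tag, which is exactly the pairing the old call got backwards. A header comment, `// A JSValue returned from a C++ call arrives as payload in returnValueGPR and tag in returnValueGPR2; route each into the caller's registers without clobbering the other.`, would make the fix reviewable without reading the helper it replaces. The three branches are correct for distinct `tag`/`payload`, but none of them handles `destA == destB` (both moves would land in the same register), so an `ASSERT(tag != payload);` at the top would catch that caller error in debug builds. The enclosing class body continues outside the hunk.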
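Review bot: The context comment `// If not, we'll zero extend in place, so mark on the info that this is now type DataFormatInteger, not DataFormatJSInteger.` in the `-253` hunk does not describe what this JSVALUE32_64 path does: the lines that follow (in the `-261` hunk) allocate `tagGPR`, move `JSValue::Int32Tag` or `JSValue::CellTag` into it and retain it with `SpillOrderJS`, and nothing zero-extends anything in place, so the wording appears to have been carried over from the 64-bit variant. Suggest replacing that sentence with `// Either way the payload stays in a GPR; the tag is materialized below as Int32Tag or CellTag in a freshly allocated register.`. The relocation of `tagGPR = allocate();` to after the lock/copy of `gpr` also carries no comment saying why the order matters, and without one it is likely to drift back; a one-line why-comment at the new position would pin it (the reason is not visible from these hunks and should be stated by the author). `fillJSValue`'s body continues outside both hunks.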
@@ -386,9 +386,11 @@ void JITCodeGenerator::nonSpeculativeValueToInt32(Node& node)
 
 silentSpillAllRegisters(gpr);
 
- m_jit.moveDouble(fpr, FPRInfo::argumentFPR0);
+ m_jit.subPtr(TrustedImm32(sizeof(double)), JITCompiler::stackPointerRegister);
+ m_jit.storeDouble(fpr, JITCompiler::stackPointerRegister);
 appendCallWithExceptionCheck(toInt32);
 m_jit.move(GPRInfo::returnValueGPR, gpr);
+ m_jit.addPtr(TrustedImm32(sizeof(double)), JITCompiler::stackPointerRegister);
 
 silentFillAllRegisters(gpr);
 
@@ -1353,7 +1355,7 @@ void JITCodeGenerator::nonSpeculativeNonPeepholeCompare(Node& node, MacroAssembl
 } else {
 GPRTemporary resultTag(this, arg1);
 GPRTemporary resultPayload(this, arg1, false);
- GPRReg resultTagGPR = resultPayload.gpr();
+ GPRReg resultTagGPR = resultTag.gpr();
 GPRReg resultPayloadGPR = resultPayload.gpr();
 
 arg1.use();
-- 
2.7.4
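Review bot: The stack pointer is restored with `m_jit.addPtr(TrustedImm32(sizeof(double)), JITCompiler::stackPointerRegister)` only after `appendCallWithExceptionCheck(toInt32)`, so if the exception check branches away the exception path leaves `stackPointerRegister` lowered by `sizeof(double)`; unless the handler re-derives the stack pointer (not visible here), the restore should be emitted before the check, or a comment should state why the imbalance on that path is harmless. The `subPtr`/`storeDouble` pair is also the only indication that the double is now passed on the stack instead of in `FPRInfo::argumentFPR0`; a comment such as `// Pass the double argument on the stack; the subPtr/addPtr pair must stay balanced around the call.` would make the intent explicit. Whether an 8-byte adjustment keeps the call site at the stack alignment the platform ABI expects is likewise not visible from this hunk and is worth confirming. `nonSpeculativeValueToInt32`'s body continues outside the hunk.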
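Review bot: The corrected line `GPRReg resultTagGPR = resultTag.gpr();` in the `-1353` hunk fixes an aliasing of the tag and payload registers that no assertion guarded, so the same slip could recur silently; adding `ASSERT(resultTagGPR != resultPayloadGPR);` immediately after the two `GPRReg` declarations would turn a repeat into a debug-build failure. Whether `GPRTemporary resultPayload(this, arg1, false)` is guaranteed to yield a register distinct from `resultTag` is not visible from this hunk, which is one more reason to assert it rather than assume it. `nonSpeculativeNonPeepholeCompare`'s body continues outside the hunk.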