path: root/Source/JavaScriptCore/ftl/FTLOperations.cpp
authorKonstantin Tokarev <annulen@yandex.ru>2016-08-25 19:20:41 +0300
committerKonstantin Tokarev <annulen@yandex.ru>2017-02-02 12:30:55 +0000
commit6882a04fb36642862b11efe514251d32070c3d65 (patch)
treeb7959826000b061fd5ccc7512035c7478742f7b0 /Source/JavaScriptCore/ftl/FTLOperations.cpp
parentab6df191029eeeb0b0f16f127d553265659f739e (diff)
Imported QtWebKit TP3 (git b57bc6801f1876c3220d5a4bfea33d620d477443)
Change-Id: I3b1d8a2808782c9f34d50240000e20cb38d3680f Reviewed-by: Konstantin Tokarev <annulen@yandex.ru>
Diffstat (limited to 'Source/JavaScriptCore/ftl/FTLOperations.cpp')
-rw-r--r--Source/JavaScriptCore/ftl/FTLOperations.cpp378
1 files changed, 378 insertions, 0 deletions
diff --git a/Source/JavaScriptCore/ftl/FTLOperations.cpp b/Source/JavaScriptCore/ftl/FTLOperations.cpp
new file mode 100644
index 000000000..45c5bb9d5
--- /dev/null
+++ b/Source/JavaScriptCore/ftl/FTLOperations.cpp
@@ -0,0 +1,378 @@
+/*
+ * Copyright (C) 2014, 2015 Apple Inc. All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY APPLE INC. ``AS IS'' AND ANY
+ * EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL APPLE INC. OR
+ * CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL,
+ * EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
+ * PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
+ * PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY
+ * OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+ * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+#include "config.h"
+#include "FTLOperations.h"
+
+#if ENABLE(FTL_JIT)
+
+#include "ClonedArguments.h"
+#include "DirectArguments.h"
+#include "FTLJITCode.h"
+#include "FTLLazySlowPath.h"
+#include "InlineCallFrame.h"
+#include "JSCInlines.h"
+#include "JSGeneratorFunction.h"
+#include "JSLexicalEnvironment.h"
+
+namespace JSC { namespace FTL {
+
+using namespace JSC::DFG;
+
+extern "C" JSCell* JIT_OPERATION operationNewObjectWithButterfly(ExecState* exec, Structure* structure)
+{
+ VM& vm = exec->vm();
+ NativeCallFrameTracer tracer(&vm, exec);
+
+ Butterfly* butterfly = Butterfly::create(
+ vm, nullptr, 0, structure->outOfLineCapacity(), false, IndexingHeader(), 0);
+
+ JSObject* result = JSFinalObject::create(exec, structure, butterfly);
+ result->butterfly(); // Ensure that the butterfly is in to-space.
+ return result;
+}
+
+extern "C" void JIT_OPERATION operationPopulateObjectInOSR(
+ ExecState* exec, ExitTimeObjectMaterialization* materialization,
+ EncodedJSValue* encodedValue, EncodedJSValue* values)
+{
+ VM& vm = exec->vm();
+ CodeBlock* codeBlock = exec->codeBlock();
+
+ // We cannot GC. We've got pointers in evil places.
+ // FIXME: We are not doing anything that can GC here, and this is
+ // probably unnecessary.
+ DeferGCForAWhile deferGC(vm.heap);
+
+ switch (materialization->type()) {
+ case PhantomNewObject: {
+ JSFinalObject* object = jsCast<JSFinalObject*>(JSValue::decode(*encodedValue));
+ Structure* structure = object->structure();
+
+ // Figure out what the heck to populate the object with. Use
+ // getPropertiesConcurrently() because that happens to be
+ // lower-level and more convenient. It doesn't change the
+ // materialization of the property table. We want to have
+ // minimal visible effects on the system. Also, don't mind
+ // that this is O(n^2). It doesn't matter. We only get here
+ // from OSR exit.
+ for (PropertyMapEntry entry : structure->getPropertiesConcurrently()) {
+ for (unsigned i = materialization->properties().size(); i--;) {
+ const ExitPropertyValue& property = materialization->properties()[i];
+ if (property.location().kind() != NamedPropertyPLoc)
+ continue;
+ if (codeBlock->identifier(property.location().info()).impl() != entry.key)
+ continue;
+
+ object->putDirect(vm, entry.offset, JSValue::decode(values[i]));
+ }
+ }
+ break;
+ }
+
+ case PhantomNewFunction:
+ case PhantomNewGeneratorFunction:
+ case PhantomDirectArguments:
+ case PhantomClonedArguments:
+ // Those are completely handled by operationMaterializeObjectInOSR
+ break;
+
+ case PhantomCreateActivation: {
+ JSLexicalEnvironment* activation = jsCast<JSLexicalEnvironment*>(JSValue::decode(*encodedValue));
+
+ // Figure out what to populate the activation with
+ for (unsigned i = materialization->properties().size(); i--;) {
+ const ExitPropertyValue& property = materialization->properties()[i];
+ if (property.location().kind() != ClosureVarPLoc)
+ continue;
+
+ activation->variableAt(ScopeOffset(property.location().info())).set(exec->vm(), activation, JSValue::decode(values[i]));
+ }
+
+ break;
+ }
+
+
+ default:
+ RELEASE_ASSERT_NOT_REACHED();
+ break;
+
+ }
+}
+
+extern "C" JSCell* JIT_OPERATION operationMaterializeObjectInOSR(
+ ExecState* exec, ExitTimeObjectMaterialization* materialization, EncodedJSValue* values)
+{
+ VM& vm = exec->vm();
+
+ // We cannot GC. We've got pointers in evil places.
+ DeferGCForAWhile deferGC(vm.heap);
+
+ switch (materialization->type()) {
+ case PhantomNewObject: {
+ // Figure out what the structure is
+ Structure* structure = nullptr;
+ for (unsigned i = materialization->properties().size(); i--;) {
+ const ExitPropertyValue& property = materialization->properties()[i];
+ if (property.location() != PromotedLocationDescriptor(StructurePLoc))
+ continue;
+
+ structure = jsCast<Structure*>(JSValue::decode(values[i]));
+ break;
+ }
+ RELEASE_ASSERT(structure);
+
+ JSFinalObject* result = JSFinalObject::create(vm, structure);
+
+ // The real values will be put subsequently by
+ // operationPopulateNewObjectInOSR. We can't fill them in
+ // now, because they may not be available yet (typically
+ // because we have a cyclic dependency graph).
+
+ // We put a dummy value here in order to avoid super-subtle
+ // GC-and-OSR-exit crashes in case we have a bug and some
+ // field is, for any reason, not filled later.
+ // We use a random-ish number instead of a sensible value like
+ // undefined to make possible bugs easier to track.
+ for (PropertyMapEntry entry : structure->getPropertiesConcurrently())
+ result->putDirect(vm, entry.offset, jsNumber(19723));
+
+ return result;
+ }
+
+ case PhantomNewFunction:
+ case PhantomNewGeneratorFunction: {
+ // Figure out what the executable and activation are
+ FunctionExecutable* executable = nullptr;
+ JSScope* activation = nullptr;
+ for (unsigned i = materialization->properties().size(); i--;) {
+ const ExitPropertyValue& property = materialization->properties()[i];
+ if (property.location() == PromotedLocationDescriptor(FunctionExecutablePLoc))
+ executable = jsCast<FunctionExecutable*>(JSValue::decode(values[i]));
+ if (property.location() == PromotedLocationDescriptor(FunctionActivationPLoc))
+ activation = jsCast<JSScope*>(JSValue::decode(values[i]));
+ }
+ RELEASE_ASSERT(executable && activation);
+
+ if (materialization->type() == PhantomNewFunction)
+ return JSFunction::createWithInvalidatedReallocationWatchpoint(vm, executable, activation);
+ ASSERT(materialization->type() == PhantomNewGeneratorFunction);
+ return JSGeneratorFunction::createWithInvalidatedReallocationWatchpoint(vm, executable, activation);
+ }
+
+ case PhantomCreateActivation: {
+ // Figure out what the scope and symbol table are
+ JSScope* scope = nullptr;
+ SymbolTable* table = nullptr;
+ for (unsigned i = materialization->properties().size(); i--;) {
+ const ExitPropertyValue& property = materialization->properties()[i];
+ if (property.location() == PromotedLocationDescriptor(ActivationScopePLoc))
+ scope = jsCast<JSScope*>(JSValue::decode(values[i]));
+ else if (property.location() == PromotedLocationDescriptor(ActivationSymbolTablePLoc))
+ table = jsCast<SymbolTable*>(JSValue::decode(values[i]));
+ }
+ RELEASE_ASSERT(scope);
+ RELEASE_ASSERT(table);
+
+ CodeBlock* codeBlock = baselineCodeBlockForOriginAndBaselineCodeBlock(
+ materialization->origin(), exec->codeBlock());
+ Structure* structure = codeBlock->globalObject()->activationStructure();
+
+ // It doesn't matter what values we initialize as bottom values inside the activation constructor because
+ // activation sinking will set bottom values for each slot.
+ // FIXME: Slight optimization would be to create a constructor that doesn't initialize all slots.
+ JSLexicalEnvironment* result = JSLexicalEnvironment::create(vm, structure, scope, table, jsUndefined());
+
+ RELEASE_ASSERT(materialization->properties().size() - 2 == table->scopeSize());
+
+ // The real values will be put subsequently by
+ // operationPopulateNewObjectInOSR. See the PhantomNewObject
+ // case for details.
+ for (unsigned i = materialization->properties().size(); i--;) {
+ const ExitPropertyValue& property = materialization->properties()[i];
+ if (property.location().kind() != ClosureVarPLoc)
+ continue;
+
+ result->variableAt(ScopeOffset(property.location().info())).set(
+ exec->vm(), result, jsNumber(29834));
+ }
+
+ if (validationEnabled()) {
+ // Validate to make sure every slot in the scope has one value.
+ ConcurrentJITLocker locker(table->m_lock);
+ for (auto iter = table->begin(locker), end = table->end(locker); iter != end; ++iter) {
+ bool found = false;
+ for (unsigned i = materialization->properties().size(); i--;) {
+ const ExitPropertyValue& property = materialization->properties()[i];
+ if (property.location().kind() != ClosureVarPLoc)
+ continue;
+ if (ScopeOffset(property.location().info()) == iter->value.scopeOffset()) {
+ found = true;
+ break;
+ }
+ }
+ ASSERT_UNUSED(found, found);
+ }
+ unsigned numberOfClosureVarPloc = 0;
+ for (unsigned i = materialization->properties().size(); i--;) {
+ const ExitPropertyValue& property = materialization->properties()[i];
+ if (property.location().kind() == ClosureVarPLoc)
+ numberOfClosureVarPloc++;
+ }
+ ASSERT(numberOfClosureVarPloc == table->scopeSize());
+ }
+
+ return result;
+ }
+
+ case PhantomDirectArguments:
+ case PhantomClonedArguments: {
+ if (!materialization->origin().inlineCallFrame) {
+ switch (materialization->type()) {
+ case PhantomDirectArguments:
+ return DirectArguments::createByCopying(exec);
+ case PhantomClonedArguments:
+ return ClonedArguments::createWithMachineFrame(exec, exec, ArgumentsMode::Cloned);
+ default:
+ RELEASE_ASSERT_NOT_REACHED();
+ return nullptr;
+ }
+ }
+
+ // First figure out the argument count. If there isn't one then we represent the machine frame.
+ unsigned argumentCount = 0;
+ if (materialization->origin().inlineCallFrame->isVarargs()) {
+ for (unsigned i = materialization->properties().size(); i--;) {
+ const ExitPropertyValue& property = materialization->properties()[i];
+ if (property.location() != PromotedLocationDescriptor(ArgumentCountPLoc))
+ continue;
+
+ argumentCount = JSValue::decode(values[i]).asUInt32();
+ RELEASE_ASSERT(argumentCount);
+ break;
+ }
+ RELEASE_ASSERT(argumentCount);
+ } else
+ argumentCount = materialization->origin().inlineCallFrame->arguments.size();
+
+ JSFunction* callee = nullptr;
+ if (materialization->origin().inlineCallFrame->isClosureCall) {
+ for (unsigned i = materialization->properties().size(); i--;) {
+ const ExitPropertyValue& property = materialization->properties()[i];
+ if (property.location() != PromotedLocationDescriptor(ArgumentsCalleePLoc))
+ continue;
+
+ callee = jsCast<JSFunction*>(JSValue::decode(values[i]));
+ break;
+ }
+ } else
+ callee = materialization->origin().inlineCallFrame->calleeConstant();
+ RELEASE_ASSERT(callee);
+
+ CodeBlock* codeBlock = baselineCodeBlockForOriginAndBaselineCodeBlock(
+ materialization->origin(), exec->codeBlock());
+
+ // We have an inline frame and we have all of the data we need to recreate it.
+ switch (materialization->type()) {
+ case PhantomDirectArguments: {
+ unsigned length = argumentCount - 1;
+ unsigned capacity = std::max(length, static_cast<unsigned>(codeBlock->numParameters() - 1));
+ DirectArguments* result = DirectArguments::create(
+ vm, codeBlock->globalObject()->directArgumentsStructure(), length, capacity);
+ result->callee().set(vm, result, callee);
+ for (unsigned i = materialization->properties().size(); i--;) {
+ const ExitPropertyValue& property = materialization->properties()[i];
+ if (property.location().kind() != ArgumentPLoc)
+ continue;
+
+ unsigned index = property.location().info();
+ if (index >= capacity)
+ continue;
+
+ // We don't want to use setIndexQuickly(), since that's only for the passed-in
+ // arguments but sometimes the number of named arguments is greater. For
+ // example:
+ //
+ // function foo(a, b, c) { ... }
+ // foo();
+ //
+ // setIndexQuickly() would fail for indices 0, 1, 2 - but we need to recover
+ // those here.
+ result->argument(DirectArgumentsOffset(index)).set(
+ vm, result, JSValue::decode(values[i]));
+ }
+ return result;
+ }
+ case PhantomClonedArguments: {
+ unsigned length = argumentCount - 1;
+ ClonedArguments* result = ClonedArguments::createEmpty(
+ vm, codeBlock->globalObject()->outOfBandArgumentsStructure(), callee);
+
+ for (unsigned i = materialization->properties().size(); i--;) {
+ const ExitPropertyValue& property = materialization->properties()[i];
+ if (property.location().kind() != ArgumentPLoc)
+ continue;
+
+ unsigned index = property.location().info();
+ if (index >= length)
+ continue;
+ result->putDirectIndex(exec, index, JSValue::decode(values[i]));
+ }
+
+ result->putDirect(vm, vm.propertyNames->length, jsNumber(length));
+ return result;
+ }
+ default:
+ RELEASE_ASSERT_NOT_REACHED();
+ return nullptr;
+ }
+ }
+
+ default:
+ RELEASE_ASSERT_NOT_REACHED();
+ return nullptr;
+ }
+}
+
+extern "C" void* JIT_OPERATION compileFTLLazySlowPath(ExecState* exec, unsigned index)
+{
+ VM& vm = exec->vm();
+
+ // We cannot GC. We've got pointers in evil places.
+ DeferGCForAWhile deferGC(vm.heap);
+
+ CodeBlock* codeBlock = exec->codeBlock();
+ JITCode* jitCode = codeBlock->jitCode()->ftl();
+
+ LazySlowPath& lazySlowPath = *jitCode->lazySlowPaths[index];
+ lazySlowPath.generate(codeBlock);
+
+ return lazySlowPath.stub().code().executableAddress();
+}
+
+} } // namespace JSC::FTL
+
+#endif // ENABLE(FTL_JIT)
+
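Review bot: The comments in the PhantomNewObject and PhantomCreateActivation cases of operationMaterializeObjectInOSR say the real values are filled in later by `operationPopulateNewObjectInOSR`, but the function declared earlier in this file that does that work is `operationPopulateObjectInOSR`; the two comment lines should read `// operationPopulateObjectInOSR. We can't fill them in` and `// operationPopulateObjectInOSR. See the PhantomNewObject`. In the PhantomDirectArguments/PhantomClonedArguments case, `unsigned length = argumentCount - 1;` depends on argumentCount being at least 1: the varargs path pins this with `RELEASE_ASSERT(argumentCount)`, but the non-varargs path assigns `inlineCallFrame->arguments.size()` unchecked, so if that count can ever be zero the subtraction wraps and `length`/`capacity` become huge before the `index >= capacity` and `index >= length` guards are applied; moving a single `RELEASE_ASSERT(argumentCount);` below the if/else would cover both paths and let the duplicate assert inside the loop go. The validation block guarded by `validationEnabled()` reports its findings only through `ASSERT_UNUSED` and `ASSERT`, which, if they follow the usual WTF semantics, compile out in release builds, leaving those loops with no observable effect when validation is switched on at runtime; consider `RELEASE_ASSERT` there so the runtime flag actually checks something.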