DFG OSR exit doesn't know which virtual register to use for the last result register...
author    fpizlo@apple.com <fpizlo@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
          Wed, 27 Feb 2013 03:52:58 +0000 (03:52 +0000)
committer fpizlo@apple.com <fpizlo@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
          Wed, 27 Feb 2013 03:52:58 +0000 (03:52 +0000)
commit    59c6c1d64945d4e653a38933ffbf9ede4e13df4b
tree      ac83fffa8e1c4741654b51ae1b34d359e87cfde1
parent    02546c17c3b46b704f0a1068197c3c2b4f826127
DFG OSR exit doesn't know which virtual register to use for the last result register for post_inc and post_dec
https://bugs.webkit.org/show_bug.cgi?id=109036
<rdar://problem/13292139>

Source/JavaScriptCore:

Reviewed by Gavin Barraclough.

This was a two-fold problem:

1) post_inc/dec has two results - the new value of the variable, and the old value of the variable. DFG OSR exit
   assumed that the "last result" used for the Baseline JIT's register allocation would be the new value. It was
   wrong in this assumption.

2) The Baseline JIT knew to disable its last result optimization in cases where it might confuse the DFG. But it
   was doing this only for code blocks that could be totally optimized, but not code blocks that could only be
   optimized when inlined.

This patch introduces a more rigorous notion of when the Baseline JIT emits profiling, when it does extra work
to account for the possibility of OSR exit, and when it does extra work to account for the possibility of OSR
entry. These notions are called shouldEmitProfiling(), canBeOptimizedOrInlined(), and canBeOptimized(),
respectively.

This is performance-neutral and fixes the reported bug. It probably fixes other bugs as well, since previously
we for example weren't doing the more conservative implementation of op_mov in the Baseline JIT for code blocks
that could be inlined but not optimized. So, if such a code block OSR exited at just the right point, you'd get
symptoms similar to this bug.

* dfg/DFGCapabilities.h:
(JSC::DFG::canCompileOpcode):
* dfg/DFGCommon.h:
* jit/JIT.cpp:
(JSC::JIT::privateCompile):
* jit/JIT.h:
(JSC::JIT::compilePatchGetArrayLength):
(JSC::JIT::canBeOptimizedOrInlined):
(JIT):
* jit/JITArithmetic.cpp:
(JSC::JIT::emit_op_post_inc):
(JSC::JIT::emit_op_post_dec):
* jit/JITArithmetic32_64.cpp:
(JSC::JIT::emit_op_post_inc):
(JSC::JIT::emit_op_post_dec):
* jit/JITCall.cpp:
(JSC::JIT::emit_op_call_put_result):
(JSC::JIT::compileOpCall):
* jit/JITCall32_64.cpp:
(JSC::JIT::compileOpCall):
* jit/JITInlines.h:
(JSC::JIT::emitArrayProfilingSite):
(JSC::JIT::map):
* jit/JITOpcodes.cpp:
(JSC::JIT::emit_op_mov):
* jit/JITPropertyAccess.cpp:
(JSC::JIT::compileGetByIdHotPath):
(JSC::JIT::privateCompilePutByIdTransition):
* jit/JITPropertyAccess32_64.cpp:
(JSC::JIT::compileGetByIdHotPath):
(JSC::JIT::privateCompilePutByIdTransition):

LayoutTests:

Reviewed by Gavin Barraclough.

* fast/js/dfg-post-inc-then-exit-expected.txt: Added.
* fast/js/dfg-post-inc-then-exit.html: Added.
* fast/js/jsc-test-list:
* fast/js/script-tests/dfg-post-inc-then-exit.js: Added.
(foo):

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@144137 268f45cc-cd09-0410-ab3c-d52691b4dbfc
18 files changed:
LayoutTests/ChangeLog
LayoutTests/fast/js/dfg-post-inc-then-exit-expected.txt [new file with mode: 0644]
LayoutTests/fast/js/dfg-post-inc-then-exit.html [new file with mode: 0644]
LayoutTests/fast/js/jsc-test-list
LayoutTests/fast/js/script-tests/dfg-post-inc-then-exit.js [new file with mode: 0644]
Source/JavaScriptCore/ChangeLog
Source/JavaScriptCore/dfg/DFGCapabilities.h
Source/JavaScriptCore/dfg/DFGCommon.h
Source/JavaScriptCore/jit/JIT.cpp
Source/JavaScriptCore/jit/JIT.h
Source/JavaScriptCore/jit/JITArithmetic.cpp
Source/JavaScriptCore/jit/JITArithmetic32_64.cpp
Source/JavaScriptCore/jit/JITCall.cpp
Source/JavaScriptCore/jit/JITCall32_64.cpp
Source/JavaScriptCore/jit/JITInlines.h
Source/JavaScriptCore/jit/JITOpcodes.cpp
Source/JavaScriptCore/jit/JITPropertyAccess.cpp
Source/JavaScriptCore/jit/JITPropertyAccess32_64.cpp