Add SetCallee as DFG-Operation
authorcommit-queue@webkit.org <commit-queue@webkit.org@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Tue, 1 May 2018 15:42:11 +0000 (15:42 +0000)
committercommit-queue@webkit.org <commit-queue@webkit.org@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Tue, 1 May 2018 15:42:11 +0000 (15:42 +0000)
commitf82a360a2fd06992216f797b3b75d37d30d3f82f
tree59c209130d94a3e72a43f95733d61d40cb4a8c47
parent4003d02f761a24b7e7d68a45dd0507ec5418029b
Add SetCallee as DFG-Operation
https://bugs.webkit.org/show_bug.cgi?id=184582

Patch by Dominik Infuehr <dinfuehr@igalia.com> on 2018-05-01
Reviewed by Filip Pizlo.

JSTests:

Added test that runs into infinite loop without updating the callee and
therefore emitting SetCallee in DFG for recursive tail calls.

* stress/closure-recursive-tail-call-infinite-loop.js: Added.
(Foo):
(second):
(first):
(return.closure):
(createClosure):

Source/JavaScriptCore:

For recursive tail calls not only the argument count can change but also the
callee. Add SetCallee to DFG that sets the callee slot in the current call frame.
Also update the callee when optimizing a recursive tail call.
Enable recursive tail call optimization also for closures.

* dfg/DFGAbstractInterpreterInlines.h:
(JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
* dfg/DFGByteCodeParser.cpp:
(JSC::DFG::ByteCodeParser::handleRecursiveTailCall):
(JSC::DFG::ByteCodeParser::handleCallVariant):
* dfg/DFGClobberize.h:
(JSC::DFG::clobberize):
* dfg/DFGDoesGC.cpp:
(JSC::DFG::doesGC):
* dfg/DFGFixupPhase.cpp:
(JSC::DFG::FixupPhase::fixupNode):
* dfg/DFGMayExit.cpp:
* dfg/DFGNodeType.h:
* dfg/DFGPredictionPropagationPhase.cpp:
* dfg/DFGSafeToExecute.h:
(JSC::DFG::safeToExecute):
* dfg/DFGSpeculativeJIT.cpp:
(JSC::DFG::SpeculativeJIT::compileSetCallee):
* dfg/DFGSpeculativeJIT.h:
* dfg/DFGSpeculativeJIT32_64.cpp:
(JSC::DFG::SpeculativeJIT::compile):
* dfg/DFGSpeculativeJIT64.cpp:
(JSC::DFG::SpeculativeJIT::compile):
* ftl/FTLCapabilities.cpp:
(JSC::FTL::canCompile):
* ftl/FTLLowerDFGToB3.cpp:
(JSC::FTL::DFG::LowerDFGToB3::compileNode):
(JSC::FTL::DFG::LowerDFGToB3::compileSetCallee):

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@231195 268f45cc-cd09-0410-ab3c-d52691b4dbfc
18 files changed:
JSTests/ChangeLog
JSTests/stress/closure-recursive-tail-call-infinite-loop.js [new file with mode: 0644]
Source/JavaScriptCore/ChangeLog
Source/JavaScriptCore/dfg/DFGAbstractInterpreterInlines.h
Source/JavaScriptCore/dfg/DFGByteCodeParser.cpp
Source/JavaScriptCore/dfg/DFGClobberize.h
Source/JavaScriptCore/dfg/DFGDoesGC.cpp
Source/JavaScriptCore/dfg/DFGFixupPhase.cpp
Source/JavaScriptCore/dfg/DFGMayExit.cpp
Source/JavaScriptCore/dfg/DFGNodeType.h
Source/JavaScriptCore/dfg/DFGPredictionPropagationPhase.cpp
Source/JavaScriptCore/dfg/DFGSafeToExecute.h
Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp
Source/JavaScriptCore/dfg/DFGSpeculativeJIT.h
Source/JavaScriptCore/dfg/DFGSpeculativeJIT32_64.cpp
Source/JavaScriptCore/dfg/DFGSpeculativeJIT64.cpp
Source/JavaScriptCore/ftl/FTLCapabilities.cpp
Source/JavaScriptCore/ftl/FTLLowerDFGToB3.cpp