Unreviewed, rolling out r184123.
authorcommit-queue@webkit.org <commit-queue@webkit.org@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Tue, 12 May 2015 05:48:57 +0000 (05:48 +0000)
committercommit-queue@webkit.org <commit-queue@webkit.org@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Tue, 12 May 2015 05:48:57 +0000 (05:48 +0000)
https://bugs.webkit.org/show_bug.cgi?id=144899

Seems to have introduced flaky crashes in many JS tests
(Requested by rniwa on #webkit).

Reverted changeset:

"REGRESSION(r180595): same-callee profiling no longer works"
https://bugs.webkit.org/show_bug.cgi?id=144787
http://trac.webkit.org/changeset/184123

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@184152 268f45cc-cd09-0410-ab3c-d52691b4dbfc

14 files changed:
Source/JavaScriptCore/ChangeLog
Source/JavaScriptCore/bytecode/BytecodeList.json
Source/JavaScriptCore/bytecode/BytecodeUseDef.h
Source/JavaScriptCore/bytecode/CodeBlock.cpp
Source/JavaScriptCore/bytecompiler/BytecodeGenerator.cpp
Source/JavaScriptCore/dfg/DFGByteCodeParser.cpp
Source/JavaScriptCore/jit/JITOpcodes.cpp
Source/JavaScriptCore/jit/JITOpcodes32_64.cpp
Source/JavaScriptCore/llint/LowLevelInterpreter32_64.asm
Source/JavaScriptCore/llint/LowLevelInterpreter64.asm
Source/JavaScriptCore/runtime/CommonSlowPaths.cpp
Source/JavaScriptCore/runtime/JSCell.h
Source/JavaScriptCore/runtime/WriteBarrier.h
Source/JavaScriptCore/tests/stress/create-this-with-callee-variants.js [deleted file]

index 3642923..803a4b4 100644 (file)
@@ -1,3 +1,17 @@
+2015-05-11  Commit Queue  <commit-queue@webkit.org>
+
+        Unreviewed, rolling out r184123.
+        https://bugs.webkit.org/show_bug.cgi?id=144899
+
+        Seems to have introduced flaky crashes in many JS tests
+        (Requested by rniwa on #webkit).
+
+        Reverted changeset:
+
+        "REGRESSION(r180595): same-callee profiling no longer works"
+        https://bugs.webkit.org/show_bug.cgi?id=144787
+        http://trac.webkit.org/changeset/184123
+
 2015-05-11  Brent Fulgham  <bfulgham@apple.com>
 
         [Win] Move Windows build target to Windows 7 (or newer)
index 7e7849f..e3ed1dc 100644 (file)
@@ -9,7 +9,7 @@
             { "name" : "op_create_direct_arguments", "length" : 2 },
             { "name" : "op_create_scoped_arguments", "length" : 3 },
             { "name" : "op_create_out_of_band_arguments", "length" : 2 },
-            { "name" : "op_create_this", "length" : 5 },
+            { "name" : "op_create_this", "length" : 4 },
             { "name" : "op_to_this", "length" : 4 },
             { "name" : "op_check_tdz", "length" : 2 },
             { "name" : "op_new_object", "length" : 4 },
index fbaec9f..7667e68 100644 (file)
@@ -142,6 +142,7 @@ void computeUsesForBytecodeOffset(
     case op_not:
     case op_mov:
     case op_new_array_with_size:
+    case op_create_this:
     case op_del_by_id:
     case op_unsigned:
     case op_new_func:
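Review bot: `case op_create_this:` is placed in a group whose functor call lies below this hunk, so the operand index it reports as a use cannot be checked from here; both JIT::emit_op_create_this and ByteCodeParser::parseBlock in this same commit read the callee from `instruction[2]`, and that is the index this group has to pass or the callee would be missed by the use-def analysis. A short comment on the label, `case op_create_this: // single use: the callee in operand 2`, would make the intent verifiable next to the label rather than several cases further down. computeUsesForBytecodeOffset starts before this hunk and continues after it.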
@@ -182,11 +183,6 @@ void computeUsesForBytecodeOffset(
         functor(codeBlock, instruction, opcodeID, instruction[3].u.operand);
         return;
     }
-    case op_create_this: {
-        functor(codeBlock, instruction, opcodeID, instruction[2].u.operand);
-        functor(codeBlock, instruction, opcodeID, instruction[4].u.operand);
-        return;
-    }
     case op_has_structure_property:
     case op_construct_varargs:
     case op_call_varargs: {
index 918fe20..90138f9 100644 (file)
@@ -795,9 +795,8 @@ void CodeBlock::dumpBytecode(
             int r0 = (++it)->u.operand;
             int r1 = (++it)->u.operand;
             unsigned inferredInlineCapacity = (++it)->u.operand;
-            unsigned cachedFunction = (++it)->u.operand;
             printLocationAndOp(out, exec, location, it, "create_this");
-            out.printf("%s, %s, %u, %u", registerName(r0).data(), registerName(r1).data(), inferredInlineCapacity, cachedFunction);
+            out.printf("%s, %s, %u", registerName(r0).data(), registerName(r1).data(), inferredInlineCapacity);
             break;
         }
         case op_to_this: {
@@ -2554,18 +2553,6 @@ void CodeBlock::finalizeUnconditionally()
                 curInstruction[3].u.toThisStatus = merge(
                     curInstruction[3].u.toThisStatus, ToThisClearedByGC);
                 break;
-            case op_create_this: {
-                auto& cacheWriteBarrier = curInstruction[4].u.jsCell;
-                if (!cacheWriteBarrier || cacheWriteBarrier.unvalidatedGet() == JSCell::seenMultipleCalleeObjects())
-                    break;
-                JSCell* cachedFunction = cacheWriteBarrier.get();
-                if (Heap::isMarked(cachedFunction))
-                    break;
-                if (Options::verboseOSR())
-                    dataLogF("Clearing LLInt create_this with cached callee %p.\n", cachedFunction);
-                cacheWriteBarrier.clear();
-                break;
-            }
             case op_resolve_scope: {
                 // Right now this isn't strictly necessary. Any symbol tables that this will refer to
                 // are for outer functions, and we refer to those functions strongly, and they refer
index 2829391..c3ce875 100644 (file)
@@ -1653,12 +1653,10 @@ RegisterID* BytecodeGenerator::emitCreateThis(RegisterID* dst)
     size_t begin = instructions().size();
     m_staticPropertyAnalyzer.createThis(m_thisRegister.index(), begin + 3);
 
-    m_codeBlock->addPropertyAccessInstruction(instructions().size());
     emitOpcode(op_create_this); 
     instructions().append(m_thisRegister.index()); 
     instructions().append(m_thisRegister.index()); 
     instructions().append(0);
-    instructions().append(0);
     return dst;
 }
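Review bot: `begin + 3` on the first line of the hunk is a bare magic number: it is the index of the third appended operand, the `instructions().append(0)` that CodeBlock::dumpBytecode and slow_path_create_this read as the inline capacity in this same commit, and nothing ties it to the three appends that follow it. A comment such as `// begin + 3: slot of the inferred-inline-capacity operand appended as 0 below` would keep the two in step the next time the operand layout changes, as it did in r184123. The context lines `emitOpcode(op_create_this); ` and the two `instructions().append(m_thisRegister.index()); ` lines also carry trailing whitespace. emitCreateThis starts before this hunk.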
 
index d621337..abc51d4 100644 (file)
@@ -2669,24 +2669,8 @@ bool ByteCodeParser::parseBlock(unsigned limit)
         case op_create_this: {
             int calleeOperand = currentInstruction[2].u.operand;
             Node* callee = get(VirtualRegister(calleeOperand));
-
-            JSFunction* function = callee->dynamicCastConstant<JSFunction*>();
-            if (!function) {
-                JSCell* cachedFunction = currentInstruction[4].u.jsCell.unvalidatedGet();
-                RELEASE_ASSERT(cachedFunction); // LLint and BaselineJIT always set it to a JSFunction* or seenMultipleCalleeObjects().
-                if (cachedFunction != JSCell::seenMultipleCalleeObjects()) {
-                    ASSERT(cachedFunction->inherits(JSFunction::info()));
-
-                    FrozenValue* frozen = m_graph.freeze(cachedFunction);
-                    addToGraph(CheckCell, OpInfo(frozen), callee);
-                    set(VirtualRegister(currentInstruction[1].u.operand), addToGraph(JSConstant, OpInfo(frozen)));
-
-                    function = static_cast<JSFunction*>(cachedFunction);
-                }
-            }
-
             bool alreadyEmitted = false;
-            if (function) {
+            if (JSFunction* function = callee->dynamicCastConstant<JSFunction*>()) {
                 if (FunctionRareData* rareData = function->rareData()) {
                     if (Structure* structure = rareData->allocationStructure()) {
                         m_graph.freeze(rareData);
index 730361a..5d4d0b9 100644 (file)
@@ -705,13 +705,11 @@ void JIT::emit_op_to_this(Instruction* currentInstruction)
 void JIT::emit_op_create_this(Instruction* currentInstruction)
 {
     int callee = currentInstruction[2].u.operand;
-    WriteBarrierBase<JSCell>* cachedFunction = &currentInstruction[4].u.jsCell;
     RegisterID calleeReg = regT0;
-    RegisterID rareDataReg = regT4;
+    RegisterID rareDataReg = regT0;
     RegisterID resultReg = regT0;
     RegisterID allocatorReg = regT1;
     RegisterID structureReg = regT2;
-    RegisterID cachedFunctionReg = regT4;
     RegisterID scratchReg = regT3;
 
     emitGetVirtualRegister(callee, calleeReg);
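Review bot: `RegisterID rareDataReg = regT0;` aliases calleeReg and resultReg on the same register, and nothing in the hunk says that this is deliberate; the lines between this hunk and the next, presumably where the rare data is loaded out of the callee, are where the callee value becomes dead, so a reader has to reconstruct that ordering to see the aliasing is safe. A comment on the declaration, `RegisterID rareDataReg = regT0; // overwrites calleeReg: the callee is dead once its rare data has been loaded`, would state the invariant; the same applies to the 32_64 variant in JITOpcodes32_64.cpp. Whether regT4 is free on this path or clobbered elsewhere is not visible from the hunk. emit_op_create_this continues past this hunk.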
@@ -721,11 +719,6 @@ void JIT::emit_op_create_this(Instruction* currentInstruction)
     loadPtr(Address(rareDataReg, FunctionRareData::offsetOfAllocationProfile() + ObjectAllocationProfile::offsetOfStructure()), structureReg);
     addSlowCase(branchTestPtr(Zero, allocatorReg));
 
-    loadPtr(cachedFunction, cachedFunctionReg);
-    Jump hasSeenMultipleCallees = branchPtr(Equal, cachedFunctionReg, TrustedImmPtr(JSCell::seenMultipleCalleeObjects()));
-    addSlowCase(branchPtr(NotEqual, calleeReg, cachedFunctionReg));
-    hasSeenMultipleCallees.link(this);
-
     emitAllocateJSObject(allocatorReg, structureReg, resultReg, scratchReg);
     emitPutVirtualRegister(currentInstruction[1].u.operand);
 }
@@ -735,7 +728,6 @@ void JIT::emitSlow_op_create_this(Instruction* currentInstruction, Vector<SlowCa
     linkSlowCase(iter); // doesn't have rare data
     linkSlowCase(iter); // doesn't have an allocation profile
     linkSlowCase(iter); // allocation failed
-    linkSlowCase(iter); // cached function didn't match
 
     JITSlowPathCall slowPathCall(this, currentInstruction, slow_path_create_this);
     slowPathCall.call();
index 1920225..acd460b 100644 (file)
@@ -936,13 +936,11 @@ void JIT::emit_op_get_scope(Instruction* currentInstruction)
 void JIT::emit_op_create_this(Instruction* currentInstruction)
 {
     int callee = currentInstruction[2].u.operand;
-    WriteBarrierBase<JSCell>* cachedFunction = &currentInstruction[4].u.jsCell;
     RegisterID calleeReg = regT0;
-    RegisterID rareDataReg = regT4;
+    RegisterID rareDataReg = regT0;
     RegisterID resultReg = regT0;
     RegisterID allocatorReg = regT1;
     RegisterID structureReg = regT2;
-    RegisterID cachedFunctionReg = regT4;
     RegisterID scratchReg = regT3;
 
     emitLoadPayload(callee, calleeReg);
@@ -952,11 +950,6 @@ void JIT::emit_op_create_this(Instruction* currentInstruction)
     loadPtr(Address(rareDataReg, FunctionRareData::offsetOfAllocationProfile() + ObjectAllocationProfile::offsetOfStructure()), structureReg);
     addSlowCase(branchTestPtr(Zero, allocatorReg));
 
-    loadPtr(cachedFunction, cachedFunctionReg);
-    Jump hasSeenMultipleCallees = branchPtr(Equal, cachedFunctionReg, TrustedImmPtr(JSCell::seenMultipleCalleeObjects()));
-    addSlowCase(branchPtr(NotEqual, calleeReg, cachedFunctionReg));
-    hasSeenMultipleCallees.link(this);
-
     emitAllocateJSObject(allocatorReg, structureReg, resultReg, scratchReg);
     emitStoreCell(currentInstruction[1].u.operand, resultReg);
 }
@@ -966,7 +959,6 @@ void JIT::emitSlow_op_create_this(Instruction* currentInstruction, Vector<SlowCa
     linkSlowCase(iter); // doesn't have rare data
     linkSlowCase(iter); // doesn't have an allocation profile
     linkSlowCase(iter); // allocation failed
-    linkSlowCase(iter); // cached function didn't match
 
     JITSlowPathCall slowPathCall(this, currentInstruction, slow_path_create_this);
     slowPathCall.call();
index 5ac24a8..7ced21a 100644 (file)
@@ -745,19 +745,15 @@ _llint_op_create_this:
     loadp FunctionRareData::m_allocationProfile + ObjectAllocationProfile::m_allocator[t4], t1
     loadp FunctionRareData::m_allocationProfile + ObjectAllocationProfile::m_structure[t4], t2
     btpz t1, .opCreateThisSlow
-    loadpFromInstruction(4, t4)
-    bpeq t4, 1, .hasSeenMultipleCallee
-    bpneq t4, t0, .opCreateThisSlow
-.hasSeenMultipleCallee:
     allocateJSObject(t1, t2, t0, t3, .opCreateThisSlow)
     loadi 4[PC], t1
     storei CellTag, TagOffset[cfr, t1, 8]
     storei t0, PayloadOffset[cfr, t1, 8]
-    dispatch(5)
+    dispatch(4)
 
 .opCreateThisSlow:
     callSlowPath(_slow_path_create_this)
-    dispatch(5)
+    dispatch(4)
 
 
 _llint_op_to_this:
index 0f11e67..68a9c62 100644 (file)
@@ -631,18 +631,14 @@ _llint_op_create_this:
     loadp FunctionRareData::m_allocationProfile + ObjectAllocationProfile::m_allocator[t4], t1
     loadp FunctionRareData::m_allocationProfile + ObjectAllocationProfile::m_structure[t4], t2
     btpz t1, .opCreateThisSlow
-    loadpFromInstruction(4, t4)
-    bpeq t4, 1, .hasSeenMultipleCallee
-    bpneq t4, t0, .opCreateThisSlow
-.hasSeenMultipleCallee:
     allocateJSObject(t1, t2, t0, t3, .opCreateThisSlow)
     loadisFromInstruction(1, t1)
     storeq t0, [cfr, t1, 8]
-    dispatch(5)
+    dispatch(4)
 
 .opCreateThisSlow:
     callSlowPath(_slow_path_create_this)
-    dispatch(5)
+    dispatch(4)
 
 
 _llint_op_to_this:
index 56d46ed..009b350 100644 (file)
@@ -235,12 +235,6 @@ SLOW_PATH_DECL(slow_path_create_this)
     ASSERT(constructor->methodTable()->getConstructData(constructor, constructData) == ConstructTypeJS);
 #endif
 
-    auto& cacheWriteBarrier = pc[4].u.jsCell;
-    if (!cacheWriteBarrier)
-        cacheWriteBarrier.set(exec->vm(), exec->codeBlock()->ownerExecutable(), constructor);
-    else if (cacheWriteBarrier.unvalidatedGet() != JSCell::seenMultipleCalleeObjects() && cacheWriteBarrier.get() != constructor)
-        cacheWriteBarrier.setWithoutWriteBarrier(JSCell::seenMultipleCalleeObjects());
-
     size_t inlineCapacity = pc[3].u.operand;
     Structure* structure = constructor->rareData(exec, inlineCapacity)->allocationProfile()->structure();
     RETURN(constructEmptyObject(exec, structure));
index 6d648ad..26df1e3 100644 (file)
@@ -74,8 +74,6 @@ public:
 
     static const bool needsDestruction = false;
 
-    static JSCell* seenMultipleCalleeObjects() { return bitwise_cast<JSCell*>(static_cast<uintptr_t>(1)); }
-
     enum CreatingEarlyCellTag { CreatingEarlyCell };
     JSCell(CreatingEarlyCellTag);
 
index ac7c55b..b7a42c9 100644 (file)
@@ -126,7 +126,9 @@ public:
         this->m_cell = reinterpret_cast<JSCell*>(value);
     }
 
+#if ENABLE(GC_VALIDATION)
     T* unvalidatedGet() const { return reinterpret_cast<T*>(static_cast<void*>(m_cell)); }
+#endif
 
 private:
     JSCell* m_cell;
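Review bot: `unvalidatedGet()` is now compiled only under `ENABLE(GC_VALIDATION)`, and the guard carries no explanation; the removed code elsewhere in this commit called it on runtime paths (slow_path_create_this, CodeBlock::finalizeUnconditionally, ByteCodeParser::parseBlock) to compare the raw slot against a sentinel pointer, so the guard is presumably what keeps such reads out of non-diagnostic builds. A comment above the `#if`, `// GC-validation diagnostics only: returns the raw slot without validating the cell; not for runtime paths.`, would record that reason for the next person who needs an unvalidated read. The enclosing class starts before this hunk.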
diff --git a/Source/JavaScriptCore/tests/stress/create-this-with-callee-variants.js b/Source/JavaScriptCore/tests/stress/create-this-with-callee-variants.js
deleted file mode 100644 (file)
index a7368ae..0000000
+++ /dev/null
@@ -1,18 +0,0 @@
-function createInLoop(x, count) {
-    noInline(x)
-    for (var i = 0; i < 5000; i++) {
-        var obj = new x;
-        if (!(obj instanceof x))
-            throw "Failed to instantiate the right object";
-    }
-}
-
-function y() { return function () {} }
-
-createInLoop(y());
-
-function z() { return function () {} }
-
-createInLoop(z());
-createInLoop(z());
-createInLoop(z());