[Re-landing] DFG::SpeculativeJIT::pickCanTrample() is wrongly ignoring result registers.
authormark.lam@apple.com <mark.lam@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Sat, 20 May 2017 00:59:31 +0000 (00:59 +0000)
committermark.lam@apple.com <mark.lam@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Sat, 20 May 2017 00:59:31 +0000 (00:59 +0000)
commit001f25c6ab35e8e7f9a48097e0ac710d9d1e7173
treee3426de661b133fc0f67c37af407b0e21e4c26ed
parent8bf56e25f2c6791f517b676158503b3f32f7f2b3
[Re-landing] DFG::SpeculativeJIT::pickCanTrample() is wrongly ignoring result registers.
https://bugs.webkit.org/show_bug.cgi?id=172383
<rdar://problem/31418651>

Reviewed by Filip Pizlo.

JSTests:

* stress/regress-172383.js: Added.

Source/JavaScriptCore:

pickCanTrample() is wrongly assuming that one of regT0 and regT1 is always
available as a scratch register.  This assumption is wrong if this canTrample
register is used for a silentFill() after an operation that returns a result in
regT0 or regT1.

Turns out the only reason we need the canTrample register is for
SetDoubleConstant.  We can remove the need for this canTrample register by
introducing a moveDouble() pseudo instruction in the MacroAssembler to do the
job using the scratchRegister() on X86_64 or the dataMemoryTempRegister() on
ARM64.  In so doing, we can simplify the silentFill() code and eliminate the bug.

Update for re-landing: Changed ARM64 to use scratchRegister() as well.
scratchRegister() is the proper way to get the underlying dataMemoryTempRegister()
as a scratch register.

* assembler/MacroAssembler.h:
(JSC::MacroAssembler::moveDouble):
* dfg/DFGArrayifySlowPathGenerator.h:
* dfg/DFGCallArrayAllocatorSlowPathGenerator.h:
(JSC::DFG::CallArrayAllocatorWithVariableStructureVariableSizeSlowPathGenerator::CallArrayAllocatorWithVariableStructureVariableSizeSlowPathGenerator):
* dfg/DFGCallCreateDirectArgumentsSlowPathGenerator.h:
* dfg/DFGSaneStringGetByValSlowPathGenerator.h:
* dfg/DFGSlowPathGenerator.h:
(JSC::DFG::CallSlowPathGenerator::tearDown):
* dfg/DFGSpeculativeJIT.cpp:
(JSC::DFG::SpeculativeJIT::silentFill):
(JSC::DFG::SpeculativeJIT::compileToLowerCase):
(JSC::DFG::SpeculativeJIT::compileValueToInt32):
(JSC::DFG::SpeculativeJIT::compileInstanceOfForObject):
(JSC::DFG::SpeculativeJIT::emitUntypedBitOp):
(JSC::DFG::SpeculativeJIT::emitUntypedRightShiftBitOp):
(JSC::DFG::SpeculativeJIT::compileArithDiv):
(JSC::DFG::SpeculativeJIT::compileArraySlice):
(JSC::DFG::SpeculativeJIT::emitSwitchImm):
(JSC::DFG::SpeculativeJIT::emitSwitchStringOnString):
(JSC::DFG::SpeculativeJIT::compileStoreBarrier):
* dfg/DFGSpeculativeJIT.h:
(JSC::DFG::SpeculativeJIT::silentFill):
(JSC::DFG::SpeculativeJIT::silentSpillAllRegisters):
(JSC::DFG::SpeculativeJIT::silentFillAllRegisters):
(JSC::DFG::SpeculativeJIT::pickCanTrample): Deleted.
* dfg/DFGSpeculativeJIT32_64.cpp:
(JSC::DFG::SpeculativeJIT::nonSpeculativePeepholeBranch):
(JSC::DFG::SpeculativeJIT::nonSpeculativePeepholeStrictEq):
(JSC::DFG::SpeculativeJIT::nonSpeculativeNonPeepholeStrictEq):
(JSC::DFG::SpeculativeJIT::emitCall):
(JSC::DFG::SpeculativeJIT::compile):
* dfg/DFGSpeculativeJIT64.cpp:
(JSC::DFG::SpeculativeJIT::nonSpeculativePeepholeBranch):
(JSC::DFG::SpeculativeJIT::nonSpeculativePeepholeStrictEq):
(JSC::DFG::SpeculativeJIT::nonSpeculativeNonPeepholeStrictEq):
(JSC::DFG::SpeculativeJIT::emitCall):
(JSC::DFG::SpeculativeJIT::compile):
(JSC::DFG::SpeculativeJIT::convertAnyInt):

git-svn-id: http://svn.webkit.org/repository/webkit/trunk@217179 268f45cc-cd09-0410-ab3c-d52691b4dbfc
13 files changed:
JSTests/ChangeLog
JSTests/stress/regress-172383.js [new file with mode: 0644]
Source/JavaScriptCore/ChangeLog
Source/JavaScriptCore/assembler/MacroAssembler.h
Source/JavaScriptCore/dfg/DFGArrayifySlowPathGenerator.h
Source/JavaScriptCore/dfg/DFGCallArrayAllocatorSlowPathGenerator.h
Source/JavaScriptCore/dfg/DFGCallCreateDirectArgumentsSlowPathGenerator.h
Source/JavaScriptCore/dfg/DFGSaneStringGetByValSlowPathGenerator.h
Source/JavaScriptCore/dfg/DFGSlowPathGenerator.h
Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp
Source/JavaScriptCore/dfg/DFGSpeculativeJIT.h
Source/JavaScriptCore/dfg/DFGSpeculativeJIT32_64.cpp
Source/JavaScriptCore/dfg/DFGSpeculativeJIT64.cpp