Cherry-pick dd1c094. rdar://122345846
    [JSC] Suppress broken assertion in DFG register allocation
    https://bugs.webkit.org/show_bug.cgi?id=268727
    rdar://122279383

    Reviewed by Mark Lam.

    The DFG register allocation check's assertion is broken. It records the register-allocation offset, and attempts to assert when a jump is going over it.
    But this does not work at all if register allocation does not emit any instructions. In that case, the offset can be a valid instruction's one
    after the register allocation is done. And this is what is happening here.

    We work around this silly bug by reordering the instruction and jump target a bit. emitStoreCallSiteIndex always emits some instructions, so it distinguishes
    the register allocation offset from the actual one. And when retrying (jumping to mainPath), we do not need to perform emitStoreCallSiteIndex again.

    * Source/JavaScriptCore/dfg/DFGSpeculativeJIT64.cpp:
    (JSC::DFG::SpeculativeJIT::emitCall):

    Canonical link: https://commits.webkit.org/274116@main

Canonical link: https://commits.webkit.org/274066.9@safari-7619.1.3-branch
Constellation authored and rjepstein committed Feb 9, 2024
1 parent 6f80f7f commit c56ef7e
Showing 2 changed files with 6 additions and 5 deletions.
6 changes: 3 additions & 3 deletions Source/JavaScriptCore/dfg/DFGSpeculativeJIT32_64.cpp
Expand Up @@ -932,10 +932,9 @@ void SpeculativeJIT::emitCall(Node* node)
if (isTail) {
RELEASE_ASSERT(node->op() == DirectTailCall);

Label mainPath = label();

emitStoreCallSiteIndex(callSite);

Label mainPath = label();
auto slowCases = callLinkInfo->emitDirectTailCallFastPath(*this, scopedLambda<void()>([&] {
CallFrameShuffler shuffler { *this, shuffleData };
shuffler.prepareForTailCall();
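Review bot: the commit message's file list names only Source/JavaScriptCore/dfg/DFGSpeculativeJIT64.cpp, but this hunk applies the same mainPath move to DFGSpeculativeJIT32_64.cpp (emitCall, tail-call branch); add a `* Source/JavaScriptCore/dfg/DFGSpeculativeJIT32_64.cpp: (JSC::DFG::SpeculativeJIT::emitCall):` entry so the 32_64 change is documented alongside the 64-bit one.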
Expand All @@ -958,8 +957,9 @@ void SpeculativeJIT::emitCall(Node* node)
return;
}

Label mainPath = label();
emitStoreCallSiteIndex(callSite);

Label mainPath = label();
auto slowCases = callLinkInfo->emitDirectFastPath(*this);
Label slowPath = label();
if (!callLinkInfo->isDataIC() || !slowCases.empty()) {
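Review bot: the relative order of `emitStoreCallSiteIndex(callSite);` and `Label mainPath = label();` is now load-bearing, but nothing at the site says so; a future cleanup could reasonably put the label back in front of the store and reintroduce the assertion failure. Suggest a one-line comment above the label in this non-tail branch (and its tail-call twin) stating that mainPath must follow an instruction-emitting call so the label offset differs from the register-allocation offset.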
5 changes: 3 additions & 2 deletions Source/JavaScriptCore/dfg/DFGSpeculativeJIT64.cpp
Expand Up @@ -1102,9 +1102,9 @@ void SpeculativeJIT::emitCall(Node* node)
if (isTail) {
RELEASE_ASSERT(node->op() == DirectTailCall);

Label mainPath = label();
emitStoreCallSiteIndex(callSite);

Label mainPath = label();
auto slowCases = callLinkInfo->emitDirectTailCallFastPath(*this, scopedLambda<void()>([&] {
CallFrameShuffler shuffler { *this, shuffleData };
shuffler.prepareForTailCall();
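Review bot: with mainPath moved below `emitStoreCallSiteIndex(callSite);`, the retry jump back to mainPath no longer re-stores the call site index; the commit message asserts this is unnecessary, but the hunk does not show the slow path that performs the jump. Please confirm that every route reaching that jump has already executed the store in this same emitCall invocation (not via a different call site index), since a stale index on retry would affect call frame bookkeeping.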
Expand All @@ -1124,8 +1124,9 @@ void SpeculativeJIT::emitCall(Node* node)
return;
}

Label mainPath = label();
emitStoreCallSiteIndex(callSite);

Label mainPath = label();
auto slowCases = callLinkInfo->emitDirectFastPath(*this);
Label slowPath = label();
if (!callLinkInfo->isDataIC() || !slowCases.empty()) {
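Review bot: as the message itself says, this is a workaround; the assertion in DFG register allocation still misfires whenever register allocation emits no instructions and a label is placed immediately after it, so any other emitter with that shape will hit the same failure. Suggest recording a follow-up to fix the assertion itself (compare against an offset that is only recorded when instructions were actually emitted) rather than relying on each call site to order its label after an emitting call.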