Magic-Mirror/gecko-dev
1
0
Fork 0
mirror of https://github.com/mozilla/gecko-dev.git synced 2024-10-09 11:25:00 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity

Backed out 2 changesets (bug 1705113) for causing js related webgl crashes. CLOSED TREE

Browse Source 
Backed out changeset 7ba65785616a (bug 1705113)
Backed out changeset 07210c06a0d8 (bug 1705113)
This commit is contained in:
Cosmin Sabou 2021-04-16 19:59:56 +03:00
parent 9276371d2f
commit c6e0f47a92
12 changed files with 44 additions and 268 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

107
js/src/jit/BaselineCacheIRCompiler.cpp
View File

@ -1875,7 +1875,6 @@ bool BaselineCacheIRCompiler::init(CacheKind kind) {
case CacheKind::OptimizeSpreadCall:
case CacheKind::ToBool:
case CacheKind::UnaryArith:
case CacheKind::NewArray:
MOZ_ASSERT(numInputs == 1);
allocator.initInputLocation(0, R0);
break;
@ -2935,109 +2934,3 @@ bool BaselineCacheIRCompiler::emitCallInlinedFunction(ObjOperandId calleeId,
return true;
}
bool BaselineCacheIRCompiler::emitNewArrayObjectResult(uint32_t arrayLength,
uint32_t shapeOffset) {
JitSpew(JitSpew_Codegen, "%s", __FUNCTION__);
gc::AllocKind allocKind = GuessArrayGCKind(arrayLength);
MOZ_ASSERT(CanChangeToBackgroundAllocKind(allocKind, &ArrayObject::class_));
allocKind = ForegroundToBackgroundAllocKind(allocKind);
uint32_t slotCount = GetGCKindSlots(allocKind);
MOZ_ASSERT(slotCount >= ObjectElements::VALUES_PER_HEADER);
uint32_t arrayCapacity = slotCount - ObjectElements::VALUES_PER_HEADER;
AutoOutputRegister output(*this);
AutoScratchRegister result(allocator, masm);
AutoScratchRegister scratch(allocator, masm);
AutoScratchRegisterMaybeOutput shape(allocator, masm, output);
Address shapeAddr(stubAddress(shapeOffset));
masm.loadPtr(shapeAddr, shape);
allocator.discardStack(masm);
Label done;
Label fail;
masm.createArrayWithFixedElements(result, shape, scratch, arrayLength,
arrayCapacity, allocKind, gc::DefaultHeap,
&fail);
masm.jump(&done);
{
masm.bind(&fail);
// We get here if the nursery is full (unlikely) but also for tenured
// allocations if the current arena is full and we need to allocate a new
// one (fairly common).
AutoStubFrame stubFrame(*this);
stubFrame.enter(masm, scratch);
masm.Push(Imm32(GenericObject));
masm.Push(Imm32(arrayLength));
using Fn = ArrayObject* (*)(JSContext*, uint32_t, NewObjectKind);
callVM<Fn, NewArrayOperation>(masm);
stubFrame.leave(masm);
masm.mov(ReturnReg, result);
}
masm.bind(&done);
masm.tagValue(JSVAL_TYPE_OBJECT, result, output.valueReg());
return true;
}
bool BaselineCacheIRCompiler::emitNewPlainObjectResult(uint32_t numFixedSlots,
uint32_t numDynamicSlots,
gc::AllocKind allocKind,
uint32_t shapeOffset) {
JitSpew(JitSpew_Codegen, "%s", __FUNCTION__);
AutoOutputRegister output(*this);
AutoScratchRegister obj(allocator, masm);
AutoScratchRegister scratch(allocator, masm);
AutoScratchRegisterMaybeOutput shape(allocator, masm, output);
Address shapeAddr(stubAddress(shapeOffset));
masm.loadPtr(shapeAddr, shape);
allocator.discardStack(masm);
Label done;
Label fail;
masm.createPlainGCObject(obj, shape, scratch, shape, numFixedSlots,
numDynamicSlots, allocKind, gc::DefaultHeap, &fail);
masm.jump(&done);
{
masm.bind(&fail);
// We get here if the nursery is full (unlikely) but also for tenured
// allocations if the current arena is full and we need to allocate a new
// one (fairly common).
AutoStubFrame stubFrame(*this);
stubFrame.enter(masm, scratch);
masm.Push(Imm32(gc::DefaultHeap));
masm.Push(Imm32(int32_t(allocKind)));
masm.loadPtr(shapeAddr, shape); // This might have been overwritten.
masm.Push(shape);
using Fn =
JSObject* (*)(JSContext*, HandleShape, gc::AllocKind, gc::InitialHeap);
callVM<Fn, NewPlainObject>(masm);
stubFrame.leave(masm);
masm.mov(ReturnReg, obj);
}
masm.bind(&done);
masm.tagValue(JSVAL_TYPE_OBJECT, obj, output.valueReg());
return true;
}

11
js/src/jit/BaselineIC.cpp
View File

@ -2623,18 +2623,11 @@ bool DoNewArrayFallback(JSContext* cx, BaselineFrame* frame,
MaybeNotifyWarp(frame->outerScript(), stub);
FallbackICSpew(cx, stub, "NewArray");
RootedArrayObject templateObject(cx, stub->templateObject());
if (!templateObject) {
templateObject = NewArrayOperation(cx, length, TenuredObject);
if (!stub->templateObject()) {
ArrayObject* templateObject = NewArrayOperation(cx, length, TenuredObject);
if (!templateObject) {
return false;
}
RootedScript script(cx, frame->script());
jsbytecode* pc = stub->icEntry()->pc(script);
TryAttachStub<NewArrayIRGenerator>("NewArray", cx, frame, stub, JSOp(*pc),
templateObject);
stub->setTemplateObject(templateObject);
}

63
js/src/jit/CacheIR.cpp
View File

@ -102,7 +102,6 @@ size_t js::jit::NumInputsForCacheKind(CacheKind kind) {
case CacheKind::BindName:
case CacheKind::Call:
case CacheKind::OptimizeSpreadCall:
case CacheKind::NewArray:
return 1;
case CacheKind::Compare:
case CacheKind::GetElem:
@ -11040,68 +11039,6 @@ AttachDecision BinaryArithIRGenerator::tryAttachStringInt32Arith() {
return AttachDecision::Attach;
}
NewArrayIRGenerator::NewArrayIRGenerator(JSContext* cx, HandleScript script,
jsbytecode* pc, ICState::Mode mode,
JSOp op, HandleObject templateObj)
: IRGenerator(cx, script, pc, CacheKind::NewArray, mode),
#ifdef JS_CACHEIR_SPEW
op_(op),
#endif
templateObject_(templateObj) {
MOZ_ASSERT(templateObject_);
}
void NewArrayIRGenerator::trackAttached(const char* name) {
#ifdef JS_CACHEIR_SPEW
if (const CacheIRSpewer::Guard& sp = CacheIRSpewer::Guard(*this, name)) {
sp.opcodeProperty("op", op_);
}
#endif
}
AttachDecision NewArrayIRGenerator::tryAttachArrayObject() {
ArrayObject* arrayObj = &templateObject_->as<ArrayObject>();
MOZ_ASSERT(arrayObj->numUsedFixedSlots() == 0);
MOZ_ASSERT(arrayObj->numDynamicSlots() == 0);
MOZ_ASSERT(!arrayObj->hasPrivate());
MOZ_ASSERT(!arrayObj->isSharedMemory());
// The macro assembler only supports creating arrays with fixed elements.
if (arrayObj->hasDynamicElements()) {
return AttachDecision::NoAction;
}
// Stub doesn't support metadata builder
if (cx_->realm()->hasAllocationMetadataBuilder()) {
return AttachDecision::NoAction;
}
writer.guardNoAllocationMetadataBuilder();
// Length input is not currently used.
mozilla::Unused << writer.setInputOperandId(0);
Shape* shape = arrayObj->lastProperty();
uint32_t length = arrayObj->length();
writer.newArrayObjectResult(length, shape);
writer.returnFromIC();
trackAttached("NewArrayObject");
return AttachDecision::Attach;
}
AttachDecision NewArrayIRGenerator::tryAttachStub() {
AutoAssertNoPendingException aanpe(cx_);
TRY_ATTACH(tryAttachArrayObject());
trackAttached(IRGenerator::NotAttached);
return AttachDecision::NoAction;
}
NewObjectIRGenerator::NewObjectIRGenerator(JSContext* cx, HandleScript script,
jsbytecode* pc, ICState::Mode mode,
JSOp op, HandleObject templateObj)

19
js/src/jit/CacheIR.h
View File

@ -209,8 +209,7 @@ class TypedOperandId : public OperandId {
_(Call) \
_(UnaryArith) \
_(BinaryArith) \
_(NewObject) \
_(NewArray)
_(NewObject)
enum class CacheKind : uint8_t {
#define DEFINE_KIND(kind) kind,
@ -1914,22 +1913,6 @@ class MOZ_RAII BinaryArithIRGenerator : public IRGenerator {
AttachDecision tryAttachStub();
};
class MOZ_RAII NewArrayIRGenerator : public IRGenerator {
#ifdef JS_CACHEIR_SPEW
JSOp op_;
#endif
HandleObject templateObject_;
void trackAttached(const char* name);
public:
NewArrayIRGenerator(JSContext* cx, HandleScript, jsbytecode* pc,
ICState::Mode, JSOp op, HandleObject templateObj);
AttachDecision tryAttachStub();
AttachDecision tryAttachArrayObject();
};
class MOZ_RAII NewObjectIRGenerator : public IRGenerator {
#ifdef JS_CACHEIR_SPEW
JSOp op_;

41
js/src/jit/CacheIRCompiler.cpp
View File

@ -46,7 +46,6 @@
#include "vm/Uint8Clamped.h"
#include "builtin/Boolean-inl.h"
#include "gc/ObjectKind-inl.h"
#include "jit/MacroAssembler-inl.h"
#include "jit/SharedICHelpers-inl.h"
#include "jit/VMFunctionList-inl.h"
@ -6102,6 +6101,46 @@ bool CacheIRCompiler::emitLoadNewObjectFromTemplateResult(
return true;
}
bool CacheIRCompiler::emitNewPlainObjectResult(uint32_t numFixedSlots,
uint32_t numDynamicSlots,
gc::AllocKind allocKind,
uint32_t shapeOffset) {
JitSpew(JitSpew_Codegen, "%s", __FUNCTION__);
AutoCallVM callvm(masm, this, allocator);
AutoScratchRegister obj(allocator, masm);
AutoScratchRegister scratch(allocator, masm);
AutoScratchRegisterMaybeOutput shape(allocator, masm, callvm.output());
StubFieldOffset shapeSlot(shapeOffset, StubField::Type::Shape);
Label success;
Label fail;
emitLoadStubField(shapeSlot, shape);
masm.createPlainGCObject(obj, shape, scratch, shape, numFixedSlots,
numDynamicSlots, allocKind, gc::DefaultHeap, &fail);
masm.tagValue(JSVAL_TYPE_OBJECT, obj, callvm.output().valueReg());
masm.jump(&success);
masm.bind(&fail);
// We get here if the nursery is full (unlikely) but also if the current arena
// is full and we need to allocate a new one (fairly common).
callvm.prepare();
masm.Push(Imm32(gc::DefaultHeap));
masm.Push(Imm32(int32_t(allocKind)));
emitLoadStubField(shapeSlot, shape); // This might have been overwritten.
masm.Push(shape);
using Fn =
JSObject* (*)(JSContext*, HandleShape, gc::AllocKind, gc::InitialHeap);
callvm.call<Fn, NewPlainObject>();
masm.bind(&success);
return true;
}
bool CacheIRCompiler::emitComparePointerResultShared(JSOp op,
TypedOperandId lhsId,
TypedOperandId rhsId) {

10
js/src/jit/CacheIROps.yaml
View File

@ -2469,7 +2469,7 @@
disambiguationIdLo: UInt32Imm
- name: NewPlainObjectResult
shared: false
shared: true
transpile: false
cost_estimate: 4
args:
@ -2478,14 +2478,6 @@
allocKind: AllocKindImm
shape: ShapeField
- name: NewArrayObjectResult
shared: false
transpile: false
cost_estimate: 4
args:
arrayLength: UInt32Imm
shape: ShapeField
- name: CallStringConcatResult
shared: true
transpile: true

1
js/src/jit/CodeGenerator.cpp
View File

@ -933,7 +933,6 @@ void CodeGenerator::visitOutOfLineICFallback(OutOfLineICFallback* ool) {
case CacheKind::TypeOf:
case CacheKind::ToBool:
case CacheKind::GetIntrinsic:
case CacheKind::NewArray:
case CacheKind::NewObject:
MOZ_CRASH("Unsupported IC");
}

14
js/src/jit/IonCacheIRCompiler.cpp
View File

@ -520,7 +520,6 @@ bool IonCacheIRCompiler::init() {
case CacheKind::TypeOf:
case CacheKind::ToBool:
case CacheKind::GetIntrinsic:
case CacheKind::NewArray:
case CacheKind::NewObject:
MOZ_CRASH("Unsupported IC");
}
@ -625,7 +624,6 @@ void IonCacheIRCompiler::assertFloatRegisterAvailable(FloatRegister reg) {
case CacheKind::TypeOf:
case CacheKind::ToBool:
case CacheKind::GetIntrinsic:
case CacheKind::NewArray:
case CacheKind::NewObject:
MOZ_CRASH("Unsupported IC");
}
@ -2028,15 +2026,3 @@ bool IonCacheIRCompiler::emitHasClassResult(ObjOperandId objId,
uint32_t claspOffset) {
MOZ_CRASH("Call ICs not used in ion");
}
bool IonCacheIRCompiler::emitNewArrayObjectResult(uint32_t arrayLength,
uint32_t shapeOffset) {
MOZ_CRASH("NewArray ICs not used in ion");
}
bool IonCacheIRCompiler::emitNewPlainObjectResult(uint32_t numFixedSlots,
uint32_t numDynamicSlots,
gc::AllocKind allocKind,
uint32_t shapeOffset) {
MOZ_CRASH("NewObject ICs not used in ion");
}

1
js/src/jit/IonIC.cpp
View File

@ -68,7 +68,6 @@ Register IonIC::scratchRegisterForEntryJump() {
case CacheKind::TypeOf:
case CacheKind::ToBool:
case CacheKind::GetIntrinsic:
case CacheKind::NewArray:
case CacheKind::NewObject:
MOZ_CRASH("Unsupported IC");
}

37
js/src/jit/MacroAssembler.cpp
View File

@ -475,43 +475,6 @@ void MacroAssembler::createPlainGCObject(
}
}
void MacroAssembler::createArrayWithFixedElements(
Register result, Register shape, Register temp, uint32_t arrayLength,
uint32_t arrayCapacity, gc::AllocKind allocKind,
gc::InitialHeap initialHeap, Label* fail) {
MOZ_ASSERT(gc::IsObjectAllocKind(allocKind));
MOZ_ASSERT(shape != temp, "shape can overlap with temp2, but not temp");
MOZ_ASSERT(result != temp);
// This only supports allocating arrays with fixed elements and does not
// support any dynamic slots or elements.
MOZ_ASSERT(arrayCapacity >= arrayLength);
MOZ_ASSERT(gc::GetGCKindSlots(allocKind) >=
arrayCapacity + ObjectElements::VALUES_PER_HEADER);
// Allocate object.
allocateObject(result, temp, allocKind, 0, initialHeap, fail);
// Initialize shape field.
storePtr(shape, Address(result, JSObject::offsetOfShape()));
// There are no dynamic slots.
storePtr(ImmPtr(emptyObjectSlots),
Address(result, NativeObject::offsetOfSlots()));
// Initialize elements pointer for fixed (inline) elements.
computeEffectiveAddress(
Address(result, NativeObject::offsetOfFixedElements()), temp);
storePtr(temp, Address(result, NativeObject::offsetOfElements()));
// Initialize elements header.
store32(Imm32(0), Address(temp, ObjectElements::offsetOfFlags()));
store32(Imm32(0), Address(temp, ObjectElements::offsetOfInitializedLength()));
store32(Imm32(arrayCapacity),
Address(temp, ObjectElements::offsetOfCapacity()));
store32(Imm32(arrayLength), Address(temp, ObjectElements::offsetOfLength()));
}
// Inline version of Nursery::allocateString.
void MacroAssembler::nurseryAllocateString(Register result, Register temp,
gc::AllocKind allocKind,

6
js/src/jit/MacroAssembler.h
View File

@ -4629,12 +4629,6 @@ class MacroAssembler : public MacroAssemblerSpecific {
uint32_t numDynamicSlots, gc::AllocKind allocKind,
gc::InitialHeap initialHeap, Label* fail);
void createArrayWithFixedElements(Register result, Register shape,
Register temp, uint32_t arrayLength,
uint32_t arrayCapacity,
gc::AllocKind allocKind,
gc::InitialHeap initialHeap, Label* fail);
void initGCThing(Register obj, Register temp,
const TemplateObject& templateObj, bool initContents = true);

2
js/src/jit/WarpBuilder.cpp
View File

@ -3290,7 +3290,6 @@ bool WarpBuilder::buildIC(BytecodeLocation loc, CacheKind kind,
case CacheKind::GetIntrinsic:
case CacheKind::ToBool:
case CacheKind::Call:
case CacheKind::NewArray:
case CacheKind::NewObject:
// We're currently not using an IC or transpiling CacheIR for these kinds.
MOZ_CRASH("Unexpected kind");
@ -3322,7 +3321,6 @@ bool WarpBuilder::buildBailoutForColdIC(BytecodeLocation loc, CacheKind kind) {
break;
case CacheKind::BindName:
case CacheKind::GetIterator:
case CacheKind::NewArray:
case CacheKind::NewObject:
resultType = MIRType::Object;
break;