]> git.saurik.com Git - apple/javascriptcore.git/blob - jit/Repatch.cpp
projects / apple / javascriptcore.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
JavaScriptCore-7600.1.4.9.tar.gz
[apple/javascriptcore.git] / jit / Repatch.cpp
1 /*
2 * Copyright (C) 2011, 2012, 2013, 2014 Apple Inc. All rights reserved.
3 *
4 * Redistribution and use in source and binary forms, with or without
5 * modification, are permitted provided that the following conditions
6 * are met:
7 * 1. Redistributions of source code must retain the above copyright
8 * notice, this list of conditions and the following disclaimer.
9 * 2. Redistributions in binary form must reproduce the above copyright
10 * notice, this list of conditions and the following disclaimer in the
11 * documentation and/or other materials provided with the distribution.
12 *
13 * THIS SOFTWARE IS PROVIDED BY APPLE INC. ``AS IS'' AND ANY
14 * EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
15 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
16 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL APPLE INC. OR
17 * CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL,
18 * EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
19 * PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
20 * PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY
21 * OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
22 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
23 * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
24 */
25
26 #include "config.h"
27 #include "Repatch.h"
28
29 #if ENABLE(JIT)
30
31 #include "AccessorCallJITStubRoutine.h"
32 #include "CCallHelpers.h"
33 #include "DFGOperations.h"
34 #include "DFGSpeculativeJIT.h"
35 #include "FTLThunks.h"
36 #include "GCAwareJITStubRoutine.h"
37 #include "GetterSetter.h"
38 #include "JIT.h"
39 #include "JITInlines.h"
40 #include "LinkBuffer.h"
41 #include "JSCInlines.h"
42 #include "PolymorphicGetByIdList.h"
43 #include "PolymorphicPutByIdList.h"
44 #include "RegExpMatchesArray.h"
45 #include "RepatchBuffer.h"
46 #include "ScratchRegisterAllocator.h"
47 #include "StackAlignment.h"
48 #include "StructureRareDataInlines.h"
49 #include "StructureStubClearingWatchpoint.h"
50 #include "ThunkGenerators.h"
51 #include <wtf/StringPrintStream.h>
52
53 namespace JSC {
54
55 // Beware: in this code, it is not safe to assume anything about the following registers
56 // that would ordinarily have well-known values:
57 // - tagTypeNumberRegister
58 // - tagMaskRegister
59
60 static FunctionPtr readCallTarget(RepatchBuffer& repatchBuffer, CodeLocationCall call)
61 {
62 FunctionPtr result = MacroAssembler::readCallTarget(call);
63 #if ENABLE(FTL_JIT)
64 CodeBlock* codeBlock = repatchBuffer.codeBlock();
65 if (codeBlock->jitType() == JITCode::FTLJIT) {
66 return FunctionPtr(codeBlock->vm()->ftlThunks->keyForSlowPathCallThunk(
67 MacroAssemblerCodePtr::createFromExecutableAddress(
68 result.executableAddress())).callTarget());
69 }
70 #else
71 UNUSED_PARAM(repatchBuffer);
72 #endif // ENABLE(FTL_JIT)
73 return result;
74 }
75
76 static void repatchCall(RepatchBuffer& repatchBuffer, CodeLocationCall call, FunctionPtr newCalleeFunction)
77 {
78 #if ENABLE(FTL_JIT)
79 CodeBlock* codeBlock = repatchBuffer.codeBlock();
80 if (codeBlock->jitType() == JITCode::FTLJIT) {
81 VM& vm = *codeBlock->vm();
82 FTL::Thunks& thunks = *vm.ftlThunks;
83 FTL::SlowPathCallKey key = thunks.keyForSlowPathCallThunk(
84 MacroAssemblerCodePtr::createFromExecutableAddress(
85 MacroAssembler::readCallTarget(call).executableAddress()));
86 key = key.withCallTarget(newCalleeFunction.executableAddress());
87 newCalleeFunction = FunctionPtr(
88 thunks.getSlowPathCallThunk(vm, key).code().executableAddress());
89 }
90 #endif // ENABLE(FTL_JIT)
91 repatchBuffer.relink(call, newCalleeFunction);
92 }
93
94 static void repatchCall(CodeBlock* codeblock, CodeLocationCall call, FunctionPtr newCalleeFunction)
95 {
96 RepatchBuffer repatchBuffer(codeblock);
97 repatchCall(repatchBuffer, call, newCalleeFunction);
98 }
99
100 static void repatchByIdSelfAccess(VM& vm, CodeBlock* codeBlock, StructureStubInfo& stubInfo, Structure* structure, const Identifier& propertyName, PropertyOffset offset,
101 const FunctionPtr &slowPathFunction, bool compact)
102 {
103 if (structure->typeInfo().newImpurePropertyFiresWatchpoints())
104 vm.registerWatchpointForImpureProperty(propertyName, stubInfo.addWatchpoint(codeBlock));
105
106 RepatchBuffer repatchBuffer(codeBlock);
107
108 // Only optimize once!
109 repatchCall(repatchBuffer, stubInfo.callReturnLocation, slowPathFunction);
110
111 // Patch the structure check & the offset of the load.
112 repatchBuffer.repatch(stubInfo.callReturnLocation.dataLabel32AtOffset(-(intptr_t)stubInfo.patch.deltaCheckImmToCall), bitwise_cast<int32_t>(structure->id()));
113 repatchBuffer.setLoadInstructionIsActive(stubInfo.callReturnLocation.convertibleLoadAtOffset(stubInfo.patch.deltaCallToStorageLoad), isOutOfLineOffset(offset));
114 #if USE(JSVALUE64)
115 if (compact)
116 repatchBuffer.repatch(stubInfo.callReturnLocation.dataLabelCompactAtOffset(stubInfo.patch.deltaCallToLoadOrStore), offsetRelativeToPatchedStorage(offset));
117 else
118 repatchBuffer.repatch(stubInfo.callReturnLocation.dataLabel32AtOffset(stubInfo.patch.deltaCallToLoadOrStore), offsetRelativeToPatchedStorage(offset));
119 #elif USE(JSVALUE32_64)
120 if (compact) {
121 repatchBuffer.repatch(stubInfo.callReturnLocation.dataLabelCompactAtOffset(stubInfo.patch.deltaCallToTagLoadOrStore), offsetRelativeToPatchedStorage(offset) + OBJECT_OFFSETOF(EncodedValueDescriptor, asBits.tag));
122 repatchBuffer.repatch(stubInfo.callReturnLocation.dataLabelCompactAtOffset(stubInfo.patch.deltaCallToPayloadLoadOrStore), offsetRelativeToPatchedStorage(offset) + OBJECT_OFFSETOF(EncodedValueDescriptor, asBits.payload));
123 } else {
124 repatchBuffer.repatch(stubInfo.callReturnLocation.dataLabel32AtOffset(stubInfo.patch.deltaCallToTagLoadOrStore), offsetRelativeToPatchedStorage(offset) + OBJECT_OFFSETOF(EncodedValueDescriptor, asBits.tag));
125 repatchBuffer.repatch(stubInfo.callReturnLocation.dataLabel32AtOffset(stubInfo.patch.deltaCallToPayloadLoadOrStore), offsetRelativeToPatchedStorage(offset) + OBJECT_OFFSETOF(EncodedValueDescriptor, asBits.payload));
126 }
127 #endif
128 }
129
130 static void addStructureTransitionCheck(
131 JSCell* object, Structure* structure, CodeBlock* codeBlock, StructureStubInfo& stubInfo,
132 MacroAssembler& jit, MacroAssembler::JumpList& failureCases, GPRReg scratchGPR)
133 {
134 if (object->structure() == structure && structure->transitionWatchpointSetIsStillValid()) {
135 structure->addTransitionWatchpoint(stubInfo.addWatchpoint(codeBlock));
136 if (!ASSERT_DISABLED) {
137 // If we execute this code, the object must have the structure we expect. Assert
138 // this in debug modes.
139 jit.move(MacroAssembler::TrustedImmPtr(object), scratchGPR);
140 MacroAssembler::Jump ok = branchStructure(
141 jit,
142 MacroAssembler::Equal,
143 MacroAssembler::Address(scratchGPR, JSCell::structureIDOffset()),
144 structure);
145 jit.abortWithReason(RepatchIneffectiveWatchpoint);
146 ok.link(&jit);
147 }
148 return;
149 }
150
151 jit.move(MacroAssembler::TrustedImmPtr(object), scratchGPR);
152 failureCases.append(
153 branchStructure(jit,
154 MacroAssembler::NotEqual,
155 MacroAssembler::Address(scratchGPR, JSCell::structureIDOffset()),
156 structure));
157 }
158
159 static void addStructureTransitionCheck(
160 JSValue prototype, CodeBlock* codeBlock, StructureStubInfo& stubInfo,
161 MacroAssembler& jit, MacroAssembler::JumpList& failureCases, GPRReg scratchGPR)
162 {
163 if (prototype.isNull())
164 return;
165
166 ASSERT(prototype.isCell());
167
168 addStructureTransitionCheck(
169 prototype.asCell(), prototype.asCell()->structure(), codeBlock, stubInfo, jit,
170 failureCases, scratchGPR);
171 }
172
173 static void replaceWithJump(RepatchBuffer& repatchBuffer, StructureStubInfo& stubInfo, const MacroAssemblerCodePtr target)
174 {
175 if (MacroAssembler::canJumpReplacePatchableBranch32WithPatch()) {
176 repatchBuffer.replaceWithJump(
177 RepatchBuffer::startOfPatchableBranch32WithPatchOnAddress(
178 stubInfo.callReturnLocation.dataLabel32AtOffset(
179 -(intptr_t)stubInfo.patch.deltaCheckImmToCall)),
180 CodeLocationLabel(target));
181 return;
182 }
183
184 repatchBuffer.relink(
185 stubInfo.callReturnLocation.jumpAtOffset(
186 stubInfo.patch.deltaCallToJump),
187 CodeLocationLabel(target));
188 }
189
190 static void emitRestoreScratch(MacroAssembler& stubJit, bool needToRestoreScratch, GPRReg scratchGPR, MacroAssembler::Jump& success, MacroAssembler::Jump& fail, MacroAssembler::JumpList failureCases)
191 {
192 if (needToRestoreScratch) {
193 stubJit.popToRestore(scratchGPR);
194
195 success = stubJit.jump();
196
197 // link failure cases here, so we can pop scratchGPR, and then jump back.
198 failureCases.link(&stubJit);
199
200 stubJit.popToRestore(scratchGPR);
201
202 fail = stubJit.jump();
203 return;
204 }
205
206 success = stubJit.jump();
207 }
208
209 static void linkRestoreScratch(LinkBuffer& patchBuffer, bool needToRestoreScratch, MacroAssembler::Jump success, MacroAssembler::Jump fail, MacroAssembler::JumpList failureCases, CodeLocationLabel successLabel, CodeLocationLabel slowCaseBegin)
210 {
211 patchBuffer.link(success, successLabel);
212
213 if (needToRestoreScratch) {
214 patchBuffer.link(fail, slowCaseBegin);
215 return;
216 }
217
218 // link failure cases directly back to normal path
219 patchBuffer.link(failureCases, slowCaseBegin);
220 }
221
222 static void linkRestoreScratch(LinkBuffer& patchBuffer, bool needToRestoreScratch, StructureStubInfo& stubInfo, MacroAssembler::Jump success, MacroAssembler::Jump fail, MacroAssembler::JumpList failureCases)
223 {
224 linkRestoreScratch(patchBuffer, needToRestoreScratch, success, fail, failureCases, stubInfo.callReturnLocation.labelAtOffset(stubInfo.patch.deltaCallToDone), stubInfo.callReturnLocation.labelAtOffset(stubInfo.patch.deltaCallToSlowCase));
225 }
226
227 enum ByIdStubKind {
228 GetValue,
229 CallGetter,
230 CallCustomGetter,
231 CallSetter,
232 CallCustomSetter
233 };
234
235 static const char* toString(ByIdStubKind kind)
236 {
237 switch (kind) {
238 case GetValue:
239 return "GetValue";
240 case CallGetter:
241 return "CallGetter";
242 case CallCustomGetter:
243 return "CallCustomGetter";
244 case CallSetter:
245 return "CallSetter";
246 case CallCustomSetter:
247 return "CallCustomSetter";
248 default:
249 RELEASE_ASSERT_NOT_REACHED();
250 return nullptr;
251 }
252 }
253
254 static ByIdStubKind kindFor(const PropertySlot& slot)
255 {
256 if (slot.isCacheableValue())
257 return GetValue;
258 if (slot.isCacheableCustom())
259 return CallCustomGetter;
260 RELEASE_ASSERT(slot.isCacheableGetter());
261 return CallGetter;
262 }
263
264 static FunctionPtr customFor(const PropertySlot& slot)
265 {
266 if (!slot.isCacheableCustom())
267 return FunctionPtr();
268 return FunctionPtr(slot.customGetter());
269 }
270
271 static ByIdStubKind kindFor(const PutPropertySlot& slot)
272 {
273 RELEASE_ASSERT(!slot.isCacheablePut());
274 if (slot.isCacheableSetter())
275 return CallSetter;
276 RELEASE_ASSERT(slot.isCacheableCustom());
277 return CallCustomSetter;
278 }
279
280 static FunctionPtr customFor(const PutPropertySlot& slot)
281 {
282 if (!slot.isCacheableCustom())
283 return FunctionPtr();
284 return FunctionPtr(slot.customSetter());
285 }
286
287 static void generateByIdStub(
288 ExecState* exec, ByIdStubKind kind, const Identifier& propertyName,
289 FunctionPtr custom, StructureStubInfo& stubInfo, StructureChain* chain, size_t count,
290 PropertyOffset offset, Structure* structure, bool loadTargetFromProxy, WatchpointSet* watchpointSet,
291 CodeLocationLabel successLabel, CodeLocationLabel slowCaseLabel, RefPtr<JITStubRoutine>& stubRoutine)
292 {
293 VM* vm = &exec->vm();
294 GPRReg baseGPR = static_cast<GPRReg>(stubInfo.patch.baseGPR);
295 JSValueRegs valueRegs = JSValueRegs(
296 #if USE(JSVALUE32_64)
297 static_cast<GPRReg>(stubInfo.patch.valueTagGPR),
298 #endif
299 static_cast<GPRReg>(stubInfo.patch.valueGPR));
300 GPRReg scratchGPR = TempRegisterSet(stubInfo.patch.usedRegisters).getFreeGPR();
301 bool needToRestoreScratch = scratchGPR == InvalidGPRReg;
302 RELEASE_ASSERT(!needToRestoreScratch || kind == GetValue);
303
304 CCallHelpers stubJit(&exec->vm(), exec->codeBlock());
305 if (needToRestoreScratch) {
306 scratchGPR = AssemblyHelpers::selectScratchGPR(
307 baseGPR, valueRegs.tagGPR(), valueRegs.payloadGPR());
308 stubJit.pushToSave(scratchGPR);
309 needToRestoreScratch = true;
310 }
311
312 MacroAssembler::JumpList failureCases;
313
314 GPRReg baseForGetGPR;
315 if (loadTargetFromProxy) {
316 baseForGetGPR = valueRegs.payloadGPR();
317 failureCases.append(stubJit.branch8(
318 MacroAssembler::NotEqual,
319 MacroAssembler::Address(baseGPR, JSCell::typeInfoTypeOffset()),
320 MacroAssembler::TrustedImm32(PureForwardingProxyType)));
321
322 stubJit.loadPtr(MacroAssembler::Address(baseGPR, JSProxy::targetOffset()), scratchGPR);
323
324 failureCases.append(branchStructure(stubJit,
325 MacroAssembler::NotEqual,
326 MacroAssembler::Address(scratchGPR, JSCell::structureIDOffset()),
327 structure));
328 } else {
329 baseForGetGPR = baseGPR;
330
331 failureCases.append(branchStructure(stubJit,
332 MacroAssembler::NotEqual,
333 MacroAssembler::Address(baseForGetGPR, JSCell::structureIDOffset()),
334 structure));
335 }
336
337 CodeBlock* codeBlock = exec->codeBlock();
338 if (structure->typeInfo().newImpurePropertyFiresWatchpoints())
339 vm->registerWatchpointForImpureProperty(propertyName, stubInfo.addWatchpoint(codeBlock));
340
341 if (watchpointSet)
342 watchpointSet->add(stubInfo.addWatchpoint(codeBlock));
343
344 Structure* currStructure = structure;
345 JSObject* protoObject = 0;
346 if (chain) {
347 WriteBarrier<Structure>* it = chain->head();
348 for (unsigned i = 0; i < count; ++i, ++it) {
349 protoObject = asObject(currStructure->prototypeForLookup(exec));
350 Structure* protoStructure = protoObject->structure();
351 if (protoStructure->typeInfo().newImpurePropertyFiresWatchpoints())
352 vm->registerWatchpointForImpureProperty(propertyName, stubInfo.addWatchpoint(codeBlock));
353 addStructureTransitionCheck(
354 protoObject, protoStructure, codeBlock, stubInfo, stubJit,
355 failureCases, scratchGPR);
356 currStructure = it->get();
357 }
358 }
359
360 GPRReg baseForAccessGPR;
361 if (chain) {
362 // We could have clobbered scratchGPR earlier, so we have to reload from baseGPR to get the target.
363 if (loadTargetFromProxy)
364 stubJit.loadPtr(MacroAssembler::Address(baseGPR, JSProxy::targetOffset()), baseForGetGPR);
365 stubJit.move(MacroAssembler::TrustedImmPtr(protoObject), scratchGPR);
366 baseForAccessGPR = scratchGPR;
367 } else {
368 // For proxy objects, we need to do all the Structure checks before moving the baseGPR into
369 // baseForGetGPR because if we fail any of the checks then we would have the wrong value in baseGPR
370 // on the slow path.
371 if (loadTargetFromProxy)
372 stubJit.move(scratchGPR, baseForGetGPR);
373 baseForAccessGPR = baseForGetGPR;
374 }
375
376 GPRReg loadedValueGPR = InvalidGPRReg;
377 if (kind != CallCustomGetter && kind != CallCustomSetter) {
378 if (kind == GetValue)
379 loadedValueGPR = valueRegs.payloadGPR();
380 else
381 loadedValueGPR = scratchGPR;
382
383 GPRReg storageGPR;
384 if (isInlineOffset(offset))
385 storageGPR = baseForAccessGPR;
386 else {
387 stubJit.loadPtr(MacroAssembler::Address(baseForAccessGPR, JSObject::butterflyOffset()), loadedValueGPR);
388 storageGPR = loadedValueGPR;
389 }
390
391 #if USE(JSVALUE64)
392 stubJit.load64(MacroAssembler::Address(storageGPR, offsetRelativeToBase(offset)), loadedValueGPR);
393 #else
394 if (kind == GetValue)
395 stubJit.load32(MacroAssembler::Address(storageGPR, offsetRelativeToBase(offset) + TagOffset), valueRegs.tagGPR());
396 stubJit.load32(MacroAssembler::Address(storageGPR, offsetRelativeToBase(offset) + PayloadOffset), loadedValueGPR);
397 #endif
398 }
399
400 // Stuff for custom getters.
401 MacroAssembler::Call operationCall;
402 MacroAssembler::Call handlerCall;
403
404 // Stuff for JS getters.
405 MacroAssembler::DataLabelPtr addressOfLinkFunctionCheck;
406 MacroAssembler::Call fastPathCall;
407 MacroAssembler::Call slowPathCall;
408 std::unique_ptr<CallLinkInfo> callLinkInfo;
409
410 MacroAssembler::Jump success, fail;
411 if (kind != GetValue) {
412 // Need to make sure that whenever this call is made in the future, we remember the
413 // place that we made it from. It just so happens to be the place that we are at
414 // right now!
415 stubJit.store32(MacroAssembler::TrustedImm32(exec->locationAsRawBits()),
416 CCallHelpers::tagFor(static_cast<VirtualRegister>(JSStack::ArgumentCount)));
417
418 if (kind == CallGetter || kind == CallSetter) {
419 // Create a JS call using a JS call inline cache. Assume that:
420 //
421 // - SP is aligned and represents the extent of the calling compiler's stack usage.
422 //
423 // - FP is set correctly (i.e. it points to the caller's call frame header).
424 //
425 // - SP - FP is an aligned difference.
426 //
427 // - Any byte between FP (exclusive) and SP (inclusive) could be live in the calling
428 // code.
429 //
430 // Therefore, we temporarily grow the stack for the purpose of the call and then
431 // shrink it after.
432
433 callLinkInfo = std::make_unique<CallLinkInfo>();
434 callLinkInfo->callType = CallLinkInfo::Call;
435 callLinkInfo->codeOrigin = stubInfo.codeOrigin;
436 callLinkInfo->calleeGPR = loadedValueGPR;
437
438 MacroAssembler::JumpList done;
439
440 // There is a 'this' argument but nothing else.
441 unsigned numberOfParameters = 1;
442 // ... unless we're calling a setter.
443 if (kind == CallSetter)
444 numberOfParameters++;
445
446 // Get the accessor; if there ain't one then the result is jsUndefined().
447 if (kind == CallSetter) {
448 stubJit.loadPtr(
449 MacroAssembler::Address(loadedValueGPR, GetterSetter::offsetOfSetter()),
450 loadedValueGPR);
451 } else {
452 stubJit.loadPtr(
453 MacroAssembler::Address(loadedValueGPR, GetterSetter::offsetOfGetter()),
454 loadedValueGPR);
455 }
456 MacroAssembler::Jump returnUndefined = stubJit.branchTestPtr(
457 MacroAssembler::Zero, loadedValueGPR);
458
459 unsigned numberOfRegsForCall =
460 JSStack::CallFrameHeaderSize + numberOfParameters;
461
462 unsigned numberOfBytesForCall =
463 numberOfRegsForCall * sizeof(Register) - sizeof(CallerFrameAndPC);
464
465 unsigned alignedNumberOfBytesForCall =
466 WTF::roundUpToMultipleOf(stackAlignmentBytes(), numberOfBytesForCall);
467
468 stubJit.subPtr(
469 MacroAssembler::TrustedImm32(alignedNumberOfBytesForCall),
470 MacroAssembler::stackPointerRegister);
471
472 MacroAssembler::Address calleeFrame = MacroAssembler::Address(
473 MacroAssembler::stackPointerRegister,
474 -static_cast<ptrdiff_t>(sizeof(CallerFrameAndPC)));
475
476 stubJit.store32(
477 MacroAssembler::TrustedImm32(numberOfParameters),
478 calleeFrame.withOffset(
479 JSStack::ArgumentCount * sizeof(Register) + PayloadOffset));
480
481 stubJit.storeCell(
482 loadedValueGPR, calleeFrame.withOffset(JSStack::Callee * sizeof(Register)));
483
484 stubJit.storeCell(
485 baseForGetGPR,
486 calleeFrame.withOffset(
487 virtualRegisterForArgument(0).offset() * sizeof(Register)));
488
489 if (kind == CallSetter) {
490 stubJit.storeValue(
491 valueRegs,
492 calleeFrame.withOffset(
493 virtualRegisterForArgument(1).offset() * sizeof(Register)));
494 }
495
496 MacroAssembler::Jump slowCase = stubJit.branchPtrWithPatch(
497 MacroAssembler::NotEqual, loadedValueGPR, addressOfLinkFunctionCheck,
498 MacroAssembler::TrustedImmPtr(0));
499
500 // loadedValueGPR is already burned. We can reuse it. From here on we assume that
501 // any volatile register will be clobbered anyway.
502 stubJit.loadPtr(
503 MacroAssembler::Address(loadedValueGPR, JSFunction::offsetOfScopeChain()),
504 loadedValueGPR);
505 stubJit.storeCell(
506 loadedValueGPR, calleeFrame.withOffset(JSStack::ScopeChain * sizeof(Register)));
507 fastPathCall = stubJit.nearCall();
508
509 stubJit.addPtr(
510 MacroAssembler::TrustedImm32(alignedNumberOfBytesForCall),
511 MacroAssembler::stackPointerRegister);
512 if (kind == CallGetter)
513 stubJit.setupResults(valueRegs);
514
515 done.append(stubJit.jump());
516 slowCase.link(&stubJit);
517
518 stubJit.move(loadedValueGPR, GPRInfo::regT0);
519 #if USE(JSVALUE32_64)
520 stubJit.move(MacroAssembler::TrustedImm32(JSValue::CellTag), GPRInfo::regT1);
521 #endif
522 stubJit.move(MacroAssembler::TrustedImmPtr(callLinkInfo.get()), GPRInfo::regT2);
523 slowPathCall = stubJit.nearCall();
524
525 stubJit.addPtr(
526 MacroAssembler::TrustedImm32(alignedNumberOfBytesForCall),
527 MacroAssembler::stackPointerRegister);
528 if (kind == CallGetter)
529 stubJit.setupResults(valueRegs);
530
531 done.append(stubJit.jump());
532 returnUndefined.link(&stubJit);
533
534 if (kind == CallGetter)
535 stubJit.moveTrustedValue(jsUndefined(), valueRegs);
536
537 done.link(&stubJit);
538 } else {
539 // getter: EncodedJSValue (*GetValueFunc)(ExecState*, JSObject* slotBase, EncodedJSValue thisValue, PropertyName);
540 // setter: void (*PutValueFunc)(ExecState*, JSObject* base, EncodedJSValue thisObject, EncodedJSValue value);
541 #if USE(JSVALUE64)
542 if (kind == CallCustomGetter)
543 stubJit.setupArgumentsWithExecState(baseForAccessGPR, baseForGetGPR, MacroAssembler::TrustedImmPtr(propertyName.impl()));
544 else
545 stubJit.setupArgumentsWithExecState(baseForAccessGPR, baseForGetGPR, valueRegs.gpr());
546 #else
547 if (kind == CallCustomGetter)
548 stubJit.setupArgumentsWithExecState(baseForAccessGPR, baseForGetGPR, MacroAssembler::TrustedImm32(JSValue::CellTag), MacroAssembler::TrustedImmPtr(propertyName.impl()));
549 else
550 stubJit.setupArgumentsWithExecState(baseForAccessGPR, baseForGetGPR, MacroAssembler::TrustedImm32(JSValue::CellTag), valueRegs.payloadGPR(), valueRegs.tagGPR());
551 #endif
552 stubJit.storePtr(GPRInfo::callFrameRegister, &vm->topCallFrame);
553
554 operationCall = stubJit.call();
555 if (kind == CallCustomGetter)
556 stubJit.setupResults(valueRegs);
557 MacroAssembler::Jump noException = stubJit.emitExceptionCheck(CCallHelpers::InvertedExceptionCheck);
558
559 stubJit.setupArguments(CCallHelpers::TrustedImmPtr(vm), GPRInfo::callFrameRegister);
560 handlerCall = stubJit.call();
561 stubJit.jumpToExceptionHandler();
562
563 noException.link(&stubJit);
564 }
565 }
566 emitRestoreScratch(stubJit, needToRestoreScratch, scratchGPR, success, fail, failureCases);
567
568 LinkBuffer patchBuffer(*vm, stubJit, exec->codeBlock());
569
570 linkRestoreScratch(patchBuffer, needToRestoreScratch, success, fail, failureCases, successLabel, slowCaseLabel);
571 if (kind == CallCustomGetter || kind == CallCustomSetter) {
572 patchBuffer.link(operationCall, custom);
573 patchBuffer.link(handlerCall, lookupExceptionHandler);
574 } else if (kind == CallGetter || kind == CallSetter) {
575 callLinkInfo->hotPathOther = patchBuffer.locationOfNearCall(fastPathCall);
576 callLinkInfo->hotPathBegin = patchBuffer.locationOf(addressOfLinkFunctionCheck);
577 callLinkInfo->callReturnLocation = patchBuffer.locationOfNearCall(slowPathCall);
578
579 ThunkGenerator generator = linkThunkGeneratorFor(
580 CodeForCall, RegisterPreservationNotRequired);
581 patchBuffer.link(
582 slowPathCall, CodeLocationLabel(vm->getCTIStub(generator).code()));
583 }
584
585 MacroAssemblerCodeRef code = FINALIZE_CODE_FOR(
586 exec->codeBlock(), patchBuffer,
587 ("%s access stub for %s, return point %p",
588 toString(kind), toCString(*exec->codeBlock()).data(),
589 successLabel.executableAddress()));
590
591 if (kind == CallGetter || kind == CallSetter)
592 stubRoutine = adoptRef(new AccessorCallJITStubRoutine(code, *vm, WTF::move(callLinkInfo)));
593 else
594 stubRoutine = createJITStubRoutine(code, *vm, codeBlock->ownerExecutable(), true);
595 }
596
597 enum InlineCacheAction {
598 GiveUpOnCache,
599 RetryCacheLater,
600 AttemptToCache
601 };
602
603 static InlineCacheAction actionForCell(VM& vm, JSCell* cell)
604 {
605 Structure* structure = cell->structure(vm);
606
607 TypeInfo typeInfo = structure->typeInfo();
608 if (typeInfo.prohibitsPropertyCaching())
609 return GiveUpOnCache;
610
611 if (structure->isUncacheableDictionary()) {
612 if (structure->hasBeenFlattenedBefore())
613 return GiveUpOnCache;
614 // Flattening could have changed the offset, so return early for another try.
615 asObject(cell)->flattenDictionaryObject(vm);
616 return RetryCacheLater;
617 }
618 ASSERT(!structure->isUncacheableDictionary());
619
620 if (typeInfo.hasImpureGetOwnPropertySlot() && !typeInfo.newImpurePropertyFiresWatchpoints())
621 return GiveUpOnCache;
622
623 return AttemptToCache;
624 }
625
626 static InlineCacheAction tryCacheGetByID(ExecState* exec, JSValue baseValue, const Identifier& propertyName, const PropertySlot& slot, StructureStubInfo& stubInfo)
627 {
628 if (Options::forceICFailure())
629 return GiveUpOnCache;
630
631 // FIXME: Write a test that proves we need to check for recursion here just
632 // like the interpreter does, then add a check for recursion.
633
634 CodeBlock* codeBlock = exec->codeBlock();
635 VM* vm = &exec->vm();
636
637 if ((isJSArray(baseValue) || isRegExpMatchesArray(baseValue) || isJSString(baseValue)) && propertyName == exec->propertyNames().length) {
638 GPRReg baseGPR = static_cast<GPRReg>(stubInfo.patch.baseGPR);
639 #if USE(JSVALUE32_64)
640 GPRReg resultTagGPR = static_cast<GPRReg>(stubInfo.patch.valueTagGPR);
641 #endif
642 GPRReg resultGPR = static_cast<GPRReg>(stubInfo.patch.valueGPR);
643
644 MacroAssembler stubJit;
645
646 if (isJSArray(baseValue) || isRegExpMatchesArray(baseValue)) {
647 GPRReg scratchGPR = TempRegisterSet(stubInfo.patch.usedRegisters).getFreeGPR();
648 bool needToRestoreScratch = false;
649
650 if (scratchGPR == InvalidGPRReg) {
651 #if USE(JSVALUE64)
652 scratchGPR = AssemblyHelpers::selectScratchGPR(baseGPR, resultGPR);
653 #else
654 scratchGPR = AssemblyHelpers::selectScratchGPR(baseGPR, resultGPR, resultTagGPR);
655 #endif
656 stubJit.pushToSave(scratchGPR);
657 needToRestoreScratch = true;
658 }
659
660 MacroAssembler::JumpList failureCases;
661
662 stubJit.load8(MacroAssembler::Address(baseGPR, JSCell::indexingTypeOffset()), scratchGPR);
663 failureCases.append(stubJit.branchTest32(MacroAssembler::Zero, scratchGPR, MacroAssembler::TrustedImm32(IsArray)));
664 failureCases.append(stubJit.branchTest32(MacroAssembler::Zero, scratchGPR, MacroAssembler::TrustedImm32(IndexingShapeMask)));
665
666 stubJit.loadPtr(MacroAssembler::Address(baseGPR, JSObject::butterflyOffset()), scratchGPR);
667 stubJit.load32(MacroAssembler::Address(scratchGPR, ArrayStorage::lengthOffset()), scratchGPR);
668 failureCases.append(stubJit.branch32(MacroAssembler::LessThan, scratchGPR, MacroAssembler::TrustedImm32(0)));
669
670 stubJit.move(scratchGPR, resultGPR);
671 #if USE(JSVALUE64)
672 stubJit.or64(AssemblyHelpers::TrustedImm64(TagTypeNumber), resultGPR);
673 #elif USE(JSVALUE32_64)
674 stubJit.move(AssemblyHelpers::TrustedImm32(0xffffffff), resultTagGPR); // JSValue::Int32Tag
675 #endif
676
677 MacroAssembler::Jump success, fail;
678
679 emitRestoreScratch(stubJit, needToRestoreScratch, scratchGPR, success, fail, failureCases);
680
681 LinkBuffer patchBuffer(*vm, stubJit, codeBlock);
682
683 linkRestoreScratch(patchBuffer, needToRestoreScratch, stubInfo, success, fail, failureCases);
684
685 stubInfo.stubRoutine = FINALIZE_CODE_FOR_STUB(
686 exec->codeBlock(), patchBuffer,
687 ("GetById array length stub for %s, return point %p",
688 toCString(*exec->codeBlock()).data(), stubInfo.callReturnLocation.labelAtOffset(
689 stubInfo.patch.deltaCallToDone).executableAddress()));
690
691 RepatchBuffer repatchBuffer(codeBlock);
692 replaceWithJump(repatchBuffer, stubInfo, stubInfo.stubRoutine->code().code());
693 repatchCall(repatchBuffer, stubInfo.callReturnLocation, operationGetById);
694
695 return RetryCacheLater;
696 }
697
698 // String.length case
699 MacroAssembler::Jump failure = stubJit.branch8(MacroAssembler::NotEqual, MacroAssembler::Address(baseGPR, JSCell::typeInfoTypeOffset()), MacroAssembler::TrustedImm32(StringType));
700
701 stubJit.load32(MacroAssembler::Address(baseGPR, JSString::offsetOfLength()), resultGPR);
702
703 #if USE(JSVALUE64)
704 stubJit.or64(AssemblyHelpers::TrustedImm64(TagTypeNumber), resultGPR);
705 #elif USE(JSVALUE32_64)
706 stubJit.move(AssemblyHelpers::TrustedImm32(0xffffffff), resultTagGPR); // JSValue::Int32Tag
707 #endif
708
709 MacroAssembler::Jump success = stubJit.jump();
710
711 LinkBuffer patchBuffer(*vm, stubJit, codeBlock);
712
713 patchBuffer.link(success, stubInfo.callReturnLocation.labelAtOffset(stubInfo.patch.deltaCallToDone));
714 patchBuffer.link(failure, stubInfo.callReturnLocation.labelAtOffset(stubInfo.patch.deltaCallToSlowCase));
715
716 stubInfo.stubRoutine = FINALIZE_CODE_FOR_STUB(
717 exec->codeBlock(), patchBuffer,
718 ("GetById string length stub for %s, return point %p",
719 toCString(*exec->codeBlock()).data(), stubInfo.callReturnLocation.labelAtOffset(
720 stubInfo.patch.deltaCallToDone).executableAddress()));
721
722 RepatchBuffer repatchBuffer(codeBlock);
723 replaceWithJump(repatchBuffer, stubInfo, stubInfo.stubRoutine->code().code());
724 repatchCall(repatchBuffer, stubInfo.callReturnLocation, operationGetById);
725
726 return RetryCacheLater;
727 }
728
729 // FIXME: Cache property access for immediates.
730 if (!baseValue.isCell())
731 return GiveUpOnCache;
732 JSCell* baseCell = baseValue.asCell();
733 Structure* structure = baseCell->structure();
734 if (!slot.isCacheable())
735 return GiveUpOnCache;
736
737 InlineCacheAction action = actionForCell(*vm, baseCell);
738 if (action != AttemptToCache)
739 return action;
740
741 // Optimize self access.
742 if (slot.slotBase() == baseValue
743 && slot.isCacheableValue()
744 && !slot.watchpointSet()
745 && MacroAssembler::isCompactPtrAlignedAddressOffset(maxOffsetRelativeToPatchedStorage(slot.cachedOffset()))) {
746 repatchByIdSelfAccess(*vm, codeBlock, stubInfo, structure, propertyName, slot.cachedOffset(), operationGetByIdBuildList, true);
747 stubInfo.initGetByIdSelf(*vm, codeBlock->ownerExecutable(), structure);
748 return RetryCacheLater;
749 }
750
751 repatchCall(codeBlock, stubInfo.callReturnLocation, operationGetByIdBuildList);
752 return RetryCacheLater;
753 }
754
755 void repatchGetByID(ExecState* exec, JSValue baseValue, const Identifier& propertyName, const PropertySlot& slot, StructureStubInfo& stubInfo)
756 {
757 GCSafeConcurrentJITLocker locker(exec->codeBlock()->m_lock, exec->vm().heap);
758
759 if (tryCacheGetByID(exec, baseValue, propertyName, slot, stubInfo) == GiveUpOnCache)
760 repatchCall(exec->codeBlock(), stubInfo.callReturnLocation, operationGetById);
761 }
762
763 static void patchJumpToGetByIdStub(CodeBlock* codeBlock, StructureStubInfo& stubInfo, JITStubRoutine* stubRoutine)
764 {
765 RELEASE_ASSERT(stubInfo.accessType == access_get_by_id_list);
766 RepatchBuffer repatchBuffer(codeBlock);
767 if (stubInfo.u.getByIdList.list->didSelfPatching()) {
768 repatchBuffer.relink(
769 stubInfo.callReturnLocation.jumpAtOffset(
770 stubInfo.patch.deltaCallToJump),
771 CodeLocationLabel(stubRoutine->code().code()));
772 return;
773 }
774
775 replaceWithJump(repatchBuffer, stubInfo, stubRoutine->code().code());
776 }
777
778 static InlineCacheAction tryBuildGetByIDList(ExecState* exec, JSValue baseValue, const Identifier& ident, const PropertySlot& slot, StructureStubInfo& stubInfo)
779 {
780 if (!baseValue.isCell()
781 || !slot.isCacheable())
782 return GiveUpOnCache;
783
784 JSCell* baseCell = baseValue.asCell();
785 bool loadTargetFromProxy = false;
786 if (baseCell->type() == PureForwardingProxyType) {
787 baseValue = jsCast<JSProxy*>(baseCell)->target();
788 baseCell = baseValue.asCell();
789 loadTargetFromProxy = true;
790 }
791
792 VM* vm = &exec->vm();
793 CodeBlock* codeBlock = exec->codeBlock();
794
795 InlineCacheAction action = actionForCell(*vm, baseCell);
796 if (action != AttemptToCache)
797 return action;
798
799 Structure* structure = baseCell->structure(*vm);
800 TypeInfo typeInfo = structure->typeInfo();
801
802 if (stubInfo.patch.spillMode == NeedToSpill) {
803 // We cannot do as much inline caching if the registers were not flushed prior to this GetById. In particular,
804 // non-Value cached properties require planting calls, which requires registers to have been flushed. Thus,
805 // if registers were not flushed, don't do non-Value caching.
806 if (!slot.isCacheableValue())
807 return GiveUpOnCache;
808 }
809
810 PropertyOffset offset = slot.cachedOffset();
811 StructureChain* prototypeChain = 0;
812 size_t count = 0;
813
814 if (slot.slotBase() != baseValue) {
815 if (typeInfo.prohibitsPropertyCaching() || structure->isDictionary())
816 return GiveUpOnCache;
817
818 count = normalizePrototypeChainForChainAccess(
819 exec, baseValue, slot.slotBase(), ident, offset);
820 if (count == InvalidPrototypeChain)
821 return GiveUpOnCache;
822 prototypeChain = structure->prototypeChain(exec);
823 }
824
825 PolymorphicGetByIdList* list = PolymorphicGetByIdList::from(stubInfo);
826 if (list->isFull()) {
827 // We need this extra check because of recursion.
828 return GiveUpOnCache;
829 }
830
831 RefPtr<JITStubRoutine> stubRoutine;
832 generateByIdStub(
833 exec, kindFor(slot), ident, customFor(slot), stubInfo, prototypeChain, count, offset,
834 structure, loadTargetFromProxy, slot.watchpointSet(),
835 stubInfo.callReturnLocation.labelAtOffset(stubInfo.patch.deltaCallToDone),
836 CodeLocationLabel(list->currentSlowPathTarget(stubInfo)), stubRoutine);
837
838 GetByIdAccess::AccessType accessType;
839 if (slot.isCacheableValue())
840 accessType = slot.watchpointSet() ? GetByIdAccess::WatchedStub : GetByIdAccess::SimpleStub;
841 else if (slot.isCacheableGetter())
842 accessType = GetByIdAccess::Getter;
843 else
844 accessType = GetByIdAccess::CustomGetter;
845
846 list->addAccess(GetByIdAccess(
847 *vm, codeBlock->ownerExecutable(), accessType, stubRoutine, structure,
848 prototypeChain, count));
849
850 patchJumpToGetByIdStub(codeBlock, stubInfo, stubRoutine.get());
851
852 return list->isFull() ? GiveUpOnCache : RetryCacheLater;
853 }
854
855 void buildGetByIDList(ExecState* exec, JSValue baseValue, const Identifier& propertyName, const PropertySlot& slot, StructureStubInfo& stubInfo)
856 {
857 GCSafeConcurrentJITLocker locker(exec->codeBlock()->m_lock, exec->vm().heap);
858
859 if (tryBuildGetByIDList(exec, baseValue, propertyName, slot, stubInfo) == GiveUpOnCache)
860 repatchCall(exec->codeBlock(), stubInfo.callReturnLocation, operationGetById);
861 }
862
863 static V_JITOperation_ESsiJJI appropriateGenericPutByIdFunction(const PutPropertySlot &slot, PutKind putKind)
864 {
865 if (slot.isStrictMode()) {
866 if (putKind == Direct)
867 return operationPutByIdDirectStrict;
868 return operationPutByIdStrict;
869 }
870 if (putKind == Direct)
871 return operationPutByIdDirectNonStrict;
872 return operationPutByIdNonStrict;
873 }
874
875 static V_JITOperation_ESsiJJI appropriateListBuildingPutByIdFunction(const PutPropertySlot &slot, PutKind putKind)
876 {
877 if (slot.isStrictMode()) {
878 if (putKind == Direct)
879 return operationPutByIdDirectStrictBuildList;
880 return operationPutByIdStrictBuildList;
881 }
882 if (putKind == Direct)
883 return operationPutByIdDirectNonStrictBuildList;
884 return operationPutByIdNonStrictBuildList;
885 }
886
887 static void emitPutReplaceStub(
888 ExecState* exec,
889 JSValue,
890 const Identifier&,
891 const PutPropertySlot& slot,
892 StructureStubInfo& stubInfo,
893 PutKind,
894 Structure* structure,
895 CodeLocationLabel failureLabel,
896 RefPtr<JITStubRoutine>& stubRoutine)
897 {
898 VM* vm = &exec->vm();
899 GPRReg baseGPR = static_cast<GPRReg>(stubInfo.patch.baseGPR);
900 #if USE(JSVALUE32_64)
901 GPRReg valueTagGPR = static_cast<GPRReg>(stubInfo.patch.valueTagGPR);
902 #endif
903 GPRReg valueGPR = static_cast<GPRReg>(stubInfo.patch.valueGPR);
904
905 ScratchRegisterAllocator allocator(stubInfo.patch.usedRegisters);
906 allocator.lock(baseGPR);
907 #if USE(JSVALUE32_64)
908 allocator.lock(valueTagGPR);
909 #endif
910 allocator.lock(valueGPR);
911
912 GPRReg scratchGPR1 = allocator.allocateScratchGPR();
913
914 CCallHelpers stubJit(vm, exec->codeBlock());
915
916 allocator.preserveReusedRegistersByPushing(stubJit);
917
918 MacroAssembler::Jump badStructure = branchStructure(stubJit,
919 MacroAssembler::NotEqual,
920 MacroAssembler::Address(baseGPR, JSCell::structureIDOffset()),
921 structure);
922
923 #if USE(JSVALUE64)
924 if (isInlineOffset(slot.cachedOffset()))
925 stubJit.store64(valueGPR, MacroAssembler::Address(baseGPR, JSObject::offsetOfInlineStorage() + offsetInInlineStorage(slot.cachedOffset()) * sizeof(JSValue)));
926 else {
927 stubJit.loadPtr(MacroAssembler::Address(baseGPR, JSObject::butterflyOffset()), scratchGPR1);
928 stubJit.store64(valueGPR, MacroAssembler::Address(scratchGPR1, offsetInButterfly(slot.cachedOffset()) * sizeof(JSValue)));
929 }
930 #elif USE(JSVALUE32_64)
931 if (isInlineOffset(slot.cachedOffset())) {
932 stubJit.store32(valueGPR, MacroAssembler::Address(baseGPR, JSObject::offsetOfInlineStorage() + offsetInInlineStorage(slot.cachedOffset()) * sizeof(JSValue) + OBJECT_OFFSETOF(EncodedValueDescriptor, asBits.payload)));
933 stubJit.store32(valueTagGPR, MacroAssembler::Address(baseGPR, JSObject::offsetOfInlineStorage() + offsetInInlineStorage(slot.cachedOffset()) * sizeof(JSValue) + OBJECT_OFFSETOF(EncodedValueDescriptor, asBits.tag)));
934 } else {
935 stubJit.loadPtr(MacroAssembler::Address(baseGPR, JSObject::butterflyOffset()), scratchGPR1);
936 stubJit.store32(valueGPR, MacroAssembler::Address(scratchGPR1, offsetInButterfly(slot.cachedOffset()) * sizeof(JSValue) + OBJECT_OFFSETOF(EncodedValueDescriptor, asBits.payload)));
937 stubJit.store32(valueTagGPR, MacroAssembler::Address(scratchGPR1, offsetInButterfly(slot.cachedOffset()) * sizeof(JSValue) + OBJECT_OFFSETOF(EncodedValueDescriptor, asBits.tag)));
938 }
939 #endif
940
941 MacroAssembler::Jump success;
942 MacroAssembler::Jump failure;
943
944 if (allocator.didReuseRegisters()) {
945 allocator.restoreReusedRegistersByPopping(stubJit);
946 success = stubJit.jump();
947
948 badStructure.link(&stubJit);
949 allocator.restoreReusedRegistersByPopping(stubJit);
950 failure = stubJit.jump();
951 } else {
952 success = stubJit.jump();
953 failure = badStructure;
954 }
955
956 LinkBuffer patchBuffer(*vm, stubJit, exec->codeBlock());
957 patchBuffer.link(success, stubInfo.callReturnLocation.labelAtOffset(stubInfo.patch.deltaCallToDone));
958 patchBuffer.link(failure, failureLabel);
959
960 stubRoutine = FINALIZE_CODE_FOR_STUB(
961 exec->codeBlock(), patchBuffer,
962 ("PutById replace stub for %s, return point %p",
963 toCString(*exec->codeBlock()).data(), stubInfo.callReturnLocation.labelAtOffset(
964 stubInfo.patch.deltaCallToDone).executableAddress()));
965 }
966
967 static void emitPutTransitionStub(
968 ExecState* exec,
969 JSValue,
970 const Identifier&,
971 const PutPropertySlot& slot,
972 StructureStubInfo& stubInfo,
973 PutKind putKind,
974 Structure* structure,
975 Structure* oldStructure,
976 StructureChain* prototypeChain,
977 CodeLocationLabel failureLabel,
978 RefPtr<JITStubRoutine>& stubRoutine)
979 {
980 VM* vm = &exec->vm();
981
982 GPRReg baseGPR = static_cast<GPRReg>(stubInfo.patch.baseGPR);
983 #if USE(JSVALUE32_64)
984 GPRReg valueTagGPR = static_cast<GPRReg>(stubInfo.patch.valueTagGPR);
985 #endif
986 GPRReg valueGPR = static_cast<GPRReg>(stubInfo.patch.valueGPR);
987
988 ScratchRegisterAllocator allocator(stubInfo.patch.usedRegisters);
989 allocator.lock(baseGPR);
990 #if USE(JSVALUE32_64)
991 allocator.lock(valueTagGPR);
992 #endif
993 allocator.lock(valueGPR);
994
995 CCallHelpers stubJit(vm);
996
997 bool needThirdScratch = false;
998 if (structure->outOfLineCapacity() != oldStructure->outOfLineCapacity()
999 && oldStructure->outOfLineCapacity()) {
1000 needThirdScratch = true;
1001 }
1002
1003 GPRReg scratchGPR1 = allocator.allocateScratchGPR();
1004 ASSERT(scratchGPR1 != baseGPR);
1005 ASSERT(scratchGPR1 != valueGPR);
1006
1007 GPRReg scratchGPR2 = allocator.allocateScratchGPR();
1008 ASSERT(scratchGPR2 != baseGPR);
1009 ASSERT(scratchGPR2 != valueGPR);
1010 ASSERT(scratchGPR2 != scratchGPR1);
1011
1012 GPRReg scratchGPR3;
1013 if (needThirdScratch) {
1014 scratchGPR3 = allocator.allocateScratchGPR();
1015 ASSERT(scratchGPR3 != baseGPR);
1016 ASSERT(scratchGPR3 != valueGPR);
1017 ASSERT(scratchGPR3 != scratchGPR1);
1018 ASSERT(scratchGPR3 != scratchGPR2);
1019 } else
1020 scratchGPR3 = InvalidGPRReg;
1021
1022 allocator.preserveReusedRegistersByPushing(stubJit);
1023
1024 MacroAssembler::JumpList failureCases;
1025
1026 ASSERT(oldStructure->transitionWatchpointSetHasBeenInvalidated());
1027
1028 failureCases.append(branchStructure(stubJit,
1029 MacroAssembler::NotEqual,
1030 MacroAssembler::Address(baseGPR, JSCell::structureIDOffset()),
1031 oldStructure));
1032
1033 addStructureTransitionCheck(
1034 oldStructure->storedPrototype(), exec->codeBlock(), stubInfo, stubJit, failureCases,
1035 scratchGPR1);
1036
1037 if (putKind == NotDirect) {
1038 for (WriteBarrier<Structure>* it = prototypeChain->head(); *it; ++it) {
1039 addStructureTransitionCheck(
1040 (*it)->storedPrototype(), exec->codeBlock(), stubInfo, stubJit, failureCases,
1041 scratchGPR1);
1042 }
1043 }
1044
1045 MacroAssembler::JumpList slowPath;
1046
1047 bool scratchGPR1HasStorage = false;
1048
1049 if (structure->outOfLineCapacity() != oldStructure->outOfLineCapacity()) {
1050 size_t newSize = structure->outOfLineCapacity() * sizeof(JSValue);
1051 CopiedAllocator* copiedAllocator = &vm->heap.storageAllocator();
1052
1053 if (!oldStructure->outOfLineCapacity()) {
1054 stubJit.loadPtr(&copiedAllocator->m_currentRemaining, scratchGPR1);
1055 slowPath.append(stubJit.branchSubPtr(MacroAssembler::Signed, MacroAssembler::TrustedImm32(newSize), scratchGPR1));
1056 stubJit.storePtr(scratchGPR1, &copiedAllocator->m_currentRemaining);
1057 stubJit.negPtr(scratchGPR1);
1058 stubJit.addPtr(MacroAssembler::AbsoluteAddress(&copiedAllocator->m_currentPayloadEnd), scratchGPR1);
1059 stubJit.addPtr(MacroAssembler::TrustedImm32(sizeof(JSValue)), scratchGPR1);
1060 } else {
1061 size_t oldSize = oldStructure->outOfLineCapacity() * sizeof(JSValue);
1062 ASSERT(newSize > oldSize);
1063
1064 stubJit.loadPtr(MacroAssembler::Address(baseGPR, JSObject::butterflyOffset()), scratchGPR3);
1065 stubJit.loadPtr(&copiedAllocator->m_currentRemaining, scratchGPR1);
1066 slowPath.append(stubJit.branchSubPtr(MacroAssembler::Signed, MacroAssembler::TrustedImm32(newSize), scratchGPR1));
1067 stubJit.storePtr(scratchGPR1, &copiedAllocator->m_currentRemaining);
1068 stubJit.negPtr(scratchGPR1);
1069 stubJit.addPtr(MacroAssembler::AbsoluteAddress(&copiedAllocator->m_currentPayloadEnd), scratchGPR1);
1070 stubJit.addPtr(MacroAssembler::TrustedImm32(sizeof(JSValue)), scratchGPR1);
1071 // We have scratchGPR1 = new storage, scratchGPR3 = old storage, scratchGPR2 = available
1072 for (size_t offset = 0; offset < oldSize; offset += sizeof(void*)) {
1073 stubJit.loadPtr(MacroAssembler::Address(scratchGPR3, -static_cast<ptrdiff_t>(offset + sizeof(JSValue) + sizeof(void*))), scratchGPR2);
1074 stubJit.storePtr(scratchGPR2, MacroAssembler::Address(scratchGPR1, -static_cast<ptrdiff_t>(offset + sizeof(JSValue) + sizeof(void*))));
1075 }
1076 }
1077
1078 stubJit.storePtr(scratchGPR1, MacroAssembler::Address(baseGPR, JSObject::butterflyOffset()));
1079 scratchGPR1HasStorage = true;
1080 }
1081
1082 ASSERT(oldStructure->typeInfo().type() == structure->typeInfo().type());
1083 ASSERT(oldStructure->typeInfo().inlineTypeFlags() == structure->typeInfo().inlineTypeFlags());
1084 ASSERT(oldStructure->indexingType() == structure->indexingType());
1085 #if USE(JSVALUE64)
1086 uint32_t val = structure->id();
1087 #else
1088 uint32_t val = reinterpret_cast<uint32_t>(structure->id());
1089 #endif
1090 stubJit.store32(MacroAssembler::TrustedImm32(val), MacroAssembler::Address(baseGPR, JSCell::structureIDOffset()));
1091 #if USE(JSVALUE64)
1092 if (isInlineOffset(slot.cachedOffset()))
1093 stubJit.store64(valueGPR, MacroAssembler::Address(baseGPR, JSObject::offsetOfInlineStorage() + offsetInInlineStorage(slot.cachedOffset()) * sizeof(JSValue)));
1094 else {
1095 if (!scratchGPR1HasStorage)
1096 stubJit.loadPtr(MacroAssembler::Address(baseGPR, JSObject::butterflyOffset()), scratchGPR1);
1097 stubJit.store64(valueGPR, MacroAssembler::Address(scratchGPR1, offsetInButterfly(slot.cachedOffset()) * sizeof(JSValue)));
1098 }
1099 #elif USE(JSVALUE32_64)
1100 if (isInlineOffset(slot.cachedOffset())) {
1101 stubJit.store32(valueGPR, MacroAssembler::Address(baseGPR, JSObject::offsetOfInlineStorage() + offsetInInlineStorage(slot.cachedOffset()) * sizeof(JSValue) + OBJECT_OFFSETOF(EncodedValueDescriptor, asBits.payload)));
1102 stubJit.store32(valueTagGPR, MacroAssembler::Address(baseGPR, JSObject::offsetOfInlineStorage() + offsetInInlineStorage(slot.cachedOffset()) * sizeof(JSValue) + OBJECT_OFFSETOF(EncodedValueDescriptor, asBits.tag)));
1103 } else {
1104 if (!scratchGPR1HasStorage)
1105 stubJit.loadPtr(MacroAssembler::Address(baseGPR, JSObject::butterflyOffset()), scratchGPR1);
1106 stubJit.store32(valueGPR, MacroAssembler::Address(scratchGPR1, offsetInButterfly(slot.cachedOffset()) * sizeof(JSValue) + OBJECT_OFFSETOF(EncodedValueDescriptor, asBits.payload)));
1107 stubJit.store32(valueTagGPR, MacroAssembler::Address(scratchGPR1, offsetInButterfly(slot.cachedOffset()) * sizeof(JSValue) + OBJECT_OFFSETOF(EncodedValueDescriptor, asBits.tag)));
1108 }
1109 #endif
1110
1111 MacroAssembler::Jump success;
1112 MacroAssembler::Jump failure;
1113
1114 if (allocator.didReuseRegisters()) {
1115 allocator.restoreReusedRegistersByPopping(stubJit);
1116 success = stubJit.jump();
1117
1118 failureCases.link(&stubJit);
1119 allocator.restoreReusedRegistersByPopping(stubJit);
1120 failure = stubJit.jump();
1121 } else
1122 success = stubJit.jump();
1123
1124 MacroAssembler::Call operationCall;
1125 MacroAssembler::Jump successInSlowPath;
1126
1127 if (structure->outOfLineCapacity() != oldStructure->outOfLineCapacity()) {
1128 slowPath.link(&stubJit);
1129
1130 allocator.restoreReusedRegistersByPopping(stubJit);
1131 ScratchBuffer* scratchBuffer = vm->scratchBufferForSize(allocator.desiredScratchBufferSizeForCall());
1132 allocator.preserveUsedRegistersToScratchBufferForCall(stubJit, scratchBuffer, scratchGPR1);
1133 #if USE(JSVALUE64)
1134 stubJit.setupArgumentsWithExecState(baseGPR, MacroAssembler::TrustedImmPtr(structure), MacroAssembler::TrustedImm32(slot.cachedOffset()), valueGPR);
1135 #else
1136 stubJit.setupArgumentsWithExecState(baseGPR, MacroAssembler::TrustedImmPtr(structure), MacroAssembler::TrustedImm32(slot.cachedOffset()), valueGPR, valueTagGPR);
1137 #endif
1138 operationCall = stubJit.call();
1139 allocator.restoreUsedRegistersFromScratchBufferForCall(stubJit, scratchBuffer, scratchGPR1);
1140 successInSlowPath = stubJit.jump();
1141 }
1142
1143 LinkBuffer patchBuffer(*vm, stubJit, exec->codeBlock());
1144 patchBuffer.link(success, stubInfo.callReturnLocation.labelAtOffset(stubInfo.patch.deltaCallToDone));
1145 if (allocator.didReuseRegisters())
1146 patchBuffer.link(failure, failureLabel);
1147 else
1148 patchBuffer.link(failureCases, failureLabel);
1149 if (structure->outOfLineCapacity() != oldStructure->outOfLineCapacity()) {
1150 patchBuffer.link(operationCall, operationReallocateStorageAndFinishPut);
1151 patchBuffer.link(successInSlowPath, stubInfo.callReturnLocation.labelAtOffset(stubInfo.patch.deltaCallToDone));
1152 }
1153
1154 stubRoutine =
1155 createJITStubRoutine(
1156 FINALIZE_CODE_FOR(
1157 exec->codeBlock(), patchBuffer,
1158 ("PutById %stransition stub (%p -> %p) for %s, return point %p",
1159 structure->outOfLineCapacity() != oldStructure->outOfLineCapacity() ? "reallocating " : "",
1160 oldStructure, structure,
1161 toCString(*exec->codeBlock()).data(), stubInfo.callReturnLocation.labelAtOffset(
1162 stubInfo.patch.deltaCallToDone).executableAddress())),
1163 *vm,
1164 exec->codeBlock()->ownerExecutable(),
1165 structure->outOfLineCapacity() != oldStructure->outOfLineCapacity(),
1166 structure);
1167 }
1168
1169 static InlineCacheAction tryCachePutByID(ExecState* exec, JSValue baseValue, const Identifier& ident, const PutPropertySlot& slot, StructureStubInfo& stubInfo, PutKind putKind)
1170 {
1171 if (Options::forceICFailure())
1172 return GiveUpOnCache;
1173
1174 CodeBlock* codeBlock = exec->codeBlock();
1175 VM* vm = &exec->vm();
1176
1177 if (!baseValue.isCell())
1178 return GiveUpOnCache;
1179 JSCell* baseCell = baseValue.asCell();
1180 Structure* structure = baseCell->structure();
1181 Structure* oldStructure = structure->previousID();
1182
1183 if (!slot.isCacheablePut() && !slot.isCacheableCustom() && !slot.isCacheableSetter())
1184 return GiveUpOnCache;
1185 if (!structure->propertyAccessesAreCacheable())
1186 return GiveUpOnCache;
1187
1188 // Optimize self access.
1189 if (slot.base() == baseValue && slot.isCacheablePut()) {
1190 if (slot.type() == PutPropertySlot::NewProperty) {
1191 if (structure->isDictionary())
1192 return GiveUpOnCache;
1193
1194 // Skip optimizing the case where we need a realloc, if we don't have
1195 // enough registers to make it happen.
1196 if (GPRInfo::numberOfRegisters < 6
1197 && oldStructure->outOfLineCapacity() != structure->outOfLineCapacity()
1198 && oldStructure->outOfLineCapacity())
1199 return GiveUpOnCache;
1200
1201 // Skip optimizing the case where we need realloc, and the structure has
1202 // indexing storage.
1203 // FIXME: We shouldn't skip this! Implement it!
1204 // https://bugs.webkit.org/show_bug.cgi?id=130914
1205 if (oldStructure->couldHaveIndexingHeader())
1206 return GiveUpOnCache;
1207
1208 if (normalizePrototypeChain(exec, baseCell) == InvalidPrototypeChain)
1209 return GiveUpOnCache;
1210
1211 StructureChain* prototypeChain = structure->prototypeChain(exec);
1212
1213 emitPutTransitionStub(
1214 exec, baseValue, ident, slot, stubInfo, putKind,
1215 structure, oldStructure, prototypeChain,
1216 stubInfo.callReturnLocation.labelAtOffset(stubInfo.patch.deltaCallToSlowCase),
1217 stubInfo.stubRoutine);
1218
1219 RepatchBuffer repatchBuffer(codeBlock);
1220 repatchBuffer.relink(
1221 stubInfo.callReturnLocation.jumpAtOffset(
1222 stubInfo.patch.deltaCallToJump),
1223 CodeLocationLabel(stubInfo.stubRoutine->code().code()));
1224 repatchCall(repatchBuffer, stubInfo.callReturnLocation, appropriateListBuildingPutByIdFunction(slot, putKind));
1225
1226 stubInfo.initPutByIdTransition(*vm, codeBlock->ownerExecutable(), oldStructure, structure, prototypeChain, putKind == Direct);
1227
1228 return RetryCacheLater;
1229 }
1230
1231 if (!MacroAssembler::isPtrAlignedAddressOffset(offsetRelativeToPatchedStorage(slot.cachedOffset())))
1232 return GiveUpOnCache;
1233
1234 repatchByIdSelfAccess(*vm, codeBlock, stubInfo, structure, ident, slot.cachedOffset(), appropriateListBuildingPutByIdFunction(slot, putKind), false);
1235 stubInfo.initPutByIdReplace(*vm, codeBlock->ownerExecutable(), structure);
1236 return RetryCacheLater;
1237 }
1238 if ((slot.isCacheableCustom() || slot.isCacheableSetter())
1239 && stubInfo.patch.spillMode == DontSpill) {
1240 RefPtr<JITStubRoutine> stubRoutine;
1241
1242 StructureChain* prototypeChain = 0;
1243 PropertyOffset offset = slot.cachedOffset();
1244 size_t count = 0;
1245 if (baseValue != slot.base()) {
1246 count = normalizePrototypeChainForChainAccess(exec, baseCell, slot.base(), ident, offset);
1247 if (count == InvalidPrototypeChain)
1248 return GiveUpOnCache;
1249
1250 prototypeChain = structure->prototypeChain(exec);
1251 }
1252 PolymorphicPutByIdList* list;
1253 list = PolymorphicPutByIdList::from(putKind, stubInfo);
1254
1255 generateByIdStub(
1256 exec, kindFor(slot), ident, customFor(slot), stubInfo, prototypeChain, count,
1257 offset, structure, false, nullptr,
1258 stubInfo.callReturnLocation.labelAtOffset(stubInfo.patch.deltaCallToDone),
1259 stubInfo.callReturnLocation.labelAtOffset(stubInfo.patch.deltaCallToSlowCase),
1260 stubRoutine);
1261
1262 list->addAccess(PutByIdAccess::setter(
1263 *vm, codeBlock->ownerExecutable(),
1264 slot.isCacheableSetter() ? PutByIdAccess::Setter : PutByIdAccess::CustomSetter,
1265 structure, prototypeChain, slot.customSetter(), stubRoutine));
1266
1267 RepatchBuffer repatchBuffer(codeBlock);
1268 repatchBuffer.relink(stubInfo.callReturnLocation.jumpAtOffset(stubInfo.patch.deltaCallToJump), CodeLocationLabel(stubRoutine->code().code()));
1269 repatchCall(repatchBuffer, stubInfo.callReturnLocation, appropriateListBuildingPutByIdFunction(slot, putKind));
1270 RELEASE_ASSERT(!list->isFull());
1271 return RetryCacheLater;
1272 }
1273
1274 return GiveUpOnCache;
1275 }
1276
1277 void repatchPutByID(ExecState* exec, JSValue baseValue, const Identifier& propertyName, const PutPropertySlot& slot, StructureStubInfo& stubInfo, PutKind putKind)
1278 {
1279 GCSafeConcurrentJITLocker locker(exec->codeBlock()->m_lock, exec->vm().heap);
1280
1281 if (tryCachePutByID(exec, baseValue, propertyName, slot, stubInfo, putKind) == GiveUpOnCache)
1282 repatchCall(exec->codeBlock(), stubInfo.callReturnLocation, appropriateGenericPutByIdFunction(slot, putKind));
1283 }
1284
1285 static InlineCacheAction tryBuildPutByIdList(ExecState* exec, JSValue baseValue, const Identifier& propertyName, const PutPropertySlot& slot, StructureStubInfo& stubInfo, PutKind putKind)
1286 {
1287 CodeBlock* codeBlock = exec->codeBlock();
1288 VM* vm = &exec->vm();
1289
1290 if (!baseValue.isCell())
1291 return GiveUpOnCache;
1292 JSCell* baseCell = baseValue.asCell();
1293 Structure* structure = baseCell->structure();
1294 Structure* oldStructure = structure->previousID();
1295
1296
1297 if (!slot.isCacheablePut() && !slot.isCacheableCustom() && !slot.isCacheableSetter())
1298 return GiveUpOnCache;
1299
1300 if (!structure->propertyAccessesAreCacheable())
1301 return GiveUpOnCache;
1302
1303 // Optimize self access.
1304 if (slot.base() == baseValue && slot.isCacheablePut()) {
1305 PolymorphicPutByIdList* list;
1306 RefPtr<JITStubRoutine> stubRoutine;
1307
1308 if (slot.type() == PutPropertySlot::NewProperty) {
1309 if (structure->isDictionary())
1310 return GiveUpOnCache;
1311
1312 // Skip optimizing the case where we need a realloc, if we don't have
1313 // enough registers to make it happen.
1314 if (GPRInfo::numberOfRegisters < 6
1315 && oldStructure->outOfLineCapacity() != structure->outOfLineCapacity()
1316 && oldStructure->outOfLineCapacity())
1317 return GiveUpOnCache;
1318
1319 // Skip optimizing the case where we need realloc, and the structure has
1320 // indexing storage.
1321 if (oldStructure->couldHaveIndexingHeader())
1322 return GiveUpOnCache;
1323
1324 if (normalizePrototypeChain(exec, baseCell) == InvalidPrototypeChain)
1325 return GiveUpOnCache;
1326
1327 StructureChain* prototypeChain = structure->prototypeChain(exec);
1328
1329 list = PolymorphicPutByIdList::from(putKind, stubInfo);
1330 if (list->isFull())
1331 return GiveUpOnCache; // Will get here due to recursion.
1332
1333 // We're now committed to creating the stub. Mogrify the meta-data accordingly.
1334 emitPutTransitionStub(
1335 exec, baseValue, propertyName, slot, stubInfo, putKind,
1336 structure, oldStructure, prototypeChain,
1337 CodeLocationLabel(list->currentSlowPathTarget()),
1338 stubRoutine);
1339
1340 list->addAccess(
1341 PutByIdAccess::transition(
1342 *vm, codeBlock->ownerExecutable(),
1343 oldStructure, structure, prototypeChain,
1344 stubRoutine));
1345 } else {
1346 list = PolymorphicPutByIdList::from(putKind, stubInfo);
1347 if (list->isFull())
1348 return GiveUpOnCache; // Will get here due to recursion.
1349
1350 // We're now committed to creating the stub. Mogrify the meta-data accordingly.
1351 emitPutReplaceStub(
1352 exec, baseValue, propertyName, slot, stubInfo, putKind,
1353 structure, CodeLocationLabel(list->currentSlowPathTarget()), stubRoutine);
1354
1355 list->addAccess(
1356 PutByIdAccess::replace(
1357 *vm, codeBlock->ownerExecutable(),
1358 structure, stubRoutine));
1359 }
1360
1361 RepatchBuffer repatchBuffer(codeBlock);
1362 repatchBuffer.relink(stubInfo.callReturnLocation.jumpAtOffset(stubInfo.patch.deltaCallToJump), CodeLocationLabel(stubRoutine->code().code()));
1363
1364 if (list->isFull())
1365 repatchCall(repatchBuffer, stubInfo.callReturnLocation, appropriateGenericPutByIdFunction(slot, putKind));
1366
1367 return RetryCacheLater;
1368 }
1369
1370 if ((slot.isCacheableCustom() || slot.isCacheableSetter())
1371 && stubInfo.patch.spillMode == DontSpill) {
1372 RefPtr<JITStubRoutine> stubRoutine;
1373 StructureChain* prototypeChain = 0;
1374 PropertyOffset offset = slot.cachedOffset();
1375 size_t count = 0;
1376 if (baseValue != slot.base()) {
1377 count = normalizePrototypeChainForChainAccess(exec, baseCell, slot.base(), propertyName, offset);
1378 if (count == InvalidPrototypeChain)
1379 return GiveUpOnCache;
1380
1381 prototypeChain = structure->prototypeChain(exec);
1382 }
1383 PolymorphicPutByIdList* list;
1384 list = PolymorphicPutByIdList::from(putKind, stubInfo);
1385
1386 generateByIdStub(
1387 exec, kindFor(slot), propertyName, customFor(slot), stubInfo, prototypeChain, count,
1388 offset, structure, false, nullptr,
1389 stubInfo.callReturnLocation.labelAtOffset(stubInfo.patch.deltaCallToDone),
1390 CodeLocationLabel(list->currentSlowPathTarget()),
1391 stubRoutine);
1392
1393 list->addAccess(PutByIdAccess::setter(
1394 *vm, codeBlock->ownerExecutable(),
1395 slot.isCacheableSetter() ? PutByIdAccess::Setter : PutByIdAccess::CustomSetter,
1396 structure, prototypeChain, slot.customSetter(), stubRoutine));
1397
1398 RepatchBuffer repatchBuffer(codeBlock);
1399 repatchBuffer.relink(stubInfo.callReturnLocation.jumpAtOffset(stubInfo.patch.deltaCallToJump), CodeLocationLabel(stubRoutine->code().code()));
1400 if (list->isFull())
1401 repatchCall(repatchBuffer, stubInfo.callReturnLocation, appropriateGenericPutByIdFunction(slot, putKind));
1402
1403 return RetryCacheLater;
1404 }
1405 return GiveUpOnCache;
1406 }
1407
1408 void buildPutByIdList(ExecState* exec, JSValue baseValue, const Identifier& propertyName, const PutPropertySlot& slot, StructureStubInfo& stubInfo, PutKind putKind)
1409 {
1410 GCSafeConcurrentJITLocker locker(exec->codeBlock()->m_lock, exec->vm().heap);
1411
1412 if (tryBuildPutByIdList(exec, baseValue, propertyName, slot, stubInfo, putKind) == GiveUpOnCache)
1413 repatchCall(exec->codeBlock(), stubInfo.callReturnLocation, appropriateGenericPutByIdFunction(slot, putKind));
1414 }
1415
1416 static InlineCacheAction tryRepatchIn(
1417 ExecState* exec, JSCell* base, const Identifier& ident, bool wasFound,
1418 const PropertySlot& slot, StructureStubInfo& stubInfo)
1419 {
1420 if (Options::forceICFailure())
1421 return GiveUpOnCache;
1422
1423 if (!base->structure()->propertyAccessesAreCacheable())
1424 return GiveUpOnCache;
1425
1426 if (wasFound) {
1427 if (!slot.isCacheable())
1428 return GiveUpOnCache;
1429 }
1430
1431 CodeBlock* codeBlock = exec->codeBlock();
1432 VM* vm = &exec->vm();
1433 Structure* structure = base->structure();
1434
1435 PropertyOffset offsetIgnored;
1436 size_t count = normalizePrototypeChainForChainAccess(exec, base, wasFound ? slot.slotBase() : JSValue(), ident, offsetIgnored);
1437 if (count == InvalidPrototypeChain)
1438 return GiveUpOnCache;
1439
1440 PolymorphicAccessStructureList* polymorphicStructureList;
1441 int listIndex;
1442
1443 CodeLocationLabel successLabel = stubInfo.callReturnLocation.labelAtOffset(stubInfo.patch.deltaCallToDone);
1444 CodeLocationLabel slowCaseLabel;
1445
1446 if (stubInfo.accessType == access_unset) {
1447 polymorphicStructureList = new PolymorphicAccessStructureList();
1448 stubInfo.initInList(polymorphicStructureList, 0);
1449 slowCaseLabel = stubInfo.callReturnLocation.labelAtOffset(
1450 stubInfo.patch.deltaCallToSlowCase);
1451 listIndex = 0;
1452 } else {
1453 RELEASE_ASSERT(stubInfo.accessType == access_in_list);
1454 polymorphicStructureList = stubInfo.u.inList.structureList;
1455 listIndex = stubInfo.u.inList.listSize;
1456 slowCaseLabel = CodeLocationLabel(polymorphicStructureList->list[listIndex - 1].stubRoutine->code().code());
1457
1458 if (listIndex == POLYMORPHIC_LIST_CACHE_SIZE)
1459 return GiveUpOnCache;
1460 }
1461
1462 StructureChain* chain = structure->prototypeChain(exec);
1463 RefPtr<JITStubRoutine> stubRoutine;
1464
1465 {
1466 GPRReg baseGPR = static_cast<GPRReg>(stubInfo.patch.baseGPR);
1467 GPRReg resultGPR = static_cast<GPRReg>(stubInfo.patch.valueGPR);
1468 GPRReg scratchGPR = TempRegisterSet(stubInfo.patch.usedRegisters).getFreeGPR();
1469
1470 CCallHelpers stubJit(vm);
1471
1472 bool needToRestoreScratch;
1473 if (scratchGPR == InvalidGPRReg) {
1474 scratchGPR = AssemblyHelpers::selectScratchGPR(baseGPR, resultGPR);
1475 stubJit.pushToSave(scratchGPR);
1476 needToRestoreScratch = true;
1477 } else
1478 needToRestoreScratch = false;
1479
1480 MacroAssembler::JumpList failureCases;
1481 failureCases.append(branchStructure(stubJit,
1482 MacroAssembler::NotEqual,
1483 MacroAssembler::Address(baseGPR, JSCell::structureIDOffset()),
1484 structure));
1485
1486 CodeBlock* codeBlock = exec->codeBlock();
1487 if (structure->typeInfo().newImpurePropertyFiresWatchpoints())
1488 vm->registerWatchpointForImpureProperty(ident, stubInfo.addWatchpoint(codeBlock));
1489
1490 if (slot.watchpointSet())
1491 slot.watchpointSet()->add(stubInfo.addWatchpoint(codeBlock));
1492
1493 Structure* currStructure = structure;
1494 WriteBarrier<Structure>* it = chain->head();
1495 for (unsigned i = 0; i < count; ++i, ++it) {
1496 JSObject* prototype = asObject(currStructure->prototypeForLookup(exec));
1497 Structure* protoStructure = prototype->structure();
1498 addStructureTransitionCheck(
1499 prototype, protoStructure, exec->codeBlock(), stubInfo, stubJit,
1500 failureCases, scratchGPR);
1501 if (protoStructure->typeInfo().newImpurePropertyFiresWatchpoints())
1502 vm->registerWatchpointForImpureProperty(ident, stubInfo.addWatchpoint(codeBlock));
1503 currStructure = it->get();
1504 }
1505
1506 #if USE(JSVALUE64)
1507 stubJit.move(MacroAssembler::TrustedImm64(JSValue::encode(jsBoolean(wasFound))), resultGPR);
1508 #else
1509 stubJit.move(MacroAssembler::TrustedImm32(wasFound), resultGPR);
1510 #endif
1511
1512 MacroAssembler::Jump success, fail;
1513
1514 emitRestoreScratch(stubJit, needToRestoreScratch, scratchGPR, success, fail, failureCases);
1515
1516 LinkBuffer patchBuffer(*vm, stubJit, exec->codeBlock());
1517
1518 linkRestoreScratch(patchBuffer, needToRestoreScratch, success, fail, failureCases, successLabel, slowCaseLabel);
1519
1520 stubRoutine = FINALIZE_CODE_FOR_STUB(
1521 exec->codeBlock(), patchBuffer,
1522 ("In (found = %s) stub for %s, return point %p",
1523 wasFound ? "yes" : "no", toCString(*exec->codeBlock()).data(),
1524 successLabel.executableAddress()));
1525 }
1526
1527 polymorphicStructureList->list[listIndex].set(*vm, codeBlock->ownerExecutable(), stubRoutine, structure, true);
1528 stubInfo.u.inList.listSize++;
1529
1530 RepatchBuffer repatchBuffer(codeBlock);
1531 repatchBuffer.relink(stubInfo.callReturnLocation.jumpAtOffset(stubInfo.patch.deltaCallToJump), CodeLocationLabel(stubRoutine->code().code()));
1532
1533 return listIndex < (POLYMORPHIC_LIST_CACHE_SIZE - 1) ? RetryCacheLater : GiveUpOnCache;
1534 }
1535
1536 void repatchIn(
1537 ExecState* exec, JSCell* base, const Identifier& ident, bool wasFound,
1538 const PropertySlot& slot, StructureStubInfo& stubInfo)
1539 {
1540 if (tryRepatchIn(exec, base, ident, wasFound, slot, stubInfo) == GiveUpOnCache)
1541 repatchCall(exec->codeBlock(), stubInfo.callReturnLocation, operationIn);
1542 }
1543
1544 static void linkSlowFor(
1545 RepatchBuffer& repatchBuffer, VM* vm, CallLinkInfo& callLinkInfo,
1546 CodeSpecializationKind kind, RegisterPreservationMode registers)
1547 {
1548 repatchBuffer.relink(
1549 callLinkInfo.callReturnLocation,
1550 vm->getCTIStub(virtualThunkGeneratorFor(kind, registers)).code());
1551 }
1552
1553 void linkFor(
1554 ExecState* exec, CallLinkInfo& callLinkInfo, CodeBlock* calleeCodeBlock,
1555 JSFunction* callee, MacroAssemblerCodePtr codePtr, CodeSpecializationKind kind,
1556 RegisterPreservationMode registers)
1557 {
1558 ASSERT(!callLinkInfo.stub);
1559
1560 CodeBlock* callerCodeBlock = exec->callerFrame()->codeBlock();
1561
1562 // If you're being call-linked from a DFG caller then you obviously didn't get inlined.
1563 if (calleeCodeBlock && JITCode::isOptimizingJIT(callerCodeBlock->jitType()))
1564 calleeCodeBlock->m_shouldAlwaysBeInlined = false;
1565
1566 VM* vm = callerCodeBlock->vm();
1567
1568 RepatchBuffer repatchBuffer(callerCodeBlock);
1569
1570 ASSERT(!callLinkInfo.isLinked());
1571 callLinkInfo.callee.set(exec->callerFrame()->vm(), callLinkInfo.hotPathBegin, callerCodeBlock->ownerExecutable(), callee);
1572 callLinkInfo.lastSeenCallee.set(exec->callerFrame()->vm(), callerCodeBlock->ownerExecutable(), callee);
1573 if (shouldShowDisassemblyFor(callerCodeBlock))
1574 dataLog("Linking call in ", *callerCodeBlock, " at ", callLinkInfo.codeOrigin, " to ", pointerDump(calleeCodeBlock), ", entrypoint at ", codePtr, "\n");
1575 repatchBuffer.relink(callLinkInfo.hotPathOther, codePtr);
1576
1577 if (calleeCodeBlock)
1578 calleeCodeBlock->linkIncomingCall(exec->callerFrame(), &callLinkInfo);
1579
1580 if (kind == CodeForCall) {
1581 repatchBuffer.relink(callLinkInfo.callReturnLocation, vm->getCTIStub(linkClosureCallThunkGeneratorFor(registers)).code());
1582 return;
1583 }
1584
1585 ASSERT(kind == CodeForConstruct);
1586 linkSlowFor(repatchBuffer, vm, callLinkInfo, CodeForConstruct, registers);
1587 }
1588
1589 void linkSlowFor(
1590 ExecState* exec, CallLinkInfo& callLinkInfo, CodeSpecializationKind kind,
1591 RegisterPreservationMode registers)
1592 {
1593 CodeBlock* callerCodeBlock = exec->callerFrame()->codeBlock();
1594 VM* vm = callerCodeBlock->vm();
1595
1596 RepatchBuffer repatchBuffer(callerCodeBlock);
1597
1598 linkSlowFor(repatchBuffer, vm, callLinkInfo, kind, registers);
1599 }
1600
1601 void linkClosureCall(
1602 ExecState* exec, CallLinkInfo& callLinkInfo, CodeBlock* calleeCodeBlock,
1603 Structure* structure, ExecutableBase* executable, MacroAssemblerCodePtr codePtr,
1604 RegisterPreservationMode registers)
1605 {
1606 ASSERT(!callLinkInfo.stub);
1607
1608 CodeBlock* callerCodeBlock = exec->callerFrame()->codeBlock();
1609 VM* vm = callerCodeBlock->vm();
1610
1611 GPRReg calleeGPR = static_cast<GPRReg>(callLinkInfo.calleeGPR);
1612
1613 CCallHelpers stubJit(vm, callerCodeBlock);
1614
1615 CCallHelpers::JumpList slowPath;
1616
1617 ptrdiff_t offsetToFrame = -sizeof(CallerFrameAndPC);
1618
1619 if (!ASSERT_DISABLED) {
1620 CCallHelpers::Jump okArgumentCount = stubJit.branch32(
1621 CCallHelpers::Below, CCallHelpers::Address(CCallHelpers::stackPointerRegister, static_cast<ptrdiff_t>(sizeof(Register) * JSStack::ArgumentCount) + offsetToFrame + PayloadOffset), CCallHelpers::TrustedImm32(10000000));
1622 stubJit.abortWithReason(RepatchInsaneArgumentCount);
1623 okArgumentCount.link(&stubJit);
1624 }
1625
1626 #if USE(JSVALUE64)
1627 // We can safely clobber everything except the calleeGPR. We can't rely on tagMaskRegister
1628 // being set. So we do this the hard way.
1629 GPRReg scratch = AssemblyHelpers::selectScratchGPR(calleeGPR);
1630 stubJit.move(MacroAssembler::TrustedImm64(TagMask), scratch);
1631 slowPath.append(stubJit.branchTest64(CCallHelpers::NonZero, calleeGPR, scratch));
1632 #else
1633 // We would have already checked that the callee is a cell.
1634 #endif
1635
1636 slowPath.append(
1637 branchStructure(stubJit,
1638 CCallHelpers::NotEqual,
1639 CCallHelpers::Address(calleeGPR, JSCell::structureIDOffset()),
1640 structure));
1641
1642 slowPath.append(
1643 stubJit.branchPtr(
1644 CCallHelpers::NotEqual,
1645 CCallHelpers::Address(calleeGPR, JSFunction::offsetOfExecutable()),
1646 CCallHelpers::TrustedImmPtr(executable)));
1647
1648 stubJit.loadPtr(
1649 CCallHelpers::Address(calleeGPR, JSFunction::offsetOfScopeChain()),
1650 GPRInfo::returnValueGPR);
1651
1652 #if USE(JSVALUE64)
1653 stubJit.store64(
1654 GPRInfo::returnValueGPR,
1655 CCallHelpers::Address(MacroAssembler::stackPointerRegister, static_cast<ptrdiff_t>(sizeof(Register) * JSStack::ScopeChain) + offsetToFrame));
1656 #else
1657 stubJit.storePtr(
1658 GPRInfo::returnValueGPR,
1659 CCallHelpers::Address(MacroAssembler::stackPointerRegister, static_cast<ptrdiff_t>(sizeof(Register) * JSStack::ScopeChain) + OBJECT_OFFSETOF(EncodedValueDescriptor, asBits.payload) + offsetToFrame));
1660 stubJit.store32(
1661 CCallHelpers::TrustedImm32(JSValue::CellTag),
1662 CCallHelpers::Address(MacroAssembler::stackPointerRegister, static_cast<ptrdiff_t>(sizeof(Register) * JSStack::ScopeChain) + OBJECT_OFFSETOF(EncodedValueDescriptor, asBits.tag) + offsetToFrame));
1663 #endif
1664
1665 AssemblyHelpers::Call call = stubJit.nearCall();
1666 AssemblyHelpers::Jump done = stubJit.jump();
1667
1668 slowPath.link(&stubJit);
1669 stubJit.move(calleeGPR, GPRInfo::regT0);
1670 #if USE(JSVALUE32_64)
1671 stubJit.move(CCallHelpers::TrustedImm32(JSValue::CellTag), GPRInfo::regT1);
1672 #endif
1673 stubJit.move(CCallHelpers::TrustedImmPtr(&callLinkInfo), GPRInfo::regT2);
1674 stubJit.move(CCallHelpers::TrustedImmPtr(callLinkInfo.callReturnLocation.executableAddress()), GPRInfo::regT4);
1675
1676 stubJit.restoreReturnAddressBeforeReturn(GPRInfo::regT4);
1677 AssemblyHelpers::Jump slow = stubJit.jump();
1678
1679 LinkBuffer patchBuffer(*vm, stubJit, callerCodeBlock);
1680
1681 patchBuffer.link(call, FunctionPtr(codePtr.executableAddress()));
1682 if (JITCode::isOptimizingJIT(callerCodeBlock->jitType()))
1683 patchBuffer.link(done, callLinkInfo.callReturnLocation.labelAtOffset(0));
1684 else
1685 patchBuffer.link(done, callLinkInfo.hotPathOther.labelAtOffset(0));
1686 patchBuffer.link(slow, CodeLocationLabel(vm->getCTIStub(virtualThunkGeneratorFor(CodeForCall, registers)).code()));
1687
1688 RefPtr<ClosureCallStubRoutine> stubRoutine = adoptRef(new ClosureCallStubRoutine(
1689 FINALIZE_CODE_FOR(
1690 callerCodeBlock, patchBuffer,
1691 ("Closure call stub for %s, return point %p, target %p (%s)",
1692 toCString(*callerCodeBlock).data(), callLinkInfo.callReturnLocation.labelAtOffset(0).executableAddress(),
1693 codePtr.executableAddress(), toCString(pointerDump(calleeCodeBlock)).data())),
1694 *vm, callerCodeBlock->ownerExecutable(), structure, executable, callLinkInfo.codeOrigin));
1695
1696 RepatchBuffer repatchBuffer(callerCodeBlock);
1697
1698 repatchBuffer.replaceWithJump(
1699 RepatchBuffer::startOfBranchPtrWithPatchOnRegister(callLinkInfo.hotPathBegin),
1700 CodeLocationLabel(stubRoutine->code().code()));
1701 linkSlowFor(repatchBuffer, vm, callLinkInfo, CodeForCall, registers);
1702
1703 callLinkInfo.stub = stubRoutine.release();
1704
1705 ASSERT(!calleeCodeBlock || calleeCodeBlock->isIncomingCallAlreadyLinked(&callLinkInfo));
1706 }
1707
1708 void resetGetByID(RepatchBuffer& repatchBuffer, StructureStubInfo& stubInfo)
1709 {
1710 repatchCall(repatchBuffer, stubInfo.callReturnLocation, operationGetByIdOptimize);
1711 CodeLocationDataLabel32 structureLabel = stubInfo.callReturnLocation.dataLabel32AtOffset(-(intptr_t)stubInfo.patch.deltaCheckImmToCall);
1712 if (MacroAssembler::canJumpReplacePatchableBranch32WithPatch()) {
1713 repatchBuffer.revertJumpReplacementToPatchableBranch32WithPatch(
1714 RepatchBuffer::startOfPatchableBranch32WithPatchOnAddress(structureLabel),
1715 MacroAssembler::Address(
1716 static_cast<MacroAssembler::RegisterID>(stubInfo.patch.baseGPR),
1717 JSCell::structureIDOffset()),
1718 static_cast<int32_t>(unusedPointer));
1719 }
1720 repatchBuffer.repatch(structureLabel, static_cast<int32_t>(unusedPointer));
1721 #if USE(JSVALUE64)
1722 repatchBuffer.repatch(stubInfo.callReturnLocation.dataLabelCompactAtOffset(stubInfo.patch.deltaCallToLoadOrStore), 0);
1723 #else
1724 repatchBuffer.repatch(stubInfo.callReturnLocation.dataLabelCompactAtOffset(stubInfo.patch.deltaCallToTagLoadOrStore), 0);
1725 repatchBuffer.repatch(stubInfo.callReturnLocation.dataLabelCompactAtOffset(stubInfo.patch.deltaCallToPayloadLoadOrStore), 0);
1726 #endif
1727 repatchBuffer.relink(stubInfo.callReturnLocation.jumpAtOffset(stubInfo.patch.deltaCallToJump), stubInfo.callReturnLocation.labelAtOffset(stubInfo.patch.deltaCallToSlowCase));
1728 }
1729
1730 void resetPutByID(RepatchBuffer& repatchBuffer, StructureStubInfo& stubInfo)
1731 {
1732 V_JITOperation_ESsiJJI unoptimizedFunction = bitwise_cast<V_JITOperation_ESsiJJI>(readCallTarget(repatchBuffer, stubInfo.callReturnLocation).executableAddress());
1733 V_JITOperation_ESsiJJI optimizedFunction;
1734 if (unoptimizedFunction == operationPutByIdStrict || unoptimizedFunction == operationPutByIdStrictBuildList)
1735 optimizedFunction = operationPutByIdStrictOptimize;
1736 else if (unoptimizedFunction == operationPutByIdNonStrict || unoptimizedFunction == operationPutByIdNonStrictBuildList)
1737 optimizedFunction = operationPutByIdNonStrictOptimize;
1738 else if (unoptimizedFunction == operationPutByIdDirectStrict || unoptimizedFunction == operationPutByIdDirectStrictBuildList)
1739 optimizedFunction = operationPutByIdDirectStrictOptimize;
1740 else {
1741 ASSERT(unoptimizedFunction == operationPutByIdDirectNonStrict || unoptimizedFunction == operationPutByIdDirectNonStrictBuildList);
1742 optimizedFunction = operationPutByIdDirectNonStrictOptimize;
1743 }
1744 repatchCall(repatchBuffer, stubInfo.callReturnLocation, optimizedFunction);
1745 CodeLocationDataLabel32 structureLabel = stubInfo.callReturnLocation.dataLabel32AtOffset(-(intptr_t)stubInfo.patch.deltaCheckImmToCall);
1746 if (MacroAssembler::canJumpReplacePatchableBranch32WithPatch()) {
1747 repatchBuffer.revertJumpReplacementToPatchableBranch32WithPatch(
1748 RepatchBuffer::startOfPatchableBranch32WithPatchOnAddress(structureLabel),
1749 MacroAssembler::Address(
1750 static_cast<MacroAssembler::RegisterID>(stubInfo.patch.baseGPR),
1751 JSCell::structureIDOffset()),
1752 static_cast<int32_t>(unusedPointer));
1753 }
1754 repatchBuffer.repatch(structureLabel, static_cast<int32_t>(unusedPointer));
1755 #if USE(JSVALUE64)
1756 repatchBuffer.repatch(stubInfo.callReturnLocation.dataLabel32AtOffset(stubInfo.patch.deltaCallToLoadOrStore), 0);
1757 #else
1758 repatchBuffer.repatch(stubInfo.callReturnLocation.dataLabel32AtOffset(stubInfo.patch.deltaCallToTagLoadOrStore), 0);
1759 repatchBuffer.repatch(stubInfo.callReturnLocation.dataLabel32AtOffset(stubInfo.patch.deltaCallToPayloadLoadOrStore), 0);
1760 #endif
1761 repatchBuffer.relink(stubInfo.callReturnLocation.jumpAtOffset(stubInfo.patch.deltaCallToJump), stubInfo.callReturnLocation.labelAtOffset(stubInfo.patch.deltaCallToSlowCase));
1762 }
1763
1764 void resetIn(RepatchBuffer& repatchBuffer, StructureStubInfo& stubInfo)
1765 {
1766 repatchBuffer.relink(stubInfo.callReturnLocation.jumpAtOffset(stubInfo.patch.deltaCallToJump), stubInfo.callReturnLocation.labelAtOffset(stubInfo.patch.deltaCallToSlowCase));
1767 }
1768
1769 } // namespace JSC
1770
1771 #endif
mirror of JavaScriptCore