| /* |
| * Copyright (C) 2017-2019 Apple Inc. All rights reserved. |
| * |
| * Redistribution and use in source and binary forms, with or without |
| * modification, are permitted provided that the following conditions |
| * are met: |
| * 1. Redistributions of source code must retain the above copyright |
| * notice, this list of conditions and the following disclaimer. |
| * 2. Redistributions in binary form must reproduce the above copyright |
| * notice, this list of conditions and the following disclaimer in the |
| * documentation and/or other materials provided with the distribution. |
| * |
| * THIS SOFTWARE IS PROVIDED BY APPLE INC. ``AS IS'' AND ANY |
| * EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE |
| * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR |
| * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL APPLE INC. OR |
| * CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, |
| * EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, |
| * PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR |
| * PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY |
| * OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT |
| * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE |
| * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. |
| */ |
| |
| #include "config.h" |
| #include "AccessCase.h" |
| |
| #if ENABLE(JIT) |
| |
| #include "CCallHelpers.h" |
| #include "CallLinkInfo.h" |
| #include "DOMJITGetterSetter.h" |
| #include "DirectArguments.h" |
| #include "GetterSetter.h" |
| #include "GetterSetterAccessCase.h" |
| #include "InstanceOfAccessCase.h" |
| #include "IntrinsicGetterAccessCase.h" |
| #include "JSCInlines.h" |
| #include "JSModuleEnvironment.h" |
| #include "JSModuleNamespaceObject.h" |
| #include "LinkBuffer.h" |
| #include "ModuleNamespaceAccessCase.h" |
| #include "PolymorphicAccess.h" |
| #include "ScopedArguments.h" |
| #include "ScratchRegisterAllocator.h" |
| #include "StructureStubInfo.h" |
| #include "SuperSampler.h" |
| #include "ThunkGenerators.h" |
| |
| namespace JSC { |
| |
| namespace AccessCaseInternal { |
| static constexpr bool verbose = false; |
| } |
| |
| AccessCase::AccessCase(VM& vm, JSCell* owner, AccessType type, PropertyOffset offset, Structure* structure, const ObjectPropertyConditionSet& conditionSet, std::unique_ptr<PolyProtoAccessChain> prototypeAccessChain) |
| : m_type(type) |
| , m_offset(offset) |
| , m_polyProtoAccessChain(WTFMove(prototypeAccessChain)) |
| { |
| m_structure.setMayBeNull(vm, owner, structure); |
| m_conditionSet = conditionSet; |
| RELEASE_ASSERT(m_conditionSet.isValid()); |
| } |
| |
| std::unique_ptr<AccessCase> AccessCase::create(VM& vm, JSCell* owner, AccessType type, PropertyOffset offset, Structure* structure, const ObjectPropertyConditionSet& conditionSet, std::unique_ptr<PolyProtoAccessChain> prototypeAccessChain) |
| { |
| switch (type) { |
| case InHit: |
| case InMiss: |
| break; |
| case ArrayLength: |
| case StringLength: |
| case DirectArgumentsLength: |
| case ScopedArgumentsLength: |
| case ModuleNamespaceLoad: |
| case Replace: |
| case InstanceOfGeneric: |
| RELEASE_ASSERT(!prototypeAccessChain); |
| break; |
| default: |
| RELEASE_ASSERT_NOT_REACHED(); |
| }; |
| |
| return std::unique_ptr<AccessCase>(new AccessCase(vm, owner, type, offset, structure, conditionSet, WTFMove(prototypeAccessChain))); |
| } |
| |
| std::unique_ptr<AccessCase> AccessCase::create( |
| VM& vm, JSCell* owner, PropertyOffset offset, Structure* oldStructure, Structure* newStructure, |
| const ObjectPropertyConditionSet& conditionSet, std::unique_ptr<PolyProtoAccessChain> prototypeAccessChain) |
| { |
| RELEASE_ASSERT(oldStructure == newStructure->previousID()); |
| |
| // Skip optimizing the case where we need a realloc, if we don't have |
| // enough registers to make it happen. |
| if (GPRInfo::numberOfRegisters < 6 |
| && oldStructure->outOfLineCapacity() != newStructure->outOfLineCapacity() |
| && oldStructure->outOfLineCapacity()) { |
| return nullptr; |
| } |
| |
| return std::unique_ptr<AccessCase>(new AccessCase(vm, owner, Transition, offset, newStructure, conditionSet, WTFMove(prototypeAccessChain))); |
| } |
| |
| AccessCase::~AccessCase() |
| { |
| } |
| |
| std::unique_ptr<AccessCase> AccessCase::fromStructureStubInfo( |
| VM& vm, JSCell* owner, StructureStubInfo& stubInfo) |
| { |
| switch (stubInfo.cacheType) { |
| case CacheType::GetByIdSelf: |
| return ProxyableAccessCase::create(vm, owner, Load, stubInfo.u.byIdSelf.offset, stubInfo.u.byIdSelf.baseObjectStructure.get()); |
| |
| case CacheType::PutByIdReplace: |
| return AccessCase::create(vm, owner, Replace, stubInfo.u.byIdSelf.offset, stubInfo.u.byIdSelf.baseObjectStructure.get()); |
| |
| case CacheType::InByIdSelf: |
| return AccessCase::create(vm, owner, InHit, stubInfo.u.byIdSelf.offset, stubInfo.u.byIdSelf.baseObjectStructure.get()); |
| |
| case CacheType::ArrayLength: |
| return AccessCase::create(vm, owner, AccessCase::ArrayLength); |
| |
| case CacheType::StringLength: |
| return AccessCase::create(vm, owner, AccessCase::StringLength); |
| |
| default: |
| return nullptr; |
| } |
| } |
| |
| bool AccessCase::hasAlternateBase() const |
| { |
| return !conditionSet().isEmpty(); |
| } |
| |
| JSObject* AccessCase::alternateBase() const |
| { |
| return conditionSet().slotBaseCondition().object(); |
| } |
| |
| std::unique_ptr<AccessCase> AccessCase::clone() const |
| { |
| std::unique_ptr<AccessCase> result(new AccessCase(*this)); |
| result->resetState(); |
| return result; |
| } |
| |
| Vector<WatchpointSet*, 2> AccessCase::commit(VM& vm, const Identifier& ident) |
| { |
| // It's fine to commit something that is already committed. That arises when we switch to using |
| // newly allocated watchpoints. When it happens, it's not efficient - but we think that's OK |
| // because most AccessCases have no extra watchpoints anyway. |
| RELEASE_ASSERT(m_state == Primordial || m_state == Committed); |
| |
| Vector<WatchpointSet*, 2> result; |
| Structure* structure = this->structure(); |
| |
| if (!ident.isNull()) { |
| if ((structure && structure->needImpurePropertyWatchpoint()) |
| || m_conditionSet.needImpurePropertyWatchpoint() |
| || (m_polyProtoAccessChain && m_polyProtoAccessChain->needImpurePropertyWatchpoint())) |
| result.append(vm.ensureWatchpointSetForImpureProperty(ident)); |
| } |
| |
| if (additionalSet()) |
| result.append(additionalSet()); |
| |
| if (structure |
| && structure->hasRareData() |
| && structure->rareData()->hasSharedPolyProtoWatchpoint() |
| && structure->rareData()->sharedPolyProtoWatchpoint()->isStillValid()) { |
| WatchpointSet* set = structure->rareData()->sharedPolyProtoWatchpoint()->inflate(); |
| result.append(set); |
| } |
| |
| m_state = Committed; |
| |
| return result; |
| } |
| |
| bool AccessCase::guardedByStructureCheck() const |
| { |
| if (viaProxy()) |
| return false; |
| |
| if (m_polyProtoAccessChain) |
| return false; |
| |
| switch (m_type) { |
| case ArrayLength: |
| case StringLength: |
| case DirectArgumentsLength: |
| case ScopedArgumentsLength: |
| case ModuleNamespaceLoad: |
| case InstanceOfHit: |
| case InstanceOfMiss: |
| case InstanceOfGeneric: |
| return false; |
| default: |
| return true; |
| } |
| } |
| |
| template<typename Functor> |
| void AccessCase::forEachDependentCell(const Functor& functor) const |
| { |
| m_conditionSet.forEachDependentCell(functor); |
| if (m_structure) |
| functor(m_structure.get()); |
| if (m_polyProtoAccessChain) { |
| for (Structure* structure : m_polyProtoAccessChain->chain()) |
| functor(structure); |
| } |
| |
| switch (type()) { |
| case Getter: |
| case Setter: { |
| auto& accessor = this->as<GetterSetterAccessCase>(); |
| if (accessor.callLinkInfo()) |
| accessor.callLinkInfo()->forEachDependentCell(functor); |
| break; |
| } |
| case CustomValueGetter: |
| case CustomValueSetter: { |
| auto& accessor = this->as<GetterSetterAccessCase>(); |
| if (accessor.customSlotBase()) |
| functor(accessor.customSlotBase()); |
| break; |
| } |
| case IntrinsicGetter: { |
| auto& intrinsic = this->as<IntrinsicGetterAccessCase>(); |
| if (intrinsic.intrinsicFunction()) |
| functor(intrinsic.intrinsicFunction()); |
| break; |
| } |
| case ModuleNamespaceLoad: { |
| auto& accessCase = this->as<ModuleNamespaceAccessCase>(); |
| if (accessCase.moduleNamespaceObject()) |
| functor(accessCase.moduleNamespaceObject()); |
| if (accessCase.moduleEnvironment()) |
| functor(accessCase.moduleEnvironment()); |
| break; |
| } |
| case InstanceOfHit: |
| case InstanceOfMiss: |
| if (as<InstanceOfAccessCase>().prototype()) |
| functor(as<InstanceOfAccessCase>().prototype()); |
| break; |
| case CustomAccessorGetter: |
| case CustomAccessorSetter: |
| case Load: |
| case Transition: |
| case Replace: |
| case Miss: |
| case GetGetter: |
| case InHit: |
| case InMiss: |
| case ArrayLength: |
| case StringLength: |
| case DirectArgumentsLength: |
| case ScopedArgumentsLength: |
| case InstanceOfGeneric: |
| break; |
| } |
| } |
| |
| bool AccessCase::doesCalls(Vector<JSCell*>* cellsToMarkIfDoesCalls) const |
| { |
| bool doesCalls; |
| switch (type()) { |
| case Transition: |
| doesCalls = newStructure()->outOfLineCapacity() != structure()->outOfLineCapacity() && structure()->couldHaveIndexingHeader(); |
| break; |
| case Getter: |
| case Setter: |
| case CustomValueGetter: |
| case CustomAccessorGetter: |
| case CustomValueSetter: |
| case CustomAccessorSetter: |
| doesCalls = true; |
| break; |
| case Load: |
| case Replace: |
| case Miss: |
| case GetGetter: |
| case IntrinsicGetter: |
| case InHit: |
| case InMiss: |
| case ArrayLength: |
| case StringLength: |
| case DirectArgumentsLength: |
| case ScopedArgumentsLength: |
| case ModuleNamespaceLoad: |
| case InstanceOfHit: |
| case InstanceOfMiss: |
| case InstanceOfGeneric: |
| doesCalls = false; |
| break; |
| } |
| |
| if (doesCalls && cellsToMarkIfDoesCalls) { |
| forEachDependentCell([&](JSCell* cell) { |
| cellsToMarkIfDoesCalls->append(cell); |
| }); |
| } |
| return doesCalls; |
| } |
| |
| bool AccessCase::couldStillSucceed() const |
| { |
| for (const ObjectPropertyCondition& condition : m_conditionSet) { |
| if (condition.condition().kind() == PropertyCondition::Equivalence) { |
| if (!condition.isWatchableAssumingImpurePropertyWatchpoint(PropertyCondition::WatchabilityEffort::EnsureWatchability)) |
| return false; |
| } else { |
| if (!condition.structureEnsuresValidityAssumingImpurePropertyWatchpoint()) |
| return false; |
| } |
| } |
| return true; |
| } |
| |
| bool AccessCase::canReplace(const AccessCase& other) const |
| { |
| // This puts in a good effort to try to figure out if 'other' is made superfluous by '*this'. |
| // It's fine for this to return false if it's in doubt. |
| // |
| // Note that if A->guardedByStructureCheck() && B->guardedByStructureCheck() then |
| // A->canReplace(B) == B->canReplace(A). |
| |
| switch (type()) { |
| case ArrayLength: |
| case StringLength: |
| case DirectArgumentsLength: |
| case ScopedArgumentsLength: |
| return other.type() == type(); |
| case ModuleNamespaceLoad: { |
| if (other.type() != type()) |
| return false; |
| auto& thisCase = this->as<ModuleNamespaceAccessCase>(); |
| auto& otherCase = this->as<ModuleNamespaceAccessCase>(); |
| return thisCase.moduleNamespaceObject() == otherCase.moduleNamespaceObject(); |
| } |
| case InstanceOfHit: |
| case InstanceOfMiss: { |
| if (other.type() != type()) |
| return false; |
| |
| if (this->as<InstanceOfAccessCase>().prototype() != other.as<InstanceOfAccessCase>().prototype()) |
| return false; |
| |
| return structure() == other.structure(); |
| } |
| case InstanceOfGeneric: |
| switch (other.type()) { |
| case InstanceOfGeneric: |
| case InstanceOfHit: |
| case InstanceOfMiss: |
| return true; |
| default: |
| return false; |
| } |
| default: |
| if (other.type() != type()) |
| return false; |
| |
| if (m_polyProtoAccessChain) { |
| if (!other.m_polyProtoAccessChain) |
| return false; |
| // This is the only check we need since PolyProtoAccessChain contains the base structure. |
| // If we ever change it to contain only the prototype chain, we'll also need to change |
| // this to check the base structure. |
| return structure() == other.structure() |
| && *m_polyProtoAccessChain == *other.m_polyProtoAccessChain; |
| } |
| |
| if (!guardedByStructureCheck() || !other.guardedByStructureCheck()) |
| return false; |
| |
| return structure() == other.structure(); |
| } |
| } |
| |
| void AccessCase::dump(PrintStream& out) const |
| { |
| out.print("\n", m_type, ":("); |
| |
| CommaPrinter comma; |
| |
| out.print(comma, m_state); |
| |
| if (isValidOffset(m_offset)) |
| out.print(comma, "offset = ", m_offset); |
| if (!m_conditionSet.isEmpty()) |
| out.print(comma, "conditions = ", m_conditionSet); |
| |
| if (m_polyProtoAccessChain) { |
| out.print(comma, "prototype access chain = "); |
| m_polyProtoAccessChain->dump(structure(), out); |
| } else { |
| if (m_type == Transition) |
| out.print(comma, "structure = ", pointerDump(structure()), " -> ", pointerDump(newStructure())); |
| else if (m_structure) |
| out.print(comma, "structure = ", pointerDump(m_structure.get())); |
| } |
| |
| dumpImpl(out, comma); |
| out.print(")"); |
| } |
| |
| bool AccessCase::visitWeak(VM& vm) const |
| { |
| if (isAccessor()) { |
| auto& accessor = this->as<GetterSetterAccessCase>(); |
| if (accessor.callLinkInfo()) |
| accessor.callLinkInfo()->visitWeak(vm); |
| } |
| |
| bool isValid = true; |
| forEachDependentCell([&](JSCell* cell) { |
| isValid &= vm.heap.isMarked(cell); |
| }); |
| return isValid; |
| } |
| |
| bool AccessCase::propagateTransitions(SlotVisitor& visitor) const |
| { |
| bool result = true; |
| |
| if (m_structure) |
| result &= m_structure->markIfCheap(visitor); |
| |
| if (m_polyProtoAccessChain) { |
| for (Structure* structure : m_polyProtoAccessChain->chain()) |
| result &= structure->markIfCheap(visitor); |
| } |
| |
| switch (m_type) { |
| case Transition: |
| if (visitor.vm().heap.isMarked(m_structure->previousID())) |
| visitor.appendUnbarriered(m_structure.get()); |
| else |
| result = false; |
| break; |
| default: |
| break; |
| } |
| |
| return result; |
| } |
| |
| void AccessCase::generateWithGuard( |
| AccessGenerationState& state, CCallHelpers::JumpList& fallThrough) |
| { |
| SuperSamplerScope superSamplerScope(false); |
| |
| RELEASE_ASSERT(m_state == Committed); |
| m_state = Generated; |
| |
| CCallHelpers& jit = *state.jit; |
| StructureStubInfo& stubInfo = *state.stubInfo; |
| VM& vm = state.m_vm; |
| JSValueRegs valueRegs = state.valueRegs; |
| GPRReg baseGPR = state.baseGPR; |
| GPRReg scratchGPR = state.scratchGPR; |
| |
| UNUSED_PARAM(vm); |
| |
| auto emitDefaultGuard = [&] () { |
| if (m_polyProtoAccessChain) { |
| GPRReg baseForAccessGPR = state.scratchGPR; |
| jit.move(state.baseGPR, baseForAccessGPR); |
| m_polyProtoAccessChain->forEach(structure(), [&] (Structure* structure, bool atEnd) { |
| fallThrough.append( |
| jit.branchStructure( |
| CCallHelpers::NotEqual, |
| CCallHelpers::Address(baseForAccessGPR, JSCell::structureIDOffset()), |
| structure)); |
| if (atEnd) { |
| if ((m_type == Miss || m_type == InMiss || m_type == Transition) && structure->hasPolyProto()) { |
| // For a Miss/InMiss/Transition, we must ensure we're at the end when the last item is poly proto. |
| // Transitions must do this because they need to verify there isn't a setter in the chain. |
| // Miss/InMiss need to do this to ensure there isn't a new item at the end of the chain that |
| // has the property. |
| #if USE(JSVALUE64) |
| jit.load64(MacroAssembler::Address(baseForAccessGPR, offsetRelativeToBase(knownPolyProtoOffset)), baseForAccessGPR); |
| fallThrough.append(jit.branch64(CCallHelpers::NotEqual, baseForAccessGPR, CCallHelpers::TrustedImm64(JSValue::ValueNull))); |
| #else |
| jit.load32(MacroAssembler::Address(baseForAccessGPR, offsetRelativeToBase(knownPolyProtoOffset) + PayloadOffset), baseForAccessGPR); |
| fallThrough.append(jit.branchTestPtr(CCallHelpers::NonZero, baseForAccessGPR)); |
| #endif |
| } |
| } else { |
| if (structure->hasMonoProto()) { |
| JSValue prototype = structure->prototypeForLookup(state.m_globalObject); |
| RELEASE_ASSERT(prototype.isObject()); |
| jit.move(CCallHelpers::TrustedImmPtr(asObject(prototype)), baseForAccessGPR); |
| } else { |
| RELEASE_ASSERT(structure->isObject()); // Primitives must have a stored prototype. We use prototypeForLookup for them. |
| #if USE(JSVALUE64) |
| jit.load64(MacroAssembler::Address(baseForAccessGPR, offsetRelativeToBase(knownPolyProtoOffset)), baseForAccessGPR); |
| fallThrough.append(jit.branch64(CCallHelpers::Equal, baseForAccessGPR, CCallHelpers::TrustedImm64(JSValue::ValueNull))); |
| #else |
| jit.load32(MacroAssembler::Address(baseForAccessGPR, offsetRelativeToBase(knownPolyProtoOffset) + PayloadOffset), baseForAccessGPR); |
| fallThrough.append(jit.branchTestPtr(CCallHelpers::Zero, baseForAccessGPR)); |
| #endif |
| } |
| } |
| }); |
| return; |
| } |
| |
| if (viaProxy()) { |
| fallThrough.append( |
| jit.branchIfNotType(baseGPR, PureForwardingProxyType)); |
| |
| jit.loadPtr(CCallHelpers::Address(baseGPR, JSProxy::targetOffset()), scratchGPR); |
| |
| fallThrough.append( |
| jit.branchStructure( |
| CCallHelpers::NotEqual, |
| CCallHelpers::Address(scratchGPR, JSCell::structureIDOffset()), |
| structure())); |
| return; |
| } |
| |
| fallThrough.append( |
| jit.branchStructure( |
| CCallHelpers::NotEqual, |
| CCallHelpers::Address(baseGPR, JSCell::structureIDOffset()), |
| structure())); |
| }; |
| |
| switch (m_type) { |
| case ArrayLength: { |
| ASSERT(!viaProxy()); |
| jit.load8(CCallHelpers::Address(baseGPR, JSCell::indexingTypeAndMiscOffset()), scratchGPR); |
| fallThrough.append( |
| jit.branchTest32( |
| CCallHelpers::Zero, scratchGPR, CCallHelpers::TrustedImm32(IsArray))); |
| fallThrough.append( |
| jit.branchTest32( |
| CCallHelpers::Zero, scratchGPR, CCallHelpers::TrustedImm32(IndexingShapeMask))); |
| break; |
| } |
| |
| case StringLength: { |
| ASSERT(!viaProxy()); |
| fallThrough.append( |
| jit.branchIfNotString(baseGPR)); |
| break; |
| } |
| |
| case DirectArgumentsLength: { |
| ASSERT(!viaProxy()); |
| fallThrough.append( |
| jit.branchIfNotType(baseGPR, DirectArgumentsType)); |
| |
| fallThrough.append( |
| jit.branchTestPtr( |
| CCallHelpers::NonZero, |
| CCallHelpers::Address(baseGPR, DirectArguments::offsetOfMappedArguments()))); |
| jit.load32( |
| CCallHelpers::Address(baseGPR, DirectArguments::offsetOfLength()), |
| valueRegs.payloadGPR()); |
| jit.boxInt32(valueRegs.payloadGPR(), valueRegs); |
| state.succeed(); |
| return; |
| } |
| |
| case ScopedArgumentsLength: { |
| ASSERT(!viaProxy()); |
| fallThrough.append( |
| jit.branchIfNotType(baseGPR, ScopedArgumentsType)); |
| |
| jit.loadPtr( |
| CCallHelpers::Address(baseGPR, ScopedArguments::offsetOfStorage()), |
| scratchGPR); |
| fallThrough.append( |
| jit.branchTest8( |
| CCallHelpers::NonZero, |
| CCallHelpers::Address(scratchGPR, ScopedArguments::offsetOfOverrodeThingsInStorage()))); |
| jit.load32( |
| CCallHelpers::Address(scratchGPR, ScopedArguments::offsetOfTotalLengthInStorage()), |
| valueRegs.payloadGPR()); |
| jit.boxInt32(valueRegs.payloadGPR(), valueRegs); |
| state.succeed(); |
| return; |
| } |
| |
| case ModuleNamespaceLoad: { |
| this->as<ModuleNamespaceAccessCase>().emit(state, fallThrough); |
| return; |
| } |
| |
| case InstanceOfHit: |
| case InstanceOfMiss: |
| emitDefaultGuard(); |
| |
| fallThrough.append( |
| jit.branchPtr( |
| CCallHelpers::NotEqual, state.u.prototypeGPR, |
| CCallHelpers::TrustedImmPtr(as<InstanceOfAccessCase>().prototype()))); |
| break; |
| |
| case InstanceOfGeneric: { |
| GPRReg prototypeGPR = state.u.prototypeGPR; |
| // Legend: value = `base instanceof prototypeGPR`. |
| |
| GPRReg valueGPR = valueRegs.payloadGPR(); |
| |
| ScratchRegisterAllocator allocator(stubInfo.patch.usedRegisters); |
| allocator.lock(baseGPR); |
| allocator.lock(valueGPR); |
| allocator.lock(prototypeGPR); |
| allocator.lock(scratchGPR); |
| |
| GPRReg scratch2GPR = allocator.allocateScratchGPR(); |
| |
| if (!state.stubInfo->prototypeIsKnownObject) |
| state.failAndIgnore.append(jit.branchIfNotObject(prototypeGPR)); |
| |
| ScratchRegisterAllocator::PreservedState preservedState = |
| allocator.preserveReusedRegistersByPushing( |
| jit, |
| ScratchRegisterAllocator::ExtraStackSpace::NoExtraSpace); |
| CCallHelpers::Jump failAndIgnore; |
| |
| jit.move(baseGPR, valueGPR); |
| |
| CCallHelpers::Label loop(&jit); |
| failAndIgnore = jit.branchIfType(valueGPR, ProxyObjectType); |
| |
| jit.emitLoadStructure(vm, valueGPR, scratch2GPR, scratchGPR); |
| #if USE(JSVALUE64) |
| jit.load64(CCallHelpers::Address(scratch2GPR, Structure::prototypeOffset()), scratch2GPR); |
| CCallHelpers::Jump hasMonoProto = jit.branchTest64(CCallHelpers::NonZero, scratch2GPR); |
| jit.load64( |
| CCallHelpers::Address(valueGPR, offsetRelativeToBase(knownPolyProtoOffset)), |
| scratch2GPR); |
| hasMonoProto.link(&jit); |
| #else |
| jit.load32( |
| CCallHelpers::Address(scratch2GPR, Structure::prototypeOffset() + TagOffset), |
| scratchGPR); |
| jit.load32( |
| CCallHelpers::Address(scratch2GPR, Structure::prototypeOffset() + PayloadOffset), |
| scratch2GPR); |
| CCallHelpers::Jump hasMonoProto = jit.branch32( |
| CCallHelpers::NotEqual, scratchGPR, CCallHelpers::TrustedImm32(JSValue::EmptyValueTag)); |
| jit.load32( |
| CCallHelpers::Address( |
| valueGPR, offsetRelativeToBase(knownPolyProtoOffset) + PayloadOffset), |
| scratch2GPR); |
| hasMonoProto.link(&jit); |
| #endif |
| jit.move(scratch2GPR, valueGPR); |
| |
| CCallHelpers::Jump isInstance = jit.branchPtr(CCallHelpers::Equal, valueGPR, prototypeGPR); |
| |
| #if USE(JSVALUE64) |
| jit.branchIfCell(JSValueRegs(valueGPR)).linkTo(loop, &jit); |
| #else |
| jit.branchTestPtr(CCallHelpers::NonZero, valueGPR).linkTo(loop, &jit); |
| #endif |
| |
| jit.boxBooleanPayload(false, valueGPR); |
| allocator.restoreReusedRegistersByPopping(jit, preservedState); |
| state.succeed(); |
| |
| isInstance.link(&jit); |
| jit.boxBooleanPayload(true, valueGPR); |
| allocator.restoreReusedRegistersByPopping(jit, preservedState); |
| state.succeed(); |
| |
| if (allocator.didReuseRegisters()) { |
| failAndIgnore.link(&jit); |
| allocator.restoreReusedRegistersByPopping(jit, preservedState); |
| state.failAndIgnore.append(jit.jump()); |
| } else |
| state.failAndIgnore.append(failAndIgnore); |
| return; |
| } |
| |
| default: |
| emitDefaultGuard(); |
| break; |
| } |
| |
| generateImpl(state); |
| } |
| |
| void AccessCase::generate(AccessGenerationState& state) |
| { |
| RELEASE_ASSERT(m_state == Committed); |
| m_state = Generated; |
| |
| generateImpl(state); |
| } |
| |
| void AccessCase::generateImpl(AccessGenerationState& state) |
| { |
| SuperSamplerScope superSamplerScope(false); |
| if (AccessCaseInternal::verbose) |
| dataLog("\n\nGenerating code for: ", *this, "\n"); |
| |
| ASSERT(m_state == Generated); // We rely on the callers setting this for us. |
| |
| CCallHelpers& jit = *state.jit; |
| VM& vm = state.m_vm; |
| CodeBlock* codeBlock = jit.codeBlock(); |
| StructureStubInfo& stubInfo = *state.stubInfo; |
| const Identifier& ident = *state.ident; |
| JSValueRegs valueRegs = state.valueRegs; |
| GPRReg baseGPR = state.baseGPR; |
| GPRReg thisGPR = state.u.thisGPR != InvalidGPRReg ? state.u.thisGPR : baseGPR; |
| GPRReg scratchGPR = state.scratchGPR; |
| |
| for (const ObjectPropertyCondition& condition : m_conditionSet) { |
| RELEASE_ASSERT(!m_polyProtoAccessChain); |
| |
| if (condition.isWatchableAssumingImpurePropertyWatchpoint(PropertyCondition::WatchabilityEffort::EnsureWatchability)) { |
| state.installWatchpoint(condition); |
| continue; |
| } |
| |
| // For now, we only allow equivalence when it's watchable. |
| RELEASE_ASSERT(condition.condition().kind() != PropertyCondition::Equivalence); |
| |
| if (!condition.structureEnsuresValidityAssumingImpurePropertyWatchpoint()) { |
| // The reason why this cannot happen is that we require that PolymorphicAccess calls |
| // AccessCase::generate() only after it has verified that |
| // AccessCase::couldStillSucceed() returned true. |
| |
| dataLog("This condition is no longer met: ", condition, "\n"); |
| RELEASE_ASSERT_NOT_REACHED(); |
| } |
| |
| // We will emit code that has a weak reference that isn't otherwise listed anywhere. |
| Structure* structure = condition.object()->structure(vm); |
| state.weakReferences.append(WriteBarrier<JSCell>(vm, codeBlock, structure)); |
| |
| jit.move(CCallHelpers::TrustedImmPtr(condition.object()), scratchGPR); |
| state.failAndRepatch.append( |
| jit.branchStructure( |
| CCallHelpers::NotEqual, |
| CCallHelpers::Address(scratchGPR, JSCell::structureIDOffset()), |
| structure)); |
| } |
| |
| switch (m_type) { |
| case InHit: |
| case InMiss: |
| jit.boxBoolean(m_type == InHit, valueRegs); |
| state.succeed(); |
| return; |
| |
| case Miss: |
| jit.moveTrustedValue(jsUndefined(), valueRegs); |
| state.succeed(); |
| return; |
| |
| case InstanceOfHit: |
| case InstanceOfMiss: |
| jit.boxBooleanPayload(m_type == InstanceOfHit, valueRegs.payloadGPR()); |
| state.succeed(); |
| return; |
| |
| case Load: |
| case GetGetter: |
| case Getter: |
| case Setter: |
| case CustomValueGetter: |
| case CustomAccessorGetter: |
| case CustomValueSetter: |
| case CustomAccessorSetter: { |
| GPRReg valueRegsPayloadGPR = valueRegs.payloadGPR(); |
| |
| if (isValidOffset(m_offset)) { |
| Structure* currStructure; |
| if (!hasAlternateBase()) |
| currStructure = structure(); |
| else |
| currStructure = alternateBase()->structure(vm); |
| currStructure->startWatchingPropertyForReplacements(vm, offset()); |
| } |
| |
| GPRReg baseForGetGPR; |
| if (viaProxy()) { |
| ASSERT(m_type != CustomValueSetter || m_type != CustomAccessorSetter); // Because setters need to not trash valueRegsPayloadGPR. |
| if (m_type == Getter || m_type == Setter) |
| baseForGetGPR = scratchGPR; |
| else |
| baseForGetGPR = valueRegsPayloadGPR; |
| |
| ASSERT((m_type != Getter && m_type != Setter) || baseForGetGPR != baseGPR); |
| ASSERT(m_type != Setter || baseForGetGPR != valueRegsPayloadGPR); |
| |
| jit.loadPtr( |
| CCallHelpers::Address(baseGPR, JSProxy::targetOffset()), |
| baseForGetGPR); |
| } else |
| baseForGetGPR = baseGPR; |
| |
| GPRReg baseForAccessGPR; |
| if (m_polyProtoAccessChain) { |
| // This isn't pretty, but we know we got here via generateWithGuard, |
| // and it left the baseForAccess inside scratchGPR. We could re-derive the base, |
| // but it'd require emitting the same code to load the base twice. |
| baseForAccessGPR = scratchGPR; |
| } else { |
| if (hasAlternateBase()) { |
| jit.move( |
| CCallHelpers::TrustedImmPtr(alternateBase()), scratchGPR); |
| baseForAccessGPR = scratchGPR; |
| } else |
| baseForAccessGPR = baseForGetGPR; |
| } |
| |
| GPRReg loadedValueGPR = InvalidGPRReg; |
| if (m_type != CustomValueGetter && m_type != CustomAccessorGetter && m_type != CustomValueSetter && m_type != CustomAccessorSetter) { |
| if (m_type == Load || m_type == GetGetter) |
| loadedValueGPR = valueRegsPayloadGPR; |
| else |
| loadedValueGPR = scratchGPR; |
| |
| ASSERT((m_type != Getter && m_type != Setter) || loadedValueGPR != baseGPR); |
| ASSERT(m_type != Setter || loadedValueGPR != valueRegsPayloadGPR); |
| |
| GPRReg storageGPR; |
| if (isInlineOffset(m_offset)) |
| storageGPR = baseForAccessGPR; |
| else { |
| jit.loadPtr( |
| CCallHelpers::Address(baseForAccessGPR, JSObject::butterflyOffset()), |
| loadedValueGPR); |
| storageGPR = loadedValueGPR; |
| } |
| |
| #if USE(JSVALUE64) |
| jit.load64( |
| CCallHelpers::Address(storageGPR, offsetRelativeToBase(m_offset)), loadedValueGPR); |
| #else |
| if (m_type == Load || m_type == GetGetter) { |
| jit.load32( |
| CCallHelpers::Address(storageGPR, offsetRelativeToBase(m_offset) + TagOffset), |
| valueRegs.tagGPR()); |
| } |
| jit.load32( |
| CCallHelpers::Address(storageGPR, offsetRelativeToBase(m_offset) + PayloadOffset), |
| loadedValueGPR); |
| #endif |
| } |
| |
| if (m_type == Load || m_type == GetGetter) { |
| state.succeed(); |
| return; |
| } |
| |
| if (m_type == CustomAccessorGetter && this->as<GetterSetterAccessCase>().domAttribute()) { |
| auto& access = this->as<GetterSetterAccessCase>(); |
| // We do not need to emit CheckDOM operation since structure check ensures |
| // that the structure of the given base value is structure()! So all we should |
| // do is performing the CheckDOM thingy in IC compiling time here. |
| if (!structure()->classInfo()->isSubClassOf(access.domAttribute()->classInfo)) { |
| state.failAndIgnore.append(jit.jump()); |
| return; |
| } |
| |
| if (Options::useDOMJIT() && access.domAttribute()->domJIT) { |
| access.emitDOMJITGetter(state, access.domAttribute()->domJIT, baseForGetGPR); |
| return; |
| } |
| } |
| |
| // Stuff for custom getters/setters. |
| CCallHelpers::Call operationCall; |
| |
| // Stuff for JS getters/setters. |
| CCallHelpers::DataLabelPtr addressOfLinkFunctionCheck; |
| CCallHelpers::Call fastPathCall; |
| CCallHelpers::Call slowPathCall; |
| |
| // This also does the necessary calculations of whether or not we're an |
| // exception handling call site. |
| AccessGenerationState::SpillState spillState = state.preserveLiveRegistersToStackForCall(); |
| |
| auto restoreLiveRegistersFromStackForCall = [&](AccessGenerationState::SpillState& spillState, bool callHasReturnValue) { |
| RegisterSet dontRestore; |
| if (callHasReturnValue) { |
| // This is the result value. We don't want to overwrite the result with what we stored to the stack. |
| // We sometimes have to store it to the stack just in case we throw an exception and need the original value. |
| dontRestore.set(valueRegs); |
| } |
| state.restoreLiveRegistersFromStackForCall(spillState, dontRestore); |
| }; |
| |
| jit.store32( |
| CCallHelpers::TrustedImm32(state.callSiteIndexForExceptionHandlingOrOriginal().bits()), |
| CCallHelpers::tagFor(static_cast<VirtualRegister>(CallFrameSlot::argumentCount))); |
| |
| if (m_type == Getter || m_type == Setter) { |
| auto& access = this->as<GetterSetterAccessCase>(); |
| ASSERT(baseGPR != loadedValueGPR); |
| ASSERT(m_type != Setter || valueRegsPayloadGPR != loadedValueGPR); |
| |
| // Create a JS call using a JS call inline cache. Assume that: |
| // |
| // - SP is aligned and represents the extent of the calling compiler's stack usage. |
| // |
| // - FP is set correctly (i.e. it points to the caller's call frame header). |
| // |
| // - SP - FP is an aligned difference. |
| // |
| // - Any byte between FP (exclusive) and SP (inclusive) could be live in the calling |
| // code. |
| // |
| // Therefore, we temporarily grow the stack for the purpose of the call and then |
| // shrink it after. |
| |
| state.setSpillStateForJSGetterSetter(spillState); |
| |
| RELEASE_ASSERT(!access.callLinkInfo()); |
| access.m_callLinkInfo = makeUnique<CallLinkInfo>(); |
| |
| // FIXME: If we generated a polymorphic call stub that jumped back to the getter |
| // stub, which then jumped back to the main code, then we'd have a reachability |
| // situation that the GC doesn't know about. The GC would ensure that the polymorphic |
| // call stub stayed alive, and it would ensure that the main code stayed alive, but |
| // it wouldn't know that the getter stub was alive. Ideally JIT stub routines would |
| // be GC objects, and then we'd be able to say that the polymorphic call stub has a |
| // reference to the getter stub. |
| // https://bugs.webkit.org/show_bug.cgi?id=148914 |
| access.callLinkInfo()->disallowStubs(); |
| |
| access.callLinkInfo()->setUpCall( |
| CallLinkInfo::Call, stubInfo.codeOrigin, loadedValueGPR); |
| |
| CCallHelpers::JumpList done; |
| |
| // There is a "this" argument. |
| unsigned numberOfParameters = 1; |
| // ... and a value argument if we're calling a setter. |
| if (m_type == Setter) |
| numberOfParameters++; |
| |
| // Get the accessor; if there ain't one then the result is jsUndefined(). |
| if (m_type == Setter) { |
| jit.loadPtr( |
| CCallHelpers::Address(loadedValueGPR, GetterSetter::offsetOfSetter()), |
| loadedValueGPR); |
| } else { |
| jit.loadPtr( |
| CCallHelpers::Address(loadedValueGPR, GetterSetter::offsetOfGetter()), |
| loadedValueGPR); |
| } |
| |
| CCallHelpers::Jump returnUndefined = jit.branchTestPtr( |
| CCallHelpers::Zero, loadedValueGPR); |
| |
| unsigned numberOfRegsForCall = CallFrame::headerSizeInRegisters + numberOfParameters; |
| unsigned numberOfBytesForCall = numberOfRegsForCall * sizeof(Register) - sizeof(CallerFrameAndPC); |
| |
| unsigned alignedNumberOfBytesForCall = |
| WTF::roundUpToMultipleOf(stackAlignmentBytes(), numberOfBytesForCall); |
| |
| jit.subPtr( |
| CCallHelpers::TrustedImm32(alignedNumberOfBytesForCall), |
| CCallHelpers::stackPointerRegister); |
| |
| CCallHelpers::Address calleeFrame = CCallHelpers::Address( |
| CCallHelpers::stackPointerRegister, |
| -static_cast<ptrdiff_t>(sizeof(CallerFrameAndPC))); |
| |
| jit.store32( |
| CCallHelpers::TrustedImm32(numberOfParameters), |
| calleeFrame.withOffset(CallFrameSlot::argumentCount * sizeof(Register) + PayloadOffset)); |
| |
| jit.storeCell( |
| loadedValueGPR, calleeFrame.withOffset(CallFrameSlot::callee * sizeof(Register))); |
| |
| jit.storeCell( |
| thisGPR, |
| calleeFrame.withOffset(virtualRegisterForArgument(0).offset() * sizeof(Register))); |
| |
| if (m_type == Setter) { |
| jit.storeValue( |
| valueRegs, |
| calleeFrame.withOffset( |
| virtualRegisterForArgument(1).offset() * sizeof(Register))); |
| } |
| |
| CCallHelpers::Jump slowCase = jit.branchPtrWithPatch( |
| CCallHelpers::NotEqual, loadedValueGPR, addressOfLinkFunctionCheck, |
| CCallHelpers::TrustedImmPtr(nullptr)); |
| |
| fastPathCall = jit.nearCall(); |
| if (m_type == Getter) |
| jit.setupResults(valueRegs); |
| done.append(jit.jump()); |
| |
| // FIXME: Revisit JSGlobalObject. |
| // https://bugs.webkit.org/show_bug.cgi?id=203204 |
| slowCase.link(&jit); |
| jit.move(loadedValueGPR, GPRInfo::regT0); |
| #if USE(JSVALUE32_64) |
| // We *always* know that the getter/setter, if non-null, is a cell. |
| jit.move(CCallHelpers::TrustedImm32(JSValue::CellTag), GPRInfo::regT1); |
| #endif |
| jit.move(CCallHelpers::TrustedImmPtr(access.callLinkInfo()), GPRInfo::regT2); |
| jit.move(CCallHelpers::TrustedImmPtr(state.m_globalObject), GPRInfo::regT3); |
| slowPathCall = jit.nearCall(); |
| if (m_type == Getter) |
| jit.setupResults(valueRegs); |
| done.append(jit.jump()); |
| |
| returnUndefined.link(&jit); |
| if (m_type == Getter) |
| jit.moveTrustedValue(jsUndefined(), valueRegs); |
| |
| done.link(&jit); |
| |
| jit.addPtr(CCallHelpers::TrustedImm32((codeBlock->stackPointerOffset() * sizeof(Register)) - state.preservedReusedRegisterState.numberOfBytesPreserved - spillState.numberOfStackBytesUsedForRegisterPreservation), |
| GPRInfo::callFrameRegister, CCallHelpers::stackPointerRegister); |
| bool callHasReturnValue = isGetter(); |
| restoreLiveRegistersFromStackForCall(spillState, callHasReturnValue); |
| |
| jit.addLinkTask([=, &vm] (LinkBuffer& linkBuffer) { |
| this->as<GetterSetterAccessCase>().callLinkInfo()->setCallLocations( |
| CodeLocationLabel<JSInternalPtrTag>(linkBuffer.locationOfNearCall<JSInternalPtrTag>(slowPathCall)), |
| CodeLocationLabel<JSInternalPtrTag>(linkBuffer.locationOf<JSInternalPtrTag>(addressOfLinkFunctionCheck)), |
| linkBuffer.locationOfNearCall<JSInternalPtrTag>(fastPathCall)); |
| |
| linkBuffer.link( |
| slowPathCall, |
| CodeLocationLabel<JITThunkPtrTag>(vm.getCTIStub(linkCallThunkGenerator).code())); |
| }); |
| } else { |
| ASSERT(m_type == CustomValueGetter || m_type == CustomAccessorGetter || m_type == CustomValueSetter || m_type == CustomAccessorSetter); |
| |
| // Need to make room for the C call so any of our stack spillage isn't overwritten. It's |
| // hard to track if someone did spillage or not, so we just assume that we always need |
| // to make some space here. |
| jit.makeSpaceOnStackForCCall(); |
| |
| // Check if it is a super access |
| GPRReg baseForCustomGetGPR = baseGPR != thisGPR ? thisGPR : baseForGetGPR; |
| |
| // getter: EncodedJSValue (*GetValueFunc)(JSGlobalObject*, EncodedJSValue thisValue, PropertyName); |
| // setter: void (*PutValueFunc)(JSGlobalObject*, EncodedJSValue thisObject, EncodedJSValue value); |
| // Custom values are passed the slotBase (the property holder), custom accessors are passed the thisVaule (reciever). |
| // FIXME: Remove this differences in custom values and custom accessors. |
| // https://bugs.webkit.org/show_bug.cgi?id=158014 |
| GPRReg baseForCustom = m_type == CustomValueGetter || m_type == CustomValueSetter ? baseForAccessGPR : baseForCustomGetGPR; |
| // FIXME: Revisit JSGlobalObject. |
| // https://bugs.webkit.org/show_bug.cgi?id=203204 |
| if (m_type == CustomValueGetter || m_type == CustomAccessorGetter) { |
| jit.setupArguments<PropertySlot::GetValueFunc>( |
| CCallHelpers::TrustedImmPtr(codeBlock->globalObject()), |
| CCallHelpers::CellValue(baseForCustom), |
| CCallHelpers::TrustedImmPtr(ident.impl())); |
| } else { |
| jit.setupArguments<PutPropertySlot::PutValueFunc>( |
| CCallHelpers::TrustedImmPtr(codeBlock->globalObject()), |
| CCallHelpers::CellValue(baseForCustom), |
| valueRegs); |
| } |
| jit.storePtr(GPRInfo::callFrameRegister, &vm.topCallFrame); |
| |
| operationCall = jit.call(OperationPtrTag); |
| jit.addLinkTask([=] (LinkBuffer& linkBuffer) { |
| linkBuffer.link(operationCall, this->as<GetterSetterAccessCase>().m_customAccessor); |
| }); |
| |
| if (m_type == CustomValueGetter || m_type == CustomAccessorGetter) |
| jit.setupResults(valueRegs); |
| jit.reclaimSpaceOnStackForCCall(); |
| |
| CCallHelpers::Jump noException = |
| jit.emitExceptionCheck(vm, CCallHelpers::InvertedExceptionCheck); |
| |
| state.restoreLiveRegistersFromStackForCallWithThrownException(spillState); |
| state.emitExplicitExceptionHandler(); |
| |
| noException.link(&jit); |
| bool callHasReturnValue = isGetter(); |
| restoreLiveRegistersFromStackForCall(spillState, callHasReturnValue); |
| } |
| state.succeed(); |
| return; |
| } |
| |
| case Replace: { |
| if (isInlineOffset(m_offset)) { |
| jit.storeValue( |
| valueRegs, |
| CCallHelpers::Address( |
| baseGPR, |
| JSObject::offsetOfInlineStorage() + |
| offsetInInlineStorage(m_offset) * sizeof(JSValue))); |
| } else { |
| jit.loadPtr(CCallHelpers::Address(baseGPR, JSObject::butterflyOffset()), scratchGPR); |
| jit.storeValue( |
| valueRegs, |
| CCallHelpers::Address( |
| scratchGPR, offsetInButterfly(m_offset) * sizeof(JSValue))); |
| } |
| state.succeed(); |
| return; |
| } |
| |
| case Transition: { |
| // AccessCase::transition() should have returned null if this wasn't true. |
| RELEASE_ASSERT(GPRInfo::numberOfRegisters >= 6 || !structure()->outOfLineCapacity() || structure()->outOfLineCapacity() == newStructure()->outOfLineCapacity()); |
| |
| // NOTE: This logic is duplicated in AccessCase::doesCalls(). It's important that doesCalls() knows |
| // exactly when this would make calls. |
| bool allocating = newStructure()->outOfLineCapacity() != structure()->outOfLineCapacity(); |
| bool reallocating = allocating && structure()->outOfLineCapacity(); |
| bool allocatingInline = allocating && !structure()->couldHaveIndexingHeader(); |
| |
| ScratchRegisterAllocator allocator(stubInfo.patch.usedRegisters); |
| allocator.lock(baseGPR); |
| #if USE(JSVALUE32_64) |
| allocator.lock(stubInfo.patch.baseTagGPR); |
| #endif |
| allocator.lock(valueRegs); |
| allocator.lock(scratchGPR); |
| |
| GPRReg scratchGPR2 = InvalidGPRReg; |
| GPRReg scratchGPR3 = InvalidGPRReg; |
| if (allocatingInline) { |
| scratchGPR2 = allocator.allocateScratchGPR(); |
| scratchGPR3 = allocator.allocateScratchGPR(); |
| } |
| |
| ScratchRegisterAllocator::PreservedState preservedState = |
| allocator.preserveReusedRegistersByPushing(jit, ScratchRegisterAllocator::ExtraStackSpace::SpaceForCCall); |
| |
| CCallHelpers::JumpList slowPath; |
| |
| ASSERT(structure()->transitionWatchpointSetHasBeenInvalidated()); |
| |
| if (allocating) { |
| size_t newSize = newStructure()->outOfLineCapacity() * sizeof(JSValue); |
| |
| if (allocatingInline) { |
| Allocator allocator = vm.jsValueGigacageAuxiliarySpace.allocatorFor(newSize, AllocatorForMode::AllocatorIfExists); |
| |
| jit.emitAllocate(scratchGPR, JITAllocator::constant(allocator), scratchGPR2, scratchGPR3, slowPath); |
| jit.addPtr(CCallHelpers::TrustedImm32(newSize + sizeof(IndexingHeader)), scratchGPR); |
| |
| size_t oldSize = structure()->outOfLineCapacity() * sizeof(JSValue); |
| ASSERT(newSize > oldSize); |
| |
| if (reallocating) { |
| // Handle the case where we are reallocating (i.e. the old structure/butterfly |
| // already had out-of-line property storage). |
| |
| jit.loadPtr(CCallHelpers::Address(baseGPR, JSObject::butterflyOffset()), scratchGPR3); |
| |
| // We have scratchGPR = new storage, scratchGPR3 = old storage, |
| // scratchGPR2 = available |
| for (size_t offset = 0; offset < oldSize; offset += sizeof(void*)) { |
| jit.loadPtr( |
| CCallHelpers::Address( |
| scratchGPR3, |
| -static_cast<ptrdiff_t>( |
| offset + sizeof(JSValue) + sizeof(void*))), |
| scratchGPR2); |
| jit.storePtr( |
| scratchGPR2, |
| CCallHelpers::Address( |
| scratchGPR, |
| -static_cast<ptrdiff_t>(offset + sizeof(JSValue) + sizeof(void*)))); |
| } |
| } |
| |
| for (size_t offset = oldSize; offset < newSize; offset += sizeof(void*)) |
| jit.storePtr(CCallHelpers::TrustedImmPtr(nullptr), CCallHelpers::Address(scratchGPR, -static_cast<ptrdiff_t>(offset + sizeof(JSValue) + sizeof(void*)))); |
| } else { |
| // Handle the case where we are allocating out-of-line using an operation. |
| RegisterSet extraRegistersToPreserve; |
| extraRegistersToPreserve.set(baseGPR); |
| extraRegistersToPreserve.set(valueRegs); |
| AccessGenerationState::SpillState spillState = state.preserveLiveRegistersToStackForCall(extraRegistersToPreserve); |
| |
| jit.store32( |
| CCallHelpers::TrustedImm32( |
| state.callSiteIndexForExceptionHandlingOrOriginal().bits()), |
| CCallHelpers::tagFor(static_cast<VirtualRegister>(CallFrameSlot::argumentCount))); |
| |
| jit.makeSpaceOnStackForCCall(); |
| |
| if (!reallocating) { |
| jit.setupArguments<decltype(operationReallocateButterflyToHavePropertyStorageWithInitialCapacity)>(CCallHelpers::TrustedImmPtr(&vm), baseGPR); |
| jit.prepareCallOperation(vm); |
| |
| CCallHelpers::Call operationCall = jit.call(OperationPtrTag); |
| jit.addLinkTask([=] (LinkBuffer& linkBuffer) { |
| linkBuffer.link( |
| operationCall, |
| FunctionPtr<OperationPtrTag>(operationReallocateButterflyToHavePropertyStorageWithInitialCapacity)); |
| }); |
| } else { |
| // Handle the case where we are reallocating (i.e. the old structure/butterfly |
| // already had out-of-line property storage). |
| jit.setupArguments<decltype(operationReallocateButterflyToGrowPropertyStorage)>(CCallHelpers::TrustedImmPtr(&vm), baseGPR, CCallHelpers::TrustedImm32(newSize / sizeof(JSValue))); |
| jit.prepareCallOperation(vm); |
| |
| CCallHelpers::Call operationCall = jit.call(OperationPtrTag); |
| jit.addLinkTask([=] (LinkBuffer& linkBuffer) { |
| linkBuffer.link( |
| operationCall, |
| FunctionPtr<OperationPtrTag>(operationReallocateButterflyToGrowPropertyStorage)); |
| }); |
| } |
| |
| jit.reclaimSpaceOnStackForCCall(); |
| jit.move(GPRInfo::returnValueGPR, scratchGPR); |
| |
| CCallHelpers::Jump noException = jit.emitExceptionCheck(vm, CCallHelpers::InvertedExceptionCheck); |
| |
| state.restoreLiveRegistersFromStackForCallWithThrownException(spillState); |
| state.emitExplicitExceptionHandler(); |
| |
| noException.link(&jit); |
| RegisterSet resultRegisterToExclude; |
| resultRegisterToExclude.set(scratchGPR); |
| state.restoreLiveRegistersFromStackForCall(spillState, resultRegisterToExclude); |
| } |
| } |
| |
| if (isInlineOffset(m_offset)) { |
| jit.storeValue( |
| valueRegs, |
| CCallHelpers::Address( |
| baseGPR, |
| JSObject::offsetOfInlineStorage() + |
| offsetInInlineStorage(m_offset) * sizeof(JSValue))); |
| } else { |
| if (!allocating) |
| jit.loadPtr(CCallHelpers::Address(baseGPR, JSObject::butterflyOffset()), scratchGPR); |
| jit.storeValue( |
| valueRegs, |
| CCallHelpers::Address(scratchGPR, offsetInButterfly(m_offset) * sizeof(JSValue))); |
| } |
| |
| if (allocatingInline) { |
| // If we were to have any indexed properties, then we would need to update the indexing mask on the base object. |
| RELEASE_ASSERT(!newStructure()->couldHaveIndexingHeader()); |
| // We set the new butterfly and the structure last. Doing it this way ensures that |
| // whatever we had done up to this point is forgotten if we choose to branch to slow |
| // path. |
| jit.nukeStructureAndStoreButterfly(vm, scratchGPR, baseGPR); |
| } |
| |
| uint32_t structureBits = bitwise_cast<uint32_t>(newStructure()->id()); |
| jit.store32( |
| CCallHelpers::TrustedImm32(structureBits), |
| CCallHelpers::Address(baseGPR, JSCell::structureIDOffset())); |
| |
| allocator.restoreReusedRegistersByPopping(jit, preservedState); |
| state.succeed(); |
| |
| // We will have a slow path if we were allocating without the help of an operation. |
| if (allocatingInline) { |
| if (allocator.didReuseRegisters()) { |
| slowPath.link(&jit); |
| allocator.restoreReusedRegistersByPopping(jit, preservedState); |
| state.failAndIgnore.append(jit.jump()); |
| } else |
| state.failAndIgnore.append(slowPath); |
| } else |
| RELEASE_ASSERT(slowPath.empty()); |
| return; |
| } |
| |
| case ArrayLength: { |
| jit.loadPtr(CCallHelpers::Address(baseGPR, JSObject::butterflyOffset()), scratchGPR); |
| jit.load32(CCallHelpers::Address(scratchGPR, ArrayStorage::lengthOffset()), scratchGPR); |
| state.failAndIgnore.append( |
| jit.branch32(CCallHelpers::LessThan, scratchGPR, CCallHelpers::TrustedImm32(0))); |
| jit.boxInt32(scratchGPR, valueRegs); |
| state.succeed(); |
| return; |
| } |
| |
| case StringLength: { |
| jit.loadPtr(CCallHelpers::Address(baseGPR, JSString::offsetOfValue()), scratchGPR); |
| auto isRope = jit.branchIfRopeStringImpl(scratchGPR); |
| jit.load32(CCallHelpers::Address(scratchGPR, StringImpl::lengthMemoryOffset()), valueRegs.payloadGPR()); |
| auto done = jit.jump(); |
| |
| isRope.link(&jit); |
| jit.load32(CCallHelpers::Address(baseGPR, JSRopeString::offsetOfLength()), valueRegs.payloadGPR()); |
| |
| done.link(&jit); |
| jit.boxInt32(valueRegs.payloadGPR(), valueRegs); |
| state.succeed(); |
| return; |
| } |
| |
| case IntrinsicGetter: { |
| RELEASE_ASSERT(isValidOffset(offset())); |
| |
| // We need to ensure the getter value does not move from under us. Note that GetterSetters |
| // are immutable so we just need to watch the property not any value inside it. |
| Structure* currStructure; |
| if (!hasAlternateBase()) |
| currStructure = structure(); |
| else |
| currStructure = alternateBase()->structure(vm); |
| currStructure->startWatchingPropertyForReplacements(vm, offset()); |
| |
| this->as<IntrinsicGetterAccessCase>().emitIntrinsicGetter(state); |
| return; |
| } |
| |
| case DirectArgumentsLength: |
| case ScopedArgumentsLength: |
| case ModuleNamespaceLoad: |
| case InstanceOfGeneric: |
| // These need to be handled by generateWithGuard(), since the guard is part of the |
| // algorithm. We can be sure that nobody will call generate() directly for these since they |
| // are not guarded by structure checks. |
| RELEASE_ASSERT_NOT_REACHED(); |
| } |
| |
| RELEASE_ASSERT_NOT_REACHED(); |
| } |
| |
| } // namespace JSC |
| |
| #endif |