Bug 238176

Summary: [JSC] Use Data CallIC in unlinked DFG
Product: WebKit Reporter: Yusuke Suzuki <ysuzuki>
Component: New BugsAssignee: Yusuke Suzuki <ysuzuki>
Status: RESOLVED FIXED    
Severity: Normal CC: ews-watchlist, keith_miller, mark.lam, msaboff, saam, tzagallo, webkit-bug-importer
Priority: P2 Keywords: InRadar
Version: WebKit Nightly Build   
Hardware: Unspecified   
OS: Unspecified   
Attachments:
Description Flags
Patch
none
Patch
none
Patch
ews-feeder: commit-queue-
Patch
none
Patch
none
Patch
none
Patch saam: review+

Description Yusuke Suzuki 2022-03-21 17:51:00 PDT 
[JSC] Use Data CallIC in unlinked DFG
Comment 1 Yusuke Suzuki 2022-03-21 17:51:16 PDT 
Created attachment 455309 [details]
Patch
Comment 2 Yusuke Suzuki 2022-03-23 15:07:30 PDT 
Created attachment 455566 [details]
Patch
Comment 3 Yusuke Suzuki 2022-03-23 18:10:37 PDT 
Created attachment 455590 [details]
Patch
Comment 4 Yusuke Suzuki 2022-03-23 18:51:02 PDT 
Created attachment 455595 [details]
Patch
Comment 5 Yusuke Suzuki 2022-03-24 03:33:14 PDT 
Created attachment 455630 [details]
Patch
Comment 6 Yusuke Suzuki 2022-03-24 14:36:31 PDT 
Created attachment 455685 [details]
Patch
Comment 7 Yusuke Suzuki 2022-03-24 17:12:55 PDT 
Created attachment 455709 [details]
Patch
Comment 8 Saam Barati 2022-03-24 18:51:51 PDT 
Comment on attachment 455709 [details]
Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=455709&action=review

r=me with comments

> Source/JavaScriptCore/dfg/DFGSpeculativeJIT64.cpp:836
> +                GPRTemporary callLinkInfoTemp(this, JITCompiler::selectScratchGPR(calleeGPR, GPRInfo::regT0));

This looks wrong to me. I think we want this GPRTemporary to stay around longer than the scope of this if statement, otherwise we might reuse this register.

> Source/JavaScriptCore/dfg/DFGSpeculativeJIT64.cpp:889
> +            GPRTemporary callLinkInfoTemp(this, JITCompiler::selectScratchGPR(calleeGPR, GPRInfo::regT0));

This looks wrong to me. I think we want this GPRTemporary to stay around longer than the scope of this if statement, otherwise we might reuse this register.
Comment 9 Yusuke Suzuki 2022-03-24 23:13:34 PDT 
Comment on attachment 455709 [details]
Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=455709&action=review

>> Source/JavaScriptCore/dfg/DFGSpeculativeJIT64.cpp:836
>> +                GPRTemporary callLinkInfoTemp(this, JITCompiler::selectScratchGPR(calleeGPR, GPRInfo::regT0));
> 
> This looks wrong to me. I think we want this GPRTemporary to stay around longer than the scope of this if statement, otherwise we might reuse this register.

Discussed with Saam. This is intentional one to allocate non-callee-save register from DFG register bank.

>> Source/JavaScriptCore/dfg/DFGSpeculativeJIT64.cpp:889
>> +            GPRTemporary callLinkInfoTemp(this, JITCompiler::selectScratchGPR(calleeGPR, GPRInfo::regT0));
> 
> This looks wrong to me. I think we want this GPRTemporary to stay around longer than the scope of this if statement, otherwise we might reuse this register.

Ditto.
Comment 10 Yusuke Suzuki 2022-03-25 12:09:00 PDT 
Committed r291875 (248877@trunk): <https://commits.webkit.org/248877@trunk>
Comment 11 Radar WebKit Bug Importer 2022-03-25 12:09:16 PDT 
<rdar://problem/90850205>