Merge from mozilla-central.
/* -*- Mode: C++; tab-width: 4; indent-tabs-mode: nil; c-basic-offset: 4 -*-
* vim: set ts=4 sw=4 et tw=99:
*
* ***** BEGIN LICENSE BLOCK *****
* Version: MPL 1.1/GPL 2.0/LGPL 2.1
*
* The contents of this file are subject to the Mozilla Public License Version
* 1.1 (the "License"); you may not use this file except in compliance with
* the License. You may obtain a copy of the License at
* http://www.mozilla.org/MPL/
*
* Software distributed under the License is distributed on an "AS IS" basis,
* WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
* for the specific language governing rights and limitations under the
* License.
*
* The Original Code is Mozilla SpiderMonkey JavaScript 1.9 code, released
* May 28, 2008.
*
* The Initial Developer of the Original Code is
* Brendan Eich <brendan@mozilla.org>
*
* Contributor(s):
* Andreas Gal <gal@mozilla.com>
* Mike Shaver <shaver@mozilla.org>
* David Anderson <danderson@mozilla.com>
*
* Alternatively, the contents of this file may be used under the terms of
* either of the GNU General Public License Version 2 or later (the "GPL"),
* or the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
* in which case the provisions of the GPL or the LGPL are applicable instead
* of those above. If you wish to allow use of your version of this file only
* under the terms of either the GPL or the LGPL, and not to allow others to
* use your version of this file under the terms of the MPL, indicate your
* decision by deleting the provisions above and replace them with the notice
* and other provisions required by the GPL or the LGPL. If you do not delete
* the provisions above, a recipient may use your version of this file under
* the terms of any one of the MPL, the GPL or the LGPL.
*
* ***** END LICENSE BLOCK ***** */
#include "jsstdint.h"
#include "jsbit.h" // low-level (NSPR-based) headers next
#include "jsprf.h"
#include <math.h> // standard headers next
#if defined(_MSC_VER) || defined(__MINGW32__)
#include <malloc.h>
#ifdef _MSC_VER
#define alloca _alloca
#endif
#endif
#ifdef SOLARIS
#include <alloca.h>
#endif
#include <limits.h>
#include "nanojit/nanojit.h"
#include "jsapi.h" // higher-level library and API headers
#include "jsarray.h"
#include "jsbool.h"
#include "jscntxt.h"
#include "jscompartment.h"
#include "jsdate.h"
#include "jsdbgapi.h"
#include "jsemit.h"
#include "jsfun.h"
#include "jsgc.h"
#include "jsgcmark.h"
#include "jsinterp.h"
#include "jsiter.h"
#include "jsmath.h"
#include "jsobj.h"
#include "jsopcode.h"
#include "jsregexp.h"
#include "jsscope.h"
#include "jsscript.h"
#include "jsstaticcheck.h"
#include "jstl.h"
#include "jstracer.h"
#include "jsxml.h"
#include "jstypedarray.h"
#include "jsatominlines.h"
#include "jscntxtinlines.h"
#include "jsfuninlines.h"
#include "jsinterpinlines.h"
#include "jspropertycacheinlines.h"
#include "jsobjinlines.h"
#include "jsscopeinlines.h"
#include "jsscriptinlines.h"
#include "jscntxtinlines.h"
#include "jsopcodeinlines.h"
#include "jstypedarrayinlines.h"
#include "vm/Stack-inl.h"
#ifdef JS_METHODJIT
#include "methodjit/MethodJIT.h"
#endif
#include "tracejit/Writer-inl.h"
#include "jsautooplen.h" // generated headers last
#include "imacros.c.out"
#if defined(NANOJIT_ARM) && defined(__GNUC__) && defined(AVMPLUS_LINUX)
#include <stdlib.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/stat.h>
#include <sys/mman.h>
#include <fcntl.h>
#include <string.h>
#include <elf.h>
#endif
#ifdef DEBUG
namespace js {
static const char*
getExitName(ExitType type)
{
static const char* exitNames[] =
{
#define MAKE_EXIT_STRING(x) #x,
JS_TM_EXITCODES(MAKE_EXIT_STRING)
#undef MAKE_EXIT_STRING
NULL
};
JS_ASSERT(type < TOTAL_EXIT_TYPES);
return exitNames[type];
}
}
#endif /* DEBUG */
namespace nanojit {
using namespace js;
using namespace js::gc;
using namespace js::tjit;
/*
* This macro is just like JS_NOT_REACHED but it exists in non-debug builds
* too. Its presence indicates shortcomings in jstracer's handling of some
* OOM situations:
* - OOM failures in constructors, which lack a return value to pass back a
* failure code (though it can and should be done indirectly).
* - OOM failures in the "infallible" allocators used for Nanojit.
*
* FIXME: bug 624590 is open to fix these problems.
*/
#define OUT_OF_MEMORY_ABORT(msg) JS_Assert(msg, __FILE__, __LINE__);
/* Implement embedder-specific nanojit members. */
/*
* Nanojit requires infallible allocations most of the time. We satisfy this by
* reserving some space in each allocator which is used as a fallback if
* rt->calloc_() fails. Ideally this reserve space should be big enough to allow
* for all infallible requests made to the allocator until the next OOM check
* occurs, but it turns out that's impossible to guarantee (though it should be
* unlikely). So we abort if the reserve runs out; this is better than
* allowing memory errors to occur.
*
* The space calculations are as follows... between OOM checks, each
* VMAllocator can do (ie. has been seen to do) the following maximum
* allocations on 64-bits:
*
* - dataAlloc: 31 minimum-sized chunks (MIN_CHUNK_SZB) in assm->compile()
* (though arbitrarily more could occur due to LabelStateMap additions done
* when handling labels): 62,248 bytes. This one is the most likely to
* overflow.
*
* - traceAlloc: 1 minimum-sized chunk: 2,008 bytes.
*
* - tempAlloc: 1 LIR code chunk (CHUNK_SZB) and 5 minimum-sized chunks for
* sundry small allocations: 18,048 bytes.
*
* The reserve sizes are chosen by exceeding this by a reasonable amount.
* Reserves for 32-bits are slightly more than half, because most of the
* allocated space is used to hold pointers.
*
* FIXME: Bug 624590 is open to get rid of all this.
*/
static const size_t DataReserveSize = 12500 * sizeof(uintptr_t);
static const size_t TraceReserveSize = 5000 * sizeof(uintptr_t);
static const size_t TempReserveSize = 1000 * sizeof(uintptr_t);
void*
nanojit::Allocator::allocChunk(size_t nbytes, bool fallible)
{
VMAllocator *vma = (VMAllocator*)this;
/*
* Nb: it's conceivable that request 1 might fail (in which case
* mOutOfMemory will be set) and then request 2 succeeds. The subsequent
* OOM check will still fail, which is what we want, and the success of
* request 2 makes it less likely that the reserve space will overflow.
*/
void *p = vma->mRt->calloc_(nbytes);
if (p) {
vma->mSize += nbytes;
} else {
vma->mOutOfMemory = true;
if (!fallible) {
p = (void *)vma->mReserveCurr;
vma->mReserveCurr += nbytes;
if (vma->mReserveCurr > vma->mReserveLimit)
OUT_OF_MEMORY_ABORT("nanojit::Allocator::allocChunk: out of memory");
memset(p, 0, nbytes);
vma->mSize += nbytes;
}
}
return p;
}
void
nanojit::Allocator::freeChunk(void *p) {
VMAllocator *vma = (VMAllocator*)this;
if (p < vma->mReserve || uintptr_t(p) >= vma->mReserveLimit)
UnwantedForeground::free_(p);
}
void
nanojit::Allocator::postReset() {
VMAllocator *vma = (VMAllocator*)this;
vma->mOutOfMemory = false;
vma->mSize = 0;
vma->mReserveCurr = uintptr_t(vma->mReserve);
}
int
StackFilter::getTop(LIns* guard)
{
VMSideExit* e = (VMSideExit*)guard->record()->exit;
return e->sp_adj;
}
#if defined NJ_VERBOSE
static void
formatGuardExit(InsBuf *buf, LIns *ins)
{
VMSideExit *x = (VMSideExit *)ins->record()->exit;
RefBuf b1;
if (LogController.lcbits & LC_FragProfile)
VMPI_snprintf(b1.buf, b1.len, " (GuardID=%03d)", ins->record()->profGuardID);
else
b1.buf[0] = '\0';
VMPI_snprintf(buf->buf, buf->len,
" -> exit=%p pc=%p imacpc=%p sp%+ld rp%+ld %s%s",
(void *)x,
(void *)x->pc,
(void *)x->imacpc,
(long int)x->sp_adj,
(long int)x->rp_adj,
getExitName(x->exitType),
b1.buf);
}
void
LInsPrinter::formatGuard(InsBuf *buf, LIns *ins)
{
RefBuf b1, b2;
InsBuf b3;
formatGuardExit(&b3, ins);
VMPI_snprintf(buf->buf, buf->len,
"%s: %s %s%s",
formatRef(&b1, ins),
lirNames[ins->opcode()],
ins->oprnd1() ? formatRef(&b2, ins->oprnd1()) : "",
b3.buf);
}
void
LInsPrinter::formatGuardXov(InsBuf *buf, LIns *ins)
{
RefBuf b1, b2, b3;
InsBuf b4;
formatGuardExit(&b4, ins);
VMPI_snprintf(buf->buf, buf->len,
"%s = %s %s, %s%s",
formatRef(&b1, ins),
lirNames[ins->opcode()],
formatRef(&b2, ins->oprnd1()),
formatRef(&b3, ins->oprnd2()),
b4.buf);
}
const char*
nanojit::LInsPrinter::accNames[] = {
"state", // (1 << 0) == ACCSET_STATE
"sp", // (1 << 1) == ACCSET_STACK
"rp", // (1 << 2) == ACCSET_RSTACK
"cx", // (1 << 3) == ACCSET_CX
"tm", // (1 << 4) == ACCSET_TM
"eos", // (1 << 5) == ACCSET_EOS
"alloc", // (1 << 6) == ACCSET_ALLOC
"regs", // (1 << 7) == ACCSET_FRAMEREGS
"sf", // (1 << 8) == ACCSET_STACKFRAME
"rt", // (1 << 9) == ACCSET_RUNTIME
"objclasp", // (1 << 10) == ACCSET_OBJ_CLASP
"objflags", // (1 << 11) == ACCSET_OBJ_FLAGS
"objshape", // (1 << 12) == ACCSET_OBJ_SHAPE
"objproto", // (1 << 13) == ACCSET_OBJ_PROTO
"objparent", // (1 << 14) == ACCSET_OBJ_PARENT
"objprivate", // (1 << 15) == ACCSET_OBJ_PRIVATE
"objcapacity", // (1 << 16) == ACCSET_OBJ_CAPACITY
"objslots", // (1 << 17) == ACCSET_OBJ_SLOTS
"slots", // (1 << 18) == ACCSET_SLOTS
"tarray", // (1 << 19) == ACCSET_TARRAY
"tdata", // (1 << 20) == ACCSET_TARRAY_DATA
"iter", // (1 << 21) == ACCSET_ITER
"iterprops", // (1 << 22) == ACCSET_ITER_PROPS
"str", // (1 << 23) == ACCSET_STRING
"strmchars", // (1 << 24) == ACCSET_STRING_MCHARS
"typemap", // (1 << 25) == ACCSET_TYPEMAP
"fcslots", // (1 << 26) == ACCSET_FCSLOTS
"argsdata", // (1 << 27) == ACCSET_ARGS_DATA
"seg", // (1 << 28) == ACCSET_SEG
"?!" // this entry should never be used, have it just in case
};
JS_STATIC_ASSERT(JS_ARRAY_LENGTH(nanojit::LInsPrinter::accNames) == TM_NUM_USED_ACCS + 1);
#endif
} /* namespace nanojit */
JS_DEFINE_CALLINFO_2(extern, STRING, js_IntToString, CONTEXT, INT32, 1, nanojit::ACCSET_NONE)
namespace js {
using namespace nanojit;
#if JS_HAS_XML_SUPPORT
#define RETURN_VALUE_IF_XML(val, ret) \
JS_BEGIN_MACRO \
if (!val.isPrimitive() && val.toObject().isXML()) \
RETURN_VALUE("xml detected", ret); \
JS_END_MACRO
#else
#define RETURN_IF_XML(val, ret) ((void) 0)
#endif
#define RETURN_IF_XML_A(val) RETURN_VALUE_IF_XML(val, ARECORD_STOP)
#define RETURN_IF_XML(val) RETURN_VALUE_IF_XML(val, RECORD_STOP)
JS_STATIC_ASSERT(sizeof(JSValueType) == 1);
JS_STATIC_ASSERT(offsetof(TraceNativeStorage, stack_global_buf) % 16 == 0);
/* Map to translate a type tag into a printable representation. */
#ifdef DEBUG
static char
TypeToChar(JSValueType type)
{
switch (type) {
case JSVAL_TYPE_DOUBLE: return 'D';
case JSVAL_TYPE_INT32: return 'I';
case JSVAL_TYPE_STRING: return 'S';
case JSVAL_TYPE_OBJECT: return '!';
case JSVAL_TYPE_BOOLEAN: return 'B';
case JSVAL_TYPE_NULL: return 'N';
case JSVAL_TYPE_UNDEFINED: return 'U';
case JSVAL_TYPE_MAGIC: return 'M';
case JSVAL_TYPE_FUNOBJ: return 'F';
case JSVAL_TYPE_NONFUNOBJ: return 'O';
case JSVAL_TYPE_BOXED: return '#';
case JSVAL_TYPE_STRORNULL: return 's';
case JSVAL_TYPE_OBJORNULL: return 'o';
default: return '?';
}
}
static char
ValueToTypeChar(const Value &v)
{
if (v.isInt32()) return 'I';
if (v.isDouble()) return 'D';
if (v.isString()) return 'S';
if (v.isObject()) return v.toObject().isFunction() ? 'F' : 'O';
if (v.isBoolean()) return 'B';
if (v.isNull()) return 'N';
if (v.isUndefined()) return 'U';
if (v.isMagic()) return 'M';
return '?';
}
static inline uintN
FramePCOffset(JSContext *cx, js::StackFrame* fp)
{
jsbytecode *pc = fp->pcQuadratic(cx);
return uintN(pc - fp->script()->code);
}
#endif
static inline uintN
CurrentPCOffset(JSContext *cx)
{
StackFrame *fp = cx->fp();
jsbytecode *pc = fp->hasImacropc() ? fp->imacropc() : cx->regs().pc;
return uintN(pc - fp->script()->code);
}
/* Blacklist parameters. */
/*
* Number of iterations of a loop where we start tracing. That is, we don't
* start tracing until the beginning of the HOTLOOP-th iteration.
*/
#define HOTLOOP 8
/* Attempt recording this many times before blacklisting permanently. */
#define BL_ATTEMPTS 2
/* Skip this many hits before attempting recording again, after an aborted attempt. */
#define BL_BACKOFF 32
/*
* If, after running a trace CHECK_LOOP_ITERS times, it hasn't done MIN_LOOP_ITERS
* iterations, we blacklist it.
*/
#define MIN_LOOP_ITERS 200
#define LOOP_CHECK_ITERS 10
#ifdef DEBUG
#define LOOP_COUNT_MAX 100000000
#else
#define LOOP_COUNT_MAX MIN_LOOP_ITERS
#endif
/* Number of times we wait to exit on a side exit before we try to extend the tree. */
#define HOTEXIT 1
/* Number of times we try to extend the tree along a side exit. */
#define MAXEXIT 3
/* Maximum number of peer trees allowed. */
#define MAXPEERS 9
/* Max call depths for inlining. */
#define MAX_CALLDEPTH 10
/* Max number of slots in a table-switch. */
#define MAX_TABLE_SWITCH 256
/* Max number of branches per tree. */
#define MAX_BRANCHES 32
#define CHECK_STATUS(expr) \
JS_BEGIN_MACRO \
RecordingStatus _status = (expr); \
if (_status != RECORD_CONTINUE) \
return _status; \
JS_END_MACRO
#define CHECK_STATUS_A(expr) \
JS_BEGIN_MACRO \
AbortableRecordingStatus _status = InjectStatus((expr)); \
if (_status != ARECORD_CONTINUE) \
return _status; \
JS_END_MACRO
#ifdef JS_JIT_SPEW
#define RETURN_VALUE(msg, value) \
JS_BEGIN_MACRO \
debug_only_printf(LC_TMAbort, "trace stopped: %d: %s\n", __LINE__, (msg)); \
return (value); \
JS_END_MACRO
#else
#define RETURN_VALUE(msg, value) return (value)
#endif
#define RETURN_STOP(msg) RETURN_VALUE(msg, RECORD_STOP)
#define RETURN_STOP_A(msg) RETURN_VALUE(msg, ARECORD_STOP)
#define RETURN_ERROR(msg) RETURN_VALUE(msg, RECORD_ERROR)
#define RETURN_ERROR_A(msg) RETURN_VALUE(msg, ARECORD_ERROR)
#ifdef JS_JIT_SPEW
struct __jitstats {
#define JITSTAT(x) uint64 x;
#include "jitstats.tbl"
#undef JITSTAT
} jitstats = { 0LL, };
JS_STATIC_ASSERT(sizeof(jitstats) % sizeof(uint64) == 0);
enum jitstat_ids {
#define JITSTAT(x) STAT ## x ## ID,
#include "jitstats.tbl"
#undef JITSTAT
STAT_IDS_TOTAL
};
static JSBool
jitstats_getOnTrace(JSContext *cx, JSObject *obj, jsid id, jsval *vp)
{
*vp = BOOLEAN_TO_JSVAL(JS_ON_TRACE(cx));
return true;
}
static JSPropertySpec jitstats_props[] = {
#define JITSTAT(x) { #x, STAT ## x ## ID, JSPROP_ENUMERATE | JSPROP_READONLY | JSPROP_PERMANENT },
#include "jitstats.tbl"
#undef JITSTAT
{ "onTrace", 0, JSPROP_ENUMERATE | JSPROP_READONLY | JSPROP_PERMANENT, jitstats_getOnTrace, NULL },
{ 0 }
};
static JSBool
jitstats_getProperty(JSContext *cx, JSObject *obj, jsid id, jsval *vp)
{
int index = -1;
if (JSID_IS_STRING(id)) {
JSAtom* str = JSID_TO_ATOM(id);
if (StringEqualsAscii(str, "HOTLOOP")) {
*vp = INT_TO_JSVAL(HOTLOOP);
return JS_TRUE;
}
if (StringEqualsAscii(str, "adaptive")) {
#ifdef JS_METHODJIT
*vp = BOOLEAN_TO_JSVAL(cx->profilingEnabled ||
(cx->methodJitEnabled &&
!cx->hasRunOption(JSOPTION_METHODJIT_ALWAYS)));
#else
*vp = BOOLEAN_TO_JSVAL(false);
#endif
return JS_TRUE;
}
}
if (JSID_IS_INT(id))
index = JSID_TO_INT(id);
uint64 result = 0;
switch (index) {
#define JITSTAT(x) case STAT ## x ## ID: result = jitstats.x; break;
#include "jitstats.tbl"
#undef JITSTAT
default:
*vp = JSVAL_VOID;
return JS_TRUE;
}
if (result < JSVAL_INT_MAX) {
*vp = INT_TO_JSVAL(jsint(result));
return JS_TRUE;
}
char retstr[64];
JS_snprintf(retstr, sizeof retstr, "%llu", result);
*vp = STRING_TO_JSVAL(JS_NewStringCopyZ(cx, retstr));
return JS_TRUE;
}
JSClass jitstats_class = {
"jitstats",
0,
JS_PropertyStub, JS_PropertyStub,
jitstats_getProperty, JS_StrictPropertyStub,
JS_EnumerateStub, JS_ResolveStub,
JS_ConvertStub, NULL,
JSCLASS_NO_OPTIONAL_MEMBERS
};
void
InitJITStatsClass(JSContext *cx, JSObject *glob)
{
JS_InitClass(cx, glob, NULL, &jitstats_class, NULL, 0,
jitstats_props, NULL, NULL, NULL);
}
#define AUDIT(x) (jitstats.x++)
#else
#define AUDIT(x) ((void)0)
#endif /* JS_JIT_SPEW */
#ifdef JS_JIT_SPEW
static void
DumpPeerStability(TraceMonitor* tm, const void* ip, JSObject* globalObj, uint32 globalShape, uint32 argc);
#endif
/*
* We really need a better way to configure the JIT. Shaver, where is
* my fancy JIT object?
*
* NB: this is raced on, if jstracer.cpp should ever be running MT.
* I think it's harmless tho.
*/
static bool did_we_check_processor_features = false;
nanojit::Config NJConfig;
/* ------ Debug logging control ------ */
/*
* All the logging control stuff lives in here. It is shared between
* all threads, but I think that's OK.
*/
LogControl LogController;
#ifdef JS_JIT_SPEW
/*
* NB: this is raced on too, if jstracer.cpp should ever be running MT.
* Also harmless.
*/
static bool did_we_set_up_debug_logging = false;
static void
InitJITLogController()
{
char *tm, *tmf;
uint32_t bits;
LogController.lcbits = 0;
tm = getenv("TRACEMONKEY");
if (tm) {
fflush(NULL);
printf(
"The environment variable $TRACEMONKEY has been replaced by $TMFLAGS.\n"
"Try 'TMFLAGS=help js -j' for a list of options.\n"
);
exit(0);
}
tmf = getenv("TMFLAGS");
if (!tmf) return;
/* Using strstr() is really a cheap hack as far as flag decoding goes. */
if (strstr(tmf, "help")) {
fflush(NULL);
printf(
"usage: TMFLAGS=option,option,option,... where options can be:\n"
"\n"
" help show this message\n"
" ------ options for jstracer & jsregexp ------\n"
" minimal ultra-minimalist output; try this first\n"
" full everything except 'treevis' and 'fragprofile'\n"
" tracer tracer lifetime (FIXME:better description)\n"
" recorder trace recording stuff (FIXME:better description)\n"
" abort show trace recording aborts\n"
" stats show trace recording stats\n"
" regexp show compilation & entry for regexps\n"
" profiler show loop profiles as they are profiled\n"
" treevis spew that tracevis/tree.py can parse\n"
" ------ options for Nanojit ------\n"
" fragprofile count entries and exits for each fragment\n"
" liveness show LIR liveness at start of reader pipeline\n"
" readlir show LIR as it enters the reader pipeline\n"
" aftersf show LIR after StackFilter\n"
" afterdce show LIR after dead code elimination\n"
" native show native code (interleaved with 'afterdce')\n"
" nativebytes show native code bytes in 'native' output\n"
" regalloc show regalloc state in 'native' output\n"
" activation show activation state in 'native' output\n"
"\n"
);
exit(0);
/*NOTREACHED*/
}
bits = 0;
/* flags for jstracer.cpp */
if (strstr(tmf, "minimal") || strstr(tmf, "full")) bits |= LC_TMMinimal;
if (strstr(tmf, "tracer") || strstr(tmf, "full")) bits |= LC_TMTracer;
if (strstr(tmf, "recorder") || strstr(tmf, "full")) bits |= LC_TMRecorder;
if (strstr(tmf, "abort") || strstr(tmf, "full")) bits |= LC_TMAbort;
if (strstr(tmf, "stats") || strstr(tmf, "full")) bits |= LC_TMStats;
if (strstr(tmf, "profiler") || strstr(tmf, "full")) bits |= LC_TMProfiler;
if (strstr(tmf, "treevis")) bits |= LC_TMTreeVis;
/* flags for nanojit */
if (strstr(tmf, "fragprofile")) bits |= LC_FragProfile;
if (strstr(tmf, "liveness") || strstr(tmf, "full")) bits |= LC_Liveness;
if (strstr(tmf, "readlir") || strstr(tmf, "full")) bits |= LC_ReadLIR;
if (strstr(tmf, "aftersf") || strstr(tmf, "full")) bits |= LC_AfterSF;
if (strstr(tmf, "afterdce") || strstr(tmf, "full")) bits |= LC_AfterDCE;
if (strstr(tmf, "native") || strstr(tmf, "full")) bits |= LC_Native;
if (strstr(tmf, "nativebytes")|| strstr(tmf, "full")) bits |= LC_Bytes;
if (strstr(tmf, "regalloc") || strstr(tmf, "full")) bits |= LC_RegAlloc;
if (strstr(tmf, "activation") || strstr(tmf, "full")) bits |= LC_Activation;
LogController.lcbits = bits;
return;
}
#endif
/* ------------------ Frag-level profiling support ------------------ */
#ifdef JS_JIT_SPEW
/*
* All the allocations done by this profile data-collection and
* display machinery, are done in TraceMonitor::profAlloc. That is
* emptied out at the end of FinishJIT. It has a lifetime from
* InitJIT to FinishJIT, which exactly matches the span
* js_FragProfiling_init to js_FragProfiling_showResults.
*/
template<class T>
static
Seq<T>* reverseInPlace(Seq<T>* seq)
{
Seq<T>* prev = NULL;
Seq<T>* curr = seq;
while (curr) {
Seq<T>* next = curr->tail;
curr->tail = prev;
prev = curr;
curr = next;
}
return prev;
}
// The number of top blocks to show in the profile
#define N_TOP_BLOCKS 50
// Contains profile info for a single guard
struct GuardPI {
uint32_t guardID; // identifying number
uint32_t count; // count.
};
struct FragPI {
uint32_t count; // entry count for this Fragment
uint32_t nStaticExits; // statically: the number of exits
size_t nCodeBytes; // statically: the number of insn bytes in the main fragment
size_t nExitBytes; // statically: the number of insn bytes in the exit paths
Seq<GuardPI>* guards; // guards, each with its own count
uint32_t largestGuardID; // that exists in .guards
};
void
FragProfiling_FragFinalizer(Fragment* f, TraceMonitor* tm)
{
// Recover profiling data from 'f', which is logically at the end
// of its useful lifetime.
if (!(LogController.lcbits & LC_FragProfile))
return;
NanoAssert(f);
// Valid profFragIDs start at 1
NanoAssert(f->profFragID >= 1);
// Should be called exactly once per Fragment. This will assert if
// you issue the same FragID to more than one Fragment.
NanoAssert(!tm->profTab->containsKey(f->profFragID));
FragPI pi = { f->profCount,
f->nStaticExits,
f->nCodeBytes,
f->nExitBytes,
NULL, 0 };
// Begin sanity check on the guards
SeqBuilder<GuardPI> guardsBuilder(*tm->profAlloc);
GuardRecord* gr;
uint32_t nGs = 0;
uint32_t sumOfDynExits = 0;
for (gr = f->guardsForFrag; gr; gr = gr->nextInFrag) {
nGs++;
// Also copy the data into our auxiliary structure.
// f->guardsForFrag is in reverse order, and so this
// copy preserves that ordering (->add adds at end).
// Valid profGuardIDs start at 1.
NanoAssert(gr->profGuardID > 0);
sumOfDynExits += gr->profCount;
GuardPI gpi = { gr->profGuardID, gr->profCount };
guardsBuilder.add(gpi);
if (gr->profGuardID > pi.largestGuardID)
pi.largestGuardID = gr->profGuardID;
}
pi.guards = guardsBuilder.get();
// And put the guard list in forwards order
pi.guards = reverseInPlace(pi.guards);
// Why is this so? Because nGs is the number of guards
// at the time the LIR was generated, whereas f->nStaticExits
// is the number of them observed by the time it makes it
// through to the assembler. It can be the case that LIR
// optimisation removes redundant guards; hence we expect
// nGs to always be the same or higher.
NanoAssert(nGs >= f->nStaticExits);
// Also we can assert that the sum of the exit counts
// can't exceed the entry count. It'd be nice to assert that
// they are exactly equal, but we can't because we don't know
// how many times we got to the end of the trace.
NanoAssert(f->profCount >= sumOfDynExits);
// End sanity check on guards
tm->profTab->put(f->profFragID, pi);
}
static void
FragProfiling_showResults(TraceMonitor* tm)
{
uint32_t topFragID[N_TOP_BLOCKS];
FragPI topPI[N_TOP_BLOCKS];
uint64_t totCount = 0, cumulCount;
uint32_t totSE = 0;
size_t totCodeB = 0, totExitB = 0;
PodArrayZero(topFragID);
PodArrayZero(topPI);
FragStatsMap::Iter iter(*tm->profTab);
while (iter.next()) {
uint32_t fragID = iter.key();
FragPI pi = iter.value();
uint32_t count = pi.count;
totCount += (uint64_t)count;
/* Find the rank for this entry, in tops */
int r = N_TOP_BLOCKS-1;
while (true) {
if (r == -1)
break;
if (topFragID[r] == 0) {
r--;
continue;
}
if (count > topPI[r].count) {
r--;
continue;
}
break;
}
r++;
NanoAssert(r >= 0 && r <= N_TOP_BLOCKS);
/* This entry should be placed at topPI[r], and entries
at higher numbered slots moved up one. */
if (r < N_TOP_BLOCKS) {
for (int s = N_TOP_BLOCKS-1; s > r; s--) {
topFragID[s] = topFragID[s-1];
topPI[s] = topPI[s-1];
}
topFragID[r] = fragID;
topPI[r] = pi;
}
}
LogController.printf(
"\n----------------- Per-fragment execution counts ------------------\n");
LogController.printf(
"\nTotal count = %llu\n\n", (unsigned long long int)totCount);
LogController.printf(
" Entry counts Entry counts ----- Static -----\n");
LogController.printf(
" ------Self------ ----Cumulative--- Exits Cbytes Xbytes FragID\n");
LogController.printf("\n");
if (totCount == 0)
totCount = 1; /* avoid division by zero */
cumulCount = 0;
int r;
for (r = 0; r < N_TOP_BLOCKS; r++) {
if (topFragID[r] == 0)
break;
cumulCount += (uint64_t)topPI[r].count;
LogController.printf("%3d: %5.2f%% %9u %6.2f%% %9llu"
" %3d %5u %5u %06u\n",
r,
(double)topPI[r].count * 100.0 / (double)totCount,
topPI[r].count,
(double)cumulCount * 100.0 / (double)totCount,
(unsigned long long int)cumulCount,
topPI[r].nStaticExits,
(unsigned int)topPI[r].nCodeBytes,
(unsigned int)topPI[r].nExitBytes,
topFragID[r]);
totSE += (uint32_t)topPI[r].nStaticExits;
totCodeB += topPI[r].nCodeBytes;
totExitB += topPI[r].nExitBytes;
}
LogController.printf("\nTotal displayed code bytes = %u, "
"exit bytes = %u\n"
"Total displayed static exits = %d\n\n",
(unsigned int)totCodeB, (unsigned int)totExitB, totSE);
LogController.printf("Analysis by exit counts\n\n");
for (r = 0; r < N_TOP_BLOCKS; r++) {
if (topFragID[r] == 0)
break;
LogController.printf("FragID=%06u, total count %u:\n", topFragID[r],
topPI[r].count);
uint32_t madeItToEnd = topPI[r].count;
uint32_t totThisFrag = topPI[r].count;
if (totThisFrag == 0)
totThisFrag = 1;
GuardPI gpi;
// visit the guards, in forward order
for (Seq<GuardPI>* guards = topPI[r].guards; guards; guards = guards->tail) {
gpi = (*guards).head;
if (gpi.count == 0)
continue;
madeItToEnd -= gpi.count;
LogController.printf(" GuardID=%03u %7u (%5.2f%%)\n",
gpi.guardID, gpi.count,
100.0 * (double)gpi.count / (double)totThisFrag);
}
LogController.printf(" Looped (%03u) %7u (%5.2f%%)\n",
topPI[r].largestGuardID+1,
madeItToEnd,
100.0 * (double)madeItToEnd / (double)totThisFrag);
NanoAssert(madeItToEnd <= topPI[r].count); // else unsigned underflow
LogController.printf("\n");
}
tm->profTab = NULL;
}
#endif
/* ----------------------------------------------------------------- */
#ifdef DEBUG
JSBool FASTCALL
PrintOnTrace(char* format, uint32 argc, double *argv)
{
union {
struct {
uint32 lo;
uint32 hi;
} i;
double d;
char *cstr;
JSObject *o;
JSString *s;
} u;
#define GET_ARG() JS_BEGIN_MACRO \
if (argi >= argc) { \
fprintf(out, "[too few args for format]"); \
break; \
} \
u.d = argv[argi++]; \
JS_END_MACRO
FILE *out = stderr;
uint32 argi = 0;
for (char *p = format; *p; ++p) {
if (*p != '%') {
putc(*p, out);
continue;
}
char ch = *++p;
if (!ch) {
fprintf(out, "[trailing %%]");
continue;
}
switch (ch) {
case 'a':
GET_ARG();
fprintf(out, "[%u:%u 0x%x:0x%x %f]", u.i.lo, u.i.hi, u.i.lo, u.i.hi, u.d);
break;
case 'd':
GET_ARG();
fprintf(out, "%d", u.i.lo);
break;
case 'u':
GET_ARG();
fprintf(out, "%u", u.i.lo);
break;
case 'x':
GET_ARG();
fprintf(out, "%x", u.i.lo);
break;
case 'f':
GET_ARG();
fprintf(out, "%f", u.d);
break;
case 'o':
GET_ARG();
js_DumpObject(u.o);
break;
case 's':
GET_ARG();
{
size_t length = u.s->length();
// protect against massive spew if u.s is a bad pointer.
if (length > 1 << 16)
length = 1 << 16;
if (u.s->isRope()) {
fprintf(out, "<rope>");
break;
}
if (u.s->isRope()) {
fprintf(out, "<rope: length %d>", (int)u.s->asRope().length());
} else {
const jschar *chars = u.s->asLinear().chars();
for (unsigned i = 0; i < length; ++i) {
jschar co = chars[i];
if (co < 128)
putc(co, out);
else if (co < 256)
fprintf(out, "\\u%02x", co);
else
fprintf(out, "\\u%04x", co);
}
}
}
break;
case 'S':
GET_ARG();
fprintf(out, "%s", u.cstr);
break;
case 'v': {
GET_ARG();
Value *v = (Value *) u.i.lo;
js_DumpValue(*v);
break;
}
default:
fprintf(out, "[invalid %%%c]", *p);
}
}
#undef GET_ARG
return JS_TRUE;
}
JS_DEFINE_CALLINFO_3(extern, BOOL, PrintOnTrace, CHARPTR, UINT32, DOUBLEPTR, 0, ACCSET_STORE_ANY)
// This version is not intended to be called directly: usually it is easier to
// use one of the other overloads.
void
TraceRecorder::tprint(const char *format, int count, nanojit::LIns *insa[])
{
size_t size = strlen(format) + 1;
char* data = (char*) traceMonitor->traceAlloc->alloc(size);
memcpy(data, format, size);
double *args = (double*) traceMonitor->traceAlloc->alloc(count * sizeof(double));
LIns* argsp_ins = w.nameImmpNonGC(args);
for (int i = 0; i < count; ++i)
w.stTprintArg(insa, argsp_ins, i);
LIns* args_ins[] = { w.nameImmpNonGC(args), w.nameImmi(count), w.nameImmpNonGC(data) };
LIns* call_ins = w.call(&PrintOnTrace_ci, args_ins);
guard(false, w.eqi0(call_ins), MISMATCH_EXIT);
}
// Generate a 'printf'-type call from trace for debugging.
void
TraceRecorder::tprint(const char *format)
{
LIns* insa[] = { NULL };
tprint(format, 0, insa);
}
void
TraceRecorder::tprint(const char *format, LIns *ins)
{
LIns* insa[] = { ins };
tprint(format, 1, insa);
}
void
TraceRecorder::tprint(const char *format, LIns *ins1, LIns *ins2)
{
LIns* insa[] = { ins1, ins2 };
tprint(format, 2, insa);
}
void
TraceRecorder::tprint(const char *format, LIns *ins1, LIns *ins2, LIns *ins3)
{
LIns* insa[] = { ins1, ins2, ins3 };
tprint(format, 3, insa);
}
void
TraceRecorder::tprint(const char *format, LIns *ins1, LIns *ins2, LIns *ins3, LIns *ins4)
{
LIns* insa[] = { ins1, ins2, ins3, ins4 };
tprint(format, 4, insa);
}
void
TraceRecorder::tprint(const char *format, LIns *ins1, LIns *ins2, LIns *ins3, LIns *ins4,
LIns *ins5)
{
LIns* insa[] = { ins1, ins2, ins3, ins4, ins5 };
tprint(format, 5, insa);
}
void
TraceRecorder::tprint(const char *format, LIns *ins1, LIns *ins2, LIns *ins3, LIns *ins4,
LIns *ins5, LIns *ins6)
{
LIns* insa[] = { ins1, ins2, ins3, ins4, ins5, ins6 };
tprint(format, 6, insa);
}
#endif
Tracker::Tracker(JSContext *cx)
: cx(cx)
{
pagelist = NULL;
}
Tracker::~Tracker()
{
clear();
}
inline jsuword
Tracker::getTrackerPageBase(const void* v) const
{
return jsuword(v) & ~TRACKER_PAGE_MASK;
}
inline jsuword
Tracker::getTrackerPageOffset(const void* v) const
{
return (jsuword(v) & TRACKER_PAGE_MASK) >> 2;
}
struct Tracker::TrackerPage*
Tracker::findTrackerPage(const void* v) const
{
jsuword base = getTrackerPageBase(v);
struct Tracker::TrackerPage* p = pagelist;
while (p) {
if (p->base == base)
return p;
p = p->next;
}
return NULL;
}
struct Tracker::TrackerPage*
Tracker::addTrackerPage(const void* v)
{
jsuword base = getTrackerPageBase(v);
struct TrackerPage* p = (struct TrackerPage*) cx->calloc_(sizeof(*p));
p->base = base;
p->next = pagelist;
pagelist = p;
return p;
}
void
Tracker::clear()
{
while (pagelist) {
TrackerPage* p = pagelist;
pagelist = pagelist->next;
cx->free_(p);
}
}
bool
Tracker::has(const void *v) const
{
return get(v) != NULL;
}
LIns*
Tracker::get(const void* v) const
{
struct Tracker::TrackerPage* p = findTrackerPage(v);
if (!p)
return NULL;
return p->map[getTrackerPageOffset(v)];
}
void
Tracker::set(const void* v, LIns* i)
{
struct Tracker::TrackerPage* p = findTrackerPage(v);
if (!p)
p = addTrackerPage(v);
p->map[getTrackerPageOffset(v)] = i;
}
static inline bool
hasInt32Repr(const Value &v)
{
if (!v.isNumber())
return false;
if (v.isInt32())
return true;
int32_t _;
return JSDOUBLE_IS_INT32(v.toDouble(), &_);
}
static inline jsint
asInt32(const Value &v)
{
JS_ASSERT(v.isNumber());
if (v.isInt32())
return v.toInt32();
#ifdef DEBUG
int32_t _;
JS_ASSERT(JSDOUBLE_IS_INT32(v.toDouble(), &_));
#endif
return jsint(v.toDouble());
}
/*
* Return JSVAL_TYPE_DOUBLE for all numbers (int and double). Split
* JSVAL_TYPE_OBJECT into JSVAL_TYPE_FUNOBJ and JSVAL_TYPE_NONFUNOBJ.
* Otherwise, just return the value's type.
*/
static inline JSValueType
getPromotedType(const Value &v)
{
if (v.isNumber())
return JSVAL_TYPE_DOUBLE;
if (v.isObject())
return v.toObject().isFunction() ? JSVAL_TYPE_FUNOBJ : JSVAL_TYPE_NONFUNOBJ;
return v.extractNonDoubleObjectTraceType();
}
/*
* Return JSVAL_TYPE_INT32 for all whole numbers that fit into signed 32-bit.
* Split JSVAL_TYPE_OBJECT into JSVAL_TYPE_FUNOBJ and JSVAL_TYPE_NONFUNOBJ.
* Otherwise, just return the value's type.
*/
static inline JSValueType
getCoercedType(const Value &v)
{
if (v.isNumber()) {
int32_t _;
return (v.isInt32() || JSDOUBLE_IS_INT32(v.toDouble(), &_))
? JSVAL_TYPE_INT32
: JSVAL_TYPE_DOUBLE;
}
if (v.isObject())
return v.toObject().isFunction() ? JSVAL_TYPE_FUNOBJ : JSVAL_TYPE_NONFUNOBJ;
return v.extractNonDoubleObjectTraceType();
}
static inline JSValueType
getFrameObjPtrTraceType(void *p, StackFrame *fp)
{
if (p == fp->addressOfScopeChain()) {
JS_ASSERT(*(JSObject **)p != NULL);
return JSVAL_TYPE_NONFUNOBJ;
}
JS_ASSERT(p == fp->addressOfArgs());
return fp->hasArgsObj() ? JSVAL_TYPE_NONFUNOBJ : JSVAL_TYPE_NULL;
}
static inline bool
isFrameObjPtrTraceType(JSValueType t)
{
return t == JSVAL_TYPE_NULL || t == JSVAL_TYPE_NONFUNOBJ;
}
/* Constant seed and accumulate step borrowed from the DJB hash. */
const uintptr_t ORACLE_MASK = ORACLE_SIZE - 1;
JS_STATIC_ASSERT((ORACLE_MASK & ORACLE_SIZE) == 0);
const uintptr_t FRAGMENT_TABLE_MASK = FRAGMENT_TABLE_SIZE - 1;
JS_STATIC_ASSERT((FRAGMENT_TABLE_MASK & FRAGMENT_TABLE_SIZE) == 0);
const uintptr_t HASH_SEED = 5381;
static inline void
HashAccum(uintptr_t& h, uintptr_t i, uintptr_t mask)
{
h = ((h << 5) + h + (mask & i)) & mask;
}
static JS_REQUIRES_STACK inline int
StackSlotHash(JSContext* cx, unsigned slot, const void* pc)
{
uintptr_t h = HASH_SEED;
HashAccum(h, uintptr_t(cx->fp()->script()), ORACLE_MASK);
HashAccum(h, uintptr_t(pc), ORACLE_MASK);
HashAccum(h, uintptr_t(slot), ORACLE_MASK);
return int(h);
}
static JS_REQUIRES_STACK inline int
GlobalSlotHash(JSContext* cx, unsigned slot)
{
uintptr_t h = HASH_SEED;
StackFrame* fp = cx->fp();
while (fp->prev())
fp = fp->prev();
HashAccum(h, uintptr_t(fp->maybeScript()), ORACLE_MASK);
HashAccum(h, uintptr_t(fp->scopeChain().getGlobal()->shape()), ORACLE_MASK);
HashAccum(h, uintptr_t(slot), ORACLE_MASK);
return int(h);
}
static inline int
PCHash(jsbytecode* pc)
{
return int(uintptr_t(pc) & ORACLE_MASK);
}
Oracle::Oracle(VMAllocator* allocator)
: _stackDontDemote(*allocator),
_globalDontDemote(*allocator),
_pcDontDemote(*allocator),
_pcSlowZeroTest(*allocator)
{
/* Grow the oracle bitsets to their (fixed) size here, once. */
_stackDontDemote.set(ORACLE_SIZE-1);
_globalDontDemote.set(ORACLE_SIZE-1);
clear();
}
/* Tell the oracle that a certain global variable should not be demoted. */
JS_REQUIRES_STACK void
Oracle::markGlobalSlotUndemotable(JSContext* cx, unsigned slot)
{
_globalDontDemote.set(GlobalSlotHash(cx, slot));
}
/* Consult with the oracle whether we shouldn't demote a certain global variable. */
JS_REQUIRES_STACK bool
Oracle::isGlobalSlotUndemotable(JSContext* cx, unsigned slot) const
{
return _globalDontDemote.get(GlobalSlotHash(cx, slot));
}
/* Tell the oracle that a certain slot at a certain stack slot should not be demoted. */
JS_REQUIRES_STACK void
Oracle::markStackSlotUndemotable(JSContext* cx, unsigned slot, const void* pc)
{
_stackDontDemote.set(StackSlotHash(cx, slot, pc));
}
JS_REQUIRES_STACK void
Oracle::markStackSlotUndemotable(JSContext* cx, unsigned slot)
{
markStackSlotUndemotable(cx, slot, cx->regs().pc);
}
/* Consult with the oracle whether we shouldn't demote a certain slot. */
JS_REQUIRES_STACK bool
Oracle::isStackSlotUndemotable(JSContext* cx, unsigned slot, const void* pc) const
{
return _stackDontDemote.get(StackSlotHash(cx, slot, pc));
}
JS_REQUIRES_STACK bool
Oracle::isStackSlotUndemotable(JSContext* cx, unsigned slot) const
{
return isStackSlotUndemotable(cx, slot, cx->regs().pc);
}
/* Tell the oracle that a certain slot at a certain bytecode location should not be demoted. */
void
Oracle::markInstructionUndemotable(jsbytecode* pc)
{
_pcDontDemote.set(PCHash(pc));
}
/* Consult with the oracle whether we shouldn't demote a certain bytecode location. */
bool
Oracle::isInstructionUndemotable(jsbytecode* pc) const
{
return _pcDontDemote.get(PCHash(pc));
}
/* Tell the oracle that the instruction at bytecode location should use a stronger (slower) test for -0. */
void
Oracle::markInstructionSlowZeroTest(jsbytecode* pc)
{
_pcSlowZeroTest.set(PCHash(pc));
}
/* Consult with the oracle whether we should use a stronger (slower) test for -0. */
bool
Oracle::isInstructionSlowZeroTest(jsbytecode* pc) const
{
return _pcSlowZeroTest.get(PCHash(pc));
}
void
Oracle::clearDemotability()
{
_stackDontDemote.resetAndAlloc();
_globalDontDemote.resetAndAlloc();
_pcDontDemote.resetAndAlloc();
_pcSlowZeroTest.resetAndAlloc();
}
JS_REQUIRES_STACK void
TraceRecorder::markSlotUndemotable(LinkableFragment* f, unsigned slot)
{
if (slot < f->nStackTypes) {
traceMonitor->oracle->markStackSlotUndemotable(cx, slot);
return;
}
uint16* gslots = f->globalSlots->data();
traceMonitor->oracle->markGlobalSlotUndemotable(cx, gslots[slot - f->nStackTypes]);
}
JS_REQUIRES_STACK void
TraceRecorder::markSlotUndemotable(LinkableFragment* f, unsigned slot, const void* pc)
{
if (slot < f->nStackTypes) {
traceMonitor->oracle->markStackSlotUndemotable(cx, slot, pc);
return;
}
uint16* gslots = f->globalSlots->data();
traceMonitor->oracle->markGlobalSlotUndemotable(cx, gslots[slot - f->nStackTypes]);
}
static JS_REQUIRES_STACK bool
IsSlotUndemotable(Oracle* oracle, JSContext* cx, LinkableFragment* f, unsigned slot, const void* ip)
{
if (slot < f->nStackTypes)
return !oracle || oracle->isStackSlotUndemotable(cx, slot, ip);
uint16* gslots = f->globalSlots->data();
return !oracle || oracle->isGlobalSlotUndemotable(cx, gslots[slot - f->nStackTypes]);
}
class FrameInfoCache
{
struct HashPolicy
{
typedef FrameInfo *Lookup;
static HashNumber hash(const FrameInfo* fi) {
size_t len = sizeof(FrameInfo) + fi->callerHeight * sizeof(JSValueType);
HashNumber h = 0;
const unsigned char *s = (const unsigned char*)fi;
for (size_t i = 0; i < len; i++, s++)
h = JS_ROTATE_LEFT32(h, 4) ^ *s;
return h;
}
static bool match(const FrameInfo* fi1, const FrameInfo* fi2) {
if (memcmp(fi1, fi2, sizeof(FrameInfo)) != 0)
return false;
return memcmp(fi1->get_typemap(), fi2->get_typemap(),
fi1->callerHeight * sizeof(JSValueType)) == 0;
}
};
typedef HashSet<FrameInfo *, HashPolicy, SystemAllocPolicy> FrameSet;
FrameSet set;
VMAllocator *allocator;
public:
FrameInfoCache(VMAllocator *allocator);
void reset() {
set.clear();
}
FrameInfo *memoize(FrameInfo *fi) {
FrameSet::AddPtr p = set.lookupForAdd(fi);
if (!p) {
FrameInfo* n = (FrameInfo*)
allocator->alloc(sizeof(FrameInfo) + fi->callerHeight * sizeof(JSValueType));
memcpy(n, fi, sizeof(FrameInfo) + fi->callerHeight * sizeof(JSValueType));
if (!set.add(p, n))
return NULL;
}
return *p;
}
};
FrameInfoCache::FrameInfoCache(VMAllocator *allocator)
: allocator(allocator)
{
if (!set.init())
OUT_OF_MEMORY_ABORT("FrameInfoCache::FrameInfoCache(): out of memory");
}
#define PC_HASH_COUNT 1024
static void
Blacklist(jsbytecode* pc)
{
AUDIT(blacklisted);
JS_ASSERT(*pc == JSOP_TRACE || *pc == JSOP_NOTRACE);
*pc = JSOP_NOTRACE;
}
static void
Unblacklist(JSScript *script, jsbytecode *pc)
{
JS_ASSERT(*pc == JSOP_NOTRACE || *pc == JSOP_TRACE);
if (*pc == JSOP_NOTRACE) {
*pc = JSOP_TRACE;
#ifdef JS_METHODJIT
/* This code takes care of unblacklisting in the method JIT. */
js::mjit::ResetTraceHint(script, pc, GET_UINT16(pc), false);
#endif
}
}
#ifdef JS_METHODJIT
static bool
IsBlacklisted(jsbytecode* pc)
{
if (*pc == JSOP_NOTRACE)
return true;
if (*pc == JSOP_CALL)
return *(pc + JSOP_CALL_LENGTH) == JSOP_NOTRACE;
return false;
}
#endif
static void
Backoff(TraceMonitor *tm, jsbytecode* pc, Fragment* tree = NULL)
{
/* N.B. This code path cannot assume the recorder is/is not alive. */
RecordAttemptMap &table = *tm->recordAttempts;
if (RecordAttemptMap::AddPtr p = table.lookupForAdd(pc)) {
if (p->value++ > (BL_ATTEMPTS * MAXPEERS)) {
p->value = 0;
Blacklist(pc);
return;
}
} else {
table.add(p, pc, 0);
}
if (tree) {
tree->hits() -= BL_BACKOFF;
/*
* In case there is no entry or no table (due to OOM) or some
* serious imbalance in the recording-attempt distribution on a
* multitree, give each tree another chance to blacklist here as
* well.
*/
if (++tree->recordAttempts > BL_ATTEMPTS)
Blacklist(pc);
}
}
static void
ResetRecordingAttempts(TraceMonitor *tm, jsbytecode* pc)
{
RecordAttemptMap &table = *tm->recordAttempts;
if (RecordAttemptMap::Ptr p = table.lookup(pc))
p->value = 0;
}
static inline size_t
FragmentHash(const void *ip, JSObject* globalObj, uint32 globalShape, uint32 argc)
{
uintptr_t h = HASH_SEED;
HashAccum(h, uintptr_t(ip), FRAGMENT_TABLE_MASK);
HashAccum(h, uintptr_t(globalObj), FRAGMENT_TABLE_MASK);
HashAccum(h, uintptr_t(globalShape), FRAGMENT_TABLE_MASK);
HashAccum(h, uintptr_t(argc), FRAGMENT_TABLE_MASK);
return size_t(h);
}
static void
RawLookupFirstPeer(TraceMonitor* tm, const void *ip, JSObject* globalObj,
uint32 globalShape, uint32 argc,
TreeFragment*& firstInBucket, TreeFragment**& prevTreeNextp)
{
size_t h = FragmentHash(ip, globalObj, globalShape, argc);
TreeFragment** ppf = &tm->vmfragments[h];
firstInBucket = *ppf;
for (; TreeFragment* pf = *ppf; ppf = &pf->next) {
if (pf->globalObj == globalObj &&
pf->globalShape == globalShape &&
pf->ip == ip &&
pf->argc == argc) {
prevTreeNextp = ppf;
return;
}
}
prevTreeNextp = ppf;
return;
}
static TreeFragment*
LookupLoop(TraceMonitor* tm, const void *ip, JSObject* globalObj,
uint32 globalShape, uint32 argc)
{
TreeFragment *_, **prevTreeNextp;
RawLookupFirstPeer(tm, ip, globalObj, globalShape, argc, _, prevTreeNextp);
return *prevTreeNextp;
}
static TreeFragment*
LookupOrAddLoop(TraceMonitor* tm, const void *ip, JSObject* globalObj,
uint32 globalShape, uint32 argc)
{
TreeFragment *firstInBucket, **prevTreeNextp;
RawLookupFirstPeer(tm, ip, globalObj, globalShape, argc, firstInBucket, prevTreeNextp);
if (TreeFragment *f = *prevTreeNextp)
return f;
verbose_only(
uint32_t profFragID = (LogController.lcbits & LC_FragProfile)
? (++(tm->lastFragID)) : 0;
)
TreeFragment* f = new (*tm->dataAlloc) TreeFragment(ip, tm->dataAlloc, tm->oracle,
globalObj, globalShape,
argc verbose_only(, profFragID));
f->root = f; /* f is the root of a new tree */
*prevTreeNextp = f; /* insert f at the end of the vmfragments bucket-list */
f->next = NULL;
f->first = f; /* initialize peer-list at f */
f->peer = NULL;
return f;
}
static TreeFragment*
AddNewPeerToPeerList(TraceMonitor* tm, TreeFragment* peer)
{
JS_ASSERT(peer);
verbose_only(
uint32_t profFragID = (LogController.lcbits & LC_FragProfile)
? (++(tm->lastFragID)) : 0;
)
TreeFragment* f = new (*tm->dataAlloc) TreeFragment(peer->ip, tm->dataAlloc, tm->oracle,
peer->globalObj, peer->globalShape,
peer->argc verbose_only(, profFragID));
f->root = f; /* f is the root of a new tree */
f->first = peer->first; /* add f to peer list */
f->peer = peer->peer;
peer->peer = f;
/* only the |first| Fragment of a peer list needs a valid |next| field */
debug_only(f->next = (TreeFragment*)0xcdcdcdcd);
return f;
}
JS_REQUIRES_STACK void
TreeFragment::initialize(JSContext* cx, SlotList *globalSlots, bool speculate)
{
this->dependentTrees.clear();
this->linkedTrees.clear();
this->globalSlots = globalSlots;
/* Capture the coerced type of each active slot in the type map. */
this->typeMap.captureTypes(cx, globalObj, *globalSlots, 0 /* callDepth */, speculate);
this->nStackTypes = this->typeMap.length() - globalSlots->length();
this->spOffsetAtEntry = cx->regs().sp - cx->fp()->base();
#ifdef DEBUG
this->treeFileName = cx->fp()->script()->filename;
this->treeLineNumber = CurrentLine(cx);
this->treePCOffset = CurrentPCOffset(cx);
#endif
this->script = cx->fp()->script();
this->gcthings.clear();
this->shapes.clear();
this->unstableExits = NULL;
this->sideExits.clear();
/* Determine the native frame layout at the entry point. */
this->nativeStackBase = (nStackTypes - (cx->regs().sp - cx->fp()->base())) *
sizeof(double);
this->maxNativeStackSlots = nStackTypes;
this->maxCallDepth = 0;
this->execs = 0;
this->iters = 0;
}
UnstableExit*
TreeFragment::removeUnstableExit(VMSideExit* exit)
{
/* Now erase this exit from the unstable exit list. */
UnstableExit** tail = &this->unstableExits;
for (UnstableExit* uexit = this->unstableExits; uexit != NULL; uexit = uexit->next) {
if (uexit->exit == exit) {
*tail = uexit->next;
return *tail;
}
tail = &uexit->next;
}
JS_NOT_REACHED("exit not in unstable exit list");
return NULL;
}
#ifdef DEBUG
static void
AssertTreeIsUnique(TraceMonitor* tm, TreeFragment* f)
{
JS_ASSERT(f->root == f);
/*
* Check for duplicate entry type maps. This is always wrong and hints at
* trace explosion since we are trying to stabilize something without
* properly connecting peer edges.
*/
for (TreeFragment* peer = LookupLoop(tm, f->ip, f->globalObj, f->globalShape, f->argc);
peer != NULL;
peer = peer->peer) {
if (!peer->code() || peer == f)
continue;
JS_ASSERT(!f->typeMap.matches(peer->typeMap));
}
}
#endif
static void
AttemptCompilation(TraceMonitor *tm, JSObject* globalObj,
JSScript* script, jsbytecode* pc, uint32 argc)
{
/* If we already permanently blacklisted the location, undo that. */
Unblacklist(script, pc);
ResetRecordingAttempts(tm, pc);
/* Breathe new life into all peer fragments at the designated loop header. */
TreeFragment* f = LookupLoop(tm, pc, globalObj, globalObj->shape(), argc);
if (!f) {
/*
* If the global object's shape changed, we can't easily find the
* corresponding loop header via a hash table lookup. In this
* we simply bail here and hope that the fragment has another
* outstanding compilation attempt. This case is extremely rare.
*/
return;
}
JS_ASSERT(f->root == f);
f = f->first;
while (f) {
JS_ASSERT(f->root == f);
--f->recordAttempts;
f->hits() = HOTLOOP;
f = f->peer;
}
}
static const CallInfo *
fcallinfo(LIns *ins)
{
return ins->isop(LIR_calld) ? ins->callInfo() : NULL;
}
/*
* StackFrame::numActualArgs is only defined for function frames. Since the
* actual arguments of the entry frame are kept on trace, argc is included in
* the tuple identifying a fragment so that two fragments for the same loop but
* recorded with different number of actual arguments are treated as two
* completely separate trees. For this particular use, we define the number of
* actuals for global and eval frames to be 0.
*/
static inline uintN
entryFrameArgc(JSContext *cx)
{
StackFrame *fp = cx->fp();
return fp->hasArgs() ? fp->numActualArgs() : 0;
}
template <typename Visitor>
static JS_REQUIRES_STACK JS_ALWAYS_INLINE bool
VisitStackAndArgs(Visitor &visitor, StackFrame *fp, StackFrame *next, Value *stack)
{
if (JS_LIKELY(!next->hasOverflowArgs()))
return visitor.visitStackSlots(stack, next->formalArgsEnd() - stack, fp);
/*
* In the case of nactual > nformal, the formals are copied by the VM onto
* the top of the stack. We only want to mark the formals once, so we
* carefully mark only the canonical actual arguments (as defined by
* StackFrame::canonicalActualArg).
*/
uintN nactual = next->numActualArgs();
Value *actuals = next->actualArgs();
size_t nstack = (actuals - 2 /* callee,this */) - stack;
if (!visitor.visitStackSlots(stack, nstack, fp))
return false;
uintN nformal = next->numFormalArgs();
Value *formals = next->formalArgs();
if (!visitor.visitStackSlots(formals - 2, 2 + nformal, fp))
return false;
return visitor.visitStackSlots(actuals + nformal, nactual - nformal, fp);
}
/*
* Visit the values in the given StackFrame that the tracer cares about. This
* visitor function is (implicitly) the primary definition of the native stack
* area layout. There are a few other independent pieces of code that must be
* maintained to assume the same layout. They are marked like this:
*
* Duplicate native stack layout computation: see VisitFrameSlots header comment.
*/
template <typename Visitor>
static JS_REQUIRES_STACK bool
VisitFrameSlots(Visitor &visitor, JSContext *cx, unsigned depth, StackFrame *fp,
StackFrame *next)
{
JS_ASSERT_IF(!next, cx->fp() == fp);
if (depth > 0 && !VisitFrameSlots(visitor, cx, depth-1, fp->prev(), fp))
return false;
if (depth == 0) {
if (fp->isGlobalFrame()) {
visitor.setStackSlotKind("global");
Value *base = fp->slots() + fp->globalScript()->nfixed;
if (next)
return VisitStackAndArgs(visitor, fp, next, base);
return visitor.visitStackSlots(base, cx->regs().sp - base, fp);
}
if (JS_UNLIKELY(fp->isEvalFrame())) {
visitor.setStackSlotKind("eval");
if (!visitor.visitStackSlots(&fp->mutableCalleev(), 2, fp))
return false;
} else {
/*
* Only the bottom function frame must visit its arguments; for all
* other frames, arguments are visited by the prev-frame.
*/
visitor.setStackSlotKind("args");
uintN nformal = fp->numFormalArgs();
if (!visitor.visitStackSlots(fp->formalArgs() - 2, 2 + nformal, fp))
return false;
if (JS_UNLIKELY(fp->hasOverflowArgs())) {
if (!visitor.visitStackSlots(fp->actualArgs() + nformal,
fp->numActualArgs() - nformal, fp))
return false;
}
}
}
JS_ASSERT(fp->isFunctionFrame());
/*
* We keep two members of StackFrame on trace: the args obj pointer and
* the scope chain pointer. The visitor must take care not to treat these
* as js::Value-typed variables, since they are unboxed pointers.
* Moreover, StackFrame compresses the args obj pointer with nactual, so
* fp->addressOfArgs() is not really a JSObject**: the visitor must treat
* !fp->hasArgsObj() as a null args obj pointer. Hence, visitFrameObjPtr
* is only passed a void *.
*/
visitor.setStackSlotKind("arguments");
if (!visitor.visitFrameObjPtr(fp->addressOfArgs(), fp))
return false;
visitor.setStackSlotKind("scopeChain");
if (!visitor.visitFrameObjPtr(fp->addressOfScopeChain(), fp))
return false;
visitor.setStackSlotKind("slots");
if (next)
return VisitStackAndArgs(visitor, fp, next, fp->slots());
return visitor.visitStackSlots(fp->slots(), cx->regs().sp - fp->slots(), fp);
}
// Number of native frame slots used for 'special' values between args and vars.
// Currently the two values are |arguments| (args object) and |scopeChain|.
const int SPECIAL_FRAME_SLOTS = 2;
template <typename Visitor>
static JS_REQUIRES_STACK JS_ALWAYS_INLINE bool
VisitStackSlots(Visitor &visitor, JSContext *cx, unsigned callDepth)
{
return VisitFrameSlots(visitor, cx, callDepth, cx->fp(), NULL);
}
template <typename Visitor>
static JS_REQUIRES_STACK JS_ALWAYS_INLINE void
VisitGlobalSlots(Visitor &visitor, JSContext *cx, JSObject *globalObj,
unsigned ngslots, uint16 *gslots)
{
for (unsigned n = 0; n < ngslots; ++n) {
unsigned slot = gslots[n];
visitor.visitGlobalSlot(&globalObj->getSlotRef(slot), n, slot);
}
}
class AdjustCallerTypeVisitor;
template <typename Visitor>
static JS_REQUIRES_STACK JS_ALWAYS_INLINE void
VisitGlobalSlots(Visitor &visitor, JSContext *cx, SlotList &gslots)
{
VisitGlobalSlots(visitor, cx, cx->fp()->scopeChain().getGlobal(),
gslots.length(), gslots.data());
}
template <typename Visitor>
static JS_REQUIRES_STACK JS_ALWAYS_INLINE void
VisitSlots(Visitor& visitor, JSContext* cx, JSObject* globalObj,
unsigned callDepth, unsigned ngslots, uint16* gslots)
{
if (VisitStackSlots(visitor, cx, callDepth))
VisitGlobalSlots(visitor, cx, globalObj, ngslots, gslots);
}
template <typename Visitor>
static JS_REQUIRES_STACK JS_ALWAYS_INLINE void
VisitSlots(Visitor& visitor, JSContext* cx, unsigned callDepth,
unsigned ngslots, uint16* gslots)
{
VisitSlots(visitor, cx, cx->fp()->scopeChain().getGlobal(),
callDepth, ngslots, gslots);
}
template <typename Visitor>
static JS_REQUIRES_STACK JS_ALWAYS_INLINE void
VisitSlots(Visitor &visitor, JSContext *cx, JSObject *globalObj,
unsigned callDepth, const SlotList& slots)
{
VisitSlots(visitor, cx, globalObj, callDepth, slots.length(),
slots.data());
}
template <typename Visitor>
static JS_REQUIRES_STACK JS_ALWAYS_INLINE void
VisitSlots(Visitor &visitor, JSContext *cx, unsigned callDepth,
const SlotList& slots)
{
VisitSlots(visitor, cx, cx->fp()->scopeChain().getGlobal(),
callDepth, slots.length(), slots.data());
}
class SlotVisitorBase {
#if defined JS_JIT_SPEW
protected:
char const *mStackSlotKind;
public:
SlotVisitorBase() : mStackSlotKind(NULL) {}
JS_ALWAYS_INLINE const char *stackSlotKind() { return mStackSlotKind; }
JS_ALWAYS_INLINE void setStackSlotKind(char const *k) {
mStackSlotKind = k;
}
#else
public:
JS_ALWAYS_INLINE const char *stackSlotKind() { return NULL; }
JS_ALWAYS_INLINE void setStackSlotKind(char const *k) {}
#endif
};
struct CountSlotsVisitor : public SlotVisitorBase
{
unsigned mCount;
bool mDone;
const void* mStop;
public:
JS_ALWAYS_INLINE CountSlotsVisitor(const void* stop = NULL) :
mCount(0),
mDone(false),
mStop(stop)
{}
JS_REQUIRES_STACK JS_ALWAYS_INLINE bool
visitStackSlots(Value *vp, size_t count, StackFrame* fp) {
if (mDone)
return false;
if (mStop && size_t(((const Value *)mStop) - vp) < count) {
mCount += size_t(((const Value *)mStop) - vp);
mDone = true;
return false;
}
mCount += count;
return true;
}
JS_REQUIRES_STACK JS_ALWAYS_INLINE bool
visitFrameObjPtr(void* p, StackFrame* fp) {
if (mDone)
return false;
if (mStop && mStop == p) {
mDone = true;
return false;
}
mCount++;
return true;
}
JS_ALWAYS_INLINE unsigned count() {
return mCount;
}
JS_ALWAYS_INLINE bool stopped() {
return mDone;
}
};
static JS_REQUIRES_STACK JS_ALWAYS_INLINE unsigned
CountStackAndArgs(StackFrame *next, Value *stack)
{
if (JS_LIKELY(!next->hasOverflowArgs()))
return (Value *)next - stack;
size_t nvals = (next->formalArgs() - 2 /* callee, this */) - stack;
JS_ASSERT(nvals == unsigned((next->actualArgs() - 2) - stack) + (2 + next->numActualArgs()));
return nvals;
}
static JS_ALWAYS_INLINE uintN
NumSlotsBeforeFixed(StackFrame *fp)
{
uintN numArgs = fp->isEvalFrame() ? 0 : Max(fp->numActualArgs(), fp->numFormalArgs());
return 2 + numArgs + SPECIAL_FRAME_SLOTS;
}
/*
* Calculate the total number of native frame slots we need from this frame all
* the way back to the entry frame, including the current stack usage.
*
* Duplicate native stack layout computation: see VisitFrameSlots header comment.
*/
JS_REQUIRES_STACK unsigned
NativeStackSlots(JSContext *cx, unsigned callDepth)
{
StackFrame *fp = cx->fp();
StackFrame *next = NULL;
unsigned slots = 0;
unsigned depth = callDepth;
for (; depth > 0; --depth, next = fp, fp = fp->prev()) {
JS_ASSERT(fp->isNonEvalFunctionFrame());
slots += SPECIAL_FRAME_SLOTS;
if (next)
slots += CountStackAndArgs(next, fp->slots());
else
slots += cx->regs().sp - fp->slots();
}
Value *start;
if (fp->isGlobalFrame()) {
start = fp->slots() + fp->globalScript()->nfixed;
} else {
start = fp->slots();
slots += NumSlotsBeforeFixed(fp);
}
if (next)
slots += CountStackAndArgs(next, start);
else
slots += cx->regs().sp - start;
#ifdef DEBUG
CountSlotsVisitor visitor;
VisitStackSlots(visitor, cx, callDepth);
JS_ASSERT(visitor.count() == slots && !visitor.stopped());
#endif
return slots;
}
class CaptureTypesVisitor : public SlotVisitorBase
{
JSContext* mCx;
JSValueType* mTypeMap;
JSValueType* mPtr;
Oracle * mOracle;
public:
JS_ALWAYS_INLINE CaptureTypesVisitor(JSContext* cx, Oracle *oracle,
JSValueType* typeMap, bool speculate)
: mCx(cx),
mTypeMap(typeMap),
mPtr(typeMap),
mOracle(speculate ? oracle : NULL)
{}
JS_REQUIRES_STACK JS_ALWAYS_INLINE void
visitGlobalSlot(Value *vp, unsigned n, unsigned slot) {
JSValueType type = getCoercedType(*vp);
if (type == JSVAL_TYPE_INT32 && (!mOracle || mOracle->isGlobalSlotUndemotable(mCx, slot)))
type = JSVAL_TYPE_DOUBLE;
JS_ASSERT(type != JSVAL_TYPE_BOXED);
debug_only_printf(LC_TMTracer,
"capture type global%d: %c\n",
n, TypeToChar(type));
*mPtr++ = type;
}
JS_REQUIRES_STACK JS_ALWAYS_INLINE bool
visitStackSlots(Value *vp, int count, StackFrame* fp) {
for (int i = 0; i < count; ++i) {
JSValueType type = getCoercedType(vp[i]);
if (type == JSVAL_TYPE_INT32 && (!mOracle || mOracle->isStackSlotUndemotable(mCx, length())))
type = JSVAL_TYPE_DOUBLE;
JS_ASSERT(type != JSVAL_TYPE_BOXED);
debug_only_printf(LC_TMTracer,
"capture type %s%d: %c\n",
stackSlotKind(), i, TypeToChar(type));
*mPtr++ = type;
}
return true;
}
JS_REQUIRES_STACK JS_ALWAYS_INLINE bool
visitFrameObjPtr(void* p, StackFrame* fp) {
JSValueType type = getFrameObjPtrTraceType(p, fp);
debug_only_printf(LC_TMTracer,
"capture type %s%d: %c\n",
stackSlotKind(), 0, TypeToChar(type));
*mPtr++ = type;
return true;
}
JS_ALWAYS_INLINE uintptr_t length() {
return mPtr - mTypeMap;
}
};
void
TypeMap::set(unsigned stackSlots, unsigned ngslots,
const JSValueType* stackTypeMap, const JSValueType* globalTypeMap)
{
setLength(ngslots + stackSlots);
memcpy(data(), stackTypeMap, stackSlots * sizeof(JSValueType));
memcpy(data() + stackSlots, globalTypeMap, ngslots * sizeof(JSValueType));
}
/*
* Capture the type map for the selected slots of the global object and currently pending
* stack frames.
*/
JS_REQUIRES_STACK void
TypeMap::captureTypes(JSContext* cx, JSObject* globalObj, SlotList& slots, unsigned callDepth,
bool speculate)
{
setLength(NativeStackSlots(cx, callDepth) + slots.length());
CaptureTypesVisitor visitor(cx, oracle, data(), speculate);
VisitSlots(visitor, cx, globalObj, callDepth, slots);
JS_ASSERT(visitor.length() == length());
}
JS_REQUIRES_STACK void
TypeMap::captureMissingGlobalTypes(JSContext* cx,
JSObject* globalObj, SlotList& slots, unsigned stackSlots,
bool speculate)
{
unsigned oldSlots = length() - stackSlots;
int diff = slots.length() - oldSlots;
JS_ASSERT(diff >= 0);
setLength(length() + diff);
CaptureTypesVisitor visitor(cx, oracle, data() + stackSlots + oldSlots, speculate);
VisitGlobalSlots(visitor, cx, globalObj, diff, slots.data() + oldSlots);
}
/* Compare this type map to another one and see whether they match. */
bool
TypeMap::matches(TypeMap& other) const
{
if (length() != other.length())
return false;
return !memcmp(data(), other.data(), length());
}
void
TypeMap::fromRaw(JSValueType* other, unsigned numSlots)
{
unsigned oldLength = length();
setLength(length() + numSlots);
for (unsigned i = 0; i < numSlots; i++)
get(oldLength + i) = other[i];
}
/*
* Use the provided storage area to create a new type map that contains the
* partial type map with the rest of it filled up from the complete type
* map.
*/
static void
MergeTypeMaps(JSValueType** partial, unsigned* plength, JSValueType* complete, unsigned clength, JSValueType* mem)
{
unsigned l = *plength;
JS_ASSERT(l < clength);
memcpy(mem, *partial, l * sizeof(JSValueType));
memcpy(mem + l, complete + l, (clength - l) * sizeof(JSValueType));
*partial = mem;
*plength = clength;
}
/*
* Specializes a tree to any specifically missing globals, including any
* dependent trees.
*/
static JS_REQUIRES_STACK void
SpecializeTreesToLateGlobals(JSContext* cx, TreeFragment* root, JSValueType* globalTypeMap,
unsigned numGlobalSlots)
{
for (unsigned i = root->nGlobalTypes(); i < numGlobalSlots; i++)
root->typeMap.add(globalTypeMap[i]);
JS_ASSERT(root->nGlobalTypes() == numGlobalSlots);
for (unsigned i = 0; i < root->dependentTrees.length(); i++) {
TreeFragment* tree = root->dependentTrees[i];
if (tree->code() && tree->nGlobalTypes() < numGlobalSlots)
SpecializeTreesToLateGlobals(cx, tree, globalTypeMap, numGlobalSlots);
}
for (unsigned i = 0; i < root->linkedTrees.length(); i++) {
TreeFragment* tree = root->linkedTrees[i];
if (tree->code() && tree->nGlobalTypes() < numGlobalSlots)
SpecializeTreesToLateGlobals(cx, tree, globalTypeMap, numGlobalSlots);
}
}
/* Specializes a tree to any missing globals, including any dependent trees. */
static JS_REQUIRES_STACK void
SpecializeTreesToMissingGlobals(JSContext* cx, JSObject* globalObj, TreeFragment* root)
{
/* If we already have a bunch of peer trees, try to be as generic as possible. */
size_t count = 0;
for (TreeFragment *f = root->first; f; f = f->peer, ++count);
bool speculate = count < MAXPEERS-1;
root->typeMap.captureMissingGlobalTypes(cx, globalObj, *root->globalSlots, root->nStackTypes,
speculate);
JS_ASSERT(root->globalSlots->length() == root->typeMap.length() - root->nStackTypes);
SpecializeTreesToLateGlobals(cx, root, root->globalTypeMap(), root->nGlobalTypes());
}
static void
ResetJITImpl(JSContext* cx, TraceMonitor *tm);
#ifdef MOZ_TRACEVIS
static JS_INLINE void
ResetJIT(JSContext* cx, TraceMonitor *tm, TraceVisFlushReason r)
{
LogTraceVisEvent(cx, S_RESET, r);
ResetJITImpl(cx, tm);
}
#else
# define ResetJIT(cx, tm, reason) ResetJITImpl(cx, tm)
#endif
void
FlushJITCache(JSContext *cx, TraceMonitor *tm)
{
ResetJIT(cx, tm, FR_OOM);
}
static void
TrashTree(TreeFragment* f);
JS_REQUIRES_STACK
TraceRecorder::TraceRecorder(JSContext* cx, TraceMonitor *tm,
VMSideExit* anchor, VMFragment* fragment,
unsigned stackSlots, unsigned ngslots, JSValueType* typeMap,
VMSideExit* innermost, JSScript* outerScript, jsbytecode* outerPC,
uint32 outerArgc, bool speculate)
: cx(cx),
traceMonitor(tm),
oracle(speculate ? tm->oracle : NULL),
fragment(fragment),
tree(fragment->root),
globalObj(tree->globalObj),
outerScript(outerScript),
outerPC(outerPC),
outerArgc(outerArgc),
anchor(anchor),
cx_ins(NULL),
eos_ins(NULL),
eor_ins(NULL),
loopLabel(NULL),
importTypeMap(&tempAlloc(), tm->oracle),
lirbuf(new (tempAlloc()) LirBuffer(tempAlloc())),
mark(*traceMonitor->traceAlloc),
numSideExitsBefore(tree->sideExits.length()),
tracker(cx),
nativeFrameTracker(cx),
global_slots(NULL),
callDepth(anchor ? anchor->calldepth : 0),
atoms(FrameAtomBase(cx, cx->fp())),
consts(JSScript::isValidOffset(cx->fp()->script()->constOffset)
? cx->fp()->script()->consts()->vector
: NULL),
strictModeCode_ins(NULL),
cfgMerges(&tempAlloc()),
trashSelf(false),
whichTreesToTrash(&tempAlloc()),
guardedShapeTable(cx),
initDepth(0),
hadNewInit(false),
#ifdef DEBUG
addPropShapeBefore(NULL),
#endif
rval_ins(NULL),
native_rval_ins(NULL),
newobj_ins(NULL),
pendingSpecializedNative(NULL),
pendingUnboxSlot(NULL),
pendingGuardCondition(NULL),
pendingGlobalSlotsToSet(cx),
pendingLoop(true),
generatedSpecializedNative(),
tempTypeMap(cx),
w(&tempAlloc(), lirbuf)
{
JS_ASSERT(globalObj == cx->fp()->scopeChain().getGlobal());
JS_ASSERT(globalObj->hasOwnShape());
JS_ASSERT(cx->regs().pc == (jsbytecode*)fragment->ip);
#ifdef JS_METHODJIT
if (TRACE_PROFILER(cx))
AbortProfiling(cx);
#endif
JS_ASSERT(JS_THREAD_DATA(cx)->onTraceCompartment == NULL);
JS_ASSERT(JS_THREAD_DATA(cx)->profilingCompartment == NULL);
JS_ASSERT(JS_THREAD_DATA(cx)->recordingCompartment == NULL);
JS_THREAD_DATA(cx)->recordingCompartment = cx->compartment;
#ifdef DEBUG
lirbuf->printer = new (tempAlloc()) LInsPrinter(tempAlloc(), TM_NUM_USED_ACCS);
#endif
/*
* Reset the fragment state we care about in case we got a recycled
* fragment. This includes resetting any profiling data we might have
* accumulated.
*/
fragment->lastIns = NULL;
fragment->setCode(NULL);
fragment->lirbuf = lirbuf;
verbose_only( fragment->profCount = 0; )
verbose_only( fragment->nStaticExits = 0; )
verbose_only( fragment->nCodeBytes = 0; )
verbose_only( fragment->nExitBytes = 0; )
verbose_only( fragment->guardNumberer = 1; )
verbose_only( fragment->guardsForFrag = NULL; )
verbose_only( fragment->loopLabel = NULL; )
/*
* Don't change fragment->profFragID, though. Once the identity of the
* Fragment is set up (for profiling purposes), we can't change it.
*/
if (!guardedShapeTable.init())
OUT_OF_MEMORY_ABORT("TraceRecorder::TraceRecorder: out of memory");
#ifdef JS_JIT_SPEW
debug_only_print0(LC_TMMinimal, "\n");
debug_only_printf(LC_TMMinimal, "Recording starting from %s:%u@%u (FragID=%06u)\n",
tree->treeFileName, tree->treeLineNumber, tree->treePCOffset,
fragment->profFragID);
debug_only_printf(LC_TMTracer, "globalObj=%p, shape=%d\n",
(void*)this->globalObj, this->globalObj->shape());
debug_only_printf(LC_TMTreeVis, "TREEVIS RECORD FRAG=%p ANCHOR=%p\n", (void*)fragment,
(void*)anchor);
#endif
/* This creates the LIR writer pipeline. */
w.init(&LogController, &NJConfig);
w.start();
for (int i = 0; i < NumSavedRegs; ++i)
w.paramp(i, 1);
#ifdef DEBUG
for (int i = 0; i < NumSavedRegs; ++i)
w.name(lirbuf->savedRegs[i], regNames[REGNUM(Assembler::savedRegs[i])]);
#endif
lirbuf->state = w.name(w.paramp(0, 0), "state");
if (fragment == fragment->root) {
w.comment("begin-loop");
InitConst(loopLabel) = w.label();
}
w.comment("begin-setup");
// if profiling, drop a label, so the assembler knows to put a
// frag-entry-counter increment at this point. If there's a
// loopLabel, use that; else we'll have to make a dummy label
// especially for this purpose.
verbose_only( if (LogController.lcbits & LC_FragProfile) {
LIns* entryLabel = NULL;
if (fragment == fragment->root) {
entryLabel = loopLabel;
} else {
entryLabel = w.label();
}
NanoAssert(entryLabel);
NanoAssert(!fragment->loopLabel);
fragment->loopLabel = entryLabel;
})
lirbuf->sp = w.name(w.ldpStateField(sp), "sp");
lirbuf->rp = w.name(w.ldpStateField(rp), "rp");
InitConst(cx_ins) = w.name(w.ldpStateField(cx), "cx");
InitConst(eos_ins) = w.name(w.ldpStateField(eos), "eos");
InitConst(eor_ins) = w.name(w.ldpStateField(eor), "eor");
strictModeCode_ins = w.name(w.immi(cx->fp()->script()->strictModeCode), "strict");
/* If we came from exit, we might not have enough global types. */
if (tree->globalSlots->length() > tree->nGlobalTypes())
SpecializeTreesToMissingGlobals(cx, globalObj, tree);
/* read into registers all values on the stack and all globals we know so far */
import(tree, lirbuf->sp, stackSlots, ngslots, callDepth, typeMap);
if (fragment == fragment->root) {
/*
* We poll the operation callback request flag. It is updated
* asynchronously whenever the callback is to be invoked. We can use
* w.nameImmpNonGC here as JIT-ed code is per thread and cannot
* outlive the corresponding ThreadData.
*/
w.comment("begin-interruptFlags-check");
/* FIXME: See bug 621140 for moving interruptCounter to the compartment. */
#ifdef JS_THREADSAFE
void *interrupt = (void*) &cx->runtime->interruptCounter;
#else
void *interrupt = (void*) &JS_THREAD_DATA(cx)->interruptFlags;
#endif
LIns* flagptr = w.nameImmpNonGC(interrupt);
LIns* x = w.ldiVolatile(flagptr);
guard(true, w.eqi0(x), TIMEOUT_EXIT);
w.comment("end-interruptFlags-check");
/*
* Count the number of iterations run by a trace, so that we can blacklist if
* the trace runs too few iterations to be worthwhile. Do this only if the methodjit
* is on--otherwise we must try to trace as much as possible.
*/
#ifdef JS_METHODJIT
if (cx->methodJitEnabled) {
w.comment("begin-count-loop-iterations");
LIns* counterPtr = w.nameImmpNonGC((void *) &traceMonitor->iterationCounter);
LIns* counterValue = w.ldiVolatile(counterPtr);
LIns* test = w.ltiN(counterValue, LOOP_COUNT_MAX);
LIns *branch = w.jfUnoptimizable(test);
/*
* stiVolatile() uses ACCSET_STORE_ANY; If LICM is implemented
* (bug 545406) this counter will need its own region.
*/
w.stiVolatile(w.addi(counterValue, w.immi(1)), counterPtr);
w.label(branch);
w.comment("end-count-loop-iterations");
}
#endif
}
/*
* If we are attached to a tree call guard, make sure the guard the inner
* tree exited from is what we expect it to be.
*/
if (anchor && anchor->exitType == NESTED_EXIT) {
LIns* nested_ins = w.ldpStateField(outermostTreeExitGuard);
guard(true, w.eqp(nested_ins, w.nameImmpNonGC(innermost)), NESTED_EXIT);
}
w.comment("end-setup");
}
TraceRecorder::~TraceRecorder()
{
/* Should already have been adjusted by callers before calling delete. */
JS_ASSERT(traceMonitor->recorder != this);
JS_ASSERT(JS_THREAD_DATA(cx)->profilingCompartment == NULL);
JS_ASSERT(JS_THREAD_DATA(cx)->recordingCompartment->traceMonitor() == traceMonitor);
JS_THREAD_DATA(cx)->recordingCompartment = NULL;
if (trashSelf)
TrashTree(fragment->root);
for (unsigned int i = 0; i < whichTreesToTrash.length(); i++)
TrashTree(whichTreesToTrash[i]);
/* Purge the tempAlloc used during recording. */
tempAlloc().reset();
forgetGuardedShapes();
}
inline bool
TraceMonitor::outOfMemory() const
{
return dataAlloc->outOfMemory() ||
tempAlloc->outOfMemory() ||
traceAlloc->outOfMemory();
}
void
TraceMonitor::getCodeAllocStats(size_t &total, size_t &frag_size, size_t &free_size) const
{
if (codeAlloc) {
codeAlloc->getStats(total, frag_size, free_size);
} else {
total = 0;
frag_size = 0;
free_size = 0;
}
}
size_t
TraceMonitor::getVMAllocatorsMainSize() const
{
size_t n = 0;
if (dataAlloc)
n += dataAlloc->getBytesAllocated();
if (traceAlloc)
n += traceAlloc->getBytesAllocated();
if (tempAlloc)
n += tempAlloc->getBytesAllocated();
return n;
}
size_t
TraceMonitor::getVMAllocatorsReserveSize() const
{
return dataAlloc->mReserveSize +
traceAlloc->mReserveSize +
tempAlloc->mReserveSize;
}
size_t
TraceMonitor::getTraceMonitorSize() const
{
return sizeof(TraceMonitor) + // TraceMonitor
sizeof(*storage) + // TraceNativeStorage
recordAttempts->tableSize() + // RecordAttemptMap
loopProfiles->tableSize(); // LoopProfileMap
}
/*
* This function destroys the recorder after a successful recording, possibly
* starting a suspended outer recorder.
*/
AbortableRecordingStatus
TraceRecorder::finishSuccessfully()
{
JS_ASSERT(!traceMonitor->profile);
JS_ASSERT(traceMonitor->recorder == this);
JS_ASSERT(fragment->lastIns && fragment->code());
AUDIT(traceCompleted);
mark.commit();
/* Grab local copies of members needed after destruction of |this|. */
JSContext* localcx = cx;
TraceMonitor* localtm = traceMonitor;
localtm->recorder = NULL;
cx->delete_(this);
/* Catch OOM that occurred during recording. */
if (localtm->outOfMemory() || OverfullJITCache(localcx, localtm)) {
ResetJIT(localcx, localtm, FR_OOM);
return ARECORD_ABORTED;
}
return ARECORD_COMPLETED;
}
/* This function aborts a recorder and any pending outer recorders. */
JS_REQUIRES_STACK TraceRecorder::AbortResult
TraceRecorder::finishAbort(const char* reason)
{
JS_ASSERT(!traceMonitor->profile);
JS_ASSERT(traceMonitor->recorder == this);
AUDIT(recorderAborted);
#ifdef DEBUG
debug_only_printf(LC_TMMinimal | LC_TMAbort,
"Abort recording of tree %s:%d@%d at %s:%d@%d: %s.\n",
tree->treeFileName,
tree->treeLineNumber,
tree->treePCOffset,
cx->fp()->script()->filename,
CurrentLine(cx),
CurrentPCOffset(cx),
reason);
#endif
Backoff(traceMonitor, (jsbytecode*) fragment->root->ip, fragment->root);
/*
* If this is the primary trace and we didn't succeed compiling, trash the
* tree. Otherwise, remove the VMSideExits we added while recording, which
* are about to be invalid.
*
* BIG FAT WARNING: resetting the length is only a valid strategy as long as
* there may be only one recorder active for a single TreeInfo at a time.
* Otherwise, we may be throwing away another recorder's valid side exits.
*/
if (fragment->root == fragment) {
TrashTree(fragment->toTreeFragment());
} else {
JS_ASSERT(numSideExitsBefore <= fragment->root->sideExits.length());
fragment->root->sideExits.setLength(numSideExitsBefore);
}
/* Grab local copies of members needed after destruction of |this|. */
JSContext* localcx = cx;
TraceMonitor* localtm = traceMonitor;
localtm->recorder = NULL;
cx->delete_(this);
/* Catch OOM that occurred during recording. */
if (localtm->outOfMemory() || OverfullJITCache(localcx, localtm)) {
ResetJIT(localcx, localtm, FR_OOM);
return JIT_RESET;
}
return NORMAL_ABORT;
}
inline LIns*
TraceRecorder::w_immpObjGC(JSObject* obj)
{
JS_ASSERT(obj);
tree->gcthings.addUnique(ObjectValue(*obj));
return w.immpNonGC((void*)obj);
}
inline LIns*
TraceRecorder::w_immpFunGC(JSFunction* fun)
{
JS_ASSERT(fun);
tree->gcthings.addUnique(ObjectValue(*fun));
return w.immpNonGC((void*)fun);
}
inline LIns*
TraceRecorder::w_immpStrGC(JSString* str)
{
JS_ASSERT(str);
tree->gcthings.addUnique(StringValue(str));
return w.immpNonGC((void*)str);
}
inline LIns*
TraceRecorder::w_immpShapeGC(const Shape* shape)
{
JS_ASSERT(shape);
tree->shapes.addUnique(shape);
return w.immpNonGC((void*)shape);
}
inline LIns*
TraceRecorder::w_immpIdGC(jsid id)
{
if (JSID_IS_GCTHING(id))
tree->gcthings.addUnique(IdToValue(id));
return w.immpNonGC((void*)JSID_BITS(id));
}
ptrdiff_t
TraceRecorder::nativeGlobalSlot(const Value* p) const
{
JS_ASSERT(isGlobal(p));
return ptrdiff_t(p - globalObj->slots + globalObj->numFixedSlots());
}
/* Determine the offset in the native global frame for a jsval we track. */
ptrdiff_t
TraceRecorder::nativeGlobalOffset(const Value* p) const
{
return nativeGlobalSlot(p) * sizeof(double);
}
/* Determine whether a value is a global stack slot. */
bool
TraceRecorder::isGlobal(const Value* p) const
{
return (size_t(p - globalObj->slots) < globalObj->numSlots() - globalObj->numFixedSlots());
}
bool
TraceRecorder::isVoidPtrGlobal(const void* p) const
{
return isGlobal((const Value *)p);
}
/*
* Return the offset in the native stack for the given jsval. More formally,
* |p| must be the address of a jsval that is represented in the native stack
* area. The return value is the offset, from TracerState::stackBase, in bytes,
* where the native representation of |*p| is stored. To get the offset
* relative to TracerState::sp, subtract TreeFragment::nativeStackBase.
*/
JS_REQUIRES_STACK ptrdiff_t
TraceRecorder::nativeStackOffsetImpl(const void* p) const
{
CountSlotsVisitor visitor(p);
VisitStackSlots(visitor, cx, callDepth);
size_t offset = visitor.count() * sizeof(double);
/*
* If it's not in a pending frame, it must be on the stack of the current
* frame above sp but below fp->slots() + script->nslots.
*/
if (!visitor.stopped()) {
const Value *vp = (const Value *)p;
JS_ASSERT(size_t(vp - cx->fp()->slots()) < cx->fp()->numSlots());
offset += size_t(vp - cx->regs().sp) * sizeof(double);
}
return offset;
}
JS_REQUIRES_STACK inline ptrdiff_t
TraceRecorder::nativeStackOffset(const Value* p) const
{
return nativeStackOffsetImpl(p);
}
JS_REQUIRES_STACK inline ptrdiff_t
TraceRecorder::nativeStackSlotImpl(const void* p) const
{
return nativeStackOffsetImpl(p) / sizeof(double);
}
JS_REQUIRES_STACK inline ptrdiff_t
TraceRecorder::nativeStackSlot(const Value* p) const
{
return nativeStackSlotImpl(p);
}
/*
* Return the offset, from TracerState:sp, for the given jsval. Shorthand for:
* -TreeFragment::nativeStackBase + nativeStackOffset(p).
*/
inline JS_REQUIRES_STACK ptrdiff_t
TraceRecorder::nativespOffsetImpl(const void* p) const
{
return -tree->nativeStackBase + nativeStackOffsetImpl(p);
}
inline JS_REQUIRES_STACK ptrdiff_t
TraceRecorder::nativespOffset(const Value* p) const
{
return nativespOffsetImpl(p);
}
/* Track the maximum number of native frame slots we need during execution. */
inline void
TraceRecorder::trackNativeStackUse(unsigned slots)
{
if (slots > tree->maxNativeStackSlots)
tree->maxNativeStackSlots = slots;
}
/*
* Unbox a jsval into a slot. Slots are wide enough to hold double values
* directly (instead of storing a pointer to them). We assert instead of
* type checking. The caller must ensure the types are compatible.
*/
static inline void
ValueToNative(const Value &v, JSValueType type, double* slot)
{
JS_ASSERT(type <= JSVAL_UPPER_INCL_TYPE_OF_BOXABLE_SET);
if (type > JSVAL_UPPER_INCL_TYPE_OF_NUMBER_SET)
v.unboxNonDoubleTo((uint64 *)slot);
else if (type == JSVAL_TYPE_INT32)
*(int32_t *)slot = v.isInt32() ? v.toInt32() : (int32_t)v.toDouble();
else
*(double *)slot = v.toNumber();
#ifdef DEBUG
int32_t _;
switch (type) {
case JSVAL_TYPE_NONFUNOBJ: {
JS_ASSERT(!IsFunctionObject(v));
debug_only_printf(LC_TMTracer,
"object<%p:%s> ", (void*)*(JSObject **)slot,
v.toObject().getClass()->name);
return;
}
case JSVAL_TYPE_INT32:
JS_ASSERT(v.isInt32() || (v.isDouble() && JSDOUBLE_IS_INT32(v.toDouble(), &_)));
debug_only_printf(LC_TMTracer, "int<%d> ", *(jsint *)slot);
return;
case JSVAL_TYPE_DOUBLE:
JS_ASSERT(v.isNumber());
debug_only_printf(LC_TMTracer, "double<%g> ", *(jsdouble *)slot);
return;
case JSVAL_TYPE_BOXED:
JS_NOT_REACHED("found jsval type in an entry type map");
return;
case JSVAL_TYPE_STRING:
JS_ASSERT(v.isString());
debug_only_printf(LC_TMTracer, "string<%p> ", (void*)*(JSString**)slot);
return;
case JSVAL_TYPE_NULL:
JS_ASSERT(v.isNull());
debug_only_print0(LC_TMTracer, "null ");
return;
case JSVAL_TYPE_BOOLEAN:
JS_ASSERT(v.isBoolean());
debug_only_printf(LC_TMTracer, "special<%d> ", *(JSBool*)slot);
return;
case JSVAL_TYPE_UNDEFINED:
JS_ASSERT(v.isUndefined());
debug_only_print0(LC_TMTracer, "undefined ");
return;
case JSVAL_TYPE_MAGIC:
JS_ASSERT(v.isMagic());
debug_only_print0(LC_TMTracer, "hole ");
return;
case JSVAL_TYPE_FUNOBJ: {
JS_ASSERT(IsFunctionObject(v));
JSFunction* fun = v.toObject().getFunctionPrivate();
#if defined JS_JIT_SPEW
if (LogController.lcbits & LC_TMTracer) {
char funName[40];
if (fun->atom)
JS_PutEscapedFlatString(funName, sizeof funName, fun->atom, 0);
else
strcpy(funName, "unnamed");
LogController.printf("function<%p:%s> ", (void*)*(JSObject **)slot, funName);
}
#endif
return;
}
default:
JS_NOT_REACHED("unexpected type");
break;
}
#endif
}
void
TraceMonitor::flush()
{
/* flush should only be called after all recorders have been aborted. */
JS_ASSERT(!recorder);
JS_ASSERT(!profile);
AUDIT(cacheFlushed);
// recover profiling data from expiring Fragments
verbose_only(
for (size_t i = 0; i < FRAGMENT_TABLE_SIZE; ++i) {
for (TreeFragment *f = vmfragments[i]; f; f = f->next) {
JS_ASSERT(f->root == f);
for (TreeFragment *p = f; p; p = p->peer)
FragProfiling_FragFinalizer(p, this);
}
}
)
verbose_only(
for (Seq<Fragment*>* f = branches; f; f = f->tail)
FragProfiling_FragFinalizer(f->head, this);
)
flushEpoch++;
#ifdef JS_METHODJIT
if (loopProfiles) {
for (LoopProfileMap::Enum e(*loopProfiles); !e.empty(); e.popFront()) {
jsbytecode *pc = e.front().key;
LoopProfile *prof = e.front().value;
/* This code takes care of resetting all methodjit state. */
js::mjit::ResetTraceHint(prof->entryScript, pc, GET_UINT16(pc), true);
}
}
#endif
frameCache->reset();
dataAlloc->reset();
traceAlloc->reset();
codeAlloc->reset();
tempAlloc->reset();
oracle->clear();
loopProfiles->clear();
for (size_t i = 0; i < MONITOR_N_GLOBAL_STATES; ++i) {
globalStates[i].globalShape = -1;
globalStates[i].globalSlots = new (*dataAlloc) SlotList(dataAlloc);
}
assembler = new (*dataAlloc) Assembler(*codeAlloc, *dataAlloc, *dataAlloc,
&LogController, NJConfig);
verbose_only( branches = NULL; )
PodArrayZero(vmfragments);
tracedScripts.clear();
needFlush = JS_FALSE;
}
static bool
HasUnreachableGCThings(JSContext *cx, TreeFragment *f)
{
/*
* We do not check here for dead scripts as JSScript is not a GC thing.
* Instead PurgeScriptFragments is used to remove dead script fragments.
* See bug 584860.
*/
if (IsAboutToBeFinalized(cx, f->globalObj))
return true;
Value* vp = f->gcthings.data();
for (unsigned len = f->gcthings.length(); len; --len) {
Value &v = *vp++;
JS_ASSERT(v.isMarkable());
if (IsAboutToBeFinalized(cx, v.toGCThing()))
return true;
}
const Shape** shapep = f->shapes.data();
for (unsigned len = f->shapes.length(); len; --len) {
const Shape* shape = *shapep++;
if (IsAboutToBeFinalized(cx, shape))
return true;
}
return false;
}
static bool
ContainsUnrechableGCThingImpl(JSContext *cx, TreeFragment *f)
{
if (f->visiting)
return false;
f->visiting = true;
if (!f->code())
return false;
if (HasUnreachableGCThings(cx, f))
return true;
TreeFragment** data = f->dependentTrees.data();
unsigned length = f->dependentTrees.length();
for (unsigned n = 0; n < length; ++n) {
if (ContainsUnrechableGCThingImpl(cx, data[n]))
return true;
}
data = f->linkedTrees.data();
length = f->linkedTrees.length();
for (unsigned n = 0; n < length; ++n) {
if (ContainsUnrechableGCThingImpl(cx, data[n]))
return true;
}
return false;
}
static void
ClearVisitingFlag(TreeFragment *f)
{
if (!f->visiting)
return;
f->visiting = false;
if (!f->code())
return;
TreeFragment** data = f->dependentTrees.data();
unsigned length = f->dependentTrees.length();
for (unsigned n = 0; n < length; ++n)
ClearVisitingFlag(data[n]);
data = f->linkedTrees.data();
length = f->linkedTrees.length();
for (unsigned n = 0; n < length; ++n)
ClearVisitingFlag(data[n]);
}
/*
* Recursively check if the fragment and its dependent and linked trees has
* dead GC things. As the trees can point to each other we use the visiting
* flag to detect already visited fragments. The flag is cleared after we
* walked the whole graph in the separated ClearVisitingFlag function.
*/
static bool
ContainsUnrechableGCThing(JSContext *cx, TreeFragment *f)
{
bool hasUnrechable = ContainsUnrechableGCThingImpl(cx, f);
ClearVisitingFlag(f);
return hasUnrechable;
}
void
TraceMonitor::sweep(JSContext *cx)
{
JS_ASSERT(!ontrace());
debug_only_print0(LC_TMTracer, "Purging fragments with dead things");
bool shouldAbortRecording = false;
TreeFragment *recorderTree = NULL;
if (recorder) {
recorderTree = recorder->getTree();
shouldAbortRecording = HasUnreachableGCThings(cx, recorderTree);
}
for (size_t i = 0; i < FRAGMENT_TABLE_SIZE; ++i) {
TreeFragment** fragp = &vmfragments[i];
while (TreeFragment* frag = *fragp) {
TreeFragment* peer = frag;
do {
if (peer->code() && ContainsUnrechableGCThing(cx, peer))
break;
peer = peer->peer;
} while (peer);
if (!peer) {
fragp = &frag->next;
continue;
}
debug_only_printf(LC_TMTracer,
"TreeFragment peer %p has dead gc thing."
"Disconnecting tree %p with ip %p\n",
(void *) peer, (void *) frag, frag->ip);
JS_ASSERT(frag->root == frag);
*fragp = frag->next;
do {
verbose_only( FragProfiling_FragFinalizer(frag, this); );
if (recorderTree == frag)
shouldAbortRecording = true;
TrashTree(frag);
frag = frag->peer;
} while (frag);
}
}
#ifdef DEBUG
for (size_t i = 0; i < FRAGMENT_TABLE_SIZE; ++i) {
for (TreeFragment* frag = vmfragments[i]; frag; frag = frag->next) {
TreeFragment* peer = frag;
do {
JS_ASSERT(!peer->visiting);
peer = peer->peer;
} while (peer);
}
}
#endif
if (shouldAbortRecording)
recorder->finishAbort("dead GC things");
}
void
TraceMonitor::mark(JSTracer *trc)
{
TracerState* state = tracerState;
while (state) {
if (state->nativeVp)
MarkValueRange(trc, state->nativeVpLen, state->nativeVp, "nativeVp");
state = state->prev;
}
}
/*
* Box a value from the native stack back into the Value format.
*/
static inline void
NativeToValue(JSContext* cx, Value& v, JSValueType type, double* slot)
{
if (type == JSVAL_TYPE_DOUBLE) {
v = NumberValue(*slot);
} else if (JS_LIKELY(type <= JSVAL_UPPER_INCL_TYPE_OF_BOXABLE_SET)) {
v.boxNonDoubleFrom(type, (uint64 *)slot);
} else if (type == JSVAL_TYPE_STRORNULL) {
JSString *str = *(JSString **)slot;
v = str ? StringValue(str) : NullValue();
} else if (type == JSVAL_TYPE_OBJORNULL) {
JSObject *obj = *(JSObject **)slot;
v = obj ? ObjectValue(*obj) : NullValue();
} else {
JS_ASSERT(type == JSVAL_TYPE_BOXED);
JS_STATIC_ASSERT(sizeof(Value) == sizeof(double));
v = *(Value *)slot;
}
#ifdef DEBUG
switch (type) {
case JSVAL_TYPE_NONFUNOBJ:
JS_ASSERT(!IsFunctionObject(v));
debug_only_printf(LC_TMTracer,
"object<%p:%s> ",
(void*) &v.toObject(),
v.toObject().getClass()->name);
break;
case JSVAL_TYPE_INT32:
debug_only_printf(LC_TMTracer, "int<%d> ", v.toInt32());
break;
case JSVAL_TYPE_DOUBLE:
debug_only_printf(LC_TMTracer, "double<%g> ", v.toNumber());
break;
case JSVAL_TYPE_STRING:
debug_only_printf(LC_TMTracer, "string<%p> ", (void*)v.toString());
break;
case JSVAL_TYPE_NULL:
JS_ASSERT(v.isNull());
debug_only_print0(LC_TMTracer, "null ");
break;
case JSVAL_TYPE_BOOLEAN:
debug_only_printf(LC_TMTracer, "bool<%d> ", v.toBoolean());
break;
case JSVAL_TYPE_UNDEFINED:
JS_ASSERT(v.isUndefined());
debug_only_print0(LC_TMTracer, "undefined ");
break;
case JSVAL_TYPE_MAGIC:
debug_only_printf(LC_TMTracer, "magic<%d> ", v.whyMagic());
break;
case JSVAL_TYPE_FUNOBJ:
JS_ASSERT(IsFunctionObject(v));
#if defined JS_JIT_SPEW
if (LogController.lcbits & LC_TMTracer) {
JSFunction* fun = v.toObject().getFunctionPrivate();
char funName[40];
if (fun->atom)
JS_PutEscapedFlatString(funName, sizeof funName, fun->atom, 0);
else
strcpy(funName, "unnamed");
LogController.printf("function<%p:%s> ", (void*) &v.toObject(), funName);
}
#endif
break;
case JSVAL_TYPE_STRORNULL:
debug_only_printf(LC_TMTracer, "nullablestr<%p> ", v.isNull() ? NULL : (void *)v.toString());
break;
case JSVAL_TYPE_OBJORNULL:
debug_only_printf(LC_TMTracer, "nullablestr<%p> ", v.isNull() ? NULL : (void *)&v.toObject());
break;
case JSVAL_TYPE_BOXED:
debug_only_printf(LC_TMTracer, "box<%llx> ", (long long unsigned int)v.asRawBits());
break;
default:
JS_NOT_REACHED("unexpected type");
break;
}
#endif
}
void
ExternNativeToValue(JSContext* cx, Value& v, JSValueType type, double* slot)
{
return NativeToValue(cx, v, type, slot);
}
class BuildNativeFrameVisitor : public SlotVisitorBase
{
JSContext *mCx;
JSValueType *mTypeMap;
double *mGlobal;
double *mStack;
public:
BuildNativeFrameVisitor(JSContext *cx,
JSValueType *typemap,
double *global,
double *stack) :
mCx(cx),
mTypeMap(typemap),
mGlobal(global),
mStack(stack)
{}
JS_REQUIRES_STACK JS_ALWAYS_INLINE void
visitGlobalSlot(Value *vp, unsigned n, unsigned slot) {
debug_only_printf(LC_TMTracer, "global%d: ", n);
ValueToNative(*vp, *mTypeMap++, &mGlobal[slot]);
}
JS_REQUIRES_STACK JS_ALWAYS_INLINE bool
visitStackSlots(Value *vp, int count, StackFrame* fp) {
for (int i = 0; i < count; ++i) {
debug_only_printf(LC_TMTracer, "%s%d: ", stackSlotKind(), i);
ValueToNative(*vp++, *mTypeMap++, mStack++);
}
return true;
}
JS_REQUIRES_STACK JS_ALWAYS_INLINE bool
visitFrameObjPtr(void* p, StackFrame* fp) {
debug_only_printf(LC_TMTracer, "%s%d: ", stackSlotKind(), 0);
if (p == fp->addressOfScopeChain())
*(JSObject **)mStack = &fp->scopeChain();
else
*(JSObject **)mStack = fp->hasArgsObj() ? &fp->argsObj() : NULL;
#ifdef DEBUG
if (*mTypeMap == JSVAL_TYPE_NULL) {
JS_ASSERT(*(JSObject **)mStack == NULL);
debug_only_print0(LC_TMTracer, "null ");
} else {
JS_ASSERT(*mTypeMap == JSVAL_TYPE_NONFUNOBJ);
JS_ASSERT(!(*(JSObject **)p)->isFunction());
debug_only_printf(LC_TMTracer,
"object<%p:%s> ", *(void **)p,
(*(JSObject **)p)->getClass()->name);
}
#endif
mTypeMap++;
mStack++;
return true;
}
};
static JS_REQUIRES_STACK void
BuildNativeFrame(JSContext *cx, JSObject *globalObj, unsigned callDepth,
unsigned ngslots, uint16 *gslots,
JSValueType *typeMap, double *global, double *stack)
{
BuildNativeFrameVisitor visitor(cx, typeMap, global, stack);
VisitSlots(visitor, cx, globalObj, callDepth, ngslots, gslots);
debug_only_print0(LC_TMTracer, "\n");
}
class FlushNativeGlobalFrameVisitor : public SlotVisitorBase
{
JSContext *mCx;
JSValueType *mTypeMap;
double *mGlobal;
public:
FlushNativeGlobalFrameVisitor(JSContext *cx,
JSValueType *typeMap,
double *global) :
mCx(cx),
mTypeMap(typeMap),
mGlobal(global)
{}
JS_REQUIRES_STACK JS_ALWAYS_INLINE void
visitGlobalSlot(Value *vp, unsigned n, unsigned slot) {
debug_only_printf(LC_TMTracer, "global%d=", n);
JS_ASSERT(JS_THREAD_DATA(mCx)->waiveGCQuota);
NativeToValue(mCx, *vp, *mTypeMap++, &mGlobal[slot]);
}
};
class FlushNativeStackFrameVisitor : public SlotVisitorBase
{
JSContext *mCx;
const JSValueType *mInitTypeMap;
const JSValueType *mTypeMap;
double *mStack;
public:
FlushNativeStackFrameVisitor(JSContext *cx,
const JSValueType *typeMap,
double *stack) :
mCx(cx),
mInitTypeMap(typeMap),
mTypeMap(typeMap),
mStack(stack)
{}
const JSValueType* getTypeMap()
{
return mTypeMap;
}
JS_REQUIRES_STACK JS_ALWAYS_INLINE bool
visitStackSlots(Value *vp, size_t count, StackFrame* fp) {
JS_ASSERT(JS_THREAD_DATA(mCx)->waiveGCQuota);
for (size_t i = 0; i < count; ++i) {
debug_only_printf(LC_TMTracer, "%s%u=", stackSlotKind(), unsigned(i));
NativeToValue(mCx, *vp, *mTypeMap, mStack);
vp++;
mTypeMap++;
mStack++;
}
return true;
}
JS_REQUIRES_STACK JS_ALWAYS_INLINE bool
visitFrameObjPtr(void* p, StackFrame* fp) {
JS_ASSERT(JS_THREAD_DATA(mCx)->waiveGCQuota);
debug_only_printf(LC_TMTracer, "%s%u=", stackSlotKind(), 0);
JSObject *frameobj = *(JSObject **)mStack;
JS_ASSERT((frameobj == NULL) == (*mTypeMap == JSVAL_TYPE_NULL));
if (p == fp->addressOfArgs()) {
if (frameobj) {
JS_ASSERT_IF(fp->hasArgsObj(), frameobj == &fp->argsObj());
fp->setArgsObj(*frameobj->asArguments());
if (frameobj->isNormalArguments())
frameobj->setPrivate(fp);
else
JS_ASSERT(!frameobj->getPrivate());
debug_only_printf(LC_TMTracer,
"argsobj<%p> ",
(void *)frameobj);
} else {
JS_ASSERT(!fp->hasArgsObj());
debug_only_print0(LC_TMTracer,
"argsobj<null> ");
}
/* else, SynthesizeFrame has initialized fp->args.nactual */
} else {
JS_ASSERT(p == fp->addressOfScopeChain());
if (frameobj->isCall() &&
!frameobj->getPrivate() &&
fp->maybeCalleev().toObjectOrNull() == frameobj->getCallObjCallee())
{
JS_ASSERT(&fp->scopeChain() == StackFrame::sInvalidScopeChain);
frameobj->setPrivate(fp);
fp->setScopeChainWithOwnCallObj(*frameobj);
} else {
fp->setScopeChainNoCallObj(*frameobj);
}
debug_only_printf(LC_TMTracer,
"scopechain<%p> ",
(void *)frameobj);
}
#ifdef DEBUG
JSValueType type = *mTypeMap;
if (type == JSVAL_TYPE_NULL) {
debug_only_print0(LC_TMTracer, "null ");
} else {
JS_ASSERT(type == JSVAL_TYPE_NONFUNOBJ);
JS_ASSERT(!frameobj->isFunction());
debug_only_printf(LC_TMTracer,
"object<%p:%s> ",
*(void **)p,
frameobj->getClass()->name);
}
#endif
mTypeMap++;
mStack++;
return true;
}
};
/* Box the given native frame into a JS frame. This is infallible. */
static JS_REQUIRES_STACK void
FlushNativeGlobalFrame(JSContext *cx, JSObject *globalObj, double *global, unsigned ngslots,
uint16 *gslots, JSValueType *typemap)
{
FlushNativeGlobalFrameVisitor visitor(cx, typemap, global);
VisitGlobalSlots(visitor, cx, globalObj, ngslots, gslots);
debug_only_print0(LC_TMTracer, "\n");
}
/*
* Returns the number of values on the native stack, excluding the innermost
* frame. This walks all FrameInfos on the native frame stack and sums the
* slot usage of each frame.
*/
static int32
StackDepthFromCallStack(TracerState* state, uint32 callDepth)
{
int32 nativeStackFramePos = 0;
// Duplicate native stack layout computation: see VisitFrameSlots header comment.
for (FrameInfo** fip = state->callstackBase; fip < state->rp + callDepth; fip++)
nativeStackFramePos += (*fip)->callerHeight;
return nativeStackFramePos;
}
/*
* Generic function to read upvars on trace from slots of active frames.
* T Traits type parameter. Must provide static functions:
* interp_get(fp, slot) Read the value out of an interpreter frame.
* native_slot(argc, slot) Return the position of the desired value in the on-trace
* stack frame (with position 0 being callee).
*
* upvarLevel Static level of the function containing the upvar definition
* slot Identifies the value to get. The meaning is defined by the traits type.
* callDepth Call depth of current point relative to trace entry
*/
template<typename T>
inline JSValueType
GetUpvarOnTrace(JSContext* cx, uint32 upvarLevel, int32 slot, uint32 callDepth, double* result)
{
TracerState* state = JS_TRACE_MONITOR_ON_TRACE(cx)->tracerState;
FrameInfo** fip = state->rp + callDepth;
/*
* First search the FrameInfo call stack for an entry containing our
* upvar, namely one with level == upvarLevel. The first FrameInfo is a
* transition from the entry frame to some callee. However, it is not
* known (from looking at the FrameInfo) whether the entry frame had a
* callee. Rather than special-case this or insert more logic into the
* loop, instead just stop before that FrameInfo (i.e. |> base| instead of
* |>= base|), and let the code after the loop handle it.
*/
int32 stackOffset = StackDepthFromCallStack(state, callDepth);
while (--fip > state->callstackBase) {
FrameInfo* fi = *fip;
/*
* The loop starts aligned to the top of the stack, so move down to the first meaningful
* callee. Then read the callee directly from the frame.
*/
stackOffset -= fi->callerHeight;
JSObject* callee = *(JSObject**)(&state->stackBase[stackOffset]);
JSFunction* fun = callee->getFunctionPrivate();
uintN calleeLevel = fun->script()->staticLevel;
if (calleeLevel == upvarLevel) {
/*
* Now find the upvar's value in the native stack. stackOffset is
* the offset of the start of the activation record corresponding
* to *fip in the native stack.
*/
uint32 native_slot = T::native_slot(fi->callerArgc, slot);
*result = state->stackBase[stackOffset + native_slot];
return fi->get_typemap()[native_slot];
}
}
// Next search the trace entry frame, which is not in the FrameInfo stack.
if (state->outermostTree->script->staticLevel == upvarLevel) {
uint32 argc = state->outermostTree->argc;
uint32 native_slot = T::native_slot(argc, slot);
*result = state->stackBase[native_slot];
return state->callstackBase[0]->get_typemap()[native_slot];
}
/*
* If we did not find the upvar in the frames for the active traces,
* then we simply get the value from the interpreter state.
*/
JS_ASSERT(upvarLevel < UpvarCookie::UPVAR_LEVEL_LIMIT);
StackFrame* fp = FindUpvarFrame(cx, upvarLevel);
Value v = T::interp_get(fp, slot);
JSValueType type = getCoercedType(v);
ValueToNative(v, type, result);
return type;
}
// For this traits type, 'slot' is the argument index, which may be -2 for callee.
struct UpvarArgTraits {
static Value interp_get(StackFrame* fp, int32 slot) {
return fp->formalArg(slot);
}
static uint32 native_slot(uint32 argc, int32 slot) {
return 2 /*callee,this*/ + slot;
}
};
uint32 JS_FASTCALL
GetUpvarArgOnTrace(JSContext* cx, uint32 upvarLevel, int32 slot, uint32 callDepth, double* result)
{
return GetUpvarOnTrace<UpvarArgTraits>(cx, upvarLevel, slot, callDepth, result);
}
// For this traits type, 'slot' is an index into the local slots array.
struct UpvarVarTraits {
static Value interp_get(StackFrame* fp, int32 slot) {
return fp->slots()[slot];
}
static uint32 native_slot(uint32 argc, int32 slot) {
return 4 /*callee,this,arguments,scopeChain*/ + argc + slot;
}
};
uint32 JS_FASTCALL
GetUpvarVarOnTrace(JSContext* cx, uint32 upvarLevel, int32 slot, uint32 callDepth, double* result)
{
return GetUpvarOnTrace<UpvarVarTraits>(cx, upvarLevel, slot, callDepth, result);
}
/*
* For this traits type, 'slot' is an index into the stack area (within slots,
* after nfixed) of a frame with no function. (On trace, the top-level frame is
* the only one that can have no function.)
*/
struct UpvarStackTraits {
static Value interp_get(StackFrame* fp, int32 slot) {
return fp->slots()[slot + fp->numFixed()];
}
static uint32 native_slot(uint32 argc, int32 slot) {
/*
* Locals are not imported by the tracer when the frame has no
* function, so we do not add fp->getFixedCount().
*/
JS_ASSERT(argc == 0);
return slot;
}
};
uint32 JS_FASTCALL
GetUpvarStackOnTrace(JSContext* cx, uint32 upvarLevel, int32 slot, uint32 callDepth,
double* result)
{
return GetUpvarOnTrace<UpvarStackTraits>(cx, upvarLevel, slot, callDepth, result);
}
// Parameters needed to access a value from a closure on trace.
struct ClosureVarInfo
{
uint32 slot;
#ifdef DEBUG
uint32 callDepth;
#endif
};
/*
* Generic function to read upvars from Call objects of active heavyweight functions.
* call Callee Function object in which the upvar is accessed.
*/
template<typename T>
inline uint32
GetFromClosure(JSContext* cx, JSObject* call, const ClosureVarInfo* cv, double* result)
{
JS_ASSERT(call->isCall());
#ifdef DEBUG
TracerState* state = JS_TRACE_MONITOR_ON_TRACE(cx)->tracerState;
FrameInfo** fip = state->rp + cv->callDepth;
int32 stackOffset = StackDepthFromCallStack(state, cv->callDepth);
while (--fip > state->callstackBase) {
FrameInfo* fi = *fip;
/*
* The loop starts aligned to the top of the stack, so move down to the first meaningful
* callee. Then read the callee directly from the frame.
*/
stackOffset -= fi->callerHeight;
JSObject* callee = *(JSObject**)(&state->stackBase[stackOffset]);
if (callee == call) {
// This is not reachable as long as the tracer guards on the identity of the callee's
// parent when making a call:
//
// - We can only reach this point if we execute JSOP_LAMBDA on trace, then call the
// function created by the lambda, and then execute a JSOP_NAME on trace.
// - Each time we execute JSOP_LAMBDA we get a function with a different parent.
// - When we execute the call to the new function, we exit trace because the parent
// is different.
JS_NOT_REACHED("JSOP_NAME variable found in outer trace");
}
}
#endif
// We already guarded on trace that we aren't touching an outer tree's entry frame
VOUCH_DOES_NOT_REQUIRE_STACK();
StackFrame* fp = (StackFrame*) call->getPrivate();
JS_ASSERT(fp != cx->fp());
Value v;
if (fp) {
v = T::get_slot(fp, cv->slot);
} else {
/*
* Get the value from the object. We know we have a Call object, and
* that our slot index is fine, so don't monkey around with calling the
* property getter (which just looks in the slot) or calling
* js_GetReservedSlot. Just get the slot directly. Note the static
* asserts in jsfun.cpp which make sure Call objects use slots.
*/
JS_ASSERT(cv->slot < T::slot_count(call));
v = T::get_slot(call, cv->slot);
}
JSValueType type = getCoercedType(v);
ValueToNative(v, type, result);
return type;
}
struct ArgClosureTraits
{
// Get the right frame slots to use our slot index with.
// See also UpvarArgTraits.
static inline Value get_slot(StackFrame* fp, unsigned slot) {
JS_ASSERT(slot < fp->numFormalArgs());
return fp->formalArg(slot);
}
// Get the right object slots to use our slot index with.
static inline Value get_slot(JSObject* obj, unsigned slot) {
return obj->getSlot(slot_offset(obj) + slot);
}
// Get the offset of our object slots from the object's slots pointer.
static inline uint32 slot_offset(JSObject* obj) {
return JSObject::CALL_RESERVED_SLOTS;
}
// Get the maximum slot index of this type that should be allowed
static inline uint16 slot_count(JSObject* obj) {
return obj->getCallObjCalleeFunction()->nargs;
}
private:
ArgClosureTraits();
};
uint32 JS_FASTCALL
GetClosureArg(JSContext* cx, JSObject* callee, const ClosureVarInfo* cv, double* result)
{
return GetFromClosure<ArgClosureTraits>(cx, callee, cv, result);
}
struct VarClosureTraits
{
// See also UpvarVarTraits.
static inline Value get_slot(StackFrame* fp, unsigned slot) {
JS_ASSERT(slot < fp->fun()->script()->bindings.countVars());
return fp->slots()[slot];
}
static inline Value get_slot(JSObject* obj, unsigned slot) {
return obj->getSlot(slot_offset(obj) + slot);
}
static inline uint32 slot_offset(JSObject* obj) {
return JSObject::CALL_RESERVED_SLOTS +
obj->getCallObjCalleeFunction()->nargs;
}
static inline uint16 slot_count(JSObject* obj) {
return obj->getCallObjCalleeFunction()->script()->bindings.countVars();
}
private:
VarClosureTraits();
};
uint32 JS_FASTCALL
GetClosureVar(JSContext* cx, JSObject* callee, const ClosureVarInfo* cv, double* result)
{
return GetFromClosure<VarClosureTraits>(cx, callee, cv, result);
}
/**
* Box the given native stack frame into the virtual machine stack. This
* is infallible.
*
* @param callDepth the distance between the entry frame into our trace and
* cx->fp() when we make this call. If this is not called as a
* result of a nested exit, callDepth is 0.
* @param mp an array of JSValueType that indicate what the types of the things
* on the stack are.
* @param np pointer to the native stack. We want to copy values from here to
* the JS stack as needed.
* @return the number of things we popped off of np.
*/
static JS_REQUIRES_STACK int
FlushNativeStackFrame(JSContext* cx, unsigned callDepth, const JSValueType* mp, double* np)
{
/* Root all string and object references first (we don't need to call the GC for this). */
FlushNativeStackFrameVisitor visitor(cx, mp, np);
VisitStackSlots(visitor, cx, callDepth);
debug_only_print0(LC_TMTracer, "\n");
return visitor.getTypeMap() - mp;
}
/* Emit load instructions onto the trace that read the initial stack state. */
JS_REQUIRES_STACK void
TraceRecorder::importImpl(Address addr, const void* p, JSValueType t,
const char *prefix, uintN index, StackFrame *fp)
{
LIns* ins;
if (t == JSVAL_TYPE_INT32) { /* demoted */
JS_ASSERT(hasInt32Repr(*(const Value *)p));
/*
* Ok, we have a valid demotion attempt pending, so insert an integer
* read and promote it to double since all arithmetic operations expect
* to see doubles on entry. The first op to use this slot will emit a
* d2i cast which will cancel out the i2d we insert here.
*/
ins = w.ldi(addr);
ins = w.i2d(ins);
} else {
JS_ASSERT_IF(t != JSVAL_TYPE_BOXED && !isFrameObjPtrTraceType(t),
((const Value *)p)->isNumber() == (t == JSVAL_TYPE_DOUBLE));
if (t == JSVAL_TYPE_DOUBLE) {
ins = w.ldd(addr);
} else if (t == JSVAL_TYPE_BOOLEAN) {
ins = w.ldi(addr);
} else if (t == JSVAL_TYPE_UNDEFINED) {
ins = w.immiUndefined();
} else if (t == JSVAL_TYPE_MAGIC) {
ins = w.ldi(addr);
} else {
ins = w.ldp(addr);
}
}
checkForGlobalObjectReallocation();
tracker.set(p, ins);
#ifdef DEBUG
char name[64];
JS_ASSERT(strlen(prefix) < 11);
Vector<JSAtom *> localNames(cx);
const char* funName = NULL;
JSAutoByteString funNameBytes;
if (*prefix == 'a' || *prefix == 'v') {
JSFunction *fun = fp->fun();
Bindings &bindings = fun->script()->bindings;
if (bindings.hasLocalNames()) {
JS_ASSERT(bindings.getLocalNameArray(cx, &localNames));
}
funName = fun->atom
? js_AtomToPrintableString(cx, fun->atom, &funNameBytes)
: "<anonymous>";
}
if (!strcmp(prefix, "argv")) {
if (index < fp->numFormalArgs()) {
JSAtom *atom = localNames[index];
JSAutoByteString atomBytes;
JS_snprintf(name, sizeof name, "$%s.%s", funName,
js_AtomToPrintableString(cx, atom, &atomBytes));
} else {
JS_snprintf(name, sizeof name, "$%s.<arg%d>", funName, index);
}
} else if (!strcmp(prefix, "vars")) {
JSAtom *atom = localNames[fp->numFormalArgs() + index];
JSAutoByteString atomBytes;
JS_snprintf(name, sizeof name, "$%s.%s", funName,
js_AtomToPrintableString(cx, atom, &atomBytes));
} else {
JS_snprintf(name, sizeof name, "$%s%d", prefix, index);
}
w.name(ins, name);
debug_only_printf(LC_TMTracer, "import vp=%p name=%s type=%c\n",
p, name, TypeToChar(t));
#endif
}
JS_REQUIRES_STACK void
TraceRecorder::import(Address addr, const Value* p, JSValueType t,
const char *prefix, uintN index, StackFrame *fp)
{
return importImpl(addr, p, t, prefix, index, fp);
}
class ImportBoxedStackSlotVisitor : public SlotVisitorBase
{
TraceRecorder &mRecorder;
LIns *mBase;
ptrdiff_t mStackOffset;
JSValueType *mTypemap;
StackFrame *mFp;
public:
ImportBoxedStackSlotVisitor(TraceRecorder &recorder,
LIns *base,
ptrdiff_t stackOffset,
JSValueType *typemap) :
mRecorder(recorder),
mBase(base),
mStackOffset(stackOffset),
mTypemap(typemap)
{}
JS_REQUIRES_STACK JS_ALWAYS_INLINE bool
visitStackSlots(Value *vp, size_t count, StackFrame* fp) {
for (size_t i = 0; i < count; ++i) {
if (*mTypemap == JSVAL_TYPE_BOXED) {
mRecorder.import(StackAddress(mBase, mStackOffset), vp, JSVAL_TYPE_BOXED,
"jsval", i, fp);
LIns *vp_ins = mRecorder.unbox_value(*vp,
StackAddress(mBase, mStackOffset),
mRecorder.copy(mRecorder.anchor));
mRecorder.set(vp, vp_ins);
}
vp++;
mTypemap++;
mStackOffset += sizeof(double);
}
return true;
}
JS_REQUIRES_STACK JS_ALWAYS_INLINE bool
visitFrameObjPtr(void* p, StackFrame *fp) {
JS_ASSERT(*mTypemap != JSVAL_TYPE_BOXED);
mTypemap++;
mStackOffset += sizeof(double);
return true;
}
};
JS_REQUIRES_STACK void
TraceRecorder::import(TreeFragment* tree, LIns* sp, unsigned stackSlots, unsigned ngslots,
unsigned callDepth, JSValueType* typeMap)
{
/*
* If we get a partial list that doesn't have all the types (i.e. recording
* from a side exit that was recorded but we added more global slots
* later), merge the missing types from the entry type map. This is safe
* because at the loop edge we verify that we have compatible types for all
* globals (entry type and loop edge type match). While a different trace
* of the tree might have had a guard with a different type map for these
* slots we just filled in here (the guard we continue from didn't know
* about them), since we didn't take that particular guard the only way we
* could have ended up here is if that other trace had at its end a
* compatible type distribution with the entry map. Since that's exactly
* what we used to fill in the types our current side exit didn't provide,
* this is always safe to do.
*/
JSValueType* globalTypeMap = typeMap + stackSlots;
unsigned length = tree->nGlobalTypes();
/*
* This is potentially the typemap of the side exit and thus shorter than
* the tree's global type map.
*/
if (ngslots < length) {
MergeTypeMaps(&globalTypeMap /* out param */, &ngslots /* out param */,
tree->globalTypeMap(), length,
(JSValueType*)alloca(sizeof(JSValueType) * length));
}
JS_ASSERT(ngslots == tree->nGlobalTypes());
/*
* Check whether there are any values on the stack we have to unbox and do
* that first before we waste any time fetching the state from the stack.
*/
ImportBoxedStackSlotVisitor boxedStackVisitor(*this, sp, -tree->nativeStackBase, typeMap);
VisitStackSlots(boxedStackVisitor, cx, callDepth);
/*
* Remember the import type map so we can lazily import later whatever
* we need.
*/
importTypeMap.set(importStackSlots = stackSlots,
importGlobalSlots = ngslots,
typeMap, globalTypeMap);
}
JS_REQUIRES_STACK bool
TraceRecorder::isValidSlot(JSObject *obj, const Shape* shape)
{
uint32 setflags = (js_CodeSpec[*cx->regs().pc].format & (JOF_SET | JOF_INCDEC | JOF_FOR));
if (setflags) {
if (!shape->hasDefaultSetter())
RETURN_VALUE("non-stub setter", false);
if (!shape->writable())
RETURN_VALUE("writing to a read-only property", false);
}
/* This check applies even when setflags == 0. */
if (setflags != JOF_SET && !shape->hasDefaultGetter()) {
JS_ASSERT(!shape->isMethod());
RETURN_VALUE("non-stub getter", false);
}
if (!obj->containsSlot(shape->slot))
RETURN_VALUE("invalid-slot obj property", false);
return true;
}
/* Lazily import a global slot if we don't already have it in the tracker. */
JS_REQUIRES_STACK void
TraceRecorder::importGlobalSlot(unsigned slot)
{
JS_ASSERT(slot == uint16(slot));
JS_ASSERT(globalObj->numSlots() <= MAX_GLOBAL_SLOTS);
const Value* vp = &globalObj->getSlot(slot);
JS_ASSERT(!known(vp));
/* Add the slot to the list of interned global slots. */
JSValueType type;
int index = tree->globalSlots->offsetOf(uint16(slot));
if (index == -1) {
type = getCoercedType(*vp);
if (type == JSVAL_TYPE_INT32 && (!oracle || oracle->isGlobalSlotUndemotable(cx, slot)))
type = JSVAL_TYPE_DOUBLE;
index = (int)tree->globalSlots->length();
tree->globalSlots->add(uint16(slot));
tree->typeMap.add(type);
SpecializeTreesToMissingGlobals(cx, globalObj, tree);
JS_ASSERT(tree->nGlobalTypes() == tree->globalSlots->length());
} else {
type = importTypeMap[importStackSlots + index];
}
import(EosAddress(eos_ins, slot * sizeof(double)), vp, type, "global", index, NULL);
}
/* Lazily import a global slot if we don't already have it in the tracker. */
JS_REQUIRES_STACK bool
TraceRecorder::lazilyImportGlobalSlot(unsigned slot)
{
if (slot != uint16(slot)) /* we use a table of 16-bit ints, bail out if that's not enough */
return false;
/*
* If the global object grows too large, alloca in ExecuteTree might fail,
* so abort tracing on global objects with unreasonably many slots.
*/
if (globalObj->numSlots() > MAX_GLOBAL_SLOTS)
return false;
const Value* vp = &globalObj->getSlot(slot);
if (known(vp))
return true; /* we already have it */
importGlobalSlot(slot);
return true;
}
/* Write back a value onto the stack or global frames. */
LIns*
TraceRecorder::writeBack(LIns* ins, LIns* base, ptrdiff_t offset, bool shouldDemoteToInt32)
{
/*
* Sink all type casts targeting the stack into the side exit by simply storing the original
* (uncasted) value. Each guard generates the side exit map based on the types of the
* last stores to every stack location, so it's safe to not perform them on-trace.
*/
JS_ASSERT(base == lirbuf->sp || base == eos_ins);
if (shouldDemoteToInt32 && IsPromotedInt32(ins))
ins = w.demoteToInt32(ins);
Address addr;
if (base == lirbuf->sp) {
addr = StackAddress(base, offset);
} else {
addr = EosAddress(base, offset);
unsigned slot = unsigned(offset / sizeof(double));
(void)pendingGlobalSlotsToSet.append(slot); /* OOM is safe. */
}
return w.st(ins, addr);
}
/* Update the tracker, then issue a write back store. */
JS_REQUIRES_STACK void
TraceRecorder::setImpl(const void* p, LIns* i, bool shouldDemoteToInt32)
{
JS_ASSERT(i != NULL);
checkForGlobalObjectReallocation();
tracker.set(p, i);
/*
* If we are writing to this location for the first time, calculate the
* offset into the native frame manually. Otherwise just look up the last
* load or store associated with the same source address (p) and use the
* same offset/base.
*/
LIns* x = nativeFrameTracker.get(p);
if (!x) {
if (isVoidPtrGlobal(p))
x = writeBack(i, eos_ins, nativeGlobalOffset((Value *)p), shouldDemoteToInt32);
else
x = writeBack(i, lirbuf->sp, nativespOffsetImpl(p), shouldDemoteToInt32);
nativeFrameTracker.set(p, x);
} else {
#if defined NANOJIT_64BIT
JS_ASSERT( x->isop(LIR_stq) || x->isop(LIR_sti) || x->isop(LIR_std));
#else
JS_ASSERT( x->isop(LIR_sti) || x->isop(LIR_std));
#endif
ptrdiff_t disp;
LIns *base = x->oprnd2();
if (base->isop(LIR_addp) && base->oprnd2()->isImmP()) {
disp = ptrdiff_t(base->oprnd2()->immP());
base = base->oprnd1();
} else {
disp = x->disp();
}
JS_ASSERT(base == lirbuf->sp || base == eos_ins);
JS_ASSERT(disp == ((base == lirbuf->sp)
? nativespOffsetImpl(p)
: nativeGlobalOffset((Value *)p)));
writeBack(i, base, disp, shouldDemoteToInt32);
}
}
JS_REQUIRES_STACK inline void
TraceRecorder::set(const Value* p, LIns* i, bool shouldDemoteToInt32)
{
return setImpl(p, i, shouldDemoteToInt32);
}
JS_REQUIRES_STACK void
TraceRecorder::setFrameObjPtr(void* p, LIns* i, bool shouldDemoteToInt32)
{
JS_ASSERT(isValidFrameObjPtr(p));
return setImpl(p, i, shouldDemoteToInt32);
}
JS_REQUIRES_STACK LIns*
TraceRecorder::attemptImport(const Value* p)
{
if (LIns* i = getFromTracker(p))
return i;
/* If the variable was not known, it could require a lazy import. */
CountSlotsVisitor countVisitor(p);
VisitStackSlots(countVisitor, cx, callDepth);
if (countVisitor.stopped() || size_t(p - cx->fp()->slots()) < cx->fp()->numSlots())
return get(p);
return NULL;
}
inline nanojit::LIns*
TraceRecorder::getFromTrackerImpl(const void* p)
{
checkForGlobalObjectReallocation();
return tracker.get(p);
}
inline nanojit::LIns*
TraceRecorder::getFromTracker(const Value* p)
{
return getFromTrackerImpl(p);
}
JS_REQUIRES_STACK LIns*
TraceRecorder::getImpl(const void *p)
{
LIns* x = getFromTrackerImpl(p);
if (x)
return x;
if (isVoidPtrGlobal(p)) {
unsigned slot = nativeGlobalSlot((const Value *)p);
JS_ASSERT(tree->globalSlots->offsetOf(uint16(slot)) != -1);
importGlobalSlot(slot);
} else {
unsigned slot = nativeStackSlotImpl(p);
JSValueType type = importTypeMap[slot];
importImpl(StackAddress(lirbuf->sp, -tree->nativeStackBase + slot * sizeof(jsdouble)),
p, type, "stack", slot, cx->fp());
}
JS_ASSERT(knownImpl(p));
return tracker.get(p);
}
JS_REQUIRES_STACK LIns*
TraceRecorder::get(const Value *p)
{
return getImpl(p);
}
#ifdef DEBUG
bool
TraceRecorder::isValidFrameObjPtr(void *p)
{
StackFrame *fp = cx->fp();
for (; fp; fp = fp->prev()) {
if (fp->addressOfScopeChain() == p || fp->addressOfArgs() == p)
return true;
}
return false;
}
#endif
JS_REQUIRES_STACK LIns*
TraceRecorder::getFrameObjPtr(void *p)
{
JS_ASSERT(isValidFrameObjPtr(p));
return getImpl(p);
}
JS_REQUIRES_STACK LIns*
TraceRecorder::addr(Value* p)
{
return isGlobal(p)
? w.addp(eos_ins, w.nameImmw(nativeGlobalOffset(p)))
: w.addp(lirbuf->sp, w.nameImmw(nativespOffset(p)));
}
JS_REQUIRES_STACK inline bool
TraceRecorder::knownImpl(const void* p)
{
checkForGlobalObjectReallocation();
return tracker.has(p);
}
JS_REQUIRES_STACK inline bool
TraceRecorder::known(const Value* vp)
{
return knownImpl(vp);
}
JS_REQUIRES_STACK inline bool
TraceRecorder::known(JSObject** p)
{
return knownImpl(p);
}
/*
* The slots of the global object are sometimes reallocated by the interpreter.
* This function check for that condition and re-maps the entries of the tracker
* accordingly.
*/
JS_REQUIRES_STACK void
TraceRecorder::checkForGlobalObjectReallocationHelper()
{
debug_only_print0(LC_TMTracer, "globalObj->slots relocated, updating tracker\n");
const Value* src = global_slots;
const Value* dst = globalObj->getRawSlots();
jsuint length = globalObj->capacity;
LIns** map = (LIns**)alloca(sizeof(LIns*) * length);
for (jsuint n = 0; n < length; ++n) {
const Value *slot = globalObj->getRawSlot(n, src);
map[n] = tracker.get(slot);
tracker.set(slot, NULL);
}
for (jsuint n = 0; n < length; ++n) {
const Value *slot = globalObj->getRawSlot(n, dst);
tracker.set(slot, map[n]);
}
global_slots = globalObj->getRawSlots();
}
/* Determine whether the current branch is a loop edge (taken or not taken). */
static JS_REQUIRES_STACK bool
IsLoopEdge(jsbytecode* pc, jsbytecode* header)
{
switch (*pc) {
case JSOP_IFEQ:
case JSOP_IFNE:
return ((pc + GET_JUMP_OFFSET(pc)) == header);
case JSOP_IFEQX:
case JSOP_IFNEX:
return ((pc + GET_JUMPX_OFFSET(pc)) == header);
default:
JS_ASSERT((*pc == JSOP_AND) || (*pc == JSOP_ANDX) ||
(*pc == JSOP_OR) || (*pc == JSOP_ORX));
}
return false;
}
class AdjustCallerGlobalTypesVisitor : public SlotVisitorBase
{
TraceRecorder &mRecorder;
JSContext *mCx;
nanojit::LirBuffer *mLirbuf;
JSValueType *mTypeMap;
public:
AdjustCallerGlobalTypesVisitor(TraceRecorder &recorder,
JSValueType *typeMap) :
mRecorder(recorder),
mCx(mRecorder.cx),
mLirbuf(mRecorder.lirbuf),
mTypeMap(typeMap)
{}
JSValueType* getTypeMap()
{
return mTypeMap;
}
JS_REQUIRES_STACK JS_ALWAYS_INLINE void
visitGlobalSlot(Value *vp, unsigned n, unsigned slot) {
LIns *ins = mRecorder.get(vp);
bool isPromote = IsPromotedInt32(ins);
if (isPromote && *mTypeMap == JSVAL_TYPE_DOUBLE) {
mRecorder.w.st(mRecorder.get(vp),
EosAddress(mRecorder.eos_ins, mRecorder.nativeGlobalOffset(vp)));
/*
* Aggressively undo speculation so the inner tree will compile
* if this fails.
*/
mRecorder.traceMonitor->oracle->markGlobalSlotUndemotable(mCx, slot);
}
JS_ASSERT(!(!isPromote && *mTypeMap == JSVAL_TYPE_INT32));
++mTypeMap;
}
};
class AdjustCallerStackTypesVisitor : public SlotVisitorBase
{
TraceRecorder &mRecorder;
JSContext *mCx;
nanojit::LirBuffer *mLirbuf;
unsigned mSlotnum;
JSValueType *mTypeMap;
public:
AdjustCallerStackTypesVisitor(TraceRecorder &recorder,
JSValueType *typeMap) :
mRecorder(recorder),
mCx(mRecorder.cx),
mLirbuf(mRecorder.lirbuf),
mSlotnum(0),
mTypeMap(typeMap)
{}
JSValueType* getTypeMap()
{
return mTypeMap;
}
JS_REQUIRES_STACK JS_ALWAYS_INLINE bool
visitStackSlots(Value *vp, size_t count, StackFrame* fp) {
/* N.B. vp may actually point to a JSObject*. */
for (size_t i = 0; i < count; ++i) {
LIns *ins = mRecorder.get(vp);
bool isPromote = IsPromotedInt32(ins);
if (isPromote && *mTypeMap == JSVAL_TYPE_DOUBLE) {
mRecorder.w.st(ins, StackAddress(mLirbuf->sp, mRecorder.nativespOffset(vp)));
/*
* Aggressively undo speculation so the inner tree will compile
* if this fails.
*/
mRecorder.traceMonitor->oracle->markStackSlotUndemotable(mCx, mSlotnum);
}
JS_ASSERT(!(!isPromote && *mTypeMap == JSVAL_TYPE_INT32));
++vp;
++mTypeMap;
++mSlotnum;
}
return true;
}
JS_REQUIRES_STACK JS_ALWAYS_INLINE bool
visitFrameObjPtr(void* p, StackFrame* fp) {
JS_ASSERT(*mTypeMap != JSVAL_TYPE_BOXED);
++mTypeMap;
++mSlotnum;
return true;
}
};
/*
* Promote slots if necessary to match the called tree's type map. This
* function is infallible and must only be called if we are certain that it is
* possible to reconcile the types for each slot in the inner and outer trees.
*/
JS_REQUIRES_STACK void
TraceRecorder::adjustCallerTypes(TreeFragment* f)
{
AdjustCallerGlobalTypesVisitor globalVisitor(*this, f->globalTypeMap());
VisitGlobalSlots(globalVisitor, cx, *tree->globalSlots);
AdjustCallerStackTypesVisitor stackVisitor(*this, f->stackTypeMap());
VisitStackSlots(stackVisitor, cx, 0);
JS_ASSERT(f == f->root);
}
JS_REQUIRES_STACK inline JSValueType
TraceRecorder::determineSlotType(Value* vp)
{
if (vp->isNumber()) {
LIns *i = getFromTracker(vp);
JSValueType t;
if (i) {
t = IsPromotedInt32(i) ? JSVAL_TYPE_INT32 : JSVAL_TYPE_DOUBLE;
} else if (isGlobal(vp)) {
int offset = tree->globalSlots->offsetOf(uint16(nativeGlobalSlot(vp)));
JS_ASSERT(offset != -1);
t = importTypeMap[importStackSlots + offset];
} else {
t = importTypeMap[nativeStackSlot(vp)];
}
JS_ASSERT_IF(t == JSVAL_TYPE_INT32, hasInt32Repr(*vp));
return t;
}
if (vp->isObject())
return vp->toObject().isFunction() ? JSVAL_TYPE_FUNOBJ : JSVAL_TYPE_NONFUNOBJ;
return vp->extractNonDoubleObjectTraceType();
}
class DetermineTypesVisitor : public SlotVisitorBase
{
TraceRecorder &mRecorder;
JSValueType *mTypeMap;
public:
DetermineTypesVisitor(TraceRecorder &recorder,
JSValueType *typeMap) :
mRecorder(recorder),
mTypeMap(typeMap)
{}
JS_REQUIRES_STACK JS_ALWAYS_INLINE void
visitGlobalSlot(Value *vp, unsigned n, unsigned slot) {
*mTypeMap++ = mRecorder.determineSlotType(vp);
}
JS_REQUIRES_STACK JS_ALWAYS_INLINE bool
visitStackSlots(Value *vp, size_t count, StackFrame* fp) {
for (size_t i = 0; i < count; ++i)
*mTypeMap++ = mRecorder.determineSlotType(vp++);
return true;
}
JS_REQUIRES_STACK JS_ALWAYS_INLINE bool
visitFrameObjPtr(void* p, StackFrame* fp) {
*mTypeMap++ = getFrameObjPtrTraceType(p, fp);
return true;
}
JSValueType* getTypeMap()
{
return mTypeMap;
}
};
#if defined JS_JIT_SPEW
JS_REQUIRES_STACK static void
TreevisLogExit(JSContext* cx, VMSideExit* exit)
{
debug_only_printf(LC_TMTreeVis, "TREEVIS ADDEXIT EXIT=%p TYPE=%s FRAG=%p PC=%p FILE=\"%s\""
" LINE=%d OFFS=%d", (void*)exit, getExitName(exit->exitType),
(void*)exit->from, (void*)cx->regs().pc, cx->fp()->script()->filename,
CurrentLine(cx), CurrentPCOffset(cx));
debug_only_print0(LC_TMTreeVis, " STACK=\"");
for (unsigned i = 0; i < exit->numStackSlots; i++)
debug_only_printf(LC_TMTreeVis, "%c", TypeToChar(exit->stackTypeMap()[i]));
debug_only_print0(LC_TMTreeVis, "\" GLOBALS=\"");
for (unsigned i = 0; i < exit->numGlobalSlots; i++)
debug_only_printf(LC_TMTreeVis, "%c", TypeToChar(exit->globalTypeMap()[i]));
debug_only_print0(LC_TMTreeVis, "\"\n");
}
#endif
JS_REQUIRES_STACK VMSideExit*
TraceRecorder::snapshot(ExitType exitType)
{
StackFrame* const fp = cx->fp();
FrameRegs& regs = cx->regs();
jsbytecode* pc = regs.pc;
/*
* Check for a return-value opcode that needs to restart at the next
* instruction.
*/
const JSCodeSpec& cs = js_CodeSpec[*pc];
/*
* When calling a _FAIL native, make the snapshot's pc point to the next
* instruction after the CALL or APPLY. Even on failure, a _FAIL native
* must not be called again from the interpreter.
*/
bool resumeAfter = (pendingSpecializedNative &&
JSTN_ERRTYPE(pendingSpecializedNative) == FAIL_STATUS);
if (resumeAfter) {
JS_ASSERT(*pc == JSOP_CALL || *pc == JSOP_FUNAPPLY || *pc == JSOP_FUNCALL ||
*pc == JSOP_NEW || *pc == JSOP_SETPROP || *pc == JSOP_SETNAME);
pc += cs.length;
regs.pc = pc;
MUST_FLOW_THROUGH("restore_pc");
}
/*
* Generate the entry map for the (possibly advanced) pc and stash it in
* the trace.
*/
unsigned stackSlots = NativeStackSlots(cx, callDepth);
/*
* It's sufficient to track the native stack use here since all stores
* above the stack watermark defined by guards are killed.
*/
trackNativeStackUse(stackSlots + 1);
/* Capture the type map into a temporary location. */
unsigned ngslots = tree->globalSlots->length();
unsigned typemap_size = (stackSlots + ngslots) * sizeof(JSValueType);
/* Use the recorder-local temporary type map. */
JSValueType* typemap = NULL;
if (tempTypeMap.resize(typemap_size))
typemap = tempTypeMap.begin(); /* crash if resize() fails. */
/*
* Determine the type of a store by looking at the current type of the
* actual value the interpreter is using. For numbers we have to check what
* kind of store we used last (integer or double) to figure out what the
* side exit show reflect in its typemap.
*/
DetermineTypesVisitor detVisitor(*this, typemap);
VisitSlots(detVisitor, cx, callDepth, ngslots,
tree->globalSlots->data());
JS_ASSERT(unsigned(detVisitor.getTypeMap() - typemap) ==
ngslots + stackSlots);
/*
* If this snapshot is for a side exit that leaves a boxed Value result on
* the stack, make a note of this in the typemap. Examples include the
* builtinStatus guard after calling a _FAIL builtin, a JSFastNative, or
* GetPropertyByName; and the type guard in unbox_value after such a call
* (also at the beginning of a trace branched from such a type guard).
*/
if (pendingUnboxSlot ||
(pendingSpecializedNative && (pendingSpecializedNative->flags & JSTN_UNBOX_AFTER))) {
unsigned pos = stackSlots - 1;
if (pendingUnboxSlot == regs.sp - 2)
pos = stackSlots - 2;
typemap[pos] = JSVAL_TYPE_BOXED;
} else if (pendingSpecializedNative &&
(pendingSpecializedNative->flags & JSTN_RETURN_NULLABLE_STR)) {
typemap[stackSlots - 1] = JSVAL_TYPE_STRORNULL;
} else if (pendingSpecializedNative &&
(pendingSpecializedNative->flags & JSTN_RETURN_NULLABLE_OBJ)) {
typemap[stackSlots - 1] = JSVAL_TYPE_OBJORNULL;
}
/* Now restore the the original pc (after which early returns are ok). */
if (resumeAfter) {
MUST_FLOW_LABEL(restore_pc);
regs.pc = pc - cs.length;
} else {
/*
* If we take a snapshot on a goto, advance to the target address. This
* avoids inner trees returning on a break goto, which the outer
* recorder then would confuse with a break in the outer tree.
*/
if (*pc == JSOP_GOTO)
pc += GET_JUMP_OFFSET(pc);
else if (*pc == JSOP_GOTOX)
pc += GET_JUMPX_OFFSET(pc);
}
/*
* Check if we already have a matching side exit; if so we can return that
* side exit instead of creating a new one.
*/
VMSideExit** exits = tree->sideExits.data();
unsigned nexits = tree->sideExits.length();
if (exitType == LOOP_EXIT) {
for (unsigned n = 0; n < nexits; ++n) {
VMSideExit* e = exits[n];
if (e->pc == pc && (e->imacpc == fp->maybeImacropc()) &&
ngslots == e->numGlobalSlots &&
!memcmp(exits[n]->fullTypeMap(), typemap, typemap_size)) {
AUDIT(mergedLoopExits);
#if defined JS_JIT_SPEW
TreevisLogExit(cx, e);
#endif
return e;
}
}
}
/* We couldn't find a matching side exit, so create a new one. */
VMSideExit* exit = (VMSideExit*)
traceAlloc().alloc(sizeof(VMSideExit) + (stackSlots + ngslots) * sizeof(JSValueType));
/* Setup side exit structure. */
exit->from = fragment;
exit->calldepth = callDepth;
exit->numGlobalSlots = ngslots;
exit->numStackSlots = stackSlots;
exit->numStackSlotsBelowCurrentFrame = cx->fp()->isFunctionFrame() ?
nativeStackOffset(&cx->fp()->calleev()) / sizeof(double) :
0;
exit->exitType = exitType;
exit->pc = pc;
exit->script = fp->maybeScript();
exit->imacpc = fp->maybeImacropc();
exit->sp_adj = (stackSlots * sizeof(double)) - tree->nativeStackBase;
exit->rp_adj = exit->calldepth * sizeof(FrameInfo*);
exit->lookupFlags = js_InferFlags(cx, 0);
memcpy(exit->fullTypeMap(), typemap, typemap_size);
#if defined JS_JIT_SPEW
TreevisLogExit(cx, exit);
#endif
return exit;
}
JS_REQUIRES_STACK GuardRecord*
TraceRecorder::createGuardRecord(VMSideExit* exit)
{
#ifdef JS_JIT_SPEW
// For debug builds, place the guard records in a longer lasting
// pool. This is because the fragment profiler will look at them
// relatively late in the day, after they would have been freed,
// in some cases, had they been allocated in traceAlloc().
GuardRecord* gr = new (dataAlloc()) GuardRecord();
#else
// The standard place (for production builds).
GuardRecord* gr = new (traceAlloc()) GuardRecord();
#endif
gr->exit = exit;
exit->addGuard(gr);
// gr->profCount is calloc'd to zero
verbose_only(
gr->profGuardID = fragment->guardNumberer++;
gr->nextInFrag = fragment->guardsForFrag;
fragment->guardsForFrag = gr;
)
return gr;
}
/* Test if 'ins' is in a form that can be used as a guard/branch condition. */
static bool
isCond(LIns* ins)
{
return ins->isCmp() || ins->isImmI(0) || ins->isImmI(1);
}
/* Ensure 'ins' is in a form suitable for a guard/branch condition. */
void
TraceRecorder::ensureCond(LIns** ins, bool* cond)
{
if (!isCond(*ins)) {
*cond = !*cond;
*ins = (*ins)->isI() ? w.eqi0(*ins) : w.eqp0(*ins);
}
}
/*
* Emit a guard for condition (cond), expecting to evaluate to boolean result
* (expected) and using the supplied side exit if the condition doesn't hold.
*
* Callers shouldn't generate guards that always exit (which can occur due to
* optimization of the guard condition) because it's bad for both compile-time
* speed (all the code generated after the guard is dead) and run-time speed
* (fragment that always exit are slow). This function has two modes for
* handling an always-exit guard; which mode is used depends on the value of
* abortIfAlwaysExits:
*
* - abortIfAlwaysExits == false: This is the default mode. If the guard
* will always exit, we assert (in debug builds) as a signal that we are
* generating bad traces. (In optimized builds that lack assertions the
* guard will be generated correctly, so the code will be slow but safe.) In
* this mode, the caller is responsible for not generating an always-exit
* guard. The return value will always be RECORD_CONTINUE, so the caller
* need not check it.
*
* - abortIfAlwaysExits == true: If the guard will always exit, we abort
* recording and return RECORD_STOP; otherwise we generate the guard
* normally and return RECORD_CONTINUE. This mode can be used when the
* caller doesn't know ahead of time whether the guard will always exit. In
* this mode, the caller must check the return value.
*/
JS_REQUIRES_STACK RecordingStatus
TraceRecorder::guard(bool expected, LIns* cond, VMSideExit* exit,
bool abortIfAlwaysExits/* = false */)
{
if (exit->exitType == LOOP_EXIT)
tree->sideExits.add(exit);
JS_ASSERT(isCond(cond));
if ((cond->isImmI(0) && expected) || (cond->isImmI(1) && !expected)) {
if (abortIfAlwaysExits) {
/* The guard always exits, the caller must check for an abort. */
RETURN_STOP("Constantly false guard detected");
}
/*
* If you hit this assertion, first decide if you want recording to
* abort in the case where the guard always exits. If not, find a way
* to detect that case and avoid calling guard(). Otherwise, change
* the invocation of guard() so it passes in abortIfAlwaysExits=true,
* and have the caller check the return value, eg. using
* CHECK_STATUS(). (In optimized builds, we'll fall through to the
* insGuard() below and an always-exits guard will be inserted, which
* is correct but sub-optimal.)
*/
JS_NOT_REACHED("unexpected constantly false guard detected");
}
/*
* Nb: if the guard is never taken, no instruction will be created and
* insGuard() will return NULL. This is a good thing.
*/
GuardRecord* guardRec = createGuardRecord(exit);
expected ? w.xf(cond, guardRec) : w.xt(cond, guardRec);
return RECORD_CONTINUE;
}
/*
* Emit a guard for condition (cond), expecting to evaluate to boolean result
* (expected) and generate a side exit with type exitType to jump to if the
* condition does not hold.
*/
JS_REQUIRES_STACK RecordingStatus
TraceRecorder::guard(bool expected, LIns* cond, ExitType exitType,
bool abortIfAlwaysExits/* = false */)
{
return guard(expected, cond, snapshot(exitType), abortIfAlwaysExits);
}
JS_REQUIRES_STACK VMSideExit*
TraceRecorder::copy(VMSideExit* copy)
{
size_t typemap_size = copy->numGlobalSlots + copy->numStackSlots;
VMSideExit* exit = (VMSideExit*)
traceAlloc().alloc(sizeof(VMSideExit) + typemap_size * sizeof(JSValueType));
/* Copy side exit structure. */
memcpy(exit, copy, sizeof(VMSideExit) + typemap_size * sizeof(JSValueType));
exit->guards = NULL;
exit->from = fragment;
exit->target = NULL;
if (exit->exitType == LOOP_EXIT)
tree->sideExits.add(exit);
#if defined JS_JIT_SPEW
TreevisLogExit(cx, exit);
#endif
return exit;
}
/*
* Determine whether any context associated with the same thread as cx is
* executing native code.
*/
static inline bool
ProhibitFlush(TraceMonitor *tm)
{
return !!tm->tracerState; // don't flush if we're running a trace
}
static void
ResetJITImpl(JSContext* cx, TraceMonitor* tm)
{
if (!cx->traceJitEnabled)
return;
debug_only_print0(LC_TMTracer, "Flushing cache.\n");
if (tm->recorder) {
JS_ASSERT_NOT_ON_TRACE(cx);
AbortRecording(cx, "flush cache");
}
#if JS_METHODJIT
if (tm->profile)
AbortProfiling(cx);
#endif
if (ProhibitFlush(tm)) {
debug_only_print0(LC_TMTracer, "Deferring JIT flush due to deep bail.\n");
tm->needFlush = JS_TRUE;
return;
}
tm->flush();
}
/* Compile the current fragment. */
JS_REQUIRES_STACK AbortableRecordingStatus
TraceRecorder::compile()
{
#ifdef MOZ_TRACEVIS
TraceVisStateObj tvso(cx, S_COMPILE);
#endif
if (traceMonitor->needFlush) {
ResetJIT(cx, traceMonitor, FR_DEEP_BAIL);
return ARECORD_ABORTED;
}
if (tree->maxNativeStackSlots >= TraceNativeStorage::MAX_NATIVE_STACK_SLOTS) {
debug_only_print0(LC_TMTracer, "Blacklist: excessive stack use.\n");
Blacklist((jsbytecode*)tree->ip);
return ARECORD_STOP;
}
if (anchor)
++tree->branchCount;
if (outOfMemory())
return ARECORD_STOP;
/* :TODO: windows support */
#if defined DEBUG && !defined WIN32
/* Associate a filename and line number with the fragment. */
const char* filename = cx->fp()->script()->filename;
char* label = (char*) cx->malloc_((filename ? strlen(filename) : 7) + 16);
if (label) {
sprintf(label, "%s:%u", filename ? filename : "<stdin>", CurrentLine(cx));
lirbuf->printer->addrNameMap->addAddrRange(fragment, sizeof(Fragment), 0, label);
cx->free_(label);
}
#endif
Assembler *assm = traceMonitor->assembler;
JS_ASSERT(!assm->error());
assm->compile(fragment, tempAlloc(), /*optimize*/true verbose_only(, lirbuf->printer));
if (assm->error()) {
assm->setError(nanojit::None);
debug_only_print0(LC_TMTracer, "Blacklisted: error during compilation\n");
Blacklist((jsbytecode*)tree->ip);
return ARECORD_STOP;
}
if (outOfMemory())
return ARECORD_STOP;
ResetRecordingAttempts(traceMonitor, (jsbytecode*)fragment->ip);
ResetRecordingAttempts(traceMonitor, (jsbytecode*)tree->ip);
JS_ASSERT(!assm->error());
if (anchor)
assm->patch(anchor);
if (assm->error())
return ARECORD_STOP;
JS_ASSERT(fragment->code());
JS_ASSERT_IF(fragment == fragment->root, fragment->root == tree);
return ARECORD_CONTINUE;
}
static bool
JoinPeers(Assembler* assm, VMSideExit* exit, TreeFragment* target)
{
exit->target = target;
JS_ASSERT(!assm->error());
assm->patch(exit);
if (assm->error())
return false;
debug_only_printf(LC_TMTreeVis, "TREEVIS JOIN ANCHOR=%p FRAG=%p\n", (void*)exit, (void*)target);
if (exit->root() == target)
return true;
target->dependentTrees.addUnique(exit->root());
exit->root()->linkedTrees.addUnique(target);
return true;
}
/* Results of trying to connect an arbitrary type A with arbitrary type B */
enum TypeCheckResult
{
TypeCheck_Okay, /* Okay: same type */
TypeCheck_Promote, /* Okay: Type A needs d2i() */
TypeCheck_Demote, /* Okay: Type A needs i2d() */
TypeCheck_Undemote, /* Bad: Slot is undemotable */
TypeCheck_Bad /* Bad: incompatible types */
};
class SlotMap : public SlotVisitorBase
{
public:
struct SlotInfo
{
SlotInfo()
: vp(NULL), isPromotedInt32(false), lastCheck(TypeCheck_Bad)
{}
SlotInfo(Value* vp, bool isPromotedInt32)
: vp(vp), isPromotedInt32(isPromotedInt32), lastCheck(TypeCheck_Bad),
type(getCoercedType(*vp))
{}
SlotInfo(JSValueType t)
: vp(NULL), isPromotedInt32(false), lastCheck(TypeCheck_Bad), type(t)
{}
SlotInfo(Value* vp, JSValueType t)
: vp(vp), isPromotedInt32(t == JSVAL_TYPE_INT32), lastCheck(TypeCheck_Bad), type(t)
{}
void *vp;
bool isPromotedInt32;
TypeCheckResult lastCheck;
JSValueType type;
};
SlotMap(TraceRecorder& rec)
: mRecorder(rec),
mCx(rec.cx),
slots(NULL)
{
}
virtual ~SlotMap()
{
}
JS_REQUIRES_STACK JS_ALWAYS_INLINE void
visitGlobalSlot(Value *vp, unsigned n, unsigned slot)
{
addSlot(vp);
}
JS_ALWAYS_INLINE SlotMap::SlotInfo&
operator [](unsigned i)
{
return slots[i];
}
JS_ALWAYS_INLINE SlotMap::SlotInfo&
get(unsigned i)
{
return slots[i];
}
JS_ALWAYS_INLINE unsigned
length()
{
return slots.length();
}
/**
* Possible return states:
*
* TypeConsensus_Okay: All types are compatible. Caller must go through slot list and handle
* promote/demotes.
* TypeConsensus_Bad: Types are not compatible. Individual type check results are undefined.
* TypeConsensus_Undemotes: Types would be compatible if slots were marked as undemotable
* before recording began. Caller can go through slot list and mark
* such slots as undemotable.
*/
JS_REQUIRES_STACK TypeConsensus
checkTypes(LinkableFragment* f)
{
if (length() != f->typeMap.length())
return TypeConsensus_Bad;
bool has_undemotes = false;
for (unsigned i = 0; i < length(); i++) {
TypeCheckResult result = checkType(i, f->typeMap[i]);
if (result == TypeCheck_Bad)
return TypeConsensus_Bad;
if (result == TypeCheck_Undemote)
has_undemotes = true;
slots[i].lastCheck = result;
}
if (has_undemotes)
return TypeConsensus_Undemotes;
return TypeConsensus_Okay;
}
JS_REQUIRES_STACK JS_ALWAYS_INLINE void
addSlot(Value* vp)
{
bool isPromotedInt32 = false;
if (vp->isNumber()) {
if (LIns* i = mRecorder.getFromTracker(vp)) {
isPromotedInt32 = IsPromotedInt32(i);
} else if (mRecorder.isGlobal(vp)) {
int offset = mRecorder.tree->globalSlots->offsetOf(uint16(mRecorder.nativeGlobalSlot(vp)));
JS_ASSERT(offset != -1);
isPromotedInt32 = mRecorder.importTypeMap[mRecorder.importStackSlots + offset] ==
JSVAL_TYPE_INT32;
} else {
isPromotedInt32 = mRecorder.importTypeMap[mRecorder.nativeStackSlot(vp)] ==
JSVAL_TYPE_INT32;
}
}
slots.add(SlotInfo(vp, isPromotedInt32));
}
JS_REQUIRES_STACK JS_ALWAYS_INLINE void
addSlot(JSValueType t)
{
slots.add(SlotInfo(NULL, t));
}
JS_REQUIRES_STACK JS_ALWAYS_INLINE void
addSlot(Value *vp, JSValueType t)
{
slots.add(SlotInfo(vp, t));
}
JS_REQUIRES_STACK void
markUndemotes()
{
for (unsigned i = 0; i < length(); i++) {
if (get(i).lastCheck == TypeCheck_Undemote)
mRecorder.markSlotUndemotable(mRecorder.tree, i);
}
}
JS_REQUIRES_STACK virtual void
adjustTypes()
{
for (unsigned i = 0; i < length(); i++)
adjustType(get(i));
}
protected:
JS_REQUIRES_STACK virtual void
adjustType(SlotInfo& info) {
JS_ASSERT(info.lastCheck != TypeCheck_Undemote && info.lastCheck != TypeCheck_Bad);
#ifdef DEBUG
if (info.lastCheck == TypeCheck_Promote) {
JS_ASSERT(info.type == JSVAL_TYPE_INT32 || info.type == JSVAL_TYPE_DOUBLE);
/*
* This should only happen if the slot has a trivial conversion, i.e.
* IsPromotedInt32() is true. We check this.
*
* Note that getFromTracker() will return NULL if the slot was
* never used, in which case we don't do the check. We could
* instead called mRecorder.get(info.vp) and always check, but
* get() has side-effects, which is not good in an assertion.
* Not checking unused slots isn't so bad.
*/
LIns* ins = mRecorder.getFromTrackerImpl(info.vp);
JS_ASSERT_IF(ins, IsPromotedInt32(ins));
} else
#endif
if (info.lastCheck == TypeCheck_Demote) {
JS_ASSERT(info.type == JSVAL_TYPE_INT32 || info.type == JSVAL_TYPE_DOUBLE);
JS_ASSERT(mRecorder.getImpl(info.vp)->isD());
/* Never demote this final i2d. */
mRecorder.setImpl(info.vp, mRecorder.getImpl(info.vp), false);
}
}
private:
TypeCheckResult
checkType(unsigned i, JSValueType t)
{
debug_only_printf(LC_TMTracer,
"checkType slot %d: interp=%c typemap=%c isNum=%d isPromotedInt32=%d\n",
i,
TypeToChar(slots[i].type),
TypeToChar(t),
slots[i].type == JSVAL_TYPE_INT32 || slots[i].type == JSVAL_TYPE_DOUBLE,
slots[i].isPromotedInt32);
switch (t) {
case JSVAL_TYPE_INT32:
if (slots[i].type != JSVAL_TYPE_INT32 && slots[i].type != JSVAL_TYPE_DOUBLE)
return TypeCheck_Bad; /* Not a number? Type mismatch. */
/* This is always a type mismatch, we can't close a double to an int. */
if (!slots[i].isPromotedInt32)
return TypeCheck_Undemote;
/* Looks good, slot is an int32, the last instruction should be promotable. */
JS_ASSERT_IF(slots[i].vp,
hasInt32Repr(*(const Value *)slots[i].vp) && slots[i].isPromotedInt32);
return slots[i].vp ? TypeCheck_Promote : TypeCheck_Okay;
case JSVAL_TYPE_DOUBLE:
if (slots[i].type != JSVAL_TYPE_INT32 && slots[i].type != JSVAL_TYPE_DOUBLE)
return TypeCheck_Bad; /* Not a number? Type mismatch. */
if (slots[i].isPromotedInt32)
return slots[i].vp ? TypeCheck_Demote : TypeCheck_Bad;
return TypeCheck_Okay;
default:
return slots[i].type == t ? TypeCheck_Okay : TypeCheck_Bad;
}
JS_NOT_REACHED("shouldn't fall through type check switch");
}
protected:
TraceRecorder& mRecorder;
JSContext* mCx;
Queue<SlotInfo> slots;
};
class DefaultSlotMap : public SlotMap
{
public:
DefaultSlotMap(TraceRecorder& tr) : SlotMap(tr)
{
}
virtual ~DefaultSlotMap()
{
}
JS_REQUIRES_STACK JS_ALWAYS_INLINE bool
visitStackSlots(Value *vp, size_t count, StackFrame* fp)
{
for (size_t i = 0; i < count; i++)
addSlot(&vp[i]);
return true;
}
JS_REQUIRES_STACK JS_ALWAYS_INLINE bool
visitFrameObjPtr(void* p, StackFrame* fp)
{
addSlot(getFrameObjPtrTraceType(p, fp));
return true;
}
};
JS_REQUIRES_STACK TypeConsensus
TraceRecorder::selfTypeStability(SlotMap& slotMap)
{
debug_only_printf(LC_TMTracer, "Checking type stability against self=%p\n", (void*)fragment);
TypeConsensus consensus = slotMap.checkTypes(tree);
/* Best case: loop jumps back to its own header */
if (consensus == TypeConsensus_Okay)
return TypeConsensus_Okay;
/*
* If the only thing keeping this loop from being stable is undemotions, then mark relevant
* slots as undemotable.
*/
if (consensus == TypeConsensus_Undemotes)
slotMap.markUndemotes();
return consensus;
}
JS_REQUIRES_STACK TypeConsensus
TraceRecorder::peerTypeStability(SlotMap& slotMap, const void* ip, TreeFragment** pPeer)
{
JS_ASSERT(tree->first == LookupLoop(traceMonitor, ip, tree->globalObj, tree->globalShape, tree->argc));
/* See if there are any peers that would make this stable */
bool onlyUndemotes = false;
for (TreeFragment *peer = tree->first; peer != NULL; peer = peer->peer) {
if (!peer->code() || peer == fragment)
continue;
debug_only_printf(LC_TMTracer, "Checking type stability against peer=%p\n", (void*)peer);
TypeConsensus consensus = slotMap.checkTypes(peer);
if (consensus == TypeConsensus_Okay) {
*pPeer = peer;
/*
* Return this even though there will be linkage; the trace itself is not stable.
* Caller should inspect ppeer to check for a compatible peer.
*/
return TypeConsensus_Okay;
}
if (consensus == TypeConsensus_Undemotes)
onlyUndemotes = true;
}
return onlyUndemotes ? TypeConsensus_Undemotes : TypeConsensus_Bad;
}
/*
* Complete and compile a trace and link it to the existing tree if
* appropriate. Returns ARECORD_ABORTED or ARECORD_STOP, depending on whether
* the recorder was deleted. Outparam is always set.
*/
JS_REQUIRES_STACK AbortableRecordingStatus
TraceRecorder::closeLoop()
{
VMSideExit *exit = snapshot(UNSTABLE_LOOP_EXIT);
DefaultSlotMap slotMap(*this);
VisitSlots(slotMap, cx, 0, *tree->globalSlots);
/*
* We should have arrived back at the loop header, and hence we don't want
* to be in an imacro here and the opcode should be either JSOP_TRACE or, in
* case this loop was blacklisted in the meantime, JSOP_NOTRACE.
*/
JS_ASSERT(*cx->regs().pc == JSOP_TRACE || *cx->regs().pc == JSOP_NOTRACE);
JS_ASSERT(!cx->fp()->hasImacropc());
if (callDepth != 0) {
debug_only_print0(LC_TMTracer,
"Blacklisted: stack depth mismatch, possible recursion.\n");
Blacklist((jsbytecode*)tree->ip);
trashSelf = true;
return ARECORD_STOP;
}
JS_ASSERT(exit->numStackSlots == tree->nStackTypes);
JS_ASSERT(fragment->root == tree);
JS_ASSERT(!trashSelf);
TreeFragment* peer = NULL;
TypeConsensus consensus = selfTypeStability(slotMap);
if (consensus != TypeConsensus_Okay) {
TypeConsensus peerConsensus = peerTypeStability(slotMap, tree->ip, &peer);
/* If there was a semblance of a stable peer (even if not linkable), keep the result. */
if (peerConsensus != TypeConsensus_Bad)
consensus = peerConsensus;
}
#if DEBUG
if (consensus != TypeConsensus_Okay || peer)
AUDIT(unstableLoopVariable);
#endif
/*
* This exit is indeed linkable to something now. Process any promote or
* demotes that are pending in the slot map.
*/
if (consensus == TypeConsensus_Okay)
slotMap.adjustTypes();
if (consensus != TypeConsensus_Okay || peer) {
fragment->lastIns = w.x(createGuardRecord(exit));
/* If there is a peer, there must have been an "Okay" consensus. */
JS_ASSERT_IF(peer, consensus == TypeConsensus_Okay);
/* Compile as a type-unstable loop, and hope for a connection later. */
if (!peer) {
/*
* If such a fragment does not exist, let's compile the loop ahead
* of time anyway. Later, if the loop becomes type stable, we will
* connect these two fragments together.
*/
debug_only_print0(LC_TMTracer,
"Trace has unstable loop variable with no stable peer, "
"compiling anyway.\n");
UnstableExit* uexit = new (traceAlloc()) UnstableExit;
uexit->fragment = fragment;
uexit->exit = exit;
uexit->next = tree->unstableExits;
tree->unstableExits = uexit;
} else {
JS_ASSERT(peer->code());
exit->target = peer;
debug_only_printf(LC_TMTracer,
"Joining type-unstable trace to target fragment %p.\n",
(void*)peer);
peer->dependentTrees.addUnique(tree);
tree->linkedTrees.addUnique(peer);
}
} else {
exit->exitType = LOOP_EXIT;
debug_only_printf(LC_TMTreeVis, "TREEVIS CHANGEEXIT EXIT=%p TYPE=%s\n", (void*)exit,
getExitName(LOOP_EXIT));
JS_ASSERT((fragment == fragment->root) == !!loopLabel);
if (loopLabel) {
w.j(loopLabel);
w.comment("end-loop");
w.livep(lirbuf->state);
}
exit->target = tree;
/*
* This guard is dead code. However, it must be present because it
* can keep alive values on the stack. Without it, StackFilter can
* remove some stack stores that it shouldn't. See bug 582766 comment
* 19.
*/
fragment->lastIns = w.x(createGuardRecord(exit));
}
CHECK_STATUS_A(compile());
debug_only_printf(LC_TMTreeVis, "TREEVIS CLOSELOOP EXIT=%p PEER=%p\n", (void*)exit, (void*)peer);
JS_ASSERT(LookupLoop(traceMonitor, tree->ip, tree->globalObj, tree->globalShape, tree->argc) ==
tree->first);
JS_ASSERT(tree->first);
peer = tree->first;
if (!joinEdgesToEntry(peer))
return ARECORD_STOP;
debug_only_stmt(DumpPeerStability(traceMonitor, peer->ip, peer->globalObj,
peer->globalShape, peer->argc);)
debug_only_print0(LC_TMTracer,
"updating specializations on dependent and linked trees\n");
if (tree->code())
SpecializeTreesToMissingGlobals(cx, globalObj, tree);
/*
* If this is a newly formed tree, and the outer tree has not been compiled yet, we
* should try to compile the outer tree again.
*/
if (outerPC)
AttemptCompilation(traceMonitor, globalObj, outerScript, outerPC, outerArgc);
#ifdef JS_JIT_SPEW
debug_only_printf(LC_TMMinimal,
"Recording completed at %s:%u@%u via closeLoop (FragID=%06u)\n",
cx->fp()->script()->filename,
CurrentLine(cx),
CurrentPCOffset(cx),
fragment->profFragID);
debug_only_print0(LC_TMMinimal, "\n");
#endif
return finishSuccessfully();
}
static void
FullMapFromExit(TypeMap& typeMap, VMSideExit* exit)
{
typeMap.setLength(0);
typeMap.fromRaw(exit->stackTypeMap(), exit->numStackSlots);
typeMap.fromRaw(exit->globalTypeMap(), exit->numGlobalSlots);
/* Include globals that were later specialized at the root of the tree. */
if (exit->numGlobalSlots < exit->root()->nGlobalTypes()) {
typeMap.fromRaw(exit->root()->globalTypeMap() + exit->numGlobalSlots,
exit->root()->nGlobalTypes() - exit->numGlobalSlots);
}
}
static JS_REQUIRES_STACK TypeConsensus
TypeMapLinkability(JSContext* cx, TraceMonitor *tm, const TypeMap& typeMap, TreeFragment* peer)
{
const TypeMap& peerMap = peer->typeMap;
unsigned minSlots = JS_MIN(typeMap.length(), peerMap.length());
TypeConsensus consensus = TypeConsensus_Okay;
for (unsigned i = 0; i < minSlots; i++) {
if (typeMap[i] == peerMap[i])
continue;
if (typeMap[i] == JSVAL_TYPE_INT32 && peerMap[i] == JSVAL_TYPE_DOUBLE &&
IsSlotUndemotable(tm->oracle, cx, peer, i, peer->ip)) {
consensus = TypeConsensus_Undemotes;
} else {
return TypeConsensus_Bad;
}
}
return consensus;
}
JS_REQUIRES_STACK unsigned
TraceRecorder::findUndemotesInTypemaps(const TypeMap& typeMap, LinkableFragment* f,
Queue<unsigned>& undemotes)
{
undemotes.setLength(0);
unsigned minSlots = JS_MIN(typeMap.length(), f->typeMap.length());
for (unsigned i = 0; i < minSlots; i++) {
if (typeMap[i] == JSVAL_TYPE_INT32 && f->typeMap[i] == JSVAL_TYPE_DOUBLE) {
undemotes.add(i);
} else if (typeMap[i] != f->typeMap[i]) {
return 0;
}
}
for (unsigned i = 0; i < undemotes.length(); i++)
markSlotUndemotable(f, undemotes[i]);
return undemotes.length();
}
JS_REQUIRES_STACK bool
TraceRecorder::joinEdgesToEntry(TreeFragment* peer_root)
{
if (fragment->root != fragment)
return true;
TypeMap typeMap(NULL, traceMonitor->oracle);
Queue<unsigned> undemotes(NULL);
for (TreeFragment* peer = peer_root; peer; peer = peer->peer) {
if (!peer->code())
continue;
UnstableExit* uexit = peer->unstableExits;
while (uexit != NULL) {
/* Build the full typemap for this unstable exit */
FullMapFromExit(typeMap, uexit->exit);
/* Check its compatibility against this tree */
TypeConsensus consensus = TypeMapLinkability(cx, traceMonitor, typeMap, tree);
JS_ASSERT_IF(consensus == TypeConsensus_Okay, peer != fragment);
if (consensus == TypeConsensus_Okay) {
debug_only_printf(LC_TMTracer,
"Joining type-stable trace to target exit %p->%p.\n",
(void*)uexit->fragment, (void*)uexit->exit);
/*
* See bug 531513. Before linking these trees, make sure the
* peer's dependency graph is up to date.
*/
TreeFragment* from = uexit->exit->root();
if (from->nGlobalTypes() < tree->nGlobalTypes()) {
SpecializeTreesToLateGlobals(cx, from, tree->globalTypeMap(),
tree->nGlobalTypes());
}
/* It's okay! Link together and remove the unstable exit. */
JS_ASSERT(tree == fragment);
if (!JoinPeers(traceMonitor->assembler, uexit->exit, tree))
return false;
uexit = peer->removeUnstableExit(uexit->exit);
} else {
/* Check for int32->double slots that suggest trashing. */
if (findUndemotesInTypemaps(typeMap, tree, undemotes)) {
JS_ASSERT(peer == uexit->fragment->root);
if (fragment == peer)
trashSelf = true;
else
whichTreesToTrash.addUnique(uexit->fragment->root);
break;
}
uexit = uexit->next;
}
}
}
return true;
}
JS_REQUIRES_STACK AbortableRecordingStatus
TraceRecorder::endLoop()
{
return endLoop(snapshot(LOOP_EXIT));
}
/* Emit an always-exit guard and compile the tree (used for break statements. */
JS_REQUIRES_STACK AbortableRecordingStatus
TraceRecorder::endLoop(VMSideExit* exit)
{
JS_ASSERT(fragment->root == tree);
if (callDepth != 0) {
debug_only_print0(LC_TMTracer, "Blacklisted: stack depth mismatch, possible recursion.\n");
Blacklist((jsbytecode*)tree->ip);
trashSelf = true;
return ARECORD_STOP;
}
fragment->lastIns = w.x(createGuardRecord(exit));
CHECK_STATUS_A(compile());
debug_only_printf(LC_TMTreeVis, "TREEVIS ENDLOOP EXIT=%p\n", (void*)exit);
JS_ASSERT(LookupLoop(traceMonitor, tree->ip, tree->globalObj, tree->globalShape, tree->argc) ==
tree->first);
if (!joinEdgesToEntry(tree->first))
return ARECORD_STOP;
debug_only_stmt(DumpPeerStability(traceMonitor, tree->ip, tree->globalObj,
tree->globalShape, tree->argc);)
/*
* Note: this must always be done, in case we added new globals on trace
* and haven't yet propagated those to linked and dependent trees.
*/
debug_only_print0(LC_TMTracer,
"updating specializations on dependent and linked trees\n");
if (tree->code())
SpecializeTreesToMissingGlobals(cx, globalObj, fragment->root);
/*
* If this is a newly formed tree, and the outer tree has not been compiled
* yet, we should try to compile the outer tree again.
*/
if (outerPC)
AttemptCompilation(traceMonitor, globalObj, outerScript, outerPC, outerArgc);
#ifdef JS_JIT_SPEW
debug_only_printf(LC_TMMinimal,
"Recording completed at %s:%u@%u via endLoop (FragID=%06u)\n",
cx->fp()->script()->filename,
CurrentLine(cx),
CurrentPCOffset(cx),
fragment->profFragID);
debug_only_print0(LC_TMTracer, "\n");
#endif
return finishSuccessfully();
}
/* Emit code to adjust the stack to match the inner tree's stack expectations. */
JS_REQUIRES_STACK void
TraceRecorder::prepareTreeCall(TreeFragment* inner)
{
VMSideExit* exit = snapshot(OOM_EXIT);
/*
* The inner tree expects to be called from the current frame. If the outer
* tree (this trace) is currently inside a function inlining code
* (calldepth > 0), we have to advance the native stack pointer such that
* we match what the inner trace expects to see. We move it back when we
* come out of the inner tree call.
*/
if (callDepth > 0) {
/*
* Calculate the amount we have to lift the native stack pointer by to
* compensate for any outer frames that the inner tree doesn't expect
* but the outer tree has.
*/
ptrdiff_t sp_adj = nativeStackOffset(&cx->fp()->calleev());
/* Calculate the amount we have to lift the call stack by. */
ptrdiff_t rp_adj = callDepth * sizeof(FrameInfo*);
/*
* Guard that we have enough stack space for the tree we are trying to
* call on top of the new value for sp.
*/
debug_only_printf(LC_TMTracer,
"sp_adj=%lld outer=%lld inner=%lld\n",
(long long int)sp_adj,
(long long int)tree->nativeStackBase,
(long long int)inner->nativeStackBase);
ptrdiff_t sp_offset =
- tree->nativeStackBase /* rebase sp to beginning of outer tree's stack */
+ sp_adj /* adjust for stack in outer frame inner tree can't see */
+ inner->maxNativeStackSlots * sizeof(double); /* plus the inner tree's stack */
LIns* sp_top = w.addp(lirbuf->sp, w.nameImmw(sp_offset));
guard(true, w.ltp(sp_top, eos_ins), exit);
/* Guard that we have enough call stack space. */
ptrdiff_t rp_offset = rp_adj + inner->maxCallDepth * sizeof(FrameInfo*);
LIns* rp_top = w.addp(lirbuf->rp, w.nameImmw(rp_offset));
guard(true, w.ltp(rp_top, eor_ins), exit);
sp_offset =
- tree->nativeStackBase /* rebase sp to beginning of outer tree's stack */
+ sp_adj /* adjust for stack in outer frame inner tree can't see */
+ inner->nativeStackBase; /* plus the inner tree's stack base */
/* We have enough space, so adjust sp and rp to their new level. */
w.stStateField(w.addp(lirbuf->sp, w.nameImmw(sp_offset)), sp);
w.stStateField(w.addp(lirbuf->rp, w.nameImmw(rp_adj)), rp);
}
/*
* The inner tree will probably access stack slots. So tell nanojit not to
* discard or defer stack writes before emitting the call tree code.
*
* (The ExitType of this snapshot is nugatory. The exit can't be taken.)
*/
w.xbarrier(createGuardRecord(exit));
}
class ClearSlotsVisitor : public SlotVisitorBase
{
Tracker &tracker;
public:
ClearSlotsVisitor(Tracker &tracker)
: tracker(tracker)
{}
JS_ALWAYS_INLINE bool
visitStackSlots(Value *vp, size_t count, StackFrame *) {
for (Value *vpend = vp + count; vp != vpend; ++vp)
tracker.set(vp, NULL);
return true;
}
JS_ALWAYS_INLINE bool
visitFrameObjPtr(void *p, StackFrame *) {
tracker.set(p, NULL);
return true;
}
};
static unsigned
BuildGlobalTypeMapFromInnerTree(Queue<JSValueType>& typeMap, VMSideExit* inner)
{
#if defined DEBUG
unsigned initialSlots = typeMap.length();
#endif
/* First, use the innermost exit's global typemap. */
typeMap.add(inner->globalTypeMap(), inner->numGlobalSlots);
/* Add missing global types from the innermost exit's tree. */
TreeFragment* innerFrag = inner->root();
unsigned slots = inner->numGlobalSlots;
if (slots < innerFrag->nGlobalTypes()) {
typeMap.add(innerFrag->globalTypeMap() + slots, innerFrag->nGlobalTypes() - slots);
slots = innerFrag->nGlobalTypes();
}
JS_ASSERT(typeMap.length() - initialSlots == slots);
return slots;
}
/* Record a call to an inner tree. */
JS_REQUIRES_STACK void
TraceRecorder::emitTreeCall(TreeFragment* inner, VMSideExit* exit)
{
/* Invoke the inner tree. */
LIns* args[] = { lirbuf->state }; /* reverse order */
/* Construct a call info structure for the target tree. */
CallInfo* ci = new (traceAlloc()) CallInfo();
ci->_address = uintptr_t(inner->code());
JS_ASSERT(ci->_address);
ci->_typesig = CallInfo::typeSig1(ARGTYPE_P, ARGTYPE_P);
ci->_isPure = 0;
ci->_storeAccSet = ACCSET_STORE_ANY;
ci->_abi = ABI_FASTCALL;
#ifdef DEBUG
ci->_name = "fragment";
#endif
LIns* rec = w.call(ci, args);
LIns* lr = w.ldpGuardRecordExit(rec);
LIns* nested = w.jtUnoptimizable(w.eqiN(w.ldiVMSideExitField(lr, exitType), NESTED_EXIT));
/*
* If the tree exits on a regular (non-nested) guard, keep updating lastTreeExitGuard
* with that guard. If we mismatch on a tree call guard, this will contain the last
* non-nested guard we encountered, which is the innermost loop or branch guard.
*/
w.stStateField(lr, lastTreeExitGuard);
LIns* done1 = w.j(NULL);
/*
* The tree exited on a nested guard. This only occurs once a tree call guard mismatches
* and we unwind the tree call stack. We store the first (innermost) tree call guard in state
* and we will try to grow the outer tree the failing call was in starting at that guard.
*/
w.label(nested);
LIns* done2 = w.jfUnoptimizable(w.eqp0(w.ldpStateField(lastTreeCallGuard)));
w.stStateField(lr, lastTreeCallGuard);
w.stStateField(w.addp(w.ldpStateField(rp),
w.i2p(w.lshiN(w.ldiVMSideExitField(lr, calldepth),
sizeof(void*) == 4 ? 2 : 3))),
rpAtLastTreeCall);
w.label(done1, done2);
/*
* Keep updating outermostTreeExit so that TracerState always contains the most recent
* side exit.
*/
w.stStateField(lr, outermostTreeExitGuard);
/* Read back all registers, in case the called tree changed any of them. */
#ifdef DEBUG
JSValueType* map;
size_t i;
map = exit->globalTypeMap();
for (i = 0; i < exit->numGlobalSlots; i++)
JS_ASSERT(map[i] != JSVAL_TYPE_BOXED);
map = exit->stackTypeMap();
for (i = 0; i < exit->numStackSlots; i++)
JS_ASSERT(map[i] != JSVAL_TYPE_BOXED);
#endif
/* The inner tree may modify currently-tracked upvars, so flush everything. */
ClearSlotsVisitor visitor(tracker);
VisitStackSlots(visitor, cx, callDepth);
SlotList& gslots = *tree->globalSlots;
for (unsigned i = 0; i < gslots.length(); i++) {
unsigned slot = gslots[i];
const Value* vp = &globalObj->getSlot(slot);
tracker.set(vp, NULL);
}
/* Set stack slots from the innermost frame. */
importTypeMap.setLength(NativeStackSlots(cx, callDepth));
unsigned startOfInnerFrame = importTypeMap.length() - exit->numStackSlots;
for (unsigned i = 0; i < exit->numStackSlots; i++)
importTypeMap[startOfInnerFrame + i] = exit->stackTypeMap()[i];
importStackSlots = importTypeMap.length();
JS_ASSERT(importStackSlots == NativeStackSlots(cx, callDepth));
/*
* Bug 502604 - It is illegal to extend from the outer typemap without
* first extending from the inner. Make a new typemap here.
*/
BuildGlobalTypeMapFromInnerTree(importTypeMap, exit);
importGlobalSlots = importTypeMap.length() - importStackSlots;
JS_ASSERT(importGlobalSlots == tree->globalSlots->length());
/* Restore sp and rp to their original values (we still have them in a register). */
if (callDepth > 0) {
w.stStateField(lirbuf->sp, sp);
w.stStateField(lirbuf->rp, rp);
}
/*
* Guard that we come out of the inner tree along the same side exit we came out when
* we called the inner tree at recording time.
*/
VMSideExit* nestedExit = snapshot(NESTED_EXIT);
JS_ASSERT(exit->exitType == LOOP_EXIT);
guard(true, w.eqp(lr, w.nameImmpNonGC(exit)), nestedExit);
debug_only_printf(LC_TMTreeVis, "TREEVIS TREECALL INNER=%p EXIT=%p GUARD=%p\n", (void*)inner,
(void*)nestedExit, (void*)exit);
/* Register us as a dependent tree of the inner tree. */
inner->dependentTrees.addUnique(fragment->root);
tree->linkedTrees.addUnique(inner);
}
/* Add a if/if-else control-flow merge point to the list of known merge points. */
JS_REQUIRES_STACK void
TraceRecorder::trackCfgMerges(jsbytecode* pc)
{
/* If we hit the beginning of an if/if-else, then keep track of the merge point after it. */
JS_ASSERT((*pc == JSOP_IFEQ) || (*pc == JSOP_IFEQX));
jssrcnote* sn = js_GetSrcNote(cx->fp()->script(), pc);
if (sn != NULL) {
if (SN_TYPE(sn) == SRC_IF) {
cfgMerges.add((*pc == JSOP_IFEQ)
? pc + GET_JUMP_OFFSET(pc)
: pc + GET_JUMPX_OFFSET(pc));
} else if (SN_TYPE(sn) == SRC_IF_ELSE)
cfgMerges.add(pc + js_GetSrcNoteOffset(sn, 0));
}
}
/*
* Invert the direction of the guard if this is a loop edge that is not
* taken (thin loop).
*/
JS_REQUIRES_STACK void
TraceRecorder::emitIf(jsbytecode* pc, bool cond, LIns* x)
{
ExitType exitType;
JS_ASSERT(isCond(x));
if (IsLoopEdge(pc, (jsbytecode*)tree->ip)) {
exitType = LOOP_EXIT;
/*
* If we are about to walk out of the loop, generate code for the
* inverse loop condition, pretending we recorded the case that stays
* on trace.
*/
if ((*pc == JSOP_IFEQ || *pc == JSOP_IFEQX) == cond) {
JS_ASSERT(*pc == JSOP_IFNE || *pc == JSOP_IFNEX || *pc == JSOP_IFEQ || *pc == JSOP_IFEQX);
debug_only_print0(LC_TMTracer,
"Walking out of the loop, terminating it anyway.\n");
cond = !cond;
}
/*
* Conditional guards do not have to be emitted if the condition is
* constant. We make a note whether the loop condition is true or false
* here, so we later know whether to emit a loop edge or a loop end.
*/
if (x->isImmI()) {
pendingLoop = (x->immI() == int32(cond));
return;
}
} else {
exitType = BRANCH_EXIT;
}
if (!x->isImmI())
guard(cond, x, exitType);
}
/* Emit code for a fused IFEQ/IFNE. */
JS_REQUIRES_STACK void
TraceRecorder::fuseIf(jsbytecode* pc, bool cond, LIns* x)
{
if (*pc == JSOP_IFEQ || *pc == JSOP_IFNE) {
emitIf(pc, cond, x);
if (*pc == JSOP_IFEQ)
trackCfgMerges(pc);
}
}
/* Check whether we have reached the end of the trace. */
JS_REQUIRES_STACK AbortableRecordingStatus
TraceRecorder::checkTraceEnd(jsbytecode *pc)
{
if (IsLoopEdge(pc, (jsbytecode*)tree->ip)) {
/*
* If we compile a loop, the trace should have a zero stack balance at
* the loop edge. Currently we are parked on a comparison op or
* IFNE/IFEQ, so advance pc to the loop header and adjust the stack
* pointer and pretend we have reached the loop header.
*/
if (pendingLoop) {
JS_ASSERT(!cx->fp()->hasImacropc() && (pc == cx->regs().pc || pc == cx->regs().pc + 1));
FrameRegs orig = cx->regs();
cx->regs().pc = (jsbytecode*)tree->ip;
cx->regs().sp = cx->fp()->base() + tree->spOffsetAtEntry;
JSContext* localcx = cx;
AbortableRecordingStatus ars = closeLoop();
localcx->regs() = orig;
return ars;
}
return endLoop();
}
return ARECORD_CONTINUE;
}
/*
* Check whether the shape of the global object has changed. The return value
* indicates whether the recorder is still active. If 'false', any active
* recording has been aborted and the JIT may have been reset.
*/
static JS_REQUIRES_STACK bool
CheckGlobalObjectShape(JSContext* cx, TraceMonitor* tm, JSObject* globalObj,
uint32 *shape = NULL, SlotList** slots = NULL)
{
if (tm->needFlush) {
ResetJIT(cx, tm, FR_DEEP_BAIL);
return false;
}
if (globalObj->numSlots() > MAX_GLOBAL_SLOTS) {
if (tm->recorder)
AbortRecording(cx, "too many slots in global object");
return false;
}
/*
* The global object must have a unique shape. That way, if an operand
* isn't the global at record time, a shape guard suffices to ensure
* that it isn't the global at run time.
*/
if (!globalObj->hasOwnShape()) {
if (!globalObj->globalObjectOwnShapeChange(cx)) {
debug_only_print0(LC_TMTracer,
"Can't record: failed to give globalObj a unique shape.\n");
return false;
}
}
uint32 globalShape = globalObj->shape();
if (tm->recorder) {
