Bug 1692972 - Add DoubleValue masking for LBox/LBoxFloatingPoint. r=iain, a=jcristau
authorJan de Mooij <jdemooij@mozilla.com>
Wed, 10 Mar 2021 12:10:20 +0000
changeset 635501 b129bba6435893f21dbcfd8a761fd3eb858dfba3
parent 635500 8bc93ab4e46177d2dd79797a85ea0c72dd8e8f14
child 635502 abd0bcf458abfe36539ce0915558ff0d890445ab
push id15200
push userjcristau@mozilla.com
push dateThu, 11 Mar 2021 11:02:52 +0000
treeherdermozilla-beta@2d0356d7e720 [default view] [failures only]
reviewersiain, jcristau
bugs1692972
milestone87.0
Bug 1692972 - Add DoubleValue masking for LBox/LBoxFloatingPoint. r=iain, a=jcristau Differential Revision: https://phabricator.services.mozilla.com/D107042
js/src/jit/x64/CodeGenerator-x64.cpp
js/src/jit/x86/CodeGenerator-x86.cpp
js/src/jit/x86/LIR-x86.h
js/src/jit/x86/Lowering-x86.cpp
--- a/js/src/jit/x64/CodeGenerator-x64.cpp
+++ b/js/src/jit/x64/CodeGenerator-x64.cpp
@@ -57,16 +57,23 @@ void CodeGenerator::visitValue(LValue* v
   masm.moveValue(value->value(), result);
 }
 
 void CodeGenerator::visitBox(LBox* box) {
   const LAllocation* in = box->getOperand(0);
   ValueOperand result = ToOutValue(box);
 
   masm.moveValue(TypedOrValueRegister(box->type(), ToAnyRegister(in)), result);
+
+  if (JitOptions.spectreValueMasking && IsFloatingPointType(box->type())) {
+    ScratchRegisterScope scratch(masm);
+    masm.movePtr(ImmWord(JSVAL_SHIFTED_TAG_MAX_DOUBLE), scratch);
+    masm.cmpPtrMovePtr(Assembler::Below, scratch, result.valueReg(), scratch,
+                       result.valueReg());
+  }
 }
 
 void CodeGenerator::visitUnbox(LUnbox* unbox) {
   MUnbox* mir = unbox->mir();
 
   Register result = ToRegister(unbox->output());
 
   if (mir->fallible()) {
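Review bot: The clamp added after `masm.moveValue` in `visitBox` has no comment, so a reader has to work out from `cmpPtrMovePtr(Assembler::Below, ...)` that boxed bits above `JSVAL_SHIFTED_TAG_MAX_DOUBLE` are replaced by that constant. I would add above the `if`: `// Spectre mitigation: clamp the boxed bits to the double range so a mistyped or non-canonical input cannot be read back as a tagged non-double Value.` That wording assumes the conditional move never fires for a canonical double on the architectural path, which should be confirmed with the author. The matching block in `visitBoxFloatingPoint` in js/src/jit/x86/CodeGenerator-x86.cpp, which clamps `out.typeReg()` to `JSVAL_TAG_CLEAR`, needs the same comment.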
--- a/js/src/jit/x86/CodeGenerator-x86.cpp
+++ b/js/src/jit/x86/CodeGenerator-x86.cpp
@@ -88,16 +88,23 @@ void CodeGenerator::visitBox(LBox* box) 
   masm.mov(ImmWord(MIRTypeToTag(box->type())), ToRegister(type));
 }
 
 void CodeGenerator::visitBoxFloatingPoint(LBoxFloatingPoint* box) {
   const AnyRegister in = ToAnyRegister(box->getOperand(0));
   const ValueOperand out = ToOutValue(box);
 
   masm.moveValue(TypedOrValueRegister(box->type(), in), out);
+
+  if (JitOptions.spectreValueMasking) {
+    Register scratch = ToRegister(box->spectreTemp());
+    masm.move32(Imm32(JSVAL_TAG_CLEAR), scratch);
+    masm.cmp32Move32(Assembler::Below, scratch, out.typeReg(), scratch,
+                     out.typeReg());
+  }
 }
 
 void CodeGenerator::visitUnbox(LUnbox* unbox) {
   // Note that for unbox, the type and payload indexes are switched on the
   // inputs.
   Operand type = ToOperand(unbox->type());
   Operand payload = ToOperand(unbox->payload());
   Register output = ToRegister(unbox->output());
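Review bot: `box->spectreTemp()` is a real register only when `LIRGenerator::visitBox` in Lowering-x86.cpp saw `JitOptions.spectreValueMasking` set; otherwise it is `LDefinition::BogusTemp()`, and nothing in `visitBoxFloatingPoint` states that the two checks must agree. Both sites read the same option, so this holds today, but the contract is implicit. Making it explicit with `MOZ_ASSERT(!box->spectreTemp()->isBogusTemp());` as the first line inside the `if` would catch a later change that silently drops the mask or uses an unallocated temp. The accessor in LIR-x86.h would also benefit from a one-line comment such as `// Bogus temp unless JitOptions.spectreValueMasking is set.`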
--- a/js/src/jit/x86/LIR-x86.h
+++ b/js/src/jit/x86/LIR-x86.h
@@ -5,30 +5,33 @@
  * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
 
 #ifndef jit_x86_LIR_x86_h
 #define jit_x86_LIR_x86_h
 
 namespace js {
 namespace jit {
 
-class LBoxFloatingPoint : public LInstructionHelper<2, 1, 1> {
+class LBoxFloatingPoint : public LInstructionHelper<2, 1, 2> {
   MIRType type_;
 
  public:
   LIR_HEADER(BoxFloatingPoint);
 
   LBoxFloatingPoint(const LAllocation& in, const LDefinition& temp,
-                    MIRType type)
+                    const LDefinition& spectreTemp, MIRType type)
       : LInstructionHelper(classOpcode), type_(type) {
     MOZ_ASSERT(IsFloatingPointType(type));
     setOperand(0, in);
     setTemp(0, temp);
+    setTemp(1, spectreTemp);
   }
 
+  const LDefinition* spectreTemp() { return getTemp(1); }
+
   MIRType type() const { return type_; }
   const char* extraName() const { return StringFromMIRType(type_); }
 };
 
 class LUnbox : public LInstructionHelper<1, 2, 0> {
  public:
   LIR_HEADER(Unbox);
 
--- a/js/src/jit/x86/Lowering-x86.cpp
+++ b/js/src/jit/x86/Lowering-x86.cpp
@@ -40,18 +40,21 @@ LAllocation LIRGeneratorX86::useByteOpRe
 
 LDefinition LIRGeneratorX86::tempByteOpRegister() { return tempFixed(eax); }
 
 void LIRGenerator::visitBox(MBox* box) {
   MDefinition* inner = box->getOperand(0);
 
   // If the box wrapped a double, it needs a new register.
   if (IsFloatingPointType(inner->type())) {
-    defineBox(new (alloc()) LBoxFloatingPoint(
-                  useRegisterAtStart(inner), tempCopy(inner, 0), inner->type()),
+    LDefinition spectreTemp =
+        JitOptions.spectreValueMasking ? temp() : LDefinition::BogusTemp();
+    defineBox(new (alloc()) LBoxFloatingPoint(useRegisterAtStart(inner),
+                                              tempCopy(inner, 0), spectreTemp,
+                                              inner->type()),
               box);
     return;
   }
 
   if (box->canEmitAtUses()) {
     emitAtUses(box);
     return;
   }