1.1 --- /dev/null Thu Jan 01 00:00:00 1970 +0000
1.2 +++ b/js/src/jit/x86/Trampoline-x86.cpp Wed Dec 31 06:09:35 2014 +0100
1.3 @@ -0,0 +1,861 @@
1.4 +/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 4 -*-
1.5 + * vim: set ts=8 sts=4 et sw=4 tw=99:
1.6 + * This Source Code Form is subject to the terms of the Mozilla Public
1.7 + * License, v. 2.0. If a copy of the MPL was not distributed with this
1.8 + * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
1.9 +
1.10 +#include "jscompartment.h"
1.11 +
1.12 +#include "assembler/assembler/MacroAssembler.h"
1.13 +#include "jit/Bailouts.h"
1.14 +#include "jit/BaselineJIT.h"
1.15 +#include "jit/IonFrames.h"
1.16 +#include "jit/IonLinker.h"
1.17 +#include "jit/IonSpewer.h"
1.18 +#include "jit/JitCompartment.h"
1.19 +#ifdef JS_ION_PERF
1.20 +# include "jit/PerfSpewer.h"
1.21 +#endif
1.22 +#include "jit/VMFunctions.h"
1.23 +#include "jit/x86/BaselineHelpers-x86.h"
1.24 +
1.25 +#include "jsscriptinlines.h"
1.26 +
1.27 +#include "jit/ExecutionMode-inl.h"
1.28 +
1.29 +using namespace js;
1.30 +using namespace js::jit;
1.31 +
1.32 +// All registers to save and restore. This includes the stack pointer, since we
1.33 +// use the ability to reference register values on the stack by index.
1.34 +static const RegisterSet AllRegs =
1.35 + RegisterSet(GeneralRegisterSet(Registers::AllMask),
1.36 + FloatRegisterSet(FloatRegisters::AllMask));
1.37 +
1.38 +enum EnterJitEbpArgumentOffset {
1.39 + ARG_JITCODE = 2 * sizeof(void *),
1.40 + ARG_ARGC = 3 * sizeof(void *),
1.41 + ARG_ARGV = 4 * sizeof(void *),
1.42 + ARG_STACKFRAME = 5 * sizeof(void *),
1.43 + ARG_CALLEETOKEN = 6 * sizeof(void *),
1.44 + ARG_SCOPECHAIN = 7 * sizeof(void *),
1.45 + ARG_STACKVALUES = 8 * sizeof(void *),
1.46 + ARG_RESULT = 9 * sizeof(void *)
1.47 +};
1.48 +
1.49 +/*
1.50 + * Generates a trampoline for a C++ function with the EnterJitCode signature,
1.51 + * using the standard cdecl calling convention.
1.52 + */
1.53 +JitCode *
1.54 +JitRuntime::generateEnterJIT(JSContext *cx, EnterJitType type)
1.55 +{
1.56 + MacroAssembler masm(cx);
1.57 +
1.58 + // Save old stack frame pointer, set new stack frame pointer.
1.59 + masm.push(ebp);
1.60 + masm.movl(esp, ebp);
1.61 +
1.62 + // Save non-volatile registers. These must be saved by the trampoline,
1.63 + // rather than the JIT'd code, because they are scanned by the conservative
1.64 + // scanner.
1.65 + masm.push(ebx);
1.66 + masm.push(esi);
1.67 + masm.push(edi);
1.68 +
1.69 + // Push the EnterJIT sps mark.
1.70 + masm.spsMarkJit(&cx->runtime()->spsProfiler, ebp, ebx);
1.71 +
1.72 + // Keep track of the stack which has to be unwound after returning from the
1.73 + // compiled function.
1.74 + masm.movl(esp, esi);
1.75 +
1.76 + // eax <- 8*argc, eax is now the offset betwen argv and the last
1.77 + masm.loadPtr(Address(ebp, ARG_ARGC), eax);
1.78 + masm.shll(Imm32(3), eax);
1.79 +
1.80 + // We need to ensure that the stack is aligned on a 12-byte boundary, so
1.81 + // inside the JIT function the stack is 16-byte aligned. Our stack right
1.82 + // now might not be aligned on some platforms (win32, gcc) so we factor
1.83 + // this possibility in, and simulate what the new stack address would be.
1.84 + // +argc * 8 for arguments
1.85 + // +4 for pushing alignment
1.86 + // +4 for pushing the callee token
1.87 + // +4 for pushing the return address
1.88 + masm.movl(esp, ecx);
1.89 + masm.subl(eax, ecx);
1.90 + masm.subl(Imm32(4 * 3), ecx);
1.91 +
1.92 + // ecx = ecx & 15, holds alignment.
1.93 + masm.andl(Imm32(15), ecx);
1.94 + masm.subl(ecx, esp);
1.95 +
1.96 + /***************************************************************
1.97 + Loop over argv vector, push arguments onto stack in reverse order
1.98 + ***************************************************************/
1.99 +
1.100 + // ebx = argv --argv pointer is in ebp + 16
1.101 + masm.loadPtr(Address(ebp, ARG_ARGV), ebx);
1.102 +
1.103 + // eax = argv[8(argc)] --eax now points one value past the last argument
1.104 + masm.addl(ebx, eax);
1.105 +
1.106 + // while (eax > ebx) --while still looping through arguments
1.107 + {
1.108 + Label header, footer;
1.109 + masm.bind(&header);
1.110 +
1.111 + masm.cmpl(eax, ebx);
1.112 + masm.j(Assembler::BelowOrEqual, &footer);
1.113 +
1.114 + // eax -= 8 --move to previous argument
1.115 + masm.subl(Imm32(8), eax);
1.116 +
1.117 + // Push what eax points to on stack, a Value is 2 words
1.118 + masm.push(Operand(eax, 4));
1.119 + masm.push(Operand(eax, 0));
1.120 +
1.121 + masm.jmp(&header);
1.122 + masm.bind(&footer);
1.123 + }
1.124 +
1.125 +
1.126 + // Push the number of actual arguments. |result| is used to store the
1.127 + // actual number of arguments without adding an extra argument to the enter
1.128 + // JIT.
1.129 + masm.mov(Operand(ebp, ARG_RESULT), eax);
1.130 + masm.unboxInt32(Address(eax, 0x0), eax);
1.131 + masm.push(eax);
1.132 +
1.133 + // Push the callee token.
1.134 + masm.push(Operand(ebp, ARG_CALLEETOKEN));
1.135 +
1.136 + // Load the InterpreterFrame address into the OsrFrameReg.
1.137 + // This address is also used for setting the constructing bit on all paths.
1.138 + masm.loadPtr(Address(ebp, ARG_STACKFRAME), OsrFrameReg);
1.139 +
1.140 + /*****************************************************************
1.141 + Push the number of bytes we've pushed so far on the stack and call
1.142 + *****************************************************************/
1.143 + // Create a frame descriptor.
1.144 + masm.subl(esp, esi);
1.145 + masm.makeFrameDescriptor(esi, JitFrame_Entry);
1.146 + masm.push(esi);
1.147 +
1.148 + CodeLabel returnLabel;
1.149 + if (type == EnterJitBaseline) {
1.150 + // Handle OSR.
1.151 + GeneralRegisterSet regs(GeneralRegisterSet::All());
1.152 + regs.take(JSReturnOperand);
1.153 + regs.takeUnchecked(OsrFrameReg);
1.154 + regs.take(ebp);
1.155 + regs.take(ReturnReg);
1.156 +
1.157 + Register scratch = regs.takeAny();
1.158 +
1.159 + Label notOsr;
1.160 + masm.branchTestPtr(Assembler::Zero, OsrFrameReg, OsrFrameReg, ¬Osr);
1.161 +
1.162 + Register numStackValues = regs.takeAny();
1.163 + masm.loadPtr(Address(ebp, ARG_STACKVALUES), numStackValues);
1.164 +
1.165 + Register jitcode = regs.takeAny();
1.166 + masm.loadPtr(Address(ebp, ARG_JITCODE), jitcode);
1.167 +
1.168 + // Push return address, previous frame pointer.
1.169 + masm.mov(returnLabel.dest(), scratch);
1.170 + masm.push(scratch);
1.171 + masm.push(ebp);
1.172 +
1.173 + // Reserve frame.
1.174 + Register framePtr = ebp;
1.175 + masm.subPtr(Imm32(BaselineFrame::Size()), esp);
1.176 + masm.mov(esp, framePtr);
1.177 +
1.178 +#ifdef XP_WIN
1.179 + // Can't push large frames blindly on windows. Touch frame memory incrementally.
1.180 + masm.mov(numStackValues, scratch);
1.181 + masm.shll(Imm32(3), scratch);
1.182 + masm.subPtr(scratch, framePtr);
1.183 + {
1.184 + masm.movePtr(esp, scratch);
1.185 + masm.subPtr(Imm32(WINDOWS_BIG_FRAME_TOUCH_INCREMENT), scratch);
1.186 +
1.187 + Label touchFrameLoop;
1.188 + Label touchFrameLoopEnd;
1.189 + masm.bind(&touchFrameLoop);
1.190 + masm.branchPtr(Assembler::Below, scratch, framePtr, &touchFrameLoopEnd);
1.191 + masm.store32(Imm32(0), Address(scratch, 0));
1.192 + masm.subPtr(Imm32(WINDOWS_BIG_FRAME_TOUCH_INCREMENT), scratch);
1.193 + masm.jump(&touchFrameLoop);
1.194 + masm.bind(&touchFrameLoopEnd);
1.195 + }
1.196 + masm.mov(esp, framePtr);
1.197 +#endif
1.198 +
1.199 + // Reserve space for locals and stack values.
1.200 + masm.mov(numStackValues, scratch);
1.201 + masm.shll(Imm32(3), scratch);
1.202 + masm.subPtr(scratch, esp);
1.203 +
1.204 + // Enter exit frame.
1.205 + masm.addPtr(Imm32(BaselineFrame::Size() + BaselineFrame::FramePointerOffset), scratch);
1.206 + masm.makeFrameDescriptor(scratch, JitFrame_BaselineJS);
1.207 + masm.push(scratch);
1.208 + masm.push(Imm32(0)); // Fake return address.
1.209 + masm.enterFakeExitFrame();
1.210 +
1.211 + masm.push(framePtr);
1.212 + masm.push(jitcode);
1.213 +
1.214 + masm.setupUnalignedABICall(3, scratch);
1.215 + masm.passABIArg(framePtr); // BaselineFrame
1.216 + masm.passABIArg(OsrFrameReg); // InterpreterFrame
1.217 + masm.passABIArg(numStackValues);
1.218 + masm.callWithABI(JS_FUNC_TO_DATA_PTR(void *, jit::InitBaselineFrameForOsr));
1.219 +
1.220 + masm.pop(jitcode);
1.221 + masm.pop(framePtr);
1.222 +
1.223 + JS_ASSERT(jitcode != ReturnReg);
1.224 +
1.225 + Label error;
1.226 + masm.addPtr(Imm32(IonExitFrameLayout::SizeWithFooter()), esp);
1.227 + masm.addPtr(Imm32(BaselineFrame::Size()), framePtr);
1.228 + masm.branchIfFalseBool(ReturnReg, &error);
1.229 +
1.230 + masm.jump(jitcode);
1.231 +
1.232 + // OOM: load error value, discard return address and previous frame
1.233 + // pointer and return.
1.234 + masm.bind(&error);
1.235 + masm.mov(framePtr, esp);
1.236 + masm.addPtr(Imm32(2 * sizeof(uintptr_t)), esp);
1.237 + masm.moveValue(MagicValue(JS_ION_ERROR), JSReturnOperand);
1.238 + masm.mov(returnLabel.dest(), scratch);
1.239 + masm.jump(scratch);
1.240 +
1.241 + masm.bind(¬Osr);
1.242 + masm.loadPtr(Address(ebp, ARG_SCOPECHAIN), R1.scratchReg());
1.243 + }
1.244 +
1.245 + /***************************************************************
1.246 + Call passed-in code, get return value and fill in the
1.247 + passed in return value pointer
1.248 + ***************************************************************/
1.249 + masm.call(Operand(ebp, ARG_JITCODE));
1.250 +
1.251 + if (type == EnterJitBaseline) {
1.252 + // Baseline OSR will return here.
1.253 + masm.bind(returnLabel.src());
1.254 + if (!masm.addCodeLabel(returnLabel))
1.255 + return nullptr;
1.256 + }
1.257 +
1.258 + // Pop arguments off the stack.
1.259 + // eax <- 8*argc (size of all arguments we pushed on the stack)
1.260 + masm.pop(eax);
1.261 + masm.shrl(Imm32(FRAMESIZE_SHIFT), eax); // Unmark EntryFrame.
1.262 + masm.addl(eax, esp);
1.263 +
1.264 + // |ebp| could have been clobbered by the inner function.
1.265 + // Grab the address for the Value result from the argument stack.
1.266 + // +24 ... arguments ...
1.267 + // +20 <return>
1.268 + // +16 ebp <- original %ebp pointing here.
1.269 + // +12 ebx
1.270 + // +8 esi
1.271 + // +4 edi
1.272 + // +0 hasSPSFrame
1.273 + masm.loadPtr(Address(esp, ARG_RESULT + 4 * sizeof(void *)), eax);
1.274 + masm.storeValue(JSReturnOperand, Operand(eax, 0));
1.275 +
1.276 + /**************************************************************
1.277 + Return stack and registers to correct state
1.278 + **************************************************************/
1.279 + // Unwind the sps mark.
1.280 + masm.spsUnmarkJit(&cx->runtime()->spsProfiler, ebx);
1.281 +
1.282 + // Restore non-volatile registers
1.283 + masm.pop(edi);
1.284 + masm.pop(esi);
1.285 + masm.pop(ebx);
1.286 +
1.287 + // Restore old stack frame pointer
1.288 + masm.pop(ebp);
1.289 + masm.ret();
1.290 +
1.291 + Linker linker(masm);
1.292 + JitCode *code = linker.newCode<NoGC>(cx, JSC::OTHER_CODE);
1.293 +
1.294 +#ifdef JS_ION_PERF
1.295 + writePerfSpewerJitCodeProfile(code, "EnterJIT");
1.296 +#endif
1.297 +
1.298 + return code;
1.299 +}
1.300 +
1.301 +JitCode *
1.302 +JitRuntime::generateInvalidator(JSContext *cx)
1.303 +{
1.304 + AutoIonContextAlloc aica(cx);
1.305 + MacroAssembler masm(cx);
1.306 +
1.307 + // We do the minimum amount of work in assembly and shunt the rest
1.308 + // off to InvalidationBailout. Assembly does:
1.309 + //
1.310 + // - Pop the return address from the invalidation epilogue call.
1.311 + // - Push the machine state onto the stack.
1.312 + // - Call the InvalidationBailout routine with the stack pointer.
1.313 + // - Now that the frame has been bailed out, convert the invalidated
1.314 + // frame into an exit frame.
1.315 + // - Do the normal check-return-code-and-thunk-to-the-interpreter dance.
1.316 +
1.317 + masm.addl(Imm32(sizeof(uintptr_t)), esp);
1.318 +
1.319 + // Push registers such that we can access them from [base + code].
1.320 + masm.PushRegsInMask(AllRegs);
1.321 +
1.322 + masm.movl(esp, eax); // Argument to jit::InvalidationBailout.
1.323 +
1.324 + // Make space for InvalidationBailout's frameSize outparam.
1.325 + masm.reserveStack(sizeof(size_t));
1.326 + masm.movl(esp, ebx);
1.327 +
1.328 + // Make space for InvalidationBailout's bailoutInfo outparam.
1.329 + masm.reserveStack(sizeof(void *));
1.330 + masm.movl(esp, ecx);
1.331 +
1.332 + masm.setupUnalignedABICall(3, edx);
1.333 + masm.passABIArg(eax);
1.334 + masm.passABIArg(ebx);
1.335 + masm.passABIArg(ecx);
1.336 + masm.callWithABI(JS_FUNC_TO_DATA_PTR(void *, InvalidationBailout));
1.337 +
1.338 + masm.pop(ecx); // Get bailoutInfo outparam.
1.339 + masm.pop(ebx); // Get the frameSize outparam.
1.340 +
1.341 + // Pop the machine state and the dead frame.
1.342 + masm.lea(Operand(esp, ebx, TimesOne, sizeof(InvalidationBailoutStack)), esp);
1.343 +
1.344 + // Jump to shared bailout tail. The BailoutInfo pointer has to be in ecx.
1.345 + JitCode *bailoutTail = cx->runtime()->jitRuntime()->getBailoutTail();
1.346 + masm.jmp(bailoutTail);
1.347 +
1.348 + Linker linker(masm);
1.349 + JitCode *code = linker.newCode<NoGC>(cx, JSC::OTHER_CODE);
1.350 + IonSpew(IonSpew_Invalidate, " invalidation thunk created at %p", (void *) code->raw());
1.351 +
1.352 +#ifdef JS_ION_PERF
1.353 + writePerfSpewerJitCodeProfile(code, "Invalidator");
1.354 +#endif
1.355 +
1.356 + return code;
1.357 +}
1.358 +
1.359 +JitCode *
1.360 +JitRuntime::generateArgumentsRectifier(JSContext *cx, ExecutionMode mode, void **returnAddrOut)
1.361 +{
1.362 + MacroAssembler masm(cx);
1.363 +
1.364 + // ArgumentsRectifierReg contains the |nargs| pushed onto the current frame.
1.365 + // Including |this|, there are (|nargs| + 1) arguments to copy.
1.366 + JS_ASSERT(ArgumentsRectifierReg == esi);
1.367 +
1.368 + // Load the number of |undefined|s to push into %ecx.
1.369 + masm.loadPtr(Address(esp, IonRectifierFrameLayout::offsetOfCalleeToken()), eax);
1.370 + masm.movzwl(Operand(eax, JSFunction::offsetOfNargs()), ecx);
1.371 + masm.subl(esi, ecx);
1.372 +
1.373 + // Copy the number of actual arguments.
1.374 + masm.loadPtr(Address(esp, IonRectifierFrameLayout::offsetOfNumActualArgs()), edx);
1.375 +
1.376 + masm.moveValue(UndefinedValue(), ebx, edi);
1.377 +
1.378 + // NOTE: The fact that x86 ArgumentsRectifier saves the FramePointer is relied upon
1.379 + // by the baseline bailout code. If this changes, fix that code! See
1.380 + // BaselineJIT.cpp/BaselineStackBuilder::calculatePrevFramePtr, and
1.381 + // BaselineJIT.cpp/InitFromBailout. Check for the |#if defined(JS_CODEGEN_X86)| portions.
1.382 + masm.push(FramePointer);
1.383 + masm.movl(esp, FramePointer); // Save %esp.
1.384 +
1.385 + // Push undefined.
1.386 + {
1.387 + Label undefLoopTop;
1.388 + masm.bind(&undefLoopTop);
1.389 +
1.390 + masm.push(ebx); // type(undefined);
1.391 + masm.push(edi); // payload(undefined);
1.392 + masm.subl(Imm32(1), ecx);
1.393 + masm.j(Assembler::NonZero, &undefLoopTop);
1.394 + }
1.395 +
1.396 + // Get the topmost argument. We did a push of %ebp earlier, so be sure to
1.397 + // account for this in the offset
1.398 + BaseIndex b = BaseIndex(FramePointer, esi, TimesEight,
1.399 + sizeof(IonRectifierFrameLayout) + sizeof(void*));
1.400 + masm.lea(Operand(b), ecx);
1.401 +
1.402 + // Push arguments, |nargs| + 1 times (to include |this|).
1.403 + masm.addl(Imm32(1), esi);
1.404 + {
1.405 + Label copyLoopTop;
1.406 +
1.407 + masm.bind(©LoopTop);
1.408 + masm.push(Operand(ecx, sizeof(Value)/2));
1.409 + masm.push(Operand(ecx, 0x0));
1.410 + masm.subl(Imm32(sizeof(Value)), ecx);
1.411 + masm.subl(Imm32(1), esi);
1.412 + masm.j(Assembler::NonZero, ©LoopTop);
1.413 + }
1.414 +
1.415 + // Construct descriptor, accounting for pushed frame pointer above
1.416 + masm.lea(Operand(FramePointer, sizeof(void*)), ebx);
1.417 + masm.subl(esp, ebx);
1.418 + masm.makeFrameDescriptor(ebx, JitFrame_Rectifier);
1.419 +
1.420 + // Construct IonJSFrameLayout.
1.421 + masm.push(edx); // number of actual arguments
1.422 + masm.push(eax); // callee token
1.423 + masm.push(ebx); // descriptor
1.424 +
1.425 + // Call the target function.
1.426 + // Note that this assumes the function is JITted.
1.427 + masm.loadPtr(Address(eax, JSFunction::offsetOfNativeOrScript()), eax);
1.428 + masm.loadBaselineOrIonRaw(eax, eax, mode, nullptr);
1.429 + masm.call(eax);
1.430 + uint32_t returnOffset = masm.currentOffset();
1.431 +
1.432 + // Remove the rectifier frame.
1.433 + masm.pop(ebx); // ebx <- descriptor with FrameType.
1.434 + masm.shrl(Imm32(FRAMESIZE_SHIFT), ebx); // ebx <- descriptor.
1.435 + masm.pop(edi); // Discard calleeToken.
1.436 + masm.pop(edi); // Discard number of actual arguments.
1.437 +
1.438 + // Discard pushed arguments, but not the pushed frame pointer.
1.439 + BaseIndex unwind = BaseIndex(esp, ebx, TimesOne, -int32_t(sizeof(void*)));
1.440 + masm.lea(Operand(unwind), esp);
1.441 +
1.442 + masm.pop(FramePointer);
1.443 + masm.ret();
1.444 +
1.445 + Linker linker(masm);
1.446 + JitCode *code = linker.newCode<NoGC>(cx, JSC::OTHER_CODE);
1.447 +
1.448 +#ifdef JS_ION_PERF
1.449 + writePerfSpewerJitCodeProfile(code, "ArgumentsRectifier");
1.450 +#endif
1.451 +
1.452 + CodeOffsetLabel returnLabel(returnOffset);
1.453 + returnLabel.fixup(&masm);
1.454 + if (returnAddrOut)
1.455 + *returnAddrOut = (void *) (code->raw() + returnLabel.offset());
1.456 + return code;
1.457 +}
1.458 +
1.459 +static void
1.460 +GenerateBailoutThunk(JSContext *cx, MacroAssembler &masm, uint32_t frameClass)
1.461 +{
1.462 + // Push registers such that we can access them from [base + code].
1.463 + masm.PushRegsInMask(AllRegs);
1.464 +
1.465 + // Push the bailout table number.
1.466 + masm.push(Imm32(frameClass));
1.467 +
1.468 + // The current stack pointer is the first argument to jit::Bailout.
1.469 + masm.movl(esp, eax);
1.470 +
1.471 + // Make space for Bailout's baioutInfo outparam.
1.472 + masm.reserveStack(sizeof(void *));
1.473 + masm.movl(esp, ebx);
1.474 +
1.475 + // Call the bailout function. This will correct the size of the bailout.
1.476 + masm.setupUnalignedABICall(2, ecx);
1.477 + masm.passABIArg(eax);
1.478 + masm.passABIArg(ebx);
1.479 + masm.callWithABI(JS_FUNC_TO_DATA_PTR(void *, Bailout));
1.480 +
1.481 + masm.pop(ecx); // Get bailoutInfo outparam.
1.482 +
1.483 + // Common size of stuff we've pushed.
1.484 + const uint32_t BailoutDataSize = sizeof(void *) + // frameClass
1.485 + sizeof(double) * FloatRegisters::Total +
1.486 + sizeof(void *) * Registers::Total;
1.487 +
1.488 + // Remove both the bailout frame and the topmost Ion frame's stack.
1.489 + if (frameClass == NO_FRAME_SIZE_CLASS_ID) {
1.490 + // We want the frameSize. Stack is:
1.491 + // ... frame ...
1.492 + // snapshotOffset
1.493 + // frameSize
1.494 + // ... bailoutFrame ...
1.495 + masm.addl(Imm32(BailoutDataSize), esp);
1.496 + masm.pop(ebx);
1.497 + masm.addl(Imm32(sizeof(uint32_t)), esp);
1.498 + masm.addl(ebx, esp);
1.499 + } else {
1.500 + // Stack is:
1.501 + // ... frame ...
1.502 + // bailoutId
1.503 + // ... bailoutFrame ...
1.504 + uint32_t frameSize = FrameSizeClass::FromClass(frameClass).frameSize();
1.505 + masm.addl(Imm32(BailoutDataSize + sizeof(void *) + frameSize), esp);
1.506 + }
1.507 +
1.508 + // Jump to shared bailout tail. The BailoutInfo pointer has to be in ecx.
1.509 + JitCode *bailoutTail = cx->runtime()->jitRuntime()->getBailoutTail();
1.510 + masm.jmp(bailoutTail);
1.511 +}
1.512 +
1.513 +JitCode *
1.514 +JitRuntime::generateBailoutTable(JSContext *cx, uint32_t frameClass)
1.515 +{
1.516 + MacroAssembler masm;
1.517 +
1.518 + Label bailout;
1.519 + for (size_t i = 0; i < BAILOUT_TABLE_SIZE; i++)
1.520 + masm.call(&bailout);
1.521 + masm.bind(&bailout);
1.522 +
1.523 + GenerateBailoutThunk(cx, masm, frameClass);
1.524 +
1.525 + Linker linker(masm);
1.526 + JitCode *code = linker.newCode<NoGC>(cx, JSC::OTHER_CODE);
1.527 +
1.528 +#ifdef JS_ION_PERF
1.529 + writePerfSpewerJitCodeProfile(code, "BailoutHandler");
1.530 +#endif
1.531 +
1.532 + return code;
1.533 +}
1.534 +
1.535 +JitCode *
1.536 +JitRuntime::generateBailoutHandler(JSContext *cx)
1.537 +{
1.538 + MacroAssembler masm;
1.539 +
1.540 + GenerateBailoutThunk(cx, masm, NO_FRAME_SIZE_CLASS_ID);
1.541 +
1.542 + Linker linker(masm);
1.543 + JitCode *code = linker.newCode<NoGC>(cx, JSC::OTHER_CODE);
1.544 +
1.545 +#ifdef JS_ION_PERF
1.546 + writePerfSpewerJitCodeProfile(code, "BailoutHandler");
1.547 +#endif
1.548 +
1.549 + return code;
1.550 +}
1.551 +
1.552 +JitCode *
1.553 +JitRuntime::generateVMWrapper(JSContext *cx, const VMFunction &f)
1.554 +{
1.555 + JS_ASSERT(!StackKeptAligned);
1.556 + JS_ASSERT(functionWrappers_);
1.557 + JS_ASSERT(functionWrappers_->initialized());
1.558 + VMWrapperMap::AddPtr p = functionWrappers_->lookupForAdd(&f);
1.559 + if (p)
1.560 + return p->value();
1.561 +
1.562 + // Generate a separated code for the wrapper.
1.563 + MacroAssembler masm;
1.564 +
1.565 + // Avoid conflicts with argument registers while discarding the result after
1.566 + // the function call.
1.567 + GeneralRegisterSet regs = GeneralRegisterSet(Register::Codes::WrapperMask);
1.568 +
1.569 + // Wrapper register set is a superset of Volatile register set.
1.570 + JS_STATIC_ASSERT((Register::Codes::VolatileMask & ~Register::Codes::WrapperMask) == 0);
1.571 +
1.572 + // The context is the first argument.
1.573 + Register cxreg = regs.takeAny();
1.574 +
1.575 + // Stack is:
1.576 + // ... frame ...
1.577 + // +8 [args]
1.578 + // +4 descriptor
1.579 + // +0 returnAddress
1.580 + //
1.581 + // We're aligned to an exit frame, so link it up.
1.582 + masm.enterExitFrameAndLoadContext(&f, cxreg, regs.getAny(), f.executionMode);
1.583 +
1.584 + // Save the current stack pointer as the base for copying arguments.
1.585 + Register argsBase = InvalidReg;
1.586 + if (f.explicitArgs) {
1.587 + argsBase = regs.takeAny();
1.588 + masm.lea(Operand(esp, IonExitFrameLayout::SizeWithFooter()), argsBase);
1.589 + }
1.590 +
1.591 + // Reserve space for the outparameter.
1.592 + Register outReg = InvalidReg;
1.593 + switch (f.outParam) {
1.594 + case Type_Value:
1.595 + outReg = regs.takeAny();
1.596 + masm.Push(UndefinedValue());
1.597 + masm.movl(esp, outReg);
1.598 + break;
1.599 +
1.600 + case Type_Handle:
1.601 + outReg = regs.takeAny();
1.602 + masm.PushEmptyRooted(f.outParamRootType);
1.603 + masm.movl(esp, outReg);
1.604 + break;
1.605 +
1.606 + case Type_Int32:
1.607 + case Type_Pointer:
1.608 + case Type_Bool:
1.609 + outReg = regs.takeAny();
1.610 + masm.reserveStack(sizeof(int32_t));
1.611 + masm.movl(esp, outReg);
1.612 + break;
1.613 +
1.614 + case Type_Double:
1.615 + outReg = regs.takeAny();
1.616 + masm.reserveStack(sizeof(double));
1.617 + masm.movl(esp, outReg);
1.618 + break;
1.619 +
1.620 + default:
1.621 + JS_ASSERT(f.outParam == Type_Void);
1.622 + break;
1.623 + }
1.624 +
1.625 + masm.setupUnalignedABICall(f.argc(), regs.getAny());
1.626 + masm.passABIArg(cxreg);
1.627 +
1.628 + size_t argDisp = 0;
1.629 +
1.630 + // Copy arguments.
1.631 + for (uint32_t explicitArg = 0; explicitArg < f.explicitArgs; explicitArg++) {
1.632 + MoveOperand from;
1.633 + switch (f.argProperties(explicitArg)) {
1.634 + case VMFunction::WordByValue:
1.635 + masm.passABIArg(MoveOperand(argsBase, argDisp), MoveOp::GENERAL);
1.636 + argDisp += sizeof(void *);
1.637 + break;
1.638 + case VMFunction::DoubleByValue:
1.639 + // We don't pass doubles in float registers on x86, so no need
1.640 + // to check for argPassedInFloatReg.
1.641 + masm.passABIArg(MoveOperand(argsBase, argDisp), MoveOp::GENERAL);
1.642 + argDisp += sizeof(void *);
1.643 + masm.passABIArg(MoveOperand(argsBase, argDisp), MoveOp::GENERAL);
1.644 + argDisp += sizeof(void *);
1.645 + break;
1.646 + case VMFunction::WordByRef:
1.647 + masm.passABIArg(MoveOperand(argsBase, argDisp, MoveOperand::EFFECTIVE_ADDRESS),
1.648 + MoveOp::GENERAL);
1.649 + argDisp += sizeof(void *);
1.650 + break;
1.651 + case VMFunction::DoubleByRef:
1.652 + masm.passABIArg(MoveOperand(argsBase, argDisp, MoveOperand::EFFECTIVE_ADDRESS),
1.653 + MoveOp::GENERAL);
1.654 + argDisp += 2 * sizeof(void *);
1.655 + break;
1.656 + }
1.657 + }
1.658 +
1.659 + // Copy the implicit outparam, if any.
1.660 + if (outReg != InvalidReg)
1.661 + masm.passABIArg(outReg);
1.662 +
1.663 + masm.callWithABI(f.wrapped);
1.664 +
1.665 + // Test for failure.
1.666 + switch (f.failType()) {
1.667 + case Type_Object:
1.668 + masm.branchTestPtr(Assembler::Zero, eax, eax, masm.failureLabel(f.executionMode));
1.669 + break;
1.670 + case Type_Bool:
1.671 + masm.testb(eax, eax);
1.672 + masm.j(Assembler::Zero, masm.failureLabel(f.executionMode));
1.673 + break;
1.674 + default:
1.675 + MOZ_ASSUME_UNREACHABLE("unknown failure kind");
1.676 + }
1.677 +
1.678 + // Load the outparam and free any allocated stack.
1.679 + switch (f.outParam) {
1.680 + case Type_Handle:
1.681 + masm.popRooted(f.outParamRootType, ReturnReg, JSReturnOperand);
1.682 + break;
1.683 +
1.684 + case Type_Value:
1.685 + masm.Pop(JSReturnOperand);
1.686 + break;
1.687 +
1.688 + case Type_Int32:
1.689 + case Type_Pointer:
1.690 + masm.Pop(ReturnReg);
1.691 + break;
1.692 +
1.693 + case Type_Bool:
1.694 + masm.Pop(ReturnReg);
1.695 + masm.movzbl(ReturnReg, ReturnReg);
1.696 + break;
1.697 +
1.698 + case Type_Double:
1.699 + if (cx->runtime()->jitSupportsFloatingPoint)
1.700 + masm.Pop(ReturnFloatReg);
1.701 + else
1.702 + masm.assumeUnreachable("Unable to pop to float reg, with no FP support.");
1.703 + break;
1.704 +
1.705 + default:
1.706 + JS_ASSERT(f.outParam == Type_Void);
1.707 + break;
1.708 + }
1.709 + masm.leaveExitFrame();
1.710 + masm.retn(Imm32(sizeof(IonExitFrameLayout) +
1.711 + f.explicitStackSlots() * sizeof(void *) +
1.712 + f.extraValuesToPop * sizeof(Value)));
1.713 +
1.714 + Linker linker(masm);
1.715 + JitCode *wrapper = linker.newCode<NoGC>(cx, JSC::OTHER_CODE);
1.716 + if (!wrapper)
1.717 + return nullptr;
1.718 +
1.719 +#ifdef JS_ION_PERF
1.720 + writePerfSpewerJitCodeProfile(wrapper, "VMWrapper");
1.721 +#endif
1.722 +
1.723 + // linker.newCode may trigger a GC and sweep functionWrappers_ so we have to
1.724 + // use relookupOrAdd instead of add.
1.725 + if (!functionWrappers_->relookupOrAdd(p, &f, wrapper))
1.726 + return nullptr;
1.727 +
1.728 + return wrapper;
1.729 +}
1.730 +
1.731 +JitCode *
1.732 +JitRuntime::generatePreBarrier(JSContext *cx, MIRType type)
1.733 +{
1.734 + MacroAssembler masm;
1.735 +
1.736 + RegisterSet save;
1.737 + if (cx->runtime()->jitSupportsFloatingPoint) {
1.738 + save = RegisterSet(GeneralRegisterSet(Registers::VolatileMask),
1.739 + FloatRegisterSet(FloatRegisters::VolatileMask));
1.740 + } else {
1.741 + save = RegisterSet(GeneralRegisterSet(Registers::VolatileMask),
1.742 + FloatRegisterSet());
1.743 + }
1.744 + masm.PushRegsInMask(save);
1.745 +
1.746 + JS_ASSERT(PreBarrierReg == edx);
1.747 + masm.movl(ImmPtr(cx->runtime()), ecx);
1.748 +
1.749 + masm.setupUnalignedABICall(2, eax);
1.750 + masm.passABIArg(ecx);
1.751 + masm.passABIArg(edx);
1.752 +
1.753 + if (type == MIRType_Value) {
1.754 + masm.callWithABI(JS_FUNC_TO_DATA_PTR(void *, MarkValueFromIon));
1.755 + } else {
1.756 + JS_ASSERT(type == MIRType_Shape);
1.757 + masm.callWithABI(JS_FUNC_TO_DATA_PTR(void *, MarkShapeFromIon));
1.758 + }
1.759 +
1.760 + masm.PopRegsInMask(save);
1.761 + masm.ret();
1.762 +
1.763 + Linker linker(masm);
1.764 + JitCode *code = linker.newCode<NoGC>(cx, JSC::OTHER_CODE);
1.765 +
1.766 +#ifdef JS_ION_PERF
1.767 + writePerfSpewerJitCodeProfile(code, "PreBarrier");
1.768 +#endif
1.769 +
1.770 + return code;
1.771 +}
1.772 +
1.773 +typedef bool (*HandleDebugTrapFn)(JSContext *, BaselineFrame *, uint8_t *, bool *);
1.774 +static const VMFunction HandleDebugTrapInfo = FunctionInfo<HandleDebugTrapFn>(HandleDebugTrap);
1.775 +
1.776 +JitCode *
1.777 +JitRuntime::generateDebugTrapHandler(JSContext *cx)
1.778 +{
1.779 + MacroAssembler masm;
1.780 +
1.781 + Register scratch1 = eax;
1.782 + Register scratch2 = ecx;
1.783 + Register scratch3 = edx;
1.784 +
1.785 + // Load the return address in scratch1.
1.786 + masm.loadPtr(Address(esp, 0), scratch1);
1.787 +
1.788 + // Load BaselineFrame pointer in scratch2.
1.789 + masm.mov(ebp, scratch2);
1.790 + masm.subPtr(Imm32(BaselineFrame::Size()), scratch2);
1.791 +
1.792 + // Enter a stub frame and call the HandleDebugTrap VM function. Ensure
1.793 + // the stub frame has a nullptr ICStub pointer, since this pointer is
1.794 + // marked during GC.
1.795 + masm.movePtr(ImmPtr(nullptr), BaselineStubReg);
1.796 + EmitEnterStubFrame(masm, scratch3);
1.797 +
1.798 + JitCode *code = cx->runtime()->jitRuntime()->getVMWrapper(HandleDebugTrapInfo);
1.799 + if (!code)
1.800 + return nullptr;
1.801 +
1.802 + masm.push(scratch1);
1.803 + masm.push(scratch2);
1.804 + EmitCallVM(code, masm);
1.805 +
1.806 + EmitLeaveStubFrame(masm);
1.807 +
1.808 + // If the stub returns |true|, we have to perform a forced return
1.809 + // (return from the JS frame). If the stub returns |false|, just return
1.810 + // from the trap stub so that execution continues at the current pc.
1.811 + Label forcedReturn;
1.812 + masm.branchTest32(Assembler::NonZero, ReturnReg, ReturnReg, &forcedReturn);
1.813 + masm.ret();
1.814 +
1.815 + masm.bind(&forcedReturn);
1.816 + masm.loadValue(Address(ebp, BaselineFrame::reverseOffsetOfReturnValue()),
1.817 + JSReturnOperand);
1.818 + masm.mov(ebp, esp);
1.819 + masm.pop(ebp);
1.820 + masm.ret();
1.821 +
1.822 + Linker linker(masm);
1.823 + JitCode *codeDbg = linker.newCode<NoGC>(cx, JSC::OTHER_CODE);
1.824 +
1.825 +#ifdef JS_ION_PERF
1.826 + writePerfSpewerJitCodeProfile(codeDbg, "DebugTrapHandler");
1.827 +#endif
1.828 +
1.829 + return codeDbg;
1.830 +}
1.831 +
1.832 +JitCode *
1.833 +JitRuntime::generateExceptionTailStub(JSContext *cx)
1.834 +{
1.835 + MacroAssembler masm;
1.836 +
1.837 + masm.handleFailureWithHandlerTail();
1.838 +
1.839 + Linker linker(masm);
1.840 + JitCode *code = linker.newCode<NoGC>(cx, JSC::OTHER_CODE);
1.841 +
1.842 +#ifdef JS_ION_PERF
1.843 + writePerfSpewerJitCodeProfile(code, "ExceptionTailStub");
1.844 +#endif
1.845 +
1.846 + return code;
1.847 +}
1.848 +
1.849 +JitCode *
1.850 +JitRuntime::generateBailoutTailStub(JSContext *cx)
1.851 +{
1.852 + MacroAssembler masm;
1.853 +
1.854 + masm.generateBailoutTail(edx, ecx);
1.855 +
1.856 + Linker linker(masm);
1.857 + JitCode *code = linker.newCode<NoGC>(cx, JSC::OTHER_CODE);
1.858 +
1.859 +#ifdef JS_ION_PERF
1.860 + writePerfSpewerJitCodeProfile(code, "BailoutTailStub");
1.861 +#endif
1.862 +
1.863 + return code;
1.864 +}
