- Revision
- 208819
- Author
- [email protected]
- Date
- 2016-11-16 15:18:11 -0800 (Wed, 16 Nov 2016)
Log Message
ExceptionFuzz functions should use its client's ThrowScope.
https://bugs.webkit.org/show_bug.cgi?id=164834
Reviewed by Geoffrey Garen.
This is because ExceptionFuzz's purpose is to throw exceptions from its client at
exception check sites. Using the client's ThrowScope solves 2 problems:
1. If ExceptionFuzz instantiates its own ThrowScope, the simulated throw will be
mis-attributed to ExceptionFuzz when it should be attributed to its client.
2. One way exception scope verification works is by having ThrowScopes assert
that there are no unchecked simulated exceptions when the ThrowScope is
instantiated. However, ExceptionFuzz necessarily works by inserting
doExceptionFuzzingIfEnabled() in between a ThrowScope that simulated a throw
and an exception check. If we declare a ThrowScope in ExceptionFuzz's code,
we will be instantiating the ThrowScope between the point where a simulated
throw occurs and where the needed exception check can occur. Hence, having
ExceptionFuzz instantiate its own ThrowScope will fail exception scope
verification every time.
Changing ExceptionFuzz to use its client's ThrowScope resolves both problems.
Also fixed the THROW() macro in CommonSlowPaths.cpp to use the ThrowScope that
already exists in every slow path function instead of creating a new one.
* jit/JITOperations.cpp:
* llint/LLIntSlowPaths.cpp:
* runtime/CommonSlowPaths.cpp:
* runtime/ExceptionFuzz.cpp:
(JSC::doExceptionFuzzing):
* runtime/ExceptionFuzz.h:
(JSC::doExceptionFuzzingIfEnabled):
Modified Paths
Diff
Modified: trunk/Source/_javascript_Core/ChangeLog (208818 => 208819)
--- trunk/Source/_javascript_Core/ChangeLog 2016-11-16 23:17:26 UTC (rev 208818)
+++ trunk/Source/_javascript_Core/ChangeLog 2016-11-16 23:18:11 UTC (rev 208819)
@@ -1,3 +1,39 @@
+2016-11-16 Mark Lam <[email protected]>
+
+ ExceptionFuzz functions should use its client's ThrowScope.
+ https://bugs.webkit.org/show_bug.cgi?id=164834
+
+ Reviewed by Geoffrey Garen.
+
+ This is because ExceptionFuzz's purpose is to throw exceptions from its client at
+ exception check sites. Using the client's ThrowScope solves 2 problems:
+
+ 1. If ExceptionFuzz instantiates its own ThrowScope, the simulated throw will be
+ mis-attributed to ExceptionFuzz when it should be attributed to its client.
+
+ 2. One way exception scope verification works is by having ThrowScopes assert
+ that there are no unchecked simulated exceptions when the ThrowScope is
+ instantiated. However, ExceptionFuzz necessarily works by inserting
+ doExceptionFuzzingIfEnabled() in between a ThrowScope that simulated a throw
+ and an exception check. If we declare a ThrowScope in ExceptionFuzz's code,
+ we will be instantiating the ThrowScope between the point where a simulated
+ throw occurs and where the needed exception check can occur. Hence, having
+ ExceptionFuzz instantiate its own ThrowScope will fail exception scope
+ verification every time.
+
+ Changing ExceptionFuzz to use its client's ThrowScope resolves both problems.
+
+ Also fixed the THROW() macro in CommonSlowPaths.cpp to use the ThrowScope that
+ already exists in every slow path function instead of creating a new one.
+
+ * jit/JITOperations.cpp:
+ * llint/LLIntSlowPaths.cpp:
+ * runtime/CommonSlowPaths.cpp:
+ * runtime/ExceptionFuzz.cpp:
+ (JSC::doExceptionFuzzing):
+ * runtime/ExceptionFuzz.h:
+ (JSC::doExceptionFuzzingIfEnabled):
+
2016-11-16 Filip Pizlo <[email protected]>
Slight Octane regression from concurrent GC's eager object zero-fill
Modified: trunk/Source/_javascript_Core/jit/JITOperations.cpp (208818 => 208819)
--- trunk/Source/_javascript_Core/jit/JITOperations.cpp 2016-11-16 23:17:26 UTC (rev 208818)
+++ trunk/Source/_javascript_Core/jit/JITOperations.cpp 2016-11-16 23:18:11 UTC (rev 208819)
@@ -2271,9 +2271,11 @@
{
VM* vm = &exec->vm();
NativeCallFrameTracer tracer(vm, exec);
+ auto scope = DECLARE_THROW_SCOPE(*vm);
+ UNUSED_PARAM(scope);
#if COMPILER(GCC_OR_CLANG)
void* returnPC = __builtin_return_address(0);
- doExceptionFuzzing(exec, "JITOperations", returnPC);
+ doExceptionFuzzing(exec, scope, "JITOperations", returnPC);
#endif // COMPILER(GCC_OR_CLANG)
}
Modified: trunk/Source/_javascript_Core/llint/LLIntSlowPaths.cpp (208818 => 208819)
--- trunk/Source/_javascript_Core/llint/LLIntSlowPaths.cpp 2016-11-16 23:17:26 UTC (rev 208818)
+++ trunk/Source/_javascript_Core/llint/LLIntSlowPaths.cpp 2016-11-16 23:18:11 UTC (rev 208819)
@@ -108,7 +108,7 @@
} while (false)
#define LLINT_CHECK_EXCEPTION() do { \
- doExceptionFuzzingIfEnabled(exec, "LLIntSlowPaths", pc); \
+ doExceptionFuzzingIfEnabled(exec, throwScope, "LLIntSlowPaths", pc); \
if (UNLIKELY(throwScope.exception())) { \
pc = returnToThrow(exec); \
LLINT_END_IMPL(); \
@@ -169,7 +169,7 @@
#define LLINT_CALL_CHECK_EXCEPTION(exec, execCallee) do { \
ExecState* __cce_exec = (exec); \
ExecState* __cce_execCallee = (execCallee); \
- doExceptionFuzzingIfEnabled(__cce_exec, "LLIntSlowPaths/call", nullptr); \
+ doExceptionFuzzingIfEnabled(__cce_exec, throwScope, "LLIntSlowPaths/call", nullptr); \
if (UNLIKELY(throwScope.exception())) \
LLINT_CALL_END_IMPL(0, callToThrow(__cce_execCallee)); \
} while (false)
Modified: trunk/Source/_javascript_Core/runtime/CommonSlowPaths.cpp (208818 => 208819)
--- trunk/Source/_javascript_Core/runtime/CommonSlowPaths.cpp 2016-11-16 23:17:26 UTC (rev 208818)
+++ trunk/Source/_javascript_Core/runtime/CommonSlowPaths.cpp 2016-11-16 23:18:11 UTC (rev 208819)
@@ -96,14 +96,13 @@
#define END_IMPL() RETURN_TWO(pc, exec)
#define THROW(exceptionToThrow) do { \
- auto scope = DECLARE_THROW_SCOPE(vm); \
- throwException(exec, scope, exceptionToThrow); \
+ throwException(exec, throwScope, exceptionToThrow); \
RETURN_TO_THROW(exec, pc); \
END_IMPL(); \
} while (false)
#define CHECK_EXCEPTION() do { \
- doExceptionFuzzingIfEnabled(exec, "CommonSlowPaths", pc); \
+ doExceptionFuzzingIfEnabled(exec, throwScope, "CommonSlowPaths", pc); \
if (UNLIKELY(throwScope.exception())) { \
RETURN_TO_THROW(exec, pc); \
END_IMPL(); \
Modified: trunk/Source/_javascript_Core/runtime/ExceptionFuzz.cpp (208818 => 208819)
--- trunk/Source/_javascript_Core/runtime/ExceptionFuzz.cpp 2016-11-16 23:17:26 UTC (rev 208818)
+++ trunk/Source/_javascript_Core/runtime/ExceptionFuzz.cpp 2016-11-16 23:18:11 UTC (rev 208819)
@@ -36,10 +36,9 @@
unsigned numberOfExceptionFuzzChecks() { return s_numberOfExceptionFuzzChecks; }
// Call this only if you know that exception fuzzing is enabled.
-void doExceptionFuzzing(ExecState* exec, const char* where, void* returnPC)
+void doExceptionFuzzing(ExecState* exec, ThrowScope& scope, const char* where, void* returnPC)
{
- VM& vm = exec->vm();
- auto scope = DECLARE_THROW_SCOPE(vm);
+ VM& vm = scope.vm();
ASSERT(Options::useExceptionFuzz());
DeferGCForAWhile deferGC(vm.heap);
Modified: trunk/Source/_javascript_Core/runtime/ExceptionFuzz.h (208818 => 208819)
--- trunk/Source/_javascript_Core/runtime/ExceptionFuzz.h 2016-11-16 23:17:26 UTC (rev 208818)
+++ trunk/Source/_javascript_Core/runtime/ExceptionFuzz.h 2016-11-16 23:18:11 UTC (rev 208819)
@@ -30,16 +30,17 @@
namespace JSC {
class ExecState;
+class ThrowScope;
// Call this only if you know that exception fuzzing is enabled.
-void doExceptionFuzzing(ExecState* exec, const char* where, void* returnPC);
+void doExceptionFuzzing(ExecState*, ThrowScope&, const char* where, void* returnPC);
// This is what you should call if you don't know if fuzzing is enabled.
-ALWAYS_INLINE void doExceptionFuzzingIfEnabled(ExecState* exec, const char* where, void* returnPC)
+ALWAYS_INLINE void doExceptionFuzzingIfEnabled(ExecState* exec, ThrowScope& scope, const char* where, void* returnPC)
{
if (LIKELY(!Options::useExceptionFuzz()))
return;
- doExceptionFuzzing(exec, where, returnPC);
+ doExceptionFuzzing(exec, scope, where, returnPC);
}
} // namespace JSC
