Title: [209847] trunk/Source/_javascript_Core
- Revision
- 209847
- Author
- [email protected]
- Date
- 2016-12-14 17:41:53 -0800 (Wed, 14 Dec 2016)
Log Message
The stress GC bot crashes in _javascript_Core beneath ShadowChicken::update and Inspector::jsToInspectorValue
https://bugs.webkit.org/show_bug.cgi?id=165871
Reviewed by Mark Lam.
This fixes two issues with the VM watch dog timer firing in a worker.
The first issue has to do with bytecode ordering. Prior to this change, the first few opcodes
generated when the watch dog is enabled are:
op_enter
op_watchdog
op_get_scope
When the watchdog fires, the function will get an exception at op_watchdog. In processing that exception,
we'll try to update the ShadowChicken shadow stack. That update assumes that if there is a scope
VirtualRegister allocated, then the slot contains a valid JSScope. With the current bytecode ordering,
this is not true at op_watchdog as op_enter will put JSUndefined in the scope slot. It isn't until the
op_get_scope gets processed that we'll have a valid scope in the slot. The fix for this issue is to
ensure that op_get_scope happens before the op_watchdog.
The second issue is that ScriptFunctionCall::call() will not tell its caller that a terminated
execution exception happened. Instead call() returns an empty JSValue. InjectedScript::wrapCallFrames()
wasn't checking for an empty JSValue, but was passing it to another function. Added a short circuit
return when call returns an empty JSValue.
Added <https://bugs.webkit.org/show_bug.cgi?id=165875> to fix other callers of ScriptFunctionCall::call()
to check for an empty JSValue return value.
Also tracked with <rdar://problem/29671015>.
* bytecompiler/BytecodeGenerator.cpp:
(JSC::BytecodeGenerator::BytecodeGenerator):
(JSC::BytecodeGenerator::emitEnter):
* inspector/InjectedScript.cpp:
(Inspector::InjectedScript::wrapCallFrames):
Modified Paths
Diff
Modified: trunk/Source/_javascript_Core/ChangeLog (209846 => 209847)
--- trunk/Source/_javascript_Core/ChangeLog 2016-12-15 01:25:16 UTC (rev 209846)
+++ trunk/Source/_javascript_Core/ChangeLog 2016-12-15 01:41:53 UTC (rev 209847)
@@ -1,3 +1,39 @@
+2016-12-14 Michael Saboff <[email protected]>
+
+ The stress GC bot crashes in _javascript_Core beneath ShadowChicken::update and Inspector::jsToInspectorValue
+ https://bugs.webkit.org/show_bug.cgi?id=165871
+
+ Reviewed by Mark Lam.
+
+ This fixes two issues with the VM watch dog timer firing in a worker.
+
+ The first issue has to do with bytecode ordering. Prior to this change, the first few opcodes
+ generated when the watch dog is enabled are:
+ op_enter
+ op_watchdog
+ op_get_scope
+ When the watchdog fires, the function will get an exception at op_watchdog. In processing that exception,
+ we'll try to update the ShadowChicken shadow stack. That update assumes that if there is a scope
+ VirtualRegister allocated, then the slot contains a valid JSScope. With the current bytecode ordering,
+ this is not true at op_watchdog as op_enter will put JSUndefined in the scope slot. It isn't until the
+ op_get_scope gets processed that we'll have a valid scope in the slot. The fix for this issue is to
+ ensure that op_get_scope happens before the op_watchdog.
+
+ The second issue is that ScriptFunctionCall::call() will not tell its caller that a terminated
+ execution exception happened. Instead call() returns an empty JSValue. InjectedScript::wrapCallFrames()
+ wasn't checking for an empty JSValue, but was passing it to another function. Added a short circuit
+ return when call returns an empty JSValue.
+
+ Added <https://bugs.webkit.org/show_bug.cgi?id=165875> to fix other callers of ScriptFunctionCall::call()
+ to check for an empty JSValue return value.
+ Also tracked with <rdar://problem/29671015>.
+
+ * bytecompiler/BytecodeGenerator.cpp:
+ (JSC::BytecodeGenerator::BytecodeGenerator):
+ (JSC::BytecodeGenerator::emitEnter):
+ * inspector/InjectedScript.cpp:
+ (Inspector::InjectedScript::wrapCallFrames):
+
2016-12-14 Filip Pizlo <[email protected]>
DirectTailCall implementation needs to tell the shuffler what to put into the ArgumentCount explicitly
Modified: trunk/Source/_javascript_Core/bytecompiler/BytecodeGenerator.cpp (209846 => 209847)
--- trunk/Source/_javascript_Core/bytecompiler/BytecodeGenerator.cpp 2016-12-15 01:25:16 UTC (rev 209846)
+++ trunk/Source/_javascript_Core/bytecompiler/BytecodeGenerator.cpp 2016-12-15 01:41:53 UTC (rev 209847)
@@ -197,6 +197,8 @@
allocateAndEmitScope();
+ emitWatchdog();
+
const FunctionStack& functionStack = programNode->functionStack();
for (size_t i = 0; i < functionStack.size(); ++i) {
@@ -330,6 +332,8 @@
allocateAndEmitScope();
+ emitWatchdog();
+
if (functionNameIsInScope(functionNode->ident(), functionNode->functionMode())) {
ASSERT(parseMode != SourceParseMode::GeneratorBodyMode);
ASSERT(!isAsyncFunctionBodyParseMode(parseMode));
@@ -756,6 +760,8 @@
allocateAndEmitScope();
+ emitWatchdog();
+
const DeclarationStacks::FunctionStack& functionStack = evalNode->functionStack();
for (size_t i = 0; i < functionStack.size(); ++i)
m_codeBlock->addFunctionDecl(makeFunction(functionStack[i]));
@@ -839,6 +845,8 @@
allocateAndEmitScope();
+ emitWatchdog();
+
m_calleeRegister.setIndex(CallFrameSlot::callee);
m_codeBlock->setNumParameters(1); // Allocate space for "this"
@@ -1249,7 +1257,6 @@
void BytecodeGenerator::emitEnter()
{
emitOpcode(op_enter);
- emitWatchdog();
}
void BytecodeGenerator::emitLoopHint()
Modified: trunk/Source/_javascript_Core/inspector/InjectedScript.cpp (209846 => 209847)
--- trunk/Source/_javascript_Core/inspector/InjectedScript.cpp 2016-12-15 01:25:16 UTC (rev 209846)
+++ trunk/Source/_javascript_Core/inspector/InjectedScript.cpp 2016-12-15 01:41:53 UTC (rev 209847)
@@ -219,6 +219,8 @@
bool hadException = false;
auto callFramesValue = callFunctionWithEvalEnabled(function, hadException);
+ if (!callFramesValue)
+ return Array<Inspector::Protocol::Debugger::CallFrame>::create();
ASSERT(!hadException);
RefPtr<InspectorValue> result = toInspectorValue(*scriptState(), callFramesValue);
if (result->type() == InspectorValue::Type::Array)
_______________________________________________
webkit-changes mailing list
[email protected]
https://lists.webkit.org/mailman/listinfo/webkit-changes
