Title: [231034] trunk
- Revision
- 231034
- Author
- [email protected]
- Date
- 2018-04-25 16:32:58 -0700 (Wed, 25 Apr 2018)
Log Message
In FTLLowerDFGToB3.cpp::compileCreateRest, always use a contiguous array as the indexing type when under isWatchingHavingABadTimeWatchpoint
https://bugs.webkit.org/show_bug.cgi?id=184773
<rdar://problem/37773612>
Reviewed by Filip Pizlo.
JSTests:
This bug requires a race between the thread doing FTL compilation and the main thread, but it triggers in 100% of cases (before the fix) on my machine
so I decided to add it to the stress tests nonetheless.
* stress/create-rest-while-having-a-bad-time.js: Added.
(f):
(g):
(h):
Source/JavaScriptCore:
We were calling restParameterStructure(), which returns arrayStructureForIndexingTypeDuringAllocation(ArrayWithContiguous).
arrayStructureForIndexingTypeDuringAllocation uses m_arrayStructureForIndexingShapeDuringAllocation, which is set to SlowPutArrayStorage when we are 'having a bad time'.
This is problematic, because the structure is then passed to allocateUninitializedContiguousJSArray, which ASSERTs that the indexing type is contiguous (or int32).
We solve the problem by using originalArrayStructureForIndexingType which always returns a structure with the right indexing type (contiguous), even if we are having a bad time.
This is safe, as we are under isWatchingHavingABadTimeWatchpoint, so if we have a bad time, the code we generate will never be installed.
* ftl/FTLLowerDFGToB3.cpp:
(JSC::FTL::DFG::LowerDFGToB3::compileCreateRest):
Diff
Modified: trunk/JSTests/ChangeLog (231033 => 231034)
--- trunk/JSTests/ChangeLog 2018-04-25 23:24:47 UTC (rev 231033)
+++ trunk/JSTests/ChangeLog 2018-04-25 23:32:58 UTC (rev 231034)
@@ -1,3 +1,19 @@
+2018-04-25 Robin Morisset <[email protected]>
+
+ In FTLLowerDFGToB3.cpp::compileCreateRest, always use a contiguous array as the indexing type when under isWatchingHavingABadTimeWatchpoint
+ https://bugs.webkit.org/show_bug.cgi?id=184773
+ <rdar://problem/37773612>
+
+ Reviewed by Filip Pizlo.
+
+ This bug requires a race between the thread doing FTL compilation and the main thread, but it triggers in 100% of cases (before the fix) on my machine
+ so I decided to add it to the stress tests nonetheless.
+
+ * stress/create-rest-while-having-a-bad-time.js: Added.
+ (f):
+ (g):
+ (h):
+
2018-04-25 Keith Miller <[email protected]>
Add missing scope release to functionProtoFuncToString
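Review bot: the entry says the test depends on a race between the FTL compilation thread and the main thread but does not say what the test does to win that race, so a reader of this ChangeLog cannot tell a timing miss from a regression. Suggest stating here that the warm-up loop exists to get f() compiled by the FTL and that the trailing Object.defineProperty(Array.prototype, "42", {}) is the 'having a bad time' trigger, and noting that on a machine where the race is lost the test passes vacuously.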
Added: trunk/JSTests/stress/create-rest-while-having-a-bad-time.js (0 => 231034)
--- trunk/JSTests/stress/create-rest-while-having-a-bad-time.js (rev 0)
+++ trunk/JSTests/stress/create-rest-while-having-a-bad-time.js 2018-04-25 23:32:58 UTC (rev 231034)
@@ -0,0 +1,16 @@
+"use strict";
+function f(...v) {
+ return g(v);
+}
+function g() {
+ return h();
+}
+function h() {
+}
+
+for (let i = 0; i < 10000; ++i) {
+ f(0);
+ f(0, 0);
+}
+
+Object.defineProperty(Array.prototype, "42", {});
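Review bot: the test has no assertion and relies on the debug-only ASSERT in allocateUninitializedContiguousJSArray described in the commit message, so it can only detect this regression in a debug build; that is acceptable for a crash test but should be stated in a comment. Suggest a line above the last statement such as `// Put the global object into 'having a bad time' while f is (ideally) still being compiled by the FTL.`, and a note that the rest parameter `...v` is the whole point of f (it is what reaches compileCreateRest) so that nobody later removes the unused argument g() receives.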
Modified: trunk/Source/_javascript_Core/ChangeLog (231033 => 231034)
--- trunk/Source/_javascript_Core/ChangeLog 2018-04-25 23:24:47 UTC (rev 231033)
+++ trunk/Source/_javascript_Core/ChangeLog 2018-04-25 23:32:58 UTC (rev 231034)
@@ -1,3 +1,20 @@
+2018-04-25 Robin Morisset <[email protected]>
+
+ In FTLLowerDFGToB3.cpp::compileCreateRest, always use a contiguous array as the indexing type when under isWatchingHavingABadTimeWatchpoint
+ https://bugs.webkit.org/show_bug.cgi?id=184773
+ <rdar://problem/37773612>
+
+ Reviewed by Filip Pizlo.
+
+ We were calling restParameterStructure(), which returns arrayStructureForIndexingTypeDuringAllocation(ArrayWithContiguous).
+ arrayStructureForIndexingTypeDuringAllocation uses m_arrayStructureForIndexingShapeDuringAllocation, which is set to SlowPutArrayStorage when we are 'having a bad time'.
+ This is problematic, because the structure is then passed to allocateUninitializedContiguousJSArray, which ASSERTs that the indexing type is contiguous (or int32).
+ We solve the problem by using originalArrayStructureForIndexingType which always returns a structure with the right indexing type (contiguous), even if we are having a bad time.
+ This is safe, as we are under isWatchingHavingABadTimeWatchpoint, so if we have a bad time, the code we generate will never be installed.
+
+ * ftl/FTLLowerDFGToB3.cpp:
+ (JSC::FTL::DFG::LowerDFGToB3::compileCreateRest):
+
2018-04-25 Mark Lam <[email protected]>
Push the definition of PtrTag down to the WTF layer.
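Review bot: the file list at the end of the entry names only ftl/FTLLowerDFGToB3.cpp, but the patch also adds originalRestParameterStructure() to runtime/JSGlobalObject.h. Add `* runtime/JSGlobalObject.h:` with `(JSC::JSGlobalObject::originalRestParameterStructure):` so the ChangeLog matches the diff.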
Modified: trunk/Source/_javascript_Core/ftl/FTLLowerDFGToB3.cpp (231033 => 231034)
--- trunk/Source/_javascript_Core/ftl/FTLLowerDFGToB3.cpp 2018-04-25 23:24:47 UTC (rev 231033)
+++ trunk/Source/_javascript_Core/ftl/FTLLowerDFGToB3.cpp 2018-04-25 23:32:58 UTC (rev 231034)
@@ -5281,7 +5281,7 @@
LValue arrayLength = lowInt32(m_node->child1());
LBasicBlock loopStart = m_out.newBlock();
JSGlobalObject* globalObject = m_graph.globalObjectFor(m_node->origin.semantic);
- RegisteredStructure structure = m_graph.registerStructure(globalObject->restParameterStructure());
+ RegisteredStructure structure = m_graph.registerStructure(globalObject->originalRestParameterStructure());
ArrayValues arrayValues = allocateUninitializedContiguousJSArray(arrayLength, structure);
LValue array = arrayValues.array;
LValue butterfly = arrayValues.butterfly;
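Review bot: the correctness of switching to originalRestParameterStructure() rests entirely on the invariant stated in the commit message (this path is only reached while watching the having-a-bad-time watchpoint, so code generated during a bad time is never installed), yet nothing in the surrounding context makes that visible at the call site. Suggest a comment on the changed line, e.g. `// Safe only because we are watching the having-a-bad-time watchpoint; if it fires, this code is never installed.`, or an assertion on the watchpoint if the graph exposes one here, so a later refactor that drops the watchpoint does not silently hand a SlowPutArrayStorage structure to allocateUninitializedContiguousJSArray.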
Modified: trunk/Source/_javascript_Core/runtime/JSGlobalObject.h (231033 => 231034)
--- trunk/Source/_javascript_Core/runtime/JSGlobalObject.h 2018-04-25 23:24:47 UTC (rev 231033)
+++ trunk/Source/_javascript_Core/runtime/JSGlobalObject.h 2018-04-25 23:32:58 UTC (rev 231034)
@@ -676,6 +676,7 @@
Structure* callableProxyObjectStructure() const { return m_callableProxyObjectStructure.get(); }
Structure* proxyRevokeStructure() const { return m_proxyRevokeStructure.get(); }
Structure* restParameterStructure() const { return arrayStructureForIndexingTypeDuringAllocation(ArrayWithContiguous); }
+ Structure* originalRestParameterStructure() const { return originalArrayStructureForIndexingType(ArrayWithContiguous); }
#if ENABLE(WEBASSEMBLY)
Structure* webAssemblyModuleRecordStructure() const { return m_webAssemblyModuleRecordStructure.get(); }
Structure* webAssemblyFunctionStructure() const { return m_webAssemblyFunctionStructure.get(); }
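Review bot: originalRestParameterStructure() and restParameterStructure() now sit side by side with nothing indicating which one a caller should use, and the difference (the original contiguous structure versus the one adjusted for the current having-a-bad-time state) is a correctness issue rather than a style choice. Suggest a brief comment above the new line, e.g. `// Ignores 'having a bad time'; only valid for callers watching the having-a-bad-time watchpoint.`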
_______________________________________________
webkit-changes mailing list
[email protected]
https://lists.webkit.org/mailman/listinfo/webkit-changes