- Revision: 244711
- Author: [email protected]
- Date: 2019-04-26 16:32:35 -0700 (Fri, 26 Apr 2019)
Log Message
[JSC] linkPolymorphicCall now does GC
https://bugs.webkit.org/show_bug.cgi?id=197306
Reviewed by Saam Barati.
JSTests:
* stress/link-polymorphic-call-can-gc.js: Added.
(module):
(instance):
Source/_javascript_Core:
Previously, we assumed that linkPolymorphicCall does not perform allocations. So we put CallVariant into a Vector<>.
But now, WebAssemblyFunction's entrypoint generation can allocate JSToWasmICCallee and cause GC. Since CallLinkInfo
does not hold these cells, they can be collected, and we will see dead cells in the middle of linkPolymorphicCall.
We should defer GC for a while in linkPolymorphicCall. We use DeferGCForAWhile instead of DeferGC because the
caller "operationLinkPolymorphicCall" assumes that this function does not cause GC.
* jit/Repatch.cpp:
(JSC::linkPolymorphicCall):
Tools:
The test is sensitive to allocations and even adding $vm makes it non-reproducible.
To add this test, we add `runWithoutBaseOption`.
* Scripts/run-jsc-stress-tests:
Diff
Modified: trunk/JSTests/ChangeLog (244710 => 244711)
--- trunk/JSTests/ChangeLog 2019-04-26 23:22:35 UTC (rev 244710)
+++ trunk/JSTests/ChangeLog 2019-04-26 23:32:35 UTC (rev 244711)
@@ -1,3 +1,14 @@
+2019-04-25 Yusuke Suzuki <[email protected]>
+
+ [JSC] linkPolymorphicCall now does GC
+ https://bugs.webkit.org/show_bug.cgi?id=197306
+
+ Reviewed by Saam Barati.
+
+ * stress/link-polymorphic-call-can-gc.js: Added.
+ (module):
+ (instance):
+
2019-04-26 Robin Morisset <[email protected]>
All prototypes should call didBecomePrototype()
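Review bot: the ChangeLog entry is dated 2019-04-25 while the revision landed 2019-04-26 16:32:35 -0700; harmless, but the same earlier date is used in all three ChangeLog entries of this revision, so consider syncing them to the commit date to keep ChangeLog and svn log consistent for bisecting.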
Added: trunk/JSTests/stress/link-polymorphic-call-can-gc.js (0 => 244711)
--- trunk/JSTests/stress/link-polymorphic-call-can-gc.js (rev 0)
+++ trunk/JSTests/stress/link-polymorphic-call-can-gc.js 2019-04-26 23:32:35 UTC (rev 244711)
@@ -0,0 +1,65 @@
+//@ skip if !$jitTests
+//@ skip if !$isFTLPlatform
+//@ runWithoutBaseOption("default", "--slowPathAllocsBetweenGCs=10", "--jitPolicyScale=0", "--useConcurrentJIT=0", "--validateExceptionChecks=1")
+'use strict';
+let o = {
+ x0: ()=>0,
+ x1: ()=>0,
+ x2: ()=>0,
+};
+
+function module(bytes) {
+ let buffer = new ArrayBuffer(bytes.length);
+ let view = new Uint8Array(buffer);
+ for (let i = 0; i < bytes.length; ++i) {
+ view[i] = bytes.charCodeAt(i);
+ }
+ return new WebAssembly.Module(buffer);
+}
+
+function instance(bytes, imports = {o}) {
+ return new WebAssembly.Instance(module(bytes), imports);
+}
+
+function call(instance_, name) {
+ return instance_.exports[name]();
+}
+
+function exports(name, instance_) {
+ return { [name]: instance_.exports };
+}
+
+function run(action) {
+ action();
+}
+
+function fn1() {
+}
+function fn1() {
+}
+function fn1() {
+}
+function fn1() {
+}
+function fn1() {
+}
+function fn1() {
+}
+function fn1() {
+}
+function fn1() {
+}
+
+try {
+ (function f() {
+ f();
+ }());
+} catch (e) {
+}
+
+let $1 = instance('\0asm\x01\0\0\0\x01\x91\x80\x80\x80\0\x04`\0\0`\0\x01\x7F`\0\x01}`\x01\x7F\x01\x7F\x03\x87\x80\x80\x80\0\x06\0\x01\x01\x02\x03\x01\x05\x84\x80\x80\x80\0\x01\x01\x01\x01\x07ë\x80\x80\x80\0\x06\x0Fzero_everything\0\0\x12test_store_to_load\0\x01\x13test_redundant_load\0\x02\x0Ftest_dead_store\0\x03\x06malloc\0\x04\x0Fmalloc_aliasing\0\x05\n\xBD\x81\x80\x80\0\x06\x9E\x80\x80\x80\0\0A\0A\x006\x02\0A\x04A\x006\x02\0A\bA\x006\x02\0A\fA\x006\x02\0\x0B\x98\x80\x80\x80\0\0A\bA\x006\x02\0A\x05C\0\0\0\x808\x02\0A\b(\x02\0\x0B\xA2\x80\x80\x80\0\x01\x02\x7FA\b(\x02\0!\0A\x05A\x80\x80\x80\x80x6\x02\0A\b(\x02\0!\x01 \0 \x01j\x0B\x9F\x80\x80\x80\0\x01\x01}A\bA\xA3Æ\x8C\x99\x026\x02\0A\x0B*\x02\0!\0A\bA\x006\x02\0 \0\x0B\x84\x80\x80\x80\0\0A\x10\x0B\xA3\x80\x80\x80\0\x01\x02\x7FA\x04\x10\x04!\0A\x04\x10\x04!\x01 \0A*6\x02\0 \x01A+6\x02\0 \0(\x02\0\x0B');
+
+call($1, 'zero_everything');
+run(() => call($1, 'zero_everything', []));
+run(() => call(instance('\0asm\x01\0\0\0\x01\x88\x80\x80\x80\0\x02`\0\0`\0\x01}\x02\x96\x80\x80\x80\0\x01\x02$1\x0Ftest_dead_store\0\x01\x03\x82\x80\x80\x80\0\x01\0\x07\x87\x80\x80\x80\0\x01\x03run\0\x01\n\x9A\x80\x80\x80\0\x01\x94\x80\x80\x80\0\0\x02@\x10\0\xBCC#\0\0\0\xBCFE\r\0\x0F\x0B\0\x0B', exports('$1', $1)), 'run', []));
+run(() => call($1, 'malloc_aliasing', []));
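Review bot: the test has no comment saying that it is allocation-shaped, and that is the one thing a future editor needs. The eight duplicate `function fn1() {}` declarations, the third argument passed to the two-parameter `call` (`call($1, 'zero_everything', [])`), and the deliberate stack overflow in `try { (function f() { f(); }()); } catch (e) {}` all look like they exist to reproduce the exact heap state in which a GC lands inside linkPolymorphicCall (the Tools ChangeLog says even adding $vm makes it non-reproducible), but nothing in the file says so; a one-line header stating that the file is allocation-sensitive and must not be tidied would stop someone from deduplicating `fn1` or dropping the unused argument. The two WebAssembly modules are inline binary strings; a pointer to their .wat source or to the fuzzer case they came from would also help anyone who later has to adjust the exports (`zero_everything`, `test_dead_store`, `malloc_aliasing`) the script calls.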
Modified: trunk/Source/_javascript_Core/ChangeLog (244710 => 244711)
--- trunk/Source/_javascript_Core/ChangeLog 2019-04-26 23:22:35 UTC (rev 244710)
+++ trunk/Source/_javascript_Core/ChangeLog 2019-04-26 23:32:35 UTC (rev 244711)
@@ -1,3 +1,19 @@
+2019-04-25 Yusuke Suzuki <[email protected]>
+
+ [JSC] linkPolymorphicCall now does GC
+ https://bugs.webkit.org/show_bug.cgi?id=197306
+
+ Reviewed by Saam Barati.
+
+ Previously, we assumed that linkPolymorphicCall does not perform allocations. So we put CallVariant into a Vector<>.
+ But now, WebAssemblyFunction's entrypoint generation can allocate JSToWasmICCallee and cause GC. Since CallLinkInfo
+ does not hold these cells, they can be collected, and we will see dead cells in the middle of linkPolymorphicCall.
+ We should defer GC for a while in linkPolymorphicCall. We use DeferGCForAWhile instead of DeferGC because the
+ caller "operationLinkPolymorphicCall" assumes that this function does not cause GC.
+
+ * jit/Repatch.cpp:
+ (JSC::linkPolymorphicCall):
+
2019-04-26 Robin Morisset <[email protected]>
All prototypes should call didBecomePrototype()
Modified: trunk/Source/_javascript_Core/jit/Repatch.cpp (244710 => 244711)
--- trunk/Source/_javascript_Core/jit/Repatch.cpp 2019-04-26 23:22:35 UTC (rev 244710)
+++ trunk/Source/_javascript_Core/jit/Repatch.cpp 2019-04-26 23:32:35 UTC (rev 244711)
@@ -955,6 +955,13 @@
ExecState* exec, CallLinkInfo& callLinkInfo, CallVariant newVariant)
{
RELEASE_ASSERT(callLinkInfo.allowStubs());
+
+ CallFrame* callerFrame = exec->callerFrame();
+ VM& vm = callerFrame->vm();
+
+ // During execution of linkPolymorphicCall, we strongly assume that we never do GC.
+ // GC jettisons CodeBlocks, changes CallLinkInfo etc. and breaks assumption done before and after this call.
+ DeferGCForAWhile deferGCForAWhile(vm.heap);
if (!newVariant) {
linkVirtualFor(exec, callLinkInfo);
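Review bot: the new comment should say whose assumptions are protected and why this particular guard: "breaks assumption done before and after this call" reads as if the assumptions belong to this function, so suggest "GC jettisons CodeBlocks, mutates CallLinkInfo etc. and would break the assumptions our caller makes before and after this call". The reason for `DeferGCForAWhile` rather than `DeferGC` (the ChangeLog says the caller operationLinkPolymorphicCall assumes this function never triggers GC, so a collection on scope exit is not acceptable either) lives only in the ChangeLog today and belongs next to the declaration. Placing the guard above the `if (!newVariant)` early return so that `linkVirtualFor` is covered too is good. Note also that the deferral only spans the linking itself: the JSToWasmICCallee cells the ChangeLog says are allocated during entrypoint generation survive past this scope only if the generated stub or the CallLinkInfo ends up referencing them, which this hunk does not show, so a sentence on who owns them after linking would close the loop.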
@@ -961,13 +968,10 @@
return;
}
- CallFrame* callerFrame = exec->callerFrame();
-
// Our caller must be have a cell for a callee. When calling
// this from Wasm, we ensure the callee is a cell.
ASSERT(callerFrame->callee().isCell());
- VM& vm = callerFrame->vm();
CodeBlock* callerCodeBlock = callerFrame->codeBlock();
bool isWebAssembly = isWebAssemblyToJSCallee(callerFrame->callee().asCell());
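Review bot: drive-by: the context comment "Our caller must be have a cell for a callee" has a pre-existing typo (drop "be"); since the surrounding lines are being touched, fixing it here is cheap. The removal itself is fine: `callerFrame` and `vm` are now declared at the top of the function in the hunk above, so the remaining `ASSERT(callerFrame->callee().isCell())` and `callerFrame->codeBlock()` still resolve, and nothing between the new declarations and this point depends on the callee being a cell.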
Modified: trunk/Tools/ChangeLog (244710 => 244711)
--- trunk/Tools/ChangeLog 2019-04-26 23:22:35 UTC (rev 244710)
+++ trunk/Tools/ChangeLog 2019-04-26 23:32:35 UTC (rev 244711)
@@ -1,3 +1,15 @@
+2019-04-25 Yusuke Suzuki <[email protected]>
+
+ [JSC] linkPolymorphicCall now does GC
+ https://bugs.webkit.org/show_bug.cgi?id=197306
+
+ Reviewed by Saam Barati.
+
+ The test is sensitive to allocations and even adding $vm makes it non-reproducible.
+ To add this test, we add `runWithoutBaseOption`.
+
+ * Scripts/run-jsc-stress-tests:
+
2019-04-26 Alexey Proskuryakov <[email protected]>
Update inactive reviewers' status to 'contributor'.
Modified: trunk/Tools/Scripts/run-jsc-stress-tests (244710 => 244711)
--- trunk/Tools/Scripts/run-jsc-stress-tests 2019-04-26 23:22:35 UTC (rev 244710)
+++ trunk/Tools/Scripts/run-jsc-stress-tests 2019-04-26 23:32:35 UTC (rev 244711)
@@ -616,10 +616,18 @@
addRunCommand(kind, [pathToVM.to_s] + BASE_OPTIONS + $testSpecificRequiredOptions + options + [$benchmark.to_s], outputHandler, simpleErrorHandler)
end
+def runWithOutputHandlerWithoutBaseOption(kind, outputHandler, *options)
+ addRunCommand(kind, [pathToVM.to_s] + $testSpecificRequiredOptions + options + [$benchmark.to_s], outputHandler, simpleErrorHandler)
+end
+
def run(kind, *options)
runWithOutputHandler(kind, silentOutputHandler, *options)
end
+def runWithoutBaseOption(kind, *options)
+ runWithOutputHandlerWithoutBaseOption(kind, silentOutputHandler, *options)
+end
+
def runNoFTL(*optionalTestSpecificOptions)
run("no-ftl", *optionalTestSpecificOptions)
end
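Review bot: `runWithOutputHandlerWithoutBaseOption` duplicates `runWithOutputHandler` except for `BASE_OPTIONS`; one helper taking the base-option list (or a flag) as a parameter would keep the two from drifting the next time `BASE_OPTIONS` or `$testSpecificRequiredOptions` changes. Callers of `runWithoutBaseOption` also drop everything in `BASE_OPTIONS`, not only the `$vm` helper the Tools ChangeLog mentions, which is why the new test has to spell its JIT and GC options out itself; a short comment above the helper stating that trade-off, and that it is meant for allocation-sensitive reproducers only, would help the next person who reaches for it.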