Title: [244865] trunk
- Revision
- 244865
- Author
- [email protected]
- Date
- 2019-05-01 20:10:43 -0700 (Wed, 01 May 2019)
Log Message
Baseline JIT should do argument value profiling after checking for stack overflow
https://bugs.webkit.org/show_bug.cgi?id=197052
<rdar://problem/50009602>
Reviewed by Yusuke Suzuki.
JSTests:
* stress/check-stack-overflow-before-value-profiling-arguments.js: Added.
Source/_javascript_Core:
Otherwise, we may do value profiling without running a write barrier, which
is against the rules of how we do value profiling.
* jit/JIT.cpp:
(JSC::JIT::compileWithoutLinking):
Modified: trunk/JSTests/ChangeLog (244864 => 244865)
--- trunk/JSTests/ChangeLog 2019-05-02 02:40:44 UTC (rev 244864)
+++ trunk/JSTests/ChangeLog 2019-05-02 03:10:43 UTC (rev 244865)
@@ -1,3 +1,13 @@
+2019-05-01 Saam barati <[email protected]>
+
+ Baseline JIT should do argument value profiling after checking for stack overflow
+ https://bugs.webkit.org/show_bug.cgi?id=197052
+ <rdar://problem/50009602>
+
+ Reviewed by Yusuke Suzuki.
+
+ * stress/check-stack-overflow-before-value-profiling-arguments.js: Added.
+
2019-05-01 Yusuke Suzuki <[email protected]>
[JSC] Inlining Getter/Setter should care availability of ad-hocly constructed frame
Added: trunk/JSTests/stress/check-stack-overflow-before-value-profiling-arguments.js (0 => 244865)
--- trunk/JSTests/stress/check-stack-overflow-before-value-profiling-arguments.js (rev 0)
+++ trunk/JSTests/stress/check-stack-overflow-before-value-profiling-arguments.js 2019-05-02 03:10:43 UTC (rev 244865)
@@ -0,0 +1,41 @@
+//@ runDefault("--useConcurrentJIT=0", "--thresholdForJITAfterWarmUp=10", "--slowPathAllocsBetweenGCs=10", "--useConcurrentGC=0")
+
+function fullGC() {
+ for (var i = 0; i < 10; i++) {
+ new Float64Array(0x1000000);
+ }
+}
+
+function outer() {
+ function f() {
+ try {
+ const r = f();
+ } catch(e) {
+ const o = Object();
+ function inner(a1, a2, a3) {
+ try {
+ const r1 = new Uint32Array();
+ const r2 = r1.values();
+ } catch(e2) {
+ }
+ }
+ const result = inner();
+ }
+ }
+
+ f();
+
+ function edenGC() {
+ for (let i = 0; i < 100; i++) {
+ const floatArray = new Float64Array(0x10000);
+ }
+ }
+ edenGC();
+}
+
+for (let i = 0; i < 100; i++) {
+ const result = outer();
+}
+
+fullGC();
+
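Review bot: The new test never states what it exercises, so the `//@ runDefault` flags, the unbounded recursion in `f()` and the two GC helpers read as arbitrary to the next person who has to triage a failure. A one-paragraph header comment under the `//@` line would fix that, e.g. `// Regression test for https://bugs.webkit.org/show_bug.cgi?id=197052: the baseline JIT must check for stack overflow before profiling argument values. f() recurses until the stack overflows; the catch block then calls inner() so its JIT prologue runs with the stack nearly exhausted, while the GC flags keep collections frequent.` The wording about why frequent GCs matter is inferred from the ChangeLog text and the flags, so confirm it against the fix before committing the comment.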
Modified: trunk/Source/_javascript_Core/ChangeLog (244864 => 244865)
--- trunk/Source/_javascript_Core/ChangeLog 2019-05-02 02:40:44 UTC (rev 244864)
+++ trunk/Source/_javascript_Core/ChangeLog 2019-05-02 03:10:43 UTC (rev 244865)
@@ -1,3 +1,17 @@
+2019-05-01 Saam barati <[email protected]>
+
+ Baseline JIT should do argument value profiling after checking for stack overflow
+ https://bugs.webkit.org/show_bug.cgi?id=197052
+ <rdar://problem/50009602>
+
+ Reviewed by Yusuke Suzuki.
+
+ Otherwise, we may do value profiling without running a write barrier, which
+ is against the rules of how we do value profiling.
+
+ * jit/JIT.cpp:
+ (JSC::JIT::compileWithoutLinking):
+
2019-05-01 Yusuke Suzuki <[email protected]>
[JSC] Inlining Getter/Setter should care availability of ad-hocly constructed frame
Modified: trunk/Source/_javascript_Core/jit/JIT.cpp (244864 => 244865)
--- trunk/Source/_javascript_Core/jit/JIT.cpp 2019-05-02 02:40:44 UTC (rev 244864)
+++ trunk/Source/_javascript_Core/jit/JIT.cpp 2019-05-02 03:10:43 UTC (rev 244865)
@@ -681,6 +681,22 @@
sampleInstruction(m_codeBlock->instructions().begin());
#endif
+ int frameTopOffset = stackPointerOffsetFor(m_codeBlock) * sizeof(Register);
+ unsigned maxFrameSize = -frameTopOffset;
+ addPtr(TrustedImm32(frameTopOffset), callFrameRegister, regT1);
+ JumpList stackOverflow;
+ if (UNLIKELY(maxFrameSize > Options::reservedZoneSize()))
+ stackOverflow.append(branchPtr(Above, regT1, callFrameRegister));
+ stackOverflow.append(branchPtr(Above, AbsoluteAddress(m_vm->addressOfSoftStackLimit()), regT1));
+
+ move(regT1, stackPointerRegister);
+ checkStackPointerAlignment();
+ if (Options::zeroStackFrame())
+ clearStackFrame(callFrameRegister, stackPointerRegister, regT0, maxFrameSize);
+
+ emitSaveCalleeSaves();
+ emitMaterializeTagCheckRegisters();
+
if (m_codeBlock->codeType() == FunctionCode) {
ASSERT(m_bytecodeOffset == std::numeric_limits<unsigned>::max());
if (shouldEmitProfiling()) {
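Review bot: The moved stack-overflow check at the top of the hunk now carries an ordering constraint that only the ChangeLog explains; nothing in the code says it must stay ahead of the `if (m_codeBlock->codeType() == FunctionCode)` profiling block, so a later cleanup could swap them back. A comment above `int frameTopOffset = stackPointerOffsetFor(m_codeBlock) * sizeof(Register);` would pin it, e.g. `// Must precede the argument value profiling below: profiling a value and then bailing out on stack overflow before the write barrier runs breaks the value-profiling rules (https://bugs.webkit.org/show_bug.cgi?id=197052).` The lines themselves are identical to the ones deleted in the second hunk, so only their position changed. Where `stackOverflow` is later linked lies outside this hunk, as do both ends of JSC::JIT::compileWithoutLinking.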
@@ -700,22 +716,6 @@
}
}
}
-
- int frameTopOffset = stackPointerOffsetFor(m_codeBlock) * sizeof(Register);
- unsigned maxFrameSize = -frameTopOffset;
- addPtr(TrustedImm32(frameTopOffset), callFrameRegister, regT1);
- JumpList stackOverflow;
- if (UNLIKELY(maxFrameSize > Options::reservedZoneSize()))
- stackOverflow.append(branchPtr(Above, regT1, callFrameRegister));
- stackOverflow.append(branchPtr(Above, AbsoluteAddress(m_vm->addressOfSoftStackLimit()), regT1));
-
- move(regT1, stackPointerRegister);
- checkStackPointerAlignment();
- if (Options::zeroStackFrame())
- clearStackFrame(callFrameRegister, stackPointerRegister, regT0, maxFrameSize);
-
- emitSaveCalleeSaves();
- emitMaterializeTagCheckRegisters();
RELEASE_ASSERT(!JITCode::isJIT(m_codeBlock->jitType()));