Title: [262064] trunk
Revision
262064
Author
[email protected]
Date
2020-05-22 11:01:21 -0700 (Fri, 22 May 2020)

Log Message

Checkpoint inlined call return handler needs an exception check when dispatching
https://bugs.webkit.org/show_bug.cgi?id=212104

Reviewed by Yusuke Suzuki.

JSTests:

* stress/for-of-done-getter-osr-exits-inlined-to-value-getter-with-exception.js: Added.
(let.d.get done):
(let.d.get value):
(foo):
(catch):

Source/_javascript_Core:

* llint/LLIntSlowPaths.cpp:
(JSC::LLInt::dispatchToNextInstruction):
(JSC::LLInt::slow_path_checkpoint_osr_exit_from_inlined_call):
(JSC::LLInt::slow_path_checkpoint_osr_exit):

Diff

Modified: trunk/JSTests/ChangeLog (262063 => 262064)


--- trunk/JSTests/ChangeLog	2020-05-22 17:35:43 UTC (rev 262063)
+++ trunk/JSTests/ChangeLog	2020-05-22 18:01:21 UTC (rev 262064)
@@ -1,3 +1,16 @@
+2020-05-22  Keith Miller  <[email protected]>
+
+        Checkpoint inlined call return handler needs an exception check when dispatching
+        https://bugs.webkit.org/show_bug.cgi?id=212104
+
+        Reviewed by Yusuke Suzuki.
+
+        * stress/for-of-done-getter-osr-exits-inlined-to-value-getter-with-exception.js: Added.
+        (let.d.get done):
+        (let.d.get value):
+        (foo):
+        (catch):
+
 2020-05-21  Alexey Shvayka  <[email protected]>
 
         Use @isUndefinedOrNull instead of abstract equality with null

Added: trunk/JSTests/stress/for-of-done-getter-osr-exits-inlined-to-value-getter-with-exception.js (0 => 262064)


--- trunk/JSTests/stress/for-of-done-getter-osr-exits-inlined-to-value-getter-with-exception.js	                        (rev 0)
+++ trunk/JSTests/stress/for-of-done-getter-osr-exits-inlined-to-value-getter-with-exception.js	2020-05-22 18:01:21 UTC (rev 262064)
@@ -0,0 +1,41 @@
+let i = 10000;
+let e;
+let d = {
+    get done() {
+        let result = !(--i);
+        if (i % 5000 == 0)
+            OSRExit();
+        return result;
+    },
+
+    get value() {
+        if (i % 5000 == 0)
+            throw e = new Error();
+        return i;
+    }
+};
+
+let x = {
+    next: ()=>d
+}
+
+let iter = {};
+iter[Symbol.iterator] = ()=>x;
+
+function foo() {
+    for (let x of iter) {
+        if (x !== --oldI)
+            throw new Error();
+    }
+}
+
+let oldI = i;
+try {
+    foo();
+} catch (error) {
+    if (e !== error)
+        throw error
+}
+
+if (!e)
+    throw new Error();
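Review bot: The loop variable in `for (let x of iter)` inside foo shadows the module-level `x` that holds the iterator-result-returning object, which makes the test harder to read than it needs to be; renaming the loop variable, e.g. `for (let v of iter) { if (v !== --oldI) throw new Error(); }`, keeps the two objects visually distinct. The file also mixes statements with and without trailing semicolons (`let x = {...}` and `throw error` lack them while the rest of the file uses them); adding `;` on those two lines keeps the style uniform. A one-line header comment such as `// The done getter OSR-exits on the same iteration that the value getter throws, so the inlined-call return handler must observe the pending exception when it dispatches.` would tie the test to the bug it covers.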

Modified: trunk/Source/_javascript_Core/ChangeLog (262063 => 262064)


--- trunk/Source/_javascript_Core/ChangeLog	2020-05-22 17:35:43 UTC (rev 262063)
+++ trunk/Source/_javascript_Core/ChangeLog	2020-05-22 18:01:21 UTC (rev 262064)
@@ -1,3 +1,15 @@
+2020-05-22  Keith Miller  <[email protected]>
+
+        Checkpoint inlined call return handler needs an exception check when dispatching
+        https://bugs.webkit.org/show_bug.cgi?id=212104
+
+        Reviewed by Yusuke Suzuki.
+
+        * llint/LLIntSlowPaths.cpp:
+        (JSC::LLInt::dispatchToNextInstruction):
+        (JSC::LLInt::slow_path_checkpoint_osr_exit_from_inlined_call):
+        (JSC::LLInt::slow_path_checkpoint_osr_exit):
+
 2020-05-22  Paulo Matos  <[email protected]>
 
         Fix non-unified builds for i386 build

Modified: trunk/Source/_javascript_Core/llint/LLIntSlowPaths.cpp (262063 => 262064)


--- trunk/Source/_javascript_Core/llint/LLIntSlowPaths.cpp	2020-05-22 17:35:43 UTC (rev 262063)
+++ trunk/Source/_javascript_Core/llint/LLIntSlowPaths.cpp	2020-05-22 18:01:21 UTC (rev 262064)
@@ -2086,9 +2086,11 @@
         valueRegister = iteratorResultObject.get(globalObject, vm.propertyNames->value);
 }
 
-inline SlowPathReturnType dispatchToNextInstruction(CodeBlock* codeBlock, InstructionStream::Ref pc)
+inline SlowPathReturnType dispatchToNextInstruction(ThrowScope& scope, CodeBlock* codeBlock, InstructionStream::Ref pc)
 {
-    RELEASE_ASSERT(!codeBlock->vm().exceptionForInspection());
+    if (scope.exception())
+        return encodeResult(returnToThrow(scope.vm()), nullptr);
+
     if (Options::forceOSRExitToLLInt() || codeBlock->jitType() == JITType::InterpreterThunk) {
         const Instruction* nextPC = pc.next().ptr();
         auto nextBytecode = LLInt::getCodePtr<JSEntryPtrTag>(*pc.next().ptr());
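Review bot: The new exception check at the top of dispatchToNextInstruction drops the `UNLIKELY` annotation that the equivalent check this commit removes from slow_path_checkpoint_osr_exit carried, so the branch layout on the dispatch fast path is now inconsistent with the rest of the file; `if (UNLIKELY(scope.exception()))` keeps it uniform. The reason the check now lives in the shared helper rather than in each caller is not stated in the code, and a short comment above it, such as `// Both checkpoint OSR exit paths may have run user code (e.g. a getter) that threw; never dispatch to the next instruction with a pending exception.`, would keep the next reader from reintroducing the RELEASE_ASSERT. The body of dispatchToNextInstruction continues past the end of this hunk.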
@@ -2110,6 +2112,7 @@
     CodeBlock* codeBlock = callFrame->codeBlock();
     VM& vm = codeBlock->vm();
     SlowPathFrameTracer tracer(vm, callFrame);
+    auto scope = DECLARE_THROW_SCOPE(vm);
 
     std::unique_ptr<CheckpointOSRExitSideState> sideState = vm.findCheckpointOSRSideState(callFrame);
     BytecodeIndex bytecodeIndex = sideState->bytecodeIndex;
@@ -2150,7 +2153,7 @@
         break;
     }
 
-    return dispatchToNextInstruction(codeBlock, pc);
+    return dispatchToNextInstruction(scope, codeBlock, pc);
 }
 
 extern "C" SlowPathReturnType slow_path_checkpoint_osr_exit(CallFrame* callFrame, EncodedJSValue /* needed for cCall2 in CLoop */)
@@ -2194,10 +2197,8 @@
         RELEASE_ASSERT_NOT_REACHED();
         break;
     }
-    if (UNLIKELY(scope.exception()))
-        return encodeResult(returnToThrow(vm), nullptr);
 
-    return dispatchToNextInstruction(codeBlock, pc);
+    return dispatchToNextInstruction(scope, codeBlock, pc);
 }
 
 extern "C" SlowPathReturnType llint_throw_stack_overflow_error(VM* vm, ProtoCallFrame* protoFrame)