[webkit-changes] [264330] trunk

[sbarati]

Title: [264330] trunk

Revision

264330

Author

sbar...@apple.com

Date

2020-07-13 20:53:27 -0700 (Mon, 13 Jul 2020)

Log Message

returnEarlyFromInfiniteLoopsForFuzzing and validateDoesGC may fail when used together in the FTL
https://bugs.webkit.org/show_bug.cgi?id=214289
<rdar://problem/65272138>

Reviewed by Keith Miller.

JSTests:

* stress/validate-does-gc-with-return-early-from-infinite-loop.js: Added.

Source/_javascript_Core:

Because the patchpoint we use for returnEarlyFromInfiniteLoopsForFuzzing doesn't
read or write any heap ranges, B3 move memory ops around it. In particular, it
might move the validate DoesGC store above it. In the FTL, we should make returnEarlyFromInfiniteLoopsForFuzzing
mimic what Return does for validating DoesGC.

* dfg/DFGDoesGC.cpp:
(JSC::DFG::doesGC):
* ftl/FTLLowerDFGToB3.cpp:
(JSC::FTL::DFG::LowerDFGToB3::compileLoopHint):

Modified Paths

• trunk/JSTests/ChangeLog
• trunk/Source/_javascript_Core/ChangeLog
• trunk/Source/_javascript_Core/ftl/FTLLowerDFGToB3.cpp

Added Paths

• trunk/JSTests/stress/validate-does-gc-with-return-early-from-infinite-loop.js

Diff

Modified: trunk/JSTests/ChangeLog (264329 => 264330)

--- trunk/JSTests/ChangeLog	2020-07-14 03:44:08 UTC (rev 264329)
+++ trunk/JSTests/ChangeLog	2020-07-14 03:53:27 UTC (rev 264330)
@@ -1,3 +1,13 @@
+2020-07-13  Saam Barati  <sbar...@apple.com>
+
+        returnEarlyFromInfiniteLoopsForFuzzing and validateDoesGC may fail when used together in the FTL
+        https://bugs.webkit.org/show_bug.cgi?id=214289
+        <rdar://problem/65272138>
+
+        Reviewed by Keith Miller.
+
+        * stress/validate-does-gc-with-return-early-from-infinite-loop.js: Added.
+
 2020-07-13  Yusuke Suzuki  <ysuz...@apple.com>
 
         [JSC] IntlLocale::initializeLocale should have scope.release

Added: trunk/JSTests/stress/validate-does-gc-with-return-early-from-infinite-loop.js (0 => 264330)

--- trunk/JSTests/stress/validate-does-gc-with-return-early-from-infinite-loop.js	                        (rev 0)
+++ trunk/JSTests/stress/validate-does-gc-with-return-early-from-infinite-loop.js	2020-07-14 03:53:27 UTC (rev 264330)
@@ -0,0 +1,4 @@
+//@ skip if $architecture != "arm64" and $architecture != "x86-64"
+//@ runDefault("--returnEarlyFromInfiniteLoopsForFuzzing=true", "--earlyReturnFromInfiniteLoopsLimit=1000000", "--useConcurrentJIT=false", "--validateDoesGC=true")
+
+while(1){} while(1){}

Modified: trunk/Source/_javascript_Core/ChangeLog (264329 => 264330)

--- trunk/Source/_javascript_Core/ChangeLog	2020-07-14 03:44:08 UTC (rev 264329)
+++ trunk/Source/_javascript_Core/ChangeLog	2020-07-14 03:53:27 UTC (rev 264330)
@@ -1,3 +1,21 @@
+2020-07-13  Saam Barati  <sbar...@apple.com>
+
+        returnEarlyFromInfiniteLoopsForFuzzing and validateDoesGC may fail when used together in the FTL
+        https://bugs.webkit.org/show_bug.cgi?id=214289
+        <rdar://problem/65272138>
+
+        Reviewed by Keith Miller.
+
+        Because the patchpoint we use for returnEarlyFromInfiniteLoopsForFuzzing doesn't
+        read or write any heap ranges, B3 move memory ops around it. In particular, it
+        might move the validate DoesGC store above it. In the FTL, we should make returnEarlyFromInfiniteLoopsForFuzzing
+        mimic what Return does for validating DoesGC.
+
+        * dfg/DFGDoesGC.cpp:
+        (JSC::DFG::doesGC):
+        * ftl/FTLLowerDFGToB3.cpp:
+        (JSC::FTL::DFG::LowerDFGToB3::compileLoopHint):
+
 2020-07-13  Yusuke Suzuki  <ysuz...@apple.com>
 
         [JSC] IntlLocale::initializeLocale should have scope.release

Modified: trunk/Source/_javascript_Core/ftl/FTLLowerDFGToB3.cpp (264329 => 264330)

--- trunk/Source/_javascript_Core/ftl/FTLLowerDFGToB3.cpp	2020-07-14 03:44:08 UTC (rev 264329)
+++ trunk/Source/_javascript_Core/ftl/FTLLowerDFGToB3.cpp	2020-07-14 03:53:27 UTC (rev 264330)
@@ -14712,13 +14712,14 @@
 
         BytecodeIndex bytecodeIndex = m_node->origin.semantic.bytecodeIndex();
         const Instruction* instruction = baselineCodeBlock->instructions().at(bytecodeIndex.offset()).ptr();
-        uint64_t* ptr = vm().getLoopHintExecutionCounter(instruction);
+        VM* vm = &this->vm();
+        uint64_t* ptr = vm->getLoopHintExecutionCounter(instruction);
 
         PatchpointValue* patchpoint = m_out.patchpoint(Void);
         patchpoint->effects = Effects::none();
         patchpoint->effects.exitsSideways = true;
         patchpoint->effects.writesLocalState = true;
-        patchpoint->setGenerator([ptr] (CCallHelpers& jit, const StackmapGenerationParams& params) {
+        patchpoint->setGenerator([=] (CCallHelpers& jit, const StackmapGenerationParams& params) {
             auto restore = [&] {
                 jit.popToRestore(GPRInfo::regT2);
                 jit.popToRestore(GPRInfo::regT1);
@@ -14734,6 +14735,13 @@
             jit.load64(CCallHelpers::Address(GPRInfo::regT0), GPRInfo::regT1);
             auto skipEarlyReturn = jit.branch64(CCallHelpers::Below, GPRInfo::regT1, GPRInfo::regT2);
 
+            if constexpr (validateDFGDoesGC) {
+                if (Options::validateDoesGC()) {
+                    // We need to mock what a Return does: claims to GC.
+                    jit.move(CCallHelpers::TrustedImmPtr(vm->heap.addressOfDoesGC()), GPRInfo::regT0);
+                    jit.store32(CCallHelpers::TrustedImm32(DoesGCCheck::encode(true, DoesGCCheck::Special::Uninitialized)), CCallHelpers::Address(GPRInfo::regT0));
+                }
+            }
             restore();
             jit.move(CCallHelpers::TrustedImm64(JSValue::encode(jsUndefined())), GPRInfo::returnValueGPR);
             params.code().emitEpilogue(jit); 

_______________________________________________
webkit-changes mailing list
webkit-changes@lists.webkit.org
https://lists.webkit.org/mailman/listinfo/webkit-changes