[webkit-changes] [271592] trunk

[ysuzuki]

Title: [271592] trunk

Revision

271592

Author

ysuz...@apple.com

Date

2021-01-18 16:07:56 -0800 (Mon, 18 Jan 2021)

Log Message

[JSC] earlyReturnFromInfiniteLoopsLimit should check all caller functions when emitting
https://bugs.webkit.org/show_bug.cgi?id=220700
<rdar://problem/71229150>

Reviewed by Mark Lam.

JSTests:

* stress/early-return-from-builtin.js: Added.
(let.o.get value):
(let.iter.Symbol.iterator):
* stress/early-return-from-builtin2.js: Added.
(foo):

Source/_javascript_Core:

earlyReturnFromInfiniteLoopsLimit does not return when the function is builtin. But this does not consider about the case that
the caller is inlining and the caller is builtin. Since this returns from entire DFG / FTL functions, we should check any of
callers are not builtin functions too.

* dfg/DFGSpeculativeJIT64.cpp:
(JSC::DFG::SpeculativeJIT::compile):
* ftl/FTLLowerDFGToB3.cpp:
(JSC::FTL::DFG::LowerDFGToB3::compileLoopHint):

Modified Paths

• trunk/JSTests/ChangeLog
• trunk/Source/_javascript_Core/ChangeLog
• trunk/Source/_javascript_Core/dfg/DFGSpeculativeJIT64.cpp
• trunk/Source/_javascript_Core/ftl/FTLLowerDFGToB3.cpp

Added Paths

• trunk/JSTests/stress/early-return-from-builtin.js
• trunk/JSTests/stress/early-return-from-builtin2.js

Diff

Modified: trunk/JSTests/ChangeLog (271591 => 271592)

--- trunk/JSTests/ChangeLog	2021-01-19 00:06:24 UTC (rev 271591)
+++ trunk/JSTests/ChangeLog	2021-01-19 00:07:56 UTC (rev 271592)
@@ -1,5 +1,19 @@
 2021-01-18  Yusuke Suzuki  <ysuz...@apple.com>
 
+        [JSC] earlyReturnFromInfiniteLoopsLimit should check all caller functions when emitting
+        https://bugs.webkit.org/show_bug.cgi?id=220700
+        <rdar://problem/71229150>
+
+        Reviewed by Mark Lam.
+
+        * stress/early-return-from-builtin.js: Added.
+        (let.o.get value):
+        (let.iter.Symbol.iterator):
+        * stress/early-return-from-builtin2.js: Added.
+        (foo):
+
+2021-01-18  Yusuke Suzuki  <ysuz...@apple.com>
+
         [JSC] Add another tests for r271571 part 2
         https://bugs.webkit.org/show_bug.cgi?id=220702
         <rdar://problem/71365255>

Added: trunk/JSTests/stress/early-return-from-builtin.js (0 => 271592)

--- trunk/JSTests/stress/early-return-from-builtin.js	                        (rev 0)
+++ trunk/JSTests/stress/early-return-from-builtin.js	2021-01-19 00:07:56 UTC (rev 271592)
@@ -0,0 +1,21 @@
+//@ skip if $architecture != "arm64" and $architecture != "x86-64"
+//@ runDefault("--earlyReturnFromInfiniteLoopsLimit=10", "--returnEarlyFromInfiniteLoopsForFuzzing=1", "--watchdog=1000", "--watchdog-exception-ok")
+
+let o = {
+  get value() {
+    for (let i=0; i<1; i++) {}
+  }
+};
+
+
+let iter = {
+  [Symbol.iterator]() {
+    return {
+      next() {
+        return o;
+      }
+    }
+  }
+};
+
+[...iter];

Added: trunk/JSTests/stress/early-return-from-builtin2.js (0 => 271592)

--- trunk/JSTests/stress/early-return-from-builtin2.js	                        (rev 0)
+++ trunk/JSTests/stress/early-return-from-builtin2.js	2021-01-19 00:07:56 UTC (rev 271592)
@@ -0,0 +1,11 @@
+//@ skip if $architecture != "arm64" and $architecture != "x86-64"
+//@ runDefault("--returnEarlyFromInfiniteLoopsForFuzzing=1", "--earlyReturnFromInfiniteLoopsLimit=1000", "--jitPolicyScale=0", "--maximumFunctionForCallInlineCandidateBytecodeCost=1000", "--useConcurrentJIT=0", "--useFTLJIT=0")
+const a = [null, 0, 0, 0, 0, 0, 0];
+
+function foo() {
+  for (let i=0; i<10; i++) {}
+}
+
+for (let i=0; i<10000; i++) {
+  a.sort(foo);
+}

Modified: trunk/Source/_javascript_Core/ChangeLog (271591 => 271592)

--- trunk/Source/_javascript_Core/ChangeLog	2021-01-19 00:06:24 UTC (rev 271591)
+++ trunk/Source/_javascript_Core/ChangeLog	2021-01-19 00:07:56 UTC (rev 271592)
@@ -1,3 +1,20 @@
+2021-01-18  Yusuke Suzuki  <ysuz...@apple.com>
+
+        [JSC] earlyReturnFromInfiniteLoopsLimit should check all caller functions when emitting
+        https://bugs.webkit.org/show_bug.cgi?id=220700
+        <rdar://problem/71229150>
+
+        Reviewed by Mark Lam.
+
+        earlyReturnFromInfiniteLoopsLimit does not return when the function is builtin. But this does not consider about the case that
+        the caller is inlining and the caller is builtin. Since this returns from entire DFG / FTL functions, we should check any of
+        callers are not builtin functions too.
+
+        * dfg/DFGSpeculativeJIT64.cpp:
+        (JSC::DFG::SpeculativeJIT::compile):
+        * ftl/FTLLowerDFGToB3.cpp:
+        (JSC::FTL::DFG::LowerDFGToB3::compileLoopHint):
+
 2021-01-18  Mark Lam  <mark....@apple.com>
 
         [AppleWin 32bit] LLInt C Loop: LowLevelInterpreter.cpp(90,7): error C2653: 'WebConfig': is not a class or namespace name

Modified: trunk/Source/_javascript_Core/dfg/DFGSpeculativeJIT64.cpp (271591 => 271592)

--- trunk/Source/_javascript_Core/dfg/DFGSpeculativeJIT64.cpp	2021-01-19 00:06:24 UTC (rev 271591)
+++ trunk/Source/_javascript_Core/dfg/DFGSpeculativeJIT64.cpp	2021-01-19 00:07:56 UTC (rev 271592)
@@ -5071,8 +5071,14 @@
 
     case LoopHint:
         if (UNLIKELY(Options::returnEarlyFromInfiniteLoopsForFuzzing())) {
-            CodeBlock* baselineCodeBlock = m_jit.graph().baselineCodeBlockFor(node->origin.semantic);
-            if (baselineCodeBlock->loopHintsAreEligibleForFuzzingEarlyReturn()) {
+            bool emitEarlyReturn = true;
+            node->origin.semantic.walkUpInlineStack([&](CodeOrigin origin) {
+                CodeBlock* baselineCodeBlock = m_jit.graph().baselineCodeBlockFor(origin);
+                if (!baselineCodeBlock->loopHintsAreEligibleForFuzzingEarlyReturn())
+                    emitEarlyReturn = false;
+            });
+            if (emitEarlyReturn) {
+                CodeBlock* baselineCodeBlock = m_jit.graph().baselineCodeBlockFor(node->origin.semantic);
                 BytecodeIndex bytecodeIndex = node->origin.semantic.bytecodeIndex();
                 const Instruction* instruction = baselineCodeBlock->instructions().at(bytecodeIndex.offset()).ptr();
 

Modified: trunk/Source/_javascript_Core/ftl/FTLLowerDFGToB3.cpp (271591 => 271592)

--- trunk/Source/_javascript_Core/ftl/FTLLowerDFGToB3.cpp	2021-01-19 00:06:24 UTC (rev 271591)
+++ trunk/Source/_javascript_Core/ftl/FTLLowerDFGToB3.cpp	2021-01-19 00:07:56 UTC (rev 271592)
@@ -15037,10 +15037,16 @@
         if (LIKELY(!Options::returnEarlyFromInfiniteLoopsForFuzzing()))
             return;
 
-        CodeBlock* baselineCodeBlock = m_graph.baselineCodeBlockFor(m_origin.semantic);
-        if (!baselineCodeBlock->loopHintsAreEligibleForFuzzingEarlyReturn())
+        bool emitEarlyReturn = true;
+        m_origin.semantic.walkUpInlineStack([&](CodeOrigin origin) {
+            CodeBlock* baselineCodeBlock = m_graph.baselineCodeBlockFor(origin);
+            if (!baselineCodeBlock->loopHintsAreEligibleForFuzzingEarlyReturn())
+                emitEarlyReturn = false;
+        });
+        if (!emitEarlyReturn)
             return;
 
+        CodeBlock* baselineCodeBlock = m_graph.baselineCodeBlockFor(m_origin.semantic);
         BytecodeIndex bytecodeIndex = m_origin.semantic.bytecodeIndex();
         const Instruction* instruction = baselineCodeBlock->instructions().at(bytecodeIndex.offset()).ptr();
         VM* vm = &this->vm();

_______________________________________________
webkit-changes mailing list
webkit-changes@lists.webkit.org
https://lists.webkit.org/mailman/listinfo/webkit-changes