Title: [283567] trunk
Revision
283567
Author
[email protected]
Date
2021-10-05 12:20:28 -0700 (Tue, 05 Oct 2021)

Log Message

CodeBlock should not add/remove LoopHintExecutionCounters.
https://bugs.webkit.org/show_bug.cgi?id=231209
rdar://83571235

Reviewed by Saam Barati.

JSTests:

* stress/codeBlock-should-not-add-remove-loop-hint-execution-counters-due-to-cached-unlinked-baseline-code.js: Added.

Source/_javascript_Core:

This is because cached unlinked baseline JIT code would retain a pointer to those
counters (the counters are keyed by pointers into the UnlinkedCodeBlock's instruction
stream, which outlives any single CodeBlock). Hence, the UnlinkedCodeBlock should do the
add/remove of the counters instead.

* bytecode/CodeBlock.cpp:
(JSC::CodeBlock::finishCreation):
(JSC::CodeBlock::~CodeBlock):
* bytecode/UnlinkedCodeBlock.cpp:
(JSC::UnlinkedCodeBlock::initializeLoopHintExecutionCounter):
(JSC::UnlinkedCodeBlock::~UnlinkedCodeBlock):
* bytecode/UnlinkedCodeBlock.h:
* bytecode/UnlinkedCodeBlockGenerator.cpp:
(JSC::UnlinkedCodeBlockGenerator::finalize):

Diff

Modified: trunk/JSTests/ChangeLog (283566 => 283567)


--- trunk/JSTests/ChangeLog	2021-10-05 19:12:27 UTC (rev 283566)
+++ trunk/JSTests/ChangeLog	2021-10-05 19:20:28 UTC (rev 283567)
@@ -1,3 +1,13 @@
+2021-10-05  Mark Lam  <[email protected]>
+
+        CodeBlock should not add/remove LoopHintExecutionCounters.
+        https://bugs.webkit.org/show_bug.cgi?id=231209
+        rdar://83571235
+
+        Reviewed by Saam Barati.
+
+        * stress/codeBlock-should-not-add-remove-loop-hint-execution-counters-due-to-cached-unlinked-baseline-code.js: Added.
+
 2021-10-05  Yusuke Suzuki  <[email protected]>
 
         [JSC] JSPropertyNameEnumerator should not have cached prototype chain since empty JSPropertyNameEnumerator is shared

Added: trunk/JSTests/stress/codeBlock-should-not-add-remove-loop-hint-execution-counters-due-to-cached-unlinked-baseline-code.js (0 => 283567)


--- trunk/JSTests/stress/codeBlock-should-not-add-remove-loop-hint-execution-counters-due-to-cached-unlinked-baseline-code.js	                        (rev 0)
+++ trunk/JSTests/stress/codeBlock-should-not-add-remove-loop-hint-execution-counters-due-to-cached-unlinked-baseline-code.js	2021-10-05 19:20:28 UTC (rev 283567)
@@ -0,0 +1,10 @@
+//@ runDefault("--returnEarlyFromInfiniteLoopsForFuzzing=true", "--forceCodeBlockToJettisonDueToOldAge=true", "--collectContinuously=true")
+
+async function foo() {
+    for (let i = 0; i < 1000; i++);
+}
+
+for (let i = 0; i < 1000; i++) {
+   foo();
+   edenGC();
+}
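Review bot: The test carries no comment saying what it reproduces or what a failure looks like, so a future reader has only the filename and the three options on the first line to go on. A one-line header such as `// This test should not crash (regression test for https://bugs.webkit.org/show_bug.cgi?id=231209).` would make the expected outcome explicit. Since the failure presumably depends on the collector actually destroying a CodeBlock while the UnlinkedCodeBlock's cached baseline code is still reachable, it may also be worth a short note that `edenGC()` together with `--forceCodeBlockToJettisonDueToOldAge` is what drives that, if that is indeed the intent.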

Modified: trunk/Source/_javascript_Core/ChangeLog (283566 => 283567)


--- trunk/Source/_javascript_Core/ChangeLog	2021-10-05 19:12:27 UTC (rev 283566)
+++ trunk/Source/_javascript_Core/ChangeLog	2021-10-05 19:20:28 UTC (rev 283567)
@@ -1,3 +1,25 @@
+2021-10-05  Mark Lam  <[email protected]>
+
+        CodeBlock should not add/remove LoopHintExecutionCounters.
+        https://bugs.webkit.org/show_bug.cgi?id=231209
+        rdar://83571235
+
+        Reviewed by Saam Barati.
+
+        This is because cached unlinked baseline JIT code would retain a pointer to those
+        counters.  Hence, the UnlinkedCodeBlock should do the add /remove of the counters
+        instead.
+
+        * bytecode/CodeBlock.cpp:
+        (JSC::CodeBlock::finishCreation):
+        (JSC::CodeBlock::~CodeBlock):
+        * bytecode/UnlinkedCodeBlock.cpp:
+        (JSC::UnlinkedCodeBlock::initializeLoopHintExecutionCounter):
+        (JSC::UnlinkedCodeBlock::~UnlinkedCodeBlock):
+        * bytecode/UnlinkedCodeBlock.h:
+        * bytecode/UnlinkedCodeBlockGenerator.cpp:
+        (JSC::UnlinkedCodeBlockGenerator::finalize):
+
 2021-10-05  Kate Cheney  <[email protected]>
 
         CSP: unsafe-eval tests timing out or failing

Modified: trunk/Source/_javascript_Core/bytecode/CodeBlock.cpp (283566 => 283567)


--- trunk/Source/_javascript_Core/bytecode/CodeBlock.cpp	2021-10-05 19:12:27 UTC (rev 283566)
+++ trunk/Source/_javascript_Core/bytecode/CodeBlock.cpp	2021-10-05 19:20:28 UTC (rev 283567)
@@ -722,12 +722,6 @@
             break;
         }
 
-        case op_loop_hint: {
-            if (UNLIKELY(Options::returnEarlyFromInfiniteLoopsForFuzzing()))
-                vm.addLoopHintExecutionCounter(instruction.ptr());
-            break;
-        }
-        
         default:
             break;
         }
@@ -850,13 +844,6 @@
     // So, we can access member UnlinkedCodeBlock safely here. We bypass the assertion by using unvalidatedGet.
     UnlinkedCodeBlock* unlinkedCodeBlock = m_unlinkedCode.unvalidatedGet();
 
-    if (UNLIKELY(Options::returnEarlyFromInfiniteLoopsForFuzzing() && JITCode::isBaselineCode(jitType()))) {
-        for (const auto& instruction : unlinkedCodeBlock->instructions()) {
-            if (instruction->is<OpLoopHint>())
-                vm.removeLoopHintExecutionCounter(instruction.ptr());
-        }
-    }
-
     if (JITCode::isBaselineCode(jitType())) {
         if (m_metadata) {
             m_metadata->forEach<OpCatch>([&](auto& metadata) {

Modified: trunk/Source/_javascript_Core/bytecode/UnlinkedCodeBlock.cpp (283566 => 283567)


--- trunk/Source/_javascript_Core/bytecode/UnlinkedCodeBlock.cpp	2021-10-05 19:12:27 UTC (rev 283566)
+++ trunk/Source/_javascript_Core/bytecode/UnlinkedCodeBlock.cpp	2021-10-05 19:20:28 UTC (rev 283567)
@@ -83,6 +83,16 @@
     m_llintExecuteCounter.setNewThreshold(thresholdForJIT(Options::thresholdForJITAfterWarmUp()));
 }
 
+void UnlinkedCodeBlock::initializeLoopHintExecutionCounter()
+{
+    ASSERT(Options::returnEarlyFromInfiniteLoopsForFuzzing());
+    VM& vm = this->vm();
+    for (const auto& instruction : instructions()) {
+        if (instruction->is<OpLoopHint>())
+            vm.addLoopHintExecutionCounter(instruction.ptr());
+    }
+}
+
 template<typename Visitor>
 void UnlinkedCodeBlock::visitChildrenImpl(JSCell* cell, Visitor& visitor)
 {
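Review bot: `initializeLoopHintExecutionCounter` has no comment explaining why the counters are now registered on the UnlinkedCodeBlock rather than the CodeBlock; that reasoning lives only in the ChangeLog. A short comment above the definition, e.g. `// Counters are keyed by pointers into this UnlinkedCodeBlock's instruction stream; cached baseline JIT code can keep those pointers past any single CodeBlock's lifetime, so they are added here and removed in ~UnlinkedCodeBlock().`, would keep the invariant next to the code. It would also help to state that this must run exactly once per UnlinkedCodeBlock, because the destructor removes the counters unconditionally whenever the option is on.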
@@ -273,6 +283,13 @@
 
 UnlinkedCodeBlock::~UnlinkedCodeBlock()
 {
+    if (UNLIKELY(Options::returnEarlyFromInfiniteLoopsForFuzzing())) {
+        VM& vm = this->vm();
+        for (const auto& instruction : instructions()) {
+            if (instruction->is<OpLoopHint>())
+                vm.removeLoopHintExecutionCounter(instruction.ptr());
+        }
+    }
 }
 
 const InstructionStream& UnlinkedCodeBlock::instructions() const
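Review bot: The destructor removes a counter for every OpLoopHint whenever the fuzzing option is on, but the matching add happens only in `initializeLoopHintExecutionCounter`, which this patch calls from `UnlinkedCodeBlockGenerator::finalize`. If an UnlinkedCodeBlock can come into existence by any other path (decoding from the bytecode cache comes to mind, though that code is not visible here), or if the generator's call site turns out to be conditional, `removeLoopHintExecutionCounter` would be invoked for keys that were never added. Confirming that `VM::removeLoopHintExecutionCounter` tolerates an absent key, or adding an `ASSERT` there, would make any mismatch fail loudly in debug builds rather than silently. Note also that `instructions()` is dereferenced during destruction; presumably `m_instructions` is always non-null by then, but its accessor body lies outside the hunk, so that is worth a glance.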

Modified: trunk/Source/_javascript_Core/bytecode/UnlinkedCodeBlock.h (283566 => 283567)


--- trunk/Source/_javascript_Core/bytecode/UnlinkedCodeBlock.h	2021-10-05 19:12:27 UTC (rev 283566)
+++ trunk/Source/_javascript_Core/bytecode/UnlinkedCodeBlock.h	2021-10-05 19:20:28 UTC (rev 283567)
@@ -141,6 +141,8 @@
 
     enum { CallFunction, ApplyFunction };
 
+    void initializeLoopHintExecutionCounter();
+
     bool isConstructor() const { return m_isConstructor; }
     bool usesCallEval() const { return m_usesCallEval; }
     void setUsesCallEval() { m_usesCallEval = true; }

Modified: trunk/Source/_javascript_Core/bytecode/UnlinkedCodeBlockGenerator.cpp (283566 => 283567)


--- trunk/Source/_javascript_Core/bytecode/UnlinkedCodeBlockGenerator.cpp	2021-10-05 19:12:27 UTC (rev 283566)
+++ trunk/Source/_javascript_Core/bytecode/UnlinkedCodeBlockGenerator.cpp	2021-10-05 19:20:28 UTC (rev 283567)
@@ -152,6 +152,9 @@
             m_codeBlock->m_rareData->m_bitVectors = WTFMove(m_bitVectors);
             m_codeBlock->m_rareData->m_constantIdentifierSets = WTFMove(m_constantIdentifierSets);
         }
+
+        if (UNLIKELY(Options::returnEarlyFromInfiniteLoopsForFuzzing()))
+            m_codeBlock->initializeLoopHintExecutionCounter();
     }
     m_vm.heap.writeBarrier(m_codeBlock.get());
     m_vm.heap.reportExtraMemoryAllocated(m_codeBlock->m_instructions->sizeInBytes() + m_codeBlock->m_metadata->sizeInBytes());
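Review bot: The new call depends on `m_codeBlock->m_instructions` already being populated, because `initializeLoopHintExecutionCounter` walks `instructions()`; line 211 reads `m_instructions` too, so that is presumably the case, but the assignment itself is outside the hunk. The block that closes at line 209 also opens before the hunk: if that block is conditional, the unconditional removal in `~UnlinkedCodeBlock` would not be paired with an add. A one-line comment would record the pairing, e.g. `// Paired with the removal in ~UnlinkedCodeBlock(); must run exactly once per UnlinkedCodeBlock.`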