Title: [289877] trunk
Revision: 289877
Author: [email protected]
Date: 2022-02-15 22:12:08 -0800 (Tue, 15 Feb 2022)

Log Message

Defer TerminationsExceptions while in operationMaterializeObjectInOSR.
https://bugs.webkit.org/show_bug.cgi?id=236686
rdar://81337114

Reviewed by Saam Barati.

JSTests:

These tests are identical except that they are customized with different watchdog
timeout periods for a Debug / Release build.  This is a necessary condition in
order for the test to manifest this issue if the code is regressed.

* stress/termination-exception-in-operationMaterializeObjectInOSR-debug.js: Added.
* stress/termination-exception-in-operationMaterializeObjectInOSR-release.js: Added.

Source/JavaScriptCore:

operationMaterializeObjectInOSR expects to always succeed.  It is difficult (and
not worth the effort) to make it be able to handle interruptions by the
TerminationException.  Since operationMaterializeObjectInOSR is guaranteed to
finish running in some finite time, it is reasonable to just defer handling a
pending TerminationException until the function returns.

* ftl/FTLOperations.cpp:
(JSC::FTL::JSC_DEFINE_JIT_OPERATION):

Diff

Modified: trunk/JSTests/ChangeLog (289876 => 289877)


--- trunk/JSTests/ChangeLog	2022-02-16 05:27:04 UTC (rev 289876)
+++ trunk/JSTests/ChangeLog	2022-02-16 06:12:08 UTC (rev 289877)
@@ -1,3 +1,18 @@
+2022-02-15  Mark Lam  <[email protected]>
+
+        Defer TerminationsExceptions while in operationMaterializeObjectInOSR.
+        https://bugs.webkit.org/show_bug.cgi?id=236686
+        rdar://81337114
+
+        Reviewed by Saam Barati.
+
+        These tests are identical except that they are customized with different watchdog
+        timeout periods for a Debug / Release build.  This is a necessary condition in
+        order for the test to manifest this issue if the code is regressed.
+
+        * stress/termination-exception-in-operationMaterializeObjectInOSR-debug.js: Added.
+        * stress/termination-exception-in-operationMaterializeObjectInOSR-release.js: Added.
+
 2022-02-15  Xan Lopez  <[email protected]>
 
         [JSC] Reduce iterations for getter-richards.js on MIPS

Added: trunk/JSTests/stress/termination-exception-in-operationMaterializeObjectInOSR-debug.js (0 => 289877)


--- trunk/JSTests/stress/termination-exception-in-operationMaterializeObjectInOSR-debug.js	                        (rev 0)
+++ trunk/JSTests/stress/termination-exception-in-operationMaterializeObjectInOSR-debug.js	2022-02-16 06:12:08 UTC (rev 289877)
@@ -0,0 +1,22 @@
+//@ skip if $buildType == "release"
+//@ runDefault("--watchdog=100", "--watchdog-exception-ok")
+
+function baz(c) {
+  if (c) {
+    $vm.haveABadTime();
+  }
+}
+noInline(baz);
+
+function bar() {}
+
+function foo(c, ...args) {
+  let args2 = [...args];
+  baz(c);
+  bar.apply(undefined, args2);
+}
+
+for (let i = 0; i < 70000; i++) {
+  foo(false, 0);
+}
+foo(true, 0);
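
Review bot: the file carries no comment saying what it exercises or why `--watchdog=100` and the 70000-iteration warm-up loop were chosen, and because `--watchdog-exception-ok` lets the run pass either way, the test only catches a regression when the watchdog timing lines up, as the ChangeLog entry itself notes. A short header comment naming operationMaterializeObjectInOSR and the bug URL, and stating that the timeout is tuned for Debug builds, would tell whoever retunes it later what the test has to hit.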

Added: trunk/JSTests/stress/termination-exception-in-operationMaterializeObjectInOSR-release.js (0 => 289877)


--- trunk/JSTests/stress/termination-exception-in-operationMaterializeObjectInOSR-release.js	                        (rev 0)
+++ trunk/JSTests/stress/termination-exception-in-operationMaterializeObjectInOSR-release.js	2022-02-16 06:12:08 UTC (rev 289877)
@@ -0,0 +1,22 @@
+//@ skip if $buildType == "debug"
+//@ runDefault("--watchdog=4", "--watchdog-exception-ok")
+
+function baz(c) {
+  if (c) {
+    $vm.haveABadTime();
+  }
+}
+noInline(baz);
+
+function bar() {}
+
+function foo(c, ...args) {
+  let args2 = [...args];
+  baz(c);
+  bar.apply(undefined, args2);
+}
+
+for (let i = 0; i < 70000; i++) {
+  foo(false, 0);
+}
+foo(true, 0);
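
Review bot: everything from `function baz(c)` down is an exact copy of the -debug.js test, with only the `skip if` line and `--watchdog=4` differing, so a later change to one file can silently miss the other. Suggest a comment at the top of each file pointing at its sibling and at the reason for the split. A timeout value of 4 also leaves little margin across machines, so it would help to record what configuration it was tuned on.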

Modified: trunk/Source/JavaScriptCore/ChangeLog (289876 => 289877)


--- trunk/Source/_javascript_Core/ChangeLog	2022-02-16 05:27:04 UTC (rev 289876)
+++ trunk/Source/_javascript_Core/ChangeLog	2022-02-16 06:12:08 UTC (rev 289877)
@@ -1,5 +1,22 @@
 2022-02-15  Mark Lam  <[email protected]>
 
+        Defer TerminationsExceptions while in operationMaterializeObjectInOSR.
+        https://bugs.webkit.org/show_bug.cgi?id=236686
+        rdar://81337114
+
+        Reviewed by Saam Barati.
+
+        operationMaterializeObjectInOSR expects to always succeed.  It is difficult (and
+        not worth the effort) to make it be able to handle interruptions by the
+        TerminationException.  Since operationMaterializeObjectInOSR is guaranteed to
+        finish running in some finite time, it is reasonable to just defer handling a
+        pending TerminationException until the function returns.
+
+        * ftl/FTLOperations.cpp:
+        (JSC::FTL::JSC_DEFINE_JIT_OPERATION):
+
+2022-02-15  Mark Lam  <[email protected]>
+
         Make HeapType an enum class.
         https://bugs.webkit.org/show_bug.cgi?id=236667
         <rdar://problem/88984607>

Modified: trunk/Source/JavaScriptCore/ftl/FTLOperations.cpp (289876 => 289877)


--- trunk/Source/_javascript_Core/ftl/FTLOperations.cpp	2022-02-16 05:27:04 UTC (rev 289876)
+++ trunk/Source/_javascript_Core/ftl/FTLOperations.cpp	2022-02-16 06:12:08 UTC (rev 289877)
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2014-2021 Apple Inc. All rights reserved.
+ * Copyright (C) 2014-2022 Apple Inc. All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
@@ -47,6 +47,7 @@
 #include "JSMapIterator.h"
 #include "JSSetIterator.h"
 #include "RegExpObject.h"
+#include "VMTrapsInlines.h"
 #include <wtf/Assertions.h>
 
 IGNORE_WARNINGS_BEGIN("frame-address")
@@ -189,6 +190,10 @@
     CallFrame* callFrame = DECLARE_CALL_FRAME(vm);
     JITOperationPrologueCallFrameTracer tracer(vm, callFrame);
 
+    // It's too hairy to handle TerminationExceptions during OSR object materialization.
+    // Let's just wait until after.
+    DeferTermination deferTermination(vm);
+
     // We cannot GC. We've got pointers in evil places.
     DeferGCForAWhile deferGC(vm);
     
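
Review bot: the new comment above `DeferTermination deferTermination(vm);` says handling is "too hairy" but not why deferring is safe; the ChangeLog's reasoning (the operation expects to always succeed and is guaranteed to finish in finite time) belongs in that comment so the invariant stays next to the code. Because `deferTermination` is declared before `deferGC`, its scope ends after the GC deferral scope does; please confirm that ordering is intended and that the code this operation returns to is prepared to see the pending TerminationException at that point.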