Branch: refs/heads/main
  Home:   https://github.com/WebKit/WebKit
  Commit: 19d608654011c5e19dd82cdb3e5a4a57844d0d99
https://github.com/WebKit/WebKit/commit/19d608654011c5e19dd82cdb3e5a4a57844d0d99
  Author: Yusuke Suzuki <[email protected]>
  Date:   2025-05-23 (Fri, 23 May 2025)

  Changed paths:
    M Source/JavaScriptCore/assembler/AbortReason.h
    M Source/JavaScriptCore/bytecode/Watchpoint.h
    M Source/JavaScriptCore/dfg/DFGJITCompiler.h
    M Source/JavaScriptCore/dfg/DFGMayExit.cpp
    M Source/JavaScriptCore/dfg/DFGOperations.cpp
    M Source/JavaScriptCore/dfg/DFGOperations.h
    M Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp
    M Source/JavaScriptCore/dfg/DFGSpeculativeJIT.h
    M Source/JavaScriptCore/dfg/DFGSpeculativeJIT32_64.cpp
    M Source/JavaScriptCore/dfg/DFGSpeculativeJIT64.cpp
    M Source/JavaScriptCore/ftl/FTLAbstractHeapRepository.h
    M Source/JavaScriptCore/ftl/FTLLowerDFGToB3.cpp
    M Source/JavaScriptCore/runtime/Options.cpp
    M Source/JavaScriptCore/runtime/OptionsList.h

  Log Message:
  -----------
  [JSC] Add validateDFGMayExit option
https://bugs.webkit.org/show_bug.cgi?id=291404
rdar://149039530

Reviewed by Yijia Huang.

This patch adds a new option `validateDFGMayExit` which asserts we are
not generating OSR exit code when mayExit says `DoesNotExit`.
The concept is simple: whenever we generate OSR exit code, the node
should not say `DoesNotExit`. But we need to handle several things.

1. If the entire execution is already terminated, we may emit OSR exit
   while this node itself says `DoesNotExit`. But this is a false positive
   since we will not reach here in that case. So we check the current
   status via m_state.isValid() / m_compileOkay.
2. Currently FTL lazySlowPath has an issue: it always generates an
   exception OSR exit while the operation does not throw an error, and this
   causes false-positive failures. So right now, we changed FTL compileNotifyWrite
   to just use vmCall with a `rarely` branch. I think this is overall better
   given that generating new code on the main thread is costly on ARM64.
   So we may want to just use this pattern in all code instead of lazySlowPath
   eventually, but for now, we are just changing compileNotifyWrite.
3. We had some false positives. For example, StringOrStringObject is correctly
   implemented, but it can emit an OSR exit even if the input is String or
   StringObject, and as a result we get a false-positive error while this
   path is never taken. We use FTL_TYPE_CHECK / DFG_TYPE_CHECK with
   passthrough types to fix this.

* Source/JavaScriptCore/assembler/AbortReason.h:
* Source/JavaScriptCore/bytecode/Watchpoint.h:
(JSC::WatchpointSet::addressOfState): Deleted.
(JSC::WatchpointSet::addressOfSetIsNotEmpty): Deleted.
* Source/JavaScriptCore/dfg/DFGJITCompiler.h:
(JSC::DFG::JITCompiler::appendOSRExit): Deleted.
* Source/JavaScriptCore/dfg/DFGMayExit.cpp:
* Source/JavaScriptCore/dfg/DFGOperations.cpp:
(JSC::DFG::JSC_DEFINE_NOEXCEPT_JIT_OPERATION):
* Source/JavaScriptCore/dfg/DFGOperations.h:
* Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp:
(JSC::DFG::SpeculativeJIT::speculationCheck):
(JSC::DFG::SpeculativeJIT::terminateUnreachableNode):
* Source/JavaScriptCore/dfg/DFGSpeculativeJIT.h:
* Source/JavaScriptCore/dfg/DFGSpeculativeJIT32_64.cpp:
(JSC::DFG::SpeculativeJIT::fillSpeculateInt32Internal):
(JSC::DFG::SpeculativeJIT::fillSpeculateInt32): Deleted.
(JSC::DFG::SpeculativeJIT::fillSpeculateInt32Strict): Deleted.
(JSC::DFG::SpeculativeJIT::fillSpeculateDouble): Deleted.
(JSC::DFG::SpeculativeJIT::fillSpeculateCell): Deleted.
(JSC::DFG::SpeculativeJIT::fillSpeculateBoolean): Deleted.
(JSC::DFG::SpeculativeJIT::compileObjectStrictEquality): Deleted.
(JSC::DFG::SpeculativeJIT::compilePeepHoleObjectStrictEquality): Deleted.
(JSC::DFG::SpeculativeJIT::compileObjectToObjectOrOtherEquality): Deleted.
(JSC::DFG::SpeculativeJIT::compilePeepHoleObjectToObjectOrOtherEquality): Deleted.
(JSC::DFG::SpeculativeJIT::compileSymbolUntypedEquality): Deleted.
(JSC::DFG::SpeculativeJIT::compileToBooleanObjectOrOther): Deleted.
(JSC::DFG::SpeculativeJIT::compileToBoolean): Deleted.
(JSC::DFG::SpeculativeJIT::emitObjectOrOtherBranch): Deleted.
(JSC::DFG::SpeculativeJIT::emitBranch): Deleted.
(JSC::DFG::SpeculativeJIT::compileGetByVal): Deleted.
(JSC::DFG::SpeculativeJIT::compile): Deleted.
(JSC::DFG::SpeculativeJIT::moveTrueTo): Deleted.
(JSC::DFG::SpeculativeJIT::moveFalseTo): Deleted.
(JSC::DFG::SpeculativeJIT::blessBoolean): Deleted.
(JSC::DFG::SpeculativeJIT::compileArithRandom): Deleted.
(JSC::DFG::SpeculativeJIT::compileGetByValWithThis): Deleted.
(JSC::DFG::SpeculativeJIT::compileCreateClonedArguments): Deleted.
(JSC::DFG::SpeculativeJIT::compileGetById): Deleted.
(JSC::DFG::SpeculativeJIT::compileGetByIdFlush): Deleted.
(JSC::DFG::SpeculativeJIT::compileDeleteById): Deleted.
(JSC::DFG::SpeculativeJIT::compileDeleteByVal): Deleted.
(JSC::DFG::SpeculativeJIT::compileInById): Deleted.
(JSC::DFG::SpeculativeJIT::compileInByVal): Deleted.
(JSC::DFG::SpeculativeJIT::compileHasPrivate): Deleted.
(JSC::DFG::SpeculativeJIT::compileHasPrivateName): Deleted.
(JSC::DFG::SpeculativeJIT::compileHasPrivateBrand): Deleted.
(JSC::DFG::SpeculativeJIT::compilePutByVal): Deleted.
(JSC::DFG::SpeculativeJIT::compileGetPrivateNameByVal): Deleted.
(JSC::DFG::SpeculativeJIT::compileGetPrivateNameById): Deleted.
(JSC::DFG::SpeculativeJIT::compilePutPrivateName): Deleted.
(JSC::DFG::SpeculativeJIT::compilePutPrivateNameById): Deleted.
(JSC::DFG::SpeculativeJIT::compileCheckPrivateBrand): Deleted.
(JSC::DFG::SpeculativeJIT::compileSetPrivateBrand): Deleted.
(JSC::DFG::SpeculativeJIT::compileInstanceOfForCells): Deleted.
(JSC::DFG::SpeculativeJIT::compileInstanceOf): Deleted.
(JSC::DFG::SpeculativeJIT::compilePutByIdFlush): Deleted.
(JSC::DFG::SpeculativeJIT::compilePutById): Deleted.
(JSC::DFG::SpeculativeJIT::compilePutByIdDirect): Deleted.
(JSC::DFG::SpeculativeJIT::cachedPutById): Deleted.
(JSC::DFG::SpeculativeJIT::speculateInt32): Deleted.
* Source/JavaScriptCore/dfg/DFGSpeculativeJIT64.cpp:
(JSC::DFG::SpeculativeJIT::fillSpeculateInt32Internal):
(JSC::DFG::SpeculativeJIT::fillSpeculateInt52):
(JSC::DFG::SpeculativeJIT::fillSpeculateCell):
(JSC::DFG::SpeculativeJIT::fillSpeculateBoolean):
(JSC::DFG::SpeculativeJIT::fillSpeculateBigInt32):
* Source/JavaScriptCore/ftl/FTLAbstractHeapRepository.h:
* Source/JavaScriptCore/ftl/FTLLowerDFGToB3.cpp:
(JSC::FTL::DFG::LowerDFGToB3::compilePutByVal):
(JSC::FTL::DFG::LowerDFGToB3::compileToStringOrCallStringConstructorOrStringValueOf):
(JSC::FTL::DFG::LowerDFGToB3::compileNotifyWrite):
(JSC::FTL::DFG::LowerDFGToB3::compileCompareStrictEq):
* Source/JavaScriptCore/runtime/Options.cpp:
(JSC::Options::setAllJITCodeValidations):
* Source/JavaScriptCore/runtime/OptionsList.h:

Canonical link: https://commits.webkit.org/295348@main
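As an added illustration, not code from this commit or from WebKit: a toy model of the check that `validateDFGMayExit` introduces, with a stand-in `SpeculativeJIT`, constructed `Spec*` type masks and a simplified `typeCheck`. It covers case 1 (no violation once compilation has terminated) and case 3 (a passthrough type check that emits no exit when the proven type already fits).

```cpp
#include <cstdint>
#include <string>

// Toy model (not JSC code): a node carries the answer mayExit() gave for it,
// and emitting an OSR exit for a node that said DoesNotExit is flagged,
// except once compilation has already terminated
// (m_state.isValid() / m_compileOkay are false).
enum class ExitMode { DoesNotExit, Exits };

struct Node {
    std::string op;
    ExitMode mayExit;
};

// Constructed miniature of JSC's SpeculatedType bitmask.
using SpeculatedType = std::uint32_t;
constexpr SpeculatedType SpecString = 1u << 0;
constexpr SpeculatedType SpecStringObject = 1u << 1;
constexpr SpeculatedType SpecOther = 1u << 2;

struct SpeculativeJIT {
    bool validateDFGMayExit = true;  // stands in for Options::validateDFGMayExit()
    bool compileOkay = true;         // m_compileOkay
    bool stateIsValid = true;        // m_state.isValid()
    int exitsEmitted = 0;
    int violations = 0;              // the real validator would abort here

    // Every OSR exit goes through here, so this is where the assertion lives.
    void speculationCheck(const Node& node) {
        ++exitsEmitted;
        if (!validateDFGMayExit || node.mayExit != ExitMode::DoesNotExit)
            return;
        // Case 1: after termination this code is unreachable, so an exit
        // here is a false positive rather than a bug.
        if (compileOkay && stateIsValid)
            ++violations;
    }

    void terminateUnreachableNode() { stateIsValid = false; compileOkay = false; }

    // Model of DFG_TYPE_CHECK with typesPassedThrough: if the proven type of
    // the input is already within the passed-through set, no exit is needed,
    // which is what case 3 relies on for StringOrStringObject.
    bool typeCheck(const Node& node, SpeculatedType proven, SpeculatedType typesPassedThrough) {
        if ((proven & ~typesPassedThrough) == 0)
            return false; // nothing to check; no OSR exit generated
        speculationCheck(node);
        return true;
    }
};
```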
