Branch: refs/heads/main
Home: https://github.com/WebKit/WebKit
Commit: 78a8cf3ed7b1a0ee2b5d99dfae28943e6a2b270e
https://github.com/WebKit/WebKit/commit/78a8cf3ed7b1a0ee2b5d99dfae28943e6a2b270e
Author: Yusuke Suzuki <[email protected]>
Date: 2025-05-27 (Tue, 27 May 2025)
Changed paths:
A JSTests/stress/make-rope-overflow-nested-catch.js
A JSTests/stress/make-rope-overflow-nested.js
M Source/JavaScriptCore/bytecode/ExitKind.h
M Source/JavaScriptCore/dfg/DFGJITCompiler.cpp
M Source/JavaScriptCore/dfg/DFGJITCompiler.h
M Source/JavaScriptCore/dfg/DFGOSRExit.cpp
M Source/JavaScriptCore/dfg/DFGOSRExitBase.h
M Source/JavaScriptCore/dfg/DFGObjectAllocationSinkingPhase.cpp
M Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp
M Source/JavaScriptCore/dfg/DFGSpeculativeJIT.h
M Source/JavaScriptCore/ftl/FTLLowerDFGToB3.cpp
M Source/JavaScriptCore/ftl/FTLOSRExit.cpp
M Source/JavaScriptCore/ftl/FTLOSRExitCompiler.cpp
M Source/JavaScriptCore/jit/JITOperations.cpp
M Source/JavaScriptCore/jit/JITOperations.h
M Source/JavaScriptCore/jit/JITThunks.h
M Source/JavaScriptCore/jit/ThunkGenerators.cpp
M Source/JavaScriptCore/jit/ThunkGenerators.h
Log Message:
-----------
[JSC] Further enhance DFG mayExit validation
https://bugs.webkit.org/show_bug.cgi?id=293529
rdar://151966700
Reviewed by Yijia Huang.
This patch extends DFG mayExit validation further and fixes some of
existing code.
1. When mayExit says ExitsForException, we should generate OSR exits
only for exception checks. We should not generate any other OSR
exits.
2. MakeRope should use ExitsForException. But it uses normal OSR exits
for OOM check. We should have special OSR exit
"WillThrowOutOfMemoryError", and use it instead. It generates OSR
exit which throws out of memory error in the middle of OSR exit.
3. MaterializeNewArrayWithConstantSize should not do Int32 speculation
check for children after the first speculations. We should ensure
that children have Int32Use and first speculate sequence should be
enough for these type checks.
* Source/JavaScriptCore/bytecode/ExitKind.h:
* Source/JavaScriptCore/dfg/DFGJITCompiler.cpp:
(JSC::DFG::JITCompiler::appendExceptionHandlingOSRExit): Deleted.
* Source/JavaScriptCore/dfg/DFGJITCompiler.h:
* Source/JavaScriptCore/dfg/DFGOSRExit.cpp:
(JSC::DFG::OSRExit::compileExit):
* Source/JavaScriptCore/dfg/DFGOSRExitBase.h:
* Source/JavaScriptCore/dfg/DFGObjectAllocationSinkingPhase.cpp:
* Source/JavaScriptCore/dfg/DFGOperations.cpp:
(JSC::DFG::JSC_DEFINE_JIT_OPERATION):
* Source/JavaScriptCore/dfg/DFGOperations.h:
* Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp:
(JSC::DFG::SpeculativeJIT::exceptionCheck):
(JSC::DFG::SpeculativeJIT::recordCallSiteAndGenerateExceptionHandlingOSRExitIfNeeded):
(JSC::DFG::SpeculativeJIT::speculationCheckOutOfMemory):
* Source/JavaScriptCore/dfg/DFGSpeculativeJIT.h:
* Source/JavaScriptCore/ftl/FTLLowerDFGToB3.cpp:
(JSC::FTL::DFG::LowerDFGToB3::cachedPutById):
(JSC::FTL::DFG::LowerDFGToB3::compileMakeRope):
(JSC::FTL::DFG::LowerDFGToB3::compileCompareStrictEq):
* Source/JavaScriptCore/ftl/FTLOSRExit.cpp:
(JSC::FTL::OSRExitDescriptor::prepareOSRExitHandle):
* Source/JavaScriptCore/ftl/FTLOSRExitCompiler.cpp:
(JSC::FTL::compileStub):
Canonical link: https://commits.webkit.org/295441@main
To unsubscribe from these emails, change your notification settings at
https://github.com/WebKit/WebKit/settings/notifications
_______________________________________________
webkit-changes mailing list
[email protected]
https://lists.webkit.org/mailman/listinfo/webkit-changes
