Skip to site navigation (Press enter)

[webkit-changes] [181981] trunk/Source/JavaScriptCore

mark . lam Wed, 25 Mar 2015 16:15:51 -0700

Title: [181981] trunk/Source/_javascript_Core

Revision: 181981
Author: [email protected]
Date: 2015-03-25 16:15:15 -0700 (Wed, 25 Mar 2015)

Log Message

REGRESSION(169139): LLINT intermittently fails JSC testapi tests.
<https://webkit.org/b/135719>


Reviewed by Geoffrey Garen.

This is a regression introduced in http://trac.webkit.org/changeset/169139 which
changed VM::watchdog from an embedded field into a std::unique_ptr, but did not
update the LLINT to access it as such.

The issue has only manifested so far on the CLoop tests because those are LLINT
only.  In the non-CLoop cases, the JIT kicks in and does the right thing, thereby
hiding the bug in the LLINT.

* API/JSContextRef.cpp:
(createWatchdogIfNeeded):
(JSContextGroupSetExecutionTimeLimit):
(JSContextGroupClearExecutionTimeLimit):
* llint/LowLevelInterpreter.asm:

Modified Paths

trunk/Source/_javascript_Core/API/JSContextRef.cpp
trunk/Source/_javascript_Core/ChangeLog
trunk/Source/_javascript_Core/llint/LowLevelInterpreter.asm

Diff

Modified: trunk/Source/_javascript_Core/API/JSContextRef.cpp (181980 => 181981)


--- trunk/Source/_javascript_Core/API/JSContextRef.cpp	2015-03-25 23:05:36 UTC (rev 181980)
+++ trunk/Source/_javascript_Core/API/JSContextRef.cpp	2015-03-25 23:15:15 UTC (rev 181981)
@@ -100,12 +100,23 @@
     return callback(contextRef, callbackData);
 }
 
+static void createWatchdogIfNeeded(VM& vm)
+{
+    if (!vm.watchdog) {
+        vm.watchdog = std::make_unique<Watchdog>();
+
+        // The LLINT peeks into the Watchdog object directly. In order to do that,
+        // the LLINT assumes that the internal shape of a std::unique_ptr is the
+        // same as a plain C++ pointer, and loads the address of Watchdog from it.
+        RELEASE_ASSERT(*reinterpret_cast<Watchdog**>(&vm.watchdog) == vm.watchdog.get());
+    }
+}
+
 void JSContextGroupSetExecutionTimeLimit(JSContextGroupRef group, double limit, JSShouldTerminateCallback callback, void* callbackData)
 {
     VM& vm = *toJS(group);
     JSLockHolder locker(&vm);
-    if (!vm.watchdog)
-        vm.watchdog = std::make_unique<Watchdog>();
+    createWatchdogIfNeeded(vm);
     Watchdog& watchdog = *vm.watchdog;
     if (callback) {
         void* callbackPtr = reinterpret_cast<void*>(callback);
@@ -118,8 +129,7 @@
 {
     VM& vm = *toJS(group);
     JSLockHolder locker(&vm);
-    if (!vm.watchdog)
-        vm.watchdog = std::make_unique<Watchdog>();
+    createWatchdogIfNeeded(vm);
     Watchdog& watchdog = *vm.watchdog;
     watchdog.setTimeLimit(vm, std::chrono::microseconds::max());
 }

Modified: trunk/Source/_javascript_Core/ChangeLog (181980 => 181981)


--- trunk/Source/_javascript_Core/ChangeLog	2015-03-25 23:05:36 UTC (rev 181980)
+++ trunk/Source/_javascript_Core/ChangeLog	2015-03-25 23:15:15 UTC (rev 181981)
@@ -1,3 +1,24 @@
+2015-03-25  Mark Lam  <[email protected]>
+
+        REGRESSION(169139): LLINT intermittently fails JSC testapi tests.
+        <https://webkit.org/b/135719>
+
+        Reviewed by Geoffrey Garen.
+
+        This is a regression introduced in http://trac.webkit.org/changeset/169139 which
+        changed VM::watchdog from an embedded field into a std::unique_ptr, but did not
+        update the LLINT to access it as such.
+
+        The issue has only manifested so far on the CLoop tests because those are LLINT
+        only.  In the non-CLoop cases, the JIT kicks in and does the right thing, thereby
+        hiding the bug in the LLINT.
+
+        * API/JSContextRef.cpp:
+        (createWatchdogIfNeeded):
+        (JSContextGroupSetExecutionTimeLimit):
+        (JSContextGroupClearExecutionTimeLimit):
+        * llint/LowLevelInterpreter.asm:
+
 2015-03-25  Filip Pizlo  <[email protected]>
 
         Change Atomic methods from using the_wrong_naming_conventions to using theRightNamingConventions. Also make seq_cst the default.

Modified: trunk/Source/_javascript_Core/llint/LowLevelInterpreter.asm (181980 => 181981)


--- trunk/Source/_javascript_Core/llint/LowLevelInterpreter.asm	2015-03-25 23:05:36 UTC (rev 181980)
+++ trunk/Source/_javascript_Core/llint/LowLevelInterpreter.asm	2015-03-25 23:15:15 UTC (rev 181981)
@@ -1120,12 +1120,14 @@
     traceExecution()
     loadp CodeBlock[cfr], t1
     loadp CodeBlock::m_vm[t1], t1
-    loadb VM::watchdog+Watchdog::m_timerDidFire[t1], t0
-    btbnz t0, .handleWatchdogTimer
+    loadp VM::watchdog[t1], t0
+    btpnz t0, .handleWatchdogTimer
 .afterWatchdogTimerCheck:
     checkSwitchToJITForLoop()
     dispatch(1)
 .handleWatchdogTimer:
+    loadb Watchdog::m_timerDidFire[t0], t0
+    btbz t0, .afterWatchdogTimerCheck
     callWatchdogTimerHandler(.throwHandler)
     jmp .afterWatchdogTimerCheck
 .throwHandler:

_______________________________________________
webkit-changes mailing list
[email protected]
https://lists.webkit.org/mailman/listinfo/webkit-changes