Changeset 262475 in webkit

Timestamp:

Jun 2, 2020, 9:47:30 PM (5 years ago)

Author:

mark.lam@apple.com

Message:

Enhance DoesGC verification to print more useful info when verification fails.
​https://bugs.webkit.org/show_bug.cgi?id=212680

Reviewed by Yusuke Suzuki.

When DoesGC verification fails, the first step of debugging it would be to find
out what and which DFG node resulted in the failed verification. In pre-existing
code, all we get is an assertion failure.

This patch makes it so that the verifier will dump useful info. Here's an example:

Error: DoesGC failed @ D@34 DateGetInt32OrNaN in #DtCHMz:[0x1135bd1d0->0x1135bcab0->0x1135e5c80, DFGFunctionCall, 150 (DidTryToEnterInLoop)]

[0] frame 0x7ffee8285660 {

name:
sourceURL:
isInlinedFrame: false
callee: 0x1135f6820
returnPC: 0x50ce61248ae6
callerFrame: 0x7ffee82856f0
rawLocationBits: 5 0x5
codeBlock: 0x1135bd1d0 #DtCHMz:[0x1135bd1d0->0x1135bcab0->0x1135e5c80, DFGFunctionCall, 150 (DidTryToEnterInLoop)]

hasCodeOrigins: true
callSiteIndex: 5 of 13
jitCode: 0x113020200 start 0x50ce61214c60 end 0x50ce61219b00
line: 1
column: 60

EntryFrame: 0x7ffee8285860

}
[1] frame 0x7ffee82856f0 {

name:
sourceURL: date-format-xparb.js
isInlinedFrame: false
callee: 0x1135f65a0
returnPC: 0x50ce61227e99
callerFrame: 0x7ffee8285770
rawLocationBits: 4 0x4
codeBlock: 0x1135bd0a0 #BU6Zcd:[0x1135bd0a0->0x1135bc260->0x1135e5180, DFGFunctionCall, 112 (DidTryToEnterInLoop)]

hasCodeOrigins: true
callSiteIndex: 4 of 12
jitCode: 0x113004000 start 0x50ce61212c60 end 0x50ce61214960
line: 26
column: 22

EntryFrame: 0x7ffee8285860

}
[2] frame 0x7ffee8285770 {

name:
sourceURL: date-format-xparb.js
isInlinedFrame: false
callee: 0x1135f64e0
returnPC: 0x108058eb1
callerFrame: 0x7ffee82857e0
rawLocationBits: 1001 0x3e9
codeBlock: 0x1135bc130 #DAS9xe:[0x1135bc130->0x1135e5100, BaselineFunctionCall, 1149]

bc#1001 of 1149
line: 417
column: 38

EntryFrame: 0x7ffee8285860

}
[3] frame 0x7ffee82857e0 {

name: global code
sourceURL: date-format-xparb.js
isInlinedFrame: false
callee: 0x1130f97b8
returnPC: 0x108039043
callerFrame: 0x0
rawLocationBits: 23 0x17
codeBlock: 0x1135bc000 <global>#CukXvt:[0x1135bc000->0x1130cd768, LLIntGlobal, 81]

bc#23 of 81
line: 425
column: 3

EntryFrame: 0x7ffee8285860

}

ASSERTION FAILED: expectDoesGC()

The error message now comes with the node index, NodeType, codeBlock which this
failure was found in, and the JS call stack that led to the failure.

Changes made:

1. Introduced a DoesGCCheck value that is used to encode some of the above data.

Previously, we only recorded whether doesGC() returns true or false for the
Node. Now, we record the nodeIndex and nodeOp as well.

Note that we also set DoesGC expectations for OSR exits. So, DoesGCCheck
includes Special cases for those.

2. Added store64(TrustedImm64 imm, const void* address) emitters for X86_64 and ARM64. Also added a test for this new emitter in testmasm.

• CMakeLists.txt:
• JavaScriptCore.xcodeproj/project.pbxproj:
• Sources.txt:
• assembler/MacroAssemblerARM64.h:

(JSC::MacroAssemblerARM64::store64):

• assembler/MacroAssemblerX86_64.h:

(JSC::MacroAssemblerX86_64::store64):

• assembler/testmasm.cpp:

(JSC::testStore64Imm64AddressPointer):
(JSC::run):

• dfg/DFGDoesGCCheck.cpp: Added.

(JSC::DFG::DoesGCCheck::verifyCanGC):

• dfg/DFGDoesGCCheck.h: Added.

(JSC::DFG::DoesGCCheck::DoesGCCheck):
(JSC::DFG::DoesGCCheck::encode):
(JSC::DFG::DoesGCCheck::set):
(JSC::DFG::DoesGCCheck::expectDoesGC):
(JSC::DFG::DoesGCCheck::special):
(JSC::DFG::DoesGCCheck::nodeIndex):
(JSC::DFG::DoesGCCheck::nodeOp):
(JSC::DFG::DoesGCCheck::isSpecial):
(JSC::DFG::DoesGCCheck::specialIndex):
(JSC::DFG::DoesGCCheck::bits):

• dfg/DFGGraph.cpp:
• dfg/DFGOSRExit.cpp:

(JSC::DFG::operationCompileOSRExit):
(JSC::DFG::OSRExit::compileExit):

• dfg/DFGSpeculativeJIT64.cpp:

(JSC::DFG::SpeculativeJIT::compile):

• ftl/FTLLowerDFGToB3.cpp:

(JSC::FTL::DFG::LowerDFGToB3::compileNode):

• ftl/FTLOSRExitCompiler.cpp:

(JSC::FTL::compileStub):
(JSC::FTL::operationCompileFTLOSRExit):

• heap/CompleteSubspace.cpp:

(JSC::CompleteSubspace::tryAllocateSlow):
(JSC::CompleteSubspace::reallocatePreciseAllocationNonVirtual):

• heap/CompleteSubspaceInlines.h:

(JSC::CompleteSubspace::allocateNonVirtual):

• heap/DeferGC.h:

(JSC::DeferGC::~DeferGC):

• heap/GCDeferralContextInlines.h:

(JSC::GCDeferralContext::~GCDeferralContext):

• heap/Heap.cpp:

(JSC::Heap::collectNow):
(JSC::Heap::collectAsync):
(JSC::Heap::collectSync):
(JSC::Heap::stopIfNecessarySlow):
(JSC::Heap::collectIfNecessaryOrDefer):

• heap/Heap.h:

(JSC::Heap::addressOfDoesGC):
(JSC::Heap::setDoesGCExpectation):
(JSC::Heap::verifyCanGC):
(JSC::Heap::expectDoesGC const): Deleted.
(JSC::Heap::setExpectDoesGC): Deleted.
(JSC::Heap::addressOfExpectDoesGC): Deleted.

• heap/HeapInlines.h:

(JSC::Heap::acquireAccess):
(JSC::Heap::stopIfNecessary):

• heap/LocalAllocatorInlines.h:

(JSC::LocalAllocator::allocate):

• heap/PreciseAllocation.cpp:

(JSC::PreciseAllocation::tryCreate):
(JSC::PreciseAllocation::createForLowerTier):

• runtime/JSString.h:

(JSC::jsSingleCharacterString):
(JSC::JSString::toAtomString const):
(JSC::JSString::toExistingAtomString const):
(JSC::JSString::value const):
(JSC::JSString::tryGetValue const):
(JSC::JSRopeString::unsafeView const):
(JSC::JSRopeString::viewWithUnderlyingString const):
(JSC::JSString::unsafeView const):

• runtime/RegExpMatchesArray.h:

(JSC::createRegExpMatchesArray):

Location:

trunk/Source/JavaScriptCore

Files:

• CMakeLists.txt (modified) (1 diff)
• ChangeLog (modified) (1 diff)
• JavaScriptCore.xcodeproj/project.pbxproj (modified) (4 diffs)
• Sources.txt (modified) (1 diff)
• assembler/MacroAssemblerARM64.h (modified) (1 diff)
• assembler/MacroAssemblerX86_64.h (modified) (1 diff)
• assembler/testmasm.cpp (modified) (2 diffs)
• dfg/DFGDoesGCCheck.cpp (added)
• dfg/DFGDoesGCCheck.h (added)
• dfg/DFGGraph.cpp (modified) (1 diff)
• dfg/DFGOSRExit.cpp (modified) (2 diffs)
• dfg/DFGSpeculativeJIT64.cpp (modified) (1 diff)
• ftl/FTLLowerDFGToB3.cpp (modified) (1 diff)
• ftl/FTLOSRExitCompiler.cpp (modified) (2 diffs)
• heap/CompleteSubspace.cpp (modified) (3 diffs)
• heap/CompleteSubspaceInlines.h (modified) (2 diffs)
• heap/DeferGC.h (modified) (2 diffs)
• heap/GCDeferralContextInlines.h (modified) (2 diffs)
• heap/Heap.cpp (modified) (7 diffs)
• heap/Heap.h (modified) (4 diffs)
• heap/HeapInlines.h (modified) (2 diffs)
• heap/LocalAllocatorInlines.h (modified) (1 diff)
• heap/PreciseAllocation.cpp (modified) (2 diffs)
• runtime/JSString.h (modified) (8 diffs)
• runtime/RegExpMatchesArray.h (modified) (1 diff)

trunk/Source/JavaScriptCore/CMakeLists.txt

@@ -565 +565 @@
     dfg/DFGCommon.h
     dfg/DFGCompilationMode.h
+    dfg/DFGDoesGCCheck.h
     dfg/DFGMinifiedID.h
 

trunk/Source/JavaScriptCore/ChangeLog

@@ +1 @@
+2020-06-02  Mark Lam  <mark.lam@apple.com>
+
+        Enhance DoesGC verification to print more useful info when verification fails.
+        https://bugs.webkit.org/show_bug.cgi?id=212680
+
+        Reviewed by Yusuke Suzuki.
+
+        When DoesGC verification fails, the first step of debugging it would be to find
+        out what and which DFG node resulted in the failed verification.  In pre-existing
+        code, all we get is an assertion failure.
+
+        This patch makes it so that the verifier will dump useful info.  Here's an example:
+
+            Error: DoesGC failed @ D@34 DateGetInt32OrNaN in #DtCHMz:[0x1135bd1d0->0x1135bcab0->0x1135e5c80, DFGFunctionCall, 150 (DidTryToEnterInLoop)]
+                [0] frame 0x7ffee8285660 {
+                  name: 
+                  sourceURL: 
+                  isInlinedFrame: false
+                  callee: 0x1135f6820
+                  returnPC: 0x50ce61248ae6
+                  callerFrame: 0x7ffee82856f0
+                  rawLocationBits: 5 0x5
+                  codeBlock: 0x1135bd1d0 #DtCHMz:[0x1135bd1d0->0x1135bcab0->0x1135e5c80, DFGFunctionCall, 150 (DidTryToEnterInLoop)]
+                    hasCodeOrigins: true
+                    callSiteIndex: 5 of 13
+                    jitCode: 0x113020200 start 0x50ce61214c60 end 0x50ce61219b00
+                    line: 1
+                    column: 60
+                  EntryFrame: 0x7ffee8285860
+                }
+                [1] frame 0x7ffee82856f0 {
+                  name: 
+                  sourceURL: date-format-xparb.js
+                  isInlinedFrame: false
+                  callee: 0x1135f65a0
+                  returnPC: 0x50ce61227e99
+                  callerFrame: 0x7ffee8285770
+                  rawLocationBits: 4 0x4
+                  codeBlock: 0x1135bd0a0 #BU6Zcd:[0x1135bd0a0->0x1135bc260->0x1135e5180, DFGFunctionCall, 112 (DidTryToEnterInLoop)]
+                    hasCodeOrigins: true
+                    callSiteIndex: 4 of 12
+                    jitCode: 0x113004000 start 0x50ce61212c60 end 0x50ce61214960
+                    line: 26
+                    column: 22
+                  EntryFrame: 0x7ffee8285860
+                }
+                [2] frame 0x7ffee8285770 {
+                  name: 
+                  sourceURL: date-format-xparb.js
+                  isInlinedFrame: false
+                  callee: 0x1135f64e0
+                  returnPC: 0x108058eb1
+                  callerFrame: 0x7ffee82857e0
+                  rawLocationBits: 1001 0x3e9
+                  codeBlock: 0x1135bc130 #DAS9xe:[0x1135bc130->0x1135e5100, BaselineFunctionCall, 1149]
+                    bc#1001 of 1149
+                    line: 417
+                    column: 38
+                  EntryFrame: 0x7ffee8285860
+                }
+                [3] frame 0x7ffee82857e0 {
+                  name: global code
+                  sourceURL: date-format-xparb.js
+                  isInlinedFrame: false
+                  callee: 0x1130f97b8
+                  returnPC: 0x108039043
+                  callerFrame: 0x0
+                  rawLocationBits: 23 0x17
+                  codeBlock: 0x1135bc000 <global>#CukXvt:[0x1135bc000->0x1130cd768, LLIntGlobal, 81]
+                    bc#23 of 81
+                    line: 425
+                    column: 3
+                  EntryFrame: 0x7ffee8285860
+                }
+
+            ASSERTION FAILED: expectDoesGC()
+
+        The error message now comes with the node index, NodeType, codeBlock which this
+        failure was found in, and the JS call stack that led to the failure.
+
+        Changes made:
+
+        1. Introduced a DoesGCCheck value that is used to encode some of the above data.
+
+           Previously, we only recorded whether doesGC() returns true or false for the
+           Node.  Now, we record the nodeIndex and nodeOp as well.
+
+           Note that we also set DoesGC expectations for OSR exits.  So, DoesGCCheck
+           includes Special cases for those.
+
+        2. Added store64(TrustedImm64 imm, const void* address) emitters for X86_64 and ARM64.
+           Also added a test for this new emitter in testmasm.
+
+        * CMakeLists.txt:
+        * JavaScriptCore.xcodeproj/project.pbxproj:
+        * Sources.txt:
+        * assembler/MacroAssemblerARM64.h:
+        (JSC::MacroAssemblerARM64::store64):
+        * assembler/MacroAssemblerX86_64.h:
+        (JSC::MacroAssemblerX86_64::store64):
+        * assembler/testmasm.cpp:
+        (JSC::testStore64Imm64AddressPointer):
+        (JSC::run):
+        * dfg/DFGDoesGCCheck.cpp: Added.
+        (JSC::DFG::DoesGCCheck::verifyCanGC):
+        * dfg/DFGDoesGCCheck.h: Added.
+        (JSC::DFG::DoesGCCheck::DoesGCCheck):
+        (JSC::DFG::DoesGCCheck::encode):
+        (JSC::DFG::DoesGCCheck::set):
+        (JSC::DFG::DoesGCCheck::expectDoesGC):
+        (JSC::DFG::DoesGCCheck::special):
+        (JSC::DFG::DoesGCCheck::nodeIndex):
+        (JSC::DFG::DoesGCCheck::nodeOp):
+        (JSC::DFG::DoesGCCheck::isSpecial):
+        (JSC::DFG::DoesGCCheck::specialIndex):
+        (JSC::DFG::DoesGCCheck::bits):
+        * dfg/DFGGraph.cpp:
+        * dfg/DFGOSRExit.cpp:
+        (JSC::DFG::operationCompileOSRExit):
+        (JSC::DFG::OSRExit::compileExit):
+        * dfg/DFGSpeculativeJIT64.cpp:
+        (JSC::DFG::SpeculativeJIT::compile):
+        * ftl/FTLLowerDFGToB3.cpp:
+        (JSC::FTL::DFG::LowerDFGToB3::compileNode):
+        * ftl/FTLOSRExitCompiler.cpp:
+        (JSC::FTL::compileStub):
+        (JSC::FTL::operationCompileFTLOSRExit):
+        * heap/CompleteSubspace.cpp:
+        (JSC::CompleteSubspace::tryAllocateSlow):
+        (JSC::CompleteSubspace::reallocatePreciseAllocationNonVirtual):
+        * heap/CompleteSubspaceInlines.h:
+        (JSC::CompleteSubspace::allocateNonVirtual):
+        * heap/DeferGC.h:
+        (JSC::DeferGC::~DeferGC):
+        * heap/GCDeferralContextInlines.h:
+        (JSC::GCDeferralContext::~GCDeferralContext):
+        * heap/Heap.cpp:
+        (JSC::Heap::collectNow):
+        (JSC::Heap::collectAsync):
+        (JSC::Heap::collectSync):
+        (JSC::Heap::stopIfNecessarySlow):
+        (JSC::Heap::collectIfNecessaryOrDefer):
+        * heap/Heap.h:
+        (JSC::Heap::addressOfDoesGC):
+        (JSC::Heap::setDoesGCExpectation):
+        (JSC::Heap::verifyCanGC):
+        (JSC::Heap::expectDoesGC const): Deleted.
+        (JSC::Heap::setExpectDoesGC): Deleted.
+        (JSC::Heap::addressOfExpectDoesGC): Deleted.
+        * heap/HeapInlines.h:
+        (JSC::Heap::acquireAccess):
+        (JSC::Heap::stopIfNecessary):
+        * heap/LocalAllocatorInlines.h:
+        (JSC::LocalAllocator::allocate):
+        * heap/PreciseAllocation.cpp:
+        (JSC::PreciseAllocation::tryCreate):
+        (JSC::PreciseAllocation::createForLowerTier):
+        * runtime/JSString.h:
+        (JSC::jsSingleCharacterString):
+        (JSC::JSString::toAtomString const):
+        (JSC::JSString::toExistingAtomString const):
+        (JSC::JSString::value const):
+        (JSC::JSString::tryGetValue const):
+        (JSC::JSRopeString::unsafeView const):
+        (JSC::JSRopeString::viewWithUnderlyingString const):
+        (JSC::JSString::unsafeView const):
+        * runtime/RegExpMatchesArray.h:
+        (JSC::createRegExpMatchesArray):
+
 2020-06-02  Mark Lam  <mark.lam@apple.com>
 

trunk/Source/JavaScriptCore/JavaScriptCore.xcodeproj/project.pbxproj

@@ -1937 +1937 @@
                 FEB58C15187B8B160098EF0B /* ErrorHandlingScope.h in Headers */ = {isa = PBXBuildFile; fileRef = FEB58C13187B8B160098EF0B /* ErrorHandlingScope.h */; settings = {ATTRIBUTES = (Private, ); }; };
                 FEC160322339E9F900A04CB8 /* CellSize.h in Headers */ = {isa = PBXBuildFile; fileRef = FEC160312339E9F900A04CB8 /* CellSize.h */; };
+                FEC3A3A1248735CA00395B54 /* DFGDoesGCCheck.h in Headers */ = {isa = PBXBuildFile; fileRef = FEC3A3A0248735BC00395B54 /* DFGDoesGCCheck.h */; settings = {ATTRIBUTES = (Private, ); }; };
                 FEC5797323105B5100BCA83F /* VMInspectorInlines.h in Headers */ = {isa = PBXBuildFile; fileRef = FEC5797223105B4800BCA83F /* VMInspectorInlines.h */; };
                 FEC5797623105F4E00BCA83F /* Integrity.h in Headers */ = {isa = PBXBuildFile; fileRef = FEC5797523105F4300BCA83F /* Integrity.h */; settings = {ATTRIBUTES = (Private, ); }; };
@@ -5233 +5234 @@
                 FEB58C13187B8B160098EF0B /* ErrorHandlingScope.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = ErrorHandlingScope.h; sourceTree = "<group>"; };
                 FEC160312339E9F900A04CB8 /* CellSize.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = CellSize.h; sourceTree = "<group>"; };
+                FEC3A39F248735BC00395B54 /* DFGDoesGCCheck.cpp */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.cpp.cpp; name = DFGDoesGCCheck.cpp; path = dfg/DFGDoesGCCheck.cpp; sourceTree = "<group>"; };
+                FEC3A3A0248735BC00395B54 /* DFGDoesGCCheck.h */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.c.h; name = DFGDoesGCCheck.h; path = dfg/DFGDoesGCCheck.h; sourceTree = "<group>"; };
                 FEC5797223105B4800BCA83F /* VMInspectorInlines.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = VMInspectorInlines.h; sourceTree = "<group>"; };
                 FEC5797423105F4200BCA83F /* Integrity.cpp */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.cpp.cpp; path = Integrity.cpp; sourceTree = "<group>"; };
@@ -7897 +7900 @@
                                 0F5A1271192D9FDF008764A3 /* DFGDoesGC.cpp */,
                                 0F5A1272192D9FDF008764A3 /* DFGDoesGC.h */,
+                                FEC3A39F248735BC00395B54 /* DFGDoesGCCheck.cpp */,
+                                FEC3A3A0248735BC00395B54 /* DFGDoesGCCheck.h */,
                                 0FD81AD0154FB4EB00983E72 /* DFGDominators.h */,
                                 0F1E3A441534CBAD000F9456 /* DFGDoubleFormatState.h */,
@@ -10197 +10202 @@
                                 0FE050281AA9095600D33B33 /* ScopedArguments.h in Headers */,
                                 0FE050291AA9095600D33B33 /* ScopedArgumentsTable.h in Headers */,
+                                FEC3A3A1248735CA00395B54 /* DFGDoesGCCheck.h in Headers */,
                                 0FE0502B1AA9095600D33B33 /* ScopeOffset.h in Headers */,
                                 0F24E55217EE274900ABB217 /* ScratchRegisterAllocator.h in Headers */,

trunk/Source/JavaScriptCore/Sources.txt

@@ -348 +348 @@
 dfg/DFGDisassembler.cpp
 dfg/DFGDoesGC.cpp
+dfg/DFGDoesGCCheck.cpp
 dfg/DFGDriver.cpp
 dfg/DFGEdge.cpp

trunk/Source/JavaScriptCore/assembler/MacroAssemblerARM64.h

@@ -1460 +1460 @@
     }
 
+    void store64(TrustedImm64 imm, const void* address)
+    {
+        if (!imm.m_value) {
+            store64(ARM64Registers::zr, address);
+            return;
+        }
+
+        moveToCachedReg(imm, dataMemoryTempRegister());
+        store64(dataTempRegister, address);
+    }
+
     void store64(TrustedImm32 imm, ImplicitAddress address)
     {

trunk/Source/JavaScriptCore/assembler/MacroAssemblerX86_64.h

@@ -978 +978 @@
     }
 
+    void store64(TrustedImm64 imm, void* address)
+    {
+        if (CAN_SIGN_EXTEND_32_64(imm.m_value)) {
+            auto addressReg = scratchRegister();
+            move(TrustedImmPtr(address), addressReg);
+            store64(TrustedImm32(static_cast<int32_t>(imm.m_value)), addressReg);
+            return;
+        }
+
+        auto src = scratchRegister();
+        move(imm, src);
+        swap(src, X86Registers::eax);
+        m_assembler.movq_EAXm(address);
+        swap(src, X86Registers::eax);
+    }
+
     void store64(TrustedImm64 imm, ImplicitAddress address)
     {

trunk/Source/JavaScriptCore/assembler/testmasm.cpp

@@ -659 +659 @@
     testCountTrailingZeros64Impl(wordCanBeZero);
 }
+
+void testStore64Imm64AddressPointer()
+{
+    auto doTest = [] (int64_t value) {
+        int64_t dest;
+        void* destAddress = &dest;
+
+        auto test = compile([=] (CCallHelpers& jit) {
+            emitFunctionPrologue(jit);
+            jit.store64(CCallHelpers::TrustedImm64(value), destAddress);
+            emitFunctionEpilogue(jit);
+            jit.ret();
+        });
+
+        invoke<size_t>(test);
+        CHECK_EQ(dest, value);
+    };
+    
+    for (auto value : int64Operands())
+        doTest(value);
+
+    doTest(0x98765555AAAA4321);
+    doTest(0xAAAA432198765555);
+}
+
 #endif // CPU(X86_64) || CPU(ARM64)
 
@@ -2500 +2525 @@
     RUN(testCountTrailingZeros64());
     RUN(testCountTrailingZeros64WithoutNullCheck());
+    RUN(testStore64Imm64AddressPointer());
 #endif
 

trunk/Source/JavaScriptCore/dfg/DFGGraph.cpp

@@ -63 +63 @@
 
 // Creates an array of stringized names.
-static const char* dfgOpNames[] = {
+const char* dfgOpNames[] = {
 #define STRINGIZE_DFG_OP_ENUM(opcode, flags) #opcode ,
     FOR_EACH_DFG_OP(STRINGIZE_DFG_OP_ENUM)

trunk/Source/JavaScriptCore/dfg/DFGOSRExit.cpp

@@ -147 +147 @@
         // We're about to exit optimized code. So, there's no longer any optimized
         // code running that expects no GC.
-        vm.heap.setExpectDoesGC(true);
+        vm.heap.setDoesGCExpectation(true, DoesGCCheck::Special::DFGOSRExit);
     }
 
@@ -556 +556 @@
         // materialization below (see emitRestoreArguments()).
 
-        // Even though we set Heap::m_expectDoesGC in compileOSRExit(), we also need
+        // Even though we set Heap::m_doesGC in compileOSRExit(), we also need
         // to set it here because compileOSRExit() is only called on the first time
         // we exit from this site, but all subsequent exits will take this compiled
         // ramp without calling compileOSRExit() first.
-        jit.store8(CCallHelpers::TrustedImm32(true), vm.heap.addressOfExpectDoesGC());
+        jit.store64(CCallHelpers::TrustedImm64(DoesGCCheck::encode(true, DoesGCCheck::Special::DFGOSRExit)), vm.heap.addressOfDoesGC());
     }
 

trunk/Source/JavaScriptCore/dfg/DFGSpeculativeJIT64.cpp

@@ -2139 +2139 @@
     if (validateDFGDoesGC) {
         bool expectDoesGC = doesGC(m_jit.graph(), node);
-        m_jit.store8(TrustedImm32(expectDoesGC), vm().heap.addressOfExpectDoesGC());
+        m_jit.store64(TrustedImm64(DoesGCCheck::encode(expectDoesGC, node->index(), node->op())), vm().heap.addressOfDoesGC());
     }
 

trunk/Source/JavaScriptCore/ftl/FTLLowerDFGToB3.cpp

@@ -705 +705 @@
         if (validateDFGDoesGC) {
             bool expectDoesGC = doesGC(m_graph, m_node);
-            m_out.store(m_out.constBool(expectDoesGC), m_out.absolute(vm().heap.addressOfExpectDoesGC()));
+            m_out.store(m_out.constInt64(DoesGCCheck::encode(expectDoesGC, m_node->index(), m_node->op())), m_out.absolute(vm().heap.addressOfDoesGC()));
         }
 

trunk/Source/JavaScriptCore/ftl/FTLOSRExitCompiler.cpp

@@ -212 +212 @@
         // materialization below.
 
-        // Even though we set Heap::m_expectDoesGC in compileFTLOSRExit(), we also need
+        // Even though we set Heap::m_doesGC in compileFTLOSRExit(), we also need
         // to set it here because compileFTLOSRExit() is only called on the first time
         // we exit from this site, but all subsequent exits will take this compiled
         // ramp without calling compileFTLOSRExit() first.
-        jit.store8(CCallHelpers::TrustedImm32(true), vm.heap.addressOfExpectDoesGC());
+        jit.store64(CCallHelpers::TrustedImm64(DoesGCCheck::encode(true, DoesGCCheck::Special::FTLOSRExit)), vm.heap.addressOfDoesGC());
     }
 
@@ -549 +549 @@
         // We're about to exit optimized code. So, there's no longer any optimized
         // code running that expects no GC.
-        vm.heap.setExpectDoesGC(true);
+        vm.heap.setDoesGCExpectation(true, DoesGCCheck::Special::FTLOSRExit);
     }
 

trunk/Source/JavaScriptCore/heap/CompleteSubspace.cpp

@@ -1 +1 @@
 /*
- * Copyright (C) 2017-2019 Apple Inc. All rights reserved.
+ * Copyright (C) 2017-2020 Apple Inc. All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
@@ -121 +121 @@
 {
     if (validateDFGDoesGC)
-        RELEASE_ASSERT(vm.heap.expectDoesGC());
+        vm.heap.verifyCanGC();
 
     sanitizeStackForVM(vm);
@@ -157 +157 @@
 {
     if (validateDFGDoesGC)
-        RELEASE_ASSERT(vm.heap.expectDoesGC());
+        vm.heap.verifyCanGC();
 
     // The following conditions are met in Butterfly for example.

trunk/Source/JavaScriptCore/heap/CompleteSubspaceInlines.h

@@ -1 +1 @@
 /*
- * Copyright (C) 2018-2019 Apple Inc. All rights reserved.
+ * Copyright (C) 2018-2020 Apple Inc. All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
@@ -34 +34 @@
 {
     if (validateDFGDoesGC)
-        RELEASE_ASSERT(vm.heap.expectDoesGC());
+        vm.heap.verifyCanGC();
 
     if (Allocator allocator = allocatorForNonVirtual(size, AllocatorForMode::AllocatorIfExists))

trunk/Source/JavaScriptCore/heap/DeferGC.h

@@ -1 +1 @@
 /*
- * Copyright (C) 2013-2019 Apple Inc. All rights reserved.
+ * Copyright (C) 2013-2020 Apple Inc. All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
@@ -46 +46 @@
     {
         if (validateDFGDoesGC)
-            RELEASE_ASSERT(m_heap.expectDoesGC());
+            m_heap.verifyCanGC();
         m_heap.decrementDeferralDepthAndGCIfNeeded();
     }

trunk/Source/JavaScriptCore/heap/GCDeferralContextInlines.h

@@ -1 +1 @@
 /*
- * Copyright (C) 2016-2019 Apple Inc. All rights reserved.
+ * Copyright (C) 2016-2020 Apple Inc. All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
@@ -39 +39 @@
 {
     if (validateDFGDoesGC)
-        RELEASE_ASSERT(m_heap.expectDoesGC());
+        m_heap.verifyCanGC();
 
     if (UNLIKELY(m_shouldGC))

trunk/Source/JavaScriptCore/heap/Heap.cpp

@@ -1 +1 @@
 /*
- *  Copyright (C) 2003-2019 Apple Inc. All rights reserved.
+ *  Copyright (C) 2003-2020 Apple Inc. All rights reserved.
  *  Copyright (C) 2007 Eric Seidel <eric@webkit.org>
  *
@@ -1065 +1065 @@
 {
     if (validateDFGDoesGC)
-        RELEASE_ASSERT(expectDoesGC());
+        verifyCanGC();
 
     switch (synchronousness) {
@@ -1098 +1098 @@
 {
     if (validateDFGDoesGC)
-        RELEASE_ASSERT(expectDoesGC());
+        verifyCanGC();
 
     if (!m_isSafeToCollect)
@@ -1122 +1122 @@
 {
     if (validateDFGDoesGC)
-        RELEASE_ASSERT(expectDoesGC());
+        verifyCanGC();
 
     if (!m_isSafeToCollect)
@@ -1785 +1785 @@
 {
     if (validateDFGDoesGC)
-        RELEASE_ASSERT(expectDoesGC());
+        verifyCanGC();
 
     while (stopIfNecessarySlow(m_worldState.load())) { }
@@ -1800 +1800 @@
 {
     if (validateDFGDoesGC)
-        RELEASE_ASSERT(expectDoesGC());
+        verifyCanGC();
 
     RELEASE_ASSERT(oldState & hasAccessBit);
@@ -2602 +2602 @@
     ASSERT(deferralContext || isDeferred() || !DisallowGC::isInEffectOnCurrentThread());
     if (validateDFGDoesGC)
-        RELEASE_ASSERT(expectDoesGC());
+        verifyCanGC();
 
     if (!m_isSafeToCollect)

trunk/Source/JavaScriptCore/heap/Heap.h

@@ -2 +2 @@
  *  Copyright (C) 1999-2000 Harri Porten (porten@kde.org)
  *  Copyright (C) 2001 Peter Kelly (pmk@post.com)
- *  Copyright (C) 2003-2019 Apple Inc. All rights reserved.
+ *  Copyright (C) 2003-2020 Apple Inc. All rights reserved.
  *
  *  This library is free software; you can redistribute it and/or
@@ -26 +26 @@
 #include "CollectionScope.h"
 #include "CollectorPhase.h"
+#include "DFGDoesGCCheck.h"
 #include "DeleteAllCodeEffort.h"
 #include "GCConductor.h"
@@ -304 +305 @@
 
 #if ENABLE(DFG_DOES_GC_VALIDATION)
-    bool expectDoesGC() const { return m_expectDoesGC; }
-    void setExpectDoesGC(bool value) { m_expectDoesGC = value; }
-    bool* addressOfExpectDoesGC() { return &m_expectDoesGC; }
+    DoesGCCheck* addressOfDoesGC() { return &m_doesGC; }
+    void setDoesGCExpectation(bool expectDoesGC, unsigned nodeIndex, unsigned nodeOp) { m_doesGC.set(expectDoesGC, nodeIndex, nodeOp); }
+    void setDoesGCExpectation(bool expectDoesGC, DoesGCCheck::Special special) { m_doesGC.set(expectDoesGC, special); }
+    void verifyCanGC() { m_doesGC.verifyCanGC(vm()); }
 #else
-    bool expectDoesGC() const { UNREACHABLE_FOR_PLATFORM(); return true; }
-    void setExpectDoesGC(bool) { UNREACHABLE_FOR_PLATFORM(); }
-    bool* addressOfExpectDoesGC() { UNREACHABLE_FOR_PLATFORM(); return nullptr; }
+    DoesGCCheck* addressOfDoesGC() { UNREACHABLE_FOR_PLATFORM(); return nullptr; }
+    void setDoesGCExpectation(bool, unsigned, unsigned) { }
+    void setDoesGCExpectation(bool, DoesGCCheck::Special) { }
+    void verifyCanGC() { }
 #endif
 
@@ -607 +610 @@
     Lock m_raceMarkStackLock;
 #if ENABLE(DFG_DOES_GC_VALIDATION)
-    bool m_expectDoesGC { true };
+    DoesGCCheck m_doesGC;
 #endif
 

trunk/Source/JavaScriptCore/heap/HeapInlines.h

@@ -237 +237 @@
 {
     if (validateDFGDoesGC)
-        RELEASE_ASSERT(expectDoesGC());
+        verifyCanGC();
 
     if (m_worldState.compareExchangeWeak(0, hasAccessBit))
@@ -264 +264 @@
 {
     if (validateDFGDoesGC)
-        RELEASE_ASSERT(expectDoesGC());
+        verifyCanGC();
 
     if (mayNeedToStop())

trunk/Source/JavaScriptCore/heap/LocalAllocatorInlines.h

@@ -34 +34 @@
 {
     if (validateDFGDoesGC)
-        RELEASE_ASSERT(heap.expectDoesGC());
+        heap.verifyCanGC();
     return m_freeList.allocate(
         [&] () -> HeapCell* {

trunk/Source/JavaScriptCore/heap/PreciseAllocation.cpp

@@ -44 +44 @@
 {
     if (validateDFGDoesGC)
-        RELEASE_ASSERT(heap.expectDoesGC());
+        heap.verifyCanGC();
 
     size_t adjustedAlignmentAllocationSize = headerSize() + size + halfAlignment;
@@ -124 +124 @@
 {
     if (validateDFGDoesGC)
-        RELEASE_ASSERT(heap.expectDoesGC());
+        heap.verifyCanGC();
 
     size_t adjustedAlignmentAllocationSize = headerSize() + size + halfAlignment;

trunk/Source/JavaScriptCore/runtime/JSString.h

@@ -734 +734 @@
 {
     if (validateDFGDoesGC)
-        RELEASE_ASSERT(vm.heap.expectDoesGC());
+        vm.heap.verifyCanGC();
     if (c <= maxSingleCharacterString)
         return vm.smallStrings.singleCharacterString(c);
@@ -764 +764 @@
 {
     if (validateDFGDoesGC)
-        RELEASE_ASSERT(vm().heap.expectDoesGC());
+        vm().heap.verifyCanGC();
     if (isRope())
         return static_cast<const JSRopeString*>(this)->resolveRopeToAtomString(globalObject);
@@ -773 +773 @@
 {
     if (validateDFGDoesGC)
-        RELEASE_ASSERT(vm().heap.expectDoesGC());
+        vm().heap.verifyCanGC();
     if (isRope())
         return static_cast<const JSRopeString*>(this)->resolveRopeToExistingAtomString(globalObject);
@@ -784 +784 @@
 {
     if (validateDFGDoesGC)
-        RELEASE_ASSERT(vm().heap.expectDoesGC());
+        vm().heap.verifyCanGC();
     if (isRope())
         return static_cast<const JSRopeString*>(this)->resolveRope(globalObject);
@@ -794 +794 @@
     if (allocationAllowed) {
         if (validateDFGDoesGC)
-            RELEASE_ASSERT(vm().heap.expectDoesGC());
+            vm().heap.verifyCanGC();
         if (isRope()) {
             // Pass nullptr for the JSGlobalObject so that resolveRope does not throw in the event of an OOM error.
@@ -984 +984 @@
 {
     if (validateDFGDoesGC)
-        RELEASE_ASSERT(vm().heap.expectDoesGC());
+        vm().heap.verifyCanGC();
     if (isSubstring()) {
         auto& base = substringBase()->valueInternal();
@@ -997 +997 @@
 {
     if (validateDFGDoesGC)
-        RELEASE_ASSERT(vm().heap.expectDoesGC());
+        vm().heap.verifyCanGC();
     if (isSubstring()) {
         auto& base = substringBase()->valueInternal();
@@ -1011 +1011 @@
 {
     if (validateDFGDoesGC)
-        RELEASE_ASSERT(vm().heap.expectDoesGC());
+        vm().heap.verifyCanGC();
     if (isRope())
         return static_cast<const JSRopeString*>(this)->unsafeView(globalObject);

trunk/Source/JavaScriptCore/runtime/RegExpMatchesArray.h

@@ -65 +65 @@
 {
     if (validateDFGDoesGC)
-        RELEASE_ASSERT(vm.heap.expectDoesGC());
+        vm.heap.verifyCanGC();
 
     Vector<int, 32> subpatternResults;