Changeset 275797 in webkit

Timestamp:

Apr 10, 2021 9:12:19 AM (3 years ago)

Author:

mark.lam@apple.com

Message:

Enable VMTraps checks in RETURN_IF_EXCEPTION.
​https://bugs.webkit.org/show_bug.cgi?id=224078
rdar://75037057

Reviewed by Keith Miller.

JSTests:

• stress/watchdog-fire-while-in-forEachInIterable.js: Added.

Source/JavaScriptCore:

In pre-existing code, termination of a VM's execution can already be requested
asynchronously (with respect to the mutator thread). For example, sources of such
a request can be a watchdog timer firing, or a request to stop execution issued
from a main web thread to a worker thread.

This request is made by firing the VMTraps::NeedTermination event on VMTraps.
Firing the event here only means setting a flag to indicate the presence of the
request. We still have to wait till the mutator thread reaches one of the
pre-designated polling check points to call VMTraps::handleTraps() in order to
service the request. As a result of this need to wait for a polling check point,
if the mutator is executing in a long running C++ loop, then a termination request
may not be serviced for a long time.

However, we observed that a lot of our C++ loops already have RETURN_IF_EXCEPTION
checks. Hence, if we can check VMTraps::needHandling() there, we can service the
VMTraps events more frequently even in a lot of C++ loops, and get a better response.

Full details of what this patch changes:

1. Shorten some type and methods names in the VMTraps class to make code easier to read e.g. EventType => Event, needTrapHandling => needHandling.

2. Remove the VMTraps::Mask class. Mask was introduced so that we can express a concatenation of multiple VMTraps events to form a bit mask in a simple way. In the end, it isn't flexible enough but makes the code more complicated than necessary. It is now replaced by the simpler solution of using macros to define the Events as bit fields. Having Events as bit fields intrinsically make them easy to concatenate (bitwise or) or filter (bitwise and).

Also removed the unused VMTraps::Error class.

3. Make VMTraps::BitField a uint32_t. There was always unused padding in VMTraps to allow for this. So, we'll just extend it to a full 32-bit to make it easier to add more events in the future for other uses.

4. Add NeedExceptionHandling as a VMTrap::Event.

5. Make VMTraps::m_trapBits Atomic. This makes it easier to set and clear the NeedExceptionHandling bit from the mutator without a lock.

6. RETURN_IF_EXCEPTION now checks VMTraps::m_trapBits (via VMTraps::needHandling()) instead of checking VM::m_exception. If the VMTraps::m_trapBits is non-null, the macro will call VM:hasExceptionsAfterHandlingTraps() to service VMTraps events as appropriate before returning whether an exception is being thrown. The result of VM:hasExceptionsAfterHandlingTraps() will determine if RETURN_IF_EXCEPTION returns or not.

VM:hasExceptionsAfterHandlingTraps() is intentionally designed to take a minimum
of arguments (just the VM as this pointer). This is because RETURN_IF_EXCEPTION
is called from many places, and we would like to minimize code size bloating
from this change.

7. Simplify paramaters of VMTraps::handleTraps().

NeedDebuggerBreak's callFrame argument was always vm.topCallFrame anyway.
So, the patch makes it explicit, and removes the callFrame parameter.

NeedWatchdogCheck's globalObject argument should have always been
vm.entryScope->globalObject(), and we can remove the globalObject parameter.

Before this, we pass in whichever globalObject was convenient to grab hold of.
However, the idea of the watchdog is to time out the current script executing
on the stack. Hence, it makes sense to identify thay script by the globalObject
in use at VM entry.

So far, the only clients that uses the watchdog mechanism only operates in
scenarios with only one globalObject anyway. So this formalization to use
VMEntryScope's globalObject does not change the expected behavior.

8. Make the execution of termination more robust. Before reading this, please read the description of the Events in VMTraps.h first, especially the section on NeedTermination.

Here's the life cycle of a termination:

1. a client requests termination of the current execution stack by calling VM::notifyNeedTermination(). notifyNeedTermination() does 2 things:

1. fire the NeedTermination event on VMTraps.

1. set the VM::m_terminationInProgress flag.

2. Firing the NeedTermination event on VMTraps means setting the NeedTermination bit on VMTraps::m_trapBits. This bit will be polled by the mutator thread later at various designated points (including RETURN_IF_EXCEPTION, which we added in this patch).

Once the mutator sees the NeedTermination bit is set, it will clear the bit
and throw the TerminationException (see VMTraps::handleTraps()). This is
unless the mutator thread is currently in a DeferTermination scope (see (8)
below). If in a DeferTermination scope, then it will not throw the
TerminationException.

Since the NeedTermination bit is cleared, the VM will no longer call
VMTraps::handleTraps() to service the event. If the mutator thread is in
a DeferTermination scope, then on exiting the scope (at scope destruction),
the scope will see that VM::m_terminationInProgress is set, and throw the
deferred TerminationException then.

3. The TerminationException will trigger unwinding out of the current stack until we get to the outermost VMEntryScope.

4. At the the outermost VMEntryScope, we will clear VM::m_terminationInProgress if the NeedTermination bit in VMtraps::m_trapBits is cleared.

If the NeedTermination bit is set, then that means we haven't thrown the
TerminationException yet. Currently, clients expect that we must throw the
TerminationException if NeedTermination was requested (again, read comments
at the top of VMTraps.h).

If the NeedTermination bit is set, we'll leave VM::m_terminationInProgress
set until the next time we re-enter the VM and exit to the outermost
VMEntryScope.

5. The purpose of VM::m_terminationInProgress is to provide a summary of the fact that the VM is in a state of trying to terminate the current stack.

Note that this state is first indicated by the NeedTermination bit being set
in VMTraps::m_trapBits. Then, in VMTraps::handleTraps(), the state is
handed of with the NeedTermination bit being cleared, and the
TerminationException being thrown.

While the VM is in this termination state, we need to prevent new DFG/FTL
JIT code from being compiled and run. The reason is the firing of the
NeedTermination event has invalidated DFG/FTL code on the stack, thereby
allowing their baseline / LLInt versions which have VMTraps polling checks
to run. We don't want to compile new DFG / FTL code and possibly get stuck
in loops in there before the termination is complete.

In operationOptimize(), we check if VM::m_terminationInProgress is set, and
prevent new DFG (and therefore FTL) code from being compiled if needed.
Note: it is easier to check a single flag, VM::m_terminationInProgress,
then to check both if the NeedTermination bit is set or if the
TerminationException is being being thrown.

9. One complication of being able to service VMTraps in RETURN_IF_EXCEPTION checks is that some of our code (usually for lengthier initializations and bootstrapping) currently does not handle exceptions well, e.g. JSGlobalObject::init(). They rely on the code crashing if an exception is thrown while still initializing.

However, for a worker thread, a TerminationException (requested by the main
thread) may arrive before the initialization is complete. This can lead to
crashes because part of the initialization may be aborted in the presence of
an exception, while other parts still expect everything prior to have been
initialized correctly. For resource exhaustion cases (which is abnormal), it
is OK to crash. For the TerminationException (which can be part of normal
operation), we should not be crashing.

To work around this, we introduce a DeferTermination RAII scope object that we
deploy in this type of initialization code. With the scope in effect,

1. if a TerminationException arrives but hasn't been thrown yet, it will be deferred till the scope ends before being thrown.
2. if a TerminationException has already been thrown, the scope will stash the exception, clear it from the VM so that the initialization code can run to completion, and then re-throw the exception when the scope ends.

Currently, we only need to use the DeferTermination scope in a few places
where we know that initialization code will only run for a short period of time.

DeferTermination should not be used for code that can block waiting on an
external event for a long time. Obviously, doing so will prevent the VM
termination mechanism from working.

10. Replaced llint_slow_path_check_if_exception_is_uncatchable_and_notify_profiler

and operationCheckIfExceptionIsUncatchableAndNotifyProfiler with
llint_slow_path_retrieve_and_clear_exception_if_catchable and
operationRetrieveAndClearExceptionIfCatchable.

The 2 runtime functions doesn't actually do anything to notify a profiler.
So, we drop that part of the name.

After returning from these runtime functions respectively, the previous LLInt
and JIT code, which calls these runtimes functions, would go on to load
VM::m_exception, and then store a nullptr there to clear it. This is wasteful.

This patch changes the runtime function to clear and return the Exception
instead. As a result, the calling LLInt and JIT code is simplified a bit.

Note also that clearing an exception now also entails clearing the
NeedExceptionHandling bit in VMTraps::m_trapBits in an atomic way. The above
change makes it easy to do this clearing with C++ code.

11. Fix ScriptFunctionCall::call() to handle exceptions correctly. Previously,

it had one case where it propagates an exception, while another eats it.
Change this function to eat the exception in both cases. This is approproiate
because ScriptFunctionCall is only used to execute some Inspector instrumentation
calls. It doesn't make sense to propagate the exception back to user code.

12. Fix the lazy initialization of JSGlobalObject::m_defaultCollator to be able to

handle the TerminationException.

13. Not related to TerminationException, but this patch also fixes

MarkedArgumentBuffer::expandCapacity() to use Gigacage::tryMalloc() instead of
Gigacage::malloc(). This is needed as one of the fixes to make the
accompanying test case work.

This patch increases code size by 320K (144K for JSC, 176K for WebCore) measured
on x86_64.

• CMakeLists.txt:
• JavaScriptCore.xcodeproj/project.pbxproj:
• assembler/MacroAssemblerARM64.h:

(JSC::MacroAssemblerARM64::branchTest32):

• assembler/MacroAssemblerARMv7.h:

(JSC::MacroAssemblerARMv7::branchTest32):

• assembler/MacroAssemblerMIPS.h:

(JSC::MacroAssemblerMIPS::branchTest32):

• assembler/MacroAssemblerX86Common.h:

(JSC::MacroAssemblerX86Common::branchTest32):

• bindings/ScriptFunctionCall.cpp:

(Deprecated::ScriptFunctionCall::call):

• dfg/DFGSpeculativeJIT.cpp:

(JSC::DFG::SpeculativeJIT::compileCheckTraps):

• ftl/FTLLowerDFGToB3.cpp:

(JSC::FTL::DFG::LowerDFGToB3::compileCheckTraps):

• interpreter/Interpreter.cpp:

(JSC::Interpreter::executeProgram):
(JSC::Interpreter::executeCall):
(JSC::Interpreter::executeConstruct):
(JSC::Interpreter::execute):
(JSC::Interpreter::executeModuleProgram):

• interpreter/InterpreterInlines.h:

(JSC::Interpreter::execute):

• jit/JITOpcodes.cpp:

(JSC::JIT::emit_op_catch):
(JSC::JIT::emit_op_check_traps):

• jit/JITOpcodes32_64.cpp:

(JSC::JIT::emit_op_catch):

• jit/JITOperations.cpp:

(JSC::JSC_DEFINE_JIT_OPERATION):

• jit/JITOperations.h:
• llint/LLIntSlowPaths.cpp:

(JSC::LLInt::LLINT_SLOW_PATH_DECL):

• llint/LLIntSlowPaths.h:
• llint/LowLevelInterpreter.asm:
• llint/LowLevelInterpreter32_64.asm:
• llint/LowLevelInterpreter64.asm:
• runtime/ArgList.cpp:

(JSC::MarkedArgumentBuffer::expandCapacity):

• runtime/DeferTermination.h: Added.

(JSC::DeferTermination::DeferTermination):
(JSC::DeferTermination::~DeferTermination):

• runtime/ExceptionScope.h:

(JSC::ExceptionScope::exception const):
(JSC::ExceptionScope::exception): Deleted.

• runtime/JSGlobalObject.cpp:

(JSC::JSGlobalObject::init):
(JSC::JSGlobalObject::finishCreation):

• runtime/LazyPropertyInlines.h:

(JSC::ElementType>::callFunc):

• runtime/StringPrototype.cpp:

(JSC::JSC_DEFINE_HOST_FUNCTION):

• runtime/VM.cpp:

(JSC::VM::hasExceptionsAfterHandlingTraps):
(JSC::VM::clearException):
(JSC::VM::setException):
(JSC::VM::throwTerminationException):
(JSC::VM::throwException):

• runtime/VM.h:

(JSC::VM::terminationInProgress const):
(JSC::VM::setTerminationInProgress):
(JSC::VM::notifyNeedTermination):
(JSC::VM::DeferExceptionScope::DeferExceptionScope):
(JSC::VM::DeferExceptionScope::~DeferExceptionScope):
(JSC::VM::handleTraps): Deleted.
(JSC::VM::needTrapHandling): Deleted.
(JSC::VM::needTrapHandlingAddress): Deleted.
(JSC::VM::setException): Deleted.
(JSC::VM::clearException): Deleted.

• runtime/VMEntryScope.cpp:

(JSC::VMEntryScope::~VMEntryScope):

• runtime/VMTraps.cpp:

(JSC::VMTraps::tryInstallTrapBreakpoints):
(JSC::VMTraps::fireTrap):
(JSC::VMTraps::handleTraps):
(JSC::VMTraps::takeTopPriorityTrap):
(JSC::VMTraps::deferTermination):
(JSC::VMTraps::undoDeferTermination):

• runtime/VMTraps.h:

(JSC::VMTraps::onlyContainsAsyncEvents):
(JSC::VMTraps::needHandling const):
(JSC::VMTraps::trapBitsAddress):
(JSC::VMTraps::isDeferringTermination const):
(JSC::VMTraps::notifyGrabAllLocks):
(JSC::VMTraps::hasTrapBit):
(JSC::VMTraps::clearTrapBit):
(JSC::VMTraps::setTrapBit):
(JSC::VMTraps::Mask::Mask): Deleted.
(JSC::VMTraps::Mask::allEventTypes): Deleted.
(JSC::VMTraps::Mask::bits const): Deleted.
(JSC::VMTraps::Mask::init): Deleted.
(JSC::VMTraps::interruptingTraps): Deleted.
(JSC::VMTraps::needTrapHandling): Deleted.
(JSC::VMTraps::needTrapHandlingAddress): Deleted.
(JSC::VMTraps::hasTrapForEvent): Deleted.
(JSC::VMTraps::setTrapForEvent): Deleted.
(JSC::VMTraps::clearTrapForEvent): Deleted.

Source/WebCore:

1. Add DeferTermination in WorkerOrWorkletScriptController::initScript(). This allows us to avoid having to make all exception checking in WorkerOrWorkletScriptController::initScript() very thorough and complete. Currently, they aren't.

2. Fix WorkerOrWorkletScriptController::evaluate() to handle the TerminationException.

3. Fix JSEventListener::handleEvent() to handle the TerminationException correctly. Previously, in one case, it was checking scope.exception() for the exception, but the exception has already been taken out of there.

• bindings/js/JSEventListener.cpp:

(WebCore::JSEventListener::handleEvent):

• workers/WorkerOrWorkletScriptController.cpp:

(WebCore::WorkerOrWorkletScriptController::evaluate):
(WebCore::WorkerOrWorkletScriptController::initScript):

Location:

trunk

Files:

• JSTests/ChangeLog (modified) (1 diff)
• JSTests/stress/watchdog-fire-while-in-forEachInIterable.js (added)
• Source/JavaScriptCore/CMakeLists.txt (modified) (1 diff)
• Source/JavaScriptCore/ChangeLog (modified) (1 diff)
• Source/JavaScriptCore/JavaScriptCore.xcodeproj/project.pbxproj (modified) (4 diffs)
• Source/JavaScriptCore/assembler/MacroAssemblerARM64.h (modified) (2 diffs)
• Source/JavaScriptCore/assembler/MacroAssemblerARMv7.h (modified) (2 diffs)
• Source/JavaScriptCore/assembler/MacroAssemblerMIPS.h (modified) (2 diffs)
• Source/JavaScriptCore/assembler/MacroAssemblerX86Common.h (modified) (2 diffs)
• Source/JavaScriptCore/bindings/ScriptFunctionCall.cpp (modified) (2 diffs)
• Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp (modified) (2 diffs)
• Source/JavaScriptCore/ftl/FTLLowerDFGToB3.cpp (modified) (2 diffs)
• Source/JavaScriptCore/interpreter/Interpreter.cpp (modified) (5 diffs)
• Source/JavaScriptCore/interpreter/InterpreterInlines.h (modified) (2 diffs)
• Source/JavaScriptCore/jit/JITOpcodes.cpp (modified) (2 diffs)
• Source/JavaScriptCore/jit/JITOpcodes32_64.cpp (modified) (1 diff)
• Source/JavaScriptCore/jit/JITOperations.cpp (modified) (4 diffs)
• Source/JavaScriptCore/jit/JITOperations.h (modified) (2 diffs)
• Source/JavaScriptCore/llint/LLIntSlowPaths.cpp (modified) (3 diffs)
• Source/JavaScriptCore/llint/LLIntSlowPaths.h (modified) (2 diffs)
• Source/JavaScriptCore/llint/LowLevelInterpreter.asm (modified) (3 diffs)
• Source/JavaScriptCore/llint/LowLevelInterpreter32_64.asm (modified) (2 diffs)
• Source/JavaScriptCore/llint/LowLevelInterpreter64.asm (modified) (2 diffs)
• Source/JavaScriptCore/runtime/ArgList.cpp (modified) (1 diff)
• Source/JavaScriptCore/runtime/DeferTermination.h (added)
• Source/JavaScriptCore/runtime/ExceptionScope.h (modified) (4 diffs)
• Source/JavaScriptCore/runtime/JSGlobalObject.cpp (modified) (4 diffs)
• Source/JavaScriptCore/runtime/LazyPropertyInlines.h (modified) (1 diff)
• Source/JavaScriptCore/runtime/StringPrototype.cpp (modified) (2 diffs)
• Source/JavaScriptCore/runtime/VM.cpp (modified) (3 diffs)
• Source/JavaScriptCore/runtime/VM.h (modified) (6 diffs)
• Source/JavaScriptCore/runtime/VMEntryScope.cpp (modified) (2 diffs)
• Source/JavaScriptCore/runtime/VMTraps.cpp (modified) (7 diffs)
• Source/JavaScriptCore/runtime/VMTraps.h (modified) (5 diffs)
• Source/WebCore/ChangeLog (modified) (1 diff)
• Source/WebCore/bindings/js/JSEventListener.cpp (modified) (4 diffs)
• Source/WebCore/workers/WorkerOrWorkletScriptController.cpp (modified) (3 diffs)

trunk/JSTests/ChangeLog

@@ +1 @@
+2021-04-10  Mark Lam  <mark.lam@apple.com>
+
+        Enable VMTraps checks in RETURN_IF_EXCEPTION.
+        https://bugs.webkit.org/show_bug.cgi?id=224078
+        rdar://75037057
+
+        Reviewed by Keith Miller.
+
+        * stress/watchdog-fire-while-in-forEachInIterable.js: Added.
+
 2021-04-07  Yusuke Suzuki  <ysuzuki@apple.com>
 

trunk/Source/JavaScriptCore/CMakeLists.txt

@@ -877 +877 @@
     runtime/DateInstance.h
     runtime/DateInstanceCache.h
+    runtime/DeferTermination.h
     runtime/DeferredWorkTimer.h
     runtime/DefinePropertyAttributes.h

trunk/Source/JavaScriptCore/ChangeLog

@@ +1 @@
+2021-04-10  Mark Lam  <mark.lam@apple.com>
+
+        Enable VMTraps checks in RETURN_IF_EXCEPTION.
+        https://bugs.webkit.org/show_bug.cgi?id=224078
+        rdar://75037057
+
+        Reviewed by Keith Miller.
+
+        In pre-existing code, termination of a VM's execution can already be requested
+        asynchronously (with respect to the mutator thread).  For example, sources of such
+        a request can be a watchdog timer firing, or a request to stop execution issued
+        from a main web thread to a worker thread.
+
+        This request is made by firing the VMTraps::NeedTermination event on VMTraps.
+        Firing the event here only means setting a flag to indicate the presence of the
+        request.  We still have to wait till the mutator thread reaches one of the
+        pre-designated polling check points to call VMTraps::handleTraps() in order to
+        service the request.  As a result of this need to wait for a polling check point,
+        if the mutator is executing in a long running C++ loop, then a termination request
+        may not be serviced for a long time.
+
+        However, we observed that a lot of our C++ loops already have RETURN_IF_EXCEPTION
+        checks.  Hence, if we can check VMTraps::needHandling() there, we can service the
+        VMTraps events more frequently even in a lot of C++ loops, and get a better response.
+
+        Full details of what this patch changes:
+
+        1. Shorten some type and methods names in the VMTraps class to make code easier to
+           read e.g. EventType => Event, needTrapHandling => needHandling.
+
+        2. Remove the VMTraps::Mask class.  Mask was introduced so that we can express a
+           concatenation of multiple VMTraps events to form a bit mask in a simple way.
+           In the end, it isn't flexible enough but makes the code more complicated than
+           necessary.  It is now replaced by the simpler solution of using macros to define
+           the Events as bit fields.  Having Events as bit fields intrinsically make them
+           easy to concatenate (bitwise or) or filter (bitwise and).
+
+           Also removed the unused VMTraps::Error class.
+
+        3. Make VMTraps::BitField a uint32_t.  There was always unused padding in VMTraps
+           to allow for this.  So, we'll just extend it to a full 32-bit to make it easier
+           to add more events in the future for other uses.
+
+        4. Add NeedExceptionHandling as a VMTrap::Event.
+
+        5. Make VMTraps::m_trapBits Atomic.  This makes it easier to set and clear the
+           NeedExceptionHandling bit from the mutator without a lock.
+
+        6. RETURN_IF_EXCEPTION now checks VMTraps::m_trapBits (via VMTraps::needHandling())
+           instead of checking VM::m_exception.  If the VMTraps::m_trapBits is non-null,
+           the macro will call VM:hasExceptionsAfterHandlingTraps() to service VMTraps
+           events as appropriate before returning whether an exception is being thrown.
+           The result of VM:hasExceptionsAfterHandlingTraps() will determine if
+           RETURN_IF_EXCEPTION returns or not.
+
+           VM:hasExceptionsAfterHandlingTraps() is intentionally designed to take a minimum
+           of arguments (just the VM as this pointer).  This is because RETURN_IF_EXCEPTION
+           is called from many places, and we would like to minimize code size bloating
+           from this change.
+
+        7. Simplify paramaters of VMTraps::handleTraps().
+
+           NeedDebuggerBreak's callFrame argument was always vm.topCallFrame anyway.
+           So, the patch makes it explicit, and removes the callFrame parameter.
+
+           NeedWatchdogCheck's globalObject argument should have always been
+           vm.entryScope->globalObject(), and we can remove the globalObject parameter.
+
+           Before this, we pass in whichever globalObject was convenient to grab hold of.
+           However, the idea of the watchdog is to time out the current script executing
+           on the stack.  Hence, it makes sense to identify thay script by the globalObject
+           in use at VM entry.
+
+           So far, the only clients that uses the watchdog mechanism only operates in
+           scenarios with only one globalObject anyway.  So this formalization to use
+           VMEntryScope's globalObject does not change the expected behavior.
+
+        8. Make the execution of termination more robust.  Before reading this, please
+           read the description of the Events in VMTraps.h first, especially the section
+           on NeedTermination.
+
+           Here's the life cycle of a termination:
+
+           a. a client requests termination of the current execution stack by calling
+              VM::notifyNeedTermination().  notifyNeedTermination() does 2 things:
+
+               i. fire the NeedTermination event on VMTraps.
+              ii. set the VM::m_terminationInProgress flag.
+
+           b. Firing the NeedTermination event on VMTraps means setting the NeedTermination
+              bit on VMTraps::m_trapBits.  This bit will be polled by the mutator thread
+              later at various designated points (including RETURN_IF_EXCEPTION, which we
+              added in this patch).
+
+              Once the mutator sees the NeedTermination bit is set, it will clear the bit
+              and throw the TerminationException (see VMTraps::handleTraps()).  This is
+              unless the mutator thread is currently in a DeferTermination scope (see (8)
+              below).  If in a DeferTermination scope, then it will not throw the
+              TerminationException.
+
+              Since the NeedTermination bit is cleared, the VM will no longer call
+              VMTraps::handleTraps() to service the event.  If the mutator thread is in
+              a DeferTermination scope, then on exiting the scope (at scope destruction),
+              the scope will see that VM::m_terminationInProgress is set, and throw the
+              deferred TerminationException then.
+
+           c. The TerminationException will trigger unwinding out of the current stack
+              until we get to the outermost VMEntryScope.
+
+           d. At the the outermost VMEntryScope, we will clear VM::m_terminationInProgress
+              if the NeedTermination bit in VMtraps::m_trapBits is cleared.
+
+              If the NeedTermination bit is set, then that means we haven't thrown the
+              TerminationException yet.  Currently, clients expect that we must throw the
+              TerminationException if NeedTermination was requested (again, read comments
+              at the top of VMTraps.h).
+
+              If the NeedTermination bit is set, we'll leave VM::m_terminationInProgress
+              set until the next time we re-enter the VM and exit to the outermost
+              VMEntryScope.
+
+           e. The purpose of VM::m_terminationInProgress is to provide a summary of the
+              fact that the VM is in a state of trying to terminate the current stack.
+
+              Note that this state is first indicated by the NeedTermination bit being set
+              in VMTraps::m_trapBits.  Then, in VMTraps::handleTraps(), the state is
+              handed of with the NeedTermination bit being cleared, and the
+              TerminationException being thrown.
+
+              While the VM is in this termination state, we need to prevent new DFG/FTL
+              JIT code from being compiled and run.  The reason is the firing of the
+              NeedTermination event has invalidated DFG/FTL code on the stack, thereby
+              allowing their baseline / LLInt versions which have VMTraps polling checks
+              to run.  We don't want to compile new DFG / FTL code and possibly get stuck
+              in loops in there before the termination is complete.
+
+              In operationOptimize(), we check if VM::m_terminationInProgress is set, and
+              prevent new DFG (and therefore FTL) code from being compiled if needed.
+              Note: it is easier to check a single flag, VM::m_terminationInProgress,
+              then to check both if the NeedTermination bit is set or if the
+              TerminationException is being being thrown.
+
+        9. One complication of being able to service VMTraps in RETURN_IF_EXCEPTION checks
+           is that some of our code (usually for lengthier initializations and bootstrapping)
+           currently does not handle exceptions well, e.g. JSGlobalObject::init().  They
+           rely on the code crashing if an exception is thrown while still initializing.
+
+           However, for a worker thread, a TerminationException (requested by the main
+           thread) may arrive before the initialization is complete.  This can lead to
+           crashes because part of the initialization may be aborted in the presence of
+           an exception, while other parts still expect everything prior to have been
+           initialized correctly.  For resource exhaustion cases (which is abnormal), it
+           is OK to crash.  For the TerminationException (which can be part of normal
+           operation), we should not be crashing.
+
+           To work around this, we introduce a DeferTermination RAII scope object that we
+           deploy in this type of initialization code.  With the scope in effect,
+
+           a. if a TerminationException arrives but hasn't been thrown yet, it will be
+              deferred till the scope ends before being thrown.
+           b. if a TerminationException has already been thrown, the scope will stash
+              the exception, clear it from the VM so that the initialization code can
+              run to completion, and then re-throw the exception when the scope ends.
+
+           Currently, we only need to use the DeferTermination scope in a few places
+           where we know that initialization code will only run for a short period of time.
+
+           DeferTermination should not be used for code that can block waiting on an
+           external event for a long time.  Obviously, doing so will prevent the VM
+           termination mechanism from working.
+
+       10. Replaced llint_slow_path_check_if_exception_is_uncatchable_and_notify_profiler
+           and operationCheckIfExceptionIsUncatchableAndNotifyProfiler with
+           llint_slow_path_retrieve_and_clear_exception_if_catchable and
+           operationRetrieveAndClearExceptionIfCatchable.
+
+           The 2 runtime functions doesn't actually do anything to notify a profiler.
+           So, we drop that part of the name.
+
+           After returning from these runtime functions respectively, the previous LLInt
+           and JIT code, which calls these runtimes functions, would go on to load
+           VM::m_exception, and then store a nullptr there to clear it.  This is wasteful.
+
+           This patch changes the runtime function to clear and return the Exception
+           instead.  As a result, the calling LLInt and JIT code is simplified a bit.
+
+           Note also that clearing an exception now also entails clearing the
+           NeedExceptionHandling bit in VMTraps::m_trapBits in an atomic way.  The above
+           change makes it easy to do this clearing with C++ code.
+
+       11. Fix ScriptFunctionCall::call() to handle exceptions correctly.  Previously,
+           it had one case where it propagates an exception, while another eats it.
+           Change this function to eat the exception in both cases.  This is approproiate
+           because ScriptFunctionCall is only used to execute some Inspector instrumentation
+           calls.  It doesn't make sense to propagate the exception back to user code.
+
+       12. Fix the lazy initialization of JSGlobalObject::m_defaultCollator to be able to
+           handle the TerminationException.
+
+       13. Not related to TerminationException, but this patch also fixes
+           MarkedArgumentBuffer::expandCapacity() to use Gigacage::tryMalloc() instead of
+           Gigacage::malloc().  This is needed as one of the fixes to make the
+           accompanying test case work.
+
+        This patch increases code size by 320K (144K for JSC, 176K for WebCore) measured
+        on x86_64.
+
+        * CMakeLists.txt:
+        * JavaScriptCore.xcodeproj/project.pbxproj:
+        * assembler/MacroAssemblerARM64.h:
+        (JSC::MacroAssemblerARM64::branchTest32):
+        * assembler/MacroAssemblerARMv7.h:
+        (JSC::MacroAssemblerARMv7::branchTest32):
+        * assembler/MacroAssemblerMIPS.h:
+        (JSC::MacroAssemblerMIPS::branchTest32):
+        * assembler/MacroAssemblerX86Common.h:
+        (JSC::MacroAssemblerX86Common::branchTest32):
+        * bindings/ScriptFunctionCall.cpp:
+        (Deprecated::ScriptFunctionCall::call):
+        * dfg/DFGSpeculativeJIT.cpp:
+        (JSC::DFG::SpeculativeJIT::compileCheckTraps):
+        * ftl/FTLLowerDFGToB3.cpp:
+        (JSC::FTL::DFG::LowerDFGToB3::compileCheckTraps):
+        * interpreter/Interpreter.cpp:
+        (JSC::Interpreter::executeProgram):
+        (JSC::Interpreter::executeCall):
+        (JSC::Interpreter::executeConstruct):
+        (JSC::Interpreter::execute):
+        (JSC::Interpreter::executeModuleProgram):
+        * interpreter/InterpreterInlines.h:
+        (JSC::Interpreter::execute):
+        * jit/JITOpcodes.cpp:
+        (JSC::JIT::emit_op_catch):
+        (JSC::JIT::emit_op_check_traps):
+        * jit/JITOpcodes32_64.cpp:
+        (JSC::JIT::emit_op_catch):
+        * jit/JITOperations.cpp:
+        (JSC::JSC_DEFINE_JIT_OPERATION):
+        * jit/JITOperations.h:
+        * llint/LLIntSlowPaths.cpp:
+        (JSC::LLInt::LLINT_SLOW_PATH_DECL):
+        * llint/LLIntSlowPaths.h:
+        * llint/LowLevelInterpreter.asm:
+        * llint/LowLevelInterpreter32_64.asm:
+        * llint/LowLevelInterpreter64.asm:
+        * runtime/ArgList.cpp:
+        (JSC::MarkedArgumentBuffer::expandCapacity):
+        * runtime/DeferTermination.h: Added.
+        (JSC::DeferTermination::DeferTermination):
+        (JSC::DeferTermination::~DeferTermination):
+        * runtime/ExceptionScope.h:
+        (JSC::ExceptionScope::exception const):
+        (JSC::ExceptionScope::exception): Deleted.
+        * runtime/JSGlobalObject.cpp:
+        (JSC::JSGlobalObject::init):
+        (JSC::JSGlobalObject::finishCreation):
+        * runtime/LazyPropertyInlines.h:
+        (JSC::ElementType>::callFunc):
+        * runtime/StringPrototype.cpp:
+        (JSC::JSC_DEFINE_HOST_FUNCTION):
+        * runtime/VM.cpp:
+        (JSC::VM::hasExceptionsAfterHandlingTraps):
+        (JSC::VM::clearException):
+        (JSC::VM::setException):
+        (JSC::VM::throwTerminationException):
+        (JSC::VM::throwException):
+        * runtime/VM.h:
+        (JSC::VM::terminationInProgress const):
+        (JSC::VM::setTerminationInProgress):
+        (JSC::VM::notifyNeedTermination):
+        (JSC::VM::DeferExceptionScope::DeferExceptionScope):
+        (JSC::VM::DeferExceptionScope::~DeferExceptionScope):
+        (JSC::VM::handleTraps): Deleted.
+        (JSC::VM::needTrapHandling): Deleted.
+        (JSC::VM::needTrapHandlingAddress): Deleted.
+        (JSC::VM::setException): Deleted.
+        (JSC::VM::clearException): Deleted.
+        * runtime/VMEntryScope.cpp:
+        (JSC::VMEntryScope::~VMEntryScope):
+        * runtime/VMTraps.cpp:
+        (JSC::VMTraps::tryInstallTrapBreakpoints):
+        (JSC::VMTraps::fireTrap):
+        (JSC::VMTraps::handleTraps):
+        (JSC::VMTraps::takeTopPriorityTrap):
+        (JSC::VMTraps::deferTermination):
+        (JSC::VMTraps::undoDeferTermination):
+        * runtime/VMTraps.h:
+        (JSC::VMTraps::onlyContainsAsyncEvents):
+        (JSC::VMTraps::needHandling const):
+        (JSC::VMTraps::trapBitsAddress):
+        (JSC::VMTraps::isDeferringTermination const):
+        (JSC::VMTraps::notifyGrabAllLocks):
+        (JSC::VMTraps::hasTrapBit):
+        (JSC::VMTraps::clearTrapBit):
+        (JSC::VMTraps::setTrapBit):
+        (JSC::VMTraps::Mask::Mask): Deleted.
+        (JSC::VMTraps::Mask::allEventTypes): Deleted.
+        (JSC::VMTraps::Mask::bits const): Deleted.
+        (JSC::VMTraps::Mask::init): Deleted.
+        (JSC::VMTraps::interruptingTraps): Deleted.
+        (JSC::VMTraps::needTrapHandling): Deleted.
+        (JSC::VMTraps::needTrapHandlingAddress): Deleted.
+        (JSC::VMTraps::hasTrapForEvent): Deleted.
+        (JSC::VMTraps::setTrapForEvent): Deleted.
+        (JSC::VMTraps::clearTrapForEvent): Deleted.
+
 2021-04-09  Alexey Shvayka  <shvaikalesh@gmail.com>
 

trunk/Source/JavaScriptCore/JavaScriptCore.xcodeproj/project.pbxproj

@@ -1993 +1993 @@
                 FE99B2491C24C3D300C82159 /* JITNegGenerator.h in Headers */ = {isa = PBXBuildFile; fileRef = FE99B2481C24B6D300C82159 /* JITNegGenerator.h */; };
                 FE9F3FB92613C7890069E89F /* ResourceExhaustion.h in Headers */ = {isa = PBXBuildFile; fileRef = FE9F3FB82613C7880069E89F /* ResourceExhaustion.h */; };
+                FE9F3FC826163CA90069E89F /* DeferTermination.h in Headers */ = {isa = PBXBuildFile; fileRef = FE9F3FC626163CA90069E89F /* DeferTermination.h */; settings = {ATTRIBUTES = (Private, ); }; };
                 FEA08620182B7A0400F6D851 /* Breakpoint.h in Headers */ = {isa = PBXBuildFile; fileRef = FEA0861E182B7A0400F6D851 /* Breakpoint.h */; settings = {ATTRIBUTES = (Private, ); }; };
                 FEA08621182B7A0400F6D851 /* DebuggerPrimitives.h in Headers */ = {isa = PBXBuildFile; fileRef = FEA0861F182B7A0400F6D851 /* DebuggerPrimitives.h */; settings = {ATTRIBUTES = (Private, ); }; };
@@ -5364 +5365 @@
                 FE9F3FB82613C7880069E89F /* ResourceExhaustion.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = ResourceExhaustion.h; sourceTree = "<group>"; };
                 FE9F3FBA2613C87C0069E89F /* ResourceExhaustion.cpp */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.cpp.cpp; path = ResourceExhaustion.cpp; sourceTree = "<group>"; };
+                FE9F3FC626163CA90069E89F /* DeferTermination.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = DeferTermination.h; sourceTree = "<group>"; };
                 FEA0861E182B7A0400F6D851 /* Breakpoint.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = Breakpoint.h; sourceTree = "<group>"; };
                 FEA0861F182B7A0400F6D851 /* DebuggerPrimitives.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = DebuggerPrimitives.h; sourceTree = "<group>"; };
@@ -7287 +7289 @@
                                 BCD203470E17135E002C7E82 /* DatePrototype.cpp */,
                                 BCD203480E17135E002C7E82 /* DatePrototype.h */,
+                                FE9F3FC626163CA90069E89F /* DeferTermination.h */,
                                 534638761E71E06E00F12AC1 /* DeferredWorkTimer.cpp */,
                                 534638741E70DDEC00F12AC1 /* DeferredWorkTimer.h */,
@@ -9664 +9667 @@
                                 0FC20CB61852E2C600C9E954 /* DFGStrengthReductionPhase.h in Headers */,
                                 0F63947815DCE34B006A597C /* DFGStructureAbstractValue.h in Headers */,
+                                FE9F3FC826163CA90069E89F /* DeferTermination.h in Headers */,
                                 0F50AF3C193E8B3900674EE8 /* DFGStructureClobberState.h in Headers */,
                                 0F2FCCFF18A60070001A27F8 /* DFGThreadData.h in Headers */,

trunk/Source/JavaScriptCore/assembler/MacroAssemblerARM64.h

@@ -1 +1 @@
 /*
- * Copyright (C) 2012-2020 Apple Inc. All rights reserved.
+ * Copyright (C) 2012-2021 Apple Inc. All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
@@ -2943 +2943 @@
     }
 
+    Jump branchTest32(ResultCondition cond, AbsoluteAddress address, TrustedImm32 mask = TrustedImm32(-1))
+    {
+        move(TrustedImmPtr(address.m_ptr), getCachedMemoryTempRegisterIDAndInvalidate());
+        load32(Address(memoryTempRegister), memoryTempRegister);
+        return branchTest32(cond, memoryTempRegister, mask);
+    }
+
     Jump branchTest64(ResultCondition cond, RegisterID reg, RegisterID mask)
     {

trunk/Source/JavaScriptCore/assembler/MacroAssemblerARMv7.h

@@ -1 +1 @@
 /*
- * Copyright (C) 2009-2019 Apple Inc. All rights reserved.
+ * Copyright (C) 2009-2021 Apple Inc. All rights reserved.
  * Copyright (C) 2010 University of Szeged
  *
@@ -1690 +1690 @@
     }
 
+    Jump branchTest32(ResultCondition cond, AbsoluteAddress address, TrustedImm32 mask = TrustedImm32(-1))
+    {
+        // use addressTempRegister incase the branchTest32 we call uses dataTempRegister. :-/
+        move(TrustedImmPtr(address.m_ptr), addressTempRegister);
+        load32(Address(addressTempRegister), addressTempRegister);
+        return branchTest32(cond, addressTempRegister, mask);
+    }
+
     Jump branchTest8(ResultCondition cond, BaseIndex address, TrustedImm32 mask = TrustedImm32(-1))
     {

trunk/Source/JavaScriptCore/assembler/MacroAssemblerMIPS.h

@@ -1 +1 @@
 /*
- * Copyright (C) 2008-2019 Apple Inc. All rights reserved.
+ * Copyright (C) 2008-2021 Apple Inc. All rights reserved.
  * Copyright (C) 2010 MIPS Technologies, Inc. All rights reserved.
  *
@@ -1962 +1962 @@
     {
         load32(address, dataTempRegister);
+        return branchTest32(cond, dataTempRegister, mask);
+    }
+
+    Jump branchTest32(ResultCondition cond, AbsoluteAddress address, TrustedImm32 mask = TrustedImm32(-1))
+    {
+        load32(address.m_ptr, dataTempRegister);
         return branchTest32(cond, dataTempRegister, mask);
     }

trunk/Source/JavaScriptCore/assembler/MacroAssemblerX86Common.h

@@ -1 +1 @@
 /*
- * Copyright (C) 2008-2019 Apple Inc. All rights reserved.
+ * Copyright (C) 2008-2021 Apple Inc. All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
@@ -2712 +2712 @@
             m_assembler.testl_i32m(mask.m_value, address.offset, address.base, address.index, address.scale);
         return Jump(m_assembler.jCC(x86Condition(cond)));
+    }
+    
+    Jump branchTest32(ResultCondition cond, AbsoluteAddress address, TrustedImm32 mask = TrustedImm32(-1))
+    {
+        move(TrustedImmPtr(address.m_ptr), scratchRegister());
+        return branchTest32(cond, Address(scratchRegister()), mask);
     }
     

trunk/Source/JavaScriptCore/bindings/ScriptFunctionCall.cpp

@@ -109 +109 @@
     VM& vm = m_globalObject->vm();
     JSLockHolder lock(vm);
-    auto scope = DECLARE_THROW_SCOPE(vm);
+    auto scope = DECLARE_CATCH_SCOPE(vm);
+
+    auto makeExceptionResult = [&] (Exception* exception) -> Expected<JSValue, NakedPtr<Exception>> {
+        // Do not treat a terminated execution exception as having an exception. Just treat it as an empty result.
+        if (!vm.isTerminationException(exception))
+            return makeUnexpected(exception);
+        return { };
+    };
 
     JSValue function = thisObject->get(m_globalObject, Identifier::fromString(vm, m_name));
-    if (UNLIKELY(scope.exception()))
-        return makeUnexpected(scope.exception());
+    Exception* exception = scope.exception();
+    if (UNLIKELY(exception)) {
+        scope.clearException();
+        return makeExceptionResult(exception);
+    }
 
     auto callData = getCallData(vm, function);
@@ -120 +130 @@
 
     JSValue result;
-    NakedPtr<Exception> exception;
+    NakedPtr<Exception> uncaughtException;
     if (m_callHandler)
-        result = m_callHandler(m_globalObject, function, callData, thisObject, m_arguments, exception);
+        result = m_callHandler(m_globalObject, function, callData, thisObject, m_arguments, uncaughtException);
     else
-        result = JSC::call(m_globalObject, function, callData, thisObject, m_arguments, exception);
+        result = JSC::call(m_globalObject, function, callData, thisObject, m_arguments, uncaughtException);
 
-    if (exception) {
-        // Do not treat a terminated execution exception as having an exception. Just treat it as an empty result.
-        if (!vm.isTerminationException(exception))
-            return makeUnexpected(exception);
-        return { };
-    }
+    if (uncaughtException)
+        return makeExceptionResult(uncaughtException);
 
     return result;

trunk/Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp

@@ -1 +1 @@
 /*
- * Copyright (C) 2011-2020 Apple Inc. All rights reserved.
+ * Copyright (C) 2011-2021 Apple Inc. All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
@@ -2223 +2223 @@
     GPRReg unusedGPR = unused.gpr();
 
-    JITCompiler::Jump needTrapHandling = m_jit.branchTest8(JITCompiler::NonZero,
-        JITCompiler::AbsoluteAddress(m_jit.vm().needTrapHandlingAddress()));
+    JITCompiler::Jump needTrapHandling = m_jit.branchTest32(JITCompiler::NonZero,
+        JITCompiler::AbsoluteAddress(m_jit.vm().traps().trapBitsAddress()),
+        TrustedImm32(VMTraps::AsyncEvents));
 
     addSlowPathGenerator(slowPathCall(needTrapHandling, this, operationHandleTraps, unusedGPR, TrustedImmPtr::weakPointer(m_graph, m_graph.globalObjectFor(node->origin.semantic))));

trunk/Source/JavaScriptCore/ftl/FTLLowerDFGToB3.cpp

@@ -1 +1 @@
 /*
- * Copyright (C) 2013-2020 Apple Inc. All rights reserved.
+ * Copyright (C) 2013-2021 Apple Inc. All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
@@ -13401 +13401 @@
         LBasicBlock continuation = m_out.newBlock();
         
-        LValue state = m_out.load8ZeroExt32(m_out.absolute(vm().needTrapHandlingAddress()));
-        m_out.branch(m_out.isZero32(state),
+        LValue trapBits = m_out.load32(m_out.absolute(vm().traps().trapBitsAddress()));
+        m_out.branch(m_out.testIsZero32(trapBits, m_out.constInt32(VMTraps::AsyncEvents)),
             usually(continuation), rarely(needTrapHandling));
 

trunk/Source/JavaScriptCore/interpreter/Interpreter.cpp

@@ -802 +802 @@
         return checkedReturn(throwException(globalObject, throwScope, error));
 
-    constexpr auto trapsMask = VMTraps::interruptingTraps();
-    if (UNLIKELY(vm.needTrapHandling(trapsMask))) {
-        vm.handleTraps(globalObject, vm.topCallFrame, trapsMask);
-        RETURN_IF_EXCEPTION(throwScope, throwScope.exception());
+    if (UNLIKELY(vm.traps().needHandling(VMTraps::NonDebuggerAsyncEvents))) {
+        if (vm.hasExceptionsAfterHandlingTraps())
+            return throwScope.exception();
     }
 
@@ -869 +868 @@
         return checkedReturn(throwStackOverflowError(globalObject, throwScope));
 
-    constexpr auto trapsMask = VMTraps::interruptingTraps();
-    if (UNLIKELY(vm.needTrapHandling(trapsMask))) {
-        vm.handleTraps(globalObject, vm.topCallFrame, trapsMask);
-        RETURN_IF_EXCEPTION(throwScope, throwScope.exception());
+    if (UNLIKELY(vm.traps().needHandling(VMTraps::NonDebuggerAsyncEvents))) {
+        if (vm.hasExceptionsAfterHandlingTraps())
+            return throwScope.exception();
     }
 
@@ -948 +946 @@
     }
 
-    constexpr auto trapsMask = VMTraps::interruptingTraps();
-    if (UNLIKELY(vm.needTrapHandling(trapsMask))) {
-        vm.handleTraps(globalObject, vm.topCallFrame, trapsMask);
-        RETURN_IF_EXCEPTION(throwScope, nullptr);
+    if (UNLIKELY(vm.traps().needHandling(VMTraps::NonDebuggerAsyncEvents))) {
+        if (vm.hasExceptionsAfterHandlingTraps())
+            return nullptr;
     }
 
@@ -1063 +1060 @@
     }
 
-    constexpr auto trapsMask = VMTraps::interruptingTraps();
-    if (UNLIKELY(vm.needTrapHandling(trapsMask))) {
-        vm.handleTraps(globalObject, vm.topCallFrame, trapsMask);
-        RETURN_IF_EXCEPTION(throwScope, throwScope.exception());
+    if (UNLIKELY(vm.traps().needHandling(VMTraps::NonDebuggerAsyncEvents))) {
+        if (vm.hasExceptionsAfterHandlingTraps())
+            return throwScope.exception();
     }
 
@@ -1221 +1217 @@
         return checkedReturn(throwStackOverflowError(globalObject, throwScope));
 
-    constexpr auto trapsMask = VMTraps::interruptingTraps();
-    if (UNLIKELY(vm.needTrapHandling(trapsMask))) {
-        vm.handleTraps(globalObject, vm.topCallFrame, trapsMask);
-        RETURN_IF_EXCEPTION(throwScope, throwScope.exception());
+    if (UNLIKELY(vm.traps().needHandling(VMTraps::NonDebuggerAsyncEvents))) {
+        if (vm.hasExceptionsAfterHandlingTraps())
+            return throwScope.exception();
     }
 

trunk/Source/JavaScriptCore/interpreter/InterpreterInlines.h

@@ -1 +1 @@
 /*
  * Copyright (C) 2016 Yusuke Suzuki <utatane.tea@gmail.com>
- * Copyright (C) 2016-2020 Apple Inc. All rights reserved.
+ * Copyright (C) 2016-2021 Apple Inc. All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
@@ -81 +81 @@
     StackStats::CheckPoint stackCheckPoint;
 
-    constexpr auto trapsMask = VMTraps::interruptingTraps();
-    if (UNLIKELY(vm.needTrapHandling(trapsMask))) {
-        vm.handleTraps(closure.protoCallFrame->globalObject, closure.oldCallFrame, trapsMask);
-        RETURN_IF_EXCEPTION(throwScope, throwScope.exception());
+    if (UNLIKELY(vm.traps().needHandling(VMTraps::NonDebuggerAsyncEvents))) {
+        ASSERT(vm.topCallFrame == closure.oldCallFrame);
+        if (vm.hasExceptionsAfterHandlingTraps())
+            return throwScope.exception();
     }
 

trunk/Source/JavaScriptCore/jit/JITOpcodes.cpp

@@ -843 +843 @@
     addPtr(TrustedImm32(stackPointerOffsetFor(codeBlock()) * sizeof(Register)), callFrameRegister, stackPointerRegister);
 
-    callOperationNoExceptionCheck(operationCheckIfExceptionIsUncatchableAndNotifyProfiler, TrustedImmPtr(&vm()));
-    Jump isCatchableException = branchTest32(Zero, returnValueGPR);
+    callOperationNoExceptionCheck(operationRetrieveAndClearExceptionIfCatchable, TrustedImmPtr(&vm()));
+    Jump isCatchableException = branchTest32(NonZero, returnValueGPR);
     jumpToExceptionHandler(vm());
     isCatchableException.link(this);
 
-    move(TrustedImmPtr(m_vm), regT3);
-    load64(Address(regT3, VM::exceptionOffset()), regT0);
-    store64(TrustedImm64(JSValue::encode(JSValue())), Address(regT3, VM::exceptionOffset()));
+    move(returnValueGPR, regT0);
     emitPutVirtualRegister(bytecode.m_exception);
 
@@ -1219 +1217 @@
 void JIT::emit_op_check_traps(const Instruction*)
 {
-    addSlowCase(branchTest8(NonZero, AbsoluteAddress(m_vm->needTrapHandlingAddress())));
+    addSlowCase(branchTest32(NonZero, AbsoluteAddress(m_vm->traps().trapBitsAddress()), TrustedImm32(VMTraps::AsyncEvents)));
 }
 

trunk/Source/JavaScriptCore/jit/JITOpcodes32_64.cpp

@@ -932 +932 @@
     addPtr(TrustedImm32(stackPointerOffsetFor(codeBlock()) * sizeof(Register)), callFrameRegister, stackPointerRegister);
 
-    callOperationNoExceptionCheck(operationCheckIfExceptionIsUncatchableAndNotifyProfiler, TrustedImmPtr(&vm()));
-    Jump isCatchableException = branchTest32(Zero, returnValueGPR);
+    callOperationNoExceptionCheck(operationRetrieveAndClearExceptionIfCatchable, TrustedImmPtr(&vm()));
+    Jump isCatchableException = branchTest32(NonZero, returnValueGPR);
     jumpToExceptionHandler(vm());
     isCatchableException.link(this);
 
-    move(TrustedImmPtr(m_vm), regT3);
-
     // Now store the exception returned by operationThrow.
-    load32(Address(regT3, VM::exceptionOffset()), regT2);
+    move(returnValueGPR, regT2);
     move(TrustedImm32(JSValue::CellTag), regT1);
-
-    store32(TrustedImm32(0), Address(regT3, VM::exceptionOffset()));
 
     emitStore(bytecode.m_exception, regT1, regT2);

trunk/Source/JavaScriptCore/jit/JITOperations.cpp

@@ -1766 +1766 @@
     CallFrame* callFrame = DECLARE_CALL_FRAME(vm);
     JITOperationPrologueCallFrameTracer tracer(vm, callFrame);
-    ASSERT(vm.needTrapHandling());
-    vm.handleTraps(globalObject, callFrame);
+    ASSERT(vm.traps().needHandling(VMTraps::AsyncEvents));
+    vm.traps().handleTraps(VMTraps::AsyncEvents);
     return nullptr;
 }
@@ -1842 +1842 @@
     }
     
+    if (UNLIKELY(vm.terminationInProgress())) {
+        // If termination of the current stack of execution is in progress,
+        // then we need to hold off on optimized compiles so that termination
+        // checks will be called, and we can unwind out of the current stack.
+        CODEBLOCK_LOG_EVENT(codeBlock, "delayOptimizeToDFG", ("Terminating current execution"));
+        updateAllPredictionsAndOptimizeAfterWarmUp(codeBlock);
+        return encodeResult(nullptr, nullptr);
+    }
+
     Debugger* debugger = codeBlock->globalObject()->debugger();
     if (UNLIKELY(debugger && (debugger->isStepping() || codeBlock->baselineAlternative()->hasDebuggerRequests()))) {
@@ -3512 +3521 @@
 }
 
-JSC_DEFINE_JIT_OPERATION(operationCheckIfExceptionIsUncatchableAndNotifyProfiler, int32_t, (VM* vmPointer))
+JSC_DEFINE_JIT_OPERATION(operationRetrieveAndClearExceptionIfCatchable, JSCell*, (VM* vmPointer))
 {
     VM& vm = *vmPointer;
@@ -3520 +3529 @@
     RELEASE_ASSERT(!!scope.exception());
 
-    if (vm.isTerminationException(scope.exception())) {
+    Exception* exception = scope.exception();
+    if (vm.isTerminationException(exception)) {
         genericUnwind(vm, callFrame);
-        return 1;
-    }
-    return 0;
+        return nullptr;
+    }
+
+    // We want to clear the exception here rather than in the catch prologue
+    // JIT code because clearing it also entails clearing a bit in an Atomic
+    // bit field in VMTraps.
+    scope.clearException();
+    return exception;
 }
 

trunk/Source/JavaScriptCore/jit/JITOperations.h

@@ -1 +1 @@
 /*
- * Copyright (C) 2013-2020 Apple Inc. All rights reserved.
+ * Copyright (C) 2013-2021 Apple Inc. All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
@@ -296 +296 @@
 JSC_DECLARE_JIT_OPERATION(operationExceptionFuzzWithCallFrame, void, (VM*));
 
-JSC_DECLARE_JIT_OPERATION(operationCheckIfExceptionIsUncatchableAndNotifyProfiler, int32_t, (VM*));
+JSC_DECLARE_JIT_OPERATION(operationRetrieveAndClearExceptionIfCatchable, JSCell*, (VM*));
 JSC_DECLARE_JIT_OPERATION(operationInstanceOfCustom, size_t, (JSGlobalObject*, EncodedJSValue encodedValue, JSObject* constructor, EncodedJSValue encodedHasInstance));
 

trunk/Source/JavaScriptCore/llint/LLIntSlowPaths.cpp

@@ -2082 +2082 @@
 {
     LLINT_BEGIN_NO_SET_PC();
-    ASSERT(vm.needTrapHandling());
-    vm.handleTraps(globalObject, callFrame);
+    ASSERT(vm.traps().needHandling(VMTraps::AsyncEvents));
+    vm.traps().handleTraps(VMTraps::AsyncEvents);
     UNUSED_PARAM(pc);
     LLINT_RETURN_TWO(throwScope.exception(), globalObject);
@@ -2183 +2183 @@
 }
 
-LLINT_SLOW_PATH_DECL(slow_path_check_if_exception_is_uncatchable_and_notify_profiler)
+LLINT_SLOW_PATH_DECL(slow_path_retrieve_and_clear_exception_if_catchable)
 {
     LLINT_BEGIN();
@@ -2189 +2189 @@
     RELEASE_ASSERT(!!throwScope.exception());
 
-    if (vm.isTerminationException(throwScope.exception()))
-        LLINT_RETURN_TWO(pc, bitwise_cast<void*>(static_cast<uintptr_t>(1)));
-    LLINT_RETURN_TWO(pc, nullptr);
+    Exception* exception = throwScope.exception();
+    if (vm.isTerminationException(exception))
+        LLINT_RETURN_TWO(pc, nullptr);
+
+    // We want to clear the exception here rather than in the catch prologue
+    // JIT code because clearing it also entails clearing a bit in an Atomic
+    // bit field in VMTraps.
+    throwScope.clearException();
+    LLINT_RETURN_TWO(pc, exception);
 }
 

trunk/Source/JavaScriptCore/llint/LLIntSlowPaths.h

@@ -1 +1 @@
 /*
- * Copyright (C) 2011-2020 Apple Inc. All rights reserved.
+ * Copyright (C) 2011-2021 Apple Inc. All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
@@ -138 +138 @@
 LLINT_SLOW_PATH_HIDDEN_DECL(slow_path_get_from_scope);
 LLINT_SLOW_PATH_HIDDEN_DECL(slow_path_put_to_scope);
-LLINT_SLOW_PATH_HIDDEN_DECL(slow_path_check_if_exception_is_uncatchable_and_notify_profiler);
+LLINT_SLOW_PATH_HIDDEN_DECL(slow_path_retrieve_and_clear_exception_if_catchable);
 LLINT_SLOW_PATH_HIDDEN_DECL(slow_path_profile_catch);
 LLINT_SLOW_PATH_HIDDEN_DECL(slow_path_log_shadow_chicken_prologue);

trunk/Source/JavaScriptCore/llint/LowLevelInterpreter.asm

@@ -1 @@
-# Copyright (C) 2011-2020 Apple Inc. All rights reserved.
+# Copyright (C) 2011-2021 Apple Inc. All rights reserved.
 #
 # Redistribution and use in source and binary forms, with or without
@@ -266 +266 @@
 const NoPtrTag = constexpr NoPtrTag
  
+# VMTraps data
+const VMTrapsAsyncEvents = constexpr VMTraps::AsyncEvents
 
 # Some register conventions.
@@ -2194 +2196 @@
     loadp CodeBlock[cfr], t1
     loadp CodeBlock::m_vm[t1], t1
-    loadb VM::m_traps+VMTraps::m_needTrapHandling[t1], t0
+    loadi VM::m_traps+VMTraps::m_trapBits[t1], t0
+    andi VMTrapsAsyncEvents, t0
     btpnz t0, .handleTraps
 .afterHandlingTraps:

trunk/Source/JavaScriptCore/llint/LowLevelInterpreter32_64.asm

@@ -1 @@
-# Copyright (C) 2011-2020 Apple Inc. All rights reserved.
+# Copyright (C) 2011-2021 Apple Inc. All rights reserved.
 #
 # Redistribution and use in source and binary forms, with or without
@@ -2216 +2216 @@
     subp PB, PC
 
-    callSlowPath(_llint_slow_path_check_if_exception_is_uncatchable_and_notify_profiler)
-    bpeq r1, 0, .isCatchableException
+    callSlowPath(_llint_slow_path_retrieve_and_clear_exception_if_catchable)
+    bpneq r1, 0, .isCatchableException
     jmp _llint_throw_from_slow_path_trampoline
 
 .isCatchableException:
-    loadp CodeBlock[cfr], t3
-    loadp CodeBlock::m_vm[t3], t3
-
-    loadp VM::m_exception[t3], t0
-    storep 0, VM::m_exception[t3]
+    move r1, t0
     get(size, OpCatch, m_exception, t2)
     storei t0, PayloadOffset[cfr, t2, 8]

trunk/Source/JavaScriptCore/llint/LowLevelInterpreter64.asm

@@ -1 @@
-# Copyright (C) 2011-2020 Apple Inc. All rights reserved.
+# Copyright (C) 2011-2021 Apple Inc. All rights reserved.
 #
 # Redistribution and use in source and binary forms, with or without
@@ -2367 +2367 @@
     subp PB, PC
 
-    callSlowPath(_llint_slow_path_check_if_exception_is_uncatchable_and_notify_profiler)
-    bpeq r1, 0, .isCatchableException
+    callSlowPath(_llint_slow_path_retrieve_and_clear_exception_if_catchable)
+    bpneq r1, 0, .isCatchableException
     jmp _llint_throw_from_slow_path_trampoline
 
 .isCatchableException:
-    loadp CodeBlock[cfr], t3
-    loadp CodeBlock::m_vm[t3], t3
-
-    loadp VM::m_exception[t3], t0
-    storep 0, VM::m_exception[t3]
+    move r1, t0
     get(size, OpCatch, m_exception, t2)
     storeq t0, [cfr, t2, 8]

trunk/Source/JavaScriptCore/runtime/ArgList.cpp

@@ -91 +91 @@
     if (UNLIKELY(checkedSize.hasOverflowed()))
         return this->overflowed();
-    EncodedJSValue* newBuffer = static_cast<EncodedJSValue*>(Gigacage::malloc(Gigacage::JSValue, checkedSize.unsafeGet()));
+    EncodedJSValue* newBuffer = static_cast<EncodedJSValue*>(Gigacage::tryMalloc(Gigacage::JSValue, checkedSize.unsafeGet()));
+    if (!newBuffer)
+        return this->overflowed();
     for (int i = 0; i < m_size; ++i) {
         newBuffer[i] = m_buffer[i];

trunk/Source/JavaScriptCore/runtime/ExceptionScope.h

@@ -1 +1 @@
 /*
- * Copyright (C) 2016-2018 Apple Inc. All rights reserved.
+ * Copyright (C) 2016-2021 Apple Inc. All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
@@ -51 +51 @@
     VM& vm() const { return m_vm; }
     unsigned recursionDepth() const { return m_recursionDepth; }
-    Exception* exception() { return m_vm.exception(); }
+    Exception* exception() const { return m_vm.exception(); }
 
     ALWAYS_INLINE void assertNoException() { RELEASE_ASSERT_WITH_MESSAGE(!exception(), "%s", unexpectedExceptionMessage().data()); }
@@ -85 +85 @@
 public:
     ALWAYS_INLINE VM& vm() const { return m_vm; }
-    ALWAYS_INLINE Exception* exception() { return m_vm.exception(); }
+    ALWAYS_INLINE Exception* exception() const { return m_vm.exception(); }
 
     ALWAYS_INLINE void assertNoException() { ASSERT(!exception()); }
@@ -105 +105 @@
 
 #define RETURN_IF_EXCEPTION(scope__, value__) do { \
-        if (UNLIKELY((scope__).exception())) \
-            return value__; \
+        JSC::VM& vm = (scope__).vm(); \
+        ASSERT(!!(scope__).exception() == vm.traps().needHandling(JSC::VMTraps::NeedExceptionHandling)); \
+        if (UNLIKELY(vm.traps().needHandling(JSC::VMTraps::NonDebuggerEvents))) { \
+            if (vm.hasExceptionsAfterHandlingTraps()) \
+                return value__; \
+        } \
     } while (false)
 

trunk/Source/JavaScriptCore/runtime/JSGlobalObject.cpp

@@ -60 +60 @@
 #include "Debugger.h"
 #include "DebuggerScope.h"
+#include "DeferTermination.h"
 #include "DirectArguments.h"
 #include "ErrorConstructor.h"
@@ -1110 +1111 @@
             JSGlobalObject* globalObject = jsCast<JSGlobalObject*>(init.owner);
             VM& vm = init.vm;
-            auto scope = DECLARE_CATCH_SCOPE(vm);
+            auto scope = DECLARE_THROW_SCOPE(vm);
             IntlCollator* collator = IntlCollator::create(vm, globalObject->collatorStructure());
             collator->initializeCollator(globalObject, jsUndefined(), jsUndefined());
-            scope.releaseAssertNoException();
+            RETURN_IF_EXCEPTION(scope, void());
             init.set(collator);
         });
@@ -2404 +2405 @@
 void JSGlobalObject::finishCreation(VM& vm)
 {
+    DeferTermination deferTermination(vm);
     Base::finishCreation(vm);
     structure(vm)->setGlobalObject(vm, this);
@@ -2414 +2416 @@
 void JSGlobalObject::finishCreation(VM& vm, JSObject* thisValue)
 {
+    DeferTermination deferTermination(vm);
     Base::finishCreation(vm);
     structure(vm)->setGlobalObject(vm, this);

trunk/Source/JavaScriptCore/runtime/LazyPropertyInlines.h

@@ -98 +98 @@
     initializer.property.m_pointer |= initializingTag;
     callStatelessLambda<void, Func>(initializer);
+    if (UNLIKELY(initializer.property.m_pointer & initializingTag)) {
+        VM& vm = initializer.vm;
+        Exception* exception = vm.exceptionForInspection();
+        RELEASE_ASSERT(exception && vm.isTerminationException(exception));
+        RELEASE_ASSERT(initializer.property.m_pointer & lazyTag);
+        return nullptr;
+    }
     RELEASE_ASSERT(!(initializer.property.m_pointer & lazyTag));
-    RELEASE_ASSERT(!(initializer.property.m_pointer & initializingTag));
     return bitwise_cast<ElementType*>(initializer.property.m_pointer);
 }

trunk/Source/JavaScriptCore/runtime/StringPrototype.cpp

@@ -1 +1 @@
 /*
  *  Copyright (C) 1999-2001 Harri Porten (porten@kde.org)
- *  Copyright (C) 2004-2020 Apple Inc. All rights reserved.
+ *  Copyright (C) 2004-2021 Apple Inc. All rights reserved.
  *  Copyright (C) 2009 Torch Mobile, Inc.
  *  Copyright (C) 2015 Jordan Harband (ljharb@gmail.com)
@@ -1540 +1540 @@
         collator = IntlCollator::create(vm, globalObject->collatorStructure());
         collator->initializeCollator(globalObject, locales, options);
-        RETURN_IF_EXCEPTION(scope, encodedJSValue());
-    }
+    }
+    RETURN_IF_EXCEPTION(scope, encodedJSValue());
     RELEASE_AND_RETURN(scope, JSValue::encode(collator->compareStrings(globalObject, string, that)));
 }

trunk/Source/JavaScriptCore/runtime/VM.cpp

@@ -1 +1 @@
 /*
- * Copyright (C) 2008-2020 Apple Inc. All rights reserved.
+ * Copyright (C) 2008-2021 Apple Inc. All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
@@ -959 +959 @@
 }
 
+bool VM::hasExceptionsAfterHandlingTraps()
+{
+    if (UNLIKELY(traps().needHandling(VMTraps::NonDebuggerAsyncEvents)))
+        m_traps.handleTraps(VMTraps::NonDebuggerAsyncEvents);
+    return exception();
+}
+
+void VM::clearException()
+{
+#if ENABLE(EXCEPTION_SCOPE_VERIFICATION)
+    m_needExceptionCheck = false;
+    m_nativeStackTraceOfLastThrow = nullptr;
+    m_throwingThread = nullptr;
+#endif
+    m_exception = nullptr;
+    traps().clearTrapBit(VMTraps::NeedExceptionHandling);
+}
+
+void VM::setException(Exception* exception)
+{
+    m_exception = exception;
+    m_lastException = exception;
+    if (exception)
+        traps().setTrapBit(VMTraps::NeedExceptionHandling);
+}
+
 void VM::throwTerminationException()
 {
+    ASSERT(!m_traps.isDeferringTermination());
     setException(terminationException());
 }
@@ -966 +993 @@
 Exception* VM::throwException(JSGlobalObject* globalObject, Exception* exceptionToThrow)
 {
+    // The TerminationException should never be overridden.
+    if (m_exception && isTerminationException(m_exception))
+        return m_exception;
+
     // The TerminationException is not like ordinary exceptions that should be
     // reported to the debugger. The fact that the TerminationException uses the

trunk/Source/JavaScriptCore/runtime/VM.h

@@ -338 +338 @@
     WeakRandom& random() { return m_random; }
     Integrity::Random& integrityRandom() { return m_integrityRandom; }
+
+    bool terminationInProgress() const { return m_terminationInProgress; }
+    void setTerminationInProgress(bool value) { m_terminationInProgress = value; }
 
     JS_EXPORT_PRIVATE Exception* ensureTerminationException();
@@ -1086 +1089 @@
     VMTraps& traps() { return m_traps; }
 
-    void handleTraps(JSGlobalObject* globalObject, CallFrame* callFrame, VMTraps::Mask mask = VMTraps::Mask::allEventTypes()) { m_traps.handleTraps(globalObject, callFrame, mask); }
-
-    bool needTrapHandling() { return m_traps.needTrapHandling(); }
-    bool needTrapHandling(VMTraps::Mask mask) { return m_traps.needTrapHandling(mask); }
-    void* needTrapHandlingAddress() { return m_traps.needTrapHandlingAddress(); }
+    JS_EXPORT_PRIVATE bool hasExceptionsAfterHandlingTraps();
 
     // These may be called concurrently from another thread.
     void notifyNeedDebuggerBreak() { m_traps.fireTrap(VMTraps::NeedDebuggerBreak); }
     void notifyNeedShellTimeoutCheck() { m_traps.fireTrap(VMTraps::NeedShellTimeoutCheck); }
-    void notifyNeedTermination() { m_traps.fireTrap(VMTraps::NeedTermination); }
+    void notifyNeedTermination()
+    {
+        setTerminationInProgress(true);
+        m_traps.fireTrap(VMTraps::NeedTermination);
+    }
     void notifyNeedWatchdogCheck() { m_traps.fireTrap(VMTraps::NeedWatchdogCheck); }
 
@@ -1113 +1116 @@
     public:
         DeferExceptionScope(VM& vm)
-            : m_savedException(vm.m_exception, nullptr)
+            : m_vm(vm)
+            , m_exceptionWasSet(vm.m_exception)
+            , m_savedException(vm.m_exception, nullptr)
             , m_savedLastException(vm.m_lastException, nullptr)
         {
+            if (m_exceptionWasSet)
+                m_vm.traps().clearTrapBit(VMTraps::NeedExceptionHandling);
         }
 
+        ~DeferExceptionScope()
+        {
+            if (m_exceptionWasSet)
+                m_vm.traps().setTrapBit(VMTraps::NeedExceptionHandling);
+        }
+
     private:
+        VM& m_vm;
+        bool m_exceptionWasSet;
         SetForScope<Exception*> m_savedException;
         SetForScope<Exception*> m_savedLastException;
@@ -1146 +1161 @@
     }
 
-    void setException(Exception* exception)
-    {
-        m_exception = exception;
-        m_lastException = exception;
-    }
     Exception* exception() const
     {
@@ -1158 +1168 @@
         return m_exception;
     }
-    void clearException()
-    {
-#if ENABLE(EXCEPTION_SCOPE_VERIFICATION)
-        m_needExceptionCheck = false;
-        m_nativeStackTraceOfLastThrow = nullptr;
-        m_throwingThread = nullptr;
-#endif
-        m_exception = nullptr;
-    }
+
+    JS_EXPORT_PRIVATE void clearException();
+    JS_EXPORT_PRIVATE void setException(Exception*);
 
 #if ENABLE(C_LOOP)
@@ -1255 +1259 @@
     uintptr_t m_currentWeakRefVersion { 0 };
 
+    bool m_terminationInProgress { false };
+
     Lock m_loopHintExecutionCountLock;
     HashMap<const Instruction*, std::pair<unsigned, std::unique_ptr<uint64_t>>> m_loopHintExecutionCounts;

trunk/Source/JavaScriptCore/runtime/VMEntryScope.cpp

@@ -1 +1 @@
 /*
- * Copyright (C) 2013-2020 Apple Inc. All rights reserved.
+ * Copyright (C) 2013-2021 Apple Inc. All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
@@ -101 +101 @@
         listener();
 
+    // If the trap bit is still set at this point, then it means that VMTraps::handleTraps()
+    // has not yet been called for this termination request. As a result, we've not thrown a
+    // TerminationException yet. Some client code relies on detecting the presence of the
+    // TerminationException in order to signal that a termination was requested. As a result,
+    // we want to stay in the TerminationInProgress state until VMTraps::handleTraps() (which
+    // clears the trap bit) gets called, and the TerminationException gets thrown.
+    //
+    // Note: perhaps there's a better way for the client to know that a termination was
+    // requested (after all, the request came from the client). However, this is how the
+    // client code currently works. Changing that will take some significant effort to hunt
+    // down all the places in client code that currently rely on this behavior.
+    if (!m_vm.traps().needHandling(VMTraps::NeedTermination))
+        m_vm.setTerminationInProgress(false);
     m_vm.clearScratchBuffers();
 }

trunk/Source/JavaScriptCore/runtime/VMTraps.cpp

@@ -146 +146 @@
             return; // Let the SignalSender try again later.
 
-        if (!needTrapHandling()) {
+        if (!needHandling(VMTraps::AsyncEvents)) {
             // Too late. Someone else already handled the trap.
             return;
@@ -253 +253 @@
             return PollResult::Stop;
 
-        if (!traps().needTrapHandling())
+        if (!traps().needHandling(VMTraps::AsyncEvents))
             return PollResult::Wait;
 
@@ -323 +323 @@
 }
 
-void VMTraps::fireTrap(VMTraps::EventType eventType)
+void VMTraps::fireTrap(VMTraps::Event event)
 {
     ASSERT(!vm().currentThreadIsHoldingAPILock());
+    ASSERT(onlyContainsAsyncEvents(event));
     {
         auto locker = holdLock(*m_lock);
         ASSERT(!m_isShuttingDown);
-        setTrapForEvent(locker, eventType);
+        setTrapBit(event);
         m_needToInvalidatedCodeBlocks = true;
     }
@@ -346 +347 @@
 }
 
-void VMTraps::handleTraps(JSGlobalObject* globalObject, CallFrame* callFrame, VMTraps::Mask mask)
+void VMTraps::handleTraps(VMTraps::BitField mask)
 {
     VM& vm = this->vm();
     auto scope = DECLARE_THROW_SCOPE(vm);
+    ASSERT(onlyContainsAsyncEvents(mask));
+    ASSERT(needHandling(mask));
+
+    if (isDeferringTermination())
+        mask &= ~NeedTermination;
 
     {
@@ -360 +366 @@
     }
 
-    ASSERT(needTrapHandling(mask));
-    while (needTrapHandling(mask)) {
-        auto eventType = takeTopPriorityTrap(mask);
-        switch (eventType) {
+    while (needHandling(mask)) {
+        auto event = takeTopPriorityTrap(mask);
+        switch (event) {
         case NeedDebuggerBreak:
             dataLog("VM ", RawPointer(&vm), " on pid ", getCurrentProcessID(), " received NeedDebuggerBreak trap\n");
-            invalidateCodeBlocksOnStack(callFrame);
+            invalidateCodeBlocksOnStack(vm.topCallFrame);
             break;
 
@@ -376 +381 @@
         case NeedWatchdogCheck:
             ASSERT(vm.watchdog());
-            if (LIKELY(!vm.watchdog()->shouldTerminate(globalObject)))
+            ASSERT(vm.entryScope->globalObject());
+            if (LIKELY(!vm.watchdog()->shouldTerminate(vm.entryScope->globalObject())))
                 continue;
+            vm.setTerminationInProgress(true);
             FALLTHROUGH;
 
         case NeedTermination:
-            RELEASE_AND_RETURN(scope, vm.throwTerminationException());
-
+            ASSERT(vm.terminationInProgress());
+            scope.release();
+            if (!isDeferringTermination())
+                vm.throwTerminationException();
+            return;
+
+        case NeedExceptionHandling:
         default:
             RELEASE_ASSERT_NOT_REACHED();
@@ -389 +401 @@
 }
 
-auto VMTraps::takeTopPriorityTrap(VMTraps::Mask mask) -> EventType
+auto VMTraps::takeTopPriorityTrap(VMTraps::BitField mask) -> Event
 {
     auto locker = holdLock(*m_lock);
-    for (int i = 0; i < NumberOfEventTypes; ++i) {
-        EventType eventType = static_cast<EventType>(i);
-        if (hasTrapForEvent(locker, eventType, mask)) {
-            clearTrapForEvent(locker, eventType);
-            return eventType;
-        }
-    }
-    return Invalid;
+
+    // Note: the EventBitShift is already sorted in highest to lowest priority
+    // i.e. a bit shift of 0 is highest priority, etc.
+    for (int i = 0; i < NumberOfEvents; ++i) {
+        Event event = static_cast<Event>(1 << i);
+        if (hasTrapBit(event, mask)) {
+            clearTrapBit(event);
+            return event;
+        }
+    }
+    return NoEvent;
+}
+
+void VMTraps::deferTermination()
+{
+    auto locker = holdLock(*m_lock);
+    m_deferTerminationCount++;
+    ASSERT(m_deferTerminationCount < UINT_MAX);
+
+    VM& vm = this->vm();
+    Exception* pendingException = vm.exception();
+    if (pendingException && vm.isTerminationException(pendingException)) {
+        vm.clearException();
+        m_suspendedTerminationException = true;
+    }
+}
+
+void VMTraps::undoDeferTermination()
+{
+    auto locker = holdLock(*m_lock);
+    ASSERT(m_deferTerminationCount > 0);
+    if (--m_deferTerminationCount == 0) {
+        VM& vm = this->vm();
+        if (m_suspendedTerminationException || vm.terminationInProgress())
+            vm.setException(vm.terminationException());
+    }
 }
 

trunk/Source/JavaScriptCore/runtime/VMTraps.h

@@ -1 +1 @@
 /*
- * Copyright (C) 2017-2020 Apple Inc. All rights reserved.
+ * Copyright (C) 2017-2021 Apple Inc. All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
@@ -42 +42 @@
 
 class VMTraps {
-    typedef uint8_t BitField;
 public:
-    enum class Error {
-        None,
-        LockUnavailable,
-        NotJITCode
+    using BitField = uint32_t;
+    static constexpr size_t bitsInBitField = sizeof(BitField) * CHAR_BIT;
+
+    // The following are the type of VMTrap events / signals that can be fired.
+    // This list should be sorted in servicing priority order from highest to
+    // lowest.
+    //
+    // The currently imlemented events are (in highest to lowest priority):
+    //
+    //  NeedShellTimeoutCheck
+    //  - Only used by the jsc shell to check if we need to force a hard shutdown.
+    //  - This event may fire more than once before the jsc shell forces the
+    //    shutdown (see NeedWatchdogCheck's discussion of CPU time for why
+    //    this may be).
+    //
+    //  NeedTermination
+    //  - Used to request the termination of execution of the "current" stack.
+    //    Note: "Termination" here simply means we terminate whatever is currently
+    //    executing on the stack. It does not mean termination of the VM, and hence,
+    //    is not permanent. Permanent VM termination mechanisms (like stopping the
+    //    request to stop a woker thread) may use this Event to terminate the
+    //    "current" stack, but it needs to do some additional work to prevent
+    //    re-entry into the VM.
+    //
+    //  - The mechanism for achieving this stack termination is by throwing the
+    //    uncatchable TerminationException that piggy back on the VM's exception
+    //    handling machinery to the unwind stack. The TerminationException is
+    //    uncatchable in the sense that the VM will refuse to let JS code's
+    //    catch handlers catch the exception. C++ code in the VM (that calls into
+    //    JS) needs to do exception checks, and make sure to propagate the
+    //    exception if it is the TerminationException.
+    //
+    //  - Again, the termination request is not permanent. Once the VM unwinds out
+    //    of the "current" execution state on the stack, the client may choose to
+    //    clear the exception, and re-enter the VM to executing JS code again.
+    //    See NeedWatchdogCheck below on why the VM watchdog needs this ability
+    //    to re-enter the VM after terminating the current stack.
+    //
+    //  - Many clients enter the VM via APIs that return an uncaught exception
+    //    in a NakedPointer<Exception>&. Those APIs would automatically clear
+    //    the uncaught TerminationException and return it via the
+    //    NakedPointer<Exception>&. Hence, the VM is ready for re-entry upon
+    //    returning to the client.
+    //
+    //  - In the above notes, "current" (as in "current" stack) is in quotes because
+    //    NeedTermination needs to guarantee that the TerminationException has
+    //    been thrown in response to this event. If the event fires just before
+    //    the VM exits and the TerminationException was not thrown yet, then we'll
+    //    keep the NeedTermination trap bit set for the next VM entry. In this case,
+    //    the termination will actual happen on the next stack of execution.
+    //
+    //    This behavior is needed because some clients rely on seeing an uncaught
+    //    TerminationException to know that a termination has been requested.
+    //    Technically, there are better ways for the client to know about the
+    //    termination request (after all, the termination is initiated by the
+    //    client). However, this is how some current client code works. So, we need
+    //    to retain this behavior until we can change all the clients that rely on
+    //    it.
+    //
+    //  NeedWatchdogCheck
+    //  - Used to request a check as to whether the watchdog timer has expired.
+    //    Note: the watchdog timeout is logically measured in CPU time. However,
+    //    the real timer implementation (that fires this NeedWatchdogCheck event)
+    //    has to operate on wall clock time. Hence, NeedWatchdogCheck firing does not
+    //    necessarily mean that the watchdog timeout has expired, and we can expect
+    //    to see NeedWatchdogCheck firing more than once for a single watchdog
+    //    timeout.
+    //
+    //  - The watchdog mechanism has the option to request termination of the
+    //    the current execution stack on watchdog timeout (see
+    //    Watchdog::shouldTerminate()). If termination is requested, it will
+    //    be executed via the same mechanism as NeedTermination (see how the
+    //    NeedWatchdogCheck case can fall through to the NeedTermination case in
+    //    VMTraps::handleTraps()).
+    //
+    //  - The watchdog timing out is not permanent i.e. after terminating the
+    //    current stack, the client may choose to re-enter the VM to execute more
+    //    JS. For example, a client may use the watchdog to ensure that an untrusted
+    //    3rd party script (that it runs) does not get trapped in an infinite loop.
+    //    If so, the watchdog timeout can terminate that script. After terminating
+    //    that bad script, the client may choose to allow other 3rd party scripts
+    //    to execute, or even allow more tries on the current one that timed out.
+    //    Hence, the timeout and termination must not be permanent.
+    //
+    //    This is why termination via the NeedTermination event is not permanent,
+    //    but only terminates the "current" stack.
+    //
+    //  NeedDebuggerBreak
+    //  - Services asynchronous debugger break requests.
+    //
+    //  NeedExceptionHandling
+    //  - Unlike the other events (which are asynchronous to the mutator thread),
+    //    NeedExceptionHandling is set when the mutator thread throws a JS exception
+    //    and cleared when the exception is handled / caught.
+    //
+    //  - The reason why NeedExceptionHandling is a bit on VMTraps as well is so
+    //    that we can piggy back on all the RETURN_IF_EXCEPTION checks in C++ code
+    //    to service VMTraps as well. Having the NeedExceptionHandling event as
+    //    part of VMTraps allows RETURN_IF_EXCEPTION to optimally only do a single
+    //    check to determine if the VM possibly has a pending exception to handle,
+    //    as well as if there are asynchronous VMTraps events to handle.
+
+#define FOR_EACH_VMTRAPS_EVENTS(v) \
+    v(NeedShellTimeoutCheck) \
+    v(NeedTermination) \
+    v(NeedWatchdogCheck) \
+    v(NeedDebuggerBreak) \
+    v(NeedExceptionHandling)
+
+#define DECLARE_VMTRAPS_EVENT_BIT_SHIFT(event__)  event__##BitShift,
+    enum EventBitShift {
+        FOR_EACH_VMTRAPS_EVENTS(DECLARE_VMTRAPS_EVENT_BIT_SHIFT)
+        NumberOfEvents, // This entry must be last in this list.
     };
-
-    enum EventType {
-        // Sorted in servicing priority order from highest to lowest.
-        NeedDebuggerBreak,
-        NeedShellTimeoutCheck,
-        NeedTermination,
-        NeedWatchdogCheck,
-        NumberOfEventTypes, // This entry must be last in this list.
-        Invalid
-    };
-
-    class Mask {
-    public:
-        enum AllEventTypes { AllEventTypesTag };
-        constexpr Mask(AllEventTypes)
-            : m_mask(std::numeric_limits<BitField>::max())
-        { }
-        static constexpr Mask allEventTypes() { return Mask(AllEventTypesTag); }
-
-        constexpr Mask(const Mask&) = default;
-        constexpr Mask(Mask&&) = default;
-
-        template<typename... Arguments>
-        constexpr Mask(Arguments... args)
-            : m_mask(0)
-        {
-            init(args...);
-        }
-
-        BitField bits() const { return m_mask; }
-
-    private:
-        template<typename... Arguments>
-        constexpr void init(EventType eventType, Arguments... args)
-        {
-            ASSERT(eventType < NumberOfEventTypes);
-            m_mask |= (1 << eventType);
-            init(args...);
-        }
-
-        constexpr void init() { }
-
-        BitField m_mask;
-    };
-
-    static constexpr Mask interruptingTraps() { return Mask(NeedShellTimeoutCheck, NeedTermination, NeedWatchdogCheck); }
+#undef DECLARE_VMTRAPS_EVENT_BIT_SHIFT
+
+    using Event = BitField;
+
+#define DECLARE_VMTRAPS_EVENT(event__) \
+    static_assert(event__##BitShift < bitsInBitField); \
+    static constexpr Event event__ = (1 << event__##BitShift);
+    FOR_EACH_VMTRAPS_EVENTS(DECLARE_VMTRAPS_EVENT)
+#undef DECLARE_VMTRAPS_EVENT
+
+#undef FOR_EACH_VMTRAPS_EVENTS
+
+    static constexpr Event NoEvent = 0;
+
+    static_assert(NumberOfEvents <= bitsInBitField);
+    static constexpr BitField AllEvents = (1ull << NumberOfEvents) - 1;
+    static constexpr BitField AsyncEvents = AllEvents & ~NeedExceptionHandling;
+    static constexpr BitField NonDebuggerEvents = AllEvents & ~NeedDebuggerBreak;
+    static constexpr BitField NonDebuggerAsyncEvents = AsyncEvents & ~NeedDebuggerBreak;
+
+    static constexpr bool onlyContainsAsyncEvents(BitField events)
+    {
+        return (AsyncEvents & events) && !(~AsyncEvents & events);
+    }
 
     ~VMTraps();
@@ -103 +189 @@
     void willDestroyVM();
 
-    bool needTrapHandling() { return m_needTrapHandling; }
-    bool needTrapHandling(Mask mask) { return m_needTrapHandling & mask.bits(); }
-    void* needTrapHandlingAddress() { return &m_needTrapHandling; }
+    bool needHandling(BitField mask) const { return m_trapBits.loadRelaxed() & mask; }
+    void* trapBitsAddress() { return &m_trapBits; }
+
+    bool isDeferringTermination() const { return m_deferTerminationCount; }
+    JS_EXPORT_PRIVATE void deferTermination();
+    JS_EXPORT_PRIVATE void undoDeferTermination();
 
     void notifyGrabAllLocks()
     {
-        if (needTrapHandling())
+        if (needHandling(AsyncEvents))
             invalidateCodeBlocksOnStack();
     }
 
-    JS_EXPORT_PRIVATE void fireTrap(EventType);
-
-    void handleTraps(JSGlobalObject*, CallFrame*, VMTraps::Mask);
+    bool hasTrapBit(Event event, BitField mask)
+    {
+        BitField maskedBits = event & mask;
+        return m_trapBits.loadRelaxed() & maskedBits;
+    }
+    void clearTrapBit(Event event) { m_trapBits.exchangeAnd(~event); }
+    void setTrapBit(Event event)
+    {
+        ASSERT((event & ~AllEvents) == 0);
+        m_trapBits.exchangeOr(event);
+    }
+
+    JS_EXPORT_PRIVATE void fireTrap(Event);
+    void handleTraps(BitField mask = AsyncEvents);
 
     void tryInstallTrapBreakpoints(struct SignalContext&, StackBounds);
@@ -122 +222 @@
     VM& vm() const;
 
-    bool hasTrapForEvent(Locker<Lock>&, EventType eventType, Mask mask)
-    {
-        ASSERT(eventType < NumberOfEventTypes);
-        return (m_trapsBitField & mask.bits() & (1 << eventType));
-    }
-    void setTrapForEvent(Locker<Lock>&, EventType eventType)
-    {
-        ASSERT(eventType < NumberOfEventTypes);
-        m_trapsBitField |= (1 << eventType);
-    }
-    void clearTrapForEvent(Locker<Lock>&, EventType eventType)
-    {
-        ASSERT(eventType < NumberOfEventTypes);
-        m_trapsBitField &= ~(1 << eventType);
-    }
-
-    EventType takeTopPriorityTrap(Mask);
+    Event takeTopPriorityTrap(BitField mask);
 
 #if ENABLE(SIGNAL_BASED_VM_TRAPS)
@@ -155 +239 @@
 #endif
 
+    static constexpr BitField NeedExceptionHandlingMask = ~(1 << NeedExceptionHandling);
+
     Box<Lock> m_lock;
     Ref<AutomaticThreadCondition> m_condition;
-    union {
-        BitField m_needTrapHandling { 0 };
-        BitField m_trapsBitField;
-    };
+    Atomic<BitField> m_trapBits { 0 };
     bool m_needToInvalidatedCodeBlocks { false };
     bool m_isShuttingDown { false };
+    bool m_suspendedTerminationException { false };
+    unsigned m_deferTerminationCount { 0 };
 
 #if ENABLE(SIGNAL_BASED_VM_TRAPS)

trunk/Source/WebCore/ChangeLog

@@ +1 @@
+2021-04-10  Mark Lam  <mark.lam@apple.com>
+
+        Enable VMTraps checks in RETURN_IF_EXCEPTION.
+        https://bugs.webkit.org/show_bug.cgi?id=224078
+        rdar://75037057
+
+        Reviewed by Keith Miller.
+
+        1. Add DeferTermination in WorkerOrWorkletScriptController::initScript().
+           This allows us to avoid having to make all exception checking in
+           WorkerOrWorkletScriptController::initScript() very thorough and complete.
+           Currently, they aren't.
+
+        2. Fix WorkerOrWorkletScriptController::evaluate() to handle the TerminationException.
+
+        3. Fix JSEventListener::handleEvent() to handle the TerminationException correctly.
+           Previously, in one case, it was checking scope.exception() for the exception,
+           but the exception has already been taken out of there.
+
+        * bindings/js/JSEventListener.cpp:
+        (WebCore::JSEventListener::handleEvent):
+        * workers/WorkerOrWorkletScriptController.cpp:
+        (WebCore::WorkerOrWorkletScriptController::evaluate):
+        (WebCore::WorkerOrWorkletScriptController::initScript):
+
 2021-04-10  Zalan Bujtas  <zalan@apple.com>
 

trunk/Source/WebCore/bindings/js/JSEventListener.cpp

@@ -183 +183 @@
 
     JSValue thisValue = handleEventFunction == jsFunction ? toJS(lexicalGlobalObject, globalObject, event.currentTarget()) : jsFunction;
-    NakedPtr<JSC::Exception> exception;
-    JSValue retval = JSExecState::profiledCall(lexicalGlobalObject, JSC::ProfilingReason::Other, handleEventFunction, callData, thisValue, args, exception);
+    NakedPtr<JSC::Exception> uncaughtException;
+    JSValue retval = JSExecState::profiledCall(lexicalGlobalObject, JSC::ProfilingReason::Other, handleEventFunction, callData, thisValue, args, uncaughtException);
 
     InspectorInstrumentation::didCallFunction(&scriptExecutionContext);
@@ -191 +191 @@
         jsFunctionWindow->setCurrentEvent(savedEvent.get());
 
-    auto handleExceptionIfNeeded = [&] () -> bool {
+    auto handleExceptionIfNeeded = [&] (JSC::Exception* exception) -> bool {
         if (is<WorkerGlobalScope>(scriptExecutionContext)) {
             auto& scriptController = *downcast<WorkerGlobalScope>(scriptExecutionContext).script();
-            bool terminatorCausedException = (scope.exception() && vm.isTerminationException(scope.exception()));
+            bool terminatorCausedException = (exception && vm.isTerminationException(exception));
             if (terminatorCausedException || scriptController.isTerminatingExecution())
                 scriptController.forbidExecution();
@@ -207 +207 @@
     };
 
-    if (handleExceptionIfNeeded())
+    if (handleExceptionIfNeeded(uncaughtException))
         return;
 
@@ -222 +222 @@
             String resultStr = convert<IDLNullable<IDLDOMString>>(*lexicalGlobalObject, retval);
             if (UNLIKELY(scope.exception())) {
-                exception = scope.exception();
-                if (handleExceptionIfNeeded())
+                if (handleExceptionIfNeeded(scope.exception()))
                     return;
             }

trunk/Source/WebCore/workers/WorkerOrWorkletScriptController.cpp

@@ -45 +45 @@
 #include "WorkerScriptFetcher.h"
 #include <JavaScriptCore/Completion.h>
+#include <JavaScriptCore/DeferTermination.h>
 #include <JavaScriptCore/DeferredWorkTimer.h>
 #include <JavaScriptCore/Exception.h>
@@ -203 +204 @@
         return;
 
-    NakedPtr<JSC::Exception> exception;
-    evaluate(sourceCode, exception, returnedExceptionMessage);
-    if (exception) {
-        JSLockHolder lock(vm());
-        reportException(m_globalScopeWrapper.get(), exception);
+    VM& vm = this->vm();
+    NakedPtr<JSC::Exception> uncaughtException;
+    evaluate(sourceCode, uncaughtException, returnedExceptionMessage);
+    if ((uncaughtException && vm.isTerminationException(uncaughtException)) || isTerminatingExecution()) {
+        forbidExecution();
+        return;
+    }
+    if (uncaughtException) {
+        JSLockHolder lock(vm);
+        reportException(m_globalScopeWrapper.get(), uncaughtException);
     }
 }
@@ -518 +524 @@
 void WorkerOrWorkletScriptController::initScript()
 {
+    ASSERT(m_vm.get());
+    JSC::DeferTermination deferTermination(*m_vm.get());
+
     if (is<DedicatedWorkerGlobalScope>(m_globalScope)) {
         initScriptWithSubclass<JSDedicatedWorkerGlobalScopePrototype, JSDedicatedWorkerGlobalScope, DedicatedWorkerGlobalScope>();