Changeset 289877 in webkit

Timestamp:

Feb 15, 2022, 10:12:08 PM (3 years ago)

Author:

mark.lam@apple.com

Message:

Defer TerminationsExceptions while in operationMaterializeObjectInOSR.
​https://bugs.webkit.org/show_bug.cgi?id=236686
rdar://81337114

Reviewed by Saam Barati.

JSTests:

These tests are identical except that they are customized with different watchdog
timeout periods for a Debug / Release build. This is a necessary condition in
order for the test to manifest this issue if the code is regressed.

• stress/termination-exception-in-operationMaterializeObjectInOSR-debug.js: Added.
• stress/termination-exception-in-operationMaterializeObjectInOSR-release.js: Added.

Source/JavaScriptCore:

operationMaterializeObjectInOSR expects to always succeed. It is difficult (and
not worth the effort) to make it be able to handle interruptions by the
TerminationException. Since operationMaterializeObjectInOSR is guaranteed to
finish running in some finite time, it is reasonable to just defer handling a
pending TerminationException until the function returns.

• ftl/FTLOperations.cpp:

(JSC::FTL::JSC_DEFINE_JIT_OPERATION):

Location:

trunk

Files:

• JSTests/ChangeLog (modified) (1 diff)
• JSTests/stress/termination-exception-in-operationMaterializeObjectInOSR-debug.js (added)
• JSTests/stress/termination-exception-in-operationMaterializeObjectInOSR-release.js (added)
• Source/JavaScriptCore/ChangeLog (modified) (1 diff)
• Source/JavaScriptCore/ftl/FTLOperations.cpp (modified) (3 diffs)

trunk/JSTests/ChangeLog

@@ +1 @@
+2022-02-15  Mark Lam  <mark.lam@apple.com>
+
+        Defer TerminationsExceptions while in operationMaterializeObjectInOSR.
+        https://bugs.webkit.org/show_bug.cgi?id=236686
+        rdar://81337114
+
+        Reviewed by Saam Barati.
+
+        These tests are identical except that they are customized with different watchdog
+        timeout periods for a Debug / Release build.  This is a necessary condition in
+        order for the test to manifest this issue if the code is regressed.
+
+        * stress/termination-exception-in-operationMaterializeObjectInOSR-debug.js: Added.
+        * stress/termination-exception-in-operationMaterializeObjectInOSR-release.js: Added.
+
 2022-02-15  Xan Lopez  <xan@igalia.com>
 

trunk/Source/JavaScriptCore/ChangeLog

@@ +1 @@
+2022-02-15  Mark Lam  <mark.lam@apple.com>
+
+        Defer TerminationsExceptions while in operationMaterializeObjectInOSR.
+        https://bugs.webkit.org/show_bug.cgi?id=236686
+        rdar://81337114
+
+        Reviewed by Saam Barati.
+
+        operationMaterializeObjectInOSR expects to always succeed.  It is difficult (and
+        not worth the effort) to make it be able to handle interruptions by the
+        TerminationException.  Since operationMaterializeObjectInOSR is guaranteed to
+        finish running in some finite time, it is reasonable to just defer handling a
+        pending TerminationException until the function returns.
+
+        * ftl/FTLOperations.cpp:
+        (JSC::FTL::JSC_DEFINE_JIT_OPERATION):
+
 2022-02-15  Mark Lam  <mark.lam@apple.com>
 

trunk/Source/JavaScriptCore/ftl/FTLOperations.cpp

@@ -1 +1 @@
 /*
- * Copyright (C) 2014-2021 Apple Inc. All rights reserved.
+ * Copyright (C) 2014-2022 Apple Inc. All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
@@ -48 +48 @@
 #include "JSSetIterator.h"
 #include "RegExpObject.h"
+#include "VMTrapsInlines.h"
 #include <wtf/Assertions.h>
 
@@ -189 +190 @@
     CallFrame* callFrame = DECLARE_CALL_FRAME(vm);
     JITOperationPrologueCallFrameTracer tracer(vm, callFrame);
+
+    // It's too hairy to handle TerminationExceptions during OSR object materialization.
+    // Let's just wait until after.
+    DeferTermination deferTermination(vm);
 
     // We cannot GC. We've got pointers in evil places.