Changeset 132143 in webkit

Timestamp:

Oct 22, 2012 3:09:58 PM (12 years ago)

Author:

mark.lam@apple.com

Message:

Change stack recursion checks to be based on stack availability.
​https://bugs.webkit.org/show_bug.cgi?id=99872.

Reviewed by Filip Pizlo and Geoffrey Garen.

Source/JavaScriptCore:

• Remove m_reentryDepth, ThreadStackType which are now obsolete.
• Replaced the reentryDepth checks with a StackBounds check.
• Added the Interpreter::StackPolicy class to compute a reasonable stack capacity requirement given the native stack that the interpreter is executing on at that time.
• Reserved an amount of JSStack space for the use of error handling and enable its use (using Interpreter::ErrorHandlingMode) when we're about to throw or report an exception.
• Interpreter::StackPolicy also allows more native stack space to be used when in ErrorHandlingMode. This is needed in the case of native stack overflows.
• Fixed the parser so that it throws a StackOverflowError instead of a SyntaxError when it encounters a stack overflow.

• API/JSContextRef.cpp:

(JSContextGroupCreate):
(JSGlobalContextCreateInGroup):

• JavaScriptCore.order:
• JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def:
• interpreter/Interpreter.cpp:

(JSC::Interpreter::ErrorHandlingMode::ErrorHandlingMode):
(JSC):
(JSC::Interpreter::ErrorHandlingMode::~ErrorHandlingMode):
(JSC::Interpreter::StackPolicy::StackPolicy):
(JSC::Interpreter::Interpreter):
(JSC::Interpreter::execute):
(JSC::Interpreter::executeCall):
(JSC::Interpreter::executeConstruct):
(JSC::Interpreter::prepareForRepeatCall):

• interpreter/Interpreter.h:

(JSC):
(Interpreter):
(ErrorHandlingMode):
(StackPolicy):
(JSC::Interpreter::StackPolicy::requiredCapacity):

• interpreter/JSStack.cpp:

(JSC):
(JSC::JSStack::JSStack):
(JSC::JSStack::growSlowCase):
(JSC::JSStack::enableErrorStackReserve):
(JSC::JSStack::disableErrorStackReserve):

• interpreter/JSStack.h:

(JSStack):
(JSC::JSStack::reservationEnd):
(JSC):

• jsc.cpp:

(jscmain):

• parser/Parser.cpp:

(JSC::::Parser):

• parser/Parser.h:

(Parser):
(JSC::::parse):

• runtime/ExceptionHelpers.cpp:

(JSC::throwStackOverflowError):

• runtime/JSGlobalData.cpp:

(JSC::JSGlobalData::JSGlobalData):
(JSC::JSGlobalData::createContextGroup):
(JSC::JSGlobalData::create):
(JSC::JSGlobalData::createLeaked):
(JSC::JSGlobalData::sharedInstance):

• runtime/JSGlobalData.h:

(JSC):
(JSGlobalData):

• runtime/StringRecursionChecker.h:

(JSC::StringRecursionChecker::performCheck):

• testRegExp.cpp:

(realMain):

Source/WebCore:

Removed the use of ThreadStackType. Enabled the reserved JSStack space
for error processing before doing work in reportException().

• bindings/js/JSDOMBinding.cpp:

(WebCore::reportException):

• bindings/js/JSDOMWindowBase.cpp:

(WebCore::JSDOMWindowBase::commonJSGlobalData):

• bindings/js/WorkerScriptController.cpp:

(WebCore::WorkerScriptController::WorkerScriptController):

LayoutTests:

Updated test baseline.

• fast/js/global-recursion-on-full-stack-expected.txt:
• fast/xmlhttprequest/xmlhttprequest-recursive-sync-event-expected.txt:

Location:

trunk

Files:

• LayoutTests/ChangeLog (modified) (1 diff)
• LayoutTests/fast/js/global-recursion-on-full-stack-expected.txt (modified) (1 diff)
• LayoutTests/fast/xmlhttprequest/xmlhttprequest-recursive-sync-event-expected.txt (modified) (1 diff)
• Source/JavaScriptCore/API/JSContextRef.cpp (modified) (2 diffs)
• Source/JavaScriptCore/ChangeLog (modified) (1 diff)
• Source/JavaScriptCore/JavaScriptCore.order (modified) (4 diffs)
• Source/JavaScriptCore/JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def (modified) (3 diffs)
• Source/JavaScriptCore/interpreter/Interpreter.cpp (modified) (18 diffs)
• Source/JavaScriptCore/interpreter/Interpreter.h (modified) (4 diffs)
• Source/JavaScriptCore/interpreter/JSStack.cpp (modified) (4 diffs)
• Source/JavaScriptCore/interpreter/JSStack.h (modified) (2 diffs)
• Source/JavaScriptCore/jsc.cpp (modified) (1 diff)
• Source/JavaScriptCore/parser/Parser.cpp (modified) (3 diffs)
• Source/JavaScriptCore/parser/Parser.h (modified) (2 diffs)
• Source/JavaScriptCore/runtime/ExceptionHelpers.cpp (modified) (1 diff)
• Source/JavaScriptCore/runtime/JSGlobalData.cpp (modified) (4 diffs)
• Source/JavaScriptCore/runtime/JSGlobalData.h (modified) (4 diffs)
• Source/JavaScriptCore/runtime/StringRecursionChecker.h (modified) (2 diffs)
• Source/JavaScriptCore/testRegExp.cpp (modified) (1 diff)
• Source/WebCore/ChangeLog (modified) (1 diff)
• Source/WebCore/bindings/js/JSDOMBinding.cpp (modified) (2 diffs)
• Source/WebCore/bindings/js/JSDOMWindowBase.cpp (modified) (1 diff)
• Source/WebCore/bindings/js/WorkerScriptController.cpp (modified) (1 diff)

trunk/LayoutTests/ChangeLog

@@ +1 @@
+2012-10-22  Mark Lam  <mark.lam@apple.com>
+
+        Change stack recursion checks to be based on stack availability.
+        https://bugs.webkit.org/show_bug.cgi?id=99872.
+
+        Reviewed by Filip Pizlo and Geoffrey Garen.
+
+        Updated test baseline.
+
+        * fast/js/global-recursion-on-full-stack-expected.txt:
+        * fast/xmlhttprequest/xmlhttprequest-recursive-sync-event-expected.txt:
+
 2012-10-22  Andreas Kling  <kling@webkit.org>
 

trunk/LayoutTests/fast/js/global-recursion-on-full-stack-expected.txt

@@ -1 @@
-CONSOLE MESSAGE: 
+CONSOLE MESSAGE: RangeError: Maximum call stack size exceeded.
 This tests global code recursion when the JS stack is full.
 PASS: Entering global code with a full JS stack did not crash, and did not allow continued recursion.

trunk/LayoutTests/fast/xmlhttprequest/xmlhttprequest-recursive-sync-event-expected.txt

@@ -1 @@
-CONSOLE MESSAGE: 
-CONSOLE MESSAGE: 
+CONSOLE MESSAGE: RangeError: Maximum call stack size exceeded.
 This tests that having infinite recursion in XMLHttpRequest event handler does not crash. 
 PASS

trunk/Source/JavaScriptCore/API/JSContextRef.cpp

@@ -55 +55 @@
 {
     initializeThreading();
-    return toRef(JSGlobalData::createContextGroup(ThreadStackTypeSmall).leakRef());
+    return toRef(JSGlobalData::createContextGroup().leakRef());
 }
 
@@ -90 +90 @@
     initializeThreading();
 
-    RefPtr<JSGlobalData> globalData = group ? PassRefPtr<JSGlobalData>(toJS(group)) : JSGlobalData::createContextGroup(ThreadStackTypeSmall);
+    RefPtr<JSGlobalData> globalData = group ? PassRefPtr<JSGlobalData>(toJS(group)) : JSGlobalData::createContextGroup();
 
     APIEntryShim entryShim(globalData.get(), false);

trunk/Source/JavaScriptCore/ChangeLog

@@ +1 @@
+2012-10-22  Mark Lam  <mark.lam@apple.com>
+
+        Change stack recursion checks to be based on stack availability.
+        https://bugs.webkit.org/show_bug.cgi?id=99872.
+
+        Reviewed by Filip Pizlo and Geoffrey Garen.
+
+        - Remove m_reentryDepth, ThreadStackType which are now obsolete.
+        - Replaced the reentryDepth checks with a StackBounds check.
+        - Added the Interpreter::StackPolicy class to compute a reasonable
+          stack capacity requirement given the native stack that the
+          interpreter is executing on at that time.
+        - Reserved an amount of JSStack space for the use of error handling
+          and enable its use (using Interpreter::ErrorHandlingMode) when
+          we're about to throw or report an exception.
+        - Interpreter::StackPolicy also allows more native stack space
+          to be used when in ErrorHandlingMode. This is needed in the case
+          of native stack overflows.
+        - Fixed the parser so that it throws a StackOverflowError instead of
+          a SyntaxError when it encounters a stack overflow.
+
+        * API/JSContextRef.cpp:
+        (JSContextGroupCreate):
+        (JSGlobalContextCreateInGroup):
+        * JavaScriptCore.order:
+        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def:
+        * interpreter/Interpreter.cpp:
+        (JSC::Interpreter::ErrorHandlingMode::ErrorHandlingMode):
+        (JSC):
+        (JSC::Interpreter::ErrorHandlingMode::~ErrorHandlingMode):
+        (JSC::Interpreter::StackPolicy::StackPolicy):
+        (JSC::Interpreter::Interpreter):
+        (JSC::Interpreter::execute):
+        (JSC::Interpreter::executeCall):
+        (JSC::Interpreter::executeConstruct):
+        (JSC::Interpreter::prepareForRepeatCall):
+        * interpreter/Interpreter.h:
+        (JSC):
+        (Interpreter):
+        (ErrorHandlingMode):
+        (StackPolicy):
+        (JSC::Interpreter::StackPolicy::requiredCapacity):
+        * interpreter/JSStack.cpp:
+        (JSC):
+        (JSC::JSStack::JSStack):
+        (JSC::JSStack::growSlowCase):
+        (JSC::JSStack::enableErrorStackReserve):
+        (JSC::JSStack::disableErrorStackReserve):
+        * interpreter/JSStack.h:
+        (JSStack):
+        (JSC::JSStack::reservationEnd):
+        (JSC):
+        * jsc.cpp:
+        (jscmain):
+        * parser/Parser.cpp:
+        (JSC::::Parser):
+        * parser/Parser.h:
+        (Parser):
+        (JSC::::parse):
+        * runtime/ExceptionHelpers.cpp:
+        (JSC::throwStackOverflowError):
+        * runtime/JSGlobalData.cpp:
+        (JSC::JSGlobalData::JSGlobalData):
+        (JSC::JSGlobalData::createContextGroup):
+        (JSC::JSGlobalData::create):
+        (JSC::JSGlobalData::createLeaked):
+        (JSC::JSGlobalData::sharedInstance):
+        * runtime/JSGlobalData.h:
+        (JSC):
+        (JSGlobalData):
+        * runtime/StringRecursionChecker.h:
+        (JSC::StringRecursionChecker::performCheck):
+        * testRegExp.cpp:
+        (realMain):
+
 2012-10-20  Martin Robinson  <mrobinson@igalia.com>
 

trunk/Source/JavaScriptCore/JavaScriptCore.order

@@ -121 +121 @@
 __ZN3JSCL17createJSLockCountEv
 __ZN3JSC12JSGlobalData14sharedInstanceEv
-__ZN3JSC12JSGlobalDataC2ENS0_14GlobalDataTypeENS_15ThreadStackTypeE
+__ZN3JSC12JSGlobalDataC2ENS0_14GlobalDataTypeENS_8HeapTypeE
 __ZN3JSC21createIdentifierTableEv
 __ZN3JSC17CommonIdentifiersC1EPNS_12JSGlobalDataE
@@ -441 +441 @@
 __ZN3WTF10StringImpl11reverseFindEPS0_j
 __ZN3WTF17equalIgnoringCaseEPNS_10StringImplES1_
-__ZN3JSC12JSGlobalData12createLeakedENS_15ThreadStackTypeE
+__ZN3JSC12JSGlobalData12createLeakedENS_8HeapTypeE
 __ZN3JSC24JSObjectWithGlobalObjectC2ERNS_12JSGlobalDataEPNS_14JSGlobalObjectEPNS_9StructureE
 __ZN3JSC8evaluateEPNS_9ExecStateEPNS_14ScopeChainNodeERKNS_10SourceCodeENS_7JSValueE
@@ -1708 +1708 @@
 __ZN3JSCL21arrayProtoFuncReverseEPNS_9ExecStateE
 __ZN3JSC17ProgramExecutable13visitChildrenERNS_9MarkStackE
-__ZN3JSC12JSGlobalData18createContextGroupENS_15ThreadStackTypeE
+__ZN3JSC12JSGlobalData18createContextGroupENS_8HeapTypeE
 __ZN3JSC12JSGlobalData22clearBuiltinStructuresEv
 __ZN3JSC4Heap7destroyEv
@@ -1843 +1843 @@
 __ZN3JSC8JSObject15unwrappedObjectEv
 __ZN3JSC11createErrorEPNS_9ExecStateERKNS_7UStringE
-__ZN3JSC12JSGlobalData6createENS_15ThreadStackTypeE
+__ZN3JSC12JSGlobalData6createENS_8HeapTypeE
 __ZN3JSC8JSObject17putDirectFunctionEPNS_9ExecStateEPNS_10JSFunctionEj
 __ZN3JSC12JSGlobalData13startSamplingEv

trunk/Source/JavaScriptCore/JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def

@@ -11 +11 @@
     ??0DropAllLocks@JSLock@JSC@@QAE@PAVJSGlobalData@2@@Z
     ??0DynamicGlobalObjectScope@JSC@@QAE@AAVJSGlobalData@1@PAVJSGlobalObject@1@@Z 
+    ??0ErrorHandlingMode@Interpreter@JSC@@QAE@PAVExecState@2@@Z
+    ??1ErrorHandlingMode@Interpreter@JSC@@QAE@XZ
     ??0InternalFunction@JSC@@IAE@PAVJSGlobalObject@1@PAVStructure@1@@Z
     ??0JSGlobalObject@JSC@@IAE@AAVJSGlobalData@1@PAVStructure@1@PBUGlobalObjectMethodTable@1@@Z
@@ -119 +121 @@
     ?copyBackingStore@JSObject@JSC@@SAXPAVJSCell@2@AAVCopyVisitor@2@@Z
     ?create@JSFunction@JSC@@SAPAV12@PAVExecState@2@PAVJSGlobalObject@2@HABVString@WTF@@P6I_J0@ZW4Intrinsic@2@3@Z
-    ?create@JSGlobalData@JSC@@SA?AV?$PassRefPtr@VJSGlobalData@JSC@@@WTF@@W4ThreadStackType@2@W4HeapType@2@@Z
+    ?create@JSGlobalData@JSC@@SA?AV?$PassRefPtr@VJSGlobalData@JSC@@@WTF@@W4HeapType@2@@Z
     ?create@OpaqueJSString@@SA?AV?$PassRefPtr@UOpaqueJSString@@@WTF@@ABVString@3@@Z
     ?create@RegExp@JSC@@SAPAV12@AAVJSGlobalData@2@ABVString@WTF@@W4RegExpFlags@2@@Z
@@ -125 +127 @@
     ?createError@JSC@@YAPAVJSObject@1@PAVExecState@1@ABVString@WTF@@@Z
     ?createInterruptedExecutionException@JSC@@YAPAVJSObject@1@PAVJSGlobalData@1@@Z
-    ?createLeaked@JSGlobalData@JSC@@SA?AV?$PassRefPtr@VJSGlobalData@JSC@@@WTF@@W4ThreadStackType@2@W4HeapType@2@@Z
+    ?createLeaked@JSGlobalData@JSC@@SA?AV?$PassRefPtr@VJSGlobalData@JSC@@@WTF@@W4HeapType@2@@Z
     ?createNotEnoughArgumentsError@JSC@@YAPAVJSObject@1@PAVExecState@1@@Z
     ?createRangeError@JSC@@YAPAVJSObject@1@PAVExecState@1@ABVString@WTF@@@Z

trunk/Source/JavaScriptCore/interpreter/Interpreter.cpp

@@ -68 +68 @@
 #include <wtf/StackStats.h>
 #include <wtf/Threading.h>
+#include <wtf/WTFThreadData.h>
 #include <wtf/text/StringBuilder.h>
 
@@ -79 +80 @@
 
 namespace JSC {
+
+Interpreter::ErrorHandlingMode::ErrorHandlingMode(ExecState *exec)
+    : m_interpreter(*exec->interpreter())
+{
+    if (!m_interpreter.m_errorHandlingModeReentry)
+        m_interpreter.stack().enableErrorStackReserve();
+    m_interpreter.m_errorHandlingModeReentry++;
+}
+
+Interpreter::ErrorHandlingMode::~ErrorHandlingMode()
+{
+    m_interpreter.m_errorHandlingModeReentry--;
+    ASSERT(m_interpreter.m_errorHandlingModeReentry >= 0);
+    if (!m_interpreter.m_errorHandlingModeReentry)
+        m_interpreter.stack().disableErrorStackReserve();
+}
+
+
+// The Interpreter::StackPolicy class is used to compute a stack capacity
+// requirement to ensure that we have enough room on the native stack for:
+// 1. the max cummulative stack used by the interpreter and all code
+//    paths sub of it up till leaf functions.
+// 2. the max cummulative stack used by the interpreter before it reaches
+//    the next checkpoint (execute...() function) in the interpreter.
+// 
+// The interpreter can be run on different threads and hence, different
+// native stacks (with different sizes) before exiting out of the first
+// frame. Hence, the required capacity needs to be re-computed on every
+// entry into the interpreter.
+//
+// Currently the requiredStack is computed based on a policy. See comments
+// in StackPolicy::StackPolicy() for details.
+
+Interpreter::StackPolicy::StackPolicy(Interpreter& interpreter, const StackBounds& stack)
+    : m_interpreter(interpreter)
+{
+    int size = stack.size();
+
+    const int DEFAULT_REQUIRED_STACK = 1024 * 1024;
+    const int DEFAULT_MINIMUM_USEABLE_STACK = 128 * 1024;
+    const int DEFAULT_ERROR_MODE_REQUIRED_STACK = 32 * 1024;
+
+    // Here's the policy in a nutshell:
+    //
+    // 1. If we have a large stack, let JS use as much stack as possible
+    //    but require that we have at least DEFAULT_REQUIRED_STACK capacity
+    //    remaining on the stack:
+    //
+    //    stack grows this way -->   
+    //    ---------------------------------------------------------
+    //    |         ... | <-- DEFAULT_REQUIRED_STACK --> | ...
+    //    ---------------------------------------------------------
+    //    ^             ^
+    //    start         current sp
+    //
+    // 2. In event that we're re-entering the interpreter to handle
+    //    exceptions (in error mode), we'll be a little more generous and
+    //    require less stack capacity for the interpreter to be re-entered.
+    //
+    //    This is needed because we may have just detected an eminent stack
+    //    overflow based on the normally computed required stack capacity.
+    //    However, the normal required capacity far exceeds what is needed
+    //    for exception handling work. Hence, in error mode, we only require
+    //    DEFAULT_ERROR_MODE_REQUIRED_STACK capacity.
+    //
+    //    stack grows this way -->   
+    //    -----------------------------------------------------------------
+    //    |         ... | <-- DEFAULT_ERROR_MODE_REQUIRED_STACK --> | ...
+    //    -----------------------------------------------------------------
+    //    ^             ^
+    //    start         current sp
+    //
+    //    This smaller requried capacity also means that we won't re-trigger
+    //    a stack overflow for processing the exception caused by the original
+    //    StackOverflowError.
+    //
+    // 3. If the stack is not large enough, give JS at least a minimum
+    //    amount of useable stack:
+    //
+    //    stack grows this way -->   
+    //    --------------------------------------------------------------------
+    //    | <-- DEFAULT_MINIMUM_USEABLE_STACK --> | <-- requiredCapacity --> |
+    //    --------------------------------------------------------------------
+    //    ^             ^
+    //    start         current sp
+    //
+    //    The minimum useable capacity is DEFAULT_MINIMUM_USEABLE_STACK.
+    //    In this case, the requiredCapacity is whatever is left of the
+    //    total stack capacity after we have give JS its minimum stack
+    //    i.e. requiredCapcity can even be 0 if there's not enough stack.
+
+
+    // Policy 1: Normal mode: required = DEFAULT_REQUIRED_STACK.
+    // Policy 2: Erro mode: required = DEFAULT_ERROR_MODE_REQUIRED_STACK.
+    int requiredCapacity = !m_interpreter.m_errorHandlingModeReentry ?
+        DEFAULT_REQUIRED_STACK : DEFAULT_ERROR_MODE_REQUIRED_STACK;
+
+    int useableStack = size - requiredCapacity;
+
+    // Policy 3: Ensure the useable stack is not too small:
+    if (useableStack < DEFAULT_MINIMUM_USEABLE_STACK)
+        useableStack = DEFAULT_MINIMUM_USEABLE_STACK;
+
+    // Sanity check: Make sure we do not use more space than the stack's
+    // total capacity:
+    if (useableStack > size)
+        useableStack = size;
+
+    // Re-compute the requiredCapacity based on the adjusted useable stack
+    // size:
+    // interpreter stack checks:
+    requiredCapacity = size - useableStack;
+    ASSERT((requiredCapacity >= 0) && (requiredCapacity < size));
+
+    m_requiredCapacity = requiredCapacity;    
+}
+
 
 static CallFrame* getCallerInfo(JSGlobalData*, CallFrame*, int& lineNumber, unsigned& bytecodeOffset);
@@ -248 +366 @@
 Interpreter::Interpreter()
     : m_sampleEntryDepth(0)
-    , m_reentryDepth(0)
+    , m_errorHandlingModeReentry(0)
 #if !ASSERT_DISABLED
     , m_initialized(false)
@@ -755 +873 @@
 
     StackStats::CheckPoint stackCheckPoint;
-    if (m_reentryDepth >= MaxSmallThreadReentryDepth && m_reentryDepth >= callFrame->globalData().maxReentryDepth)
+    const StackBounds& nativeStack = wtfThreadData().stack();
+    StackPolicy policy(*this, nativeStack);
+    if (!nativeStack.isSafeToRecurse(policy.requiredCapacity()))
         return checkedReturn(throwStackOverflowError(callFrame));
 
@@ -891 +1011 @@
         SamplingTool::CallRecord callRecord(m_sampler.get());
 
-        m_reentryDepth++;
 #if ENABLE(LLINT_C_LOOP)
         result = LLInt::CLoop::execute(newCallFrame, llint_program_prologue);
@@ -897 +1016 @@
         result = program->generatedJITCode().execute(&m_stack, newCallFrame, scope->globalData());
 #endif // ENABLE(JIT)
-
-        m_reentryDepth--;
     }
 
@@ -918 +1035 @@
 
     StackStats::CheckPoint stackCheckPoint;
-    if (m_reentryDepth >= MaxSmallThreadReentryDepth && m_reentryDepth >= callFrame->globalData().maxReentryDepth)
+    const StackBounds& nativeStack = wtfThreadData().stack();
+    StackPolicy policy(*this, nativeStack);
+    if (!nativeStack.isSafeToRecurse(policy.requiredCapacity()))
         return checkedReturn(throwStackOverflowError(callFrame));
 
@@ -963 +1082 @@
             SamplingTool::CallRecord callRecord(m_sampler.get());
 
-            m_reentryDepth++;  
 #if ENABLE(LLINT_C_LOOP)
             result = LLInt::CLoop::execute(newCallFrame, llint_function_for_call_prologue);
@@ -969 +1087 @@
             result = callData.js.functionExecutable->generatedJITCodeForCall().execute(&m_stack, newCallFrame, callDataScope->globalData());
 #endif // ENABLE(JIT)
-
-            m_reentryDepth--;
         }
 
@@ -1014 +1130 @@
 
     StackStats::CheckPoint stackCheckPoint;
-    if (m_reentryDepth >= MaxSmallThreadReentryDepth && m_reentryDepth >= callFrame->globalData().maxReentryDepth)
+    const StackBounds& nativeStack = wtfThreadData().stack();
+    StackPolicy policy(*this, nativeStack);
+    if (!nativeStack.isSafeToRecurse(policy.requiredCapacity()))
         return checkedReturn(throwStackOverflowError(callFrame));
 
@@ -1058 +1176 @@
             SamplingTool::CallRecord callRecord(m_sampler.get());
 
-            m_reentryDepth++;  
 #if ENABLE(LLINT_C_LOOP)
             result = LLInt::CLoop::execute(newCallFrame, llint_function_for_construct_prologue);
@@ -1064 +1181 @@
             result = constructData.js.functionExecutable->generatedJITCodeForConstruct().execute(&m_stack, newCallFrame, constructDataScope->globalData());
 #endif // ENABLE(JIT)
-            m_reentryDepth--;
         }
 
@@ -1112 +1228 @@
 
     StackStats::CheckPoint stackCheckPoint;
-    if (m_reentryDepth >= MaxSmallThreadReentryDepth && m_reentryDepth >= callFrame->globalData().maxReentryDepth) {
+    const StackBounds& nativeStack = wtfThreadData().stack();
+    StackPolicy policy(*this, nativeStack);
+    if (!nativeStack.isSafeToRecurse(policy.requiredCapacity())) {
         throwStackOverflowError(callFrame);
         return CallFrameClosure();
@@ -1165 +1283 @@
         SamplingTool::CallRecord callRecord(m_sampler.get());
         
-        m_reentryDepth++;  
 #if ENABLE(LLINT_C_LOOP)
         result = LLInt::CLoop::execute(closure.newCallFrame, llint_function_for_call_prologue);
@@ -1171 +1288 @@
         result = closure.functionExecutable->generatedJITCodeForCall().execute(&m_stack, closure.newCallFrame, closure.globalData);
 #endif // ENABLE(JIT)
-        m_reentryDepth--;
     }
 
@@ -1198 +1314 @@
 
     StackStats::CheckPoint stackCheckPoint;
-    if (m_reentryDepth >= MaxSmallThreadReentryDepth && m_reentryDepth >= callFrame->globalData().maxReentryDepth)
+    const StackBounds& nativeStack = wtfThreadData().stack();
+    StackPolicy policy(*this, nativeStack);
+    if (!nativeStack.isSafeToRecurse(policy.requiredCapacity()))
         return checkedReturn(throwStackOverflowError(callFrame));
 
@@ -1259 +1377 @@
     {
         SamplingTool::CallRecord callRecord(m_sampler.get());
-
-        m_reentryDepth++;
         
 #if ENABLE(LLINT_C_LOOP)
@@ -1267 +1383 @@
         result = eval->generatedJITCode().execute(&m_stack, newCallFrame, scope->globalData());
 #endif // ENABLE(JIT)
-        m_reentryDepth--;
     }
 

trunk/Source/JavaScriptCore/interpreter/Interpreter.h

@@ -171 +171 @@
     };
 
-    // We use a smaller reentrancy limit on iPhone because of the high amount of
-    // stack space required on the web thread.
-#if PLATFORM(IOS)
-    enum { MaxLargeThreadReentryDepth = 64, MaxSmallThreadReentryDepth = 16 };
-#else
-    enum { MaxLargeThreadReentryDepth = 256, MaxSmallThreadReentryDepth = 16 };
-#endif // PLATFORM(IOS)
-
     class Interpreter {
         WTF_MAKE_FAST_ALLOCATED;
@@ -184 +176 @@
         friend class LLIntOffsetsExtractor;
         friend class JIT;
+
     public:
+        class ErrorHandlingMode {
+        public:
+            JS_EXPORT_PRIVATE ErrorHandlingMode(ExecState*);
+            JS_EXPORT_PRIVATE ~ErrorHandlingMode();
+        private:
+            Interpreter& m_interpreter;
+        };
+
         Interpreter();
         ~Interpreter();
@@ -242 +243 @@
 
     private:
+        class StackPolicy {
+        public:
+            StackPolicy(Interpreter&, const StackBounds&);
+            inline size_t requiredCapacity() { return m_requiredCapacity; }
+
+        private:
+            Interpreter& m_interpreter;
+            size_t m_requiredCapacity;
+        };
+
         enum ExecutionFlag { Normal, InitializeAndReturn };
 
@@ -262 +273 @@
         OwnPtr<SamplingTool> m_sampler;
 
-        int m_reentryDepth;
-
         JSStack m_stack;
+        int m_errorHandlingModeReentry;
         
 #if ENABLE(COMPUTED_GOTO_OPCODES) && ENABLE(LLINT)

trunk/Source/JavaScriptCore/interpreter/JSStack.cpp

@@ -42 +42 @@
     return staticMutex;
 }    
-    
+
+JSStack::JSStack(size_t capacity)
+    : m_end(0)
+{
+    ASSERT(capacity && isPageAligned(capacity));
+
+    m_reservation = PageReservation::reserve(roundUpAllocationSize(capacity * sizeof(Register), commitSize), OSAllocator::JSVMStackPages);
+    m_end = static_cast<Register*>(m_reservation.base());
+    m_commitEnd = static_cast<Register*>(m_reservation.base());
+
+    disableErrorStackReserve();
+}
+
 JSStack::~JSStack()
 {
@@ -53 +65 @@
 bool JSStack::growSlowCase(Register* newEnd)
 {
+    // If we have already committed enough memory to satisfy this request,
+    // just update the end pointer and return.
     if (newEnd <= m_commitEnd) {
         m_end = newEnd;
@@ -58 +72 @@
     }
 
+    // Compute the chunk size of additional memory to commit, and see if we
+    // have it is still within our budget. If not, we'll fail to grow and
+    // return false.
     long delta = roundUpAllocationSize(reinterpret_cast<char*>(newEnd) - reinterpret_cast<char*>(m_commitEnd), commitSize);
-    if (reinterpret_cast<char*>(m_commitEnd) + delta > static_cast<char*>(m_reservation.base()) + m_reservation.size())
+    if (reinterpret_cast<char*>(m_commitEnd) + delta > reinterpret_cast<char*>(m_useableEnd))
         return false;
 
+    // Otherwise, the growth is still within our budget. Go ahead and commit
+    // it and return true.
     m_reservation.commit(m_commitEnd, delta);
     addToCommittedByteCount(delta);
@@ -105 +124 @@
 }
 
+void JSStack::enableErrorStackReserve()
+{
+    m_useableEnd = reservationEnd();
+}
+
+void JSStack::disableErrorStackReserve()
+{
+    char* useableEnd = reinterpret_cast<char*>(reservationEnd()) - commitSize;
+    m_useableEnd = reinterpret_cast<Register*>(useableEnd);
+
+    // By the time we get here, we are guaranteed to be destructing the last
+    // Interpreter::ErrorHandlingMode that enabled this reserve in the first
+    // place. That means the stack space beyond m_useableEnd before we
+    // enabled the reserve was not previously in use. Hence, it is safe to
+    // shrink back to that m_useableEnd.
+    if (m_end > m_useableEnd)
+        shrink(m_useableEnd);
+}
+
 } // namespace JSC

trunk/Source/JavaScriptCore/interpreter/JSStack.h

@@ -83 +83 @@
         }
 
+        void enableErrorStackReserve();
+        void disableErrorStackReserve();
+
     private:
         friend class LLIntOffsetsExtractor;
+
+        Register* reservationEnd() const
+        {
+            char* base = static_cast<char*>(m_reservation.base());
+            char* reservationEnd = base + m_reservation.size();
+            return reinterpret_cast<Register*>(reservationEnd);
+        }
 
         bool growSlowCase(Register*);
@@ -91 +101 @@
         Register* m_end;
         Register* m_commitEnd;
+        Register* m_useableEnd;
         PageReservation m_reservation;
     };
-
-    inline JSStack::JSStack(size_t capacity)
-        : m_end(0)
-    {
-        ASSERT(capacity && isPageAligned(capacity));
-
-        m_reservation = PageReservation::reserve(roundUpAllocationSize(capacity * sizeof(Register), commitSize), OSAllocator::JSVMStackPages);
-        m_end = static_cast<Register*>(m_reservation.base());
-        m_commitEnd = static_cast<Register*>(m_reservation.base());
-    }
 
     inline void JSStack::shrink(Register* newEnd)

trunk/Source/JavaScriptCore/jsc.cpp

@@ -747 +747 @@
     // comes first.
     CommandLine options(argc, argv);
-    RefPtr<JSGlobalData> globalData = JSGlobalData::create(ThreadStackTypeLarge, LargeHeap);
+    RefPtr<JSGlobalData> globalData = JSGlobalData::create(LargeHeap);
     JSLockHolder lock(globalData.get());
     int result;

trunk/Source/JavaScriptCore/parser/Parser.cpp

@@ -40 +40 @@
 #define failWithMessage(msg) do { if (!m_error) updateErrorMessage(msg); return 0; } while (0)
 #define failWithNameAndMessage(before, name, after) do { if (!m_error) updateErrorWithNameAndMessage(before, name, after); return 0; } while (0)
+#define failWithStackOverflow() do { m_error = true; m_hasStackOverflow = true; return 0; } while (0)
 #define failIfFalse(cond) do { if (!(cond)) fail(); } while (0)
 #define failIfFalseWithMessage(cond, msg) do { if (!(cond)) failWithMessage(msg); } while (0)
@@ -55 +56 @@
 #define consumeOrFailWithFlags(tokenType, flags) do { if (!consume(tokenType, flags)) failWithToken(tokenType); } while (0)
 #define matchOrFail(tokenType) do { if (!match(tokenType)) failWithToken(tokenType); } while (0)
-#define failIfStackOverflow() do { failIfFalseWithMessage(canRecurse(), "Code nested too deeply."); } while (0)
+#define failIfStackOverflow() do { if (!canRecurse()) failWithStackOverflow(); } while (0)
 
 using namespace std;
@@ -66 +67 @@
     , m_source(&source)
     , m_stack(wtfThreadData().stack())
+    , m_hasStackOverflow(false)
     , m_error(false)
     , m_errorMessage("Parse error")

trunk/Source/JavaScriptCore/parser/Parser.h

@@ -897 +897 @@
     
     StackBounds m_stack;
+    bool m_hasStackOverflow;
     bool m_error;
     String m_errorMessage;
@@ -988 +989 @@
         // code we assume that it was a syntax error since running out of stack is much less
         // likely, and we are currently unable to distinguish between the two cases.
-        if (isFunctionBodyNode(static_cast<ParsedNode*>(0)))
+        if (isFunctionBodyNode(static_cast<ParsedNode*>(0)) || m_hasStackOverflow)
             *exception = createStackOverflowError(lexicalGlobalObject);
         else if (isEvalNode<ParsedNode>())

trunk/Source/JavaScriptCore/runtime/ExceptionHelpers.cpp

@@ -164 +164 @@
 JSObject* throwStackOverflowError(ExecState* exec)
 {
+    Interpreter::ErrorHandlingMode mode(exec);
     return throwError(exec, createStackOverflowError(exec));
 }

trunk/Source/JavaScriptCore/runtime/JSGlobalData.cpp

@@ -131 +131 @@
 #endif // ENABLE(!ASSEMBLER)
 
-JSGlobalData::JSGlobalData(GlobalDataType globalDataType, ThreadStackType threadStackType, HeapType heapType)
+JSGlobalData::JSGlobalData(GlobalDataType globalDataType, HeapType heapType)
     :
 #if ENABLE(ASSEMBLER)
@@ -172 +172 @@
     , dynamicGlobalObject(0)
     , cachedUTCOffset(std::numeric_limits<double>::quiet_NaN())
-    , maxReentryDepth(threadStackType == ThreadStackTypeSmall ? MaxSmallThreadReentryDepth : MaxLargeThreadReentryDepth)
     , m_enabledProfiler(0)
     , m_regExpCache(new RegExpCache(this))
@@ -311 +310 @@
 }
 
-PassRefPtr<JSGlobalData> JSGlobalData::createContextGroup(ThreadStackType type, HeapType heapType)
-{
-    return adoptRef(new JSGlobalData(APIContextGroup, type, heapType));
-}
-
-PassRefPtr<JSGlobalData> JSGlobalData::create(ThreadStackType type, HeapType heapType)
-{
-    return adoptRef(new JSGlobalData(Default, type, heapType));
-}
-
-PassRefPtr<JSGlobalData> JSGlobalData::createLeaked(ThreadStackType type, HeapType heapType)
-{
-    return create(type, heapType);
+PassRefPtr<JSGlobalData> JSGlobalData::createContextGroup(HeapType heapType)
+{
+    return adoptRef(new JSGlobalData(APIContextGroup, heapType));
+}
+
+PassRefPtr<JSGlobalData> JSGlobalData::create(HeapType heapType)
+{
+    return adoptRef(new JSGlobalData(Default, heapType));
+}
+
+PassRefPtr<JSGlobalData> JSGlobalData::createLeaked(HeapType heapType)
+{
+    return create(heapType);
 }
 
@@ -336 +335 @@
     JSGlobalData*& instance = sharedInstanceInternal();
     if (!instance) {
-        instance = adoptRef(new JSGlobalData(APIShared, ThreadStackTypeSmall, SmallHeap)).leakRef();
+        instance = adoptRef(new JSGlobalData(APIShared, SmallHeap)).leakRef();
         instance->makeUsableFromMultipleThreads();
     }

trunk/Source/JavaScriptCore/runtime/JSGlobalData.h

@@ -105 +105 @@
     };
 
-    enum ThreadStackType {
-        ThreadStackTypeLarge,
-        ThreadStackTypeSmall
-    };
-
 #if ENABLE(DFG_JIT)
     class ConservativeRoots;
@@ -165 +160 @@
         JS_EXPORT_PRIVATE static JSGlobalData& sharedInstance();
 
-        JS_EXPORT_PRIVATE static PassRefPtr<JSGlobalData> create(ThreadStackType, HeapType = SmallHeap);
-        JS_EXPORT_PRIVATE static PassRefPtr<JSGlobalData> createLeaked(ThreadStackType, HeapType = SmallHeap);
-        static PassRefPtr<JSGlobalData> createContextGroup(ThreadStackType, HeapType = SmallHeap);
+        JS_EXPORT_PRIVATE static PassRefPtr<JSGlobalData> create(HeapType = SmallHeap);
+        JS_EXPORT_PRIVATE static PassRefPtr<JSGlobalData> createLeaked(HeapType = SmallHeap);
+        static PassRefPtr<JSGlobalData> createContextGroup(HeapType = SmallHeap);
         JS_EXPORT_PRIVATE ~JSGlobalData();
 
@@ -346 +341 @@
         String cachedDateString;
         double cachedDateStringValue;
-
-        int maxReentryDepth;
 
         Profiler* m_enabledProfiler;
@@ -448 +441 @@
         friend class LLIntOffsetsExtractor;
         
-        JSGlobalData(GlobalDataType, ThreadStackType, HeapType);
+        JSGlobalData(GlobalDataType, HeapType);
         static JSGlobalData*& sharedInstanceInternal();
         void createNativeThunk();

trunk/Source/JavaScriptCore/runtime/StringRecursionChecker.h

@@ -23 +23 @@
 #include "Interpreter.h"
 #include <wtf/StackStats.h>
+#include <wtf/WTFThreadData.h>
 
 namespace JSC {
@@ -49 +50 @@
 inline JSValue StringRecursionChecker::performCheck()
 {
-    int size = m_exec->globalData().stringRecursionCheckVisitedObjects.size();
-    if (size >= MaxSmallThreadReentryDepth && size >= m_exec->globalData().maxReentryDepth)
+    const StackBounds& nativeStack = wtfThreadData().stack();
+    if (!nativeStack.isSafeToRecurse())
         return throwStackOverflowError();
     bool alreadyVisited = !m_exec->globalData().stringRecursionCheckVisitedObjects.add(m_thisObject).isNewEntry;

trunk/Source/JavaScriptCore/testRegExp.cpp

@@ -499 +499 @@
 int realMain(int argc, char** argv)
 {
-    RefPtr<JSGlobalData> globalData = JSGlobalData::create(ThreadStackTypeLarge, LargeHeap);
+    RefPtr<JSGlobalData> globalData = JSGlobalData::create(LargeHeap);
     JSLockHolder lock(globalData.get());
 

trunk/Source/WebCore/ChangeLog

@@ +1 @@
+2012-10-22  Mark Lam  <mark.lam@apple.com>
+
+        Change stack recursion checks to be based on stack availability.
+        https://bugs.webkit.org/show_bug.cgi?id=99872.
+
+        Reviewed by Filip Pizlo and Geoffrey Garen.
+
+        Removed the use of ThreadStackType. Enabled the reserved JSStack space
+        for error processing before doing work in reportException().
+
+        * bindings/js/JSDOMBinding.cpp:
+        (WebCore::reportException):
+        * bindings/js/JSDOMWindowBase.cpp:
+        (WebCore::JSDOMWindowBase::commonJSGlobalData):
+        * bindings/js/WorkerScriptController.cpp:
+        (WebCore::WorkerScriptController::WorkerScriptController):
+
 2012-10-22  Andreas Kling  <kling@webkit.org>
 

trunk/Source/WebCore/bindings/js/JSDOMBinding.cpp

@@ -32 +32 @@
 #include "JSExceptionBase.h"
 #include "ScriptCallStack.h"
+#include <interpreter/Interpreter.h>
 #include <runtime/DateInstance.h>
 #include <runtime/Error.h>
@@ -150 +151 @@
         return;
 
+    Interpreter::ErrorHandlingMode mode(exec);
     String errorMessage = exception.toString(exec)->value(exec);
     JSObject* exceptionObject = exception.toObject(exec);

trunk/Source/WebCore/bindings/js/JSDOMWindowBase.cpp

@@ -182 +182 @@
     if (!globalData) {
         ScriptController::initializeThreading();
-        globalData = JSGlobalData::createLeaked(ThreadStackTypeLarge, LargeHeap).leakRef();
+        globalData = JSGlobalData::createLeaked(LargeHeap).leakRef();
         globalData->timeoutChecker.setTimeoutInterval(10000); // 10 seconds
 #ifndef NDEBUG

trunk/Source/WebCore/bindings/js/WorkerScriptController.cpp

@@ -56 +56 @@
 
 WorkerScriptController::WorkerScriptController(WorkerContext* workerContext)
-    : m_globalData(JSGlobalData::create(ThreadStackTypeSmall))
+    : m_globalData(JSGlobalData::create())
     , m_workerContext(workerContext)
     , m_workerContextWrapper(*m_globalData)