Changeset 203142 in webkit

Timestamp:

Jul 12, 2016 5:19:15 PM (8 years ago)

Author:

mark.lam@apple.com

Message:

We should use different stack limits for stack checks from JS and host code.
​https://bugs.webkit.org/show_bug.cgi?id=159442
<rdar://problem/26889188>

Reviewed by Geoffrey Garen.

Source/JavaScriptCore:

We have 2 stack reservedZoneSizes:

1. Options::softReservedZoneSize()
2. Options::reservedZoneSize()

Respectively, there are used to define 2 stack limits based on these reserved
zone sizes:

1. VM::m_softStackLimit
2. VM::m_stackLimit

Options::reservedZoneSize() is the amount of the stack space that JSC guarantees
to the VM and client host code for it's use. Host code that has well known
stack usage characteristics (i.e. doesn't call arbitrary code) may do stack
checks against the VM::m_stackLimit limit (which is computed using
Options::reservedZoneSize()).

Options::softReservedZoneSize() is a more conservative amount of reserved stack
space. This is used to compute the VM::m_softStackLimit limit. Any code that
is difficult to have its stack usage characterized (i.e. may call arbitrary code)
may need more stack space for its work. Hence, these should do stack checks
against the VM::m_softStackLimit limit.

JS code and host code that may call into JS code falls into the category of code
that may call arbitrary code. Hence, they should do stack checks against the
VM::m_softStackLimit limit.

Accordingly, the VM now provides 2 recursion check functions:

1. VM::isSafeToRecurseSoft() will do a stack check against VM::m_softStackLimit. In addition, for C Loop builds, VM::isSafeToRecurseSoft() will also check the CLoopStack against VM::m_cloopStackLimit.

2. VM::isSafeToRecurse() will do a stack check against VM::m_stackLimit.

Also added a promise-infinite-recursion-should-not-crash.js test.

• bytecompiler/BytecodeGenerator.h:

(JSC::BytecodeGenerator::emitNodeInTailPosition):
(JSC::BytecodeGenerator::emitNodeInConditionContext):

• interpreter/CLoopStack.cpp:

(JSC::CLoopStack::grow):

• interpreter/CLoopStack.h:

(JSC::CLoopStack::size):

• interpreter/CLoopStackInlines.h:

(JSC::CLoopStack::ensureCapacityFor):
(JSC::CLoopStack::isSafeToRecurse):
(JSC::CLoopStack::topOfFrameFor):

• interpreter/CachedCall.h:

(JSC::CachedCall::CachedCall):

• interpreter/Interpreter.cpp:

(JSC::Interpreter::execute):
(JSC::Interpreter::executeCall):
(JSC::Interpreter::executeConstruct):

• llint/LLIntSlowPaths.cpp:

(JSC::LLInt::LLINT_SLOW_PATH_DECL):

• parser/Parser.cpp:
• runtime/Options.h:
• runtime/ProxyObject.cpp:

(JSC::performProxyGet):
(JSC::ProxyObject::performInternalMethodGetOwnProperty):
(JSC::ProxyObject::performHasProperty):
(JSC::ProxyObject::getOwnPropertySlotCommon):
(JSC::ProxyObject::performPut):
(JSC::performProxyCall):
(JSC::performProxyConstruct):
(JSC::ProxyObject::performDelete):
(JSC::ProxyObject::performPreventExtensions):
(JSC::ProxyObject::performIsExtensible):
(JSC::ProxyObject::performDefineOwnProperty):
(JSC::ProxyObject::performGetOwnPropertyNames):
(JSC::ProxyObject::performSetPrototype):
(JSC::ProxyObject::performGetPrototype):

• runtime/RegExp.cpp:

(JSC::RegExp::finishCreation):
(JSC::RegExp::compile):
(JSC::RegExp::compileMatchOnly):

• runtime/StringRecursionChecker.h:

(JSC::StringRecursionChecker::performCheck):

• runtime/VM.cpp:

(JSC::VM::setStackPointerAtVMEntry):
(JSC::VM::updateSoftReservedZoneSize):
(JSC::preCommitStackMemory):
(JSC::VM::updateStackLimits):
(JSC::VM::updateStackLimit): Deleted.

• runtime/VM.h:

(JSC::VM::stackLimit):
(JSC::VM::softStackLimit):
(JSC::VM::addressOfSoftStackLimit):
(JSC::VM::setCLoopStackLimit):
(JSC::VM::isSafeToRecurse):
(JSC::VM::lastStackTop):
(JSC::VM::setException):

• runtime/VMInlines.h:

(JSC::VM::ensureStackCapacityFor):
(JSC::VM::isSafeToRecurseSoft):
(JSC::VM::shouldTriggerTermination):

• tests/stress/promise-infinite-recursion-should-not-crash.js: Added.

(testPromise):
(promiseFunc):

• yarr/YarrPattern.cpp:

Tools:

In ​http://trac.webkit.org/r203067, we limited the amount of stack that tests will
run with to keep stack overflow tests sane. Turns out, we also need to teach the
LayoutTestRelay to pass env vars over to the iOS simulator. This is needed in
order to keep the js/regress-139548.html test happy with this patch.

Also fixed up run_webkit_tests.py to explicitly pass an int size value for the
JSC_maxPerThreadStackUsage option. Otherwise, it will pass a float value.

• LayoutTestRelay/LayoutTestRelay/LTRelayController.m:

(-[LTRelayController _environmentVariables]):

• Scripts/webkitpy/layout_tests/run_webkit_tests.py:

(main):

LayoutTests:

• js/regress-141098-expected.txt:
• js/script-tests/regress-141098.js:

(testEval):
(probeAndRecurse):

• Gave all the test constants names.
• Tweaked the constants to allow the test to run in the least amount of time, and also to behave consistently across all test configurations.
• Re-enable eager tests now that the test should finish quickly.

Location:

trunk

Files:

• LayoutTests/ChangeLog (modified) (1 diff)
• LayoutTests/js/regress-141098-expected.txt (modified) (1 diff)
• LayoutTests/js/script-tests/regress-141098.js (modified) (6 diffs)
• Source/JavaScriptCore/ChangeLog (modified) (1 diff)
• Source/JavaScriptCore/bytecompiler/BytecodeGenerator.h (modified) (3 diffs)
• Source/JavaScriptCore/interpreter/CLoopStack.cpp (modified) (1 diff)
• Source/JavaScriptCore/interpreter/CLoopStack.h (modified) (1 diff)
• Source/JavaScriptCore/interpreter/CLoopStackInlines.h (modified) (1 diff)
• Source/JavaScriptCore/interpreter/CachedCall.h (modified) (3 diffs)
• Source/JavaScriptCore/interpreter/Interpreter.cpp (modified) (5 diffs)
• Source/JavaScriptCore/llint/LLIntSlowPaths.cpp (modified) (1 diff)
• Source/JavaScriptCore/parser/Parser.cpp (modified) (1 diff)
• Source/JavaScriptCore/runtime/Options.h (modified) (1 diff)
• Source/JavaScriptCore/runtime/ProxyObject.cpp (modified) (15 diffs)
• Source/JavaScriptCore/runtime/RegExp.cpp (modified) (3 diffs)
• Source/JavaScriptCore/runtime/StringRecursionChecker.h (modified) (3 diffs)
• Source/JavaScriptCore/runtime/VM.cpp (modified) (4 diffs)
• Source/JavaScriptCore/runtime/VM.h (modified) (4 diffs)
• Source/JavaScriptCore/runtime/VMInlines.h (modified) (1 diff)
• Source/JavaScriptCore/tests/stress/promise-infinite-recursion-should-not-crash.js (added)
• Source/JavaScriptCore/yarr/YarrPattern.cpp (modified) (2 diffs)
• Tools/ChangeLog (modified) (1 diff)
• Tools/LayoutTestRelay/LayoutTestRelay/LTRelayController.m (modified) (2 diffs)
• Tools/Scripts/webkitpy/layout_tests/run_webkit_tests.py (modified) (1 diff)

trunk/LayoutTests/ChangeLog

@@ +1 @@
+2016-07-12  Mark Lam  <mark.lam@apple.com>
+
+        We should use different stack limits for stack checks from JS and host code.
+        https://bugs.webkit.org/show_bug.cgi?id=159442
+        <rdar://problem/26889188>
+
+        Reviewed by Geoffrey Garen.
+
+        * js/regress-141098-expected.txt:
+        * js/script-tests/regress-141098.js:
+        (testEval):
+        (probeAndRecurse):
+        - Gave all the test constants names.
+        - Tweaked the constants to allow the test to run in the least amount of time, and
+          also to behave consistently across all test configurations.
+        - Re-enable eager tests now that the test should finish quickly.
+
 2016-07-12  Dean Jackson  <dino@apple.com>
 

trunk/LayoutTests/js/regress-141098-expected.txt

@@ -5 +5 @@
 
 PASS Initial setup
+Starting 1st probeAndRecurse
 PASS Exception: RangeError: Maximum call stack size exceeded.
+Starting 2nd probeAndRecurse
 PASS Exception: RangeError: Maximum call stack size exceeded.
 PASS successfullyParsed is true

trunk/LayoutTests/js/script-tests/regress-141098.js

@@ -1 @@
-//@ noEagerNoNoLLIntTestsRunLayoutTest
+//@ noNoLLIntRunLayoutTest
 
 description("Regression test for https://webkit.org/b/141098. Make sure eval() properly handles running out of stack space. This test should run without crashing.");
@@ -6 +6 @@
 // if run in run-jsc-stress-tests with the eager settings.
 
+// countStart, countIncrement, and numberOfFramesToBackoffFromStackOverflowPoint were
+// empirically determined to be the values that will cause StackOverflowErrors to be
+// thrown where the tests expects them. If stack frame layouts change sufficiently (e.g.
+// due to JIT changes) such that this test starts failing (due to text output
+// differences), then these values will need to be rebased.
+// Under no circumstance should this test ever crash.
+let countStart = 2;
+let countIncrement = 8;
+let numberOfFramesToBackoffFromStackOverflowPoint = 50;
+
+// backoffEverything is chosen to be -1 because a negative number will never be
+// decremented to 0, and hence, will cause probeAndRecurse() to return out of every
+// frame instead of retrying the eval test.
+let backoffEverything = -1;
+
 var lastEvalString = "";
 
@@ -11 +26 @@
 {
     var result;
-    var count = 1;
+    var count = countStart;
 
     if (!maxIterations)
         var result = eval(lastEvalString);
     else {
-        for (var iter = 0; iter < maxIterations; count *= 4, iter++) {
+        for (var iter = 0; iter < maxIterations; count *= countIncrement, iter++) {
             var evalString = "\"dummy\".valueOf(";
 
@@ -36 +51 @@
 }
 
-function probeAndRecurse(depth, reuseEvalString)
+function probeAndRecurse(reuseEvalString)
 {
-    var result;
+    var framesToBackOffFromStackOverflowPoint;
 
     // Probe stack depth
     try {
-        result = probeAndRecurse(depth+1, reuseEvalString);
+        remainingFramesToBackOff = probeAndRecurse(reuseEvalString);
 
-        if (!result) {
+        if (!remainingFramesToBackOff) {
+            // We've backed off a number of frames. Now retry the eval test to see if we
+            // still overflow.
             try {
                 testEval(1);
             } catch (e) {
-                return -49;
+                // Yikes. We still overflow. Back off some more.
+                return numberOfFramesToBackoffFromStackOverflowPoint;
             }
         } else
-            return result + 1
+            return remainingFramesToBackOff - 1
     } catch (e) {
         // We exceeded stack space, now return up the stack until we can execute a simple eval.
         // Then run an eval test to exceed stack.
-        return -49;
+        return numberOfFramesToBackoffFromStackOverflowPoint;
     }
 
@@ -64 +82 @@
     }
 
-    return 1;
+    return backoffEverything;
 }
 
-// Because this test intentionlly exhausts the stack, we call testPassed() to ensure
+// Because this test intentionally exhausts the stack, we call testPassed() to ensure
 // everything we need in that path has been compiled and is available.  Otherwise we
 // might properly handle an out of stack, but run out of stack calling testPassed().
 testPassed("Initial setup");
 
-var depth = probeAndRecurse(0, false);
+debug("Starting 1st probeAndRecurse");
+probeAndRecurse(false);
 
 // Tier up the eval'ed code.
@@ -80 +99 @@
     testEval(0);
 
-probeAndRecurse(0, true);
+debug("Starting 2nd probeAndRecurse");
+probeAndRecurse(true);

trunk/Source/JavaScriptCore/ChangeLog

@@ +1 @@
+2016-07-12  Mark Lam  <mark.lam@apple.com>
+
+        We should use different stack limits for stack checks from JS and host code.
+        https://bugs.webkit.org/show_bug.cgi?id=159442
+        <rdar://problem/26889188>
+
+        Reviewed by Geoffrey Garen.
+
+        We have 2 stack reservedZoneSizes:
+        1. Options::softReservedZoneSize()
+        2. Options::reservedZoneSize()
+
+        Respectively, there are used to define 2 stack limits based on these reserved
+        zone sizes:
+        1. VM::m_softStackLimit
+        2. VM::m_stackLimit
+
+        Options::reservedZoneSize() is the amount of the stack space that JSC guarantees
+        to the VM and client host code for it's use.  Host code that has well known
+        stack usage characteristics (i.e. doesn't call arbitrary code) may do stack
+        checks against the VM::m_stackLimit limit (which is computed using
+        Options::reservedZoneSize()).
+
+        Options::softReservedZoneSize() is a more conservative amount of reserved stack
+        space.  This is used to compute the VM::m_softStackLimit limit.  Any code that
+        is difficult to have its stack usage characterized (i.e. may call arbitrary code)
+        may need more stack space for its work.  Hence, these should do stack checks
+        against the VM::m_softStackLimit limit.
+
+        JS code and host code that may call into JS code falls into the category of code
+        that may call arbitrary code.  Hence, they should do stack checks against the
+        VM::m_softStackLimit limit.
+
+        Accordingly, the VM now provides 2 recursion check functions:
+
+        1. VM::isSafeToRecurseSoft() will do a stack check against VM::m_softStackLimit.
+           In addition, for C Loop builds, VM::isSafeToRecurseSoft() will also
+           check the CLoopStack against VM::m_cloopStackLimit.
+
+        2. VM::isSafeToRecurse() will do a stack check against VM::m_stackLimit.
+
+        Also added a promise-infinite-recursion-should-not-crash.js test.
+
+        * bytecompiler/BytecodeGenerator.h:
+        (JSC::BytecodeGenerator::emitNodeInTailPosition):
+        (JSC::BytecodeGenerator::emitNodeInConditionContext):
+        * interpreter/CLoopStack.cpp:
+        (JSC::CLoopStack::grow):
+        * interpreter/CLoopStack.h:
+        (JSC::CLoopStack::size):
+        * interpreter/CLoopStackInlines.h:
+        (JSC::CLoopStack::ensureCapacityFor):
+        (JSC::CLoopStack::isSafeToRecurse):
+        (JSC::CLoopStack::topOfFrameFor):
+        * interpreter/CachedCall.h:
+        (JSC::CachedCall::CachedCall):
+        * interpreter/Interpreter.cpp:
+        (JSC::Interpreter::execute):
+        (JSC::Interpreter::executeCall):
+        (JSC::Interpreter::executeConstruct):
+        * llint/LLIntSlowPaths.cpp:
+        (JSC::LLInt::LLINT_SLOW_PATH_DECL):
+        * parser/Parser.cpp:
+        * runtime/Options.h:
+        * runtime/ProxyObject.cpp:
+        (JSC::performProxyGet):
+        (JSC::ProxyObject::performInternalMethodGetOwnProperty):
+        (JSC::ProxyObject::performHasProperty):
+        (JSC::ProxyObject::getOwnPropertySlotCommon):
+        (JSC::ProxyObject::performPut):
+        (JSC::performProxyCall):
+        (JSC::performProxyConstruct):
+        (JSC::ProxyObject::performDelete):
+        (JSC::ProxyObject::performPreventExtensions):
+        (JSC::ProxyObject::performIsExtensible):
+        (JSC::ProxyObject::performDefineOwnProperty):
+        (JSC::ProxyObject::performGetOwnPropertyNames):
+        (JSC::ProxyObject::performSetPrototype):
+        (JSC::ProxyObject::performGetPrototype):
+        * runtime/RegExp.cpp:
+        (JSC::RegExp::finishCreation):
+        (JSC::RegExp::compile):
+        (JSC::RegExp::compileMatchOnly):
+        * runtime/StringRecursionChecker.h:
+        (JSC::StringRecursionChecker::performCheck):
+        * runtime/VM.cpp:
+        (JSC::VM::setStackPointerAtVMEntry):
+        (JSC::VM::updateSoftReservedZoneSize):
+        (JSC::preCommitStackMemory):
+        (JSC::VM::updateStackLimits):
+        (JSC::VM::updateStackLimit): Deleted.
+        * runtime/VM.h:
+        (JSC::VM::stackLimit):
+        (JSC::VM::softStackLimit):
+        (JSC::VM::addressOfSoftStackLimit):
+        (JSC::VM::setCLoopStackLimit):
+        (JSC::VM::isSafeToRecurse):
+        (JSC::VM::lastStackTop):
+        (JSC::VM::setException):
+        * runtime/VMInlines.h:
+        (JSC::VM::ensureStackCapacityFor):
+        (JSC::VM::isSafeToRecurseSoft):
+        (JSC::VM::shouldTriggerTermination):
+        * tests/stress/promise-infinite-recursion-should-not-crash.js: Added.
+        (testPromise):
+        (promiseFunc):
+        * yarr/YarrPattern.cpp:
+
 2016-07-12  Per Arne Vollan  <pvollan@apple.com>
 

trunk/Source/JavaScriptCore/bytecompiler/BytecodeGenerator.h

@@ -385 +385 @@
             // Node::emitCode assumes that dst, if provided, is either a local or a referenced temporary.
             ASSERT(!dst || dst == ignoredResult() || !dst->isTemporary() || dst->refCount());
-            if (!m_vm->isSafeToRecurse()) {
+            if (UNLIKELY(!m_vm->isSafeToRecurse())) {
                 emitThrowExpressionTooDeepException();
                 return;
@@ -412 +412 @@
             // Node::emitCode assumes that dst, if provided, is either a local or a referenced temporary.
             ASSERT(!dst || dst == ignoredResult() || !dst->isTemporary() || dst->refCount());
-            if (!m_vm->isSafeToRecurse())
+            if (UNLIKELY(!m_vm->isSafeToRecurse()))
                 return emitThrowExpressionTooDeepException();
             return n->emitBytecode(*this, dst);
@@ -429 +429 @@
         void emitNodeInConditionContext(ExpressionNode* n, Label* trueTarget, Label* falseTarget, FallThroughMode fallThroughMode)
         {
-            if (!m_vm->isSafeToRecurse()) {
+            if (UNLIKELY(!m_vm->isSafeToRecurse())) {
                 emitThrowExpressionTooDeepException();
                 return;

trunk/Source/JavaScriptCore/interpreter/CLoopStack.cpp

@@ -89 +89 @@
 
     // Compute the chunk size of additional memory to commit, and see if we
-    // have it is still within our budget. If not, we'll fail to grow and
+    // have it still within our budget. If not, we'll fail to grow and
     // return false.
     ptrdiff_t delta = reinterpret_cast<char*>(m_commitTop) - reinterpret_cast<char*>(newTopOfStackWithReservedZone);

trunk/Source/JavaScriptCore/interpreter/CLoopStack.h

@@ -69 +69 @@
 
         void setSoftReservedZoneSize(size_t);
+        bool isSafeToRecurse() const;
 
         inline Register* topOfStack();

trunk/Source/JavaScriptCore/interpreter/CLoopStackInlines.h

@@ -43 +43 @@
 }
 
+bool CLoopStack::isSafeToRecurse() const
+{
+    void* reservationLimit = reinterpret_cast<int8_t*>(reservationTop() + m_reservedZoneSizeInRegisters);
+    return !m_topCallFrame || (m_topCallFrame->topOfFrame() > reservationLimit);
+}
+
 inline Register* CLoopStack::topOfFrameFor(CallFrame* frame)
 {

trunk/Source/JavaScriptCore/interpreter/CachedCall.h

@@ -1 +1 @@
 /*
- * Copyright (C) 2009, 2013 Apple Inc. All rights reserved.
+ * Copyright (C) 2009, 2013, 2016 Apple Inc. All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
@@ -34 +34 @@
 #include "ProtoCallFrame.h"
 #include "VMEntryScope.h"
+#include "VMInlines.h"
 
 namespace JSC {
@@ -45 +46 @@
         {
             ASSERT(!function->isHostFunctionNonInline());
-            if (callFrame->vm().isSafeToRecurse()) {
+            if (UNLIKELY(callFrame->vm().isSafeToRecurseSoft())) {
                 m_arguments.resize(argumentCount);
                 m_closure = m_interpreter->prepareForRepeatCall(function->jsExecutable(), callFrame, &m_protoCallFrame, function, argumentCount + 1, function->scope(), m_arguments.data());

trunk/Source/JavaScriptCore/interpreter/Interpreter.cpp

@@ -829 +829 @@
         return jsNull();
 
-    if (!vm.isSafeToRecurse())
+    if (UNLIKELY(!vm.isSafeToRecurseSoft()))
         return checkedReturn(throwStackOverflowError(callFrame));
 
@@ -989 +989 @@
 
     VMEntryScope entryScope(vm, globalObject);
-    if (!vm.isSafeToRecurse())
+    if (UNLIKELY(!vm.isSafeToRecurseSoft()))
         return checkedReturn(throwStackOverflowError(callFrame));
 
@@ -1051 +1051 @@
 
     VMEntryScope entryScope(vm, globalObject);
-    if (!vm.isSafeToRecurse())
+    if (UNLIKELY(!vm.isSafeToRecurseSoft()))
         return checkedReturn(throwStackOverflowError(callFrame));
 
@@ -1148 +1148 @@
 
     VMEntryScope entryScope(vm, scope->globalObject());
-    if (!vm.isSafeToRecurse())
+    if (UNLIKELY(!vm.isSafeToRecurseSoft()))
         return checkedReturn(throwStackOverflowError(callFrame));        
 
@@ -1249 +1249 @@
 
     VMEntryScope entryScope(vm, scope->globalObject());
-    if (!vm.isSafeToRecurse())
+    if (UNLIKELY(!vm.isSafeToRecurseSoft()))
         return checkedReturn(throwStackOverflowError(callFrame));
 

trunk/Source/JavaScriptCore/llint/LLIntSlowPaths.cpp

@@ -483 +483 @@
     dataLogF("Num vars = %u.\n", exec->codeBlock()->m_numVars);
 
-#if ENABLE(JIT)
-    dataLogF("Current end is at %p.\n", exec->vm().softStackLimit());
-#else
-    dataLogF("Current end is at %p.\n", exec->vm().cloopStackLimit());
+    dataLogF("Current OS stack end is at %p.\n", exec->vm().softStackLimit());
+#if !ENABLE(JIT)
+    dataLogF("Current C Loop stack end is at %p.\n", exec->vm().cloopStackLimit());
 #endif
 

trunk/Source/JavaScriptCore/parser/Parser.cpp

@@ -56 +56 @@
 #define consumeOrFailWithFlags(tokenType, flags, ...) do { if (!consume(tokenType, flags)) { handleErrorToken(); internalFailWithMessage(true, __VA_ARGS__); } } while (0)
 #define matchOrFail(tokenType, ...) do { if (!match(tokenType)) { handleErrorToken(); internalFailWithMessage(true, __VA_ARGS__); } } while (0)
-#define failIfStackOverflow() do { if (!canRecurse()) failWithStackOverflow(); } while (0)
+#define failIfStackOverflow() do { if (UNLIKELY(!canRecurse())) failWithStackOverflow(); } while (0)
 #define semanticFail(...) do { internalFailWithMessage(false, __VA_ARGS__); } while (0)
 #define semanticFailIfTrue(cond, ...) do { if (cond) internalFailWithMessage(false, __VA_ARGS__); } while (0)

trunk/Source/JavaScriptCore/runtime/Options.h

@@ -114 +114 @@
     \
     v(unsigned, maxPerThreadStackUsage, 4 * MB, Normal, "Max allowed stack usage by the VM") \
-    v(unsigned, softReservedZoneSize, 128 * KB, Normal, "The amount of stack JSC usually reserves for host code.") \
-    v(unsigned, reservedZoneSize, 64 * KB, Normal, "This is the amount of stack JSC guarantees for client and VM code.") \
+    v(unsigned, softReservedZoneSize, 128 * KB, Normal, "A buffer greater than reservedZoneSize that reserves space for stringifying exceptions.") \
+    v(unsigned, reservedZoneSize, 64 * KB, Normal, "The amount of stack space we guarantee to our clients (and to interal VM code that does not call out to clients).") \
     \
     v(bool, crashIfCantAllocateJITMemory, false, Normal, nullptr) \

trunk/Source/JavaScriptCore/runtime/ProxyObject.cpp

@@ -34 +34 @@
 #include "SlotVisitorInlines.h"
 #include "StructureInlines.h"
+#include "VMInlines.h"
 
 // Note that this file is compile with -fno-optimize-sibling-calls because we rely on the machine stack
@@ -99 +100 @@
 {
     VM& vm = exec->vm();
-    if (UNLIKELY(!vm.isSafeToRecurse())) {
+    if (UNLIKELY(!vm.isSafeToRecurseSoft())) {
         throwStackOverflowError(exec);
         return JSValue();
@@ -168 +169 @@
 {
     VM& vm = exec->vm();
-    if (UNLIKELY(!vm.isSafeToRecurse())) {
+    if (UNLIKELY(!vm.isSafeToRecurseSoft())) {
         throwStackOverflowError(exec);
         return false;
@@ -274 +275 @@
 {
     VM& vm = exec->vm();
-    if (UNLIKELY(!vm.isSafeToRecurse())) {
+    if (UNLIKELY(!vm.isSafeToRecurseSoft())) {
         throwStackOverflowError(exec);
         return false;
@@ -339 +340 @@
 bool ProxyObject::getOwnPropertySlotCommon(ExecState* exec, PropertyName propertyName, PropertySlot& slot)
 {
-    if (UNLIKELY(!exec->vm().isSafeToRecurse())) {
+    if (UNLIKELY(!exec->vm().isSafeToRecurseSoft())) {
         throwStackOverflowError(exec);
         return false;
@@ -377 +378 @@
 {
     VM& vm = exec->vm();
-    if (UNLIKELY(!vm.isSafeToRecurse())) {
+    if (UNLIKELY(!vm.isSafeToRecurseSoft())) {
         throwStackOverflowError(exec);
         return false;
@@ -469 +470 @@
 {
     VM& vm = exec->vm();
-    if (UNLIKELY(!vm.isSafeToRecurse())) {
+    if (UNLIKELY(!vm.isSafeToRecurseSoft())) {
         throwStackOverflowError(exec);
         return JSValue::encode(JSValue());
@@ -518 +519 @@
 {
     VM& vm = exec->vm();
-    if (UNLIKELY(!vm.isSafeToRecurse())) {
+    if (UNLIKELY(!vm.isSafeToRecurseSoft())) {
         throwStackOverflowError(exec);
         return JSValue::encode(JSValue());
@@ -573 +574 @@
 {
     VM& vm = exec->vm();
-    if (UNLIKELY(!vm.isSafeToRecurse())) {
+    if (UNLIKELY(!vm.isSafeToRecurseSoft())) {
         throwStackOverflowError(exec);
         return false;
@@ -649 +650 @@
 {
     VM& vm = exec->vm();
-    if (UNLIKELY(!vm.isSafeToRecurse())) {
+    if (UNLIKELY(!vm.isSafeToRecurseSoft())) {
         throwStackOverflowError(exec);
         return false;
@@ -701 +702 @@
 {
     VM& vm = exec->vm();
-    if (UNLIKELY(!vm.isSafeToRecurse())) {
+    if (UNLIKELY(!vm.isSafeToRecurseSoft())) {
         throwStackOverflowError(exec);
         return false;
@@ -759 +760 @@
 {
     VM& vm = exec->vm();
-    if (UNLIKELY(!vm.isSafeToRecurse())) {
+    if (UNLIKELY(!vm.isSafeToRecurseSoft())) {
         throwStackOverflowError(exec);
         return false;
@@ -856 +857 @@
 {
     VM& vm = exec->vm();
-    if (UNLIKELY(!vm.isSafeToRecurse())) {
+    if (UNLIKELY(!vm.isSafeToRecurseSoft())) {
         throwStackOverflowError(exec);
         return;
@@ -1005 +1006 @@
 
     VM& vm = exec->vm();
-    if (UNLIKELY(!vm.isSafeToRecurse())) {
+    if (UNLIKELY(!vm.isSafeToRecurseSoft())) {
         throwStackOverflowError(exec);
         return false;
@@ -1069 +1070 @@
 {
     VM& vm = exec->vm();
-    if (UNLIKELY(!vm.isSafeToRecurse())) {
+    if (UNLIKELY(!vm.isSafeToRecurseSoft())) {
         throwStackOverflowError(exec);
         return JSValue();

trunk/Source/JavaScriptCore/runtime/RegExp.cpp

@@ -223 +223 @@
 {
     Base::finishCreation(vm);
-    Yarr::YarrPattern pattern(m_patternString, m_flags, &m_constructionError, vm.softStackLimit());
+    Yarr::YarrPattern pattern(m_patternString, m_flags, &m_constructionError, vm.stackLimit());
     if (m_constructionError)
         m_state = ParseError;
@@ -265 +265 @@
     ConcurrentJITLocker locker(m_lock);
     
-    Yarr::YarrPattern pattern(m_patternString, m_flags, &m_constructionError, vm->softStackLimit());
+    Yarr::YarrPattern pattern(m_patternString, m_flags, &m_constructionError, vm->stackLimit());
     if (m_constructionError) {
         RELEASE_ASSERT_NOT_REACHED();
@@ -318 +318 @@
     ConcurrentJITLocker locker(m_lock);
     
-    Yarr::YarrPattern pattern(m_patternString, m_flags, &m_constructionError, vm->softStackLimit());
+    Yarr::YarrPattern pattern(m_patternString, m_flags, &m_constructionError, vm->stackLimit());
     if (m_constructionError) {
         RELEASE_ASSERT_NOT_REACHED();

trunk/Source/JavaScriptCore/runtime/StringRecursionChecker.h

@@ -1 +1 @@
 /*
- *  Copyright (C) 2011 Apple Inc. All rights reserved.
+ *  Copyright (C) 2011, 2016 Apple Inc. All rights reserved.
  *
  *  This library is free software; you can redistribute it and/or
@@ -22 +22 @@
 
 #include "Interpreter.h"
+#include "VMInlines.h"
 #include <wtf/StackStats.h>
 #include <wtf/WTFThreadData.h>
@@ -51 +52 @@
 {
     VM& vm = m_exec->vm();
-    if (!vm.isSafeToRecurse())
+    if (UNLIKELY(!vm.isSafeToRecurseSoft()))
         return throwStackOverflowError();
 

trunk/Source/JavaScriptCore/runtime/VM.cpp

@@ -611 +611 @@
 {
     m_stackPointerAtVMEntry = sp;
-    updateStackLimit();
+    updateStackLimits();
 }
 
@@ -622 +622 @@
 #endif
 
-    updateStackLimit();
+    updateStackLimits();
 
     return oldSoftReservedZoneSize;
@@ -652 +652 @@
 #endif
 
-inline void VM::updateStackLimit()
+inline void VM::updateStackLimits()
 {
 #if PLATFORM(WIN)
@@ -658 +658 @@
 #endif
 
+    size_t reservedZoneSize = Options::reservedZoneSize();
     if (m_stackPointerAtVMEntry) {
         ASSERT(wtfThreadData().stack().isGrowingDownward());
         char* startOfStack = reinterpret_cast<char*>(m_stackPointerAtVMEntry);
         m_softStackLimit = wtfThreadData().stack().recursionLimit(startOfStack, Options::maxPerThreadStackUsage(), m_currentSoftReservedZoneSize);
+        m_stackLimit = wtfThreadData().stack().recursionLimit(startOfStack, Options::maxPerThreadStackUsage(), reservedZoneSize);
     } else {
         m_softStackLimit = wtfThreadData().stack().recursionLimit(m_currentSoftReservedZoneSize);
+        m_stackLimit = wtfThreadData().stack().recursionLimit(reservedZoneSize);
     }
 
 #if PLATFORM(WIN)
+    // We only need to precommit stack memory dictated by the VM::m_softStackLimit limit.
+    // This is because VM::m_softStackLimit applies to stack usage by LLINT asm or JIT
+    // generated code which can allocate stack space that the C++ compiler does not know
+    // about. As such, we have to precommit that stack memory manually.
+    //
+    // In contrast, we do not need to worry about VM::m_stackLimit because that limit is
+    // used exclusively by C++ code, and the C++ compiler will automatically commit the
+    // needed stack pages.
     if (lastSoftStackLimit != m_softStackLimit)
         preCommitStackMemory(m_softStackLimit);

trunk/Source/JavaScriptCore/runtime/VM.h

@@ -466 +466 @@
     inline bool ensureStackCapacityFor(Register* newTopOfStack);
 
+    void* stackLimit() { return m_stackLimit; }
     void* softStackLimit() { return m_softStackLimit; }
     void** addressOfSoftStackLimit() { return &m_softStackLimit; }
@@ -473 +474 @@
 #endif
 
-    bool isSafeToRecurse(size_t neededStackInBytes = 0) const
-    {
-        ASSERT(wtfThreadData().stack().isGrowingDownward());
-        int8_t* curr = reinterpret_cast<int8_t*>(&curr);
-        int8_t* limit = reinterpret_cast<int8_t*>(m_softStackLimit);
-        return curr >= limit && static_cast<size_t>(curr - limit) >= neededStackInBytes;
+    inline bool isSafeToRecurseSoft() const;
+    bool isSafeToRecurse() const
+    {
+        return isSafeToRecurse(m_stackLimit);
     }
 
@@ -627 +626 @@
     void createNativeThunk();
 
-    void updateStackLimit();
+    void updateStackLimits();
+
+    bool isSafeToRecurse(void* stackLimit) const
+    {
+        ASSERT(wtfThreadData().stack().isGrowingDownward());
+        void* curr = reinterpret_cast<void*>(&curr);
+        return curr >= stackLimit;
+    }
 
     void setException(Exception* exception)
@@ -650 +656 @@
     void* m_stackPointerAtVMEntry;
     size_t m_currentSoftReservedZoneSize;
+    void* m_stackLimit { nullptr };
     void* m_softStackLimit { nullptr };
 #if !ENABLE(JIT)

trunk/Source/JavaScriptCore/runtime/VMInlines.h

@@ -48 +48 @@
 }
 
+bool VM::isSafeToRecurseSoft() const
+{
+    bool safe = isSafeToRecurse(m_softStackLimit);
+#if !ENABLE(JIT)
+    safe = safe && interpreter->cloopStack().isSafeToRecurse();
+#endif
+    return safe;
+}
+
 bool VM::shouldTriggerTermination(ExecState* exec)
 {

trunk/Source/JavaScriptCore/yarr/YarrPattern.cpp

@@ -581 +581 @@
     bool setupAlternativeOffsets(PatternAlternative* alternative, unsigned currentCallFrameSize, unsigned initialInputPosition, unsigned& newCallFrameSize) WARN_UNUSED_RETURN
     {
-        if (!isSafeToRecurse())
+        if (UNLIKELY(!isSafeToRecurse()))
             return false;
 
@@ -683 +683 @@
     bool setupDisjunctionOffsets(PatternDisjunction* disjunction, unsigned initialCallFrameSize, unsigned initialInputPosition, unsigned& callFrameSize) WARN_UNUSED_RETURN
     {
-        if (!isSafeToRecurse())
+        if (UNLIKELY(!isSafeToRecurse()))
             return false;
 

trunk/Tools/ChangeLog

@@ +1 @@
+2016-07-12  Mark Lam  <mark.lam@apple.com>
+
+        We should use different stack limits for stack checks from JS and host code.
+        https://bugs.webkit.org/show_bug.cgi?id=159442
+        <rdar://problem/26889188>
+
+        Reviewed by Geoffrey Garen.
+
+        In http://trac.webkit.org/r203067, we limited the amount of stack that tests will
+        run with to keep stack overflow tests sane.  Turns out, we also need to teach the
+        LayoutTestRelay to pass env vars over to the iOS simulator.  This is needed in
+        order to keep the js/regress-139548.html test happy with this patch.
+
+        Also fixed up run_webkit_tests.py to explicitly pass an int size value for the
+        JSC_maxPerThreadStackUsage option.  Otherwise, it will pass a float value.
+
+        * LayoutTestRelay/LayoutTestRelay/LTRelayController.m:
+        (-[LTRelayController _environmentVariables]):
+        * Scripts/webkitpy/layout_tests/run_webkit_tests.py:
+        (main):
+
 2016-07-12  Filip Pizlo  <fpizlo@apple.com>
 

trunk/Tools/LayoutTestRelay/LayoutTestRelay/LTRelayController.m

@@ -29 +29 @@
 #import "LTPipeRelay.h"
 #import <AppKit/AppKit.h>
+#import <crt_externs.h>
 
 @interface LTRelayController ()
@@ -194 +195 @@
         }
 
+        for (char** envp = *_NSGetEnviron(); *envp; envp++) {
+            const char* env = *envp;
+            if (!strncmp("JSC_", env, 4) || !strncmp("__XPC_JSC_", env, 10)) {
+                const char* equal = strchr(env, '=');
+                if (!equal) {
+                    NSLog(@"Missing '=' in env var '%s'", env);
+                    continue;
+                }
+
+                static const size_t maxKeyLength = 256;
+                size_t keyLength = equal - env;
+                if (keyLength >= maxKeyLength) {
+                    NSLog(@"Env var '%s' is too long", env);
+                    continue;
+                }
+
+                char key[maxKeyLength];
+                strncpy(key, env, keyLength);
+                key[keyLength] = '\0';
+                const char* value = equal + 1;
+
+                NSString *nsKey = [NSString stringWithUTF8String:key];
+                NSString *nsValue = [NSString stringWithUTF8String:value];
+                [dictionary setObject:nsValue forKey:nsKey];
+            }
+        }
+
         environmentVariables = [dictionary copy];
     });

trunk/Tools/Scripts/webkitpy/layout_tests/run_webkit_tests.py

@@ -76 +76 @@
     try:
         # Force all tests to use a smaller stack so that stack overflow tests can run faster.
-        stackSizeInBytes = 1.5 * 1024 * 1024
+        stackSizeInBytes = int(1.5 * 1024 * 1024)
         options.additional_env_var.append('JSC_maxPerThreadStackUsage=' + str(stackSizeInBytes))
         options.additional_env_var.append('__XPC_JSC_maxPerThreadStackUsage=' + str(stackSizeInBytes))