Context Navigation

← Previous Changeset
Next Changeset →

Changeset 239244 in webkit

Timestamp:

Dec 14, 2018 6:28:17 PM (5 years ago)

Author:

mark.lam@apple.com

Message:

CallFrame::convertToStackOverflowFrame() needs to keep the top CodeBlock alive.
https://bugs.webkit.org/show_bug.cgi?id=192717
<rdar://problem/46660677>

Reviewed by Saam Barati.

JSTests:

stress/regress-192717.js: Added.

Source/JavaScriptCore:

When throwing a StackOverflowError, we convert the topCallFrame into a
StackOverflowFrame. Previously, we would nullify the codeBlock field in the frame
because a StackOverflowFrame is only a sentinel and doesn't really correspond to
any CodeBlocks. However, this is a problem because the topCallFrame may be the
only remaining place that references the CodeBlock that the stack overflow is
triggered in. The way we handle exceptions in JIT code is to return (from the
runtime operation function throwing the exception) to the JIT code to check for
the exception and if needed, do some clean up before jumping to the exception
handling thunk. As a result, we need to keep that JIT code alive, which means we
need to keep its CodeBlock alive. We only need to keep this CodeBlock alive until
we've unwound (in terms of exception handling) out of it.

We fix this issue by storing the CodeBlock to keep alive in the StackOverflowFrame
for the GC to scan while the frame is still on the stack.

We removed the call to convertToStackOverflowFrame() in
lookupExceptionHandlerFromCallerFrame() because it is redundant.
lookupExceptionHandlerFromCallerFrame() will only every be called after
a StackOverFlowError has been thrown. Hence, the top frame is already
guaranteed to be a StackOverflowFrame, and there should always be a
StackOverFlowError exception pending. We added assertions for these
instead.

interpreter/CallFrame.cpp:

(JSC::CallFrame::convertToStackOverflowFrame):

interpreter/CallFrame.h:
jit/JITOperations.cpp:
llint/LLIntSlowPaths.cpp:

(JSC::LLInt::LLINT_SLOW_PATH_DECL):

runtime/CommonSlowPaths.cpp:

(JSC::SLOW_PATH_DECL):

runtime/CommonSlowPaths.h:

(JSC::CommonSlowPaths::codeBlockFromCallFrameCallee):
(JSC::CommonSlowPaths::arityCheckFor):

runtime/VM.h:

(JSC::VM::exceptionForInspection const):

Location:

trunk

Files:

: 1 added
: 9 edited

JSTests/ChangeLog (modified) (1 diff)
JSTests/stress/regress-192717.js (added)
Source/JavaScriptCore/ChangeLog (modified) (1 diff)
Source/JavaScriptCore/interpreter/CallFrame.cpp (modified) (2 diffs)
Source/JavaScriptCore/interpreter/CallFrame.h (modified) (1 diff)
Source/JavaScriptCore/jit/JITOperations.cpp (modified) (4 diffs)
Source/JavaScriptCore/llint/LLIntSlowPaths.cpp (modified) (1 diff)
Source/JavaScriptCore/runtime/CommonSlowPaths.cpp (modified) (2 diffs)
Source/JavaScriptCore/runtime/CommonSlowPaths.h (modified) (1 diff)
Source/JavaScriptCore/runtime/VM.h (modified) (1 diff)

Legend:

: Unmodified
: Added
: Removed

trunk/JSTests/ChangeLog

-                      r239231
+                      r239244
+-12-14  Mark Lam  <mark.lam@apple.com>
+        CallFrame::convertToStackOverflowFrame() needs to keep the top CodeBlock alive.
+        https://bugs.webkit.org/show_bug.cgi?id=192717
+        <rdar://problem/46660677>
+        Reviewed by Saam Barati.
+        * stress/regress-192717.js: Added.
 -12-14  Commit Queue  <commit-queue@webkit.org>

trunk/Source/JavaScriptCore/ChangeLog

-                      r239237
+                      r239244
+-12-14  Mark Lam  <mark.lam@apple.com>
+        CallFrame::convertToStackOverflowFrame() needs to keep the top CodeBlock alive.
+        https://bugs.webkit.org/show_bug.cgi?id=192717
+        <rdar://problem/46660677>
+        Reviewed by Saam Barati.
+        When throwing a StackOverflowError, we convert the topCallFrame into a
+        StackOverflowFrame.  Previously, we would nullify the codeBlock field in the frame
+        because a StackOverflowFrame is only a sentinel and doesn't really correspond to
+        any CodeBlocks.  However, this is a problem because the topCallFrame may be the
+        only remaining place that references the CodeBlock that the stack overflow is
+        triggered in.  The way we handle exceptions in JIT code is to return (from the
+        runtime operation function throwing the exception) to the JIT code to check for
+        the exception and if needed, do some clean up before jumping to the exception
+        handling thunk.  As a result, we need to keep that JIT code alive, which means we
+        need to keep its CodeBlock alive.  We only need to keep this CodeBlock alive until
+        we've unwound (in terms of exception handling) out of it.
+        We fix this issue by storing the CodeBlock to keep alive in the StackOverflowFrame
+        for the GC to scan while the frame is still on the stack.
+        We removed the call to convertToStackOverflowFrame() in
+        lookupExceptionHandlerFromCallerFrame() because it is redundant.
+        lookupExceptionHandlerFromCallerFrame() will only every be called after
+        a StackOverFlowError has been thrown.  Hence, the top frame is already
+        guaranteed to be a StackOverflowFrame, and there should always be a
+        StackOverFlowError exception pending.  We added assertions for these
+        instead.
+        * interpreter/CallFrame.cpp:
+        (JSC::CallFrame::convertToStackOverflowFrame):
+        * interpreter/CallFrame.h:
+        * jit/JITOperations.cpp:
+        * llint/LLIntSlowPaths.cpp:
+        (JSC::LLInt::LLINT_SLOW_PATH_DECL):
+        * runtime/CommonSlowPaths.cpp:
+        (JSC::SLOW_PATH_DECL):
+        * runtime/CommonSlowPaths.h:
+        (JSC::CommonSlowPaths::codeBlockFromCallFrameCallee):
+        (JSC::CommonSlowPaths::arityCheckFor):
+        * runtime/VM.h:
+        (JSC::VM::exceptionForInspection const):
 -12-14  David Kilzer  <ddkilzer@apple.com>

trunk/Source/JavaScriptCore/interpreter/CallFrame.cpp

-                      r237547
+                      r239244
+}
 void CallFrame::convertToStackOverflowFrame(VM& vm)
+void CallFrame::convertToStackOverflowFrame(VM& vm, CodeBlock* codeBlockToKeepAliveUntilFrameIsUnwound)
+{
     ASSERT(!isGlobalExec());
+    ASSERT(codeBlockToKeepAliveUntilFrameIsUnwound->inherits<CodeBlock>(vm));
     EntryFrame* entryFrame = vm.topEntryFrame;
 …
     JSObject* stackOverflowCallee = originCallee->globalObject()->stackOverflowFrameCallee();
     setCodeBlock(nullptr);
+    setCodeBlock(codeBlockToKeepAliveUntilFrameIsUnwound);
     setCallee(stackOverflowCallee);
     setArgumentCountIncludingThis(0);

trunk/Source/JavaScriptCore/interpreter/CallFrame.h

r237547	r239244
258	258	}
259	259
260		void convertToStackOverflowFrame(VM&);
	260	void convertToStackOverflowFrame(VM&, CodeBlock* codeBlockToKeepAliveUntilFrameIsUnwound);
261	261	inline bool isStackOverflowFrame() const;
262	262	inline bool isWasmFrame() const;

trunk/Source/JavaScriptCore/jit/JITOperations.cpp

-                      r238425
+                      r239244
     VM* vm = codeBlock->vm();
     auto scope = DECLARE_THROW_SCOPE(*vm);
     exec->convertToStackOverflowFrame(*vm);
+    exec->convertToStackOverflowFrame(*vm, codeBlock);
     NativeCallFrameTracer tracer(vm, exec);
     throwStackOverflowError(exec, scope);
 …
     int32_t missingArgCount = CommonSlowPaths::arityCheckFor(exec, *vm, CodeForCall);
+    if (missingArgCount < 0) {
+        exec->convertToStackOverflowFrame(*vm);
+    if (UNLIKELY(missingArgCount < 0)) {
+        CodeBlock* codeBlock = CommonSlowPaths::codeBlockFromCallFrameCallee(exec, CodeForCall);
+        exec->convertToStackOverflowFrame(*vm, codeBlock);
         NativeCallFrameTracer tracer(vm, exec);
         throwStackOverflowError(vm->topCallFrame, scope);
 …
     int32_t missingArgCount = CommonSlowPaths::arityCheckFor(exec, *vm, CodeForConstruct);
+    if (missingArgCount < 0) {
+        exec->convertToStackOverflowFrame(*vm);
+    if (UNLIKELY(missingArgCount < 0)) {
+        CodeBlock* codeBlock = CommonSlowPaths::codeBlockFromCallFrameCallee(exec, CodeForCall);
+        exec->convertToStackOverflowFrame(*vm, codeBlock);
         NativeCallFrameTracer tracer(vm, exec);
         throwStackOverflowError(vm->topCallFrame, scope);
 …
 void JIT_OPERATION lookupExceptionHandlerFromCallerFrame(VM* vm, ExecState* exec)
+{
+    exec->convertToStackOverflowFrame(*vm);
+    ASSERT(exec->isStackOverflowFrame());
+    ASSERT(jsCast<ErrorInstance*>(vm->exceptionForInspection()->value().asCell())->isStackOverflowError());
     lookupExceptionHandler(vm, exec);
+}

trunk/Source/JavaScriptCore/llint/LLIntSlowPaths.cpp

r238141	r239244
560	560	#endif
561	561
562		exec->convertToStackOverflowFrame(vm);
	562	exec->convertToStackOverflowFrame(vm, codeBlock);
563	563	ErrorHandlingScope errorScope(vm);
564	564	throwStackOverflowError(exec, throwScope);

trunk/Source/JavaScriptCore/runtime/CommonSlowPaths.cpp

-                      r238790
+                      r239244
     BEGIN();
     int slotsToAdd = CommonSlowPaths::arityCheckFor(exec, vm, CodeForCall);
+    if (slotsToAdd < 0) {
+        exec->convertToStackOverflowFrame(vm);
+    if (UNLIKELY(slotsToAdd < 0)) {
+        CodeBlock* codeBlock = CommonSlowPaths::codeBlockFromCallFrameCallee(exec, CodeForCall);
+        exec->convertToStackOverflowFrame(vm, codeBlock);
         NativeCallFrameTracer tracer(&vm, exec);
         ErrorHandlingScope errorScope(vm);
 …
     BEGIN();
     int slotsToAdd = CommonSlowPaths::arityCheckFor(exec, vm, CodeForConstruct);
+    if (slotsToAdd < 0) {
+        exec->convertToStackOverflowFrame(vm);
+    if (UNLIKELY(slotsToAdd < 0)) {
+        CodeBlock* codeBlock = CommonSlowPaths::codeBlockFromCallFrameCallee(exec, CodeForCall);
+        exec->convertToStackOverflowFrame(vm, codeBlock);
         NativeCallFrameTracer tracer(&vm, exec);
         ErrorHandlingScope errorScope(vm);

trunk/Source/JavaScriptCore/runtime/CommonSlowPaths.h

-                      r238543
+                      r239244
+}
 ALWAYS_INLINE int arityCheckFor(ExecState* exec, VM& vm, CodeSpecializationKind kind)
+ALWAYS_INLINE CodeBlock* codeBlockFromCallFrameCallee(ExecState* exec, CodeSpecializationKind kind)
+{
     JSFunction* callee = jsCast<JSFunction*>(exec->jsCallee());
     ASSERT(!callee->isHostFunction());
+    CodeBlock* newCodeBlock = callee->jsExecutable()->codeBlockFor(kind);
+    return callee->jsExecutable()->codeBlockFor(kind);
+}
+ALWAYS_INLINE int arityCheckFor(ExecState* exec, VM& vm, CodeSpecializationKind kind)
+{
+    CodeBlock* newCodeBlock = codeBlockFromCallFrameCallee(exec, kind);
     ASSERT(exec->argumentCountIncludingThis() < static_cast<unsigned>(newCodeBlock->numParameters()));
     int padding = numberOfStackPaddingSlotsWithExtraSlots(newCodeBlock, exec->argumentCountIncludingThis());

trunk/Source/JavaScriptCore/runtime/VM.h

-                      r239231
+                      r239244
     JSCell** addressOfLastException() { return reinterpret_cast<JSCell**>(&m_lastException); }
+    // This should only be used for test or assertion code that wants to inspect
+    // the pending exception without interfering with Throw/CatchScopes.
+    Exception* exceptionForInspection() const { return m_exception; }
     void setFailNextNewCodeBlock() { m_failNextNewCodeBlock = true; }
     bool getAndClearFailNextNewCodeBlock()

Note: See TracChangeset for help on using the changeset viewer.

Context Navigation

Changeset 239244 in webkit

Legend:

Download in other formats: