Changeset 241927 in webkit

Timestamp:

Feb 21, 2019 6:02:32 PM (5 years ago)

Author:

mark.lam@apple.com

Message:

Add more doesGC() assertions.
​https://bugs.webkit.org/show_bug.cgi?id=194911
<rdar://problem/48285723>

Reviewed by Saam Barati and Yusuke Suzuki.

• dfg/DFGOSRExit.cpp:

(JSC::DFG::OSRExit::compileOSRExit):

• Set expectDoesGC here because we no longer have to worry about missing store barriers in optimized code after this point. This will prevent false positive assertion failures arising from functions called beneath compileOSRExit().

(JSC::DFG::OSRExit::compileExit):

• Add a comment to explain why the generated ramp needs to set expectDoesGC even though compileOSRExit() also sets it. Reason: compileOSRExit() is only called for the first OSR from this code origin, the generated ramp is called for many subsequents OSR exits from this code origin.

• ftl/FTLOSRExitCompiler.cpp:

(JSC::FTL::compileStub):

• Added a comment for the equivalent reason to the one above.

(JSC::FTL::compileFTLOSRExit):

• Set expectDoesGC here because we no longer have to worry about missing store barriers in optimized code after this point. This will prevent false positive assertion failures arising from functions called beneath compileFTLOSRExit().

• heap/CompleteSubspace.cpp:

(JSC::CompleteSubspace::tryAllocateSlow):

• heap/CompleteSubspaceInlines.h:

(JSC::CompleteSubspace::allocateNonVirtual):

• assert expectDoesGC.

• heap/DeferGC.h:

(JSC::DeferGC::~DeferGC):

• assert expectDoesGC.
• Also added WTF_FORBID_HEAP_ALLOCATION to DeferGC, DeferGCForAWhile, and DisallowGC because all 3 should be stack allocated RAII objects.

• heap/GCDeferralContext.h:
• heap/GCDeferralContextInlines.h:

(JSC::GCDeferralContext::~GCDeferralContext):

• Added WTF_FORBID_HEAP_ALLOCATION.
• assert expectDoesGC.

• heap/Heap.cpp:

(JSC::Heap::collectNow):
(JSC::Heap::collectAsync):
(JSC::Heap::collectSync):
(JSC::Heap::stopIfNecessarySlow):
(JSC::Heap::collectIfNecessaryOrDefer):

• heap/HeapInlines.h:

(JSC::Heap::acquireAccess):
(JSC::Heap::stopIfNecessary):

• heap/LargeAllocation.cpp:

(JSC::LargeAllocation::tryCreate):

• heap/LocalAllocatorInlines.h:

(JSC::LocalAllocator::allocate):

• conservatively assert expectDoesGC on these functions that may trigger a GC though they don't always do.

• runtime/DisallowScope.h:
• DisallowScope should be stack allocated because it's an RAII object.

• runtime/JSCellInlines.h:

(JSC::tryAllocateCellHelper):

• Remove the expectDoesGC assertion because it is now covered by assertions in CompleteSubspace, LargeAllocation, and LocalAllocator.

• runtime/RegExpMatchesArray.h:

(JSC::createRegExpMatchesArray):

• assert expectDoesGC.

Location:

trunk/Source/JavaScriptCore

Files:

• ChangeLog (modified) (1 diff)
• dfg/DFGOSRExit.cpp (modified) (2 diffs)
• ftl/FTLOSRExitCompiler.cpp (modified) (2 diffs)
• heap/CompleteSubspace.cpp (modified) (2 diffs)
• heap/CompleteSubspaceInlines.h (modified) (2 diffs)
• heap/DeferGC.h (modified) (5 diffs)
• heap/GCDeferralContext.h (modified) (3 diffs)
• heap/GCDeferralContextInlines.h (modified) (2 diffs)
• heap/Heap.cpp (modified) (7 diffs)
• heap/HeapInlines.h (modified) (2 diffs)
• heap/LargeAllocation.cpp (modified) (1 diff)
• heap/LocalAllocatorInlines.h (modified) (2 diffs)
• runtime/DisallowScope.h (modified) (3 diffs)
• runtime/JSCellInlines.h (modified) (1 diff)
• runtime/RegExpMatchesArray.h (modified) (1 diff)

trunk/Source/JavaScriptCore/ChangeLog

@@ +1 @@
+2019-02-21  Mark Lam  <mark.lam@apple.com>
+
+        Add more doesGC() assertions.
+        https://bugs.webkit.org/show_bug.cgi?id=194911
+        <rdar://problem/48285723>
+
+        Reviewed by Saam Barati and Yusuke Suzuki.
+
+        * dfg/DFGOSRExit.cpp:
+        (JSC::DFG::OSRExit::compileOSRExit):
+        - Set expectDoesGC here because we no longer have to worry about missing store
+          barriers in optimized code after this point.  This will prevent false positive
+          assertion failures arising from functions called beneath compileOSRExit().
+
+        (JSC::DFG::OSRExit::compileExit):
+        - Add a comment to explain why the generated ramp needs to set expectDoesGC even
+          though compileOSRExit() also sets it.  Reason: compileOSRExit() is only called
+          for the first OSR from this code origin, the generated ramp is called for many
+          subsequents OSR exits from this code origin.
+
+        * ftl/FTLOSRExitCompiler.cpp:
+        (JSC::FTL::compileStub):
+        - Added a comment for the equivalent reason to the one above.
+
+        (JSC::FTL::compileFTLOSRExit):
+        - Set expectDoesGC here because we no longer have to worry about missing store
+          barriers in optimized code after this point.  This will prevent false positive
+          assertion failures arising from functions called beneath compileFTLOSRExit().
+
+        * heap/CompleteSubspace.cpp:
+        (JSC::CompleteSubspace::tryAllocateSlow):
+        * heap/CompleteSubspaceInlines.h:
+        (JSC::CompleteSubspace::allocateNonVirtual):
+        - assert expectDoesGC.
+
+        * heap/DeferGC.h:
+        (JSC::DeferGC::~DeferGC):
+        - assert expectDoesGC.
+        - Also added WTF_FORBID_HEAP_ALLOCATION to DeferGC, DeferGCForAWhile, and DisallowGC
+          because all 3 should be stack allocated RAII objects.
+
+        * heap/GCDeferralContext.h:
+        * heap/GCDeferralContextInlines.h:
+        (JSC::GCDeferralContext::~GCDeferralContext):
+        - Added WTF_FORBID_HEAP_ALLOCATION.
+        - assert expectDoesGC.
+
+        * heap/Heap.cpp:
+        (JSC::Heap::collectNow):
+        (JSC::Heap::collectAsync):
+        (JSC::Heap::collectSync):
+        (JSC::Heap::stopIfNecessarySlow):
+        (JSC::Heap::collectIfNecessaryOrDefer):
+        * heap/HeapInlines.h:
+        (JSC::Heap::acquireAccess):
+        (JSC::Heap::stopIfNecessary):
+        * heap/LargeAllocation.cpp:
+        (JSC::LargeAllocation::tryCreate):
+        * heap/LocalAllocatorInlines.h:
+        (JSC::LocalAllocator::allocate):
+        - conservatively assert expectDoesGC on these functions that may trigger a GC
+          though they don't always do.
+
+        * runtime/DisallowScope.h:
+        - DisallowScope should be stack allocated because it's an RAII object.
+
+        * runtime/JSCellInlines.h:
+        (JSC::tryAllocateCellHelper):
+        - Remove the expectDoesGC assertion because it is now covered by assertions in
+          CompleteSubspace, LargeAllocation, and LocalAllocator.
+
+        * runtime/RegExpMatchesArray.h:
+        (JSC::createRegExpMatchesArray):
+        - assert expectDoesGC.
+
 2019-02-21  Yusuke Suzuki  <ysuzuki@apple.com>
 

trunk/Source/JavaScriptCore/dfg/DFGOSRExit.cpp

@@ -1016 +1016 @@
     auto scope = DECLARE_THROW_SCOPE(*vm);
 
+    if (validateDFGDoesGC) {
+        // We're about to exit optimized code. So, there's no longer any optimized
+        // code running that expects no GC.
+        vm->heap.setExpectDoesGC(true);
+    }
+
     if (vm->callFrameForCatch)
         RELEASE_ASSERT(vm->callFrameForCatch == exec);
@@ -1400 +1406 @@
         // code running that expects no GC. We need to set this before arguments
         // materialization below (see emitRestoreArguments()).
+
+        // Even though we set Heap::m_expectDoesGC in compileOSRExit(), we also need
+        // to set it here because compileOSRExit() is only called on the first time
+        // we exit from this site, but all subsequent exits will take this compiled
+        // ramp without calling compileOSRExit() first.
         jit.store8(CCallHelpers::TrustedImm32(true), vm.heap.addressOfExpectDoesGC());
     }

trunk/Source/JavaScriptCore/ftl/FTLOSRExitCompiler.cpp

@@ -249 +249 @@
         // code running that expects no GC. We need to set this before object
         // materialization below.
+
+        // Even though we set Heap::m_expectDoesGC in compileFTLOSRExit(), we also need
+        // to set it here because compileFTLOSRExit() is only called on the first time
+        // we exit from this site, but all subsequent exits will take this compiled
+        // ramp without calling compileFTLOSRExit() first.
         jit.store8(CCallHelpers::TrustedImm32(true), vm->heap.addressOfExpectDoesGC());
     }
@@ -527 +532 @@
 
     VM& vm = exec->vm();
+
+    if (validateDFGDoesGC) {
+        // We're about to exit optimized code. So, there's no longer any optimized
+        // code running that expects no GC.
+        vm.heap.setExpectDoesGC(true);
+    }
+
     if (vm.callFrameForCatch)
         RELEASE_ASSERT(vm.callFrameForCatch == exec);

trunk/Source/JavaScriptCore/heap/CompleteSubspace.cpp

@@ -1 +1 @@
 /*
- * Copyright (C) 2017-2018 Apple Inc. All rights reserved.
+ * Copyright (C) 2017-2019 Apple Inc. All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
@@ -123 +123 @@
 void* CompleteSubspace::tryAllocateSlow(VM& vm, size_t size, GCDeferralContext* deferralContext)
 {
+    if (validateDFGDoesGC)
+        RELEASE_ASSERT(vm.heap.expectDoesGC());
+
     sanitizeStackForVM(&vm);
     

trunk/Source/JavaScriptCore/heap/CompleteSubspaceInlines.h

@@ -1 +1 @@
 /*
- * Copyright (C) 2018 Apple Inc. All rights reserved.
+ * Copyright (C) 2018-2019 Apple Inc. All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
@@ -30 +30 @@
 ALWAYS_INLINE void* CompleteSubspace::allocateNonVirtual(VM& vm, size_t size, GCDeferralContext* deferralContext, AllocationFailureMode failureMode)
 {
+    if (validateDFGDoesGC)
+        RELEASE_ASSERT(vm.heap.expectDoesGC());
+
     if (Allocator allocator = allocatorForNonVirtual(size, AllocatorForMode::AllocatorIfExists))
         return allocator.allocate(deferralContext, failureMode);

trunk/Source/JavaScriptCore/heap/DeferGC.h

@@ -1 +1 @@
 /*
- * Copyright (C) 2013-2017 Apple Inc. All rights reserved.
+ * Copyright (C) 2013-2019 Apple Inc. All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
@@ -34 +34 @@
 class DeferGC {
     WTF_MAKE_NONCOPYABLE(DeferGC);
+    WTF_FORBID_HEAP_ALLOCATION;
 public:
     DeferGC(Heap& heap)
@@ -43 +44 @@
     ~DeferGC()
     {
+        if (validateDFGDoesGC)
+            RELEASE_ASSERT(m_heap.expectDoesGC());
         m_heap.decrementDeferralDepthAndGCIfNeeded();
     }
@@ -52 +55 @@
 class DeferGCForAWhile {
     WTF_MAKE_NONCOPYABLE(DeferGCForAWhile);
+    WTF_FORBID_HEAP_ALLOCATION;
 public:
     DeferGCForAWhile(Heap& heap)
@@ -70 +74 @@
 class DisallowGC : public DisallowScope<DisallowGC> {
     WTF_MAKE_NONCOPYABLE(DisallowGC);
+    WTF_FORBID_HEAP_ALLOCATION;
     typedef DisallowScope<DisallowGC> Base;
 public:

trunk/Source/JavaScriptCore/heap/GCDeferralContext.h

@@ -1 +1 @@
 /*
- * Copyright (C) 2016-2018 Apple Inc. All rights reserved.
+ * Copyright (C) 2016-2019 Apple Inc. All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
@@ -26 +26 @@
 #pragma once
 
+#include <wtf/ForbidHeapAllocation.h>
+
 namespace JSC {
 
@@ -33 +35 @@
 
 class GCDeferralContext {
+    WTF_FORBID_HEAP_ALLOCATION;
+
     friend class Heap;
     friend class BlockDirectory;

trunk/Source/JavaScriptCore/heap/GCDeferralContextInlines.h

@@ -1 +1 @@
 /*
- * Copyright (C) 2016-2017 Apple Inc. All rights reserved.
+ * Copyright (C) 2016-2019 Apple Inc. All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
@@ -38 +38 @@
 ALWAYS_INLINE GCDeferralContext::~GCDeferralContext()
 {
+    if (validateDFGDoesGC)
+        RELEASE_ASSERT(m_heap.expectDoesGC());
+
     if (UNLIKELY(m_shouldGC))
         m_heap.collectIfNecessaryOrDefer();

trunk/Source/JavaScriptCore/heap/Heap.cpp

@@ -1 +1 @@
 /*
- *  Copyright (C) 2003-2018 Apple Inc. All rights reserved.
+ *  Copyright (C) 2003-2019 Apple Inc. All rights reserved.
  *  Copyright (C) 2007 Eric Seidel <eric@webkit.org>
  *
@@ -1030 +1030 @@
 void Heap::collectNow(Synchronousness synchronousness, GCRequest request)
 {
+    if (validateDFGDoesGC)
+        RELEASE_ASSERT(expectDoesGC());
+
     switch (synchronousness) {
     case Async: {
@@ -1062 +1065 @@
 void Heap::collectAsync(GCRequest request)
 {
+    if (validateDFGDoesGC)
+        RELEASE_ASSERT(expectDoesGC());
+
     if (!m_isSafeToCollect)
         return;
@@ -1083 +1089 @@
 void Heap::collectSync(GCRequest request)
 {
+    if (validateDFGDoesGC)
+        RELEASE_ASSERT(expectDoesGC());
+
     if (!m_isSafeToCollect)
         return;
-    
+
     waitForCollection(requestCollection(request));
 }
@@ -1738 +1747 @@
 void Heap::stopIfNecessarySlow()
 {
+    if (validateDFGDoesGC)
+        RELEASE_ASSERT(expectDoesGC());
+
     while (stopIfNecessarySlow(m_worldState.load())) { }
     
@@ -1750 +1762 @@
 bool Heap::stopIfNecessarySlow(unsigned oldState)
 {
+    if (validateDFGDoesGC)
+        RELEASE_ASSERT(expectDoesGC());
+
     RELEASE_ASSERT(oldState & hasAccessBit);
     RELEASE_ASSERT(!(oldState & stoppedBit));
@@ -2539 +2554 @@
 {
     ASSERT(deferralContext || isDeferred() || !DisallowGC::isInEffectOnCurrentThread());
+    if (validateDFGDoesGC)
+        RELEASE_ASSERT(expectDoesGC());
 
     if (!m_isSafeToCollect)
         return;
+
     switch (mutatorState()) {
     case MutatorState::Running:

trunk/Source/JavaScriptCore/heap/HeapInlines.h

@@ -239 +239 @@
 inline void Heap::acquireAccess()
 {
+    if (validateDFGDoesGC)
+        RELEASE_ASSERT(expectDoesGC());
+
     if (m_worldState.compareExchangeWeak(0, hasAccessBit))
         return;
@@ -263 +266 @@
 inline void Heap::stopIfNecessary()
 {
+    if (validateDFGDoesGC)
+        RELEASE_ASSERT(expectDoesGC());
+
     if (mayNeedToStop())
         stopIfNecessarySlow();

trunk/Source/JavaScriptCore/heap/LargeAllocation.cpp

@@ -37 +37 @@
 LargeAllocation* LargeAllocation::tryCreate(Heap& heap, size_t size, Subspace* subspace)
 {
+    if (validateDFGDoesGC)
+        RELEASE_ASSERT(heap.expectDoesGC());
+
     // This includes padding at the end of the allocation to maintain the distancing constraint.
     constexpr size_t distancing = minimumDistanceBetweenCellsFromDifferentOrigins;

trunk/Source/JavaScriptCore/heap/LocalAllocatorInlines.h

@@ -1 +1 @@
 /*
- * Copyright (C) 2018 Apple Inc. All rights reserved.
+ * Copyright (C) 2018-2019 Apple Inc. All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
@@ -32 +32 @@
 ALWAYS_INLINE void* LocalAllocator::allocate(GCDeferralContext* deferralContext, AllocationFailureMode failureMode)
 {
+    if (validateDFGDoesGC)
+        RELEASE_ASSERT(m_directory->heap()->expectDoesGC());
     return m_freeList.allocate(
         [&] () -> HeapCell* {

trunk/Source/JavaScriptCore/runtime/DisallowScope.h

@@ -1 +1 @@
 /*
- * Copyright (C) 2017-2018 Apple Inc. All rights reserved.
+ * Copyright (C) 2017-2019 Apple Inc. All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
@@ -26 +26 @@
 #pragma once
 
+#include <wtf/ForbidHeapAllocation.h>
 #include <wtf/Noncopyable.h>
 
@@ -33 +34 @@
 class DisallowScope {
     WTF_MAKE_NONCOPYABLE(DisallowScope);
+    WTF_FORBID_HEAP_ALLOCATION;
 public:
 #ifdef NDEBUG

trunk/Source/JavaScriptCore/runtime/JSCellInlines.h

@@ -167 +167 @@
 {
     VM& vm = *heap.vm();
-    if (validateDFGDoesGC)
-        RELEASE_ASSERT(heap.expectDoesGC());
-
     ASSERT(deferralContext || !DisallowGC::isInEffectOnCurrentThread());
     ASSERT(size >= sizeof(T));

trunk/Source/JavaScriptCore/runtime/RegExpMatchesArray.h

@@ -63 +63 @@
     RegExp* regExp, unsigned startOffset, MatchResult& result)
 {
+    if (validateDFGDoesGC)
+        RELEASE_ASSERT(vm.heap.expectDoesGC());
+
     Vector<int, 32> subpatternResults;
     int position = regExp->matchInline(vm, inputValue, startOffset, subpatternResults);