Changeset 244711 in webkit
Timestamp:
Apr 26, 2019 4:32:35 PM (5 years ago)
Author:
ysuzuki@apple.com
Message:

[JSC] linkPolymorphicCall now does GC
https://bugs.webkit.org/show_bug.cgi?id=197306

Reviewed by Saam Barati.

JSTests:

  • stress/link-polymorphic-call-can-gc.js: Added.

(module):
(instance):

Source/JavaScriptCore:

Previously, we assumed that linkPolymorphicCall does not perform allocations. So we put CallVariant into a Vector<>.
But now, WebAssemblyFunction's entrypoint generation can allocate JSToWasmICCallee and cause GC. Since CallLinkInfo
does not hold these cells, they can be collected, and we will see dead cells in the middle of linkPolymorphicCall.
We should defer GC for a while in linkPolymorphicCall. We use DeferGCForAWhile instead of DeferGC because the
caller "operationLinkPolymorphicCall" assumes that this function does not cause GC.

  • jit/Repatch.cpp:

(JSC::linkPolymorphicCall):

Tools:

The test is sensitive to allocations and even adding $vm makes it non-reproducible.
To add this test, we add runWithoutBaseOption.

  • Scripts/run-jsc-stress-tests:
Location:
trunk
Files:
1 added
5 edited
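The rationale in the message above (an allocation in the middle of linkPolymorphicCall can trigger a collection that kills cells the function is still using, and the caller additionally assumes no collection happens at all during the call) is easiest to see on a small model. The following C++ is an added toy example, not JSC's code: `ToyHeap`, `NoGuard`, `simulate` and `Outcome` are constructed here, and the two RAII guards model the assumed semantics that `DeferGC` runs a pending collection when the deferral ends while `DeferGCForAWhile` only drops the deferral depth and leaves the collection for a later safe point.

```cpp
#include <cstddef>

// Constructed toy model of a heap whose collections can be deferred by a
// counter. Simplified stand-in for the real JSC Heap; not JSC's code.
struct ToyHeap {
    size_t bytesAllocated = 0;
    size_t threshold;               // allocating this many bytes requests a GC
    unsigned deferralDepth = 0;     // >0 means collections are deferred
    unsigned collections = 0;       // how many collections actually ran
    bool collectionRequested = false;

    explicit ToyHeap(size_t t) : threshold(t) {}

    // An allocation such as the JSToWasmICCallee mentioned in the ChangeLog.
    void allocate(size_t bytes) {
        bytesAllocated += bytes;
        if (bytesAllocated >= threshold)
            collectIfNotDeferred();
    }
    void collectIfNotDeferred() {
        if (deferralDepth) { collectionRequested = true; return; }
        collect();
    }
    void collect() { ++collections; bytesAllocated = 0; collectionRequested = false; }
    void incrementDeferralDepth() { ++deferralDepth; }
    void decrementDeferralDepth() { --deferralDepth; }
    void decrementDeferralDepthAndGCIfNeeded() {
        --deferralDepth;
        if (!deferralDepth && collectionRequested)
            collect();
    }
};

// No guard: a collection can run in the middle of the body.
struct NoGuard { explicit NoGuard(ToyHeap&) {} };

// Assumed DeferGC semantics: no GC inside the scope, but a requested
// collection runs as soon as the guard is destroyed.
struct DeferGC {
    ToyHeap& heap;
    explicit DeferGC(ToyHeap& h) : heap(h) { heap.incrementDeferralDepth(); }
    ~DeferGC() { heap.decrementDeferralDepthAndGCIfNeeded(); }
};

// Assumed DeferGCForAWhile semantics: no GC inside the scope and none at
// scope exit either; the request stays pending until a later safe point.
struct DeferGCForAWhile {
    ToyHeap& heap;
    explicit DeferGCForAWhile(ToyHeap& h) : heap(h) { heap.incrementDeferralDepth(); }
    ~DeferGCForAWhile() { heap.decrementDeferralDepth(); }
};

struct Outcome {
    unsigned duringBody;   // collections while the function still holds raw cells
    unsigned atScopeExit;  // collections when the guard is destroyed (caller assumes 0)
    bool pendingAfter;     // a collection is still owed to a later safe point
};

enum class Guard { None, DeferGC, DeferGCForAWhile };

// Models linkPolymorphicCall: allocate enough to request a GC while the
// function is still working with cells nothing else keeps alive.
template <typename GuardT>
static Outcome runBody(ToyHeap& heap) {
    Outcome out{};
    {
        GuardT guard(heap);
        heap.allocate(heap.threshold);   // the allocation that used to be "impossible" here
        out.duringBody = heap.collections;
    }
    out.atScopeExit = heap.collections - out.duringBody;
    out.pendingAfter = heap.collectionRequested;
    return out;
}

Outcome simulate(Guard guard) {
    ToyHeap heap(64);
    switch (guard) {
    case Guard::None: return runBody<NoGuard>(heap);
    case Guard::DeferGC: return runBody<DeferGC>(heap);
    default: return runBody<DeferGCForAWhile>(heap);
    }
}
```

Only the `DeferGCForAWhile` run reports zero collections both inside the body and at scope exit, which is the property the caller "operationLinkPolymorphicCall" depends on; `DeferGC` protects the body but would still collect on the way out.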

  • trunk/JSTests/ChangeLog

    r244708 r244711  
     12019-04-25  Yusuke Suzuki  <ysuzuki@apple.com>
     2
     3        [JSC] linkPolymorphicCall now does GC
     4        https://bugs.webkit.org/show_bug.cgi?id=197306
     5
     6        Reviewed by Saam Barati.
     7
     8        * stress/link-polymorphic-call-can-gc.js: Added.
     9        (module):
     10        (instance):
     11
    1122019-04-26  Robin Morisset  <rmorisset@apple.com>
    213
  • trunk/Source/JavaScriptCore/ChangeLog

    r244708 r244711  
     12019-04-25  Yusuke Suzuki  <ysuzuki@apple.com>
     2
     3        [JSC] linkPolymorphicCall now does GC
     4        https://bugs.webkit.org/show_bug.cgi?id=197306
     5
     6        Reviewed by Saam Barati.
     7
     8        Previously, we assumed that linkPolymorphicCall does not perform allocations. So we put CallVariant into a Vector<>.
     9        But now, WebAssemblyFunction's entrypoint generation can allocate JSToWasmICCallee and cause GC. Since CallLinkInfo
     10        does not hold these cells, they can be collected, and we will see dead cells in the middle of linkPolymorphicCall.
     11        We should defer GC for a while in linkPolymorphicCall. We use DeferGCForAWhile instead of DeferGC because the
     12        caller "operationLinkPolymorphicCall" assumes that this function does not cause GC.
     13
     14        * jit/Repatch.cpp:
     15        (JSC::linkPolymorphicCall):
     16
    1172019-04-26  Robin Morisset  <rmorisset@apple.com>
    218
  • trunk/Source/JavaScriptCore/jit/Repatch.cpp

    r244204 r244711  
    956956{
    957957    RELEASE_ASSERT(callLinkInfo.allowStubs());
     958
     959    CallFrame* callerFrame = exec->callerFrame();
     960    VM& vm = callerFrame->vm();
     961
     962    // During execution of linkPolymorphicCall, we strongly assume that we never do GC.
     963    // GC jettisons CodeBlocks, changes CallLinkInfo etc. and breaks assumption done before and after this call.
     964    DeferGCForAWhile deferGCForAWhile(vm.heap);
    958965   
    959966    if (!newVariant) {
     
    962969    }
    963970
    964     CallFrame* callerFrame = exec->callerFrame();
    965 
    966971    // Our caller must be have a cell for a callee. When calling
    967972    // this from Wasm, we ensure the callee is a cell.
    968973    ASSERT(callerFrame->callee().isCell());
    969974
    970     VM& vm = callerFrame->vm();
    971975    CodeBlock* callerCodeBlock = callerFrame->codeBlock();
    972976    bool isWebAssembly = isWebAssemblyToJSCallee(callerFrame->callee().asCell());
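Review bot: the comment added at lines 962-964 says GC must not happen here but not why DeferGCForAWhile is chosen over DeferGC; the ChangeLog's reason (the caller "operationLinkPolymorphicCall" assumes that this function does not cause GC, so a collection at scope exit would break it just as one in the middle would) belongs in the comment, otherwise a later cleanup may swap in the more common DeferGC. Minor wording: "breaks assumption done before and after this call" reads better as "breaks assumptions made before and after this call".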
  • trunk/Tools/ChangeLog

    r244706 r244711  
     12019-04-25  Yusuke Suzuki  <ysuzuki@apple.com>
     2
     3        [JSC] linkPolymorphicCall now does GC
     4        https://bugs.webkit.org/show_bug.cgi?id=197306
     5
     6        Reviewed by Saam Barati.
     7
     8        The test is sensitive to allocations and even adding $vm makes it non-reproducible.
     9        To add this test, we add `runWithoutBaseOption`.
     10
     11        * Scripts/run-jsc-stress-tests:
     12
    1132019-04-26  Alexey Proskuryakov  <ap@apple.com>
    214
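Review bot: the entry under "* Scripts/run-jsc-stress-tests:" names only runWithoutBaseOption, but the script diff also adds runWithOutputHandlerWithoutBaseOption; both should be listed in the usual "(runWithOutputHandlerWithoutBaseOption):" and "(runWithoutBaseOption):" form so the ChangeLog matches the change.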
  • trunk/Tools/Scripts/run-jsc-stress-tests

    r244543 r244711  
    617617end
    618618
     619def runWithOutputHandlerWithoutBaseOption(kind, outputHandler, *options)
     620    addRunCommand(kind, [pathToVM.to_s] + $testSpecificRequiredOptions + options + [$benchmark.to_s], outputHandler, simpleErrorHandler)
     621end
     622
    619623def run(kind, *options)
    620624    runWithOutputHandler(kind, silentOutputHandler, *options)
     625end
     626
     627def runWithoutBaseOption(kind, *options)
     628    runWithOutputHandlerWithoutBaseOption(kind, silentOutputHandler, *options)
    621629end
    622630
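Review bot: neither new function carries a comment saying when a test should use runWithoutBaseOption instead of run; the ChangeLog's rationale (the command omits the base options because the new stress test is sensitive to allocations and even exposing $vm makes it non-reproducible) should sit above runWithOutputHandlerWithoutBaseOption, since nothing else in the script tells a test author why this variant exists.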