Changeset 245017 in webkit

Timestamp:

May 7, 2019 10:41:42 AM (5 years ago)

Author:

sbarati@apple.com

Message:

Don't OSR enter into an FTL CodeBlock that has been jettisoned
​https://bugs.webkit.org/show_bug.cgi?id=197531
<rdar://problem/50162379>

Reviewed by Yusuke Suzuki.

JSTests:

• stress/dont-osr-enter-into-jettisoned-ftl-code-block.js: Added.

Source/JavaScriptCore:

Sometimes we make silly mistakes. This is one of those times. It's invalid to OSR
enter into an FTL OSR entry code block that has been jettisoned already.

• dfg/DFGJITCode.cpp:

(JSC::DFG::JITCode::clearOSREntryBlockAndResetThresholds):

• dfg/DFGJITCode.h:

(JSC::DFG::JITCode::clearOSREntryBlock): Deleted.

• dfg/DFGOSREntry.cpp:

(JSC::DFG::prepareOSREntry):
(JSC::DFG::prepareCatchOSREntry):

• dfg/DFGOperations.cpp:
• ftl/FTLOSREntry.cpp:

(JSC::FTL::prepareOSREntry):

Location:

trunk

Files:

• JSTests/ChangeLog (modified) (1 diff)
• JSTests/stress/dont-osr-enter-into-jettisoned-ftl-code-block.js (added)
• Source/JavaScriptCore/ChangeLog (modified) (1 diff)
• Source/JavaScriptCore/dfg/DFGJITCode.cpp (modified) (1 diff)
• Source/JavaScriptCore/dfg/DFGJITCode.h (modified) (1 diff)
• Source/JavaScriptCore/dfg/DFGOSREntry.cpp (modified) (2 diffs)
• Source/JavaScriptCore/dfg/DFGOperations.cpp (modified) (1 diff)
• Source/JavaScriptCore/ftl/FTLOSREntry.cpp (modified) (1 diff)

trunk/JSTests/ChangeLog

@@ +1 @@
+2019-05-07  Saam Barati  <sbarati@apple.com>
+
+        Don't OSR enter into an FTL CodeBlock that has been jettisoned
+        https://bugs.webkit.org/show_bug.cgi?id=197531
+        <rdar://problem/50162379>
+
+        Reviewed by Yusuke Suzuki.
+
+        * stress/dont-osr-enter-into-jettisoned-ftl-code-block.js: Added.
+
 2019-05-06  Dean Jackson  <dino@apple.com>
 

trunk/Source/JavaScriptCore/ChangeLog

@@ +1 @@
+2019-05-07  Saam Barati  <sbarati@apple.com>
+
+        Don't OSR enter into an FTL CodeBlock that has been jettisoned
+        https://bugs.webkit.org/show_bug.cgi?id=197531
+        <rdar://problem/50162379>
+
+        Reviewed by Yusuke Suzuki.
+
+        Sometimes we make silly mistakes. This is one of those times. It's invalid to OSR
+        enter into an FTL OSR entry code block that has been jettisoned already.
+
+        * dfg/DFGJITCode.cpp:
+        (JSC::DFG::JITCode::clearOSREntryBlockAndResetThresholds):
+        * dfg/DFGJITCode.h:
+        (JSC::DFG::JITCode::clearOSREntryBlock): Deleted.
+        * dfg/DFGOSREntry.cpp:
+        (JSC::DFG::prepareOSREntry):
+        (JSC::DFG::prepareCatchOSREntry):
+        * dfg/DFGOperations.cpp:
+        * ftl/FTLOSREntry.cpp:
+        (JSC::FTL::prepareOSREntry):
+
 2019-05-06  Keith Miller  <keith_miller@apple.com>
 

trunk/Source/JavaScriptCore/dfg/DFGJITCode.cpp

@@ -212 +212 @@
     m_osrEntryBlock.set(vm, owner, osrEntryBlock);
 }
+
+void JITCode::clearOSREntryBlockAndResetThresholds(CodeBlock *dfgCodeBlock)
+{ 
+    ASSERT(m_osrEntryBlock);
+
+    unsigned osrEntryBytecode = m_osrEntryBlock->jitCode()->ftlForOSREntry()->bytecodeIndex();
+    m_osrEntryBlock.clear();
+    osrEntryRetry = 0;
+    tierUpEntryTriggers.set(osrEntryBytecode, JITCode::TriggerReason::DontTrigger);
+    setOptimizationThresholdBasedOnCompilationResult(dfgCodeBlock, CompilationDeferred);
+}
 #endif // ENABLE(FTL_JIT)
 

trunk/Source/JavaScriptCore/dfg/DFGJITCode.h

@@ -122 +122 @@
     CodeBlock* osrEntryBlock() { return m_osrEntryBlock.get(); }
     void setOSREntryBlock(VM&, const JSCell* owner, CodeBlock* osrEntryBlock);
-    void clearOSREntryBlock() { m_osrEntryBlock.clear(); }
+    void clearOSREntryBlockAndResetThresholds(CodeBlock* dfgCodeBlock);
 #endif
 

trunk/Source/JavaScriptCore/dfg/DFGOSREntry.cpp

@@ -99 +99 @@
     ASSERT(codeBlock->alternative()->jitType() == JITType::BaselineJIT);
     ASSERT(!codeBlock->jitCodeMap());
+    ASSERT(codeBlock->jitCode()->dfgCommon()->isStillValid);
 
     if (!Options::useOSREntryToDFG())
@@ -343 +344 @@
 { 
     ASSERT(codeBlock->jitType() == JITType::DFGJIT || codeBlock->jitType() == JITType::FTLJIT);
+    ASSERT(codeBlock->jitCode()->dfgCommon()->isStillValid);
 
     if (!Options::useOSREntryToDFG() && codeBlock->jitCode()->jitType() == JITType::DFGJIT)

trunk/Source/JavaScriptCore/dfg/DFGOperations.cpp

@@ -3320 +3320 @@
         // without exponential backoff and we only do this for the entry code block.
         CODEBLOCK_LOG_EVENT(codeBlock, "delayFTLCompile", ("OSR entry failed too many times"));
-        unsigned osrEntryBytecode = entryBlock->jitCode()->ftlForOSREntry()->bytecodeIndex();
-        jitCode->clearOSREntryBlock();
-        jitCode->osrEntryRetry = 0;
-        jitCode->tierUpEntryTriggers.set(osrEntryBytecode, JITCode::TriggerReason::DontTrigger);
-        jitCode->setOptimizationThresholdBasedOnCompilationResult(
-            codeBlock, CompilationDeferred);
+        jitCode->clearOSREntryBlockAndResetThresholds(codeBlock);
         return nullptr;
     }

trunk/Source/JavaScriptCore/ftl/FTLOSREntry.cpp

@@ -49 +49 @@
     DFG::JITCode* dfgCode = dfgCodeBlock->jitCode()->dfg();
     ForOSREntryJITCode* entryCode = entryCodeBlock->jitCode()->ftlForOSREntry();
+
+    if (!entryCode->dfgCommon()->isStillValid) {
+        dfgCode->clearOSREntryBlockAndResetThresholds(dfgCodeBlock);
+        return 0;
+    }
     
     if (Options::verboseOSR()) {