Don't OSR enter into an FTL CodeBlock that has been jettisoned
authorsbarati@apple.com <sbarati@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Tue, 7 May 2019 17:41:42 +0000 (17:41 +0000)
committersbarati@apple.com <sbarati@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Tue, 7 May 2019 17:41:42 +0000 (17:41 +0000)
https://bugs.webkit.org/show_bug.cgi?id=197531
<rdar://problem/50162379>

Reviewed by Yusuke Suzuki.

JSTests:

* stress/dont-osr-enter-into-jettisoned-ftl-code-block.js: Added.

Source/JavaScriptCore:

Sometimes we make silly mistakes. This is one of those times. It's invalid to OSR
enter into an FTL OSR entry code block that has been jettisoned already.

* dfg/DFGJITCode.cpp:
(JSC::DFG::JITCode::clearOSREntryBlockAndResetThresholds):
* dfg/DFGJITCode.h:
(JSC::DFG::JITCode::clearOSREntryBlock): Deleted.
* dfg/DFGOSREntry.cpp:
(JSC::DFG::prepareOSREntry):
(JSC::DFG::prepareCatchOSREntry):
* dfg/DFGOperations.cpp:
* ftl/FTLOSREntry.cpp:
(JSC::FTL::prepareOSREntry):

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@245017 268f45cc-cd09-0410-ab3c-d52691b4dbfc

JSTests/ChangeLog
JSTests/stress/dont-osr-enter-into-jettisoned-ftl-code-block.js [new file with mode: 0644]
Source/JavaScriptCore/ChangeLog
Source/JavaScriptCore/dfg/DFGJITCode.cpp
Source/JavaScriptCore/dfg/DFGJITCode.h
Source/JavaScriptCore/dfg/DFGOSREntry.cpp
Source/JavaScriptCore/dfg/DFGOperations.cpp
Source/JavaScriptCore/ftl/FTLOSREntry.cpp

index 830e791..8e0ae92 100644 (file)
@@ -1,3 +1,13 @@
+2019-05-07  Saam Barati  <sbarati@apple.com>
+
+        Don't OSR enter into an FTL CodeBlock that has been jettisoned
+        https://bugs.webkit.org/show_bug.cgi?id=197531
+        <rdar://problem/50162379>
+
+        Reviewed by Yusuke Suzuki.
+
+        * stress/dont-osr-enter-into-jettisoned-ftl-code-block.js: Added.
+
 2019-05-06  Dean Jackson  <dino@apple.com>
 
         Update test262 expectations for Proxy passes
diff --git a/JSTests/stress/dont-osr-enter-into-jettisoned-ftl-code-block.js b/JSTests/stress/dont-osr-enter-into-jettisoned-ftl-code-block.js
new file mode 100644 (file)
index 0000000..7f0d1da
--- /dev/null
@@ -0,0 +1,14 @@
+//@ runDefault("--useRandomizingFuzzerAgent=1", "--validateAbstractInterpreterState=1", "--jitPolicyScale=0", "--useConcurrentJIT=0", "--validateAbstractInterpreterStateProbability=1.0")
+
+let x = [];
+let k = 1;
+z = 0;
+
+for (var i = 0; i < 36; i++) {
+    k = k * 2;
+    x[k - 2] = k;
+}
+
+for (var j = 0; j === -1; j++) {
+    z = z;
+}
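Review bot: The test never states what it is exercising or what a pass looks like, so a reader cannot tell which of the two loops matters or why the run options on the first line are needed; a one-line header such as `// Regression test for https://bugs.webkit.org/show_bug.cgi?id=197531: OSR entry must not enter an FTL entry block that has already been jettisoned. Passes if the script runs to completion without crashing.` would make that explicit. Whether the never-executing second loop (`j === -1`) is required to reproduce the original failure is not visible from the diff, so it is worth saying so in that comment as well.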
index a8db599..05863dd 100644 (file)
@@ -1,3 +1,25 @@
+2019-05-07  Saam Barati  <sbarati@apple.com>
+
+        Don't OSR enter into an FTL CodeBlock that has been jettisoned
+        https://bugs.webkit.org/show_bug.cgi?id=197531
+        <rdar://problem/50162379>
+
+        Reviewed by Yusuke Suzuki.
+
+        Sometimes we make silly mistakes. This is one of those times. It's invalid to OSR
+        enter into an FTL OSR entry code block that has been jettisoned already.
+
+        * dfg/DFGJITCode.cpp:
+        (JSC::DFG::JITCode::clearOSREntryBlockAndResetThresholds):
+        * dfg/DFGJITCode.h:
+        (JSC::DFG::JITCode::clearOSREntryBlock): Deleted.
+        * dfg/DFGOSREntry.cpp:
+        (JSC::DFG::prepareOSREntry):
+        (JSC::DFG::prepareCatchOSREntry):
+        * dfg/DFGOperations.cpp:
+        * ftl/FTLOSREntry.cpp:
+        (JSC::FTL::prepareOSREntry):
+
 2019-05-06  Keith Miller  <keith_miller@apple.com>
 
         JSWrapperMap should check if existing prototype properties are wrappers when copying exported methods.
index 8afbc24..475419f 100644 (file)
@@ -211,6 +211,17 @@ void JITCode::setOSREntryBlock(VM& vm, const JSCell* owner, CodeBlock* osrEntryB
     }
     m_osrEntryBlock.set(vm, owner, osrEntryBlock);
 }
+
+void JITCode::clearOSREntryBlockAndResetThresholds(CodeBlock *dfgCodeBlock)
+{ 
+    ASSERT(m_osrEntryBlock);
+
+    unsigned osrEntryBytecode = m_osrEntryBlock->jitCode()->ftlForOSREntry()->bytecodeIndex();
+    m_osrEntryBlock.clear();
+    osrEntryRetry = 0;
+    tierUpEntryTriggers.set(osrEntryBytecode, JITCode::TriggerReason::DontTrigger);
+    setOptimizationThresholdBasedOnCompilationResult(dfgCodeBlock, CompilationDeferred);
+}
 #endif // ENABLE(FTL_JIT)
 
 void JITCode::validateReferences(const TrackedReferences& trackedReferences)
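Review bot: `ASSERT(m_osrEntryBlock)` is debug-only, and the very next line dereferences `m_osrEntryBlock->jitCode()`, so a release build that reaches `clearOSREntryBlockAndResetThresholds` with no entry block would dereference null rather than fail loudly; if the precondition is meant to hold unconditionally, `RELEASE_ASSERT(m_osrEntryBlock);` keeps the failure deterministic, otherwise an early return is needed (both call sites shown on this page appear to hold an entry block, but that is only inferred). The signature `CodeBlock *dfgCodeBlock` also differs from the header's `CodeBlock* dfgCodeBlock` and the opening brace carries trailing whitespace. A short comment above the function would help, e.g. `// Forget the FTL OSR entry block (entry failed or the block was jettisoned) and defer re-tier-up so we do not keep trying to enter it.`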
index af825ed..7baef0f 100644 (file)
@@ -121,7 +121,7 @@ public:
 #if ENABLE(FTL_JIT)
     CodeBlock* osrEntryBlock() { return m_osrEntryBlock.get(); }
     void setOSREntryBlock(VM&, const JSCell* owner, CodeBlock* osrEntryBlock);
-    void clearOSREntryBlock() { m_osrEntryBlock.clear(); }
+    void clearOSREntryBlockAndResetThresholds(CodeBlock* dfgCodeBlock);
 #endif
 
     static ptrdiff_t commonDataOffset() { return OBJECT_OFFSETOF(JITCode, common); }
index 7e03ecd..a7f0506 100644 (file)
@@ -98,6 +98,7 @@ void* prepareOSREntry(ExecState* exec, CodeBlock* codeBlock, unsigned bytecodeIn
     ASSERT(codeBlock->alternative());
     ASSERT(codeBlock->alternative()->jitType() == JITType::BaselineJIT);
     ASSERT(!codeBlock->jitCodeMap());
+    ASSERT(codeBlock->jitCode()->dfgCommon()->isStillValid);
 
     if (!Options::useOSREntryToDFG())
         return nullptr;
@@ -342,6 +343,7 @@ void* prepareOSREntry(ExecState* exec, CodeBlock* codeBlock, unsigned bytecodeIn
 MacroAssemblerCodePtr<ExceptionHandlerPtrTag> prepareCatchOSREntry(ExecState* exec, CodeBlock* codeBlock, unsigned bytecodeIndex)
 { 
     ASSERT(codeBlock->jitType() == JITType::DFGJIT || codeBlock->jitType() == JITType::FTLJIT);
+    ASSERT(codeBlock->jitCode()->dfgCommon()->isStillValid);
 
     if (!Options::useOSREntryToDFG() && codeBlock->jitCode()->jitType() == JITType::DFGJIT)
         return nullptr;
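Review bot: Both new `isStillValid` checks in this file are `ASSERT`s, which compile out in release builds, whereas the FTL path in this same commit gets a runtime guard; if a DFG code block can be jettisoned before `prepareOSREntry` or `prepareCatchOSREntry` runs, a release build would still enter it here. If the invariant is guaranteed by how the caller obtains `codeBlock` (not visible, as `prepareOSREntry` starts above its hunk), a comment next to the first assert saying why would make the difference from the FTL path deliberate rather than accidental, e.g. `// Unlike the FTL entry block, the DFG block we are handed is the one currently installed, so it cannot have been jettisoned yet.` Otherwise mirroring the FTL early return is the safer choice.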
index fad6441..1fa9b6b 100644 (file)
@@ -3319,12 +3319,7 @@ static char* tierUpCommon(ExecState* exec, unsigned originBytecodeIndex, bool ca
         // OSR entry failed. Oh no! This implies that we need to retry. We retry
         // without exponential backoff and we only do this for the entry code block.
         CODEBLOCK_LOG_EVENT(codeBlock, "delayFTLCompile", ("OSR entry failed too many times"));
-        unsigned osrEntryBytecode = entryBlock->jitCode()->ftlForOSREntry()->bytecodeIndex();
-        jitCode->clearOSREntryBlock();
-        jitCode->osrEntryRetry = 0;
-        jitCode->tierUpEntryTriggers.set(osrEntryBytecode, JITCode::TriggerReason::DontTrigger);
-        jitCode->setOptimizationThresholdBasedOnCompilationResult(
-            codeBlock, CompilationDeferred);
+        jitCode->clearOSREntryBlockAndResetThresholds(codeBlock);
         return nullptr;
     }
 
index 0021bae..259b3cf 100644 (file)
@@ -48,6 +48,11 @@ void* prepareOSREntry(
     ExecutableBase* executable = dfgCodeBlock->ownerExecutable();
     DFG::JITCode* dfgCode = dfgCodeBlock->jitCode()->dfg();
     ForOSREntryJITCode* entryCode = entryCodeBlock->jitCode()->ftlForOSREntry();
+
+    if (!entryCode->dfgCommon()->isStillValid) {
+        dfgCode->clearOSREntryBlockAndResetThresholds(dfgCodeBlock);
+        return 0;
+    }
     
     if (Options::verboseOSR()) {
         dataLog(
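Review bot: The new early exit uses `return 0;` for a `void*` result; `return nullptr;` matches the rest of the tree (the DFG `prepareOSREntry` on this page returns `nullptr`) and avoids the integer-to-pointer conversion. This guard is also the only release-build protection the commit adds against entering a jettisoned entry block, so it deserves a comment stating that, e.g. `// The entry block was jettisoned; drop it and defer so tier-up re-triggers instead of entering invalidated code.` Note that `clearOSREntryBlockAndResetThresholds` asserts that `dfgCode` still holds an entry block, which is only true if `entryCodeBlock` came from `dfgCode` itself; how it was obtained is above this hunk, since `prepareOSREntry` starts outside it.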