Baseline JIT should do argument value profiling after checking for stack overflow
authorsbarati@apple.com <sbarati@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Thu, 2 May 2019 03:10:43 +0000 (03:10 +0000)
committersbarati@apple.com <sbarati@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Thu, 2 May 2019 03:10:43 +0000 (03:10 +0000)
https://bugs.webkit.org/show_bug.cgi?id=197052
<rdar://problem/50009602>

Reviewed by Yusuke Suzuki.

JSTests:

* stress/check-stack-overflow-before-value-profiling-arguments.js: Added.

Source/JavaScriptCore:

Otherwise, we may do value profiling without running a write barrier, which
is against the rules of how we do value profiling.

* jit/JIT.cpp:
(JSC::JIT::compileWithoutLinking):

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@244865 268f45cc-cd09-0410-ab3c-d52691b4dbfc

JSTests/ChangeLog
JSTests/stress/check-stack-overflow-before-value-profiling-arguments.js [new file with mode: 0644]
Source/JavaScriptCore/ChangeLog
Source/JavaScriptCore/jit/JIT.cpp

index fb77593..e5487fe 100644 (file)
@@ -1,3 +1,13 @@
+2019-05-01  Saam barati  <sbarati@apple.com>
+
+        Baseline JIT should do argument value profiling after checking for stack overflow
+        https://bugs.webkit.org/show_bug.cgi?id=197052
+        <rdar://problem/50009602>
+
+        Reviewed by Yusuke Suzuki.
+
+        * stress/check-stack-overflow-before-value-profiling-arguments.js: Added.
+
 2019-05-01  Yusuke Suzuki  <ysuzuki@apple.com>
 
         [JSC] Inlining Getter/Setter should care availability of ad-hocly constructed frame
diff --git a/JSTests/stress/check-stack-overflow-before-value-profiling-arguments.js b/JSTests/stress/check-stack-overflow-before-value-profiling-arguments.js
new file mode 100644 (file)
index 0000000..65b4151
--- /dev/null
@@ -0,0 +1,41 @@
+//@ runDefault("--useConcurrentJIT=0", "--thresholdForJITAfterWarmUp=10", "--slowPathAllocsBetweenGCs=10", "--useConcurrentGC=0")
+
+function fullGC() {
+    for (var i = 0; i < 10; i++) {
+        new Float64Array(0x1000000);
+    }
+}
+
+function outer() {
+    function f() {
+        try {
+            const r = f();
+        } catch(e) {
+            const o = Object();
+            function inner(a1, a2, a3) {
+                try {
+                    const r1 = new Uint32Array();
+                    const r2 = r1.values();
+                } catch(e2) {
+                }
+            }
+            const result = inner();
+        }
+    }
+
+    f();
+
+    function edenGC() {
+        for (let i = 0; i < 100; i++) {
+            const floatArray = new Float64Array(0x10000);
+        }
+    }
+    edenGC();
+}
+
+for (let i = 0; i < 100; i++) {
+    const result = outer();
+}
+
+fullGC();
+
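Review bot: The new test does not say what it exercises or what a failure looks like; with no assertions, its pass condition is presumably just running to completion without a crash or assertion failure under the flags on the `//@ runDefault` line. A header comment after that line would help whoever next sees it fail, e.g. `// Regression test for https://bugs.webkit.org/show_bug.cgi?id=197052: recurse until stack overflow, then call a function whose argument slots are left unfilled while GC runs frequently, so baseline-JIT argument value profiling only happens after the stack check.` The unused bindings (`r`, `o`, `result`, `floatArray`) read as deliberate allocation pressure and are fine to keep, but a one-line comment on `fullGC`/`edenGC` saying they exist only to force collections would make that explicit.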
index 70367eb..84b4423 100644 (file)
@@ -1,3 +1,17 @@
+2019-05-01  Saam barati  <sbarati@apple.com>
+
+        Baseline JIT should do argument value profiling after checking for stack overflow
+        https://bugs.webkit.org/show_bug.cgi?id=197052
+        <rdar://problem/50009602>
+
+        Reviewed by Yusuke Suzuki.
+
+        Otherwise, we may do value profiling without running a write barrier, which
+        is against the rules of how we do value profiling.
+
+        * jit/JIT.cpp:
+        (JSC::JIT::compileWithoutLinking):
+
 2019-05-01  Yusuke Suzuki  <ysuzuki@apple.com>
 
         [JSC] Inlining Getter/Setter should care availability of ad-hocly constructed frame
index ec5b87c..f1975bf 100644 (file)
@@ -681,6 +681,22 @@ void JIT::compileWithoutLinking(JITCompilationEffort effort)
     sampleInstruction(m_codeBlock->instructions().begin());
 #endif
 
+    int frameTopOffset = stackPointerOffsetFor(m_codeBlock) * sizeof(Register);
+    unsigned maxFrameSize = -frameTopOffset;
+    addPtr(TrustedImm32(frameTopOffset), callFrameRegister, regT1);
+    JumpList stackOverflow;
+    if (UNLIKELY(maxFrameSize > Options::reservedZoneSize()))
+        stackOverflow.append(branchPtr(Above, regT1, callFrameRegister));
+    stackOverflow.append(branchPtr(Above, AbsoluteAddress(m_vm->addressOfSoftStackLimit()), regT1));
+
+    move(regT1, stackPointerRegister);
+    checkStackPointerAlignment();
+    if (Options::zeroStackFrame())
+        clearStackFrame(callFrameRegister, stackPointerRegister, regT0, maxFrameSize);
+
+    emitSaveCalleeSaves();
+    emitMaterializeTagCheckRegisters();
+
     if (m_codeBlock->codeType() == FunctionCode) {
         ASSERT(m_bytecodeOffset == std::numeric_limits<unsigned>::max());
         if (shouldEmitProfiling()) {
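Review bot: Nothing in the moved block records that it must stay ahead of the argument value profiling that follows at `if (shouldEmitProfiling())`, so the ordering this commit establishes could be silently undone by a later refactor. Add a comment above the `frameTopOffset` declaration, e.g. `// Keep this stack check ahead of the argument value profiling below: profiling before it can record values without the write barrier running (bug 197052).` The `unsigned maxFrameSize = -frameTopOffset;` line relies on the offset being non-positive; that is pre-existing, but an `ASSERT(frameTopOffset <= 0);` next to it would make the assumption explicit. The `stackOverflow` JumpList is presumably linked further down; that, and the rest of compileWithoutLinking, lie outside the hunk.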
@@ -700,22 +716,6 @@ void JIT::compileWithoutLinking(JITCompilationEffort effort)
             }
         }
     }
-
-    int frameTopOffset = stackPointerOffsetFor(m_codeBlock) * sizeof(Register);
-    unsigned maxFrameSize = -frameTopOffset;
-    addPtr(TrustedImm32(frameTopOffset), callFrameRegister, regT1);
-    JumpList stackOverflow;
-    if (UNLIKELY(maxFrameSize > Options::reservedZoneSize()))
-        stackOverflow.append(branchPtr(Above, regT1, callFrameRegister));
-    stackOverflow.append(branchPtr(Above, AbsoluteAddress(m_vm->addressOfSoftStackLimit()), regT1));
-
-    move(regT1, stackPointerRegister);
-    checkStackPointerAlignment();
-    if (Options::zeroStackFrame())
-        clearStackFrame(callFrameRegister, stackPointerRegister, regT0, maxFrameSize);
-
-    emitSaveCalleeSaves();
-    emitMaterializeTagCheckRegisters();
     
     RELEASE_ASSERT(!JITCode::isJIT(m_codeBlock->jitType()));