[JSC] llintTrue / jitTrue can encounter native functions
authorysuzuki@apple.com <ysuzuki@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Wed, 24 Jun 2020 23:40:13 +0000 (23:40 +0000)
committerysuzuki@apple.com <ysuzuki@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Wed, 24 Jun 2020 23:40:13 +0000 (23:40 +0000)
https://bugs.webkit.org/show_bug.cgi?id=213442
<rdar://problem/64257914>

Reviewed by Mark Lam.

JSTests:

* stress/baselinejittrue.js: Added.
(shouldBe):
(jitCode1):
(jitCode2):
* stress/baselintjittrue.js: Added.
(shouldBe):
(llintCode1):
(llintCode2):
* stress/llinttrue-in-eval.js: Added.
* stress/llinttrue.js: Added.
(shouldBe):
(llintCode1):
(llintCode2):

Source/JavaScriptCore:

If the CallFrame is for a native function, the associated CodeBlock is nullptr.
This patch fixes this case to handle it gracefully.

* tools/JSDollarVM.cpp:
(JSC::CallerFrameJITTypeFunctor::CallerFrameJITTypeFunctor):
(JSC::CallerFrameJITTypeFunctor::operator() const):
(JSC::functionBaselineJITTrue):
(JSC::JSDollarVM::finishCreation):
(JSC::functionJITTrue): Deleted.

git-svn-id: http://svn.webkit.org/repository/webkit/trunk@263483 268f45cc-cd09-0410-ab3c-d52691b4dbfc

JSTests/ChangeLog
JSTests/stress/baselinejittrue.js [new file with mode: 0644]
JSTests/stress/baselintjittrue.js [new file with mode: 0644]
JSTests/stress/llinttrue-in-eval.js [new file with mode: 0644]
JSTests/stress/llinttrue.js [new file with mode: 0644]
Source/JavaScriptCore/ChangeLog
Source/JavaScriptCore/tools/JSDollarVM.cpp

index 2f8d3b3..77b042f 100644 (file)
@@ -1,3 +1,25 @@
+2020-06-24  Yusuke Suzuki  <ysuzuki@apple.com>
+
+        [JSC] llintTrue / jitTrue can encounter native functions
+        https://bugs.webkit.org/show_bug.cgi?id=213442
+        <rdar://problem/64257914>
+
+        Reviewed by Mark Lam.
+
+        * stress/baselinejittrue.js: Added.
+        (shouldBe):
+        (jitCode1):
+        (jitCode2):
+        * stress/baselintjittrue.js: Added.
+        (shouldBe):
+        (llintCode1):
+        (llintCode2):
+        * stress/llinttrue-in-eval.js: Added.
+        * stress/llinttrue.js: Added.
+        (shouldBe):
+        (llintCode1):
+        (llintCode2):
+
 2020-06-24  Alexey Shvayka  <shvaikalesh@gmail.com>
 
         Add DFG/FTL fast path for GetPrototypeOf based on OverridesGetPrototype flag
diff --git a/JSTests/stress/baselinejittrue.js b/JSTests/stress/baselinejittrue.js
new file mode 100644 (file)
index 0000000..55bcac9
--- /dev/null
@@ -0,0 +1,19 @@
+//@ runDefault("--useLLInt=0", "--useDFGJIT=0")
+
+function shouldBe(actual, expected) {
+    if (actual !== expected)
+        throw new Error('bad value: ' + actual);
+}
+
+function jitCode1() {
+    return $vm.llintTrue();
+}
+
+function jitCode2() {
+    return $vm.baselineJITTrue();
+}
+
+if ($vm.useJIT()) {
+    shouldBe(jitCode1(), false);
+    shouldBe(jitCode2(), true);
+}
diff --git a/JSTests/stress/baselintjittrue.js b/JSTests/stress/baselintjittrue.js
new file mode 100644 (file)
index 0000000..cb28fa3
--- /dev/null
@@ -0,0 +1,17 @@
+//@ runDefault("--useJIT=0")
+
+function shouldBe(actual, expected) {
+    if (actual !== expected)
+        throw new Error('bad value: ' + actual);
+}
+
+function llintCode1() {
+    return $vm.llintTrue();
+}
+
+function llintCode2() {
+    return $vm.baselineJITTrue();
+}
+
+shouldBe(llintCode1(), true);
+shouldBe(llintCode2(), false);
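Review bot: This file is byte-identical to stress/llinttrue.js added in the same commit (both are blob cb28fa3, same `//@ runDefault("--useJIT=0")` directive, same llintCode1/llintCode2 checks), and its name "baselintjittrue" reads like a typo of "baselinejittrue", whose JIT-enabled scenario is already covered by stress/baselinejittrue.js. Either drop this file or give it a scenario the other two do not cover; as it stands it runs the same check twice and the ChangeLog lists it as if it were a separate test.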
diff --git a/JSTests/stress/llinttrue-in-eval.js b/JSTests/stress/llinttrue-in-eval.js
new file mode 100644 (file)
index 0000000..cc45536
--- /dev/null
@@ -0,0 +1,2 @@
+eval(`$vm.llintTrue()`);
+eval(`$vm.baselineJITTrue()`);
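Review bot: The two eval calls assert nothing, so this file only checks that llintTrue and baselineJITTrue survive being invoked from eval code without crashing, and nothing in the file says so; unlike its siblings it also carries no `//@` run directive, so it presumably runs under the default configurations. A leading comment such as `// Regression test: calling these $vm hooks from eval code must not crash. Return values are not asserted because they vary with the run configuration.` would make the intent explicit to the next person who sees a test with no expectations.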
diff --git a/JSTests/stress/llinttrue.js b/JSTests/stress/llinttrue.js
new file mode 100644 (file)
index 0000000..cb28fa3
--- /dev/null
@@ -0,0 +1,17 @@
+//@ runDefault("--useJIT=0")
+
+function shouldBe(actual, expected) {
+    if (actual !== expected)
+        throw new Error('bad value: ' + actual);
+}
+
+function llintCode1() {
+    return $vm.llintTrue();
+}
+
+function llintCode2() {
+    return $vm.baselineJITTrue();
+}
+
+shouldBe(llintCode1(), true);
+shouldBe(llintCode2(), false);
index a912eee..184d6a3 100644 (file)
@@ -1,3 +1,21 @@
+2020-06-24  Yusuke Suzuki  <ysuzuki@apple.com>
+
+        [JSC] llintTrue / jitTrue can encounter native functions
+        https://bugs.webkit.org/show_bug.cgi?id=213442
+        <rdar://problem/64257914>
+
+        Reviewed by Mark Lam.
+
+        If the CallFrame is for native function, associated CodeBlock is nullptr.
+        This patch fixes this case to handle it gracefully.
+
+        * tools/JSDollarVM.cpp:
+        (JSC::CallerFrameJITTypeFunctor::CallerFrameJITTypeFunctor):
+        (JSC::CallerFrameJITTypeFunctor::operator() const):
+        (JSC::functionBaselineJITTrue):
+        (JSC::JSDollarVM::finishCreation):
+        (JSC::functionJITTrue): Deleted.
+
 2020-06-24  Umar Iqbal  <uiqbal@apple.com>
 
         We should resurrect the older patch that collects some statistics of web API calls
index bb0c982..e12f481 100644 (file)
@@ -1783,16 +1783,17 @@ static EncodedJSValue JSC_HOST_CALL functionCpuClflush(JSGlobalObject* globalObj
 class CallerFrameJITTypeFunctor {
 public:
     CallerFrameJITTypeFunctor()
-        : m_currentFrame(0)
-        , m_jitType(JITType::None)
     {
         DollarVMAssertScope assertScope;
     }
 
     StackVisitor::Status operator()(StackVisitor& visitor) const
     {
-        if (m_currentFrame++ > 1) {
-            m_jitType = visitor->codeBlock()->jitType();
+        unsigned index = m_currentFrame++;
+        // First frame (index 0) is `llintTrue` etc. function itself.
+        if (index == 1) {
+            if (visitor->codeBlock())
+                m_jitType = visitor->codeBlock()->jitType();
             return StackVisitor::Done;
         }
         return StackVisitor::Continue;
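Review bot: The null check added before reading the JIT type silently leaves m_jitType at JITType::None when the frame at index 1 has no CodeBlock, but the new comment only explains the index-0 skip, so a reader has to work out why a missing CodeBlock is tolerated rather than asserted; extend it to `// First frame (index 0) is the llintTrue/baselineJITTrue host function itself; a native caller at index 1 has no CodeBlock, so m_jitType then stays JITType::None.`. While here, `visitor->codeBlock()` is evaluated twice; `if (CodeBlock* codeBlock = visitor->codeBlock()) m_jitType = codeBlock->jitType();` reads it once. The same wording issue applies to the "Returns true if the current frame is a baseline JIT frame." header kept above functionBaselineJITTrue later in this commit, since the functor reports on the calling frame, not the host function's own frame. The class CallerFrameJITTypeFunctor continues into the next hunk.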
@@ -1801,8 +1802,8 @@ public:
     JITType jitType() { return m_jitType; }
 
 private:
-    mutable unsigned m_currentFrame;
-    mutable JITType m_jitType;
+    mutable unsigned m_currentFrame { 0 };
+    mutable JITType m_jitType { JITType::None };
 };
 
 static FunctionExecutable* getExecutableForFunction(JSValue theFunctionValue)
@@ -1836,8 +1837,8 @@ static EncodedJSValue JSC_HOST_CALL functionLLintTrue(JSGlobalObject* globalObje
 }
 
 // Returns true if the current frame is a baseline JIT frame.
-// Usage: isBaselineJIT = $vm.jitTrue()
-static EncodedJSValue JSC_HOST_CALL functionJITTrue(JSGlobalObject* globalObject, CallFrame* callFrame)
+// Usage: isBaselineJIT = $vm.baselineJITTrue()
+static EncodedJSValue JSC_HOST_CALL functionBaselineJITTrue(JSGlobalObject* globalObject, CallFrame* callFrame)
 {
     DollarVMAssertScope assertScope;
     VM& vm = globalObject->vm();
@@ -3131,7 +3132,7 @@ void JSDollarVM::finishCreation(VM& vm)
     addFunction(vm, "cpuClflush", functionCpuClflush, 2);
 
     addFunction(vm, "llintTrue", functionLLintTrue, 0);
-    addFunction(vm, "jitTrue", functionJITTrue, 0);
+    addFunction(vm, "baselineJITTrue", functionBaselineJITTrue, 0);
 
     addFunction(vm, "noInline", functionNoInline, 1);