Title: [191016] trunk/Source/_javascript_Core
Revision
191016
Author
sbar...@apple.com
Date
2015-10-13 17:12:18 -0700 (Tue, 13 Oct 2015)

Log Message

We were creating a GCAwareJITStubRoutineWithExceptionHandler when we didn't actually have an exception handler in the CodeBlock's exception handler table
https://bugs.webkit.org/show_bug.cgi?id=150016

Reviewed by Geoffrey Garen.

There was a bug where we created a GCAwareJITStubRoutineWithExceptionHandler
for inline caches that were custom setters/getters (but not JS getters/setters).
This is wrong; we only create GCAwareJITStubRoutineWithExceptionHandler when we have
an inline cache with a JS getter/setter call which causes the inline cache to add itself
to the CodeBlock's exception handling table. The problem was that we created
a GCAwareJITStubRoutineWithExceptionHandler that tried to remove itself from
the exception handler table only to find out that it didn't have an entry in the table.

* bytecode/PolymorphicAccess.cpp:
(JSC::PolymorphicAccess::regenerate):

Modified Paths

Diff

Modified: trunk/Source/_javascript_Core/ChangeLog (191015 => 191016)


--- trunk/Source/_javascript_Core/ChangeLog	2015-10-14 00:10:07 UTC (rev 191015)
+++ trunk/Source/_javascript_Core/ChangeLog	2015-10-14 00:12:18 UTC (rev 191016)
@@ -1,3 +1,21 @@
+2015-10-13  Saam barati  <sbar...@apple.com>
+
+        We were creating a GCAwareJITStubRoutineWithExceptionHandler when we didn't actually have an exception handler in the CodeBlock's exception handler table
+        https://bugs.webkit.org/show_bug.cgi?id=150016
+
+        Reviewed by Geoffrey Garen.
+
+        There was a bug where we created a GCAwareJITStubRoutineWithExceptionHandler
+        for inline caches that were custom setters/getters (but not JS getters/setters).
+        This is wrong; we only create GCAwareJITStubRoutineWithExceptionHandler when we have
+        an inline cache with a JS getter/setter call which causes the inline cache to add itself
+        to the CodeBlock's exception handling table. The problem was that we created
+        a GCAwareJITStubRoutineWithExceptionHandler that tried to remove itself from
+        the exception handler table only to find out that it didn't have an entry in the table.
+
+        * bytecode/PolymorphicAccess.cpp:
+        (JSC::PolymorphicAccess::regenerate):
+
 2015-10-13  Joseph Pecoraro  <pecor...@apple.com>
 
         Simplify WeakBlock visit and reap phases
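Review bot: the file list under `* bytecode/PolymorphicAccess.cpp:` omits `jit/GCAwareJITStubRoutine.cpp`, which this revision also modifies (the new `ASSERT` in the `GCAwareJITStubRoutineWithExceptionHandler` constructor); add a `* jit/GCAwareJITStubRoutine.cpp:` entry naming that constructor so the ChangeLog matches the diff. No test is listed either; a regression test that throws through a custom (non-JS) getter or setter reached from optimized code would cover the case the description explains.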

Modified: trunk/Source/_javascript_Core/bytecode/PolymorphicAccess.cpp (191015 => 191016)


--- trunk/Source/_javascript_Core/bytecode/PolymorphicAccess.cpp	2015-10-14 00:10:07 UTC (rev 191015)
+++ trunk/Source/_javascript_Core/bytecode/PolymorphicAccess.cpp	2015-10-14 00:12:18 UTC (rev 191016)
@@ -1324,6 +1324,8 @@
         failure = state.failAndRepatch;
     failure.append(jit.jump());
 
+    CodeBlock* codeBlockThatOwnsExceptionHandlers = nullptr;
+    CallSiteIndex callSiteIndexForExceptionHandling;
     if (state.needsToRestoreRegistersIfException() && hasJSGetterSetterCall) {
         // Emit the exception handler.
         // Note that this code is only reachable when doing genericUnwind from a pure JS getter/setter .
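Review bot: `callSiteIndexForExceptionHandling` is now default-constructed instead of being seeded with `state.originalCallSiteIndex()` as the removed block below did, so on the path where `codeBlockThatOwnsExceptionHandlers` stays `nullptr` the index handed to `createJITStubRoutine` is whatever `CallSiteIndex()` yields. That is fine only if `createJITStubRoutine` ignores the index whenever the code block pointer is null; worth confirming, and a one-line comment on the declaration stating that the index is meaningful only when `codeBlockThatOwnsExceptionHandlers` is set would make the invariant explicit.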
@@ -1354,6 +1356,12 @@
                 handlerToRegister.end = newExceptionHandlingCallSite.bits() + 1;
                 codeBlock->appendExceptionHandler(handlerToRegister);
             });
+
+        // We set these to indicate to the stub to remove itself from the CodeBlock's
+        // exception handler table when it is deallocated.
+        codeBlockThatOwnsExceptionHandlers = codeBlock;
+        ASSERT(JITCode::isOptimizingJIT(codeBlockThatOwnsExceptionHandlers->jitType()));
+        callSiteIndexForExceptionHandling = state.callSiteIndexForExceptionHandling();
     }
 
     LinkBuffer linkBuffer(vm, jit, codeBlock, JITCompilationCanFail);
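Review bot: the value stored in `callSiteIndexForExceptionHandling` comes from `state.callSiteIndexForExceptionHandling()`, while the handler registered a few lines above is keyed on `newExceptionHandlingCallSite` (`handlerToRegister.end = newExceptionHandlingCallSite.bits() + 1`). The new constructor `ASSERT` looks the entry up by `exceptionHandlerCallSiteIndex.bits()`, so these two must denote the same call site; an `ASSERT(state.callSiteIndexForExceptionHandling() == newExceptionHandlingCallSite)` here (or a comment saying why they are guaranteed equal) would pin that down. Keeping the assignments inside the `state.needsToRestoreRegistersIfException() && hasJSGetterSetterCall` block, the same predicate that guards `codeBlock->appendExceptionHandler(handlerToRegister)`, is what ties stub teardown to table registration, so a short comment noting that the two must share one condition would help the next editor.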
@@ -1386,14 +1394,6 @@
     for (auto& entry : cases)
         doesCalls |= entry->doesCalls();
     
-    CodeBlock* codeBlockThatOwnsExceptionHandlers = nullptr;
-    CallSiteIndex callSiteIndexForExceptionHandling = state.originalCallSiteIndex();
-    if (state.needsToRestoreRegistersIfException()) {
-        codeBlockThatOwnsExceptionHandlers = codeBlock;
-        ASSERT(JITCode::isOptimizingJIT(codeBlockThatOwnsExceptionHandlers->jitType()));
-        callSiteIndexForExceptionHandling = state.callSiteIndexForExceptionHandling();
-    }
-
     m_stubRoutine = createJITStubRoutine(code, vm, codeBlock, doesCalls, nullptr, codeBlockThatOwnsExceptionHandlers, callSiteIndexForExceptionHandling);
     m_watchpoints = WTF::move(state.watchpoints);
     if (!state.weakReferences.isEmpty())
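Review bot: the removed condition `state.needsToRestoreRegistersIfException()` was the root cause: it holds for any access that has to restore registers on exception, including the custom getter/setter calls, whereas only the `hasJSGetterSetterCall` path actually appends to the handler table, so the stub was later asked to unregister an entry that had never been added. Moving the assignments up into the guarded block is the right shape; the only remaining consumer here is the `createJITStubRoutine` call, which still receives `codeBlockThatOwnsExceptionHandlers` as `nullptr` for the custom accessor case.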

Modified: trunk/Source/_javascript_Core/jit/GCAwareJITStubRoutine.cpp (191015 => 191016)


--- trunk/Source/_javascript_Core/jit/GCAwareJITStubRoutine.cpp	2015-10-14 00:10:07 UTC (rev 191015)
+++ trunk/Source/_javascript_Core/jit/GCAwareJITStubRoutine.cpp	2015-10-14 00:12:18 UTC (rev 191016)
@@ -105,6 +105,7 @@
     , m_exceptionHandlerCallSiteIndex(exceptionHandlerCallSiteIndex)
 {
     RELEASE_ASSERT(m_codeBlockWithExceptionHandler);
+    ASSERT(!!m_codeBlockWithExceptionHandler->handlerForIndex(exceptionHandlerCallSiteIndex.bits()));
 }
 
 void GCAwareJITStubRoutineWithExceptionHandler::aboutToDie()
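Review bot: `ASSERT(!!m_codeBlockWithExceptionHandler->handlerForIndex(exceptionHandlerCallSiteIndex.bits()))` fires only in debug builds, while the `RELEASE_ASSERT(m_codeBlockWithExceptionHandler)` directly above it is checked in release. Since the bug this revision fixes was precisely a stub constructed without a matching table entry, consider promoting this to `RELEASE_ASSERT` if `handlerForIndex` is cheap enough for a once-per-stub check; if it stays debug-only, the `!!` is redundant inside `ASSERT`, which already tests the expression for truth.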