Title: [291633] branches/safari-613-branch
Revision: 291633
Author: alanc...@apple.com
Date: 2022-03-22 10:54:28 -0700 (Tue, 22 Mar 2022)
Log Message

Cherry-pick r290517. rdar://problem/89428235

operationMaterializeObjectInOSR should DeferTerminationForAWhile instead of just DeferTermination.
https://bugs.webkit.org/show_bug.cgi?id=237173
rdar://problem/89450245

Reviewed by Yusuke Suzuki.

JSTests:

* stress/termination-exception-in-operationMaterializeObjectInOSR2.js: Added.

Source/JavaScriptCore:

DeferTermination can throw the TerminationException on destruction of the scope
object. operationMaterializeObjectInOSR() was using DeferTermination, resulting
in the TerminationException being thrown on exit. This trips up
validateDFGExceptionHandling testing (which is enabled on Debug builds) because the
TerminationException is unexpected. The solution is simply to use
DeferTerminationForAWhile instead, and let a more natural trap checkpoint throw
the TerminationException later.

Also refactored notifyDebuggerOfUnwinding() to return early if a debugger is not
present. This avoids unnecessarily entering and exiting a DeferTermination scope
in notifyDebuggerOfUnwinding(). This was observed while testing this change on
the attached test case.

* ftl/FTLOperations.cpp:
(JSC::FTL::operationMaterializeObjectInOSR):
* interpreter/Interpreter.cpp:
(JSC::notifyDebuggerOfUnwinding):

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@290517 268f45cc-cd09-0410-ab3c-d52691b4dbfc
Diff
Modified: branches/safari-613-branch/JSTests/ChangeLog (291632 => 291633)
--- branches/safari-613-branch/JSTests/ChangeLog 2022-03-22 17:54:25 UTC (rev 291632)
+++ branches/safari-613-branch/JSTests/ChangeLog 2022-03-22 17:54:28 UTC (rev 291633)
@@ -1,3 +1,50 @@
+2022-03-21 Alan Coon <alanc...@apple.com>
+
+ Cherry-pick r290517. rdar://problem/89428235
+
+ operationMaterializeObjectInOSR should DeferTerminationForAWhile instead of just DeferTermination.
+ https://bugs.webkit.org/show_bug.cgi?id=237173
+ rdar://problem/89450245
+
+ Reviewed by Yusuke Suzuki.
+
+ JSTests:
+
+ * stress/termination-exception-in-operationMaterializeObjectInOSR2.js: Added.
+
+ Source/_javascript_Core:
+
+ DeferTermination can throw the TerminationException on destruction of the scope
+ object. operationMaterializeObjectInOSR() was using DeferTermination, resulting
+ in the TerminationException being thrown on exit. This trips up
+ validateDFGExceptionHandling testing (which is enabled on Debug builds) because the
+ TerminationException is unexpected. The solution is simply to use
+ DeferTerminationForAWhile instead, and let a more natural trap checkpoint throw
+ the TerminationException later.
+
+ Also refactored notifyDebuggerOfUnwinding() to return early if a debugger is not
+ present. This avoids unnecessarily entering and exiting a DeferTermination scope
+ in notifyDebuggerOfUnwinding(). This was observed while testing this change on
+ the attached test case.
+
+ * ftl/FTLOperations.cpp:
+ (JSC::FTL::operationMaterializeObjectInOSR):
+ * interpreter/Interpreter.cpp:
+ (JSC::notifyDebuggerOfUnwinding):
+
+
+ git-svn-id: https://svn.webkit.org/repository/webkit/trunk@290517 268f45cc-cd09-0410-ab3c-d52691b4dbfc
+
+ 2022-02-25 Mark Lam <mark....@apple.com>
+
+ operationMaterializeObjectInOSR should DeferTerminationForAWhile instead of just DeferTermination.
+ https://bugs.webkit.org/show_bug.cgi?id=237173
+ rdar://problem/89450245
+
+ Reviewed by Yusuke Suzuki.
+
+ * stress/termination-exception-in-operationMaterializeObjectInOSR2.js: Added.
+
2022-03-07 Russell Epstein <repst...@apple.com>
Cherry-pick r290265. rdar://problem/88258776
Added: branches/safari-613-branch/JSTests/stress/termination-exception-in-operationMaterializeObjectInOSR2.js (0 => 291633)
--- branches/safari-613-branch/JSTests/stress/termination-exception-in-operationMaterializeObjectInOSR2.js (rev 0)
+++ branches/safari-613-branch/JSTests/stress/termination-exception-in-operationMaterializeObjectInOSR2.js 2022-03-22 17:54:28 UTC (rev 291633)
@@ -0,0 +1,18 @@
+//@ skip if $buildType == "release"
+//@ runDefault("--watchdog=90", "--jitPolicyScale=0", "--watchdog-exception-ok")
+
+function bar() {
+ try {
+ undefined instanceof [];
+ } catch {}
+ let a = [0];
+ for (let i = 0; i < 100; i++) {}
+ foo();
+ let b = a;
+}
+
+function foo() {
+ bar();
+}
+
+bar();
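Review bot: the two //@ directives at the top of the new test carry no explanation of why release builds are skipped or what outcome counts as a pass. The log message ties the original failure to validateDFGExceptionHandling, which it says is enabled on Debug builds, so a one-line comment above `//@ skip if $buildType == "release"` naming that check and bug 237173 would keep the skip from looking arbitrary. It would also help to say that bar() and foo() call each other without a base case on purpose, and how the run is expected to end given --watchdog=90 and --watchdog-exception-ok.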
Modified: branches/safari-613-branch/Source/_javascript_Core/ChangeLog (291632 => 291633)
--- branches/safari-613-branch/Source/_javascript_Core/ChangeLog 2022-03-22 17:54:25 UTC (rev 291632)
+++ branches/safari-613-branch/Source/_javascript_Core/ChangeLog 2022-03-22 17:54:28 UTC (rev 291633)
@@ -1,3 +1,66 @@
+2022-03-21 Alan Coon <alanc...@apple.com>
+
+ Cherry-pick r290517. rdar://problem/89428235
+
+ operationMaterializeObjectInOSR should DeferTerminationForAWhile instead of just DeferTermination.
+ https://bugs.webkit.org/show_bug.cgi?id=237173
+ rdar://problem/89450245
+
+ Reviewed by Yusuke Suzuki.
+
+ JSTests:
+
+ * stress/termination-exception-in-operationMaterializeObjectInOSR2.js: Added.
+
+ Source/_javascript_Core:
+
+ DeferTermination can throw the TerminationException on destruction of the scope
+ object. operationMaterializeObjectInOSR() was using DeferTermination, resulting
+ in the TerminationException being thrown on exit. This trips up
+ validateDFGExceptionHandling testing (which is enabled on Debug builds) because the
+ TerminationException is unexpected. The solution is simply to use
+ DeferTerminationForAWhile instead, and let a more natural trap checkpoint throw
+ the TerminationException later.
+
+ Also refactored notifyDebuggerOfUnwinding() to return early if a debugger is not
+ present. This avoids unnecessarily entering and exiting a DeferTermination scope
+ in notifyDebuggerOfUnwinding(). This was observed while testing this change on
+ the attached test case.
+
+ * ftl/FTLOperations.cpp:
+ (JSC::FTL::operationMaterializeObjectInOSR):
+ * interpreter/Interpreter.cpp:
+ (JSC::notifyDebuggerOfUnwinding):
+
+
+ git-svn-id: https://svn.webkit.org/repository/webkit/trunk@290517 268f45cc-cd09-0410-ab3c-d52691b4dbfc
+
+ 2022-02-25 Mark Lam <mark....@apple.com>
+
+ operationMaterializeObjectInOSR should DeferTerminationForAWhile instead of just DeferTermination.
+ https://bugs.webkit.org/show_bug.cgi?id=237173
+ rdar://problem/89450245
+
+ Reviewed by Yusuke Suzuki.
+
+ DeferTermination can throw the TerminationException on destruction of the scope
+ object. operationMaterializeObjectInOSR() was using DeferTermination, resulting
+ in the TerminationException being thrown on exit. This trips up
+ validateDFGExceptionHandling testing (which is enabled on Debug builds) because the
+ TerminationException is unexpected. The solution is simply to use
+ DeferTerminationForAWhile instead, and let a more natural trap checkpoint throw
+ the TerminationException later.
+
+ Also refactored notifyDebuggerOfUnwinding() to return early if a debugger is not
+ present. This avoids unnecessarily entering and exiting a DeferTermination scope
+ in notifyDebuggerOfUnwinding(). This was observed while testing this change on
+ the attached test case.
+
+ * ftl/FTLOperations.cpp:
+ (JSC::FTL::operationMaterializeObjectInOSR):
+ * interpreter/Interpreter.cpp:
+ (JSC::notifyDebuggerOfUnwinding):
+
2022-03-07 Russell Epstein <repst...@apple.com>
Cherry-pick r290788. rdar://problem/83494949
Modified: branches/safari-613-branch/Source/_javascript_Core/ftl/FTLOperations.cpp (291632 => 291633)
--- branches/safari-613-branch/Source/_javascript_Core/ftl/FTLOperations.cpp 2022-03-22 17:54:25 UTC (rev 291632)
+++ branches/safari-613-branch/Source/_javascript_Core/ftl/FTLOperations.cpp 2022-03-22 17:54:28 UTC (rev 291633)
@@ -192,7 +192,7 @@
// It's too hairy to handle TerminationExceptions during OSR object materialization.
// Let's just wait until after.
- DeferTermination deferTermination(vm);
+ DeferTerminationForAWhile deferTermination(vm);
// We cannot GC. We've got pointers in evil places.
DeferGCForAWhile deferGC(vm);
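Review bot: the comment above the changed declaration still only says "Let's just wait until after", which reads the same for DeferTermination and DeferTerminationForAWhile. The log message gives the actual reason (DeferTermination can throw the TerminationException when the scope object is destroyed, which here means on exit from operationMaterializeObjectInOSR). Please put that sentence in the source comment so the type is not switched back in a later cleanup.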
Modified: branches/safari-613-branch/Source/_javascript_Core/interpreter/Interpreter.cpp (291632 => 291633)
--- branches/safari-613-branch/Source/_javascript_Core/interpreter/Interpreter.cpp 2022-03-22 17:54:25 UTC (rev 291632)
+++ branches/safari-613-branch/Source/_javascript_Core/interpreter/Interpreter.cpp 2022-03-22 17:54:28 UTC (rev 291633)
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2008-2021 Apple Inc. All rights reserved.
+ * Copyright (C) 2008-2022 Apple Inc. All rights reserved.
* Copyright (C) 2008 Cameron Zwarich <cwzwar...@uwaterloo.ca>
*
* Redistribution and use in source and binary forms, with or without
@@ -502,18 +502,21 @@
ALWAYS_INLINE static void notifyDebuggerOfUnwinding(VM& vm, CallFrame* callFrame)
{
+ JSGlobalObject* globalObject = callFrame->lexicalGlobalObject(vm);
+ Debugger* debugger = globalObject->debugger();
+ if (LIKELY(!debugger))
+ return;
+
DeferTermination deferScope(vm);
- JSGlobalObject* globalObject = callFrame->lexicalGlobalObject(vm);
auto catchScope = DECLARE_CATCH_SCOPE(vm);
- if (Debugger* debugger = globalObject->debugger()) {
- SuspendExceptionScope scope(&vm);
- if (callFrame->isAnyWasmCallee()
- || (callFrame->callee().isCell() && callFrame->callee().asCell()->inherits<JSFunction>(vm)))
- debugger->unwindEvent(callFrame);
- else
- debugger->didExecuteProgram(callFrame);
- catchScope.assertNoException();
- }
+
+ SuspendExceptionScope scope(&vm);
+ if (callFrame->isAnyWasmCallee()
+ || (callFrame->callee().isCell() && callFrame->callee().asCell()->inherits<JSFunction>(vm)))
+ debugger->unwindEvent(callFrame);
+ else
+ debugger->didExecuteProgram(callFrame);
+ catchScope.assertNoException();
}
CatchInfo::CatchInfo(const HandlerInfo* handler, CodeBlock* codeBlock)
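Review bot: in the debugger-present path `DeferTermination deferScope(vm);` is kept, so by the log message's own description the TerminationException can still be thrown when deferScope is destroyed at the closing brace, after `catchScope.assertNoException();` has already run. Please confirm that callers of notifyDebuggerOfUnwinding() expect that, or add a comment on why DeferTerminationForAWhile is not wanted here as well. Separately, callFrame->lexicalGlobalObject(vm) and globalObject->debugger() now execute before the deferral and catch scopes exist; a short comment that neither call can throw would make the reordering easier to verify.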
_______________________________________________
webkit-changes mailing list
webkit-changes@lists.webkit.org
https://lists.webkit.org/mailman/listinfo/webkit-changes