[webkit-changes] [WebKit/WebKit] a75b74: Fix handleRecursiveTailCall for osr exit at op_tai...

Commit Queue noreply at github.com
Thu Apr 20 11:34:28 PDT 2023 

  Branch: refs/heads/main
  Home:   https://github.com/WebKit/WebKit
  Commit: a75b74fc83c06296ff667aaaabf593697eb2fa1b
      https://github.com/WebKit/WebKit/commit/a75b74fc83c06296ff667aaaabf593697eb2fa1b
  Author: Yijia Huang <yijia_huang at apple.com>
  Date:   2023-04-20 (Thu, 20 Apr 2023)

  Changed paths:
    A JSTests/stress/osr-exit-at-tail-call-in-tail-recursion.js
    M Source/JavaScriptCore/dfg/DFGByteCodeParser.cpp

  Log Message:
  -----------
  Fix handleRecursiveTailCall for osr exit at op_tail_call
https://bugs.webkit.org/show_bug.cgi?id=254574
rdar://107598022

Reviewed by Yusuke Suzuki.

Previously, we introduced a patch https://commits.webkit.org/260787@main
which merges op_enter, op_get_scope, and op_check_traps into op_enter
for less prologue overhead. However, the patch crashes in a tail recursion
when OSR exit from FTL to Baseline at op_tail_call. This is becuase we
exit to the offset(op_enter) + 1 which would miss the execution of op_get_scope
that merged into op_enter in the previous path. In that case, program would
crash when trying to dereference an undefined scope after OSR exit. To fix this
issue we should just update the exit to  offset(op_enter) instead of
offset(op_enter) + 1.

JavaScript tail recursion foo:
function foo(n) {
    ...
    return foo(n);
}

Bytecode for foo with scope at loc4:
[  0] enter
[  1] ...
...
[ 11] resolve_scope  dst:loc10, scope:loc4
...
[ 38] tail_call ...
[...] ret       ...

DFG for foo:
...
--> foo // inlined recursive tail call
    ...
    @node(..., bc#38, exit: bc#38 --> bc#1, ...)
    ...
<-- foo

DFG for foo:
...
--> foo // inlined recursive tail call
    ...
    @node(..., bc#38, exit: bc#38 --> bc#0, ...)
    ...
<-- foo

* JSTests/stress/osr-exit-at-tail-call-in-tail-recursion.js: Added.
(foo):
(bar):
* Source/JavaScriptCore/dfg/DFGByteCodeParser.cpp:
(JSC::DFG::ByteCodeParser::handleRecursiveTailCall):

Canonical link: https://commits.webkit.org/263183@main

More information about the webkit-changes mailing list