[webkit-changes] [WebKit/WebKit] d1282e: exceptions can't always be checked under silent sp...

Keith Miller noreply at github.com
Mon May 20 19:13:28 PDT 2024


  Branch: refs/heads/main
  Home:   https://github.com/WebKit/WebKit
  Commit: d1282e05222cf31b112823d5c8a08632d5ff0558
      https://github.com/WebKit/WebKit/commit/d1282e05222cf31b112823d5c8a08632d5ff0558
  Author: Keith Miller <keith_miller at apple.com>
  Date:   2024-05-20 (Mon, 20 May 2024)

  Changed paths:
    M JSTests/stress/generator-cell-with-type.js
    A JSTests/stress/stack-overflow-in-scope-with-catch.js
    M Source/JavaScriptCore/Scripts/process-entitlements.sh
    M Source/JavaScriptCore/dfg/DFGArrayifySlowPathGenerator.h
    M Source/JavaScriptCore/dfg/DFGCallArrayAllocatorSlowPathGenerator.h
    M Source/JavaScriptCore/dfg/DFGCallCreateDirectArgumentsSlowPathGenerator.h
    M Source/JavaScriptCore/dfg/DFGRegisterBank.h
    M Source/JavaScriptCore/dfg/DFGSaneStringGetByValSlowPathGenerator.h
    M Source/JavaScriptCore/dfg/DFGSilentRegisterSavePlan.h
    M Source/JavaScriptCore/dfg/DFGSlowPathGenerator.h
    M Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp
    M Source/JavaScriptCore/dfg/DFGSpeculativeJIT.h
    M Source/JavaScriptCore/dfg/DFGSpeculativeJIT64.cpp
    M Source/JavaScriptCore/jit/AssemblyHelpers.cpp
    M Source/JavaScriptCore/jit/GPRInfo.h
    M Source/JavaScriptCore/jit/OperationResult.h
    M Source/JavaScriptCore/jit/Reg.h
    M Source/JavaScriptCore/jit/RegisterSet.h

  Log Message:
  -----------
  exceptions can't always be checked under silent spill in DFG
https://bugs.webkit.org/show_bug.cgi?id=274291
rdar://128067350

Reviewed by Yusuke Suzuki.

If we're catching an exception in the same DFG frame it's potentially
not safe to check for exceptions under a silent spill. This is because
the OSR exit ramp does not know about the silent spill. So values will
not be restored. There were a couple of possible fixes:

1) teach the DFGVariableEventStream about exceptions under silent spill.
2) add extra metadata about the fact we’re under a silent spill and silent
   fill before hitting the OSR exit ramp.
3) move the exception to an unused gpr until we can silent fill if needed.

I went with option 3. Option 1 has the problem that it's complicated and might
be a memory regression. Option 2 could bloat code size.

I also noticed that my `requires (!OperationHasResult<T>)` checks were not
properly eliminating overloads. This is because when you do e.g.
`requires (!OperationHasResult<int>)` the `OperationHasResult<int>` will
fail SFINAE but that just makes the concept false which then becomes true
in the requirement. Instead we now have a new `OperationIsVoid<T>` concept.

* JSTests/stress/stack-overflow-in-scope-with-catch.js: Added.
(foo.catch.Set.Symbol.hasInstance):
(foo.finally.bar):
(foo.goo.baz):
(foo.goo):
(foo):
* Source/JavaScriptCore/dfg/DFGArrayifySlowPathGenerator.h:
* Source/JavaScriptCore/dfg/DFGCallArrayAllocatorSlowPathGenerator.h:
* Source/JavaScriptCore/dfg/DFGCallCreateDirectArgumentsSlowPathGenerator.h:
* Source/JavaScriptCore/dfg/DFGSaneStringGetByValSlowPathGenerator.h:
* Source/JavaScriptCore/dfg/DFGSilentRegisterSavePlan.h:
(JSC::DFG::SilentRegisterSavePlan::SilentRegisterSavePlan):
(JSC::DFG::SilentRegisterSavePlan::reg const):
(JSC::DFG::SilentRegisterSavePlan::gpr const):
(JSC::DFG::SilentRegisterSavePlan::fpr const):
* Source/JavaScriptCore/dfg/DFGSlowPathGenerator.h:
(JSC::DFG::CallSlowPathGenerator::setUp):
(JSC::DFG::CallSlowPathGenerator::tearDown):
* Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp:
(JSC::DFG::SpeculativeJIT::exceptionCheck):
(JSC::DFG::SpeculativeJIT::silentSpillImpl):
(JSC::DFG::SpeculativeJIT::silentFillImpl):
(JSC::DFG::SpeculativeJIT::compileToLowerCase):
(JSC::DFG::SpeculativeJIT::silentSpill): Deleted.
(JSC::DFG::SpeculativeJIT::silentFill): Deleted.
* Source/JavaScriptCore/dfg/DFGSpeculativeJIT.h:
(JSC::DFG::SpeculativeJIT::spillPlanInterferesWithReg):
(JSC::DFG::SpeculativeJIT::silentSpill):
(JSC::DFG::SpeculativeJIT::silentFill):
(JSC::DFG::SpeculativeJIT::silentSpillAllRegistersImpl):
(JSC::DFG::SpeculativeJIT::silentFillAllRegisters):
(JSC::DFG::SpeculativeJIT::operationExceptionCheck):
(JSC::DFG::SpeculativeJIT::callOperation):
(JSC::DFG::SpeculativeJIT::tryHandleOrGetExceptionUnderSilentSpill):
(JSC::DFG::SpeculativeJIT::callOperationWithSilentSpill):
* Source/JavaScriptCore/dfg/DFGSpeculativeJIT64.cpp:
(JSC::DFG::SpeculativeJIT::nonSpeculativePeepholeStrictEq):
(JSC::DFG::SpeculativeJIT::genericJSValueNonPeepholeStrictEq):
(JSC::DFG::SpeculativeJIT::emitCall):
(JSC::DFG::SpeculativeJIT::compileGetByVal):
(JSC::DFG::SpeculativeJIT::compile):
* Source/JavaScriptCore/jit/GPRInfo.h:
(JSC::NoOverlapImpl::noOverlapImpl):
* Source/JavaScriptCore/jit/OperationResult.h:
* Source/JavaScriptCore/jit/Reg.h:

Canonical link: https://commits.webkit.org/279031@main
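The overload-elimination pitfall from the second paragraph of the log message, reconstructed as an added example (not WebKit's code). OperationTraits, OperationHasResult, OperationIsVoid, oldDispatch and newDispatch are simplified stand-ins for the JSC helpers, written as C++17 detection traits instead of the C++20 concepts the commit uses; the substitution-failure logic is the same: a type that is not an operation at all makes OperationHasResult false, so the negated guard still admits it, while a positive OperationIsVoid guard does not.

```cpp
#include <type_traits>
#include <utility>

// Stand-ins for the JSC helpers (added example, not WebKit's code).
void voidOperation(int) {}
int valueOperation(int v) { return v; }

// Only function pointers are "operations"; anything else has no Result member.
template<typename F> struct OperationTraits {};
template<typename R, typename... Args>
struct OperationTraits<R (*)(Args...)> { using Result = R; };

// Substitution failure (no Result member) makes the trait false, not an error.
template<typename F, typename = void>
struct OperationHasResult : std::false_type {};
template<typename F>
struct OperationHasResult<F, std::void_t<typename OperationTraits<F>::Result>>
    : std::bool_constant<!std::is_void_v<typename OperationTraits<F>::Result>> {};

template<typename F, typename = void>
struct OperationIsVoid : std::false_type {};
template<typename F>
struct OperationIsVoid<F, std::void_t<typename OperationTraits<F>::Result>>
    : std::is_void<typename OperationTraits<F>::Result> {};

// Old pattern: the "void operation" overload is guarded by a negated trait.
// For a non-operation such as int, OperationHasResult<int> is false, so the
// negation is true and the overload is not eliminated.
template<typename F, std::enable_if_t<!OperationHasResult<F>::value, int> = 0>
constexpr int oldDispatch(F) { return 0; }  // intended for void operations only
template<typename F, std::enable_if_t<OperationHasResult<F>::value, int> = 0>
constexpr int oldDispatch(F) { return 1; }

// New pattern: a positive OperationIsVoid guard; int satisfies neither overload.
template<typename F, std::enable_if_t<OperationIsVoid<F>::value, int> = 0>
constexpr int newDispatch(F) { return 0; }
template<typename F, std::enable_if_t<OperationHasResult<F>::value, int> = 0>
constexpr int newDispatch(F) { return 1; }

// Does a call with an argument of type F find any viable overload?
template<typename F, typename = void> struct OldDispatchAccepts : std::false_type {};
template<typename F>
struct OldDispatchAccepts<F, std::void_t<decltype(oldDispatch(std::declval<F>()))>> : std::true_type {};
template<typename F, typename = void> struct NewDispatchAccepts : std::false_type {};
template<typename F>
struct NewDispatchAccepts<F, std::void_t<decltype(newDispatch(std::declval<F>()))>> : std::true_type {};

static_assert(OldDispatchAccepts<int>::value, "negated guard wrongly accepts a non-operation");
static_assert(!NewDispatchAccepts<int>::value, "positive guard rejects the non-operation");
```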




