Attachment 369176 Details for
Bug 197531
: Don't OSR enter into an FTL CodeBlock that has been jettisoned
[patch]
patch for landing
a-backup.diff (text/plain), 6.79 KB, created by
Saam Barati
on 2019-05-06 15:20:27 PDT
Description:
patch for landing
Filename:
MIME Type:
Creator:
Saam Barati
Created:
2019-05-06 15:20:27 PDT
Size:
6.79 KB
patch
obsolete
>Index: JSTests/ChangeLog
>===================================================================
>--- JSTests/ChangeLog (revision 244979)
>+++ JSTests/ChangeLog (working copy)
>@@ -1,3 +1,13 @@
>+2019-05-06 Saam Barati <sbarati@apple.com>
>+
>+ Don't OSR enter into an FTL CodeBlock that has been jettisoned
>+ https://bugs.webkit.org/show_bug.cgi?id=197531
>+ <rdar://problem/50162379>
>+
>+ Reviewed by Yusuke Suzuki.
>+
>+ * stress/dont-osr-enter-into-jettisoned-ftl-code-block.js: Added.
>+
> 2019-05-06 Yusuke Suzuki <ysuzuki@apple.com>
>
> TemplateObject passed to template literal tags are not always identical for the same source location.
>Index: JSTests/stress/dont-osr-enter-into-jettisoned-ftl-code-block.js
>===================================================================
>--- JSTests/stress/dont-osr-enter-into-jettisoned-ftl-code-block.js (nonexistent)
>+++ JSTests/stress/dont-osr-enter-into-jettisoned-ftl-code-block.js (working copy)
>@@ -0,0 +1,14 @@
>+//@ runDefault("--useRandomizingFuzzerAgent=1", "--validateAbstractInterpreterState=1", "--jitPolicyScale=0", "--useConcurrentJIT=0", "--validateAbstractInterpreterStateProbability=1.0")
>+
>+let x = [];
>+let k = 1;
>+z = 0;
>+
>+for (var i = 0; i < 36; i++) {
>+ k = k * 2;
>+ x[k - 2] = k;
>+}
>+
>+for (var j = 0; j === -1; j++) {
>+ z = z;
>+}
>Index: Source/JavaScriptCore/ChangeLog
>===================================================================
>--- Source/JavaScriptCore/ChangeLog (revision 244979)
>+++ Source/JavaScriptCore/ChangeLog (working copy)
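Review bot: The new stress test has no comment saying what it exercises, so a reader cannot tell what a failure would mean or why the second loop, whose `j === -1` condition never holds, is there at all. Add a one-line header after the `//@ runDefault(...)` line: `// Regression test for https://bugs.webkit.org/show_bug.cgi?id=197531: must not OSR enter an FTL entry block that was jettisoned; the run is expected to finish without crashing.` The never-executing second loop presumably provides the loop header the fuzzer-found OSR entry was attempted at; a short comment saying so would keep someone from "simplifying" it away.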
>@@ -1,3 +1,25 @@
>+2019-05-06 Saam Barati <sbarati@apple.com>
>+
>+ Don't OSR enter into an FTL CodeBlock that has been jettisoned
>+ https://bugs.webkit.org/show_bug.cgi?id=197531
>+ <rdar://problem/50162379>
>+
>+ Reviewed by Yusuke Suzuki.
>+
>+ Sometimes we make silly mistakes. This is one of those times. It's invalid to OSR
>+ enter into an FTL OSR entry code block that has been jettisoned already.
>+
>+ * dfg/DFGJITCode.cpp:
>+ (JSC::DFG::JITCode::clearOSREntryBlockAndResetThresholds):
>+ * dfg/DFGJITCode.h:
>+ (JSC::DFG::JITCode::clearOSREntryBlock): Deleted.
>+ * dfg/DFGOSREntry.cpp:
>+ (JSC::DFG::prepareOSREntry):
>+ (JSC::DFG::prepareCatchOSREntry):
>+ * dfg/DFGOperations.cpp:
>+ * ftl/FTLOSREntry.cpp:
>+ (JSC::FTL::prepareOSREntry):
>+
> 2019-05-06 Yusuke Suzuki <ysuzuki@apple.com>
>
> TemplateObject passed to template literal tags are not always identical for the same source location.
>Index: Source/JavaScriptCore/dfg/DFGJITCode.cpp
>===================================================================
>--- Source/JavaScriptCore/dfg/DFGJITCode.cpp (revision 244979)
>+++ Source/JavaScriptCore/dfg/DFGJITCode.cpp (working copy)
>@@ -211,6 +211,17 @@ void JITCode::setOSREntryBlock(VM& vm, c
> }
> m_osrEntryBlock.set(vm, owner, osrEntryBlock);
> }
>+
>+void JITCode::clearOSREntryBlockAndResetThresholds(CodeBlock *dfgCodeBlock)
>+{
>+ ASSERT(m_osrEntryBlock);
>+
>+ unsigned osrEntryBytecode = m_osrEntryBlock->jitCode()->ftlForOSREntry()->bytecodeIndex();
>+ m_osrEntryBlock.clear();
>+ osrEntryRetry = 0;
>+ tierUpEntryTriggers.set(osrEntryBytecode, JITCode::TriggerReason::DontTrigger);
>+ setOptimizationThresholdBasedOnCompilationResult(dfgCodeBlock, CompilationDeferred);
>+}
> #endif // ENABLE(FTL_JIT)
>
> void JITCode::validateReferences(const TrackedReferences& trackedReferences)
>Index: Source/JavaScriptCore/dfg/DFGJITCode.h
>===================================================================
>--- Source/JavaScriptCore/dfg/DFGJITCode.h (revision 244979)
>+++ Source/JavaScriptCore/dfg/DFGJITCode.h (working copy)
>@@ -121,7 +121,7 @@ public:
> #if ENABLE(FTL_JIT)
> CodeBlock* osrEntryBlock() { return m_osrEntryBlock.get(); }
> void setOSREntryBlock(VM&, const JSCell* owner, CodeBlock* osrEntryBlock);
>- void clearOSREntryBlock() { m_osrEntryBlock.clear(); }
>+ void clearOSREntryBlockAndResetThresholds(CodeBlock* dfgCodeBlock);
> #endif
>
> static ptrdiff_t commonDataOffset() { return OBJECT_OFFSETOF(JITCode, common); }
>Index: Source/JavaScriptCore/dfg/DFGOSREntry.cpp
>===================================================================
>--- Source/JavaScriptCore/dfg/DFGOSREntry.cpp (revision 244979)
>+++ Source/JavaScriptCore/dfg/DFGOSREntry.cpp (working copy)
>@@ -98,6 +98,7 @@ void* prepareOSREntry(ExecState* exec, C
> ASSERT(codeBlock->alternative());
> ASSERT(codeBlock->alternative()->jitType() == JITType::BaselineJIT);
> ASSERT(!codeBlock->jitCodeMap());
>+ ASSERT(codeBlock->jitCode()->dfgCommon()->isStillValid);
>
> if (!Options::useOSREntryToDFG())
> return nullptr;
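Review bot: `ASSERT(m_osrEntryBlock)` at the top of clearOSREntryBlockAndResetThresholds is a no-op in release builds, and the next statement dereferences `m_osrEntryBlock->jitCode()->ftlForOSREntry()` unconditionally, so a caller that reaches this with the entry block already cleared gets a null dereference rather than an assertion failure. Both call sites in this patch (tierUpCommon in DFGOperations.cpp and FTL::prepareOSREntry) appear to hold a live entry block, so this is a precondition to document rather than a bug I can point at; on the declaration in DFGJITCode.h add `// Precondition: an OSR entry block is installed. Drops it, clears the retry counter, disables the entry trigger at its bytecode index and defers DFG recompilation (CompilationDeferred).` Minor style point: `CodeBlock *dfgCodeBlock` in the definition places the star differently from the header's `CodeBlock* dfgCodeBlock`; keep them the same.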
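Review bot: The `ASSERT(codeBlock->jitCode()->dfgCommon()->isStillValid)` added to prepareOSREntry here, and the identical one added to prepareCatchOSREntry in the next hunk, are debug-only checks, whereas the FTL side of this patch checks `isStillValid` at run time and bails. That asymmetry is fine only if the baseline-to-DFG entry paths can never be reached with a jettisoned DFG block in release builds; if that is not guaranteed by the caller, the DFG paths should mirror the FTL one with `if (!codeBlock->jitCode()->dfgCommon()->isStillValid) return nullptr;` instead of an ASSERT. Either way, a one-line comment stating which invariant the caller upholds would keep the next reader from having to rediscover it. prepareOSREntry's body continues past the first hunk; prepareCatchOSREntry's body continues past the second.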
>@@ -342,6 +343,7 @@ void* prepareOSREntry(ExecState* exec, C
> MacroAssemblerCodePtr<ExceptionHandlerPtrTag> prepareCatchOSREntry(ExecState* exec, CodeBlock* codeBlock, unsigned bytecodeIndex)
> {
> ASSERT(codeBlock->jitType() == JITType::DFGJIT || codeBlock->jitType() == JITType::FTLJIT);
>+ ASSERT(codeBlock->jitCode()->dfgCommon()->isStillValid);
>
> if (!Options::useOSREntryToDFG() && codeBlock->jitCode()->jitType() == JITType::DFGJIT)
> return nullptr;
>Index: Source/JavaScriptCore/dfg/DFGOperations.cpp
>===================================================================
>--- Source/JavaScriptCore/dfg/DFGOperations.cpp (revision 244979)
>+++ Source/JavaScriptCore/dfg/DFGOperations.cpp (working copy)
>@@ -3315,12 +3315,7 @@ static char* tierUpCommon(ExecState* exe
> // OSR entry failed. Oh no! This implies that we need to retry. We retry
> // without exponential backoff and we only do this for the entry code block.
> CODEBLOCK_LOG_EVENT(codeBlock, "delayFTLCompile", ("OSR entry failed too many times"));
>- unsigned osrEntryBytecode = entryBlock->jitCode()->ftlForOSREntry()->bytecodeIndex();
>- jitCode->clearOSREntryBlock();
>- jitCode->osrEntryRetry = 0;
>- jitCode->tierUpEntryTriggers.set(osrEntryBytecode, JITCode::TriggerReason::DontTrigger);
>- jitCode->setOptimizationThresholdBasedOnCompilationResult(
>- codeBlock, CompilationDeferred);
>+ jitCode->clearOSREntryBlockAndResetThresholds(codeBlock);
> return nullptr;
> }
>
>Index: Source/JavaScriptCore/ftl/FTLOSREntry.cpp
>===================================================================
>--- Source/JavaScriptCore/ftl/FTLOSREntry.cpp (revision 244979)
>+++ Source/JavaScriptCore/ftl/FTLOSREntry.cpp (working copy)
>@@ -48,6 +48,11 @@ void* prepareOSREntry(
> ExecutableBase* executable = dfgCodeBlock->ownerExecutable();
> DFG::JITCode* dfgCode = dfgCodeBlock->jitCode()->dfg();
> ForOSREntryJITCode* entryCode = entryCodeBlock->jitCode()->ftlForOSREntry();
>+
>+ if (!entryCode->dfgCommon()->isStillValid) {
>+ dfgCode->clearOSREntryBlockAndResetThresholds(dfgCodeBlock);
>+ return 0;
>+ }
>
> if (Options::verboseOSR()) {
> dataLog(
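Review bot: The new early exit returns the null `void*` as `return 0;` while the DFG half of this patch (DFGOSREntry.cpp, DFGOperations.cpp) writes `return nullptr;`; unless the rest of this function already uses `0` for its null returns, `return nullptr;` is the consistent spelling. The bail-out itself is the right shape — an entry block whose `isStillValid` flag is clear has been jettisoned, and jumping into it would run code compiled under assumptions that no longer hold — but the branch says nothing about why it exists, so add above the `if`: `// The entry block was jettisoned after it was installed, so its compiled assumptions may no longer hold. Refuse to enter it and reset the DFG's entry thresholds rather than retrying it.` The verbose-OSR logging just below this branch will now never fire for a jettisoned block, which is probably worth a `dataLog` in the bail-out path too if that diagnostic is relied on. prepareOSREntry's body starts before this hunk and continues past it.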