2013-07-25 03:58:20 +00:00
|
|
|
/*
|
2018-07-24 23:14:12 +00:00
|
|
|
* Copyright (C) 2013-2018 Apple Inc. All rights reserved.
|
2013-07-25 03:58:20 +00:00
|
|
|
*
|
|
|
|
* Redistribution and use in source and binary forms, with or without
|
|
|
|
* modification, are permitted provided that the following conditions
|
|
|
|
* are met:
|
|
|
|
* 1. Redistributions of source code must retain the above copyright
|
|
|
|
* notice, this list of conditions and the following disclaimer.
|
|
|
|
* 2. Redistributions in binary form must reproduce the above copyright
|
|
|
|
* notice, this list of conditions and the following disclaimer in the
|
|
|
|
* documentation and/or other materials provided with the distribution.
|
|
|
|
*
|
|
|
|
* THIS SOFTWARE IS PROVIDED BY APPLE INC. ``AS IS'' AND ANY
|
|
|
|
* EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
|
|
|
|
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
|
|
|
|
* PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL APPLE INC. OR
|
|
|
|
* CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL,
|
|
|
|
* EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
|
|
|
|
* PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
|
|
|
|
* PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY
|
|
|
|
* OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
|
|
|
|
* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
|
|
|
|
* OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
|
|
|
|
*/
|
|
|
|
|
|
|
|
#include "config.h"
|
2014-02-17 19:00:03 +00:00
|
|
|
#include "DFGCommonData.h"
|
2013-07-25 03:58:20 +00:00
|
|
|
|
|
|
|
#if ENABLE(DFG_JIT)
|
|
|
|
|
2014-02-10 19:26:29 +00:00
|
|
|
#include "CodeBlock.h"
|
2013-07-25 03:58:20 +00:00
|
|
|
#include "DFGNode.h"
|
2013-08-16 03:28:39 +00:00
|
|
|
#include "DFGPlan.h"
|
2015-08-18 18:28:54 +00:00
|
|
|
#include "InlineCallFrame.h"
|
2020-05-19 23:56:00 +00:00
|
|
|
#include "JSCJSValueInlines.h"
|
DFG fragile frozen values are fundamentally broken
https://bugs.webkit.org/show_bug.cgi?id=146602
Reviewed by Mark Lam.
This change gets rid of the FragileValue value strength, because it was fundamentally
broken.
FragileValue was a value known to the compiler but not tracked by the GC in any way -
it wasn't marked and it wasn't weak. This was used to support AI bootstrap for OSR
must-handle values. The philosophy was that if the compiler did use the value for
optimization, it would have been strengthened to a weak value (or maybe even a strong
value, though we probably won't do that). But this was too much of a pipe dream. I've
found at least one case where the compiler did use the value, but never strengthened
it: it would happen if the value ended up in an OSR entry data expected value. Then if
we GCed, we might have killed the value, but OSR entry would still try to use it for
validation. That might have sort of just worked, but it's clearly shady.
The reason why we made must-handle values fragile and not weak is that most of the time
the values disappear from the abstract state: they are LUBed to a non-constant. If we
kept them around as weak, we'd have too many cases of the GC killing the code because
it thought that the value was somehow meaningful to the code when it was only used as a
temporary artifact of optimization.
So, it's true that it's very important for must-handle values not to automatically be
weak or strong. It's also true that the values are necessary for AI bootstrap because
we need to know what values OSR entry will require. But we shouldn't accomplish these
goals by having the compiler hold onto what are essentially dangling pointers.
This implements a better solution: instead of having InPlaceAbstractState bootstrap the
AI with must-handle values at the beginning, we now widen the valuesAtHead of the
must-handle block after AI converges. This widening is done in CFAPhase. This allows us
to see if the must-handle values are necessary at all. In most cases, the widening
takes a non-constant abstract value and simply amends something to its type based on
the type of the must-handle value, and so the must-handle value never actually shows up
in either the IR or any abstract value. In the unlikely event that the value at head is
bottom, we freeze the must-handle value. This change removes FragileValue, and this
freezing uses WeakValue as the strength. That makes sense: since the abstract value was
bottom, the must-handle value becomes integral to the IR and so it makes no sense for
the GC to keep the resulting CodeBlock alive if that must-handle value dies. This will
sometimes happen for example if you have a very long-running loop whose pre-header
allocates some object, but that pre-header appears to always exit to the optimizing JIT
because it was only profiled once in the LLInt and that profiling appears insufficient
to the DFG. In that case, we'll effectively constant-fold the references to the object
inside the loop, which is both efficient (yay constant folding!) and necessary
(otherwise we wouldn't know what the type of the variable should have been).
Testing and debugging this is complicated. So, this adds some new capabilities:
- DFG IR dumps also dump all of the FrozenValues that point to the heap along with
their strengths, so that it's easy to see what GC objects the DFG feels are necessary
for the compilation.
- DFG OSR entry preparation prints out the OSR entry data structures, so that it's easy
to see what GC pointers (and other things) are used for OSR entry validation. The
printouts are quite detailed, and should also help other kinds of OSR entry
debugging.
- DFG::Plan now validates whether all of the GC pointers planted in the various JITCode
data structures are also properly registered as either weak or strong pointers in the
CodeBlock. This validation check previously failed due to fragile values ending up in
the OSR entry data structures, both in the newly added test (dead-osr-entry-value.js)
and in some pre-existing tests (like earley-boyer and 3d-raytrace).
* CMakeLists.txt:
* JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
* JavaScriptCore.xcodeproj/project.pbxproj:
* bytecode/CodeBlock.cpp:
(JSC::CodeBlock::stronglyVisitStrongReferences):
* bytecode/CodeOrigin.cpp:
(JSC::InlineCallFrame::visitAggregate):
* bytecode/Operands.h:
(JSC::Operands::operand):
(JSC::Operands::hasOperand):
* bytecode/StructureSet.cpp:
(JSC::StructureSet::dump):
(JSC::StructureSet::validateReferences):
* bytecode/StructureSet.h:
* bytecode/TrackedReferences.cpp: Added.
(JSC::TrackedReferences::TrackedReferences):
(JSC::TrackedReferences::~TrackedReferences):
(JSC::TrackedReferences::add):
(JSC::TrackedReferences::check):
(JSC::TrackedReferences::dump):
* bytecode/TrackedReferences.h: Added.
* dfg/DFGAbstractValue.cpp:
(JSC::DFG::AbstractValue::observeTransitions):
(JSC::DFG::AbstractValue::set):
(JSC::DFG::AbstractValue::fixTypeForRepresentation):
(JSC::DFG::AbstractValue::mergeOSREntryValue):
(JSC::DFG::AbstractValue::filter):
(JSC::DFG::AbstractValue::dumpInContext):
(JSC::DFG::AbstractValue::validateReferences):
(JSC::DFG::AbstractValue::setOSREntryValue): Deleted.
* dfg/DFGAbstractValue.h:
(JSC::DFG::AbstractValue::fullTop):
(JSC::DFG::AbstractValue::merge):
* dfg/DFGByteCodeParser.cpp:
(JSC::DFG::ByteCodeParser::InlineStackEntry::InlineStackEntry):
* dfg/DFGCFAPhase.cpp:
(JSC::DFG::CFAPhase::run):
* dfg/DFGCommonData.cpp:
(JSC::DFG::CommonData::invalidate):
(JSC::DFG::CommonData::validateReferences):
* dfg/DFGCommonData.h:
(JSC::DFG::CommonData::requiredRegisterCountForExecutionAndExit):
* dfg/DFGFrozenValue.h:
(JSC::DFG::FrozenValue::FrozenValue):
(JSC::DFG::FrozenValue::strengthenTo):
(JSC::DFG::FrozenValue::pointsToHeap):
(JSC::DFG::FrozenValue::strength):
(JSC::DFG::FrozenValue::freeze):
* dfg/DFGGraph.cpp:
(JSC::DFG::Graph::Graph):
(JSC::DFG::Graph::dump):
(JSC::DFG::Graph::registerFrozenValues):
(JSC::DFG::Graph::visitChildren):
(JSC::DFG::Graph::freeze):
(JSC::DFG::Graph::freezeStrong):
(JSC::DFG::Graph::freezeFragile): Deleted.
* dfg/DFGGraph.h:
* dfg/DFGInPlaceAbstractState.cpp:
(JSC::DFG::InPlaceAbstractState::initialize):
* dfg/DFGJITCode.cpp:
(JSC::DFG::JITCode::setOptimizationThresholdBasedOnCompilationResult):
(JSC::DFG::JITCode::validateReferences):
* dfg/DFGJITCode.h:
* dfg/DFGJITCompiler.cpp:
(JSC::DFG::JITCompiler::addressOfDoubleConstant):
(JSC::DFG::JITCompiler::noticeOSREntry):
* dfg/DFGJITCompiler.h:
(JSC::DFG::JITCompiler::branchStructurePtr):
(JSC::DFG::JITCompiler::jitCode):
(JSC::DFG::JITCompiler::noticeOSREntry): Deleted.
* dfg/DFGMinifiedGraph.cpp: Added.
(JSC::DFG::MinifiedGraph::prepareAndShrink):
(JSC::DFG::MinifiedGraph::validateReferences):
* dfg/DFGMinifiedGraph.h:
(JSC::DFG::MinifiedGraph::append):
(JSC::DFG::MinifiedGraph::prepareAndShrink): Deleted.
* dfg/DFGOSREntry.cpp:
(JSC::DFG::OSREntryData::dumpInContext):
(JSC::DFG::OSREntryData::dump):
(JSC::DFG::prepareOSREntry):
* dfg/DFGOSREntry.h:
(JSC::DFG::getOSREntryDataBytecodeIndex):
* dfg/DFGPlan.cpp:
(JSC::DFG::Plan::finalizeWithoutNotifyingCallback):
* dfg/DFGSpeculativeJIT.cpp:
(JSC::DFG::SpeculativeJIT::linkOSREntries):
(JSC::DFG::SpeculativeJIT::compileDoublePutByVal):
* dfg/DFGStructureAbstractValue.cpp:
(JSC::DFG::StructureAbstractValue::dump):
(JSC::DFG::StructureAbstractValue::validateReferences):
* dfg/DFGStructureAbstractValue.h:
* dfg/DFGValidate.cpp:
(JSC::DFG::Validate::validate):
* dfg/DFGValueStrength.cpp:
(WTF::printInternal):
* dfg/DFGValueStrength.h:
(JSC::DFG::merge):
* ftl/FTLExitPropertyValue.cpp:
(JSC::FTL::ExitPropertyValue::dump):
(JSC::FTL::ExitPropertyValue::validateReferences):
* ftl/FTLExitPropertyValue.h:
* ftl/FTLExitTimeObjectMaterialization.cpp:
(JSC::FTL::ExitTimeObjectMaterialization::dump):
(JSC::FTL::ExitTimeObjectMaterialization::validateReferences):
* ftl/FTLExitTimeObjectMaterialization.h:
* ftl/FTLExitValue.cpp:
(JSC::FTL::ExitValue::dump):
(JSC::FTL::ExitValue::validateReferences):
* ftl/FTLExitValue.h:
* ftl/FTLJITCode.cpp:
(JSC::FTL::JITCode::dfgCommon):
(JSC::FTL::JITCode::validateReferences):
* ftl/FTLJITCode.h:
(JSC::FTL::JITCode::handles):
(JSC::FTL::JITCode::dataSections):
* ftl/FTLOSRExit.cpp:
(JSC::FTL::OSRExit::codeLocationForRepatch):
(JSC::FTL::OSRExit::validateReferences):
* ftl/FTLOSRExit.h:
(JSC::FTL::OSRExit::considerAddingAsFrequentExitSite):
* jit/JITCode.cpp:
(JSC::JITCode::typeName):
(JSC::JITCode::validateReferences):
(JSC::JITCode::execute):
* jit/JITCode.h:
(JSC::JITCode::start):
* tests/stress/dead-osr-entry-value.js: Added.
(foo):
Canonical link: https://commits.webkit.org/164928@main
git-svn-id: https://svn.webkit.org/repository/webkit/trunk@186691 268f45cc-cd09-0410-ab3c-d52691b4dbfc
2015-07-10 21:19:51 +00:00
|
|
|
#include "TrackedReferences.h"
|
2021-05-24 18:29:01 +00:00
|
|
|
#include <wtf/Lock.h>
|
2017-06-29 17:34:57 +00:00
|
|
|
#include <wtf/NeverDestroyed.h>
|
|
|
|
|
2013-07-25 03:58:20 +00:00
|
|
|
namespace JSC { namespace DFG {
|
|
|
|
|
|
|
|
void CommonData::shrinkToFit()
|
|
|
|
{
|
2020-06-11 20:11:34 +00:00
|
|
|
codeOrigins->shrinkToFit();
|
2021-04-15 07:03:38 +00:00
|
|
|
m_jumpReplacements.shrinkToFit();
|
2013-07-25 03:58:20 +00:00
|
|
|
}
|
|
|
|
|
2021-05-24 18:29:01 +00:00
|
|
|
static Lock pcCodeBlockMapLock;
|
2021-05-23 20:33:29 +00:00
|
|
|
inline HashMap<void*, CodeBlock*>& pcCodeBlockMap() WTF_REQUIRES_LOCK(pcCodeBlockMapLock)
|
2017-06-29 17:34:57 +00:00
|
|
|
{
|
2020-08-05 04:19:05 +00:00
|
|
|
static LazyNeverDestroyed<HashMap<void*, CodeBlock*>> pcCodeBlockMap;
|
|
|
|
static std::once_flag onceKey;
|
|
|
|
std::call_once(onceKey, [&] {
|
|
|
|
pcCodeBlockMap.construct();
|
|
|
|
});
|
2017-06-29 17:34:57 +00:00
|
|
|
return pcCodeBlockMap;
|
|
|
|
}
|
|
|
|
|
Add InvalidationPoints to the DFG and use them for all watchpoints
https://bugs.webkit.org/show_bug.cgi?id=123472
Reviewed by Mark Hahnenberg.
This makes a fundamental change to how watchpoints work in the DFG.
Previously, a watchpoint was an instruction whose execution semantics were something
like:
if (watchpoint->invalidated)
exit
We would implement this without any branch by using jump replacement.
This is a very good optimization. But it's a bit awkward once you get a lot of
watchpoints: semantically we will have lots of these branches in the code, which the
compiler needs to reason about even though they don't actually result in any emitted
code.
Separately, we also had a mechanism for jettisoning a CodeBlock. This mechanism would
be invoked if a CodeBlock exited a lot. It would ensure that a CodeBlock wouldn't be
called into again, but it would do nothing for CodeBlocks that were already on the
stack.
This change flips jettisoning and watchpoint invalidation on their heads. Now, the jump
replacement has nothing to do with watchpoints; instead it's something that happens if
you ever jettison a CodeBlock. Jump replacement is now an all-or-nothing operation over
all of the potential call-return safe-exit-points in a CodeBlock. We call these
"InvalidationPoint"s. A watchpoint instruction is now "lowered" by having the DFG
collect all of the watchpoint sets that the CodeBlock cares about, and then registering
a CodeBlockJettisoningWatchpoint with all of them. That is, if the watchpoint fires, it
jettisons the CodeBlock, which in turn ensures that the CodeBlock can't be called into
(because the entrypoint now points to baseline code) and can't be returned into
(because returning exits to baseline before the next bytecode instruction).
This will allow for a sensible lowering of watchpoints to LLVM IR. It will also allow
for jettison() to be used effectively for things like breakpointing and single-stepping
in the debugger.
Well, basically, this mechanism just takes us into the HotSpot-style world where anyone
can, at any time and for any reason, request that an optimized CodeBlock is rendered
immediately invalid. You can use this for many cool things, I'm sure.
* CMakeLists.txt:
* GNUmakefile.list.am:
* JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
* JavaScriptCore.xcodeproj/project.pbxproj:
* assembler/AbstractMacroAssembler.h:
* bytecode/CodeBlock.cpp:
(JSC::CodeBlock::jettison):
* bytecode/CodeBlock.h:
* bytecode/CodeBlockJettisoningWatchpoint.cpp: Added.
(JSC::CodeBlockJettisoningWatchpoint::fireInternal):
* bytecode/CodeBlockJettisoningWatchpoint.h: Added.
(JSC::CodeBlockJettisoningWatchpoint::CodeBlockJettisoningWatchpoint):
* bytecode/ExitKind.cpp:
(JSC::exitKindToString):
* bytecode/ExitKind.h:
* bytecode/ProfiledCodeBlockJettisoningWatchpoint.cpp: Added.
(JSC::ProfiledCodeBlockJettisoningWatchpoint::fireInternal):
* bytecode/ProfiledCodeBlockJettisoningWatchpoint.h: Added.
(JSC::ProfiledCodeBlockJettisoningWatchpoint::ProfiledCodeBlockJettisoningWatchpoint):
* dfg/DFGAbstractHeap.h:
* dfg/DFGAbstractInterpreterInlines.h:
(JSC::DFG::::executeEffects):
* dfg/DFGClobberize.cpp:
(JSC::DFG::writesOverlap):
* dfg/DFGClobberize.h:
(JSC::DFG::clobberize):
(JSC::DFG::AbstractHeapOverlaps::AbstractHeapOverlaps):
(JSC::DFG::AbstractHeapOverlaps::operator()):
(JSC::DFG::AbstractHeapOverlaps::result):
* dfg/DFGCommonData.cpp:
(JSC::DFG::CommonData::invalidate):
* dfg/DFGCommonData.h:
(JSC::DFG::CommonData::CommonData):
* dfg/DFGDesiredWatchpoints.cpp:
(JSC::DFG::DesiredWatchpoints::addLazily):
(JSC::DFG::DesiredWatchpoints::reallyAdd):
* dfg/DFGDesiredWatchpoints.h:
(JSC::DFG::WatchpointForGenericWatchpointSet::WatchpointForGenericWatchpointSet):
(JSC::DFG::GenericDesiredWatchpoints::addLazily):
(JSC::DFG::GenericDesiredWatchpoints::reallyAdd):
(JSC::DFG::GenericDesiredWatchpoints::areStillValid):
* dfg/DFGFixupPhase.cpp:
(JSC::DFG::FixupPhase::fixupNode):
* dfg/DFGInvalidationPointInjectionPhase.cpp: Added.
(JSC::DFG::InvalidationPointInjectionPhase::InvalidationPointInjectionPhase):
(JSC::DFG::InvalidationPointInjectionPhase::run):
(JSC::DFG::InvalidationPointInjectionPhase::handle):
(JSC::DFG::InvalidationPointInjectionPhase::insertInvalidationCheck):
(JSC::DFG::performInvalidationPointInjection):
* dfg/DFGInvalidationPointInjectionPhase.h: Added.
* dfg/DFGJITCode.h:
* dfg/DFGJITCompiler.cpp:
(JSC::DFG::JITCompiler::linkOSRExits):
(JSC::DFG::JITCompiler::link):
* dfg/DFGJITCompiler.h:
* dfg/DFGJumpReplacement.cpp: Added.
(JSC::DFG::JumpReplacement::fire):
* dfg/DFGJumpReplacement.h: Added.
(JSC::DFG::JumpReplacement::JumpReplacement):
* dfg/DFGNodeType.h:
* dfg/DFGOSRExitCompilationInfo.h:
* dfg/DFGOperations.cpp:
* dfg/DFGPlan.cpp:
(JSC::DFG::Plan::compileInThreadImpl):
(JSC::DFG::Plan::reallyAdd):
* dfg/DFGPredictionPropagationPhase.cpp:
(JSC::DFG::PredictionPropagationPhase::propagate):
* dfg/DFGSafeToExecute.h:
(JSC::DFG::safeToExecute):
* dfg/DFGSpeculativeJIT.cpp:
(JSC::DFG::SpeculativeJIT::emitInvalidationPoint):
(JSC::DFG::SpeculativeJIT::compilePeepHoleObjectEquality):
(JSC::DFG::SpeculativeJIT::compileGetByValOnString):
* dfg/DFGSpeculativeJIT.h:
(JSC::DFG::SpeculativeJIT::masqueradesAsUndefinedWatchpointIsStillValid):
(JSC::DFG::SpeculativeJIT::speculateStringObjectForStructure):
* dfg/DFGSpeculativeJIT32_64.cpp:
(JSC::DFG::SpeculativeJIT::nonSpeculativeNonPeepholeCompareNull):
(JSC::DFG::SpeculativeJIT::nonSpeculativePeepholeBranchNull):
(JSC::DFG::SpeculativeJIT::compileObjectEquality):
(JSC::DFG::SpeculativeJIT::compileObjectToObjectOrOtherEquality):
(JSC::DFG::SpeculativeJIT::compilePeepHoleObjectToObjectOrOtherEquality):
(JSC::DFG::SpeculativeJIT::compileObjectOrOtherLogicalNot):
(JSC::DFG::SpeculativeJIT::emitObjectOrOtherBranch):
(JSC::DFG::SpeculativeJIT::compile):
* dfg/DFGSpeculativeJIT64.cpp:
(JSC::DFG::SpeculativeJIT::nonSpeculativeNonPeepholeCompareNull):
(JSC::DFG::SpeculativeJIT::nonSpeculativePeepholeBranchNull):
(JSC::DFG::SpeculativeJIT::compileObjectEquality):
(JSC::DFG::SpeculativeJIT::compileObjectToObjectOrOtherEquality):
(JSC::DFG::SpeculativeJIT::compilePeepHoleObjectToObjectOrOtherEquality):
(JSC::DFG::SpeculativeJIT::compileObjectOrOtherLogicalNot):
(JSC::DFG::SpeculativeJIT::emitObjectOrOtherBranch):
(JSC::DFG::SpeculativeJIT::compile):
* dfg/DFGWatchpointCollectionPhase.cpp: Added.
(JSC::DFG::WatchpointCollectionPhase::WatchpointCollectionPhase):
(JSC::DFG::WatchpointCollectionPhase::run):
(JSC::DFG::WatchpointCollectionPhase::handle):
(JSC::DFG::WatchpointCollectionPhase::handleEdge):
(JSC::DFG::WatchpointCollectionPhase::handleMasqueradesAsUndefined):
(JSC::DFG::WatchpointCollectionPhase::handleStringGetByVal):
(JSC::DFG::WatchpointCollectionPhase::addLazily):
(JSC::DFG::WatchpointCollectionPhase::globalObject):
(JSC::DFG::performWatchpointCollection):
* dfg/DFGWatchpointCollectionPhase.h: Added.
* ftl/FTLCapabilities.cpp:
(JSC::FTL::canCompile):
* ftl/FTLLowerDFGToLLVM.cpp:
(JSC::FTL::LowerDFGToLLVM::compileNode):
(JSC::FTL::LowerDFGToLLVM::compileStructureTransitionWatchpoint):
(JSC::FTL::LowerDFGToLLVM::compileGetByVal):
(JSC::FTL::LowerDFGToLLVM::compileGlobalVarWatchpoint):
(JSC::FTL::LowerDFGToLLVM::compileCompareEqConstant):
(JSC::FTL::LowerDFGToLLVM::compileCompareStrictEq):
(JSC::FTL::LowerDFGToLLVM::compileCompareStrictEqConstant):
(JSC::FTL::LowerDFGToLLVM::compileInvalidationPoint):
(JSC::FTL::LowerDFGToLLVM::equalNullOrUndefined):
(JSC::FTL::LowerDFGToLLVM::speculateNonNullObject):
* jit/JITOperations.cpp:
* jit/JumpReplacementWatchpoint.cpp: Removed.
* jit/JumpReplacementWatchpoint.h: Removed.
Canonical link: https://commits.webkit.org/141672@main
git-svn-id: https://svn.webkit.org/repository/webkit/trunk@158304 268f45cc-cd09-0410-ab3c-d52691b4dbfc
2013-10-30 19:58:08 +00:00
|
|
|
bool CommonData::invalidate()
|
|
|
|
{
|
|
|
|
if (!isStillValid)
|
|
|
|
return false;
|
2017-06-29 17:34:57 +00:00
|
|
|
|
|
|
|
if (UNLIKELY(hasVMTrapsBreakpointsInstalled)) {
|
2021-05-22 16:49:42 +00:00
|
|
|
Locker locker { pcCodeBlockMapLock };
|
2021-05-23 20:33:29 +00:00
|
|
|
auto& map = pcCodeBlockMap();
|
2021-04-15 07:03:38 +00:00
|
|
|
for (auto& jumpReplacement : m_jumpReplacements)
|
2017-06-29 17:34:57 +00:00
|
|
|
map.remove(jumpReplacement.dataLocation());
|
|
|
|
hasVMTrapsBreakpointsInstalled = false;
|
|
|
|
}
|
|
|
|
|
2021-04-15 07:03:38 +00:00
|
|
|
for (unsigned i = m_jumpReplacements.size(); i--;)
|
|
|
|
m_jumpReplacements[i].fire();
|
Add InvalidationPoints to the DFG and use them for all watchpoints
https://bugs.webkit.org/show_bug.cgi?id=123472
Reviewed by Mark Hahnenberg.
This makes a fundamental change to how watchpoints work in the DFG.
Previously, a watchpoint was an instruction whose execution semantics were something
like:
if (watchpoint->invalidated)
exit
We would implement this without any branch by using jump replacement.
This is a very good optimization. But it's a bit awkward once you get a lot of
watchpoints: semantically we will have lots of these branches in the code, which the
compiler needs to reason about even though they don't actually result in any emitted
code.
Separately, we also had a mechanism for jettisoning a CodeBlock. This mechanism would
be invoked if a CodeBlock exited a lot. It would ensure that a CodeBlock wouldn't be
called into again, but it would do nothing for CodeBlocks that were already on the
stack.
This change flips jettisoning and watchpoint invalidation on their heads. Now, the jump
replacement has nothing to do with watchpoints; instead it's something that happens if
you ever jettison a CodeBlock. Jump replacement is now an all-or-nothing operation over
all of the potential call-return safe-exit-points in a CodeBlock. We call these
"InvalidationPoint"s. A watchpoint instruction is now "lowered" by having the DFG
collect all of the watchpoint sets that the CodeBlock cares about, and then registering
a CodeBlockJettisoningWatchpoint with all of them. That is, if the watchpoint fires, it
jettisons the CodeBlock, which in turn ensures that the CodeBlock can't be called into
(because the entrypoint now points to baseline code) and can't be returned into
(because returning exits to baseline before the next bytecode instruction).
This will allow for a sensible lowering of watchpoints to LLVM IR. It will also allow
for jettison() to be used effectively for things like breakpointing and single-stepping
in the debugger.
Well, basically, this mechanism just takes us into the HotSpot-style world where anyone
can, at any time and for any reason, request that an optimized CodeBlock is rendered
immediately invalid. You can use this for many cool things, I'm sure.
* CMakeLists.txt:
* GNUmakefile.list.am:
* JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
* JavaScriptCore.xcodeproj/project.pbxproj:
* assembler/AbstractMacroAssembler.h:
* bytecode/CodeBlock.cpp:
(JSC::CodeBlock::jettison):
* bytecode/CodeBlock.h:
* bytecode/CodeBlockJettisoningWatchpoint.cpp: Added.
(JSC::CodeBlockJettisoningWatchpoint::fireInternal):
* bytecode/CodeBlockJettisoningWatchpoint.h: Added.
(JSC::CodeBlockJettisoningWatchpoint::CodeBlockJettisoningWatchpoint):
* bytecode/ExitKind.cpp:
(JSC::exitKindToString):
* bytecode/ExitKind.h:
* bytecode/ProfiledCodeBlockJettisoningWatchpoint.cpp: Added.
(JSC::ProfiledCodeBlockJettisoningWatchpoint::fireInternal):
* bytecode/ProfiledCodeBlockJettisoningWatchpoint.h: Added.
(JSC::ProfiledCodeBlockJettisoningWatchpoint::ProfiledCodeBlockJettisoningWatchpoint):
* dfg/DFGAbstractHeap.h:
* dfg/DFGAbstractInterpreterInlines.h:
(JSC::DFG::::executeEffects):
* dfg/DFGClobberize.cpp:
(JSC::DFG::writesOverlap):
* dfg/DFGClobberize.h:
(JSC::DFG::clobberize):
(JSC::DFG::AbstractHeapOverlaps::AbstractHeapOverlaps):
(JSC::DFG::AbstractHeapOverlaps::operator()):
(JSC::DFG::AbstractHeapOverlaps::result):
* dfg/DFGCommonData.cpp:
(JSC::DFG::CommonData::invalidate):
* dfg/DFGCommonData.h:
(JSC::DFG::CommonData::CommonData):
* dfg/DFGDesiredWatchpoints.cpp:
(JSC::DFG::DesiredWatchpoints::addLazily):
(JSC::DFG::DesiredWatchpoints::reallyAdd):
* dfg/DFGDesiredWatchpoints.h:
(JSC::DFG::WatchpointForGenericWatchpointSet::WatchpointForGenericWatchpointSet):
(JSC::DFG::GenericDesiredWatchpoints::addLazily):
(JSC::DFG::GenericDesiredWatchpoints::reallyAdd):
(JSC::DFG::GenericDesiredWatchpoints::areStillValid):
* dfg/DFGFixupPhase.cpp:
(JSC::DFG::FixupPhase::fixupNode):
* dfg/DFGInvalidationPointInjectionPhase.cpp: Added.
(JSC::DFG::InvalidationPointInjectionPhase::InvalidationPointInjectionPhase):
(JSC::DFG::InvalidationPointInjectionPhase::run):
(JSC::DFG::InvalidationPointInjectionPhase::handle):
(JSC::DFG::InvalidationPointInjectionPhase::insertInvalidationCheck):
(JSC::DFG::performInvalidationPointInjection):
* dfg/DFGInvalidationPointInjectionPhase.h: Added.
* dfg/DFGJITCode.h:
* dfg/DFGJITCompiler.cpp:
(JSC::DFG::JITCompiler::linkOSRExits):
(JSC::DFG::JITCompiler::link):
* dfg/DFGJITCompiler.h:
* dfg/DFGJumpReplacement.cpp: Added.
(JSC::DFG::JumpReplacement::fire):
* dfg/DFGJumpReplacement.h: Added.
(JSC::DFG::JumpReplacement::JumpReplacement):
* dfg/DFGNodeType.h:
* dfg/DFGOSRExitCompilationInfo.h:
* dfg/DFGOperations.cpp:
* dfg/DFGPlan.cpp:
(JSC::DFG::Plan::compileInThreadImpl):
(JSC::DFG::Plan::reallyAdd):
* dfg/DFGPredictionPropagationPhase.cpp:
(JSC::DFG::PredictionPropagationPhase::propagate):
* dfg/DFGSafeToExecute.h:
(JSC::DFG::safeToExecute):
* dfg/DFGSpeculativeJIT.cpp:
(JSC::DFG::SpeculativeJIT::emitInvalidationPoint):
(JSC::DFG::SpeculativeJIT::compilePeepHoleObjectEquality):
(JSC::DFG::SpeculativeJIT::compileGetByValOnString):
* dfg/DFGSpeculativeJIT.h:
(JSC::DFG::SpeculativeJIT::masqueradesAsUndefinedWatchpointIsStillValid):
(JSC::DFG::SpeculativeJIT::speculateStringObjectForStructure):
* dfg/DFGSpeculativeJIT32_64.cpp:
(JSC::DFG::SpeculativeJIT::nonSpeculativeNonPeepholeCompareNull):
(JSC::DFG::SpeculativeJIT::nonSpeculativePeepholeBranchNull):
(JSC::DFG::SpeculativeJIT::compileObjectEquality):
(JSC::DFG::SpeculativeJIT::compileObjectToObjectOrOtherEquality):
(JSC::DFG::SpeculativeJIT::compilePeepHoleObjectToObjectOrOtherEquality):
(JSC::DFG::SpeculativeJIT::compileObjectOrOtherLogicalNot):
(JSC::DFG::SpeculativeJIT::emitObjectOrOtherBranch):
(JSC::DFG::SpeculativeJIT::compile):
* dfg/DFGSpeculativeJIT64.cpp:
(JSC::DFG::SpeculativeJIT::nonSpeculativeNonPeepholeCompareNull):
(JSC::DFG::SpeculativeJIT::nonSpeculativePeepholeBranchNull):
(JSC::DFG::SpeculativeJIT::compileObjectEquality):
(JSC::DFG::SpeculativeJIT::compileObjectToObjectOrOtherEquality):
(JSC::DFG::SpeculativeJIT::compilePeepHoleObjectToObjectOrOtherEquality):
(JSC::DFG::SpeculativeJIT::compileObjectOrOtherLogicalNot):
(JSC::DFG::SpeculativeJIT::emitObjectOrOtherBranch):
(JSC::DFG::SpeculativeJIT::compile):
* dfg/DFGWatchpointCollectionPhase.cpp: Added.
(JSC::DFG::WatchpointCollectionPhase::WatchpointCollectionPhase):
(JSC::DFG::WatchpointCollectionPhase::run):
(JSC::DFG::WatchpointCollectionPhase::handle):
(JSC::DFG::WatchpointCollectionPhase::handleEdge):
(JSC::DFG::WatchpointCollectionPhase::handleMasqueradesAsUndefined):
(JSC::DFG::WatchpointCollectionPhase::handleStringGetByVal):
(JSC::DFG::WatchpointCollectionPhase::addLazily):
(JSC::DFG::WatchpointCollectionPhase::globalObject):
(JSC::DFG::performWatchpointCollection):
* dfg/DFGWatchpointCollectionPhase.h: Added.
* ftl/FTLCapabilities.cpp:
(JSC::FTL::canCompile):
* ftl/FTLLowerDFGToLLVM.cpp:
(JSC::FTL::LowerDFGToLLVM::compileNode):
(JSC::FTL::LowerDFGToLLVM::compileStructureTransitionWatchpoint):
(JSC::FTL::LowerDFGToLLVM::compileGetByVal):
(JSC::FTL::LowerDFGToLLVM::compileGlobalVarWatchpoint):
(JSC::FTL::LowerDFGToLLVM::compileCompareEqConstant):
(JSC::FTL::LowerDFGToLLVM::compileCompareStrictEq):
(JSC::FTL::LowerDFGToLLVM::compileCompareStrictEqConstant):
(JSC::FTL::LowerDFGToLLVM::compileInvalidationPoint):
(JSC::FTL::LowerDFGToLLVM::equalNullOrUndefined):
(JSC::FTL::LowerDFGToLLVM::speculateNonNullObject):
* jit/JITOperations.cpp:
* jit/JumpReplacementWatchpoint.cpp: Removed.
* jit/JumpReplacementWatchpoint.h: Removed.
Canonical link: https://commits.webkit.org/141672@main
git-svn-id: https://svn.webkit.org/repository/webkit/trunk@158304 268f45cc-cd09-0410-ab3c-d52691b4dbfc
2013-10-30 19:58:08 +00:00
|
|
|
isStillValid = false;
|
|
|
|
return true;
|
|
|
|
}
|
|
|
|
|
2017-06-29 17:34:57 +00:00
|
|
|
CommonData::~CommonData()
|
|
|
|
{
|
|
|
|
if (UNLIKELY(hasVMTrapsBreakpointsInstalled)) {
|
2021-05-22 16:49:42 +00:00
|
|
|
Locker locker { pcCodeBlockMapLock };
|
2021-05-23 20:33:29 +00:00
|
|
|
auto& map = pcCodeBlockMap();
|
2021-04-15 07:03:38 +00:00
|
|
|
for (auto& jumpReplacement : m_jumpReplacements)
|
2017-06-29 17:34:57 +00:00
|
|
|
map.remove(jumpReplacement.dataLocation());
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
void CommonData::installVMTrapBreakpoints(CodeBlock* owner)
|
Make the VM Traps mechanism non-polling for the DFG and FTL.
https://bugs.webkit.org/show_bug.cgi?id=168920
<rdar://problem/30738588>
Reviewed by Filip Pizlo.
Source/JavaScriptCore:
1. Added a ENABLE(SIGNAL_BASED_VM_TRAPS) configuration in Platform.h.
This is currently only enabled for OS(DARWIN) and ENABLE(JIT).
2. Added assembler functions for overwriting an instruction with a breakpoint.
3. Added a new JettisonDueToVMTraps jettison reason.
4. Added CodeBlock and DFG::CommonData utility functions for over-writing
invalidation points with breakpoint instructions.
5. The BytecodeGenerator now emits the op_check_traps bytecode unconditionally.
6. Remove the JSC_alwaysCheckTraps option because of (4) above.
For ports that don't ENABLE(SIGNAL_BASED_VM_TRAPS), we'll force
Options::usePollingTraps() to always be true. This makes the VMTraps
implementation fall back to using polling based traps only.
7. Make VMTraps support signal based traps.
Some design and implementation details of signal based VM traps:
- The implementation makes use of 2 signal handlers for SIGUSR1 and SIGTRAP.
- VMTraps::fireTrap() will set the flag for the requested trap and instantiate
a SignalSender. The SignalSender will send SIGUSR1 to the mutator thread that
we want to trap, and check for the occurence of one of the following events:
a. VMTraps::handleTraps() has been called for the requested trap, or
b. the VM is inactive and is no longer executing any JS code. We determine
this to be the case if the thread no longer owns the JSLock and the VM's
entryScope is null.
Note: the thread can relinquish the JSLock while the VM's entryScope is not
null. This happens when the thread calls JSLock::dropAllLocks() before
calling a host function that may block on IO (or whatever). For our purpose,
this counts as the VM still running JS code, and VM::fireTrap() will still
be waiting.
If the SignalSender does not see either of these events, it will sleep for a
while and then re-send SIGUSR1 and check for the events again. When it sees
one of these events, it will consider the mutator to have received the trap
request.
- The SIGUSR1 handler will try to insert breakpoints at the invalidation points
in the DFG/FTL codeBlock at the top of the stack. This allows the mutator
thread to break (with a SIGTRAP) exactly at an invalidation point, where it's
safe to jettison the codeBlock.
Note: we cannot have the requester thread (that called VMTraps::fireTrap())
insert the breakpoint instructions itself. This is because we need the
register state of the the mutator thread (that we want to trap in) in order to
find the codeBlocks that we wish to insert the breakpoints in. Currently,
we don't have a generic way for the requester thread to get the register state
of another thread.
- The SIGTRAP handler will check to see if it is trapping on a breakpoint at an
invalidation point. If so, it will jettison the codeBlock and adjust the PC
to re-execute the invalidation OSR exit off-ramp. After the OSR exit, the
baseline JIT code will eventually reach an op_check_traps and call
VMTraps::handleTraps().
If the handler is not trapping at an invalidation point, then it must be
observing an assertion failure (which also uses the breakpoint instruction).
In this case, the handler will defer to the default SIGTRAP handler and crash.
- The reason we need the SignalSender is because SignalSender::send() is called
from another thread in a loop, so that VMTraps::fireTrap() can return sooner.
send() needs to make use of the VM pointer, and it is not guaranteed that the
VM will outlive the thread. SignalSender provides the mechanism by which we
can nullify the VM pointer when the VM dies so that the thread does not
continue to use it.
* assembler/ARM64Assembler.h:
(JSC::ARM64Assembler::replaceWithBrk):
* assembler/ARMAssembler.h:
(JSC::ARMAssembler::replaceWithBrk):
* assembler/ARMv7Assembler.h:
(JSC::ARMv7Assembler::replaceWithBkpt):
* assembler/MIPSAssembler.h:
(JSC::MIPSAssembler::replaceWithBkpt):
* assembler/MacroAssemblerARM.h:
(JSC::MacroAssemblerARM::replaceWithJump):
* assembler/MacroAssemblerARM64.h:
(JSC::MacroAssemblerARM64::replaceWithBreakpoint):
* assembler/MacroAssemblerARMv7.h:
(JSC::MacroAssemblerARMv7::replaceWithBreakpoint):
* assembler/MacroAssemblerMIPS.h:
(JSC::MacroAssemblerMIPS::replaceWithJump):
* assembler/MacroAssemblerX86Common.h:
(JSC::MacroAssemblerX86Common::replaceWithBreakpoint):
* assembler/X86Assembler.h:
(JSC::X86Assembler::replaceWithInt3):
* bytecode/CodeBlock.cpp:
(JSC::CodeBlock::jettison):
(JSC::CodeBlock::hasInstalledVMTrapBreakpoints):
(JSC::CodeBlock::installVMTrapBreakpoints):
* bytecode/CodeBlock.h:
* bytecompiler/BytecodeGenerator.cpp:
(JSC::BytecodeGenerator::emitCheckTraps):
* dfg/DFGCommonData.cpp:
(JSC::DFG::CommonData::installVMTrapBreakpoints):
(JSC::DFG::CommonData::isVMTrapBreakpoint):
* dfg/DFGCommonData.h:
(JSC::DFG::CommonData::hasInstalledVMTrapsBreakpoints):
* dfg/DFGJumpReplacement.cpp:
(JSC::DFG::JumpReplacement::installVMTrapBreakpoint):
* dfg/DFGJumpReplacement.h:
(JSC::DFG::JumpReplacement::dataLocation):
* dfg/DFGNodeType.h:
* heap/CodeBlockSet.cpp:
(JSC::CodeBlockSet::contains):
* heap/CodeBlockSet.h:
* heap/CodeBlockSetInlines.h:
(JSC::CodeBlockSet::iterate):
* heap/Heap.cpp:
(JSC::Heap::forEachCodeBlockIgnoringJITPlansImpl):
* heap/Heap.h:
* heap/HeapInlines.h:
(JSC::Heap::forEachCodeBlockIgnoringJITPlans):
* heap/MachineStackMarker.h:
(JSC::MachineThreads::threadsListHead):
* jit/ExecutableAllocator.cpp:
(JSC::ExecutableAllocator::isValidExecutableMemory):
* jit/ExecutableAllocator.h:
* profiler/ProfilerJettisonReason.cpp:
(WTF::printInternal):
* profiler/ProfilerJettisonReason.h:
* runtime/JSLock.cpp:
(JSC::JSLock::didAcquireLock):
* runtime/Options.cpp:
(JSC::overrideDefaults):
* runtime/Options.h:
* runtime/PlatformThread.h:
(JSC::platformThreadSignal):
* runtime/VM.cpp:
(JSC::VM::~VM):
(JSC::VM::ensureWatchdog):
(JSC::VM::handleTraps): Deleted.
(JSC::VM::setNeedAsynchronousTerminationSupport): Deleted.
* runtime/VM.h:
(JSC::VM::ownerThread):
(JSC::VM::traps):
(JSC::VM::handleTraps):
(JSC::VM::needTrapHandling):
(JSC::VM::needAsynchronousTerminationSupport): Deleted.
* runtime/VMTraps.cpp:
(JSC::VMTraps::vm):
(JSC::SignalContext::SignalContext):
(JSC::SignalContext::adjustPCToPointToTrappingInstruction):
(JSC::vmIsInactive):
(JSC::findActiveVMAndStackBounds):
(JSC::handleSigusr1):
(JSC::handleSigtrap):
(JSC::installSignalHandlers):
(JSC::sanitizedTopCallFrame):
(JSC::isSaneFrame):
(JSC::VMTraps::tryInstallTrapBreakpoints):
(JSC::VMTraps::invalidateCodeBlocksOnStack):
(JSC::VMTraps::VMTraps):
(JSC::VMTraps::willDestroyVM):
(JSC::VMTraps::addSignalSender):
(JSC::VMTraps::removeSignalSender):
(JSC::VMTraps::SignalSender::willDestroyVM):
(JSC::VMTraps::SignalSender::send):
(JSC::VMTraps::fireTrap):
(JSC::VMTraps::handleTraps):
* runtime/VMTraps.h:
(JSC::VMTraps::~VMTraps):
(JSC::VMTraps::needTrapHandling):
(JSC::VMTraps::notifyGrabAllLocks):
(JSC::VMTraps::SignalSender::SignalSender):
(JSC::VMTraps::invalidateCodeBlocksOnStack):
* tools/VMInspector.cpp:
* tools/VMInspector.h:
(JSC::VMInspector::getLock):
(JSC::VMInspector::iterate):
Source/WebCore:
No new tests needed. This is covered by existing tests.
* bindings/js/WorkerScriptController.cpp:
(WebCore::WorkerScriptController::WorkerScriptController):
(WebCore::WorkerScriptController::scheduleExecutionTermination):
Source/WTF:
Make StackBounds more useful for checking if a pointer is within stack bounds.
* wtf/MetaAllocator.cpp:
(WTF::MetaAllocator::isInAllocatedMemory):
* wtf/MetaAllocator.h:
* wtf/Platform.h:
* wtf/StackBounds.h:
(WTF::StackBounds::emptyBounds):
(WTF::StackBounds::StackBounds):
(WTF::StackBounds::isEmpty):
(WTF::StackBounds::contains):
Canonical link: https://commits.webkit.org/186409@main
git-svn-id: https://svn.webkit.org/repository/webkit/trunk@213652 268f45cc-cd09-0410-ab3c-d52691b4dbfc
2017-03-09 19:08:46 +00:00
|
|
|
{
|
2021-05-22 16:49:42 +00:00
|
|
|
Locker locker { pcCodeBlockMapLock };
|
Make the VM Traps mechanism non-polling for the DFG and FTL.
https://bugs.webkit.org/show_bug.cgi?id=168920
<rdar://problem/30738588>
Reviewed by Filip Pizlo.
Source/JavaScriptCore:
1. Added a ENABLE(SIGNAL_BASED_VM_TRAPS) configuration in Platform.h.
This is currently only enabled for OS(DARWIN) and ENABLE(JIT).
2. Added assembler functions for overwriting an instruction with a breakpoint.
3. Added a new JettisonDueToVMTraps jettison reason.
4. Added CodeBlock and DFG::CommonData utility functions for over-writing
invalidation points with breakpoint instructions.
5. The BytecodeGenerator now emits the op_check_traps bytecode unconditionally.
6. Remove the JSC_alwaysCheckTraps option because of (4) above.
For ports that don't ENABLE(SIGNAL_BASED_VM_TRAPS), we'll force
Options::usePollingTraps() to always be true. This makes the VMTraps
implementation fall back to using polling based traps only.
7. Make VMTraps support signal based traps.
Some design and implementation details of signal based VM traps:
- The implementation makes use of 2 signal handlers for SIGUSR1 and SIGTRAP.
- VMTraps::fireTrap() will set the flag for the requested trap and instantiate
a SignalSender. The SignalSender will send SIGUSR1 to the mutator thread that
we want to trap, and check for the occurence of one of the following events:
a. VMTraps::handleTraps() has been called for the requested trap, or
b. the VM is inactive and is no longer executing any JS code. We determine
this to be the case if the thread no longer owns the JSLock and the VM's
entryScope is null.
Note: the thread can relinquish the JSLock while the VM's entryScope is not
null. This happens when the thread calls JSLock::dropAllLocks() before
calling a host function that may block on IO (or whatever). For our purpose,
this counts as the VM still running JS code, and VM::fireTrap() will still
be waiting.
If the SignalSender does not see either of these events, it will sleep for a
while and then re-send SIGUSR1 and check for the events again. When it sees
one of these events, it will consider the mutator to have received the trap
request.
- The SIGUSR1 handler will try to insert breakpoints at the invalidation points
in the DFG/FTL codeBlock at the top of the stack. This allows the mutator
thread to break (with a SIGTRAP) exactly at an invalidation point, where it's
safe to jettison the codeBlock.
Note: we cannot have the requester thread (that called VMTraps::fireTrap())
insert the breakpoint instructions itself. This is because we need the
register state of the the mutator thread (that we want to trap in) in order to
find the codeBlocks that we wish to insert the breakpoints in. Currently,
we don't have a generic way for the requester thread to get the register state
of another thread.
- The SIGTRAP handler will check to see if it is trapping on a breakpoint at an
invalidation point. If so, it will jettison the codeBlock and adjust the PC
to re-execute the invalidation OSR exit off-ramp. After the OSR exit, the
baseline JIT code will eventually reach an op_check_traps and call
VMTraps::handleTraps().
If the handler is not trapping at an invalidation point, then it must be
observing an assertion failure (which also uses the breakpoint instruction).
In this case, the handler will defer to the default SIGTRAP handler and crash.
- The reason we need the SignalSender is because SignalSender::send() is called
from another thread in a loop, so that VMTraps::fireTrap() can return sooner.
send() needs to make use of the VM pointer, and it is not guaranteed that the
VM will outlive the thread. SignalSender provides the mechanism by which we
can nullify the VM pointer when the VM dies so that the thread does not
continue to use it.
* assembler/ARM64Assembler.h:
(JSC::ARM64Assembler::replaceWithBrk):
* assembler/ARMAssembler.h:
(JSC::ARMAssembler::replaceWithBrk):
* assembler/ARMv7Assembler.h:
(JSC::ARMv7Assembler::replaceWithBkpt):
* assembler/MIPSAssembler.h:
(JSC::MIPSAssembler::replaceWithBkpt):
* assembler/MacroAssemblerARM.h:
(JSC::MacroAssemblerARM::replaceWithJump):
* assembler/MacroAssemblerARM64.h:
(JSC::MacroAssemblerARM64::replaceWithBreakpoint):
* assembler/MacroAssemblerARMv7.h:
(JSC::MacroAssemblerARMv7::replaceWithBreakpoint):
* assembler/MacroAssemblerMIPS.h:
(JSC::MacroAssemblerMIPS::replaceWithJump):
* assembler/MacroAssemblerX86Common.h:
(JSC::MacroAssemblerX86Common::replaceWithBreakpoint):
* assembler/X86Assembler.h:
(JSC::X86Assembler::replaceWithInt3):
* bytecode/CodeBlock.cpp:
(JSC::CodeBlock::jettison):
(JSC::CodeBlock::hasInstalledVMTrapBreakpoints):
(JSC::CodeBlock::installVMTrapBreakpoints):
* bytecode/CodeBlock.h:
* bytecompiler/BytecodeGenerator.cpp:
(JSC::BytecodeGenerator::emitCheckTraps):
* dfg/DFGCommonData.cpp:
(JSC::DFG::CommonData::installVMTrapBreakpoints):
(JSC::DFG::CommonData::isVMTrapBreakpoint):
* dfg/DFGCommonData.h:
(JSC::DFG::CommonData::hasInstalledVMTrapsBreakpoints):
* dfg/DFGJumpReplacement.cpp:
(JSC::DFG::JumpReplacement::installVMTrapBreakpoint):
* dfg/DFGJumpReplacement.h:
(JSC::DFG::JumpReplacement::dataLocation):
* dfg/DFGNodeType.h:
* heap/CodeBlockSet.cpp:
(JSC::CodeBlockSet::contains):
* heap/CodeBlockSet.h:
* heap/CodeBlockSetInlines.h:
(JSC::CodeBlockSet::iterate):
* heap/Heap.cpp:
(JSC::Heap::forEachCodeBlockIgnoringJITPlansImpl):
* heap/Heap.h:
* heap/HeapInlines.h:
(JSC::Heap::forEachCodeBlockIgnoringJITPlans):
* heap/MachineStackMarker.h:
(JSC::MachineThreads::threadsListHead):
* jit/ExecutableAllocator.cpp:
(JSC::ExecutableAllocator::isValidExecutableMemory):
* jit/ExecutableAllocator.h:
* profiler/ProfilerJettisonReason.cpp:
(WTF::printInternal):
* profiler/ProfilerJettisonReason.h:
* runtime/JSLock.cpp:
(JSC::JSLock::didAcquireLock):
* runtime/Options.cpp:
(JSC::overrideDefaults):
* runtime/Options.h:
* runtime/PlatformThread.h:
(JSC::platformThreadSignal):
* runtime/VM.cpp:
(JSC::VM::~VM):
(JSC::VM::ensureWatchdog):
(JSC::VM::handleTraps): Deleted.
(JSC::VM::setNeedAsynchronousTerminationSupport): Deleted.
* runtime/VM.h:
(JSC::VM::ownerThread):
(JSC::VM::traps):
(JSC::VM::handleTraps):
(JSC::VM::needTrapHandling):
(JSC::VM::needAsynchronousTerminationSupport): Deleted.
* runtime/VMTraps.cpp:
(JSC::VMTraps::vm):
(JSC::SignalContext::SignalContext):
(JSC::SignalContext::adjustPCToPointToTrappingInstruction):
(JSC::vmIsInactive):
(JSC::findActiveVMAndStackBounds):
(JSC::handleSigusr1):
(JSC::handleSigtrap):
(JSC::installSignalHandlers):
(JSC::sanitizedTopCallFrame):
(JSC::isSaneFrame):
(JSC::VMTraps::tryInstallTrapBreakpoints):
(JSC::VMTraps::invalidateCodeBlocksOnStack):
(JSC::VMTraps::VMTraps):
(JSC::VMTraps::willDestroyVM):
(JSC::VMTraps::addSignalSender):
(JSC::VMTraps::removeSignalSender):
(JSC::VMTraps::SignalSender::willDestroyVM):
(JSC::VMTraps::SignalSender::send):
(JSC::VMTraps::fireTrap):
(JSC::VMTraps::handleTraps):
* runtime/VMTraps.h:
(JSC::VMTraps::~VMTraps):
(JSC::VMTraps::needTrapHandling):
(JSC::VMTraps::notifyGrabAllLocks):
(JSC::VMTraps::SignalSender::SignalSender):
(JSC::VMTraps::invalidateCodeBlocksOnStack):
* tools/VMInspector.cpp:
* tools/VMInspector.h:
(JSC::VMInspector::getLock):
(JSC::VMInspector::iterate):
Source/WebCore:
No new tests needed. This is covered by existing tests.
* bindings/js/WorkerScriptController.cpp:
(WebCore::WorkerScriptController::WorkerScriptController):
(WebCore::WorkerScriptController::scheduleExecutionTermination):
Source/WTF:
Make StackBounds more useful for checking if a pointer is within stack bounds.
* wtf/MetaAllocator.cpp:
(WTF::MetaAllocator::isInAllocatedMemory):
* wtf/MetaAllocator.h:
* wtf/Platform.h:
* wtf/StackBounds.h:
(WTF::StackBounds::emptyBounds):
(WTF::StackBounds::StackBounds):
(WTF::StackBounds::isEmpty):
(WTF::StackBounds::contains):
Canonical link: https://commits.webkit.org/186409@main
git-svn-id: https://svn.webkit.org/repository/webkit/trunk@213652 268f45cc-cd09-0410-ab3c-d52691b4dbfc
2017-03-09 19:08:46 +00:00
|
|
|
if (!isStillValid || hasVMTrapsBreakpointsInstalled)
|
|
|
|
return;
|
|
|
|
hasVMTrapsBreakpointsInstalled = true;
|
2017-06-29 17:34:57 +00:00
|
|
|
|
2021-05-23 20:33:29 +00:00
|
|
|
auto& map = pcCodeBlockMap();
|
2017-06-29 17:34:57 +00:00
|
|
|
#if !defined(NDEBUG)
|
|
|
|
// We need to be able to handle more than one invalidation point at the same pc
|
|
|
|
// but we want to make sure we don't forget to remove a pc from the map.
|
|
|
|
HashSet<void*> newReplacements;
|
|
|
|
#endif
|
2021-04-15 07:03:38 +00:00
|
|
|
for (auto& jumpReplacement : m_jumpReplacements) {
|
2017-06-29 17:34:57 +00:00
|
|
|
jumpReplacement.installVMTrapBreakpoint();
|
|
|
|
void* source = jumpReplacement.dataLocation();
|
|
|
|
auto result = map.add(source, owner);
|
|
|
|
UNUSED_PARAM(result);
|
|
|
|
#if !defined(NDEBUG)
|
|
|
|
ASSERT(result.isNewEntry || newReplacements.contains(source));
|
|
|
|
newReplacements.add(source);
|
|
|
|
#endif
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
CodeBlock* codeBlockForVMTrapPC(void* pc)
|
|
|
|
{
|
|
|
|
ASSERT(isJITPC(pc));
|
2021-05-22 16:49:42 +00:00
|
|
|
Locker locker { pcCodeBlockMapLock };
|
2021-05-23 20:33:29 +00:00
|
|
|
auto& map = pcCodeBlockMap();
|
2017-06-29 17:34:57 +00:00
|
|
|
auto result = map.find(pc);
|
|
|
|
if (result == map.end())
|
|
|
|
return nullptr;
|
|
|
|
return result->value;
|
Make the VM Traps mechanism non-polling for the DFG and FTL.
https://bugs.webkit.org/show_bug.cgi?id=168920
<rdar://problem/30738588>
Reviewed by Filip Pizlo.
Source/JavaScriptCore:
1. Added a ENABLE(SIGNAL_BASED_VM_TRAPS) configuration in Platform.h.
This is currently only enabled for OS(DARWIN) and ENABLE(JIT).
2. Added assembler functions for overwriting an instruction with a breakpoint.
3. Added a new JettisonDueToVMTraps jettison reason.
4. Added CodeBlock and DFG::CommonData utility functions for over-writing
invalidation points with breakpoint instructions.
5. The BytecodeGenerator now emits the op_check_traps bytecode unconditionally.
6. Remove the JSC_alwaysCheckTraps option because of (4) above.
For ports that don't ENABLE(SIGNAL_BASED_VM_TRAPS), we'll force
Options::usePollingTraps() to always be true. This makes the VMTraps
implementation fall back to using polling based traps only.
7. Make VMTraps support signal based traps.
Some design and implementation details of signal based VM traps:
- The implementation makes use of 2 signal handlers for SIGUSR1 and SIGTRAP.
- VMTraps::fireTrap() will set the flag for the requested trap and instantiate
a SignalSender. The SignalSender will send SIGUSR1 to the mutator thread that
we want to trap, and check for the occurence of one of the following events:
a. VMTraps::handleTraps() has been called for the requested trap, or
b. the VM is inactive and is no longer executing any JS code. We determine
this to be the case if the thread no longer owns the JSLock and the VM's
entryScope is null.
Note: the thread can relinquish the JSLock while the VM's entryScope is not
null. This happens when the thread calls JSLock::dropAllLocks() before
calling a host function that may block on IO (or whatever). For our purpose,
this counts as the VM still running JS code, and VM::fireTrap() will still
be waiting.
If the SignalSender does not see either of these events, it will sleep for a
while and then re-send SIGUSR1 and check for the events again. When it sees
one of these events, it will consider the mutator to have received the trap
request.
- The SIGUSR1 handler will try to insert breakpoints at the invalidation points
in the DFG/FTL codeBlock at the top of the stack. This allows the mutator
thread to break (with a SIGTRAP) exactly at an invalidation point, where it's
safe to jettison the codeBlock.
Note: we cannot have the requester thread (that called VMTraps::fireTrap())
insert the breakpoint instructions itself. This is because we need the
register state of the the mutator thread (that we want to trap in) in order to
find the codeBlocks that we wish to insert the breakpoints in. Currently,
we don't have a generic way for the requester thread to get the register state
of another thread.
- The SIGTRAP handler will check to see if it is trapping on a breakpoint at an
invalidation point. If so, it will jettison the codeBlock and adjust the PC
to re-execute the invalidation OSR exit off-ramp. After the OSR exit, the
baseline JIT code will eventually reach an op_check_traps and call
VMTraps::handleTraps().
If the handler is not trapping at an invalidation point, then it must be
observing an assertion failure (which also uses the breakpoint instruction).
In this case, the handler will defer to the default SIGTRAP handler and crash.
- The reason we need the SignalSender is because SignalSender::send() is called
from another thread in a loop, so that VMTraps::fireTrap() can return sooner.
send() needs to make use of the VM pointer, and it is not guaranteed that the
VM will outlive the thread. SignalSender provides the mechanism by which we
can nullify the VM pointer when the VM dies so that the thread does not
continue to use it.
* assembler/ARM64Assembler.h:
(JSC::ARM64Assembler::replaceWithBrk):
* assembler/ARMAssembler.h:
(JSC::ARMAssembler::replaceWithBrk):
* assembler/ARMv7Assembler.h:
(JSC::ARMv7Assembler::replaceWithBkpt):
* assembler/MIPSAssembler.h:
(JSC::MIPSAssembler::replaceWithBkpt):
* assembler/MacroAssemblerARM.h:
(JSC::MacroAssemblerARM::replaceWithJump):
* assembler/MacroAssemblerARM64.h:
(JSC::MacroAssemblerARM64::replaceWithBreakpoint):
* assembler/MacroAssemblerARMv7.h:
(JSC::MacroAssemblerARMv7::replaceWithBreakpoint):
* assembler/MacroAssemblerMIPS.h:
(JSC::MacroAssemblerMIPS::replaceWithJump):
* assembler/MacroAssemblerX86Common.h:
(JSC::MacroAssemblerX86Common::replaceWithBreakpoint):
* assembler/X86Assembler.h:
(JSC::X86Assembler::replaceWithInt3):
* bytecode/CodeBlock.cpp:
(JSC::CodeBlock::jettison):
(JSC::CodeBlock::hasInstalledVMTrapBreakpoints):
(JSC::CodeBlock::installVMTrapBreakpoints):
* bytecode/CodeBlock.h:
* bytecompiler/BytecodeGenerator.cpp:
(JSC::BytecodeGenerator::emitCheckTraps):
* dfg/DFGCommonData.cpp:
(JSC::DFG::CommonData::installVMTrapBreakpoints):
(JSC::DFG::CommonData::isVMTrapBreakpoint):
* dfg/DFGCommonData.h:
(JSC::DFG::CommonData::hasInstalledVMTrapsBreakpoints):
* dfg/DFGJumpReplacement.cpp:
(JSC::DFG::JumpReplacement::installVMTrapBreakpoint):
* dfg/DFGJumpReplacement.h:
(JSC::DFG::JumpReplacement::dataLocation):
* dfg/DFGNodeType.h:
* heap/CodeBlockSet.cpp:
(JSC::CodeBlockSet::contains):
* heap/CodeBlockSet.h:
* heap/CodeBlockSetInlines.h:
(JSC::CodeBlockSet::iterate):
* heap/Heap.cpp:
(JSC::Heap::forEachCodeBlockIgnoringJITPlansImpl):
* heap/Heap.h:
* heap/HeapInlines.h:
(JSC::Heap::forEachCodeBlockIgnoringJITPlans):
* heap/MachineStackMarker.h:
(JSC::MachineThreads::threadsListHead):
* jit/ExecutableAllocator.cpp:
(JSC::ExecutableAllocator::isValidExecutableMemory):
* jit/ExecutableAllocator.h:
* profiler/ProfilerJettisonReason.cpp:
(WTF::printInternal):
* profiler/ProfilerJettisonReason.h:
* runtime/JSLock.cpp:
(JSC::JSLock::didAcquireLock):
* runtime/Options.cpp:
(JSC::overrideDefaults):
* runtime/Options.h:
* runtime/PlatformThread.h:
(JSC::platformThreadSignal):
* runtime/VM.cpp:
(JSC::VM::~VM):
(JSC::VM::ensureWatchdog):
(JSC::VM::handleTraps): Deleted.
(JSC::VM::setNeedAsynchronousTerminationSupport): Deleted.
* runtime/VM.h:
(JSC::VM::ownerThread):
(JSC::VM::traps):
(JSC::VM::handleTraps):
(JSC::VM::needTrapHandling):
(JSC::VM::needAsynchronousTerminationSupport): Deleted.
* runtime/VMTraps.cpp:
(JSC::VMTraps::vm):
(JSC::SignalContext::SignalContext):
(JSC::SignalContext::adjustPCToPointToTrappingInstruction):
(JSC::vmIsInactive):
(JSC::findActiveVMAndStackBounds):
(JSC::handleSigusr1):
(JSC::handleSigtrap):
(JSC::installSignalHandlers):
(JSC::sanitizedTopCallFrame):
(JSC::isSaneFrame):
(JSC::VMTraps::tryInstallTrapBreakpoints):
(JSC::VMTraps::invalidateCodeBlocksOnStack):
(JSC::VMTraps::VMTraps):
(JSC::VMTraps::willDestroyVM):
(JSC::VMTraps::addSignalSender):
(JSC::VMTraps::removeSignalSender):
(JSC::VMTraps::SignalSender::willDestroyVM):
(JSC::VMTraps::SignalSender::send):
(JSC::VMTraps::fireTrap):
(JSC::VMTraps::handleTraps):
* runtime/VMTraps.h:
(JSC::VMTraps::~VMTraps):
(JSC::VMTraps::needTrapHandling):
(JSC::VMTraps::notifyGrabAllLocks):
(JSC::VMTraps::SignalSender::SignalSender):
(JSC::VMTraps::invalidateCodeBlocksOnStack):
* tools/VMInspector.cpp:
* tools/VMInspector.h:
(JSC::VMInspector::getLock):
(JSC::VMInspector::iterate):
Source/WebCore:
No new tests needed. This is covered by existing tests.
* bindings/js/WorkerScriptController.cpp:
(WebCore::WorkerScriptController::WorkerScriptController):
(WebCore::WorkerScriptController::scheduleExecutionTermination):
Source/WTF:
Make StackBounds more useful for checking if a pointer is within stack bounds.
* wtf/MetaAllocator.cpp:
(WTF::MetaAllocator::isInAllocatedMemory):
* wtf/MetaAllocator.h:
* wtf/Platform.h:
* wtf/StackBounds.h:
(WTF::StackBounds::emptyBounds):
(WTF::StackBounds::StackBounds):
(WTF::StackBounds::isEmpty):
(WTF::StackBounds::contains):
Canonical link: https://commits.webkit.org/186409@main
git-svn-id: https://svn.webkit.org/repository/webkit/trunk@213652 268f45cc-cd09-0410-ab3c-d52691b4dbfc
2017-03-09 19:08:46 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
bool CommonData::isVMTrapBreakpoint(void* address)
|
|
|
|
{
|
|
|
|
if (!isStillValid)
|
|
|
|
return false;
|
2021-04-15 07:03:38 +00:00
|
|
|
for (unsigned i = m_jumpReplacements.size(); i--;) {
|
|
|
|
if (address == m_jumpReplacements[i].dataLocation())
|
Make the VM Traps mechanism non-polling for the DFG and FTL.
https://bugs.webkit.org/show_bug.cgi?id=168920
<rdar://problem/30738588>
Reviewed by Filip Pizlo.
Source/JavaScriptCore:
1. Added a ENABLE(SIGNAL_BASED_VM_TRAPS) configuration in Platform.h.
This is currently only enabled for OS(DARWIN) and ENABLE(JIT).
2. Added assembler functions for overwriting an instruction with a breakpoint.
3. Added a new JettisonDueToVMTraps jettison reason.
4. Added CodeBlock and DFG::CommonData utility functions for over-writing
invalidation points with breakpoint instructions.
5. The BytecodeGenerator now emits the op_check_traps bytecode unconditionally.
6. Remove the JSC_alwaysCheckTraps option because of (4) above.
For ports that don't ENABLE(SIGNAL_BASED_VM_TRAPS), we'll force
Options::usePollingTraps() to always be true. This makes the VMTraps
implementation fall back to using polling based traps only.
7. Make VMTraps support signal based traps.
Some design and implementation details of signal based VM traps:
- The implementation makes use of 2 signal handlers for SIGUSR1 and SIGTRAP.
- VMTraps::fireTrap() will set the flag for the requested trap and instantiate
a SignalSender. The SignalSender will send SIGUSR1 to the mutator thread that
we want to trap, and check for the occurence of one of the following events:
a. VMTraps::handleTraps() has been called for the requested trap, or
b. the VM is inactive and is no longer executing any JS code. We determine
this to be the case if the thread no longer owns the JSLock and the VM's
entryScope is null.
Note: the thread can relinquish the JSLock while the VM's entryScope is not
null. This happens when the thread calls JSLock::dropAllLocks() before
calling a host function that may block on IO (or whatever). For our purpose,
this counts as the VM still running JS code, and VM::fireTrap() will still
be waiting.
If the SignalSender does not see either of these events, it will sleep for a
while and then re-send SIGUSR1 and check for the events again. When it sees
one of these events, it will consider the mutator to have received the trap
request.
- The SIGUSR1 handler will try to insert breakpoints at the invalidation points
in the DFG/FTL codeBlock at the top of the stack. This allows the mutator
thread to break (with a SIGTRAP) exactly at an invalidation point, where it's
safe to jettison the codeBlock.
Note: we cannot have the requester thread (that called VMTraps::fireTrap())
insert the breakpoint instructions itself. This is because we need the
register state of the the mutator thread (that we want to trap in) in order to
find the codeBlocks that we wish to insert the breakpoints in. Currently,
we don't have a generic way for the requester thread to get the register state
of another thread.
- The SIGTRAP handler will check to see if it is trapping on a breakpoint at an
invalidation point. If so, it will jettison the codeBlock and adjust the PC
to re-execute the invalidation OSR exit off-ramp. After the OSR exit, the
baseline JIT code will eventually reach an op_check_traps and call
VMTraps::handleTraps().
If the handler is not trapping at an invalidation point, then it must be
observing an assertion failure (which also uses the breakpoint instruction).
In this case, the handler will defer to the default SIGTRAP handler and crash.
- The reason we need the SignalSender is because SignalSender::send() is called
from another thread in a loop, so that VMTraps::fireTrap() can return sooner.
send() needs to make use of the VM pointer, and it is not guaranteed that the
VM will outlive the thread. SignalSender provides the mechanism by which we
can nullify the VM pointer when the VM dies so that the thread does not
continue to use it.
* assembler/ARM64Assembler.h:
(JSC::ARM64Assembler::replaceWithBrk):
* assembler/ARMAssembler.h:
(JSC::ARMAssembler::replaceWithBrk):
* assembler/ARMv7Assembler.h:
(JSC::ARMv7Assembler::replaceWithBkpt):
* assembler/MIPSAssembler.h:
(JSC::MIPSAssembler::replaceWithBkpt):
* assembler/MacroAssemblerARM.h:
(JSC::MacroAssemblerARM::replaceWithJump):
* assembler/MacroAssemblerARM64.h:
(JSC::MacroAssemblerARM64::replaceWithBreakpoint):
* assembler/MacroAssemblerARMv7.h:
(JSC::MacroAssemblerARMv7::replaceWithBreakpoint):
* assembler/MacroAssemblerMIPS.h:
(JSC::MacroAssemblerMIPS::replaceWithJump):
* assembler/MacroAssemblerX86Common.h:
(JSC::MacroAssemblerX86Common::replaceWithBreakpoint):
* assembler/X86Assembler.h:
(JSC::X86Assembler::replaceWithInt3):
* bytecode/CodeBlock.cpp:
(JSC::CodeBlock::jettison):
(JSC::CodeBlock::hasInstalledVMTrapBreakpoints):
(JSC::CodeBlock::installVMTrapBreakpoints):
* bytecode/CodeBlock.h:
* bytecompiler/BytecodeGenerator.cpp:
(JSC::BytecodeGenerator::emitCheckTraps):
* dfg/DFGCommonData.cpp:
(JSC::DFG::CommonData::installVMTrapBreakpoints):
(JSC::DFG::CommonData::isVMTrapBreakpoint):
* dfg/DFGCommonData.h:
(JSC::DFG::CommonData::hasInstalledVMTrapsBreakpoints):
* dfg/DFGJumpReplacement.cpp:
(JSC::DFG::JumpReplacement::installVMTrapBreakpoint):
* dfg/DFGJumpReplacement.h:
(JSC::DFG::JumpReplacement::dataLocation):
* dfg/DFGNodeType.h:
* heap/CodeBlockSet.cpp:
(JSC::CodeBlockSet::contains):
* heap/CodeBlockSet.h:
* heap/CodeBlockSetInlines.h:
(JSC::CodeBlockSet::iterate):
* heap/Heap.cpp:
(JSC::Heap::forEachCodeBlockIgnoringJITPlansImpl):
* heap/Heap.h:
* heap/HeapInlines.h:
(JSC::Heap::forEachCodeBlockIgnoringJITPlans):
* heap/MachineStackMarker.h:
(JSC::MachineThreads::threadsListHead):
* jit/ExecutableAllocator.cpp:
(JSC::ExecutableAllocator::isValidExecutableMemory):
* jit/ExecutableAllocator.h:
* profiler/ProfilerJettisonReason.cpp:
(WTF::printInternal):
* profiler/ProfilerJettisonReason.h:
* runtime/JSLock.cpp:
(JSC::JSLock::didAcquireLock):
* runtime/Options.cpp:
(JSC::overrideDefaults):
* runtime/Options.h:
* runtime/PlatformThread.h:
(JSC::platformThreadSignal):
* runtime/VM.cpp:
(JSC::VM::~VM):
(JSC::VM::ensureWatchdog):
(JSC::VM::handleTraps): Deleted.
(JSC::VM::setNeedAsynchronousTerminationSupport): Deleted.
* runtime/VM.h:
(JSC::VM::ownerThread):
(JSC::VM::traps):
(JSC::VM::handleTraps):
(JSC::VM::needTrapHandling):
(JSC::VM::needAsynchronousTerminationSupport): Deleted.
* runtime/VMTraps.cpp:
(JSC::VMTraps::vm):
(JSC::SignalContext::SignalContext):
(JSC::SignalContext::adjustPCToPointToTrappingInstruction):
(JSC::vmIsInactive):
(JSC::findActiveVMAndStackBounds):
(JSC::handleSigusr1):
(JSC::handleSigtrap):
(JSC::installSignalHandlers):
(JSC::sanitizedTopCallFrame):
(JSC::isSaneFrame):
(JSC::VMTraps::tryInstallTrapBreakpoints):
(JSC::VMTraps::invalidateCodeBlocksOnStack):
(JSC::VMTraps::VMTraps):
(JSC::VMTraps::willDestroyVM):
(JSC::VMTraps::addSignalSender):
(JSC::VMTraps::removeSignalSender):
(JSC::VMTraps::SignalSender::willDestroyVM):
(JSC::VMTraps::SignalSender::send):
(JSC::VMTraps::fireTrap):
(JSC::VMTraps::handleTraps):
* runtime/VMTraps.h:
(JSC::VMTraps::~VMTraps):
(JSC::VMTraps::needTrapHandling):
(JSC::VMTraps::notifyGrabAllLocks):
(JSC::VMTraps::SignalSender::SignalSender):
(JSC::VMTraps::invalidateCodeBlocksOnStack):
* tools/VMInspector.cpp:
* tools/VMInspector.h:
(JSC::VMInspector::getLock):
(JSC::VMInspector::iterate):
Source/WebCore:
No new tests needed. This is covered by existing tests.
* bindings/js/WorkerScriptController.cpp:
(WebCore::WorkerScriptController::WorkerScriptController):
(WebCore::WorkerScriptController::scheduleExecutionTermination):
Source/WTF:
Make StackBounds more useful for checking if a pointer is within stack bounds.
* wtf/MetaAllocator.cpp:
(WTF::MetaAllocator::isInAllocatedMemory):
* wtf/MetaAllocator.h:
* wtf/Platform.h:
* wtf/StackBounds.h:
(WTF::StackBounds::emptyBounds):
(WTF::StackBounds::StackBounds):
(WTF::StackBounds::isEmpty):
(WTF::StackBounds::contains):
Canonical link: https://commits.webkit.org/186409@main
git-svn-id: https://svn.webkit.org/repository/webkit/trunk@213652 268f45cc-cd09-0410-ab3c-d52691b4dbfc
2017-03-09 19:08:46 +00:00
|
|
|
return true;
|
|
|
|
}
|
|
|
|
return false;
|
|
|
|
}
|
|
|
|
|
DFG fragile frozen values are fundamentally broken
https://bugs.webkit.org/show_bug.cgi?id=146602
Reviewed by Mark Lam.
This change gets rid of the FragileValue value strength, because it was fundamentally
broken.
FragileValue was a value known to the compiler but not tracked by the GC in any way -
it wasn't marked and it wasn't weak. This was used to support AI bootstrap for OSR
must-handle values. The philosophy was that if the compiler did use the value for
optimization, it would have been strengthened to a weak value (or maybe even a strong
value, though we probably won't do that). But this was too much of a pipe dream. I've
found at least one case where the compiler did use the value, but never strengthened
it: it would happen if the value ended up in an OSR entry data expected value. Then if
we GCed, we might have killed the value, but OSR entry would still try to use it for
validation. That might have sort of just worked, but it's clearly shady.
The reason why we made must-handle values fragile and not weak is that most of the time
the values disappear from the abstract state: they are LUBed to a non-constant. If we
kept them around as weak, we'd have too many cases of the GC killing the code because
it thought that the value was somehow meaningful to the code when it was only used as a
temporary artifact of optimization.
So, it's true that it's very important for must-handle values not to automatically be
weak or strong. It's also true that the values are necessary for AI bootstrap because
we need to know what values OSR entry will require. But we shouldn't accomplish these
goals by having the compiler hold onto what are essentially dangling pointers.
This implements a better solution: instead of having InPlaceAbstractState bootstrap the
AI with must-handle values at the beginning, we now widen the valuesAtHead of the
must-handle block after AI converges. This widening is done in CFAPhase. This allows us
to see if the must-handle values are necessary at all. In most cases, the widening
takes a non-constant abstract value and simply amends something to its type based on
the type of the must-handle value, and so the must-handle value never actually shows up
in either the IR or any abstract value. In the unlikely event that the value at head is
bottom, we freeze the must-handle value. This change removes FragileValue, and this
freezing uses WeakValue as the strength. That makes sense: since the abstract value was
bottom, the must-handle value becomes integral to the IR and so it makes no sense for
the GC to keep the resulting CodeBlock alive if that must-handle value dies. This will
sometimes happen for example if you have a very long-running loop whose pre-header
allocates some object, but that pre-header appears to always exit to the optimizing JIT
because it was only profiled once in the LLInt and that profiling appears insufficient
to the DFG. In that case, we'll effectively constant-fold the references to the object
inside the loop, which is both efficient (yay constant folding!) and necessary
(otherwise we wouldn't know what the type of the variable should have been).
Testing and debugging this is complicated. So, this adds some new capabilities:
- DFG IR dumps also dump all of the FrozenValues that point to the heap along with
their strengths, so that it's easy to see what GC objects the DFG feels are necessary
for the compilation.
- DFG OSR entry preparation prints out the OSR entry data structures, so that it's easy
to see what GC pointers (and other things) are used for OSR entry validation. The
printouts are quite detailed, and should also help other kinds of OSR entry
debugging.
- DFG::Plan now validates whether all of the GC pointers planted in the various JITCode
data structures are also properly registered as either weak or strong pointers in the
CodeBlock. This validation check previously failed due to fragile values ending up in
the OSR entry data structures, both in the newly added test (dead-osr-entry-value.js)
and in some pre-existing tests (like earley-boyer and 3d-raytrace).
* CMakeLists.txt:
* JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
* JavaScriptCore.xcodeproj/project.pbxproj:
* bytecode/CodeBlock.cpp:
(JSC::CodeBlock::stronglyVisitStrongReferences):
* bytecode/CodeOrigin.cpp:
(JSC::InlineCallFrame::visitAggregate):
* bytecode/Operands.h:
(JSC::Operands::operand):
(JSC::Operands::hasOperand):
* bytecode/StructureSet.cpp:
(JSC::StructureSet::dump):
(JSC::StructureSet::validateReferences):
* bytecode/StructureSet.h:
* bytecode/TrackedReferences.cpp: Added.
(JSC::TrackedReferences::TrackedReferences):
(JSC::TrackedReferences::~TrackedReferences):
(JSC::TrackedReferences::add):
(JSC::TrackedReferences::check):
(JSC::TrackedReferences::dump):
* bytecode/TrackedReferences.h: Added.
* dfg/DFGAbstractValue.cpp:
(JSC::DFG::AbstractValue::observeTransitions):
(JSC::DFG::AbstractValue::set):
(JSC::DFG::AbstractValue::fixTypeForRepresentation):
(JSC::DFG::AbstractValue::mergeOSREntryValue):
(JSC::DFG::AbstractValue::filter):
(JSC::DFG::AbstractValue::dumpInContext):
(JSC::DFG::AbstractValue::validateReferences):
(JSC::DFG::AbstractValue::setOSREntryValue): Deleted.
* dfg/DFGAbstractValue.h:
(JSC::DFG::AbstractValue::fullTop):
(JSC::DFG::AbstractValue::merge):
* dfg/DFGByteCodeParser.cpp:
(JSC::DFG::ByteCodeParser::InlineStackEntry::InlineStackEntry):
* dfg/DFGCFAPhase.cpp:
(JSC::DFG::CFAPhase::run):
* dfg/DFGCommonData.cpp:
(JSC::DFG::CommonData::invalidate):
(JSC::DFG::CommonData::validateReferences):
* dfg/DFGCommonData.h:
(JSC::DFG::CommonData::requiredRegisterCountForExecutionAndExit):
* dfg/DFGFrozenValue.h:
(JSC::DFG::FrozenValue::FrozenValue):
(JSC::DFG::FrozenValue::strengthenTo):
(JSC::DFG::FrozenValue::pointsToHeap):
(JSC::DFG::FrozenValue::strength):
(JSC::DFG::FrozenValue::freeze):
* dfg/DFGGraph.cpp:
(JSC::DFG::Graph::Graph):
(JSC::DFG::Graph::dump):
(JSC::DFG::Graph::registerFrozenValues):
(JSC::DFG::Graph::visitChildren):
(JSC::DFG::Graph::freeze):
(JSC::DFG::Graph::freezeStrong):
(JSC::DFG::Graph::freezeFragile): Deleted.
* dfg/DFGGraph.h:
* dfg/DFGInPlaceAbstractState.cpp:
(JSC::DFG::InPlaceAbstractState::initialize):
* dfg/DFGJITCode.cpp:
(JSC::DFG::JITCode::setOptimizationThresholdBasedOnCompilationResult):
(JSC::DFG::JITCode::validateReferences):
* dfg/DFGJITCode.h:
* dfg/DFGJITCompiler.cpp:
(JSC::DFG::JITCompiler::addressOfDoubleConstant):
(JSC::DFG::JITCompiler::noticeOSREntry):
* dfg/DFGJITCompiler.h:
(JSC::DFG::JITCompiler::branchStructurePtr):
(JSC::DFG::JITCompiler::jitCode):
(JSC::DFG::JITCompiler::noticeOSREntry): Deleted.
* dfg/DFGMinifiedGraph.cpp: Added.
(JSC::DFG::MinifiedGraph::prepareAndShrink):
(JSC::DFG::MinifiedGraph::validateReferences):
* dfg/DFGMinifiedGraph.h:
(JSC::DFG::MinifiedGraph::append):
(JSC::DFG::MinifiedGraph::prepareAndShrink): Deleted.
* dfg/DFGOSREntry.cpp:
(JSC::DFG::OSREntryData::dumpInContext):
(JSC::DFG::OSREntryData::dump):
(JSC::DFG::prepareOSREntry):
* dfg/DFGOSREntry.h:
(JSC::DFG::getOSREntryDataBytecodeIndex):
* dfg/DFGPlan.cpp:
(JSC::DFG::Plan::finalizeWithoutNotifyingCallback):
* dfg/DFGSpeculativeJIT.cpp:
(JSC::DFG::SpeculativeJIT::linkOSREntries):
(JSC::DFG::SpeculativeJIT::compileDoublePutByVal):
* dfg/DFGStructureAbstractValue.cpp:
(JSC::DFG::StructureAbstractValue::dump):
(JSC::DFG::StructureAbstractValue::validateReferences):
* dfg/DFGStructureAbstractValue.h:
* dfg/DFGValidate.cpp:
(JSC::DFG::Validate::validate):
* dfg/DFGValueStrength.cpp:
(WTF::printInternal):
* dfg/DFGValueStrength.h:
(JSC::DFG::merge):
* ftl/FTLExitPropertyValue.cpp:
(JSC::FTL::ExitPropertyValue::dump):
(JSC::FTL::ExitPropertyValue::validateReferences):
* ftl/FTLExitPropertyValue.h:
* ftl/FTLExitTimeObjectMaterialization.cpp:
(JSC::FTL::ExitTimeObjectMaterialization::dump):
(JSC::FTL::ExitTimeObjectMaterialization::validateReferences):
* ftl/FTLExitTimeObjectMaterialization.h:
* ftl/FTLExitValue.cpp:
(JSC::FTL::ExitValue::dump):
(JSC::FTL::ExitValue::validateReferences):
* ftl/FTLExitValue.h:
* ftl/FTLJITCode.cpp:
(JSC::FTL::JITCode::dfgCommon):
(JSC::FTL::JITCode::validateReferences):
* ftl/FTLJITCode.h:
(JSC::FTL::JITCode::handles):
(JSC::FTL::JITCode::dataSections):
* ftl/FTLOSRExit.cpp:
(JSC::FTL::OSRExit::codeLocationForRepatch):
(JSC::FTL::OSRExit::validateReferences):
* ftl/FTLOSRExit.h:
(JSC::FTL::OSRExit::considerAddingAsFrequentExitSite):
* jit/JITCode.cpp:
(JSC::JITCode::typeName):
(JSC::JITCode::validateReferences):
(JSC::JITCode::execute):
* jit/JITCode.h:
(JSC::JITCode::start):
* tests/stress/dead-osr-entry-value.js: Added.
(foo):
Canonical link: https://commits.webkit.org/164928@main
git-svn-id: https://svn.webkit.org/repository/webkit/trunk@186691 268f45cc-cd09-0410-ab3c-d52691b4dbfc
2015-07-10 21:19:51 +00:00
|
|
|
void CommonData::validateReferences(const TrackedReferences& trackedReferences)
|
|
|
|
{
|
|
|
|
if (InlineCallFrameSet* set = inlineCallFrames.get()) {
|
|
|
|
for (InlineCallFrame* inlineCallFrame : *set) {
|
2021-04-07 21:14:57 +00:00
|
|
|
for (ValueRecovery& recovery : inlineCallFrame->m_argumentsWithFixup) {
|
DFG fragile frozen values are fundamentally broken
https://bugs.webkit.org/show_bug.cgi?id=146602
Reviewed by Mark Lam.
This change gets rid of the FragileValue value strength, because it was fundamentally
broken.
FragileValue was a value known to the compiler but not tracked by the GC in any way -
it wasn't marked and it wasn't weak. This was used to support AI bootstrap for OSR
must-handle values. The philosophy was that if the compiler did use the value for
optimization, it would have been strengthened to a weak value (or maybe even a strong
value, though we probably won't do that). But this was too much of a pipe dream. I've
found at least one case where the compiler did use the value, but never strengthened
it: it would happen if the value ended up in an OSR entry data expected value. Then if
we GCed, we might have killed the value, but OSR entry would still try to use it for
validation. That might have sort of just worked, but it's clearly shady.
The reason why we made must-handle values fragile and not weak is that most of the time
the values disappear from the abstract state: they are LUBed to a non-constant. If we
kept them around as weak, we'd have too many cases of the GC killing the code because
it thought that the value was somehow meaningful to the code when it was only used as a
temporary artifact of optimization.
So, it's true that it's very important for must-handle values not to automatically be
weak or strong. It's also true that the values are necessary for AI bootstrap because
we need to know what values OSR entry will require. But we shouldn't accomplish these
goals by having the compiler hold onto what are essentially dangling pointers.
This implements a better solution: instead of having InPlaceAbstractState bootstrap the
AI with must-handle values at the beginning, we now widen the valuesAtHead of the
must-handle block after AI converges. This widening is done in CFAPhase. This allows us
to see if the must-handle values are necessary at all. In most cases, the widening
takes a non-constant abstract value and simply amends something to its type based on
the type of the must-handle value, and so the must-handle value never actually shows up
in either the IR or any abstract value. In the unlikely event that the value at head is
bottom, we freeze the must-handle value. This change removes FragileValue, and this
freezing uses WeakValue as the strength. That makes sense: since the abstract value was
bottom, the must-handle value becomes integral to the IR and so it makes no sense for
the GC to keep the resulting CodeBlock alive if that must-handle value dies. This will
sometimes happen for example if you have a very long-running loop whose pre-header
allocates some object, but that pre-header appears to always exit to the optimizing JIT
because it was only profiled once in the LLInt and that profiling appears insufficient
to the DFG. In that case, we'll effectively constant-fold the references to the object
inside the loop, which is both efficient (yay constant folding!) and necessary
(otherwise we wouldn't know what the type of the variable should have been).
Testing and debugging this is complicated. So, this adds some new capabilities:
- DFG IR dumps also dump all of the FrozenValues that point to the heap along with
their strengths, so that it's easy to see what GC objects the DFG feels are necessary
for the compilation.
- DFG OSR entry preparation prints out the OSR entry data structures, so that it's easy
to see what GC pointers (and other things) are used for OSR entry validation. The
printouts are quite detailed, and should also help other kinds of OSR entry
debugging.
- DFG::Plan now validates whether all of the GC pointers planted in the various JITCode
data structures are also properly registered as either weak or strong pointers in the
CodeBlock. This validation check previously failed due to fragile values ending up in
the OSR entry data structures, both in the newly added test (dead-osr-entry-value.js)
and in some pre-existing tests (like earley-boyer and 3d-raytrace).
* CMakeLists.txt:
* JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
* JavaScriptCore.xcodeproj/project.pbxproj:
* bytecode/CodeBlock.cpp:
(JSC::CodeBlock::stronglyVisitStrongReferences):
* bytecode/CodeOrigin.cpp:
(JSC::InlineCallFrame::visitAggregate):
* bytecode/Operands.h:
(JSC::Operands::operand):
(JSC::Operands::hasOperand):
* bytecode/StructureSet.cpp:
(JSC::StructureSet::dump):
(JSC::StructureSet::validateReferences):
* bytecode/StructureSet.h:
* bytecode/TrackedReferences.cpp: Added.
(JSC::TrackedReferences::TrackedReferences):
(JSC::TrackedReferences::~TrackedReferences):
(JSC::TrackedReferences::add):
(JSC::TrackedReferences::check):
(JSC::TrackedReferences::dump):
* bytecode/TrackedReferences.h: Added.
* dfg/DFGAbstractValue.cpp:
(JSC::DFG::AbstractValue::observeTransitions):
(JSC::DFG::AbstractValue::set):
(JSC::DFG::AbstractValue::fixTypeForRepresentation):
(JSC::DFG::AbstractValue::mergeOSREntryValue):
(JSC::DFG::AbstractValue::filter):
(JSC::DFG::AbstractValue::dumpInContext):
(JSC::DFG::AbstractValue::validateReferences):
(JSC::DFG::AbstractValue::setOSREntryValue): Deleted.
* dfg/DFGAbstractValue.h:
(JSC::DFG::AbstractValue::fullTop):
(JSC::DFG::AbstractValue::merge):
* dfg/DFGByteCodeParser.cpp:
(JSC::DFG::ByteCodeParser::InlineStackEntry::InlineStackEntry):
* dfg/DFGCFAPhase.cpp:
(JSC::DFG::CFAPhase::run):
* dfg/DFGCommonData.cpp:
(JSC::DFG::CommonData::invalidate):
(JSC::DFG::CommonData::validateReferences):
* dfg/DFGCommonData.h:
(JSC::DFG::CommonData::requiredRegisterCountForExecutionAndExit):
* dfg/DFGFrozenValue.h:
(JSC::DFG::FrozenValue::FrozenValue):
(JSC::DFG::FrozenValue::strengthenTo):
(JSC::DFG::FrozenValue::pointsToHeap):
(JSC::DFG::FrozenValue::strength):
(JSC::DFG::FrozenValue::freeze):
* dfg/DFGGraph.cpp:
(JSC::DFG::Graph::Graph):
(JSC::DFG::Graph::dump):
(JSC::DFG::Graph::registerFrozenValues):
(JSC::DFG::Graph::visitChildren):
(JSC::DFG::Graph::freeze):
(JSC::DFG::Graph::freezeStrong):
(JSC::DFG::Graph::freezeFragile): Deleted.
* dfg/DFGGraph.h:
* dfg/DFGInPlaceAbstractState.cpp:
(JSC::DFG::InPlaceAbstractState::initialize):
* dfg/DFGJITCode.cpp:
(JSC::DFG::JITCode::setOptimizationThresholdBasedOnCompilationResult):
(JSC::DFG::JITCode::validateReferences):
* dfg/DFGJITCode.h:
* dfg/DFGJITCompiler.cpp:
(JSC::DFG::JITCompiler::addressOfDoubleConstant):
(JSC::DFG::JITCompiler::noticeOSREntry):
* dfg/DFGJITCompiler.h:
(JSC::DFG::JITCompiler::branchStructurePtr):
(JSC::DFG::JITCompiler::jitCode):
(JSC::DFG::JITCompiler::noticeOSREntry): Deleted.
* dfg/DFGMinifiedGraph.cpp: Added.
(JSC::DFG::MinifiedGraph::prepareAndShrink):
(JSC::DFG::MinifiedGraph::validateReferences):
* dfg/DFGMinifiedGraph.h:
(JSC::DFG::MinifiedGraph::append):
(JSC::DFG::MinifiedGraph::prepareAndShrink): Deleted.
* dfg/DFGOSREntry.cpp:
(JSC::DFG::OSREntryData::dumpInContext):
(JSC::DFG::OSREntryData::dump):
(JSC::DFG::prepareOSREntry):
* dfg/DFGOSREntry.h:
(JSC::DFG::getOSREntryDataBytecodeIndex):
* dfg/DFGPlan.cpp:
(JSC::DFG::Plan::finalizeWithoutNotifyingCallback):
* dfg/DFGSpeculativeJIT.cpp:
(JSC::DFG::SpeculativeJIT::linkOSREntries):
(JSC::DFG::SpeculativeJIT::compileDoublePutByVal):
* dfg/DFGStructureAbstractValue.cpp:
(JSC::DFG::StructureAbstractValue::dump):
(JSC::DFG::StructureAbstractValue::validateReferences):
* dfg/DFGStructureAbstractValue.h:
* dfg/DFGValidate.cpp:
(JSC::DFG::Validate::validate):
* dfg/DFGValueStrength.cpp:
(WTF::printInternal):
* dfg/DFGValueStrength.h:
(JSC::DFG::merge):
* ftl/FTLExitPropertyValue.cpp:
(JSC::FTL::ExitPropertyValue::dump):
(JSC::FTL::ExitPropertyValue::validateReferences):
* ftl/FTLExitPropertyValue.h:
* ftl/FTLExitTimeObjectMaterialization.cpp:
(JSC::FTL::ExitTimeObjectMaterialization::dump):
(JSC::FTL::ExitTimeObjectMaterialization::validateReferences):
* ftl/FTLExitTimeObjectMaterialization.h:
* ftl/FTLExitValue.cpp:
(JSC::FTL::ExitValue::dump):
(JSC::FTL::ExitValue::validateReferences):
* ftl/FTLExitValue.h:
* ftl/FTLJITCode.cpp:
(JSC::FTL::JITCode::dfgCommon):
(JSC::FTL::JITCode::validateReferences):
* ftl/FTLJITCode.h:
(JSC::FTL::JITCode::handles):
(JSC::FTL::JITCode::dataSections):
* ftl/FTLOSRExit.cpp:
(JSC::FTL::OSRExit::codeLocationForRepatch):
(JSC::FTL::OSRExit::validateReferences):
* ftl/FTLOSRExit.h:
(JSC::FTL::OSRExit::considerAddingAsFrequentExitSite):
* jit/JITCode.cpp:
(JSC::JITCode::typeName):
(JSC::JITCode::validateReferences):
(JSC::JITCode::execute):
* jit/JITCode.h:
(JSC::JITCode::start):
* tests/stress/dead-osr-entry-value.js: Added.
(foo):
Canonical link: https://commits.webkit.org/164928@main
git-svn-id: https://svn.webkit.org/repository/webkit/trunk@186691 268f45cc-cd09-0410-ab3c-d52691b4dbfc
2015-07-10 21:19:51 +00:00
|
|
|
if (recovery.isConstant())
|
|
|
|
trackedReferences.check(recovery.constant());
|
|
|
|
}
|
|
|
|
|
2015-10-09 23:10:16 +00:00
|
|
|
if (CodeBlock* baselineCodeBlock = inlineCallFrame->baselineCodeBlock.get())
|
|
|
|
trackedReferences.check(baselineCodeBlock);
|
DFG fragile frozen values are fundamentally broken
https://bugs.webkit.org/show_bug.cgi?id=146602
Reviewed by Mark Lam.
This change gets rid of the FragileValue value strength, because it was fundamentally
broken.
FragileValue was a value known to the compiler but not tracked by the GC in any way -
it wasn't marked and it wasn't weak. This was used to support AI bootstrap for OSR
must-handle values. The philosophy was that if the compiler did use the value for
optimization, it would have been strengthened to a weak value (or maybe even a strong
value, though we probably won't do that). But this was too much of a pipe dream. I've
found at least one case where the compiler did use the value, but never strengthened
it: it would happen if the value ended up in an OSR entry data expected value. Then if
we GCed, we might have killed the value, but OSR entry would still try to use it for
validation. That might have sort of just worked, but it's clearly shady.
The reason why we made must-handle values fragile and not weak is that most of the time
the values disappear from the abstract state: they are LUBed to a non-constant. If we
kept them around as weak, we'd have too many cases of the GC killing the code because
it thought that the value was somehow meaningful to the code when it was only used as a
temporary artifact of optimization.
So, it's true that it's very important for must-handle values not to automatically be
weak or strong. It's also true that the values are necessary for AI bootstrap because
we need to know what values OSR entry will require. But we shouldn't accomplish these
goals by having the compiler hold onto what are essentially dangling pointers.
This implements a better solution: instead of having InPlaceAbstractState bootstrap the
AI with must-handle values at the beginning, we now widen the valuesAtHead of the
must-handle block after AI converges. This widening is done in CFAPhase. This allows us
to see if the must-handle values are necessary at all. In most cases, the widening
takes a non-constant abstract value and simply amends something to its type based on
the type of the must-handle value, and so the must-handle value never actually shows up
in either the IR or any abstract value. In the unlikely event that the value at head is
bottom, we freeze the must-handle value. This change removes FragileValue, and this
freezing uses WeakValue as the strength. That makes sense: since the abstract value was
bottom, the must-handle value becomes integral to the IR and so it makes no sense for
the GC to keep the resulting CodeBlock alive if that must-handle value dies. This will
sometimes happen for example if you have a very long-running loop whose pre-header
allocates some object, but that pre-header appears to always exit to the optimizing JIT
because it was only profiled once in the LLInt and that profiling appears insufficient
to the DFG. In that case, we'll effectively constant-fold the references to the object
inside the loop, which is both efficient (yay constant folding!) and necessary
(otherwise we wouldn't know what the type of the variable should have been).
Testing and debugging this is complicated. So, this adds some new capabilities:
- DFG IR dumps also dump all of the FrozenValues that point to the heap along with
their strengths, so that it's easy to see what GC objects the DFG feels are necessary
for the compilation.
- DFG OSR entry preparation prints out the OSR entry data structures, so that it's easy
to see what GC pointers (and other things) are used for OSR entry validation. The
printouts are quite detailed, and should also help other kinds of OSR entry
debugging.
- DFG::Plan now validates whether all of the GC pointers planted in the various JITCode
data structures are also properly registered as either weak or strong pointers in the
CodeBlock. This validation check previously failed due to fragile values ending up in
the OSR entry data structures, both in the newly added test (dead-osr-entry-value.js)
and in some pre-existing tests (like earley-boyer and 3d-raytrace).
* CMakeLists.txt:
* JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
* JavaScriptCore.xcodeproj/project.pbxproj:
* bytecode/CodeBlock.cpp:
(JSC::CodeBlock::stronglyVisitStrongReferences):
* bytecode/CodeOrigin.cpp:
(JSC::InlineCallFrame::visitAggregate):
* bytecode/Operands.h:
(JSC::Operands::operand):
(JSC::Operands::hasOperand):
* bytecode/StructureSet.cpp:
(JSC::StructureSet::dump):
(JSC::StructureSet::validateReferences):
* bytecode/StructureSet.h:
* bytecode/TrackedReferences.cpp: Added.
(JSC::TrackedReferences::TrackedReferences):
(JSC::TrackedReferences::~TrackedReferences):
(JSC::TrackedReferences::add):
(JSC::TrackedReferences::check):
(JSC::TrackedReferences::dump):
* bytecode/TrackedReferences.h: Added.
* dfg/DFGAbstractValue.cpp:
(JSC::DFG::AbstractValue::observeTransitions):
(JSC::DFG::AbstractValue::set):
(JSC::DFG::AbstractValue::fixTypeForRepresentation):
(JSC::DFG::AbstractValue::mergeOSREntryValue):
(JSC::DFG::AbstractValue::filter):
(JSC::DFG::AbstractValue::dumpInContext):
(JSC::DFG::AbstractValue::validateReferences):
(JSC::DFG::AbstractValue::setOSREntryValue): Deleted.
* dfg/DFGAbstractValue.h:
(JSC::DFG::AbstractValue::fullTop):
(JSC::DFG::AbstractValue::merge):
* dfg/DFGByteCodeParser.cpp:
(JSC::DFG::ByteCodeParser::InlineStackEntry::InlineStackEntry):
* dfg/DFGCFAPhase.cpp:
(JSC::DFG::CFAPhase::run):
* dfg/DFGCommonData.cpp:
(JSC::DFG::CommonData::invalidate):
(JSC::DFG::CommonData::validateReferences):
* dfg/DFGCommonData.h:
(JSC::DFG::CommonData::requiredRegisterCountForExecutionAndExit):
* dfg/DFGFrozenValue.h:
(JSC::DFG::FrozenValue::FrozenValue):
(JSC::DFG::FrozenValue::strengthenTo):
(JSC::DFG::FrozenValue::pointsToHeap):
(JSC::DFG::FrozenValue::strength):
(JSC::DFG::FrozenValue::freeze):
* dfg/DFGGraph.cpp:
(JSC::DFG::Graph::Graph):
(JSC::DFG::Graph::dump):
(JSC::DFG::Graph::registerFrozenValues):
(JSC::DFG::Graph::visitChildren):
(JSC::DFG::Graph::freeze):
(JSC::DFG::Graph::freezeStrong):
(JSC::DFG::Graph::freezeFragile): Deleted.
* dfg/DFGGraph.h:
* dfg/DFGInPlaceAbstractState.cpp:
(JSC::DFG::InPlaceAbstractState::initialize):
* dfg/DFGJITCode.cpp:
(JSC::DFG::JITCode::setOptimizationThresholdBasedOnCompilationResult):
(JSC::DFG::JITCode::validateReferences):
* dfg/DFGJITCode.h:
* dfg/DFGJITCompiler.cpp:
(JSC::DFG::JITCompiler::addressOfDoubleConstant):
(JSC::DFG::JITCompiler::noticeOSREntry):
* dfg/DFGJITCompiler.h:
(JSC::DFG::JITCompiler::branchStructurePtr):
(JSC::DFG::JITCompiler::jitCode):
(JSC::DFG::JITCompiler::noticeOSREntry): Deleted.
* dfg/DFGMinifiedGraph.cpp: Added.
(JSC::DFG::MinifiedGraph::prepareAndShrink):
(JSC::DFG::MinifiedGraph::validateReferences):
* dfg/DFGMinifiedGraph.h:
(JSC::DFG::MinifiedGraph::append):
(JSC::DFG::MinifiedGraph::prepareAndShrink): Deleted.
* dfg/DFGOSREntry.cpp:
(JSC::DFG::OSREntryData::dumpInContext):
(JSC::DFG::OSREntryData::dump):
(JSC::DFG::prepareOSREntry):
* dfg/DFGOSREntry.h:
(JSC::DFG::getOSREntryDataBytecodeIndex):
* dfg/DFGPlan.cpp:
(JSC::DFG::Plan::finalizeWithoutNotifyingCallback):
* dfg/DFGSpeculativeJIT.cpp:
(JSC::DFG::SpeculativeJIT::linkOSREntries):
(JSC::DFG::SpeculativeJIT::compileDoublePutByVal):
* dfg/DFGStructureAbstractValue.cpp:
(JSC::DFG::StructureAbstractValue::dump):
(JSC::DFG::StructureAbstractValue::validateReferences):
* dfg/DFGStructureAbstractValue.h:
* dfg/DFGValidate.cpp:
(JSC::DFG::Validate::validate):
* dfg/DFGValueStrength.cpp:
(WTF::printInternal):
* dfg/DFGValueStrength.h:
(JSC::DFG::merge):
* ftl/FTLExitPropertyValue.cpp:
(JSC::FTL::ExitPropertyValue::dump):
(JSC::FTL::ExitPropertyValue::validateReferences):
* ftl/FTLExitPropertyValue.h:
* ftl/FTLExitTimeObjectMaterialization.cpp:
(JSC::FTL::ExitTimeObjectMaterialization::dump):
(JSC::FTL::ExitTimeObjectMaterialization::validateReferences):
* ftl/FTLExitTimeObjectMaterialization.h:
* ftl/FTLExitValue.cpp:
(JSC::FTL::ExitValue::dump):
(JSC::FTL::ExitValue::validateReferences):
* ftl/FTLExitValue.h:
* ftl/FTLJITCode.cpp:
(JSC::FTL::JITCode::dfgCommon):
(JSC::FTL::JITCode::validateReferences):
* ftl/FTLJITCode.h:
(JSC::FTL::JITCode::handles):
(JSC::FTL::JITCode::dataSections):
* ftl/FTLOSRExit.cpp:
(JSC::FTL::OSRExit::codeLocationForRepatch):
(JSC::FTL::OSRExit::validateReferences):
* ftl/FTLOSRExit.h:
(JSC::FTL::OSRExit::considerAddingAsFrequentExitSite):
* jit/JITCode.cpp:
(JSC::JITCode::typeName):
(JSC::JITCode::validateReferences):
(JSC::JITCode::execute):
* jit/JITCode.h:
(JSC::JITCode::start):
* tests/stress/dead-osr-entry-value.js: Added.
(foo):
Canonical link: https://commits.webkit.org/164928@main
git-svn-id: https://svn.webkit.org/repository/webkit/trunk@186691 268f45cc-cd09-0410-ab3c-d52691b4dbfc
2015-07-10 21:19:51 +00:00
|
|
|
|
|
|
|
if (inlineCallFrame->calleeRecovery.isConstant())
|
|
|
|
trackedReferences.check(inlineCallFrame->calleeRecovery.constant());
|
|
|
|
}
|
|
|
|
}
|
DFG should have adaptive structure watchpoints
https://bugs.webkit.org/show_bug.cgi?id=146929
Reviewed by Geoffrey Garen.
Source/JavaScriptCore:
Before this change, if you wanted to efficiently validate whether an object has (or doesn't have) a
property, you'd check that the object still has the structure that you first saw the object have. We
optimized this a bit with transition watchpoints on the structure, which sometimes allowed us to
elide the structure check.
But this approach fails when that object frequently has new properties added to it. This would
change the structure and fire the transition watchpoint, so the code we emitted would be invalid and
we'd have to recompile either the IC or an entire code block.
This change introduces a new concept: an object property condition. This value describes some
condition involving a property on some object. There are four kinds: presence, absence,
absence-of-setter, and equivalence. For example, a presence condition says that we expect that the
object has some property at some offset with some attributes. This allows us to implement a new kind
of watchpoint, which knows about the object property condition that it's being used to enforce. If
the watchpoint fires because of a structure transition, the watchpoint may simply reinstall itself
on the new structure.
Object property conditions are used on the prototype chain of PutById transitions, GetById misses,
and prototype accesses. They are also used for any DFG accesses to object constants, including
global property accesses.
Mostly because of the effect on global property access, this is a 9% speed-up on Kraken. It's
neutral on most other things. It's a 68x speed-up on a microbenchmark that illustrates the prototype
chain situation. It's also a small speed-up on getter-richards.
* CMakeLists.txt:
* JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
* JavaScriptCore.xcodeproj/project.pbxproj:
* bytecode/CodeBlock.cpp:
(JSC::CodeBlock::printGetByIdCacheStatus):
(JSC::CodeBlock::printPutByIdCacheStatus):
* bytecode/CodeBlockJettisoningWatchpoint.cpp:
(JSC::CodeBlockJettisoningWatchpoint::fireInternal):
* bytecode/ComplexGetStatus.cpp:
(JSC::ComplexGetStatus::computeFor):
* bytecode/ComplexGetStatus.h:
(JSC::ComplexGetStatus::ComplexGetStatus):
(JSC::ComplexGetStatus::takesSlowPath):
(JSC::ComplexGetStatus::kind):
(JSC::ComplexGetStatus::offset):
(JSC::ComplexGetStatus::conditionSet):
(JSC::ComplexGetStatus::attributes): Deleted.
(JSC::ComplexGetStatus::specificValue): Deleted.
(JSC::ComplexGetStatus::chain): Deleted.
* bytecode/ConstantStructureCheck.cpp: Removed.
* bytecode/ConstantStructureCheck.h: Removed.
* bytecode/GetByIdStatus.cpp:
(JSC::GetByIdStatus::computeForStubInfo):
* bytecode/GetByIdVariant.cpp:
(JSC::GetByIdVariant::GetByIdVariant):
(JSC::GetByIdVariant::~GetByIdVariant):
(JSC::GetByIdVariant::operator=):
(JSC::GetByIdVariant::attemptToMerge):
(JSC::GetByIdVariant::dumpInContext):
(JSC::GetByIdVariant::baseStructure): Deleted.
* bytecode/GetByIdVariant.h:
(JSC::GetByIdVariant::operator!):
(JSC::GetByIdVariant::structureSet):
(JSC::GetByIdVariant::conditionSet):
(JSC::GetByIdVariant::offset):
(JSC::GetByIdVariant::callLinkStatus):
(JSC::GetByIdVariant::constantChecks): Deleted.
(JSC::GetByIdVariant::alternateBase): Deleted.
* bytecode/ObjectPropertyCondition.cpp: Added.
(JSC::ObjectPropertyCondition::dumpInContext):
(JSC::ObjectPropertyCondition::dump):
(JSC::ObjectPropertyCondition::structureEnsuresValidityAssumingImpurePropertyWatchpoint):
(JSC::ObjectPropertyCondition::validityRequiresImpurePropertyWatchpoint):
(JSC::ObjectPropertyCondition::isStillValid):
(JSC::ObjectPropertyCondition::structureEnsuresValidity):
(JSC::ObjectPropertyCondition::isWatchableAssumingImpurePropertyWatchpoint):
(JSC::ObjectPropertyCondition::isWatchable):
(JSC::ObjectPropertyCondition::isStillLive):
(JSC::ObjectPropertyCondition::validateReferences):
(JSC::ObjectPropertyCondition::attemptToMakeEquivalenceWithoutBarrier):
* bytecode/ObjectPropertyCondition.h: Added.
(JSC::ObjectPropertyCondition::ObjectPropertyCondition):
(JSC::ObjectPropertyCondition::presenceWithoutBarrier):
(JSC::ObjectPropertyCondition::presence):
(JSC::ObjectPropertyCondition::absenceWithoutBarrier):
(JSC::ObjectPropertyCondition::absence):
(JSC::ObjectPropertyCondition::absenceOfSetterWithoutBarrier):
(JSC::ObjectPropertyCondition::absenceOfSetter):
(JSC::ObjectPropertyCondition::equivalenceWithoutBarrier):
(JSC::ObjectPropertyCondition::equivalence):
(JSC::ObjectPropertyCondition::operator!):
(JSC::ObjectPropertyCondition::object):
(JSC::ObjectPropertyCondition::condition):
(JSC::ObjectPropertyCondition::kind):
(JSC::ObjectPropertyCondition::uid):
(JSC::ObjectPropertyCondition::hasOffset):
(JSC::ObjectPropertyCondition::offset):
(JSC::ObjectPropertyCondition::hasAttributes):
(JSC::ObjectPropertyCondition::attributes):
(JSC::ObjectPropertyCondition::hasPrototype):
(JSC::ObjectPropertyCondition::prototype):
(JSC::ObjectPropertyCondition::hasRequiredValue):
(JSC::ObjectPropertyCondition::requiredValue):
(JSC::ObjectPropertyCondition::hash):
(JSC::ObjectPropertyCondition::operator==):
(JSC::ObjectPropertyCondition::isHashTableDeletedValue):
(JSC::ObjectPropertyCondition::isCompatibleWith):
(JSC::ObjectPropertyCondition::watchingRequiresStructureTransitionWatchpoint):
(JSC::ObjectPropertyCondition::watchingRequiresReplacementWatchpoint):
(JSC::ObjectPropertyCondition::isValidValueForPresence):
(JSC::ObjectPropertyConditionHash::hash):
(JSC::ObjectPropertyConditionHash::equal):
* bytecode/ObjectPropertyConditionSet.cpp: Added.
(JSC::ObjectPropertyConditionSet::forObject):
(JSC::ObjectPropertyConditionSet::forConditionKind):
(JSC::ObjectPropertyConditionSet::numberOfConditionsWithKind):
(JSC::ObjectPropertyConditionSet::hasOneSlotBaseCondition):
(JSC::ObjectPropertyConditionSet::slotBaseCondition):
(JSC::ObjectPropertyConditionSet::mergedWith):
(JSC::ObjectPropertyConditionSet::structuresEnsureValidity):
(JSC::ObjectPropertyConditionSet::structuresEnsureValidityAssumingImpurePropertyWatchpoint):
(JSC::ObjectPropertyConditionSet::needImpurePropertyWatchpoint):
(JSC::ObjectPropertyConditionSet::areStillLive):
(JSC::ObjectPropertyConditionSet::dumpInContext):
(JSC::ObjectPropertyConditionSet::dump):
(JSC::generateConditionsForPropertyMiss):
(JSC::generateConditionsForPropertySetterMiss):
(JSC::generateConditionsForPrototypePropertyHit):
(JSC::generateConditionsForPrototypePropertyHitCustom):
(JSC::generateConditionsForPropertySetterMissConcurrently):
* bytecode/ObjectPropertyConditionSet.h: Added.
(JSC::ObjectPropertyConditionSet::ObjectPropertyConditionSet):
(JSC::ObjectPropertyConditionSet::invalid):
(JSC::ObjectPropertyConditionSet::nonEmpty):
(JSC::ObjectPropertyConditionSet::isValid):
(JSC::ObjectPropertyConditionSet::isEmpty):
(JSC::ObjectPropertyConditionSet::begin):
(JSC::ObjectPropertyConditionSet::end):
(JSC::ObjectPropertyConditionSet::releaseRawPointer):
(JSC::ObjectPropertyConditionSet::adoptRawPointer):
(JSC::ObjectPropertyConditionSet::fromRawPointer):
(JSC::ObjectPropertyConditionSet::Data::Data):
* bytecode/PolymorphicGetByIdList.cpp:
(JSC::GetByIdAccess::GetByIdAccess):
(JSC::GetByIdAccess::~GetByIdAccess):
(JSC::GetByIdAccess::visitWeak):
* bytecode/PolymorphicGetByIdList.h:
(JSC::GetByIdAccess::GetByIdAccess):
(JSC::GetByIdAccess::structure):
(JSC::GetByIdAccess::conditionSet):
(JSC::GetByIdAccess::stubRoutine):
(JSC::GetByIdAccess::chain): Deleted.
(JSC::GetByIdAccess::chainCount): Deleted.
* bytecode/PolymorphicPutByIdList.cpp:
(JSC::PutByIdAccess::fromStructureStubInfo):
(JSC::PutByIdAccess::visitWeak):
* bytecode/PolymorphicPutByIdList.h:
(JSC::PutByIdAccess::PutByIdAccess):
(JSC::PutByIdAccess::transition):
(JSC::PutByIdAccess::setter):
(JSC::PutByIdAccess::newStructure):
(JSC::PutByIdAccess::conditionSet):
(JSC::PutByIdAccess::stubRoutine):
(JSC::PutByIdAccess::chain): Deleted.
(JSC::PutByIdAccess::chainCount): Deleted.
* bytecode/PropertyCondition.cpp: Added.
(JSC::PropertyCondition::dumpInContext):
(JSC::PropertyCondition::dump):
(JSC::PropertyCondition::isStillValidAssumingImpurePropertyWatchpoint):
(JSC::PropertyCondition::validityRequiresImpurePropertyWatchpoint):
(JSC::PropertyCondition::isStillValid):
(JSC::PropertyCondition::isWatchableWhenValid):
(JSC::PropertyCondition::isWatchableAssumingImpurePropertyWatchpoint):
(JSC::PropertyCondition::isWatchable):
(JSC::PropertyCondition::isStillLive):
(JSC::PropertyCondition::validateReferences):
(JSC::PropertyCondition::isValidValueForAttributes):
(JSC::PropertyCondition::isValidValueForPresence):
(JSC::PropertyCondition::attemptToMakeEquivalenceWithoutBarrier):
(WTF::printInternal):
* bytecode/PropertyCondition.h: Added.
(JSC::PropertyCondition::PropertyCondition):
(JSC::PropertyCondition::presenceWithoutBarrier):
(JSC::PropertyCondition::presence):
(JSC::PropertyCondition::absenceWithoutBarrier):
(JSC::PropertyCondition::absence):
(JSC::PropertyCondition::absenceOfSetterWithoutBarrier):
(JSC::PropertyCondition::absenceOfSetter):
(JSC::PropertyCondition::equivalenceWithoutBarrier):
(JSC::PropertyCondition::equivalence):
(JSC::PropertyCondition::operator!):
(JSC::PropertyCondition::kind):
(JSC::PropertyCondition::uid):
(JSC::PropertyCondition::hasOffset):
(JSC::PropertyCondition::offset):
(JSC::PropertyCondition::hasAttributes):
(JSC::PropertyCondition::attributes):
(JSC::PropertyCondition::hasPrototype):
(JSC::PropertyCondition::prototype):
(JSC::PropertyCondition::hasRequiredValue):
(JSC::PropertyCondition::requiredValue):
(JSC::PropertyCondition::hash):
(JSC::PropertyCondition::operator==):
(JSC::PropertyCondition::isHashTableDeletedValue):
(JSC::PropertyCondition::isCompatibleWith):
(JSC::PropertyCondition::watchingRequiresStructureTransitionWatchpoint):
(JSC::PropertyCondition::watchingRequiresReplacementWatchpoint):
(JSC::PropertyConditionHash::hash):
(JSC::PropertyConditionHash::equal):
* bytecode/PutByIdStatus.cpp:
(JSC::PutByIdStatus::computeFromLLInt):
(JSC::PutByIdStatus::computeFor):
(JSC::PutByIdStatus::computeForStubInfo):
* bytecode/PutByIdVariant.cpp:
(JSC::PutByIdVariant::operator=):
(JSC::PutByIdVariant::transition):
(JSC::PutByIdVariant::setter):
(JSC::PutByIdVariant::makesCalls):
(JSC::PutByIdVariant::attemptToMerge):
(JSC::PutByIdVariant::attemptToMergeTransitionWithReplace):
(JSC::PutByIdVariant::dumpInContext):
(JSC::PutByIdVariant::baseStructure): Deleted.
* bytecode/PutByIdVariant.h:
(JSC::PutByIdVariant::PutByIdVariant):
(JSC::PutByIdVariant::kind):
(JSC::PutByIdVariant::structure):
(JSC::PutByIdVariant::structureSet):
(JSC::PutByIdVariant::oldStructure):
(JSC::PutByIdVariant::conditionSet):
(JSC::PutByIdVariant::offset):
(JSC::PutByIdVariant::callLinkStatus):
(JSC::PutByIdVariant::constantChecks): Deleted.
(JSC::PutByIdVariant::alternateBase): Deleted.
* bytecode/StructureStubClearingWatchpoint.cpp:
(JSC::StructureStubClearingWatchpoint::~StructureStubClearingWatchpoint):
(JSC::StructureStubClearingWatchpoint::push):
(JSC::StructureStubClearingWatchpoint::fireInternal):
(JSC::WatchpointsOnStructureStubInfo::~WatchpointsOnStructureStubInfo):
(JSC::WatchpointsOnStructureStubInfo::addWatchpoint):
(JSC::WatchpointsOnStructureStubInfo::ensureReferenceAndAddWatchpoint):
* bytecode/StructureStubClearingWatchpoint.h:
(JSC::StructureStubClearingWatchpoint::StructureStubClearingWatchpoint):
(JSC::WatchpointsOnStructureStubInfo::codeBlock):
(JSC::WatchpointsOnStructureStubInfo::stubInfo):
* bytecode/StructureStubInfo.cpp:
(JSC::StructureStubInfo::deref):
(JSC::StructureStubInfo::visitWeakReferences):
* bytecode/StructureStubInfo.h:
(JSC::StructureStubInfo::initPutByIdTransition):
(JSC::StructureStubInfo::initPutByIdReplace):
(JSC::StructureStubInfo::setSeen):
(JSC::StructureStubInfo::addWatchpoint):
* dfg/DFGAbstractInterpreterInlines.h:
(JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
* dfg/DFGAdaptiveInferredPropertyValueWatchpoint.cpp: Added.
(JSC::DFG::AdaptiveInferredPropertyValueWatchpoint::AdaptiveInferredPropertyValueWatchpoint):
(JSC::DFG::AdaptiveInferredPropertyValueWatchpoint::install):
(JSC::DFG::AdaptiveInferredPropertyValueWatchpoint::fire):
(JSC::DFG::AdaptiveInferredPropertyValueWatchpoint::StructureWatchpoint::fireInternal):
(JSC::DFG::AdaptiveInferredPropertyValueWatchpoint::PropertyWatchpoint::fireInternal):
* dfg/DFGAdaptiveInferredPropertyValueWatchpoint.h: Added.
(JSC::DFG::AdaptiveInferredPropertyValueWatchpoint::key):
(JSC::DFG::AdaptiveInferredPropertyValueWatchpoint::StructureWatchpoint::StructureWatchpoint):
(JSC::DFG::AdaptiveInferredPropertyValueWatchpoint::PropertyWatchpoint::PropertyWatchpoint):
* dfg/DFGAdaptiveStructureWatchpoint.cpp: Added.
(JSC::DFG::AdaptiveStructureWatchpoint::AdaptiveStructureWatchpoint):
(JSC::DFG::AdaptiveStructureWatchpoint::install):
(JSC::DFG::AdaptiveStructureWatchpoint::fireInternal):
* dfg/DFGAdaptiveStructureWatchpoint.h: Added.
(JSC::DFG::AdaptiveStructureWatchpoint::key):
* dfg/DFGByteCodeParser.cpp:
(JSC::DFG::ByteCodeParser::cellConstantWithStructureCheck):
(JSC::DFG::ByteCodeParser::handleConstantInternalFunction):
(JSC::DFG::ByteCodeParser::handleGetByOffset):
(JSC::DFG::ByteCodeParser::handlePutByOffset):
(JSC::DFG::ByteCodeParser::check):
(JSC::DFG::ByteCodeParser::promoteToConstant):
(JSC::DFG::ByteCodeParser::planLoad):
(JSC::DFG::ByteCodeParser::load):
(JSC::DFG::ByteCodeParser::presenceLike):
(JSC::DFG::ByteCodeParser::checkPresenceLike):
(JSC::DFG::ByteCodeParser::store):
(JSC::DFG::ByteCodeParser::handleGetById):
(JSC::DFG::ByteCodeParser::handlePutById):
(JSC::DFG::ByteCodeParser::parseBlock):
(JSC::DFG::ByteCodeParser::emitChecks): Deleted.
* dfg/DFGCommonData.cpp:
(JSC::DFG::CommonData::validateReferences):
* dfg/DFGCommonData.h:
* dfg/DFGConstantFoldingPhase.cpp:
(JSC::DFG::ConstantFoldingPhase::foldConstants):
(JSC::DFG::ConstantFoldingPhase::emitGetByOffset):
(JSC::DFG::ConstantFoldingPhase::addBaseCheck):
(JSC::DFG::ConstantFoldingPhase::addStructureTransitionCheck):
(JSC::DFG::ConstantFoldingPhase::addChecks): Deleted.
* dfg/DFGDesiredWatchpoints.cpp:
(JSC::DFG::ArrayBufferViewWatchpointAdaptor::add):
(JSC::DFG::InferredValueAdaptor::add):
(JSC::DFG::AdaptiveStructureWatchpointAdaptor::add):
(JSC::DFG::DesiredWatchpoints::DesiredWatchpoints):
(JSC::DFG::DesiredWatchpoints::addLazily):
(JSC::DFG::DesiredWatchpoints::consider):
(JSC::DFG::DesiredWatchpoints::reallyAdd):
(JSC::DFG::DesiredWatchpoints::areStillValid):
(JSC::DFG::DesiredWatchpoints::dumpInContext):
* dfg/DFGDesiredWatchpoints.h:
(JSC::DFG::SetPointerAdaptor::add):
(JSC::DFG::SetPointerAdaptor::hasBeenInvalidated):
(JSC::DFG::SetPointerAdaptor::dumpInContext):
(JSC::DFG::InferredValueAdaptor::hasBeenInvalidated):
(JSC::DFG::InferredValueAdaptor::dumpInContext):
(JSC::DFG::ArrayBufferViewWatchpointAdaptor::hasBeenInvalidated):
(JSC::DFG::ArrayBufferViewWatchpointAdaptor::dumpInContext):
(JSC::DFG::AdaptiveStructureWatchpointAdaptor::hasBeenInvalidated):
(JSC::DFG::AdaptiveStructureWatchpointAdaptor::dumpInContext):
(JSC::DFG::GenericDesiredWatchpoints::reallyAdd):
(JSC::DFG::GenericDesiredWatchpoints::isWatched):
(JSC::DFG::GenericDesiredWatchpoints::dumpInContext):
(JSC::DFG::DesiredWatchpoints::isWatched):
(JSC::DFG::GenericSetAdaptor::add): Deleted.
(JSC::DFG::GenericSetAdaptor::hasBeenInvalidated): Deleted.
* dfg/DFGDesiredWeakReferences.cpp:
(JSC::DFG::DesiredWeakReferences::addLazily):
(JSC::DFG::DesiredWeakReferences::contains):
* dfg/DFGDesiredWeakReferences.h:
* dfg/DFGGraph.cpp:
(JSC::DFG::Graph::dump):
(JSC::DFG::Graph::clearFlagsOnAllNodes):
(JSC::DFG::Graph::watchCondition):
(JSC::DFG::Graph::isSafeToLoad):
(JSC::DFG::Graph::livenessFor):
(JSC::DFG::Graph::tryGetConstantProperty):
(JSC::DFG::Graph::visitChildren):
* dfg/DFGGraph.h:
(JSC::DFG::Graph::identifiers):
(JSC::DFG::Graph::watchpoints):
* dfg/DFGMultiGetByOffsetData.cpp: Added.
(JSC::DFG::GetByOffsetMethod::dumpInContext):
(JSC::DFG::GetByOffsetMethod::dump):
(JSC::DFG::MultiGetByOffsetCase::dumpInContext):
(JSC::DFG::MultiGetByOffsetCase::dump):
(WTF::printInternal):
* dfg/DFGMultiGetByOffsetData.h: Added.
(JSC::DFG::GetByOffsetMethod::GetByOffsetMethod):
(JSC::DFG::GetByOffsetMethod::constant):
(JSC::DFG::GetByOffsetMethod::load):
(JSC::DFG::GetByOffsetMethod::loadFromPrototype):
(JSC::DFG::GetByOffsetMethod::operator!):
(JSC::DFG::GetByOffsetMethod::kind):
(JSC::DFG::GetByOffsetMethod::prototype):
(JSC::DFG::GetByOffsetMethod::offset):
(JSC::DFG::MultiGetByOffsetCase::MultiGetByOffsetCase):
(JSC::DFG::MultiGetByOffsetCase::set):
(JSC::DFG::MultiGetByOffsetCase::method):
* dfg/DFGNode.h:
* dfg/DFGSafeToExecute.h:
(JSC::DFG::safeToExecute):
* dfg/DFGStructureRegistrationPhase.cpp:
(JSC::DFG::StructureRegistrationPhase::run):
* ftl/FTLLowerDFGToLLVM.cpp:
(JSC::FTL::DFG::LowerDFGToLLVM::compileMultiGetByOffset):
* jit/Repatch.cpp:
(JSC::repatchByIdSelfAccess):
(JSC::checkObjectPropertyCondition):
(JSC::checkObjectPropertyConditions):
(JSC::replaceWithJump):
(JSC::generateByIdStub):
(JSC::actionForCell):
(JSC::tryBuildGetByIDList):
(JSC::emitPutReplaceStub):
(JSC::emitPutTransitionStub):
(JSC::tryCachePutByID):
(JSC::tryBuildPutByIdList):
(JSC::tryRepatchIn):
(JSC::addStructureTransitionCheck): Deleted.
(JSC::emitPutTransitionStubAndGetOldStructure): Deleted.
* runtime/IntendedStructureChain.cpp: Removed.
* runtime/IntendedStructureChain.h: Removed.
* runtime/JSCJSValue.h:
* runtime/JSObject.cpp:
(JSC::throwTypeError):
(JSC::JSObject::convertToDictionary):
(JSC::JSObject::shiftButterflyAfterFlattening):
* runtime/JSObject.h:
(JSC::JSObject::flattenDictionaryObject):
(JSC::JSObject::convertToDictionary): Deleted.
* runtime/Operations.h:
(JSC::normalizePrototypeChain):
(JSC::normalizePrototypeChainForChainAccess): Deleted.
(JSC::isPrototypeChainNormalized): Deleted.
* runtime/PropertySlot.h:
(JSC::PropertySlot::PropertySlot):
(JSC::PropertySlot::slotBase):
* runtime/Structure.cpp:
(JSC::Structure::addPropertyTransition):
(JSC::Structure::attributeChangeTransition):
(JSC::Structure::toDictionaryTransition):
(JSC::Structure::toCacheableDictionaryTransition):
(JSC::Structure::toUncacheableDictionaryTransition):
(JSC::Structure::ensurePropertyReplacementWatchpointSet):
(JSC::Structure::startWatchingPropertyForReplacements):
(JSC::Structure::didCachePropertyReplacement):
(JSC::Structure::dump):
* runtime/Structure.h:
* runtime/VM.h:
* tests/stress/fold-multi-get-by-offset-to-get-by-offset-without-folding-the-structure-check-new.js: Added.
(foo):
(bar):
(baz):
* tests/stress/multi-get-by-offset-self-or-proto.js: Added.
(foo):
* tests/stress/replacement-watchpoint-dictionary.js: Added.
(foo):
* tests/stress/replacement-watchpoint.js: Added.
(foo):
* tests/stress/undefined-access-dictionary-then-proto-change.js: Added.
(foo):
* tests/stress/undefined-access-then-proto-change.js: Added.
(foo):
LayoutTests:
* js/regress/global-object-access-with-mutating-structure-expected.txt: Added.
* js/regress/global-object-access-with-mutating-structure.html: Added.
* js/regress/prototype-access-with-mutating-prototype-expected.txt: Added.
* js/regress/prototype-access-with-mutating-prototype.html: Added.
* js/regress/script-tests/global-object-access-with-mutating-structure.js: Added.
(foo):
* js/regress/script-tests/prototype-access-with-mutating-prototype.js: Added.
(foo):
* js/regress/script-tests/undefined-property-access.js:
(foo):
(bar):
(baz):
Canonical link: https://commits.webkit.org/165654@main
git-svn-id: https://svn.webkit.org/repository/webkit/trunk@187780 268f45cc-cd09-0410-ab3c-d52691b4dbfc
2015-08-03 23:13:56 +00:00
|
|
|
|
2021-04-18 08:06:48 +00:00
|
|
|
for (auto& watchpoint : m_adaptiveStructureWatchpoints)
|
|
|
|
watchpoint.key().validateReferences(trackedReferences);
|
DFG fragile frozen values are fundamentally broken
https://bugs.webkit.org/show_bug.cgi?id=146602
Reviewed by Mark Lam.
This change gets rid of the FragileValue value strength, because it was fundamentally
broken.
FragileValue was a value known to the compiler but not tracked by the GC in any way -
it wasn't marked and it wasn't weak. This was used to support AI bootstrap for OSR
must-handle values. The philosophy was that if the compiler did use the value for
optimization, it would have been strengthened to a weak value (or maybe even a strong
value, though we probably won't do that). But this was too much of a pipe dream. I've
found at least one case where the compiler did use the value, but never strengthened
it: it would happen if the value ended up in an OSR entry data expected value. Then if
we GCed, we might have killed the value, but OSR entry would still try to use it for
validation. That might have sort of just worked, but it's clearly shady.
The reason why we made must-handle values fragile and not weak is that most of the time
the values disappear from the abstract state: they are LUBed to a non-constant. If we
kept them around as weak, we'd have too many cases of the GC killing the code because
it thought that the value was somehow meaningful to the code when it was only used as a
temporary artifact of optimization.
So, it's true that it's very important for must-handle values not to automatically be
weak or strong. It's also true that the values are necessary for AI bootstrap because
we need to know what values OSR entry will require. But we shouldn't accomplish these
goals by having the compiler hold onto what are essentially dangling pointers.
This implements a better solution: instead of having InPlaceAbstractState bootstrap the
AI with must-handle values at the beginning, we now widen the valuesAtHead of the
must-handle block after AI converges. This widening is done in CFAPhase. This allows us
to see if the must-handle values are necessary at all. In most cases, the widening
takes a non-constant abstract value and simply amends something to its type based on
the type of the must-handle value, and so the must-handle value never actually shows up
in either the IR or any abstract value. In the unlikely event that the value at head is
bottom, we freeze the must-handle value. This change removes FragileValue, and this
freezing uses WeakValue as the strength. That makes sense: since the abstract value was
bottom, the must-handle value becomes integral to the IR and so it makes no sense for
the GC to keep the resulting CodeBlock alive if that must-handle value dies. This will
sometimes happen for example if you have a very long-running loop whose pre-header
allocates some object, but that pre-header appears to always exit to the optimizing JIT
because it was only profiled once in the LLInt and that profiling appears insufficient
to the DFG. In that case, we'll effectively constant-fold the references to the object
inside the loop, which is both efficient (yay constant folding!) and necessary
(otherwise we wouldn't know what the type of the variable should have been).
Testing and debugging this is complicated. So, this adds some new capabilities:
- DFG IR dumps also dump all of the FrozenValues that point to the heap along with
their strengths, so that it's easy to see what GC objects the DFG feels are necessary
for the compilation.
- DFG OSR entry preparation prints out the OSR entry data structures, so that it's easy
to see what GC pointers (and other things) are used for OSR entry validation. The
printouts are quite detailed, and should also help other kinds of OSR entry
debugging.
- DFG::Plan now validates whether all of the GC pointers planted in the various JITCode
data structures are also properly registered as either weak or strong pointers in the
CodeBlock. This validation check previously failed due to fragile values ending up in
the OSR entry data structures, both in the newly added test (dead-osr-entry-value.js)
and in some pre-existing tests (like earley-boyer and 3d-raytrace).
* CMakeLists.txt:
* JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
* JavaScriptCore.xcodeproj/project.pbxproj:
* bytecode/CodeBlock.cpp:
(JSC::CodeBlock::stronglyVisitStrongReferences):
* bytecode/CodeOrigin.cpp:
(JSC::InlineCallFrame::visitAggregate):
* bytecode/Operands.h:
(JSC::Operands::operand):
(JSC::Operands::hasOperand):
* bytecode/StructureSet.cpp:
(JSC::StructureSet::dump):
(JSC::StructureSet::validateReferences):
* bytecode/StructureSet.h:
* bytecode/TrackedReferences.cpp: Added.
(JSC::TrackedReferences::TrackedReferences):
(JSC::TrackedReferences::~TrackedReferences):
(JSC::TrackedReferences::add):
(JSC::TrackedReferences::check):
(JSC::TrackedReferences::dump):
* bytecode/TrackedReferences.h: Added.
* dfg/DFGAbstractValue.cpp:
(JSC::DFG::AbstractValue::observeTransitions):
(JSC::DFG::AbstractValue::set):
(JSC::DFG::AbstractValue::fixTypeForRepresentation):
(JSC::DFG::AbstractValue::mergeOSREntryValue):
(JSC::DFG::AbstractValue::filter):
(JSC::DFG::AbstractValue::dumpInContext):
(JSC::DFG::AbstractValue::validateReferences):
(JSC::DFG::AbstractValue::setOSREntryValue): Deleted.
* dfg/DFGAbstractValue.h:
(JSC::DFG::AbstractValue::fullTop):
(JSC::DFG::AbstractValue::merge):
* dfg/DFGByteCodeParser.cpp:
(JSC::DFG::ByteCodeParser::InlineStackEntry::InlineStackEntry):
* dfg/DFGCFAPhase.cpp:
(JSC::DFG::CFAPhase::run):
* dfg/DFGCommonData.cpp:
(JSC::DFG::CommonData::invalidate):
(JSC::DFG::CommonData::validateReferences):
* dfg/DFGCommonData.h:
(JSC::DFG::CommonData::requiredRegisterCountForExecutionAndExit):
* dfg/DFGFrozenValue.h:
(JSC::DFG::FrozenValue::FrozenValue):
(JSC::DFG::FrozenValue::strengthenTo):
(JSC::DFG::FrozenValue::pointsToHeap):
(JSC::DFG::FrozenValue::strength):
(JSC::DFG::FrozenValue::freeze):
* dfg/DFGGraph.cpp:
(JSC::DFG::Graph::Graph):
(JSC::DFG::Graph::dump):
(JSC::DFG::Graph::registerFrozenValues):
(JSC::DFG::Graph::visitChildren):
(JSC::DFG::Graph::freeze):
(JSC::DFG::Graph::freezeStrong):
(JSC::DFG::Graph::freezeFragile): Deleted.
* dfg/DFGGraph.h:
* dfg/DFGInPlaceAbstractState.cpp:
(JSC::DFG::InPlaceAbstractState::initialize):
* dfg/DFGJITCode.cpp:
(JSC::DFG::JITCode::setOptimizationThresholdBasedOnCompilationResult):
(JSC::DFG::JITCode::validateReferences):
* dfg/DFGJITCode.h:
* dfg/DFGJITCompiler.cpp:
(JSC::DFG::JITCompiler::addressOfDoubleConstant):
(JSC::DFG::JITCompiler::noticeOSREntry):
* dfg/DFGJITCompiler.h:
(JSC::DFG::JITCompiler::branchStructurePtr):
(JSC::DFG::JITCompiler::jitCode):
(JSC::DFG::JITCompiler::noticeOSREntry): Deleted.
* dfg/DFGMinifiedGraph.cpp: Added.
(JSC::DFG::MinifiedGraph::prepareAndShrink):
(JSC::DFG::MinifiedGraph::validateReferences):
* dfg/DFGMinifiedGraph.h:
(JSC::DFG::MinifiedGraph::append):
(JSC::DFG::MinifiedGraph::prepareAndShrink): Deleted.
* dfg/DFGOSREntry.cpp:
(JSC::DFG::OSREntryData::dumpInContext):
(JSC::DFG::OSREntryData::dump):
(JSC::DFG::prepareOSREntry):
* dfg/DFGOSREntry.h:
(JSC::DFG::getOSREntryDataBytecodeIndex):
* dfg/DFGPlan.cpp:
(JSC::DFG::Plan::finalizeWithoutNotifyingCallback):
* dfg/DFGSpeculativeJIT.cpp:
(JSC::DFG::SpeculativeJIT::linkOSREntries):
(JSC::DFG::SpeculativeJIT::compileDoublePutByVal):
* dfg/DFGStructureAbstractValue.cpp:
(JSC::DFG::StructureAbstractValue::dump):
(JSC::DFG::StructureAbstractValue::validateReferences):
* dfg/DFGStructureAbstractValue.h:
* dfg/DFGValidate.cpp:
(JSC::DFG::Validate::validate):
* dfg/DFGValueStrength.cpp:
(WTF::printInternal):
* dfg/DFGValueStrength.h:
(JSC::DFG::merge):
* ftl/FTLExitPropertyValue.cpp:
(JSC::FTL::ExitPropertyValue::dump):
(JSC::FTL::ExitPropertyValue::validateReferences):
* ftl/FTLExitPropertyValue.h:
* ftl/FTLExitTimeObjectMaterialization.cpp:
(JSC::FTL::ExitTimeObjectMaterialization::dump):
(JSC::FTL::ExitTimeObjectMaterialization::validateReferences):
* ftl/FTLExitTimeObjectMaterialization.h:
* ftl/FTLExitValue.cpp:
(JSC::FTL::ExitValue::dump):
(JSC::FTL::ExitValue::validateReferences):
* ftl/FTLExitValue.h:
* ftl/FTLJITCode.cpp:
(JSC::FTL::JITCode::dfgCommon):
(JSC::FTL::JITCode::validateReferences):
* ftl/FTLJITCode.h:
(JSC::FTL::JITCode::handles):
(JSC::FTL::JITCode::dataSections):
* ftl/FTLOSRExit.cpp:
(JSC::FTL::OSRExit::codeLocationForRepatch):
(JSC::FTL::OSRExit::validateReferences):
* ftl/FTLOSRExit.h:
(JSC::FTL::OSRExit::considerAddingAsFrequentExitSite):
* jit/JITCode.cpp:
(JSC::JITCode::typeName):
(JSC::JITCode::validateReferences):
(JSC::JITCode::execute):
* jit/JITCode.h:
(JSC::JITCode::start):
* tests/stress/dead-osr-entry-value.js: Added.
(foo):
Canonical link: https://commits.webkit.org/164928@main
git-svn-id: https://svn.webkit.org/repository/webkit/trunk@186691 268f45cc-cd09-0410-ab3c-d52691b4dbfc
2015-07-10 21:19:51 +00:00
|
|
|
}
|
|
|
|
|
2021-04-15 07:03:38 +00:00
|
|
|
void CommonData::finalizeCatchEntrypoints(Vector<CatchEntrypointData>&& catchEntrypoints)
|
2017-09-05 03:21:33 +00:00
|
|
|
{
|
|
|
|
std::sort(catchEntrypoints.begin(), catchEntrypoints.end(),
|
|
|
|
[] (const CatchEntrypointData& a, const CatchEntrypointData& b) { return a.bytecodeIndex < b.bytecodeIndex; });
|
2021-04-15 07:03:38 +00:00
|
|
|
ASSERT(m_catchEntrypoints.isEmpty());
|
|
|
|
m_catchEntrypoints = WTFMove(catchEntrypoints);
|
2017-09-05 03:21:33 +00:00
|
|
|
|
PerformanceTests:
Convert ASSERT_DISABLED to ASSERT_ENABLED, and fix some tests of NDEBUG that should actually test for ASSERT_ENABLED.
https://bugs.webkit.org/show_bug.cgi?id=205776
Reviewed by Saam Barati.
* JetStream2/wasm/HashSet.cpp:
* StitchMarker/wtf/Assertions.h:
* StitchMarker/wtf/DateMath.cpp:
(WTF::initializeDates):
* StitchMarker/wtf/HashTable.h:
* StitchMarker/wtf/Hasher.h:
(WTF::StringHasher::addCharacters):
* StitchMarker/wtf/NeverDestroyed.h:
(WTF::LazyNeverDestroyed::construct):
* StitchMarker/wtf/StackBounds.h:
(WTF::StackBounds::checkConsistency const):
* StitchMarker/wtf/ValueCheck.h:
* StitchMarker/wtf/Vector.h:
(WTF::minCapacity>::checkConsistency):
* StitchMarker/wtf/text/AtomicStringImpl.cpp:
* StitchMarker/wtf/text/AtomicStringImpl.h:
* StitchMarker/wtf/text/StringCommon.h:
(WTF::hasPrefixWithLettersIgnoringASCIICaseCommon):
* StitchMarker/wtf/text/StringImpl.h:
* StitchMarker/wtf/text/SymbolImpl.h:
* StitchMarker/wtf/text/UniquedStringImpl.h:
Source/JavaScriptCore:
Convert ASSERT_DISABLED to ASSERT_ENABLED, and fix some tests of NDEBUG that should actually test for ASSERT_ENABLED.
https://bugs.webkit.org/show_bug.cgi?id=205776
Reviewed by Saam Barati.
* API/tests/testapi.c:
* assembler/ARM64Assembler.h:
(JSC::ARM64Assembler::replaceWithLoad):
(JSC::ARM64Assembler::replaceWithAddressComputation):
* assembler/AssemblerBuffer.h:
(JSC::AssemblerBuffer::LocalWriter::LocalWriter):
* assembler/LinkBuffer.cpp:
(JSC::LinkBuffer::copyCompactAndLinkCode):
* assembler/ProbeStack.cpp:
(JSC::Probe::Stack::Stack):
* assembler/ProbeStack.h:
* b3/B3FoldPathConstants.cpp:
* b3/B3LowerToAir.cpp:
* b3/B3MemoryValue.cpp:
(JSC::B3::MemoryValue::MemoryValue):
* b3/B3Opcode.cpp:
* b3/B3Type.h:
* b3/B3TypeMap.h:
* b3/B3Width.h:
* b3/air/AirAllocateRegistersAndStackAndGenerateCode.cpp:
(JSC::B3::Air::GenerateAndAllocateRegisters::prepareForGeneration):
(JSC::B3::Air::GenerateAndAllocateRegisters::generate):
* b3/air/AirAllocateRegistersAndStackAndGenerateCode.h:
* b3/air/AirAllocateRegistersByGraphColoring.cpp:
* b3/air/AirArg.cpp:
* b3/air/AirArg.h:
* b3/air/AirCode.h:
* b3/air/AirEmitShuffle.cpp:
(JSC::B3::Air::emitShuffle):
* builtins/BuiltinExecutables.cpp:
(JSC::BuiltinExecutables::createExecutable):
* bytecode/AccessCase.cpp:
* bytecode/AccessCase.h:
* bytecode/CallVariant.cpp:
(JSC::variantListWithVariant):
* bytecode/CodeBlock.cpp:
(JSC::CodeBlock::ensureCatchLivenessIsComputedForBytecodeIndex):
* bytecode/CodeBlockHash.cpp:
(JSC::CodeBlockHash::dump const):
* bytecode/StructureStubInfo.cpp:
* bytecode/StructureStubInfo.h:
* bytecompiler/NodesCodegen.cpp:
(JSC::FunctionCallResolveNode::emitBytecode):
* bytecompiler/RegisterID.h:
(JSC::RegisterID::RegisterID):
(JSC::RegisterID::setIndex):
* debugger/Debugger.cpp:
(JSC::Debugger::removeBreakpoint):
* debugger/DebuggerEvalEnabler.h:
(JSC::DebuggerEvalEnabler::DebuggerEvalEnabler):
(JSC::DebuggerEvalEnabler::~DebuggerEvalEnabler):
* dfg/DFGAbstractInterpreterInlines.h:
(JSC::DFG::AbstractInterpreter<AbstractStateType>::observeTransitions):
* dfg/DFGAbstractValue.cpp:
* dfg/DFGAbstractValue.h:
(JSC::DFG::AbstractValue::merge):
(JSC::DFG::AbstractValue::checkConsistency const):
(JSC::DFG::AbstractValue::assertIsRegistered const):
* dfg/DFGArithMode.h:
(JSC::DFG::doesOverflow):
* dfg/DFGBasicBlock.cpp:
(JSC::DFG::BasicBlock::BasicBlock):
* dfg/DFGBasicBlock.h:
(JSC::DFG::BasicBlock::didLink):
* dfg/DFGCFAPhase.cpp:
(JSC::DFG::CFAPhase::performBlockCFA):
* dfg/DFGCommon.h:
(JSC::DFG::validationEnabled):
* dfg/DFGCommonData.cpp:
(JSC::DFG::CommonData::finalizeCatchEntrypoints):
* dfg/DFGDesiredWatchpoints.h:
* dfg/DFGDoesGC.cpp:
(JSC::DFG::doesGC):
* dfg/DFGEdge.h:
(JSC::DFG::Edge::makeWord):
* dfg/DFGFixupPhase.cpp:
(JSC::DFG::FixupPhase::fixupNode):
* dfg/DFGJITCode.cpp:
(JSC::DFG::JITCode::finalizeOSREntrypoints):
* dfg/DFGObjectAllocationSinkingPhase.cpp:
* dfg/DFGSSAConversionPhase.cpp:
(JSC::DFG::SSAConversionPhase::run):
* dfg/DFGScoreBoard.h:
(JSC::DFG::ScoreBoard::assertClear):
* dfg/DFGSlowPathGenerator.h:
(JSC::DFG::SlowPathGenerator::generate):
* dfg/DFGSpeculativeJIT.cpp:
(JSC::DFG::SpeculativeJIT::compileCurrentBlock):
(JSC::DFG::SpeculativeJIT::emitBinarySwitchStringRecurse):
(JSC::DFG::SpeculativeJIT::emitAllocateButterfly):
(JSC::DFG::SpeculativeJIT::compileAllocateNewArrayWithSize):
(JSC::DFG::SpeculativeJIT::compileMakeRope):
* dfg/DFGSpeculativeJIT64.cpp:
(JSC::DFG::SpeculativeJIT::fillSpeculateCell):
* dfg/DFGStructureAbstractValue.cpp:
* dfg/DFGStructureAbstractValue.h:
(JSC::DFG::StructureAbstractValue::assertIsRegistered const):
* dfg/DFGVarargsForwardingPhase.cpp:
* dfg/DFGVirtualRegisterAllocationPhase.cpp:
(JSC::DFG::VirtualRegisterAllocationPhase::run):
* ftl/FTLLink.cpp:
(JSC::FTL::link):
* ftl/FTLLowerDFGToB3.cpp:
(JSC::FTL::DFG::LowerDFGToB3::callPreflight):
(JSC::FTL::DFG::LowerDFGToB3::callCheck):
(JSC::FTL::DFG::LowerDFGToB3::crash):
* ftl/FTLOperations.cpp:
(JSC::FTL::operationMaterializeObjectInOSR):
* heap/BlockDirectory.cpp:
(JSC::BlockDirectory::assertNoUnswept):
* heap/GCSegmentedArray.h:
(JSC::GCArraySegment::GCArraySegment):
* heap/GCSegmentedArrayInlines.h:
(JSC::GCSegmentedArray<T>::clear):
(JSC::GCSegmentedArray<T>::expand):
(JSC::GCSegmentedArray<T>::validatePrevious):
* heap/HandleSet.cpp:
* heap/HandleSet.h:
* heap/Heap.cpp:
(JSC::Heap::updateAllocationLimits):
* heap/Heap.h:
* heap/MarkedBlock.cpp:
* heap/MarkedBlock.h:
(JSC::MarkedBlock::assertValidCell const):
(JSC::MarkedBlock::assertMarksNotStale):
* heap/MarkedSpace.cpp:
(JSC::MarkedSpace::beginMarking):
(JSC::MarkedSpace::endMarking):
(JSC::MarkedSpace::assertNoUnswept):
* heap/PreciseAllocation.cpp:
* heap/PreciseAllocation.h:
(JSC::PreciseAllocation::assertValidCell const):
* heap/SlotVisitor.cpp:
(JSC::SlotVisitor::SlotVisitor):
(JSC::SlotVisitor::appendJSCellOrAuxiliary):
* heap/SlotVisitor.h:
* inspector/InspectorProtocolTypes.h:
(Inspector::Protocol::BindingTraits<JSON::ArrayOf<T>>::assertValueHasExpectedType):
* inspector/scripts/codegen/generate_cpp_protocol_types_implementation.py:
(CppProtocolTypesImplementationGenerator._generate_assertion_for_object_declaration):
(CppProtocolTypesImplementationGenerator):
(CppProtocolTypesImplementationGenerator._generate_assertion_for_enum):
* inspector/scripts/tests/generic/expected/type-requiring-runtime-casts.json-result:
* interpreter/FrameTracers.h:
(JSC::JITOperationPrologueCallFrameTracer::JITOperationPrologueCallFrameTracer):
* interpreter/Interpreter.cpp:
(JSC::Interpreter::Interpreter):
* interpreter/Interpreter.h:
* jit/AssemblyHelpers.cpp:
(JSC::AssemblyHelpers::emitStoreStructureWithTypeInfo):
* jit/AssemblyHelpers.h:
(JSC::AssemblyHelpers::prepareCallOperation):
* jit/BinarySwitch.cpp:
(JSC::BinarySwitch::BinarySwitch):
* jit/CCallHelpers.h:
(JSC::CCallHelpers::setupStubArgs):
* jit/CallFrameShuffler.cpp:
(JSC::CallFrameShuffler::emitDeltaCheck):
(JSC::CallFrameShuffler::prepareAny):
* jit/JIT.cpp:
(JSC::JIT::assertStackPointerOffset):
(JSC::JIT::compileWithoutLinking):
* jit/JITOpcodes.cpp:
(JSC::JIT::emitSlow_op_loop_hint):
* jit/JITPropertyAccess.cpp:
(JSC::JIT::emit_op_get_from_scope):
* jit/JITPropertyAccess32_64.cpp:
(JSC::JIT::emit_op_get_from_scope):
* jit/Repatch.cpp:
(JSC::linkPolymorphicCall):
* jit/ThunkGenerators.cpp:
(JSC::emitPointerValidation):
* llint/LLIntData.cpp:
(JSC::LLInt::Data::performAssertions):
* llint/LLIntOfflineAsmConfig.h:
* parser/Lexer.cpp:
* parser/Lexer.h:
(JSC::isSafeBuiltinIdentifier):
(JSC::Lexer<T>::lexExpectIdentifier):
* runtime/ArgList.h:
(JSC::MarkedArgumentBuffer::setNeedsOverflowCheck):
(JSC::MarkedArgumentBuffer::clearNeedsOverflowCheck):
* runtime/Butterfly.h:
(JSC::ContiguousData::ContiguousData):
(JSC::ContiguousData::Data::Data):
* runtime/HashMapImpl.h:
(JSC::HashMapImpl::checkConsistency const):
(JSC::HashMapImpl::assertBufferIsEmpty const):
* runtime/JSCellInlines.h:
(JSC::JSCell::methodTable const):
* runtime/JSFunction.cpp:
* runtime/JSFunction.h:
(JSC::JSFunction::assertTypeInfoFlagInvariants):
* runtime/JSGlobalObject.cpp:
(JSC::JSGlobalObject::init):
* runtime/JSGlobalObject.h:
* runtime/JSObject.cpp:
(JSC::JSObject::visitChildren):
(JSC::JSFinalObject::visitChildren):
* runtime/JSObjectInlines.h:
(JSC::JSObject::validatePutOwnDataProperty):
* runtime/JSSegmentedVariableObject.h:
(JSC::JSSegmentedVariableObject::assertVariableIsInThisObject):
* runtime/LiteralParser.cpp:
(JSC::LiteralParser<CharType>::Lexer::lex):
* runtime/LiteralParser.h:
* runtime/Operations.h:
(JSC::scribbleFreeCells):
* runtime/OptionsList.h:
* runtime/VM.cpp:
(JSC::VM::computeCanUseJIT):
* runtime/VM.h:
(JSC::VM::canUseJIT):
* runtime/VarOffset.h:
(JSC::VarOffset::checkSanity const):
* runtime/WeakMapImpl.h:
(JSC::WeakMapImpl::checkConsistency const):
(JSC::WeakMapImpl::assertBufferIsEmpty const):
* wasm/WasmAirIRGenerator.cpp:
(JSC::Wasm::AirIRGenerator::validateInst):
* wasm/WasmB3IRGenerator.cpp:
(JSC::Wasm::parseAndCompile):
* wasm/WasmFunctionParser.h:
(JSC::Wasm::FunctionParser::validationFail const):
* wasm/WasmLLIntGenerator.cpp:
(JSC::Wasm::LLIntGenerator::checkConsistency):
* wasm/WasmPlan.cpp:
(JSC::Wasm::Plan::tryRemoveContextAndCancelIfLast):
* wasm/WasmSectionParser.h:
* wasm/WasmSections.h:
* wasm/WasmSignatureInlines.h:
(JSC::Wasm::SignatureInformation::get):
* wasm/WasmWorklist.cpp:
(JSC::Wasm::Worklist::enqueue):
* wasm/js/JSToWasm.cpp:
(JSC::Wasm::createJSToWasmWrapper):
* wasm/js/WebAssemblyFunction.cpp:
(JSC::WebAssemblyFunction::previousInstanceOffset const):
Source/WebCore:
Convert ASSERT_DISABLED to ASSERT_ENABLED, and fix some tests of NDEBUG that should actually test for ASSERT_ENABLED.
https://bugs.webkit.org/show_bug.cgi?id=205776
Reviewed by Saam Barati.
* Modules/fetch/FetchBodySource.cpp:
(WebCore::FetchBodySource::close):
* Modules/fetch/FetchBodySource.h:
* Modules/webdatabase/DatabaseDetails.h:
(WebCore::DatabaseDetails::DatabaseDetails):
(WebCore::DatabaseDetails::operator=):
* Modules/webdatabase/DatabaseTask.cpp:
(WebCore::DatabaseTask::performTask):
* Modules/webdatabase/DatabaseTask.h:
* Modules/webdatabase/DatabaseThread.cpp:
(WebCore::DatabaseThread::terminationRequested const):
* Modules/webgpu/WHLSL/AST/WHLSLAddressSpace.h:
(WebCore::WHLSL::AST::TypeAnnotation::TypeAnnotation):
* Modules/webgpu/WHLSL/WHLSLHighZombieFinder.cpp:
(WebCore::WHLSL::findHighZombies):
* Modules/webgpu/WHLSL/WHLSLInferTypes.cpp:
(WebCore::WHLSL::matches):
* Modules/webgpu/WHLSL/WHLSLLiteralTypeChecker.cpp:
(WebCore::WHLSL::checkLiteralTypes):
* Modules/webgpu/WHLSL/WHLSLSynthesizeConstructors.cpp:
(WebCore::WHLSL::FindAllTypes::appendNamedType):
* bindings/js/JSCallbackData.h:
* bindings/js/JSLazyEventListener.cpp:
* bindings/js/JSLazyEventListener.h:
* contentextensions/ContentExtensionCompiler.cpp:
(WebCore::ContentExtensions::compileRuleList):
* css/CSSCalculationValue.cpp:
(WebCore::CSSCalcOperationNode::primitiveType const):
* css/CSSComputedStyleDeclaration.cpp:
(WebCore::ComputedStyleExtractor::valueForPropertyInStyle):
* css/CSSPrimitiveValue.cpp:
* css/CSSSelector.cpp:
(WebCore::CSSSelector::selectorText const):
* css/CSSStyleSheet.cpp:
* dom/ActiveDOMObject.cpp:
(WebCore::ActiveDOMObject::suspendIfNeeded):
(WebCore::ActiveDOMObject::assertSuspendIfNeededWasCalled const):
* dom/ActiveDOMObject.h:
* dom/ContainerNode.cpp:
* dom/ContainerNodeAlgorithms.cpp:
* dom/ContainerNodeAlgorithms.h:
* dom/CustomElementReactionQueue.cpp:
* dom/CustomElementReactionQueue.h:
(WebCore::CustomElementReactionDisallowedScope::CustomElementReactionDisallowedScope):
(WebCore::CustomElementReactionDisallowedScope::~CustomElementReactionDisallowedScope):
* dom/Document.cpp:
(WebCore::Document::hitTest):
* dom/Document.h:
(WebCore::Document::decrementReferencingNodeCount):
* dom/Element.cpp:
(WebCore::Element::addShadowRoot):
(WebCore::Element::getURLAttribute const):
(WebCore::Element::getNonEmptyURLAttribute const):
* dom/Element.h:
* dom/ElementAndTextDescendantIterator.h:
(WebCore::ElementAndTextDescendantIterator::ElementAndTextDescendantIterator):
(WebCore::ElementAndTextDescendantIterator::dropAssertions):
(WebCore::ElementAndTextDescendantIterator::popAncestorSiblingStack):
(WebCore::ElementAndTextDescendantIterator::traverseNextSibling):
(WebCore::ElementAndTextDescendantIterator::traversePreviousSibling):
* dom/ElementDescendantIterator.h:
(WebCore::ElementDescendantIterator::ElementDescendantIterator):
(WebCore::ElementDescendantIterator::dropAssertions):
(WebCore::ElementDescendantIterator::operator++):
(WebCore::ElementDescendantIterator::operator--):
(WebCore::ElementDescendantConstIterator::ElementDescendantConstIterator):
(WebCore::ElementDescendantConstIterator::dropAssertions):
(WebCore::ElementDescendantConstIterator::operator++):
* dom/ElementIterator.h:
(WebCore::ElementIterator<ElementType>::ElementIterator):
(WebCore::ElementIterator<ElementType>::traverseNext):
(WebCore::ElementIterator<ElementType>::traversePrevious):
(WebCore::ElementIterator<ElementType>::traverseNextSibling):
(WebCore::ElementIterator<ElementType>::traversePreviousSibling):
(WebCore::ElementIterator<ElementType>::traverseNextSkippingChildren):
(WebCore::ElementIterator<ElementType>::dropAssertions):
(WebCore::ElementIterator<ElementType>::traverseAncestor):
(WebCore::ElementConstIterator<ElementType>::ElementConstIterator):
(WebCore::ElementConstIterator<ElementType>::traverseNext):
(WebCore::ElementConstIterator<ElementType>::traversePrevious):
(WebCore::ElementConstIterator<ElementType>::traverseNextSibling):
(WebCore::ElementConstIterator<ElementType>::traversePreviousSibling):
(WebCore::ElementConstIterator<ElementType>::traverseNextSkippingChildren):
(WebCore::ElementConstIterator<ElementType>::traverseAncestor):
(WebCore::ElementConstIterator<ElementType>::dropAssertions):
* dom/EventContext.cpp:
* dom/EventContext.h:
* dom/EventListener.h:
* dom/EventPath.cpp:
* dom/EventSender.h:
* dom/EventTarget.cpp:
(WebCore::EventTarget::addEventListener):
(WebCore::EventTarget::setAttributeEventListener):
(WebCore::EventTarget::innerInvokeEventListeners):
* dom/Node.cpp:
(WebCore::Node::~Node):
(WebCore::Node::moveNodeToNewDocument):
(WebCore::Node::removedLastRef):
* dom/Node.h:
(WebCore::Node::deref const):
* dom/ScriptDisallowedScope.h:
(WebCore::ScriptDisallowedScope::InMainThread::isEventDispatchAllowedInSubtree):
* dom/ScriptExecutionContext.cpp:
(WebCore::ScriptExecutionContext::~ScriptExecutionContext):
* dom/ScriptExecutionContext.h:
* dom/SelectorQuery.cpp:
(WebCore::SelectorDataList::execute const):
* dom/SlotAssignment.cpp:
(WebCore::SlotAssignment::addSlotElementByName):
(WebCore::SlotAssignment::removeSlotElementByName):
(WebCore::SlotAssignment::resolveSlotsAfterSlotMutation):
(WebCore::SlotAssignment::findFirstSlotElement):
* dom/SlotAssignment.h:
* dom/TreeScopeOrderedMap.cpp:
(WebCore::TreeScopeOrderedMap::add):
(WebCore::TreeScopeOrderedMap::get const):
* dom/TreeScopeOrderedMap.h:
* fileapi/Blob.cpp:
* fileapi/Blob.h:
* history/BackForwardCache.cpp:
(WebCore::BackForwardCache::removeAllItemsForPage):
* history/BackForwardCache.h:
* html/CanvasBase.cpp:
(WebCore::CanvasBase::notifyObserversCanvasDestroyed):
* html/CanvasBase.h:
* html/HTMLCollection.h:
(WebCore::CollectionNamedElementCache::didPopulate):
* html/HTMLSelectElement.cpp:
(WebCore:: const):
* html/HTMLTableRowsCollection.cpp:
(WebCore::assertRowIsInTable):
* html/HTMLTextFormControlElement.cpp:
(WebCore::HTMLTextFormControlElement::indexForPosition const):
* html/canvas/CanvasRenderingContext2DBase.cpp:
(WebCore::CanvasRenderingContext2DBase::~CanvasRenderingContext2DBase):
* html/parser/HTMLParserScheduler.cpp:
(WebCore::HTMLParserScheduler::HTMLParserScheduler):
(WebCore::HTMLParserScheduler::suspend):
(WebCore::HTMLParserScheduler::resume):
* html/parser/HTMLParserScheduler.h:
* html/parser/HTMLToken.h:
(WebCore::HTMLToken::beginStartTag):
(WebCore::HTMLToken::beginEndTag):
(WebCore::HTMLToken::endAttribute):
* html/parser/HTMLTreeBuilder.cpp:
(WebCore::HTMLTreeBuilder::HTMLTreeBuilder):
(WebCore::HTMLTreeBuilder::constructTree):
* html/parser/HTMLTreeBuilder.h:
(WebCore::HTMLTreeBuilder::~HTMLTreeBuilder):
* layout/FormattingContext.cpp:
(WebCore::Layout::FormattingContext::geometryForBox const):
* layout/blockformatting/BlockFormattingContext.cpp:
(WebCore::Layout::BlockFormattingContext::computeEstimatedVerticalPosition):
* layout/blockformatting/BlockFormattingContext.h:
* layout/displaytree/DisplayBox.cpp:
(WebCore::Display::Box::Box):
* layout/displaytree/DisplayBox.h:
(WebCore::Display::Box::setTopLeft):
(WebCore::Display::Box::setTop):
(WebCore::Display::Box::setLeft):
(WebCore::Display::Box::setContentBoxHeight):
(WebCore::Display::Box::setContentBoxWidth):
(WebCore::Display::Box::setHorizontalMargin):
(WebCore::Display::Box::setVerticalMargin):
(WebCore::Display::Box::setHorizontalComputedMargin):
(WebCore::Display::Box::setBorder):
(WebCore::Display::Box::setPadding):
* layout/displaytree/DisplayInlineRect.h:
(WebCore::Display::InlineRect::InlineRect):
(WebCore::Display::InlineRect::setTopLeft):
(WebCore::Display::InlineRect::setTop):
(WebCore::Display::InlineRect::setBottom):
(WebCore::Display::InlineRect::setLeft):
(WebCore::Display::InlineRect::setWidth):
(WebCore::Display::InlineRect::setHeight):
* layout/displaytree/DisplayLineBox.h:
(WebCore::Display::LineBox::LineBox):
(WebCore::Display::LineBox::setBaselineOffsetIfGreater):
(WebCore::Display::LineBox::resetBaseline):
(WebCore::Display::LineBox::Baseline::Baseline):
(WebCore::Display::LineBox::Baseline::setAscent):
(WebCore::Display::LineBox::Baseline::setDescent):
(WebCore::Display::LineBox::Baseline::reset):
* layout/displaytree/DisplayRect.h:
(WebCore::Display::Rect::Rect):
(WebCore::Display::Rect::setTopLeft):
(WebCore::Display::Rect::setTop):
(WebCore::Display::Rect::setLeft):
(WebCore::Display::Rect::setWidth):
(WebCore::Display::Rect::setHeight):
(WebCore::Display::Rect::setSize):
(WebCore::Display::Rect::clone const):
* layout/floats/FloatingContext.cpp:
* layout/inlineformatting/InlineLineBuilder.cpp:
(WebCore::Layout::LineBuilder::CollapsibleContent::collapse):
* layout/tableformatting/TableGrid.cpp:
(WebCore::Layout::TableGrid::Column::setWidthConstraints):
(WebCore::Layout::TableGrid::Column::setLogicalWidth):
(WebCore::Layout::TableGrid::Column::setLogicalLeft):
* layout/tableformatting/TableGrid.h:
* loader/DocumentLoader.cpp:
(WebCore::DocumentLoader::continueAfterContentPolicy):
(WebCore::DocumentLoader::attachToFrame):
(WebCore::DocumentLoader::detachFromFrame):
(WebCore::DocumentLoader::addSubresourceLoader):
* loader/DocumentLoader.h:
* loader/ImageLoader.cpp:
* loader/cache/CachedResource.h:
* loader/cache/MemoryCache.cpp:
(WebCore::MemoryCache::lruListFor):
(WebCore::MemoryCache::removeFromLRUList):
* page/FrameView.cpp:
(WebCore::FrameView::updateLayoutAndStyleIfNeededRecursive):
* page/FrameViewLayoutContext.cpp:
* page/FrameViewLayoutContext.h:
* page/Page.cpp:
* page/Page.h:
* page/ViewportConfiguration.cpp:
* page/ViewportConfiguration.h:
* page/mac/EventHandlerMac.mm:
(WebCore::CurrentEventScope::CurrentEventScope):
* platform/DateComponents.cpp:
(WebCore::DateComponents::toStringForTime const):
* platform/ScrollableArea.cpp:
* platform/SharedBuffer.cpp:
(WebCore::SharedBuffer::combineIntoOneSegment const):
* platform/SharedBuffer.h:
* platform/Supplementable.h:
* platform/Timer.cpp:
(WebCore::TimerBase::checkHeapIndex const):
(WebCore::TimerBase::updateHeapIfNeeded):
* platform/graphics/BitmapImage.cpp:
* platform/graphics/BitmapImage.h:
* platform/graphics/Image.h:
* platform/graphics/ShadowBlur.cpp:
(WebCore::ScratchBuffer::ScratchBuffer):
(WebCore::ScratchBuffer::getScratchBuffer):
(WebCore::ScratchBuffer::scheduleScratchBufferPurge):
* platform/graphics/ca/win/CACFLayerTreeHost.cpp:
(WebCore::CACFLayerTreeHost::setWindow):
* platform/graphics/ca/win/CACFLayerTreeHost.h:
* platform/graphics/cg/ImageBufferDataCG.cpp:
(WebCore::ImageBufferData::putData):
* platform/graphics/cocoa/FontCacheCoreText.cpp:
* platform/graphics/gstreamer/GstAllocatorFastMalloc.cpp:
(gstAllocatorFastMallocFree):
* platform/graphics/nicosia/cairo/NicosiaPaintingContextCairo.cpp:
(Nicosia::PaintingContextCairo::ForPainting::ForPainting):
* platform/graphics/nicosia/texmap/NicosiaBackingStoreTextureMapperImpl.cpp:
(Nicosia::BackingStoreTextureMapperImpl::createTile):
* platform/graphics/nicosia/texmap/NicosiaContentLayerTextureMapperImpl.cpp:
(Nicosia::ContentLayerTextureMapperImpl::~ContentLayerTextureMapperImpl):
* platform/graphics/win/GradientDirect2D.cpp:
(WebCore::Gradient::fill):
* platform/graphics/win/ImageBufferDataDirect2D.cpp:
(WebCore::ImageBufferData::putData):
* platform/graphics/win/PathDirect2D.cpp:
(WebCore::Path::appendGeometry):
(WebCore::Path::Path):
(WebCore::Path::operator=):
(WebCore::Path::strokeContains const):
(WebCore::Path::transform):
* platform/graphics/win/PlatformContextDirect2D.cpp:
(WebCore::PlatformContextDirect2D::setTags):
* platform/mediastream/MediaStreamTrackPrivate.h:
* platform/mediastream/RealtimeOutgoingAudioSource.cpp:
(WebCore::RealtimeOutgoingAudioSource::~RealtimeOutgoingAudioSource):
* platform/mediastream/RealtimeOutgoingVideoSource.cpp:
(WebCore::RealtimeOutgoingVideoSource::~RealtimeOutgoingVideoSource):
* platform/network/HTTPParsers.cpp:
(WebCore::isCrossOriginSafeHeader):
* platform/sql/SQLiteDatabase.cpp:
* platform/sql/SQLiteDatabase.h:
* platform/sql/SQLiteStatement.cpp:
(WebCore::SQLiteStatement::SQLiteStatement):
(WebCore::SQLiteStatement::prepare):
(WebCore::SQLiteStatement::finalize):
* platform/sql/SQLiteStatement.h:
* platform/win/COMPtr.h:
* rendering/ComplexLineLayout.cpp:
(WebCore::ComplexLineLayout::removeInlineBox const):
* rendering/FloatingObjects.cpp:
(WebCore::FloatingObject::FloatingObject):
(WebCore::FloatingObjects::addPlacedObject):
(WebCore::FloatingObjects::removePlacedObject):
* rendering/FloatingObjects.h:
* rendering/GridTrackSizingAlgorithm.cpp:
* rendering/GridTrackSizingAlgorithm.h:
* rendering/LayoutDisallowedScope.cpp:
* rendering/LayoutDisallowedScope.h:
* rendering/RenderBlock.cpp:
* rendering/RenderBlock.h:
* rendering/RenderBlockFlow.cpp:
(WebCore::RenderBlockFlow::layoutBlockChild):
(WebCore::RenderBlockFlow::removeFloatingObject):
(WebCore::RenderBlockFlow::ensureLineBoxes):
* rendering/RenderBoxModelObject.cpp:
* rendering/RenderDeprecatedFlexibleBox.cpp:
(WebCore::RenderDeprecatedFlexibleBox::layoutBlock):
* rendering/RenderElement.cpp:
* rendering/RenderGeometryMap.cpp:
(WebCore::RenderGeometryMap::mapToContainer const):
* rendering/RenderGrid.cpp:
(WebCore::RenderGrid::placeItemsOnGrid const):
(WebCore::RenderGrid::baselinePosition const):
* rendering/RenderInline.cpp:
(WebCore::RenderInline::willBeDestroyed):
* rendering/RenderLayer.cpp:
(WebCore::ClipRectsCache::ClipRectsCache):
(WebCore::RenderLayer::RenderLayer):
(WebCore::RenderLayer::paintList):
(WebCore::RenderLayer::hitTestLayer):
(WebCore::RenderLayer::updateClipRects):
(WebCore::RenderLayer::calculateClipRects const):
* rendering/RenderLayer.h:
* rendering/RenderLayerBacking.cpp:
(WebCore::traverseVisibleNonCompositedDescendantLayers):
* rendering/RenderLayerCompositor.cpp:
(WebCore::RenderLayerCompositor::computeCompositingRequirements):
(WebCore::RenderLayerCompositor::traverseUnchangedSubtree):
(WebCore::RenderLayerCompositor::updateBackingAndHierarchy):
(WebCore::RenderLayerCompositor::addDescendantsToOverlapMapRecursive const):
(WebCore::RenderLayerCompositor::recursiveRepaintLayer):
(WebCore::RenderLayerCompositor::layerHas3DContent const):
* rendering/RenderLayoutState.cpp:
(WebCore::RenderLayoutState::RenderLayoutState):
(WebCore::RenderLayoutState::computeOffsets):
(WebCore::RenderLayoutState::addLayoutDelta):
* rendering/RenderLayoutState.h:
(WebCore::RenderLayoutState::RenderLayoutState):
* rendering/RenderObject.cpp:
(WebCore::RenderObject::RenderObject):
(WebCore::RenderObject::~RenderObject):
(WebCore::RenderObject::clearNeedsLayout):
* rendering/RenderObject.h:
* rendering/RenderQuote.cpp:
(WebCore::quotesForLanguage):
* rendering/RenderTableCell.h:
* rendering/RenderTableSection.cpp:
(WebCore::RenderTableSection::computeOverflowFromCells):
* rendering/RenderTextLineBoxes.cpp:
(WebCore::RenderTextLineBoxes::checkConsistency const):
* rendering/RenderTextLineBoxes.h:
* rendering/line/BreakingContext.h:
(WebCore::tryHyphenating):
* rendering/style/GridArea.h:
(WebCore::GridSpan::GridSpan):
* rendering/style/RenderStyle.cpp:
(WebCore::RenderStyle::~RenderStyle):
* rendering/style/RenderStyle.h:
* rendering/updating/RenderTreeBuilderRuby.cpp:
(WebCore::RenderTreeBuilder::Ruby::detach):
* rendering/updating/RenderTreePosition.cpp:
(WebCore::RenderTreePosition::computeNextSibling):
* rendering/updating/RenderTreePosition.h:
* svg/SVGToOTFFontConversion.cpp:
(WebCore::SVGToOTFFontConverter::Placeholder::Placeholder):
(WebCore::SVGToOTFFontConverter::Placeholder::populate):
(WebCore::SVGToOTFFontConverter::appendCFFTable):
(WebCore::SVGToOTFFontConverter::firstGlyph const):
(WebCore::SVGToOTFFontConverter::appendKERNTable):
* svg/SVGTransformDistance.cpp:
(WebCore::SVGTransformDistance::SVGTransformDistance):
(WebCore::SVGTransformDistance::scaledDistance const):
(WebCore::SVGTransformDistance::addSVGTransforms):
(WebCore::SVGTransformDistance::addToSVGTransform const):
(WebCore::SVGTransformDistance::distance const):
* svg/graphics/SVGImage.cpp:
(WebCore::SVGImage::nativeImage):
* testing/InternalSettings.cpp:
* workers/service/ServiceWorkerJob.h:
* worklets/PaintWorkletGlobalScope.h:
(WebCore::PaintWorkletGlobalScope::~PaintWorkletGlobalScope):
* xml/XPathStep.cpp:
Source/WebKit:
Convert ASSERT_DISABLED to ASSERT_ENABLED, and fix some tests of NDEBUG that should actually test for ASSERT_ENABLED.
https://bugs.webkit.org/show_bug.cgi?id=205776
Reviewed by Saam Barati.
* NetworkProcess/NetworkSession.cpp:
(WebKit::NetworkSession::invalidateAndCancel):
* NetworkProcess/NetworkSession.h:
* NetworkProcess/cache/NetworkCacheStorage.cpp:
(WebKit::NetworkCache::Storage::setCapacity):
* NetworkProcess/cocoa/NetworkSessionCocoa.mm:
(toNSURLSessionResponseDisposition):
(WebKit::NetworkSessionCocoa::NetworkSessionCocoa):
* Platform/IPC/Connection.cpp:
(IPC::Connection::waitForMessage):
* Platform/IPC/MessageReceiver.h:
(IPC::MessageReceiver::willBeAddedToMessageReceiverMap):
(IPC::MessageReceiver::willBeRemovedFromMessageReceiverMap):
* Platform/IPC/cocoa/ConnectionCocoa.mm:
(IPC::readFromMachPort):
* Platform/mac/MachUtilities.cpp:
(setMachExceptionPort):
* Shared/API/APIClient.h:
(API::Client::Client):
* Shared/API/Cocoa/WKRemoteObjectCoder.mm:
* Shared/Cocoa/ArgumentCodersCocoa.h:
* Shared/SharedStringHashTableReadOnly.cpp:
* UIProcess/BackingStore.cpp:
(WebKit::BackingStore::incorporateUpdate):
* UIProcess/GenericCallback.h:
* UIProcess/Launcher/mac/ProcessLauncherMac.mm:
(WebKit::ProcessLauncher::launchProcess):
* UIProcess/PageLoadState.h:
(WebKit::PageLoadState::Transaction::Token::Token):
* UIProcess/WebPageProxy.cpp:
(WebKit::WebPageProxy::~WebPageProxy):
* WebProcess/Network/WebResourceLoader.cpp:
(WebKit::WebResourceLoader::didReceiveResponse):
* WebProcess/Network/WebResourceLoader.h:
* WebProcess/Plugins/Netscape/NetscapePluginStream.cpp:
(WebKit::NetscapePluginStream::NetscapePluginStream):
(WebKit::NetscapePluginStream::notifyAndDestroyStream):
* WebProcess/Plugins/Netscape/NetscapePluginStream.h:
* WebProcess/WebPage/WebPage.cpp:
(WebKit::WebPage::runModal):
* WebProcess/WebProcess.cpp:
(WebKit::checkDocumentsCaptureStateConsistency):
* WebProcess/cocoa/WebProcessCocoa.mm:
(WebKit::WebProcess::updateProcessName):
Source/WebKitLegacy:
Convert ASSERT_DISABLED to ASSERT_ENABLED, and fix some tests of NDEBUG that should actually test for ASSERT_ENABLED.
https://bugs.webkit.org/show_bug.cgi?id=205776
Reviewed by Saam Barati.
* Storage/StorageAreaImpl.cpp:
(WebKit::StorageAreaImpl::StorageAreaImpl):
(WebKit::StorageAreaImpl::close):
* Storage/StorageAreaImpl.h:
Source/WebKitLegacy/mac:
Convert ASSERT_DISABLED to ASSERT_ENABLED, and fix some tests of NDEBUG that should actually test for ASSERT_ENABLED.
https://bugs.webkit.org/show_bug.cgi?id=205776
Reviewed by Saam Barati.
* History/WebHistory.mm:
(-[WebHistoryPrivate removeItemForURLString:]):
* WebView/WebFrame.mm:
Source/WebKitLegacy/win:
Convert ASSERT_DISABLED to ASSERT_ENABLED, and fix some tests of NDEBUG that should actually test for ASSERT_ENABLED.
https://bugs.webkit.org/show_bug.cgi?id=205776
Reviewed by Saam Barati.
* WebKitQuartzCoreAdditions/CAD3DRenderer.cpp:
(WKQCA::CAD3DRenderer::swapChain):
(WKQCA::CAD3DRenderer::initialize):
* WebKitQuartzCoreAdditions/CAD3DRenderer.h:
* WebView.cpp:
(WebView::Release):
* WebView.h:
Source/WTF:
Convert ASSERT_DISABLED to ASSERT_ENABLED, and fix some tests of NDEBUG that should actually test for ASSERT_ENABLED.
https://bugs.webkit.org/show_bug.cgi?id=205776
Reviewed by Saam Barati.
This patch did the following changes:
1. Replaced ASSERT_DISABLED with ASSERT_ENABLED. This change does away
with the need for the double negative !ASSERT_DISABLED test that is commonly
used all over the code, thereby improving code readability.
In Assertions.h, there is also BACKTRACE_DISABLED, ASSERT_MSG_DISABLED,
ASSERT_ARG_DISABLED, FATAL_DISABLED, ERROR_DISABLED, LOG_DISABLED, and
RELEASE_LOG_DISABLED. We should replace those with ..._ENABLED equivalents
as well. We'll do that in another patch. For now, they are left as is to
minimize the size of this patch.
See https://bugs.webkit.org/show_bug.cgi?id=205780.
2. Fixed some code was guarded with "#ifndef NDEBUG" that should actually be
guarded by "#if ASSERT_ENABLED" instead.
3. In cases where the change is minimal, we move some code around so that we can
test for "#if ASSERT_ENABLED" instead of "#if !ASSERT_ENABLED".
* wtf/Assertions.h:
* wtf/AutomaticThread.cpp:
(WTF::AutomaticThread::start):
* wtf/BitVector.h:
* wtf/BlockObjCExceptions.mm:
(ReportBlockedObjCException):
* wtf/BloomFilter.h:
* wtf/CallbackAggregator.h:
(WTF::CallbackAggregator::CallbackAggregator):
* wtf/CheckedArithmetic.h:
(WTF::observesOverflow<AssertNoOverflow>):
* wtf/CheckedBoolean.h:
(CheckedBoolean::CheckedBoolean):
(CheckedBoolean::operator bool):
* wtf/CompletionHandler.h:
(WTF::CompletionHandler<Out):
* wtf/DateMath.cpp:
(WTF::initializeDates):
* wtf/Gigacage.cpp:
(Gigacage::tryAllocateZeroedVirtualPages):
* wtf/HashTable.h:
(WTF::KeyTraits>::checkKey):
(WTF::KeyTraits>::checkTableConsistencyExceptSize const):
* wtf/LoggerHelper.h:
* wtf/NaturalLoops.h:
(WTF::NaturalLoops::headerOf const):
* wtf/NeverDestroyed.h:
(WTF::LazyNeverDestroyed::construct):
* wtf/OptionSet.h:
(WTF::OptionSet::OptionSet):
* wtf/Platform.h:
* wtf/PtrTag.h:
* wtf/RefCounted.h:
(WTF::RefCountedBase::disableThreadingChecks):
(WTF::RefCountedBase::enableThreadingChecksGlobally):
(WTF::RefCountedBase::RefCountedBase):
(WTF::RefCountedBase::applyRefDerefThreadingCheck const):
* wtf/SingleRootGraph.h:
(WTF::SingleRootGraph::assertIsConsistent const):
* wtf/SizeLimits.cpp:
* wtf/StackBounds.h:
(WTF::StackBounds::checkConsistency const):
* wtf/URLParser.cpp:
(WTF::URLParser::URLParser):
(WTF::URLParser::domainToASCII):
* wtf/ValueCheck.h:
* wtf/Vector.h:
(WTF::Malloc>::checkConsistency):
* wtf/WeakHashSet.h:
* wtf/WeakPtr.h:
(WTF::WeakPtrImpl::WeakPtrImpl):
(WTF::WeakPtrFactory::WeakPtrFactory):
* wtf/text/AtomStringImpl.cpp:
* wtf/text/AtomStringImpl.h:
* wtf/text/StringBuilder.cpp:
(WTF::StringBuilder::reifyString const):
* wtf/text/StringBuilder.h:
* wtf/text/StringCommon.h:
(WTF::hasPrefixWithLettersIgnoringASCIICaseCommon):
* wtf/text/StringHasher.h:
(WTF::StringHasher::addCharacters):
* wtf/text/StringImpl.h:
* wtf/text/SymbolImpl.h:
* wtf/text/UniquedStringImpl.h:
Tools:
Remove WebsiteDataStore::setServiceWorkerRegistrationDirectory
https://bugs.webkit.org/show_bug.cgi?id=205754
Patch by Alex Christensen <achristensen@webkit.org> on 2020-01-06
Reviewed by Youenn Fablet.
* TestWebKitAPI/Tests/WebKitCocoa/ServiceWorkerBasic.mm:
* WebKitTestRunner/TestController.cpp:
(WTR::TestController::websiteDataStore):
(WTR::TestController::platformAdjustContext):
* WebKitTestRunner/cocoa/TestControllerCocoa.mm:
(WTR::initializeWebViewConfiguration):
Canonical link: https://commits.webkit.org/218957@main
git-svn-id: https://svn.webkit.org/repository/webkit/trunk@254087 268f45cc-cd09-0410-ab3c-d52691b4dbfc
2020-01-06 22:24:50 +00:00
|
|
|
#if ASSERT_ENABLED
|
2021-04-15 07:03:38 +00:00
|
|
|
for (unsigned i = 0; i + 1 < m_catchEntrypoints.size(); ++i)
|
|
|
|
ASSERT(m_catchEntrypoints[i].bytecodeIndex <= m_catchEntrypoints[i + 1].bytecodeIndex);
|
2017-09-05 03:21:33 +00:00
|
|
|
#endif
|
|
|
|
}
|
|
|
|
|
2019-02-15 21:34:19 +00:00
|
|
|
void CommonData::clearWatchpoints()
|
|
|
|
{
|
2021-04-18 08:06:48 +00:00
|
|
|
m_watchpoints = FixedVector<CodeBlockJettisoningWatchpoint>();
|
|
|
|
m_adaptiveStructureWatchpoints = FixedVector<AdaptiveStructureWatchpoint>();
|
|
|
|
m_adaptiveInferredPropertyValueWatchpoints = FixedVector<AdaptiveInferredPropertyValueWatchpoint>();
|
2019-02-15 21:34:19 +00:00
|
|
|
}
|
|
|
|
|
2013-07-25 03:58:20 +00:00
|
|
|
} } // namespace JSC::DFG
|
|
|
|
|
|
|
|
#endif // ENABLE(DFG_JIT)
|
|
|
|
|