nephele
/
haikuwebkit
1
0
Fork 0
Code Issues Releases Activity
haikuwebkit/Source/JavaScriptCore/jit/ExecutableAllocationFuzz.cpp

91 lines
3.3 KiB
C++
Raw Permalink Normal View History

Use JITCompilationCanFail in more places, and make the fail path of JITCompilationMustSucceed a crash instead of attempting GC https://bugs.webkit.org/show_bug.cgi?id=142993 Source/JavaScriptCore: Reviewed by Geoffrey Garen and Mark Lam. This changes the most commonly invoked paths that relied on JITCompilationMustSucceed into using JITCompilationCanFail and having a legit fallback path. This mostly involves having the FTL JIT do the same trick as the DFG JIT in case of any memory allocation failure, but also involves adding the same kind of thing to the stub generators in Repatch. Because of that change, there are relatively few uses of JITCompilationMustSucceed. Most of those uses cannot handle a GC, and so cannot do releaseExecutableMemory(). Only a few, like host call stub generation, could handle a GC, but those get invoked very rarely. So, this patch changes the releaseExecutableMemory() call into a crash with some diagnostic printout. Also add a way of inducing executable allocation failure, so that we can test this. * CMakeLists.txt: * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj: * JavaScriptCore.xcodeproj/project.pbxproj: * dfg/DFGJITCompiler.cpp: (JSC::DFG::JITCompiler::compile): (JSC::DFG::JITCompiler::compileFunction): (JSC::DFG::JITCompiler::link): Deleted. (JSC::DFG::JITCompiler::linkFunction): Deleted. * dfg/DFGJITCompiler.h: * dfg/DFGPlan.cpp: (JSC::DFG::Plan::compileInThreadImpl): * ftl/FTLCompile.cpp: (JSC::FTL::mmAllocateCodeSection): (JSC::FTL::mmAllocateDataSection): * ftl/FTLLink.cpp: (JSC::FTL::link): * ftl/FTLState.h: * jit/ArityCheckFailReturnThunks.cpp: (JSC::ArityCheckFailReturnThunks::returnPCsFor): * jit/ExecutableAllocationFuzz.cpp: Added. (JSC::numberOfExecutableAllocationFuzzChecks): (JSC::doExecutableAllocationFuzzing): * jit/ExecutableAllocationFuzz.h: Added. (JSC::doExecutableAllocationFuzzingIfEnabled): * jit/ExecutableAllocatorFixedVMPool.cpp: (JSC::ExecutableAllocator::allocate): * jit/JIT.cpp: (JSC::JIT::privateCompile): * jit/JITCompilationEffort.h: * jit/Repatch.cpp: (JSC::generateByIdStub): (JSC::tryCacheGetByID): (JSC::tryBuildGetByIDList): (JSC::emitPutReplaceStub): (JSC::emitPutTransitionStubAndGetOldStructure): (JSC::tryCachePutByID): (JSC::tryBuildPutByIdList): (JSC::tryRepatchIn): (JSC::linkPolymorphicCall): * jsc.cpp: (jscmain): * runtime/Options.h: * runtime/TestRunnerUtils.h: * runtime/VM.cpp: * tests/executableAllocationFuzz: Added. * tests/executableAllocationFuzz.yaml: Added. * tests/executableAllocationFuzz/v8-raytrace.js: Added. Tools: Reviewed by Mark Lam. Bunch of support for testing executable allocation failure. * Scripts/jsc-stress-test-helpers/js-executable-allocation-fuzz: Added. (fail): * Scripts/run-javascriptcore-tests: (runJSCStressTests): * Scripts/run-jsc-stress-tests: Canonical link: https://commits.webkit.org/161099@main git-svn-id: https://svn.webkit.org/repository/webkit/trunk@181990 268f45cc-cd09-0410-ab3c-d52691b4dbfc
2015-03-26 01:26:56 +00:00
/*
* Copyright (C) 2015 Apple Inc. All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
* 1. Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in the
* documentation and/or other materials provided with the distribution.
*
* THIS SOFTWARE IS PROVIDED BY APPLE INC. ``AS IS'' AND ANY
* EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
* PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL APPLE INC. OR
* CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL,
* EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
* PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
* PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY
* OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
* OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
*/
#include "config.h"
#include "ExecutableAllocationFuzz.h"
#include "TestRunnerUtils.h"
#include <wtf/Atomics.h>
#include <wtf/DataLog.h>
jitCompileAndSetHeuristics shouldn't return true when we fail to compile https://bugs.webkit.org/show_bug.cgi?id=227155 Reviewed by Tadeu Zagallo. JSTests: * microbenchmarks/interpreter-wasm.js: * microbenchmarks/memcpy-wasm-large.js: * microbenchmarks/memcpy-wasm-medium.js: * microbenchmarks/memcpy-wasm-small.js: * microbenchmarks/memcpy-wasm.js: * stress/wasm-error-message-cross-threads.js: Source/JavaScriptCore: jitCompileAndSetHeuristics should only return true when we've successfully compiled a baseline JIT CodeBlock. However, with the rewrite to using a unified JIT worklist, the code was changed to returning true when a compilation finished, regardless of it being successful or not. This patch fixes that error. This bug was found by our existing executable allocation fuzzer, but at a low hit rate. That fuzzer only ran a single test case. This patch also introduces a new form of the executable fuzzer where we fail to allocate JIT code randomly, and the crash manifests more reliably. And this patch also hooks the new fuzzer into more JSC stress tests. * dfg/DFGLICMPhase.cpp: (JSC::DFG::LICMPhase::run): * jit/ExecutableAllocationFuzz.cpp: (JSC::doExecutableAllocationFuzzing): * jsc.cpp: (runJSC): * llint/LLIntSlowPaths.cpp: (JSC::LLInt::jitCompileAndSetHeuristics): (JSC::LLInt::LLINT_SLOW_PATH_DECL): * runtime/OptionsList.h: Source/WTF: * wtf/WeakRandom.h: Tools: * Scripts/run-jsc-stress-tests: Canonical link: https://commits.webkit.org/239041@main git-svn-id: https://svn.webkit.org/repository/webkit/trunk@279126 268f45cc-cd09-0410-ab3c-d52691b4dbfc
2021-06-22 17:48:42 +00:00
#include <wtf/WeakRandom.h>
Use JITCompilationCanFail in more places, and make the fail path of JITCompilationMustSucceed a crash instead of attempting GC https://bugs.webkit.org/show_bug.cgi?id=142993 Source/JavaScriptCore: Reviewed by Geoffrey Garen and Mark Lam. This changes the most commonly invoked paths that relied on JITCompilationMustSucceed into using JITCompilationCanFail and having a legit fallback path. This mostly involves having the FTL JIT do the same trick as the DFG JIT in case of any memory allocation failure, but also involves adding the same kind of thing to the stub generators in Repatch. Because of that change, there are relatively few uses of JITCompilationMustSucceed. Most of those uses cannot handle a GC, and so cannot do releaseExecutableMemory(). Only a few, like host call stub generation, could handle a GC, but those get invoked very rarely. So, this patch changes the releaseExecutableMemory() call into a crash with some diagnostic printout. Also add a way of inducing executable allocation failure, so that we can test this. * CMakeLists.txt: * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj: * JavaScriptCore.xcodeproj/project.pbxproj: * dfg/DFGJITCompiler.cpp: (JSC::DFG::JITCompiler::compile): (JSC::DFG::JITCompiler::compileFunction): (JSC::DFG::JITCompiler::link): Deleted. (JSC::DFG::JITCompiler::linkFunction): Deleted. * dfg/DFGJITCompiler.h: * dfg/DFGPlan.cpp: (JSC::DFG::Plan::compileInThreadImpl): * ftl/FTLCompile.cpp: (JSC::FTL::mmAllocateCodeSection): (JSC::FTL::mmAllocateDataSection): * ftl/FTLLink.cpp: (JSC::FTL::link): * ftl/FTLState.h: * jit/ArityCheckFailReturnThunks.cpp: (JSC::ArityCheckFailReturnThunks::returnPCsFor): * jit/ExecutableAllocationFuzz.cpp: Added. (JSC::numberOfExecutableAllocationFuzzChecks): (JSC::doExecutableAllocationFuzzing): * jit/ExecutableAllocationFuzz.h: Added. (JSC::doExecutableAllocationFuzzingIfEnabled): * jit/ExecutableAllocatorFixedVMPool.cpp: (JSC::ExecutableAllocator::allocate): * jit/JIT.cpp: (JSC::JIT::privateCompile): * jit/JITCompilationEffort.h: * jit/Repatch.cpp: (JSC::generateByIdStub): (JSC::tryCacheGetByID): (JSC::tryBuildGetByIDList): (JSC::emitPutReplaceStub): (JSC::emitPutTransitionStubAndGetOldStructure): (JSC::tryCachePutByID): (JSC::tryBuildPutByIdList): (JSC::tryRepatchIn): (JSC::linkPolymorphicCall): * jsc.cpp: (jscmain): * runtime/Options.h: * runtime/TestRunnerUtils.h: * runtime/VM.cpp: * tests/executableAllocationFuzz: Added. * tests/executableAllocationFuzz.yaml: Added. * tests/executableAllocationFuzz/v8-raytrace.js: Added. Tools: Reviewed by Mark Lam. Bunch of support for testing executable allocation failure. * Scripts/jsc-stress-test-helpers/js-executable-allocation-fuzz: Added. (fail): * Scripts/run-javascriptcore-tests: (runJSCStressTests): * Scripts/run-jsc-stress-tests: Canonical link: https://commits.webkit.org/161099@main git-svn-id: https://svn.webkit.org/repository/webkit/trunk@181990 268f45cc-cd09-0410-ab3c-d52691b4dbfc
2015-03-26 01:26:56 +00:00
namespace JSC {
static Atomic<unsigned> s_numberOfExecutableAllocationFuzzChecks;
unsigned numberOfExecutableAllocationFuzzChecks()
{
return s_numberOfExecutableAllocationFuzzChecks.load();
}
ExecutableAllocationFuzzResult doExecutableAllocationFuzzing()
{
Rename some JSC option names to be more uniform. https://bugs.webkit.org/show_bug.cgi?id=150127 Reviewed by Geoffrey Garen. Source/JavaScriptCore: Renaming JSC_enableXXX options to JSC_useXXX, and JSC_showXXX options to JSC_dumpXXX. Also will renaming a few other miscellaneous to options, to abide by this scheme. Also renaming some functions to match the option names where relevant. * API/tests/ExecutionTimeLimitTest.cpp: (testExecutionTimeLimit): * assembler/AbstractMacroAssembler.h: (JSC::optimizeForARMv7IDIVSupported): (JSC::optimizeForARM64): (JSC::optimizeForX86): * assembler/LinkBuffer.cpp: (JSC::shouldDumpDisassemblyFor): (JSC::LinkBuffer::finalizeCodeWithoutDisassembly): (JSC::shouldShowDisassemblyFor): Deleted. * assembler/LinkBuffer.h: * bytecode/CodeBlock.cpp: (JSC::CodeBlock::jettison): * bytecode/CodeBlockJettisoningWatchpoint.cpp: (JSC::CodeBlockJettisoningWatchpoint::fireInternal): * bytecompiler/BytecodeGenerator.cpp: (JSC::BytecodeGenerator::BytecodeGenerator): * dfg/DFGAdaptiveInferredPropertyValueWatchpoint.cpp: (JSC::DFG::AdaptiveInferredPropertyValueWatchpoint::fire): * dfg/DFGAdaptiveStructureWatchpoint.cpp: (JSC::DFG::AdaptiveStructureWatchpoint::fireInternal): * dfg/DFGByteCodeParser.cpp: (JSC::DFG::ByteCodeParser::handleInlining): (JSC::DFG::ByteCodeParser::handleGetById): (JSC::DFG::ByteCodeParser::handlePutById): (JSC::DFG::ByteCodeParser::parse): * dfg/DFGCommon.h: (JSC::DFG::leastUpperBound): (JSC::DFG::shouldDumpDisassembly): (JSC::DFG::shouldShowDisassembly): Deleted. * dfg/DFGDriver.cpp: (JSC::DFG::compileImpl): * dfg/DFGJITCompiler.cpp: (JSC::DFG::JITCompiler::JITCompiler): (JSC::DFG::JITCompiler::disassemble): * dfg/DFGJumpReplacement.cpp: (JSC::DFG::JumpReplacement::fire): * dfg/DFGOSREntry.cpp: (JSC::DFG::prepareOSREntry): * dfg/DFGOSRExitCompiler.cpp: * dfg/DFGOSRExitFuzz.h: (JSC::DFG::doOSRExitFuzzing): * dfg/DFGPlan.cpp: (JSC::DFG::Plan::compileInThreadImpl): * dfg/DFGSpeculativeJIT.cpp: (JSC::DFG::SpeculativeJIT::compileArithSqrt): * dfg/DFGTierUpCheckInjectionPhase.cpp: (JSC::DFG::TierUpCheckInjectionPhase::run): * ftl/FTLCompile.cpp: (JSC::FTL::mmAllocateDataSection): * ftl/FTLJITCode.cpp: (JSC::FTL::JITCode::~JITCode): * ftl/FTLLowerDFGToLLVM.cpp: (JSC::FTL::DFG::LowerDFGToLLVM::callCheck): * ftl/FTLOSRExitCompiler.cpp: (JSC::FTL::compileStub): (JSC::FTL::compileFTLOSRExit): * ftl/FTLState.h: (JSC::FTL::verboseCompilationEnabled): (JSC::FTL::shouldDumpDisassembly): (JSC::FTL::shouldShowDisassembly): Deleted. * heap/Heap.cpp: (JSC::Heap::addToRememberedSet): (JSC::Heap::didFinishCollection): (JSC::Heap::shouldDoFullCollection): * heap/Heap.h: (JSC::Heap::isDeferred): (JSC::Heap::structureIDTable): * heap/HeapStatistics.cpp: (JSC::StorageStatistics::storageCapacity): (JSC::HeapStatistics::dumpObjectStatistics): (JSC::HeapStatistics::showObjectStatistics): Deleted. * heap/HeapStatistics.h: * interpreter/StackVisitor.cpp: (JSC::StackVisitor::Frame::createArguments): * jit/AssemblyHelpers.cpp: (JSC::AssemblyHelpers::callExceptionFuzz): * jit/ExecutableAllocationFuzz.cpp: (JSC::doExecutableAllocationFuzzing): * jit/ExecutableAllocationFuzz.h: (JSC::doExecutableAllocationFuzzingIfEnabled): * jit/JIT.cpp: (JSC::JIT::privateCompile): * jit/JITCode.cpp: (JSC::JITCodeWithCodeRef::~JITCodeWithCodeRef): * jit/PolymorphicCallStubRoutine.cpp: (JSC::PolymorphicCallNode::unlink): (JSC::PolymorphicCallNode::clearCallLinkInfo): (JSC::PolymorphicCallStubRoutine::PolymorphicCallStubRoutine): * jit/Repatch.cpp: (JSC::linkFor): (JSC::unlinkFor): (JSC::linkVirtualFor): * jsc.cpp: (functionEnableExceptionFuzz): (jscmain): * llvm/InitializeLLVM.cpp: (JSC::initializeLLVMImpl): * runtime/ExceptionFuzz.cpp: (JSC::doExceptionFuzzing): * runtime/ExceptionFuzz.h: (JSC::doExceptionFuzzingIfEnabled): * runtime/JSGlobalObject.cpp: (JSC::JSGlobalObject::init): * runtime/Options.cpp: (JSC::recomputeDependentOptions): (JSC::Options::initialize): (JSC::Options::dumpOptionsIfNeeded): (JSC::Options::setOption): (JSC::Options::dumpAllOptions): (JSC::Options::dumpAllOptionsInALine): (JSC::Options::dumpOption): * runtime/Options.h: * runtime/VM.cpp: (JSC::VM::VM): * runtime/VM.h: (JSC::VM::exceptionFuzzingBuffer): * runtime/WriteBarrierInlines.h: (JSC::WriteBarrierBase<T>::set): (JSC::WriteBarrierBase<Unknown>::set): * tests/executableAllocationFuzz.yaml: * tests/stress/arrowfunction-typeof.js: * tests/stress/disable-function-dot-arguments.js: (foo): * tests/stress/math-sqrt-basics-disable-architecture-specific-optimizations.js: (sqrtOnInteger): * tests/stress/regress-148564.js: Tools: * Scripts/jsc-stress-test-helpers/js-executable-allocation-fuzz: * Scripts/run-jsc-stress-tests: Canonical link: https://commits.webkit.org/168267@main git-svn-id: https://svn.webkit.org/repository/webkit/trunk@191058 268f45cc-cd09-0410-ab3c-d52691b4dbfc
2015-10-14 18:57:07 +00:00
ASSERT(Options::useExecutableAllocationFuzz());
jitCompileAndSetHeuristics shouldn't return true when we fail to compile https://bugs.webkit.org/show_bug.cgi?id=227155 Reviewed by Tadeu Zagallo. JSTests: * microbenchmarks/interpreter-wasm.js: * microbenchmarks/memcpy-wasm-large.js: * microbenchmarks/memcpy-wasm-medium.js: * microbenchmarks/memcpy-wasm-small.js: * microbenchmarks/memcpy-wasm.js: * stress/wasm-error-message-cross-threads.js: Source/JavaScriptCore: jitCompileAndSetHeuristics should only return true when we've successfully compiled a baseline JIT CodeBlock. However, with the rewrite to using a unified JIT worklist, the code was changed to returning true when a compilation finished, regardless of it being successful or not. This patch fixes that error. This bug was found by our existing executable allocation fuzzer, but at a low hit rate. That fuzzer only ran a single test case. This patch also introduces a new form of the executable fuzzer where we fail to allocate JIT code randomly, and the crash manifests more reliably. And this patch also hooks the new fuzzer into more JSC stress tests. * dfg/DFGLICMPhase.cpp: (JSC::DFG::LICMPhase::run): * jit/ExecutableAllocationFuzz.cpp: (JSC::doExecutableAllocationFuzzing): * jsc.cpp: (runJSC): * llint/LLIntSlowPaths.cpp: (JSC::LLInt::jitCompileAndSetHeuristics): (JSC::LLInt::LLINT_SLOW_PATH_DECL): * runtime/OptionsList.h: Source/WTF: * wtf/WeakRandom.h: Tools: * Scripts/run-jsc-stress-tests: Canonical link: https://commits.webkit.org/239041@main git-svn-id: https://svn.webkit.org/repository/webkit/trunk@279126 268f45cc-cd09-0410-ab3c-d52691b4dbfc
2021-06-22 17:48:42 +00:00
if (Options::fireExecutableAllocationFuzzRandomly()) {
static LazyNeverDestroyed<WeakRandom> random;
static std::once_flag once;
std::call_once(once, [] () {
random.construct();
});
static Lock fuzzingLock;
Locker locker { fuzzingLock };
if (random->returnTrueWithProbability(Options::fireExecutableAllocationFuzzRandomlyProbability()))
return PretendToFailExecutableAllocation;
return AllowNormalExecutableAllocation;
}
Use JITCompilationCanFail in more places, and make the fail path of JITCompilationMustSucceed a crash instead of attempting GC https://bugs.webkit.org/show_bug.cgi?id=142993 Source/JavaScriptCore: Reviewed by Geoffrey Garen and Mark Lam. This changes the most commonly invoked paths that relied on JITCompilationMustSucceed into using JITCompilationCanFail and having a legit fallback path. This mostly involves having the FTL JIT do the same trick as the DFG JIT in case of any memory allocation failure, but also involves adding the same kind of thing to the stub generators in Repatch. Because of that change, there are relatively few uses of JITCompilationMustSucceed. Most of those uses cannot handle a GC, and so cannot do releaseExecutableMemory(). Only a few, like host call stub generation, could handle a GC, but those get invoked very rarely. So, this patch changes the releaseExecutableMemory() call into a crash with some diagnostic printout. Also add a way of inducing executable allocation failure, so that we can test this. * CMakeLists.txt: * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj: * JavaScriptCore.xcodeproj/project.pbxproj: * dfg/DFGJITCompiler.cpp: (JSC::DFG::JITCompiler::compile): (JSC::DFG::JITCompiler::compileFunction): (JSC::DFG::JITCompiler::link): Deleted. (JSC::DFG::JITCompiler::linkFunction): Deleted. * dfg/DFGJITCompiler.h: * dfg/DFGPlan.cpp: (JSC::DFG::Plan::compileInThreadImpl): * ftl/FTLCompile.cpp: (JSC::FTL::mmAllocateCodeSection): (JSC::FTL::mmAllocateDataSection): * ftl/FTLLink.cpp: (JSC::FTL::link): * ftl/FTLState.h: * jit/ArityCheckFailReturnThunks.cpp: (JSC::ArityCheckFailReturnThunks::returnPCsFor): * jit/ExecutableAllocationFuzz.cpp: Added. (JSC::numberOfExecutableAllocationFuzzChecks): (JSC::doExecutableAllocationFuzzing): * jit/ExecutableAllocationFuzz.h: Added. (JSC::doExecutableAllocationFuzzingIfEnabled): * jit/ExecutableAllocatorFixedVMPool.cpp: (JSC::ExecutableAllocator::allocate): * jit/JIT.cpp: (JSC::JIT::privateCompile): * jit/JITCompilationEffort.h: * jit/Repatch.cpp: (JSC::generateByIdStub): (JSC::tryCacheGetByID): (JSC::tryBuildGetByIDList): (JSC::emitPutReplaceStub): (JSC::emitPutTransitionStubAndGetOldStructure): (JSC::tryCachePutByID): (JSC::tryBuildPutByIdList): (JSC::tryRepatchIn): (JSC::linkPolymorphicCall): * jsc.cpp: (jscmain): * runtime/Options.h: * runtime/TestRunnerUtils.h: * runtime/VM.cpp: * tests/executableAllocationFuzz: Added. * tests/executableAllocationFuzz.yaml: Added. * tests/executableAllocationFuzz/v8-raytrace.js: Added. Tools: Reviewed by Mark Lam. Bunch of support for testing executable allocation failure. * Scripts/jsc-stress-test-helpers/js-executable-allocation-fuzz: Added. (fail): * Scripts/run-javascriptcore-tests: (runJSCStressTests): * Scripts/run-jsc-stress-tests: Canonical link: https://commits.webkit.org/161099@main git-svn-id: https://svn.webkit.org/repository/webkit/trunk@181990 268f45cc-cd09-0410-ab3c-d52691b4dbfc
2015-03-26 01:26:56 +00:00
Unreviewed, reverting r279916. https://bugs.webkit.org/show_bug.cgi?id=228037 some of tests are timing out Reverted changeset: "Convert small JIT pool tests into executable fuzzing" https://bugs.webkit.org/show_bug.cgi?id=226279 https://commits.webkit.org/r279916 Canonical link: https://commits.webkit.org/239746@main git-svn-id: https://svn.webkit.org/repository/webkit/trunk@280004 268f45cc-cd09-0410-ab3c-d52691b4dbfc
2021-07-16 22:18:46 +00:00
unsigned oldValue;
unsigned newValue;
do {
oldValue = s_numberOfExecutableAllocationFuzzChecks.load();
newValue = oldValue + 1;
} while (!s_numberOfExecutableAllocationFuzzChecks.compareExchangeWeak(oldValue, newValue));
if (newValue == Options::fireExecutableAllocationFuzzAt()) {
Use JITCompilationCanFail in more places, and make the fail path of JITCompilationMustSucceed a crash instead of attempting GC https://bugs.webkit.org/show_bug.cgi?id=142993 Source/JavaScriptCore: Reviewed by Geoffrey Garen and Mark Lam. This changes the most commonly invoked paths that relied on JITCompilationMustSucceed into using JITCompilationCanFail and having a legit fallback path. This mostly involves having the FTL JIT do the same trick as the DFG JIT in case of any memory allocation failure, but also involves adding the same kind of thing to the stub generators in Repatch. Because of that change, there are relatively few uses of JITCompilationMustSucceed. Most of those uses cannot handle a GC, and so cannot do releaseExecutableMemory(). Only a few, like host call stub generation, could handle a GC, but those get invoked very rarely. So, this patch changes the releaseExecutableMemory() call into a crash with some diagnostic printout. Also add a way of inducing executable allocation failure, so that we can test this. * CMakeLists.txt: * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj: * JavaScriptCore.xcodeproj/project.pbxproj: * dfg/DFGJITCompiler.cpp: (JSC::DFG::JITCompiler::compile): (JSC::DFG::JITCompiler::compileFunction): (JSC::DFG::JITCompiler::link): Deleted. (JSC::DFG::JITCompiler::linkFunction): Deleted. * dfg/DFGJITCompiler.h: * dfg/DFGPlan.cpp: (JSC::DFG::Plan::compileInThreadImpl): * ftl/FTLCompile.cpp: (JSC::FTL::mmAllocateCodeSection): (JSC::FTL::mmAllocateDataSection): * ftl/FTLLink.cpp: (JSC::FTL::link): * ftl/FTLState.h: * jit/ArityCheckFailReturnThunks.cpp: (JSC::ArityCheckFailReturnThunks::returnPCsFor): * jit/ExecutableAllocationFuzz.cpp: Added. (JSC::numberOfExecutableAllocationFuzzChecks): (JSC::doExecutableAllocationFuzzing): * jit/ExecutableAllocationFuzz.h: Added. (JSC::doExecutableAllocationFuzzingIfEnabled): * jit/ExecutableAllocatorFixedVMPool.cpp: (JSC::ExecutableAllocator::allocate): * jit/JIT.cpp: (JSC::JIT::privateCompile): * jit/JITCompilationEffort.h: * jit/Repatch.cpp: (JSC::generateByIdStub): (JSC::tryCacheGetByID): (JSC::tryBuildGetByIDList): (JSC::emitPutReplaceStub): (JSC::emitPutTransitionStubAndGetOldStructure): (JSC::tryCachePutByID): (JSC::tryBuildPutByIdList): (JSC::tryRepatchIn): (JSC::linkPolymorphicCall): * jsc.cpp: (jscmain): * runtime/Options.h: * runtime/TestRunnerUtils.h: * runtime/VM.cpp: * tests/executableAllocationFuzz: Added. * tests/executableAllocationFuzz.yaml: Added. * tests/executableAllocationFuzz/v8-raytrace.js: Added. Tools: Reviewed by Mark Lam. Bunch of support for testing executable allocation failure. * Scripts/jsc-stress-test-helpers/js-executable-allocation-fuzz: Added. (fail): * Scripts/run-javascriptcore-tests: (runJSCStressTests): * Scripts/run-jsc-stress-tests: Canonical link: https://commits.webkit.org/161099@main git-svn-id: https://svn.webkit.org/repository/webkit/trunk@181990 268f45cc-cd09-0410-ab3c-d52691b4dbfc
2015-03-26 01:26:56 +00:00
if (Options::verboseExecutableAllocationFuzz()) {
dataLog("Will pretend to fail executable allocation.\n");
WTFReportBacktrace();
}
return PretendToFailExecutableAllocation;
}
Unreviewed, reverting r279916. https://bugs.webkit.org/show_bug.cgi?id=228037 some of tests are timing out Reverted changeset: "Convert small JIT pool tests into executable fuzzing" https://bugs.webkit.org/show_bug.cgi?id=226279 https://commits.webkit.org/r279916 Canonical link: https://commits.webkit.org/239746@main git-svn-id: https://svn.webkit.org/repository/webkit/trunk@280004 268f45cc-cd09-0410-ab3c-d52691b4dbfc
2021-07-16 22:18:46 +00:00
Use JITCompilationCanFail in more places, and make the fail path of JITCompilationMustSucceed a crash instead of attempting GC https://bugs.webkit.org/show_bug.cgi?id=142993 Source/JavaScriptCore: Reviewed by Geoffrey Garen and Mark Lam. This changes the most commonly invoked paths that relied on JITCompilationMustSucceed into using JITCompilationCanFail and having a legit fallback path. This mostly involves having the FTL JIT do the same trick as the DFG JIT in case of any memory allocation failure, but also involves adding the same kind of thing to the stub generators in Repatch. Because of that change, there are relatively few uses of JITCompilationMustSucceed. Most of those uses cannot handle a GC, and so cannot do releaseExecutableMemory(). Only a few, like host call stub generation, could handle a GC, but those get invoked very rarely. So, this patch changes the releaseExecutableMemory() call into a crash with some diagnostic printout. Also add a way of inducing executable allocation failure, so that we can test this. * CMakeLists.txt: * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj: * JavaScriptCore.xcodeproj/project.pbxproj: * dfg/DFGJITCompiler.cpp: (JSC::DFG::JITCompiler::compile): (JSC::DFG::JITCompiler::compileFunction): (JSC::DFG::JITCompiler::link): Deleted. (JSC::DFG::JITCompiler::linkFunction): Deleted. * dfg/DFGJITCompiler.h: * dfg/DFGPlan.cpp: (JSC::DFG::Plan::compileInThreadImpl): * ftl/FTLCompile.cpp: (JSC::FTL::mmAllocateCodeSection): (JSC::FTL::mmAllocateDataSection): * ftl/FTLLink.cpp: (JSC::FTL::link): * ftl/FTLState.h: * jit/ArityCheckFailReturnThunks.cpp: (JSC::ArityCheckFailReturnThunks::returnPCsFor): * jit/ExecutableAllocationFuzz.cpp: Added. (JSC::numberOfExecutableAllocationFuzzChecks): (JSC::doExecutableAllocationFuzzing): * jit/ExecutableAllocationFuzz.h: Added. (JSC::doExecutableAllocationFuzzingIfEnabled): * jit/ExecutableAllocatorFixedVMPool.cpp: (JSC::ExecutableAllocator::allocate): * jit/JIT.cpp: (JSC::JIT::privateCompile): * jit/JITCompilationEffort.h: * jit/Repatch.cpp: (JSC::generateByIdStub): (JSC::tryCacheGetByID): (JSC::tryBuildGetByIDList): (JSC::emitPutReplaceStub): (JSC::emitPutTransitionStubAndGetOldStructure): (JSC::tryCachePutByID): (JSC::tryBuildPutByIdList): (JSC::tryRepatchIn): (JSC::linkPolymorphicCall): * jsc.cpp: (jscmain): * runtime/Options.h: * runtime/TestRunnerUtils.h: * runtime/VM.cpp: * tests/executableAllocationFuzz: Added. * tests/executableAllocationFuzz.yaml: Added. * tests/executableAllocationFuzz/v8-raytrace.js: Added. Tools: Reviewed by Mark Lam. Bunch of support for testing executable allocation failure. * Scripts/jsc-stress-test-helpers/js-executable-allocation-fuzz: Added. (fail): * Scripts/run-javascriptcore-tests: (runJSCStressTests): * Scripts/run-jsc-stress-tests: Canonical link: https://commits.webkit.org/161099@main git-svn-id: https://svn.webkit.org/repository/webkit/trunk@181990 268f45cc-cd09-0410-ab3c-d52691b4dbfc
2015-03-26 01:26:56 +00:00
if (Options::fireExecutableAllocationFuzzAtOrAfter()
Unreviewed, reverting r279916. https://bugs.webkit.org/show_bug.cgi?id=228037 some of tests are timing out Reverted changeset: "Convert small JIT pool tests into executable fuzzing" https://bugs.webkit.org/show_bug.cgi?id=226279 https://commits.webkit.org/r279916 Canonical link: https://commits.webkit.org/239746@main git-svn-id: https://svn.webkit.org/repository/webkit/trunk@280004 268f45cc-cd09-0410-ab3c-d52691b4dbfc
2021-07-16 22:18:46 +00:00
&& newValue >= Options::fireExecutableAllocationFuzzAtOrAfter()) {
Use JITCompilationCanFail in more places, and make the fail path of JITCompilationMustSucceed a crash instead of attempting GC https://bugs.webkit.org/show_bug.cgi?id=142993 Source/JavaScriptCore: Reviewed by Geoffrey Garen and Mark Lam. This changes the most commonly invoked paths that relied on JITCompilationMustSucceed into using JITCompilationCanFail and having a legit fallback path. This mostly involves having the FTL JIT do the same trick as the DFG JIT in case of any memory allocation failure, but also involves adding the same kind of thing to the stub generators in Repatch. Because of that change, there are relatively few uses of JITCompilationMustSucceed. Most of those uses cannot handle a GC, and so cannot do releaseExecutableMemory(). Only a few, like host call stub generation, could handle a GC, but those get invoked very rarely. So, this patch changes the releaseExecutableMemory() call into a crash with some diagnostic printout. Also add a way of inducing executable allocation failure, so that we can test this. * CMakeLists.txt: * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj: * JavaScriptCore.xcodeproj/project.pbxproj: * dfg/DFGJITCompiler.cpp: (JSC::DFG::JITCompiler::compile): (JSC::DFG::JITCompiler::compileFunction): (JSC::DFG::JITCompiler::link): Deleted. (JSC::DFG::JITCompiler::linkFunction): Deleted. * dfg/DFGJITCompiler.h: * dfg/DFGPlan.cpp: (JSC::DFG::Plan::compileInThreadImpl): * ftl/FTLCompile.cpp: (JSC::FTL::mmAllocateCodeSection): (JSC::FTL::mmAllocateDataSection): * ftl/FTLLink.cpp: (JSC::FTL::link): * ftl/FTLState.h: * jit/ArityCheckFailReturnThunks.cpp: (JSC::ArityCheckFailReturnThunks::returnPCsFor): * jit/ExecutableAllocationFuzz.cpp: Added. (JSC::numberOfExecutableAllocationFuzzChecks): (JSC::doExecutableAllocationFuzzing): * jit/ExecutableAllocationFuzz.h: Added. (JSC::doExecutableAllocationFuzzingIfEnabled): * jit/ExecutableAllocatorFixedVMPool.cpp: (JSC::ExecutableAllocator::allocate): * jit/JIT.cpp: (JSC::JIT::privateCompile): * jit/JITCompilationEffort.h: * jit/Repatch.cpp: (JSC::generateByIdStub): (JSC::tryCacheGetByID): (JSC::tryBuildGetByIDList): (JSC::emitPutReplaceStub): (JSC::emitPutTransitionStubAndGetOldStructure): (JSC::tryCachePutByID): (JSC::tryBuildPutByIdList): (JSC::tryRepatchIn): (JSC::linkPolymorphicCall): * jsc.cpp: (jscmain): * runtime/Options.h: * runtime/TestRunnerUtils.h: * runtime/VM.cpp: * tests/executableAllocationFuzz: Added. * tests/executableAllocationFuzz.yaml: Added. * tests/executableAllocationFuzz/v8-raytrace.js: Added. Tools: Reviewed by Mark Lam. Bunch of support for testing executable allocation failure. * Scripts/jsc-stress-test-helpers/js-executable-allocation-fuzz: Added. (fail): * Scripts/run-javascriptcore-tests: (runJSCStressTests): * Scripts/run-jsc-stress-tests: Canonical link: https://commits.webkit.org/161099@main git-svn-id: https://svn.webkit.org/repository/webkit/trunk@181990 268f45cc-cd09-0410-ab3c-d52691b4dbfc
2015-03-26 01:26:56 +00:00
if (Options::verboseExecutableAllocationFuzz()) {
dataLog("Will pretend to fail executable allocation.\n");
WTFReportBacktrace();
}
return PretendToFailExecutableAllocation;
Unreviewed, reverting r279916. https://bugs.webkit.org/show_bug.cgi?id=228037 some of tests are timing out Reverted changeset: "Convert small JIT pool tests into executable fuzzing" https://bugs.webkit.org/show_bug.cgi?id=226279 https://commits.webkit.org/r279916 Canonical link: https://commits.webkit.org/239746@main git-svn-id: https://svn.webkit.org/repository/webkit/trunk@280004 268f45cc-cd09-0410-ab3c-d52691b4dbfc
2021-07-16 22:18:46 +00:00
}
Use JITCompilationCanFail in more places, and make the fail path of JITCompilationMustSucceed a crash instead of attempting GC https://bugs.webkit.org/show_bug.cgi?id=142993 Source/JavaScriptCore: Reviewed by Geoffrey Garen and Mark Lam. This changes the most commonly invoked paths that relied on JITCompilationMustSucceed into using JITCompilationCanFail and having a legit fallback path. This mostly involves having the FTL JIT do the same trick as the DFG JIT in case of any memory allocation failure, but also involves adding the same kind of thing to the stub generators in Repatch. Because of that change, there are relatively few uses of JITCompilationMustSucceed. Most of those uses cannot handle a GC, and so cannot do releaseExecutableMemory(). Only a few, like host call stub generation, could handle a GC, but those get invoked very rarely. So, this patch changes the releaseExecutableMemory() call into a crash with some diagnostic printout. Also add a way of inducing executable allocation failure, so that we can test this. * CMakeLists.txt: * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj: * JavaScriptCore.xcodeproj/project.pbxproj: * dfg/DFGJITCompiler.cpp: (JSC::DFG::JITCompiler::compile): (JSC::DFG::JITCompiler::compileFunction): (JSC::DFG::JITCompiler::link): Deleted. (JSC::DFG::JITCompiler::linkFunction): Deleted. * dfg/DFGJITCompiler.h: * dfg/DFGPlan.cpp: (JSC::DFG::Plan::compileInThreadImpl): * ftl/FTLCompile.cpp: (JSC::FTL::mmAllocateCodeSection): (JSC::FTL::mmAllocateDataSection): * ftl/FTLLink.cpp: (JSC::FTL::link): * ftl/FTLState.h: * jit/ArityCheckFailReturnThunks.cpp: (JSC::ArityCheckFailReturnThunks::returnPCsFor): * jit/ExecutableAllocationFuzz.cpp: Added. (JSC::numberOfExecutableAllocationFuzzChecks): (JSC::doExecutableAllocationFuzzing): * jit/ExecutableAllocationFuzz.h: Added. (JSC::doExecutableAllocationFuzzingIfEnabled): * jit/ExecutableAllocatorFixedVMPool.cpp: (JSC::ExecutableAllocator::allocate): * jit/JIT.cpp: (JSC::JIT::privateCompile): * jit/JITCompilationEffort.h: * jit/Repatch.cpp: (JSC::generateByIdStub): (JSC::tryCacheGetByID): (JSC::tryBuildGetByIDList): (JSC::emitPutReplaceStub): (JSC::emitPutTransitionStubAndGetOldStructure): (JSC::tryCachePutByID): (JSC::tryBuildPutByIdList): (JSC::tryRepatchIn): (JSC::linkPolymorphicCall): * jsc.cpp: (jscmain): * runtime/Options.h: * runtime/TestRunnerUtils.h: * runtime/VM.cpp: * tests/executableAllocationFuzz: Added. * tests/executableAllocationFuzz.yaml: Added. * tests/executableAllocationFuzz/v8-raytrace.js: Added. Tools: Reviewed by Mark Lam. Bunch of support for testing executable allocation failure. * Scripts/jsc-stress-test-helpers/js-executable-allocation-fuzz: Added. (fail): * Scripts/run-javascriptcore-tests: (runJSCStressTests): * Scripts/run-jsc-stress-tests: Canonical link: https://commits.webkit.org/161099@main git-svn-id: https://svn.webkit.org/repository/webkit/trunk@181990 268f45cc-cd09-0410-ab3c-d52691b4dbfc
2015-03-26 01:26:56 +00:00
return AllowNormalExecutableAllocation;
}
} // namespace JSC