Changeset 221849 in webkit for trunk/Source/JavaScriptCore/jit/JITOperations.cpp

Timestamp:

Sep 10, 2017, 11:23:39 PM (8 years ago)

Author:

[email protected]

Message:

Fix all ExceptionScope verification failures in JavaScriptCore.
​https://bugs.webkit.org/show_bug.cgi?id=176662
<rdar://problem/34352085>

Reviewed by Filip Pizlo.

Source/JavaScriptCore:

1. Introduced EXCEPTION_ASSERT macros so that we can enable exception scope verification for release builds too (though this requires manually setting ENABLE_EXCEPTION_SCOPE_VERIFICATION to 1 in Platform.h).

This is useful because it allows us to run the tests more quickly to check
if any regressions have occurred. Debug builds run so much slower and not
good for a quick turn around. Debug builds are necessary though to get
trace information without inlining by the C++ compiler. This is necessary to
diagnose where the missing exception check is.

2. Repurposed the JSC_dumpSimulatedThrows=true options to capture and dump the last simulated throw when an exception scope verification fails.

Previously, this option dumps the stack trace on all simulated throws. That
turned out to not be very useful, and slows down the debugging process.
Instead, the new implementation captures the stack trace and only dumps it
if we have a verification failure.

3. Fixed missing exception checks and book-keeping needed to allow the JSC tests to pass with JSC_validateExceptionChecks=true.

• bytecode/CodeBlock.cpp:

(JSC::CodeBlock::finishCreation):

• dfg/DFGOSRExit.cpp:

(JSC::DFG::OSRExit::executeOSRExit):

• dfg/DFGOperations.cpp:
• interpreter/Interpreter.cpp:

(JSC::eval):
(JSC::loadVarargs):
(JSC::Interpreter::unwind):
(JSC::Interpreter::executeProgram):
(JSC::Interpreter::executeCall):
(JSC::Interpreter::executeConstruct):
(JSC::Interpreter::prepareForRepeatCall):
(JSC::Interpreter::execute):
(JSC::Interpreter::executeModuleProgram):

• jit/JITOperations.cpp:

(JSC::getByVal):

• jsc.cpp:

(WTF::CustomGetter::customGetterAcessor):
(GlobalObject::moduleLoaderImportModule):
(GlobalObject::moduleLoaderResolve):

• llint/LLIntSlowPaths.cpp:

(JSC::LLInt::getByVal):
(JSC::LLInt::setUpCall):

• parser/Parser.h:

(JSC::Parser::popScopeInternal):

• runtime/AbstractModuleRecord.cpp:

(JSC::AbstractModuleRecord::hostResolveImportedModule):
(JSC::AbstractModuleRecord::resolveImport):
(JSC::AbstractModuleRecord::resolveExportImpl):
(JSC::getExportedNames):
(JSC::AbstractModuleRecord::getModuleNamespace):

• runtime/ArrayPrototype.cpp:

(JSC::getProperty):
(JSC::unshift):
(JSC::arrayProtoFuncToString):
(JSC::arrayProtoFuncToLocaleString):
(JSC::arrayProtoFuncJoin):
(JSC::arrayProtoFuncPop):
(JSC::arrayProtoFuncPush):
(JSC::arrayProtoFuncReverse):
(JSC::arrayProtoFuncShift):
(JSC::arrayProtoFuncSlice):
(JSC::arrayProtoFuncSplice):
(JSC::arrayProtoFuncUnShift):
(JSC::arrayProtoFuncIndexOf):
(JSC::arrayProtoFuncLastIndexOf):
(JSC::concatAppendOne):
(JSC::arrayProtoPrivateFuncConcatMemcpy):
(JSC::arrayProtoPrivateFuncAppendMemcpy):

• runtime/CatchScope.h:
• runtime/CommonSlowPaths.cpp:

(JSC::SLOW_PATH_DECL):

• runtime/DatePrototype.cpp:

(JSC::dateProtoFuncSetTime):
(JSC::setNewValueFromTimeArgs):

• runtime/DirectArguments.h:

(JSC::DirectArguments::length const):

• runtime/ErrorPrototype.cpp:

(JSC::errorProtoFuncToString):

• runtime/ExceptionFuzz.cpp:

(JSC::doExceptionFuzzing):

• runtime/ExceptionScope.h:

(JSC::ExceptionScope::needExceptionCheck):
(JSC::ExceptionScope::assertNoException):

• runtime/GenericArgumentsInlines.h:

(JSC::GenericArguments<Type>::defineOwnProperty):

• runtime/HashMapImpl.h:

(JSC::HashMapImpl::rehash):

• runtime/IntlDateTimeFormat.cpp:

(JSC::IntlDateTimeFormat::formatToParts):

• runtime/JSArray.cpp:

(JSC::JSArray::defineOwnProperty):
(JSC::JSArray::put):

• runtime/JSCJSValue.cpp:

(JSC::JSValue::putToPrimitive):
(JSC::JSValue::putToPrimitiveByIndex):

• runtime/JSCJSValueInlines.h:

(JSC::JSValue::toIndex const):
(JSC::JSValue::get const):
(JSC::JSValue::getPropertySlot const):
(JSC::JSValue::equalSlowCaseInline):

• runtime/JSGenericTypedArrayViewConstructorInlines.h:

(JSC::constructGenericTypedArrayViewFromIterator):
(JSC::constructGenericTypedArrayViewWithArguments):

• runtime/JSGenericTypedArrayViewInlines.h:

(JSC::JSGenericTypedArrayView<Adaptor>::set):

• runtime/JSGlobalObject.cpp:

(JSC::JSGlobalObject::put):

• runtime/JSGlobalObjectFunctions.cpp:

(JSC::decode):
(JSC::globalFuncEval):
(JSC::globalFuncProtoGetter):
(JSC::globalFuncProtoSetter):
(JSC::globalFuncImportModule):

• runtime/JSInternalPromise.cpp:

(JSC::JSInternalPromise::then):

• runtime/JSInternalPromiseDeferred.cpp:

(JSC::JSInternalPromiseDeferred::create):

• runtime/JSJob.cpp:

(JSC::JSJobMicrotask::run):

• runtime/JSModuleEnvironment.cpp:

(JSC::JSModuleEnvironment::getOwnPropertySlot):
(JSC::JSModuleEnvironment::put):
(JSC::JSModuleEnvironment::deleteProperty):

• runtime/JSModuleLoader.cpp:

(JSC::JSModuleLoader::provide):
(JSC::JSModuleLoader::loadAndEvaluateModule):
(JSC::JSModuleLoader::loadModule):
(JSC::JSModuleLoader::linkAndEvaluateModule):
(JSC::JSModuleLoader::requestImportModule):

• runtime/JSModuleRecord.cpp:

(JSC::JSModuleRecord::link):
(JSC::JSModuleRecord::instantiateDeclarations):

• runtime/JSONObject.cpp:

(JSC::Stringifier::stringify):
(JSC::Stringifier::toJSON):
(JSC::JSONProtoFuncParse):

• runtime/JSObject.cpp:

(JSC::JSObject::calculatedClassName):
(JSC::ordinarySetSlow):
(JSC::JSObject::putInlineSlow):
(JSC::JSObject::ordinaryToPrimitive const):
(JSC::JSObject::toPrimitive const):
(JSC::JSObject::hasInstance):
(JSC::JSObject::getPropertyNames):
(JSC::JSObject::toNumber const):
(JSC::JSObject::defineOwnIndexedProperty):
(JSC::JSObject::putByIndexBeyondVectorLengthWithoutAttributes):
(JSC::JSObject::putByIndexBeyondVectorLengthWithArrayStorage):
(JSC::JSObject::putDirectIndexBeyondVectorLengthWithArrayStorage):
(JSC::validateAndApplyPropertyDescriptor):
(JSC::JSObject::defineOwnNonIndexProperty):
(JSC::JSObject::getGenericPropertyNames):

• runtime/JSObject.h:

(JSC::JSObject::get const):

• runtime/JSObjectInlines.h:

(JSC::JSObject::getPropertySlot const):
(JSC::JSObject::getPropertySlot):
(JSC::JSObject::getNonIndexPropertySlot):
(JSC::JSObject::putInlineForJSObject):

• runtime/JSPromiseConstructor.cpp:

(JSC::constructPromise):

• runtime/JSPromiseDeferred.cpp:

(JSC::JSPromiseDeferred::create):

• runtime/JSScope.cpp:

(JSC::abstractAccess):
(JSC::JSScope::resolve):
(JSC::JSScope::resolveScopeForHoistingFuncDeclInEval):
(JSC::JSScope::abstractResolve):

• runtime/LiteralParser.cpp:

(JSC::LiteralParser<CharType>::tryJSONPParse):
(JSC::LiteralParser<CharType>::parse):

• runtime/Lookup.h:

(JSC::putEntry):

• runtime/MapConstructor.cpp:

(JSC::constructMap):

• runtime/NumberPrototype.cpp:

(JSC::numberProtoFuncToString):

• runtime/ObjectConstructor.cpp:

(JSC::objectConstructorSetPrototypeOf):
(JSC::objectConstructorGetOwnPropertyDescriptor):
(JSC::objectConstructorGetOwnPropertyDescriptors):
(JSC::objectConstructorAssign):
(JSC::objectConstructorValues):
(JSC::toPropertyDescriptor):
(JSC::objectConstructorDefineProperty):
(JSC::defineProperties):
(JSC::objectConstructorDefineProperties):
(JSC::ownPropertyKeys):

• runtime/ObjectPrototype.cpp:

(JSC::objectProtoFuncHasOwnProperty):
(JSC::objectProtoFuncIsPrototypeOf):
(JSC::objectProtoFuncLookupGetter):
(JSC::objectProtoFuncLookupSetter):
(JSC::objectProtoFuncToLocaleString):
(JSC::objectProtoFuncToString):

• runtime/Options.h:
• runtime/ParseInt.h:

(JSC::toStringView):

• runtime/ProxyObject.cpp:

(JSC::performProxyGet):
(JSC::ProxyObject::performPut):

• runtime/ReflectObject.cpp:

(JSC::reflectObjectDefineProperty):

• runtime/RegExpConstructor.cpp:

(JSC::toFlags):
(JSC::regExpCreate):
(JSC::constructRegExp):

• runtime/RegExpObject.cpp:

(JSC::collectMatches):

• runtime/RegExpObjectInlines.h:

(JSC::RegExpObject::execInline):
(JSC::RegExpObject::matchInline):

• runtime/RegExpPrototype.cpp:

(JSC::regExpProtoFuncTestFast):
(JSC::regExpProtoFuncExec):
(JSC::regExpProtoFuncMatchFast):
(JSC::regExpProtoFuncToString):
(JSC::regExpProtoFuncSplitFast):

• runtime/ScriptExecutable.cpp:

(JSC::ScriptExecutable::newCodeBlockFor):
(JSC::ScriptExecutable::prepareForExecutionImpl):

• runtime/SetConstructor.cpp:

(JSC::constructSet):

• runtime/ThrowScope.cpp:

(JSC::ThrowScope::simulateThrow):

• runtime/VM.cpp:

(JSC::VM::verifyExceptionCheckNeedIsSatisfied):

• runtime/VM.h:
• runtime/WeakMapPrototype.cpp:

(JSC::protoFuncWeakMapSet):

• runtime/WeakSetPrototype.cpp:

(JSC::protoFuncWeakSetAdd):

• wasm/js/WebAssemblyModuleConstructor.cpp:

(JSC::WebAssemblyModuleConstructor::createModule):

• wasm/js/WebAssemblyModuleRecord.cpp:

(JSC::WebAssemblyModuleRecord::link):

• wasm/js/WebAssemblyPrototype.cpp:

(JSC::reject):
(JSC::webAssemblyCompileFunc):
(JSC::resolve):
(JSC::webAssemblyInstantiateFunc):

Source/WebCore:

No new tests because this is covered by existing tests with the JSC_validateExceptionChecks=true enabled.

• bindings/js/JSCustomElementInterface.cpp:

(WebCore::JSCustomElementInterface::tryToConstructCustomElement):

• bindings/js/JSCustomElementRegistryCustom.cpp:

(WebCore::whenDefinedPromise):

• bindings/js/JSDOMConvertRecord.h:
• bindings/js/JSDOMMapLike.cpp:

(WebCore::createBackingMap):

• bindings/js/JSDOMPromiseDeferred.cpp:

(WebCore::DeferredPromise::callFunction):
(WebCore::DeferredPromise::reject):

• bindings/js/JSDOMPromiseDeferred.h:

(WebCore::callPromiseFunction):

File:

• trunk/Source/JavaScriptCore/jit/JITOperations.cpp (modified) (26 diffs)

trunk/Source/JavaScriptCore/jit/JITOperations.cpp

@@ -354 +354 @@
     Identifier ident = Identifier::fromUid(vm, key);
     LOG_IC((ICEvent::OperationIn, base->classInfo(*vm), ident));
+    scope.release();
     return JSValue::encode(jsBoolean(asObject(base)->hasProperty(exec, ident)));
 }
@@ -554 +555 @@
         if (baseValue.isObject()) {
             JSObject* object = asObject(baseValue);
-            if (object->canSetIndexQuickly(i))
+            if (object->canSetIndexQuickly(i)) {
                 object->setIndexQuickly(vm, i, value);
-            else {
-                // FIXME: This will make us think that in-bounds typed array accesses are actually
-                // out-of-bounds.
-                // https://bugs.webkit.org/show_bug.cgi?id=149886
-                byValInfo->arrayProfile->setOutOfBounds();
-                object->methodTable(vm)->putByIndex(object, callFrame, i, value, callFrame->codeBlock()->isStrictMode());
+                return;
             }
-        } else
-            baseValue.putByIndex(callFrame, i, value, callFrame->codeBlock()->isStrictMode());
+
+            // FIXME: This will make us think that in-bounds typed array accesses are actually
+            // out-of-bounds.
+            // https://bugs.webkit.org/show_bug.cgi?id=149886
+            byValInfo->arrayProfile->setOutOfBounds();
+            scope.release();
+            object->methodTable(vm)->putByIndex(object, callFrame, i, value, callFrame->codeBlock()->isStrictMode());
+            return;
+        }
+
+        scope.release();
+        baseValue.putByIndex(callFrame, i, value, callFrame->codeBlock()->isStrictMode());
         return;
     }
@@ -604 +610 @@
         }
 
+        scope.release();
         baseObject->putDirectIndex(callFrame, index, value, 0, isStrictMode ? PutDirectIndexShouldThrow : PutDirectIndexShouldNotThrow);
         return;
@@ -613 +620 @@
         if (subscriptAsDouble == subscriptAsUInt32 && isIndex(subscriptAsUInt32)) {
             byValInfo->tookSlowPath = true;
+            scope.release();
             baseObject->putDirectIndex(callFrame, subscriptAsUInt32, value, 0, isStrictMode ? PutDirectIndexShouldThrow : PutDirectIndexShouldNotThrow);
             return;
@@ -624 +632 @@
     if (std::optional<uint32_t> index = parseIndex(property)) {
         byValInfo->tookSlowPath = true;
+        scope.release();
         baseObject->putDirectIndex(callFrame, index.value(), value, 0, isStrictMode ? PutDirectIndexShouldThrow : PutDirectIndexShouldNotThrow);
         return;
@@ -958 +967 @@
         CodeBlock** codeBlockSlot = execCallee->addressOfCodeBlock();
         JSObject* error = functionExecutable->prepareForExecution<FunctionExecutable>(*vm, callee, scope, kind, *codeBlockSlot);
-        ASSERT(throwScope.exception() == reinterpret_cast<Exception*>(error));
+        EXCEPTION_ASSERT(throwScope.exception() == reinterpret_cast<Exception*>(error));
         if (error) {
             return encodeResult(
@@ -1017 +1026 @@
         
         JSObject* error = functionExecutable->prepareForExecution<FunctionExecutable>(*vm, callee, scope, kind, codeBlock);
-        ASSERT_UNUSED(throwScope, throwScope.exception() == reinterpret_cast<Exception*>(error));
+        EXCEPTION_ASSERT_UNUSED(throwScope, throwScope.exception() == reinterpret_cast<Exception*>(error));
         if (error)
             return;
@@ -1044 +1053 @@
     JSValue calleeAsValue = execCallee->guaranteedJSValueCallee();
     calleeAsFunctionCell = getJSFunction(calleeAsValue);
-    if (UNLIKELY(!calleeAsFunctionCell))
+    if (UNLIKELY(!calleeAsFunctionCell)) {
+        throwScope.release();
         return handleHostCall(execCallee, calleeAsValue, callLinkInfo);
+    }
     
     JSFunction* function = jsCast<JSFunction*>(calleeAsFunctionCell);
@@ -1062 +1073 @@
         CodeBlock** codeBlockSlot = execCallee->addressOfCodeBlock();
         JSObject* error = functionExecutable->prepareForExecution<FunctionExecutable>(*vm, function, scope, kind, *codeBlockSlot);
-        ASSERT(throwScope.exception() == reinterpret_cast<Exception*>(error));
+        EXCEPTION_ASSERT(throwScope.exception() == reinterpret_cast<Exception*>(error));
         if (error) {
             return encodeResult(
@@ -1594 +1605 @@
     RETURN_IF_EXCEPTION(scope, void());
 
+    scope.release();
     if (accessorType == AccessorType::Getter)
         base->putGetter(exec, propertyKey, accessor, attribute);
@@ -1761 +1773 @@
             if (asString(baseValue)->canGetIndex(i)) {
                 ctiPatchCallByReturnAddress(returnAddress, FunctionPtr(operationGetByValString));
+                scope.release();
                 return asString(baseValue)->getIndex(exec, i);
             }
@@ -1777 +1790 @@
         }
 
+        scope.release();
         return baseValue.get(exec, i);
     }
@@ -1789 +1803 @@
         byValInfo->tookSlowPath = true;
 
+    scope.release();
     return baseValue.get(exec, property);
 }
@@ -1980 +1995 @@
     if (LIKELY(subscript.isUInt32())) {
         uint32_t i = subscript.asUInt32();
-        if (isJSString(baseValue) && asString(baseValue)->canGetIndex(i))
-            result = asString(baseValue)->getIndex(exec, i);
-        else {
-            result = baseValue.get(exec, i);
-            if (!isJSString(baseValue)) {
-                ASSERT(exec->bytecodeOffset());
-                ctiPatchCallByReturnAddress(ReturnAddressPtr(OUR_RETURN_ADDRESS), FunctionPtr(byValInfo->stubRoutine ? operationGetByValGeneric : operationGetByValOptimize));
-            }
+        if (isJSString(baseValue) && asString(baseValue)->canGetIndex(i)) {
+            scope.release();
+            return JSValue::encode(asString(baseValue)->getIndex(exec, i));
+        }
+        result = baseValue.get(exec, i);
+        RETURN_IF_EXCEPTION(scope, encodedJSValue());
+        if (!isJSString(baseValue)) {
+            ASSERT(exec->bytecodeOffset());
+            ctiPatchCallByReturnAddress(ReturnAddressPtr(OUR_RETURN_ADDRESS), FunctionPtr(byValInfo->stubRoutine ? operationGetByValGeneric : operationGetByValOptimize));
         }
     } else {
@@ -1994 +2010 @@
         auto property = subscript.toPropertyKey(exec);
         RETURN_IF_EXCEPTION(scope, encodedJSValue());
+        scope.release();
         result = baseValue.get(exec, property);
     }
@@ -2012 +2029 @@
 
     JSObject* baseObj = JSValue::decode(encodedBase).toObject(exec);
+    RETURN_IF_EXCEPTION(scope, false);
     if (!baseObj)
         return false;
     bool couldDelete = baseObj->methodTable(vm)->deleteProperty(baseObj, exec, Identifier::fromUid(&vm, uid));
+    RETURN_IF_EXCEPTION(scope, false);
     if (!couldDelete && exec->codeBlock()->isStrictMode())
         throwTypeError(exec, scope, ASCIILiteral(UnableToDeletePropertyError));
@@ -2032 +2051 @@
 
     JSObject* baseObj = JSValue::decode(encodedBase).toObject(exec);
+    RETURN_IF_EXCEPTION(scope, false);
     JSValue key = JSValue::decode(encodedKey);
     if (!baseObj)
@@ -2041 +2061 @@
         couldDelete = baseObj->methodTable(vm)->deletePropertyByIndex(baseObj, exec, index);
     else {
-        RETURN_IF_EXCEPTION(scope, false);
         Identifier property = key.toPropertyKey(exec);
         RETURN_IF_EXCEPTION(scope, false);
         couldDelete = baseObj->methodTable(vm)->deleteProperty(baseObj, exec, property);
     }
+    RETURN_IF_EXCEPTION(scope, false);
     if (!couldDelete && exec->codeBlock()->isStrictMode())
         throwTypeError(exec, scope, ASCIILiteral(UnableToDeletePropertyError));
@@ -2198 +2218 @@
     ASSERT(getPutInfo.resolveType() != ModuleVar);
 
+    throwScope.release();
     return JSValue::encode(scope->getPropertySlot(exec, ident, [&] (bool found, PropertySlot& slot) -> JSValue {
         if (!found) {
@@ -2249 +2270 @@
 
     bool hasProperty = scope->hasProperty(exec, ident);
+    EXCEPTION_ASSERT(!throwScope.exception() || !hasProperty);
     if (hasProperty
         && scope->isGlobalLexicalEnvironment()
@@ -2521 +2543 @@
     double a = op1.toNumber(exec);
     RETURN_IF_EXCEPTION(scope, encodedJSValue());
+    scope.release();
     double b = op2.toNumber(exec);
     return JSValue::encode(jsNumber(a * b));
@@ -2622 +2645 @@
     JSValue operand = JSValue::decode(encodedOperand);
     double number = operand.toNumber(exec);
-    if (UNLIKELY(scope.exception()))
-        return JSValue::encode(JSValue());
+    RETURN_IF_EXCEPTION(scope, encodedJSValue());
     return JSValue::encode(jsNumber(-number));
 }
@@ -2636 +2658 @@
     arithProfile.observeLHS(operand);
     double number = operand.toNumber(exec);
-    if (UNLIKELY(scope.exception()))
-        return JSValue::encode(JSValue());
+    RETURN_IF_EXCEPTION(scope, encodedJSValue());
 
     JSValue result = jsNumber(-number);
@@ -2673 +2694 @@
     
     double number = operand.toNumber(exec);
-    if (UNLIKELY(scope.exception()))
-        return JSValue::encode(JSValue());
+    RETURN_IF_EXCEPTION(scope, encodedJSValue());
     JSValue result = jsNumber(-number);
     arithProfile->observeResult(result);
@@ -2697 +2717 @@
 
     double number = operand.toNumber(exec);
-    if (UNLIKELY(scope.exception()))
-        return JSValue::encode(JSValue());
+    RETURN_IF_EXCEPTION(scope, encodedJSValue());
     return JSValue::encode(jsNumber(-number));
 }
@@ -2710 +2729 @@
     double a = op1.toNumber(exec);
     RETURN_IF_EXCEPTION(scope, encodedJSValue());
+    scope.release();
     double b = op2.toNumber(exec);
     return JSValue::encode(jsNumber(a - b));