Ignore:
Timestamp:
Oct 20, 2020, 9:00:05 PM (5 years ago)
Author:
[email protected]
Message:

Don't OSR exit to bc#0 for FTL argument type checks during loop OSR entry
https://bugs.webkit.org/show_bug.cgi?id=217925
<rdar://problem/70369407>

Reviewed by Michael Saboff and Tadeu Zagallo.

JSTests:

  • stress/ftl-osr-entry-should-not-exit-to-bc-zero.js: Added.

Source/JavaScriptCore:

When the FTL was emitting type checks for the named arguments of a function,
it was always emitting these type checks with an exit origin of bc#0. It was
doing this even if we were an OSR entry compilation! This meant that type
checks for arguments that failed during loop OSR entry would incorrectly exit
back to bc#0.

This patch fixes this by having the OSR entry runtime code validate the
argument types before OSR entering. The current OSR entry compiled code in
the FTL is designed to only allow exiting after all ExtractOSREntryLocal and
MovHints have executed, so it is simpler to put the type checks in the runtime
instead of the compiled code.

This patch also makes it so we do exponential backoff when failing to OSR
enter. This is needed due to insufficient profiling where we never properly
profile the type of arguments. Before this, we'd OSR exit in the FTL code
itself, which does exponential backoff when recompiling. This patch builds
this same exponential backoff in for when we fail to OSR enter enough times
to give up on the OSR entry compilation.

  • ftl/FTLForOSREntryJITCode.h:
  • ftl/FTLLowerDFGToB3.cpp:

(JSC::FTL::DFG::LowerDFGToB3::lower):

  • ftl/FTLOSREntry.cpp:

(JSC::FTL::prepareOSREntry):

File:
1 edited

Legend:

Unmodified
Added
Removed

  • trunk/Source/JavaScriptCore/ftl/FTLOSREntry.cpp

    r264804 r268783  
    7575        JSValue valueOnStack = callFrame->r(virtualRegisterForArgumentIncludingThis(argument)).asanUnsafeJSValue();
    7676        Optional<JSValue> reconstructedValue = values.argument(argument);
     77        {
     78            JSValue valueToValidate = reconstructedValue ? *reconstructedValue : valueOnStack;
     79            auto flushFormat = entryCode->argumentFlushFormats()[argument];
     80            switch (flushFormat) {
     81            case DFG::FlushedInt32:
     82                if (!valueToValidate.isInt32())
     83                    return nullptr;
     84                break;
     85            case DFG::FlushedBoolean:
     86                if (!valueToValidate.isBoolean())
     87                    return nullptr;
     88                break;
     89            case DFG::FlushedCell:
     90                if (!valueToValidate.isCell())
     91                    return nullptr;
     92                break;
     93            case DFG::FlushedJSValue:
     94                break;
     95            default:
     96                dataLogLn("Unknown flush format for argument during FTL osr entry: ", flushFormat);
     97                RELEASE_ASSERT_NOT_REACHED();
     98                break;
     99            }
     100        }
     101
    77102        if (!argument) {
    78103            // |this| argument can be unboxed. We should store boxed value instead for loop OSR entry since FTL assumes that all arguments are flushed JSValue.
Note: See TracChangeset for help on using the changeset viewer.