Changeset 293714 in webkit

Timestamp:

May 2, 2022, 10:07:01 PM (3 years ago)

Author:

[email protected]

Message:

[JSC] Introduce unlinked version of invalidation
​https://bugs.webkit.org/show_bug.cgi?id=239887

Reviewed by Saam Barati.

This patch makes invalidation mechanism unlinked for unlinked DFG.

1. We always use CheckTraps instead of InvalidationPoint with VMTraps so that we do not need

to repatch existing code.

2. We introduce load-and-branch based InvalidationPoint for unlinked DFG so that we do not need

to repatch it to jump to OSR exit when watchpoint fires. We store this condition in DFG::JITData
so that code can quickly access to that.

3. We make isStillValid conditions in DFG::CommonData always true for unlinked DFG code. Instead,

we check isJettisoned() condition of CodeBlock since it will become eventually per CodeBlock
information (while this CodeBlock gets invalidated, unlinked DFG code itself can be used for
the other CodeBlock).

After this change, now, jumpReplacements for unlinked DFG becomes empty. We no longer repatch these invalidation points.

• Source/JavaScriptCore/bytecode/CodeBlock.cpp:

(JSC::CodeBlock::jettison):
(JSC::CodeBlock::hasInstalledVMTrapsBreakpoints const):
(JSC::CodeBlock::canInstallVMTrapBreakpoints const):
(JSC::CodeBlock::installVMTrapBreakpoints):
(JSC::CodeBlock::hasInstalledVMTrapBreakpoints const): Deleted.

• Source/JavaScriptCore/bytecode/CodeBlock.h:
• Source/JavaScriptCore/dfg/DFGByteCodeParser.cpp:

(JSC::DFG::ByteCodeParser::parseBlock):

• Source/JavaScriptCore/dfg/DFGCommonData.cpp:

(JSC::DFG::CommonData::invalidate):
(JSC::DFG::CommonData::~CommonData):
(JSC::DFG::CommonData::installVMTrapBreakpoints):
(JSC::DFG::CommonData::isVMTrapBreakpoint):

• Source/JavaScriptCore/dfg/DFGCommonData.h:

(JSC::DFG::CommonData::CommonData):
(JSC::DFG::CommonData::hasInstalledVMTrapsBreakpoints const):
(JSC::DFG::CommonData::isStillValid const):

• Source/JavaScriptCore/dfg/DFGDoesGC.cpp:

(JSC::DFG::doesGC):

• Source/JavaScriptCore/dfg/DFGJITCode.cpp:

(JSC::DFG::JITCode::JITCode):

• Source/JavaScriptCore/dfg/DFGJITCode.h:
• Source/JavaScriptCore/dfg/DFGJITCompiler.cpp:

(JSC::DFG::JITCompiler::link):

• Source/JavaScriptCore/dfg/DFGOSREntry.cpp:

(JSC::DFG::prepareOSREntry):
(JSC::DFG::prepareCatchOSREntry):

• Source/JavaScriptCore/dfg/DFGPlan.cpp:

(JSC::DFG::Plan::finalize):

• Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp:

(JSC::DFG::SpeculativeJIT::compileInvalidationPoint):
(JSC::DFG::SpeculativeJIT::compileCheckTraps):
(JSC::DFG::SpeculativeJIT::emitInvalidationPoint): Deleted.

• Source/JavaScriptCore/dfg/DFGSpeculativeJIT.h:
• Source/JavaScriptCore/dfg/DFGSpeculativeJIT32_64.cpp:

(JSC::DFG::SpeculativeJIT::compile):

• Source/JavaScriptCore/dfg/DFGSpeculativeJIT64.cpp:

(JSC::DFG::SpeculativeJIT::compile):

• Source/JavaScriptCore/ftl/FTLJITCode.cpp:

(JSC::FTL::JITCode::JITCode):

• Source/JavaScriptCore/ftl/FTLJITCode.h:

(JSC::FTL::JITCode::isUnlinked const):

• Source/JavaScriptCore/ftl/FTLOSREntry.cpp:

(JSC::FTL::prepareOSREntry):

• Source/JavaScriptCore/jit/JITCode.cpp:

(JSC::JITCode::isUnlinked const):

• Source/JavaScriptCore/jit/JITCode.h:
• Source/JavaScriptCore/runtime/VMTraps.cpp:

(JSC::VMTraps::tryInstallTrapBreakpoints):
(JSC::VMTraps::handleTraps):

Canonical link: ​https://commits.webkit.org/250203@main

Location:

trunk

Files:

• JSTests/ChangeLog (modified) (1 diff)
• JSTests/stress/polling-based-trap-on-unlinked-dfg.js (added)
• Source/JavaScriptCore/ChangeLog (modified) (1 diff)
• Source/JavaScriptCore/bytecode/CodeBlock.cpp (modified) (4 diffs)
• Source/JavaScriptCore/bytecode/CodeBlock.h (modified) (2 diffs)
• Source/JavaScriptCore/dfg/DFGByteCodeParser.cpp (modified) (1 diff)
• Source/JavaScriptCore/dfg/DFGCommonData.cpp (modified) (4 diffs)
• Source/JavaScriptCore/dfg/DFGCommonData.h (modified) (4 diffs)
• Source/JavaScriptCore/dfg/DFGDoesGC.cpp (modified) (1 diff)
• Source/JavaScriptCore/dfg/DFGJITCode.cpp (modified) (1 diff)
• Source/JavaScriptCore/dfg/DFGJITCode.h (modified) (5 diffs)
• Source/JavaScriptCore/dfg/DFGJITCompiler.cpp (modified) (1 diff)
• Source/JavaScriptCore/dfg/DFGOSREntry.cpp (modified) (2 diffs)
• Source/JavaScriptCore/dfg/DFGPlan.cpp (modified) (1 diff)
• Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp (modified) (2 diffs)
• Source/JavaScriptCore/dfg/DFGSpeculativeJIT.h (modified) (1 diff)
• Source/JavaScriptCore/dfg/DFGSpeculativeJIT32_64.cpp (modified) (1 diff)
• Source/JavaScriptCore/dfg/DFGSpeculativeJIT64.cpp (modified) (1 diff)
• Source/JavaScriptCore/ftl/FTLJITCode.cpp (modified) (1 diff)
• Source/JavaScriptCore/ftl/FTLJITCode.h (modified) (1 diff)
• Source/JavaScriptCore/ftl/FTLOSREntry.cpp (modified) (1 diff)
• Source/JavaScriptCore/jit/JITCode.cpp (modified) (2 diffs)
• Source/JavaScriptCore/jit/JITCode.h (modified) (1 diff)
• Source/JavaScriptCore/runtime/VMTraps.cpp (modified) (5 diffs)

trunk/JSTests/ChangeLog

@@ +1 @@
+2022-04-29  Yusuke Suzuki  <[email protected]>
+
+        [JSC] Introduce unlinked version of invalidation
+        https://bugs.webkit.org/show_bug.cgi?id=239887
+
+        Reviewed by Saam Barati.
+
+        * stress/polling-based-trap-on-unlinked-dfg.js: Added.
+        (test):
+
 2022-05-01  Yusuke Suzuki  <[email protected]>
 

trunk/Source/JavaScriptCore/ChangeLog

@@ +1 @@
+2022-04-29  Yusuke Suzuki  <[email protected]>
+
+        [JSC] Introduce unlinked version of invalidation
+        https://bugs.webkit.org/show_bug.cgi?id=239887
+
+        Reviewed by Saam Barati.
+
+        This patch makes invalidation mechanism unlinked for unlinked DFG.
+
+        1. We always use CheckTraps instead of InvalidationPoint with VMTraps so that we do not need
+           to repatch existing code.
+        2. We introduce load-and-branch based InvalidationPoint for unlinked DFG so that we do not need
+           to repatch it to jump to OSR exit when watchpoint fires. We store this condition in DFG::JITData
+           so that code can quickly access to that.
+        3. We make isStillValid conditions in DFG::CommonData always true for unlinked DFG code. Instead,
+           we check isJettisoned() condition of CodeBlock since it will become eventually per CodeBlock
+           information (while this CodeBlock gets invalidated, unlinked DFG code itself can be used for
+           the other CodeBlock).
+
+        After this change, now, jumpReplacements for unlinked DFG becomes empty. We no longer repatch these invalidation points.
+
+        * bytecode/CodeBlock.cpp:
+        (JSC::CodeBlock::jettison):
+        (JSC::CodeBlock::hasInstalledVMTrapsBreakpoints const):
+        (JSC::CodeBlock::canInstallVMTrapBreakpoints const):
+        (JSC::CodeBlock::installVMTrapBreakpoints):
+        (JSC::CodeBlock::hasInstalledVMTrapBreakpoints const): Deleted.
+        * bytecode/CodeBlock.h:
+        (JSC::CodeBlock::isJettisoned const):
+        * dfg/DFGByteCodeParser.cpp:
+        (JSC::DFG::ByteCodeParser::parseBlock):
+        * dfg/DFGCommonData.cpp:
+        (JSC::DFG::CommonData::invalidateLinkedCode):
+        (JSC::DFG::CommonData::~CommonData):
+        (JSC::DFG::CommonData::installVMTrapBreakpoints):
+        (JSC::DFG::CommonData::invalidate): Deleted.
+        (JSC::DFG::CommonData::isVMTrapBreakpoint): Deleted.
+        * dfg/DFGCommonData.h:
+        (JSC::DFG::CommonData::CommonData):
+        (JSC::DFG::CommonData::hasInstalledVMTrapsBreakpoints const):
+        (JSC::DFG::CommonData::isUnlinked const):
+        (JSC::DFG::CommonData::isStillValid const):
+        * dfg/DFGDoesGC.cpp:
+        (JSC::DFG::doesGC):
+        * dfg/DFGJITCode.cpp:
+        (JSC::DFG::JITCode::JITCode):
+        * dfg/DFGJITCode.h:
+        * dfg/DFGJITCompiler.cpp:
+        (JSC::DFG::JITCompiler::link):
+        * dfg/DFGOSREntry.cpp:
+        (JSC::DFG::prepareOSREntry):
+        (JSC::DFG::prepareCatchOSREntry):
+        * dfg/DFGPlan.cpp:
+        (JSC::DFG::Plan::finalize):
+        * dfg/DFGSpeculativeJIT.cpp:
+        (JSC::DFG::SpeculativeJIT::compileInvalidationPoint):
+        (JSC::DFG::SpeculativeJIT::compileCheckTraps):
+        (JSC::DFG::SpeculativeJIT::emitInvalidationPoint): Deleted.
+        * dfg/DFGSpeculativeJIT.h:
+        * dfg/DFGSpeculativeJIT32_64.cpp:
+        (JSC::DFG::SpeculativeJIT::compile):
+        * dfg/DFGSpeculativeJIT64.cpp:
+        (JSC::DFG::SpeculativeJIT::compile):
+        * ftl/FTLJITCode.cpp:
+        (JSC::FTL::JITCode::JITCode):
+        * ftl/FTLJITCode.h:
+        (JSC::FTL::JITCode::isUnlinked const):
+        * ftl/FTLOSREntry.cpp:
+        (JSC::FTL::prepareOSREntry):
+        * jit/JITCode.cpp:
+        (JSC::JITCode::isUnlinked const):
+        * jit/JITCode.h:
+        * runtime/VMTraps.cpp:
+        (JSC::VMTraps::tryInstallTrapBreakpoints):
+        (JSC::VMTraps::handleTraps):
+
 2022-05-02  Yusuke Suzuki  <[email protected]>
 

trunk/Source/JavaScriptCore/bytecode/CodeBlock.cpp

@@ -2251 +2251 @@
         
         // This accomplishes (1), and does its own book-keeping about whether it has already happened.
-        if (!jitCode()->dfgCommon()->invalidate()) {
-            // We've already been invalidated.
-            RELEASE_ASSERT(this != replacement() || (vm.heap.currentThreadIsDoingGCWork() && !vm.heap.isMarked(ownerExecutable())));
-            return;
+        if (auto* jitData = dfgJITData()) {
+            if (jitData->isInvalidated()) {
+                // We've already been invalidated.
+                RELEASE_ASSERT(this != replacement() || (vm.heap.currentThreadIsDoingGCWork() && !vm.heap.isMarked(ownerExecutable())));
+                return;
+            }
+            jitData->invalidate();
+        }
+        if (!jitCode()->isUnlinked()) {
+            if (!jitCode()->dfgCommon()->invalidateLinkedCode()) {
+                // We've already been invalidated.
+                RELEASE_ASSERT(this != replacement() || (vm.heap.currentThreadIsDoingGCWork() && !vm.heap.isMarked(ownerExecutable())));
+                return;
+            }
         }
     }
@@ -3480 +3490 @@
 }
 
-bool CodeBlock::hasInstalledVMTrapBreakpoints() const
+bool CodeBlock::hasInstalledVMTrapsBreakpoints() const
+{
+#if ENABLE(SIGNAL_BASED_VM_TRAPS)
+    // This function may be called from a signal handler. We need to be
+    // careful to not call anything that is not signal handler safe, e.g.
+    // we should not perturb the refCount of m_jitCode.
+    if (!canInstallVMTrapBreakpoints())
+        return false;
+    return m_jitCode->dfgCommon()->hasInstalledVMTrapsBreakpoints();
+#else
+    return false;
+#endif
+}
+
+bool CodeBlock::canInstallVMTrapBreakpoints() const
 {
 #if ENABLE(SIGNAL_BASED_VM_TRAPS)
@@ -3488 +3512 @@
     if (!JITCode::isOptimizingJIT(jitType()))
         return false;
-    return m_jitCode->dfgCommon()->hasInstalledVMTrapsBreakpoints();
+    if (m_jitCode->isUnlinked())
+        return false;
+    return true;
 #else
     return false;
@@ -3500 +3526 @@
     // careful to not call anything that is not signal handler safe, e.g.
     // we should not perturb the refCount of m_jitCode.
-    if (!JITCode::isOptimizingJIT(jitType()))
+    if (!canInstallVMTrapBreakpoints())
         return false;
     auto& commonData = *m_jitCode->dfgCommon();

trunk/Source/JavaScriptCore/bytecode/CodeBlock.h

@@ -228 +228 @@
     JSParserScriptMode scriptMode() const { return m_unlinkedCode->scriptMode(); }
 
-    bool hasInstalledVMTrapBreakpoints() const;
+    bool hasInstalledVMTrapsBreakpoints() const;
+    bool canInstallVMTrapBreakpoints() const;
     bool installVMTrapBreakpoints();
 
@@ -740 +741 @@
     }
 
+    bool isJettisoned() const { return m_isJettisoned; }
+
     enum SteppingMode {
         SteppingModeDisabled,

trunk/Source/JavaScriptCore/dfg/DFGByteCodeParser.cpp

@@ -8125 +8125 @@
         
         case op_check_traps: {
-            addToGraph(Options::usePollingTraps() ? CheckTraps : InvalidationPoint);
+            addToGraph((Options::usePollingTraps() || m_graph.m_plan.isUnlinked()) ? CheckTraps : InvalidationPoint);
             NEXT_OPCODE(op_check_traps);
         }

trunk/Source/JavaScriptCore/dfg/DFGCommonData.cpp

@@ -56 +56 @@
 }
 
-bool CommonData::invalidate()
+bool CommonData::invalidateLinkedCode()
 {
-    if (!isStillValid)
+    if (m_isUnlinked) {
+        ASSERT(m_jumpReplacements.isEmpty());
+        return true;
+    }
+
+    if (!m_isStillValid)
         return false;
 
-    if (UNLIKELY(hasVMTrapsBreakpointsInstalled)) {
+    if (UNLIKELY(m_hasVMTrapsBreakpointsInstalled)) {
         Locker locker { pcCodeBlockMapLock };
         auto& map = pcCodeBlockMap();
         for (auto& jumpReplacement : m_jumpReplacements)
             map.remove(jumpReplacement.dataLocation());
-        hasVMTrapsBreakpointsInstalled = false;
+        m_hasVMTrapsBreakpointsInstalled = false;
     }
 
     for (unsigned i = m_jumpReplacements.size(); i--;)
         m_jumpReplacements[i].fire();
-    isStillValid = false;
+
+    m_isStillValid = false;
     return true;
 }
@@ -77 +83 @@
 CommonData::~CommonData()
 {
-    if (UNLIKELY(hasVMTrapsBreakpointsInstalled)) {
+    if (m_isUnlinked)
+        return;
+    if (UNLIKELY(m_hasVMTrapsBreakpointsInstalled)) {
         Locker locker { pcCodeBlockMapLock };
         auto& map = pcCodeBlockMap();
@@ -87 +95 @@
 void CommonData::installVMTrapBreakpoints(CodeBlock* owner)
 {
+    ASSERT(!m_isUnlinked);
     Locker locker { pcCodeBlockMapLock };
-    if (!isStillValid || hasVMTrapsBreakpointsInstalled)
+    if (!m_isStillValid || m_hasVMTrapsBreakpointsInstalled)
         return;
-    hasVMTrapsBreakpointsInstalled = true;
+    m_hasVMTrapsBreakpointsInstalled = true;
 
     auto& map = pcCodeBlockMap();
@@ -119 +128 @@
         return nullptr;
     return result->value;
-}
-
-bool CommonData::isVMTrapBreakpoint(void* address)
-{
-    if (!isStillValid)
-        return false;
-    for (unsigned i = m_jumpReplacements.size(); i--;) {
-        if (address == m_jumpReplacements[i].dataLocation())
-            return true;
-    }
-    return false;
 }
 

trunk/Source/JavaScriptCore/dfg/DFGCommonData.h

@@ -80 +80 @@
     WTF_MAKE_NONCOPYABLE(CommonData);
 public:
-    CommonData()
+    CommonData(bool isUnlinked)
         : codeOrigins(CodeOriginPool::create())
+        , m_isUnlinked(isUnlinked)
     { }
     ~CommonData();
@@ -87 +88 @@
     void shrinkToFit();
     
-    bool invalidate(); // Returns true if we did invalidate, or false if the code block was already invalidated.
-    bool hasInstalledVMTrapsBreakpoints() const { return isStillValid && hasVMTrapsBreakpointsInstalled; }
+    bool invalidateLinkedCode(); // Returns true if we did invalidate, or false if the code block was already invalidated.
+    bool hasInstalledVMTrapsBreakpoints() const { return m_isStillValid && m_hasVMTrapsBreakpointsInstalled; }
     void installVMTrapBreakpoints(CodeBlock* owner);
-    bool isVMTrapBreakpoint(void* address);
+
+    bool isUnlinked() const { return m_isUnlinked; }
+    bool isStillValid() const { return m_isStillValid; }
 
     CatchEntrypointData* catchOSREntryDataForBytecodeIndex(BytecodeIndex bytecodeIndex)
@@ -137 +140 @@
     ScratchBuffer* catchOSREntryBuffer;
     RefPtr<Profiler::Compilation> compilation;
-    bool isStillValid { true };
-    bool hasVMTrapsBreakpointsInstalled { false };
     
 #if USE(JSVALUE32_64)
@@ -146 +147 @@
     unsigned frameRegisterCount { std::numeric_limits<unsigned>::max() };
     unsigned requiredRegisterCountForExit { std::numeric_limits<unsigned>::max() };
+
+private:
+    bool m_isUnlinked { false };
+    bool m_isStillValid { true };
+    bool m_hasVMTrapsBreakpointsInstalled { false };
 };
 

trunk/Source/JavaScriptCore/dfg/DFGDoesGC.cpp

@@ -454 +454 @@
     case CheckTraps:
         // FIXME: https://bugs.webkit.org/show_bug.cgi?id=194323
-        ASSERT(Options::usePollingTraps());
+        ASSERT(Options::usePollingTraps() || graph.m_plan.isUnlinked());
         return true;
 

trunk/Source/JavaScriptCore/dfg/DFGJITCode.cpp

@@ -38 +38 @@
 JITCode::JITCode(bool isUnlinked)
     : DirectJITCode(JITType::DFGJIT)
-    , isUnlinked(isUnlinked)
+    , common(isUnlinked)
 {
 }

trunk/Source/JavaScriptCore/dfg/DFGJITCode.h

@@ -58 +58 @@
 
     static ptrdiff_t offsetOfExits() { return OBJECT_OFFSETOF(JITData, m_exits); }
+    static ptrdiff_t offsetOfIsInvalidated() { return OBJECT_OFFSETOF(JITData, m_isInvalidated); }
 
     static std::unique_ptr<JITData> create(unsigned poolSize, ExitVector&& exits)
@@ -70 +71 @@
     const MacroAssemblerCodeRef<OSRExitPtrTag>& exitCode(unsigned exitIndex) const { return m_exits[exitIndex]; }
 
+    bool isInvalidated() const { return !!m_isInvalidated; }
+
+    void invalidate()
+    {
+        m_isInvalidated = 1;
+    }
+
 private:
     explicit JITData(unsigned size, ExitVector&& exits)
@@ -78 +86 @@
 
     ExitVector m_exits;
+    uint8_t m_isInvalidated { 0 };
 };
 
@@ -87 +96 @@
     CommonData* dfgCommon() final;
     JITCode* dfg() final;
+    bool isUnlinked() const { return common.isUnlinked(); }
     
     OSREntryData* osrEntryDataForBytecodeIndex(BytecodeIndex bytecodeIndex)
@@ -181 +191 @@
     bool abandonOSREntry { false };
 #endif // ENABLE(FTL_JIT)
-    bool isUnlinked { false };
 };
 

trunk/Source/JavaScriptCore/dfg/DFGJITCompiler.cpp

@@ -292 +292 @@
         linkBuffer.link(m_exceptionChecksWithCallFrameRollback, CodeLocationLabel(vm().getCTIStub(handleExceptionWithCallFrameRollbackGenerator).retaggedCode<NoPtrTag>()));
 
-    Vector<JumpReplacement> jumpReplacements;
-    MacroAssemblerCodeRef<JITThunkPtrTag> osrExitThunk = vm().getCTIStub(osrExitGenerationThunkGenerator);
-    auto target = CodeLocationLabel<JITThunkPtrTag>(osrExitThunk.code());
-    for (unsigned i = 0; i < m_osrExit.size(); ++i) {
-        OSRExitCompilationInfo& info = m_exitCompilationInfo[i];
-
-        if (!m_graph.m_plan.isUnlinked()) {
+    if (!m_graph.m_plan.isUnlinked()) {
+        MacroAssemblerCodeRef<JITThunkPtrTag> osrExitThunk = vm().getCTIStub(osrExitGenerationThunkGenerator);
+        auto target = CodeLocationLabel<JITThunkPtrTag>(osrExitThunk.code());
+        Vector<JumpReplacement> jumpReplacements;
+        for (unsigned i = 0; i < m_osrExit.size(); ++i) {
+            OSRExitCompilationInfo& info = m_exitCompilationInfo[i];
             linkBuffer.link(info.m_patchableJump.m_jump, target);
             OSRExit& exit = m_osrExit[i];
             exit.m_patchableJumpLocation = linkBuffer.locationOf<JSInternalPtrTag>(info.m_patchableJump);
-        }
-
-        if (info.m_replacementSource.isSet()) {
-            jumpReplacements.append(JumpReplacement(
-                linkBuffer.locationOf<JSInternalPtrTag>(info.m_replacementSource),
-                linkBuffer.locationOf<OSRExitPtrTag>(info.m_replacementDestination)));
-        }
-    }
-    m_jitCode->common.m_jumpReplacements = WTFMove(jumpReplacements);
+            if (info.m_replacementSource.isSet()) {
+                jumpReplacements.append(JumpReplacement(
+                    linkBuffer.locationOf<JSInternalPtrTag>(info.m_replacementSource),
+                    linkBuffer.locationOf<OSRExitPtrTag>(info.m_replacementDestination)));
+            }
+        }
+        m_jitCode->common.m_jumpReplacements = WTFMove(jumpReplacements);
+    }
+
+#if ASSERT_ENABLED
+    for (auto& info : m_exitCompilationInfo) {
+        if (info.m_replacementSource.isSet())
+            ASSERT(!m_graph.m_plan.isUnlinked());
+    }
+    if (m_graph.m_plan.isUnlinked())
+        ASSERT(m_jitCode->common.m_jumpReplacements.isEmpty());
+#endif
     
     if (UNLIKELY(m_graph.compilation())) {

trunk/Source/JavaScriptCore/dfg/DFGOSREntry.cpp

@@ -98 +98 @@
     ASSERT(codeBlock->alternative());
     ASSERT(codeBlock->alternative()->jitType() == JITType::BaselineJIT);
-    ASSERT(codeBlock->jitCode()->dfgCommon()->isStillValid);
+    ASSERT(codeBlock->jitCode()->dfgCommon()->isStillValid());
+    ASSERT(!codeBlock->isJettisoned());
 
     if (!Options::useOSREntryToDFG())
@@ -347 +348 @@
 {
     ASSERT(optimizedCodeBlock->jitType() == JITType::DFGJIT || optimizedCodeBlock->jitType() == JITType::FTLJIT);
-    ASSERT(optimizedCodeBlock->jitCode()->dfgCommon()->isStillValid);
+    ASSERT(optimizedCodeBlock->jitCode()->dfgCommon()->isStillValid());
+    ASSERT(!optimizedCodeBlock->isJettisoned());
 
     if (!Options::useOSREntryToDFG() && optimizedCodeBlock->jitCode()->jitType() == JITType::DFGJIT)

trunk/Source/JavaScriptCore/dfg/DFGPlan.cpp

@@ -555 +555 @@
         }
 
-        // Since Plan::reallyAdd could fire watchpoints (see ArrayBufferViewWatchpointAdaptor::add), it is possible that the current CodeBlock is now invalidated.
-        if (!m_codeBlock->jitCode()->dfgCommon()->isStillValid) {
+        // Since Plan::reallyAdd could fire watchpoints (see ArrayBufferViewWatchpointAdaptor::add),
+        // it is possible that the current CodeBlock is now invalidated & jettisoned.
+        if (m_codeBlock->isJettisoned()) {
             CODEBLOCK_LOG_EVENT(m_codeBlock, "dfgFinalize", ("invalidated"));
             return CompilationInvalidated;

trunk/Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp

@@ -325 +325 @@
 }
 
-void SpeculativeJIT::emitInvalidationPoint(Node* node)
+void SpeculativeJIT::compileInvalidationPoint(Node* node)
 {
     if (!m_compileOkay)
         return;
+
+#if USE(JSVALUE64)
+    if (m_graph.m_plan.isUnlinked()) {
+        auto exitJump = m_jit.branchTest8(CCallHelpers::NonZero, CCallHelpers::Address(GPRInfo::constantsRegister, JITData::offsetOfIsInvalidated()));
+        speculationCheck(UncountableInvalidation, JSValueRegs(), nullptr, exitJump);
+        noResult(node);
+        return;
+    }
+#endif
+
     OSRExitCompilationInfo& info = m_jit.appendExitInfo(JITCompiler::JumpList());
     m_jit.appendOSRExit(OSRExit(
@@ -2498 +2508 @@
 void SpeculativeJIT::compileCheckTraps(Node* node)
 {
-    ASSERT(Options::usePollingTraps());
+    ASSERT(Options::usePollingTraps() || m_graph.m_plan.isUnlinked());
     GPRTemporary unused(this);
     GPRReg unusedGPR = unused.gpr();

trunk/Source/JavaScriptCore/dfg/DFGSpeculativeJIT.h

@@ -1675 +1675 @@
     void speculationCheck(ExitKind, JSValueSource, Edge, MacroAssembler::Jump jumpToFail, const SpeculationRecovery&);
     
-    void emitInvalidationPoint(Node*);
+    void compileInvalidationPoint(Node*);
     
     void unreachable(Node*);

trunk/Source/JavaScriptCore/dfg/DFGSpeculativeJIT32_64.cpp

@@ -4025 +4025 @@
 
     case InvalidationPoint:
-        emitInvalidationPoint(node);
+        compileInvalidationPoint(node);
         break;
 

trunk/Source/JavaScriptCore/dfg/DFGSpeculativeJIT64.cpp

@@ -5435 +5435 @@
         
     case InvalidationPoint:
-        emitInvalidationPoint(node);
+        compileInvalidationPoint(node);
         break;
 

trunk/Source/JavaScriptCore/ftl/FTLJITCode.cpp

@@ -38 +38 @@
 JITCode::JITCode()
     : JSC::JITCode(JITType::FTLJIT)
+    , common(/* isUnlinked */ false)
 {
 }

trunk/Source/JavaScriptCore/ftl/FTLJITCode.h

@@ -70 +70 @@
     void shrinkToFit(const ConcurrentJSLocker&) override;
 
+    bool isUnlinked() const { return common.isUnlinked(); }
+
     PCToCodeOriginMap* pcToCodeOriginMap() override { return common.m_pcToCodeOriginMap.get(); }
 

trunk/Source/JavaScriptCore/ftl/FTLOSREntry.cpp

@@ -49 +49 @@
     ForOSREntryJITCode* entryCode = entryCodeBlock->jitCode()->ftlForOSREntry();
 
-    if (!entryCode->dfgCommon()->isStillValid) {
+    if (!entryCode->dfgCommon()->isStillValid()) {
         dfgCode->clearOSREntryBlockAndResetThresholds(dfgCodeBlock);
         return nullptr;

trunk/Source/JavaScriptCore/jit/JITCode.cpp

@@ -27 +27 @@
 #include "JITCode.h"
 
+#include "DFGJITCode.h"
 #include "FTLJITCode.h"
 
@@ -66 +67 @@
 }
 
+bool JITCode::isUnlinked() const
+{
+    switch (m_jitType) {
+    case JITType::None:
+    case JITType::HostCallThunk:
+    case JITType::InterpreterThunk:
+    case JITType::BaselineJIT:
+        return true;
+    case JITType::DFGJIT:
+#if ENABLE(DFG_JIT)
+        return static_cast<const DFG::JITCode*>(this)->isUnlinked();
+#else
+        return false;
+#endif
+    case JITType::FTLJIT:
+#if ENABLE(FTL_JIT)
+        return static_cast<const FTL::JITCode*>(this)->isUnlinked();
+#else
+        return false;
+#endif
+    }
+    return true;
+}
+
 void JITCode::validateReferences(const TrackedReferences&)
 {

trunk/Source/JavaScriptCore/jit/JITCode.h

@@ -190 +190 @@
         return m_jitType;
     }
+
+    bool isUnlinked() const;
     
     template<typename PointerType>

trunk/Source/JavaScriptCore/runtime/VMTraps.cpp

@@ -146 +146 @@
     }
 
-    if (JITCode::isOptimizingJIT(foundCodeBlock->jitType())) {
+    if (foundCodeBlock->canInstallVMTrapBreakpoints()) {
         if (!m_lock->tryLock())
             return; // Let the SignalSender try again later.
@@ -156 +156 @@
         }
 
-        if (!foundCodeBlock->hasInstalledVMTrapBreakpoints())
+        if (!foundCodeBlock->hasInstalledVMTrapsBreakpoints())
             foundCodeBlock->installVMTrapBreakpoints();
         return;
@@ -223 +223 @@
                     return SignalAction::NotHandled;
                 }
-                ASSERT(currentCodeBlock->hasInstalledVMTrapBreakpoints());
+                ASSERT(currentCodeBlock->hasInstalledVMTrapsBreakpoints());
                 VM& vm = currentCodeBlock->vm();
 
@@ -243 +243 @@
                 vm.heap.forEachCodeBlockIgnoringJITPlans(codeBlockSetLocker, [&] (CodeBlock* codeBlock) {
                     // We want to jettison all code blocks that have vm traps breakpoints, otherwise we could hit them later.
-                    if (codeBlock->hasInstalledVMTrapBreakpoints()) {
+                    if (codeBlock->hasInstalledVMTrapsBreakpoints()) {
                         if (currentCodeBlock == codeBlock)
                             sawCurrentCodeBlock = true;
@@ -380 +380 @@
         vm.heap.forEachCodeBlockIgnoringJITPlans(codeBlockSetLocker, [&] (CodeBlock* codeBlock) {
             // We want to jettison all code blocks that have vm traps breakpoints, otherwise we could hit them later.
-            if (codeBlock->hasInstalledVMTrapBreakpoints())
+            if (codeBlock->hasInstalledVMTrapsBreakpoints())
                 codeBlock->jettison(Profiler::JettisonDueToVMTraps);
         });