exceptions can't always be checked under silent spill in DFG #28709
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
kmiller68
added
the
JavaScriptCore
kmiller68
force-pushed
the
eng/exceptions-cant-always-be-checked-under-silent-spill-in-DFG
branch
from
e26f77b
to
69bd390
Compare
|
EWS run on previous version of this PR (hash 69bd390) |
🛠 ios
🧪 mac-wk1
kmiller68
force-pushed
the
eng/exceptions-cant-always-be-checked-under-silent-spill-in-DFG
branch
from
69bd390
to
c50b46c
Compare
|
EWS run on current version of this PR (hash c50b46c) |
|
EWS run on previous version of this PR (hash e26f77b) |
webkit-commit-queue
force-pushed
the
eng/exceptions-cant-always-be-checked-under-silent-spill-in-DFG
branch
from
c50b46c
to
caea0dc
Compare
https://bugs.webkit.org/show_bug.cgi?id=274291 rdar://128067350 Reviewed by Yusuke Suzuki. If we're catching an exception in the same DFG frame it's potentially not safe to check for exceptions under a silent spill. This is because the OSR exit ramp does not know about the silent spill. So values will not be restored. There were a couple of possible fixes: 1) teach the DFGVariableEventStream about exceptions under silent spill. 2) add extra metadata about the fact we’re under a silent spill and silent fill before hitting the OSR exit ramp. 3) move the exception to an unused gpr until we can silent fill if needed. I went with option 3. 1. has the problem that it's complicated and might be a memory regression. 2. could bloat code size. I also noticed that my `requires (!OperationHasResult<T>)` checks were not properly eliminating overloads. This is because when you do e.g. `requires (!OperationHasResult<int>)` the `OperationHasResult<int>` will fail SFINAE but that just makes the concept false which then becomes true in the requirement. Instead we now have a new `OperationIsVoid<T>` concept. * JSTests/stress/stack-overflow-in-scope-with-catch.js: Added. (foo.catch.Set.Symbol.hasInstance): (foo.finally.bar): (foo.goo.baz): (foo.goo): (foo): * Source/JavaScriptCore/dfg/DFGArrayifySlowPathGenerator.h: * Source/JavaScriptCore/dfg/DFGCallArrayAllocatorSlowPathGenerator.h: * Source/JavaScriptCore/dfg/DFGCallCreateDirectArgumentsSlowPathGenerator.h: * Source/JavaScriptCore/dfg/DFGSaneStringGetByValSlowPathGenerator.h: * Source/JavaScriptCore/dfg/DFGSilentRegisterSavePlan.h: (JSC::DFG::SilentRegisterSavePlan::SilentRegisterSavePlan): (JSC::DFG::SilentRegisterSavePlan::reg const): (JSC::DFG::SilentRegisterSavePlan::gpr const): (JSC::DFG::SilentRegisterSavePlan::fpr const): * Source/JavaScriptCore/dfg/DFGSlowPathGenerator.h: (JSC::DFG::CallSlowPathGenerator::setUp): (JSC::DFG::CallSlowPathGenerator::tearDown): * Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp: (JSC::DFG::SpeculativeJIT::exceptionCheck): (JSC::DFG::SpeculativeJIT::silentSpillImpl): (JSC::DFG::SpeculativeJIT::silentFillImpl): (JSC::DFG::SpeculativeJIT::compileToLowerCase): (JSC::DFG::SpeculativeJIT::silentSpill): Deleted. (JSC::DFG::SpeculativeJIT::silentFill): Deleted. * Source/JavaScriptCore/dfg/DFGSpeculativeJIT.h: (JSC::DFG::SpeculativeJIT::spillPlanInterferesWithReg): (JSC::DFG::SpeculativeJIT::silentSpill): (JSC::DFG::SpeculativeJIT::silentFill): (JSC::DFG::SpeculativeJIT::silentSpillAllRegistersImpl): (JSC::DFG::SpeculativeJIT::silentFillAllRegisters): (JSC::DFG::SpeculativeJIT::operationExceptionCheck): (JSC::DFG::SpeculativeJIT::callOperation): (JSC::DFG::SpeculativeJIT::tryHandleOrGetExceptionUnderSilentSpill): (JSC::DFG::SpeculativeJIT::callOperationWithSilentSpill): * Source/JavaScriptCore/dfg/DFGSpeculativeJIT64.cpp: (JSC::DFG::SpeculativeJIT::nonSpeculativePeepholeStrictEq): (JSC::DFG::SpeculativeJIT::genericJSValueNonPeepholeStrictEq): (JSC::DFG::SpeculativeJIT::emitCall): (JSC::DFG::SpeculativeJIT::compileGetByVal): (JSC::DFG::SpeculativeJIT::compile): * Source/JavaScriptCore/jit/GPRInfo.h: (JSC::NoOverlapImpl::noOverlapImpl): * Source/JavaScriptCore/jit/OperationResult.h: * Source/JavaScriptCore/jit/Reg.h: Canonical link: https://commits.webkit.org/279031@main
webkit-commit-queue
force-pushed
the
eng/exceptions-cant-always-be-checked-under-silent-spill-in-DFG
branch
from
caea0dc
to
d1282e0
Compare
|
Committed 279031@main (d1282e0): https://commits.webkit.org/279031@main Reviewed commits have been landed. Closing PR #28709 and removing active labels. |
webkit-commit-queue
removed
the
merge-queue
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
d1282e0
c50b46c
🧪 wpe-wk2🧪 wincairo-tests🧪 ios-wk2-wpt🧪 api-ios🧪 gtk-wk2🛠 tv-sim🛠 watch