Title: [235684] trunk/Source/_javascript_Core
Revision
235684
Author
[email protected]
Date
2018-09-05 13:21:15 -0700 (Wed, 05 Sep 2018)

Log Message

Fix DeferredSourceDump to capture the caller bytecodeIndex instead of CodeOrigin.
https://bugs.webkit.org/show_bug.cgi?id=189300
<rdar://problem/39681779>

Reviewed by Saam Barati.

At the time a DeferredSourceDump is instantiated, it captures a CodeOrigin value
which points to a InlineCallFrame in the DFG::Plan's m_inlineCallFrames set.  The
DeferredSourceDump is later used to dump source even if the compilation fails.
This is intentional so that we can use this tool to see what source fails to
compile as well.

The DFG::Plan may have been destructed by then, and since the compilation failed,
the InlineCallFrame is also destructed.  This means DeferredSourceDump::dump()
may end up accessing freed memory.

DeferredSourceDump doesn't really need a CodeOrigin.  All it wants is the caller
bytecodeIndex for the call to an inlined function.  Hence, we can fix this issue
by changing DeferredSourceDump to capture the caller bytecodeIndex instead.

In this patch, we also change DeferredSourceDump's m_codeBlock and m_rootCodeBlock
to be Strong references to ensure that the CodeBlocks are kept alive until they
can be dumped.

* bytecode/DeferredCompilationCallback.cpp:
(JSC::DeferredCompilationCallback::dumpCompiledSourcesIfNeeded):
* bytecode/DeferredSourceDump.cpp:
(JSC::DeferredSourceDump::DeferredSourceDump):
(JSC::DeferredSourceDump::dump):
* bytecode/DeferredSourceDump.h:
* dfg/DFGByteCodeParser.cpp:
(JSC::DFG::ByteCodeParser::parseCodeBlock):

Diff

Modified: trunk/Source/_javascript_Core/ChangeLog (235683 => 235684)


--- trunk/Source/_javascript_Core/ChangeLog	2018-09-05 19:03:09 UTC (rev 235683)
+++ trunk/Source/_javascript_Core/ChangeLog	2018-09-05 20:21:15 UTC (rev 235684)
@@ -1,3 +1,38 @@
+2018-09-05  Mark Lam  <[email protected]>
+
+        Fix DeferredSourceDump to capture the caller bytecodeIndex instead of CodeOrigin.
+        https://bugs.webkit.org/show_bug.cgi?id=189300
+        <rdar://problem/39681779>
+
+        Reviewed by Saam Barati.
+
+        At the time a DeferredSourceDump is instantiated, it captures a CodeOrigin value
+        which points to a InlineCallFrame in the DFG::Plan's m_inlineCallFrames set.  The
+        DeferredSourceDump is later used to dump source even if the compilation fails.
+        This is intentional so that we can use this tool to see what source fails to
+        compile as well.
+
+        The DFG::Plan may have been destructed by then, and since the compilation failed,
+        the InlineCallFrame is also destructed.  This means DeferredSourceDump::dump()
+        may be end up accessing freed memory.
+
+        DeferredSourceDump doesn't really need a CodeOrigin.  All it wants is the caller
+        bytecodeIndex for the call to an inlined function.  Hence, we can fix this issue
+        by changing DeferredSourceDump to capture the caller bytecodeIndex instead.
+
+        In this patch, we also change DeferredSourceDump's m_codeBlock and m_rootCodeBlock
+        to be Strong references to ensure that the CodeBlocks are kept alive until they
+        can be dumped.
+
+        * bytecode/DeferredCompilationCallback.cpp:
+        (JSC::DeferredCompilationCallback::dumpCompiledSourcesIfNeeded):
+        * bytecode/DeferredSourceDump.cpp:
+        (JSC::DeferredSourceDump::DeferredSourceDump):
+        (JSC::DeferredSourceDump::dump):
+        * bytecode/DeferredSourceDump.h:
+        * dfg/DFGByteCodeParser.cpp:
+        (JSC::DFG::ByteCodeParser::parseCodeBlock):
+
 2018-09-05  David Kilzer  <[email protected]>
 
         REGRESSION (r235419): DFGCFG.h is missing from _javascript_Core Xcode project

Modified: trunk/Source/_javascript_Core/bytecode/DeferredCompilationCallback.cpp (235683 => 235684)


--- trunk/Source/_javascript_Core/bytecode/DeferredCompilationCallback.cpp	2018-09-05 19:03:09 UTC (rev 235683)
+++ trunk/Source/_javascript_Core/bytecode/DeferredCompilationCallback.cpp	2018-09-05 20:21:15 UTC (rev 235684)
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2013, 2014 Apple Inc. All rights reserved.
+ * Copyright (C) 2013-2018 Apple Inc. All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
@@ -65,6 +65,7 @@
         dataLog("[", ++index, "] ");
         info.dump();
     }
+    dataLog("\n");
 }
 
 } // JSC

Modified: trunk/Source/_javascript_Core/bytecode/DeferredSourceDump.cpp (235683 => 235684)


--- trunk/Source/_javascript_Core/bytecode/DeferredSourceDump.cpp	2018-09-05 19:03:09 UTC (rev 235683)
+++ trunk/Source/_javascript_Core/bytecode/DeferredSourceDump.cpp	2018-09-05 20:21:15 UTC (rev 235684)
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2015 Apple Inc. All rights reserved.
+ * Copyright (C) 2015-2018 Apple Inc. All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
@@ -28,21 +28,21 @@
 
 #include "CodeBlock.h"
 #include "CodeBlockWithJITType.h"
+#include "StrongInlines.h"
 
 namespace JSC {
 
 DeferredSourceDump::DeferredSourceDump(CodeBlock* codeBlock)
-    : m_codeBlock(codeBlock)
-    , m_rootCodeBlock(nullptr)
+    : m_codeBlock(*codeBlock->vm(), codeBlock)
     , m_rootJITType(JITCode::None)
 {
 }
 
-DeferredSourceDump::DeferredSourceDump(CodeBlock* codeBlock, CodeBlock* rootCodeBlock, JITCode::JITType rootJITType, CodeOrigin callerCodeOrigin)
-    : m_codeBlock(codeBlock)
-    , m_rootCodeBlock(rootCodeBlock)
+DeferredSourceDump::DeferredSourceDump(CodeBlock* codeBlock, CodeBlock* rootCodeBlock, JITCode::JITType rootJITType, unsigned callerBytecodeIndex)
+    : m_codeBlock(*codeBlock->vm(), codeBlock)
+    , m_rootCodeBlock(*codeBlock->vm(), rootCodeBlock)
     , m_rootJITType(rootJITType)
-    , m_callerCodeOrigin(callerCodeOrigin)
+    , m_callerBytecodeIndex(callerBytecodeIndex)
 {
 }
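Review bot: Both constructors now dereference `codeBlock` unconditionally to obtain the VM (`*codeBlock->vm()`), so a null CodeBlock, which the old raw-pointer members tolerated at least until dump(), now faults at construction; the precondition should be stated, e.g. `ASSERT(codeBlock);` at the top of each constructor. The root CodeBlock is rooted in `codeBlock->vm()` rather than `rootCodeBlock->vm()`; that is presumably the same VM, but an `ASSERT(rootCodeBlock->vm() == codeBlock->vm());` would make the assumption checked rather than implicit. In the dump() hunk below, the two adjacent literals `" ", "bc#"` can be folded into the single literal `" bc#"`; dump()'s head, where isInlinedFrame is computed, lies outside that hunk.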
 
@@ -56,7 +56,7 @@
     dataLog(*m_codeBlock);
 
     if (isInlinedFrame)
-        dataLog(" at ", CodeBlockWithJITType(m_rootCodeBlock, m_rootJITType), " ", m_callerCodeOrigin);
+        dataLog(" at ", CodeBlockWithJITType(*m_rootCodeBlock, m_rootJITType), " ", "bc#", m_callerBytecodeIndex);
 
     dataLog("\n'''");
     m_codeBlock->dumpSource();

Modified: trunk/Source/_javascript_Core/bytecode/DeferredSourceDump.h (235683 => 235684)


--- trunk/Source/_javascript_Core/bytecode/DeferredSourceDump.h	2018-09-05 19:03:09 UTC (rev 235683)
+++ trunk/Source/_javascript_Core/bytecode/DeferredSourceDump.h	2018-09-05 20:21:15 UTC (rev 235684)
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2015 Apple Inc. All rights reserved.
+ * Copyright (C) 2015-2018 Apple Inc. All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
@@ -27,6 +27,7 @@
 
 #include "CodeOrigin.h"
 #include "JITCode.h"
+#include "Strong.h"
 
 namespace JSC {
 
@@ -35,15 +36,15 @@
 class DeferredSourceDump {
 public:
     DeferredSourceDump(CodeBlock*);
-    DeferredSourceDump(CodeBlock*, CodeBlock* rootCodeBlock, JITCode::JITType rootJITType, CodeOrigin callerCodeOrigin);
+    DeferredSourceDump(CodeBlock*, CodeBlock* rootCodeBlock, JITCode::JITType rootJITType, unsigned callerBytecodeIndex);
 
     void dump();
 
 private:
-    CodeBlock* m_codeBlock;
-    CodeBlock* m_rootCodeBlock;
+    Strong<CodeBlock> m_codeBlock;
+    Strong<CodeBlock> m_rootCodeBlock;
     JITCode::JITType m_rootJITType;
-    CodeOrigin m_callerCodeOrigin;
+    unsigned m_callerBytecodeIndex { UINT_MAX };
 };
 
 } // namespace JSC
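Review bot: The new default member initializer `unsigned m_callerBytecodeIndex { UINT_MAX };` relies on `UINT_MAX`, but no `<climits>`/`<limits.h>` include is visible in the header's include hunk; if the name only arrives transitively through Strong.h or JITCode.h, an explicit include keeps the header self-contained. The sentinel's meaning is also undocumented: a comment such as `// UINT_MAX: not an inlined frame; only meaningful when m_rootCodeBlock is set` next to the member would tell readers why dump() never prints it for the single-argument constructor. In the include hunk above, `#include "CodeOrigin.h"` remains although no member or parameter in this class mentions CodeOrigin any more; it looks removable unless something else in the header still needs it.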

Modified: trunk/Source/_javascript_Core/dfg/DFGByteCodeParser.cpp (235683 => 235684)


--- trunk/Source/_javascript_Core/dfg/DFGByteCodeParser.cpp	2018-09-05 19:03:09 UTC (rev 235683)
+++ trunk/Source/_javascript_Core/dfg/DFGByteCodeParser.cpp	2018-09-05 20:21:15 UTC (rev 235684)
@@ -6952,7 +6952,7 @@
     if (UNLIKELY(Options::dumpSourceAtDFGTime())) {
         Vector<DeferredSourceDump>& deferredSourceDump = m_graph.m_plan.callback()->ensureDeferredSourceDump();
         if (inlineCallFrame()) {
-            DeferredSourceDump dump(codeBlock->baselineVersion(), m_codeBlock, JITCode::DFGJIT, inlineCallFrame()->directCaller);
+            DeferredSourceDump dump(codeBlock->baselineVersion(), m_codeBlock, JITCode::DFGJIT, inlineCallFrame()->directCaller.bytecodeIndex);
             deferredSourceDump.append(dump);
         } else
             deferredSourceDump.append(DeferredSourceDump(codeBlock->baselineVersion()));
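Review bot: The inlined-frame branch still constructs a named `dump` and then appends a copy of it, and with the members now being `Strong<CodeBlock>` that copy presumably allocates a second pair of GC handles; the else branch appends a temporary directly, and the if branch can do the same, `deferredSourceDump.append(DeferredSourceDump(codeBlock->baselineVersion(), m_codeBlock, JITCode::DFGJIT, inlineCallFrame()->directCaller.bytecodeIndex));`, dropping the local. parseCodeBlock's body starts and ends outside the hunk.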