RESOLVED FIXED 238313
[JSC] JSRemoteFunction thunk should materialize code-pointer 
https://bugs.webkit.org/show_bug.cgi?id=238313
Summary [JSC] JSRemoteFunction thunk should materialize code-pointer
Yusuke Suzuki
Reported 2022-03-23 23:58:45 PDT
[JSC] JSRemoteFunction thunk should materialize code-pointer
Attachments
Patch (7.64 KB, patch)
2022-03-23 23:59 PDT, Yusuke Suzuki 		no flags
DetailsFormatted DiffDiff
Patch (8.93 KB, patch)
2022-03-24 00:33 PDT, Yusuke Suzuki 		no flags
DetailsFormatted DiffDiff
Patch (424.11 KB, patch)
2022-03-24 16:04 PDT, Chris Dumez 		no flags
DetailsFormatted DiffDiff
Show Obsolete (2) View All Add attachment proposed patch, testcase, etc.
Yusuke Suzuki
Comment 1 2022-03-23 23:59:58 PDT
Created attachment 455615 [details] Patch
Yusuke Suzuki
Comment 2 2022-03-24 00:33:13 PDT
Created attachment 455619 [details] Patch
Mark Lam
Comment 3 2022-03-24 14:28:01 PDT
Comment on attachment 455619 [details] Patch View in context: https://bugs.webkit.org/attachment.cgi?id=455619&action=review r=me > Source/JavaScriptCore/ChangeLog:10 > + Any GC can jettison CodeBlock's JITCode. It means that it is possible that JITCode is discarded because > + of wrapper creation for arguments of remote function. It causes occasional crashes on JSTests/stress/shadow-realm-evaluate.js > + test. This patch fixes it by materializing code pointer if it is already jettisoned. I suggest rephrasing this as: When invoking a JSRemoteFunction, we must first wrap the arguments passed to it. The wrapping operation may trigger a GC, and GC can jettison JIT code. As a result, even though we know that the target JSFunction has JIT code that we want to execute, the JIT code may be jettisoned (while wrapping the arguments for it) before we get to the call. This resulted in occasional crashes on the JSTests/stress/shadow-realm-evaluate.js test. This patch fixes this by doing a null check on the JIT code just before calling it, and if null (i.e. the JIT code has been jettisoned), re-materializing the JIT code first before making the call. > Source/JavaScriptCore/jit/ThunkGenerators.cpp:1539 > + // Any GC can potentially jettison JIT code in JSFunction. This means that calling operationGetWrappedValueForTarget already discarded > + // the code. We should check and materialize it here. At this point, once we got the code. So, we can always materialize the code. I suggest rephrasing this as: The calls to operationGetWrappedValueForTarget above may GC, and any GC can potentially jettison the JIT code in the target JSFunction. If we find that the JIT code is null (i.e. has been jettisoned), then we need to re-materialize it for the call below. Note that we know that operationMaterializeRemoteFunctionTargetCode should be able to re-materialize the JIT code (except for any OOME) because we only went down this code path after we found a non-null JIT code (in the noCode check) above i.e. it should be possible to materialize the JIT code.
Yusuke Suzuki
Comment 4 2022-03-24 14:40:30 PDT
Sounds good!
Yusuke Suzuki
Comment 5 2022-03-24 14:42:09 PDT
Committed r291815 (248842@trunk): <https://commits.webkit.org/248842@trunk>
Radar WebKit Bug Importer
Comment 6 2022-03-24 14:43:17 PDT
<rdar://problem/90791656>
Chris Dumez
Comment 7 2022-03-24 16:04:14 PDT
Reopening to attach new patch.
Chris Dumez
Comment 8 2022-03-24 16:04:16 PDT
Created attachment 455699 [details] Patch
Chris Dumez
Comment 9 2022-03-24 16:42:57 PDT
Bad webkit-patch upload.
Note You need to log in before you can comment on or make changes to this bug.