Skip to content

Commit

Permalink
Double counted copy-prop syms hit FailFast
Browse files Browse the repository at this point in the history
- copy prop'd syms can be referenced by key and value
- both key and value can be in the unrestorableSymbols list
- always check for both key and value
- in each case check if the symbol is needed based on the BackEndId being checked 'key' or 'value'
  • Loading branch information
rhuanjl committed Apr 15, 2021
1 parent 54c61a5 commit be5693a
Show file tree
Hide file tree
Showing 4 changed files with 74 additions and 4 deletions.
4 changes: 2 additions & 2 deletions lib/Backend/LinearScan.cpp
Original file line number Diff line number Diff line change
Expand Up @@ -5135,13 +5135,13 @@ void LinearScan::GeneratorBailIn::BuildBailInSymbolList(

if (unrestorableSymbols.TestAndClear(value->m_id))
{
if (this->NeedsReloadingSymWhenBailingIn(copyPropSym.Key()))
if (this->NeedsReloadingSymWhenBailingIn(copyPropSym.Value()))
{
BailInSymbol bailInSym(key->m_id /* fromByteCodeRegSlot */, value->m_id /* toBackendId */);
bailInSymbols->PrependNode(this->func->m_alloc, bailInSym);
}
}
else if (unrestorableSymbols.TestAndClear(key->m_id))
if (unrestorableSymbols.TestAndClear(key->m_id))
{
if (this->NeedsReloadingSymWhenBailingIn(copyPropSym.Key()))
{
Expand Down
33 changes: 33 additions & 0 deletions test/es6/async-jit-bugs.js
Original file line number Diff line number Diff line change
@@ -0,0 +1,33 @@
//-------------------------------------------------------------------------------------------------------
// Copyright (C) Microsoft. All rights reserved.
// Copyright (c) 2021 ChakraCore Project Contributors. All rights reserved.
// Licensed under the MIT license. See LICENSE.txt file in the project root for full license information.
//-------------------------------------------------------------------------------------------------------

function main() {
const v2 = [13.37,13.37,13.37,13.37,13.37];
async function v4(v5,v6,v7,v8) {
const v10 = 0;
for (let v14 = 0; v14 < 8; v14++) {
v5["vEBD7ei78q"] = v14;
}
for (let v16 = 1; v16 < 1337; v16++) {
const v17 = v2.__proto__;
const v23 = [13.37,13.37,-2.2250738585072014e-308,13.37,13.37];
const v24 = v23.length;
const v25 = "-4294967296";
const v26 = 7;
function* v28(v29,v30,v31,...v32) {}
let v33 = -2.2250738585072014e-308;
const v34 = v28(v33,Object,Object);
const v35 = 13.37;
const v36 = 2384357829;
const v37 = await "-4294967296";
const v38 = --v33;
}
const v39 = 128;
print("pass")
}
v4("vEBD7ei78q");
}
main();
20 changes: 18 additions & 2 deletions test/es6/generator-jit-bugs.js
Original file line number Diff line number Diff line change
Expand Up @@ -4,8 +4,9 @@
// Licensed under the MIT license. See LICENSE.txt file in the project root for full license information.
//-------------------------------------------------------------------------------------------------------

let results = 0;
let test = 0;
// Simpler mini-test harness to avoid any complicating factors when testing these jit bugs
var results = 0;
var test = 0;
const verbose = WScript.Arguments[0] != "summary";

function check(actual, expected) {
Expand Down Expand Up @@ -90,6 +91,7 @@ check(gen4.next().value, 1);
check(gen4.next().value, 2);
check(gen4.next().value, 3);

// Test 5 - scope slots fail to load inside for-in loop
title("Load Scope Slots in presence of for-in");
function* gf5(v1) {
for(v0 in v1) {
Expand All @@ -106,6 +108,7 @@ check(gen5.next().value, undefined);
check(gen5.next().value, undefined);
check(gen5.next().value, undefined);

// Test 6 - scope slots used in loop control have invalid values
title("Load Scope Slots used in loop control");
function* gf6 () {
for (let v1 = 0; v1 < 1000; ++v1) {
Expand All @@ -121,6 +124,7 @@ check(gen6.next().value, 1);
check(gen6.next().value, 2);
check(gen6.next().value, 3);

// Test 7 - storing scoped slot from loop control in array
title("Load Scope Slots used in loop control and captured indirectly");
function* gf7(v1) {
for (const v2 in v1) {
Expand All @@ -136,5 +140,17 @@ check(gen7.next().value, 1);
check(gen7.next().value, 2);
check(gen7.next().value, undefined);

// Test 8 - copy prop'd sym is counted as two values - hits bookkeeping FailFast
title("Copy prop sym double counted in unrestorable symbols hits FailFast");
function* gf8() {
var v8 = 1.1;
yield* [];
yield {v8};
}

check(gf8().next().value.v8, 1.1);
check(gf8().next().value.v8, 1.1);
check(gf8().next().value.v8, 1.1);


print("pass");
21 changes: 21 additions & 0 deletions test/es6/rlexe.xml
Original file line number Diff line number Diff line change
Expand Up @@ -153,6 +153,27 @@
<tags>exclude_nonative, exclude_dynapogo</tags>
</default>
</test>
<test>
<default>
<files>async-jit-bugs.js</files>
<compile-flags>-JitES6Generators -args summary -endargs</compile-flags>
<tags>exclude_nonative</tags>
</default>
</test>
<test>
<default>
<files>async-jit-bugs.js</files>
<compile-flags>-JitES6Generators -off:simplejit -args summary -endargs</compile-flags>
<tags>exclude_nonative</tags>
</default>
</test>
<test>
<default>
<files>async-jit-bugs.js</files>
<compile-flags>-JitES6Generators -off:fulljit -args summary -endargs</compile-flags>
<tags>exclude_nonative, exclude_dynapogo</tags>
</default>
</test>
<test>
<default>
<files>proto_basic.js</files>
Expand Down

0 comments on commit be5693a

Please sign in to comment.