search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
Bug 1874684 - Part 29: Update spec fixme notes. r=mgaudet
[gecko.git] / js / src / jit / Bailouts.cpp
blob3730d8997a554b3f1fdcc7935a9cc8bf382c7253
1 /* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*-
2 * vim: set ts=8 sts=2 et sw=2 tw=80:
3 * This Source Code Form is subject to the terms of the Mozilla Public
4 * License, v. 2.0. If a copy of the MPL was not distributed with this
5 * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
6
7 #include "jit/Bailouts.h"
8
9 #include "mozilla/ArrayUtils.h"
10 #include "mozilla/ScopeExit.h"
11
12 #include "gc/GC.h"
13 #include "jit/Assembler.h" // jit::FramePointer
14 #include "jit/BaselineJIT.h"
15 #include "jit/JitFrames.h"
16 #include "jit/JitRuntime.h"
17 #include "jit/JitSpewer.h"
18 #include "jit/JSJitFrameIter.h"
19 #include "jit/SafepointIndex.h"
20 #include "jit/ScriptFromCalleeToken.h"
21 #include "vm/Interpreter.h"
22 #include "vm/JSContext.h"
23 #include "vm/Stack.h"
24
25 #include "vm/JSScript-inl.h"
26 #include "vm/Probes-inl.h"
27 #include "vm/Stack-inl.h"
28
29 using namespace js;
30 using namespace js::jit;
31
32 using mozilla::IsInRange;
33
34 #if defined(_WIN32)
35 # pragma pack(push, 1)
36 #endif
37 class js::jit::BailoutStack {
38 RegisterDump::FPUArray fpregs_;
39 RegisterDump::GPRArray regs_;
40 uintptr_t frameSize_;
41 uintptr_t snapshotOffset_;
42
43 public:
44 MachineState machineState() {
45 return MachineState::FromBailout(regs_, fpregs_);
46 }
47 uint32_t snapshotOffset() const { return snapshotOffset_; }
48 uint32_t frameSize() const { return frameSize_; }
49 uint8_t* parentStackPointer() {
50 return (uint8_t*)this + sizeof(BailoutStack);
51 }
52 };
53 #if defined(_WIN32)
54 # pragma pack(pop)
55 #endif
56
57 // Make sure the compiler doesn't add extra padding on 32-bit platforms.
58 static_assert((sizeof(BailoutStack) % 8) == 0,
59 "BailoutStack should be 8-byte aligned.");
60
61 BailoutFrameInfo::BailoutFrameInfo(const JitActivationIterator& activations,
62 BailoutStack* bailout)
63 : machine_(bailout->machineState()), activation_(nullptr) {
64 uint8_t* sp = bailout->parentStackPointer();
65 framePointer_ = sp + bailout->frameSize();
66 MOZ_RELEASE_ASSERT(uintptr_t(framePointer_) == machine_.read(FramePointer));
67
68 JSScript* script =
69 ScriptFromCalleeToken(((JitFrameLayout*)framePointer_)->calleeToken());
70 topIonScript_ = script->ionScript();
71
72 attachOnJitActivation(activations);
73 snapshotOffset_ = bailout->snapshotOffset();
74 }
75
76 BailoutFrameInfo::BailoutFrameInfo(const JitActivationIterator& activations,
77 InvalidationBailoutStack* bailout)
78 : machine_(bailout->machine()), activation_(nullptr) {
79 framePointer_ = (uint8_t*)bailout->fp();
80 MOZ_RELEASE_ASSERT(uintptr_t(framePointer_) == machine_.read(FramePointer));
81
82 topIonScript_ = bailout->ionScript();
83 attachOnJitActivation(activations);
84
85 uint8_t* returnAddressToFp_ = bailout->osiPointReturnAddress();
86 const OsiIndex* osiIndex = topIonScript_->getOsiIndex(returnAddressToFp_);
87 snapshotOffset_ = osiIndex->snapshotOffset();
88 }
89
90 BailoutFrameInfo::BailoutFrameInfo(const JitActivationIterator& activations,
91 const JSJitFrameIter& frame)
92 : machine_(frame.machineState()) {
93 framePointer_ = (uint8_t*)frame.fp();
94 topIonScript_ = frame.ionScript();
95 attachOnJitActivation(activations);
96
97 const OsiIndex* osiIndex = frame.osiIndex();
98 snapshotOffset_ = osiIndex->snapshotOffset();
99 }
100
101 // This address is a magic number made to cause crashes while indicating that we
102 // are making an attempt to mark the stack during a bailout.
103 static constexpr uint32_t FAKE_EXITFP_FOR_BAILOUT_ADDR = 0xba2;
104 static uint8_t* const FAKE_EXITFP_FOR_BAILOUT =
105 reinterpret_cast<uint8_t*>(FAKE_EXITFP_FOR_BAILOUT_ADDR);
106
107 static_assert(!(FAKE_EXITFP_FOR_BAILOUT_ADDR & wasm::ExitFPTag),
108 "FAKE_EXITFP_FOR_BAILOUT could be mistaken as a low-bit tagged "
109 "wasm exit fp");
110
111 bool jit::Bailout(BailoutStack* sp, BaselineBailoutInfo** bailoutInfo) {
112 JSContext* cx = TlsContext.get();
113 MOZ_ASSERT(bailoutInfo);
114
115 // We don't have an exit frame.
116 MOZ_ASSERT(IsInRange(FAKE_EXITFP_FOR_BAILOUT, 0, 0x1000) &&
117 IsInRange(FAKE_EXITFP_FOR_BAILOUT + sizeof(CommonFrameLayout),
118 0, 0x1000),
119 "Fake exitfp pointer should be within the first page.");
120
121 #ifdef DEBUG
122 // Reset the counter when we bailed after MDebugEnterGCUnsafeRegion, but
123 // before the matching MDebugLeaveGCUnsafeRegion.
124 //
125 // NOTE: EnterJit ensures the counter is zero when we enter JIT code.
126 cx->resetInUnsafeRegion();
127 #endif
128
129 cx->activation()->asJit()->setJSExitFP(FAKE_EXITFP_FOR_BAILOUT);
130
131 JitActivationIterator jitActivations(cx);
132 BailoutFrameInfo bailoutData(jitActivations, sp);
133 JSJitFrameIter frame(jitActivations->asJit());
134 MOZ_ASSERT(!frame.ionScript()->invalidated());
135 JitFrameLayout* currentFramePtr = frame.jsFrame();
136
137 JitSpew(JitSpew_IonBailouts, "Took bailout! Snapshot offset: %u",
138 frame.snapshotOffset());
139
140 MOZ_ASSERT(IsBaselineJitEnabled(cx));
141
142 *bailoutInfo = nullptr;
143 bool success =
144 BailoutIonToBaseline(cx, bailoutData.activation(), frame, bailoutInfo,
145 /*exceptionInfo=*/nullptr, BailoutReason::Normal);
146 MOZ_ASSERT_IF(success, *bailoutInfo != nullptr);
147
148 if (!success) {
149 MOZ_ASSERT(cx->isExceptionPending());
150 JSScript* script = frame.script();
151 probes::ExitScript(cx, script, script->function(),
152 /* popProfilerFrame = */ false);
153 }
154
155 // This condition was wrong when we entered this bailout function, but it
156 // might be true now. A GC might have reclaimed all the Jit code and
157 // invalidated all frames which are currently on the stack. As we are
158 // already in a bailout, we could not switch to an invalidation
159 // bailout. When the code of an IonScript which is on the stack is
160 // invalidated (see InvalidateActivation), we remove references to it and
161 // increment the reference counter for each activation that appear on the
162 // stack. As the bailed frame is one of them, we have to decrement it now.
163 if (frame.ionScript()->invalidated()) {
164 frame.ionScript()->decrementInvalidationCount(cx->gcContext());
165 }
166
167 // NB: Commentary on how |lastProfilingFrame| is set from bailouts.
168 //
169 // Once we return to jitcode, any following frames might get clobbered,
170 // but the current frame will not (as it will be clobbered "in-place"
171 // with a baseline frame that will share the same frame prefix).
172 // However, there may be multiple baseline frames unpacked from this
173 // single Ion frame, which means we will need to once again reset
174 // |lastProfilingFrame| to point to the correct unpacked last frame
175 // in |FinishBailoutToBaseline|.
176 //
177 // In the case of error, the jitcode will jump immediately to an
178 // exception handler, which will unwind the frames and properly set
179 // the |lastProfilingFrame| to point to the frame being resumed into
180 // (see |AutoResetLastProfilerFrameOnReturnFromException|).
181 //
182 // In both cases, we want to temporarily set the |lastProfilingFrame|
183 // to the current frame being bailed out, and then fix it up later.
184 if (cx->runtime()->jitRuntime()->isProfilerInstrumentationEnabled(
185 cx->runtime())) {
186 cx->jitActivation->setLastProfilingFrame(currentFramePtr);
187 }
188
189 return success;
190 }
191
192 bool jit::InvalidationBailout(InvalidationBailoutStack* sp,
193 BaselineBailoutInfo** bailoutInfo) {
194 sp->checkInvariants();
195
196 JSContext* cx = TlsContext.get();
197
198 #ifdef DEBUG
199 // Reset the counter when we bailed after MDebugEnterGCUnsafeRegion, but
200 // before the matching MDebugLeaveGCUnsafeRegion.
201 //
202 // NOTE: EnterJit ensures the counter is zero when we enter JIT code.
203 cx->resetInUnsafeRegion();
204 #endif
205
206 // We don't have an exit frame.
207 cx->activation()->asJit()->setJSExitFP(FAKE_EXITFP_FOR_BAILOUT);
208
209 JitActivationIterator jitActivations(cx);
210 BailoutFrameInfo bailoutData(jitActivations, sp);
211 JSJitFrameIter frame(jitActivations->asJit());
212 JitFrameLayout* currentFramePtr = frame.jsFrame();
213
214 JitSpew(JitSpew_IonBailouts, "Took invalidation bailout! Snapshot offset: %u",
215 frame.snapshotOffset());
216
217 MOZ_ASSERT(IsBaselineJitEnabled(cx));
218
219 *bailoutInfo = nullptr;
220 bool success = BailoutIonToBaseline(cx, bailoutData.activation(), frame,
221 bailoutInfo, /*exceptionInfo=*/nullptr,
222 BailoutReason::Invalidate);
223 MOZ_ASSERT_IF(success, *bailoutInfo != nullptr);
224
225 if (!success) {
226 MOZ_ASSERT(cx->isExceptionPending());
227
228 // If the bailout failed, then bailout trampoline will pop the
229 // current frame and jump straight to exception handling code when
230 // this function returns. Any Gecko Profiler entry pushed for this
231 // frame will be silently forgotten.
232 //
233 // We call ExitScript here to ensure that if the ionScript had Gecko
234 // Profiler instrumentation, then the entry for it is popped.
235 //
236 // However, if the bailout was during argument check, then a
237 // pseudostack frame would not have been pushed in the first
238 // place, so don't pop anything in that case.
239 JSScript* script = frame.script();
240 probes::ExitScript(cx, script, script->function(),
241 /* popProfilerFrame = */ false);
242
243 #ifdef JS_JITSPEW
244 JitFrameLayout* layout = frame.jsFrame();
245 JitSpew(JitSpew_IonInvalidate, "Bailout failed (Fatal Error)");
246 JitSpew(JitSpew_IonInvalidate, " calleeToken %p",
247 (void*)layout->calleeToken());
248 JitSpew(JitSpew_IonInvalidate, " callerFramePtr %p",
249 layout->callerFramePtr());
250 JitSpew(JitSpew_IonInvalidate, " ra %p", (void*)layout->returnAddress());
251 #endif
252 }
253
254 frame.ionScript()->decrementInvalidationCount(cx->gcContext());
255
256 // Make the frame being bailed out the top profiled frame.
257 if (cx->runtime()->jitRuntime()->isProfilerInstrumentationEnabled(
258 cx->runtime())) {
259 cx->jitActivation->setLastProfilingFrame(currentFramePtr);
260 }
261
262 return success;
263 }
264
265 bool jit::ExceptionHandlerBailout(JSContext* cx,
266 const InlineFrameIterator& frame,
267 ResumeFromException* rfe,
268 const ExceptionBailoutInfo& excInfo) {
269 // If we are resuming in a finally block, the exception has already
270 // been captured.
271 // We can also be propagating debug mode exceptions without there being an
272 // actual exception pending. For instance, when we return false from an
273 // operation callback like a timeout handler.
274 MOZ_ASSERT_IF(
275 !cx->isExceptionPending(),
276 excInfo.isFinally() || excInfo.propagatingIonExceptionForDebugMode());
277
278 JS::AutoSaveExceptionState savedExc(cx);
279
280 JitActivation* act = cx->activation()->asJit();
281 uint8_t* prevExitFP = act->jsExitFP();
282 auto restoreExitFP =
283 mozilla::MakeScopeExit([&]() { act->setJSExitFP(prevExitFP); });
284 act->setJSExitFP(FAKE_EXITFP_FOR_BAILOUT);
285
286 gc::AutoSuppressGC suppress(cx);
287
288 JitActivationIterator jitActivations(cx);
289 BailoutFrameInfo bailoutData(jitActivations, frame.frame());
290 JSJitFrameIter frameView(jitActivations->asJit());
291 JitFrameLayout* currentFramePtr = frameView.jsFrame();
292
293 BaselineBailoutInfo* bailoutInfo = nullptr;
294 bool success = BailoutIonToBaseline(cx, bailoutData.activation(), frameView,
295 &bailoutInfo, &excInfo,
296 BailoutReason::ExceptionHandler);
297 if (success) {
298 MOZ_ASSERT(bailoutInfo);
299
300 // Overwrite the kind so HandleException after the bailout returns
301 // false, jumping directly to the exception tail.
302 if (excInfo.propagatingIonExceptionForDebugMode()) {
303 bailoutInfo->bailoutKind =
304 mozilla::Some(BailoutKind::IonExceptionDebugMode);
305 } else if (excInfo.isFinally()) {
306 bailoutInfo->bailoutKind = mozilla::Some(BailoutKind::Finally);
307 }
308
309 rfe->kind = ExceptionResumeKind::Bailout;
310 rfe->stackPointer = bailoutInfo->incomingStack;
311 rfe->bailoutInfo = bailoutInfo;
312 } else {
313 // Drop the exception that triggered the bailout and instead propagate the
314 // failure caused by processing the bailout (eg. OOM).
315 savedExc.drop();
316 MOZ_ASSERT(!bailoutInfo);
317 MOZ_ASSERT(cx->isExceptionPending());
318 }
319
320 // Make the frame being bailed out the top profiled frame.
321 if (cx->runtime()->jitRuntime()->isProfilerInstrumentationEnabled(
322 cx->runtime())) {
323 cx->jitActivation->setLastProfilingFrame(currentFramePtr);
324 }
325
326 return success;
327 }
328
329 // Initialize the NamedLambdaObject and CallObject of the current frame if
330 // needed.
331 bool jit::EnsureHasEnvironmentObjects(JSContext* cx, AbstractFramePtr fp) {
332 // Ion does not compile eval scripts.
333 MOZ_ASSERT(!fp.isEvalFrame());
334
335 if (fp.isFunctionFrame() && !fp.hasInitialEnvironment() &&
336 fp.callee()->needsFunctionEnvironmentObjects()) {
337 if (!fp.initFunctionEnvironmentObjects(cx)) {
338 return false;
339 }
340 }
341
342 return true;
343 }
344
345 void BailoutFrameInfo::attachOnJitActivation(
346 const JitActivationIterator& jitActivations) {
347 MOZ_ASSERT(jitActivations->asJit()->jsExitFP() == FAKE_EXITFP_FOR_BAILOUT);
348 activation_ = jitActivations->asJit();
349 activation_->setBailoutData(this);
350 }
351
352 BailoutFrameInfo::~BailoutFrameInfo() { activation_->cleanBailoutData(); }