ASSERTION FAILED: regexp->isValid() or ASSERTION FAILED: !isCompilati…

…onThread()

https://bugs.webkit.org/show_bug.cgi?id=195735

Reviewed by Mark Lam.

JSTests:

New regression test.

* stress/dont-strength-reduce-regexp-with-compile-error.js: Added.
(foo):
(bar):

Source/JavaScriptCore:

There are two bug fixes here.

The first bug happens due to a race condition when we are compiling on a separate thread while the
main thread is compiling the RegExp at a place where it can run out of stack.  When that happens,
the RegExp becomes invalid due to the out of stack error.  If we check the ASSERT condition in the DFG
compilation thread, we crash.  After the main thread throws an exception, it resets the RegExp as
it might compile successfully the next time we try to execute it on a shallower stack.
The main thread will see the regular expression as valid when it executes the JIT'ed code we are compiling
or any slow path we call out to.  Therefore ASSERTs like this in compilation code can be eliminated.

The second bug is due to incorrect logic when we go to run the regexp in the Strength Reduction phase.
The current check for "do we have code to run the RegExp?" only checks that the RegExp's state
is != NotCompiled.  We also can't run the RegExp if there the state is ParseError.
Changing hasCode() to take this into account fixes the second issue.

(JSC::FTL::DFG::LowerDFGToB3::compileNewRegexp):
* runtime/RegExp.h:
* dfg/DFGSpeculativeJIT.cpp:
(JSC::DFG::SpeculativeJIT::compileNewRegexp):
* runtime/RegExp.h:


Canonical link: https://commits.webkit.org/210045@main
git-svn-id: https://svn.webkit.org/repository/webkit/trunk@242955 268f45cc-cd09-0410-ab3c-d52691b4dbfc

JSTests/ChangeLog

@@ -1,3 +1,16 @@
+2019-03-13  Michael Saboff  <msaboff@apple.com>
+
+        ASSERTION FAILED: regexp->isValid() or ASSERTION FAILED: !isCompilationThread()
+        https://bugs.webkit.org/show_bug.cgi?id=195735
+
+        Reviewed by Mark Lam.
+
+        New regression test.
+
+        * stress/dont-strength-reduce-regexp-with-compile-error.js: Added.
+        (foo):
+        (bar):
+
 2019-03-14  Saam barati  <sbarati@apple.com>
 
         Fixup uses KnownInt32 incorrectly in some nodes

JSTests/stress/dont-strength-reduce-regexp-with-compile-error.js

@@ -0,0 +1,23 @@
+//@ runDefault("--jitPolicyScale=0")
+
+let tryCount = 10000;
+
+function foo(a) {
+  if (tryCount == 0)
+     return;
+
+  tryCount--;
+
+  try {
+    eval('bar(/' + a[0].source + '/)');
+  } catch(e) {
+  }
+}
+
+function bar(r) {
+  foo([r]);
+  foo([r]);
+  r.exec('x');
+}
+
+bar(/((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((x))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))/);

Source/JavaScriptCore/ChangeLog

@@ -1,3 +1,31 @@
+2019-03-14  Michael Saboff  <msaboff@apple.com>
+
+        ASSERTION FAILED: regexp->isValid() or ASSERTION FAILED: !isCompilationThread()
+        https://bugs.webkit.org/show_bug.cgi?id=195735
+
+        Reviewed by Mark Lam.
+
+        There are two bug fixes here.
+
+        The first bug happens due to a race condition when we are compiling on a separate thread while the
+        main thread is compiling the RegExp at a place where it can run out of stack.  When that happens,
+        the RegExp becomes invalid due to the out of stack error.  If we check the ASSERT condition in the DFG
+        compilation thread, we crash.  After the main thread throws an exception, it resets the RegExp as
+        it might compile successfully the next time we try to execute it on a shallower stack.
+        The main thread will see the regular expression as valid when it executes the JIT'ed code we are compiling
+        or any slow path we call out to.  Therefore ASSERTs like this in compilation code can be eliminated.
+
+        The second bug is due to incorrect logic when we go to run the regexp in the Strength Reduction phase.
+        The current check for "do we have code to run the RegExp?" only checks that the RegExp's state
+        is != NotCompiled.  We also can't run the RegExp if there the state is ParseError.
+        Changing hasCode() to take this into account fixes the second issue.
+
+        (JSC::FTL::DFG::LowerDFGToB3::compileNewRegexp):
+        * runtime/RegExp.h:
+        * dfg/DFGSpeculativeJIT.cpp:
+        (JSC::DFG::SpeculativeJIT::compileNewRegexp):
+        * runtime/RegExp.h:
+
 2019-03-14  Saam barati  <sbarati@apple.com>
 
         Fixup uses KnownInt32 incorrectly in some nodes

Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp

@@ -9756,7 +9756,6 @@ void SpeculativeJIT::compileNewTypedArrayWithSize(Node* node)
 void SpeculativeJIT::compileNewRegexp(Node* node)
 {
     RegExp* regexp = node->castOperand<RegExp*>();
-    ASSERT(regexp->isValid());
 
     GPRTemporary result(this);
     GPRTemporary scratch1(this);

Source/JavaScriptCore/ftl/FTLLowerDFGToB3.cpp

@@ -11274,7 +11274,6 @@ class LowerDFGToB3 {
         FrozenValue* regexp = m_node->cellOperand();
         LValue lastIndex = lowJSValue(m_node->child1());
         ASSERT(regexp->cell()->inherits<RegExp>(vm()));
-        ASSERT(m_node->castOperand<RegExp*>()->isValid());
 
         LBasicBlock slowCase = m_out.newBlock();
         LBasicBlock continuation = m_out.newBlock();

Source/JavaScriptCore/runtime/RegExp.h

@@ -108,7 +108,7 @@ class RegExp final : public JSCell {
 
     bool hasCode()
     {
-        return m_state != NotCompiled;
+        return m_state == JITCode || m_state == ByteCode;
     }
 
     bool hasCodeFor(Yarr::YarrCharSize);