Skip to content
Permalink
Browse files
ASSERTION FAILED: regexp->isValid() or ASSERTION FAILED: !isCompilati…
…onThread()

https://bugs.webkit.org/show_bug.cgi?id=195735

Reviewed by Mark Lam.

JSTests:

New regression test.

* stress/dont-strength-reduce-regexp-with-compile-error.js: Added.
(foo):
(bar):

Source/JavaScriptCore:

There are two bug fixes here.

The first bug happens due to a race condition when we are compiling on a separate thread while the
main thread is compiling the RegExp at a place where it can run out of stack.  When that happens,
the RegExp becomes invalid due to the out of stack error.  If we check the ASSERT condition in the DFG
compilation thread, we crash.  After the main thread throws an exception, it resets the RegExp as
it might compile successfully the next time we try to execute it on a shallower stack.
The main thread will see the regular expression as valid when it executes the JIT'ed code we are compiling
or any slow path we call out to.  Therefore ASSERTs like this in compilation code can be eliminated.

The second bug is due to incorrect logic when we go to run the regexp in the Strength Reduction phase.
The current check for "do we have code to run the RegExp?" only checks that the RegExp's state
is != NotCompiled.  We also can't run the RegExp if there the state is ParseError.
Changing hasCode() to take this into account fixes the second issue.

(JSC::FTL::DFG::LowerDFGToB3::compileNewRegexp):
* runtime/RegExp.h:
* dfg/DFGSpeculativeJIT.cpp:
(JSC::DFG::SpeculativeJIT::compileNewRegexp):
* runtime/RegExp.h:


Canonical link: https://commits.webkit.org/210045@main
git-svn-id: https://svn.webkit.org/repository/webkit/trunk@242955 268f45cc-cd09-0410-ab3c-d52691b4dbfc
  • Loading branch information
msaboff committed Mar 14, 2019
1 parent 7eaa565 commit 8519225f5a674df989299ee68a51462c6c9a8ce0
Showing 6 changed files with 65 additions and 3 deletions.
@@ -1,3 +1,16 @@
2019-03-13 Michael Saboff <msaboff@apple.com>

ASSERTION FAILED: regexp->isValid() or ASSERTION FAILED: !isCompilationThread()
https://bugs.webkit.org/show_bug.cgi?id=195735

Reviewed by Mark Lam.

New regression test.

* stress/dont-strength-reduce-regexp-with-compile-error.js: Added.
(foo):
(bar):

2019-03-14 Saam barati <sbarati@apple.com>

Fixup uses KnownInt32 incorrectly in some nodes
@@ -0,0 +1,23 @@
//@ runDefault("--jitPolicyScale=0")

let tryCount = 10000;

function foo(a) {
if (tryCount == 0)
return;

tryCount--;

try {
eval('bar(/' + a[0].source + '/)');
} catch(e) {
}
}

function bar(r) {
foo([r]);
foo([r]);
r.exec('x');
}

bar(/((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((x))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))/);
@@ -1,3 +1,31 @@
2019-03-14 Michael Saboff <msaboff@apple.com>

ASSERTION FAILED: regexp->isValid() or ASSERTION FAILED: !isCompilationThread()
https://bugs.webkit.org/show_bug.cgi?id=195735

Reviewed by Mark Lam.

There are two bug fixes here.

The first bug happens due to a race condition when we are compiling on a separate thread while the
main thread is compiling the RegExp at a place where it can run out of stack. When that happens,
the RegExp becomes invalid due to the out of stack error. If we check the ASSERT condition in the DFG
compilation thread, we crash. After the main thread throws an exception, it resets the RegExp as
it might compile successfully the next time we try to execute it on a shallower stack.
The main thread will see the regular expression as valid when it executes the JIT'ed code we are compiling
or any slow path we call out to. Therefore ASSERTs like this in compilation code can be eliminated.

The second bug is due to incorrect logic when we go to run the regexp in the Strength Reduction phase.
The current check for "do we have code to run the RegExp?" only checks that the RegExp's state
is != NotCompiled. We also can't run the RegExp if there the state is ParseError.
Changing hasCode() to take this into account fixes the second issue.

(JSC::FTL::DFG::LowerDFGToB3::compileNewRegexp):
* runtime/RegExp.h:
* dfg/DFGSpeculativeJIT.cpp:
(JSC::DFG::SpeculativeJIT::compileNewRegexp):
* runtime/RegExp.h:

2019-03-14 Saam barati <sbarati@apple.com>

Fixup uses KnownInt32 incorrectly in some nodes
@@ -9756,7 +9756,6 @@ void SpeculativeJIT::compileNewTypedArrayWithSize(Node* node)
void SpeculativeJIT::compileNewRegexp(Node* node)
{
RegExp* regexp = node->castOperand<RegExp*>();
ASSERT(regexp->isValid());

GPRTemporary result(this);
GPRTemporary scratch1(this);
@@ -11274,7 +11274,6 @@ class LowerDFGToB3 {
FrozenValue* regexp = m_node->cellOperand();
LValue lastIndex = lowJSValue(m_node->child1());
ASSERT(regexp->cell()->inherits<RegExp>(vm()));
ASSERT(m_node->castOperand<RegExp*>()->isValid());

LBasicBlock slowCase = m_out.newBlock();
LBasicBlock continuation = m_out.newBlock();
@@ -108,7 +108,7 @@ class RegExp final : public JSCell {

bool hasCode()
{
return m_state != NotCompiled;
return m_state == JITCode || m_state == ByteCode;
}

bool hasCodeFor(Yarr::YarrCharSize);

0 comments on commit 8519225

Please sign in to comment.