[M108-LTS] [osr] Avoid handling interrupts in the middle of OSR

M108 merge issues: src/baseline/baseline-compiler.h: JumpIfRoot and JumpIfNotRoot aren't present in 108 src/baseline/baseline-compiler.cc: UpdateInterruptBudgetAndJumpToLabel: - There's no DCHECK_LT weight check in 108. VisitJumpLoop: - The UpdateInterruptBudgetAndJumpToLabel call at the end of the block doesn't exist in 108 src/interpreter/interpreter-assembler.h/cc: DecreaseInterruptBudget isn't present in 108 test/mjsunit/mjsunit.status: wasm/simd-lane-memory64 and regress/regress-1320641 aren't skipped in 108 .. since interrupts may trigger code deoptimization, which in turn invalidates assumptions we've already checked at the beginning of OnStackReplacement. This CL disables the stack check as part of the bytecode budget interrupt, i.e. we don't call stack_guard()->HandleInterrupts() in Runtime_BytecodeBudgetInterrupt_{Ignition,Sparkplug}. (cherry picked from commit c2eda65) Fixed: chromium:1432470,chromium:1442603 Change-Id: I63dc51812741161cfb2f1cdb67c46e269d37f0f6 Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/4518604 Commit-Queue: Jakob Linke <jgruber@chromium.org> Cr-Original-Commit-Position: refs/heads/main@{#87590} No-Try: true No-Presubmit: true No-Tree-Checks: true Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/4577218 Reviewed-by: Toon Verwaest <verwaest@chromium.org> Commit-Queue: Roger Felipe Zanoni da Silva <rzanoni@google.com> Cr-Commit-Position: refs/branch-heads/10.8@{v8#72} Cr-Branched-From: f1bc03f-refs/heads/10.8.168@{#1} Cr-Branched-From: 237de89-refs/heads/main@{#83672}
hexagon-geo-surv · Jun 29, 2023 · 19e4f18 · 19e4f18
1 parent 700f8cb
commit 19e4f18
Show file tree

Hide file tree

Showing 6 changed files with 111 additions and 5 deletions.
diff --git a/src/baseline/baseline-compiler.cc b/src/baseline/baseline-compiler.cc
@@ -597,7 +597,8 @@ INTRINSICS_LIST(DECLARE_VISITOR)
 #undef DECLARE_VISITOR
 
 void BaselineCompiler::UpdateInterruptBudgetAndJumpToLabel(
-    int weight, Label* label, Label* skip_interrupt_label) {
+    int weight, Label* label, Label* skip_interrupt_label,
+    StackCheckBehavior stack_check_behavior) {
   if (weight != 0) {
     ASM_CODE_COMMENT(&masm_);
     __ AddToInterruptBudgetAndJumpIfNotExceeded(weight, skip_interrupt_label);
@@ -606,6 +607,10 @@ void BaselineCompiler::UpdateInterruptBudgetAndJumpToLabel(
       SaveAccumulatorScope accumulator_scope(&basm_);
       CallRuntime(Runtime::kBytecodeBudgetInterruptWithStackCheck_Sparkplug,
                   __ FunctionOperand());
+      CallRuntime(stack_check_behavior == kEnableStackCheck
+                    ? Runtime::kBytecodeBudgetInterruptWithStackCheck_Sparkplug
+                    : Runtime::kBytecodeBudgetInterrupt_Sparkplug,
+                  __ FunctionOperand());
     }
   }
   if (label) __ Jump(label);
@@ -614,7 +619,7 @@ void BaselineCompiler::UpdateInterruptBudgetAndJumpToLabel(
 void BaselineCompiler::UpdateInterruptBudgetAndDoInterpreterJump() {
   int weight = iterator().GetRelativeJumpTargetOffset() -
                iterator().current_bytecode_size_without_prefix();
-  UpdateInterruptBudgetAndJumpToLabel(weight, BuildForwardJumpLabel(), nullptr);
+  UpdateInterruptBudgetAndJumpToLabel(weight, BuildForwardJumpLabel(), nullptr, kEnableStackCheck);
 }
 
 void BaselineCompiler::UpdateInterruptBudgetAndDoInterpreterJumpIfRoot(
@@ -1928,7 +1933,7 @@ void BaselineCompiler::VisitJumpLoop() {
   // We can pass in the same label twice since it's a back edge and thus already
   // bound.
   DCHECK(label->is_bound());
-  UpdateInterruptBudgetAndJumpToLabel(weight, label, label);
+  UpdateInterruptBudgetAndJumpToLabel(weight, label, label, kEnableStackCheck);
 
   {
     ASM_CODE_COMMENT_STRING(&masm_, "OSR Handle Armed");

diff --git a/src/baseline/baseline-compiler.h b/src/baseline/baseline-compiler.h
@@ -102,8 +102,13 @@ class BaselineCompiler {
   // Jump helpers.
   Label* NewLabel();
   Label* BuildForwardJumpLabel();
-  void UpdateInterruptBudgetAndJumpToLabel(int weight, Label* label,
-                                           Label* skip_interrupt_label);
+  enum StackCheckBehavior {
+    kEnableStackCheck,
+    kDisableStackCheck,
+  };
+  void UpdateInterruptBudgetAndJumpToLabel(
+      int weight, Label* label, Label* skip_interrupt_label,
+      StackCheckBehavior stack_check_behavior);
   void UpdateInterruptBudgetAndDoInterpreterJump();
   void UpdateInterruptBudgetAndDoInterpreterJumpIfRoot(RootIndex root);
   void UpdateInterruptBudgetAndDoInterpreterJumpIfNotRoot(RootIndex root);

diff --git a/src/interpreter/interpreter-assembler.cc b/src/interpreter/interpreter-assembler.cc
@@ -1054,6 +1054,7 @@ void InterpreterAssembler::UpdateInterruptBudget(TNode<Int32T> weight,
   // Update budget.
   StoreObjectFieldNoWriteBarrier(
       feedback_cell, FeedbackCell::kInterruptBudgetOffset, new_budget.value());
+
   Goto(&done);
   BIND(&done);
   Comment("] UpdateInterruptBudget");

diff --git a/test/mjsunit/mjsunit.status b/test/mjsunit/mjsunit.status
@@ -492,6 +492,9 @@
   'wasm/huge-memory': [SKIP],
   'wasm/huge-typedarray': [SKIP],
   'wasm/bigint-opt': [SKIP],
+
+  # Needs a huge Uint8Array.
+  'regress/regress-1432470': [SKIP],
 }],  # 'arch in (ia32, arm, riscv32)'
 
 ##############################################################################

diff --git a/test/mjsunit/regress/regress-1432470.js b/test/mjsunit/regress/regress-1432470.js
@@ -0,0 +1,39 @@
+// Copyright 2023 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+const v2 = new Uint8ClampedArray(216);
+const v5 = new BigInt64Array(5);
+const v8 = new Uint32Array(2);
+for (let v9 = 0; v9 < 5; v9++) {
+  const v12 = new Float32Array(4096);
+  function f13() {
+    return f13;
+  }
+  const v14 = f13();
+  const v16 = 7 * v14;
+  const v17 = +v16;
+  const v18 = 4096 + v14;
+  const v19 = v18 * v17;
+  class C21 extends Array {
+    constructor(a23, a24, a25, a26) {
+      super();
+      v18.toLowerCase(a24, 7, 7, f13);
+    }
+  }
+  const v28 = new C21(v19, v16, 7, C21);
+  const v31 = new Uint8Array(1073741824);
+  for (let i = 0; i < 25; i++) {
+    let v36 = ("valueOf")[216];
+    for (let v37 = 0; v37 < 50; v37++) {
+      for (let v38 = 0; v38 < 50; v38++) {
+        v36 % (4096 >>> 4096);
+        v36++;
+      }
+      0 == 99;
+      class C45 {
+      }
+    }
+  }
+  Array(56393);
+}
diff --git a/test/mjsunit/regress/regress-1442603.js b/test/mjsunit/regress/regress-1442603.js
@@ -0,0 +1,53 @@
+// Copyright 2023 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+// Flags: --expose-gc --stress-flush-code
+// Flags: --always-turbofan --always-osr --osr-to-tierup=200
+
+function main() {
+  function f0() {
+    try {
+      var v0 = 0;
+    } catch (v3) { }
+    try {
+      var v1 = new Array(23);
+    } catch (v4) { }
+    try {
+      for (; v0 < v1.length; v0++) {
+        v1[v0] = new Uint32Array(262142);
+        v1[v0] = new Uint32Array(262139);
+        v1[v0] = new Uint32Array(262139);
+      }
+    } catch (v5) { }
+    v0 = -13;
+    try {
+      var v2 = [];
+    } catch (v6) { }
+    try {
+      var v1 = new Array(23);
+    } catch (v7) { }
+    try {
+      v2.xxx = "xxx";
+    } catch (e) { }
+    try {
+      for (var v0 = 0; v0 < 1024; v0++) {
+        v2[v0] = new Array(v0);
+        v2[v0] = new Array(v0);
+        v2[v0] = new Array(v0);
+        v2[v0].xxx = "xxx " + v0;
+        v2[v0].xxx = "xxx " + v0;
+        v2[v0].xxx = "xxx " + v0;
+      }
+    } catch (v8) { }
+    try {
+      gc();
+      a(900000)[b(b(900000), 900000)] = 900000;
+    } catch (v9) { }
+  }
+  gc();
+  f0();
+}
+main();
+main();
+main();