Bug 1716931 - Add BailoutKind::Unreachable, and use to prevent potential violation of expectations in Warp compiled AfterYield r=iain

Differential Revision: https://phabricator.services.mozilla.com/D118859
2021-07-08 17:43:38 +00:00 · 2021-07-08 17:43:38 +00:00 · 7e08b2baf8
--- a/js/src/jit/BaselineBailouts.cpp
+++ b/js/src/jit/BaselineBailouts.cpp
@ -4,6 +4,7 @@
 * License, v. 2.0. If a copy of the MPL was not distributed with this
 * file, You can obtain one at http://mozilla.org/MPL/2.0/. */

+#include "mozilla/Assertions.h"
 #include "mozilla/ScopeExit.h"

 #include "builtin/ModuleObject.h"
@ -1805,6 +1806,8 @@ bool jit::FinishBailoutToBaseline(BaselineBailoutInfo* bailoutInfoArg) {
  UniquePtr<BaselineBailoutInfo> bailoutInfo(bailoutInfoArg);
  bailoutInfoArg = nullptr;

+  MOZ_DIAGNOSTIC_ASSERT(*bailoutInfo->bailoutKind != BailoutKind::Unreachable);
+
  JSContext* cx = TlsContext.get();
  BaselineFrame* topFrame = GetTopBaselineFrame(cx);

--- a/js/src/jit/IonTypes.h
+++ b/js/src/jit/IonTypes.h
@ -170,6 +170,9 @@ enum class BailoutKind : uint8_t {
  // We returned to a stack frame after invalidating its IonScript.
  OnStackInvalidation,

+  // We have executed code that should be unreachable, and need to assert.
+  Unreachable,
+
  Limit
 };

@ -209,6 +212,8 @@ inline const char* BailoutKindString(BailoutKind kind) {
      return "IonExceptionDebugMode";
    case BailoutKind::OnStackInvalidation:
      return "OnStackInvalidation";
+    case BailoutKind::Unreachable:
+      return "Unreachable";

    case BailoutKind::Limit:
      break;
--- a/js/src/jit/WarpBuilder.cpp
+++ b/js/src/jit/WarpBuilder.cpp
@ -2170,8 +2170,23 @@ bool WarpBuilder::build_Generator(BytecodeLocation loc) {
 }

 bool WarpBuilder::build_AfterYield(BytecodeLocation loc) {
-  // This comes after a yield, so from the perspective of -warp-
-  // this is unreachable code.
+  // Unreachable blocks don't need to generate a bail.
+  if (hasTerminatedBlock()) {
+    return true;
+  }
+
+  // This comes after a yield, which we generate as a return,
+  // so we know this should be unreachable code.
+  //
+  // We emit an unreachable bail for this, which will assert if we
+  // ever execute this.
+  //
+  // An Unreachable bail, instead of MUnreachable, because MUnreachable
+  // is a control instruction, and injecting it in the middle of a block
+  // causes various graph state assertions to fail.
+  MBail* bail = MBail::New(alloc(), BailoutKind::Unreachable);
+  current->add(bail);
+
  return true;
 }