Skip to content

[objects] Take into account the LSB bit in purecap ABI in Code::GetOffsetFromInstructionStart #5

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 1 commit into
base: 11.5.150.16_cheri_merge
Choose a base branch
from
Open

[objects] Take into account the LSB bit in purecap ABI in Code::GetOffsetFromInstructionStart #5

wants to merge 1 commit into from

Conversation

@RoundofThree
Copy link
Member

@RoundofThree RoundofThree commented Jul 21, 2025

When the PCC is sealed in purecap ABI, the LSB bit is set, leading to an off-by-one error in the computation of the offset from the instruction start to the current PCC address. This can cause errors such as in OptimizedFrame::LookupExceptionHandlerInTable, where the computed offset is used to look up an exception handler table.

Without this patch, executing the following JS code using ./d8 --allow-natives-syntax ~/v8-work/turbofan-exception-missing-code.js:

function a() { try { aaa } catch (e) {} }
a();
%PrepareFunctionForOptimization(a);
a();
%OptimizeFunctionOnNextCall(a);
a();
%GetOptimizationStatus(a);

leads to an exception after the function a() is optimised by Turbofan because OptimizedFrame::LookupExceptionHandlerInTable could not find the exception handler:

/home/zyj20/v8-work/turbofan-exception-missing-code.js:1: ReferenceError: aaa is not defined
function a() { try { aaa } catch (e) {} }
                     ^
ReferenceError: aaa is not defined
    at a (/home/zyj20/v8-work/turbofan-exception-missing-code.js:1:22)
    at /home/zyj20/v8-work/turbofan-exception-missing-code.js:6:1

With the patch, the script doesn't raise an exception as the ReferenceError is caught.

@RoundofThree RoundofThree requested a review from dstolfa July 22, 2025 00:10
dstolfa
dstolfa reviewed Jul 22, 2025
View reviewed changes
@RoundofThree RoundofThree force-pushed the fix-optimised-exception-handler branch from bfa8f2c to 0fa711c Compare July 27, 2025 20:57
@RoundofThree RoundofThree requested a review from dstolfa July 27, 2025 20:59
@dstolfa
Copy link

dstolfa commented Jul 30, 2025
edited
Loading

It appears that there is some discrepancy with test262 in particular with this patch. I haven't dug deeply into it, but here are the numbers:

Without the patch:

===
=== 1107 tests failed
===
>>> 57187 base tests produced 93466 (163%) non-filtered tests
>>> 93466 tests ran

With the patch:

===
=== 1754 tests failed
===
>>> 57187 base tests produced 93466 (163%) non-filtered tests
>>> 93466 tests ran

An example of a failing test with the patch can be seen:

${OUT}/d8 test/test262/data/test/built-ins/AsyncGeneratorPrototype/return/return-suspendedStart-broken-promise.js

test/test262/data/test/built-ins/AsyncGeneratorPrototype/return/return-suspendedStart-broken-promise.js:41: Error: broken promise
    throw new Error('broken promise');
    ^
Error: broken promise
    at Promise.get (test/test262/data/test/built-ins/AsyncGeneratorPrototype/return/return-suspendedStart-broken-promise.js:41:11)
    at g.return (<anonymous>)
    at test/test262/data/test/built-ins/AsyncGeneratorPrototype/return/return-suspendedStart-broken-promise.js:45:10

and without the patch:

${OUT}/d8 test/test262/data/test/built-ins/AsyncGeneratorPrototype/return/return-suspendedStart-broken-promise.js

test/test262/data/test/built-ins/AsyncGeneratorPrototype/return/return-suspendedStart-broken-promise.js:54: ReferenceError: $DONE is not defined
  .then($DONE, $DONE);
        ^
ReferenceError: $DONE is not defined
    at test/test262/data/test/built-ins/AsyncGeneratorPrototype/return/return-suspendedStart-broken-promise.js:54:9

test/test262/data/test/built-ins/AsyncGeneratorPrototype/return/return-suspendedStart-broken-promise.js:51: ReferenceError: assert is not defined
      assert.sameValue(err.message, 'broken promise');
      ^
ReferenceError: assert is not defined
    at test/test262/data/test/built-ins/AsyncGeneratorPrototype/return/return-suspendedStart-broken-promise.js:51:7

1 pending unhandled Promise rejection(s) detected.

It may be that without this patch, the test worked accidentally. However, the output of this particular test in the latest commit in upstream V8 as of today seems to match, so I'm inclined to believe that something else is going on:

test/test262/data/test/built-ins/AsyncGeneratorPrototype/return/return-suspendedStart-broken-promise.js:54: ReferenceError: $DONE is not defined
  .then($DONE, $DONE);
        ^
ReferenceError: $DONE is not defined
    at test/test262/data/test/built-ins/AsyncGeneratorPrototype/return/return-suspendedStart-broken-promise.js:54:9

test/test262/data/test/built-ins/AsyncGeneratorPrototype/return/return-suspendedStart-broken-promise.js:51: ReferenceError: assert is not defined
      assert.sameValue(err.message, 'broken promise');
      ^
ReferenceError: assert is not defined
    at test/test262/data/test/built-ins/AsyncGeneratorPrototype/return/return-suspendedStart-broken-promise.js:51:7

1 pending unhandled Promise rejection(s) detected.

@RoundofThree
[objects] Take into account the LSB bit in purecap ABI in Code::GetOf…
e04b2bb 
…fsetFromInstructionStart

When the PCC is sealed in purecap ABI, the LSB bit is set, leading
to an off-by-one error in the computation of the offset from the
instruction start to the current PCC address. This can cause errors
such as in OptimizedFrame::LookupExceptionHandlerInTable, where the
computed offset is used to look up an exception handler table.
@RoundofThree RoundofThree force-pushed the fix-optimised-exception-handler branch from 0fa711c to e04b2bb Compare August 2, 2025 13:31
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@dstolfa dstolfa Awaiting requested review from dstolfa

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@RoundofThree @dstolfa