Fix inline exception handler deopt stack mismatch

SonicField · SonicField · commit 28b4ee14b30c · 2026-03-30T15:34:19.000-07:00
The JIT's inline exception handler skips PUSH_EXC_INFO as an
optimization, but handler body bytecodes (SWAP, POP_EXCEPT) still
expect the previous exception on the stack. When the handler body
hit an unsupported opcode and deopted, the interpreter found garbage
where prev_exc should be. POP_EXCEPT then wrote garbage into
tstate-&gt;exc_info-&gt;exc_value, corrupting the exception context chain.

Fix: push Py_None as a prev_exc placeholder before handler body
bytecodes. This ensures all deopts have a valid stack layout.
Also handle SWAP inline and make POP_EXCEPT pop the placeholder.

Fixes both emitInlineExceptionMatch and emitCallExceptionHandler.
diff --git a/Python/jit/hir/builder.cpp b/Python/jit/hir/builder.cpp
@@ -713,19 +713,41 @@ void HIRBuilder::emitInlineExceptionMatch(
       TranslationContext match_tc{match_block, exc_tc.frame};
       match_tc.frame.cur_instr_offs = info.except_body;
 
+      // Push Py_None as the "previous exception" placeholder.
+      // In CPython's interpreter, PUSH_EXC_INFO pushes the old
+      // exc_info->exc_value onto the stack so POP_EXCEPT can restore
+      // it. The JIT skips PUSH_EXC_INFO but the handler body bytecodes
+      // (SWAP, POP_EXCEPT) still expect prev_exc on the stack. If the
+      // handler body hits an unsupported opcode and deopts, the
+      // interpreter must find a valid prev_exc here — otherwise
+      // POP_EXCEPT writes a garbage pointer into exc_info->exc_value,
+      // corrupting the exception context chain.
+      Register* prev_exc_reg = temps_.AllocateStack();
+      match_tc.emit<LoadConst>(prev_exc_reg, TNoneType);
+      match_tc.frame.stack.push(prev_exc_reg);
+
       BytecodeInstruction ebc{code_, info.except_body};
       bool emitted_terminator = false;
 
       while (!emitted_terminator) {
         switch (ebc.opcode()) {
           case POP_EXCEPT:
-            // No-op for B2: we never pushed exc_info in the JIT.
+            // Pop the prev_exc placeholder we pushed above.
+            // In CPython, POP_EXCEPT pops the saved exception and
+            // restores it to exc_info->exc_value. Our placeholder is
+            // Py_None, which is correct: there was no active exception
+            // before the JIT's inline handler.
+            match_tc.frame.stack.pop();
             break;
 
           case POP_TOP:
             match_tc.frame.stack.pop();
             break;
 
+          case SWAP:
+            emitSwap(match_tc, ebc.oparg());
+            break;
+
           case LOAD_FAST:
           case LOAD_FAST_CHECK:
           case LOAD_FAST_AND_CLEAR:
@@ -872,18 +894,30 @@ void HIRBuilder::emitCallExceptionHandler(
       TranslationContext match_tc{match_block, exc_tc.frame};
       match_tc.frame.cur_instr_offs = info.except_body;
 
+      // Push Py_None as "previous exception" placeholder — see comment
+      // in the first emitInlineExceptionMatch for full rationale.
+      Register* prev_exc_reg = temps_.AllocateStack();
+      match_tc.emit<LoadConst>(prev_exc_reg, TNoneType);
+      match_tc.frame.stack.push(prev_exc_reg);
+
       BytecodeInstruction ebc{code_, info.except_body};
       bool emitted_terminator = false;
 
       while (!emitted_terminator) {
         switch (ebc.opcode()) {
           case POP_EXCEPT:
+            // Pop the prev_exc placeholder.
+            match_tc.frame.stack.pop();
             break;
 
           case POP_TOP:
             match_tc.frame.stack.pop();
             break;
 
+          case SWAP:
+            emitSwap(match_tc, ebc.oparg());
+            break;
+
           case LOAD_FAST:
           case LOAD_FAST_CHECK:
           case LOAD_FAST_AND_CLEAR:
