Title: [293041] trunk/Source/_javascript_Core
Revision
293041
Author
ysuz...@apple.com
Date
2022-04-19 15:32:38 -0700 (Tue, 19 Apr 2022)

Log Message

REGRESSION(r292372): cloop crashes on s390x
https://bugs.webkit.org/show_bug.cgi?id=238956

Reviewed by Mark Lam.

* Source/_javascript_Core/jit/AssemblyHelpers.h:
(JSC::AssemblyHelpers::calleeFrameCodeBlockBeforeCall):
(JSC::AssemblyHelpers::calleeFrameCodeBlockBeforeTailCall):
* Source/_javascript_Core/jit/ThunkGenerators.cpp:
(JSC::boundFunctionCallGenerator):
(JSC::remoteFunctionCallGenerator):
* Source/_javascript_Core/llint/LowLevelInterpreter.asm:

Canonical link: https://commits.webkit.org/249780@main

Diff

Modified: trunk/Source/_javascript_Core/ChangeLog (293040 => 293041)


--- trunk/Source/_javascript_Core/ChangeLog	2022-04-19 22:10:15 UTC (rev 293040)
+++ trunk/Source/_javascript_Core/ChangeLog	2022-04-19 22:32:38 UTC (rev 293041)
@@ -1,5 +1,22 @@
 2022-04-19  Yusuke Suzuki  <ysuz...@apple.com>
 
+        REGRESSION(r292372): cloop crashes on s390x
+        https://bugs.webkit.org/show_bug.cgi?id=238956
+
+        Reviewed by Mark Lam.
+
+        CodeBlock* is stored without tags. So we should just put it as a pointer without PayloadOffset.
+
+        * jit/AssemblyHelpers.h:
+        (JSC::AssemblyHelpers::calleeFrameCodeBlockBeforeCall):
+        (JSC::AssemblyHelpers::calleeFrameCodeBlockBeforeTailCall):
+        * jit/ThunkGenerators.cpp:
+        (JSC::boundFunctionCallGenerator):
+        (JSC::remoteFunctionCallGenerator):
+        * llint/LowLevelInterpreter.asm:
+
+2022-04-19  Yusuke Suzuki  <ysuz...@apple.com>
+
         Unreviewed, disable UnlinkedDFG code in x64
         https://bugs.webkit.org/show_bug.cgi?id=237863
 

Modified: trunk/Source/_javascript_Core/jit/AssemblyHelpers.h (293040 => 293041)


--- trunk/Source/_javascript_Core/jit/AssemblyHelpers.h	2022-04-19 22:10:15 UTC (rev 293040)
+++ trunk/Source/_javascript_Core/jit/AssemblyHelpers.h	2022-04-19 22:32:38 UTC (rev 293041)
@@ -1259,13 +1259,13 @@
 
     static Address calleeFrameCodeBlockBeforeCall()
     {
-        return calleeFramePayloadSlot(CallFrameSlot::codeBlock);
+        return calleeFrameSlot(CallFrameSlot::codeBlock);
     }
 
     static Address calleeFrameCodeBlockBeforeTailCall()
     {
         // The stackPointerRegister state is "after the call, but before the function prologue".
-        return calleeFramePayloadSlot(CallFrameSlot::codeBlock).withOffset(sizeof(CallerFrameAndPC) - prologueStackPointerDelta());
+        return calleeFrameSlot(CallFrameSlot::codeBlock).withOffset(sizeof(CallerFrameAndPC) - prologueStackPointerDelta());
     }
 
     static GPRReg selectScratchGPR(RegisterSet preserved)
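Review bot: Both accessors now return the whole-slot address, but neither carries a comment saying why the payload slot was wrong, so the reason lives only in the ChangeLog and a later reader may "correct" it back. As I understand the JSVALUE32_64 layout, the payload half is not at offset 0 on big-endian targets, which is presumably what broke cloop on s390x; the slot holds an untagged CodeBlock*, so the payload offset must never be applied to it. I'd put above `calleeFrameCodeBlockBeforeCall`: `// CodeBlock* is stored in the frame untagged, as a full pointer: address the whole slot, never the payload half, and pair with storePtr rather than storeCell.` Stating the pairing here keeps the store sites (ThunkGenerators and the LLInt macros in this commit, and any others outside it) honest about the width they write.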

Modified: trunk/Source/_javascript_Core/jit/ThunkGenerators.cpp (293040 => 293041)


--- trunk/Source/_javascript_Core/jit/ThunkGenerators.cpp	2022-04-19 22:10:15 UTC (rev 293040)
+++ trunk/Source/_javascript_Core/jit/ThunkGenerators.cpp	2022-04-19 22:32:38 UTC (rev 293041)
@@ -1405,7 +1405,7 @@
         CCallHelpers::Address(
             GPRInfo::regT0, FunctionExecutable::offsetOfCodeBlockForCall()),
         GPRInfo::regT2);
-    jit.storeCell(GPRInfo::regT2, CCallHelpers::calleeFrameCodeBlockBeforeCall());
+    jit.storePtr(GPRInfo::regT2, CCallHelpers::calleeFrameCodeBlockBeforeCall());
 
     isNative.link(&jit);
     
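Review bot: The switch from `storeCell` to `storePtr` matches the new whole-slot address, but nothing at the store site records that this slot holds an untagged CodeBlock* rather than a JSValue; the same store recurs in the two following hunks of this file. If storeCell on a JSVALUE32_64 build writes a cell tag into the tag half, as it presumably does, any remaining `storeCell(..., calleeFrameCodeBlockBeforeCall())` or `...BeforeTailCall()` outside this diff would now corrupt half of a slot the LLInt reads as pointer bits, so a grep for other users of those two accessors is worth doing before landing. I'd add at this store: `// CodeBlock* is stored untagged: write the full pointer, not a cell.` boundFunctionCallGenerator and remoteFunctionCallGenerator both begin and end outside these hunks.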
@@ -1566,7 +1566,7 @@
     emitPointerValidation(jit, GPRInfo::nonArgGPR0, OperationPtrTag);
     jit.call(GPRInfo::nonArgGPR0, OperationPtrTag);
     exceptionChecks.append(jit.emitJumpIfException(vm));
-    jit.storeCell(GPRInfo::returnValueGPR2, CCallHelpers::calleeFrameCodeBlockBeforeCall());
+    jit.storePtr(GPRInfo::returnValueGPR2, CCallHelpers::calleeFrameCodeBlockBeforeCall());
     jit.move(GPRInfo::returnValueGPR, GPRInfo::regT2);
     auto materialized = jit.jump();
 
@@ -1576,7 +1576,7 @@
         CCallHelpers::Address(
             GPRInfo::regT1, FunctionExecutable::offsetOfCodeBlockForCall()),
         GPRInfo::regT3);
-    jit.storeCell(GPRInfo::regT3, CCallHelpers::calleeFrameCodeBlockBeforeCall());
+    jit.storePtr(GPRInfo::regT3, CCallHelpers::calleeFrameCodeBlockBeforeCall());
 
     isNative.link(&jit);
     materialized.link(&jit);

Modified: trunk/Source/_javascript_Core/llint/LowLevelInterpreter.asm (293040 => 293041)


--- trunk/Source/_javascript_Core/llint/LowLevelInterpreter.asm	2022-04-19 22:10:15 UTC (rev 293040)
+++ trunk/Source/_javascript_Core/llint/LowLevelInterpreter.asm	2022-04-19 22:32:38 UTC (rev 293041)
@@ -1195,7 +1195,7 @@
 end
 
 macro prepareForRegularCall(temp1, temp2, temp3, temp4, storeCodeBlock)
-    storeCodeBlock(CodeBlock + PayloadOffset - CallerFrameAndPCSize[sp])
+    storeCodeBlock(CodeBlock - CallerFrameAndPCSize[sp])
 end
 
 macro invokeForRegularCall(opcodeName, size, opcodeStruct, valueProfileName, dstVirtualRegister, dispatch, callee, maybeOldCFR, callPtrTag)
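Review bot: `prepareForRegularCall` now addresses the whole CodeBlock slot, but the width of the write is still delegated to the `storeCodeBlock` macro argument, so the fix only holds if every caller passes a full-pointer store, as the `.callCode:` hunk further down does directly with `storep`; a payload-width store would leave the other half of the slot stale on a 32_64 layout. The callers are outside this diff, so I can't confirm them here. A one-line comment on the macro would pin the contract: `# CodeBlock* lives untagged in the frame: storeCodeBlock must be a full-pointer store (storep), never payload-only.` The same applies to the tail-call store in the next hunk, whose enclosing macro begins before that hunk.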
@@ -1267,7 +1267,7 @@
 
     move temp1, sp
 
-    storeCodeBlock(CodeBlock + PayloadOffset - PrologueStackPointerDelta[sp])
+    storeCodeBlock(CodeBlock - PrologueStackPointerDelta[sp])
 end
 
 macro invokeForTailCall(opcodeName, size, opcodeStruct, valueProfileName, dstVirtualRegister, dispatch, callee, maybeOldCFR, callPtrTag)
@@ -2520,7 +2520,7 @@
     loadp offsetOfCodeBlock[t5], t0
 .callCode:
     prepareCall(t5, t2, t3, t4)
-    storep t0, CodeBlock + PayloadOffset - PrologueStackPointerDelta[sp]
+    storep t0, CodeBlock - PrologueStackPointerDelta[sp]
     jmp t1, JSEntryPtrTag
 .notJSFunction:
     bbneq JSCell::m_type[t0], InternalFunctionType, slowCase