Title: [216521] branches/safari-603-branch
Revision
216521
Author
matthew_han...@apple.com
Date
2017-05-09 11:05:07 -0700 (Tue, 09 May 2017)

Log Message

Cherry-pick r215596. rdar://problem/31971150

Modified Paths

Added Paths

Diff

Modified: branches/safari-603-branch/JSTests/ChangeLog (216520 => 216521)


--- branches/safari-603-branch/JSTests/ChangeLog	2017-05-09 18:05:04 UTC (rev 216520)
+++ branches/safari-603-branch/JSTests/ChangeLog	2017-05-09 18:05:07 UTC (rev 216521)
@@ -1,5 +1,19 @@
 2017-05-09  Matthew Hanson  <matthew_han...@apple.com>
 
+        Cherry-pick r215596. rdar://problem/31971150
+
+    2017-04-20  Mark Lam  <mark....@apple.com>
+
+            virtualThunkFor() needs to materialize its of tagMaskRegister for tail calls.
+            https://bugs.webkit.org/show_bug.cgi?id=171079
+            <rdar://problem/31684756>
+
+            Reviewed by Saam Barati.
+
+            * stress/regress-171079.js: Added.
+
+2017-05-09  Matthew Hanson  <matthew_han...@apple.com>
+
         Cherry-pick r215351. rdar://problem/31631922
 
     2017-04-13  Mark Lam  <mark....@apple.com>

Added: branches/safari-603-branch/JSTests/stress/regress-171079.js (0 => 216521)


--- branches/safari-603-branch/JSTests/stress/regress-171079.js	                        (rev 0)
+++ branches/safari-603-branch/JSTests/stress/regress-171079.js	2017-05-09 18:05:07 UTC (rev 216521)
@@ -0,0 +1,38 @@
+function assert(actual, expected) {
+    if (actual != expected)
+        throw("FAILED: actual " + actual + ", expected " + expected);
+}
+
+Object.defineProperty(this, "t0", { 
+    get: function() {
+        "use strict";
+        return t2.subarray(4, 7);
+    }
+});
+
+t2 = new Uint16Array();
+
+var exception;
+function test() {
+    exception = void 0;
+    try {
+        return t0;
+    } catch (e) {
+        exception = e;
+    }
+}
+
+for (var i = 0; i < 100; ++i) {
+    test();
+    assert(exception, void 0);
+}
+
+t2.__proto__ = {
+    subarray: 1
+};
+
+test();
+assert(exception, "TypeError: t2.subarray is not a function. (In 't2.subarray(4, 7)', 't2.subarray' is 1)");
+
+test();
+assert(exception, "TypeError: t2.subarray is not a function. (In 't2.subarray(4, 7)', 't2.subarray' is 1)");
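Review bot: The new test gives a reader no hint of which line exercises the tail-call path through virtualThunkFor that the ChangeLog says it regresses, so a header comment is worth adding. The strict-mode getter's `return t2.subarray(4, 7);` is presumably the tail call in question (it is the only strict function in the file), the 100 warm-up iterations let that call site get linked, and replacing `t2.__proto__` so that `subarray` becomes `1` then forces the thunk's non-cell check to fire. Suggested header: `// Regression test for https://bugs.webkit.org/show_bug.cgi?id=171079: a strict-mode tail call through the virtual call thunk must still reject a non-cell callee (here subarray === 1) with a TypeError instead of treating the value as a cell.` A one-line comment on `assert()` that the loose `!=` is deliberate would also help, since it is what lets the caught TypeError object be compared against its string form on the last two asserts.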

Modified: branches/safari-603-branch/Source/_javascript_Core/ChangeLog (216520 => 216521)


--- branches/safari-603-branch/Source/_javascript_Core/ChangeLog	2017-05-09 18:05:04 UTC (rev 216520)
+++ branches/safari-603-branch/Source/_javascript_Core/ChangeLog	2017-05-09 18:05:07 UTC (rev 216521)
@@ -1,5 +1,23 @@
 2017-05-09  Matthew Hanson  <matthew_han...@apple.com>
 
+        Cherry-pick r215596. rdar://problem/31971150
+
+    2017-04-20  Mark Lam  <mark....@apple.com>
+
+            virtualThunkFor() needs to materialize its of tagMaskRegister for tail calls.
+            https://bugs.webkit.org/show_bug.cgi?id=171079
+            <rdar://problem/31684756>
+
+            Reviewed by Saam Barati.
+
+            This is needed because tail calls would restore callee saved registers (and
+            therefore, potentially clobber the tag registers) before jumping to the thunk.
+
+            * jit/ThunkGenerators.cpp:
+            (JSC::virtualThunkFor):
+
+2017-05-09  Matthew Hanson  <matthew_han...@apple.com>
+
         Cherry-pick r215351. rdar://problem/31631922
 
     2017-04-13  Mark Lam  <mark....@apple.com>

Modified: branches/safari-603-branch/Source/_javascript_Core/jit/ThunkGenerators.cpp (216520 => 216521)


--- branches/safari-603-branch/Source/_javascript_Core/jit/ThunkGenerators.cpp	2017-05-09 18:05:04 UTC (rev 216520)
+++ branches/safari-603-branch/Source/_javascript_Core/jit/ThunkGenerators.cpp	2017-05-09 18:05:07 UTC (rev 216521)
@@ -183,9 +183,16 @@
     // the DFG knows that the value is definitely a cell, or definitely a function.
     
 #if USE(JSVALUE64)
+    GPRReg tagMaskRegister = GPRInfo::tagMaskRegister;
+    if (callLinkInfo.isTailCall()) {
+        // Tail calls could have clobbered the GPRInfo::tagMaskRegister because they
+        // restore callee saved registers before getthing here. So, let's materialize
+        // the TagMask in a temp register and use the temp instead.
+        tagMaskRegister = GPRInfo::regT4;
+        jit.move(CCallHelpers::TrustedImm64(TagMask), tagMaskRegister);
+    }
     slowCase.append(
-        jit.branchTest64(
-            CCallHelpers::NonZero, GPRInfo::regT0, GPRInfo::tagMaskRegister));
+        jit.branchTest64(CCallHelpers::NonZero, GPRInfo::regT0, tagMaskRegister));
 #else
     slowCase.append(
         jit.branch32(
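Review bot: The scratch register choice on `tagMaskRegister = GPRInfo::regT4;` is undocumented: nothing in the hunk shows that regT4 is dead at this point, and if it held a live value the thunk would silently corrupt it on the tail-call path. If that is guaranteed (the only register the hunk reads is the callee in regT0), say so on the line: `tagMaskRegister = GPRInfo::regT4; // regT4 is not live here; regT0 holds the callee`. The comment above it should also spell out why the materialization matters: `branchTest64(NonZero, regT0, tagMaskRegister)` is the guard that routes non-cell callees to the slow path, so a clobbered mask could let a non-cell JSValue past the check and be dereferenced as a cell. The added comment has a typo, `getthing` → `getting`. virtualThunkFor begins and ends outside this hunk.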