Title: [227491] releases/WebKitGTK/webkit-2.18
Revision
227491
Author
carlo...@webkit.org
Date
2018-01-24 01:37:09 -0800 (Wed, 24 Jan 2018)

Log Message

Merge r224539 - AccessCase::generateImpl() should exclude the result register when restoring registers after a call.
https://bugs.webkit.org/show_bug.cgi?id=179355
<rdar://problem/35263053>

Reviewed by Saam Barati.

JSTests:

* stress/regress-179355.js: Added.

Source/JavaScriptCore:

In the Transition case in AccessCase::generateImpl(), we were restoring registers
using restoreLiveRegistersFromStackForCall() without excluding the scratchGPR
where we previously stashed the reallocated butterfly.  If the generated code is
under heavy register pressure, scratchGPR could have been from the set of preserved
registers, and hence, would be restored by restoreLiveRegistersFromStackForCall().
As a result, the restoration would trash the butterfly result we stored there.
This patch fixes the issue by excluding the scratchGPR in the restoration.

* bytecode/AccessCase.cpp:
(JSC::AccessCase::generateImpl):

Diff

Modified: releases/WebKitGTK/webkit-2.18/JSTests/ChangeLog (227490 => 227491)


--- releases/WebKitGTK/webkit-2.18/JSTests/ChangeLog	2018-01-24 09:37:03 UTC (rev 227490)
+++ releases/WebKitGTK/webkit-2.18/JSTests/ChangeLog	2018-01-24 09:37:09 UTC (rev 227491)
@@ -1,3 +1,13 @@
+2017-11-07  Mark Lam  <mark....@apple.com>
+
+        AccessCase::generateImpl() should exclude the result register when restoring registers after a call.
+        https://bugs.webkit.org/show_bug.cgi?id=179355
+        <rdar://problem/35263053>
+
+        Reviewed by Saam Barati.
+
+        * stress/regress-179355.js: Added.
+
 2017-11-02  Filip Pizlo  <fpi...@apple.com>
 
         AI does not correctly model the clobber case of ArithClz32

Added: releases/WebKitGTK/webkit-2.18/JSTests/stress/regress-179355.js (0 => 227491)


--- releases/WebKitGTK/webkit-2.18/JSTests/stress/regress-179355.js	                        (rev 0)
+++ releases/WebKitGTK/webkit-2.18/JSTests/stress/regress-179355.js	2018-01-24 09:37:09 UTC (rev 227491)
@@ -0,0 +1,25 @@
+var arr0 = [1,2,3,4];
+var arr1 = new Array(1000);
+
+Array.prototype.__defineGetter__(1, function() {
+    [].concat(arr1); //generate to invalid JIT code here?
+});
+
+Array.prototype.__defineGetter__(Symbol.isConcatSpreadable, (function() {
+    for(var i=0;i<10000;i++) {
+        if(i==0)
+            arr1[i];
+        this.x = 1.1;
+        arr1.legnth = 1;
+    }
+}));
+
+var exception;
+try {
+    arr1[1].toString();
+} catch (e) {
+    exception = e;
+}
+
+if (exception != "RangeError: Maximum call stack size exceeded.")
+    throw "FAILED";
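Review bot: the comment `//generate to invalid JIT code here?` on the first getter reads as a leftover fuzzer annotation rather than documentation; replace it with a statement of what the test drives (a property Transition via `this.x = 1.1` inside a getter under register pressure, with the expected outcome being the "Maximum call stack size exceeded." RangeError checked at the end rather than a crash). Also `arr1.legnth = 1` looks like a typo for `length`; if the misspelling is deliberate (adding a fresh named property to force a structure transition on `arr1`), say so in a comment, since a later "fix" to `length` would silently change what the test exercises.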

Modified: releases/WebKitGTK/webkit-2.18/Source/JavaScriptCore/ChangeLog (227490 => 227491)


--- releases/WebKitGTK/webkit-2.18/Source/JavaScriptCore/ChangeLog	2018-01-24 09:37:03 UTC (rev 227490)
+++ releases/WebKitGTK/webkit-2.18/Source/JavaScriptCore/ChangeLog	2018-01-24 09:37:09 UTC (rev 227491)
@@ -1,3 +1,22 @@
+2017-11-07  Mark Lam  <mark....@apple.com>
+
+        AccessCase::generateImpl() should exclude the result register when restoring registers after a call.
+        https://bugs.webkit.org/show_bug.cgi?id=179355
+        <rdar://problem/35263053>
+
+        Reviewed by Saam Barati.
+
+        In the Transition case in AccessCase::generateImpl(), we were restoring registers
+        using restoreLiveRegistersFromStackForCall() without excluding the scratchGPR
+        where we previously stashed the reallocated butterfly.  If the generated code is
+        under heavy register pressure, scratchGPR could have been from the set of preserved
+        registers, and hence, would be restored by restoreLiveRegistersFromStackForCall().
+        As a result, the restoration would trash the butterfly result we stored there.
+        This patch fixes the issue by excluding the scratchGPR in the restoration.
+
+        * bytecode/AccessCase.cpp:
+        (JSC::AccessCase::generateImpl):
+
 2017-11-03  Michael Saboff  <msab...@apple.com>
 
         The Abstract Interpreter needs to change similar to clobberize() in r224366

Modified: releases/WebKitGTK/webkit-2.18/Source/JavaScriptCore/bytecode/AccessCase.cpp (227490 => 227491)


--- releases/WebKitGTK/webkit-2.18/Source/JavaScriptCore/bytecode/AccessCase.cpp	2018-01-24 09:37:03 UTC (rev 227490)
+++ releases/WebKitGTK/webkit-2.18/Source/JavaScriptCore/bytecode/AccessCase.cpp	2018-01-24 09:37:09 UTC (rev 227491)
@@ -945,7 +945,9 @@
                 state.emitExplicitExceptionHandler();
                 
                 noException.link(&jit);
-                state.restoreLiveRegistersFromStackForCall(spillState);
+                RegisterSet resultRegisterToExclude;
+                resultRegisterToExclude.set(scratchGPR);
+                state.restoreLiveRegistersFromStackForCall(spillState, resultRegisterToExclude);
             }
         }
         
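Review bot: the three `+` lines fix the clobber but leave the invariant undocumented; a one-line comment above `RegisterSet resultRegisterToExclude;` saying that scratchGPR still holds the reallocated butterfly at this point and therefore must not be overwritten by restoreLiveRegistersFromStackForCall() would stop a future cleanup from reverting to the single-argument call. Since the ChangeLog scopes the fix to the Transition case only, it is also worth checking whether any other call site in generateImpl() restores live registers while a result is parked in a scratch register, as the same register-pressure condition would apply there.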
_______________________________________________
webkit-changes mailing list
webkit-changes@lists.webkit.org
https://lists.webkit.org/mailman/listinfo/webkit-changes
