Title: [239290] trunk
Revision
239290
Author
mark....@apple.com
Date
2018-12-17 14:46:50 -0800 (Mon, 17 Dec 2018)

Log Message

Suppress ASAN on valid stack accesses in Probe-based OSRExit::executeOSRExit().
https://bugs.webkit.org/show_bug.cgi?id=192776
<rdar://problem/46772368>

Reviewed by Keith Miller.

JSTests:

* stress/out-of-frame-stack-accesses-due-to-probe-based-osr-exits.js: Added.

Source/_javascript_Core:

1. Add some asanUnsafe methods to the Register class.
2. Update the probe-based OSRExit::executeOSRExit() to use these asanUnsafe methods.

* dfg/DFGOSRExit.cpp:
(JSC::DFG::OSRExit::executeOSRExit):
* interpreter/Register.h:
(JSC::Register::asanUnsafeUnboxedInt32 const):
(JSC::Register::asanUnsafeUnboxedInt52 const):
(JSC::Register::asanUnsafeUnboxedStrictInt52 const):
(JSC::Register::asanUnsafeUnboxedDouble const):
(JSC::Register::asanUnsafeUnboxedCell const):

Modified Paths

Added Paths

Diff

Modified: trunk/JSTests/ChangeLog (239289 => 239290)


--- trunk/JSTests/ChangeLog	2018-12-17 21:47:53 UTC (rev 239289)
+++ trunk/JSTests/ChangeLog	2018-12-17 22:46:50 UTC (rev 239290)
@@ -1,5 +1,15 @@
 2018-12-17  Mark Lam  <mark....@apple.com>
 
+        Suppress ASAN on valid stack accesses in Probe-based OSRExit::executeOSRExit().
+        https://bugs.webkit.org/show_bug.cgi?id=192776
+        <rdar://problem/46772368>
+
+        Reviewed by Keith Miller.
+
+        * stress/out-of-frame-stack-accesses-due-to-probe-based-osr-exits.js: Added.
+
+2018-12-17  Mark Lam  <mark....@apple.com>
+
         Fix stale assertion in attemptToForceStringArrayModeByToStringConversion().
         https://bugs.webkit.org/show_bug.cgi?id=192770
         <rdar://problem/46449037>

Added: trunk/JSTests/stress/out-of-frame-stack-accesses-due-to-probe-based-osr-exits.js (0 => 239290)


--- trunk/JSTests/stress/out-of-frame-stack-accesses-due-to-probe-based-osr-exits.js	                        (rev 0)
+++ trunk/JSTests/stress/out-of-frame-stack-accesses-due-to-probe-based-osr-exits.js	2018-12-17 22:46:50 UTC (rev 239290)
@@ -0,0 +1,14 @@
+//@ requireOptions("--useProbeOSRExit=true", ""--forceEagerCompilation=true"")
+
+// This test passes if it does not crash especially on ASAN builds.
+
+let x = 0;
+function Foo(a) {
+    a === a;
+    '' + x + x + x + x + x + x + x + x + x + x + x + x + x + x + x + x + x + x + x + x + x + x + x + x + x + x + x + x + x + x + x + x + x + x + x + x + x + x + x + x + x + x + x + x + x + x + x + x + x + x + x + x + x + x + x + x + x + x + x + x + x + x + x + x + x + x + x + x + x + x + x + x + x + x + x + x + x + x + x + x + x + x + x + x + x + x + x + x + x + x + x + x + x + x + x + x;
+}
+
+for (let i=0; i<8; i++)
+    new Foo(0);
+
+new Foo({});
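Review bot: The second argument on the `//@ requireOptions` line appears with doubled quotes, `""--forceEagerCompilation=true""`, which is not a valid string argument if that is what the committed file contains; it may be a rendering artifact of this page, but the line as shown should read `//@ requireOptions("--useProbeOSRExit=true", "--forceEagerCompilation=true")`. This matters because a test whose options fail to parse could run without the probe-based OSR exit and silently stop covering the path the commit fixes. The comment on the third line would also be more useful if it named what is being exercised, e.g. `// Forces many *DisplacedInJSStack recoveries through the probe-based OSR exit; passes if it does not crash, and on ASAN builds if no out-of-frame stack read is reported.` — the "DisplacedInJSStack" part is my reading of the DFGOSRExit.cpp change and should be confirmed.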

Modified: trunk/Source/_javascript_Core/ChangeLog (239289 => 239290)


--- trunk/Source/_javascript_Core/ChangeLog	2018-12-17 21:47:53 UTC (rev 239289)
+++ trunk/Source/_javascript_Core/ChangeLog	2018-12-17 22:46:50 UTC (rev 239290)
@@ -1,5 +1,25 @@
 2018-12-17  Mark Lam  <mark....@apple.com>
 
+        Suppress ASAN on valid stack accesses in Probe-based OSRExit::executeOSRExit().
+        https://bugs.webkit.org/show_bug.cgi?id=192776
+        <rdar://problem/46772368>
+
+        Reviewed by Keith Miller.
+
+        1. Add some asanUnsafe methods to the Register class.
+        2. Update the probe-based OSRExit::executeOSRExit() to use these asanUnsafe methods.
+
+        * dfg/DFGOSRExit.cpp:
+        (JSC::DFG::OSRExit::executeOSRExit):
+        * interpreter/Register.h:
+        (JSC::Register::asanUnsafeUnboxedInt32 const):
+        (JSC::Register::asanUnsafeUnboxedInt52 const):
+        (JSC::Register::asanUnsafeUnboxedStrictInt52 const):
+        (JSC::Register::asanUnsafeUnboxedDouble const):
+        (JSC::Register::asanUnsafeUnboxedCell const):
+
+2018-12-17  Mark Lam  <mark....@apple.com>
+
         Fix stale assertion in attemptToForceStringArrayModeByToStringConversion().
         https://bugs.webkit.org/show_bug.cgi?id=192770
         <rdar://problem/46449037>

Modified: trunk/Source/_javascript_Core/dfg/DFGOSRExit.cpp (239289 => 239290)


--- trunk/Source/_javascript_Core/dfg/DFGOSRExit.cpp	2018-12-17 21:47:53 UTC (rev 239289)
+++ trunk/Source/_javascript_Core/dfg/DFGOSRExit.cpp	2018-12-17 22:46:50 UTC (rev 239290)
@@ -569,7 +569,7 @@
 
         switch (recovery.technique()) {
         case DisplacedInJSStack:
-            frame.setOperand(operand, exec->r(recovery.virtualRegister()).jsValue());
+            frame.setOperand(operand, exec->r(recovery.virtualRegister()).asanUnsafeJSValue());
             break;
 
         case InFPR:
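Review bot: Nothing at this switch records why an unchecked read is acceptable here, and the `asanUnsafe*` accessors will hide a genuine out-of-bounds read just as readily as the out-of-frame-but-valid one the commit targets, should `recovery.virtualRegister()` ever be wrong. A comment on the `DisplacedInJSStack` case, which applies equally to the other `*DisplacedInJSStack` cases changed in this file, would stop the pattern being copied elsewhere: `// ASan is suppressed on these reads: the slot belongs to the exiting frame but, per bug 192776, may lie outside the region ASan considers live here; the offset comes from the compiler's recovery, not from user data.` Note also that `asanUnsafeJSValue()` is not among the accessors this commit adds to Register.h, so it is presumably pre-existing; worth confirming it carries the same SUPPRESS_ASAN as the new ones. executeOSRExit() starts and ends outside this hunk.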
@@ -591,7 +591,7 @@
             break;
 
         case CellDisplacedInJSStack:
-            frame.setOperand(operand, JSValue(exec->r(recovery.virtualRegister()).unboxedCell()));
+            frame.setOperand(operand, JSValue(exec->r(recovery.virtualRegister()).asanUnsafeUnboxedCell()));
             break;
 
 #if USE(JSVALUE32_64)
@@ -602,9 +602,9 @@
 
         case BooleanDisplacedInJSStack:
 #if USE(JSVALUE64)
-            frame.setOperand(operand, exec->r(recovery.virtualRegister()).jsValue());
+            frame.setOperand(operand, exec->r(recovery.virtualRegister()).asanUnsafeJSValue());
 #else
-            frame.setOperand(operand, jsBoolean(exec->r(recovery.virtualRegister()).jsValue().payload()));
+            frame.setOperand(operand, jsBoolean(exec->r(recovery.virtualRegister()).asanUnsafeJSValue().payload()));
 #endif
             break;
 
@@ -613,7 +613,7 @@
             break;
 
         case Int32DisplacedInJSStack:
-            frame.setOperand(operand, JSValue(exec->r(recovery.virtualRegister()).unboxedInt32()));
+            frame.setOperand(operand, JSValue(exec->r(recovery.virtualRegister()).asanUnsafeUnboxedInt32()));
             break;
 
 #if USE(JSVALUE64)
@@ -622,7 +622,7 @@
             break;
 
         case Int52DisplacedInJSStack:
-            frame.setOperand(operand, JSValue(exec->r(recovery.virtualRegister()).unboxedInt52()));
+            frame.setOperand(operand, JSValue(exec->r(recovery.virtualRegister()).asanUnsafeUnboxedInt52()));
             break;
 
         case UnboxedStrictInt52InGPR:
@@ -630,7 +630,7 @@
             break;
 
         case StrictInt52DisplacedInJSStack:
-            frame.setOperand(operand, JSValue(exec->r(recovery.virtualRegister()).unboxedStrictInt52()));
+            frame.setOperand(operand, JSValue(exec->r(recovery.virtualRegister()).asanUnsafeUnboxedStrictInt52()));
             break;
 #endif
 
@@ -639,7 +639,7 @@
             break;
 
         case DoubleDisplacedInJSStack:
-            frame.setOperand(operand, JSValue(JSValue::EncodeAsDouble, purifyNaN(exec->r(recovery.virtualRegister()).unboxedDouble())));
+            frame.setOperand(operand, JSValue(JSValue::EncodeAsDouble, purifyNaN(exec->r(recovery.virtualRegister()).asanUnsafeUnboxedDouble())));
             break;
 
         case Constant:

Modified: trunk/Source/_javascript_Core/interpreter/Register.h (239289 => 239290)


--- trunk/Source/_javascript_Core/interpreter/Register.h	2018-12-17 21:47:53 UTC (rev 239289)
+++ trunk/Source/_javascript_Core/interpreter/Register.h	2018-12-17 22:46:50 UTC (rev 239290)
@@ -65,11 +65,16 @@
         JSObject* object() const;
         JSScope* scope() const;
         int32_t unboxedInt32() const;
+        int32_t asanUnsafeUnboxedInt32() const;
         int64_t unboxedInt52() const;
+        int64_t asanUnsafeUnboxedInt52() const;
         int64_t unboxedStrictInt52() const;
+        int64_t asanUnsafeUnboxedStrictInt52() const;
         bool unboxedBoolean() const;
         double unboxedDouble() const;
+        double asanUnsafeUnboxedDouble() const;
         JSCell* unboxedCell() const;
+        JSCell* asanUnsafeUnboxedCell() const;
         int32_t payload() const;
         int32_t tag() const;
         int32_t unsafePayload() const;
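Review bot: The five new `asanUnsafe*` declarations carry no comment saying when they may be used, and as public members of `Register` any caller can reach for them to silence an ASan report that is a real bug rather than a false positive. A short comment above the group would set the rule: `// asanUnsafe* variants read the slot without ASan checks. Only for callers that have independently established the slot is a live frame slot ASan is wrong about (e.g. the probe-based OSR exit); use the checked accessors everywhere else.` The enclosing class declaration begins before this hunk.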
@@ -170,16 +175,31 @@
         return payload();
     }
 
+    SUPPRESS_ASAN ALWAYS_INLINE int32_t Register::asanUnsafeUnboxedInt32() const
+    {
+        return unsafePayload();
+    }
+
     ALWAYS_INLINE int64_t Register::unboxedInt52() const
     {
         return u.integer >> JSValue::int52ShiftAmount;
     }
 
+    SUPPRESS_ASAN ALWAYS_INLINE int64_t Register::asanUnsafeUnboxedInt52() const
+    {
+        return u.integer >> JSValue::int52ShiftAmount;
+    }
+
     ALWAYS_INLINE int64_t Register::unboxedStrictInt52() const
     {
         return u.integer;
     }
 
+    SUPPRESS_ASAN ALWAYS_INLINE int64_t Register::asanUnsafeUnboxedStrictInt52() const
+    {
+        return u.integer;
+    }
+
     ALWAYS_INLINE bool Register::unboxedBoolean() const
     {
         return !!payload();
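Review bot: Each `asanUnsafe*` definition in this hunk duplicates the body of its checked twin verbatim (`u.integer >> JSValue::int52ShiftAmount`, `u.integer`), so a future change to the Int52 encoding must be made in two places with no compiler help. A one-line comment on each pair, e.g. above `asanUnsafeUnboxedInt52`: `// Keep in sync with unboxedInt52(); duplicated rather than delegated so the access itself sits in a SUPPRESS_ASAN function.` Whether the suppression would survive delegating to a separately instrumented inline accessor is toolchain-dependent, so the duplication looks deliberate and only needs to be stated.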
@@ -190,6 +210,11 @@
         return u.number;
     }
 
+    SUPPRESS_ASAN ALWAYS_INLINE double Register::asanUnsafeUnboxedDouble() const
+    {
+        return u.number;
+    }
+
     ALWAYS_INLINE JSCell* Register::unboxedCell() const
     {
 #if USE(JSVALUE64)
@@ -199,6 +224,15 @@
 #endif
     }
 
+    SUPPRESS_ASAN ALWAYS_INLINE JSCell* Register::asanUnsafeUnboxedCell() const
+    {
+#if USE(JSVALUE64)
+        return u.encodedValue.ptr;
+#else
+        return bitwise_cast<JSCell*>(payload());
+#endif
+    }
+
     ALWAYS_INLINE void* Register::pointer() const
     {
 #if USE(JSVALUE64)
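Review bot: On the `USE(JSVALUE32_64)` path `asanUnsafeUnboxedCell()` reads through `payload()`, whereas `asanUnsafeUnboxedInt32()` earlier in this file reads through `unsafePayload()`; `payload()` is not part of this commit's suppression set, so if it is instrumented on its own (or not inlined into this function) the 32-bit cell recovery can still trip ASan where the int32 recovery does not. Assuming `unsafePayload()` yields the same bits as `payload()`, the consistent form is `return bitwise_cast<JSCell*>(unsafePayload());`. The 64-bit branch reads `u.encodedValue.ptr` directly and is not affected.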