Title: [187761] branches/jsc-tailcall/Source/_javascript_Core
Revision
187761
Author
basile_clem...@apple.com
Date
2015-08-03 13:56:15 -0700 (Mon, 03 Aug 2015)

Log Message

jsc-tailcall: Get and put inline caches are not properly restoring the stack pointer
https://bugs.webkit.org/show_bug.cgi?id=147583

Reviewed by Michael Saboff.

If there is a tail call in a getter, we can't rely on the stack pointer
being valid after returning from the call.

* jit/Repatch.cpp:
(JSC::generateByIdStub):
* tests/stress/tail-call-in-inline-cache.js: Added.
(tail):
(obj.get x):

Diff

Modified: branches/jsc-tailcall/Source/_javascript_Core/ChangeLog (187760 => 187761)


--- branches/jsc-tailcall/Source/_javascript_Core/ChangeLog	2015-08-03 20:47:54 UTC (rev 187760)
+++ branches/jsc-tailcall/Source/_javascript_Core/ChangeLog	2015-08-03 20:56:15 UTC (rev 187761)
@@ -1,3 +1,19 @@
+2015-08-03  Basile Clement  <basile_clem...@apple.com>
+
+        jsc-tailcall: Get and put inline caches are not properly restoring the stack pointer
+        https://bugs.webkit.org/show_bug.cgi?id=147583
+
+        Reviewed by Michael Saboff.
+
+        If there is a tail call in a getter, we can't rely on the stack pointer
+        being valid after returning from the call.
+
+        * jit/Repatch.cpp:
+        (JSC::generateByIdStub):
+        * tests/stress/tail-call-in-inline-cache.js: Added.
+        (tail):
+        (obj.get x):
+
 2015-08-03  Michael Saboff  <msab...@apple.com>
 
         jsc-tailcall: Callee save registers should be saved after the stack pointer is set up

Modified: branches/jsc-tailcall/Source/_javascript_Core/jit/Repatch.cpp (187760 => 187761)


--- branches/jsc-tailcall/Source/_javascript_Core/jit/Repatch.cpp	2015-08-03 20:47:54 UTC (rev 187760)
+++ branches/jsc-tailcall/Source/_javascript_Core/jit/Repatch.cpp	2015-08-03 20:56:15 UTC (rev 187761)
@@ -513,9 +513,10 @@
                 MacroAssembler::TrustedImmPtr(0));
             
             fastPathCall = stubJit.nearCall();
-            
+
             stubJit.addPtr(
-                MacroAssembler::TrustedImm32(alignedNumberOfBytesForCall),
+                MacroAssembler::TrustedImm32(JIT::stackPointerOffsetFor(codeBlock) * sizeof(Register)),
+                GPRInfo::callFrameRegister,
                 MacroAssembler::stackPointerRegister);
             if (kind == CallGetter)
                 stubJit.setupResults(valueRegs);
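Review bot: the replacement of `addPtr(TrustedImm32(alignedNumberOfBytesForCall), stackPointerRegister)` with a rebase from `GPRInfo::callFrameRegister` is only sound if the callee restores the call frame register before returning, which the visible lines assume rather than check; a brief comment above the `addPtr` stating that the stack pointer is recomputed from the call frame because a tail call in the getter may leave it invalid (as the log message explains) would make the intent clear to the next reader. Also confirm that `alignedNumberOfBytesForCall` is still referenced elsewhere in `generateByIdStub` now that both uses in this hunk and the next are gone, otherwise it becomes an unused variable.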
@@ -531,7 +532,8 @@
             slowPathCall = stubJit.nearCall();
             
             stubJit.addPtr(
-                MacroAssembler::TrustedImm32(alignedNumberOfBytesForCall),
+                MacroAssembler::TrustedImm32(JIT::stackPointerOffsetFor(codeBlock) * sizeof(Register)),
+                GPRInfo::callFrameRegister,
                 MacroAssembler::stackPointerRegister);
             if (kind == CallGetter)
                 stubJit.setupResults(valueRegs);
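Review bot: the expression `JIT::stackPointerOffsetFor(codeBlock) * sizeof(Register)` is now duplicated verbatim between the fast path and this slow path; hoisting it into a single local (for example `stackPointerOffsetFromCallFrame`) computed once before `fastPathCall` keeps the two paths from drifting apart and mirrors how `alignedNumberOfBytesForCall` was shared before this change. Note as well that `sizeof(Register)` is a `size_t`, so the product is an unsigned value being narrowed into `TrustedImm32`; an explicit cast to `int32_t` (or computing in `ptrdiff_t`) would make the intended signed offset obvious.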

Added: branches/jsc-tailcall/Source/_javascript_Core/tests/stress/tail-call-in-inline-cache.js (0 => 187761)


--- branches/jsc-tailcall/Source/_javascript_Core/tests/stress/tail-call-in-inline-cache.js	                        (rev 0)
+++ branches/jsc-tailcall/Source/_javascript_Core/tests/stress/tail-call-in-inline-cache.js	2015-08-03 20:56:15 UTC (rev 187761)
@@ -0,0 +1,10 @@
+"use strict";
+
+function tail() { }
+
+var obj = {
+    get x() { return tail(0); }
+};
+
+for (var i = 0; i < 10; ++i)
+    obj.x;
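Review bot: the log message says both get and put inline caches fail to restore the stack pointer, but this test only exercises the getter path (`get x()`); a companion `set x(v) { return tail(v); }` driven by `obj.x = i` in the same loop would cover the `CallSetter` side of the `Repatch.cpp` change as well. The call `tail(0)` passes an argument to a zero-parameter function, presumably to exercise the argument-count-adjusting tail call path; a one-line comment saying so would stop a future cleanup from "fixing" it. Since the test has no assertion and relies on the stack-pointer corruption surfacing as a crash, it may also be worth stating that in a header comment, and that the ten iterations are there to let the inline cache warm up.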