[webkit-changes] [203990] trunk

[fpizlo]

Title: [203990] trunk

Revision

203990

Author

fpi...@apple.com

Date

2016-08-01 15:20:49 -0700 (Mon, 01 Aug 2016)

Log Message

Rationalize varargs stack overflow checks
https://bugs.webkit.org/show_bug.cgi?id=160425

Reviewed by Michael Saboff.

* ftl/FTLLink.cpp:
(JSC::FTL::link): AboveOrEqual 0 is a tautology. The code meant GreaterThanOrEqual, since the error code is -1.
* runtime/CommonSlowPaths.h:
(JSC::CommonSlowPaths::arityCheckFor): Use roundUpToMultipleOf(), which is almost certainly what we meant when we said %.

Modified Paths

• trunk/JSTests/Changelog
• trunk/Source/_javascript_Core/ChangeLog
• trunk/Source/_javascript_Core/ftl/FTLLink.cpp
• trunk/Source/_javascript_Core/runtime/CommonSlowPaths.h

Added Paths

• trunk/JSTests/stress/arity-check-ftl-throw-more-args.js

Diff

Modified: trunk/JSTests/Changelog (203989 => 203990)

--- trunk/JSTests/Changelog	2016-08-01 21:32:50 UTC (rev 203989)
+++ trunk/JSTests/Changelog	2016-08-01 22:20:49 UTC (rev 203990)
@@ -1,3 +1,13 @@
+2016-08-01  Filip Pizlo  <fpi...@apple.com>
+
+        Rationalize varargs stack overflow checks
+        https://bugs.webkit.org/show_bug.cgi?id=160425
+
+        Reviewed by Michael Saboff.
+
+        * stress/arity-check-ftl-throw-more-args.js: Added.
+        (catch):
+
 2016-08-01  Keith Miller  <keith_mil...@apple.com>
 
         We should not keep the _javascript_ tests inside the Source/_javascript_Core/ directory.

Added: trunk/JSTests/stress/arity-check-ftl-throw-more-args.js (0 => 203990)

--- trunk/JSTests/stress/arity-check-ftl-throw-more-args.js	                        (rev 0)
+++ trunk/JSTests/stress/arity-check-ftl-throw-more-args.js	2016-08-01 22:20:49 UTC (rev 203990)
@@ -0,0 +1,23 @@
+// Require lots of arguments so that arity fixup will need a lot of stack, making
+// it prone to stack overflow.
+var script = "recursionCount, ";
+for (var i = 0; i < 5000; ++i)
+    script += "dummy, "
+script += "dummy";
+var g = new Function(script, "return recursionCount ? g(recursionCount - 1) : 0;"); // Ensure that arguments are observed.
+
+noInline(g);
+
+// Ensure that f and g get optimized.
+for (var i = 0; i < 10000; ++i) {
+    // Recurse once to ensure profiling along all control flow paths.
+    g(1);
+}
+
+try {
+    // Recurse enough times to trigger a stack overflow exception.
+    g(1000000);
+} catch(e) {
+    if (! (e instanceof RangeError))
+        throw "bad value for e";
+}

Modified: trunk/Source/_javascript_Core/ChangeLog (203989 => 203990)

--- trunk/Source/_javascript_Core/ChangeLog	2016-08-01 21:32:50 UTC (rev 203989)
+++ trunk/Source/_javascript_Core/ChangeLog	2016-08-01 22:20:49 UTC (rev 203990)
@@ -1,3 +1,15 @@
+2016-08-01  Filip Pizlo  <fpi...@apple.com>
+
+        Rationalize varargs stack overflow checks
+        https://bugs.webkit.org/show_bug.cgi?id=160425
+
+        Reviewed by Michael Saboff.
+
+        * ftl/FTLLink.cpp:
+        (JSC::FTL::link): AboveOrEqual 0 is a tautology. The code meant GreaterThanOrEqual, since the error code is -1.
+        * runtime/CommonSlowPaths.h:
+        (JSC::CommonSlowPaths::arityCheckFor): Use roundUpToMultipleOf(), which is almost certainly what we meant when we said %.
+
 2016-08-01  Saam Barati  <sbar...@apple.com>
 
         Sub should be a Math IC

Modified: trunk/Source/_javascript_Core/ftl/FTLLink.cpp (203989 => 203990)

--- trunk/Source/_javascript_Core/ftl/FTLLink.cpp	2016-08-01 21:32:50 UTC (rev 203989)
+++ trunk/Source/_javascript_Core/ftl/FTLLink.cpp	2016-08-01 22:20:49 UTC (rev 203990)
@@ -140,7 +140,7 @@
         jit.storePtr(GPRInfo::callFrameRegister, &vm.topCallFrame);
         CCallHelpers::Call callArityCheck = jit.call();
 
-        auto noException = jit.branch32(CCallHelpers::AboveOrEqual, GPRInfo::returnValueGPR, CCallHelpers::TrustedImm32(0));
+        auto noException = jit.branch32(CCallHelpers::GreaterThanOrEqual, GPRInfo::returnValueGPR, CCallHelpers::TrustedImm32(0));
         jit.copyCalleeSavesToVMEntryFrameCalleeSavesBuffer();
         jit.move(CCallHelpers::TrustedImmPtr(jit.vm()), GPRInfo::argumentGPR0);
         jit.move(GPRInfo::callFrameRegister, GPRInfo::argumentGPR1);
@@ -148,10 +148,10 @@
         jit.jumpToExceptionHandler();
         noException.link(&jit);
 
-#if !ASSERT_DISABLED
-        jit.load64(vm.addressOfException(), GPRInfo::regT1);
-        jit.jitAssertIsNull(GPRInfo::regT1);
-#endif
+        if (!ASSERT_DISABLED) {
+            jit.load64(vm.addressOfException(), GPRInfo::regT1);
+            jit.jitAssertIsNull(GPRInfo::regT1);
+        }
 
         jit.move(GPRInfo::returnValueGPR, GPRInfo::argumentGPR0);
         jit.emitFunctionEpilogue();

Modified: trunk/Source/_javascript_Core/runtime/CommonSlowPaths.h (203989 => 203990)

--- trunk/Source/_javascript_Core/runtime/CommonSlowPaths.h	2016-08-01 21:32:50 UTC (rev 203989)
+++ trunk/Source/_javascript_Core/runtime/CommonSlowPaths.h	2016-08-01 22:20:49 UTC (rev 203990)
@@ -63,8 +63,10 @@
     int alignedFrameSizeForParameters = WTF::roundUpToMultipleOf(stackAlignmentRegisters(),
         newCodeBlock->numParameters() + CallFrame::headerSizeInRegisters);
     int paddedStackSpace = alignedFrameSizeForParameters - frameSize;
+    
+    Register* newStack = exec->registers() - WTF::roundUpToMultipleOf(stackAlignmentRegisters(), paddedStackSpace);
 
-    if (UNLIKELY(!vm.ensureStackCapacityFor(exec->registers() - paddedStackSpace % stackAlignmentRegisters())))
+    if (UNLIKELY(!vm.ensureStackCapacityFor(newStack)))
         return -1;
     return paddedStackSpace;
 }

_______________________________________________
webkit-changes mailing list
webkit-changes@lists.webkit.org
https://lists.webkit.org/mailman/listinfo/webkit-changes