[webkit-changes] [204016] branches/safari-602-branch

Mon, 01 Aug 2016 23:51:52 -0700

Title: [204016] branches/safari-602-branch

Diff

Added: branches/safari-602-branch/JSTests/Changelog (0 => 204016)


--- branches/safari-602-branch/JSTests/Changelog	                        (rev 0)
+++ branches/safari-602-branch/JSTests/Changelog	2016-08-02 06:51:26 UTC (rev 204016)
@@ -0,0 +1,9 @@
+2016-08-01  Filip Pizlo  <[email protected]>
+
+        Rationalize varargs stack overflow checks
+        https://bugs.webkit.org/show_bug.cgi?id=160425
+
+        Reviewed by Michael Saboff.
+
+        * stress/arity-check-ftl-throw-more-args.js: Added.
+        (catch):

Added: branches/safari-602-branch/JSTests/stress/arity-check-ftl-throw-more-args.js (0 => 204016)


--- branches/safari-602-branch/JSTests/stress/arity-check-ftl-throw-more-args.js	                        (rev 0)
+++ branches/safari-602-branch/JSTests/stress/arity-check-ftl-throw-more-args.js	2016-08-02 06:51:26 UTC (rev 204016)
@@ -0,0 +1,23 @@
+// Require lots of arguments so that arity fixup will need a lot of stack, making
+// it prone to stack overflow.
+var script = "recursionCount, ";
+for (var i = 0; i < 5000; ++i)
+    script += "dummy, "
+script += "dummy";
+var g = new Function(script, "return recursionCount ? g(recursionCount - 1) : 0;"); // Ensure that arguments are observed.
+
+noInline(g);
+
+// Ensure that f and g get optimized.
+for (var i = 0; i < 10000; ++i) {
+    // Recurse once to ensure profiling along all control flow paths.
+    g(1);
+}
+
+try {
+    // Recurse enough times to trigger a stack overflow exception.
+    g(1000000);
+} catch(e) {
+    if (! (e instanceof RangeError))
+        throw "bad value for e";
+}

Modified: branches/safari-602-branch/Source/_javascript_Core/ChangeLog (204015 => 204016)


--- branches/safari-602-branch/Source/_javascript_Core/ChangeLog	2016-08-02 06:51:22 UTC (rev 204015)
+++ branches/safari-602-branch/Source/_javascript_Core/ChangeLog	2016-08-02 06:51:26 UTC (rev 204016)
@@ -1,3 +1,19 @@
+2016-08-01  Babak Shafiei  <[email protected]>
+
+        Merge r203990. rdar://problem/27534844
+
+    2016-08-01  Filip Pizlo  <[email protected]>
+
+            Rationalize varargs stack overflow checks
+            https://bugs.webkit.org/show_bug.cgi?id=160425
+
+            Reviewed by Michael Saboff.
+
+            * ftl/FTLLink.cpp:
+            (JSC::FTL::link): AboveOrEqual 0 is a tautology. The code meant GreaterThanOrEqual, since the error code is -1.
+            * runtime/CommonSlowPaths.h:
+            (JSC::CommonSlowPaths::arityCheckFor): Use roundUpToMultipleOf(), which is almost certainly what we meant when we said %.
+
 2016-07-28  Babak Shafiei  <[email protected]>
 
         Merge r203851. rdar://problem/27299339

Modified: branches/safari-602-branch/Source/_javascript_Core/ftl/FTLLink.cpp (204015 => 204016)


--- branches/safari-602-branch/Source/_javascript_Core/ftl/FTLLink.cpp	2016-08-02 06:51:22 UTC (rev 204015)
+++ branches/safari-602-branch/Source/_javascript_Core/ftl/FTLLink.cpp	2016-08-02 06:51:26 UTC (rev 204016)
@@ -140,7 +140,7 @@
         jit.storePtr(GPRInfo::callFrameRegister, &vm.topCallFrame);
         CCallHelpers::Call callArityCheck = jit.call();
 
-        auto noException = jit.branch32(CCallHelpers::AboveOrEqual, GPRInfo::returnValueGPR, CCallHelpers::TrustedImm32(0));
+        auto noException = jit.branch32(CCallHelpers::GreaterThanOrEqual, GPRInfo::returnValueGPR, CCallHelpers::TrustedImm32(0));
         jit.copyCalleeSavesToVMEntryFrameCalleeSavesBuffer();
         jit.move(CCallHelpers::TrustedImmPtr(jit.vm()), GPRInfo::argumentGPR0);
         jit.move(GPRInfo::callFrameRegister, GPRInfo::argumentGPR1);
@@ -148,10 +148,10 @@
         jit.jumpToExceptionHandler();
         noException.link(&jit);
 
-#if !ASSERT_DISABLED
-        jit.load64(vm.addressOfException(), GPRInfo::regT1);
-        jit.jitAssertIsNull(GPRInfo::regT1);
-#endif
+        if (!ASSERT_DISABLED) {
+            jit.load64(vm.addressOfException(), GPRInfo::regT1);
+            jit.jitAssertIsNull(GPRInfo::regT1);
+        }
 
         jit.move(GPRInfo::returnValueGPR, GPRInfo::argumentGPR0);
         jit.emitFunctionEpilogue();

Modified: branches/safari-602-branch/Source/_javascript_Core/runtime/CommonSlowPaths.h (204015 => 204016)


--- branches/safari-602-branch/Source/_javascript_Core/runtime/CommonSlowPaths.h	2016-08-02 06:51:22 UTC (rev 204015)
+++ branches/safari-602-branch/Source/_javascript_Core/runtime/CommonSlowPaths.h	2016-08-02 06:51:26 UTC (rev 204016)
@@ -63,8 +63,10 @@
     int alignedFrameSizeForParameters = WTF::roundUpToMultipleOf(stackAlignmentRegisters(),
         newCodeBlock->numParameters() + CallFrame::headerSizeInRegisters);
     int paddedStackSpace = alignedFrameSizeForParameters - frameSize;
+    
+    Register* newStack = exec->registers() - WTF::roundUpToMultipleOf(stackAlignmentRegisters(), paddedStackSpace);
 
-    if (UNLIKELY(!vm.ensureStackCapacityFor(exec->registers() - paddedStackSpace % stackAlignmentRegisters())))
+    if (UNLIKELY(!vm.ensureStackCapacityFor(newStack)))
         return -1;
     return paddedStackSpace;
 }

_______________________________________________
webkit-changes mailing list
[email protected]
https://lists.webkit.org/mailman/listinfo/webkit-changes

Reply via email to