Title: [204403] trunk
- Revision
- 204403
- Author
- [email protected]
- Date
- 2016-08-11 20:38:54 -0700 (Thu, 11 Aug 2016)
Log Message
OverridesHasInstance should not branch across register allocations.
https://bugs.webkit.org/show_bug.cgi?id=160792
<rdar://problem/27361778>
Reviewed by Benjamin Poulain.
JSTests:
* stress/OverrideHasInstance-should-not-branch-across-register-allocations.js: Added.
Source/_javascript_Core:
The OverrideHasInstance node has a branch test that is emitted conditionally.
It also has a bug where it allocated a register after this branch, which is not
allowed and would fail an assertion introduced in https://trac.webkit.org/r145931.
>From the ChangeLog for r145931:
"This [assertion that register allocations are not branched around] protects
against the case where an allocation could have spilled register contents to free
up a register and that spill only occurs on one path of many through the code.
A subsequent fill of the spilled register may load garbage."
Because the branch isn't always emitted, this bug has gone unnoticed until now.
This patch fixes this issue by pre-allocating the registers before emitting the
branch in OverrideHasInstance.
Note: this issue is only present in DFGSpeculativeJIT64.cpp. The 32-bit version
is doing it right.
* dfg/DFGSpeculativeJIT64.cpp:
(JSC::DFG::SpeculativeJIT::compile):
Modified Paths
Added Paths
Diff
Modified: trunk/JSTests/ChangeLog (204402 => 204403)
--- trunk/JSTests/ChangeLog 2016-08-12 01:33:48 UTC (rev 204402)
+++ trunk/JSTests/ChangeLog 2016-08-12 03:38:54 UTC (rev 204403)
@@ -1,5 +1,15 @@
2016-08-11 Mark Lam <[email protected]>
+ OverridesHasInstance should not branch across register allocations.
+ https://bugs.webkit.org/show_bug.cgi?id=160792
+ <rdar://problem/27361778>
+
+ Reviewed by Benjamin Poulain.
+
+ * stress/OverrideHasInstance-should-not-branch-across-register-allocations.js: Added.
+
+2016-08-11 Mark Lam <[email protected]>
+
The jsc shell's Element host constructor should throw if it fails to construct an object.
https://bugs.webkit.org/show_bug.cgi?id=160773
<rdar://problem/27328608>
Added: trunk/JSTests/stress/OverrideHasInstance-should-not-branch-across-register-allocations.js (0 => 204403)
--- trunk/JSTests/stress/OverrideHasInstance-should-not-branch-across-register-allocations.js (rev 0)
+++ trunk/JSTests/stress/OverrideHasInstance-should-not-branch-across-register-allocations.js 2016-08-12 03:38:54 UTC (rev 204403)
@@ -0,0 +1,16 @@
+//@ runDefault
+
+// This test should not crash.
+
+delete this.Function;
+
+var test = function() {
+ Math.cos("0" instanceof arguments)
+}
+
+for (var k = 0; k < 10000; ++k) {
+ try {
+ test();
+ } catch (e) {
+ }
+}
Modified: trunk/Source/_javascript_Core/ChangeLog (204402 => 204403)
--- trunk/Source/_javascript_Core/ChangeLog 2016-08-12 01:33:48 UTC (rev 204402)
+++ trunk/Source/_javascript_Core/ChangeLog 2016-08-12 03:38:54 UTC (rev 204403)
@@ -1,3 +1,31 @@
+2016-08-11 Mark Lam <[email protected]>
+
+ OverridesHasInstance should not branch across register allocations.
+ https://bugs.webkit.org/show_bug.cgi?id=160792
+ <rdar://problem/27361778>
+
+ Reviewed by Benjamin Poulain.
+
+ The OverrideHasInstance node has a branch test that is emitted conditionally.
+ It also has a bug where it allocated a register after this branch, which is not
+ allowed and would fail an assertion introduced in https://trac.webkit.org/r145931.
+ From the ChangeLog for r145931:
+
+ "This [assertion that register allocations are not branched around] protects
+ against the case where an allocation could have spilled register contents to free
+ up a register and that spill only occurs on one path of many through the code.
+ A subsequent fill of the spilled register may load garbage."
+
+ Because the branch isn't always emitted, this bug has gone unnoticed until now.
+ This patch fixes this issue by pre-allocating the registers before emitting the
+ branch in OverrideHasInstance.
+
+ Note: this issue is only present in DFGSpeculativeJIT64.cpp. The 32-bit version
+ is doing it right.
+
+ * dfg/DFGSpeculativeJIT64.cpp:
+ (JSC::DFG::SpeculativeJIT::compile):
+
2016-08-11 Benjamin Poulain <[email protected]>
[JSC] Make B3 Return opcode work without arguments
Modified: trunk/Source/_javascript_Core/dfg/DFGSpeculativeJIT64.cpp (204402 => 204403)
--- trunk/Source/_javascript_Core/dfg/DFGSpeculativeJIT64.cpp 2016-08-12 01:33:48 UTC (rev 204402)
+++ trunk/Source/_javascript_Core/dfg/DFGSpeculativeJIT64.cpp 2016-08-12 03:38:54 UTC (rev 204403)
@@ -4575,15 +4575,18 @@
GPRTemporary result(this);
GPRReg resultGPR = result.gpr();
+ GPRReg baseGPR = base.gpr();
// It would be great if constant folding handled automatically the case where we knew the hasInstance function
// was a constant. Unfortunately, the folding rule for OverridesHasInstance is in the strength reduction phase
// since it relies on OSR information. https://bugs.webkit.org/show_bug.cgi?id=154832
- if (!hasInstanceValueNode->isCellConstant() || defaultHasInstanceFunction != hasInstanceValueNode->asCell())
- notDefault = m_jit.branchPtr(MacroAssembler::NotEqual, hasInstanceValue.gpr(), TrustedImmPtr(defaultHasInstanceFunction));
+ if (!hasInstanceValueNode->isCellConstant() || defaultHasInstanceFunction != hasInstanceValueNode->asCell()) {
+ GPRReg hasInstanceValueGPR = hasInstanceValue.gpr();
+ notDefault = m_jit.branchPtr(MacroAssembler::NotEqual, hasInstanceValueGPR, TrustedImmPtr(defaultHasInstanceFunction));
+ }
// Check that base 'ImplementsDefaultHasInstance'.
- m_jit.test8(MacroAssembler::Zero, MacroAssembler::Address(base.gpr(), JSCell::typeInfoFlagsOffset()), MacroAssembler::TrustedImm32(ImplementsDefaultHasInstance), resultGPR);
+ m_jit.test8(MacroAssembler::Zero, MacroAssembler::Address(baseGPR, JSCell::typeInfoFlagsOffset()), MacroAssembler::TrustedImm32(ImplementsDefaultHasInstance), resultGPR);
m_jit.or32(TrustedImm32(ValueFalse), resultGPR);
MacroAssembler::Jump done = m_jit.jump();
_______________________________________________
webkit-changes mailing list
[email protected]
https://lists.webkit.org/mailman/listinfo/webkit-changes
