Title: [210276] trunk
Revision: 210276
Author: [email protected]
Date: 2017-01-04 11:11:23 -0800 (Wed, 04 Jan 2017)

Log Message

We don't properly handle exceptions inside the nativeCallTrampoline macro in the LLInt
https://bugs.webkit.org/show_bug.cgi?id=163720

Reviewed by Mark Lam.

JSTests:

* stress/bound-function-tail-call-with-exception.js: Added.
(bar):
(foo):
(catch):

Source/JavaScriptCore:

In the LLInt, we were incorrectly doing the exception check after the call.
Before the exception check, we were unwinding to our caller's
frame under the assumption that our caller was always a JS frame.
This is incorrect, however, because our caller might be a C frame.
One way that it can be a C frame is when C calls to JS, and JS tail
calls to native. This patch fixes this bug by doing unwinding from
the native callee's frame instead of its caller's.

* llint/LowLevelInterpreter32_64.asm:
* llint/LowLevelInterpreter64.asm:
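The frame shape described above (C calls JS, JS tail-calls native, native throws) is what the regression test in this commit exercises, but that test only detects a crash because its catch block is empty. The following harness is an added example, not part of r210276 or of WebKit's test suite; it reproduces that shape with assertions on what the outer catch observes and generalizes it to a few other native callees (Reflect.apply, Array.prototype.map) that can likewise sit between a C frame and a JS frame. Names such as fooTail, shapes and check are this example's own. It is plain ES2015 and runs under node or the jsc shell.

```javascript
// Added example, not part of r210276 or its test: a harness that exercises
// the frame shape the patch fixes, "C calls JS, JS tail-calls native, native
// throws", and generalizes it to other native callees. Each shape reports
// what the outer catch observed, so a build that unwinds from the wrong
// frame (lost exception, wrong value, crash) fails the checks instead of
// passing silently the way an empty catch would.

// Native callee (a bound function) whose target throws for idx > 0,
// mirroring bar/boundBar in the regression test.
function bar(a, idx) {
  "use strict";
  if (idx > 0) throw new Error("Hello " + a);
  return a;
}
const boundBar = bar.bind(null, 42);

// JS frame that tail-calls the native callee. In JSC only strict-mode code
// gets proper tail calls, so fooTail's frame is gone by the time bar throws
// and boundBar's caller is whatever C++ frame invoked fooTail.
function fooTail(a, idx) {
  "use strict";
  return boundBar(idx);
}

// Control: the same call, but not in tail position.
function fooNoTail(a, idx) {
  "use strict";
  const r = boundBar(idx);
  return r;
}

// Call shapes (constructed for this example). Comments list the frames from
// outermost to innermost; "native" frames are the ones a native call
// trampoline reaches.
const shapes = {
  // bound fooTail (native) -> fooTail (JS, tail call) -> boundBar (native) -> throw
  boundTailBound: () => fooTail.bind(null, 41)(1),
  // same path without the tail call
  boundNoTailBound: () => fooNoTail.bind(null, 41)(1),
  // Reflect.apply (native) -> fooTail (JS, tail call) -> boundBar (native)
  reflectApplyTailBound: () => Reflect.apply(fooTail, null, [41, 1]),
  // Reflect.apply (native) -> bound fooTail (native) -> fooTail (JS) -> boundBar (native)
  reflectApplyBoundTailBound: () => Reflect.apply(fooTail.bind(null, 41), null, [1]),
  // Array.prototype.map (native) -> callback (JS, tail call) -> boundBar (native)
  mapCallbackBound: () => [1].map(function (idx) { "use strict"; return boundBar(idx); }),
  // no throw at all: idx 0 takes the ordinary return path
  noThrow: () => fooTail.bind(null, 41)(0),
};

// What each shape must produce: the thrown message, or the returned value.
const expected = {
  boundTailBound: { threw: true, message: "Hello 42" },
  boundNoTailBound: { threw: true, message: "Hello 42" },
  reflectApplyTailBound: { threw: true, message: "Hello 42" },
  reflectApplyBoundTailBound: { threw: true, message: "Hello 42" },
  mapCallbackBound: { threw: true, message: "Hello 42" },
  noThrow: { threw: false, value: 42 },
};

// Run one shape and report what the outer try/catch saw.
function runShape(thunk) {
  try {
    return { threw: false, value: thunk() };
  } catch (e) {
    return { threw: true, message: e instanceof Error ? e.message : String(e) };
  }
}

function runAll() {
  const results = {};
  for (const name of Object.keys(shapes)) results[name] = runShape(shapes[name]);
  return results;
}

// ok is true only if every shape matched its expectation; failures names the
// shapes that did not, so a failing build says which frame layout broke.
function check() {
  const results = runAll();
  const failures = Object.keys(expected).filter((name) => {
    const got = results[name], want = expected[name];
    return got.threw !== want.threw ||
      (want.threw ? got.message !== want.message : got.value !== want.value);
  });
  return { ok: failures.length === 0, failures, results };
}

if (typeof require !== "undefined" && require.main === module) {
  const report = check();
  console.log(report.ok ? "all shapes propagated correctly" : "FAILED: " + report.failures.join(", "));
}
```

Under node the tail call is not actually eliminated, so every shape passes there by construction; the harness earns its keep when run under the jsc shell with the JIT disabled (as the commit's test does with `//@ runNoJIT`), where the tail-call shapes are the ones that reach the LLInt's native call trampoline with a C frame as caller.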

Modified Paths

trunk/JSTests/ChangeLog
trunk/Source/JavaScriptCore/ChangeLog
trunk/Source/JavaScriptCore/llint/LowLevelInterpreter32_64.asm
trunk/Source/JavaScriptCore/llint/LowLevelInterpreter64.asm

Added Paths

trunk/JSTests/stress/bound-function-tail-call-with-exception.js
Diff

Modified: trunk/JSTests/ChangeLog (210275 => 210276)


--- trunk/JSTests/ChangeLog	2017-01-04 17:48:58 UTC (rev 210275)
+++ trunk/JSTests/ChangeLog	2017-01-04 19:11:23 UTC (rev 210276)
@@ -1,3 +1,15 @@
+2017-01-04  Saam Barati  <[email protected]>
+
+        We don't properly handle exceptions inside the nativeCallTrampoline macro in the LLInt
+        https://bugs.webkit.org/show_bug.cgi?id=163720
+
+        Reviewed by Mark Lam.
+
+        * stress/bound-function-tail-call-with-exception.js: Added.
+        (bar):
+        (foo):
+        (catch):
+
 2017-01-03  JF Bastien  <[email protected]>
 
         WebAssembly JS API: check and test in-call / out-call values
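Review bot: `(catch):` in the function list is a prepare-ChangeLog artifact (it records the top-level try/catch as if it were a function); drop it and spend the line on what the test guards instead, e.g. that a bound function calls into JS which tail-calls another bound function that throws, and that it runs with `//@ runNoJIT` so the LLInt path is the one exercised. As written, the entry does not distinguish this test from any other bound-function test.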

Added: trunk/JSTests/stress/bound-function-tail-call-with-exception.js (0 => 210276)


--- trunk/JSTests/stress/bound-function-tail-call-with-exception.js	                        (rev 0)
+++ trunk/JSTests/stress/bound-function-tail-call-with-exception.js	2017-01-04 19:11:23 UTC (rev 210276)
@@ -0,0 +1,23 @@
+//@ runNoJIT
+
+function bar(a, idx)
+{
+    "use strict";
+    if (idx > 0)
+      throw "Hello";
+    return a;
+}
+
+boundBar = bar.bind(null, 42);
+
+function foo(a, idx)
+{
+    "use strict";
+    return boundBar(idx);
+}
+
+boundFoo = foo.bind(null, 41);
+
+try {
+    boundFoo(1);
+} catch(e) {}
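Review bot: The `catch(e) {}` at the end is empty, so the test only catches a crash, not a lost or wrong exception; suggest `catch(e) { if (e !== "Hello") throw new Error("wrong exception: " + e); caught = true; }` followed by `if (!caught) throw new Error("no exception");` so a regression that swallows the throw fails rather than passes. The `"use strict"` in foo is load-bearing (`return boundBar(idx)` is only a tail call in strict code, and the tail call is what leaves a C frame as boundBar's caller), as is `//@ runNoJIT` keeping the test in the LLInt; a one-line comment on each would stop a later cleanup from removing them. Minor: `boundBar` and `boundFoo` are created as implicit globals; `var` or `let` would be tidier.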

Modified: trunk/Source/JavaScriptCore/ChangeLog (210275 => 210276)


--- trunk/Source/_javascript_Core/ChangeLog	2017-01-04 17:48:58 UTC (rev 210275)
+++ trunk/Source/_javascript_Core/ChangeLog	2017-01-04 19:11:23 UTC (rev 210276)
@@ -1,3 +1,21 @@
+2017-01-04  Saam Barati  <[email protected]>
+
+        We don't properly handle exceptions inside the nativeCallTrampoline macro in the LLInt
+        https://bugs.webkit.org/show_bug.cgi?id=163720
+
+        Reviewed by Mark Lam.
+
+        In the LLInt, we were incorrectly doing the exception check after the call.
+        Before the exception check, we were unwinding to our caller's
+        frame under the assumption that our caller was always a JS frame.
+        This is incorrect, however, because our caller might be a C frame.
+        One way that it can be a C frame is when C calls to JS, and JS tail
+        calls to native. This patch fixes this bug by doing unwinding from
+        the native callee's frame instead of its callers.
+
+        * llint/LowLevelInterpreter32_64.asm:
+        * llint/LowLevelInterpreter64.asm:
+
 2017-01-03  JF Bastien  <[email protected]>
 
         REGRESSION (r210244): Release JSC Stress test failure: wasm.yaml/wasm/js-api/wasm-to-wasm.js.default-wasm
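Review bot: The entry says the exception check was done "after the call", but the asm diff shows the actual problem is that it ran after `functionEpilogue()`, i.e. after the native callee's frame had been popped and `cfr` already pointed at the caller; saying "after the epilogue" would match the change. It also does not mention that `restoreStackPointerAfterCall()` was dropped from `.handleException`, which deserves a sentence explaining why it is no longer needed now that the throw path runs before the epilogue. Grammar: "instead of its callers" should read "instead of its caller's".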

Modified: trunk/Source/JavaScriptCore/llint/LowLevelInterpreter32_64.asm (210275 => 210276)


--- trunk/Source/_javascript_Core/llint/LowLevelInterpreter32_64.asm	2017-01-04 17:48:58 UTC (rev 210275)
+++ trunk/Source/_javascript_Core/llint/LowLevelInterpreter32_64.asm	2017-01-04 19:11:23 UTC (rev 210276)
@@ -2068,13 +2068,13 @@
         error
     end
     
+    btinz VM::m_exception[t3], .handleException
+
     functionEpilogue()
-    btinz VM::m_exception[t3], .handleException
     ret
 
 .handleException:
     storep cfr, VM::topCallFrame[t3]
-    restoreStackPointerAfterCall()
     jmp _llint_throw_from_slow_path_trampoline
 end
 
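Review bot: Moving `btinz VM::m_exception[t3], .handleException` ahead of `functionEpilogue()` is what makes `.handleException` store the native callee's own `cfr` into `VM::topCallFrame` rather than the caller's, but nothing in the file says that ordering is deliberate; add a comment above the check stating that it must precede the epilogue because the caller may be a C frame (JS tail-calling native), otherwise a later tidy-up can move it back and reintroduce the bug. With `restoreStackPointerAfterCall()` gone from `.handleException`, `_llint_throw_from_slow_path_trampoline` now runs with cfr and sp exactly as the native call left them; worth confirming that every 32-bit target is fine with that, since this hunk's context starts at the `error` / `end` of an architecture switch and the load of the VM pointer into t3 is not visible here.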

Modified: trunk/Source/JavaScriptCore/llint/LowLevelInterpreter64.asm (210275 => 210276)


--- trunk/Source/_javascript_Core/llint/LowLevelInterpreter64.asm	2017-01-04 17:48:58 UTC (rev 210275)
+++ trunk/Source/_javascript_Core/llint/LowLevelInterpreter64.asm	2017-01-04 19:11:23 UTC (rev 210276)
@@ -2021,18 +2021,18 @@
             addp 32, sp
         end
     end
+
     loadp Callee[cfr], t3
     andp MarkedBlockMask, t3
     loadp MarkedBlock::m_vm[t3], t3
 
+    btqnz VM::m_exception[t3], .handleException
+
     functionEpilogue()
-
-    btqnz VM::m_exception[t3], .handleException
     ret
 
 .handleException:
     storep cfr, VM::topCallFrame[t3]
-    restoreStackPointerAfterCall()
     jmp _llint_throw_from_slow_path_trampoline
 end
 
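Review bot: The post-call sequence here (load the VM from `Callee[cfr]`, test `VM::m_exception`, `functionEpilogue()`, `.handleException` storing `topCallFrame`) is now identical to the 32_64 version apart from `btqnz` versus `btinz`; consider hoisting it into a shared macro in LowLevelInterpreter.asm so the two backends cannot drift apart again. Note that the VM load via `Callee[cfr]` also relies on cfr still being the callee's frame, which is a second reason the check has to sit before the epilogue and is worth stating in a comment. The added blank line after `end` is whitespace-only and fine.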
_______________________________________________
webkit-changes mailing list
[email protected]
https://lists.webkit.org/mailman/listinfo/webkit-changes
