Diff
Modified: releases/WebKitGTK/webkit-2.16/JSTests/ChangeLog (213790 => 213791)
--- releases/WebKitGTK/webkit-2.16/JSTests/ChangeLog 2017-03-13 09:21:34 UTC (rev 213790)
+++ releases/WebKitGTK/webkit-2.16/JSTests/ChangeLog 2017-03-13 09:33:36 UTC (rev 213791)
@@ -1,3 +1,12 @@
+2017-03-08 Yusuke Suzuki <[email protected]>
+
+ [GTK] JSC test stress/arity-check-ftl-throw.js.ftl-no-cjit-validate-sampling-profiler crashing on GTK bot
+ https://bugs.webkit.org/show_bug.cgi?id=160124
+
+ Reviewed by Mark Lam.
+
+ * stress/spread-forward-call-varargs-stack-overflow.js:
+
2017-02-22 Yusuke Suzuki <[email protected]>
JSModuleNamespace object should have IC
Modified: releases/WebKitGTK/webkit-2.16/Source/_javascript_Core/ChangeLog (213790 => 213791)
--- releases/WebKitGTK/webkit-2.16/Source/_javascript_Core/ChangeLog 2017-03-13 09:21:34 UTC (rev 213790)
+++ releases/WebKitGTK/webkit-2.16/Source/_javascript_Core/ChangeLog 2017-03-13 09:33:36 UTC (rev 213791)
@@ -1,3 +1,33 @@
+2017-03-08 Yusuke Suzuki <[email protected]>
+
+ [GTK] JSC test stress/arity-check-ftl-throw.js.ftl-no-cjit-validate-sampling-profiler crashing on GTK bot
+ https://bugs.webkit.org/show_bug.cgi?id=160124
+
+ Reviewed by Mark Lam.
+
+ When performing CallVarargs, we will copy values to the stack.
+ Before actually copying values, we need to adjust the stackPointerRegister
+ to ensure copied values are in the allocated stack area.
+ If we do not that, OS can break the values that is stored beyond the stack
+ pointer. For example, signal stack can be constructed on these area, and
+ breaks values.
+
+ This patch fixes the crash in stress/spread-forward-call-varargs-stack-overflow.js
+ in Linux port. Since Linux ports use signal to suspend and resume threads,
+ signal handler is frequently called when enabling sampling profiler. Thus this
+ crash occurs.
+
+ * dfg/DFGSpeculativeJIT32_64.cpp:
+ (JSC::DFG::SpeculativeJIT::emitCall):
+ * dfg/DFGSpeculativeJIT64.cpp:
+ (JSC::DFG::SpeculativeJIT::emitCall):
+ * ftl/FTLLowerDFGToB3.cpp:
+ (JSC::FTL::DFG::LowerDFGToB3::compileCallOrConstructVarargsSpread):
+ (JSC::FTL::DFG::LowerDFGToB3::compileCallOrConstructVarargs):
+ * jit/SetupVarargsFrame.cpp:
+ (JSC::emitSetupVarargsFrameFastCase):
+ * jit/SetupVarargsFrame.h:
+
2017-02-23 Filip Pizlo <[email protected]>
SpeculativeJIT::compilePutByValForIntTypedArray should only do the constant-folding optimization when the constant passes the type check
Modified: releases/WebKitGTK/webkit-2.16/Source/_javascript_Core/dfg/DFGSpeculativeJIT32_64.cpp (213790 => 213791)
--- releases/WebKitGTK/webkit-2.16/Source/_javascript_Core/dfg/DFGSpeculativeJIT32_64.cpp 2017-03-13 09:21:34 UTC (rev 213790)
+++ releases/WebKitGTK/webkit-2.16/Source/_javascript_Core/dfg/DFGSpeculativeJIT32_64.cpp 2017-03-13 09:33:36 UTC (rev 213791)
@@ -754,7 +754,6 @@
RELEASE_ASSERT(!isDirect);
CallVarargsData* data = ""
- GPRReg resultGPR;
unsigned numUsedStackSlots = m_jit.graph().m_nextMachineLocal;
if (isForwardVarargs) {
@@ -777,6 +776,7 @@
inlineCallFrame = node->child3()->origin.semantic.inlineCallFrame;
else
inlineCallFrame = node->origin.semantic.inlineCallFrame;
+ // emitSetupVarargsFrameFastCase modifies the stack pointer if it succeeds.
emitSetupVarargsFrameFastCase(m_jit, scratchGPR2, scratchGPR1, scratchGPR2, scratchGPR3, inlineCallFrame, data->firstVarArgOffset, slowCase);
JITCompiler::Jump done = m_jit.jump();
slowCase.link(&m_jit);
@@ -784,7 +784,6 @@
m_jit.exceptionCheck();
m_jit.abortWithReason(DFGVarargsThrowingPathDidNotThrow);
done.link(&m_jit);
- resultGPR = scratchGPR2;
} else {
GPRReg argumentsPayloadGPR;
GPRReg argumentsTagGPR;
@@ -825,10 +824,8 @@
callOperation(operationSetupVarargsFrame, GPRInfo::returnValueGPR, scratchGPR1, JSValueRegs(argumentsTagGPR, argumentsPayloadGPR), data->firstVarArgOffset, GPRInfo::returnValueGPR);
m_jit.exceptionCheck();
- resultGPR = GPRInfo::returnValueGPR;
+ m_jit.addPtr(TrustedImm32(sizeof(CallerFrameAndPC)), GPRInfo::returnValueGPR, JITCompiler::stackPointerRegister);
}
-
- m_jit.addPtr(TrustedImm32(sizeof(CallerFrameAndPC)), resultGPR, JITCompiler::stackPointerRegister);
DFG_ASSERT(m_jit.graph(), node, isFlushed());
Modified: releases/WebKitGTK/webkit-2.16/Source/_javascript_Core/dfg/DFGSpeculativeJIT64.cpp (213790 => 213791)
--- releases/WebKitGTK/webkit-2.16/Source/_javascript_Core/dfg/DFGSpeculativeJIT64.cpp 2017-03-13 09:21:34 UTC (rev 213790)
+++ releases/WebKitGTK/webkit-2.16/Source/_javascript_Core/dfg/DFGSpeculativeJIT64.cpp 2017-03-13 09:33:36 UTC (rev 213791)
@@ -730,7 +730,6 @@
RELEASE_ASSERT(!isDirect);
CallVarargsData* data = ""
- GPRReg resultGPR;
unsigned numUsedStackSlots = m_jit.graph().m_nextMachineLocal;
if (isForwardVarargs) {
@@ -753,6 +752,7 @@
inlineCallFrame = node->child3()->origin.semantic.inlineCallFrame;
else
inlineCallFrame = node->origin.semantic.inlineCallFrame;
+ // emitSetupVarargsFrameFastCase modifies the stack pointer if it succeeds.
emitSetupVarargsFrameFastCase(m_jit, scratchGPR2, scratchGPR1, scratchGPR2, scratchGPR3, inlineCallFrame, data->firstVarArgOffset, slowCase);
JITCompiler::Jump done = m_jit.jump();
slowCase.link(&m_jit);
@@ -760,7 +760,6 @@
m_jit.exceptionCheck();
m_jit.abortWithReason(DFGVarargsThrowingPathDidNotThrow);
done.link(&m_jit);
- resultGPR = scratchGPR2;
} else {
GPRReg argumentsGPR;
GPRReg scratchGPR1;
@@ -798,11 +797,9 @@
callOperation(operationSetupVarargsFrame, GPRInfo::returnValueGPR, scratchGPR1, argumentsGPR, data->firstVarArgOffset, GPRInfo::returnValueGPR);
m_jit.exceptionCheck();
- resultGPR = GPRInfo::returnValueGPR;
+ m_jit.addPtr(TrustedImm32(sizeof(CallerFrameAndPC)), GPRInfo::returnValueGPR, JITCompiler::stackPointerRegister);
}
- m_jit.addPtr(TrustedImm32(sizeof(CallerFrameAndPC)), resultGPR, JITCompiler::stackPointerRegister);
-
DFG_ASSERT(m_jit.graph(), node, isFlushed());
// We don't need the arguments array anymore.
Modified: releases/WebKitGTK/webkit-2.16/Source/_javascript_Core/ftl/FTLLowerDFGToB3.cpp (213790 => 213791)
--- releases/WebKitGTK/webkit-2.16/Source/_javascript_Core/ftl/FTLLowerDFGToB3.cpp 2017-03-13 09:21:34 UTC (rev 213790)
+++ releases/WebKitGTK/webkit-2.16/Source/_javascript_Core/ftl/FTLLowerDFGToB3.cpp 2017-03-13 09:33:36 UTC (rev 213791)
@@ -6392,10 +6392,6 @@
exceptions->append(jit.emitExceptionCheck(AssemblyHelpers::NormalExceptionCheck, AssemblyHelpers::FarJumpWidth));
};
- auto adjustStack = [&] (GPRReg amount) {
- jit.addPtr(CCallHelpers::TrustedImm32(sizeof(CallerFrameAndPC)), amount, CCallHelpers::stackPointerRegister);
- };
-
CCallHelpers::JumpList slowCase;
unsigned originalStackHeight = params.proc().frameSize();
@@ -6415,6 +6411,9 @@
jit.lshiftPtr(CCallHelpers::Imm32(3), scratchGPR1);
jit.addPtr(GPRInfo::callFrameRegister, scratchGPR1);
+ // Before touching stack values, we should update the stack pointer to protect them from signal stack.
+ jit.addPtr(CCallHelpers::TrustedImm32(sizeof(CallerFrameAndPC)), scratchGPR1, CCallHelpers::stackPointerRegister);
+
jit.store32(scratchGPR2, CCallHelpers::Address(scratchGPR1, CallFrameSlot::argumentCount * static_cast<int>(sizeof(Register)) + PayloadOffset));
int storeOffset = CallFrame::thisArgumentOffset() * static_cast<int>(sizeof(Register));
@@ -6461,8 +6460,6 @@
dontThrow.link(&jit);
}
-
- adjustStack(scratchGPR1);
ASSERT(calleeGPR == GPRInfo::regT0);
jit.store64(calleeGPR, CCallHelpers::calleeFrameSlot(CallFrameSlot::callee));
@@ -6702,10 +6699,6 @@
exceptions->append(jit.emitExceptionCheck(AssemblyHelpers::NormalExceptionCheck, AssemblyHelpers::FarJumpWidth));
};
- auto adjustStack = [&] (GPRReg amount) {
- jit.addPtr(CCallHelpers::TrustedImm32(sizeof(CallerFrameAndPC)), amount, CCallHelpers::stackPointerRegister);
- };
-
unsigned originalStackHeight = params.proc().frameSize();
if (forwarding) {
@@ -6717,6 +6710,8 @@
inlineCallFrame = node->child3()->origin.semantic.inlineCallFrame;
else
inlineCallFrame = node->origin.semantic.inlineCallFrame;
+
+ // emitSetupVarargsFrameFastCase modifies the stack pointer if it succeeds.
emitSetupVarargsFrameFastCase(jit, scratchGPR2, scratchGPR1, scratchGPR2, scratchGPR3, inlineCallFrame, data->firstVarArgOffset, slowCase);
CCallHelpers::Jump done = jit.jump();
@@ -6726,8 +6721,6 @@
jit.abortWithReason(DFGVarargsThrowingPathDidNotThrow);
done.link(&jit);
-
- adjustStack(scratchGPR2);
} else {
jit.move(CCallHelpers::TrustedImm32(originalStackHeight / sizeof(EncodedJSValue)), scratchGPR1);
jit.setupArgumentsWithExecState(argumentsGPR, scratchGPR1, CCallHelpers::TrustedImm32(data->firstVarArgOffset));
@@ -6741,7 +6734,7 @@
jit.setupArgumentsWithExecState(scratchGPR2, argumentsGPR, CCallHelpers::TrustedImm32(data->firstVarArgOffset), scratchGPR1);
callWithExceptionCheck(bitwise_cast<void*>(operationSetupVarargsFrame));
- adjustStack(GPRInfo::returnValueGPR);
+ jit.addPtr(CCallHelpers::TrustedImm32(sizeof(CallerFrameAndPC)), GPRInfo::returnValueGPR, CCallHelpers::stackPointerRegister);
calleeLateRep.emitRestore(jit, GPRInfo::regT0);
Modified: releases/WebKitGTK/webkit-2.16/Source/_javascript_Core/jit/SetupVarargsFrame.cpp (213790 => 213791)
--- releases/WebKitGTK/webkit-2.16/Source/_javascript_Core/jit/SetupVarargsFrame.cpp 2017-03-13 09:21:34 UTC (rev 213790)
+++ releases/WebKitGTK/webkit-2.16/Source/_javascript_Core/jit/SetupVarargsFrame.cpp 2017-03-13 09:33:36 UTC (rev 213791)
@@ -60,7 +60,7 @@
jit.addPtr(GPRInfo::callFrameRegister, resultGPR);
}
-void emitSetupVarargsFrameFastCase(CCallHelpers& jit, GPRReg numUsedSlotsGPR, GPRReg scratchGPR1, GPRReg scratchGPR2, GPRReg scratchGPR3, ValueRecovery argCountRecovery, VirtualRegister firstArgumentReg, unsigned firstVarArgOffset, CCallHelpers::JumpList& slowCase)
+static void emitSetupVarargsFrameFastCase(CCallHelpers& jit, GPRReg numUsedSlotsGPR, GPRReg scratchGPR1, GPRReg scratchGPR2, GPRReg scratchGPR3, ValueRecovery argCountRecovery, VirtualRegister firstArgumentReg, unsigned firstVarArgOffset, CCallHelpers::JumpList& slowCase)
{
CCallHelpers::JumpList end;
@@ -84,6 +84,9 @@
slowCase.append(jit.branchPtr(CCallHelpers::Above, CCallHelpers::AbsoluteAddress(jit.vm()->addressOfSoftStackLimit()), scratchGPR2));
+ // Before touching stack values, we should update the stack pointer to protect them from signal stack.
+ jit.addPtr(CCallHelpers::TrustedImm32(sizeof(CallerFrameAndPC)), scratchGPR2, CCallHelpers::stackPointerRegister);
+
// Initialize ArgumentCount.
jit.store32(scratchGPR1, CCallHelpers::Address(scratchGPR2, CallFrameSlot::argumentCount * static_cast<int>(sizeof(Register)) + PayloadOffset));
@@ -108,11 +111,6 @@
done.link(&jit);
}
-void emitSetupVarargsFrameFastCase(CCallHelpers& jit, GPRReg numUsedSlotsGPR, GPRReg scratchGPR1, GPRReg scratchGPR2, GPRReg scratchGPR3, unsigned firstVarArgOffset, CCallHelpers::JumpList& slowCase)
-{
- emitSetupVarargsFrameFastCase(jit, numUsedSlotsGPR, scratchGPR1, scratchGPR2, scratchGPR3, nullptr, firstVarArgOffset, slowCase);
-}
-
void emitSetupVarargsFrameFastCase(CCallHelpers& jit, GPRReg numUsedSlotsGPR, GPRReg scratchGPR1, GPRReg scratchGPR2, GPRReg scratchGPR3, InlineCallFrame* inlineCallFrame, unsigned firstVarArgOffset, CCallHelpers::JumpList& slowCase)
{
ValueRecovery argumentCountRecovery;
Modified: releases/WebKitGTK/webkit-2.16/Source/_javascript_Core/jit/SetupVarargsFrame.h (213790 => 213791)
--- releases/WebKitGTK/webkit-2.16/Source/_javascript_Core/jit/SetupVarargsFrame.h 2017-03-13 09:21:34 UTC (rev 213790)
+++ releases/WebKitGTK/webkit-2.16/Source/_javascript_Core/jit/SetupVarargsFrame.h 2017-03-13 09:33:36 UTC (rev 213791)
@@ -36,12 +36,6 @@
// Assumes that SP refers to the last in-use stack location, and after this returns SP will point to
// the newly created frame plus the native header. scratchGPR2 may be the same as numUsedSlotsGPR.
-void emitSetupVarargsFrameFastCase(CCallHelpers&, GPRReg numUsedSlotsGPR, GPRReg scratchGPR1, GPRReg scratchGPR2, GPRReg scratchGPR3, ValueRecovery argCountRecovery, VirtualRegister firstArgumentReg, unsigned firstVarArgOffset, CCallHelpers::JumpList& slowCase);
-
-// Variant that assumes normal stack frame.
-void emitSetupVarargsFrameFastCase(CCallHelpers&, GPRReg numUsedSlotsGPR, GPRReg scratchGPR1, GPRReg scratchGPR2, GPRReg scratchGPR3, unsigned firstVarArgOffset, CCallHelpers::JumpList& slowCase);
-
-// Variant for potentially inlined stack frames.
void emitSetupVarargsFrameFastCase(CCallHelpers&, GPRReg numUsedSlotsGPR, GPRReg scratchGPR1, GPRReg scratchGPR2, GPRReg scratchGPR3, InlineCallFrame*, unsigned firstVarArgOffset, CCallHelpers::JumpList& slowCase);
} // namespace JSC
