Title: [218673] trunk
- Revision
- 218673
- Author
- [email protected]
- Date
- 2017-06-21 18:54:45 -0700 (Wed, 21 Jun 2017)
Log Message
eval virtual call is incorrect in the baseline JIT
https://bugs.webkit.org/show_bug.cgi?id=173587
<rdar://problem/32867897>
Reviewed by Michael Saboff.
JSTests:
* stress/do-eval-virtual-call-correctly.js: Added.
(assert):
(f):
(i.test):
(catch):
Source/_javascript_Core:
When making a virtual call for call_eval, e.g., when the thing
we're calling isn't actually eval, we end up calling the caller
instead of the callee. This is clearly wrong. The code ends up
issuing a load for the Callee in the caller's frame instead of
the callee we're calling. The fix is simple, we just need to
load the real callee. Only the 32-bit baseline JIT had this bug.
* jit/JITCall32_64.cpp:
(JSC::JIT::compileCallEvalSlowCase):
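The description above hinges on a JavaScript detail: a call spelled `eval(x)` cannot be resolved at compile time, because `eval` is an ordinary identifier that may be bound to anything. The engine therefore compiles such a site as call_eval and decides at run time whether it is a direct eval (the binding really is the global `eval`) or an ordinary "virtual" call to whatever function the binding holds. The block below is an added example, not code from the WebKit commit or from the JSTests file it adds; the function names, the `trace` array and the bounded recursion depth are constructed for illustration. It shows both run-time outcomes of a call_eval site and ports the shape of the regression test to a form that runs in any engine, with the unbounded recursion replaced by a depth counter.

```javascript
// Added example, not part of the WebKit commit. Demonstrates the two run-time
// meanings of a call written `eval(arg)`: a direct eval when `eval` is the
// real global eval, otherwise an ordinary call to the bound function.

// Built with the Function constructor so the body is sloppy-mode code even if
// this file is loaded as a strict ES module: strict code may not name a
// binding `eval`, and naming the parameter `eval` is exactly what makes
// `eval(arg)` a call_eval site whose callee is only known at run time.
const callThroughEvalBinding = new Function(
  "eval", "arg", "trace",
  "trace.push('caller'); return eval(arg);"
);

// An ordinary function standing in for "the thing we're calling isn't
// actually eval" (constructed for the example).
function notEval(arg, trace) {
  trace.push("callee:" + arg);
  return "callee got " + arg;
}

// Virtual-call path: the function bound to `eval`, not the caller, must run.
// The commit describes the buggy 32-bit path loading the caller's own frame
// callee here, i.e. re-entering the caller instead of `notEval`.
function checkOrdinaryCallee() {
  const trace = [];
  // `notEval` needs the trace array; bind it so the call site stays `eval(arg)`.
  const result = callThroughEvalBinding((a) => notEval(a, trace), 7, trace);
  return { result, trace };
}

// Direct-eval path: when the binding really is the global eval, the call is a
// direct eval and the evaluated source sees the caller's local scope, so the
// string "arg.length" is evaluated against the local parameter `arg`.
function checkDirectEval() {
  return callThroughEvalBinding(globalThis.eval, "arg.length", []);
}

// Bounded port of the regression test's shape: recurse through a call_eval
// site and check at every level that the callee (not the enclosing function)
// was the one invoked. The original test recurses until a RangeError; a depth
// counter replaces that here so the check terminates deterministically.
function regressionStyleCheck(depth) {
  let calleeCalls = 0;
  function target() { calleeCalls++; return 0; }
  function f(n) {
    const seen = [];
    callThroughEvalBinding(target, 0, seen);
    // With the bug, the call_eval site would have re-entered the caller; the
    // callee counter would then not advance for this level.
    if (calleeCalls !== depth - n + 1) throw new Error("call_eval site invoked the wrong function");
    if (n > 0) f(n - 1);
  }
  f(depth);
  return calleeCalls; // one callee invocation per level: depth + 1
}
```

Running `checkOrdinaryCallee()` records the caller first and then the callee with its argument, `checkDirectEval()` returns 10 (the length of the string `"arg.length"`, proving the eval'd code saw the local `arg`), and `regressionStyleCheck(50)` returns 51. The `Function`-constructor trick is only needed to keep the example loadable under strict mode; in a sloppy-mode script a plain `function f(eval) { eval(0); }` is the same call_eval site the JSTests file exercises.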
Diff
Modified: trunk/JSTests/ChangeLog (218672 => 218673)
--- trunk/JSTests/ChangeLog 2017-06-22 01:41:36 UTC (rev 218672)
+++ trunk/JSTests/ChangeLog 2017-06-22 01:54:45 UTC (rev 218673)
@@ -1,3 +1,17 @@
+2017-06-21 Saam Barati <[email protected]>
+
+ eval virtual call is incorrect in the baseline JIT
+ https://bugs.webkit.org/show_bug.cgi?id=173587
+ <rdar://problem/32867897>
+
+ Reviewed by Michael Saboff.
+
+ * stress/do-eval-virtual-call-correctly.js: Added.
+ (assert):
+ (f):
+ (i.test):
+ (catch):
+
2017-06-20 Ryan Haddad <[email protected]>
Update test262 test expectations after r218581.
Added: trunk/JSTests/stress/do-eval-virtual-call-correctly.js (0 => 218673)
--- trunk/JSTests/stress/do-eval-virtual-call-correctly.js (rev 0)
+++ trunk/JSTests/stress/do-eval-virtual-call-correctly.js 2017-06-22 01:54:45 UTC (rev 218673)
@@ -0,0 +1,27 @@
+function assert(b) {
+ if (!b) {
+ abort();
+ }
+}
+noInline(assert);
+
+let test;
+
+function f(eval) {
+ assert(eval === test);
+ eval(0x0);
+ f(test);
+}
+
+for (let i = 0; i < 20; ++i) {
+ test = function test() { return i; }
+}
+
+let error;
+try {
+ f(test);
+} catch(e) {
+ error = e;
+}
+assert(!!error);
+assert(error instanceof RangeError);
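Review bot: the test's termination deserves a comment, since `f` recurses without bound (`eval(0x0)` calls `test`, then `f(test)` recurses) and the run only ends when the stack overflows; the final two assertions exist to confirm that RangeError, and without a note a reader may take the recursion for a mistake. It would also help to say that `assert(eval === test)` is the actual regression check: per the description, the buggy path called the caller `f` instead of the callee, so `f` would have been re-entered with `0x0` as `eval`, the identity check would fail and `abort()` would fire. `abort()` and `noInline()` are JSC shell builtins, so the file runs only under the jsc test harness, which is fine for stress/ but worth knowing when reproducing by hand.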
Modified: trunk/Source/_javascript_Core/ChangeLog (218672 => 218673)
--- trunk/Source/_javascript_Core/ChangeLog 2017-06-22 01:41:36 UTC (rev 218672)
+++ trunk/Source/_javascript_Core/ChangeLog 2017-06-22 01:54:45 UTC (rev 218673)
@@ -1,3 +1,21 @@
+2017-06-21 Saam Barati <[email protected]>
+
+ eval virtual call is incorrect in the baseline JIT
+ https://bugs.webkit.org/show_bug.cgi?id=173587
+ <rdar://problem/32867897>
+
+ Reviewed by Michael Saboff.
+
+ When making a virtual call for call_eval, e.g, when the thing
+ we're calling isn't actually eval, we end up calling the caller
+ instead of the callee. This is clearly wrong. The code ends up
+ issuing a load for the Callee in the callers frame instead of
+ the callee we're calling. The fix is simple, we just need to
+ load the real callee. Only the 32-bit baseline JIT had this bug.
+
+ * jit/JITCall32_64.cpp:
+ (JSC::JIT::compileCallEvalSlowCase):
+
2017-06-21 Joseph Pecoraro <[email protected]>
Web Inspector: Using "break on all exceptions" when throwing stack overflow hangs inspector
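Review bot: in the description, "e.g," should read "i.e.," since a callee that isn't actually eval is the definition of the virtual-call case rather than an example of it, and "callers frame" should be "caller's frame". One sentence on why only JITCall32_64.cpp is touched (how the 64-bit baseline JIT already loads the callee for this slow case) would let a reader verify the "only the 32-bit baseline JIT had this bug" claim from the ChangeLog alone.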
Modified: trunk/Source/_javascript_Core/jit/JITCall32_64.cpp (218672 => 218673)
--- trunk/Source/_javascript_Core/jit/JITCall32_64.cpp 2017-06-22 01:41:36 UTC (rev 218672)
+++ trunk/Source/_javascript_Core/jit/JITCall32_64.cpp 2017-06-22 01:54:45 UTC (rev 218673)
@@ -208,12 +208,13 @@
linkSlowCase(iter);
int registerOffset = -instruction[4].u.operand;
+ int callee = instruction[2].u.operand;
addPtr(TrustedImm32(registerOffset * sizeof(Register) + sizeof(CallerFrameAndPC)), callFrameRegister, stackPointerRegister);
move(TrustedImmPtr(info), regT2);
- emitLoad(CallFrameSlot::callee, regT1, regT0);
+ emitLoad(callee, regT1, regT0);
MacroAssemblerCodeRef virtualThunk = virtualThunkFor(m_vm, *info);
info->setSlowStub(createJITStubRoutine(virtualThunk, *m_vm, nullptr, true));
emitNakedCall(virtualThunk.code());
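Review bot: the old `emitLoad(CallFrameSlot::callee, regT1, regT0)` read the callee slot of the frame currently executing, which is the caller itself, so the virtual thunk was handed the wrong function; loading the `callee` virtual register taken from `instruction[2].u.operand` is the right fix. Two documentation points: `instruction[2]` and `instruction[4]` are bare operand indices, so a short comment naming the op_call_eval operand layout (callee, register offset) would keep them from drifting if the bytecode changes. And because the load is emitted after `addPtr(...)` has already moved `stackPointerRegister`, it is correct only because `emitLoad` addresses the register off `callFrameRegister`; a one-line comment on that ordering would save the next reader from wondering whether the load should precede the stack adjustment.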
_______________________________________________
webkit-changes mailing list
[email protected]
https://lists.webkit.org/mailman/listinfo/webkit-changes