Title: [224539] trunk
- Revision
- 224539
- Author
- [email protected]
- Date
- 2017-11-07 11:33:22 -0800 (Tue, 07 Nov 2017)
Log Message
AccessCase::generateImpl() should exclude the result register when restoring registers after a call.
https://bugs.webkit.org/show_bug.cgi?id=179355
<rdar://problem/35263053>
Reviewed by Saam Barati.
JSTests:
* stress/regress-179355.js: Added.
Source/JavaScriptCore:
In the Transition case in AccessCase::generateImpl(), we were restoring registers
using restoreLiveRegistersFromStackForCall() without excluding the scratchGPR
where we previously stashed the reallocated butterfly. If the generated code is
under heavy register pressure, scratchGPR could have been from the set of preserved
registers, and hence, would be restored by restoreLiveRegistersFromStackForCall().
As a result, the restoration would trash the butterfly result we stored there.
This patch fixes the issue by excluding the scratchGPR in the restoration.
* bytecode/AccessCase.cpp:
(JSC::AccessCase::generateImpl):
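The hazard the commit message describes, as an added example that is not WebKit code: a small C++ model of spilling the live registers around a call, stashing the call's result in scratchGPR, and then restoring. The RegisterSet, SpillState and helper names, the register count, and the 0x1000 + r pre-call register contents are assumptions of the model, not JSC's real types or signatures; only the shape of the call at the fixed site (restore with an exclusion set) mirrors the patch.

```cpp
// Added example, not WebKit code: a minimal model of the spill/restore hazard
// fixed in r224539. RegisterSet, SpillState, spillLiveRegistersForCall and
// restoreLiveRegistersFromStackForCall are simplified stand-ins for the JSC
// helpers of the same name (assumed shapes, not the real signatures).
#include <array>
#include <bitset>
#include <cstdint>
#include <cstdio>

constexpr int kNumGPRs = 8;
using RegisterSet = std::bitset<kNumGPRs>;
using RegisterFile = std::array<uint64_t, kNumGPRs>;

// A spill records which registers were live at the call and their values.
struct SpillState {
    RegisterSet spilled;
    RegisterFile saved{};
};

SpillState spillLiveRegistersForCall(const RegisterFile& regs, RegisterSet live)
{
    SpillState state;
    state.spilled = live;
    for (int r = 0; r < kNumGPRs; ++r) {
        if (live.test(r))
            state.saved[r] = regs[r];
    }
    return state;
}

// The callee may clobber any caller-saved register; model that by trashing all.
void simulateCallClobber(RegisterFile& regs)
{
    for (auto& value : regs)
        value = 0xDEADBEEF;
}

// Restore every spilled register except those in `exclude` (the parameter the
// fix starts passing at the Transition call site).
void restoreLiveRegistersFromStackForCall(RegisterFile& regs, const SpillState& state, RegisterSet exclude = {})
{
    for (int r = 0; r < kNumGPRs; ++r) {
        if (state.spilled.test(r) && !exclude.test(r))
            regs[r] = state.saved[r];
    }
}

// Model of the Transition path: spill, call, stash the reallocated butterfly
// in scratchGPR, restore. Returns what scratchGPR holds afterwards.
// Pre-call register r holds 0x1000 + r (assumed) so a clobbered result is recognisable.
uint64_t transitionPath(RegisterSet liveAtCall, int scratchGPR, uint64_t newButterfly, bool excludeResultRegister)
{
    RegisterFile regs{};
    for (int r = 0; r < kNumGPRs; ++r)
        regs[r] = 0x1000 + r;

    SpillState spill = spillLiveRegistersForCall(regs, liveAtCall);
    simulateCallClobber(regs);
    regs[scratchGPR] = newButterfly;           // the call's result

    RegisterSet exclude;
    if (excludeResultRegister)
        exclude.set(scratchGPR);               // what r224539 adds
    restoreLiveRegistersFromStackForCall(regs, spill, exclude);
    return regs[scratchGPR];
}

int main()
{
    // Register pressure: scratchGPR (r2) is also in the live set that gets spilled.
    RegisterSet live(0x24);                    // r2 and r5 live across the call
    std::printf("before fix: scratchGPR = %#llx\n", (unsigned long long)transitionPath(live, 2, 0xABCD, false));
    std::printf("after fix:  scratchGPR = %#llx\n", (unsigned long long)transitionPath(live, 2, 0xABCD, true));
    return 0;
}
```

With scratchGPR outside the live set the two variants agree, which is why the bug only shows up under register pressure; once scratchGPR is among the spilled registers, the unfiltered restore silently replaces the butterfly pointer with the stale pre-call value.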
Diff
Modified: trunk/JSTests/ChangeLog (224538 => 224539)
--- trunk/JSTests/ChangeLog 2017-11-07 19:29:31 UTC (rev 224538)
+++ trunk/JSTests/ChangeLog 2017-11-07 19:33:22 UTC (rev 224539)
@@ -1,3 +1,13 @@
+2017-11-07 Mark Lam <[email protected]>
+
+ AccessCase::generateImpl() should exclude the result register when restoring registers after a call.
+ https://bugs.webkit.org/show_bug.cgi?id=179355
+ <rdar://problem/35263053>
+
+ Reviewed by Saam Barati.
+
+ * stress/regress-179355.js: Added.
+
2017-11-05 Yusuke Suzuki <[email protected]>
JIT call inline caches should cache calls to objects with getCallData/getConstructData traps
Added: trunk/JSTests/stress/regress-179355.js (0 => 224539)
--- trunk/JSTests/stress/regress-179355.js (rev 0)
+++ trunk/JSTests/stress/regress-179355.js 2017-11-07 19:33:22 UTC (rev 224539)
@@ -0,0 +1,25 @@
+var arr0 = [1,2,3,4];
+var arr1 = new Array(1000);
+
+Array.prototype.__defineGetter__(1, function() {
+ [].concat(arr1); //generate to invalid JIT code here?
+});
+
+Array.prototype.__defineGetter__(Symbol.isConcatSpreadable, (function() {
+ for(var i=0;i<10000;i++) {
+ if(i==0)
+ arr1[i];
+ this.x = 1.1;
+ arr1.legnth = 1;
+ }
+}));
+
+var exception;
+try {
+ arr1[1].toString();
+} catch (e) {
+ exception = e;
+}
+
+if (exception != "RangeError: Maximum call stack size exceeded.")
+ throw "FAILED";
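Review bot: the test's mechanism is undocumented, and `arr1.legnth = 1;` reads as a typo for `length` when it is in fact what makes each loop iteration add a new own property to arr1 (a structure transition, the AccessCase path the fix touches); a comment saying so, and replacing the trailing question `//generate to invalid JIT code here?` with a statement of what the recursion through `[].concat(arr1)` and the index-1 getter is meant to exercise, would keep a later cleanup from "fixing" it. Comparing `exception != "RangeError: Maximum call stack size exceeded."` also ties the test to the exact message text; `exception instanceof RangeError` would be less brittle.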
Modified: trunk/Source/JavaScriptCore/ChangeLog (224538 => 224539)
--- trunk/Source/JavaScriptCore/ChangeLog 2017-11-07 19:29:31 UTC (rev 224538)
+++ trunk/Source/JavaScriptCore/ChangeLog 2017-11-07 19:33:22 UTC (rev 224539)
@@ -1,3 +1,22 @@
+2017-11-07 Mark Lam <[email protected]>
+
+ AccessCase::generateImpl() should exclude the result register when restoring registers after a call.
+ https://bugs.webkit.org/show_bug.cgi?id=179355
+ <rdar://problem/35263053>
+
+ Reviewed by Saam Barati.
+
+ In the Transition case in AccessCase::generateImpl(), we were restoring registers
+ using restoreLiveRegistersFromStackForCall() without excluding the scratchGPR
+ where we previously stashed the reallocated butterfly. If the generated code is
+ under heavy register pressure, scratchGPR could have been from the set of preserved
+ registers, and hence, would be restored by restoreLiveRegistersFromStackForCall().
+ As a result, the restoration would trash the butterfly result we stored there.
+ This patch fixes the issue by excluding the scratchGPR in the restoration.
+
+ * bytecode/AccessCase.cpp:
+ (JSC::AccessCase::generateImpl):
+
2017-11-06 Robin Morisset <[email protected]>
CodeBlock::usesOpcode() is dead code
Modified: trunk/Source/JavaScriptCore/bytecode/AccessCase.cpp (224538 => 224539)
--- trunk/Source/JavaScriptCore/bytecode/AccessCase.cpp 2017-11-07 19:29:31 UTC (rev 224538)
+++ trunk/Source/JavaScriptCore/bytecode/AccessCase.cpp 2017-11-07 19:33:22 UTC (rev 224539)
@@ -1042,7 +1042,9 @@
state.emitExplicitExceptionHandler();
noException.link(&jit);
- state.restoreLiveRegistersFromStackForCall(spillState);
+ RegisterSet resultRegisterToExclude;
+ resultRegisterToExclude.set(scratchGPR);
+ state.restoreLiveRegistersFromStackForCall(spillState, resultRegisterToExclude);
}
}
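Review bot: the call site gets no comment explaining why scratchGPR is excluded; a one-line note that scratchGPR holds the reallocated butterfly returned by the call, and so must survive restoreLiveRegistersFromStackForCall(), would tie the exclusion to the reasoning in the ChangeLog. The name `resultRegisterToExclude` also names a RegisterSet as if it were a single register; `registersToExclude` matches the type. Since this is the only call site in the diff, it is worth confirming in review that no other restore in generateImpl() follows a call whose result was stashed in a register that can be in the spill set.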