Modified: tags/Safari-605.1.23.1/Source/_javascript_Core/ChangeLog (227163 => 227164)
--- tags/Safari-605.1.23.1/Source/_javascript_Core/ChangeLog 2018-01-18 21:51:42 UTC (rev 227163)
+++ tags/Safari-605.1.23.1/Source/_javascript_Core/ChangeLog 2018-01-18 21:51:45 UTC (rev 227164)
@@ -1,3 +1,31 @@
+2018-01-18 Jason Marcell <[email protected]>
+
+ Cherry-pick r227152. rdar://problem/36628594
+
+ 2018-01-18 Michael Saboff <[email protected]>
+
+ REGRESSION (r226068): [X86] Crash in _javascript_Core ShadowChicken when handling exceptions
+ https://bugs.webkit.org/show_bug.cgi?id=181802
+
+ Reviewed by Filip Pizlo.
+
+ There where a few places where the stack isn't properly aligned for X86 when we call into C++ code.
+ Two places are where we call into exception handling code, the LLInt and from nativeForGenerator.
+ The other place was when we call into the operationOSRWriteBarrier().
+
+ Added an assert check that the stack is aligned on X86 platforms in the native call tracing code.
+ This helped find the other cases beyond the original problem.
+
+ * dfg/DFGOSRExitCompilerCommon.cpp:
+ (JSC::DFG::osrWriteBarrier):
+ * interpreter/FrameTracers.h:
+ (JSC::assertStackPointerIsAligned):
+ (JSC::NativeCallFrameTracer::NativeCallFrameTracer):
+ (JSC::NativeCallFrameTracerWithRestore::NativeCallFrameTracerWithRestore):
+ * jit/ThunkGenerators.cpp:
+ (JSC::nativeForGenerator):
+ * llint/LowLevelInterpreter32_64.asm:
+
2018-01-12 Jason Marcell <[email protected]>
Apply patch. rdar://problem/36303061
Modified: tags/Safari-605.1.23.1/Source/_javascript_Core/dfg/DFGOSRExitCompilerCommon.cpp (227163 => 227164)
--- tags/Safari-605.1.23.1/Source/_javascript_Core/dfg/DFGOSRExitCompilerCommon.cpp 2018-01-18 21:51:42 UTC (rev 227163)
+++ tags/Safari-605.1.23.1/Source/_javascript_Core/dfg/DFGOSRExitCompilerCommon.cpp 2018-01-18 21:51:45 UTC (rev 227164)
@@ -258,7 +258,7 @@
// We need these extra slots because setupArgumentsWithExecState will use poke on x86.
#if CPU(X86)
- jit.subPtr(MacroAssembler::TrustedImm32(sizeof(void*) * 3), MacroAssembler::stackPointerRegister);
+ jit.subPtr(MacroAssembler::TrustedImm32(sizeof(void*) * 4), MacroAssembler::stackPointerRegister);
#endif
jit.setupArgumentsWithExecState(owner);
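Review bot: The context comment above the changed `subPtr` still explains only the poke slots, not why the count went from 3 to 4, so a later reader has no reason not to shrink it back. Suggest extending it to `// We need these extra slots because setupArgumentsWithExecState will use poke on x86; 4 slots (not 3) also keeps esp 16-byte aligned at the call.` The matching `addPtr` in the next hunk has to stay in step with this value; a named local constant used by both would make that drift harder. osrWriteBarrier's body begins before this hunk.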
@@ -266,7 +266,7 @@
jit.call(scratch);
#if CPU(X86)
- jit.addPtr(MacroAssembler::TrustedImm32(sizeof(void*) * 3), MacroAssembler::stackPointerRegister);
+ jit.addPtr(MacroAssembler::TrustedImm32(sizeof(void*) * 4), MacroAssembler::stackPointerRegister);
#endif
ownerIsRememberedOrInEden.link(&jit);
Modified: tags/Safari-605.1.23.1/Source/_javascript_Core/interpreter/FrameTracers.h (227163 => 227164)
--- tags/Safari-605.1.23.1/Source/_javascript_Core/interpreter/FrameTracers.h 2018-01-18 21:51:42 UTC (rev 227163)
+++ tags/Safari-605.1.23.1/Source/_javascript_Core/interpreter/FrameTracers.h 2018-01-18 21:51:45 UTC (rev 227164)
@@ -26,6 +26,7 @@
#pragma once
#include "CatchScope.h"
+#include "StackAlignment.h"
#include "VM.h"
namespace JSC {
@@ -68,6 +69,18 @@
CallFrame* oldCallFrame;
};
+ALWAYS_INLINE static void assertStackPointerIsAligned()
+{
+#ifndef NDEBUG
+#if CPU(X86)
+ uintptr_t stackPointer;
+
+ asm("movl %%esp,%0" : "=r"(stackPointer));
+ ASSERT(!(stackPointer % stackAlignmentBytes()));
+#endif
+#endif
+}
+
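Review bot: `asm("movl %%esp,%0" : "=r"(stackPointer));` is GCC/Clang extended inline assembly, but the guard is only `CPU(X86)`, which (judging by the `X86_WIN` branch added to the .asm file in this same commit) also covers 32-bit MSVC builds, where this will not compile in debug. Suggest narrowing the guard to `#if CPU(X86) && COMPILER(GCC_OR_CLANG)` (or whichever macro WTF uses for GCC-style asm) and, if Windows coverage is wanted, an MSVC equivalent behind its own branch. The helper also has no comment; a one-liner such as `// Debug-only: JIT/LLInt callers must enter C++ with esp 16-byte aligned; only checked on 32-bit x86, where the ABI needs it and the JIT manages esp by hand.` would explain both the platform restriction and why it sits in the frame tracers.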
class NativeCallFrameTracer {
public:
ALWAYS_INLINE NativeCallFrameTracer(VM* vm, CallFrame* callFrame)
@@ -75,6 +88,7 @@
ASSERT(vm);
ASSERT(callFrame);
ASSERT(reinterpret_cast<void*>(callFrame) < reinterpret_cast<void*>(vm->topEntryFrame));
+ assertStackPointerIsAligned();
vm->topCallFrame = callFrame;
}
};
@@ -86,6 +100,7 @@
{
ASSERT(vm);
ASSERT(callFrame);
+ assertStackPointerIsAligned();
m_savedTopEntryFrame = vm->topEntryFrame;
m_savedTopCallFrame = vm->topCallFrame;
vm->topEntryFrame = EntryFrame;
Modified: tags/Safari-605.1.23.1/Source/_javascript_Core/jit/ThunkGenerators.cpp (227163 => 227164)
--- tags/Safari-605.1.23.1/Source/_javascript_Core/jit/ThunkGenerators.cpp 2018-01-18 21:51:42 UTC (rev 227163)
+++ tags/Safari-605.1.23.1/Source/_javascript_Core/jit/ThunkGenerators.cpp 2018-01-18 21:51:45 UTC (rev 227164)
@@ -400,7 +400,7 @@
jit.storePtr(JSInterfaceJIT::callFrameRegister, &vm->topCallFrame);
#if CPU(X86) && USE(JSVALUE32_64)
- jit.addPtr(JSInterfaceJIT::TrustedImm32(-12), JSInterfaceJIT::stackPointerRegister);
+ jit.subPtr(JSInterfaceJIT::TrustedImm32(4), JSInterfaceJIT::stackPointerRegister);
jit.move(JSInterfaceJIT::callFrameRegister, JSInterfaceJIT::regT0);
jit.push(JSInterfaceJIT::regT0);
#else
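Review bot: The new `subPtr(4)` followed by `push(regT0)` reserves 8 bytes where the old code reserved 16, with no comment saying what esp state at entry makes 8 the right amount; whether this leaves esp 16-byte aligned at the `operationVMHandleException` call cannot be checked from the hunk. Suggest recording the invariant next to it: `// 4 bytes of padding + the pushed callFrame argument = 8 bytes, which presumably restores 16-byte alignment for the C++ call; must match the addPtr(8) after the call`. Because the reservation is `subPtr` + `push` but the release in the later hunk is a single `addPtr(8)`, the two are easy to desynchronize, and the debug assert added in FrameTracers.h in this commit is the only thing that would catch it. nativeForGenerator's body extends beyond this hunk on both sides.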
@@ -413,7 +413,7 @@
jit.move(JSInterfaceJIT::TrustedImmPtr(FunctionPtr(operationVMHandleException).value()), JSInterfaceJIT::regT3);
jit.call(JSInterfaceJIT::regT3);
#if CPU(X86) && USE(JSVALUE32_64)
- jit.addPtr(JSInterfaceJIT::TrustedImm32(16), JSInterfaceJIT::stackPointerRegister);
+ jit.addPtr(JSInterfaceJIT::TrustedImm32(8), JSInterfaceJIT::stackPointerRegister);
#elif OS(WINDOWS)
jit.addPtr(JSInterfaceJIT::TrustedImm32(4 * sizeof(int64_t)), JSInterfaceJIT::stackPointerRegister);
#endif
Modified: tags/Safari-605.1.23.1/Source/_javascript_Core/llint/LowLevelInterpreter32_64.asm (227163 => 227164)
--- tags/Safari-605.1.23.1/Source/_javascript_Core/llint/LowLevelInterpreter32_64.asm 2018-01-18 21:51:42 UTC (rev 227163)
+++ tags/Safari-605.1.23.1/Source/_javascript_Core/llint/LowLevelInterpreter32_64.asm 2018-01-18 21:51:45 UTC (rev 227164)
@@ -2124,6 +2124,9 @@
ret
.handleException:
+if X86 or X86_WIN
+ subp 8, sp # align stack pointer
+end
storep cfr, VM::topCallFrame[t3]
jmp _llint_throw_from_slow_path_trampoline
end
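Review bot: `subp 8, sp # align stack pointer` hard-codes an 8-byte adjustment without saying what esp alignment is assumed at `.handleException`, so the comment does not let a reader verify the number. Suggest `# esp is presumably 16-byte aligned minus 8 here; realign before the throw trampoline, which calls into C++` and confirming that entry state, since the adjustment is only correct for that one case. The same three lines are duplicated verbatim at the second `.handleException` later in this diff; an offlineasm macro would keep the two in sync. The code containing this label starts before the hunk.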
@@ -2176,6 +2179,9 @@
ret
.handleException:
+if X86 or X86_WIN
+ subp 8, sp # align stack pointer
+end
storep cfr, VM::topCallFrame[t3]
jmp _llint_throw_from_slow_path_trampoline
end