Title: [229248] releases/WebKitGTK/webkit-2.20
Revision: 229248
Author: [email protected]
Date: 2018-03-05 03:22:28 -0800 (Mon, 05 Mar 2018)
Log Message
Merge r229036 - validateStackAccess should not validate if the offset is within the stack bounds
https://bugs.webkit.org/show_bug.cgi?id=183067
<rdar://problem/37749988>
Reviewed by Mark Lam.
JSTests:
* stress/dont-validate-stack-offset-in-b3-because-it-might-be-guarded-by-control-flow.js: Added.
(assert):
(test.a):
(test.b):
(test):
Source/JavaScriptCore:
The validation rule was saying that any load from the stack must be
within the stack bounds of the frame. However, it's natural for a user
of B3 to emit code that may be outside of B3's stack bounds, but guard
such a load with a branch. The FTL does exactly this with GetMyArgumentByVal.
B3 is wrong to assert that this is a static property about all stack loads.
* b3/B3Validate.cpp:
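The contract the description above relies on, as an added example that is not part of this commit or of the JSC test suite: a callee whose argument-slot reads may land past the end of what the caller actually passed must see undefined there and the real value when the slot exists, whichever way the arguments were delivered. It drives a probe function through the same call shapes as the regression test (spread, apply, and a rest-parameter forward) at every arity from 0 to 20, including arities where rest[10] is defined. The names probe, forward, expectedFor and runMatrix, the call-style table and the 1..n inputs are constructed for this example; it runs on plain Node.js rather than the jsc shell, so noInline is not used and the repeated rounds only give a tiering JIT the chance to optimize probe.

```javascript
// Added example (not from WebKit): the invariant behind the B3 validator
// change. An argument-slot read whose index may lie past the end of what the
// caller passed must observe `undefined`, not a crash or a stale stack word,
// and a read within range must observe the value the caller passed. The FTL
// implements the out-of-range case by guarding the stack load with a branch;
// this script only checks the language-level contract that guard preserves.

// Same shape as the regression test: three declared parameters plus a rest
// parameter, read at indices that are out of range for most arities.
function probe(a1, a2, a3, ...rest) {
  return {
    declared: [a1, a2, a3],
    restLength: rest.length,
    rest0: rest[0],
    rest10: rest[10],
  };
}

// The regression test's b() shape: a rest parameter forwarded through apply.
function forward(...r) {
  return probe.apply(null, r);
}

// Ways of delivering `args` to probe. The names are this example's own.
const CALL_STYLES = {
  spread: (args) => probe(...args),
  apply: (args) => probe.apply(null, args),
  forwarded: (args) => forward(...args),
};

// What probe must return when called with the constructed arguments 1..n.
function expectedFor(n) {
  const argVal = (i) => (i < n ? i + 1 : undefined); // slot i is defined iff i < n
  return {
    declared: [argVal(0), argVal(1), argVal(2)],
    restLength: Math.max(0, n - 3),
    rest0: argVal(3),   // rest[0] is argument slot 3
    rest10: argVal(13), // rest[10] is argument slot 13: defined only for n >= 14
  };
}

function sameResult(got, want) {
  return got.restLength === want.restLength
    && got.rest0 === want.rest0
    && got.rest10 === want.rest10
    && got.declared.every((v, i) => v === want.declared[i]);
}

// Runs every (call style, arity) pair `rounds` times so a tiering JIT gets a
// chance to optimize probe, and reports how many calls were checked and which
// (style, arity) pairs disagreed with expectedFor.
function runMatrix(maxArgs = 20, rounds = 2000) {
  let checked = 0;
  const mismatches = new Set();
  for (let round = 0; round < rounds; round++) {
    for (let n = 0; n <= maxArgs; n++) {
      const args = Array.from({ length: n }, (_, i) => i + 1); // constructed input 1..n
      const want = expectedFor(n);
      for (const [style, call] of Object.entries(CALL_STYLES)) {
        checked++;
        if (!sameResult(call(args), want)) mismatches.add(`${style}/${n}`);
      }
    }
  }
  return { checked, mismatches: [...mismatches] };
}

const report = runMatrix();
if (report.mismatches.length !== 0) {
  throw new Error(`argument-slot reads disagreed for: ${report.mismatches.join(', ')}`);
}
```

The arity worth noticing when reading the regression test below: rest[10] only becomes defined once 14 or more arguments are passed, so a run that never crosses that arity exercises the side of the guard where the load is skipped but not the side where it is actually performed.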
Diff
Modified: releases/WebKitGTK/webkit-2.20/JSTests/ChangeLog (229247 => 229248)
--- releases/WebKitGTK/webkit-2.20/JSTests/ChangeLog 2018-03-05 11:22:19 UTC (rev 229247)
+++ releases/WebKitGTK/webkit-2.20/JSTests/ChangeLog 2018-03-05 11:22:28 UTC (rev 229248)
@@ -1,3 +1,17 @@
+2018-02-26 Saam Barati <[email protected]>
+
+ validateStackAccess should not validate if the offset is within the stack bounds
+ https://bugs.webkit.org/show_bug.cgi?id=183067
+ <rdar://problem/37749988>
+
+ Reviewed by Mark Lam.
+
+ * stress/dont-validate-stack-offset-in-b3-because-it-might-be-guarded-by-control-flow.js: Added.
+ (assert):
+ (test.a):
+ (test.b):
+ (test):
+
2018-02-26 Yusuke Suzuki <[email protected]>
Unreviewed, skip FTL tests if FTL is disabled
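Review bot: the JSTests ChangeLog entry lists the test's functions but not what the test is for, so a bisect that lands on it gives no hint that the failure was a B3 validation crash rather than a wrong result. Suggest one line under the file name, e.g. "Tiers up a callee that reads rest[10] through a varargs forward, so the FTL emits a branch-guarded argument load that the B3 validator used to reject."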
Added: releases/WebKitGTK/webkit-2.20/JSTests/stress/dont-validate-stack-offset-in-b3-because-it-might-be-guarded-by-control-flow.js (0 => 229248)
--- releases/WebKitGTK/webkit-2.20/JSTests/stress/dont-validate-stack-offset-in-b3-because-it-might-be-guarded-by-control-flow.js (rev 0)
+++ releases/WebKitGTK/webkit-2.20/JSTests/stress/dont-validate-stack-offset-in-b3-because-it-might-be-guarded-by-control-flow.js 2018-03-05 11:22:28 UTC (rev 229248)
@@ -0,0 +1,26 @@
+function assert(b) {
+ if (!b)
+ throw new Error;
+}
+noInline(assert);
+
+function test() {
+ function a(a1, a2, a3, ...rest) {
+ return [rest.length, rest[0], rest[10]];
+ }
+
+ function b(...rest) {
+ return a.apply(null, rest);
+ }
+ noInline(b);
+
+ for (let i = 0; i < 12000; i++) {
+ b();
+ let r = a(undefined, 0);
+ assert(r[0] === 0);
+ assert(r[1] === undefined);
+ assert(r[2] === undefined);
+ }
+}
+
+test();
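Review bot: both calls in the loop, b() with no arguments and a(undefined, 0), leave rest empty, so rest[10] is never defined and the test only exercises the side of the guard where the argument load is skipped; that shows the validator no longer rejects the guarded load, not that the load returns the right value when it is taken. Suggest adding a call with at least 14 arguments, e.g. a(1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14), and asserting that the returned rest[10] is 14. A one-line comment on why b is noInline while a is left inlinable would also help, since the a.apply(null, rest) forward is the shape the test depends on.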
Modified: releases/WebKitGTK/webkit-2.20/Source/JavaScriptCore/ChangeLog (229247 => 229248)
--- releases/WebKitGTK/webkit-2.20/Source/JavaScriptCore/ChangeLog 2018-03-05 11:22:19 UTC (rev 229247)
+++ releases/WebKitGTK/webkit-2.20/Source/JavaScriptCore/ChangeLog 2018-03-05 11:22:28 UTC (rev 229248)
@@ -1,3 +1,19 @@
+2018-02-26 Saam Barati <[email protected]>
+
+ validateStackAccess should not validate if the offset is within the stack bounds
+ https://bugs.webkit.org/show_bug.cgi?id=183067
+ <rdar://problem/37749988>
+
+ Reviewed by Mark Lam.
+
+ The validation rule was saying that any load from the stack must be
+ within the stack bounds of the frame. However, it's natural for a user
+ of B3 to emit code that may be outside of B3's stack bounds, but guard
+ such a load with a branch. The FTL does exactly this with GetMyArgumentByVal.
+ B3 is wrong to assert that this is a static property about all stack loads.
+
+ * b3/B3Validate.cpp:
+
2018-02-23 Saam Barati <[email protected]>
Make Number.isInteger an intrinsic
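Review bot: the Source/JavaScriptCore ChangeLog entry names b3/B3Validate.cpp but not the function touched; the usual per-function line naming validateStackAccess under the file name would keep it consistent with the surrounding entries and make the title's reference to validateStackAccess greppable.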
Modified: releases/WebKitGTK/webkit-2.20/Source/JavaScriptCore/b3/B3Validate.cpp (229247 => 229248)
--- releases/WebKitGTK/webkit-2.20/Source/JavaScriptCore/b3/B3Validate.cpp 2018-03-05 11:22:19 UTC (rev 229247)
+++ releases/WebKitGTK/webkit-2.20/Source/JavaScriptCore/b3/B3Validate.cpp 2018-03-05 11:22:28 UTC (rev 229248)
@@ -608,10 +608,7 @@
if (!slotBase)
return;
- StackSlot* stack = slotBase->slot();
-
VALIDATE(memory->offset() >= 0, ("At ", *value));
- VALIDATE(memory->offset() + memory->accessByteSize() <= stack->byteSize(), ("At ", *value));
}
NO_RETURN_DUE_TO_CRASH void fail(
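Review bot: with the second VALIDATE removed, validateStackAccess only checks memory->offset() >= 0, so an unguarded load that runs past stack->byteSize() is now accepted as silently as the branch-guarded ones this change is for, and the reason the upper bound cannot be checked statically lives only in the ChangeLog. Suggest a comment in place of the deleted lines, e.g. "// The upper bound is deliberately not checked: clients such as the FTL's GetMyArgumentByVal emit loads past the slot that are guarded by control flow." so the next reader does not reinstate the check. Dropping the now-unused StackSlot* stack local along with it is right.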
_______________________________________________
webkit-changes mailing list
[email protected]
https://lists.webkit.org/mailman/listinfo/webkit-changes