Modified: trunk/JSTests/ChangeLog (245083 => 245084)
--- trunk/JSTests/ChangeLog 2019-05-09 00:32:53 UTC (rev 245083)
+++ trunk/JSTests/ChangeLog 2019-05-09 00:49:35 UTC (rev 245084)
@@ -1,3 +1,15 @@
+2019-05-08 Saam barati <[email protected]>
+
+ AccessGenerationState::emitExplicitExceptionHandler can clobber an in use register
+ https://bugs.webkit.org/show_bug.cgi?id=197715
+ <rdar://problem/50399252>
+
+ Reviewed by Filip Pizlo.
+
+ * stress/polymorphic-access-exception-handler-should-not-clobber-used-register.js: Added.
+ (foo):
+ (bar):
+
2019-05-08 Ryan Haddad <[email protected]>
Unreviewed, rolling out r245068.
Added: trunk/JSTests/stress/polymorphic-access-exception-handler-should-not-clobber-used-register.js (0 => 245084)
--- trunk/JSTests/stress/polymorphic-access-exception-handler-should-not-clobber-used-register.js (rev 0)
+++ trunk/JSTests/stress/polymorphic-access-exception-handler-should-not-clobber-used-register.js 2019-05-09 00:49:35 UTC (rev 245084)
@@ -0,0 +1,22 @@
+//@ runDefault("--useConcurrentJIT=0", "--useRandomizingFuzzerAgent=1", "--airRandomizeRegs=1", "--airRandomizeRegsSeed=3421187372", "--jitPolicyScale=0")
+
+function foo() {
+ try {
+ foo.caller;
+ } catch (e) {
+ return Array.of(arguments).join();
+ }
+ throw new Error();
+}
+
+function bar() {
+'use strict';
+ try {
+ return foo();
+ } finally {
+ }
+}
+
+for (var i = 0; i < 10000; ++i) {
+ bar();
+}
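Review bot: The test has no comment tying its shape to the bug it guards, so a future edit could simplify it and silently stop exercising the path. The ChangeLog says the clobber shows up when the DFG/FTL OSR-exits after an exception from a GetById; here that is `foo.caller` at the top of the try block, which throws because the caller `bar` is a strict-mode function, and the `catch` then reads `arguments` so a value is live across the exception. I would add a header comment above `foo`, e.g. `// foo.caller throws (bar is strict); the catch then uses a live value so the IC's exception handler must not clobber registers the OSR exit needs.` and keep the `--airRandomizeRegsSeed` option in the `//@ runDefault` line, since the specific register assignment is what reproduces it. The `'use strict';` line in `bar` is also flush-left; indent it to match the body.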
Modified: trunk/Source/_javascript_Core/ChangeLog (245083 => 245084)
--- trunk/Source/_javascript_Core/ChangeLog 2019-05-09 00:32:53 UTC (rev 245083)
+++ trunk/Source/_javascript_Core/ChangeLog 2019-05-09 00:49:35 UTC (rev 245084)
@@ -1,3 +1,22 @@
+2019-05-08 Saam barati <[email protected]>
+
+ AccessGenerationState::emitExplicitExceptionHandler can clobber an in use register
+ https://bugs.webkit.org/show_bug.cgi?id=197715
+ <rdar://problem/50399252>
+
+ Reviewed by Filip Pizlo.
+
+ AccessGenerationState::emitExplicitExceptionHandler was always clobbering
+ x86's r9 without considering if that register was needed to be preserved
+ by the IC. This leads to bad things when the DFG/FTL need that register when
+ OSR exitting after an exception from a GetById call.
+
+ * b3/air/AirCode.cpp:
+ (JSC::B3::Air::Code::Code):
+ * bytecode/PolymorphicAccess.cpp:
+ (JSC::AccessGenerationState::emitExplicitExceptionHandler):
+ * runtime/Options.h:
+
2019-05-08 Ryan Haddad <[email protected]>
Unreviewed, rolling out r245068.
Modified: trunk/Source/_javascript_Core/b3/air/AirCode.cpp (245083 => 245084)
--- trunk/Source/_javascript_Core/b3/air/AirCode.cpp 2019-05-09 00:32:53 UTC (rev 245083)
+++ trunk/Source/_javascript_Core/b3/air/AirCode.cpp 2019-05-09 00:49:35 UTC (rev 245084)
@@ -79,8 +79,9 @@
calleeSaveRegs.append(reg);
});
if (Options::airRandomizeRegs()) {
- shuffleVector(volatileRegs, [&] (unsigned limit) { return m_weakRandom.getUint32(limit); });
- shuffleVector(calleeSaveRegs, [&] (unsigned limit) { return m_weakRandom.getUint32(limit); });
+ WeakRandom random(Options::airRandomizeRegsSeed() ? Options::airRandomizeRegsSeed() : m_weakRandom.getUint32());
+ shuffleVector(volatileRegs, [&] (unsigned limit) { return random.getUint32(limit); });
+ shuffleVector(calleeSaveRegs, [&] (unsigned limit) { return random.getUint32(limit); });
}
Vector<Reg> result;
result.appendVector(volatileRegs);
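Review bot: When `airRandomizeRegsSeed` is unset the seed that actually drove the shuffle is drawn from `m_weakRandom.getUint32()` and never surfaced, so a randomized failure found without an explicit seed cannot be reproduced with the new option. Capture it in a local and emit it somewhere the test harness will see, e.g. `unsigned seed = Options::airRandomizeRegsSeed() ? Options::airRandomizeRegsSeed() : m_weakRandom.getUint32();` followed by `WeakRandom random(seed);` and a `dataLogLn("airRandomizeRegs seed: ", seed);` (guarded by whatever verbosity flag the file uses, which is not visible in the hunk). Note also that `0` doubles as "no seed", so an explicit seed of zero can never be requested; a one-line comment on the ternary saying so would save the next reader a trip to Options.h. The enclosing `Code::Code` constructor starts and ends outside the hunk.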
Modified: trunk/Source/_javascript_Core/bytecode/PolymorphicAccess.cpp (245083 => 245084)
--- trunk/Source/_javascript_Core/bytecode/PolymorphicAccess.cpp 2019-05-09 00:32:53 UTC (rev 245083)
+++ trunk/Source/_javascript_Core/bytecode/PolymorphicAccess.cpp 2019-05-09 00:49:35 UTC (rev 245084)
@@ -179,7 +179,11 @@
void AccessGenerationState::emitExplicitExceptionHandler()
{
restoreScratch();
- jit->copyCalleeSavesToEntryFrameCalleeSavesBuffer(m_vm.topEntryFrame);
+ jit->pushToSave(GPRInfo::regT0);
+ jit->loadPtr(&m_vm.topEntryFrame, GPRInfo::regT0);
+ jit->copyCalleeSavesToEntryFrameCalleeSavesBuffer(GPRInfo::regT0);
+ jit->popToRestore(GPRInfo::regT0);
+
if (needsToRestoreRegistersIfException()) {
// To the JIT that produces the original exception handling
// call site, they will expect the OSR exit to be arrived
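Review bot: The new `pushToSave`/`popToRestore` pair around `copyCalleeSavesToEntryFrameCalleeSavesBuffer` has no comment explaining why `regT0` must be saved, and the reason is exactly the bug being fixed: the old overload took the pointer via a fixed scratch (r9 on x86-64 per the ChangeLog) that the IC client may need intact at OSR exit, and `regT0` can likewise be live here because `restoreScratch()` has already run on the line above. I would add, above the `pushToSave`, `// regT0 may be live after restoreScratch(); save/restore it rather than let the callee-saves copy clobber a register the OSR exit still needs.` It is also worth a one-line note that the push/pop temporarily moves the stack pointer, so nothing in between may address the frame relative to sp; I cannot see from the hunk whether the callee-saves copy does, so please confirm. The body of `emitExplicitExceptionHandler` continues past the end of the hunk.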
Modified: trunk/Source/_javascript_Core/runtime/Options.h (245083 => 245084)
--- trunk/Source/_javascript_Core/runtime/Options.h 2019-05-09 00:32:53 UTC (rev 245083)
+++ trunk/Source/_javascript_Core/runtime/Options.h 2019-05-09 00:49:35 UTC (rev 245084)
@@ -445,6 +445,7 @@
v(bool, airForceBriggsAllocator, false, Normal, nullptr) \
v(bool, airForceIRCAllocator, false, Normal, nullptr) \
v(bool, airRandomizeRegs, false, Normal, nullptr) \
+ v(unsigned, airRandomizeRegsSeed, 0, Normal, nullptr) \
v(bool, coalesceSpillSlots, true, Normal, nullptr) \
v(bool, logAirRegisterPressure, false, Normal, nullptr) \
v(bool, useB3TailDup, true, Normal, nullptr) \
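Review bot: The new option's `0` default is a sentinel meaning "derive a seed at random" rather than a real seed, but the description slot is `nullptr` so nothing tells a user that seed zero is unreachable. The surrounding Air options also pass `nullptr`, so this is a consistency call, but here the sentinel is non-obvious; I would give it a description, e.g. `v(unsigned, airRandomizeRegsSeed, 0, Normal, "seed for airRandomizeRegs; 0 picks a fresh random seed") \`.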