Title: [245350] branches/safari-607-branch
- Revision: 245350
- Author: [email protected]
- Date: 2019-05-15 14:44:48 -0700 (Wed, 15 May 2019)
Log Message
Cherry-pick r244865. rdar://problem/50753937
Baseline JIT should do argument value profiling after checking for stack overflow
https://bugs.webkit.org/show_bug.cgi?id=197052
<rdar://problem/50009602>
Reviewed by Yusuke Suzuki.
JSTests:
* stress/check-stack-overflow-before-value-profiling-arguments.js: Added.
Source/_javascript_Core:
Otherwise, we may do value profiling without running a write barrier, which
is against the rules of how we do value profiling.
* jit/JIT.cpp:
(JSC::JIT::compileWithoutLinking):
git-svn-id: https://svn.webkit.org/repository/webkit/trunk@244865 268f45cc-cd09-0410-ab3c-d52691b4dbfc
Diff
Modified: branches/safari-607-branch/JSTests/ChangeLog (245349 => 245350)
--- branches/safari-607-branch/JSTests/ChangeLog 2019-05-15 21:44:46 UTC (rev 245349)
+++ branches/safari-607-branch/JSTests/ChangeLog 2019-05-15 21:44:48 UTC (rev 245350)
@@ -1,5 +1,41 @@
2019-05-14 Kocsen Chung <[email protected]>
+ Cherry-pick r244865. rdar://problem/50753937
+
+ Baseline JIT should do argument value profiling after checking for stack overflow
+ https://bugs.webkit.org/show_bug.cgi?id=197052
+ <rdar://problem/50009602>
+
+ Reviewed by Yusuke Suzuki.
+
+ JSTests:
+
+ * stress/check-stack-overflow-before-value-profiling-arguments.js: Added.
+
+ Source/_javascript_Core:
+
+ Otherwise, we may do value profiling without running a write barrier, which
+ is against the rules of how we do value profiling.
+
+ * jit/JIT.cpp:
+ (JSC::JIT::compileWithoutLinking):
+
+
+
+ git-svn-id: https://svn.webkit.org/repository/webkit/trunk@244865 268f45cc-cd09-0410-ab3c-d52691b4dbfc
+
+ 2019-05-01 Saam barati <[email protected]>
+
+ Baseline JIT should do argument value profiling after checking for stack overflow
+ https://bugs.webkit.org/show_bug.cgi?id=197052
+ <rdar://problem/50009602>
+
+ Reviewed by Yusuke Suzuki.
+
+ * stress/check-stack-overflow-before-value-profiling-arguments.js: Added.
+
+2019-05-14 Kocsen Chung <[email protected]>
+
Cherry-pick r244314. rdar://problem/50753930
SafeToExecute for GetByOffset/GetGetterByOffset/PutByOffset is using the wrong child for the base
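Review bot: the nested r244865 entry carries three consecutive blank lines before its `git-svn-id:` trailer (between `(JSC::JIT::compileWithoutLinking):` and `git-svn-id: https://svn.webkit.org/...`); the surrounding entries in this ChangeLog separate paragraphs with a single blank line, so collapse those to one. The rest of the entry matches the r244865 log verbatim, which is what a cherry-pick entry should do.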
Added: branches/safari-607-branch/JSTests/stress/check-stack-overflow-before-value-profiling-arguments.js (0 => 245350)
--- branches/safari-607-branch/JSTests/stress/check-stack-overflow-before-value-profiling-arguments.js (rev 0)
+++ branches/safari-607-branch/JSTests/stress/check-stack-overflow-before-value-profiling-arguments.js 2019-05-15 21:44:48 UTC (rev 245350)
@@ -0,0 +1,41 @@
+//@ runDefault("--useConcurrentJIT=0", "--thresholdForJITAfterWarmUp=10", "--slowPathAllocsBetweenGCs=10", "--useConcurrentGC=0")
+
+function fullGC() {
+ for (var i = 0; i < 10; i++) {
+ new Float64Array(0x1000000);
+ }
+}
+
+function outer() {
+ function f() {
+ try {
+ const r = f();
+ } catch(e) {
+ const o = Object();
+ function inner(a1, a2, a3) {
+ try {
+ const r1 = new Uint32Array();
+ const r2 = r1.values();
+ } catch(e2) {
+ }
+ }
+ const result = inner();
+ }
+ }
+
+ f();
+
+ function edenGC() {
+ for (let i = 0; i < 100; i++) {
+ const floatArray = new Float64Array(0x10000);
+ }
+ }
+ edenGC();
+}
+
+for (let i = 0; i < 100; i++) {
+ const result = outer();
+}
+
+fullGC();
+
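Review bot: the test has no comment explaining why it is shaped this way, and the shape is the whole point: `f()` recurses until it throws, and only inside the `catch` does it define and call `inner(a1, a2, a3)` with no arguments, so `inner` is entered with the stack nearly exhausted while `edenGC()` and `fullGC()` force collections between iterations. A one-line comment above `function outer()` stating that intent (call a profiled function near the stack limit across GCs, per bug 197052) would save the next person who bisects a regression to this file. The unused bindings (`r`, `o`, `r1`, `r2`, `result`) are fine for a stress test as long as they keep the calls from being dropped, but `const r = f();` and `const result = inner();` could be plain expression statements to make that clear.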
Modified: branches/safari-607-branch/Source/_javascript_Core/ChangeLog (245349 => 245350)
--- branches/safari-607-branch/Source/_javascript_Core/ChangeLog 2019-05-15 21:44:46 UTC (rev 245349)
+++ branches/safari-607-branch/Source/_javascript_Core/ChangeLog 2019-05-15 21:44:48 UTC (rev 245350)
@@ -1,5 +1,45 @@
2019-05-14 Kocsen Chung <[email protected]>
+ Cherry-pick r244865. rdar://problem/50753937
+
+ Baseline JIT should do argument value profiling after checking for stack overflow
+ https://bugs.webkit.org/show_bug.cgi?id=197052
+ <rdar://problem/50009602>
+
+ Reviewed by Yusuke Suzuki.
+
+ JSTests:
+
+ * stress/check-stack-overflow-before-value-profiling-arguments.js: Added.
+
+ Source/_javascript_Core:
+
+ Otherwise, we may do value profiling without running a write barrier, which
+ is against the rules of how we do value profiling.
+
+ * jit/JIT.cpp:
+ (JSC::JIT::compileWithoutLinking):
+
+
+
+ git-svn-id: https://svn.webkit.org/repository/webkit/trunk@244865 268f45cc-cd09-0410-ab3c-d52691b4dbfc
+
+ 2019-05-01 Saam barati <[email protected]>
+
+ Baseline JIT should do argument value profiling after checking for stack overflow
+ https://bugs.webkit.org/show_bug.cgi?id=197052
+ <rdar://problem/50009602>
+
+ Reviewed by Yusuke Suzuki.
+
+ Otherwise, we may do value profiling without running a write barrier, which
+ is against the rules of how we do value profiling.
+
+ * jit/JIT.cpp:
+ (JSC::JIT::compileWithoutLinking):
+
+2019-05-14 Kocsen Chung <[email protected]>
+
Cherry-pick r244314. rdar://problem/50753930
SafeToExecute for GetByOffset/GetGetterByOffset/PutByOffset is using the wrong child for the base
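Review bot: same whitespace point as the JSTests ChangeLog: the three blank lines before `git-svn-id:` in the nested r244865 entry should be one, matching the single-blank-line paragraph spacing of the entries around it. The entry text itself is an exact copy of the trunk log, as expected for a cherry-pick.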
Modified: branches/safari-607-branch/Source/_javascript_Core/jit/JIT.cpp (245349 => 245350)
--- branches/safari-607-branch/Source/_javascript_Core/jit/JIT.cpp 2019-05-15 21:44:46 UTC (rev 245349)
+++ branches/safari-607-branch/Source/_javascript_Core/jit/JIT.cpp 2019-05-15 21:44:48 UTC (rev 245350)
@@ -680,6 +680,22 @@
sampleInstruction(m_codeBlock->instructions().begin());
#endif
+ int frameTopOffset = stackPointerOffsetFor(m_codeBlock) * sizeof(Register);
+ unsigned maxFrameSize = -frameTopOffset;
+ addPtr(TrustedImm32(frameTopOffset), callFrameRegister, regT1);
+ JumpList stackOverflow;
+ if (UNLIKELY(maxFrameSize > Options::reservedZoneSize()))
+ stackOverflow.append(branchPtr(Above, regT1, callFrameRegister));
+ stackOverflow.append(branchPtr(Above, AbsoluteAddress(m_vm->addressOfSoftStackLimit()), regT1));
+
+ move(regT1, stackPointerRegister);
+ checkStackPointerAlignment();
+ if (Options::zeroStackFrame())
+ clearStackFrame(callFrameRegister, stackPointerRegister, regT0, maxFrameSize);
+
+ emitSaveCalleeSaves();
+ emitMaterializeTagCheckRegisters();
+
if (m_codeBlock->codeType() == FunctionCode) {
ASSERT(m_bytecodeOffset == std::numeric_limits<unsigned>::max());
if (shouldEmitProfiling()) {
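Review bot: the moved block now runs before the `shouldEmitProfiling()` argument-profiling code, which is the fix, but nothing in the code records why that order is required; the ChangeLog reasoning (value profiling must not happen before the stack-overflow check, or it can run without a write barrier) belongs as a short comment above `int frameTopOffset = stackPointerOffsetFor(m_codeBlock) * sizeof(Register);` so a later refactor does not move it back below the profiling block. Separately, `unsigned maxFrameSize = -frameTopOffset;` silently depends on `stackPointerOffsetFor()` returning a non-positive value; an `ASSERT(frameTopOffset <= 0);` next to it would make that assumption explicit. Since `JumpList stackOverflow` is now declared earlier, confirm that the site that links it (outside this hunk) is unchanged and still emits the throw after the whole prologue, including the profiling code that now follows it.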
@@ -699,22 +715,6 @@
}
}
}
-
- int frameTopOffset = stackPointerOffsetFor(m_codeBlock) * sizeof(Register);
- unsigned maxFrameSize = -frameTopOffset;
- addPtr(TrustedImm32(frameTopOffset), callFrameRegister, regT1);
- JumpList stackOverflow;
- if (UNLIKELY(maxFrameSize > Options::reservedZoneSize()))
- stackOverflow.append(branchPtr(Above, regT1, callFrameRegister));
- stackOverflow.append(branchPtr(Above, AbsoluteAddress(m_vm->addressOfSoftStackLimit()), regT1));
-
- move(regT1, stackPointerRegister);
- checkStackPointerAlignment();
- if (Options::zeroStackFrame())
- clearStackFrame(callFrameRegister, stackPointerRegister, regT0, maxFrameSize);
-
- emitSaveCalleeSaves();
- emitMaterializeTagCheckRegisters();
RELEASE_ASSERT(!JITCode::isJIT(m_codeBlock->jitType()));
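Review bot: this removal is the exact counterpart of the block inserted at the top of `compileWithoutLinking`; the sixteen removed lines, from `int frameTopOffset = ...` through `emitMaterializeTagCheckRegisters();`, match the added lines one for one, so nothing is dropped or reordered within the block itself. The only thing to check outside this hunk is that no code emitted between the old and new positions (the profiling block) relied on `stackPointerRegister` not yet having been moved, which the ChangeLog does not discuss.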
_______________________________________________
webkit-changes mailing list
[email protected]
https://lists.webkit.org/mailman/listinfo/webkit-changes