Title: [253416] tags/Safari-609.1.12
Revision: 253416
Author: [email protected]
Date: 2019-12-11 18:24:29 -0800 (Wed, 11 Dec 2019)
Log Message
Cherry-pick r253280. rdar://problem/57733405
[WebAssembly] Fix LLIntGenerator's checkConsistency contract
https://bugs.webkit.org/show_bug.cgi?id=204998
<rdar://problem/57733405>
Reviewed by Mark Lam.
JSTests:
* wasm/regress/stack-consistency.js: Added.
Source/JavaScriptCore:
We check the consistency of the WebAssembly parser's expression stack every time the LLIntGenerator calls
push to allocate a new stack value. However, if we call push more than once (e.g. in a loop), the stack
is no longer consistent, since those values have not yet been placed in the parser's expression stack, so
the generator and parser's stacks are out of sync. Instead, whenever we need to push multiple values, we
should first manually call checkConsistency before any pushes, and all pushes after that should be replaced
with push(NoConsistencyCheck).
* wasm/WasmLLIntGenerator.cpp:
(JSC::Wasm::LLIntGenerator::callInformationForCaller):
(JSC::Wasm::LLIntGenerator::addArguments):
(JSC::Wasm::LLIntGenerator::addLocal):
git-svn-id: https://svn.webkit.org/repository/webkit/trunk@253280 268f45cc-cd09-0410-ab3c-d52691b4dbfc
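As an added illustration of the contract the log message describes (this is example code written for this page, not code from WebKit; the names ToyGenerator, parserStack, generatorStackSize and commitToParser are invented for the model), a minimal C++ model showing why a push() that checks consistency by default fails from the second iteration of a loop onward, and why a single checkConsistency() followed by push(NoConsistencyCheck) does not:

```cpp
#include <cstddef>
#include <iostream>
#include <vector>

// Toy model of the generator/parser stack contract. Added illustration only;
// ToyGenerator, parserStack, generatorStackSize and commitToParser are invented
// names standing in for the real LLIntGenerator and FunctionParser state.
enum ConsistencyCheck { DoConsistencyCheck, NoConsistencyCheck };

struct ToyGenerator {
    std::vector<int> parserStack;    // stands in for the parser's expression stack
    size_t generatorStackSize = 0;   // stands in for the generator's m_stackSize
    unsigned violations = 0;         // failed checks, counted instead of asserting

    // The invariant: the generator's stack size must match what the parser holds.
    bool checkConsistency() {
        bool ok = generatorStackSize == parserStack.size();
        if (!ok)
            ++violations;
        return ok;
    }

    // Allocate a new stack slot. By default the check runs before the allocation,
    // which is only valid if the parser has caught up with all earlier pushes.
    int push(ConsistencyCheck check = DoConsistencyCheck) {
        if (check == DoConsistencyCheck)
            checkConsistency();
        return static_cast<int>(generatorStackSize++);
    }

    // The parser appending the generated values to its own expression stack;
    // in the real code this happens only after the generator has returned.
    void commitToParser(const std::vector<int>& results) {
        parserStack.insert(parserStack.end(), results.begin(), results.end());
    }
};

// Before the fix: push() in a loop. The first push passes; every later one
// fails because its predecessor is not yet on the parser's stack.
unsigned violationsWithCheckedPushes(size_t resultCount) {
    ToyGenerator g;
    std::vector<int> results;
    for (size_t i = 0; i < resultCount; i++)
        results.push_back(g.push());
    g.commitToParser(results);
    return g.violations;
}

// After the fix: one checkConsistency() up front, then push(NoConsistencyCheck)
// for every value. The invariant is re-established once the parser commits.
unsigned violationsWithUncheckedPushes(size_t resultCount) {
    ToyGenerator g;
    std::vector<int> results;
    g.checkConsistency();
    for (size_t i = 0; i < resultCount; i++)
        results.push_back(g.push(NoConsistencyCheck));
    g.commitToParser(results);
    return g.violations;
}

// Whether both sides agree again after the parser has committed the results.
bool consistentAfterCommit(size_t resultCount) {
    ToyGenerator g;
    std::vector<int> results;
    g.checkConsistency();
    for (size_t i = 0; i < resultCount; i++)
        results.push_back(g.push(NoConsistencyCheck));
    g.commitToParser(results);
    return g.checkConsistency();
}

int main() {
    std::cout << "checked pushes, 3 results: " << violationsWithCheckedPushes(3) << " violations\n";     // 2
    std::cout << "unchecked pushes, 3 results: " << violationsWithUncheckedPushes(3) << " violations\n"; // 0
    std::cout << "consistent after commit: " << (consistentAfterCommit(3) ? "yes" : "no") << "\n";      // yes
    return 0;
}
```

The model counts failed checks instead of asserting so the two patterns can be compared side by side; in the real generator the failing check is an assertion, which is why the regression test in this commit only needs to instantiate the module to exercise it.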
Modified Paths
- tags/Safari-609.1.12/JSTests/ChangeLog
- tags/Safari-609.1.12/Source/JavaScriptCore/ChangeLog
- tags/Safari-609.1.12/Source/JavaScriptCore/wasm/WasmLLIntGenerator.cpp
Added Paths
- tags/Safari-609.1.12/JSTests/wasm/regress/stack-consistency.js
Diff
Modified: tags/Safari-609.1.12/JSTests/ChangeLog (253415 => 253416)
--- tags/Safari-609.1.12/JSTests/ChangeLog 2019-12-12 02:22:49 UTC (rev 253415)
+++ tags/Safari-609.1.12/JSTests/ChangeLog 2019-12-12 02:24:29 UTC (rev 253416)
@@ -1,3 +1,44 @@
+2019-12-11 Alan Coon <[email protected]>
+
+ Cherry-pick r253280. rdar://problem/57733405
+
+ [WebAssembly] Fix LLIntGenerator's checkConsistency contract
+ https://bugs.webkit.org/show_bug.cgi?id=204998
+ <rdar://problem/57733405>
+
+ Reviewed by Mark Lam.
+
+ JSTests:
+
+ * wasm/regress/stack-consistency.js: Added.
+
+ Source/_javascript_Core:
+
+ We check the consistency of the WebAssembly parser's _expression_ stack every time the LLIntGenerator calls
+ push to allocate a new stack value. However, if we call push more than once (e.g. in a loop), the stack
+ is no longer consistent, since those values have not yet been placed in the parser's _expression_ stack, so
+ the generator and parser's stacks are out of sync. Instead, whenever we need to push multiple values, we
+ should first manually call checkConsistency before any pushes, and all pushes after that should be replaced
+ with push(NoConsistencyCheck).
+
+ * wasm/WasmLLIntGenerator.cpp:
+ (JSC::Wasm::LLIntGenerator::callInformationForCaller):
+ (JSC::Wasm::LLIntGenerator::addArguments):
+ (JSC::Wasm::LLIntGenerator::addLocal):
+
+
+ git-svn-id: https://svn.webkit.org/repository/webkit/trunk@253280 268f45cc-cd09-0410-ab3c-d52691b4dbfc
+
+ 2019-12-08 Tadeu Zagallo <[email protected]>
+
+ [WebAssembly] Fix LLIntGenerator's checkConsistency contract
+ https://bugs.webkit.org/show_bug.cgi?id=204998
+ <rdar://problem/57733405>
+
+ Reviewed by Mark Lam.
+
+ * wasm/regress/stack-consistency.js: Added.
+
2019-12-06 Mark Lam <[email protected]>
The compiler thread should not adjust Identifier refCounts.
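Review bot: the outer 2019-12-11 cherry-pick entry repeats the full Source/JavaScriptCore description and the WasmLLIntGenerator.cpp function list inside JSTests/ChangeLog, while the inner 2019-12-08 entry carries only the JSTests line. Keeping just the JSTests section (the `* wasm/regress/stack-consistency.js: Added.` line) in this file and leaving the JavaScriptCore text to Source/JavaScriptCore/ChangeLog would make this log easier to scan; the bug URL and rdar reference already cross-link the two.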
Added: tags/Safari-609.1.12/JSTests/wasm/regress/stack-consistency.js (0 => 253416)
--- tags/Safari-609.1.12/JSTests/wasm/regress/stack-consistency.js (rev 0)
+++ tags/Safari-609.1.12/JSTests/wasm/regress/stack-consistency.js 2019-12-12 02:24:29 UTC (rev 253416)
@@ -0,0 +1,12 @@
+import { instantiate } from "../wabt-wrapper.js";
+
+instantiate(`
+(module
+ (func $foo (result i32 i32) unreachable)
+ (func (param i32) (result i32 i32 i32)
+ (local.get 0)
+ (loop (param i32) (result i32 i32 i32)
+ call $foo)
+ )
+ )
+`);
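Review bot: the test carries no comment saying what it exercises or how it passes. The loop body takes a `(param i32)` and then `call $foo` yields two more results, so the generator has to push several values before the parser's expression stack catches up, which is exactly the push-in-a-loop case the fix targets; the test passes simply by instantiating without tripping checkConsistency. A two-line comment at the top stating that would keep the regression understandable once bug 204998 is forgotten, and a trailing assertion on the instance (or a comment that none is expected because the function body is unreachable) would make the intent explicit.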
Modified: tags/Safari-609.1.12/Source/JavaScriptCore/ChangeLog (253415 => 253416)
--- tags/Safari-609.1.12/Source/JavaScriptCore/ChangeLog 2019-12-12 02:22:49 UTC (rev 253415)
+++ tags/Safari-609.1.12/Source/JavaScriptCore/ChangeLog 2019-12-12 02:24:29 UTC (rev 253416)
@@ -1,45 +1,191 @@
-2019-12-07 Saam Barati <[email protected]>
-
- Unreviewed. Roll out r253201. It was not a progression on any benchmarks, and was 8% slower on JetStream 2 ML.
-
- * _javascript_Core.xcodeproj/project.pbxproj:
- * bytecode/BytecodeList.rb:
- * bytecode/GetByValHistory.h: Added.
- (JSC::GetByValHistory::observeNonUID):
- (JSC::GetByValHistory::observe):
- (JSC::GetByValHistory::count const):
- (JSC::GetByValHistory::filter const):
- (JSC::GetByValHistory::update):
- * bytecode/PointerHistory.h: Removed.
- * dfg/DFGByteCodeParser.cpp:
- (JSC::DFG::ByteCodeParser::parseGetById):
- (JSC::DFG::ByteCodeParser::parseBlock):
- * dfg/DFGGraph.h:
- * dfg/DFGSpeculativeJIT.cpp:
- (JSC::DFG::SpeculativeJIT::compileGetById):
- * dfg/DFGSpeculativeJIT32_64.cpp:
- (JSC::DFG::SpeculativeJIT::compile):
- * dfg/DFGSpeculativeJIT64.cpp:
- (JSC::DFG::SpeculativeJIT::compile):
- * ftl/FTLLowerDFGToB3.cpp:
- (JSC::FTL::DFG::LowerDFGToB3::compileGetById):
- (JSC::FTL::DFG::LowerDFGToB3::compileGetByVal):
- * generator/DSL.rb:
- * jit/JITPropertyAccess.cpp:
- (JSC::JIT::emit_op_try_get_by_id):
- (JSC::JIT::emitSlow_op_try_get_by_id):
- (JSC::JIT::emit_op_get_by_id_direct):
- (JSC::JIT::emitSlow_op_get_by_id_direct):
- (JSC::JIT::emit_op_get_by_id):
- (JSC::JIT::emitSlow_op_get_by_id):
- * llint/LLIntSlowPaths.cpp:
- (JSC::LLInt::LLINT_SLOW_PATH_DECL):
- * runtime/OptionsList.h:
-
-2019-12-07 Mark Lam <[email protected]>
-
- Remove invalid assertion in FTL's allocateJSArray().
- https://bugs.webkit.org/show_bug.cgi?id=204987
<rdar://problem/57280725>
Reviewed by Saam Barati.
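Review bot: the added (`+`) side of this hunk is not rendered here, so only the removals are reviewable: the hunk header says 45 lines become 191, and the visible `-` lines delete the 2019-12-07 entries by Saam Barati (roll out of r253201) and Mark Lam (FTL allocateJSArray assertion) from the top of the file. A cherry-pick into a tag branch should prepend the new entries and leave the existing ones in place, so please confirm those two entries reappear unchanged in the added part rather than being dropped.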
Modified: tags/Safari-609.1.12/Source/JavaScriptCore/wasm/WasmLLIntGenerator.cpp (253415 => 253416)
--- tags/Safari-609.1.12/Source/JavaScriptCore/wasm/WasmLLIntGenerator.cpp 2019-12-12 02:22:49 UTC (rev 253415)
+++ tags/Safari-609.1.12/Source/JavaScriptCore/wasm/WasmLLIntGenerator.cpp 2019-12-12 02:24:29 UTC (rev 253416)
@@ -591,8 +591,9 @@
m_stackSize = initialStackSize;
auto commitResults = [this, temporaryResults = WTFMove(temporaryResults)](ResultList& results) {
+ checkConsistency();
for (auto temporaryResult : temporaryResults) {
- ExpressionType result = push();
+ ExpressionType result = push(NoConsistencyCheck);
WasmMov::emit(this, result, temporaryResult);
results.append(result);
}
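Review bot: the single checkConsistency() before the loop is the right shape, since every push inside the loop now skips its own check, but the reason is invisible at the call site. A short comment above the loop (the temporaries are not on the parser's expression stack until `results` is handed back, so a per-push check would fail on the second temporary) would stop a future edit from quietly reverting the loop to plain push(). It is also worth noting in that comment that the check runs against the m_stackSize just reset to initialStackSize on the line above, so it verifies the post-call baseline rather than the state during the call.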
@@ -647,6 +648,8 @@
auto LLIntGenerator::addArguments(const Signature& signature) -> PartialResult
{
+ checkConsistency();
+
m_codeBlock->m_numArguments = signature.argumentCount();
m_normalizedArguments.resize(m_codeBlock->m_numArguments);
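Review bot: checkConsistency() is placed at the very top of addArguments, but the pushes it licenses are in the register-argument loop further down (next hunk), after m_numArguments is set and m_normalizedArguments is resized. Placing the check immediately before that loop, or adding a comment here that no push may occur between this line and the loop, would keep the check adjacent to the pushes it covers.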
@@ -661,7 +664,7 @@
Vector<VirtualRegister> registerArguments(gprCount + fprCount);
for (uint32_t i = 0; i < gprCount + fprCount; i++)
- registerArguments[i] = push();
+ registerArguments[i] = push(NoConsistencyCheck);
const auto addArgument = [&](uint32_t index, uint32_t& count, uint32_t max) {
if (count < max)
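Review bot: every registerArguments[i] is now allocated with push(NoConsistencyCheck) and nothing after the loop re-checks. Since arguments live in locals rather than on the parser's expression stack, the next default push() will pass only if checkConsistency accounts for these slots through m_numArguments (set earlier in this function); a one-line comment stating that this is what makes the unchecked pushes safe would document the contract this change relies on.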
@@ -695,12 +698,14 @@
auto LLIntGenerator::addLocal(Type type, uint32_t count) -> PartialResult
{
+ checkConsistency();
+
m_codeBlock->m_numVars += count;
switch (type) {
case Type::Anyref:
case Type::Funcref:
while (count--)
- m_unitializedLocals.append(push());
+ m_unitializedLocals.append(push(NoConsistencyCheck));
break;
default:
m_stackSize += count;
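Review bot: checkConsistency() now runs on every addLocal call, including the `default:` branch that only bumps m_stackSize without pushing; that is harmless, but the check is needed only on the Anyref/Funcref path, so it could sit inside that case next to the loop it guards. Separately, the pre-existing member name m_unitializedLocals is misspelled (uninitialized) and deserves a follow-up rename.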
_______________________________________________
webkit-changes mailing list
[email protected]
https://lists.webkit.org/mailman/listinfo/webkit-changes