Title: [260222] trunk/Source/_javascript_Core
Revision
260222
Author
[email protected]
Date
2020-04-16 14:40:23 -0700 (Thu, 16 Apr 2020)

Log Message

Rolling out r259897: Causing crashes on iOS.
https://bugs.webkit.org/show_bug.cgi?id=210252

Not reviewed.

* assembler/MacroAssembler.cpp:
(JSC::MacroAssembler::probe):
* assembler/MacroAssemblerARM64.cpp:
(JSC::MacroAssembler::probe):
* assembler/MacroAssemblerPrinter.h:
(JSC::MacroAssembler::print):
* assembler/ProbeContext.h:
* runtime/JSCPtrTag.h:
* tools/JSDollarVM.cpp:
(JSC::callWithStackSizeProbeFunction):
* wasm/WasmAirIRGenerator.cpp:
(JSC::Wasm::AirIRGenerator::emitLoopTierUpCheck):
* wasm/WasmB3IRGenerator.cpp:
(JSC::Wasm::B3IRGenerator::emitLoopTierUpCheck):

Modified: trunk/Source/_javascript_Core/ChangeLog (260221 => 260222)


--- trunk/Source/_javascript_Core/ChangeLog	2020-04-16 20:54:30 UTC (rev 260221)
+++ trunk/Source/_javascript_Core/ChangeLog	2020-04-16 21:40:23 UTC (rev 260222)
@@ -1,3 +1,25 @@
+2020-04-16  Mark Lam  <[email protected]>
+
+        Rolling out r259897: Causing crashes on iOS.
+        https://bugs.webkit.org/show_bug.cgi?id=210252
+
+        Not reviewed.
+
+        * assembler/MacroAssembler.cpp:
+        (JSC::MacroAssembler::probe):
+        * assembler/MacroAssemblerARM64.cpp:
+        (JSC::MacroAssembler::probe):
+        * assembler/MacroAssemblerPrinter.h:
+        (JSC::MacroAssembler::print):
+        * assembler/ProbeContext.h:
+        * runtime/JSCPtrTag.h:
+        * tools/JSDollarVM.cpp:
+        (JSC::callWithStackSizeProbeFunction):
+        * wasm/WasmAirIRGenerator.cpp:
+        (JSC::Wasm::AirIRGenerator::emitLoopTierUpCheck):
+        * wasm/WasmB3IRGenerator.cpp:
+        (JSC::Wasm::B3IRGenerator::emitLoopTierUpCheck):
+
 2020-04-16  Yusuke Suzuki  <[email protected]>
 
         [JSC] Implement JSMapIterator/JSSetIterator with JSInternalFieldObjectImpl

Modified: trunk/Source/_javascript_Core/assembler/MacroAssembler.cpp (260221 => 260222)


--- trunk/Source/_javascript_Core/assembler/MacroAssembler.cpp	2020-04-16 20:54:30 UTC (rev 260221)
+++ trunk/Source/_javascript_Core/assembler/MacroAssembler.cpp	2020-04-16 21:40:23 UTC (rev 260222)
@@ -28,7 +28,6 @@
 
 #if ENABLE(ASSEMBLER)
 
-#include "JSCPtrTag.h"
 #include "Options.h"
 #include "ProbeContext.h"
 #include <wtf/PrintStream.h>
@@ -56,9 +55,8 @@
     
 void MacroAssembler::probe(Function<void(Probe::Context&)> func)
 {
-    probe(tagCFunction<JITProbePtrTag>(stdFunctionCallback), new Function<void(Probe::Context&)>(WTFMove(func)));
+    probe(stdFunctionCallback, new Function<void(Probe::Context&)>(WTFMove(func)));
 }
-
 #endif // ENABLE(MASM_PROBE)
 
 } // namespace JSC
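Review bot: The `Function` allocated with `new` in the restored `probe(stdFunctionCallback, new Function<...>(WTFMove(func)))` line has no visible owner in this hunk, and the surrounding code now gives no hint of who releases it. A one-line contract at the call site would keep the next reader from treating it as a leak, e.g. `// Ownership of the heap-allocated Function passes to stdFunctionCallback, which is expected to delete it after invoking the probe.` — confirm against stdFunctionCallback, which is defined outside the hunk. The deletion of the blank line before `#endif // ENABLE(MASM_PROBE)` is whitespace-only and unrelated to the roll-out.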

Modified: trunk/Source/_javascript_Core/assembler/MacroAssemblerARM64.cpp (260221 => 260222)


--- trunk/Source/_javascript_Core/assembler/MacroAssemblerARM64.cpp	2020-04-16 20:54:30 UTC (rev 260221)
+++ trunk/Source/_javascript_Core/assembler/MacroAssemblerARM64.cpp	2020-04-16 21:40:23 UTC (rev 260222)
@@ -28,7 +28,6 @@
 #if ENABLE(ASSEMBLER) && CPU(ARM64)
 #include "MacroAssembler.h"
 
-#include "JSCPtrTag.h"
 #include "ProbeContext.h"
 #include <wtf/InlineASM.h>
 
@@ -298,13 +297,6 @@
 static_assert(LR_RESTORATION_SIZE == sizeof(LRRestorationRecord), "LR_RESTORATION_SIZE is incorrect");
 static_assert(!(sizeof(LRRestorationRecord) & 0xf), "LRRestorationRecord must be 16-byte aligned");
 
-#if CPU(ARM64E)
-#define JIT_PROBE_EXECUTOR_PTR_TAG 0x28de
-#define JIT_PROBE_STACK_INITIALIZATION_FUNCTION_PTR_TAG 0x315c
-static_assert(JIT_PROBE_EXECUTOR_PTR_TAG == JITProbeExecutorPtrTag);
-static_assert(JIT_PROBE_STACK_INITIALIZATION_FUNCTION_PTR_TAG == JITProbeStackInitializationFunctionPtrTag);
-#endif
-
 // We use x29 and x30 instead of fp and lr because GCC's inline assembler does not recognize fp and lr.
 // See https://bugs.webkit.org/show_bug.cgi?id=175512 for details.
 asm (
@@ -390,8 +382,7 @@
     // the caller of the probe (which is what we want in order to play nice with debuggers e.g. lldb).
     "mov       x0, sp" "\n" // Set the Probe::State* arg.
 #if CPU(ARM64E)
-    "movz      lr, #" STRINGIZE_VALUE_OF(JIT_PROBE_EXECUTOR_PTR_TAG) "\n"
-    "blrab     x28, lr" "\n" // Call the probe handler.
+    "blraaz    x28" "\n" // Call the probe handler.
 #else
     "blr       x28" "\n" // Call the probe handler.
 #endif
@@ -431,8 +422,7 @@
 
     "mov       x0, x27" "\n" // Set the Probe::State* arg.
 #if CPU(ARM64E)
-    "movz      lr, #" STRINGIZE_VALUE_OF(JIT_PROBE_STACK_INITIALIZATION_FUNCTION_PTR_TAG) "\n"
-    "blrab     x2, lr" "\n" // Call the initializeStackFunction (loaded into x2 above).all the probe handler.
+    "blraaz    x2" "\n" // Call the initializeStackFunction (loaded into x2 above).
 #else
     "blr       x2" "\n" // Call the initializeStackFunction (loaded into x2 above).
 #endif
@@ -541,12 +531,11 @@
     storePair64(x24, x25, sp, TrustedImm32(offsetof(IncomingProbeRecord, x24)));
     storePair64(x26, x27, sp, TrustedImm32(offsetof(IncomingProbeRecord, x26)));
     storePair64(x28, x30, sp, TrustedImm32(offsetof(IncomingProbeRecord, x28))); // Note: x30 is lr.
-    move(TrustedImmPtr(tagCFunction<JITProbeTrampolinePtrTag>(ctiMasmProbeTrampoline)), x26);
-    move(TrustedImmPtr(tagCFunction<JITProbeExecutorPtrTag>(Probe::executeProbe)), x28);
-    ASSERT(isTaggedWith(function, JITProbePtrTag));
+    move(TrustedImmPtr(reinterpret_cast<void*>(ctiMasmProbeTrampoline)), x26);
+    move(TrustedImmPtr(reinterpret_cast<void*>(Probe::executeProbe)), x28);
     move(TrustedImmPtr(reinterpret_cast<void*>(function)), x24);
     move(TrustedImmPtr(arg), x25);
-    call(x26, JITProbeTrampolinePtrTag);
+    call(x26, CFunctionPtrTag);
 
     // ctiMasmProbeTrampoline should have restored every register except for lr and the sp.
     load64(Address(sp, offsetof(LRRestorationRecord, lr)), lr);
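Review bot: Replacing `blrab x28, lr` with `blraaz x28` (and the same for `x2`) authenticates the probe-executor and stack-initialization pointers with the A key and a zero discriminator, so the new side presumably accepts any default-signed C function pointer at those two branch sites instead of only one signed for this purpose; the `ASSERT(isTaggedWith(function, JITProbePtrTag))` before the `move` of `function` into x24 is dropped as well, and `call(x26, CFunctionPtrTag)` now relies on the plain `reinterpret_cast<void*>(ctiMasmProbeTrampoline)` value. Since this is a roll-out for the iOS crashes at https://bugs.webkit.org/show_bug.cgi?id=210252 rather than a design decision, the loss of diversification should be recorded next to the `call(x26, CFunctionPtrTag)` line, e.g. `// TODO: re-land the diversified JITProbe* pointer tags once the iOS crash is understood; zero-discriminator signing is a temporary fallback (see https://bugs.webkit.org/show_bug.cgi?id=210252).`. The same contract change recurs in the `probe(...)` call sites of MacroAssembler.cpp, MacroAssemblerPrinter.h, WasmAirIRGenerator.cpp and WasmB3IRGenerator.cpp and in the removal of the `__ptrauth` qualifiers on `State::probeFunction` and `State::initializeStackFunction` in ProbeContext.h, and one TODO at the trampoline is enough to track all of them. Both the inline assembly block and the `probe` body extend beyond the hunks shown.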

Modified: trunk/Source/_javascript_Core/assembler/MacroAssemblerPrinter.h (260221 => 260222)


--- trunk/Source/_javascript_Core/assembler/MacroAssemblerPrinter.h	2020-04-16 20:54:30 UTC (rev 260221)
+++ trunk/Source/_javascript_Core/assembler/MacroAssemblerPrinter.h	2020-04-16 21:40:23 UTC (rev 260222)
@@ -25,7 +25,6 @@
 
 #pragma once
 
-#include "JSCPtrTag.h"
 #include "MacroAssembler.h"
 #include "Printer.h"
 #include "ProbeContext.h"
@@ -233,12 +232,12 @@
 inline void MacroAssembler::print(Arguments&&... arguments)
 {
     auto printRecordList = Printer::makePrintRecordList(std::forward<Arguments>(arguments)...);
-    probe(tagCFunction<JITProbePtrTag>(Printer::printCallback), printRecordList);
+    probe(Printer::printCallback, printRecordList);
 }
 
 inline void MacroAssembler::print(Printer::PrintRecordList* printRecordList)
 {
-    probe(tagCFunction<JITProbePtrTag>(Printer::printCallback), printRecordList);
+    probe(Printer::printCallback, printRecordList);
 }
 
 #endif // ENABLE(MASM_PROBE)

Modified: trunk/Source/_javascript_Core/assembler/ProbeContext.h (260221 => 260222)


--- trunk/Source/_javascript_Core/assembler/ProbeContext.h	2020-04-16 20:54:30 UTC (rev 260221)
+++ trunk/Source/_javascript_Core/assembler/ProbeContext.h	2020-04-16 21:40:23 UTC (rev 260222)
@@ -175,18 +175,10 @@
 struct State;
 typedef void (*StackInitializationFunction)(State*);
 
-#if CPU(ARM64E)
-#define PROBE_FUNCTION_PTRAUTH __ptrauth(ptrauth_key_process_dependent_code, 0, JITProbePtrTag)
-#define PROBE_STACK_INITIALIZATION_FUNCTION_PTRAUTH __ptrauth(ptrauth_key_process_dependent_code, 0, JITProbeStackInitializationFunctionPtrTag)
-#else
-#define PROBE_FUNCTION_PTRAUTH
-#define PROBE_STACK_INITIALIZATION_FUNCTION_PTRAUTH
-#endif
-
 struct State {
-    Probe::Function PROBE_FUNCTION_PTRAUTH probeFunction;
+    Probe::Function probeFunction;
     void* arg;
-    StackInitializationFunction PROBE_STACK_INITIALIZATION_FUNCTION_PTRAUTH initializeStackFunction;
+    StackInitializationFunction initializeStackFunction;
     void* initializeStackArg;
     CPUState cpu;
 };

Modified: trunk/Source/_javascript_Core/runtime/JSCPtrTag.h (260221 => 260222)


--- trunk/Source/_javascript_Core/runtime/JSCPtrTag.h	2020-04-16 20:54:30 UTC (rev 260221)
+++ trunk/Source/_javascript_Core/runtime/JSCPtrTag.h	2020-04-16 21:40:23 UTC (rev 260222)
@@ -39,10 +39,6 @@
     v(DisassemblyPtrTag) \
     v(ExceptionHandlerPtrTag) \
     v(ExecutableMemoryPtrTag) \
-    v(JITProbePtrTag) \
-    v(JITProbeTrampolinePtrTag) \
-    v(JITProbeExecutorPtrTag) \
-    v(JITProbeStackInitializationFunctionPtrTag) \
     v(JITThunkPtrTag) \
     v(JITStubRoutinePtrTag) \
     v(JSEntryPtrTag) \

Modified: trunk/Source/_javascript_Core/tools/JSDollarVM.cpp (260221 => 260222)


--- trunk/Source/_javascript_Core/tools/JSDollarVM.cpp	2020-04-16 20:54:30 UTC (rev 260221)
+++ trunk/Source/_javascript_Core/tools/JSDollarVM.cpp	2020-04-16 21:40:23 UTC (rev 260222)
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2015-2020 Apple Inc. All rights reserved.
+ * Copyright (C) 2015-2019 Apple Inc. All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
@@ -2136,10 +2136,7 @@
 static void callWithStackSizeProbeFunction(Probe::State* state)
 {
     JSGlobalObject* globalObject = bitwise_cast<JSGlobalObject*>(state->arg);
-    // The bits loaded from state->probeFunction will be tagged like
-    // a C function. So, we'll need to untag it to extract the bits
-    // for the JSFunction*.
-    JSFunction* function = bitwise_cast<JSFunction*>(untagCodePtr<CFunctionPtrTag>(state->probeFunction));
+    JSFunction* function = bitwise_cast<JSFunction*>(state->probeFunction);
     state->initializeStackFunction = nullptr;
     state->initializeStackArg = nullptr;
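Review bot: `bitwise_cast<JSFunction*>(state->probeFunction)` reinterprets the `Probe::Function` slot as a data pointer, so `callWithStackSizeProbeFunction` depends on the caller having stored raw `JSFunction*` bits in a field whose declared type is a function pointer; the removed comment explained the old tag/untag step, and the new side should state what it relies on instead, e.g. `// state->probeFunction carries the raw JSFunction* bits placed there by the caller; it is not a callable C function and must be neither signed nor called.` — confirm against the store site, which is outside the hunk. The copyright year in the same file is rolled back to 2019 even though the file is being edited in 2020; the same applies to the header of WasmAirIRGenerator.cpp. The function body continues past the hunk.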
 

Modified: trunk/Source/_javascript_Core/wasm/WasmAirIRGenerator.cpp (260221 => 260222)


--- trunk/Source/_javascript_Core/wasm/WasmAirIRGenerator.cpp	2020-04-16 20:54:30 UTC (rev 260221)
+++ trunk/Source/_javascript_Core/wasm/WasmAirIRGenerator.cpp	2020-04-16 21:40:23 UTC (rev 260222)
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2019-2020 Apple Inc. All rights reserved.
+ * Copyright (C) 2019 Apple Inc. All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
@@ -1826,7 +1826,7 @@
             forceOSREntry.link(&jit);
             tierUp.link(&jit);
 
-            jit.probe(tagCFunction<JITProbePtrTag>(operationWasmTriggerOSREntryNow), osrEntryDataPtr);
+            jit.probe(operationWasmTriggerOSREntryNow, osrEntryDataPtr);
             jit.branchTestPtr(CCallHelpers::Zero, GPRInfo::argumentGPR0).linkTo(tierUpResume, &jit);
             jit.farJump(GPRInfo::argumentGPR1, WasmEntryPtrTag);
         });

Modified: trunk/Source/_javascript_Core/wasm/WasmB3IRGenerator.cpp (260221 => 260222)


--- trunk/Source/_javascript_Core/wasm/WasmB3IRGenerator.cpp	2020-04-16 20:54:30 UTC (rev 260221)
+++ trunk/Source/_javascript_Core/wasm/WasmB3IRGenerator.cpp	2020-04-16 21:40:23 UTC (rev 260222)
@@ -1338,7 +1338,7 @@
             forceOSREntry.link(&jit);
             tierUp.link(&jit);
 
-            jit.probe(tagCFunction<JITProbePtrTag>(operationWasmTriggerOSREntryNow), osrEntryDataPtr);
+            jit.probe(operationWasmTriggerOSREntryNow, osrEntryDataPtr);
             jit.branchTestPtr(CCallHelpers::Zero, GPRInfo::argumentGPR0).linkTo(tierUpResume, &jit);
             jit.farJump(GPRInfo::argumentGPR1, WasmEntryPtrTag);
         });