Title: [114959] trunk
Revision
114959
Author
oli...@apple.com
Date
2012-04-23 16:07:45 -0700 (Mon, 23 Apr 2012)

Log Message

Call instruction for the baseline JIT stores origin info in wrong callframe
https://bugs.webkit.org/show_bug.cgi?id=84645

Reviewed by Gavin Barraclough.

Source/_javascript_Core:

The baseline JIT was updating the wrong callframe when making a call.  If the
call failed during dispatch (unable to perform codegen, calling a non-object)
we would attempt to use this information, but it would be completely wrong.

* jit/JITCall.cpp:
(JSC::JIT::compileOpCall):
* jit/JITCall32_64.cpp:
(JSC::JIT::compileOpCall):

LayoutTests:

Directly force LLInt, Baseline, and DFG JITs to handle the path where
a call fails during dispatch.

* fast/js/script-tests/stack-trace.js:
(callNonCallable):

Diff

Modified: trunk/LayoutTests/ChangeLog (114958 => 114959)


--- trunk/LayoutTests/ChangeLog	2012-04-23 22:52:13 UTC (rev 114958)
+++ trunk/LayoutTests/ChangeLog	2012-04-23 23:07:45 UTC (rev 114959)
@@ -1,3 +1,16 @@
+2012-04-23  Oliver Hunt  <oli...@apple.com>
+
+        Call instruction for the baseline JIT stores origin info in wrong callframe
+        https://bugs.webkit.org/show_bug.cgi?id=84645
+
+        Reviewed by Gavin Barraclough.
+
+        Directly force LLInt, Baseline, and DFG JITs to handle the path where
+        a call fails during dispatch.
+
+        * fast/js/script-tests/stack-trace.js:
+        (callNonCallable):
+
 2012-04-23  Victor Carbune  <vcarb...@adobe.com>
 
         Simplify volume slider rendering

Modified: trunk/LayoutTests/fast/js/script-tests/stack-trace.js (114958 => 114959)


--- trunk/LayoutTests/fast/js/script-tests/stack-trace.js	2012-04-23 22:52:13 UTC (rev 114958)
+++ trunk/LayoutTests/fast/js/script-tests/stack-trace.js	2012-04-23 23:07:45 UTC (rev 114959)
@@ -211,4 +211,17 @@
     printStack(e.stack);
 }
 
+var someValue = null;
+
+function callNonCallable() {
+    someValue();
+}
+
+for (var i = 0; i < 100; i++) {
+    try {
+        callNonCallable();
+    } catch (e) {
+    }
+}
+
 successfullyParsed = true;
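Review bot: the empty `catch (e) {}` in the new loop discards whatever callNonCallable() throws, so the test only proves the engine does not crash on the dispatch-failure path; it cannot distinguish the expected TypeError from the call unexpectedly succeeding or from some other exception, and nothing is printed, so the expected-output file sees no difference either. Consider `if (!(e instanceof TypeError)) throw e;` inside the catch, and add a comment on the loop explaining that the 100 iterations are there to tier callNonCallable up through LLInt, Baseline and DFG, which is the intent stated in the ChangeLog but not visible in the test itself.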

Modified: trunk/Source/_javascript_Core/ChangeLog (114958 => 114959)


--- trunk/Source/_javascript_Core/ChangeLog	2012-04-23 22:52:13 UTC (rev 114958)
+++ trunk/Source/_javascript_Core/ChangeLog	2012-04-23 23:07:45 UTC (rev 114959)
@@ -1,3 +1,19 @@
+2012-04-23  Oliver Hunt  <oli...@apple.com>
+
+        Call instruction for the baseline JIT stores origin info in wrong callframe
+        https://bugs.webkit.org/show_bug.cgi?id=84645
+
+        Reviewed by Gavin Barraclough.
+
+        The baseline JIT was updating the wrong callframe when making a call.  If the
+        call failed during dispatch (unable to perform codegen, calling a non-object)
+        we would attempt to use this information, but it would be completely wrong.
+
+        * jit/JITCall.cpp:
+        (JSC::JIT::compileOpCall):
+        * jit/JITCall32_64.cpp:
+        (JSC::JIT::compileOpCall):
+
 2012-04-23  Filip Pizlo  <fpi...@apple.com>
 
         DFG must keep alive values that it will perform speculations on

Modified: trunk/Source/_javascript_Core/jit/JITCall.cpp (114958 => 114959)


--- trunk/Source/_javascript_Core/jit/JITCall.cpp	2012-04-23 22:52:13 UTC (rev 114958)
+++ trunk/Source/_javascript_Core/jit/JITCall.cpp	2012-04-23 23:07:45 UTC (rev 114959)
@@ -164,7 +164,7 @@
         store32(TrustedImm32(argCount), Address(regT1, RegisterFile::ArgumentCount * static_cast<int>(sizeof(Register)) + OBJECT_OFFSETOF(EncodedValueDescriptor, asBits.payload)));
     } // regT1 holds newCallFrame with ArgumentCount initialized.
     
-    store32(TrustedImm32(instruction - m_codeBlock->instructions().begin()), Address(regT1, RegisterFile::ArgumentCount * static_cast<int>(sizeof(Register)) + OBJECT_OFFSETOF(EncodedValueDescriptor, asBits.tag)));
+    store32(TrustedImm32(instruction - m_codeBlock->instructions().begin()), Address(callFrameRegister, RegisterFile::ArgumentCount * static_cast<int>(sizeof(Register)) + OBJECT_OFFSETOF(EncodedValueDescriptor, asBits.tag)));
     emitGetVirtualRegister(callee, regT0); // regT0 holds callee.
 
     storePtr(callFrameRegister, Address(regT1, RegisterFile::CallerFrame * static_cast<int>(sizeof(Register))));
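Review bot: the `+` line now writes the bytecode offset into the caller's frame (callFrameRegister) rather than the new frame in regT1, but the comment just above still only describes regT1 as "newCallFrame with ArgumentCount initialized", so a reader has to work out that the ArgumentCount tag of the current frame is where the origin of the in-flight call is recorded. A one-line comment on the new store saying so would help, since per the ChangeLog this is exactly the slot the dispatch-failure path (codegen failure, calling a non-object) reads. Worth double-checking in review that those readers already look in the caller frame rather than the callee frame; otherwise this change moves the mismatch rather than removing it.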

Modified: trunk/Source/_javascript_Core/jit/JITCall32_64.cpp (114958 => 114959)


--- trunk/Source/_javascript_Core/jit/JITCall32_64.cpp	2012-04-23 22:52:13 UTC (rev 114958)
+++ trunk/Source/_javascript_Core/jit/JITCall32_64.cpp	2012-04-23 23:07:45 UTC (rev 114959)
@@ -246,7 +246,7 @@
         store32(TrustedImm32(argCount), payloadFor(RegisterFile::ArgumentCount, regT3));
     } // regT3 holds newCallFrame with ArgumentCount initialized.
     
-    storePtr(TrustedImmPtr(instruction), tagFor(RegisterFile::ArgumentCount, regT3));
+    storePtr(TrustedImmPtr(instruction), tagFor(RegisterFile::ArgumentCount, callFrameRegister));
     emitLoad(callee, regT1, regT0); // regT1, regT0 holds callee.
 
     storePtr(callFrameRegister, Address(regT3, RegisterFile::CallerFrame * static_cast<int>(sizeof(Register))));
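Review bot: same fix as in JITCall.cpp, but the two hunks do not store the same value: the 64-bit path stores a 32-bit bytecode offset (`instruction - m_codeBlock->instructions().begin()`) via `store32`, while this path stores the raw instruction pointer with `storePtr(TrustedImmPtr(instruction), ...)`. That asymmetry predates this patch, but since the whole point of the fix is that the dispatch-failure path reads this slot, a comment here (or in a shared header) stating which representation the consumer expects on each build would keep the two JITs, and the LLInt/DFG paths the test ChangeLog mentions, from drifting.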
_______________________________________________
webkit-changes mailing list
webkit-changes@lists.webkit.org
http://lists.webkit.org/mailman/listinfo.cgi/webkit-changes
