Title: [160956] branches/jsCStack/Source/_javascript_Core
Revision
160956
Author
fpi...@apple.com
Date
2013-12-20 18:48:50 -0800 (Fri, 20 Dec 2013)

Log Message

Arity check stack restoration should preserve the ArgumentCount in case there is a register restoration thunk below it
https://bugs.webkit.org/show_bug.cgi?id=126106

Not yet reviewed.

* assembler/MacroAssemblerCodeRef.h:
(JSC::ReturnAddressPtr::dump):
* jit/ArityCheckFailReturnThunks.cpp:
(JSC::ArityCheckFailReturnThunks::returnPCsFor):

Modified Paths

Diff

Modified: branches/jsCStack/Source/_javascript_Core/ChangeLog (160955 => 160956)


--- branches/jsCStack/Source/_javascript_Core/ChangeLog	2013-12-21 02:47:10 UTC (rev 160955)
+++ branches/jsCStack/Source/_javascript_Core/ChangeLog	2013-12-21 02:48:50 UTC (rev 160956)
@@ -1,3 +1,15 @@
+2013-12-20  Filip Pizlo  <fpi...@apple.com>
+
+        Arity check stack restoration should preserve the ArgumentCount in case there is a register restoration thunk below it
+        https://bugs.webkit.org/show_bug.cgi?id=126106
+
+        Not yet reviewed.
+
+        * assembler/MacroAssemblerCodeRef.h:
+        (JSC::ReturnAddressPtr::dump):
+        * jit/ArityCheckFailReturnThunks.cpp:
+        (JSC::ArityCheckFailReturnThunks::returnPCsFor):
+
 2013-12-20  Mark Lam  <mark....@apple.com>
 
         CStack: callToJavaScript should do stack check for incoming args.

Modified: branches/jsCStack/Source/_javascript_Core/assembler/MacroAssemblerCodeRef.h (160955 => 160956)


--- branches/jsCStack/Source/_javascript_Core/assembler/MacroAssemblerCodeRef.h	2013-12-21 02:47:10 UTC (rev 160955)
+++ branches/jsCStack/Source/_javascript_Core/assembler/MacroAssemblerCodeRef.h	2013-12-21 02:48:50 UTC (rev 160956)
@@ -254,6 +254,11 @@
     }
 
     void* value() const { return m_value; }
+    
+    void dump(PrintStream& out) const
+    {
+        out.print(RawPointer(m_value));
+    }
 
 private:
     void* m_value;
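Review bot: The new `dump` carries no comment saying what it is for, and since it prints the raw return-address value through `RawPointer(m_value)`, a reader cannot tell whether it is a debug-only facility or something meant for regular logging. A one-liner above it such as `// Debug dumper: prints the raw return address (a code pointer), for tracing only.` would make the intent explicit and remind callers that this output exposes code-layout information. The enclosing ReturnAddressPtr class begins and ends outside the hunk.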

Modified: branches/jsCStack/Source/_javascript_Core/jit/ArityCheckFailReturnThunks.cpp (160955 => 160956)


--- branches/jsCStack/Source/_javascript_Core/jit/ArityCheckFailReturnThunks.cpp	2013-12-21 02:47:10 UTC (rev 160955)
+++ branches/jsCStack/Source/_javascript_Core/jit/ArityCheckFailReturnThunks.cpp	2013-12-21 02:48:50 UTC (rev 160956)
@@ -68,8 +68,6 @@
     for (unsigned size = m_nextSize; size <= numExpectedArgumentsIncludingThis; size += stackAlignmentRegisters()) {
         labels.append(jit.label());
         
-        jit.nearCall();
-        jit.pop(GPRInfo::regT2);
         jit.load32(
             AssemblyHelpers::Address(
                 AssemblyHelpers::stackPointerRegister,
@@ -79,16 +77,25 @@
         jit.add32(
             AssemblyHelpers::TrustedImm32(
                 JSStack::CallFrameHeaderSize - JSStack::CallerFrameAndPCSize + size - 1),
-            GPRInfo::regT1);
-        jit.lshift32(AssemblyHelpers::TrustedImm32(3), GPRInfo::regT1);
-        jit.addPtr(AssemblyHelpers::stackPointerRegister, GPRInfo::regT1);
-        jit.loadPtr(GPRInfo::regT1, GPRInfo::regT1);
+            GPRInfo::regT1, GPRInfo::regT2);
+        jit.lshift32(AssemblyHelpers::TrustedImm32(3), GPRInfo::regT2);
+        jit.addPtr(AssemblyHelpers::stackPointerRegister, GPRInfo::regT2);
+        jit.loadPtr(GPRInfo::regT2, GPRInfo::regT2);
         
         jit.addPtr(
             AssemblyHelpers::TrustedImm32(size * sizeof(Register)),
             AssemblyHelpers::stackPointerRegister);
         
-        jit.jump(GPRInfo::regT1);
+        // Thunks like ours want to use the return PC to figure out where things
+        // were saved. So, we pay it forward.
+        jit.store32(
+            GPRInfo::regT1,
+            AssemblyHelpers::Address(
+                AssemblyHelpers::stackPointerRegister,
+                (JSStack::ArgumentCount - JSStack::CallerFrameAndPCSize) * sizeof(Register) +
+                PayloadOffset));
+        
+        jit.jump(GPRInfo::regT2);
     }
     
     LinkBuffer linkBuffer(vm, &jit, GLOBAL_THUNK_ID);
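Review bot: The comment above the new `store32` talks about the return PC, but the value being stored is `regT1`, which from the three-operand `add32` on the new side appears to hold the count loaded from the `ArgumentCount` slot, whereas the return PC lives in `regT2` and is only jumped to; the comment should name what is actually paid forward, e.g. `// Rewrite ArgumentCount into the restored frame: a register-restoration thunk below us uses it (together with the return PC) to figure out where things were saved.` Separately, `jit.lshift32(AssemblyHelpers::TrustedImm32(3), GPRInfo::regT2);` hard-codes log2 of the register size while the stack adjustment a few lines later spells out `size * sizeof(Register)`; a short comment or a named constant would keep the two expressions in step. The store also writes only the payload half of the slot (`+ PayloadOffset`), so whatever was in the tag half of that slot is left untouched — worth confirming that the thunk below does not rely on it. returnPCsFor begins and ends outside the hunk.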