Title: [173131] trunk/Source/_javascript_Core
Revision: 173131
Author: [email protected]
Date: 2014-08-29 17:19:42 -0700 (Fri, 29 Aug 2014)
Log Message
Ensure that the call frame passed from doVMEntry to the called function always contains the valid scope chain.
https://bugs.webkit.org/show_bug.cgi?id=136391
Patch by Akos Kiss <[email protected]> on 2014-08-29
Reviewed by Michael Saboff.
Do not rely on calling conventions to fill in the CallerFrame component
of the ExecState* parameter of the called function.
* llint/LowLevelInterpreter32_64.asm:
* llint/LowLevelInterpreter64.asm:
Modified Paths
Diff
Modified: trunk/Source/_javascript_Core/ChangeLog (173130 => 173131)
--- trunk/Source/_javascript_Core/ChangeLog 2014-08-30 00:01:24 UTC (rev 173130)
+++ trunk/Source/_javascript_Core/ChangeLog 2014-08-30 00:19:42 UTC (rev 173131)
@@ -1,3 +1,16 @@
+2014-08-29 Akos Kiss <[email protected]>
+
+ Ensure that the call frame passed from doVMEntry to the called function always contains the valid scope chain.
+ https://bugs.webkit.org/show_bug.cgi?id=136391
+
+ Reviewed by Michael Saboff.
+
+ Do not rely on calling conventions to fill in the CallerFrame component
+ of the ExecState* parameter of the called function.
+
+ * llint/LowLevelInterpreter32_64.asm:
+ * llint/LowLevelInterpreter64.asm:
+
2014-08-29 Saam Barati <[email protected]>
emit op_profile_type for deconstruction assignments
Modified: trunk/Source/_javascript_Core/llint/LowLevelInterpreter32_64.asm (173130 => 173131)
--- trunk/Source/_javascript_Core/llint/LowLevelInterpreter32_64.asm 2014-08-30 00:01:24 UTC (rev 173130)
+++ trunk/Source/_javascript_Core/llint/LowLevelInterpreter32_64.asm 2014-08-30 00:19:42 UTC (rev 173131)
@@ -367,9 +367,9 @@
macro makeHostFunctionCall(entry, temp1, temp2)
move entry, temp1
+ storep cfr, [sp]
if C_LOOP
move sp, a0
- storep cfr, [sp]
storep lr, PtrSize[sp]
cloopCallNative temp1
else
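Review bot: the rationale for the explicit CallerFrame store goes missing in this hunk: the new unconditional `storep cfr, [sp]` carries no comment, and the only explanation of it in this macro (`# put caller frame pointer into callee frame since callee prologue can't`) is deleted from the X86 branch further down. Suggest a one-line comment directly above `storep cfr, [sp]` stating that the CallerFrame slot of the callee's ExecState is written here for every backend instead of being left to the callee prologue or the platform calling convention, which is the point the ChangeLog makes. The ordering itself is sound: nothing modifies sp between the store and the C_LOOP `move sp, a0`, so a0 still points at the frame whose CallerFrame slot was just filled.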
@@ -377,7 +377,6 @@
# Put callee frame pointer on stack as arg0, also put it in ecx for "fastcall" targets
move 0, temp2
move temp2, 4[sp] # put 0 in ReturnPC
- move cfr, [sp] # put caller frame pointer into callee frame since callee prologue can't
move sp, t2 # t2 is ecx
push temp2 # Push dummy arg1
push t2
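Review bot: dropping `move cfr, [sp]` here is correct only because the unconditional `storep cfr, [sp]` at the top of the macro now runs before `move 0, temp2`; nothing in between touches sp, and `move temp2, 4[sp]` writes the adjacent ReturnPC slot, so the CallerFrame value survives until the `push` sequence adjusts sp. Since the store now applies to every backend, it is worth confirming that the other 32-bit branches of this macro, which are not part of this diff, also expect CallerFrame at [sp] on entry and do not overwrite that slot before the call.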
Modified: trunk/Source/_javascript_Core/llint/LowLevelInterpreter64.asm (173130 => 173131)
--- trunk/Source/_javascript_Core/llint/LowLevelInterpreter64.asm 2014-08-30 00:01:24 UTC (rev 173130)
+++ trunk/Source/_javascript_Core/llint/LowLevelInterpreter64.asm 2014-08-30 00:19:42 UTC (rev 173131)
@@ -311,16 +311,11 @@
elsif ARM64 or C_LOOP
move sp, a0
end
+ storep cfr, [sp]
if C_LOOP
- storep cfr, [sp]
storep lr, 8[sp]
cloopCallNative temp
elsif X86_64_WIN
- # For a host function call, JIT relies on that the CallerFrame (frame pointer) is put on the stack,
- # On Win64 we need to manually copy the frame pointer to the stack, since MSVC may not maintain a frame pointer on 64-bit.
- # See http://msdn.microsoft.com/en-us/library/9z1stfyw.aspx where it's stated that rbp MAY be used as a frame pointer.
- storep cfr, [sp]
-
# We need to allocate 32 bytes on the stack for the shadow space.
subp 32, sp
call temp
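Review bot: the deleted X86_64_WIN comment (MSVC may not maintain rbp as a frame pointer, with the MSDN reference) was the only place in this macro documenting why the interpreter writes CallerFrame itself rather than trusting the callee prologue; now that the store is unconditional, suggest moving that explanation, generalized to all backends, onto the new `storep cfr, [sp]` instead of dropping it. Ordering on Win64 is unchanged: the store still precedes `subp 32, sp`, so the shadow space is allocated below an already-written slot, and on ARM64/C_LOOP the earlier `move sp, a0` still hands the callee the frame whose CallerFrame slot is filled.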
_______________________________________________
webkit-changes mailing list
[email protected]
https://lists.webkit.org/mailman/listinfo/webkit-changes