Modified: trunk/LayoutTests/ChangeLog (191764 => 191765)
--- trunk/LayoutTests/ChangeLog 2015-10-29 23:52:16 UTC (rev 191764)
+++ trunk/LayoutTests/ChangeLog 2015-10-30 00:03:22 UTC (rev 191765)
@@ -1,3 +1,18 @@
+2015-10-29 Michael Saboff <[email protected]>
+
+ Crash making a tail call from a getter to a host function
+ https://bugs.webkit.org/show_bug.cgi?id=150663
+
+ Reviewed by Geoffrey Garen.
+
+ New regression tests.
+
+ * js/regress-150663-expected.txt: Added.
+ * js/regress-150663.html: Added.
+ * js/script-tests/regress-150663.js: Added.
+ (Test):
+ (Test.prototype.get sum):
+
2015-10-29 Brady Eidson <[email protected]>
Modern IDB: deleteObjectStore support.
Added: trunk/LayoutTests/js/regress-150663-expected.txt (0 => 191765)
--- trunk/LayoutTests/js/regress-150663-expected.txt (rev 0)
+++ trunk/LayoutTests/js/regress-150663-expected.txt 2015-10-30 00:03:22 UTC (rev 191765)
@@ -0,0 +1,10 @@
+Regression test for 150663
+
+On success, you will see a series of "PASS" messages, followed by "TEST COMPLETE".
+
+
+PASS Able to tail call a native function from a JS callee of C++ code
+PASS successfullyParsed is true
+
+TEST COMPLETE
+
Added: trunk/LayoutTests/js/regress-150663.html (0 => 191765)
--- trunk/LayoutTests/js/regress-150663.html (rev 0)
+++ trunk/LayoutTests/js/regress-150663.html 2015-10-30 00:03:22 UTC (rev 191765)
@@ -0,0 +1,10 @@
+<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML//EN">
+<html>
+<head>
+<script src=""
+</head>
+<body>
+<script src=""
+<script src=""
+</body>
+</html>
Added: trunk/LayoutTests/js/script-tests/regress-150663.js (0 => 191765)
--- trunk/LayoutTests/js/script-tests/regress-150663.js (rev 0)
+++ trunk/LayoutTests/js/script-tests/regress-150663.js 2015-10-30 00:03:22 UTC (rev 191765)
@@ -0,0 +1,28 @@
+description("Regression test for 150663");
+
+// We should be able to tail call a native function from a JS callee of C++
+
+"use strict";
+
+class Test {
+ constructor(a, b)
+ {
+ this.a = a;
+ this.b = b;
+ }
+
+ get sum()
+ {
+ return Number(this.a + this.b);
+ }
+}
+
+var testObj = new Test(40, 2);
+
+for (var i = 0; i < 100000; i++) {
+ var result = testObj.sum;
+ if (result != 42)
+ testFailed("Expected 42 from \"sum\" getter, got " + result);
+}
+
+testPassed("Able to tail call a native function from a JS callee of C++ code");
Modified: trunk/Source/_javascript_Core/ChangeLog (191764 => 191765)
--- trunk/Source/_javascript_Core/ChangeLog 2015-10-29 23:52:16 UTC (rev 191764)
+++ trunk/Source/_javascript_Core/ChangeLog 2015-10-30 00:03:22 UTC (rev 191765)
@@ -1,3 +1,15 @@
+2015-10-29 Michael Saboff <[email protected]>
+
+ Crash making a tail call from a getter to a host function
+ https://bugs.webkit.org/show_bug.cgi?id=150663
+
+ Reviewed by Geoffrey Garen.
+
+ Change the inline assembly versions of getHostCallReturnValue() to pass the location of the callee
+ call frame to getHostCallReturnValueWithExecState(). We were passing the caller's frame address.
+
+ * jit/JITOperations.cpp:
+
2015-10-29 Filip Pizlo <[email protected]>
B3::LowerToAir::imm() should work for both 32-bit and 64-bit immediates
Modified: trunk/Source/_javascript_Core/jit/JITOperations.cpp (191764 => 191765)
--- trunk/Source/_javascript_Core/jit/JITOperations.cpp 2015-10-29 23:52:16 UTC (rev 191764)
+++ trunk/Source/_javascript_Core/jit/JITOperations.cpp 2015-10-30 00:03:22 UTC (rev 191765)
@@ -2135,7 +2135,7 @@
".globl " SYMBOL_STRING(getHostCallReturnValue) "\n"
HIDE_SYMBOL(getHostCallReturnValue) "\n"
SYMBOL_STRING(getHostCallReturnValue) ":" "\n"
- "mov %rbp, %rdi\n"
+ "lea -8(%rsp), %rdi\n"
"jmp " LOCAL_REFERENCE(getHostCallReturnValueWithExecState) "\n"
);
@@ -2146,8 +2146,9 @@
HIDE_SYMBOL(getHostCallReturnValue) "\n"
SYMBOL_STRING(getHostCallReturnValue) ":" "\n"
"push %ebp\n"
+ "mov %esp, %eax\n"
"leal -4(%esp), %esp\n"
- "push %ebp\n"
+ "push %eax\n"
"call " LOCAL_REFERENCE(getHostCallReturnValueWithExecState) "\n"
"leal 8(%esp), %esp\n"
"pop %ebp\n"
@@ -2163,7 +2164,7 @@
".thumb" "\n"
".thumb_func " THUMB_FUNC_PARAM(getHostCallReturnValue) "\n"
SYMBOL_STRING(getHostCallReturnValue) ":" "\n"
- "mov r0, r7" "\n"
+ "sub r0, sp, #8" "\n"
"b " LOCAL_REFERENCE(getHostCallReturnValueWithExecState) "\n"
);
@@ -2174,7 +2175,7 @@
HIDE_SYMBOL(getHostCallReturnValue) "\n"
INLINE_ARM_FUNCTION(getHostCallReturnValue)
SYMBOL_STRING(getHostCallReturnValue) ":" "\n"
- "mov r0, r11" "\n"
+ "sub r0, sp, #8" "\n"
"b " LOCAL_REFERENCE(getHostCallReturnValueWithExecState) "\n"
);
@@ -2185,7 +2186,7 @@
".globl " SYMBOL_STRING(getHostCallReturnValue) "\n"
HIDE_SYMBOL(getHostCallReturnValue) "\n"
SYMBOL_STRING(getHostCallReturnValue) ":" "\n"
- "mov x0, x29" "\n"
+ "sub x0, sp, #16" "\n"
"b " LOCAL_REFERENCE(getHostCallReturnValueWithExecState) "\n"
);
@@ -2207,7 +2208,7 @@
HIDE_SYMBOL(getHostCallReturnValue) "\n"
SYMBOL_STRING(getHostCallReturnValue) ":" "\n"
LOAD_FUNCTION_TO_T9(getHostCallReturnValueWithExecState)
- "move $a0, $fp" "\n"
+ "subi $a0, $sp, 8" "\n"
"b " LOCAL_REFERENCE(getHostCallReturnValueWithExecState) "\n"
);
@@ -2220,7 +2221,8 @@
".globl " SYMBOL_STRING(getHostCallReturnValue) "\n"
HIDE_SYMBOL(getHostCallReturnValue) "\n"
SYMBOL_STRING(getHostCallReturnValue) ":" "\n"
- "mov r14, r4" "\n"
+ "mov r15, r4" "\n"
+ "add -8, r4" "\n"
"mov.l 2f, " SH4_SCRATCH_REGISTER "\n"
"braf " SH4_SCRATCH_REGISTER "\n"
"nop" "\n"
@@ -2232,7 +2234,8 @@
extern "C" {
__declspec(naked) EncodedJSValue HOST_CALL_RETURN_VALUE_OPTION getHostCallReturnValue()
{
- __asm mov [esp + 4], ebp;
+ __asm lea eax, [esp - 4]
+ __asm mov [esp + 4], eax;
__asm jmp getHostCallReturnValueWithExecState
}
}
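Review bot: The added `__asm lea eax, [esp - 4]` omits the trailing semicolon that the `__asm mov [esp + 4], eax;` line beneath it carries; MSVC accepts both spellings, but the two statements in this naked function should follow one convention. The computed value matches what the x86-32 GNU hunk passes, so only the formatting needs attention here.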