Title: [225295] branches/safari-604-branch
Revision
225295
Author
jmarc...@apple.com
Date
2017-11-29 13:53:28 -0800 (Wed, 29 Nov 2017)

Log Message

Cherry-pick r224539. rdar://problem/35698788

Modified Paths

Added Paths

Diff

Modified: branches/safari-604-branch/JSTests/ChangeLog (225294 => 225295)


--- branches/safari-604-branch/JSTests/ChangeLog	2017-11-29 21:47:37 UTC (rev 225294)
+++ branches/safari-604-branch/JSTests/ChangeLog	2017-11-29 21:53:28 UTC (rev 225295)
@@ -1,3 +1,17 @@
+2017-11-28  Jason Marcell  <jmarc...@apple.com>
+
+        Cherry-pick r224539. rdar://problem/35698788
+
+    2017-11-07  Mark Lam  <mark....@apple.com>
+
+            AccessCase::generateImpl() should exclude the result register when restoring registers after a call.
+            https://bugs.webkit.org/show_bug.cgi?id=179355
+            <rdar://problem/35263053>
+
+            Reviewed by Saam Barati.
+
+            * stress/regress-179355.js: Added.
+
 2017-11-22  Jason Marcell  <jmarc...@apple.com>
 
         Cherry-pick r224366. rdar://problem/35329723

Added: branches/safari-604-branch/JSTests/stress/regress-179355.js (0 => 225295)


--- branches/safari-604-branch/JSTests/stress/regress-179355.js	                        (rev 0)
+++ branches/safari-604-branch/JSTests/stress/regress-179355.js	2017-11-29 21:53:28 UTC (rev 225295)
@@ -0,0 +1,25 @@
+var arr0 = [1,2,3,4];
+var arr1 = new Array(1000);
+
+Array.prototype.__defineGetter__(1, function() {
+    [].concat(arr1); //generate to invalid JIT code here?
+});
+
+Array.prototype.__defineGetter__(Symbol.isConcatSpreadable, (function() {
+    for(var i=0;i<10000;i++) {
+        if(i==0)
+            arr1[i];
+        this.x = 1.1;
+        arr1.legnth = 1;
+    }
+}));
+
+var exception;
+try {
+    arr1[1].toString();
+} catch (e) {
+    exception = e;
+}
+
+if (exception != "RangeError: Maximum call stack size exceeded.")
+    throw "FAILED";
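Review bot: The new test carries no comment tying it to the bug it reproduces, so a reader cannot tell which of its oddities are deliberate; a header such as `// Regression test for https://bugs.webkit.org/show_bug.cgi?id=179355: a register restored after the call in AccessCase::generateImpl must not overwrite the stashed butterfly.` would make the intent clear. In particular `arr1.legnth = 1;` inside the isConcatSpreadable getter looks like a typo for `length` and only creates a plain property, and the `//generate to invalid JIT code here?` comment on the `[].concat(arr1)` line is a question rather than an explanation; if the misspelling is part of the reduced reproduction, a short comment saying so would stop someone from "fixing" it and losing the repro. The final check `if (exception != "RangeError: Maximum call stack size exceeded.")` relies on loose equality and the error's toString; if the exact message is what the test wants to pin, that is fine, otherwise `exception instanceof RangeError` states the expectation more directly.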

Modified: branches/safari-604-branch/Source/_javascript_Core/ChangeLog (225294 => 225295)


--- branches/safari-604-branch/Source/_javascript_Core/ChangeLog	2017-11-29 21:47:37 UTC (rev 225294)
+++ branches/safari-604-branch/Source/_javascript_Core/ChangeLog	2017-11-29 21:53:28 UTC (rev 225295)
@@ -1,3 +1,26 @@
+2017-11-28  Jason Marcell  <jmarc...@apple.com>
+
+        Cherry-pick r224539. rdar://problem/35698788
+
+    2017-11-07  Mark Lam  <mark....@apple.com>
+
+            AccessCase::generateImpl() should exclude the result register when restoring registers after a call.
+            https://bugs.webkit.org/show_bug.cgi?id=179355
+            <rdar://problem/35263053>
+
+            Reviewed by Saam Barati.
+
+            In the Transition case in AccessCase::generateImpl(), we were restoring registers
+            using restoreLiveRegistersFromStackForCall() without excluding the scratchGPR
+            where we previously stashed the reallocated butterfly.  If the generated code is
+            under heavy register pressure, scratchGPR could have been from the set of preserved
+            registers, and hence, would be restored by restoreLiveRegistersFromStackForCall().
+            As a result, the restoration would trash the butterfly result we stored there.
+            This patch fixes the issue by excluding the scratchGPR in the restoration.
+
+            * bytecode/AccessCase.cpp:
+            (JSC::AccessCase::generateImpl):
+
 2017-11-22  Jason Marcell  <jmarc...@apple.com>
 
         Cherry-pick r224426. rdar://problem/35364697

Modified: branches/safari-604-branch/Source/_javascript_Core/bytecode/AccessCase.cpp (225294 => 225295)


--- branches/safari-604-branch/Source/_javascript_Core/bytecode/AccessCase.cpp	2017-11-29 21:47:37 UTC (rev 225294)
+++ branches/safari-604-branch/Source/_javascript_Core/bytecode/AccessCase.cpp	2017-11-29 21:53:28 UTC (rev 225295)
@@ -937,7 +937,9 @@
                 state.emitExplicitExceptionHandler();
                 
                 noException.link(&jit);
-                state.restoreLiveRegistersFromStackForCall(spillState);
+                RegisterSet resultRegisterToExclude;
+                resultRegisterToExclude.set(scratchGPR);
+                state.restoreLiveRegistersFromStackForCall(spillState, resultRegisterToExclude);
             }
         }
         
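Review bot: The three added lines exclude scratchGPR from the restore, but nothing in the code says why, so the reasoning survives only in the ChangeLog; a comment above `RegisterSet resultRegisterToExclude;` such as `// scratchGPR holds the reallocated butterfly; keep it out of the restore so a spilled copy of it cannot overwrite the result.` would keep that invariant next to the code it protects. The name `resultRegisterToExclude` describes one register while the type is a set, so `registersToExclude` or `butterflyRegister` would read more naturally, though that is a matter of taste. The enclosing Transition branch of AccessCase::generateImpl starts and ends outside the hunk, so I cannot see where scratchGPR is written before the call; the fix presumes that store happens before the spill/restore pair and that restoreLiveRegistersFromStackForCall honours the exclusion set, which is consistent with the ChangeLog description and is exercised by the added stress/regress-179355.js.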