Title: [216521] branches/safari-603-branch
- Revision: 216521
- Author: matthew_han...@apple.com
- Date: 2017-05-09 11:05:07 -0700 (Tue, 09 May 2017)
Log Message
Cherry-pick r215596. rdar://problem/31971150
Diff
Modified: branches/safari-603-branch/JSTests/ChangeLog (216520 => 216521)
--- branches/safari-603-branch/JSTests/ChangeLog 2017-05-09 18:05:04 UTC (rev 216520)
+++ branches/safari-603-branch/JSTests/ChangeLog 2017-05-09 18:05:07 UTC (rev 216521)
@@ -1,5 +1,19 @@
2017-05-09 Matthew Hanson <matthew_han...@apple.com>
+ Cherry-pick r215596. rdar://problem/31971150
+
+ 2017-04-20 Mark Lam <mark....@apple.com>
+
+ virtualThunkFor() needs to materialize its of tagMaskRegister for tail calls.
+ https://bugs.webkit.org/show_bug.cgi?id=171079
+ <rdar://problem/31684756>
+
+ Reviewed by Saam Barati.
+
+ * stress/regress-171079.js: Added.
+
+2017-05-09 Matthew Hanson <matthew_han...@apple.com>
+
Cherry-pick r215351. rdar://problem/31631922
2017-04-13 Mark Lam <mark....@apple.com>
Added: branches/safari-603-branch/JSTests/stress/regress-171079.js (0 => 216521)
--- branches/safari-603-branch/JSTests/stress/regress-171079.js (rev 0)
+++ branches/safari-603-branch/JSTests/stress/regress-171079.js 2017-05-09 18:05:07 UTC (rev 216521)
@@ -0,0 +1,38 @@
+function assert(actual, expected) {
+ if (actual != expected)
+ throw("FAILED: actual " + actual + ", expected " + expected);
+}
+
+Object.defineProperty(this, "t0", {
+ get: function() {
+ "use strict";
+ return t2.subarray(4, 7);
+ }
+});
+
+t2 = new Uint16Array();
+
+var exception;
+function test() {
+ exception = void 0;
+ try {
+ return t0;
+ } catch (e) {
+ exception = e;
+ }
+}
+
+for (var i = 0; i < 100; ++i) {
+ test();
+ assert(exception, void 0);
+}
+
+t2.__proto__ = {
+ subarray: 1
+};
+
+test();
+assert(exception, "TypeError: t2.subarray is not a function. (In 't2.subarray(4, 7)', 't2.subarray' is 1)");
+
+test();
+assert(exception, "TypeError: t2.subarray is not a function. (In 't2.subarray(4, 7)', 't2.subarray' is 1)");
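Review bot: assert() at the top of the new test compares with `!=`, so the caught exception object only matches the expected string through implicit coercion, and `assert(exception, void 0)` in the loop would also pass if `exception` were null. Using `!==` and passing `String(exception)` at the two TypeError checks would make the comparison explicit. The file also has no comment tying it to the fix: a line saying that the strict-mode getter's `return t2.subarray(4, 7)` is the tail call being exercised, and what the 100 iterations before the `t2.__proto__` replacement are for, would help whoever next has to triage a failure here.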
Modified: branches/safari-603-branch/Source/_javascript_Core/ChangeLog (216520 => 216521)
--- branches/safari-603-branch/Source/_javascript_Core/ChangeLog 2017-05-09 18:05:04 UTC (rev 216520)
+++ branches/safari-603-branch/Source/_javascript_Core/ChangeLog 2017-05-09 18:05:07 UTC (rev 216521)
@@ -1,5 +1,23 @@
2017-05-09 Matthew Hanson <matthew_han...@apple.com>
+ Cherry-pick r215596. rdar://problem/31971150
+
+ 2017-04-20 Mark Lam <mark....@apple.com>
+
+ virtualThunkFor() needs to materialize its of tagMaskRegister for tail calls.
+ https://bugs.webkit.org/show_bug.cgi?id=171079
+ <rdar://problem/31684756>
+
+ Reviewed by Saam Barati.
+
+ This is needed because tail calls would restore callee saved registers (and
+ therefore, potentially clobber the tag registers) before jumping to the thunk.
+
+ * jit/ThunkGenerators.cpp:
+ (JSC::virtualThunkFor):
+
+2017-05-09 Matthew Hanson <matthew_han...@apple.com>
+
Cherry-pick r215351. rdar://problem/31631922
2017-04-13 Mark Lam <mark....@apple.com>
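Review bot: the summary line "virtualThunkFor() needs to materialize its of tagMaskRegister for tail calls." is missing a word after "its" (something like "its own copy of"), and the same wording is carried into the JSTests ChangeLog entry. The explanation also speaks of "the tag registers" in the plural while the title names only tagMaskRegister; it would be worth one more sentence stating whether the thunk reads any other tag register on the tail-call path.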
Modified: branches/safari-603-branch/Source/_javascript_Core/jit/ThunkGenerators.cpp (216520 => 216521)
--- branches/safari-603-branch/Source/_javascript_Core/jit/ThunkGenerators.cpp 2017-05-09 18:05:04 UTC (rev 216520)
+++ branches/safari-603-branch/Source/_javascript_Core/jit/ThunkGenerators.cpp 2017-05-09 18:05:07 UTC (rev 216521)
@@ -183,9 +183,16 @@
// the DFG knows that the value is definitely a cell, or definitely a function.
#if USE(JSVALUE64)
+ GPRReg tagMaskRegister = GPRInfo::tagMaskRegister;
+ if (callLinkInfo.isTailCall()) {
+ // Tail calls could have clobbered the GPRInfo::tagMaskRegister because they
+ // restore callee saved registers before getthing here. So, let's materialize
+ // the TagMask in a temp register and use the temp instead.
+ tagMaskRegister = GPRInfo::regT4;
+ jit.move(CCallHelpers::TrustedImm64(TagMask), tagMaskRegister);
+ }
slowCase.append(
- jit.branchTest64(
- CCallHelpers::NonZero, GPRInfo::regT0, GPRInfo::tagMaskRegister));
+ jit.branchTest64(CCallHelpers::NonZero, GPRInfo::regT0, tagMaskRegister));
#else
slowCase.append(
jit.branch32(
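Review bot: in the `callLinkInfo.isTailCall()` branch, GPRInfo::regT4 is picked as the scratch register with nothing in the hunk saying why it is free at this point. A short note in the comment (or an assertion) that regT4 carries no value the thunk still needs on the tail-call path would guard against a later change reusing it. The added comment has a typo, "getthing" for "getting". Since the change sits entirely inside `#if USE(JSVALUE64)`, the comment or ChangeLog could also state that the `#else` path is unaffected, so a reader does not have to verify that separately.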