Title: [114959] trunk
- Revision: 114959
- Author: oli...@apple.com
- Date: 2012-04-23 16:07:45 -0700 (Mon, 23 Apr 2012)
Log Message
Call instruction for the baseline JIT stores origin info in wrong callframe
https://bugs.webkit.org/show_bug.cgi?id=84645
Reviewed by Gavin Barraclough.
Source/_javascript_Core:
The baseline JIT was updating the wrong callframe when making a call. If the
call failed during dispatch (unable to perform codegen, calling a non-object)
we would attempt to use this information, but it would be completely wrong.
* jit/JITCall.cpp:
(JSC::JIT::compileOpCall):
* jit/JITCall32_64.cpp:
(JSC::JIT::compileOpCall):
LayoutTests:
Directly force LLInt, Baseline, and DFG JITs to handle the path where
a call fails during dispatch.
* fast/js/script-tests/stack-trace.js:
(callNonCallable):
Modified Paths
Diff
Modified: trunk/LayoutTests/ChangeLog (114958 => 114959)
--- trunk/LayoutTests/ChangeLog 2012-04-23 22:52:13 UTC (rev 114958)
+++ trunk/LayoutTests/ChangeLog 2012-04-23 23:07:45 UTC (rev 114959)
@@ -1,3 +1,16 @@
+2012-04-23 Oliver Hunt <oli...@apple.com>
+
+ Call instruction for the baseline JIT stores origin info in wrong callframe
+ https://bugs.webkit.org/show_bug.cgi?id=84645
+
+ Reviewed by Gavin Barraclough.
+
+ Directly force LLInt, Baseline, and DFG JITs to handle the path where
+ a call fails during dispatch.
+
+ * fast/js/script-tests/stack-trace.js:
+ (callNonCallable):
+
2012-04-23 Victor Carbune <vcarb...@adobe.com>
Simplify volume slider rendering
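Review bot: the entry says the test will "directly force" LLInt, Baseline and DFG to take the failed-dispatch path, but nothing in the added test forces a tier; the only mechanism visible in the stack-trace.js hunk is a loop of 100 calls, which relies on tier-up thresholds that can change independently of this test. Either describe the mechanism here ("call a non-callable repeatedly so the call site is tiered up through each JIT") or note that the iteration count is what drives tiering, so a later threshold change does not silently turn this into an LLInt-only test.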
Modified: trunk/LayoutTests/fast/js/script-tests/stack-trace.js (114958 => 114959)
--- trunk/LayoutTests/fast/js/script-tests/stack-trace.js 2012-04-23 22:52:13 UTC (rev 114958)
+++ trunk/LayoutTests/fast/js/script-tests/stack-trace.js 2012-04-23 23:07:45 UTC (rev 114959)
@@ -211,4 +211,17 @@
printStack(e.stack);
}
+var someValue = null;
+
+function callNonCallable() {
+ someValue();
+}
+
+for (var i = 0; i < 100; i++) {
+ try {
+ callNonCallable();
+ } catch (e) {
+ }
+}
+
successfullyParsed = true;
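Review bot: the added loop swallows the exception in an empty `catch (e) {}` and asserts nothing, so the test only detects a crash or assertion failure, not the wrong origin information the fix is about. The file already has a `printStack(e.stack)` helper in the context just above the hunk; calling it from the catch block (or at least on the last iteration) would put the corrected call origin into the expected output, where a regression to the old behaviour would be visible. A one-line comment explaining why 100 iterations were chosen (to tier the call site up through the baseline JIT and DFG) would also help, since the bare constant gives no hint that it is load-bearing.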
Modified: trunk/Source/_javascript_Core/ChangeLog (114958 => 114959)
--- trunk/Source/_javascript_Core/ChangeLog 2012-04-23 22:52:13 UTC (rev 114958)
+++ trunk/Source/_javascript_Core/ChangeLog 2012-04-23 23:07:45 UTC (rev 114959)
@@ -1,3 +1,19 @@
+2012-04-23 Oliver Hunt <oli...@apple.com>
+
+ Call instruction for the baseline JIT stores origin info in wrong callframe
+ https://bugs.webkit.org/show_bug.cgi?id=84645
+
+ Reviewed by Gavin Barraclough.
+
+ The baseline JIT was updating the wrong callframe when making a call. If the
+ call failed during dispatch (unable to perform codegen, calling a non-object)
+ we would attempt to use this information, but it would be completely wrong.
+
+ * jit/JITCall.cpp:
+ (JSC::JIT::compileOpCall):
+ * jit/JITCall32_64.cpp:
+ (JSC::JIT::compileOpCall):
+
2012-04-23 Filip Pizlo <fpi...@apple.com>
DFG must keep alive values that it will perform speculations on
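Review bot: the entry says the stale value "would be completely wrong" but does not say what consumes the ArgumentCount tag slot, so a reader of this ChangeLog cannot tell why the caller's frame is the correct destination. One sentence naming the consumer (the failed-dispatch path that reconstructs the call origin for the exception and stack trace, per the title) would make the fix self-explanatory and discourage someone from "fixing" it back to the new frame later.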
Modified: trunk/Source/_javascript_Core/jit/JITCall.cpp (114958 => 114959)
--- trunk/Source/_javascript_Core/jit/JITCall.cpp 2012-04-23 22:52:13 UTC (rev 114958)
+++ trunk/Source/_javascript_Core/jit/JITCall.cpp 2012-04-23 23:07:45 UTC (rev 114959)
@@ -164,7 +164,7 @@
store32(TrustedImm32(argCount), Address(regT1, RegisterFile::ArgumentCount * static_cast<int>(sizeof(Register)) + OBJECT_OFFSETOF(EncodedValueDescriptor, asBits.payload)));
} // regT1 holds newCallFrame with ArgumentCount initialized.
- store32(TrustedImm32(instruction - m_codeBlock->instructions().begin()), Address(regT1, RegisterFile::ArgumentCount * static_cast<int>(sizeof(Register)) + OBJECT_OFFSETOF(EncodedValueDescriptor, asBits.tag)));
+ store32(TrustedImm32(instruction - m_codeBlock->instructions().begin()), Address(callFrameRegister, RegisterFile::ArgumentCount * static_cast<int>(sizeof(Register)) + OBJECT_OFFSETOF(EncodedValueDescriptor, asBits.tag)));
emitGetVirtualRegister(callee, regT0); // regT0 holds callee.
storePtr(callFrameRegister, Address(regT1, RegisterFile::CallerFrame * static_cast<int>(sizeof(Register))));
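Review bot: the changed line stores the bytecode offset into `callFrameRegister` immediately after a comment that says "regT1 holds newCallFrame with ArgumentCount initialized", and the changed line itself carries no comment, so the deliberate switch of target frame reads like a typo. Please add a comment on the changed line stating that the call origin is recorded in the caller's frame (the one the failed-dispatch path will inspect), not in the new frame being set up. Separately, this 64-bit path writes `instruction - m_codeBlock->instructions().begin()` as a 32-bit offset while the 32_64 path in JITCall32_64.cpp writes `TrustedImmPtr(instruction)`, a raw pointer, into the same logical slot; that asymmetry predates this patch, but a comment noting which encoding each consumer expects would keep the two ports from drifting further apart.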
Modified: trunk/Source/_javascript_Core/jit/JITCall32_64.cpp (114958 => 114959)
--- trunk/Source/_javascript_Core/jit/JITCall32_64.cpp 2012-04-23 22:52:13 UTC (rev 114958)
+++ trunk/Source/_javascript_Core/jit/JITCall32_64.cpp 2012-04-23 23:07:45 UTC (rev 114959)
@@ -246,7 +246,7 @@
store32(TrustedImm32(argCount), payloadFor(RegisterFile::ArgumentCount, regT3));
} // regT3 holds newCallFrame with ArgumentCount initialized.
- storePtr(TrustedImmPtr(instruction), tagFor(RegisterFile::ArgumentCount, regT3));
+ storePtr(TrustedImmPtr(instruction), tagFor(RegisterFile::ArgumentCount, callFrameRegister));
emitLoad(callee, regT1, regT0); // regT1, regT0 holds callee.
storePtr(callFrameRegister, Address(regT3, RegisterFile::CallerFrame * static_cast<int>(sizeof(Register))));
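Review bot: same as the 64-bit hunk, the changed line switches the destination from regT3 (the new frame, per the comment directly above it) to `callFrameRegister` without a comment explaining why, so the intent is not recoverable from the code alone; a short comment on the changed line ("record the call origin in the caller's frame for the failed-dispatch path") would fix that. Also note that this path stores the `instruction` pointer with `storePtr` into `tagFor(RegisterFile::ArgumentCount, ...)`, whereas JITCall.cpp stores a 32-bit bytecode offset; whichever code reads this slot on the failure path must already distinguish the two, and naming it in a comment here would make that contract visible.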
_______________________________________________
webkit-changes mailing list
webkit-changes@lists.webkit.org
http://lists.webkit.org/mailman/listinfo.cgi/webkit-changes