- Revision
- 183076
- Author
- fpi...@apple.com
- Date
- 2015-04-21 13:55:45 -0700 (Tue, 21 Apr 2015)
Log Message
DFG Call/ConstructForwardVarargs fails to restore the stack pointer
https://bugs.webkit.org/show_bug.cgi?id=144007
Reviewed by Mark Lam.
We were conditioning the stack pointer restoration on isVarargs, but we also need to do it
if isForwardVarargs.
* dfg/DFGSpeculativeJIT32_64.cpp:
(JSC::DFG::SpeculativeJIT::emitCall):
* dfg/DFGSpeculativeJIT64.cpp:
(JSC::DFG::SpeculativeJIT::emitCall):
* tests/stress/varargs-then-slow-call.js: Added.
(foo):
(bar):
(fuzz):
(baz):
Modified: trunk/Source/_javascript_Core/ChangeLog (183075 => 183076)
--- trunk/Source/_javascript_Core/ChangeLog 2015-04-21 20:37:58 UTC (rev 183075)
+++ trunk/Source/_javascript_Core/ChangeLog 2015-04-21 20:55:45 UTC (rev 183076)
@@ -1,3 +1,23 @@
+2015-04-21 Filip Pizlo <fpi...@apple.com>
+
+ DFG Call/ConstructForwardVarargs fails to restore the stack pointer
+ https://bugs.webkit.org/show_bug.cgi?id=144007
+
+ Reviewed by Mark Lam.
+
+ We were conditioning the stack pointer restoration on isVarargs, but we also need to do it
+ if isForwardVarargs.
+
+ * dfg/DFGSpeculativeJIT32_64.cpp:
+ (JSC::DFG::SpeculativeJIT::emitCall):
+ * dfg/DFGSpeculativeJIT64.cpp:
+ (JSC::DFG::SpeculativeJIT::emitCall):
+ * tests/stress/varargs-then-slow-call.js: Added.
+ (foo):
+ (bar):
+ (fuzz):
+ (baz):
+
2015-04-21 Basile Clement <basile_clem...@apple.com>
Remove AllocationProfileWatchpoint node
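--- a/trunk/Source/_javascript_Core/dfg/DFGSpeculativeJIT32_64.cpp
+++ b/trunk/Source/_javascript_Core/dfg/DFGSpeculativeJIT32_64.cpp
@@ -835,7 +835,7 @@
 m_jit.addJSCall(fastCall, slowCall, targetToCheck, info);
 // If we were varargs, then after the calls are done, we need to reestablish our stack pointer.
-if (isVarargs)
+if (isVarargs || isForwardVarargs)
 m_jit.addPtr(TrustedImm32(m_jit.graph().stackPointerOffset() * sizeof(Register)), GPRInfo::callFrameRegister, JITCompiler::stackPointerRegister);
 }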
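Review bot: The comment directly above the changed condition still reads "If we were varargs", which no longer matches `if (isVarargs || isForwardVarargs)`; the identical hunk in DFGSpeculativeJIT64.cpp has the same stale comment. Suggest `// If we were varargs or forward-varargs, then after the calls are done, we need to reestablish our stack pointer.` so a later reader does not narrow the condition back. Given the ChangeLog's statement that the forward-varargs path previously skipped this restore, a stack pointer left at the varargs-adjusted position after the call would presumably have had subsequent frame accesses running at wrong offsets, which is a memory-safety matter worth recording in a short why-comment on the addPtr line. The two files now carry the same condition for the same restore sequence; if isVarargs and isForwardVarargs are derived the same way in both (not visible in this hunk), a shared helper would keep them from drifting apart again. emitCall begins outside the hunk.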
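--- a/trunk/Source/_javascript_Core/dfg/DFGSpeculativeJIT64.cpp
+++ b/trunk/Source/_javascript_Core/dfg/DFGSpeculativeJIT64.cpp
@@ -799,7 +799,7 @@
 m_jit.addJSCall(fastCall, slowCall, targetToCheck, callLinkInfo);
 // If we were varargs, then after the calls are done, we need to reestablish our stack pointer.
-if (isVarargs)
+if (isVarargs || isForwardVarargs)
 m_jit.addPtr(TrustedImm32(m_jit.graph().stackPointerOffset() * sizeof(Register)), GPRInfo::callFrameRegister, JITCompiler::stackPointerRegister);
 }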
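--- a/trunk/Source/_javascript_Core/tests/stress/varargs-then-slow-call.js
+++ b/trunk/Source/_javascript_Core/tests/stress/varargs-then-slow-call.js
@@ -0,0 +1,40 @@
+function foo(a, b) {
+ return a + b;
+}
+noInline(foo);
+
+function bar() {
+ return foo.apply(this, arguments);
+}
+
+function fuzz(a, b, c, d, e, f) {
+ return a + b + c + d + e + f;
+}
+noInline(fuzz);
+
+function baz(array) {
+ var a = array[0];
+ var b = array[1];
+ var c = array[2];
+ var d = array[3];
+ var e = array[4];
+ var f = array[5];
+ var g = array[6];
+ var h = array[7];
+ var i = array[8];
+ var j = array[9];
+
+ var x = bar(a, b);
+ var y = fuzz(a, b, c, d, e, f);
+
+ return a + b + c + d + e + f + g + h + i + j + x + y;
+}
+
+noInline(baz);
+
+for (var i = 0; i < 10000; ++i) {
+ var result = baz([0, 1, 2, 3, 4, 5, 6, 7, 8, 9]);
+ if (result != 61)
+ throw "Error: bad result: " + result;
+}
+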
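Review bot: The new test file has no comment saying what it exercises, and the expected value 61 is a bare constant in the loop at the bottom; a header such as `// Regression test for https://bugs.webkit.org/show_bug.cgi?id=144007: a varargs call (bar's foo.apply over arguments) followed by a slow call (fuzz) must run with the stack pointer restored. Expected: sum 0..9 = 45, plus x = 0+1 and y = 0+1+2+3+4+5, gives 61.` would make both the intent and the arithmetic checkable at a glance. bar is the only function here not marked noInline; if that is deliberate so that its apply-over-arguments call is inlined into baz and compiled as a forward-varargs call, a one-line comment saying so would stop a future cleanup from adding `noInline(bar)` and silently neutering the test. `result != 61` could be `result !== 61` for strict comparison, although with a numeric result the difference is cosmetic here.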