WebKit Bugzilla
Attachment 369434 Details for Bug 197715: AccessGenerationState::emitExplicitExceptionHandler can clobber an in use register
patch: b-backup.diff (text/plain), 5.28 KB, created by Saam Barati on 2019-05-08 15:25:48 PDT
Description: patch
Status: obsolete
>Index: JSTests/ChangeLog >=================================================================== >--- JSTests/ChangeLog (revision 245070) >+++ JSTests/ChangeLog (working copy) >@@ -1,3 +1,15 @@ >+2019-05-08 Saam barati <sbarati@apple.com> >+ >+ AccessGenerationState::emitExplicitExceptionHandler can clobber an in use register >+ https://bugs.webkit.org/show_bug.cgi?id=197715 >+ <rdar://problem/50399252> >+ >+ Reviewed by NOBODY (OOPS!). >+ >+ * stress/polymorphic-access-exception-handler-should-not-clobber-used-register.js: Added. >+ (foo): >+ (bar): >+ > 2019-05-08 Robin Morisset <rmorisset@apple.com> > > All prototypes should call didBecomePrototype() >Index: JSTests/stress/polymorphic-access-exception-handler-should-not-clobber-used-register.js >=================================================================== >--- JSTests/stress/polymorphic-access-exception-handler-should-not-clobber-used-register.js (nonexistent) >+++ JSTests/stress/polymorphic-access-exception-handler-should-not-clobber-used-register.js (working copy) >@@ -0,0 +1,22 @@ >+//@ runDefault("--useConcurrentJIT=0", "--useRandomizingFuzzerAgent=1", "--airRandomizeRegs=1", "--airRandomizeRegsSeed=3421187372", "--jitPolicyScale=0") >+ >+function foo() { >+ try { >+ foo.caller; >+ } catch (e) { >+ return Array.of(arguments).join(); >+ } >+ throw new Error(); >+} >+ >+function bar() { >+'use strict'; >+ try { >+ return foo(); >+ } finally { >+ } >+} >+ >+for (var i = 0; i < 10000; ++i) { >+ bar(); >+} >Index: Source/JavaScriptCore/ChangeLog >=================================================================== >--- Source/JavaScriptCore/ChangeLog (revision 245040) >+++ Source/JavaScriptCore/ChangeLog (working copy) 
>@@ -1,3 +1,22 @@ >+2019-05-08 Saam barati <sbarati@apple.com> >+ >+ AccessGenerationState::emitExplicitExceptionHandler can clobber an in use register >+ https://bugs.webkit.org/show_bug.cgi?id=197715 >+ <rdar://problem/50399252> >+ >+ Reviewed by NOBODY (OOPS!). >+ >+ AccessGenerationState::emitExplicitExceptionHandler was always clobbering >+ x86's r9 without considering if that register was needed to be preserved >+ by the IC. This leads to bad things when the DFG/FTL need that register when >+ OSR exitting after an exception from a GetById call. >+ >+ * b3/air/AirCode.cpp: >+ (JSC::B3::Air::Code::Code): >+ * bytecode/PolymorphicAccess.cpp: >+ (JSC::AccessGenerationState::emitExplicitExceptionHandler): >+ * runtime/Options.h: >+ > 2019-05-07 Yusuke Suzuki <ysuzuki@apple.com> > > TemplateObject passed to template literal tags are not always identical for the same source location. >Index: Source/JavaScriptCore/b3/air/AirCode.cpp >=================================================================== >--- Source/JavaScriptCore/b3/air/AirCode.cpp (revision 245040) >+++ Source/JavaScriptCore/b3/air/AirCode.cpp (working copy) 
>@@ -79,8 +79,9 @@ Code::Code(Procedure& proc) > calleeSaveRegs.append(reg); > }); > if (Options::airRandomizeRegs()) { >- shuffleVector(volatileRegs, [&] (unsigned limit) { return m_weakRandom.getUint32(limit); }); >- shuffleVector(calleeSaveRegs, [&] (unsigned limit) { return m_weakRandom.getUint32(limit); }); >+ WeakRandom random(Options::airRandomizeRegsSeed() ? Options::airRandomizeRegsSeed() : m_weakRandom.getUint32()); >+ shuffleVector(volatileRegs, [&] (unsigned limit) { return random.getUint32(limit); }); >+ shuffleVector(calleeSaveRegs, [&] (unsigned limit) { return random.getUint32(limit); }); > } > Vector<Reg> result; > result.appendVector(volatileRegs); >Index: Source/JavaScriptCore/bytecode/PolymorphicAccess.cpp >=================================================================== >--- Source/JavaScriptCore/bytecode/PolymorphicAccess.cpp (revision 245040) >+++ Source/JavaScriptCore/bytecode/PolymorphicAccess.cpp (working copy) >@@ -179,7 +179,11 @@ CallSiteIndex AccessGenerationState::ori > void AccessGenerationState::emitExplicitExceptionHandler() > { > restoreScratch(); >- jit->copyCalleeSavesToEntryFrameCalleeSavesBuffer(m_vm.topEntryFrame); >+ jit->pushToSave(GPRInfo::regT0); >+ jit->loadPtr(&m_vm.topEntryFrame, GPRInfo::regT0); >+ jit->copyCalleeSavesToEntryFrameCalleeSavesBuffer(GPRInfo::regT0); >+ jit->popToRestore(GPRInfo::regT0); >+ > if (needsToRestoreRegistersIfException()) { > // To the JIT that produces the original exception handling > // call site, they will expect the OSR exit to be arrived >Index: Source/JavaScriptCore/runtime/Options.h >=================================================================== >--- Source/JavaScriptCore/runtime/Options.h (revision 245040) >+++ Source/JavaScriptCore/runtime/Options.h (working copy) 
>@@ -445,6 +445,7 @@ constexpr bool enableWebAssemblyStreamin > v(bool, airForceBriggsAllocator, false, Normal, nullptr) \ > v(bool, airForceIRCAllocator, false, Normal, nullptr) \ > v(bool, airRandomizeRegs, false, Normal, nullptr) \ >+ v(unsigned, airRandomizeRegsSeed, 0, Normal, nullptr) \ > v(bool, coalesceSpillSlots, true, Normal, nullptr) \ > v(bool, logAirRegisterPressure, false, Normal, nullptr) \ > v(bool, useB3TailDup, true, Normal, nullptr) \
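Review bot: the `//@ runDefault(...)` line of the new stress test pins `--airRandomizeRegsSeed=3421187372` together with `--airRandomizeRegs=1`, so the test only reproduces the clobber while that seed still yields the register assignment that placed a live value in r9; because `airRandomizeRegsSeed` is introduced by this same patch, any later change to the shuffle order would silently turn this into a test that passes without exercising the bug. Suggest a short comment above `function foo()` recording what the seed is for, and possibly a second variant without the seed. Minor: the `'use strict';` directive inside `bar` is not indented with the rest of the function body.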
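Review bot: in the Source/JavaScriptCore/ChangeLog description paragraph, "OSR exitting" should read "OSR exiting", and "without considering if that register was needed to be preserved by the IC" reads more naturally as "without considering whether the IC needed that register preserved". The `Reviewed by NOBODY (OOPS!)` placeholder still needs filling in before landing.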
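Review bot: in the AirCode.cpp hunk, `WeakRandom random(Options::airRandomizeRegsSeed() ? Options::airRandomizeRegsSeed() : m_weakRandom.getUint32());` treats a seed of 0 as "unset", so 0 can never be requested explicitly, and when the seed is drawn from `m_weakRandom` it is never reported anywhere, which means a failure found by a randomized run cannot be replayed with `--airRandomizeRegsSeed`. Suggest logging the effective seed (at least under an existing verbose/logging option) so the new option actually helps reproduction, and documenting that 0 means "pick one".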
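Review bot: the PolymorphicAccess.cpp change (`pushToSave(GPRInfo::regT0)`, `loadPtr(&m_vm.topEntryFrame, GPRInfo::regT0)`, `copyCalleeSavesToEntryFrameCalleeSavesBuffer(GPRInfo::regT0)`, `popToRestore(GPRInfo::regT0)`) only removes the clobber if the `GPRReg`-taking overload of `copyCalleeSavesToEntryFrameCalleeSavesBuffer` uses no scratch register beyond the one passed in; the `EntryFrame*`-taking overload it replaces is what clobbered r9 on x86, so that property is the entire fix. Please add a one-line comment above the `pushToSave` stating that regT0 may be live for the IC and is therefore saved around the copy, so a future reader does not "simplify" this back to the old call.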
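Review bot: `v(unsigned, airRandomizeRegsSeed, 0, Normal, nullptr)` in Options.h ships with a `nullptr` description even though 0 is given special meaning in AirCode.cpp (fall back to a random seed); a description string such as "seed for --airRandomizeRegs; 0 means choose randomly" would make the semantics discoverable from the option listing instead of only from the source.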