JavaScript functions should restore the stack pointer after a call
author: basile_clement@apple.com <basile_clement@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
        Fri, 4 Sep 2015 00:25:19 +0000 (00:25 +0000)
committer: basile_clement@apple.com <basile_clement@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
        Fri, 4 Sep 2015 00:25:19 +0000 (00:25 +0000)
commit: 4d11094bbeee1a7955611a97cd5be4d993dc7729
tree: f3b837fd0dc1b41747302397334dfdd18e248624
parent: 3316db78d4625f76fe6114dbf5e3a55c4bcb45eb
JavaScript functions should restore the stack pointer after a call
https://bugs.webkit.org/show_bug.cgi?id=148659

Reviewed by Michael Saboff.

This patch makes it so that the various places where we are making a
JS-to-JS call restore the stack pointer afterwards. This allows us to
no longer rely on the stack pointer still being valid after a call, and
is a prerequisite for getting rid of the arity fixup return thunk.

* dfg/DFGSpeculativeJIT32_64.cpp:
(JSC::DFG::SpeculativeJIT::emitCall):
* dfg/DFGSpeculativeJIT64.cpp:
(JSC::DFG::SpeculativeJIT::emitCall):
* ftl/FTLCompile.cpp:
(JSC::FTL::mmAllocateDataSection):
* ftl/FTLInlineCacheSize.cpp:
(JSC::FTL::sizeOfCall):
* ftl/FTLJSCall.cpp:
(JSC::FTL::JSCall::emit):
* ftl/FTLJSCall.h:
* ftl/FTLStackMaps.h:
(JSC::FTL::StackMaps::stackSizeForLocals):
* jit/Repatch.cpp:
(JSC::generateByIdStub):
* tests/stress/tail-call-in-inline-cache.js: Added.
(tail):
(obj.get x):

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@189325 268f45cc-cd09-0410-ab3c-d52691b4dbfc
Source/JavaScriptCore/ChangeLog
Source/JavaScriptCore/dfg/DFGSpeculativeJIT32_64.cpp
Source/JavaScriptCore/dfg/DFGSpeculativeJIT64.cpp
Source/JavaScriptCore/ftl/FTLCompile.cpp
Source/JavaScriptCore/ftl/FTLInlineCacheSize.cpp
Source/JavaScriptCore/ftl/FTLJSCall.cpp
Source/JavaScriptCore/ftl/FTLJSCall.h
Source/JavaScriptCore/ftl/FTLStackMaps.h
Source/JavaScriptCore/jit/Repatch.cpp
Source/JavaScriptCore/tests/stress/tail-call-in-inline-cache.js [new file with mode: 0644]
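The contents of tests/stress/tail-call-in-inline-cache.js are not shown on this page. The following is an added example, not the WebKit test file, that reconstructs the scenario the commit message describes: a JS-to-JS call made from a getter (the kind of call a property inline cache ends up emitting) whose callee returns via a tail call, run hot enough that a tiering JIT would compile the access. The function names `tail` and `runGetterStress`, the iteration count, and the expected value 210 are all assumptions of this example.

```javascript
"use strict";
// Added example (not WebKit's test file): exercises a getter that performs a
// JS-to-JS tail call, the situation in which a caller must not assume the
// stack pointer is still where it left it once the callee returns.

function tail(n, acc) {
  // Strict-mode return of a call is a proper tail call in JavaScriptCore;
  // other engines run it as an ordinary call, which is fine for this test.
  if (n === 0) return acc;
  return tail(n - 1, acc + n);
}

const obj = {
  get x() {
    // The getter's own return is a tail call. In an engine with proper tail
    // calls the callee reuses this frame, so the code that invoked the getter
    // has to re-establish its stack pointer rather than rely on it being intact.
    return tail(20, 0);
  }
};

// Reads obj.x repeatedly so a JIT would install an inline cache for the getter,
// checking every result. tail(20, 0) sums 1..20, so each read must yield 210.
function runGetterStress(iterations) {
  let sum = 0;
  for (let i = 0; i < iterations; i++) {
    const v = obj.x;
    if (v !== 210) {
      throw new Error("getter returned " + v + " at iteration " + i);
    }
    sum += v;
  }
  return sum;
}

if (typeof require !== "undefined" && require.main === module) {
  console.log("ok, total =", runGetterStress(10000));
}
```

Under a JIT that left the stack pointer stale after the getter call, the loop would either crash or read garbage on a later iteration; the per-iteration check is what turns that into a failing stress test rather than a silent miscompile.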