validateStackAccess should not validate if the offset is within the stack bounds
author: sbarati@apple.com <sbarati@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Mon, 26 Feb 2018 20:42:39 +0000 (20:42 +0000)
committer: sbarati@apple.com <sbarati@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Mon, 26 Feb 2018 20:42:39 +0000 (20:42 +0000)
commit: aeffcf5dcf308a702d976459f1fd4fd9c5425fcd
tree: 7c2a3da6b27932165697c4627862eb038fcec936
parent: 06b36cd061fcbf1aa175c20810315972b01a03e9
validateStackAccess should not validate if the offset is within the stack bounds
https://bugs.webkit.org/show_bug.cgi?id=183067
<rdar://problem/37749988>

Reviewed by Mark Lam.

JSTests:

* stress/dont-validate-stack-offset-in-b3-because-it-might-be-guarded-by-control-flow.js: Added.
(assert):
(test.a):
(test.b):
(test):

Source/JavaScriptCore:

The validation rule was saying that any load from the stack must be
within the stack bounds of the frame. However, it's natural for a user
of B3 to emit code that may be outside of B3's stack bounds, but guard
such a load with a branch. The FTL does exactly this with GetMyArgumentByVal.
B3 is wrong to assert that this is a static property about all stack loads.

* b3/B3Validate.cpp:

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@229036 268f45cc-cd09-0410-ab3c-d52691b4dbfc
JSTests/ChangeLog
JSTests/stress/dont-validate-stack-offset-in-b3-because-it-might-be-guarded-by-control-flow.js [new file with mode: 0644]
Source/JavaScriptCore/ChangeLog
Source/JavaScriptCore/b3/B3Validate.cpp
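The commit message above describes the pattern that the old validation rule rejected: an `arguments[index]` read whose stack offset is not statically within the frame, but which is only reached on a control-flow path where the index has been checked. The following script is an added illustration of that pattern in JavaScript; it is not the stress test this commit adds (that file's contents are not reproduced on this page) and not WebKit's own code. The function names `a`, `b` and `test` mirror the ChangeLog listing, but their bodies, the iteration count and the assumption that `b` gets inlined into `a` once the loop reaches the FTL are mine; the script checks the values the guard returns, not which JIT tier ran.

```javascript
// Added example (not the stress test added by this commit): the pattern
// the commit message describes, an arguments[index] read that may lie
// outside the frame's argument area but is guarded by control flow.
// Names a, b and test mirror the ChangeLog listing; the bodies are assumed.

function check(cond, msg) {
    if (!cond)
        throw new Error(msg || "check failed");
}

function b(index) {
    // The length check is the control-flow guard. Only the in-range path
    // performs the read that the FTL lowers GetMyArgumentByVal to, so the
    // load's offset is not within the frame on every path, only on this one.
    if (index < arguments.length)
        return arguments[index];
    return "out of range";
}

function a(i) {
    // b is a small, hot callee, so once a is compiled by the FTL it is a
    // likely inlining candidate (assumed, not verified here); b's arguments
    // then live in a's frame.
    return b(i, "x", "y");   // inside b, arguments.length === 3
}

function test(iterations) {
    // Drive the loop long enough for the JIT tiers to kick in (assumed
    // threshold) and count how often each side of the guard was taken.
    const counts = { inRange: 0, outOfRange: 0 };
    for (let i = 0; i < iterations; ++i) {
        const index = i % 5;               // 0..2 in range, 3..4 out of range
        const r = a(index);
        if (index < 3) {
            check(r === [0, "x", "y"][index], "wrong argument value at " + index);
            counts.inRange++;
        } else {
            check(r === "out of range", "guard did not reject index " + index);
            counts.outOfRange++;
        }
    }
    return counts;
}

if (typeof require !== "undefined" && require.main === module)
    console.log(test(100000));
```

Run it with a JavaScriptCore shell (`jsc`) built with B3 validation enabled to exercise the validator on the FTL's `GetMyArgumentByVal` lowering; under any other engine it only demonstrates the guarded-access shape and the expected results.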