Crash making a tail call from a getter to a host function
authormsaboff@apple.com <msaboff@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Fri, 30 Oct 2015 00:03:22 +0000 (00:03 +0000)
committermsaboff@apple.com <msaboff@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Fri, 30 Oct 2015 00:03:22 +0000 (00:03 +0000)
https://bugs.webkit.org/show_bug.cgi?id=150663

Reviewed by Geoffrey Garen.

Source/JavaScriptCore:

Change the inline assembly versions of getHostCallReturnValue() to pass the location of the callee
call frame to getHostCallReturnValueWithExecState().  We were passing the caller's frame address.

* jit/JITOperations.cpp:

LayoutTests:

New regression tests.

* js/regress-150663-expected.txt: Added.
* js/regress-150663.html: Added.
* js/script-tests/regress-150663.js: Added.
(Test):
(Test.prototype.get sum):

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@191765 268f45cc-cd09-0410-ab3c-d52691b4dbfc

LayoutTests/ChangeLog
LayoutTests/js/regress-150663-expected.txt [new file with mode: 0644]
LayoutTests/js/regress-150663.html [new file with mode: 0644]
LayoutTests/js/script-tests/regress-150663.js [new file with mode: 0644]
Source/JavaScriptCore/ChangeLog
Source/JavaScriptCore/jit/JITOperations.cpp

index c4a31cf..3a63065 100644 (file)
@@ -1,3 +1,18 @@
+2015-10-29  Michael Saboff  <msaboff@apple.com>
+
+        Crash making a tail call from a getter to a host function
+        https://bugs.webkit.org/show_bug.cgi?id=150663
+
+        Reviewed by Geoffrey Garen.
+
+        New regression tests.
+
+        * js/regress-150663-expected.txt: Added.
+        * js/regress-150663.html: Added.
+        * js/script-tests/regress-150663.js: Added.
+        (Test):
+        (Test.prototype.get sum):
+
 2015-10-29  Brady Eidson  <beidson@apple.com>
 
         Modern IDB: deleteObjectStore support.
diff --git a/LayoutTests/js/regress-150663-expected.txt b/LayoutTests/js/regress-150663-expected.txt
new file mode 100644 (file)
index 0000000..515022e
--- /dev/null
@@ -0,0 +1,10 @@
+Regression test for 150663
+
+On success, you will see a series of "PASS" messages, followed by "TEST COMPLETE".
+
+
+PASS Able to tail call a native function from a JS callee of C++ code
+PASS successfullyParsed is true
+
+TEST COMPLETE
+
diff --git a/LayoutTests/js/regress-150663.html b/LayoutTests/js/regress-150663.html
new file mode 100644 (file)
index 0000000..c52ebe4
--- /dev/null
@@ -0,0 +1,10 @@
+<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML//EN">
+<html>
+<head>
+<script src="../resources/js-test-pre.js"></script>
+</head>
+<body>
+<script src="script-tests/regress-150663.js"></script>
+<script src="../resources/js-test-post.js"></script>
+</body>
+</html>
diff --git a/LayoutTests/js/script-tests/regress-150663.js b/LayoutTests/js/script-tests/regress-150663.js
new file mode 100644 (file)
index 0000000..cbc6689
--- /dev/null
@@ -0,0 +1,28 @@
+description("Regression test for 150663");
+
+// We should be able to tail call a native function from a JS callee of C++
+
+"use strict";
+
+class Test {
+    constructor(a, b)
+    {
+        this.a = a;
+        this.b = b;
+    }
+
+    get sum()
+    {
+        return Number(this.a + this.b);
+    }
+}
+
+var testObj = new Test(40, 2);
+
+for (var i = 0; i < 100000; i++) {
+    var result = testObj.sum;
+    if (result != 42)
+        testFailed("Expected 42 from \"sum\" getter, got " + result);
+}
+
+testPassed("Able to tail call a native function from a JS callee of C++ code");
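Review bot: The `"use strict";` on the fifth line of the new script is not a directive: it comes after the `description(...)` call, so it is an ordinary expression statement and puts nothing into strict mode. The test still covers what its comment claims only because the body of `class Test` is strict-mode code by definition, so if the getter's `return Number(...)` is the tail call being exercised it is eligible regardless of that line. Either move the directive above `description(...)` so it sits in the directive prologue, or drop it and record the reliance with a comment on the class: `// Class bodies are strict, so the getter's return is eligible for a tail call.`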
index 71c291e..af6502a 100644 (file)
@@ -1,3 +1,15 @@
+2015-10-29  Michael Saboff  <msaboff@apple.com>
+
+        Crash making a tail call from a getter to a host function
+        https://bugs.webkit.org/show_bug.cgi?id=150663
+
+        Reviewed by Geoffrey Garen.
+
+        Change the inline assembly versions of getHostCallReturnValue() to pass the location of the callee
+        call frame to getHostCallReturnValueWithExecState().  We were passing the caller's frame address.
+
+        * jit/JITOperations.cpp:
+
 2015-10-29  Filip Pizlo  <fpizlo@apple.com>
 
         B3::LowerToAir::imm() should work for both 32-bit and 64-bit immediates
index 1f84d66..d873a1d 100644 (file)
@@ -2135,7 +2135,7 @@ asm (
 ".globl " SYMBOL_STRING(getHostCallReturnValue) "\n"
 HIDE_SYMBOL(getHostCallReturnValue) "\n"
 SYMBOL_STRING(getHostCallReturnValue) ":" "\n"
-    "mov %rbp, %rdi\n"
+    "lea -8(%rsp), %rdi\n"
     "jmp " LOCAL_REFERENCE(getHostCallReturnValueWithExecState) "\n"
 );
 
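Review bot: The new `lea -8(%rsp), %rdi` on the line after the label encodes a frame-layout assumption as a bare constant, with nothing to tell a reader why 8, why ARM64 below uses 16, or why the old `%rbp` was wrong for tail calls; the ChangeLog only says "callee call frame". I would add a comment above the `lea`: `// Entered after the callee's epilogue: %rsp points at the callee frame's return-PC slot, so its CallFrame (ExecState*) is one pointer-sized word below. %rbp cannot be used: after a tail call it already holds the caller's caller, which need not be a JS frame.` That wording is my reading of the offsets in this patch; adjust it if the entry state differs. Since the pointer computed here is presumably dereferenced by `getHostCallReturnValueWithExecState`, a debug-only assertion on the C++ side that the passed frame matches the VM's notion of the top call frame (if that is still the callee frame at this point) would have turned the original wild dereference into a clean assertion failure.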
@@ -2146,8 +2146,9 @@ asm (
 HIDE_SYMBOL(getHostCallReturnValue) "\n"
 SYMBOL_STRING(getHostCallReturnValue) ":" "\n"
     "push %ebp\n"
+    "mov %esp, %eax\n"
     "leal -4(%esp), %esp\n"
-    "push %ebp\n"
+    "push %eax\n"
     "call " LOCAL_REFERENCE(getHostCallReturnValueWithExecState) "\n"
     "leal 8(%esp), %esp\n"
     "pop %ebp\n"
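Review bot: The `mov %esp, %eax` added after `push %ebp` yields the callee frame's address only because the push has just moved `%esp` down one word from the return-PC slot, so unlike the x86_64 and MSVC variants there is no explicit `-4`; someone comparing the three is likely to read this as an off-by-one. I would say so in a comment on the new line: `// After the push, %esp == the callee CallFrame (return-PC slot minus one word); pass that as ExecState*.` The `push %eax` that follows then supplies the argument for the call, so nothing else in the hunk needs to change.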
@@ -2163,7 +2164,7 @@ HIDE_SYMBOL(getHostCallReturnValue) "\n"
 ".thumb" "\n"
 ".thumb_func " THUMB_FUNC_PARAM(getHostCallReturnValue) "\n"
 SYMBOL_STRING(getHostCallReturnValue) ":" "\n"
-    "mov r0, r7" "\n"
+    "sub r0, sp, #8" "\n"
     "b " LOCAL_REFERENCE(getHostCallReturnValueWithExecState) "\n"
 );
 
@@ -2174,7 +2175,7 @@ asm (
 HIDE_SYMBOL(getHostCallReturnValue) "\n"
 INLINE_ARM_FUNCTION(getHostCallReturnValue)
 SYMBOL_STRING(getHostCallReturnValue) ":" "\n"
-    "mov r0, r11" "\n"
+    "sub r0, sp, #8" "\n"
     "b " LOCAL_REFERENCE(getHostCallReturnValueWithExecState) "\n"
 );
 
@@ -2185,7 +2186,7 @@ asm (
 ".globl " SYMBOL_STRING(getHostCallReturnValue) "\n"
 HIDE_SYMBOL(getHostCallReturnValue) "\n"
 SYMBOL_STRING(getHostCallReturnValue) ":" "\n"
-     "mov x0, x29" "\n"
+     "sub x0, sp, #16" "\n"
      "b " LOCAL_REFERENCE(getHostCallReturnValueWithExecState) "\n"
 );
 
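Review bot: The `sub x0, sp, #16` on the line after the label uses 16 where every other 64-bit port in this patch uses one pointer width (8), and nothing in the hunk says why, which invites a well-meaning "harmonisation" to `#8` that would reintroduce the crash. If, as the offset suggests, the AArch64 prologue/epilogue pushes and pops a two-register frame record so that `sp` sits two words above the frame base, a comment should say exactly that: `// The AArch64 frame record is {fp, lr}: after the epilogue sp is 16 bytes past the callee CallFrame.` Please confirm that reading against the function epilogue the JIT emits for ARM64 before committing the wording.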
@@ -2207,7 +2208,7 @@ asm (
 HIDE_SYMBOL(getHostCallReturnValue) "\n"
 SYMBOL_STRING(getHostCallReturnValue) ":" "\n"
     LOAD_FUNCTION_TO_T9(getHostCallReturnValueWithExecState)
-    "move $a0, $fp" "\n"
+    "subi $a0, $sp, 8" "\n"
     "b " LOCAL_REFERENCE(getHostCallReturnValueWithExecState) "\n"
 );
 
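Review bot: `subi $a0, $sp, 8` on the changed line is not a mnemonic I would expect the GNU assembler to accept for MIPS: the architecture has no subtract-immediate, and the usual spellings are the `sub`/`subu` pseudo-ops with an immediate or, canonically, `addiu $a0, $sp, -8`. Address arithmetic should also use the non-trapping unsigned form, so I would write `addiu $a0, $sp, -8` here. I cannot see a MIPS build in this change; please verify on that target, since a rejected mnemonic breaks the whole file's build rather than just this path.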
@@ -2220,7 +2221,8 @@ asm (
 ".globl " SYMBOL_STRING(getHostCallReturnValue) "\n"
 HIDE_SYMBOL(getHostCallReturnValue) "\n"
 SYMBOL_STRING(getHostCallReturnValue) ":" "\n"
-    "mov r14, r4" "\n"
+    "mov r15, r4" "\n"
+    "add -8, r4" "\n"
     "mov.l 2f, " SH4_SCRATCH_REGISTER "\n"
     "braf " SH4_SCRATCH_REGISTER "\n"
     "nop" "\n"
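Review bot: The new `add -8, r4` on the second changed line omits the `#` that SH assembler syntax uses to mark an immediate (`add #-8, r4`), and the preceding `mov r15, r4` relies on r15 being the stack pointer without saying so; the assembler may simply reject the immediate form. I would write the two lines as `mov r15, r4` and `add #-8, r4`, with a comment `// r15 is sp; after the epilogue the callee CallFrame is 8 bytes below it.` I am not certain which forms this project's SH4 toolchain accepts, so this needs checking on an SH4 build.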
@@ -2232,7 +2234,8 @@ SYMBOL_STRING(getHostCallReturnValue) ":" "\n"
 extern "C" {
     __declspec(naked) EncodedJSValue HOST_CALL_RETURN_VALUE_OPTION getHostCallReturnValue()
     {
-        __asm mov [esp + 4], ebp;
+        __asm lea eax, [esp - 4]
+        __asm mov [esp + 4], eax;
         __asm jmp getHostCallReturnValueWithExecState
     }
 }
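Review bot: The two new `__asm` lines in `getHostCallReturnValue` are inconsistent — `lea eax, [esp - 4]` has no terminator while `mov [esp + 4], eax;` does — and, more importantly, the `mov [esp + 4], eax` writes the argument into the word above the return address, which as far as I can tell from the offsets is a slot of the callee frame being torn down; nothing says that is intentional. I would normalise the terminators and add a comment before the `lea`: `// esp points at the callee frame's return-PC slot; the CallFrame is one word below. The argument is stored at [esp+4], the abandoned callee frame's next slot, because we jmp rather than call.` The naked function also clobbers eax before the jump, which is acceptable only because eax is the return register; worth a word in the same comment.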