Changeset 103294 in webkit for trunk/Source/JavaScriptCore

Timestamp:

Dec 19, 2011, 7:16:21 PM (13 years ago)

Author:

[email protected]

Message:

​https://bugs.webkit.org/show_bug.cgi?id=74903
Exceptions not thrown correctly from DFG JIT on 32bit

Reviewed by Oliver Hunt.

Arguments for lookupExceptionHandler are not setup correctly.
In the case of ARMv7 we rely on lr being preserved over a call,
this in invalid. On x86 we don't should be poking the arguments onto the stack!

Source/JavaScriptCore:

• bytecode/CodeBlock.h:

(JSC::CodeBlock::bytecodeOffsetForCallAtIndex):

• dfg/DFGAssemblyHelpers.h:

(JSC::DFG::AssemblyHelpers::restoreReturnAddressBeforeReturn):

• dfg/DFGGPRInfo.h:
• dfg/DFGJITCompiler.cpp:

(JSC::DFG::JITCompiler::compileBody):

• dfg/DFGJITCompiler.h:

(JSC::DFG::JITCompiler::addExceptionCheck):
(JSC::DFG::JITCompiler::addFastExceptionCheck):

• dfg/DFGOperations.cpp:
• dfg/DFGOperations.h:

LayoutTests:

• fast/js/dfg-exception-expected.txt: Added.
• fast/js/dfg-exception.html: Added.
• fast/js/script-tests/dfg-exception.js: Added.

(doesntDFGCompile):
(test):

Location:

trunk/Source/JavaScriptCore

Files:

• ChangeLog (modified) (1 diff)
• bytecode/CodeBlock.h (modified) (1 diff)
• dfg/DFGAssemblyHelpers.h (modified) (2 diffs)
• dfg/DFGGPRInfo.h (modified) (3 diffs)
• dfg/DFGJITCompiler.cpp (modified) (1 diff)
• dfg/DFGJITCompiler.h (modified) (2 diffs)
• dfg/DFGOperations.cpp (modified) (1 diff)
• dfg/DFGOperations.h (modified) (1 diff)

trunk/Source/JavaScriptCore/ChangeLog

@@ +1 @@
+2011-12-19  Gavin Barraclough  <[email protected]>
+
+        https://bugs.webkit.org/show_bug.cgi?id=74903
+        Exceptions not thrown correctly from DFG JIT on 32bit
+
+        Reviewed by Oliver Hunt.
+
+        Arguments for lookupExceptionHandler are not setup correctly.
+        In the case of ARMv7 we rely on lr being preserved over a call,
+        this in invalid. On x86 we don't should be poking the arguments onto the stack!
+
+        * bytecode/CodeBlock.h:
+        (JSC::CodeBlock::bytecodeOffsetForCallAtIndex):
+        * dfg/DFGAssemblyHelpers.h:
+        (JSC::DFG::AssemblyHelpers::restoreReturnAddressBeforeReturn):
+        * dfg/DFGGPRInfo.h:
+        * dfg/DFGJITCompiler.cpp:
+        (JSC::DFG::JITCompiler::compileBody):
+        * dfg/DFGJITCompiler.h:
+        (JSC::DFG::JITCompiler::addExceptionCheck):
+        (JSC::DFG::JITCompiler::addFastExceptionCheck):
+        * dfg/DFGOperations.cpp:
+        * dfg/DFGOperations.h:
+
 2011-12-19  Filip Pizlo  <[email protected]>
 

trunk/Source/JavaScriptCore/bytecode/CodeBlock.h

@@ -371 +371 @@
         }
 
+        unsigned bytecodeOffsetForCallAtIndex(unsigned index)
+        {
+            if (!m_rareData)
+                return 1;
+            Vector<CallReturnOffsetToBytecodeOffset>& callIndices = m_rareData->m_callReturnIndexVector;
+            if (!callIndices.size())
+                return 1;
+            ASSERT(index < m_rareData->m_callReturnIndexVector.size());
+            return m_rareData->m_callReturnIndexVector[index].bytecodeOffset;
+        }
+
         void unlinkCalls();
         

trunk/Source/JavaScriptCore/dfg/DFGAssemblyHelpers.h

@@ -76 +76 @@
         push(address);
     }
-
-    void getPCAfterCall(GPRReg gpr)
-    {
-          peek(gpr, -1);
-    }
 #endif // CPU(X86_64) || CPU(X86)
 
@@ -97 +92 @@
     {
         loadPtr(address, linkRegister);
-    }
-
-    ALWAYS_INLINE void getPCAfterCall(GPRReg gpr)
-    {
-        move(ARMRegisters::lr, gpr);
     }
 #endif

trunk/Source/JavaScriptCore/dfg/DFGGPRInfo.h

@@ -274 +274 @@
     static const GPRReg returnValueGPR = X86Registers::eax; // regT0
     static const GPRReg returnValueGPR2 = X86Registers::edx; // regT1
+    static const GPRReg nonPreservedNonReturnGPR = X86Registers::ecx;
 
     static GPRReg toRegister(unsigned index)
@@ -344 +345 @@
     static const GPRReg returnValueGPR = X86Registers::eax; // regT0
     static const GPRReg returnValueGPR2 = X86Registers::edx; // regT1
+    static const GPRReg nonPreservedNonReturnGPR = X86Registers::esi;
 
     static GPRReg toRegister(unsigned index)
@@ -416 +418 @@
     static const GPRReg returnValueGPR = ARMRegisters::r0; // regT0
     static const GPRReg returnValueGPR2 = ARMRegisters::r1; // regT1
+    static const GPRReg nonPreservedNonReturnGPR = ARMRegisters::r2;
 
     static GPRReg toRegister(unsigned index)

trunk/Source/JavaScriptCore/dfg/DFGJITCompiler.cpp

@@ -96 +96 @@
     if (didLinkExceptionCheck) {
         // lookupExceptionHandler is passed two arguments, exec (the CallFrame*), and
-        // an identifier for the operation that threw the exception, which we can use
-        // to look up handler information. The identifier we use is the return address
-        // of the call out from JIT code that threw the exception; this is still
-        // available on the stack, just below the stack pointer!
+        // the index into the CodeBlock's callReturnIndexVector corresponding to the
+        // call that threw the exception (this was set in nonPreservedNonReturnGPR, when
+        // the exception check was planted).
+        move(GPRInfo::nonPreservedNonReturnGPR, GPRInfo::argumentGPR1);
         move(GPRInfo::callFrameRegister, GPRInfo::argumentGPR0);
-        getPCAfterCall(GPRInfo::argumentGPR1);
+#if CPU(X86)
+        // FIXME: should use the call abstraction, but this is currently in the SpeculativeJIT layer!
+        poke(GPRInfo::argumentGPR0);
+        poke(GPRInfo::argumentGPR1, 1);
+#endif
         m_calls.append(CallLinkRecord(call(), lookupExceptionHandler));
         // lookupExceptionHandler leaves the handler CallFrame* in the returnValueGPR,

trunk/Source/JavaScriptCore/dfg/DFGJITCompiler.h

@@ -179 +179 @@
     Call addExceptionCheck(Call functionCall, CodeOrigin codeOrigin)
     {
+        move(TrustedImm32(m_exceptionChecks.size()), GPRInfo::nonPreservedNonReturnGPR);
 #if USE(JSVALUE64)
         Jump exceptionCheck = branchTestPtr(NonZero, AbsoluteAddress(&globalData()->exception));
@@ -191 +192 @@
     Call addFastExceptionCheck(Call functionCall, CodeOrigin codeOrigin)
     {
+        move(TrustedImm32(m_exceptionChecks.size()), GPRInfo::nonPreservedNonReturnGPR);
         Jump exceptionCheck = branchTestPtr(Zero, GPRInfo::returnValueGPR);
         m_exceptionChecks.append(CallExceptionRecord(functionCall, exceptionCheck, codeOrigin));

trunk/Source/JavaScriptCore/dfg/DFGOperations.cpp

@@ -794 +794 @@
 }
 
-DFGHandlerEncoded DFG_OPERATION lookupExceptionHandler(ExecState* exec, ReturnAddressPtr faultLocation)
+DFGHandlerEncoded DFG_OPERATION lookupExceptionHandler(ExecState* exec, uint32_t callIndex)
 {
     JSValue exceptionValue = exec->exception();
     ASSERT(exceptionValue);
 
-    unsigned vPCIndex = exec->codeBlock()->bytecodeOffset(faultLocation);
+    unsigned vPCIndex = exec->codeBlock()->bytecodeOffsetForCallAtIndex(callIndex);
     HandlerInfo* handler = exec->globalData().interpreter->throwException(exec, exceptionValue, vPCIndex);
 

trunk/Source/JavaScriptCore/dfg/DFGOperations.h

@@ -181 +181 @@
 }
 #endif
-DFGHandlerEncoded DFG_OPERATION lookupExceptionHandler(ExecState*, ReturnAddressPtr faultLocation);
+DFGHandlerEncoded DFG_OPERATION lookupExceptionHandler(ExecState*, uint32_t);
 
 // These operations implement the implicitly called ToInt32, ToNumber, and ToBoolean conversions from ES5.