Timestamp:
Dec 12, 2016, 1:46:45 PM
Author:
[email protected]
Message:

REGRESSION(r209653): speedometer crashes making virtual slow path tailcalls
https://bugs.webkit.org/show_bug.cgi?id=165748

Reviewed by Filip Pizlo.

JSTests:

New regression test.

  • stress/regress-165748.js: Added.

(sum1):
(sum2):
(sum3):
(sum4):
(sum5):
(sum6):
(tailCaller):
(test):

Source/JavaScriptCore:

The virtual slow path for tailcalls always passes arguments on the stack.
The fix here is to link to the stack argument entrypoint instead of a register
argument entrypoint.

While fixing this bug, I found that we weren't clearing the code origin when
shuffling the call frame for a register argument tailcall.

Also rolling back in r209653, r209654, r209663, and r209673.

  • jit/CallFrameShuffler.cpp:

(JSC::CallFrameShuffler::prepareAny):

  • jit/ThunkGenerators.cpp:

(JSC::virtualThunkFor):

Source/WTF:

Rolling back in r209653, r209654, r209663, and r209673.

  • wtf/Platform.h:
File:
1 edited

  • trunk/Source/JavaScriptCore/interpreter/ShadowChicken.cpp

    r209696 r209725  
    298298            bool isTailDeleted = false;
    299299            JSScope* scope = nullptr;
     300            JSValue thisValue = jsUndefined();
    300301            CodeBlock* codeBlock = callFrame->codeBlock();
    301             if (codeBlock && codeBlock->wasCompiledWithDebuggingOpcodes() && codeBlock->scopeRegister().isValid()) {
    302                 scope = callFrame->scope(codeBlock->scopeRegister().offset());
    303                 RELEASE_ASSERT(scope->inherits(JSScope::info()));
     302            if (codeBlock && codeBlock->wasCompiledWithDebuggingOpcodes()) {
     303                if (codeBlock->scopeRegister().isValid()) {
     304                    scope = callFrame->scope(codeBlock->scopeRegister().offset());
     305                    RELEASE_ASSERT(scope->inherits(JSScope::info()));
     306                }
     307                thisValue = callFrame->thisValue();
    304308            } else if (foundFrame) {
    305                 scope = m_log[indexInLog].scope;
    306                 if (scope)
    307                     RELEASE_ASSERT(scope->inherits(JSScope::info()));
    308             }
    309             toPush.append(Frame(jsCast<JSObject*>(visitor->callee()), callFrame, isTailDeleted, callFrame->thisValue(), scope, codeBlock, callFrame->callSiteIndex()));
     309                if (!scope) {
     310                    scope = m_log[indexInLog].scope;
     311                    if (scope)
     312                        RELEASE_ASSERT(scope->inherits(JSScope::info()));
     313                }
     314                if (thisValue.isUndefined())
     315                    thisValue = m_log[indexInLog].thisValue;
     316            }
     317            toPush.append(Frame(jsCast<JSObject*>(visitor->callee()), callFrame, isTailDeleted, thisValue, scope, codeBlock, callFrame->callSiteIndex()));
    310318
    311319            if (indexInLog < logCursorIndex
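Review bot: The restructured branch at new lines 302-316 narrows the scope fallback. Before this change a code block compiled with debugging opcodes but with an invalid scope register failed the combined condition, fell through to `else if (foundFrame)` and took `m_log[indexInLog].scope`; now it enters the first branch, leaves `scope` as nullptr and never consults the log. If that narrowing is intended, please say so in the ChangeLog; if not, hoist the two fallbacks out of the `else if` so they run whenever the frame itself did not supply a value. As written, the `if (!scope)` and `if (thisValue.isUndefined())` guards inside the `else if (foundFrame)` branch are always true, because both variables are only assigned in the other branch, so they read as if a fallback for both paths had been intended. Related: in the non-debug, not-found case the pushed Frame now carries `jsUndefined()` as its `this` where the old code passed `callFrame->thisValue()`; a one-line comment on why the frame's `this` is trusted only under debugging opcodes would help the next reader. Finally, the ChangeLog text on this page lists only CallFrameShuffler.cpp, ThunkGenerators.cpp and Platform.h; interpreter/ShadowChicken.cpp should be listed as well, even if it comes in with the rolled-back revisions.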