Context Navigation

← Previous Changeset
Next Changeset →

Changeset 191175 in webkit

Timestamp:

Oct 16, 2015 7:43:02 AM (9 years ago)

Author:

msaboff@apple.com

Message:

REGRESSION (r190289): Repro crash clicking back button on netflix.com
https://bugs.webkit.org/show_bug.cgi?id=150220

Reviewed by Geoffrey Garen.

Source/JavaScriptCore:

Since constructors check for a valid new "this" object and return it, we can't make
a tail call to another function from within a constructor.

Re-enabled the tail calls and the related tail call tests.

Did some other miscellaneous clean up in the tail call code as part of the debugging.

bytecompiler/BytecodeGenerator.cpp:

(JSC::BytecodeGenerator::BytecodeGenerator):

ftl/FTLLowerDFGToLLVM.cpp:

(JSC::FTL::DFG::LowerDFGToLLVM::callPreflight):

interpreter/Interpreter.h:

(JSC::calleeFrameForVarargs):

runtime/Options.h:
tests/es6.yaml:
tests/stress/dfg-tail-calls.js:

(nonInlinedTailCall.callee):

tests/stress/mutual-tail-call-no-stack-overflow.js:

(shouldThrow):

tests/stress/tail-call-in-inline-cache.js:

(tail):

tests/stress/tail-call-no-stack-overflow.js:

(shouldThrow):

tests/stress/tail-call-recognize.js:

(callerMustBeRun):

tests/stress/tail-call-varargs-no-stack-overflow.js:

(shouldThrow):

LayoutTests:

Added a new regression test. Changed the expected output of caller-property
to correspond with tail calls enabled.

js/caller-property-expected.txt:
js/regress-150220-expected.tx: Added.
js/regress-150220.html: Added.
js/script-tests/regress-150220.js: Added.

(Obj):
(SubObj):

Location:

trunk

Files:

: 2 added
: 14 edited

LayoutTests/ChangeLog (modified) (1 diff)
LayoutTests/js/caller-property-expected.txt (modified) (2 diffs)
LayoutTests/js/regress-150220.html (added)
LayoutTests/js/script-tests/regress-150220.js (added)
Source/JavaScriptCore/ChangeLog (modified) (1 diff)
Source/JavaScriptCore/bytecompiler/BytecodeGenerator.cpp (modified) (1 diff)
Source/JavaScriptCore/ftl/FTLLowerDFGToLLVM.cpp (modified) (1 diff)
Source/JavaScriptCore/interpreter/Interpreter.h (modified) (2 diffs)
Source/JavaScriptCore/runtime/Options.h (modified) (1 diff)
Source/JavaScriptCore/tests/es6.yaml (modified) (1 diff)
Source/JavaScriptCore/tests/stress/dfg-tail-calls.js (modified) (1 diff)
Source/JavaScriptCore/tests/stress/mutual-tail-call-no-stack-overflow.js (modified) (1 diff)
Source/JavaScriptCore/tests/stress/tail-call-in-inline-cache.js (modified) (1 diff)
Source/JavaScriptCore/tests/stress/tail-call-no-stack-overflow.js (modified) (1 diff)
Source/JavaScriptCore/tests/stress/tail-call-recognize.js (modified) (1 diff)
Source/JavaScriptCore/tests/stress/tail-call-varargs-no-stack-overflow.js (modified) (1 diff)

Legend:

: Unmodified
: Added
: Removed

trunk/LayoutTests/ChangeLog

-                      r191173
+                      r191175
+-10-15  Michael Saboff  <msaboff@apple.com>
+        REGRESSION (r190289): Repro crash clicking back button on netflix.com
+        https://bugs.webkit.org/show_bug.cgi?id=150220
+        Reviewed by Geoffrey Garen.
+        Added a new regression test.  Changed the expected output of caller-property
+        to correspond with tail calls enabled.
+        * js/caller-property-expected.txt:
+        * js/regress-150220-expected.tx: Added.
+        * js/regress-150220.html: Added.
+        * js/script-tests/regress-150220.js: Added.
+        (Obj):
+        (SubObj):
 -10-16  Hunseop Jeong  <hs85.jeong@samsung.com>

trunk/LayoutTests/js/caller-property-expected.txt

-                      r190695
+                      r191175
 PASS strictCaller(nonStrictCallee) threw exception TypeError: Function.caller used to retrieve strict caller.
 PASS strictCaller(strictCallee) threw exception TypeError: Type error.
+FAIL strictTailCaller(nonStrictCallee) should be null. Threw exception TypeError: Function.caller used to retrieve strict caller
+PASS strictTailCaller(nonStrictCallee) is null
 PASS strictTailCaller(strictCallee) threw exception TypeError: Type error.
 PASS nonStrictCaller(boundNonStrictCallee) is nonStrictCaller
 …
 PASS strictCaller(boundNonStrictCallee) threw exception TypeError: Function.caller used to retrieve strict caller.
 PASS strictCaller(boundStrictCallee) threw exception TypeError: Type error.
+FAIL strictTailCaller(boundNonStrictCallee) should be null. Threw exception TypeError: Function.caller used to retrieve strict caller
+PASS strictTailCaller(boundNonStrictCallee) is null
 PASS strictTailCaller(boundStrictCallee) threw exception TypeError: Type error.
 PASS nonStrictGetter(nonStrictAccessor) is nonStrictGetter

trunk/Source/JavaScriptCore/ChangeLog

-                      r191165
+                      r191175
+-10-15  Michael Saboff  <msaboff@apple.com>
+        REGRESSION (r190289): Repro crash clicking back button on netflix.com
+        https://bugs.webkit.org/show_bug.cgi?id=150220
+        Reviewed by Geoffrey Garen.
+        Since constructors check for a valid new "this" object and return it, we can't make
+        a tail call to another function from within a constructor.
+        Re-enabled the tail calls and the related tail call tests.
+        Did some other miscellaneous clean up in the tail call code as part of the debugging.
+        * bytecompiler/BytecodeGenerator.cpp:
+        (JSC::BytecodeGenerator::BytecodeGenerator):
+        * ftl/FTLLowerDFGToLLVM.cpp:
+        (JSC::FTL::DFG::LowerDFGToLLVM::callPreflight):
+        * interpreter/Interpreter.h:
+        (JSC::calleeFrameForVarargs):
+        * runtime/Options.h:
+        * tests/es6.yaml:
+        * tests/stress/dfg-tail-calls.js:
+        (nonInlinedTailCall.callee):
+        * tests/stress/mutual-tail-call-no-stack-overflow.js:
+        (shouldThrow):
+        * tests/stress/tail-call-in-inline-cache.js:
+        (tail):
+        * tests/stress/tail-call-no-stack-overflow.js:
+        (shouldThrow):
+        * tests/stress/tail-call-recognize.js:
+        (callerMustBeRun):
+        * tests/stress/tail-call-varargs-no-stack-overflow.js:
+        (shouldThrow):
 -10-15  Joseph Pecoraro  <pecoraro@apple.com>

trunk/Source/JavaScriptCore/bytecompiler/BytecodeGenerator.cpp

r191058	r191175
199	199	// compatible with tail calls (we have no way of emitting op_did_call).
200	200	// https://bugs.webkit.org/show_bug.cgi?id=148819
201		, m_inTailPosition(Options::useTailCalls() && constructorKind() == ConstructorKind::None && isStrictMode() && !m_shouldEmitProfileHooks)
	201	, m_inTailPosition(Options::useTailCalls() && !isConstructor() && constructorKind() == ConstructorKind::None && isStrictMode() && !m_shouldEmitProfileHooks)
202	202	{
203	203	for (auto& constantRegister : m_linkTimeConstantRegisters)

trunk/Source/JavaScriptCore/ftl/FTLLowerDFGToLLVM.cpp

r191058	r191175
8617	8617	\|\| m_node->op() == TailCallVarargsInlinedCaller
8618	8618	\|\| m_node->op() == TailCallForwardVarargsInlinedCaller)
8619		codeOrigin =*codeOrigin.inlineCallFrame->getCallerSkippingDeadFrames();
	8619	codeOrigin = *codeOrigin.inlineCallFrame->getCallerSkippingDeadFrames();
8620	8620
8621	8621	callPreflight(codeOrigin);

trunk/Source/JavaScriptCore/interpreter/Interpreter.h

-                      r189920
+                      r191175
     inline CallFrame* calleeFrameForVarargs(CallFrame* callFrame, unsigned numUsedStackSlots, unsigned argumentCountIncludingThis)
+    {
-#if 1
         // We want the new frame to be allocated on a stack aligned offset with a stack
         // aligned size. Align the size here.
 …
         // Align the frame offset here.
-#endif
         unsigned paddedCalleeFrameOffset = WTF::roundUpToMultipleOf(
             stackAlignmentRegisters(),

trunk/Source/JavaScriptCore/runtime/Options.h

r191058	r191175
132	132	\
133	133	v(bool, useFunctionDotArguments, true, nullptr) \
134		v(bool, useTailCalls, ~~fals~~e, nullptr) \
	134	v(bool, useTailCalls, true, nullptr) \
135	135	\
136	136	/* dumpDisassembly implies dumpDFGDisassembly. */ \

trunk/Source/JavaScriptCore/tests/es6.yaml

-                      r191110
+                      r191175
   cmd: runES6 :fail
 - path: es6/proper_tail_calls_tail_call_optimisation_direct_recursion.js
   cmd: runES6 :fail
+  cmd: runES6 :normal
 - path: es6/proper_tail_calls_tail_call_optimisation_mutual_recursion.js
   cmd: runES6 :fail
+  cmd: runES6 :normal
 - path: es6/prototype_of_bound_functions_arrow_functions.js
   cmd: runES6 :fail

trunk/Source/JavaScriptCore/tests/stress/dfg-tail-calls.js

r190699	r191175
1		~~//@ skip~~
2	1	(function nonInlinedTailCall() {
3	2	function callee() { if (callee.caller != nonInlinedTailCall) throw new Error(); }

trunk/Source/JavaScriptCore/tests/stress/mutual-tail-call-no-stack-overflow.js

r190699	r191175
1		~~//@ skip~~
2	1	function shouldThrow(func, errorMessage) {
3	2	var errorThrown = false;

trunk/Source/JavaScriptCore/tests/stress/tail-call-in-inline-cache.js

r190699	r191175
1		~~//@ skip~~
2	1	"use strict";
3	2

trunk/Source/JavaScriptCore/tests/stress/tail-call-no-stack-overflow.js

r190699	r191175
1		~~//@ skip~~
2	1	function shouldThrow(func, errorMessage) {
3	2	var errorThrown = false;

trunk/Source/JavaScriptCore/tests/stress/tail-call-recognize.js

r190699	r191175
1		~~//@ skip~~
2	1	function callerMustBeRun() {
3	2	if (!Object.is(callerMustBeRun.caller, runTests))

trunk/Source/JavaScriptCore/tests/stress/tail-call-varargs-no-stack-overflow.js

r190699	r191175
1		~~//@ skip~~
2	1	function shouldThrow(func, errorMessage) {
3	2	var errorThrown = false;

Note: See TracChangeset for help on using the changeset viewer.

Context Navigation

Changeset 191175 in webkit

Legend:

Download in other formats: