Changeset 200879 in webkit

Timestamp:

May 13, 2016, 1:16:29 PM (8 years ago)

Author:

mark.lam@apple.com

Message:

We should have one calleeSaveRegistersBuffer per VMEntryFrame, not one per VM.
​https://bugs.webkit.org/show_bug.cgi?id=157537
<rdar://problem/24794845>

Reviewed by Michael Saboff.

Source/JavaScriptCore:

The pre-existing code behaves this way:

1. When JS code throws an exception, it saves callee save registers in the VM calleeSaveRegistersBuffer. These values are meant to be restored to the callee save registers later either at the catch handler or at the uncaught exception handler.

2. If the Inspector is enable, the VM will invoke inspector C++ code to inspect the exception. That C++ code can change the values of the callee save registers.

The inspector code in turn re-enters the VM to execute JS inspector code.

The JS inspector code can run hot enough that we do an enterOptimizationCheck
on it. The enterOptimizationCheck first saves all callee save registers
into the VM calleeSaveRegistersBuffer.

This effectively overwrites the values in the VM calleeSaveRegistersBuffer
from (1).

3. Eventually, execution returns to the catch handler or the uncaught exception handler which restores the overwritten values in the VM calleeSaveRegistersBuffer to the callee save registers.

When execution returns to the C++ code that entered the VM before (1), the
values in the callee registers are not what that code expects, and badness
and/or crashes ensues.

This patch applies the following fix:

1. Allocate space in the VMEntryFrame for the calleeSaveRegistersBuffer. This ensures that each VM entry session has its own buffer to use, and will not corrupt the one from the previous VM entry session.

Delete the VM calleeSaveRegistersBuffer.

2. Change all locations that uses the VM calleeSaveRegistersBuffer to use the calleeSaveRegistersBuffer in the current VMEntryFrame.

3. Renamed all uses of the term "VMCalleeSavesBuffer" to "VMEntryFrameCalleeSavesBuffer".

This fix has been tested on the following configurations:

1. JSC and layout tests on a debug ASan build for 64-bit x86_64.
2. JSC tests on a release ASan build for 32-bit x86.
3. JSC tests on a release normal (non-ASan) build for ARM64.
4. JSC tests on a release normal (non-ASan) build for ARMv7 and ARMv7s.
5. JSC tests on a release ASan CLOOP build for x86_64.

These test runs did not produce any new crashes. The ASan CLOOP has some
pre-existing crashes which are not due to this patch.

This bug can be tested by running the inspector/debugger/regress-133182.html test
on an ASan build.

• bytecode/PolymorphicAccess.cpp:

(JSC::AccessGenerationState::emitExplicitExceptionHandler):

• dfg/DFGJITCompiler.cpp:

(JSC::DFG::JITCompiler::compileExceptionHandlers):

• dfg/DFGOSREntry.cpp:

(JSC::DFG::prepareOSREntry):

• dfg/DFGOSRExitCompiler.cpp:
• dfg/DFGOSRExitCompiler32_64.cpp:

(JSC::DFG::OSRExitCompiler::compileExit):

• dfg/DFGOSRExitCompiler64.cpp:

(JSC::DFG::OSRExitCompiler::compileExit):

• dfg/DFGThunks.cpp:

(JSC::DFG::osrEntryThunkGenerator):

• ftl/FTLCompile.cpp:

(JSC::FTL::compile):

• ftl/FTLLowerDFGToB3.cpp:

(JSC::FTL::DFG::LowerDFGToB3::lower):

• ftl/FTLOSRExitCompiler.cpp:

(JSC::FTL::compileStub):

• interpreter/Interpreter.cpp:

(JSC::UnwindFunctor::operator()):
(JSC::UnwindFunctor::copyCalleeSavesToVMEntryFrameCalleeSavesBuffer):
(JSC::UnwindFunctor::copyCalleeSavesToVMCalleeSavesBuffer): Deleted.

• interpreter/Interpreter.h:

(JSC::NativeCallFrameTracer::NativeCallFrameTracer):

• interpreter/VMEntryRecord.h:

(JSC::VMEntryRecord::calleeSaveRegistersBufferOffset):
(JSC::VMEntryRecord::prevTopCallFrame):
(JSC::VMEntryRecord::unsafePrevTopCallFrame):
(JSC::VMEntryFrame::vmEntryRecordOffset):
(JSC::VMEntryFrame::calleeSaveRegistersBufferOffset):

• jit/AssemblyHelpers.cpp:

(JSC::AssemblyHelpers::emitRandomThunk):
(JSC::AssemblyHelpers::restoreCalleeSavesFromVMEntryFrameCalleeSavesBuffer):
(JSC::AssemblyHelpers::restoreCalleeSavesFromVMCalleeSavesBuffer): Deleted.

• jit/AssemblyHelpers.h:

(JSC::AssemblyHelpers::emitRestoreSavedTagRegisters):
(JSC::AssemblyHelpers::copyCalleeSavesToVMEntryFrameCalleeSavesBuffer):
(JSC::AssemblyHelpers::copyCalleeSavesFromFrameOrRegisterToVMEntryFrameCalleeSavesBuffer):
(JSC::AssemblyHelpers::copyCalleeSavesToVMCalleeSavesBuffer): Deleted.
(JSC::AssemblyHelpers::copyCalleeSavesFromFrameOrRegisterToVMCalleeSavesBuffer): Deleted.

• jit/JIT.cpp:

(JSC::JIT::emitEnterOptimizationCheck):
(JSC::JIT::privateCompileExceptionHandlers):

• jit/JITOpcodes.cpp:

(JSC::JIT::emit_op_throw):
(JSC::JIT::emit_op_catch):
(JSC::JIT::emitSlow_op_loop_hint):

• jit/JITOpcodes32_64.cpp:

(JSC::JIT::emit_op_throw):
(JSC::JIT::emit_op_catch):

• jit/ThunkGenerators.cpp:

(JSC::throwExceptionFromCallSlowPathGenerator):
(JSC::nativeForGenerator):

• llint/LLIntThunks.cpp:

(JSC::vmEntryRecord):

• llint/LowLevelInterpreter.asm:
• llint/LowLevelInterpreter32_64.asm:
• llint/LowLevelInterpreter64.asm:
• runtime/VM.h:

(JSC::VM::getCTIStub):
(JSC::VM::calleeSaveRegistersBufferOffset): Deleted.

• wasm/WASMFunctionCompiler.h:

(JSC::WASMFunctionCompiler::endFunction):

LayoutTests:

• inspector/debugger/regress-133182-expected.txt:
• Rebased test results to update line numbers.
• platform/mac/TestExpectations:
• Unskip the test.

Location:

trunk

Files:

• LayoutTests/ChangeLog (modified) (1 diff)
• LayoutTests/inspector/debugger/regress-133182-expected.txt (modified) (1 diff)
• LayoutTests/platform/mac/TestExpectations (modified) (1 diff)
• Source/JavaScriptCore/ChangeLog (modified) (1 diff)
• Source/JavaScriptCore/bytecode/PolymorphicAccess.cpp (modified) (1 diff)
• Source/JavaScriptCore/dfg/DFGJITCompiler.cpp (modified) (2 diffs)
• Source/JavaScriptCore/dfg/DFGOSREntry.cpp (modified) (2 diffs)
• Source/JavaScriptCore/dfg/DFGOSRExitCompiler.cpp (modified) (1 diff)
• Source/JavaScriptCore/dfg/DFGOSRExitCompiler32_64.cpp (modified) (1 diff)
• Source/JavaScriptCore/dfg/DFGOSRExitCompiler64.cpp (modified) (1 diff)
• Source/JavaScriptCore/dfg/DFGThunks.cpp (modified) (1 diff)
• Source/JavaScriptCore/ftl/FTLCompile.cpp (modified) (1 diff)
• Source/JavaScriptCore/ftl/FTLLowerDFGToB3.cpp (modified) (1 diff)
• Source/JavaScriptCore/ftl/FTLOSRExitCompiler.cpp (modified) (2 diffs)
• Source/JavaScriptCore/interpreter/Interpreter.cpp (modified) (3 diffs)
• Source/JavaScriptCore/interpreter/Interpreter.h (modified) (1 diff)
• Source/JavaScriptCore/interpreter/VMEntryRecord.h (modified) (4 diffs)
• Source/JavaScriptCore/jit/AssemblyHelpers.cpp (modified) (1 diff)
• Source/JavaScriptCore/jit/AssemblyHelpers.h (modified) (3 diffs)
• Source/JavaScriptCore/jit/JIT.cpp (modified) (3 diffs)
• Source/JavaScriptCore/jit/JITOpcodes.cpp (modified) (3 diffs)
• Source/JavaScriptCore/jit/JITOpcodes32_64.cpp (modified) (2 diffs)
• Source/JavaScriptCore/jit/ThunkGenerators.cpp (modified) (2 diffs)
• Source/JavaScriptCore/llint/LLIntThunks.cpp (modified) (1 diff)
• Source/JavaScriptCore/llint/LowLevelInterpreter.asm (modified) (2 diffs)
• Source/JavaScriptCore/llint/LowLevelInterpreter32_64.asm (modified) (3 diffs)
• Source/JavaScriptCore/llint/LowLevelInterpreter64.asm (modified) (3 diffs)
• Source/JavaScriptCore/runtime/VM.h (modified) (2 diffs)
• Source/JavaScriptCore/wasm/WASMFunctionCompiler.h (modified) (1 diff)

trunk/LayoutTests/ChangeLog

@@ +1 @@
+2016-05-13  Mark Lam  <mark.lam@apple.com>
+
+        We should have one calleeSaveRegistersBuffer per VMEntryFrame, not one per VM.
+        https://bugs.webkit.org/show_bug.cgi?id=157537
+        <rdar://problem/24794845>
+
+        Reviewed by Michael Saboff.
+
+        * inspector/debugger/regress-133182-expected.txt:
+        - Rebased test results to update line numbers.
+        * platform/mac/TestExpectations:
+        - Unskip the test.
+
 2016-05-13  Doug Russell  <d_russell@apple.com>
 

trunk/LayoutTests/inspector/debugger/regress-133182-expected.txt

@@ -1 @@
-CONSOLE MESSAGE: line 47: [1] Testing statement '({}).a.b.c.d;'
-CONSOLE MESSAGE: line 48: [1] Paused and about to step
-CONSOLE MESSAGE: line 60: [1] Resumed
-CONSOLE MESSAGE: line 52: [1] Paused after stepping
-CONSOLE MESSAGE: line 60: [1] Resumed
+CONSOLE MESSAGE: line 56: [1] Testing statement '({}).a.b.c.d;'
+CONSOLE MESSAGE: line 57: [1] Paused and about to step
+CONSOLE MESSAGE: line 69: [1] Resumed
+CONSOLE MESSAGE: line 61: [1] Paused after stepping
+CONSOLE MESSAGE: line 69: [1] Resumed
 CONSOLE MESSAGE: line 1: TypeError: undefined is not an object (evaluating '({}).a.b')
-CONSOLE MESSAGE: line 47: [2] Testing statement 'exceptionBasic();'
-CONSOLE MESSAGE: line 48: [2] Paused and about to step
-CONSOLE MESSAGE: line 60: [2] Resumed
-CONSOLE MESSAGE: line 52: [2] Paused after stepping
-CONSOLE MESSAGE: line 60: [2] Resumed
+CONSOLE MESSAGE: line 56: [2] Testing statement 'exceptionBasic();'
+CONSOLE MESSAGE: line 57: [2] Paused and about to step
+CONSOLE MESSAGE: line 69: [2] Resumed
+CONSOLE MESSAGE: line 61: [2] Paused after stepping
+CONSOLE MESSAGE: line 69: [2] Resumed
 CONSOLE MESSAGE: line 3: TypeError: undefined is not an object (evaluating '({}).a.b')
-CONSOLE MESSAGE: line 47: [3] Testing statement 'exceptionDOM();'
-CONSOLE MESSAGE: line 48: [3] Paused and about to step
-CONSOLE MESSAGE: line 60: [3] Resumed
-CONSOLE MESSAGE: line 52: [3] Paused after stepping
-CONSOLE MESSAGE: line 60: [3] Resumed
+CONSOLE MESSAGE: line 56: [3] Testing statement 'exceptionDOM();'
+CONSOLE MESSAGE: line 57: [3] Paused and about to step
+CONSOLE MESSAGE: line 69: [3] Resumed
+CONSOLE MESSAGE: line 61: [3] Paused after stepping
+CONSOLE MESSAGE: line 69: [3] Resumed
 CONSOLE MESSAGE: line 8: NotFoundError: DOM Exception 8: An attempt was made to reference a Node in a context where it does not exist.
-CONSOLE MESSAGE: line 47: [4] Testing statement 'exceptionInHostFunction();'
-CONSOLE MESSAGE: line 48: [4] Paused and about to step
-CONSOLE MESSAGE: line 60: [4] Resumed
-CONSOLE MESSAGE: line 52: [4] Paused after stepping
-CONSOLE MESSAGE: line 60: [4] Resumed
+CONSOLE MESSAGE: line 56: [4] Testing statement 'exceptionInHostFunction();'
+CONSOLE MESSAGE: line 57: [4] Paused and about to step
+CONSOLE MESSAGE: line 69: [4] Resumed
+CONSOLE MESSAGE: line 61: [4] Paused after stepping
+CONSOLE MESSAGE: line 69: [4] Resumed
 CONSOLE MESSAGE: line 24: exception in host function
-CONSOLE MESSAGE: line 47: [5] Testing statement 'throwString();'
-CONSOLE MESSAGE: line 48: [5] Paused and about to step
-CONSOLE MESSAGE: line 60: [5] Resumed
-CONSOLE MESSAGE: line 52: [5] Paused after stepping
-CONSOLE MESSAGE: line 60: [5] Resumed
+CONSOLE MESSAGE: line 56: [5] Testing statement 'throwString();'
+CONSOLE MESSAGE: line 57: [5] Paused and about to step
+CONSOLE MESSAGE: line 69: [5] Resumed
+CONSOLE MESSAGE: line 61: [5] Paused after stepping
+CONSOLE MESSAGE: line 69: [5] Resumed
 CONSOLE MESSAGE: line 13: exception string
-CONSOLE MESSAGE: line 47: [6] Testing statement 'throwParam({x:1});'
-CONSOLE MESSAGE: line 48: [6] Paused and about to step
-CONSOLE MESSAGE: line 60: [6] Resumed
-CONSOLE MESSAGE: line 52: [6] Paused after stepping
-CONSOLE MESSAGE: line 60: [6] Resumed
+CONSOLE MESSAGE: line 56: [6] Testing statement 'throwParam({x:1});'
+CONSOLE MESSAGE: line 57: [6] Paused and about to step
+CONSOLE MESSAGE: line 69: [6] Resumed
+CONSOLE MESSAGE: line 61: [6] Paused after stepping
+CONSOLE MESSAGE: line 69: [6] Resumed
 CONSOLE MESSAGE: line 18: [object Object]
-CONSOLE MESSAGE: line 47: [7] Testing statement 'throwParam(new Error('error message'));'
-CONSOLE MESSAGE: line 48: [7] Paused and about to step
-CONSOLE MESSAGE: line 60: [7] Resumed
-CONSOLE MESSAGE: line 52: [7] Paused after stepping
-CONSOLE MESSAGE: line 60: [7] Resumed
+CONSOLE MESSAGE: line 56: [7] Testing statement 'throwParam(new Error('error message'));'
+CONSOLE MESSAGE: line 57: [7] Paused and about to step
+CONSOLE MESSAGE: line 69: [7] Resumed
+CONSOLE MESSAGE: line 61: [7] Paused after stepping
+CONSOLE MESSAGE: line 69: [7] Resumed
 CONSOLE MESSAGE: line 18: Error: error message
 Regression test for https://bugs.webkit.org/show_bug.cgi?id=133182

trunk/LayoutTests/platform/mac/TestExpectations

@@ -732 +732 @@
 inspector/debugger/nested-inspectors.html
 inspector/debugger/pause-reason.html
-inspector/debugger/regress-133182.html
 
 webkit.org/b/124311 compositing/regions/transform-transparent-positioned-video-inside-region.html [ ImageOnlyFailure ]

trunk/Source/JavaScriptCore/ChangeLog

@@ +1 @@
+2016-05-13  Mark Lam  <mark.lam@apple.com>
+
+        We should have one calleeSaveRegistersBuffer per VMEntryFrame, not one per VM.
+        https://bugs.webkit.org/show_bug.cgi?id=157537
+        <rdar://problem/24794845>
+
+        Reviewed by Michael Saboff.
+
+        The pre-existing code behaves this way:
+
+        1. When JS code throws an exception, it saves callee save registers in
+           the VM calleeSaveRegistersBuffer.  These values are meant to be restored
+           to the callee save registers later either at the catch handler or at the
+           uncaught exception handler.
+
+        2. If the Inspector is enable, the VM will invoke inspector C++ code to inspect
+           the exception.  That C++ code can change the values of the callee save
+           registers.
+
+           The inspector code in turn re-enters the VM to execute JS inspector code.
+
+           The JS inspector code can run hot enough that we do an enterOptimizationCheck
+           on it.  The enterOptimizationCheck first saves all callee save registers
+           into the VM calleeSaveRegistersBuffer.
+
+           This effectively overwrites the values in the VM calleeSaveRegistersBuffer
+           from (1).
+
+        3. Eventually, execution returns to the catch handler or the uncaught exception
+           handler which restores the overwritten values in the VM
+           calleeSaveRegistersBuffer to the callee save registers.
+
+           When execution returns to the C++ code that entered the VM before (1), the
+           values in the callee registers are not what that code expects, and badness
+           and/or crashes ensues.
+
+        This patch applies the following fix:
+        
+        1. Allocate space in the VMEntryFrame for the calleeSaveRegistersBuffer.
+           This ensures that each VM entry session has its own buffer to use, and will
+           not corrupt the one from the previous VM entry session.
+
+           Delete the VM calleeSaveRegistersBuffer.
+
+        2. Change all locations that uses the VM calleeSaveRegistersBuffer to use the
+           calleeSaveRegistersBuffer in the current VMEntryFrame.
+
+        3. Renamed all uses of the term "VMCalleeSavesBuffer" to
+           "VMEntryFrameCalleeSavesBuffer".
+
+        This fix has been tested on the following configurations:
+        1. JSC and layout tests on a debug ASan build for 64-bit x86_64.
+        2. JSC tests on a release ASan build for 32-bit x86.
+        3. JSC tests on a release normal (non-ASan) build for ARM64.
+        4. JSC tests on a release normal (non-ASan) build for ARMv7 and ARMv7s.
+        5. JSC tests on a release ASan CLOOP build for x86_64.
+
+        These test runs did not produce any new crashes.  The ASan CLOOP has some
+        pre-existing crashes which are not due to this patch.
+
+        This bug can be tested by running the inspector/debugger/regress-133182.html test
+        on an ASan build.
+
+        * bytecode/PolymorphicAccess.cpp:
+        (JSC::AccessGenerationState::emitExplicitExceptionHandler):
+        * dfg/DFGJITCompiler.cpp:
+        (JSC::DFG::JITCompiler::compileExceptionHandlers):
+        * dfg/DFGOSREntry.cpp:
+        (JSC::DFG::prepareOSREntry):
+        * dfg/DFGOSRExitCompiler.cpp:
+        * dfg/DFGOSRExitCompiler32_64.cpp:
+        (JSC::DFG::OSRExitCompiler::compileExit):
+        * dfg/DFGOSRExitCompiler64.cpp:
+        (JSC::DFG::OSRExitCompiler::compileExit):
+        * dfg/DFGThunks.cpp:
+        (JSC::DFG::osrEntryThunkGenerator):
+        * ftl/FTLCompile.cpp:
+        (JSC::FTL::compile):
+        * ftl/FTLLowerDFGToB3.cpp:
+        (JSC::FTL::DFG::LowerDFGToB3::lower):
+        * ftl/FTLOSRExitCompiler.cpp:
+        (JSC::FTL::compileStub):
+        * interpreter/Interpreter.cpp:
+        (JSC::UnwindFunctor::operator()):
+        (JSC::UnwindFunctor::copyCalleeSavesToVMEntryFrameCalleeSavesBuffer):
+        (JSC::UnwindFunctor::copyCalleeSavesToVMCalleeSavesBuffer): Deleted.
+        * interpreter/Interpreter.h:
+        (JSC::NativeCallFrameTracer::NativeCallFrameTracer):
+        * interpreter/VMEntryRecord.h:
+        (JSC::VMEntryRecord::calleeSaveRegistersBufferOffset):
+        (JSC::VMEntryRecord::prevTopCallFrame):
+        (JSC::VMEntryRecord::unsafePrevTopCallFrame):
+        (JSC::VMEntryFrame::vmEntryRecordOffset):
+        (JSC::VMEntryFrame::calleeSaveRegistersBufferOffset):
+        * jit/AssemblyHelpers.cpp:
+        (JSC::AssemblyHelpers::emitRandomThunk):
+        (JSC::AssemblyHelpers::restoreCalleeSavesFromVMEntryFrameCalleeSavesBuffer):
+        (JSC::AssemblyHelpers::restoreCalleeSavesFromVMCalleeSavesBuffer): Deleted.
+        * jit/AssemblyHelpers.h:
+        (JSC::AssemblyHelpers::emitRestoreSavedTagRegisters):
+        (JSC::AssemblyHelpers::copyCalleeSavesToVMEntryFrameCalleeSavesBuffer):
+        (JSC::AssemblyHelpers::copyCalleeSavesFromFrameOrRegisterToVMEntryFrameCalleeSavesBuffer):
+        (JSC::AssemblyHelpers::copyCalleeSavesToVMCalleeSavesBuffer): Deleted.
+        (JSC::AssemblyHelpers::copyCalleeSavesFromFrameOrRegisterToVMCalleeSavesBuffer): Deleted.
+        * jit/JIT.cpp:
+        (JSC::JIT::emitEnterOptimizationCheck):
+        (JSC::JIT::privateCompileExceptionHandlers):
+        * jit/JITOpcodes.cpp:
+        (JSC::JIT::emit_op_throw):
+        (JSC::JIT::emit_op_catch):
+        (JSC::JIT::emitSlow_op_loop_hint):
+        * jit/JITOpcodes32_64.cpp:
+        (JSC::JIT::emit_op_throw):
+        (JSC::JIT::emit_op_catch):
+        * jit/ThunkGenerators.cpp:
+        (JSC::throwExceptionFromCallSlowPathGenerator):
+        (JSC::nativeForGenerator):
+        * llint/LLIntThunks.cpp:
+        (JSC::vmEntryRecord):
+        * llint/LowLevelInterpreter.asm:
+        * llint/LowLevelInterpreter32_64.asm:
+        * llint/LowLevelInterpreter64.asm:
+        * runtime/VM.h:
+        (JSC::VM::getCTIStub):
+        (JSC::VM::calleeSaveRegistersBufferOffset): Deleted.
+        * wasm/WASMFunctionCompiler.h:
+        (JSC::WASMFunctionCompiler::endFunction):
+
 2016-05-13  Beth Dakin  <bdakin@apple.com>
 

trunk/Source/JavaScriptCore/bytecode/PolymorphicAccess.cpp

@@ -173 +173 @@
 {
     restoreScratch();
-    jit->copyCalleeSavesToVMCalleeSavesBuffer();
+    jit->copyCalleeSavesToVMEntryFrameCalleeSavesBuffer();
     if (needsToRestoreRegistersIfException()) {
         // To the JIT that produces the original exception handling

trunk/Source/JavaScriptCore/dfg/DFGJITCompiler.cpp

@@ -140 +140 @@
         m_exceptionChecksWithCallFrameRollback.link(this);
 
-        copyCalleeSavesToVMCalleeSavesBuffer();
+        copyCalleeSavesToVMEntryFrameCalleeSavesBuffer();
 
         // lookupExceptionHandlerFromCallerFrame is passed two arguments, the VM and the exec (the CallFrame*).
@@ -160 +160 @@
         m_exceptionChecks.link(this);
 
-        copyCalleeSavesToVMCalleeSavesBuffer();
+        copyCalleeSavesToVMEntryFrameCalleeSavesBuffer();
 
         // lookupExceptionHandler is passed two arguments, the VM and the exec (the CallFrame*).

trunk/Source/JavaScriptCore/dfg/DFGOSREntry.cpp

@@ -1 +1 @@
 /*
- * Copyright (C) 2011, 2013, 2014, 2015 Apple Inc. All rights reserved.
+ * Copyright (C) 2011, 2013-2016 Apple Inc. All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
@@ -317 +317 @@
 
     unsigned registerCount = registerSaveLocations->size();
+    VMEntryRecord* record = vmEntryRecord(vm->topVMEntryFrame);
     for (unsigned i = 0; i < registerCount; i++) {
         RegisterAtOffset currentEntry = registerSaveLocations->at(i);
         if (dontSaveRegisters.get(currentEntry.reg()))
             continue;
-        RegisterAtOffset* vmCalleeSavesEntry = allCalleeSaves->find(currentEntry.reg());
-        
-        *(bitwise_cast<intptr_t*>(pivot - 1) - currentEntry.offsetAsIndex()) = vm->calleeSaveRegistersBuffer[vmCalleeSavesEntry->offsetAsIndex()];
+        RegisterAtOffset* calleeSavesEntry = allCalleeSaves->find(currentEntry.reg());
+        
+        *(bitwise_cast<intptr_t*>(pivot - 1) - currentEntry.offsetAsIndex()) = record->calleeSaveRegistersBuffer[calleeSavesEntry->offsetAsIndex()];
     }
 #endif

trunk/Source/JavaScriptCore/dfg/DFGOSRExitCompiler.cpp

@@ -152 +152 @@
             // We are acting as a defacto op_catch because we arrive here from genericUnwind().
             // So, we must restore our call frame and stack pointer.
-            jit.restoreCalleeSavesFromVMCalleeSavesBuffer();
+            jit.restoreCalleeSavesFromVMEntryFrameCalleeSavesBuffer();
             jit.loadPtr(vm->addressOfCallFrameForCatch(), GPRInfo::callFrameRegister);
             jit.addPtr(CCallHelpers::TrustedImm32(codeBlock->stackPointerOffset() * sizeof(Register)),

trunk/Source/JavaScriptCore/dfg/DFGOSRExitCompiler32_64.cpp

@@ -256 +256 @@
 
     if (exit.isExceptionHandler())
-        m_jit.copyCalleeSavesToVMCalleeSavesBuffer();
+        m_jit.copyCalleeSavesToVMEntryFrameCalleeSavesBuffer();
 
     // Do all data format conversions and store the results into the stack.

trunk/Source/JavaScriptCore/dfg/DFGOSRExitCompiler64.cpp

@@ -266 +266 @@
 
     if (exit.isExceptionHandler())
-        m_jit.copyCalleeSavesToVMCalleeSavesBuffer();
+        m_jit.copyCalleeSavesToVMEntryFrameCalleeSavesBuffer();
 
     // Do all data format conversions and store the results into the stack.

trunk/Source/JavaScriptCore/dfg/DFGThunks.cpp

@@ -136 +136 @@
 
     ok.link(&jit);
-    jit.restoreCalleeSavesFromVMCalleeSavesBuffer();
+    jit.restoreCalleeSavesFromVMEntryFrameCalleeSavesBuffer();
     jit.emitMaterializeTagCheckRegisters();
 

trunk/Source/JavaScriptCore/ftl/FTLCompile.cpp

@@ -122 +122 @@
     // Emit the exception handler.
     *state.exceptionHandler = jit.label();
-    jit.copyCalleeSavesToVMCalleeSavesBuffer();
+    jit.copyCalleeSavesToVMEntryFrameCalleeSavesBuffer();
     jit.move(MacroAssembler::TrustedImmPtr(jit.vm()), GPRInfo::argumentGPR0);
     jit.move(GPRInfo::callFrameRegister, GPRInfo::argumentGPR1);

trunk/Source/JavaScriptCore/ftl/FTLLowerDFGToB3.cpp

@@ -207 +207 @@
                 AllowMacroScratchRegisterUsage allowScratch(jit);
                 
-                jit.copyCalleeSavesToVMCalleeSavesBuffer();
+                jit.copyCalleeSavesToVMEntryFrameCalleeSavesBuffer();
                 jit.move(CCallHelpers::TrustedImmPtr(jit.vm()), GPRInfo::argumentGPR0);
                 jit.move(GPRInfo::callFrameRegister, GPRInfo::argumentGPR1);

trunk/Source/JavaScriptCore/ftl/FTLOSRExitCompiler.cpp

@@ -187 +187 @@
     if (exit.isGenericUnwindHandler()) {
         RELEASE_ASSERT(vm->callFrameForCatch); // The first time we hit this exit, like at all other times, this field should be non-null.
-        jit.restoreCalleeSavesFromVMCalleeSavesBuffer();
+        jit.restoreCalleeSavesFromVMEntryFrameCalleeSavesBuffer();
         jit.loadPtr(vm->addressOfCallFrameForCatch(), MacroAssembler::framePointerRegister);
         jit.addPtr(CCallHelpers::TrustedImm32(codeBlock->stackPointerOffset() * sizeof(Register)),
@@ -442 +442 @@
     RegisterAtOffsetList* vmCalleeSaves = vm->getAllCalleeSaveRegisterOffsets();
     RegisterSet vmCalleeSavesToSkip = RegisterSet::stackRegisters();
-    if (exit.isExceptionHandler())
-        jit.move(CCallHelpers::TrustedImmPtr(vm->calleeSaveRegistersBuffer), GPRInfo::regT1);
+    if (exit.isExceptionHandler()) {
+        jit.loadPtr(&vm->topVMEntryFrame, GPRInfo::regT1);
+        jit.addPtr(CCallHelpers::TrustedImm32(VMEntryFrame::calleeSaveRegistersBufferOffset()), GPRInfo::regT1);
+    }
 
     for (Reg reg = Reg::first(); reg <= Reg::last(); reg = reg.next()) {

trunk/Source/JavaScriptCore/interpreter/Interpreter.cpp

@@ -696 +696 @@
                 profiler->exceptionUnwind(m_callFrame);
 
-            copyCalleeSavesToVMCalleeSavesBuffer(visitor);
+            copyCalleeSavesToVMEntryFrameCalleeSavesBuffer(visitor);
 
             return StackVisitor::Done;
         }
 
-        copyCalleeSavesToVMCalleeSavesBuffer(visitor);
+        copyCalleeSavesToVMEntryFrameCalleeSavesBuffer(visitor);
 
         return StackVisitor::Continue;
@@ -707 +707 @@
 
 private:
-    void copyCalleeSavesToVMCalleeSavesBuffer(StackVisitor& visitor) const
+    void copyCalleeSavesToVMEntryFrameCalleeSavesBuffer(StackVisitor& visitor) const
     {
 #if ENABLE(JIT) && NUMBER_OF_CALLEE_SAVES_REGISTERS > 0
@@ -729 +729 @@
 
         unsigned registerCount = currentCalleeSaves->size();
+        VMEntryRecord* record = vmEntryRecord(vm.topVMEntryFrame);
         for (unsigned i = 0; i < registerCount; i++) {
             RegisterAtOffset currentEntry = currentCalleeSaves->at(i);
             if (dontCopyRegisters.get(currentEntry.reg()))
                 continue;
-            RegisterAtOffset* vmCalleeSavesEntry = allCalleeSaves->find(currentEntry.reg());
+            RegisterAtOffset* calleeSavesEntry = allCalleeSaves->find(currentEntry.reg());
             
-            vm.calleeSaveRegistersBuffer[vmCalleeSavesEntry->offsetAsIndex()] = *(frame + currentEntry.offsetAsIndex());
+            record->calleeSaveRegistersBuffer[calleeSavesEntry->offsetAsIndex()] = *(frame + currentEntry.offsetAsIndex());
         }
 #else

trunk/Source/JavaScriptCore/interpreter/Interpreter.h

@@ -146 +146 @@
             ASSERT(vm);
             ASSERT(callFrame);
-            ASSERT(callFrame < vm->topVMEntryFrame);
+            ASSERT(reinterpret_cast<void*>(callFrame) < reinterpret_cast<void*>(vm->topVMEntryFrame));
             vm->topCallFrame = callFrame;
         }

trunk/Source/JavaScriptCore/interpreter/VMEntryRecord.h

@@ -1 +1 @@
 /*
- * Copyright (C) 2014 Apple Inc. All rights reserved.
+ * Copyright (C) 2014, 2016 Apple Inc. All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
@@ -27 +27 @@
 #define VMEntryRecord_h
 
+#include "GPRInfo.h"
+
 namespace JSC {
 
-typedef void VMEntryFrame;
-
+struct VMEntryFrame;
 class ExecState;
 class VM;
@@ -43 +44 @@
     VMEntryFrame* m_prevTopVMEntryFrame;
 
+#if ENABLE(JIT) && NUMBER_OF_CALLEE_SAVES_REGISTERS > 0
+    intptr_t calleeSaveRegistersBuffer[NUMBER_OF_CALLEE_SAVES_REGISTERS];
+#endif
+
     ExecState* prevTopCallFrame() { return m_prevTopCallFrame; }
     SUPPRESS_ASAN ExecState* unsafePrevTopCallFrame() { return m_prevTopCallFrame; }
@@ -52 +57 @@
 extern "C" VMEntryRecord* vmEntryRecord(VMEntryFrame*);
 
+struct VMEntryFrame {
+#if ENABLE(JIT) && NUMBER_OF_CALLEE_SAVES_REGISTERS > 0
+    static ptrdiff_t vmEntryRecordOffset()
+    {
+        VMEntryFrame* fakeVMEntryFrame = reinterpret_cast<VMEntryFrame*>(0x1000);
+        VMEntryRecord* record = vmEntryRecord(fakeVMEntryFrame);
+        return static_cast<ptrdiff_t>(
+            reinterpret_cast<char*>(record) - reinterpret_cast<char*>(fakeVMEntryFrame));
+    }
+
+    static ptrdiff_t calleeSaveRegistersBufferOffset()
+    {
+        return vmEntryRecordOffset() + OBJECT_OFFSETOF(VMEntryRecord, calleeSaveRegistersBuffer);
+    }
+#endif
+};
+
 } // namespace JSC
 

trunk/Source/JavaScriptCore/jit/AssemblyHelpers.cpp

@@ -567 +567 @@
 #endif
 
-void AssemblyHelpers::restoreCalleeSavesFromVMCalleeSavesBuffer()
+void AssemblyHelpers::restoreCalleeSavesFromVMEntryFrameCalleeSavesBuffer()
 {
 #if NUMBER_OF_CALLEE_SAVES_REGISTERS > 0
-    char* sourceBuffer = bitwise_cast<char*>(m_vm->calleeSaveRegistersBuffer);
-
     RegisterAtOffsetList* allCalleeSaves = m_vm->getAllCalleeSaveRegisterOffsets();
     RegisterSet dontRestoreRegisters = RegisterSet::stackRegisters();
     unsigned registerCount = allCalleeSaves->size();
-    
+
+    GPRReg scratch = InvalidGPRReg;
+    unsigned scratchGPREntryIndex = 0;
+
+    // Use the first GPR entry's register as our scratch.
     for (unsigned i = 0; i < registerCount; i++) {
         RegisterAtOffset entry = allCalleeSaves->at(i);
         if (dontRestoreRegisters.get(entry.reg()))
             continue;
-        if (entry.reg().isGPR())
-            loadPtr(static_cast<void*>(sourceBuffer + entry.offset()), entry.reg().gpr());
-        else
-            loadDouble(TrustedImmPtr(sourceBuffer + entry.offset()), entry.reg().fpr());
-    }
+        if (entry.reg().isGPR()) {
+            scratchGPREntryIndex = i;
+            scratch = entry.reg().gpr();
+            break;
+        }
+    }
+    ASSERT(scratch != InvalidGPRReg);
+
+    loadPtr(&m_vm->topVMEntryFrame, scratch);
+    addPtr(TrustedImm32(VMEntryFrame::calleeSaveRegistersBufferOffset()), scratch);
+
+    // Restore all callee saves except for the scratch.
+    for (unsigned i = 0; i < registerCount; i++) {
+        RegisterAtOffset entry = allCalleeSaves->at(i);
+        if (dontRestoreRegisters.get(entry.reg()))
+            continue;
+        if (entry.reg().isGPR()) {
+            if (i != scratchGPREntryIndex)
+                loadPtr(Address(scratch, entry.offset()), entry.reg().gpr());
+        } else
+            loadDouble(Address(scratch, entry.offset()), entry.reg().fpr());
+    }
+
+    // Restore the callee save value of the scratch.
+    RegisterAtOffset entry = allCalleeSaves->at(scratchGPREntryIndex);
+    ASSERT(!dontRestoreRegisters.get(entry.reg()));
+    ASSERT(entry.reg().isGPR());
+    ASSERT(scratch == entry.reg().gpr());
+    loadPtr(Address(scratch, entry.offset()), scratch);
 #endif
 }

trunk/Source/JavaScriptCore/jit/AssemblyHelpers.h

@@ -314 +314 @@
     }
 
-    void copyCalleeSavesToVMCalleeSavesBuffer(const TempRegisterSet& usedRegisters = { RegisterSet::stubUnavailableRegisters() })
+    void copyCalleeSavesToVMEntryFrameCalleeSavesBuffer(const TempRegisterSet& usedRegisters = { RegisterSet::stubUnavailableRegisters() })
     {
 #if NUMBER_OF_CALLEE_SAVES_REGISTERS > 0
         GPRReg temp1 = usedRegisters.getFreeGPR(0);
 
-        move(TrustedImmPtr(m_vm->calleeSaveRegistersBuffer), temp1);
+        loadPtr(&m_vm->topVMEntryFrame, temp1);
+        addPtr(TrustedImm32(VMEntryFrame::calleeSaveRegistersBufferOffset()), temp1);
 
         RegisterAtOffsetList* allCalleeSaves = m_vm->getAllCalleeSaveRegisterOffsets();
@@ -339 +340 @@
     }
 
-    void restoreCalleeSavesFromVMCalleeSavesBuffer();
-
-    void copyCalleeSavesFromFrameOrRegisterToVMCalleeSavesBuffer(const TempRegisterSet& usedRegisters = { RegisterSet::stubUnavailableRegisters() })
+    void restoreCalleeSavesFromVMEntryFrameCalleeSavesBuffer();
+
+    void copyCalleeSavesFromFrameOrRegisterToVMEntryFrameCalleeSavesBuffer(const TempRegisterSet& usedRegisters = { RegisterSet::stubUnavailableRegisters() })
     {
 #if NUMBER_OF_CALLEE_SAVES_REGISTERS > 0
@@ -352 +353 @@
 
         // Copy saved calleeSaves on stack or unsaved calleeSaves in register to vm calleeSave buffer
-        move(TrustedImmPtr(m_vm->calleeSaveRegistersBuffer), temp1);
+        loadPtr(&m_vm->topVMEntryFrame, temp1);
+        addPtr(TrustedImm32(VMEntryFrame::calleeSaveRegistersBufferOffset()), temp1);
 
         RegisterAtOffsetList* allCalleeSaves = m_vm->getAllCalleeSaveRegisterOffsets();

trunk/Source/JavaScriptCore/jit/JIT.cpp

@@ -97 +97 @@
     ASSERT(!m_bytecodeOffset);
 
-    copyCalleeSavesFromFrameOrRegisterToVMCalleeSavesBuffer();
+    copyCalleeSavesFromFrameOrRegisterToVMEntryFrameCalleeSavesBuffer();
 
     callOperation(operationOptimize, m_bytecodeOffset);
@@ -786 +786 @@
         m_exceptionChecksWithCallFrameRollback.link(this);
 
-        copyCalleeSavesToVMCalleeSavesBuffer();
+        copyCalleeSavesToVMEntryFrameCalleeSavesBuffer();
 
         // lookupExceptionHandlerFromCallerFrame is passed two arguments, the VM and the exec (the CallFrame*).
@@ -805 +805 @@
         m_exceptionChecks.link(this);
 
-        copyCalleeSavesToVMCalleeSavesBuffer();
+        copyCalleeSavesToVMEntryFrameCalleeSavesBuffer();
 
         // lookupExceptionHandler is passed two arguments, the VM and the exec (the CallFrame*).

trunk/Source/JavaScriptCore/jit/JITOpcodes.cpp

@@ -443 +443 @@
 {
     ASSERT(regT0 == returnValueGPR);
-    copyCalleeSavesToVMCalleeSavesBuffer();
+    copyCalleeSavesToVMEntryFrameCalleeSavesBuffer();
     emitGetVirtualRegister(currentInstruction[1].u.operand, regT0);
     callOperationNoExceptionCheck(operationThrow, regT0);
@@ -519 +519 @@
 void JIT::emit_op_catch(Instruction* currentInstruction)
 {
-    restoreCalleeSavesFromVMCalleeSavesBuffer();
+    restoreCalleeSavesFromVMEntryFrameCalleeSavesBuffer();
 
     move(TrustedImmPtr(m_vm), regT3);
@@ -936 +936 @@
         linkSlowCase(iter);
 
-        copyCalleeSavesFromFrameOrRegisterToVMCalleeSavesBuffer();
+        copyCalleeSavesFromFrameOrRegisterToVMEntryFrameCalleeSavesBuffer();
 
         callOperation(operationOptimize, m_bytecodeOffset);

trunk/Source/JavaScriptCore/jit/JITOpcodes32_64.cpp

@@ -788 +788 @@
 {
     ASSERT(regT0 == returnValueGPR);
-    copyCalleeSavesToVMCalleeSavesBuffer();
+    copyCalleeSavesToVMEntryFrameCalleeSavesBuffer();
     emitLoad(currentInstruction[1].u.operand, regT1, regT0);
     callOperationNoExceptionCheck(operationThrow, regT1, regT0);
@@ -848 +848 @@
 void JIT::emit_op_catch(Instruction* currentInstruction)
 {
-    restoreCalleeSavesFromVMCalleeSavesBuffer();
+    restoreCalleeSavesFromVMEntryFrameCalleeSavesBuffer();
 
     move(TrustedImmPtr(m_vm), regT3);

trunk/Source/JavaScriptCore/jit/ThunkGenerators.cpp

@@ -67 +67 @@
     jit.preserveReturnAddressAfterCall(GPRInfo::nonPreservedNonReturnGPR);
 
-    jit.copyCalleeSavesToVMCalleeSavesBuffer();
+    jit.copyCalleeSavesToVMEntryFrameCalleeSavesBuffer();
 
     jit.setupArguments(CCallHelpers::TrustedImmPtr(vm), GPRInfo::callFrameRegister);
@@ -356 +356 @@
     exceptionHandler.link(&jit);
 
-    jit.copyCalleeSavesToVMCalleeSavesBuffer();
+    jit.copyCalleeSavesToVMEntryFrameCalleeSavesBuffer();
     jit.storePtr(JSInterfaceJIT::callFrameRegister, &vm->topCallFrame);
 

trunk/Source/JavaScriptCore/llint/LLIntThunks.cpp

@@ -117 +117 @@
     intptr_t stackAlignment = stackAlignmentBytes();
     intptr_t VMEntryTotalFrameSize = (sizeof(VMEntryRecord) + (stackAlignment - 1)) & ~(stackAlignment - 1);
-    return reinterpret_cast<VMEntryRecord*>(static_cast<char*>(entryFrame) - VMEntryTotalFrameSize);
+    return reinterpret_cast<VMEntryRecord*>(reinterpret_cast<char*>(entryFrame) - VMEntryTotalFrameSize);
 }
 

trunk/Source/JavaScriptCore/llint/LowLevelInterpreter.asm

@@ -569 +569 @@
 end
 
-macro copyCalleeSavesToVMCalleeSavesBuffer(vm, temp)
+macro copyCalleeSavesToVMEntryFrameCalleeSavesBuffer(vm, temp)
     if ARM64 or X86_64 or X86_64_WIN
-        leap VM::calleeSaveRegistersBuffer[vm], temp
+        loadp VM::topVMEntryFrame[vm], temp
+        vmEntryRecord(temp, temp)
+        leap VMEntryRecord::calleeSaveRegistersBuffer[temp], temp
         if ARM64
             storep csr0, [temp]
@@ -609 +611 @@
 end
 
-macro restoreCalleeSavesFromVMCalleeSavesBuffer(vm, temp)
+macro restoreCalleeSavesFromVMEntryFrameCalleeSavesBuffer(vm, temp)
     if ARM64 or X86_64 or X86_64_WIN
-        leap VM::calleeSaveRegistersBuffer[vm], temp
+        loadp VM::topVMEntryFrame[vm], temp
+        vmEntryRecord(temp, temp)
+        leap VMEntryRecord::calleeSaveRegistersBuffer[temp], temp
         if ARM64
             loadp [temp], csr0

trunk/Source/JavaScriptCore/llint/LowLevelInterpreter32_64.asm

@@ -303 +303 @@
     andp MarkedBlockMask, t3
     loadp MarkedBlock::m_weakSet + WeakSet::m_vm[t3], t3
-    restoreCalleeSavesFromVMCalleeSavesBuffer(t3, t0)
+    restoreCalleeSavesFromVMEntryFrameCalleeSavesBuffer(t3, t0)
     loadp VM::callFrameForCatch[t3], cfr
     storep 0, VM::callFrameForCatch[t3]
@@ -1916 +1916 @@
     andp MarkedBlockMask, t3
     loadp MarkedBlock::m_weakSet + WeakSet::m_vm[t3], t3
-    restoreCalleeSavesFromVMCalleeSavesBuffer(t3, t0)
+    restoreCalleeSavesFromVMEntryFrameCalleeSavesBuffer(t3, t0)
     loadp VM::callFrameForCatch[t3], cfr
     storep 0, VM::callFrameForCatch[t3]
@@ -1966 +1966 @@
     andp MarkedBlockMask, t1
     loadp MarkedBlock::m_weakSet + WeakSet::m_vm[t1], t1
-    copyCalleeSavesToVMCalleeSavesBuffer(t1, t2)
+    copyCalleeSavesToVMEntryFrameCalleeSavesBuffer(t1, t2)
     jmp VM::targetMachinePCForThrow[t1]
 

trunk/Source/JavaScriptCore/llint/LowLevelInterpreter64.asm

@@ -275 +275 @@
     andp MarkedBlockMask, t3
     loadp MarkedBlock::m_weakSet + WeakSet::m_vm[t3], t3
-    restoreCalleeSavesFromVMCalleeSavesBuffer(t3, t0)
+    restoreCalleeSavesFromVMEntryFrameCalleeSavesBuffer(t3, t0)
     loadp VM::callFrameForCatch[t3], cfr
     storep 0, VM::callFrameForCatch[t3]
@@ -1795 +1795 @@
     andp MarkedBlockMask, t3
     loadp MarkedBlock::m_weakSet + WeakSet::m_vm[t3], t3
-    restoreCalleeSavesFromVMCalleeSavesBuffer(t3, t0)
+    restoreCalleeSavesFromVMEntryFrameCalleeSavesBuffer(t3, t0)
     loadp VM::callFrameForCatch[t3], cfr
     storep 0, VM::callFrameForCatch[t3]
@@ -1841 +1841 @@
     andp MarkedBlockMask, t1
     loadp MarkedBlock::m_weakSet + WeakSet::m_vm[t1], t1
-    copyCalleeSavesToVMCalleeSavesBuffer(t1, t2)
+    copyCalleeSavesToVMEntryFrameCalleeSavesBuffer(t1, t2)
 
     callSlowPath(_llint_slow_path_handle_exception)

trunk/Source/JavaScriptCore/runtime/VM.h

@@ -35 +35 @@
 #include "ExecutableAllocator.h"
 #include "FunctionHasExecutedCache.h"
-#if ENABLE(JIT)
-#include "GPRInfo.h"
-#endif
 #include "Heap.h"
 #include "Intrinsic.h"
@@ -385 +382 @@
     Interpreter* interpreter;
 #if ENABLE(JIT)
-#if NUMBER_OF_CALLEE_SAVES_REGISTERS > 0
-    intptr_t calleeSaveRegistersBuffer[NUMBER_OF_CALLEE_SAVES_REGISTERS];
-
-    static ptrdiff_t calleeSaveRegistersBufferOffset()
-    {
-        return OBJECT_OFFSETOF(VM, calleeSaveRegistersBuffer);
-    }
-#endif // NUMBER_OF_CALLEE_SAVES_REGISTERS > 0
-
     std::unique_ptr<JITThunks> jitStubs;
     MacroAssemblerCodeRef getCTIStub(ThunkGenerator generator)

trunk/Source/JavaScriptCore/wasm/WASMFunctionCompiler.h

@@ -238 +238 @@
             m_exceptionChecks.link(this);
 
-            copyCalleeSavesToVMCalleeSavesBuffer();
+            copyCalleeSavesToVMEntryFrameCalleeSavesBuffer();
 
             // lookupExceptionHandler is passed two arguments, the VM and the exec (the CallFrame*).