Changeset 249577 in webkit


Ignore:
Timestamp:
Sep 6, 2019 10:03:28 AM (5 years ago)
Author:
Ryan Haddad
Message:

Unreviewed, rolling out r249566.

Causes inspector layout test crashes under GuardMalloc

Reverted changeset:

"Tail Deleted Frames shown in Web Inspector are sometimes
incorrect (Shadow Chicken)"
https://bugs.webkit.org/show_bug.cgi?id=201366
https://trac.webkit.org/changeset/249566

Location:
trunk
Files:
4 added
1 deleted
5 edited
2 copied

Legend:

Unmodified
Added
Removed
  • trunk/LayoutTests/ChangeLog

    r249572 r249577  
     12019-09-06  Ryan Haddad  <ryanhaddad@apple.com>
     2
     3        Unreviewed, rolling out r249566.
     4
     5        Causes inspector layout test crashes under GuardMalloc
     6
     7        Reverted changeset:
     8
     9        "Tail Deleted Frames shown in Web Inspector are sometimes
     10        incorrect (Shadow Chicken)"
     11        https://bugs.webkit.org/show_bug.cgi?id=201366
     12        https://trac.webkit.org/changeset/249566
     13
    1142019-09-06  Rob Buis  <rbuis@igalia.com>
    215
  • trunk/LayoutTests/inspector/debugger/evaluateOnCallFrame-exception.html

    r249566 r249577  
    1414    const returnByValue = true;
    1515
     16    InspectorTest.debug();
    1617    let suite = InspectorTest.createAsyncSuite("Debugger.evaluateOnCallFrame.Exception");
    1718
  • trunk/LayoutTests/inspector/debugger/resources/tail-deleted-frames-from-vm-entry.js

    r249576 r249577  
    66    if (i > 0)
    77        return bar(i - 1);
    8     debugger;
    9     return 99;
     8    return 25;
    109}
  • trunk/LayoutTests/inspector/debugger/resources/tail-deleted-frames.js

    r249576 r249577  
    22function a() {
    33    let x = 20;
    4     debugger;
     4    x;
    55    return x;
    66}
     
    1111function c() {
    1212    let z = 60;
    13     return b();
     13    return b(); 
    1414}
    1515function startABC() {
  • trunk/LayoutTests/platform/mac/TestExpectations

    r249566 r249577  
    10601060webkit.org/b/167711 [ Debug ] inspector/debugger/probe-manager-add-remove-actions.html [ Slow ]
    10611061webkit.org/b/168399 [ Debug ] inspector/debugger/search-scripts.html [ Pass Timeout ]
    1062 webkit.org/b/181952 [ Debug ] inspector/debugger/tail-deleted-frames/tail-deleted-frames-vm-entry.html [ Slow ]
     1062webkit.org/b/181952 [ Debug ] inspector/debugger/tail-deleted-frames-from-vm-entry.html [ Slow ]
     1063webkit.org/b/169119 [ Debug ] inspector/debugger/tail-deleted-frames-this-value.html [ Pass Timeout ]
    10631064webkit.org/b/168387 [ Debug ] inspector/debugger/tail-recursion.html [ Pass Timeout ]
    10641065webkit.org/b/170127 inspector/dom-debugger/dom-breakpoints.html [ Pass Timeout ]
  • trunk/Source/JavaScriptCore/ChangeLog

    r249576 r249577  
     12019-09-06  Ryan Haddad  <ryanhaddad@apple.com>
     2
     3        Unreviewed, rolling out r249566.
     4
     5        Causes inspector layout test crashes under GuardMalloc
     6
     7        Reverted changeset:
     8
     9        "Tail Deleted Frames shown in Web Inspector are sometimes
     10        incorrect (Shadow Chicken)"
     11        https://bugs.webkit.org/show_bug.cgi?id=201366
     12        https://trac.webkit.org/changeset/249566
     13
    1142019-09-06  Guillaume Emont  <guijemont@igalia.com>
    215
  • trunk/Source/JavaScriptCore/interpreter/ShadowChicken.cpp

    r249566 r249577  
    4646   
    4747    if (isPrologue()) {
    48         String name = "?"_s;
    49         if (auto* function = jsDynamicCast<JSFunction*>(callee->vm(), callee)) {
    50             name = function->name(callee->vm());
    51             if (name.isEmpty())
    52                 name = "?"_s;
    53         }
    54 
    5548        out.print(
    5649            "{callee = ", RawPointer(callee), ", frame = ", RawPointer(frame), ", callerFrame = ",
    57             RawPointer(callerFrame), ", name = ", name, "}");
     50            RawPointer(callerFrame), "}");
    5851        return;
    5952    }
     
    7063void ShadowChicken::Frame::dump(PrintStream& out) const
    7164{
    72     String name = "?"_s;
    73     if (auto* function = jsDynamicCast<JSFunction*>(callee->vm(), callee)) {
    74         name = function->name(callee->vm());
    75         if (name.isEmpty())
    76             name = "?"_s;
    77     }
    78 
    7965    out.print(
    80         "{callee = ", *callee, ", frame = ", RawPointer(frame), ", isTailDeleted = ",
    81         isTailDeleted, ", name = ", name, "}");
     66        "{callee = ", RawPointer(callee), ", frame = ", RawPointer(frame), ", isTailDeleted = ",
     67        isTailDeleted, "}");
    8268}
    8369
     
    8571    : m_logSize(Options::shadowChickenLogSize())
    8672{
    87     // Allow one additional packet beyond m_logEnd. This is useful for the moment we
    88     // log a packet when the log is full and force an update. At that moment the packet
    89     // that is being logged should be included in the update because it may be
    90     // a critical prologue needed to rationalize the current machine stack with the
    91     // shadow stack.
    92     m_log = static_cast<Packet*>(fastZeroedMalloc(sizeof(Packet) * m_logSize + 1));
     73    m_log = static_cast<Packet*>(fastZeroedMalloc(sizeof(Packet) * m_logSize));
    9374    m_logCursor = m_log;
    9475    m_logEnd = m_log + m_logSize;
     
    10283void ShadowChicken::log(VM& vm, ExecState* exec, const Packet& packet)
    10384{
    104     // This write is allowed because we construct the log with space for 1 additional packet.
     85    update(vm, exec);
    10586    *m_logCursor++ = packet;
    106     update(vm, exec);
    10787}
    10888
     
    163143    }
    164144
     145   
    165146    if (ShadowChickenInternal::verbose)
    166147        dataLog("    Revised stack: ", listDump(m_stack), "\n");
     
    308289
    309290            CallFrame* callFrame = visitor->callFrame();
    310             if (ShadowChickenInternal::verbose) {
    311                 dataLog("    Examining callFrame:", RawPointer(callFrame), ", callee:", RawPointer(callFrame->jsCallee()), ", callerFrame:", RawPointer(callFrame->callerFrame()), "\n");
    312                 JSObject* callee = callFrame->jsCallee();
    313                 if (auto* function = jsDynamicCast<JSFunction*>(callee->vm(), callee))
    314                     dataLog("      Function = ", function->name(callee->vm()), "\n");
    315             }
    316 
     291            if (ShadowChickenInternal::verbose)
     292                dataLog("    Examining ", RawPointer(callFrame), "\n");
    317293            if (callFrame == highestPointSinceLastTime) {
    318294                if (ShadowChickenInternal::verbose)
    319                     dataLog("    Bailing at ", RawPointer(callFrame), " because it's the highest point since last time\n");
    320 
    321                 // FIXME: At this point the shadow stack may still have tail deleted frames
    322                 // that do not run into the current call frame but are left in the shadow stack.
    323                 // Those tail deleted frames should be validated somehow.
    324 
     295                    dataLog("    Bailing at ", RawPointer(callFrame), " because it's the highest point since last time.\n");
    325296                return StackVisitor::Done;
    326297            }
     
    348319                && m_log[indexInLog].frame == toPush.last().frame) {
    349320                if (ShadowChickenInternal::verbose)
    350                     dataLog("    Going to loop through to find tail deleted frames using ", RawPointer(callFrame), " with indexInLog = ", indexInLog, " and push-stack top = ", toPush.last(), "\n");
     321                    dataLog("    Going to loop through to find tail deleted frames with indexInLog = ", indexInLog, " and push-stack top = ", toPush.last(), "\n");
    351322                for (;;) {
    352323                    ASSERT(m_log[indexInLog].frame == toPush.last().frame);
     
    370341                    }
    371342                    indexInLog--; // Skip over the tail packet.
    372 
    373                     // FIXME: After a few iterations the tail packet referenced frame may not be the
    374                     // same as the original callFrame for the real stack frame we started with.
    375                     // It is unclear when we should break.
    376343                   
    377344                    if (!advanceIndexInLogTo(tailPacket.frame, nullptr, nullptr)) {
     
    413380
    414381    if (ShadowChickenInternal::verbose)
    415         dataLog("    After pushing: ", listDump(m_stack), "\n");
     382        dataLog("    After pushing: ", *this, "\n");
    416383
    417384    // Remove tail frames until the number of tail deleted frames is small enough.
     
    481448    out.print("\n");
    482449    for (unsigned i = 0; i < limit; ++i)
    483         out.print("\t", comma, "[", i, "] ", m_log[i], "\n");
     450        out.print("\t", comma, m_log[i], "\n");
    484451    out.print("]}");
    485452}
Note: See TracChangeset for help on using the changeset viewer.