<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN"
"http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head><meta http-equiv="content-type" content="text/html; charset=utf-8" />
<title>[191625] trunk</title>
</head>
<body>
<style type="text/css"><!--
#msg dl.meta { border: 1px #006 solid; background: #369; padding: 6px; color: #fff; }
#msg dl.meta dt { float: left; width: 6em; font-weight: bold; }
#msg dt:after { content:':';}
#msg dl, #msg dt, #msg ul, #msg li, #header, #footer, #logmsg { font-family: verdana,arial,helvetica,sans-serif; font-size: 10pt; }
#msg dl a { font-weight: bold}
#msg dl a:link { color:#fc3; }
#msg dl a:active { color:#ff0; }
#msg dl a:visited { color:#cc6; }
h3 { font-family: verdana,arial,helvetica,sans-serif; font-size: 10pt; font-weight: bold; }
#msg pre { overflow: auto; background: #ffc; border: 1px #fa0 solid; padding: 6px; }
#logmsg { background: #ffc; border: 1px #fa0 solid; padding: 1em 1em 0 1em; }
#logmsg p, #logmsg pre, #logmsg blockquote { margin: 0 0 1em 0; }
#logmsg p, #logmsg li, #logmsg dt, #logmsg dd { line-height: 14pt; }
#logmsg h1, #logmsg h2, #logmsg h3, #logmsg h4, #logmsg h5, #logmsg h6 { margin: .5em 0; }
#logmsg h1:first-child, #logmsg h2:first-child, #logmsg h3:first-child, #logmsg h4:first-child, #logmsg h5:first-child, #logmsg h6:first-child { margin-top: 0; }
#logmsg ul, #logmsg ol { padding: 0; list-style-position: inside; margin: 0 0 0 1em; }
#logmsg ul { text-indent: -1em; padding-left: 1em; }#logmsg ol { text-indent: -1.5em; padding-left: 1.5em; }
#logmsg > ul, #logmsg > ol { margin: 0 0 1em 0; }
#logmsg pre { background: #eee; padding: 1em; }
#logmsg blockquote { border: 1px solid #fa0; border-left-width: 10px; padding: 1em 1em 0 1em; background: white;}
#logmsg dl { margin: 0; }
#logmsg dt { font-weight: bold; }
#logmsg dd { margin: 0; padding: 0 0 0.5em 0; }
#logmsg dd:before { content:'\00bb';}
#logmsg table { border-spacing: 0px; border-collapse: collapse; border-top: 4px solid #fa0; border-bottom: 1px solid #fa0; background: #fff; }
#logmsg table th { text-align: left; font-weight: normal; padding: 0.2em 0.5em; border-top: 1px dotted #fa0; }
#logmsg table td { text-align: right; border-top: 1px dotted #fa0; padding: 0.2em 0.5em; }
#logmsg table thead th { text-align: center; border-bottom: 1px solid #fa0; }
#logmsg table th.Corner { text-align: left; }
#logmsg hr { border: none 0; border-top: 2px dashed #fa0; height: 1px; }
#header, #footer { color: #fff; background: #636; border: 1px #300 solid; padding: 6px; }
#patch { width: 100%; }
#patch h4 {font-family: verdana,arial,helvetica,sans-serif;font-size:10pt;padding:8px;background:#369;color:#fff;margin:0;}
#patch .propset h4, #patch .binary h4 {margin:0;}
#patch pre {padding:0;line-height:1.2em;margin:0;}
#patch .diff {width:100%;background:#eee;padding: 0 0 10px 0;overflow:auto;}
#patch .propset .diff, #patch .binary .diff {padding:10px 0;}
#patch span {display:block;padding:0 10px;}
#patch .modfile, #patch .addfile, #patch .delfile, #patch .propset, #patch .binary, #patch .copfile {border:1px solid #ccc;margin:10px 0;}
#patch ins {background:#dfd;text-decoration:none;display:block;padding:0 10px;}
#patch del {background:#fdd;text-decoration:none;display:block;padding:0 10px;}
#patch .lines, .info {color:#888;background:#fff;}
--></style>
<div id="msg">
<dl class="meta">
<dt>Revision</dt> <dd><a href="http://trac.webkit.org/projects/webkit/changeset/191625">191625</a></dd>
<dt>Author</dt> <dd>msaboff@apple.com</dd>
<dt>Date</dt> <dd>2015-10-27 10:48:51 -0700 (Tue, 27 Oct 2015)</dd>
</dl>
<h3>Log Message</h3>
<pre>REGRESSION (<a href="http://trac.webkit.org/projects/webkit/changeset/191360">r191360</a>): Crash: com.apple.WebKit.WebContent at com.apple.JavaScriptCore: JSC::FTL:: + 386
https://bugs.webkit.org/show_bug.cgi?id=150580
Reviewed by Mark Lam.
Source/JavaScriptCore:
Changed code to box 32 bit integers and booleans arguments when generating the call instead of boxing
them in the shuffler.
The ASSERT in CallFrameShuffler::extendFrameIfNeeded is wrong when called from CallFrameShuffler::spill(),
as we could be making space to spill a register so that we have a spare that we can use for the new
frame's base pointer.
* ftl/FTLJSTailCall.cpp:
(JSC::FTL::DFG::recoveryFor): Added RELEASE_ASSERT to check that we never see unboxed 32 bit
arguments stored in the stack.
* ftl/FTLLowerDFGToLLVM.cpp:
(JSC::FTL::DFG::LowerDFGToLLVM::exitValueForTailCall):
* jit/CallFrameShuffler.cpp:
(JSC::CallFrameShuffler::extendFrameIfNeeded): Removed unneeded ASSERT.
LayoutTests:
New regression test.
* js/regress-150580-expected.txt: Added.
* js/regress-150580.html: Added.
* js/script-tests/regress-150580.js: Added.
(addEmUp):
(sumVector):
(test):</pre>
<h3>Modified Paths</h3>
<ul>
<li><a href="#trunkLayoutTestsChangeLog">trunk/LayoutTests/ChangeLog</a></li>
<li><a href="#trunkSourceJavaScriptCoreChangeLog">trunk/Source/JavaScriptCore/ChangeLog</a></li>
<li><a href="#trunkSourceJavaScriptCoreftlFTLJSTailCallcpp">trunk/Source/JavaScriptCore/ftl/FTLJSTailCall.cpp</a></li>
<li><a href="#trunkSourceJavaScriptCoreftlFTLLowerDFGToLLVMcpp">trunk/Source/JavaScriptCore/ftl/FTLLowerDFGToLLVM.cpp</a></li>
<li><a href="#trunkSourceJavaScriptCorejitCallFrameShufflercpp">trunk/Source/JavaScriptCore/jit/CallFrameShuffler.cpp</a></li>
</ul>
<h3>Added Paths</h3>
<ul>
<li><a href="#trunkLayoutTestsjsregress150580expectedtxt">trunk/LayoutTests/js/regress-150580-expected.txt</a></li>
<li><a href="#trunkLayoutTestsjsregress150580html">trunk/LayoutTests/js/regress-150580.html</a></li>
<li><a href="#trunkLayoutTestsjsscripttestsregress150580js">trunk/LayoutTests/js/script-tests/regress-150580.js</a></li>
</ul>
</div>
<div id="patch">
<h3>Diff</h3>
<a id="trunkLayoutTestsChangeLog"></a>
<div class="modfile"><h4>Modified: trunk/LayoutTests/ChangeLog (191624 => 191625)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/ChangeLog 2015-10-27 17:27:53 UTC (rev 191624)
+++ trunk/LayoutTests/ChangeLog 2015-10-27 17:48:51 UTC (rev 191625)
</span><span class="lines">@@ -1,3 +1,19 @@
</span><ins>+2015-10-27 Michael Saboff <msaboff@apple.com>
+
+ REGRESSION (r191360): Crash: com.apple.WebKit.WebContent at com.apple.JavaScriptCore: JSC::FTL:: + 386
+ https://bugs.webkit.org/show_bug.cgi?id=150580
+
+ Reviewed by Mark Lam.
+
+ New regression test.
+
+ * js/regress-150580-expected.txt: Added.
+ * js/regress-150580.html: Added.
+ * js/script-tests/regress-150580.js: Added.
+ (addEmUp):
+ (sumVector):
+ (test):
+
</ins><span class="cx"> 2015-10-20 Zalan Bujtas <zalan@apple.com>
</span><span class="cx">
</span><span class="cx"> Subpixel layout: Convert RenderTable* and AutoTableLayout to use LayoutUnit.
</span></span></pre></div>
<a id="trunkLayoutTestsjsregress150580expectedtxt"></a>
<div class="addfile"><h4>Added: trunk/LayoutTests/js/regress-150580-expected.txt (0 => 191625)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/js/regress-150580-expected.txt (rev 0)
+++ trunk/LayoutTests/js/regress-150580-expected.txt 2015-10-27 17:48:51 UTC (rev 191625)
</span><span class="lines">@@ -0,0 +1,10 @@
</span><ins>+Regression test for https://webkit.org/b/150580. - This test should not crash.
+
+On success, you will see a series of "PASS" messages, followed by "TEST COMPLETE".
+
+
+PASS Properly handled tail calls with 32 bit integer arguments when all registers are used.
+PASS successfullyParsed is true
+
+TEST COMPLETE
+
</ins></span></pre></div>
<a id="trunkLayoutTestsjsregress150580html"></a>
<div class="addfile"><h4>Added: trunk/LayoutTests/js/regress-150580.html (0 => 191625)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/js/regress-150580.html (rev 0)
+++ trunk/LayoutTests/js/regress-150580.html 2015-10-27 17:48:51 UTC (rev 191625)
</span><span class="lines">@@ -0,0 +1,10 @@
</span><ins>+<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML//EN">
+<html>
+<head>
+<script src="../resources/js-test-pre.js"></script>
+</head>
+<body>
+<script src="script-tests/regress-150580.js"></script>
+<script src="../resources/js-test-post.js"></script>
+</body>
+</html>
</ins></span></pre></div>
<a id="trunkLayoutTestsjsscripttestsregress150580js"></a>
<div class="addfile"><h4>Added: trunk/LayoutTests/js/script-tests/regress-150580.js (0 => 191625)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/js/script-tests/regress-150580.js (rev 0)
+++ trunk/LayoutTests/js/script-tests/regress-150580.js 2015-10-27 17:48:51 UTC (rev 191625)
</span><span class="lines">@@ -0,0 +1,37 @@
</span><ins>+description("Regression test for https://webkit.org/b/150580. - This test should not crash.");
+
+// Verify that tail calls in the FTL properly handle 32 bit integer arguments when all registers are used.
+
+function addEmUp(a1, a2, a3, a4, a5, a6, a7, a8, a9, a10, a11, a12, a13, a14, a15, a16, a17, a18, a19, a20, a21, a22, a23, a24, a25, a26, a27, a28, a29, a30, a31, a32)
+{
+ "use strict";
+ return a1 + a2 + a3 + a4 + a5 + a6 + a7 + a8 + a9 + a10 + a11 + a12 + a13 + a14 + a15 + a16 + a17 + a18 + a19 + a20 + a21 + a22 + a23 + a24 + a25 + a26 + a27 + a28 + a29 + a30 + a31 + a32;
+}
+
+noInline(addEmUp);
+
+function sumVector(v)
+{
+ "use strict";
+ return addEmUp(v[0], v[1], v[2], v[3], v[4], v[5], v[6], v[7], v[8], v[9], v[10], v[11], v[12], v[13], v[14], v[15], v[16], v[17], v[18], v[19], v[20], v[21], v[22], v[23], v[24], v[25], v[26], v[27], v[28], v[29], v[30], v[31]);
+}
+
+noInline(sumVector);
+
+function test()
+{
+ var buffer = new ArrayBuffer(128);
+ var intValuesArray = new Int32Array(buffer);
+
+ for (var i = 0; i < intValuesArray.length; i++)
+ intValuesArray[i] = i + 1;
+
+ for (var i = 0; i < 200000; i++) {
+ if (sumVector(intValuesArray) != 528)
+ testFailed("Didn't properly add elements of vector");
+ }
+
+ testPassed("Properly handled tail calls with 32 bit integer arguments when all registers are used.");
+}
+
+test();
</ins></span></pre></div>
<a id="trunkSourceJavaScriptCoreChangeLog"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/ChangeLog (191624 => 191625)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/ChangeLog 2015-10-27 17:27:53 UTC (rev 191624)
+++ trunk/Source/JavaScriptCore/ChangeLog 2015-10-27 17:48:51 UTC (rev 191625)
</span><span class="lines">@@ -1,3 +1,25 @@
</span><ins>+2015-10-27 Michael Saboff <msaboff@apple.com>
+
+ REGRESSION (r191360): Crash: com.apple.WebKit.WebContent at com.apple.JavaScriptCore: JSC::FTL:: + 386
+ https://bugs.webkit.org/show_bug.cgi?id=150580
+
+ Reviewed by Mark Lam.
+
+ Changed code to box 32 bit integers and booleans arguments when generating the call instead of boxing
+ them in the shuffler.
+
+ The ASSERT in CallFrameShuffler::extendFrameIfNeeded is wrong when called from CallFrameShuffler::spill(),
+ as we could be making space to spill a register so that we have a spare that we can use for the new
+ frame's base pointer.
+
+ * ftl/FTLJSTailCall.cpp:
+ (JSC::FTL::DFG::recoveryFor): Added RELEASE_ASSERT to check that we never see unboxed 32 bit
+ arguments stored in the stack.
+ * ftl/FTLLowerDFGToLLVM.cpp:
+ (JSC::FTL::DFG::LowerDFGToLLVM::exitValueForTailCall):
+ * jit/CallFrameShuffler.cpp:
+ (JSC::CallFrameShuffler::extendFrameIfNeeded): Removed unneeded ASSERT.
+
</ins><span class="cx"> 2015-10-26 Yusuke Suzuki <utatane.tea@gmail.com>
</span><span class="cx">
</span><span class="cx"> [ES6] Add DFG/FTL support for accessor put operations
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoreftlFTLJSTailCallcpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/ftl/FTLJSTailCall.cpp (191624 => 191625)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/ftl/FTLJSTailCall.cpp 2015-10-27 17:27:53 UTC (rev 191624)
+++ trunk/Source/JavaScriptCore/ftl/FTLJSTailCall.cpp 2015-10-27 17:48:51 UTC (rev 191625)
</span><span class="lines">@@ -77,6 +77,8 @@
</span><span class="cx"> // Oh LLVM, you crazy...
</span><span class="cx"> RELEASE_ASSERT(location.dwarfReg().reg() == Reg(MacroAssembler::framePointerRegister));
</span><span class="cx"> RELEASE_ASSERT(!(location.offset() % sizeof(void*)));
</span><ins>+ // DataFormatInt32 and DataFormatBoolean should be already be boxed.
+ RELEASE_ASSERT(format != DataFormatInt32 && format != DataFormatBoolean);
</ins><span class="cx"> return ValueRecovery::displacedInJSStack(VirtualRegister { static_cast<int>(location.offset() / sizeof(void*)) }, format);
</span><span class="cx">
</span><span class="cx"> case Location::Constant:
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoreftlFTLLowerDFGToLLVMcpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/ftl/FTLLowerDFGToLLVM.cpp (191624 => 191625)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/ftl/FTLLowerDFGToLLVM.cpp 2015-10-27 17:27:53 UTC (rev 191624)
+++ trunk/Source/JavaScriptCore/ftl/FTLLowerDFGToLLVM.cpp 2015-10-27 17:48:51 UTC (rev 191625)
</span><span class="lines">@@ -9007,13 +9007,11 @@
</span><span class="cx">
</span><span class="cx"> value = m_int32Values.get(node);
</span><span class="cx"> if (isValid(value))
</span><del>- return exitArgument(arguments, DataFormatInt32, value.value());
</del><ins>+ return exitArgument(arguments, DataFormatJS, boxInt32(value.value()));
</ins><span class="cx">
</span><span class="cx"> value = m_booleanValues.get(node);
</span><del>- if (isValid(value)) {
- LValue valueToPass = m_out.zeroExt(value.value(), m_out.int32);
- return exitArgument(arguments, DataFormatBoolean, valueToPass);
- }
</del><ins>+ if (isValid(value))
+ return exitArgument(arguments, DataFormatJS, boxBoolean(value.value()));
</ins><span class="cx">
</span><span class="cx"> // Doubles and Int52 have been converted by ValueRep()
</span><span class="cx"> DFG_CRASH(m_graph, m_node, toCString("Cannot find value for node: ", node).data());
</span></span></pre></div>
<a id="trunkSourceJavaScriptCorejitCallFrameShufflercpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/jit/CallFrameShuffler.cpp (191624 => 191625)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/jit/CallFrameShuffler.cpp 2015-10-27 17:27:53 UTC (rev 191624)
+++ trunk/Source/JavaScriptCore/jit/CallFrameShuffler.cpp 2015-10-27 17:48:51 UTC (rev 191625)
</span><span class="lines">@@ -306,7 +306,6 @@
</span><span class="cx"> void CallFrameShuffler::extendFrameIfNeeded()
</span><span class="cx"> {
</span><span class="cx"> ASSERT(!m_didExtendFrame);
</span><del>- ASSERT(!isUndecided());
</del><span class="cx">
</span><span class="cx"> VirtualRegister firstRead { firstOld() };
</span><span class="cx"> for (; firstRead <= virtualRegisterForLocal(0); firstRead += 1) {
</span></span></pre>
</div>
</div>
</body>
</html>