<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN"
"http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head><meta http-equiv="content-type" content="text/html; charset=utf-8" />
<title>[200879] trunk</title>
</head>
<body>

<style type="text/css"><!--
#msg dl.meta { border: 1px #006 solid; background: #369; padding: 6px; color: #fff; }
#msg dl.meta dt { float: left; width: 6em; font-weight: bold; }
#msg dt:after { content:':';}
#msg dl, #msg dt, #msg ul, #msg li, #header, #footer, #logmsg { font-family: verdana,arial,helvetica,sans-serif; font-size: 10pt;  }
#msg dl a { font-weight: bold}
#msg dl a:link    { color:#fc3; }
#msg dl a:active  { color:#ff0; }
#msg dl a:visited { color:#cc6; }
h3 { font-family: verdana,arial,helvetica,sans-serif; font-size: 10pt; font-weight: bold; }
#msg pre { overflow: auto; background: #ffc; border: 1px #fa0 solid; padding: 6px; }
#logmsg { background: #ffc; border: 1px #fa0 solid; padding: 1em 1em 0 1em; }
#logmsg p, #logmsg pre, #logmsg blockquote { margin: 0 0 1em 0; }
#logmsg p, #logmsg li, #logmsg dt, #logmsg dd { line-height: 14pt; }
#logmsg h1, #logmsg h2, #logmsg h3, #logmsg h4, #logmsg h5, #logmsg h6 { margin: .5em 0; }
#logmsg h1:first-child, #logmsg h2:first-child, #logmsg h3:first-child, #logmsg h4:first-child, #logmsg h5:first-child, #logmsg h6:first-child { margin-top: 0; }
#logmsg ul, #logmsg ol { padding: 0; list-style-position: inside; margin: 0 0 0 1em; }
#logmsg ul { text-indent: -1em; padding-left: 1em; }#logmsg ol { text-indent: -1.5em; padding-left: 1.5em; }
#logmsg > ul, #logmsg > ol { margin: 0 0 1em 0; }
#logmsg pre { background: #eee; padding: 1em; }
#logmsg blockquote { border: 1px solid #fa0; border-left-width: 10px; padding: 1em 1em 0 1em; background: white;}
#logmsg dl { margin: 0; }
#logmsg dt { font-weight: bold; }
#logmsg dd { margin: 0; padding: 0 0 0.5em 0; }
#logmsg dd:before { content:'\00bb';}
#logmsg table { border-spacing: 0px; border-collapse: collapse; border-top: 4px solid #fa0; border-bottom: 1px solid #fa0; background: #fff; }
#logmsg table th { text-align: left; font-weight: normal; padding: 0.2em 0.5em; border-top: 1px dotted #fa0; }
#logmsg table td { text-align: right; border-top: 1px dotted #fa0; padding: 0.2em 0.5em; }
#logmsg table thead th { text-align: center; border-bottom: 1px solid #fa0; }
#logmsg table th.Corner { text-align: left; }
#logmsg hr { border: none 0; border-top: 2px dashed #fa0; height: 1px; }
#header, #footer { color: #fff; background: #636; border: 1px #300 solid; padding: 6px; }
#patch { width: 100%; }
#patch h4 {font-family: verdana,arial,helvetica,sans-serif;font-size:10pt;padding:8px;background:#369;color:#fff;margin:0;}
#patch .propset h4, #patch .binary h4 {margin:0;}
#patch pre {padding:0;line-height:1.2em;margin:0;}
#patch .diff {width:100%;background:#eee;padding: 0 0 10px 0;overflow:auto;}
#patch .propset .diff, #patch .binary .diff  {padding:10px 0;}
#patch span {display:block;padding:0 10px;}
#patch .modfile, #patch .addfile, #patch .delfile, #patch .propset, #patch .binary, #patch .copfile {border:1px solid #ccc;margin:10px 0;}
#patch ins {background:#dfd;text-decoration:none;display:block;padding:0 10px;}
#patch del {background:#fdd;text-decoration:none;display:block;padding:0 10px;}
#patch .lines, .info {color:#888;background:#fff;}
--></style>
<div id="msg">
<dl class="meta">
<dt>Revision</dt> <dd><a href="http://trac.webkit.org/projects/webkit/changeset/200879">200879</a></dd>
<dt>Author</dt> <dd>mark.lam@apple.com</dd>
<dt>Date</dt> <dd>2016-05-13 13:16:29 -0700 (Fri, 13 May 2016)</dd>
</dl>

<h3>Log Message</h3>
<pre>We should have one calleeSaveRegistersBuffer per VMEntryFrame, not one per VM.
https://bugs.webkit.org/show_bug.cgi?id=157537
&lt;rdar://problem/24794845&gt;

Reviewed by Michael Saboff.

Source/JavaScriptCore:

The pre-existing code behaves this way:

1. When JS code throws an exception, it saves callee save registers in
   the VM calleeSaveRegistersBuffer.  These values are meant to be restored
   to the callee save registers later either at the catch handler or at the
   uncaught exception handler.

2. If the Inspector is enabled, the VM will invoke inspector C++ code to inspect
   the exception.  That C++ code can change the values of the callee save
   registers.

   The inspector code in turn re-enters the VM to execute JS inspector code.

   The JS inspector code can run hot enough that we do an enterOptimizationCheck
   on it.  The enterOptimizationCheck first saves all callee save registers
   into the VM calleeSaveRegistersBuffer.

   This effectively overwrites the values in the VM calleeSaveRegistersBuffer
   from (1).

3. Eventually, execution returns to the catch handler or the uncaught exception
   handler which restores the overwritten values in the VM
   calleeSaveRegistersBuffer to the callee save registers.

   When execution returns to the C++ code that entered the VM before (1), the
   values in the callee registers are not what that code expects, and badness
   and/or crashes ensue.

This patch applies the following fix:
        
1. Allocate space in the VMEntryFrame for the calleeSaveRegistersBuffer.
   This ensures that each VM entry session has its own buffer to use, and will
   not corrupt the one from the previous VM entry session.

   Delete the VM calleeSaveRegistersBuffer.

2. Change all locations that use the VM calleeSaveRegistersBuffer to use the
   calleeSaveRegistersBuffer in the current VMEntryFrame.

3. Rename all uses of the term &quot;VMCalleeSavesBuffer&quot; to
   &quot;VMEntryFrameCalleeSavesBuffer&quot;.

This fix has been tested on the following configurations:
1. JSC and layout tests on a debug ASan build for 64-bit x86_64.
2. JSC tests on a release ASan build for 32-bit x86.
3. JSC tests on a release normal (non-ASan) build for ARM64.
4. JSC tests on a release normal (non-ASan) build for ARMv7 and ARMv7s.
5. JSC tests on a release ASan CLOOP build for x86_64.

These test runs did not produce any new crashes.  The ASan CLOOP has some
pre-existing crashes which are not due to this patch.

This bug can be tested by running the inspector/debugger/regress-133182.html test
on an ASan build.

* bytecode/PolymorphicAccess.cpp:
(JSC::AccessGenerationState::emitExplicitExceptionHandler):
* dfg/DFGJITCompiler.cpp:
(JSC::DFG::JITCompiler::compileExceptionHandlers):
* dfg/DFGOSREntry.cpp:
(JSC::DFG::prepareOSREntry):
* dfg/DFGOSRExitCompiler.cpp:
* dfg/DFGOSRExitCompiler32_64.cpp:
(JSC::DFG::OSRExitCompiler::compileExit):
* dfg/DFGOSRExitCompiler64.cpp:
(JSC::DFG::OSRExitCompiler::compileExit):
* dfg/DFGThunks.cpp:
(JSC::DFG::osrEntryThunkGenerator):
* ftl/FTLCompile.cpp:
(JSC::FTL::compile):
* ftl/FTLLowerDFGToB3.cpp:
(JSC::FTL::DFG::LowerDFGToB3::lower):
* ftl/FTLOSRExitCompiler.cpp:
(JSC::FTL::compileStub):
* interpreter/Interpreter.cpp:
(JSC::UnwindFunctor::operator()):
(JSC::UnwindFunctor::copyCalleeSavesToVMEntryFrameCalleeSavesBuffer):
(JSC::UnwindFunctor::copyCalleeSavesToVMCalleeSavesBuffer): Deleted.
* interpreter/Interpreter.h:
(JSC::NativeCallFrameTracer::NativeCallFrameTracer):
* interpreter/VMEntryRecord.h:
(JSC::VMEntryRecord::calleeSaveRegistersBufferOffset):
(JSC::VMEntryRecord::prevTopCallFrame):
(JSC::VMEntryRecord::unsafePrevTopCallFrame):
(JSC::VMEntryFrame::vmEntryRecordOffset):
(JSC::VMEntryFrame::calleeSaveRegistersBufferOffset):
* jit/AssemblyHelpers.cpp:
(JSC::AssemblyHelpers::emitRandomThunk):
(JSC::AssemblyHelpers::restoreCalleeSavesFromVMEntryFrameCalleeSavesBuffer):
(JSC::AssemblyHelpers::restoreCalleeSavesFromVMCalleeSavesBuffer): Deleted.
* jit/AssemblyHelpers.h:
(JSC::AssemblyHelpers::emitRestoreSavedTagRegisters):
(JSC::AssemblyHelpers::copyCalleeSavesToVMEntryFrameCalleeSavesBuffer):
(JSC::AssemblyHelpers::copyCalleeSavesFromFrameOrRegisterToVMEntryFrameCalleeSavesBuffer):
(JSC::AssemblyHelpers::copyCalleeSavesToVMCalleeSavesBuffer): Deleted.
(JSC::AssemblyHelpers::copyCalleeSavesFromFrameOrRegisterToVMCalleeSavesBuffer): Deleted.
* jit/JIT.cpp:
(JSC::JIT::emitEnterOptimizationCheck):
(JSC::JIT::privateCompileExceptionHandlers):
* jit/JITOpcodes.cpp:
(JSC::JIT::emit_op_throw):
(JSC::JIT::emit_op_catch):
(JSC::JIT::emitSlow_op_loop_hint):
* jit/JITOpcodes32_64.cpp:
(JSC::JIT::emit_op_throw):
(JSC::JIT::emit_op_catch):
* jit/ThunkGenerators.cpp:
(JSC::throwExceptionFromCallSlowPathGenerator):
(JSC::nativeForGenerator):
* llint/LLIntThunks.cpp:
(JSC::vmEntryRecord):
* llint/LowLevelInterpreter.asm:
* llint/LowLevelInterpreter32_64.asm:
* llint/LowLevelInterpreter64.asm:
* runtime/VM.h:
(JSC::VM::getCTIStub):
(JSC::VM::calleeSaveRegistersBufferOffset): Deleted.
* wasm/WASMFunctionCompiler.h:
(JSC::WASMFunctionCompiler::endFunction):

LayoutTests:

* inspector/debugger/regress-133182-expected.txt:
- Rebased test results to update line numbers.
* platform/mac/TestExpectations:
- Unskip the test.</pre>
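<p>The throw, inspector re-entry and catch sequence described in the log message above, reduced to a C simulation that runs the two buffer placements side by side. This is an added illustration, not WebKit code: the struct and function names mirror the patch's terms but are toy stand-ins, and NUM_CALLEE_SAVES, the register-file array and the 0xA0/0xB0 register values are constructed for the demo.</p>

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define NUM_CALLEE_SAVES 4 /* constructed for the demo; real targets differ */

/* Per-VM-entry-session record. With the fix, the callee-save buffer lives here. */
typedef struct VMEntryRecord {
    struct VMEntryRecord* prevTopVMEntryFrame;
    intptr_t calleeSaveRegistersBuffer[NUM_CALLEE_SAVES];
} VMEntryRecord;

typedef struct {
    /* Pre-fix design: one buffer shared by every entry session of this VM. */
    intptr_t calleeSaveRegistersBuffer[NUM_CALLEE_SAVES];
    VMEntryRecord* topVMEntryFrame;
    bool bufferPerEntryFrame; /* which of the two designs this VM simulates */
} VM;

/* The callee-save register file, modelled as plain memory (hypothetical). */
static intptr_t calleeSaveRegs[NUM_CALLEE_SAVES];

/* Picks the buffer the current design would use: the VM-wide one, or the one
 * belonging to the innermost live VMEntryFrame. */
static intptr_t* activeBuffer(VM* vm)
{
    if (vm->bufferPerEntryFrame)
        return vm->topVMEntryFrame->calleeSaveRegistersBuffer;
    return vm->calleeSaveRegistersBuffer;
}

/* Stand-ins for copyCalleeSavesTo...Buffer / restoreCalleeSavesFrom...Buffer. */
static void copyCalleeSavesToBuffer(VM* vm)
{
    memcpy(activeBuffer(vm), calleeSaveRegs, sizeof calleeSaveRegs);
}

static void restoreCalleeSavesFromBuffer(VM* vm)
{
    memcpy(calleeSaveRegs, activeBuffer(vm), sizeof calleeSaveRegs);
}

static void setRegs(intptr_t base)
{
    for (size_t i = 0; i < NUM_CALLEE_SAVES; i++)
        calleeSaveRegs[i] = base + (intptr_t)i;
}

/* Step 2 of the log message: inspector C++ code re-enters the VM to run JS
 * inspector code, which gets hot enough to hit enterOptimizationCheck. */
static void inspectorReentersVM(VM* vm)
{
    VMEntryRecord inner;
    memset(&inner, 0, sizeof inner);
    inner.prevTopVMEntryFrame = vm->topVMEntryFrame;
    vm->topVMEntryFrame = &inner;

    /* enterOptimizationCheck first saves all callee saves into "the" buffer. */
    copyCalleeSavesToBuffer(vm);
    /* ... JS inspector code runs; the nested session then winds down. */
    restoreCalleeSavesFromBuffer(vm);

    vm->topVMEntryFrame = inner.prevTopVMEntryFrame;
}

/* Runs throw -> inspector -> catch and returns what the catch handler leaves in
 * callee-save register 0. The throwing JS code held 0xA0 there, so a correct
 * restore yields 0xA0; the shared-buffer design yields the inspector's 0xB0. */
static intptr_t simulateThrowThroughInspector(bool bufferPerEntryFrame)
{
    VM vm;
    memset(&vm, 0, sizeof vm);
    vm.bufferPerEntryFrame = bufferPerEntryFrame;

    VMEntryRecord outer;
    memset(&outer, 0, sizeof outer);
    vm.topVMEntryFrame = &outer;

    /* Step 1: JS throws; callee saves (0xA0..0xA3) are stashed for the handler. */
    setRegs(0xA0);
    copyCalleeSavesToBuffer(&vm);

    /* Step 2: inspector C++ code uses the callee-save registers (0xB0..0xB3) and
     * re-enters the VM. Per the C ABI it puts the registers back before returning. */
    intptr_t cxxSaved[NUM_CALLEE_SAVES];
    memcpy(cxxSaved, calleeSaveRegs, sizeof cxxSaved);
    setRegs(0xB0);
    inspectorReentersVM(&vm);
    memcpy(calleeSaveRegs, cxxSaved, sizeof cxxSaved);

    /* Step 3: the catch handler restores from the buffer it believes holds step 1. */
    restoreCalleeSavesFromBuffer(&vm);
    vm.topVMEntryFrame = NULL;
    return calleeSaveRegs[0];
}
```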

<h3>Modified Paths</h3>
<ul>
<li><a href="#trunkLayoutTestsChangeLog">trunk/LayoutTests/ChangeLog</a></li>
<li><a href="#trunkLayoutTestsinspectordebuggerregress133182expectedtxt">trunk/LayoutTests/inspector/debugger/regress-133182-expected.txt</a></li>
<li><a href="#trunkLayoutTestsplatformmacTestExpectations">trunk/LayoutTests/platform/mac/TestExpectations</a></li>
<li><a href="#trunkSourceJavaScriptCoreChangeLog">trunk/Source/JavaScriptCore/ChangeLog</a></li>
<li><a href="#trunkSourceJavaScriptCorebytecodePolymorphicAccesscpp">trunk/Source/JavaScriptCore/bytecode/PolymorphicAccess.cpp</a></li>
<li><a href="#trunkSourceJavaScriptCoredfgDFGJITCompilercpp">trunk/Source/JavaScriptCore/dfg/DFGJITCompiler.cpp</a></li>
<li><a href="#trunkSourceJavaScriptCoredfgDFGOSREntrycpp">trunk/Source/JavaScriptCore/dfg/DFGOSREntry.cpp</a></li>
<li><a href="#trunkSourceJavaScriptCoredfgDFGOSRExitCompilercpp">trunk/Source/JavaScriptCore/dfg/DFGOSRExitCompiler.cpp</a></li>
<li><a href="#trunkSourceJavaScriptCoredfgDFGOSRExitCompiler32_64cpp">trunk/Source/JavaScriptCore/dfg/DFGOSRExitCompiler32_64.cpp</a></li>
<li><a href="#trunkSourceJavaScriptCoredfgDFGOSRExitCompiler64cpp">trunk/Source/JavaScriptCore/dfg/DFGOSRExitCompiler64.cpp</a></li>
<li><a href="#trunkSourceJavaScriptCoredfgDFGThunkscpp">trunk/Source/JavaScriptCore/dfg/DFGThunks.cpp</a></li>
<li><a href="#trunkSourceJavaScriptCoreftlFTLCompilecpp">trunk/Source/JavaScriptCore/ftl/FTLCompile.cpp</a></li>
<li><a href="#trunkSourceJavaScriptCoreftlFTLLowerDFGToB3cpp">trunk/Source/JavaScriptCore/ftl/FTLLowerDFGToB3.cpp</a></li>
<li><a href="#trunkSourceJavaScriptCoreftlFTLOSRExitCompilercpp">trunk/Source/JavaScriptCore/ftl/FTLOSRExitCompiler.cpp</a></li>
<li><a href="#trunkSourceJavaScriptCoreinterpreterInterpretercpp">trunk/Source/JavaScriptCore/interpreter/Interpreter.cpp</a></li>
<li><a href="#trunkSourceJavaScriptCoreinterpreterInterpreterh">trunk/Source/JavaScriptCore/interpreter/Interpreter.h</a></li>
<li><a href="#trunkSourceJavaScriptCoreinterpreterVMEntryRecordh">trunk/Source/JavaScriptCore/interpreter/VMEntryRecord.h</a></li>
<li><a href="#trunkSourceJavaScriptCorejitAssemblyHelperscpp">trunk/Source/JavaScriptCore/jit/AssemblyHelpers.cpp</a></li>
<li><a href="#trunkSourceJavaScriptCorejitAssemblyHelpersh">trunk/Source/JavaScriptCore/jit/AssemblyHelpers.h</a></li>
<li><a href="#trunkSourceJavaScriptCorejitJITcpp">trunk/Source/JavaScriptCore/jit/JIT.cpp</a></li>
<li><a href="#trunkSourceJavaScriptCorejitJITOpcodescpp">trunk/Source/JavaScriptCore/jit/JITOpcodes.cpp</a></li>
<li><a href="#trunkSourceJavaScriptCorejitJITOpcodes32_64cpp">trunk/Source/JavaScriptCore/jit/JITOpcodes32_64.cpp</a></li>
<li><a href="#trunkSourceJavaScriptCorejitThunkGeneratorscpp">trunk/Source/JavaScriptCore/jit/ThunkGenerators.cpp</a></li>
<li><a href="#trunkSourceJavaScriptCorellintLLIntThunkscpp">trunk/Source/JavaScriptCore/llint/LLIntThunks.cpp</a></li>
<li><a href="#trunkSourceJavaScriptCorellintLowLevelInterpreterasm">trunk/Source/JavaScriptCore/llint/LowLevelInterpreter.asm</a></li>
<li><a href="#trunkSourceJavaScriptCorellintLowLevelInterpreter32_64asm">trunk/Source/JavaScriptCore/llint/LowLevelInterpreter32_64.asm</a></li>
<li><a href="#trunkSourceJavaScriptCorellintLowLevelInterpreter64asm">trunk/Source/JavaScriptCore/llint/LowLevelInterpreter64.asm</a></li>
<li><a href="#trunkSourceJavaScriptCoreruntimeVMh">trunk/Source/JavaScriptCore/runtime/VM.h</a></li>
<li><a href="#trunkSourceJavaScriptCorewasmWASMFunctionCompilerh">trunk/Source/JavaScriptCore/wasm/WASMFunctionCompiler.h</a></li>
</ul>

</div>
<div id="patch">
<h3>Diff</h3>
<a id="trunkLayoutTestsChangeLog"></a>
<div class="modfile"><h4>Modified: trunk/LayoutTests/ChangeLog (200878 => 200879)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/ChangeLog        2016-05-13 19:42:38 UTC (rev 200878)
+++ trunk/LayoutTests/ChangeLog        2016-05-13 20:16:29 UTC (rev 200879)
</span><span class="lines">@@ -1,3 +1,16 @@
</span><ins>+2016-05-13  Mark Lam  &lt;mark.lam@apple.com&gt;
+
+        We should have one calleeSaveRegistersBuffer per VMEntryFrame, not one per VM.
+        https://bugs.webkit.org/show_bug.cgi?id=157537
+        &lt;rdar://problem/24794845&gt;
+
+        Reviewed by Michael Saboff.
+
+        * inspector/debugger/regress-133182-expected.txt:
+        - Rebased test results to update line numbers.
+        * platform/mac/TestExpectations:
+        - Unskip the test.
+
</ins><span class="cx"> 2016-05-13  Doug Russell  &lt;d_russell@apple.com&gt;
</span><span class="cx"> 
</span><span class="cx">         AX: Regressions in undo/redo accessibility from Bug 153361
</span></span></pre></div>
<a id="trunkLayoutTestsinspectordebuggerregress133182expectedtxt"></a>
<div class="modfile"><h4>Modified: trunk/LayoutTests/inspector/debugger/regress-133182-expected.txt (200878 => 200879)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/inspector/debugger/regress-133182-expected.txt        2016-05-13 19:42:38 UTC (rev 200878)
+++ trunk/LayoutTests/inspector/debugger/regress-133182-expected.txt        2016-05-13 20:16:29 UTC (rev 200879)
</span><span class="lines">@@ -1,44 +1,44 @@
</span><del>-CONSOLE MESSAGE: line 47: [1] Testing statement '({}).a.b.c.d;'
-CONSOLE MESSAGE: line 48: [1] Paused and about to step
-CONSOLE MESSAGE: line 60: [1] Resumed
-CONSOLE MESSAGE: line 52: [1] Paused after stepping
-CONSOLE MESSAGE: line 60: [1] Resumed
</del><ins>+CONSOLE MESSAGE: line 56: [1] Testing statement '({}).a.b.c.d;'
+CONSOLE MESSAGE: line 57: [1] Paused and about to step
+CONSOLE MESSAGE: line 69: [1] Resumed
+CONSOLE MESSAGE: line 61: [1] Paused after stepping
+CONSOLE MESSAGE: line 69: [1] Resumed
</ins><span class="cx"> CONSOLE MESSAGE: line 1: TypeError: undefined is not an object (evaluating '({}).a.b')
</span><del>-CONSOLE MESSAGE: line 47: [2] Testing statement 'exceptionBasic();'
-CONSOLE MESSAGE: line 48: [2] Paused and about to step
-CONSOLE MESSAGE: line 60: [2] Resumed
-CONSOLE MESSAGE: line 52: [2] Paused after stepping
-CONSOLE MESSAGE: line 60: [2] Resumed
</del><ins>+CONSOLE MESSAGE: line 56: [2] Testing statement 'exceptionBasic();'
+CONSOLE MESSAGE: line 57: [2] Paused and about to step
+CONSOLE MESSAGE: line 69: [2] Resumed
+CONSOLE MESSAGE: line 61: [2] Paused after stepping
+CONSOLE MESSAGE: line 69: [2] Resumed
</ins><span class="cx"> CONSOLE MESSAGE: line 3: TypeError: undefined is not an object (evaluating '({}).a.b')
</span><del>-CONSOLE MESSAGE: line 47: [3] Testing statement 'exceptionDOM();'
-CONSOLE MESSAGE: line 48: [3] Paused and about to step
-CONSOLE MESSAGE: line 60: [3] Resumed
-CONSOLE MESSAGE: line 52: [3] Paused after stepping
-CONSOLE MESSAGE: line 60: [3] Resumed
</del><ins>+CONSOLE MESSAGE: line 56: [3] Testing statement 'exceptionDOM();'
+CONSOLE MESSAGE: line 57: [3] Paused and about to step
+CONSOLE MESSAGE: line 69: [3] Resumed
+CONSOLE MESSAGE: line 61: [3] Paused after stepping
+CONSOLE MESSAGE: line 69: [3] Resumed
</ins><span class="cx"> CONSOLE MESSAGE: line 8: NotFoundError: DOM Exception 8: An attempt was made to reference a Node in a context where it does not exist.
</span><del>-CONSOLE MESSAGE: line 47: [4] Testing statement 'exceptionInHostFunction();'
-CONSOLE MESSAGE: line 48: [4] Paused and about to step
-CONSOLE MESSAGE: line 60: [4] Resumed
-CONSOLE MESSAGE: line 52: [4] Paused after stepping
-CONSOLE MESSAGE: line 60: [4] Resumed
</del><ins>+CONSOLE MESSAGE: line 56: [4] Testing statement 'exceptionInHostFunction();'
+CONSOLE MESSAGE: line 57: [4] Paused and about to step
+CONSOLE MESSAGE: line 69: [4] Resumed
+CONSOLE MESSAGE: line 61: [4] Paused after stepping
+CONSOLE MESSAGE: line 69: [4] Resumed
</ins><span class="cx"> CONSOLE MESSAGE: line 24: exception in host function
</span><del>-CONSOLE MESSAGE: line 47: [5] Testing statement 'throwString();'
-CONSOLE MESSAGE: line 48: [5] Paused and about to step
-CONSOLE MESSAGE: line 60: [5] Resumed
-CONSOLE MESSAGE: line 52: [5] Paused after stepping
-CONSOLE MESSAGE: line 60: [5] Resumed
</del><ins>+CONSOLE MESSAGE: line 56: [5] Testing statement 'throwString();'
+CONSOLE MESSAGE: line 57: [5] Paused and about to step
+CONSOLE MESSAGE: line 69: [5] Resumed
+CONSOLE MESSAGE: line 61: [5] Paused after stepping
+CONSOLE MESSAGE: line 69: [5] Resumed
</ins><span class="cx"> CONSOLE MESSAGE: line 13: exception string
</span><del>-CONSOLE MESSAGE: line 47: [6] Testing statement 'throwParam({x:1});'
-CONSOLE MESSAGE: line 48: [6] Paused and about to step
-CONSOLE MESSAGE: line 60: [6] Resumed
-CONSOLE MESSAGE: line 52: [6] Paused after stepping
-CONSOLE MESSAGE: line 60: [6] Resumed
</del><ins>+CONSOLE MESSAGE: line 56: [6] Testing statement 'throwParam({x:1});'
+CONSOLE MESSAGE: line 57: [6] Paused and about to step
+CONSOLE MESSAGE: line 69: [6] Resumed
+CONSOLE MESSAGE: line 61: [6] Paused after stepping
+CONSOLE MESSAGE: line 69: [6] Resumed
</ins><span class="cx"> CONSOLE MESSAGE: line 18: [object Object]
</span><del>-CONSOLE MESSAGE: line 47: [7] Testing statement 'throwParam(new Error('error message'));'
-CONSOLE MESSAGE: line 48: [7] Paused and about to step
-CONSOLE MESSAGE: line 60: [7] Resumed
-CONSOLE MESSAGE: line 52: [7] Paused after stepping
-CONSOLE MESSAGE: line 60: [7] Resumed
</del><ins>+CONSOLE MESSAGE: line 56: [7] Testing statement 'throwParam(new Error('error message'));'
+CONSOLE MESSAGE: line 57: [7] Paused and about to step
+CONSOLE MESSAGE: line 69: [7] Resumed
+CONSOLE MESSAGE: line 61: [7] Paused after stepping
+CONSOLE MESSAGE: line 69: [7] Resumed
</ins><span class="cx"> CONSOLE MESSAGE: line 18: Error: error message
</span><span class="cx"> Regression test for https://bugs.webkit.org/show_bug.cgi?id=133182
</span><span class="cx"> 
</span></span></pre></div>
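<p>Review bot: every line reference in this hunk shifts by exactly 9 (47 to 56, 48 to 57, 52 to 61, 60 to 69), yet inspector/debugger/regress-133182.html itself is not among the modified paths, so the shift must come from an earlier edit to the test made while it was skipped; the ChangeLog should say that these expectations were regenerated from a run of the unskipped test rather than edited by hand, because a hand-edited expectation that merely matches the new line numbers would hide a genuine failure in the same test.</p>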
<a id="trunkLayoutTestsplatformmacTestExpectations"></a>
<div class="modfile"><h4>Modified: trunk/LayoutTests/platform/mac/TestExpectations (200878 => 200879)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/platform/mac/TestExpectations        2016-05-13 19:42:38 UTC (rev 200878)
+++ trunk/LayoutTests/platform/mac/TestExpectations        2016-05-13 20:16:29 UTC (rev 200879)
</span><span class="lines">@@ -731,7 +731,6 @@
</span><span class="cx"> inspector/debugger/didSampleProbe-multiple-probes.html
</span><span class="cx"> inspector/debugger/nested-inspectors.html
</span><span class="cx"> inspector/debugger/pause-reason.html
</span><del>-inspector/debugger/regress-133182.html
</del><span class="cx"> 
</span><span class="cx"> webkit.org/b/124311 compositing/regions/transform-transparent-positioned-video-inside-region.html [ ImageOnlyFailure ]
</span><span class="cx"> 
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoreChangeLog"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/ChangeLog (200878 => 200879)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/ChangeLog        2016-05-13 19:42:38 UTC (rev 200878)
+++ trunk/Source/JavaScriptCore/ChangeLog        2016-05-13 20:16:29 UTC (rev 200879)
</span><span class="lines">@@ -1,3 +1,131 @@
</span><ins>+2016-05-13  Mark Lam  &lt;mark.lam@apple.com&gt;
+
+        We should have one calleeSaveRegistersBuffer per VMEntryFrame, not one per VM.
+        https://bugs.webkit.org/show_bug.cgi?id=157537
+        &lt;rdar://problem/24794845&gt;
+
+        Reviewed by Michael Saboff.
+
+        The pre-existing code behaves this way:
+
+        1. When JS code throws an exception, it saves callee save registers in
+           the VM calleeSaveRegistersBuffer.  These values are meant to be restored
+           to the callee save registers later either at the catch handler or at the
+           uncaught exception handler.
+
+        2. If the Inspector is enable, the VM will invoke inspector C++ code to inspect
+           the exception.  That C++ code can change the values of the callee save
+           registers.
+
+           The inspector code in turn re-enters the VM to execute JS inspector code.
+
+           The JS inspector code can run hot enough that we do an enterOptimizationCheck
+           on it.  The enterOptimizationCheck first saves all callee save registers
+           into the VM calleeSaveRegistersBuffer.
+
+           This effectively overwrites the values in the VM calleeSaveRegistersBuffer
+           from (1).
+
+        3. Eventually, execution returns to the catch handler or the uncaught exception
+           handler which restores the overwritten values in the VM
+           calleeSaveRegistersBuffer to the callee save registers.
+
+           When execution returns to the C++ code that entered the VM before (1), the
+           values in the callee registers are not what that code expects, and badness
+           and/or crashes ensues.
+
+        This patch applies the following fix:
+        
+        1. Allocate space in the VMEntryFrame for the calleeSaveRegistersBuffer.
+           This ensures that each VM entry session has its own buffer to use, and will
+           not corrupt the one from the previous VM entry session.
+
+           Delete the VM calleeSaveRegistersBuffer.
+
+        2. Change all locations that uses the VM calleeSaveRegistersBuffer to use the
+           calleeSaveRegistersBuffer in the current VMEntryFrame.
+
+        3. Renamed all uses of the term &quot;VMCalleeSavesBuffer&quot; to
+           &quot;VMEntryFrameCalleeSavesBuffer&quot;.
+
+        This fix has been tested on the following configurations:
+        1. JSC and layout tests on a debug ASan build for 64-bit x86_64.
+        2. JSC tests on a release ASan build for 32-bit x86.
+        3. JSC tests on a release normal (non-ASan) build for ARM64.
+        4. JSC tests on a release normal (non-ASan) build for ARMv7 and ARMv7s.
+        5. JSC tests on a release ASan CLOOP build for x86_64.
+
+        These test runs did not produce any new crashes.  The ASan CLOOP has some
+        pre-existing crashes which are not due to this patch.
+
+        This bug can be tested by running the inspector/debugger/regress-133182.html test
+        on an ASan build.
+
+        * bytecode/PolymorphicAccess.cpp:
+        (JSC::AccessGenerationState::emitExplicitExceptionHandler):
+        * dfg/DFGJITCompiler.cpp:
+        (JSC::DFG::JITCompiler::compileExceptionHandlers):
+        * dfg/DFGOSREntry.cpp:
+        (JSC::DFG::prepareOSREntry):
+        * dfg/DFGOSRExitCompiler.cpp:
+        * dfg/DFGOSRExitCompiler32_64.cpp:
+        (JSC::DFG::OSRExitCompiler::compileExit):
+        * dfg/DFGOSRExitCompiler64.cpp:
+        (JSC::DFG::OSRExitCompiler::compileExit):
+        * dfg/DFGThunks.cpp:
+        (JSC::DFG::osrEntryThunkGenerator):
+        * ftl/FTLCompile.cpp:
+        (JSC::FTL::compile):
+        * ftl/FTLLowerDFGToB3.cpp:
+        (JSC::FTL::DFG::LowerDFGToB3::lower):
+        * ftl/FTLOSRExitCompiler.cpp:
+        (JSC::FTL::compileStub):
+        * interpreter/Interpreter.cpp:
+        (JSC::UnwindFunctor::operator()):
+        (JSC::UnwindFunctor::copyCalleeSavesToVMEntryFrameCalleeSavesBuffer):
+        (JSC::UnwindFunctor::copyCalleeSavesToVMCalleeSavesBuffer): Deleted.
+        * interpreter/Interpreter.h:
+        (JSC::NativeCallFrameTracer::NativeCallFrameTracer):
+        * interpreter/VMEntryRecord.h:
+        (JSC::VMEntryRecord::calleeSaveRegistersBufferOffset):
+        (JSC::VMEntryRecord::prevTopCallFrame):
+        (JSC::VMEntryRecord::unsafePrevTopCallFrame):
+        (JSC::VMEntryFrame::vmEntryRecordOffset):
+        (JSC::VMEntryFrame::calleeSaveRegistersBufferOffset):
+        * jit/AssemblyHelpers.cpp:
+        (JSC::AssemblyHelpers::emitRandomThunk):
+        (JSC::AssemblyHelpers::restoreCalleeSavesFromVMEntryFrameCalleeSavesBuffer):
+        (JSC::AssemblyHelpers::restoreCalleeSavesFromVMCalleeSavesBuffer): Deleted.
+        * jit/AssemblyHelpers.h:
+        (JSC::AssemblyHelpers::emitRestoreSavedTagRegisters):
+        (JSC::AssemblyHelpers::copyCalleeSavesToVMEntryFrameCalleeSavesBuffer):
+        (JSC::AssemblyHelpers::copyCalleeSavesFromFrameOrRegisterToVMEntryFrameCalleeSavesBuffer):
+        (JSC::AssemblyHelpers::copyCalleeSavesToVMCalleeSavesBuffer): Deleted.
+        (JSC::AssemblyHelpers::copyCalleeSavesFromFrameOrRegisterToVMCalleeSavesBuffer): Deleted.
+        * jit/JIT.cpp:
+        (JSC::JIT::emitEnterOptimizationCheck):
+        (JSC::JIT::privateCompileExceptionHandlers):
+        * jit/JITOpcodes.cpp:
+        (JSC::JIT::emit_op_throw):
+        (JSC::JIT::emit_op_catch):
+        (JSC::JIT::emitSlow_op_loop_hint):
+        * jit/JITOpcodes32_64.cpp:
+        (JSC::JIT::emit_op_throw):
+        (JSC::JIT::emit_op_catch):
+        * jit/ThunkGenerators.cpp:
+        (JSC::throwExceptionFromCallSlowPathGenerator):
+        (JSC::nativeForGenerator):
+        * llint/LLIntThunks.cpp:
+        (JSC::vmEntryRecord):
+        * llint/LowLevelInterpreter.asm:
+        * llint/LowLevelInterpreter32_64.asm:
+        * llint/LowLevelInterpreter64.asm:
+        * runtime/VM.h:
+        (JSC::VM::getCTIStub):
+        (JSC::VM::calleeSaveRegistersBufferOffset): Deleted.
+        * wasm/WASMFunctionCompiler.h:
+        (JSC::WASMFunctionCompiler::endFunction):
+
</ins><span class="cx"> 2016-05-13  Beth Dakin  &lt;bdakin@apple.com&gt;
</span><span class="cx"> 
</span><span class="cx">         Add dyldSPI.h for linked on or after checks, and add one for link preview
</span></span></pre></div>
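<p>Review bot: three wording slips in this ChangeLog entry should be fixed before landing: "If the Inspector is enable" should read "is enabled", "all locations that uses the VM calleeSaveRegistersBuffer" should read "that use", and "badness and/or crashes ensues" should read "ensue". Point 3 of the fix list also switches to past tense ("Renamed") while points 1 and 2 are imperative ("Allocate", "Change").</p>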
<a id="trunkSourceJavaScriptCorebytecodePolymorphicAccesscpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/bytecode/PolymorphicAccess.cpp (200878 => 200879)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/bytecode/PolymorphicAccess.cpp        2016-05-13 19:42:38 UTC (rev 200878)
+++ trunk/Source/JavaScriptCore/bytecode/PolymorphicAccess.cpp        2016-05-13 20:16:29 UTC (rev 200879)
</span><span class="lines">@@ -172,7 +172,7 @@
</span><span class="cx"> void AccessGenerationState::emitExplicitExceptionHandler()
</span><span class="cx"> {
</span><span class="cx">     restoreScratch();
</span><del>-    jit-&gt;copyCalleeSavesToVMCalleeSavesBuffer();
</del><ins>+    jit-&gt;copyCalleeSavesToVMEntryFrameCalleeSavesBuffer();
</ins><span class="cx">     if (needsToRestoreRegistersIfException()) {
</span><span class="cx">         // To the JIT that produces the original exception handling
</span><span class="cx">         // call site, they will expect the OSR exit to be arrived
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoredfgDFGJITCompilercpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/dfg/DFGJITCompiler.cpp (200878 => 200879)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/dfg/DFGJITCompiler.cpp        2016-05-13 19:42:38 UTC (rev 200878)
+++ trunk/Source/JavaScriptCore/dfg/DFGJITCompiler.cpp        2016-05-13 20:16:29 UTC (rev 200879)
</span><span class="lines">@@ -139,7 +139,7 @@
</span><span class="cx">     if (!m_exceptionChecksWithCallFrameRollback.empty()) {
</span><span class="cx">         m_exceptionChecksWithCallFrameRollback.link(this);
</span><span class="cx"> 
</span><del>-        copyCalleeSavesToVMCalleeSavesBuffer();
</del><ins>+        copyCalleeSavesToVMEntryFrameCalleeSavesBuffer();
</ins><span class="cx"> 
</span><span class="cx">         // lookupExceptionHandlerFromCallerFrame is passed two arguments, the VM and the exec (the CallFrame*).
</span><span class="cx">         move(TrustedImmPtr(vm()), GPRInfo::argumentGPR0);
</span><span class="lines">@@ -159,7 +159,7 @@
</span><span class="cx">     if (!m_exceptionChecks.empty()) {
</span><span class="cx">         m_exceptionChecks.link(this);
</span><span class="cx"> 
</span><del>-        copyCalleeSavesToVMCalleeSavesBuffer();
</del><ins>+        copyCalleeSavesToVMEntryFrameCalleeSavesBuffer();
</ins><span class="cx"> 
</span><span class="cx">         // lookupExceptionHandler is passed two arguments, the VM and the exec (the CallFrame*).
</span><span class="cx">         move(TrustedImmPtr(vm()), GPRInfo::argumentGPR0);
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoredfgDFGOSREntrycpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/dfg/DFGOSREntry.cpp (200878 => 200879)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/dfg/DFGOSREntry.cpp        2016-05-13 19:42:38 UTC (rev 200878)
+++ trunk/Source/JavaScriptCore/dfg/DFGOSREntry.cpp        2016-05-13 20:16:29 UTC (rev 200879)
</span><span class="lines">@@ -1,5 +1,5 @@
</span><span class="cx"> /*
</span><del>- * Copyright (C) 2011, 2013, 2014, 2015 Apple Inc. All rights reserved.
</del><ins>+ * Copyright (C) 2011, 2013-2016 Apple Inc. All rights reserved.
</ins><span class="cx">  *
</span><span class="cx">  * Redistribution and use in source and binary forms, with or without
</span><span class="cx">  * modification, are permitted provided that the following conditions
</span><span class="lines">@@ -316,13 +316,14 @@
</span><span class="cx">     RegisterSet dontSaveRegisters = RegisterSet(RegisterSet::stackRegisters(), RegisterSet::allFPRs());
</span><span class="cx"> 
</span><span class="cx">     unsigned registerCount = registerSaveLocations-&gt;size();
</span><ins>+    VMEntryRecord* record = vmEntryRecord(vm-&gt;topVMEntryFrame);
</ins><span class="cx">     for (unsigned i = 0; i &lt; registerCount; i++) {
</span><span class="cx">         RegisterAtOffset currentEntry = registerSaveLocations-&gt;at(i);
</span><span class="cx">         if (dontSaveRegisters.get(currentEntry.reg()))
</span><span class="cx">             continue;
</span><del>-        RegisterAtOffset* vmCalleeSavesEntry = allCalleeSaves-&gt;find(currentEntry.reg());
</del><ins>+        RegisterAtOffset* calleeSavesEntry = allCalleeSaves-&gt;find(currentEntry.reg());
</ins><span class="cx">         
</span><del>-        *(bitwise_cast&lt;intptr_t*&gt;(pivot - 1) - currentEntry.offsetAsIndex()) = vm-&gt;calleeSaveRegistersBuffer[vmCalleeSavesEntry-&gt;offsetAsIndex()];
</del><ins>+        *(bitwise_cast&lt;intptr_t*&gt;(pivot - 1) - currentEntry.offsetAsIndex()) = record-&gt;calleeSaveRegistersBuffer[calleeSavesEntry-&gt;offsetAsIndex()];
</ins><span class="cx">     }
</span><span class="cx"> #endif
</span><span class="cx">     
</span></span></pre></div>
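<p>Review bot: the new record pointer is taken from vm-&gt;topVMEntryFrame once before the loop and then dereferenced on every iteration with no null check, and the same holds for calleeSavesEntry returned by allCalleeSaves-&gt;find(); both are presumably guaranteed by construction (prepareOSREntry runs inside a live entry session, and every register in registerSaveLocations is a callee save), but an ASSERT(record) next to the new declaration would document the first assumption and stop a null topVMEntryFrame from becoming a silent bad read of the buffer. Hoisting the lookup out of the loop is the right choice since the entry frame cannot change mid-loop, and the rename of vmCalleeSavesEntry to calleeSavesEntry is cosmetic and consistent with dropping the VM-scoped terminology elsewhere in the patch.</p>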
<a id="trunkSourceJavaScriptCoredfgDFGOSRExitCompilercpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/dfg/DFGOSRExitCompiler.cpp (200878 => 200879)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/dfg/DFGOSRExitCompiler.cpp        2016-05-13 19:42:38 UTC (rev 200878)
+++ trunk/Source/JavaScriptCore/dfg/DFGOSRExitCompiler.cpp        2016-05-13 20:16:29 UTC (rev 200879)
</span><span class="lines">@@ -151,7 +151,7 @@
</span><span class="cx">         if (exit.m_kind == GenericUnwind) {
</span><span class="cx">             // We are acting as a defacto op_catch because we arrive here from genericUnwind().
</span><span class="cx">             // So, we must restore our call frame and stack pointer.
</span><del>-            jit.restoreCalleeSavesFromVMCalleeSavesBuffer();
</del><ins>+            jit.restoreCalleeSavesFromVMEntryFrameCalleeSavesBuffer();
</ins><span class="cx">             jit.loadPtr(vm-&gt;addressOfCallFrameForCatch(), GPRInfo::callFrameRegister);
</span><span class="cx">             jit.addPtr(CCallHelpers::TrustedImm32(codeBlock-&gt;stackPointerOffset() * sizeof(Register)),
</span><span class="cx">                 GPRInfo::callFrameRegister, CCallHelpers::stackPointerRegister);
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoredfgDFGOSRExitCompiler32_64cpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/dfg/DFGOSRExitCompiler32_64.cpp (200878 => 200879)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/dfg/DFGOSRExitCompiler32_64.cpp        2016-05-13 19:42:38 UTC (rev 200878)
+++ trunk/Source/JavaScriptCore/dfg/DFGOSRExitCompiler32_64.cpp        2016-05-13 20:16:29 UTC (rev 200879)
</span><span class="lines">@@ -255,7 +255,7 @@
</span><span class="cx">     m_jit.emitSaveCalleeSavesFor(m_jit.baselineCodeBlock());
</span><span class="cx"> 
</span><span class="cx">     if (exit.isExceptionHandler())
</span><del>-        m_jit.copyCalleeSavesToVMCalleeSavesBuffer();
</del><ins>+        m_jit.copyCalleeSavesToVMEntryFrameCalleeSavesBuffer();
</ins><span class="cx"> 
</span><span class="cx">     // Do all data format conversions and store the results into the stack.
</span><span class="cx">     
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoredfgDFGOSRExitCompiler64cpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/dfg/DFGOSRExitCompiler64.cpp (200878 => 200879)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/dfg/DFGOSRExitCompiler64.cpp        2016-05-13 19:42:38 UTC (rev 200878)
+++ trunk/Source/JavaScriptCore/dfg/DFGOSRExitCompiler64.cpp        2016-05-13 20:16:29 UTC (rev 200879)
</span><span class="lines">@@ -265,7 +265,7 @@
</span><span class="cx">     m_jit.emitMaterializeTagCheckRegisters();
</span><span class="cx"> 
</span><span class="cx">     if (exit.isExceptionHandler())
</span><del>-        m_jit.copyCalleeSavesToVMCalleeSavesBuffer();
</del><ins>+        m_jit.copyCalleeSavesToVMEntryFrameCalleeSavesBuffer();
</ins><span class="cx"> 
</span><span class="cx">     // Do all data format conversions and store the results into the stack.
</span><span class="cx">     
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoredfgDFGThunkscpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/dfg/DFGThunks.cpp (200878 => 200879)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/dfg/DFGThunks.cpp        2016-05-13 19:42:38 UTC (rev 200878)
+++ trunk/Source/JavaScriptCore/dfg/DFGThunks.cpp        2016-05-13 20:16:29 UTC (rev 200879)
</span><span class="lines">@@ -135,7 +135,7 @@
</span><span class="cx">     jit.abortWithReason(DFGUnreasonableOSREntryJumpDestination);
</span><span class="cx"> 
</span><span class="cx">     ok.link(&amp;jit);
</span><del>-    jit.restoreCalleeSavesFromVMCalleeSavesBuffer();
</del><ins>+    jit.restoreCalleeSavesFromVMEntryFrameCalleeSavesBuffer();
</ins><span class="cx">     jit.emitMaterializeTagCheckRegisters();
</span><span class="cx"> 
</span><span class="cx">     jit.jump(GPRInfo::regT1);
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoreftlFTLCompilecpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/ftl/FTLCompile.cpp (200878 => 200879)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/ftl/FTLCompile.cpp        2016-05-13 19:42:38 UTC (rev 200878)
+++ trunk/Source/JavaScriptCore/ftl/FTLCompile.cpp        2016-05-13 20:16:29 UTC (rev 200879)
</span><span class="lines">@@ -121,7 +121,7 @@
</span><span class="cx"> 
</span><span class="cx">     // Emit the exception handler.
</span><span class="cx">     *state.exceptionHandler = jit.label();
</span><del>-    jit.copyCalleeSavesToVMCalleeSavesBuffer();
</del><ins>+    jit.copyCalleeSavesToVMEntryFrameCalleeSavesBuffer();
</ins><span class="cx">     jit.move(MacroAssembler::TrustedImmPtr(jit.vm()), GPRInfo::argumentGPR0);
</span><span class="cx">     jit.move(GPRInfo::callFrameRegister, GPRInfo::argumentGPR1);
</span><span class="cx">     CCallHelpers::Call call = jit.call();
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoreftlFTLLowerDFGToB3cpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/ftl/FTLLowerDFGToB3.cpp (200878 => 200879)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/ftl/FTLLowerDFGToB3.cpp        2016-05-13 19:42:38 UTC (rev 200878)
+++ trunk/Source/JavaScriptCore/ftl/FTLLowerDFGToB3.cpp        2016-05-13 20:16:29 UTC (rev 200879)
</span><span class="lines">@@ -206,7 +206,7 @@
</span><span class="cx">                 // clobber scratch.
</span><span class="cx">                 AllowMacroScratchRegisterUsage allowScratch(jit);
</span><span class="cx">                 
</span><del>-                jit.copyCalleeSavesToVMCalleeSavesBuffer();
</del><ins>+                jit.copyCalleeSavesToVMEntryFrameCalleeSavesBuffer();
</ins><span class="cx">                 jit.move(CCallHelpers::TrustedImmPtr(jit.vm()), GPRInfo::argumentGPR0);
</span><span class="cx">                 jit.move(GPRInfo::callFrameRegister, GPRInfo::argumentGPR1);
</span><span class="cx">                 CCallHelpers::Call call = jit.call();
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoreftlFTLOSRExitCompilercpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/ftl/FTLOSRExitCompiler.cpp (200878 => 200879)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/ftl/FTLOSRExitCompiler.cpp        2016-05-13 19:42:38 UTC (rev 200878)
+++ trunk/Source/JavaScriptCore/ftl/FTLOSRExitCompiler.cpp        2016-05-13 20:16:29 UTC (rev 200879)
</span><span class="lines">@@ -186,7 +186,7 @@
</span><span class="cx">     // The first thing we need to do is restablish our frame in the case of an exception.
</span><span class="cx">     if (exit.isGenericUnwindHandler()) {
</span><span class="cx">         RELEASE_ASSERT(vm-&gt;callFrameForCatch); // The first time we hit this exit, like at all other times, this field should be non-null.
</span><del>-        jit.restoreCalleeSavesFromVMCalleeSavesBuffer();
</del><ins>+        jit.restoreCalleeSavesFromVMEntryFrameCalleeSavesBuffer();
</ins><span class="cx">         jit.loadPtr(vm-&gt;addressOfCallFrameForCatch(), MacroAssembler::framePointerRegister);
</span><span class="cx">         jit.addPtr(CCallHelpers::TrustedImm32(codeBlock-&gt;stackPointerOffset() * sizeof(Register)),
</span><span class="cx">             MacroAssembler::framePointerRegister, CCallHelpers::stackPointerRegister);
</span><span class="lines">@@ -441,8 +441,10 @@
</span><span class="cx">     RegisterAtOffsetList* baselineCalleeSaves = baselineCodeBlock-&gt;calleeSaveRegisters();
</span><span class="cx">     RegisterAtOffsetList* vmCalleeSaves = vm-&gt;getAllCalleeSaveRegisterOffsets();
</span><span class="cx">     RegisterSet vmCalleeSavesToSkip = RegisterSet::stackRegisters();
</span><del>-    if (exit.isExceptionHandler())
-        jit.move(CCallHelpers::TrustedImmPtr(vm-&gt;calleeSaveRegistersBuffer), GPRInfo::regT1);
</del><ins>+    if (exit.isExceptionHandler()) {
+        jit.loadPtr(&amp;vm-&gt;topVMEntryFrame, GPRInfo::regT1);
+        jit.addPtr(CCallHelpers::TrustedImm32(VMEntryFrame::calleeSaveRegistersBufferOffset()), GPRInfo::regT1);
+    }
</ins><span class="cx"> 
</span><span class="cx">     for (Reg reg = Reg::first(); reg &lt;= Reg::last(); reg = reg.next()) {
</span><span class="cx">         if (!allFTLCalleeSaves.get(reg)) {
</span></span></pre></div>
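<p>Review bot: <code>VMEntryFrame::calleeSaveRegistersBufferOffset()</code> returns a <code>ptrdiff_t</code> that is narrowed into <code>TrustedImm32</code> on the new <code>addPtr</code> line; the distance is a small frame-relative offset so this is safe today, but an explicit <code>static_cast&lt;int32_t&gt;</code> with a range assertion at the one place that computes it would document the assumption instead of repeating the narrowing at each call site. The locals on the unchanged context lines, <code>vmCalleeSaves</code> and <code>vmCalleeSavesToSkip</code>, still say "vm" even though the buffer now lives in the VMEntryRecord; minor, but worth renaming together with the methods.</p>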
<a id="trunkSourceJavaScriptCoreinterpreterInterpretercpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/interpreter/Interpreter.cpp (200878 => 200879)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/interpreter/Interpreter.cpp        2016-05-13 19:42:38 UTC (rev 200878)
+++ trunk/Source/JavaScriptCore/interpreter/Interpreter.cpp        2016-05-13 20:16:29 UTC (rev 200879)
</span><span class="lines">@@ -695,18 +695,18 @@
</span><span class="cx">             if (LegacyProfiler* profiler = vm.enabledProfiler())
</span><span class="cx">                 profiler-&gt;exceptionUnwind(m_callFrame);
</span><span class="cx"> 
</span><del>-            copyCalleeSavesToVMCalleeSavesBuffer(visitor);
</del><ins>+            copyCalleeSavesToVMEntryFrameCalleeSavesBuffer(visitor);
</ins><span class="cx"> 
</span><span class="cx">             return StackVisitor::Done;
</span><span class="cx">         }
</span><span class="cx"> 
</span><del>-        copyCalleeSavesToVMCalleeSavesBuffer(visitor);
</del><ins>+        copyCalleeSavesToVMEntryFrameCalleeSavesBuffer(visitor);
</ins><span class="cx"> 
</span><span class="cx">         return StackVisitor::Continue;
</span><span class="cx">     }
</span><span class="cx"> 
</span><span class="cx"> private:
</span><del>-    void copyCalleeSavesToVMCalleeSavesBuffer(StackVisitor&amp; visitor) const
</del><ins>+    void copyCalleeSavesToVMEntryFrameCalleeSavesBuffer(StackVisitor&amp; visitor) const
</ins><span class="cx">     {
</span><span class="cx"> #if ENABLE(JIT) &amp;&amp; NUMBER_OF_CALLEE_SAVES_REGISTERS &gt; 0
</span><span class="cx"> 
</span><span class="lines">@@ -728,13 +728,14 @@
</span><span class="cx">         intptr_t* frame = reinterpret_cast&lt;intptr_t*&gt;(m_callFrame-&gt;registers());
</span><span class="cx"> 
</span><span class="cx">         unsigned registerCount = currentCalleeSaves-&gt;size();
</span><ins>+        VMEntryRecord* record = vmEntryRecord(vm.topVMEntryFrame);
</ins><span class="cx">         for (unsigned i = 0; i &lt; registerCount; i++) {
</span><span class="cx">             RegisterAtOffset currentEntry = currentCalleeSaves-&gt;at(i);
</span><span class="cx">             if (dontCopyRegisters.get(currentEntry.reg()))
</span><span class="cx">                 continue;
</span><del>-            RegisterAtOffset* vmCalleeSavesEntry = allCalleeSaves-&gt;find(currentEntry.reg());
</del><ins>+            RegisterAtOffset* calleeSavesEntry = allCalleeSaves-&gt;find(currentEntry.reg());
</ins><span class="cx">             
</span><del>-            vm.calleeSaveRegistersBuffer[vmCalleeSavesEntry-&gt;offsetAsIndex()] = *(frame + currentEntry.offsetAsIndex());
</del><ins>+            record-&gt;calleeSaveRegistersBuffer[calleeSavesEntry-&gt;offsetAsIndex()] = *(frame + currentEntry.offsetAsIndex());
</ins><span class="cx">         }
</span><span class="cx"> #else
</span><span class="cx">         UNUSED_PARAM(visitor);
</span></span></pre></div>
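<p>Review bot: hoisting <code>vmEntryRecord(vm.topVMEntryFrame)</code> out of the loop is right, but the visitor copies every frame's callee saves into the record of the VM's current top entry frame; that is only correct while the unwind never visits a frame belonging to an outer VM entry, i.e. the <code>StackVisitor::Done</code> path in the preceding hunk must fire at the entry-frame boundary. A one-line comment above the new <code>record</code> line stating that invariant would help, since the whole point of moving the buffer into the VMEntryRecord is that nested entries no longer share one buffer. As in the other copy loop, <code>calleeSavesEntry</code> from <code>find()</code> is dereferenced unchecked; an <code>ASSERT(calleeSavesEntry)</code> is cheap.</p>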
<a id="trunkSourceJavaScriptCoreinterpreterInterpreterh"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/interpreter/Interpreter.h (200878 => 200879)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/interpreter/Interpreter.h        2016-05-13 19:42:38 UTC (rev 200878)
+++ trunk/Source/JavaScriptCore/interpreter/Interpreter.h        2016-05-13 20:16:29 UTC (rev 200879)
</span><span class="lines">@@ -145,7 +145,7 @@
</span><span class="cx">         {
</span><span class="cx">             ASSERT(vm);
</span><span class="cx">             ASSERT(callFrame);
</span><del>-            ASSERT(callFrame &lt; vm-&gt;topVMEntryFrame);
</del><ins>+            ASSERT(reinterpret_cast&lt;void*&gt;(callFrame) &lt; reinterpret_cast&lt;void*&gt;(vm-&gt;topVMEntryFrame));
</ins><span class="cx">             vm-&gt;topCallFrame = callFrame;
</span><span class="cx">         }
</span><span class="cx">     };
</span></span></pre></div>
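<p>Review bot: the <code>reinterpret_cast&lt;void*&gt;</code> on both sides only gets the ASSERT compiling again now that <code>VMEntryFrame</code> is a struct instead of <code>void</code>; a relational comparison of pointers into different objects is unspecified in C++, so comparing as integers (<code>bitwise_cast&lt;uintptr_t&gt;(callFrame) &lt; bitwise_cast&lt;uintptr_t&gt;(vm-&gt;topVMEntryFrame)</code>) gives a well-defined stack-order check. Either way, a short comment that this encodes "the call frame lies below its entry frame on the stack" would make the debug-only assertion self-explanatory.</p>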
<a id="trunkSourceJavaScriptCoreinterpreterVMEntryRecordh"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/interpreter/VMEntryRecord.h (200878 => 200879)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/interpreter/VMEntryRecord.h        2016-05-13 19:42:38 UTC (rev 200878)
+++ trunk/Source/JavaScriptCore/interpreter/VMEntryRecord.h        2016-05-13 20:16:29 UTC (rev 200879)
</span><span class="lines">@@ -1,5 +1,5 @@
</span><span class="cx"> /*
</span><del>- * Copyright (C) 2014 Apple Inc. All rights reserved.
</del><ins>+ * Copyright (C) 2014, 2016 Apple Inc. All rights reserved.
</ins><span class="cx">  *
</span><span class="cx">  * Redistribution and use in source and binary forms, with or without
</span><span class="cx">  * modification, are permitted provided that the following conditions
</span><span class="lines">@@ -26,10 +26,11 @@
</span><span class="cx"> #ifndef VMEntryRecord_h
</span><span class="cx"> #define VMEntryRecord_h
</span><span class="cx"> 
</span><ins>+#include &quot;GPRInfo.h&quot;
+
</ins><span class="cx"> namespace JSC {
</span><span class="cx"> 
</span><del>-typedef void VMEntryFrame;
-
</del><ins>+struct VMEntryFrame;
</ins><span class="cx"> class ExecState;
</span><span class="cx"> class VM;
</span><span class="cx"> 
</span><span class="lines">@@ -42,6 +43,10 @@
</span><span class="cx">     ExecState* m_prevTopCallFrame;
</span><span class="cx">     VMEntryFrame* m_prevTopVMEntryFrame;
</span><span class="cx"> 
</span><ins>+#if ENABLE(JIT) &amp;&amp; NUMBER_OF_CALLEE_SAVES_REGISTERS &gt; 0
+    intptr_t calleeSaveRegistersBuffer[NUMBER_OF_CALLEE_SAVES_REGISTERS];
+#endif
+
</ins><span class="cx">     ExecState* prevTopCallFrame() { return m_prevTopCallFrame; }
</span><span class="cx">     SUPPRESS_ASAN ExecState* unsafePrevTopCallFrame() { return m_prevTopCallFrame; }
</span><span class="cx"> 
</span><span class="lines">@@ -51,6 +56,23 @@
</span><span class="cx"> 
</span><span class="cx"> extern &quot;C&quot; VMEntryRecord* vmEntryRecord(VMEntryFrame*);
</span><span class="cx"> 
</span><ins>+struct VMEntryFrame {
+#if ENABLE(JIT) &amp;&amp; NUMBER_OF_CALLEE_SAVES_REGISTERS &gt; 0
+    static ptrdiff_t vmEntryRecordOffset()
+    {
+        VMEntryFrame* fakeVMEntryFrame = reinterpret_cast&lt;VMEntryFrame*&gt;(0x1000);
+        VMEntryRecord* record = vmEntryRecord(fakeVMEntryFrame);
+        return static_cast&lt;ptrdiff_t&gt;(
+            reinterpret_cast&lt;char*&gt;(record) - reinterpret_cast&lt;char*&gt;(fakeVMEntryFrame));
+    }
+
+    static ptrdiff_t calleeSaveRegistersBufferOffset()
+    {
+        return vmEntryRecordOffset() + OBJECT_OFFSETOF(VMEntryRecord, calleeSaveRegistersBuffer);
+    }
+#endif
+};
+
</ins><span class="cx"> } // namespace JSC
</span><span class="cx"> 
</span><span class="cx"> #endif // VMEntryRecord_h
</span></span></pre></div>
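<p>Review bot: <code>vmEntryRecordOffset()</code> derives the record offset by calling <code>vmEntryRecord()</code> on a fake <code>0x1000</code> pointer, which only works because <code>vmEntryRecord()</code> is pure pointer arithmetic and never dereferences its argument (true of the C Loop version in LLIntThunks.cpp, and it must stay true of the assembly version). State that contract in a comment above the fake pointer so a future <code>vmEntryRecord()</code> that touches memory does not fault at JIT time. The <code>#if ENABLE(JIT) &amp;&amp; NUMBER_OF_CALLEE_SAVES_REGISTERS &gt; 0</code> guard here matches the one on the new <code>calleeSaveRegistersBuffer</code> member, so <code>OBJECT_OFFSETOF(VMEntryRecord, calleeSaveRegistersBuffer)</code> cannot be reached when the member is absent; AssemblyHelpers guards on <code>NUMBER_OF_CALLEE_SAVES_REGISTERS &gt; 0</code> alone, which is fine only because that file is JIT-only, and a comment on either side would record why the two conditions differ.</p>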
<a id="trunkSourceJavaScriptCorejitAssemblyHelperscpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/jit/AssemblyHelpers.cpp (200878 => 200879)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/jit/AssemblyHelpers.cpp        2016-05-13 19:42:38 UTC (rev 200878)
+++ trunk/Source/JavaScriptCore/jit/AssemblyHelpers.cpp        2016-05-13 20:16:29 UTC (rev 200879)
</span><span class="lines">@@ -566,24 +566,50 @@
</span><span class="cx"> }
</span><span class="cx"> #endif
</span><span class="cx"> 
</span><del>-void AssemblyHelpers::restoreCalleeSavesFromVMCalleeSavesBuffer()
</del><ins>+void AssemblyHelpers::restoreCalleeSavesFromVMEntryFrameCalleeSavesBuffer()
</ins><span class="cx"> {
</span><span class="cx"> #if NUMBER_OF_CALLEE_SAVES_REGISTERS &gt; 0
</span><del>-    char* sourceBuffer = bitwise_cast&lt;char*&gt;(m_vm-&gt;calleeSaveRegistersBuffer);
-
</del><span class="cx">     RegisterAtOffsetList* allCalleeSaves = m_vm-&gt;getAllCalleeSaveRegisterOffsets();
</span><span class="cx">     RegisterSet dontRestoreRegisters = RegisterSet::stackRegisters();
</span><span class="cx">     unsigned registerCount = allCalleeSaves-&gt;size();
</span><del>-    
</del><ins>+
+    GPRReg scratch = InvalidGPRReg;
+    unsigned scratchGPREntryIndex = 0;
+
+    // Use the first GPR entry's register as our scratch.
</ins><span class="cx">     for (unsigned i = 0; i &lt; registerCount; i++) {
</span><span class="cx">         RegisterAtOffset entry = allCalleeSaves-&gt;at(i);
</span><span class="cx">         if (dontRestoreRegisters.get(entry.reg()))
</span><span class="cx">             continue;
</span><del>-        if (entry.reg().isGPR())
-            loadPtr(static_cast&lt;void*&gt;(sourceBuffer + entry.offset()), entry.reg().gpr());
-        else
-            loadDouble(TrustedImmPtr(sourceBuffer + entry.offset()), entry.reg().fpr());
</del><ins>+        if (entry.reg().isGPR()) {
+            scratchGPREntryIndex = i;
+            scratch = entry.reg().gpr();
+            break;
+        }
</ins><span class="cx">     }
</span><ins>+    ASSERT(scratch != InvalidGPRReg);
+
+    loadPtr(&amp;m_vm-&gt;topVMEntryFrame, scratch);
+    addPtr(TrustedImm32(VMEntryFrame::calleeSaveRegistersBufferOffset()), scratch);
+
+    // Restore all callee saves except for the scratch.
+    for (unsigned i = 0; i &lt; registerCount; i++) {
+        RegisterAtOffset entry = allCalleeSaves-&gt;at(i);
+        if (dontRestoreRegisters.get(entry.reg()))
+            continue;
+        if (entry.reg().isGPR()) {
+            if (i != scratchGPREntryIndex)
+                loadPtr(Address(scratch, entry.offset()), entry.reg().gpr());
+        } else
+            loadDouble(Address(scratch, entry.offset()), entry.reg().fpr());
+    }
+
+    // Restore the callee save value of the scratch.
+    RegisterAtOffset entry = allCalleeSaves-&gt;at(scratchGPREntryIndex);
+    ASSERT(!dontRestoreRegisters.get(entry.reg()));
+    ASSERT(entry.reg().isGPR());
+    ASSERT(scratch == entry.reg().gpr());
+    loadPtr(Address(scratch, entry.offset()), scratch);
</ins><span class="cx"> #endif
</span><span class="cx"> }
</span><span class="cx"> 
</span></span></pre></div>
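<p>Review bot: the scratch register picked by the first loop is only validated by a debug <code>ASSERT(scratch != InvalidGPRReg)</code>; in a release build with no GPR among the callee saves, <code>loadPtr(&amp;m_vm-&gt;topVMEntryFrame, scratch)</code> would be emitted with an invalid register. Since <code>NUMBER_OF_CALLEE_SAVES_REGISTERS &gt; 0</code> already implies at least one GPR on the supported targets, a <code>RELEASE_ASSERT</code> or <code>static_assert</code> would make that assumption explicit. The ordering is correct: every FPR and non-scratch GPR is loaded through <code>Address(scratch, entry.offset())</code> first and the scratch's own saved value last, because that final load clobbers the base pointer; the comment "Restore the callee save value of the scratch" should say why it must come last, so nobody later merges the two loops.</p>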
<a id="trunkSourceJavaScriptCorejitAssemblyHelpersh"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/jit/AssemblyHelpers.h (200878 => 200879)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/jit/AssemblyHelpers.h        2016-05-13 19:42:38 UTC (rev 200878)
+++ trunk/Source/JavaScriptCore/jit/AssemblyHelpers.h        2016-05-13 20:16:29 UTC (rev 200879)
</span><span class="lines">@@ -313,12 +313,13 @@
</span><span class="cx"> #endif
</span><span class="cx">     }
</span><span class="cx"> 
</span><del>-    void copyCalleeSavesToVMCalleeSavesBuffer(const TempRegisterSet&amp; usedRegisters = { RegisterSet::stubUnavailableRegisters() })
</del><ins>+    void copyCalleeSavesToVMEntryFrameCalleeSavesBuffer(const TempRegisterSet&amp; usedRegisters = { RegisterSet::stubUnavailableRegisters() })
</ins><span class="cx">     {
</span><span class="cx"> #if NUMBER_OF_CALLEE_SAVES_REGISTERS &gt; 0
</span><span class="cx">         GPRReg temp1 = usedRegisters.getFreeGPR(0);
</span><span class="cx"> 
</span><del>-        move(TrustedImmPtr(m_vm-&gt;calleeSaveRegistersBuffer), temp1);
</del><ins>+        loadPtr(&amp;m_vm-&gt;topVMEntryFrame, temp1);
+        addPtr(TrustedImm32(VMEntryFrame::calleeSaveRegistersBufferOffset()), temp1);
</ins><span class="cx"> 
</span><span class="cx">         RegisterAtOffsetList* allCalleeSaves = m_vm-&gt;getAllCalleeSaveRegisterOffsets();
</span><span class="cx">         RegisterSet dontCopyRegisters = RegisterSet::stackRegisters();
</span><span class="lines">@@ -338,9 +339,9 @@
</span><span class="cx"> #endif
</span><span class="cx">     }
</span><span class="cx"> 
</span><del>-    void restoreCalleeSavesFromVMCalleeSavesBuffer();
</del><ins>+    void restoreCalleeSavesFromVMEntryFrameCalleeSavesBuffer();
</ins><span class="cx"> 
</span><del>-    void copyCalleeSavesFromFrameOrRegisterToVMCalleeSavesBuffer(const TempRegisterSet&amp; usedRegisters = { RegisterSet::stubUnavailableRegisters() })
</del><ins>+    void copyCalleeSavesFromFrameOrRegisterToVMEntryFrameCalleeSavesBuffer(const TempRegisterSet&amp; usedRegisters = { RegisterSet::stubUnavailableRegisters() })
</ins><span class="cx">     {
</span><span class="cx"> #if NUMBER_OF_CALLEE_SAVES_REGISTERS &gt; 0
</span><span class="cx">         GPRReg temp1 = usedRegisters.getFreeGPR(0);
</span><span class="lines">@@ -351,7 +352,8 @@
</span><span class="cx">         ASSERT(codeBlock());
</span><span class="cx"> 
</span><span class="cx">         // Copy saved calleeSaves on stack or unsaved calleeSaves in register to vm calleeSave buffer
</span><del>-        move(TrustedImmPtr(m_vm-&gt;calleeSaveRegistersBuffer), temp1);
</del><ins>+        loadPtr(&amp;m_vm-&gt;topVMEntryFrame, temp1);
+        addPtr(TrustedImm32(VMEntryFrame::calleeSaveRegistersBufferOffset()), temp1);
</ins><span class="cx"> 
</span><span class="cx">         RegisterAtOffsetList* allCalleeSaves = m_vm-&gt;getAllCalleeSaveRegisterOffsets();
</span><span class="cx">         RegisterAtOffsetList* currentCalleeSaves = codeBlock()-&gt;calleeSaveRegisters();
</span></span></pre></div>
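<p>Review bot: the unchanged comment "Copy saved calleeSaves on stack or unsaved calleeSaves in register to vm calleeSave buffer" is stale now that the two new lines below it address the buffer inside the <code>VMEntryRecord</code> of <code>topVMEntryFrame</code>; update it with the rename. The pair <code>loadPtr(&amp;m_vm-&gt;topVMEntryFrame, temp1); addPtr(TrustedImm32(VMEntryFrame::calleeSaveRegistersBufferOffset()), temp1);</code> is now repeated verbatim in both methods of this header, in <code>restoreCalleeSavesFromVMEntryFrameCalleeSavesBuffer()</code> in AssemblyHelpers.cpp and in FTLOSRExitCompiler.cpp; a small helper on <code>AssemblyHelpers</code> that materializes the buffer pointer into a given GPR (name to be chosen) would keep the four copies from drifting.</p>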
<a id="trunkSourceJavaScriptCorejitJITcpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/jit/JIT.cpp (200878 => 200879)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/jit/JIT.cpp        2016-05-13 19:42:38 UTC (rev 200878)
+++ trunk/Source/JavaScriptCore/jit/JIT.cpp        2016-05-13 20:16:29 UTC (rev 200879)
</span><span class="lines">@@ -96,7 +96,7 @@
</span><span class="cx">     skipOptimize.append(branchAdd32(Signed, TrustedImm32(Options::executionCounterIncrementForEntry()), AbsoluteAddress(m_codeBlock-&gt;addressOfJITExecuteCounter())));
</span><span class="cx">     ASSERT(!m_bytecodeOffset);
</span><span class="cx"> 
</span><del>-    copyCalleeSavesFromFrameOrRegisterToVMCalleeSavesBuffer();
</del><ins>+    copyCalleeSavesFromFrameOrRegisterToVMEntryFrameCalleeSavesBuffer();
</ins><span class="cx"> 
</span><span class="cx">     callOperation(operationOptimize, m_bytecodeOffset);
</span><span class="cx">     skipOptimize.append(branchTestPtr(Zero, returnValueGPR));
</span><span class="lines">@@ -785,7 +785,7 @@
</span><span class="cx">     if (!m_exceptionChecksWithCallFrameRollback.empty()) {
</span><span class="cx">         m_exceptionChecksWithCallFrameRollback.link(this);
</span><span class="cx"> 
</span><del>-        copyCalleeSavesToVMCalleeSavesBuffer();
</del><ins>+        copyCalleeSavesToVMEntryFrameCalleeSavesBuffer();
</ins><span class="cx"> 
</span><span class="cx">         // lookupExceptionHandlerFromCallerFrame is passed two arguments, the VM and the exec (the CallFrame*).
</span><span class="cx"> 
</span><span class="lines">@@ -804,7 +804,7 @@
</span><span class="cx">     if (!m_exceptionChecks.empty()) {
</span><span class="cx">         m_exceptionChecks.link(this);
</span><span class="cx"> 
</span><del>-        copyCalleeSavesToVMCalleeSavesBuffer();
</del><ins>+        copyCalleeSavesToVMEntryFrameCalleeSavesBuffer();
</ins><span class="cx"> 
</span><span class="cx">         // lookupExceptionHandler is passed two arguments, the VM and the exec (the CallFrame*).
</span><span class="cx">         move(TrustedImmPtr(vm()), GPRInfo::argumentGPR0);
</span></span></pre></div>
<a id="trunkSourceJavaScriptCorejitJITOpcodescpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/jit/JITOpcodes.cpp (200878 => 200879)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/jit/JITOpcodes.cpp        2016-05-13 19:42:38 UTC (rev 200878)
+++ trunk/Source/JavaScriptCore/jit/JITOpcodes.cpp        2016-05-13 20:16:29 UTC (rev 200879)
</span><span class="lines">@@ -442,7 +442,7 @@
</span><span class="cx"> void JIT::emit_op_throw(Instruction* currentInstruction)
</span><span class="cx"> {
</span><span class="cx">     ASSERT(regT0 == returnValueGPR);
</span><del>-    copyCalleeSavesToVMCalleeSavesBuffer();
</del><ins>+    copyCalleeSavesToVMEntryFrameCalleeSavesBuffer();
</ins><span class="cx">     emitGetVirtualRegister(currentInstruction[1].u.operand, regT0);
</span><span class="cx">     callOperationNoExceptionCheck(operationThrow, regT0);
</span><span class="cx">     jumpToExceptionHandler();
</span><span class="lines">@@ -518,7 +518,7 @@
</span><span class="cx"> 
</span><span class="cx"> void JIT::emit_op_catch(Instruction* currentInstruction)
</span><span class="cx"> {
</span><del>-    restoreCalleeSavesFromVMCalleeSavesBuffer();
</del><ins>+    restoreCalleeSavesFromVMEntryFrameCalleeSavesBuffer();
</ins><span class="cx"> 
</span><span class="cx">     move(TrustedImmPtr(m_vm), regT3);
</span><span class="cx">     load64(Address(regT3, VM::callFrameForCatchOffset()), callFrameRegister);
</span><span class="lines">@@ -935,7 +935,7 @@
</span><span class="cx">     if (canBeOptimized()) {
</span><span class="cx">         linkSlowCase(iter);
</span><span class="cx"> 
</span><del>-        copyCalleeSavesFromFrameOrRegisterToVMCalleeSavesBuffer();
</del><ins>+        copyCalleeSavesFromFrameOrRegisterToVMEntryFrameCalleeSavesBuffer();
</ins><span class="cx"> 
</span><span class="cx">         callOperation(operationOptimize, m_bytecodeOffset);
</span><span class="cx">         Jump noOptimizedEntry = branchTestPtr(Zero, returnValueGPR);
</span></span></pre></div>
<a id="trunkSourceJavaScriptCorejitJITOpcodes32_64cpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/jit/JITOpcodes32_64.cpp (200878 => 200879)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/jit/JITOpcodes32_64.cpp        2016-05-13 19:42:38 UTC (rev 200878)
+++ trunk/Source/JavaScriptCore/jit/JITOpcodes32_64.cpp        2016-05-13 20:16:29 UTC (rev 200879)
</span><span class="lines">@@ -787,7 +787,7 @@
</span><span class="cx"> void JIT::emit_op_throw(Instruction* currentInstruction)
</span><span class="cx"> {
</span><span class="cx">     ASSERT(regT0 == returnValueGPR);
</span><del>-    copyCalleeSavesToVMCalleeSavesBuffer();
</del><ins>+    copyCalleeSavesToVMEntryFrameCalleeSavesBuffer();
</ins><span class="cx">     emitLoad(currentInstruction[1].u.operand, regT1, regT0);
</span><span class="cx">     callOperationNoExceptionCheck(operationThrow, regT1, regT0);
</span><span class="cx">     jumpToExceptionHandler();
</span><span class="lines">@@ -847,7 +847,7 @@
</span><span class="cx"> 
</span><span class="cx"> void JIT::emit_op_catch(Instruction* currentInstruction)
</span><span class="cx"> {
</span><del>-    restoreCalleeSavesFromVMCalleeSavesBuffer();
</del><ins>+    restoreCalleeSavesFromVMEntryFrameCalleeSavesBuffer();
</ins><span class="cx"> 
</span><span class="cx">     move(TrustedImmPtr(m_vm), regT3);
</span><span class="cx">     // operationThrow returns the callFrame for the handler.
</span></span></pre></div>
<a id="trunkSourceJavaScriptCorejitThunkGeneratorscpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/jit/ThunkGenerators.cpp (200878 => 200879)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/jit/ThunkGenerators.cpp        2016-05-13 19:42:38 UTC (rev 200878)
+++ trunk/Source/JavaScriptCore/jit/ThunkGenerators.cpp        2016-05-13 20:16:29 UTC (rev 200879)
</span><span class="lines">@@ -66,7 +66,7 @@
</span><span class="cx">     // even though we won't use it.
</span><span class="cx">     jit.preserveReturnAddressAfterCall(GPRInfo::nonPreservedNonReturnGPR);
</span><span class="cx"> 
</span><del>-    jit.copyCalleeSavesToVMCalleeSavesBuffer();
</del><ins>+    jit.copyCalleeSavesToVMEntryFrameCalleeSavesBuffer();
</ins><span class="cx"> 
</span><span class="cx">     jit.setupArguments(CCallHelpers::TrustedImmPtr(vm), GPRInfo::callFrameRegister);
</span><span class="cx">     jit.move(CCallHelpers::TrustedImmPtr(bitwise_cast&lt;void*&gt;(lookupExceptionHandler)), GPRInfo::nonArgGPR0);
</span><span class="lines">@@ -355,7 +355,7 @@
</span><span class="cx">     // Handle an exception
</span><span class="cx">     exceptionHandler.link(&amp;jit);
</span><span class="cx"> 
</span><del>-    jit.copyCalleeSavesToVMCalleeSavesBuffer();
</del><ins>+    jit.copyCalleeSavesToVMEntryFrameCalleeSavesBuffer();
</ins><span class="cx">     jit.storePtr(JSInterfaceJIT::callFrameRegister, &amp;vm-&gt;topCallFrame);
</span><span class="cx"> 
</span><span class="cx"> #if CPU(X86) &amp;&amp; USE(JSVALUE32_64)
</span></span></pre></div>
<a id="trunkSourceJavaScriptCorellintLLIntThunkscpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/llint/LLIntThunks.cpp (200878 => 200879)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/llint/LLIntThunks.cpp        2016-05-13 19:42:38 UTC (rev 200878)
+++ trunk/Source/JavaScriptCore/llint/LLIntThunks.cpp        2016-05-13 20:16:29 UTC (rev 200879)
</span><span class="lines">@@ -116,7 +116,7 @@
</span><span class="cx">     // The C Loop doesn't have any callee save registers, so the VMEntryRecord is allocated at the base of the frame.
</span><span class="cx">     intptr_t stackAlignment = stackAlignmentBytes();
</span><span class="cx">     intptr_t VMEntryTotalFrameSize = (sizeof(VMEntryRecord) + (stackAlignment - 1)) &amp; ~(stackAlignment - 1);
</span><del>-    return reinterpret_cast&lt;VMEntryRecord*&gt;(static_cast&lt;char*&gt;(entryFrame) - VMEntryTotalFrameSize);
</del><ins>+    return reinterpret_cast&lt;VMEntryRecord*&gt;(reinterpret_cast&lt;char*&gt;(entryFrame) - VMEntryTotalFrameSize);
</ins><span class="cx"> }
</span><span class="cx"> 
</span><span class="cx"> 
</span></span></pre></div>
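<p>Review bot: this is only the C Loop definition of <code>vmEntryRecord()</code>, where <code>VMEntryTotalFrameSize</code> is derived from <code>sizeof(VMEntryRecord)</code> and the first context line explains why the record sits at the base of the frame. In JIT builds the record has grown by <code>NUMBER_OF_CALLEE_SAVES_REGISTERS</code> words, so the assembly-side <code>vmEntryRecord</code> macro used by the LLInt hunks and the entry thunk's frame size must be updated to match; that change is not visible here, so please confirm it lands in this patch. The switch from <code>static_cast</code> to <code>reinterpret_cast</code> is the expected fallout of <code>VMEntryFrame</code> becoming a struct.</p>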
<a id="trunkSourceJavaScriptCorellintLowLevelInterpreterasm"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/llint/LowLevelInterpreter.asm (200878 => 200879)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/llint/LowLevelInterpreter.asm        2016-05-13 19:42:38 UTC (rev 200878)
+++ trunk/Source/JavaScriptCore/llint/LowLevelInterpreter.asm        2016-05-13 20:16:29 UTC (rev 200879)
</span><span class="lines">@@ -568,9 +568,11 @@
</span><span class="cx">     end
</span><span class="cx"> end
</span><span class="cx"> 
</span><del>-macro copyCalleeSavesToVMCalleeSavesBuffer(vm, temp)
</del><ins>+macro copyCalleeSavesToVMEntryFrameCalleeSavesBuffer(vm, temp)
</ins><span class="cx">     if ARM64 or X86_64 or X86_64_WIN
</span><del>-        leap VM::calleeSaveRegistersBuffer[vm], temp
</del><ins>+        loadp VM::topVMEntryFrame[vm], temp
+        vmEntryRecord(temp, temp)
+        leap VMEntryRecord::calleeSaveRegistersBuffer[temp], temp
</ins><span class="cx">         if ARM64
</span><span class="cx">             storep csr0, [temp]
</span><span class="cx">             storep csr1, 8[temp]
</span><span class="lines">@@ -608,9 +610,11 @@
</span><span class="cx">     end
</span><span class="cx"> end
</span><span class="cx"> 
</span><del>-macro restoreCalleeSavesFromVMCalleeSavesBuffer(vm, temp)
</del><ins>+macro restoreCalleeSavesFromVMEntryFrameCalleeSavesBuffer(vm, temp)
</ins><span class="cx">     if ARM64 or X86_64 or X86_64_WIN
</span><del>-        leap VM::calleeSaveRegistersBuffer[vm], temp
</del><ins>+        loadp VM::topVMEntryFrame[vm], temp
+        vmEntryRecord(temp, temp)
+        leap VMEntryRecord::calleeSaveRegistersBuffer[temp], temp
</ins><span class="cx">         if ARM64
</span><span class="cx">             loadp [temp], csr0
</span><span class="cx">             loadp 8[temp], csr1
</span></span></pre></div>
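<p>Review bot: both macros now compute the buffer address with the same three instructions (<code>loadp VM::topVMEntryFrame[vm], temp</code>, <code>vmEntryRecord(temp, temp)</code>, <code>leap VMEntryRecord::calleeSaveRegistersBuffer[temp], temp</code>); factoring them into one macro would keep the copy and restore paths from diverging. <code>vmEntryRecord(temp, temp)</code> passes the same register as input and output, which is fine only if that macro is an in-place subtraction with no intermediate use of a second register; a comment at its definition should state that. The fixed slots that follow (<code>[temp]</code>, <code>8[temp]</code>, ...) must match the order <code>getAllCalleeSaveRegisterOffsets()</code> produces on the C++ side; that coupling predates this change but is worth a cross-reference now that the buffer lives in a different struct.</p>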
<a id="trunkSourceJavaScriptCorellintLowLevelInterpreter32_64asm"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/llint/LowLevelInterpreter32_64.asm (200878 => 200879)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/llint/LowLevelInterpreter32_64.asm        2016-05-13 19:42:38 UTC (rev 200878)
+++ trunk/Source/JavaScriptCore/llint/LowLevelInterpreter32_64.asm        2016-05-13 20:16:29 UTC (rev 200879)
</span><span class="lines">@@ -302,7 +302,7 @@
</span><span class="cx">     loadp Callee + PayloadOffset[cfr], t3
</span><span class="cx">     andp MarkedBlockMask, t3
</span><span class="cx">     loadp MarkedBlock::m_weakSet + WeakSet::m_vm[t3], t3
</span><del>-    restoreCalleeSavesFromVMCalleeSavesBuffer(t3, t0)
</del><ins>+    restoreCalleeSavesFromVMEntryFrameCalleeSavesBuffer(t3, t0)
</ins><span class="cx">     loadp VM::callFrameForCatch[t3], cfr
</span><span class="cx">     storep 0, VM::callFrameForCatch[t3]
</span><span class="cx"> 
</span><span class="lines">@@ -1915,7 +1915,7 @@
</span><span class="cx">     loadp Callee + PayloadOffset[cfr], t3
</span><span class="cx">     andp MarkedBlockMask, t3
</span><span class="cx">     loadp MarkedBlock::m_weakSet + WeakSet::m_vm[t3], t3
</span><del>-    restoreCalleeSavesFromVMCalleeSavesBuffer(t3, t0)
</del><ins>+    restoreCalleeSavesFromVMEntryFrameCalleeSavesBuffer(t3, t0)
</ins><span class="cx">     loadp VM::callFrameForCatch[t3], cfr
</span><span class="cx">     storep 0, VM::callFrameForCatch[t3]
</span><span class="cx">     restoreStackPointerAfterCall()
</span><span class="lines">@@ -1965,7 +1965,7 @@
</span><span class="cx">     loadp Callee[cfr], t1
</span><span class="cx">     andp MarkedBlockMask, t1
</span><span class="cx">     loadp MarkedBlock::m_weakSet + WeakSet::m_vm[t1], t1
</span><del>-    copyCalleeSavesToVMCalleeSavesBuffer(t1, t2)
</del><ins>+    copyCalleeSavesToVMEntryFrameCalleeSavesBuffer(t1, t2)
</ins><span class="cx">     jmp VM::targetMachinePCForThrow[t1]
</span><span class="cx"> 
</span><span class="cx"> 
</span></span></pre></div>
<a id="trunkSourceJavaScriptCorellintLowLevelInterpreter64asm"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/llint/LowLevelInterpreter64.asm (200878 => 200879)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/llint/LowLevelInterpreter64.asm        2016-05-13 19:42:38 UTC (rev 200878)
+++ trunk/Source/JavaScriptCore/llint/LowLevelInterpreter64.asm        2016-05-13 20:16:29 UTC (rev 200879)
</span><span class="lines">@@ -274,7 +274,7 @@
</span><span class="cx">     loadp Callee[cfr], t3
</span><span class="cx">     andp MarkedBlockMask, t3
</span><span class="cx">     loadp MarkedBlock::m_weakSet + WeakSet::m_vm[t3], t3
</span><del>-    restoreCalleeSavesFromVMCalleeSavesBuffer(t3, t0)
</del><ins>+    restoreCalleeSavesFromVMEntryFrameCalleeSavesBuffer(t3, t0)
</ins><span class="cx">     loadp VM::callFrameForCatch[t3], cfr
</span><span class="cx">     storep 0, VM::callFrameForCatch[t3]
</span><span class="cx"> 
</span><span class="lines">@@ -1794,7 +1794,7 @@
</span><span class="cx">     loadp Callee[cfr], t3
</span><span class="cx">     andp MarkedBlockMask, t3
</span><span class="cx">     loadp MarkedBlock::m_weakSet + WeakSet::m_vm[t3], t3
</span><del>-    restoreCalleeSavesFromVMCalleeSavesBuffer(t3, t0)
</del><ins>+    restoreCalleeSavesFromVMEntryFrameCalleeSavesBuffer(t3, t0)
</ins><span class="cx">     loadp VM::callFrameForCatch[t3], cfr
</span><span class="cx">     storep 0, VM::callFrameForCatch[t3]
</span><span class="cx">     restoreStackPointerAfterCall()
</span><span class="lines">@@ -1840,7 +1840,7 @@
</span><span class="cx">     loadp Callee[cfr], t1
</span><span class="cx">     andp MarkedBlockMask, t1
</span><span class="cx">     loadp MarkedBlock::m_weakSet + WeakSet::m_vm[t1], t1
</span><del>-    copyCalleeSavesToVMCalleeSavesBuffer(t1, t2)
</del><ins>+    copyCalleeSavesToVMEntryFrameCalleeSavesBuffer(t1, t2)
</ins><span class="cx"> 
</span><span class="cx">     callSlowPath(_llint_slow_path_handle_exception)
</span><span class="cx"> 
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoreruntimeVMh"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/runtime/VM.h (200878 => 200879)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/runtime/VM.h        2016-05-13 19:42:38 UTC (rev 200878)
+++ trunk/Source/JavaScriptCore/runtime/VM.h        2016-05-13 20:16:29 UTC (rev 200879)
</span><span class="lines">@@ -34,9 +34,6 @@
</span><span class="cx"> #include &quot;DateInstanceCache.h&quot;
</span><span class="cx"> #include &quot;ExecutableAllocator.h&quot;
</span><span class="cx"> #include &quot;FunctionHasExecutedCache.h&quot;
</span><del>-#if ENABLE(JIT)
-#include &quot;GPRInfo.h&quot;
-#endif
</del><span class="cx"> #include &quot;Heap.h&quot;
</span><span class="cx"> #include &quot;Intrinsic.h&quot;
</span><span class="cx"> #include &quot;JITThunks.h&quot;
</span><span class="lines">@@ -384,15 +381,6 @@
</span><span class="cx">     SourceProviderCacheMap sourceProviderCacheMap;
</span><span class="cx">     Interpreter* interpreter;
</span><span class="cx"> #if ENABLE(JIT)
</span><del>-#if NUMBER_OF_CALLEE_SAVES_REGISTERS &gt; 0
-    intptr_t calleeSaveRegistersBuffer[NUMBER_OF_CALLEE_SAVES_REGISTERS];
-
-    static ptrdiff_t calleeSaveRegistersBufferOffset()
-    {
-        return OBJECT_OFFSETOF(VM, calleeSaveRegistersBuffer);
-    }
-#endif // NUMBER_OF_CALLEE_SAVES_REGISTERS &gt; 0
-
</del><span class="cx">     std::unique_ptr&lt;JITThunks&gt; jitStubs;
</span><span class="cx">     MacroAssemblerCodeRef getCTIStub(ThunkGenerator generator)
</span><span class="cx">     {
</span></span></pre></div>
<a id="trunkSourceJavaScriptCorewasmWASMFunctionCompilerh"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/wasm/WASMFunctionCompiler.h (200878 => 200879)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/wasm/WASMFunctionCompiler.h        2016-05-13 19:42:38 UTC (rev 200878)
+++ trunk/Source/JavaScriptCore/wasm/WASMFunctionCompiler.h        2016-05-13 20:16:29 UTC (rev 200879)
</span><span class="lines">@@ -237,7 +237,7 @@
</span><span class="cx">         if (!m_exceptionChecks.empty()) {
</span><span class="cx">             m_exceptionChecks.link(this);
</span><span class="cx"> 
</span><del>-            copyCalleeSavesToVMCalleeSavesBuffer();
</del><ins>+            copyCalleeSavesToVMEntryFrameCalleeSavesBuffer();
</ins><span class="cx"> 
</span><span class="cx">             // lookupExceptionHandler is passed two arguments, the VM and the exec (the CallFrame*).
</span><span class="cx">             move(TrustedImmPtr(vm()), GPRInfo::argumentGPR0);
</span></span></pre>
</div>
</div>

</body>
</html>