<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN"
"http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head><meta http-equiv="content-type" content="text/html; charset=utf-8" />
<title>[213791] releases/WebKitGTK/webkit-2.16</title>
</head>
<body>

<style type="text/css"><!--
#msg dl.meta { border: 1px #006 solid; background: #369; padding: 6px; color: #fff; }
#msg dl.meta dt { float: left; width: 6em; font-weight: bold; }
#msg dt:after { content:':';}
#msg dl, #msg dt, #msg ul, #msg li, #header, #footer, #logmsg { font-family: verdana,arial,helvetica,sans-serif; font-size: 10pt;  }
#msg dl a { font-weight: bold}
#msg dl a:link    { color:#fc3; }
#msg dl a:active  { color:#ff0; }
#msg dl a:visited { color:#cc6; }
h3 { font-family: verdana,arial,helvetica,sans-serif; font-size: 10pt; font-weight: bold; }
#msg pre { overflow: auto; background: #ffc; border: 1px #fa0 solid; padding: 6px; }
#logmsg { background: #ffc; border: 1px #fa0 solid; padding: 1em 1em 0 1em; }
#logmsg p, #logmsg pre, #logmsg blockquote { margin: 0 0 1em 0; }
#logmsg p, #logmsg li, #logmsg dt, #logmsg dd { line-height: 14pt; }
#logmsg h1, #logmsg h2, #logmsg h3, #logmsg h4, #logmsg h5, #logmsg h6 { margin: .5em 0; }
#logmsg h1:first-child, #logmsg h2:first-child, #logmsg h3:first-child, #logmsg h4:first-child, #logmsg h5:first-child, #logmsg h6:first-child { margin-top: 0; }
#logmsg ul, #logmsg ol { padding: 0; list-style-position: inside; margin: 0 0 0 1em; }
#logmsg ul { text-indent: -1em; padding-left: 1em; }#logmsg ol { text-indent: -1.5em; padding-left: 1.5em; }
#logmsg > ul, #logmsg > ol { margin: 0 0 1em 0; }
#logmsg pre { background: #eee; padding: 1em; }
#logmsg blockquote { border: 1px solid #fa0; border-left-width: 10px; padding: 1em 1em 0 1em; background: white;}
#logmsg dl { margin: 0; }
#logmsg dt { font-weight: bold; }
#logmsg dd { margin: 0; padding: 0 0 0.5em 0; }
#logmsg dd:before { content:'\00bb';}
#logmsg table { border-spacing: 0px; border-collapse: collapse; border-top: 4px solid #fa0; border-bottom: 1px solid #fa0; background: #fff; }
#logmsg table th { text-align: left; font-weight: normal; padding: 0.2em 0.5em; border-top: 1px dotted #fa0; }
#logmsg table td { text-align: right; border-top: 1px dotted #fa0; padding: 0.2em 0.5em; }
#logmsg table thead th { text-align: center; border-bottom: 1px solid #fa0; }
#logmsg table th.Corner { text-align: left; }
#logmsg hr { border: none 0; border-top: 2px dashed #fa0; height: 1px; }
#header, #footer { color: #fff; background: #636; border: 1px #300 solid; padding: 6px; }
#patch { width: 100%; }
#patch h4 {font-family: verdana,arial,helvetica,sans-serif;font-size:10pt;padding:8px;background:#369;color:#fff;margin:0;}
#patch .propset h4, #patch .binary h4 {margin:0;}
#patch pre {padding:0;line-height:1.2em;margin:0;}
#patch .diff {width:100%;background:#eee;padding: 0 0 10px 0;overflow:auto;}
#patch .propset .diff, #patch .binary .diff  {padding:10px 0;}
#patch span {display:block;padding:0 10px;}
#patch .modfile, #patch .addfile, #patch .delfile, #patch .propset, #patch .binary, #patch .copfile {border:1px solid #ccc;margin:10px 0;}
#patch ins {background:#dfd;text-decoration:none;display:block;padding:0 10px;}
#patch del {background:#fdd;text-decoration:none;display:block;padding:0 10px;}
#patch .lines, .info {color:#888;background:#fff;}
--></style>
<div id="msg">
<dl class="meta">
<dt>Revision</dt> <dd><a href="http://trac.webkit.org/projects/webkit/changeset/213791">213791</a></dd>
<dt>Author</dt> <dd>carlosgc@webkit.org</dd>
<dt>Date</dt> <dd>2017-03-13 02:33:36 -0700 (Mon, 13 Mar 2017)</dd>
</dl>

<h3>Log Message</h3>
<pre>Merge <a href="http://trac.webkit.org/projects/webkit/changeset/213631">r213631</a> - [GTK] JSC test stress/arity-check-ftl-throw.js.ftl-no-cjit-validate-sampling-profiler crashing on GTK bot
https://bugs.webkit.org/show_bug.cgi?id=160124

Reviewed by Mark Lam.

JSTests:

* stress/spread-forward-call-varargs-stack-overflow.js:

Source/JavaScriptCore:

When performing CallVarargs, we will copy values to the stack.
Before actually copying values, we need to adjust the stackPointerRegister
to ensure copied values are in the allocated stack area.
If we do not do that, the OS can break the values that are stored beyond the stack
pointer. For example, a signal stack can be constructed in this area and
break those values.

This patch fixes the crash in stress/spread-forward-call-varargs-stack-overflow.js
in the Linux port. Since Linux ports use signals to suspend and resume threads,
the signal handler is frequently called when the sampling profiler is enabled. Thus this
crash occurs.

* dfg/DFGSpeculativeJIT32_64.cpp:
(JSC::DFG::SpeculativeJIT::emitCall):
* dfg/DFGSpeculativeJIT64.cpp:
(JSC::DFG::SpeculativeJIT::emitCall):
* ftl/FTLLowerDFGToB3.cpp:
(JSC::FTL::DFG::LowerDFGToB3::compileCallOrConstructVarargsSpread):
(JSC::FTL::DFG::LowerDFGToB3::compileCallOrConstructVarargs):
* jit/SetupVarargsFrame.cpp:
(JSC::emitSetupVarargsFrameFastCase):
* jit/SetupVarargsFrame.h:</pre>
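<p>The mechanism the commit message relies on, as an added example that is not WebKit's code: a small C program that delivers a signal to the current thread and measures where the kernel placed the handler's frame relative to the interrupted frame's live data, first on the thread's own stack and then with an alternate signal stack installed. The signal number, the 64 KiB alternate-stack size and the function names are the example's own choices; it assumes a POSIX system with a downward-growing stack (Linux or macOS).</p>

```c
/* Added example, not WebKit code: where does the kernel build a signal frame?
 * Assumes POSIX (Linux/macOS) and a downward-growing stack.
 * Build: cc -O0 signal_frame_probe.c -o signal_frame_probe && ./signal_frame_probe */
#ifndef _GNU_SOURCE
#define _GNU_SOURCE
#endif
#include <signal.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#ifdef SIGUSR1
#define PROBE_SIGNAL SIGUSR1    /* the kind of signal a thread-suspend scheme uses */
#else
#define PROBE_SIGNAL SIGINT     /* fall back to an ISO C signal */
#endif

/* Address of a local inside the handler: a point inside the frame the kernel
 * constructed on delivery (plus the handler's own prologue). */
static volatile uintptr_t g_handler_local;

static void on_signal(int sig)
{
    volatile char marker = (char)sig;   /* address escapes, so it lives in the frame */
    g_handler_local = (uintptr_t)&marker;
}

/* Raise PROBE_SIGNAL synchronously and return (interrupted live slot) minus
 * (handler local) in bytes. A positive result means the kernel built the signal
 * frame below the interrupted frame: every value a JIT had stored below SP inside
 * that gap is overwritten, which is exactly the window the patch closes. */
long signal_frame_gap_bytes(void)
{
    volatile char live_slot = 0;        /* last in-use slot of this frame */
    g_handler_local = 0;
    if (signal(PROBE_SIGNAL, on_signal) == SIG_ERR)
        return 0;
    raise(PROBE_SIGNAL);
    signal(PROBE_SIGNAL, SIG_DFL);
    if (g_handler_local == 0)
        return 0;                       /* handler did not run */
    return (long)((intptr_t)(uintptr_t)&live_slot - (intptr_t)g_handler_local);
}

/* 1 if the handler ran inside a caller-supplied alternate stack (SA_ONSTACK),
 * 0 if it did not, -1 if the platform does not expose the API. With an
 * alternate stack the kernel leaves the area below the interrupted SP alone;
 * a JIT cannot assume every thread has one, so it must lower SP before storing. */
int handler_runs_on_alt_stack(void)
{
#ifdef SA_ONSTACK
    enum { ALT_SIZE = 64 * 1024 };      /* example's choice, comfortably above MINSIGSTKSZ */
    unsigned char *alt = malloc(ALT_SIZE);
    if (!alt)
        return 0;
    stack_t ss;
    memset(&ss, 0, sizeof ss);
    ss.ss_sp = alt;
    ss.ss_size = ALT_SIZE;
    if (sigaltstack(&ss, NULL) != 0) {
        free(alt);
        return 0;
    }
    struct sigaction sa, old_sa;
    memset(&sa, 0, sizeof sa);
    sa.sa_handler = on_signal;
    sa.sa_flags = SA_ONSTACK;
    sigemptyset(&sa.sa_mask);
    sigaction(PROBE_SIGNAL, &sa, &old_sa);

    g_handler_local = 0;
    raise(PROBE_SIGNAL);

    sigaction(PROBE_SIGNAL, &old_sa, NULL);
    stack_t off;                        /* disable the alt stack before freeing it */
    memset(&off, 0, sizeof off);
    off.ss_flags = SS_DISABLE;
    off.ss_sp = alt;
    off.ss_size = ALT_SIZE;
    sigaltstack(&off, NULL);
    int inside = g_handler_local >= (uintptr_t)alt
              && g_handler_local < (uintptr_t)alt + ALT_SIZE;
    free(alt);
    return inside;
#else
    return -1;
#endif
}

int main(void)
{
    long gap = signal_frame_gap_bytes();
    printf("handler frame is %ld bytes %s the interrupted frame's live slot\n",
           gap < 0 ? -gap : gap, gap > 0 ? "below" : "above");
    printf("with sigaltstack installed, handler ran on the alt stack: %d\n",
           handler_runs_on_alt_stack());
    return 0;
}
```

<p>On x86-64 Linux the gap is typically over a kilobyte, since the kernel's rt_sigframe carries the saved FPU/XSAVE state as well as the ucontext and siginfo, so a freshly copied argument slot just below SP sits squarely inside the region the next signal delivery overwrites. The alternate-stack probe shows the only configuration in which that region is left alone; the patch does not rely on it and instead lowers SP before the first store.</p>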

<h3>Modified Paths</h3>
<ul>
<li><a href="#releasesWebKitGTKwebkit216JSTestsChangeLog">releases/WebKitGTK/webkit-2.16/JSTests/ChangeLog</a></li>
<li><a href="#releasesWebKitGTKwebkit216SourceJavaScriptCoreChangeLog">releases/WebKitGTK/webkit-2.16/Source/JavaScriptCore/ChangeLog</a></li>
<li><a href="#releasesWebKitGTKwebkit216SourceJavaScriptCoredfgDFGSpeculativeJIT32_64cpp">releases/WebKitGTK/webkit-2.16/Source/JavaScriptCore/dfg/DFGSpeculativeJIT32_64.cpp</a></li>
<li><a href="#releasesWebKitGTKwebkit216SourceJavaScriptCoredfgDFGSpeculativeJIT64cpp">releases/WebKitGTK/webkit-2.16/Source/JavaScriptCore/dfg/DFGSpeculativeJIT64.cpp</a></li>
<li><a href="#releasesWebKitGTKwebkit216SourceJavaScriptCoreftlFTLLowerDFGToB3cpp">releases/WebKitGTK/webkit-2.16/Source/JavaScriptCore/ftl/FTLLowerDFGToB3.cpp</a></li>
<li><a href="#releasesWebKitGTKwebkit216SourceJavaScriptCorejitSetupVarargsFramecpp">releases/WebKitGTK/webkit-2.16/Source/JavaScriptCore/jit/SetupVarargsFrame.cpp</a></li>
<li><a href="#releasesWebKitGTKwebkit216SourceJavaScriptCorejitSetupVarargsFrameh">releases/WebKitGTK/webkit-2.16/Source/JavaScriptCore/jit/SetupVarargsFrame.h</a></li>
</ul>

</div>
<div id="patch">
<h3>Diff</h3>
<a id="releasesWebKitGTKwebkit216JSTestsChangeLog"></a>
<div class="modfile"><h4>Modified: releases/WebKitGTK/webkit-2.16/JSTests/ChangeLog (213790 => 213791)</h4>
<pre class="diff"><span>
<span class="info">--- releases/WebKitGTK/webkit-2.16/JSTests/ChangeLog        2017-03-13 09:21:34 UTC (rev 213790)
+++ releases/WebKitGTK/webkit-2.16/JSTests/ChangeLog        2017-03-13 09:33:36 UTC (rev 213791)
</span><span class="lines">@@ -1,3 +1,12 @@
</span><ins>+2017-03-08  Yusuke Suzuki  &lt;utatane.tea@gmail.com&gt;
+
+        [GTK] JSC test stress/arity-check-ftl-throw.js.ftl-no-cjit-validate-sampling-profiler crashing on GTK bot
+        https://bugs.webkit.org/show_bug.cgi?id=160124
+
+        Reviewed by Mark Lam.
+
+        * stress/spread-forward-call-varargs-stack-overflow.js:
+
</ins><span class="cx"> 2017-02-22  Yusuke Suzuki  &lt;utatane.tea@gmail.com&gt;
</span><span class="cx"> 
</span><span class="cx">         JSModuleNamespace object should have IC
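Review bot: the entry lists `* stress/spread-forward-call-varargs-stack-overflow.js:` as a changed test, but that file does not appear in this revision's Modified Paths, which contain only the JSTests and JavaScriptCore ChangeLogs and the five source files; either the test change belongs in this merge or the entry should not claim it. A one-line description of what the test change checks would also help, since the entry gives none.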
</span></span></pre></div>
<a id="releasesWebKitGTKwebkit216SourceJavaScriptCoreChangeLog"></a>
<div class="modfile"><h4>Modified: releases/WebKitGTK/webkit-2.16/Source/JavaScriptCore/ChangeLog (213790 => 213791)</h4>
<pre class="diff"><span>
<span class="info">--- releases/WebKitGTK/webkit-2.16/Source/JavaScriptCore/ChangeLog        2017-03-13 09:21:34 UTC (rev 213790)
+++ releases/WebKitGTK/webkit-2.16/Source/JavaScriptCore/ChangeLog        2017-03-13 09:33:36 UTC (rev 213791)
</span><span class="lines">@@ -1,3 +1,33 @@
</span><ins>+2017-03-08  Yusuke Suzuki  &lt;utatane.tea@gmail.com&gt;
+
+        [GTK] JSC test stress/arity-check-ftl-throw.js.ftl-no-cjit-validate-sampling-profiler crashing on GTK bot
+        https://bugs.webkit.org/show_bug.cgi?id=160124
+
+        Reviewed by Mark Lam.
+
+        When performing CallVarargs, we will copy values to the stack.
+        Before actually copying values, we need to adjust the stackPointerRegister
+        to ensure copied values are in the allocated stack area.
+        If we do not that, OS can break the values that is stored beyond the stack
+        pointer. For example, signal stack can be constructed on these area, and
+        breaks values.
+
+        This patch fixes the crash in stress/spread-forward-call-varargs-stack-overflow.js
+        in Linux port. Since Linux ports use signal to suspend and resume threads,
+        signal handler is frequently called when enabling sampling profiler. Thus this
+        crash occurs.
+
+        * dfg/DFGSpeculativeJIT32_64.cpp:
+        (JSC::DFG::SpeculativeJIT::emitCall):
+        * dfg/DFGSpeculativeJIT64.cpp:
+        (JSC::DFG::SpeculativeJIT::emitCall):
+        * ftl/FTLLowerDFGToB3.cpp:
+        (JSC::FTL::DFG::LowerDFGToB3::compileCallOrConstructVarargsSpread):
+        (JSC::FTL::DFG::LowerDFGToB3::compileCallOrConstructVarargs):
+        * jit/SetupVarargsFrame.cpp:
+        (JSC::emitSetupVarargsFrameFastCase):
+        * jit/SetupVarargsFrame.h:
+
</ins><span class="cx"> 2017-02-23  Filip Pizlo  &lt;fpizlo@apple.com&gt;
</span><span class="cx"> 
</span><span class="cx">         SpeculativeJIT::compilePutByValForIntTypedArray should only do the constant-folding optimization when the constant passes the type check
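Review bot: the sentence `If we do not that, OS can break the values that is stored beyond the stack pointer` is both ungrammatical and vague about the mechanism; suggest `If we do not, the OS can clobber values stored below the stack pointer: when a signal is delivered to a thread that has no alternate signal stack, the kernel builds the signal frame on that thread's stack, directly below the current SP.` That is what the sampling profiler's suspend/resume signals trigger on Linux, and naming it makes clear why the fix is to lower SP before the first store into the new frame rather than after the copy. `in Linux port` and `use signal to suspend` also want articles and a plural (`in the Linux port`, `use signals to suspend`).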
</span></span></pre></div>
<a id="releasesWebKitGTKwebkit216SourceJavaScriptCoredfgDFGSpeculativeJIT32_64cpp"></a>
<div class="modfile"><h4>Modified: releases/WebKitGTK/webkit-2.16/Source/JavaScriptCore/dfg/DFGSpeculativeJIT32_64.cpp (213790 => 213791)</h4>
<pre class="diff"><span>
<span class="info">--- releases/WebKitGTK/webkit-2.16/Source/JavaScriptCore/dfg/DFGSpeculativeJIT32_64.cpp        2017-03-13 09:21:34 UTC (rev 213790)
+++ releases/WebKitGTK/webkit-2.16/Source/JavaScriptCore/dfg/DFGSpeculativeJIT32_64.cpp        2017-03-13 09:33:36 UTC (rev 213791)
</span><span class="lines">@@ -754,7 +754,6 @@
</span><span class="cx">         RELEASE_ASSERT(!isDirect);
</span><span class="cx">         CallVarargsData* data = node-&gt;callVarargsData();
</span><span class="cx"> 
</span><del>-        GPRReg resultGPR;
</del><span class="cx">         unsigned numUsedStackSlots = m_jit.graph().m_nextMachineLocal;
</span><span class="cx">         
</span><span class="cx">         if (isForwardVarargs) {
</span><span class="lines">@@ -777,6 +776,7 @@
</span><span class="cx">                 inlineCallFrame = node-&gt;child3()-&gt;origin.semantic.inlineCallFrame;
</span><span class="cx">             else
</span><span class="cx">                 inlineCallFrame = node-&gt;origin.semantic.inlineCallFrame;
</span><ins>+            // emitSetupVarargsFrameFastCase modifies the stack pointer if it succeeds.
</ins><span class="cx">             emitSetupVarargsFrameFastCase(m_jit, scratchGPR2, scratchGPR1, scratchGPR2, scratchGPR3, inlineCallFrame, data-&gt;firstVarArgOffset, slowCase);
</span><span class="cx">             JITCompiler::Jump done = m_jit.jump();
</span><span class="cx">             slowCase.link(&amp;m_jit);
</span><span class="lines">@@ -784,7 +784,6 @@
</span><span class="cx">             m_jit.exceptionCheck();
</span><span class="cx">             m_jit.abortWithReason(DFGVarargsThrowingPathDidNotThrow);
</span><span class="cx">             done.link(&amp;m_jit);
</span><del>-            resultGPR = scratchGPR2;
</del><span class="cx">         } else {
</span><span class="cx">             GPRReg argumentsPayloadGPR;
</span><span class="cx">             GPRReg argumentsTagGPR;
</span><span class="lines">@@ -825,10 +824,8 @@
</span><span class="cx">             
</span><span class="cx">             callOperation(operationSetupVarargsFrame, GPRInfo::returnValueGPR, scratchGPR1, JSValueRegs(argumentsTagGPR, argumentsPayloadGPR), data-&gt;firstVarArgOffset, GPRInfo::returnValueGPR);
</span><span class="cx">             m_jit.exceptionCheck();
</span><del>-            resultGPR = GPRInfo::returnValueGPR;
</del><ins>+            m_jit.addPtr(TrustedImm32(sizeof(CallerFrameAndPC)), GPRInfo::returnValueGPR, JITCompiler::stackPointerRegister);
</ins><span class="cx">         }
</span><del>-            
-        m_jit.addPtr(TrustedImm32(sizeof(CallerFrameAndPC)), resultGPR, JITCompiler::stackPointerRegister);
</del><span class="cx">         
</span><span class="cx">         DFG_ASSERT(m_jit.graph(), node, isFlushed());
</span><span class="cx">         
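Review bot: moving `m_jit.addPtr(TrustedImm32(sizeof(CallerFrameAndPC)), GPRInfo::returnValueGPR, JITCompiler::stackPointerRegister)` into the else branch means the non-forwarding path sets SP only after `operationSetupVarargsFrame` has already filled the whole frame; that is safe only if the code before this hunk has already lowered SP below the frame about to be written, which is not visible here. Please add a comment at the addPtr stating that assumption (the call is made with SP already covering the new frame and this only tightens SP to frame plus CallerFrameAndPC), since the forwarding branch now carries a comment explaining its SP handling and the slow branch carries none.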
</span></span></pre></div>
<a id="releasesWebKitGTKwebkit216SourceJavaScriptCoredfgDFGSpeculativeJIT64cpp"></a>
<div class="modfile"><h4>Modified: releases/WebKitGTK/webkit-2.16/Source/JavaScriptCore/dfg/DFGSpeculativeJIT64.cpp (213790 => 213791)</h4>
<pre class="diff"><span>
<span class="info">--- releases/WebKitGTK/webkit-2.16/Source/JavaScriptCore/dfg/DFGSpeculativeJIT64.cpp        2017-03-13 09:21:34 UTC (rev 213790)
+++ releases/WebKitGTK/webkit-2.16/Source/JavaScriptCore/dfg/DFGSpeculativeJIT64.cpp        2017-03-13 09:33:36 UTC (rev 213791)
</span><span class="lines">@@ -730,7 +730,6 @@
</span><span class="cx">         RELEASE_ASSERT(!isDirect);
</span><span class="cx">         CallVarargsData* data = node-&gt;callVarargsData();
</span><span class="cx"> 
</span><del>-        GPRReg resultGPR;
</del><span class="cx">         unsigned numUsedStackSlots = m_jit.graph().m_nextMachineLocal;
</span><span class="cx">         
</span><span class="cx">         if (isForwardVarargs) {
</span><span class="lines">@@ -753,6 +752,7 @@
</span><span class="cx">                 inlineCallFrame = node-&gt;child3()-&gt;origin.semantic.inlineCallFrame;
</span><span class="cx">             else
</span><span class="cx">                 inlineCallFrame = node-&gt;origin.semantic.inlineCallFrame;
</span><ins>+            // emitSetupVarargsFrameFastCase modifies the stack pointer if it succeeds.
</ins><span class="cx">             emitSetupVarargsFrameFastCase(m_jit, scratchGPR2, scratchGPR1, scratchGPR2, scratchGPR3, inlineCallFrame, data-&gt;firstVarArgOffset, slowCase);
</span><span class="cx">             JITCompiler::Jump done = m_jit.jump();
</span><span class="cx">             slowCase.link(&amp;m_jit);
</span><span class="lines">@@ -760,7 +760,6 @@
</span><span class="cx">             m_jit.exceptionCheck();
</span><span class="cx">             m_jit.abortWithReason(DFGVarargsThrowingPathDidNotThrow);
</span><span class="cx">             done.link(&amp;m_jit);
</span><del>-            resultGPR = scratchGPR2;
</del><span class="cx">         } else {
</span><span class="cx">             GPRReg argumentsGPR;
</span><span class="cx">             GPRReg scratchGPR1;
</span><span class="lines">@@ -798,11 +797,9 @@
</span><span class="cx">             
</span><span class="cx">             callOperation(operationSetupVarargsFrame, GPRInfo::returnValueGPR, scratchGPR1, argumentsGPR, data-&gt;firstVarArgOffset, GPRInfo::returnValueGPR);
</span><span class="cx">             m_jit.exceptionCheck();
</span><del>-            resultGPR = GPRInfo::returnValueGPR;
</del><ins>+            m_jit.addPtr(TrustedImm32(sizeof(CallerFrameAndPC)), GPRInfo::returnValueGPR, JITCompiler::stackPointerRegister);
</ins><span class="cx">         }
</span><span class="cx">         
</span><del>-        m_jit.addPtr(TrustedImm32(sizeof(CallerFrameAndPC)), resultGPR, JITCompiler::stackPointerRegister);
-        
</del><span class="cx">         DFG_ASSERT(m_jit.graph(), node, isFlushed());
</span><span class="cx">         
</span><span class="cx">         // We don't need the arguments array anymore.
</span></span></pre></div>
<a id="releasesWebKitGTKwebkit216SourceJavaScriptCoreftlFTLLowerDFGToB3cpp"></a>
<div class="modfile"><h4>Modified: releases/WebKitGTK/webkit-2.16/Source/JavaScriptCore/ftl/FTLLowerDFGToB3.cpp (213790 => 213791)</h4>
<pre class="diff"><span>
<span class="info">--- releases/WebKitGTK/webkit-2.16/Source/JavaScriptCore/ftl/FTLLowerDFGToB3.cpp        2017-03-13 09:21:34 UTC (rev 213790)
+++ releases/WebKitGTK/webkit-2.16/Source/JavaScriptCore/ftl/FTLLowerDFGToB3.cpp        2017-03-13 09:33:36 UTC (rev 213791)
</span><span class="lines">@@ -6392,10 +6392,6 @@
</span><span class="cx">                     exceptions-&gt;append(jit.emitExceptionCheck(AssemblyHelpers::NormalExceptionCheck, AssemblyHelpers::FarJumpWidth));
</span><span class="cx">                 };
</span><span class="cx"> 
</span><del>-                auto adjustStack = [&amp;] (GPRReg amount) {
-                    jit.addPtr(CCallHelpers::TrustedImm32(sizeof(CallerFrameAndPC)), amount, CCallHelpers::stackPointerRegister);
-                };
-
</del><span class="cx">                 CCallHelpers::JumpList slowCase;
</span><span class="cx">                 unsigned originalStackHeight = params.proc().frameSize();
</span><span class="cx"> 
</span><span class="lines">@@ -6415,6 +6411,9 @@
</span><span class="cx">                     jit.lshiftPtr(CCallHelpers::Imm32(3), scratchGPR1);
</span><span class="cx">                     jit.addPtr(GPRInfo::callFrameRegister, scratchGPR1);
</span><span class="cx"> 
</span><ins>+                    // Before touching stack values, we should update the stack pointer to protect them from signal stack.
+                    jit.addPtr(CCallHelpers::TrustedImm32(sizeof(CallerFrameAndPC)), scratchGPR1, CCallHelpers::stackPointerRegister);
+
</ins><span class="cx">                     jit.store32(scratchGPR2, CCallHelpers::Address(scratchGPR1, CallFrameSlot::argumentCount * static_cast&lt;int&gt;(sizeof(Register)) + PayloadOffset));
</span><span class="cx"> 
</span><span class="cx">                     int storeOffset = CallFrame::thisArgumentOffset() * static_cast&lt;int&gt;(sizeof(Register));
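Review bot: the SP adjustment is inserted right after `scratchGPR1` is computed as the new frame base and before the `store32` of argumentCount, which is the right place, but unlike emitSetupVarargsFrameFastCase, where the soft-stack-limit branch to slowCase precedes the SP adjustment, no limit check is visible between the `jit.addPtr(GPRInfo::callFrameRegister, scratchGPR1)` and the new addPtr here. If the check lives earlier in this function, a one-line comment saying so would help; if it does not, SP is now lowered to an address that may already be past the soft limit before anything verifies it.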
</span><span class="lines">@@ -6461,8 +6460,6 @@
</span><span class="cx">                     
</span><span class="cx">                     dontThrow.link(&amp;jit);
</span><span class="cx">                 }
</span><del>-
-                adjustStack(scratchGPR1);
</del><span class="cx">                 
</span><span class="cx">                 ASSERT(calleeGPR == GPRInfo::regT0);
</span><span class="cx">                 jit.store64(calleeGPR, CCallHelpers::calleeFrameSlot(CallFrameSlot::callee));
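Review bot: with `adjustStack(scratchGPR1)` gone after `dontThrow.link(&amp;jit)`, the join point now reaches `jit.store64(calleeGPR, CCallHelpers::calleeFrameSlot(CallFrameSlot::callee))` with SP set only by the fast path above, so whatever jumps to dontThrow must either throw or have set SP itself. This is the one site in the patch where the join point got no comment; add the same "modifies the stack pointer if it succeeds" style note here, or an assertion on the path that reaches dontThrow, so the invariant is recorded where it is consumed.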
</span><span class="lines">@@ -6702,10 +6699,6 @@
</span><span class="cx">                     exceptions-&gt;append(jit.emitExceptionCheck(AssemblyHelpers::NormalExceptionCheck, AssemblyHelpers::FarJumpWidth));
</span><span class="cx">                 };
</span><span class="cx"> 
</span><del>-                auto adjustStack = [&amp;] (GPRReg amount) {
-                    jit.addPtr(CCallHelpers::TrustedImm32(sizeof(CallerFrameAndPC)), amount, CCallHelpers::stackPointerRegister);
-                };
-
</del><span class="cx">                 unsigned originalStackHeight = params.proc().frameSize();
</span><span class="cx"> 
</span><span class="cx">                 if (forwarding) {
</span><span class="lines">@@ -6717,6 +6710,8 @@
</span><span class="cx">                         inlineCallFrame = node-&gt;child3()-&gt;origin.semantic.inlineCallFrame;
</span><span class="cx">                     else
</span><span class="cx">                         inlineCallFrame = node-&gt;origin.semantic.inlineCallFrame;
</span><ins>+
+                    // emitSetupVarargsFrameFastCase modifies the stack pointer if it succeeds.
</ins><span class="cx">                     emitSetupVarargsFrameFastCase(jit, scratchGPR2, scratchGPR1, scratchGPR2, scratchGPR3, inlineCallFrame, data-&gt;firstVarArgOffset, slowCase);
</span><span class="cx"> 
</span><span class="cx">                     CCallHelpers::Jump done = jit.jump();
</span><span class="lines">@@ -6726,8 +6721,6 @@
</span><span class="cx">                     jit.abortWithReason(DFGVarargsThrowingPathDidNotThrow);
</span><span class="cx">                     
</span><span class="cx">                     done.link(&amp;jit);
</span><del>-
-                    adjustStack(scratchGPR2);
</del><span class="cx">                 } else {
</span><span class="cx">                     jit.move(CCallHelpers::TrustedImm32(originalStackHeight / sizeof(EncodedJSValue)), scratchGPR1);
</span><span class="cx">                     jit.setupArgumentsWithExecState(argumentsGPR, scratchGPR1, CCallHelpers::TrustedImm32(data-&gt;firstVarArgOffset));
</span><span class="lines">@@ -6741,7 +6734,7 @@
</span><span class="cx">                     jit.setupArgumentsWithExecState(scratchGPR2, argumentsGPR, CCallHelpers::TrustedImm32(data-&gt;firstVarArgOffset), scratchGPR1);
</span><span class="cx">                     callWithExceptionCheck(bitwise_cast&lt;void*&gt;(operationSetupVarargsFrame));
</span><span class="cx">                     
</span><del>-                    adjustStack(GPRInfo::returnValueGPR);
</del><ins>+                    jit.addPtr(CCallHelpers::TrustedImm32(sizeof(CallerFrameAndPC)), GPRInfo::returnValueGPR, CCallHelpers::stackPointerRegister);
</ins><span class="cx"> 
</span><span class="cx">                     calleeLateRep.emitRestore(jit, GPRInfo::regT0);
</span><span class="cx"> 
</span></span></pre></div>
<a id="releasesWebKitGTKwebkit216SourceJavaScriptCorejitSetupVarargsFramecpp"></a>
<div class="modfile"><h4>Modified: releases/WebKitGTK/webkit-2.16/Source/JavaScriptCore/jit/SetupVarargsFrame.cpp (213790 => 213791)</h4>
<pre class="diff"><span>
<span class="info">--- releases/WebKitGTK/webkit-2.16/Source/JavaScriptCore/jit/SetupVarargsFrame.cpp        2017-03-13 09:21:34 UTC (rev 213790)
+++ releases/WebKitGTK/webkit-2.16/Source/JavaScriptCore/jit/SetupVarargsFrame.cpp        2017-03-13 09:33:36 UTC (rev 213791)
</span><span class="lines">@@ -60,7 +60,7 @@
</span><span class="cx">     jit.addPtr(GPRInfo::callFrameRegister, resultGPR);
</span><span class="cx"> }
</span><span class="cx"> 
</span><del>-void emitSetupVarargsFrameFastCase(CCallHelpers&amp; jit, GPRReg numUsedSlotsGPR, GPRReg scratchGPR1, GPRReg scratchGPR2, GPRReg scratchGPR3, ValueRecovery argCountRecovery, VirtualRegister firstArgumentReg, unsigned firstVarArgOffset, CCallHelpers::JumpList&amp; slowCase)
</del><ins>+static void emitSetupVarargsFrameFastCase(CCallHelpers&amp; jit, GPRReg numUsedSlotsGPR, GPRReg scratchGPR1, GPRReg scratchGPR2, GPRReg scratchGPR3, ValueRecovery argCountRecovery, VirtualRegister firstArgumentReg, unsigned firstVarArgOffset, CCallHelpers::JumpList&amp; slowCase)
</ins><span class="cx"> {
</span><span class="cx">     CCallHelpers::JumpList end;
</span><span class="cx">     
</span><span class="lines">@@ -84,6 +84,9 @@
</span><span class="cx"> 
</span><span class="cx">     slowCase.append(jit.branchPtr(CCallHelpers::Above, CCallHelpers::AbsoluteAddress(jit.vm()-&gt;addressOfSoftStackLimit()), scratchGPR2));
</span><span class="cx"> 
</span><ins>+    // Before touching stack values, we should update the stack pointer to protect them from signal stack.
+    jit.addPtr(CCallHelpers::TrustedImm32(sizeof(CallerFrameAndPC)), scratchGPR2, CCallHelpers::stackPointerRegister);
+
</ins><span class="cx">     // Initialize ArgumentCount.
</span><span class="cx">     jit.store32(scratchGPR1, CCallHelpers::Address(scratchGPR2, CallFrameSlot::argumentCount * static_cast&lt;int&gt;(sizeof(Register)) + PayloadOffset));
</span><span class="cx"> 
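Review bot: the ordering is right (the `slowCase.append(jit.branchPtr(CCallHelpers::Above, CCallHelpers::AbsoluteAddress(jit.vm()-&gt;addressOfSoftStackLimit()), scratchGPR2))` branch is taken with SP unchanged, and SP is lowered only once the frame is known to fit), but the comment `Before touching stack values, we should update the stack pointer to protect them from signal stack.` undersells the contract. Suggest: `Lower SP before writing anything into the new frame: memory below SP is not ours, and the kernel may build a signal frame there at any instruction.` It is also worth a word that scratchGPR2 is still live after this instruction, since it remains the base register for the argumentCount store that follows.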
</span><span class="lines">@@ -108,11 +111,6 @@
</span><span class="cx">     done.link(&amp;jit);
</span><span class="cx"> }
</span><span class="cx"> 
</span><del>-void emitSetupVarargsFrameFastCase(CCallHelpers&amp; jit, GPRReg numUsedSlotsGPR, GPRReg scratchGPR1, GPRReg scratchGPR2, GPRReg scratchGPR3, unsigned firstVarArgOffset, CCallHelpers::JumpList&amp; slowCase)
-{
-    emitSetupVarargsFrameFastCase(jit, numUsedSlotsGPR, scratchGPR1, scratchGPR2, scratchGPR3, nullptr, firstVarArgOffset, slowCase);
-}
-
</del><span class="cx"> void emitSetupVarargsFrameFastCase(CCallHelpers&amp; jit, GPRReg numUsedSlotsGPR, GPRReg scratchGPR1, GPRReg scratchGPR2, GPRReg scratchGPR3, InlineCallFrame* inlineCallFrame, unsigned firstVarArgOffset, CCallHelpers::JumpList&amp; slowCase)
</span><span class="cx"> {
</span><span class="cx">     ValueRecovery argumentCountRecovery;
</span></span></pre></div>
<a id="releasesWebKitGTKwebkit216SourceJavaScriptCorejitSetupVarargsFrameh"></a>
<div class="modfile"><h4>Modified: releases/WebKitGTK/webkit-2.16/Source/JavaScriptCore/jit/SetupVarargsFrame.h (213790 => 213791)</h4>
<pre class="diff"><span>
<span class="info">--- releases/WebKitGTK/webkit-2.16/Source/JavaScriptCore/jit/SetupVarargsFrame.h        2017-03-13 09:21:34 UTC (rev 213790)
+++ releases/WebKitGTK/webkit-2.16/Source/JavaScriptCore/jit/SetupVarargsFrame.h        2017-03-13 09:33:36 UTC (rev 213791)
</span><span class="lines">@@ -36,12 +36,6 @@
</span><span class="cx"> 
</span><span class="cx"> // Assumes that SP refers to the last in-use stack location, and after this returns SP will point to
</span><span class="cx"> // the newly created frame plus the native header. scratchGPR2 may be the same as numUsedSlotsGPR.
</span><del>-void emitSetupVarargsFrameFastCase(CCallHelpers&amp;, GPRReg numUsedSlotsGPR, GPRReg scratchGPR1, GPRReg scratchGPR2, GPRReg scratchGPR3, ValueRecovery argCountRecovery, VirtualRegister firstArgumentReg, unsigned firstVarArgOffset, CCallHelpers::JumpList&amp; slowCase);
-
-// Variant that assumes normal stack frame.
-void emitSetupVarargsFrameFastCase(CCallHelpers&amp;, GPRReg numUsedSlotsGPR, GPRReg scratchGPR1, GPRReg scratchGPR2, GPRReg scratchGPR3, unsigned firstVarArgOffset, CCallHelpers::JumpList&amp; slowCase);
-
-// Variant for potentially inlined stack frames.
</del><span class="cx"> void emitSetupVarargsFrameFastCase(CCallHelpers&amp;, GPRReg numUsedSlotsGPR, GPRReg scratchGPR1, GPRReg scratchGPR2, GPRReg scratchGPR3, InlineCallFrame*, unsigned firstVarArgOffset, CCallHelpers::JumpList&amp; slowCase);
</span><span class="cx"> 
</span><span class="cx"> } // namespace JSC
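Review bot: the retained comment `after this returns SP will point to the newly created frame plus the native header` now matches the implementation (before this patch the callers performed that adjustment), but it holds only on the fall-through path; when one of the slowCase jumps is taken SP is unchanged. Amend it to say so, for example `On the fast path SP is lowered to the new frame plus the native header before any slot is written; on the slowCase jumps SP is untouched.` Also `// Variant for potentially inlined stack frames.` was removed while the only surviving declaration is that variant; a one-line description of the InlineCallFrame* parameter (nullptr meaning a normal stack frame) would replace it.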
</span></span></pre>
</div>
</div>

</body>
</html>