[Webkit-unassigned] [Bug 127902] Fix the remaining regression caused by the jsCStack branch merge on Linux platforms
bugzilla-daemon at webkit.org
bugzilla-daemon at webkit.org
Tue Feb 25 09:27:25 PST 2014
https://bugs.webkit.org/show_bug.cgi?id=127902
--- Comment #8 from Michael Saboff <msaboff at apple.com> 2014-02-25 09:24:32 PST ---
You didn't say what kind of fault you're taking, but I'll assume some kind of set or bus fault.
A quick look at the source (JITCall.cpp::compileLoadVarargs) and disassembly and I'd say we are in the "if (canOptimize)" case since we are using arguments. I've mixed the source and assembly together. The faulting line is when we set the callee's arg count from the caller's arg count. Before that, we have made space on the stack for the callee frame (in rdx / regT1) by subtracting the size of the new frame from bp. The difference between the caller frame pointer (rbp) and callee frame pointer (rdx) is slightly more than .5MB. I wonder if the stack limit check is working as intended. If it isn't, you could be exceeding the stack. For example on Mac, we expect that this particular test, g.apply(null, new Array(65537)) to throw a stack size exceeded exception.
I'll also agree that function-apply-many-args.js needs work. The array sizes that are elected to work and those that we expect to exceed the stake are now dependent on the native stack size of each platform and not on the stack size we allocate. Saying that, JSC shouldn't crash on but throw the exception.
Look at what is in VM::m_jsStackLimit (0x44e828 for this code block, but different for each VM). Looking at this, I see a minor bug, but I don't think it affects you. We are using m_jsStackLimit and not m_stackLimit for the stack check. This is fine if you use the standard LLInt, but is broken if you use the LLInt C Loop. I'll file another bug and take care of that.
[ 36] call_varargs loc4, loc5, Null(@k0), loc1, -7 predicting None
if (canOptimize) {
emitGetVirtualRegister(arguments, regT0);
0x7fffb2b0fa77: mov -0x10(%rbp), %rax
slowCase.append(branch64(NotEqual, regT0, TrustedImm64(JSValue::encode(JSValue()))));
0x7fffb2b0fa7b: test %rax, %rax
0x7fffb2b0fa7e: jnz 0x7fffb2b0faf3
emitGetFromCallFrameHeader32(JSStack::ArgumentCount, regT0);
0x7fffb2b0fa84: mov 0x28(%rbp), %eax
slowCase.append(branch32(Above, regT0, TrustedImm32(Arguments::MaxArguments + 1)));
0x7fffb2b0fa87: cmp $0x10001, %eax
0x7fffb2b0fa8d: ja 0x7fffb2b0faf3
// regT0: argumentCountIncludingThis
move(regT0, regT1);
0x7fffb2b0fa93: mov %rax, %rdx
add64(TrustedImm32(-firstFreeRegister + JSStack::CallFrameHeaderSize), regT1);
0x7fffb2b0fa96: add $0xd, %rdx
// regT1 now has the required frame size in Register units
// Round regT1 to next multiple of stackAlignmentRegisters()
add64(TrustedImm32(stackAlignmentRegisters() - 1), regT1);
0x7fffb2b0fa9a: inc %rdx
and64(TrustedImm32(~(stackAlignmentRegisters() - 1)), regT1);
0x7fffb2b0fa9d: and $0xfffffffffffffffe, %rdx
neg64(regT1);
0x7fffb2b0faa1: neg %rdx
lshift64(TrustedImm32(3), regT1);
0x7fffb2b0faa4: shl $0x3, %rdx
addPtr(callFrameRegister, regT1);
0x7fffb2b0faa8: add %rbp, %rdx
// regT1: newCallFrame
slowCase.append(branchPtr(Above, AbsoluteAddress(m_vm->addressOfJSStackLimit()), regT1));
0x7fffb2b0faab: mov $0x44e828, %r11
0x7fffb2b0fab5: cmp %rdx, (%r11)
0x7fffb2b0fab8: ja 0x7fffb2b0faf3
// Initialize ArgumentCount.
store32(regT0, Address(regT1, JSStack::ArgumentCount * static_cast<int>(sizeof(Register)) + OBJECT_OFFSETOF(EncodedValueDescriptor, asBits.payload)));
========> 0x7fffb2b0fabe: mov %eax, 0x28(%rdx)
// Initialize 'this'.
emitGetVirtualRegister(thisValue, regT2);
0x7fffb2b0fac1: mov $0x2, %rcx
store64(regT2, Address(regT1, CallFrame::thisArgumentOffset() * static_cast<int>(sizeof(Register))));
0x7fffb2b0facb: mov %rcx, 0x30(%rdx)
...
--
Configure bugmail: https://bugs.webkit.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug.
More information about the webkit-unassigned
mailing list