[Webkit-unassigned] [Bug 127777] [EFL][GTK][Windows] Fix the regression caused by the jsCStack branch merge

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Wed Jan 29 15:02:29 PST 2014 

https://bugs.webkit.org/show_bug.cgi?id=127777





--- Comment #13 from Zan Dobersek <zandobersek at gmail.com>  2014-01-29 14:59:53 PST ---
One of the problems is in operationCallEval.
http://trac.webkit.org/browser/trunk/Source/JavaScriptCore/jit/JITOperations.cpp#L612

Here's the disassembled function for the current code:
Dump of assembler code for function operationCallEval:
=> 0x00007ffff7837840 <+0>:    mov    0x20(%rsi),%rax
   0x00007ffff7837844 <+4>:    mov    0x18(%rdi),%rdx
   0x00007ffff7837848 <+8>:    movabs $0xffff000000000002,%rcx
   0x00007ffff7837852 <+18>:    movq   $0x0,0x10(%rsi)
   0x00007ffff783785a <+26>:    test   %rcx,%rax
   0x00007ffff783785d <+29>:    mov    %rdx,0x18(%rsi)
   0x00007ffff7837861 <+33>:    jne    0x7ffff783786c <operationCallEval+44>
   0x00007ffff7837863 <+35>:    mov    (%rax),%rcx
   0x00007ffff7837866 <+38>:    cmpb   $0x13,0x5c(%rcx)
   0x00007ffff783786a <+42>:    je     0x7ffff7837870 <operationCallEval+48>
   0x00007ffff783786c <+44>:    xor    %eax,%eax
   0x00007ffff783786e <+46>:    retq   
   0x00007ffff783786f <+47>:    nop
   0x00007ffff7837870 <+48>:    mov    0x18(%rax),%rax
   0x00007ffff7837874 <+52>:    mov    0x8(%rax),%ecx
   0x00007ffff7837877 <+55>:    test   %ecx,%ecx
   0x00007ffff7837879 <+57>:    jne    0x7ffff783786c <operationCallEval+44>
   0x00007ffff783787b <+59>:    push   %rbx
   0x00007ffff783787c <+60>:    mov    0x34f6ed(%rip),%rbx        # 0x7ffff7b86f70
   0x00007ffff7837883 <+67>:    cmp    %rbx,0x50(%rax)
   0x00007ffff7837887 <+71>:    jne    0x7ffff78378a5 <operationCallEval+101>
   0x00007ffff7837889 <+73>:    xor    %dx,%dx
   0x00007ffff783788c <+76>:    mov    %rsi,%rdi
   0x00007ffff783788f <+79>:    mov    0x468(%rdx),%rbx
   0x00007ffff7837896 <+86>:    callq  0x7ffff760e790 <_ZN3JSC4evalEPNS_9ExecStateE at plt>
   0x00007ffff783789b <+91>:    cmpq   $0x0,0xbdb0(%rbx)
   0x00007ffff78378a3 <+99>:    je     0x7ffff78378b0 <operationCallEval+112>
   0x00007ffff78378a5 <+101>:    xor    %eax,%eax
   0x00007ffff78378a7 <+103>:    nopw   0x0(%rax,%rax,1)
   0x00007ffff78378b0 <+112>:    pop    %rbx
   0x00007ffff78378b1 <+113>:    retq   
End of assembler dump.

Throwing a simple fprintf() call into the mix, in this case before isHostFunction() call, seems to shift some registers around, and the number of JSC stress test failures drops to 50. Here's the resulting disassembled function:
Dump of assembler code for function operationCallEval:
=> 0x00007ffff78378a0 <+0>:    push   %rbp
   0x00007ffff78378a1 <+1>:    lea    0x26d0b6(%rip),%rdx        # 0x7ffff7aa495e
   0x00007ffff78378a8 <+8>:    push   %rbx
   0x00007ffff78378a9 <+9>:    mov    %rsi,%rbx
   0x00007ffff78378ac <+12>:    sub    $0x8,%rsp
   0x00007ffff78378b0 <+16>:    mov    0x18(%rdi),%rax
   0x00007ffff78378b4 <+20>:    movq   $0x0,0x10(%rsi)
   0x00007ffff78378bc <+28>:    mov    %rax,0x18(%rsi)
   0x00007ffff78378c0 <+32>:    mov    0x34f6a9(%rip),%rax        # 0x7ffff7b86f70
   0x00007ffff78378c7 <+39>:    mov    $0x1,%esi
   0x00007ffff78378cc <+44>:    mov    (%rax),%rdi
   0x00007ffff78378cf <+47>:    xor    %eax,%eax
   0x00007ffff78378d1 <+49>:    callq  0x7ffff760e790 <__fprintf_chk at plt>
   0x00007ffff78378d6 <+54>:    mov    0x20(%rbx),%rax
   0x00007ffff78378da <+58>:    movabs $0xffff000000000002,%rdx
   0x00007ffff78378e4 <+68>:    test   %rdx,%rax
   0x00007ffff78378e7 <+71>:    jne    0x7ffff78378f2 <operationCallEval+82>
   0x00007ffff78378e9 <+73>:    mov    (%rax),%rdx
   0x00007ffff78378ec <+76>:    cmpb   $0x13,0x5c(%rdx)
   0x00007ffff78378f0 <+80>:    je     0x7ffff7837900 <operationCallEval+96>
   0x00007ffff78378f2 <+82>:    add    $0x8,%rsp
   0x00007ffff78378f6 <+86>:    xor    %eax,%eax
   0x00007ffff78378f8 <+88>:    pop    %rbx
   0x00007ffff78378f9 <+89>:    pop    %rbp
   0x00007ffff78378fa <+90>:    retq   
   0x00007ffff78378fb <+91>:    nopl   0x0(%rax,%rax,1)
   0x00007ffff7837900 <+96>:    mov    0x18(%rax),%rax
   0x00007ffff7837904 <+100>:    mov    0x8(%rax),%edx
   0x00007ffff7837907 <+103>:    test   %edx,%edx
   0x00007ffff7837909 <+105>:    jne    0x7ffff78378f2 <operationCallEval+82>
   0x00007ffff783790b <+107>:    mov    0x34f666(%rip),%rcx        # 0x7ffff7b86f78
   0x00007ffff7837912 <+114>:    cmp    %rcx,0x50(%rax)
   0x00007ffff7837916 <+118>:    jne    0x7ffff78378f2 <operationCallEval+82>
   0x00007ffff7837918 <+120>:    mov    0x18(%rbx),%rax
   0x00007ffff783791c <+124>:    mov    %rbx,%rdi
   0x00007ffff783791f <+127>:    xor    %ax,%ax
   0x00007ffff7837922 <+130>:    mov    0x468(%rax),%rbp
   0x00007ffff7837929 <+137>:    callq  0x7ffff760e7a0 <_ZN3JSC4evalEPNS_9ExecStateE at plt>
   0x00007ffff783792e <+142>:    cmpq   $0x0,0xbdb0(%rbp)
   0x00007ffff7837936 <+150>:    jne    0x7ffff78378f2 <operationCallEval+82>
   0x00007ffff7837938 <+152>:    add    $0x8,%rsp
   0x00007ffff783793c <+156>:    pop    %rbx
   0x00007ffff783793d <+157>:    pop    %rbp
   0x00007ffff783793e <+158>:    retq   
End of assembler dump.

-- 
Configure bugmail: https://bugs.webkit.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug.

More information about the webkit-unassigned mailing list