Bug 126020

Summary: CStack Branch: Fix call eval in baseline JIT
Product: WebKit Reporter: Michael Saboff <msaboff>
Component: JavaScriptCoreAssignee: Michael Saboff <msaboff>
Status: RESOLVED FIXED    
Severity: Normal CC: ggaren
Priority: P2    
Version: 528+ (Nightly build)   
Hardware: All   
OS: All   
Attachments:
Description Flags
Patch ggaren: review+

Michael Saboff
Reported 2013-12-19 14:44:15 PST
Currently the baseline JIT doesn't handle eval calls due to the stack pointer not being set up for the callee.
Attachments
Patch (8.28 KB, patch)
2013-12-19 14:52 PST, Michael Saboff
ggaren: review+
Michael Saboff
Comment 1 2013-12-19 14:52:34 PST
Geoffrey Garen
Comment 2 2013-12-19 15:10:34 PST
Comment on attachment 219684 [details] Patch View in context: https://bugs.webkit.org/attachment.cgi?id=219684&action=review r=me > Source/JavaScriptCore/jit/JITCall.cpp:126 > + addPtr(TrustedImm32(JSStack::CallerFrameAndPCSize * static_cast<int>(sizeof(Register))), regT1, stackPointerRegister); Why do we need to move SP like this before the call to operationCallEval? I thought that calls to helper functions didn't need to adjust the stack. > Source/JavaScriptCore/jit/JITCall.cpp:130 > + addPtr(TrustedImm32(-frameRegisterCountFor(m_codeBlock) * sizeof(Register)), callFrameRegister, stackPointerRegister); You should use stackPointerOffsetFor() here. But same question here: why are we adjusting SP? > Source/JavaScriptCore/jit/JITCall.cpp:145 > + addPtr(TrustedImm32(JSStack::CallerFrameAndPCSize * static_cast<int>(sizeof(Register))), regT1, stackPointerRegister); Why do we need to move SP like this before the call to operationCallEval? > Source/JavaScriptCore/jit/JITCall.cpp:147 > + addPtr(TrustedImm32(-frameRegisterCountFor(m_codeBlock) * sizeof(Register)), callFrameRegister, stackPointerRegister); You should use stackPointerOffsetFor() here.
Geoffrey Garen
Comment 3 2013-12-19 15:10:56 PST
Comment on attachment 219684 [details] Patch r=me because this patch looks not incorrect, but I think it needs some refinement.
Michael Saboff
Comment 4 2013-12-19 15:20:05 PST
(In reply to comment #2) > (From update of attachment 219684 [details]) > View in context: https://bugs.webkit.org/attachment.cgi?id=219684&action=review > > r=me > > > Source/JavaScriptCore/jit/JITCall.cpp:126 > > + addPtr(TrustedImm32(JSStack::CallerFrameAndPCSize * static_cast<int>(sizeof(Register))), regT1, stackPointerRegister); > > Why do we need to move SP like this before the call to operationCallEval? I thought that calls to helper functions didn't need to adjust the stack. We need to move the stack down because that is where the calleeFrame is. regT1 is the calleeFrame. This is just like the normal call processing. > > Source/JavaScriptCore/jit/JITCall.cpp:130 > > + addPtr(TrustedImm32(-frameRegisterCountFor(m_codeBlock) * sizeof(Register)), callFrameRegister, stackPointerRegister); > > You should use stackPointerOffsetFor() here. I will make the change. > But same question here: why are we adjusting SP? Same reason. > > Source/JavaScriptCore/jit/JITCall.cpp:145 > > + addPtr(TrustedImm32(JSStack::CallerFrameAndPCSize * static_cast<int>(sizeof(Register))), regT1, stackPointerRegister); > > Why do we need to move SP like this before the call to operationCallEval? Ditto. > > Source/JavaScriptCore/jit/JITCall.cpp:147 > > + addPtr(TrustedImm32(-frameRegisterCountFor(m_codeBlock) * sizeof(Register)), callFrameRegister, stackPointerRegister); > > You should use stackPointerOffsetFor() here. Will do.
Michael Saboff
Comment 5 2013-12-19 15:34:30 PST
Geoffrey Garen
Comment 6 2013-12-19 15:42:09 PST
I see: operationCallEval is a helper function, which normally wouldn't adjust the stack for, but it calls back into the VM, so we do want to adjust the stack as if we were calling another JS function.
Michael Saboff
Comment 7 2013-12-19 15:45:21 PST
(In reply to comment #6) > I see: operationCallEval is a helper function, which normally wouldn't adjust the stack for, but it calls back into the VM, so we do want to adjust the stack as if we were calling another JS function. Actually we have to adjust even if it didn't call back into the VM. Otherwise the locals in operationCallEval() and its callees will step on the callee frame.
Geoffrey Garen
Comment 8 2013-12-19 16:21:51 PST
> Actually we have to adjust even if it didn't call back into the VM. Otherwise the locals in operationCallEval() and its callees will step on the callee frame. The adjustment moves SP up before calling operationCallEval(). How does that prevent anything from being stepped on? It seems to do the opposite, and expose two slots to be stepped on by operationCallEval()'s ReturnPC and ReturnBP.
Michael Saboff
Comment 9 2013-12-19 16:27:05 PST
(In reply to comment #8) > > Actually we have to adjust even if it didn't call back into the VM. Otherwise the locals in operationCallEval() and its callees will step on the callee frame. > > The adjustment moves SP up before calling operationCallEval(). How does that prevent anything from being stepped on? It seems to do the opposite, and expose two slots to be stepped on by operationCallEval()'s ReturnPC and ReturnBP. My bad on the prior comment. Your comment #7 is right.
Note You need to log in before you can comment on or make changes to this bug.