Bug 198770

Summary: [JSC] Polymorphic call stub's slow path should restore callee saves before performing tail call
Product: WebKit Reporter: Yusuke Suzuki <ysuzuki>
Component: JavaScriptCoreAssignee: Yusuke Suzuki <ysuzuki>
Status: RESOLVED FIXED    
Severity: Normal CC: ews-watchlist, keith_miller, mark.lam, msaboff, saam, tzagallo, webkit-bug-importer
Priority: P2 Keywords: InRadar
Version: WebKit Nightly Build   
Hardware: Unspecified   
OS: Unspecified   
Attachments:
Description Flags
Patch
none
Patch
none
Patch saam: review+

Description Yusuke Suzuki 2019-06-11 16:03:13 PDT 
When linkPolymorphicCall gives up compiling polymorphic call, we fall back to virtual call. But `linkVirtualCall` does not restore the callee saves before calling the tail call, while polymorphic call does it.
If the caller CodeBlock clobbers the callee saves (e.g. FTL), we forget restoring it, and caller's caller will see garbage in callee saves.
Comment 1 Yusuke Suzuki 2019-06-11 16:49:34 PDT 
And polymorphic call stub's slow path seems not restoring it too.
Comment 2 Yusuke Suzuki 2019-06-11 17:29:40 PDT 
<rdar://problem/51260313>
Comment 3 Yusuke Suzuki 2019-06-11 19:42:49 PDT 
Created attachment 371914 [details]
Patch
Comment 4 Yusuke Suzuki 2019-06-11 23:31:40 PDT 
The change of virtual call is not necessary. Only polymorphic call is problematic.
Comment 5 Yusuke Suzuki 2019-06-12 00:19:40 PDT 
Created attachment 371934 [details]
Patch
Comment 6 Yusuke Suzuki 2019-06-12 01:03:59 PDT 
Created attachment 371935 [details]
Patch
Comment 7 Saam Barati 2019-06-12 01:16:21 PDT 
Comment on attachment 371934 [details]
Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=371934&action=review

> Source/JavaScriptCore/ChangeLog:30
> +        This patch does that skips after restoring callee saves.

“does that skips” => “makes branches to the slow path happen”

> JSTests/stress/poly-call-stub-slow-path-should-restore-callee-saves-when-doing-tail-call.js:5
> +        var a = WeakSet.bind();

Maybe also two other tests:
- One where the poly call is in the test itself instead of a built in (in case we change the built in in the future)
- A test with a non cell callee
Comment 8 Saam Barati 2019-06-12 01:16:57 PDT 
Comment on attachment 371935 [details]
Patch

r=me with comments from previous patch
Comment 9 Yusuke Suzuki 2019-06-12 13:25:50 PDT 
Comment on attachment 371934 [details]
Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=371934&action=review

Thanks!

>> Source/JavaScriptCore/ChangeLog:30
>> +        This patch does that skips after restoring callee saves.
> 
> “does that skips” => “makes branches to the slow path happen”

Fixed.

>> JSTests/stress/poly-call-stub-slow-path-should-restore-callee-saves-when-doing-tail-call.js:5
>> +        var a = WeakSet.bind();
> 
> Maybe also two other tests:
> - One where the poly call is in the test itself instead of a built in (in case we change the built in in the future)
> - A test with a non cell callee

Nice, added.
Comment 10 Yusuke Suzuki 2019-06-12 13:31:18 PDT 
Committed r246372: <https://trac.webkit.org/changeset/246372>