operationStackCheck() (in JITOpereations.cpp) should not be testing the JSStack for overflow. operationStackCheck() is only called when an overflow has been detected by JITted code. Since the C stack is not growable, there's no need to repeat the stack check before throwing a StackOverflowError. Running a small test (the attached test-eval.js), I see that the LLINT failed to detect a stack overflow and crashed after exhausting the stack. The baseline JIT and DFG fared better in detecting the overflow (with the above stack check in operationStackCheck() commented out), but fails to unwind the stack during handling of the StackOverflowError. They ended up in an infinite loop during the unwind. All of these need to be fixed.
Created attachment 219540 [details] a stack overflow test
Also need to search for all places that uses JSStack::grow() to do a stack check. These should either removed or #if ENABLE(LLINT_C_LOOP). In their place, we should be doing a limit check on the C stack.
(In reply to comment #2) > Also need to search for all places that uses JSStack::grow() to do a stack check. These should either removed or #if ENABLE(LLINT_C_LOOP). In their place, we should be doing a limit check on the C stack. Does JSStack::grow() ever make sense when using the stack? Assuming it doesn't we should just put #if ENABLE(LLINT_C_LOOP) around the definition and declaration. That would instantly make it impossible to use it accidetanly
(In reply to comment #3) > Does JSStack::grow() ever make sense when using the stack? Assuming it doesn't we should just put #if ENABLE(LLINT_C_LOOP) around the definition and declaration. That would instantly make it impossible to use it accidetanly FYI, JSStack::grow() was moved into a ENABLE(LLINT_C_LOOP) only section in r160982 <http://trac.webkit.org/r160982> which was landed for https://bugs.webkit.org/show_bug.cgi?id=126140.