Bug 153536 - [JSC] adjustFrameAndStackInOSRExitCompilerThunk() can trash values in FTL
Status: RESOLVED FIXED
Product: WebKit
Component: New Bugs
Version: WebKit Nightly Build
Hardware: Unspecified
Importance: P2 Normal
Assignee: Benjamin Poulain
Reported: 2016-01-26 22:31 PST by Benjamin Poulain
Modified: 2016-01-27 16:29 PST

Attachments
Patch (4.91 KB, patch), 2016-01-26 22:34 PST, Benjamin Poulain
Patch for landing (5.10 KB, patch), 2016-01-27 15:37 PST, Benjamin Poulain

Description Benjamin Poulain 2016-01-26 22:31:23 PST
[JSC] adjustFrameAndStackInOSRExitCompilerThunk() can trash values in FTL
Comment 1 Benjamin Poulain 2016-01-26 22:34:11 PST
Created attachment 269982 [details]
Patch
Comment 2 Saam Barati 2016-01-27 00:21:20 PST
Comment on attachment 269982 [details]
Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=269982&action=review

r=me

> Source/JavaScriptCore/dfg/DFGOSRExitCompilerCommon.h:48
> +

It might be worth adding a comment here saying we can't trash the macro assembler scratch registers in the code we emit here.

> Source/JavaScriptCore/dfg/DFGOSRExitCompilerCommon.h:107
> +    if (isFTLOSRExit)
> +        jit.pushToSave(GPRInfo::regT1);
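Review bot: the conditional second pushToSave(GPRInfo::regT1) changes how many bytes this thunk reserves below the stack pointer on FTL exits, so the restore path of the same thunk must pop or adjust by the same conditional amount; please confirm the matching pop is guarded by the same isFTLOSRExit test, and add a comment at this push stating why an FTL exit needs two slots, since nothing in these two lines conveys that.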

It might be worth a comment saying that we do this because the previous push will be overwritten by the old top-of-the-stack.
Or you could make it explicit by doing something like:
unsigned stackOffset = MacroAssembler::pushToSaveByteOffset() * (isFTLOSRExit ? 2 : 1);
jit.subPtr(MacroAssembler::TrustedImm32(stackOffset), MacroAssembler::stackPointerRegister);
jit.storePtr(GPRInfo::regT1, MacroAssembler::stackPointerRegister);
Comment 3 Saam Barati 2016-01-27 00:35:25 PST
Also see the discussion here for potential alternative implementations
that take into account generic unwind exits and utilize volatile
registers in situations where we know we've arrived at OSR exit
code from the genericUnwind path and therefore can use volatile
registers:

https://bugs.webkit.org/show_bug.cgi?id=151406
Comment 4 Benjamin Poulain 2016-01-27 15:37:11 PST
Created attachment 270053 [details]
Patch for landing
Comment 5 WebKit Commit Bot 2016-01-27 16:29:18 PST
Comment on attachment 270053 [details]
Patch for landing

Clearing flags on attachment: 270053

Committed r195707: <http://trac.webkit.org/changeset/195707>
Comment 6 WebKit Commit Bot 2016-01-27 16:29:22 PST
All reviewed patches have been landed.  Closing bug.