Bug 180366 - We need to leave room on the top of the stack for the FTL TailCall slow path so it doesn't overwrite things we want to retrieve when doing a stack walk when throwing an exception
Summary: We need to leave room on the top of the stack for the FTL TailCall slow path ...
Status: RESOLVED FIXED
Alias: None
Product: WebKit
Classification: Unclassified
Component: JavaScriptCore
Version: Safari Technology Preview
Hardware: Unspecified Unspecified
Importance: P2 Normal
Assignee: Saam Barati
URL:
Keywords: InRadar
Depends on:
Blocks:
 
Reported: 2017-12-04 11:08 PST by Saam Barati
Modified: 2017-12-04 14:00 PST

See Also:


Attachments
patch (5.23 KB, patch)
2017-12-04 11:46 PST, Saam Barati
msaboff: review+
patch for landing (4.96 KB, patch)
2017-12-04 12:39 PST, Saam Barati
no flags

Description Saam Barati 2017-12-04 11:08:30 PST
Otherwise, the slow path branch will overwrite things on the stack before calling into the slow path C call. Once we're in the C call, we realize we're actually going to throw an exception because we're trying to call something that isn't callable. Then we'll throw an exception, which does a stack walk. This stack walk will read the stack to recover the callee of inlined frames, which might have been overwritten with garbage already.
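The scenario in the description, written out as the shape of a JavaScript regression test. This is an added example and not the test from the attached patch; the function names, the 16-argument tail call and the iteration counts are constructed for illustration. A strict-mode `return target(...)` is a tail call in JSC; `inner` is kept small so that, once `outer` tiers up to the FTL, `inner` is inlined into it and the tail call's slow path has to build a frame larger than any frame on the path before the C++ slow path discovers that the target is not callable and throws. The catch forces a stack walk through the inlined frames. On an engine without proper tail calls (node, for example) the test only checks the TypeError semantics, not the stack-layout issue.

```javascript
'use strict';
// Added example (not from the bug or the WebKit tree): a test shape for a
// tail call to a non-callable value out of an inlined frame, with enough
// arguments that the tail-call frame is bigger than the caller's frame.

// Warm-up target: a real function, so the call site and its IC are primed.
function summingTarget(...args) {
    return args.reduce((acc, v) => acc + v, 0);
}

// Non-callable target: forces the call slow path, which then throws.
function makeNotCallable() {
    return { tag: 'not a function' };
}

// 16 outgoing arguments (constructed for this example): more than `inner`
// or `outer` have parameters, so the tail call needs a larger frame.
function inner(target, x) {
    return target(x, x + 1, x + 2, x + 3, x + 4, x + 5, x + 6, x + 7,
                  x + 8, x + 9, x + 10, x + 11, x + 12, x + 13, x + 14, x + 15);
}

// Small body so the optimizing tiers inline `inner` here.
function outer(target, i) {
    return inner(target, i) + 1;
}

// Phase 1: warm up with a callable target and tier `outer` up.
// Phase 2: switch to a non-callable target; every call must throw TypeError.
// Returns counts so a harness can assert on them rather than on output.
function runTailCallToNonCallable(warmupIterations, throwIterations) {
    let warmupSum = 0;
    for (let i = 0; i < warmupIterations; i++)
        warmupSum += outer(summingTarget, i);

    const notCallable = makeNotCallable();
    let typeErrors = 0;
    let other = 0;
    for (let i = 0; i < throwIterations; i++) {
        try {
            outer(notCallable, i);
            other++; // a non-callable target must never return normally
        } catch (e) {
            if (e instanceof TypeError)
                typeErrors++;
            else
                other++;
        }
    }
    return { warmupSum, typeErrors, other };
}

module.exports = { runTailCallToNonCallable, inner, outer, summingTarget };
```

Each warm-up call returns 16*i + 121 (the sum i..i+15 is 16*i + 120, plus the `+ 1` in `outer`), so the warm-up phase gives a deterministic checksum that shows the inlined tail call still computes the right value once the engine has tiered up. In a JSC run the interesting part is simply that the second phase neither crashes nor reports a stack walk over garbage; in any engine it must report exactly `throwIterations` TypeErrors and nothing else.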
Comment 1 Saam Barati 2017-12-04 11:09:02 PST
I'm wondering if this is needed in the DFG as well. I suspect it is, but I have yet to prove it with a crashing test.
Comment 2 Saam Barati 2017-12-04 11:10:05 PST
<rdar://problem/35685877>
Comment 3 Saam Barati 2017-12-04 11:15:57 PST
(In reply to Saam Barati from comment #1)
> I'm wondering if this is needed in the DFG as well. I suspect it is, but I
> have yet to prove it with a crashing test.

The DFG already handles exactly this via Graph's m_parameterSlots which tracks the maximum outgoing call parameter count.
Comment 4 Saam Barati 2017-12-04 11:46:06 PST
Created attachment 328368 [details]
patch
Comment 5 Mark Lam 2017-12-04 12:00:57 PST
Comment on attachment 328368 [details]
patch

View in context: https://bugs.webkit.org/attachment.cgi?id=328368&action=review

> Source/JavaScriptCore/ftl/FTLLowerDFGToB3.cpp:6994
> +        m_proc.requestCallArgAreaSizeInBytes(
> +            WTF::roundUpToMultipleOf(stackAlignmentBytes(), (CallFrame::headerSizeInRegisters + numArgs) * sizeof(EncodedJSValue)));

AirCode::requestCallArgAreaSizeInBytes() already takes care of aligning to stackAlignmentBytes().  So, no need to do that here.
Comment 6 Saam Barati 2017-12-04 12:15:44 PST
Comment on attachment 328368 [details]
patch

View in context: https://bugs.webkit.org/attachment.cgi?id=328368&action=review

>> Source/JavaScriptCore/ftl/FTLLowerDFGToB3.cpp:6994
>> +            WTF::roundUpToMultipleOf(stackAlignmentBytes(), (CallFrame::headerSizeInRegisters + numArgs) * sizeof(EncodedJSValue)));
> 
> AirCode::requestCallArgAreaSizeInBytes() already takes care of aligning to stackAlignmentBytes().  So, no need to do that here.

I'm going to keep the rounding in to stay consistent with other places that do this in FTLLower.
Comment 7 Michael Saboff 2017-12-04 12:33:26 PST
Comment on attachment 328368 [details]
patch

r=me
Comment 8 Saam Barati 2017-12-04 12:39:10 PST
Created attachment 328376 [details]
patch for landing
Comment 9 WebKit Commit Bot 2017-12-04 14:00:27 PST
Comment on attachment 328376 [details]
patch for landing

Clearing flags on attachment: 328376

Committed r225492: <https://trac.webkit.org/changeset/225492>
Comment 10 WebKit Commit Bot 2017-12-04 14:00:29 PST
All reviewed patches have been landed.  Closing bug.