Open Bug 1229586 Opened 9 years ago Updated 1 month ago

Function.call and Function.apply screw up stack-searching in value decompiler

Categories

(Core :: JavaScript Engine, defect, P3)

Product:
Core
Component:
JavaScript Engine
Type:
defect

Tracking

()

People

(Reporter: shu, Unassigned)

References

(Blocks 1 open bug)

Details

mrrrgn reported this. We implement Function.call by shifting CallArg values in-place "left" by 1. That is, suppose we have |f.call(arg1, arg2)|. At the point of calling into Function.call, SP[-1] is arg2, SP[-2] is arg1. js::fun_call then shifts these: SP[-3] is now arg2, SP[-2] == SP[-1] is arg1. Then we call f, and everything works. The problem is that if f throws and asks the value decompiler to decompile an argument value, it'll report the wrong PC since the value is at a slot lower. Not sure how to best fix these cases. Perhaps the decompiler has to know if it's trying to decompile a Function.call or a Function.apply frame. I thought we could copy CallArgs inside js::fun_call, but I don't think that's possible since we need it to store rval.
(In reply to Shu-yu Guo [:shu] from comment #0) > mrrrgn reported this. > > We implement Function.call by shifting CallArg values in-place "left" by 1. > That is, suppose we have |f.call(arg1, arg2)|. At the point of calling into > Function.call, SP[-1] is arg2, SP[-2] is arg1. js::fun_call then shifts > these: SP[-3] is now arg2, SP[-2] == SP[-1] is arg1. Then we call f, and > everything works. Argh I got the "js::fun_call then shifts ..." line wrong. It should be: js::fun_call then shifts these: SP[-3] is now arg1, SP[-2] == SP[-1] is arg2.
I don't know if this can help, but this is something that we had to work-around during Ion inlined stack frame iterations [1]. [1] https://dxr.mozilla.org/mozilla-central/source/js/src/jit/JitFrames.cpp#2468
Severity: normal → S3
Blocks: sm-frontend
Priority: -- → P3
You need to log in before you can comment on or make changes to this bug.