Open Bug 1823808 Opened 2 years ago Updated 2 years ago

BaselineCacheIRCompiler::emitCallNativeShared pushes a bogus return address for the native exit frame

Categories

(Core :: JavaScript Engine: JIT, defect, P3)

People

(Reporter: iain, Unassigned)

References

(Blocks 1 open bug)

Details

While removing tail calls from the baseline CacheIR compiler, I noticed that we're using ICTailCallReg here in emitCallNativeShared to push the return address for the native exit frame we create. Further up, we have this code:

  // Push a stub frame so that we can perform a non-tail call.
  // Note that this leaves the return address in TailCallReg.
  AutoStubFrame stubFrame(*this);
  stubFrame.enter(masm, scratch);

The idea is apparently that stubFrame.enter() will put the return address into TailCallReg, and then we can push it later. The only problem is that, on x86, this hasn't been true for six years. In bug 1337871, Jan removed the call to EmitRestoreTailCallReg from EmitBaselineEnterStubFrame. When I migrated call ICs to CacheIR, I dutifully copied over the comment and the implementation. However, looking at the actual generated assembly, we're just pushing whatever happened to be in rsi as a fake return address.

Given that we didn't notice at the time, and this hasn't caused any problems in six years, we obviously don't rely on the return address in that frame. It still might be good to fix this up a bit.
