Cherry-pick 259548.856@safari-7615-branch (c3d2e36). https://bugs.web…

…kit.org/show_bug.cgi?id=259231 CallVarargs should identify that it can read inline call frame arguments. rdar://111361499 Reviewed by Yusuke Suzuki. Call already does this, but CallVarargs has a special case that forgot. We should not be allowed to push PutStacks below a call of any kind, since it might access our call frame's arguments via foo.arguments, unless we are strict. The only exception is TailCall (but not TailCallForwardVarargsInlinedCaller), because it will destroy the entire frame. We do not un-pessimize TailCall yet to reduce risk, but it could be made to match TailCallForwardVarargs in the future. * Source/JavaScriptCore/dfg/DFGPreciseLocalClobberize.h: (JSC::DFG::PreciseLocalClobberizeAdaptor::readTop): Canonical link: https://commits.webkit.org/259548.856@safari-7615-branch Canonical link: https://commits.webkit.org/260527.380@webkitglib/2.40
WebKit · Jul 18, 2023 · 4f99c06 · 4f99c06
1 parent f16cf5a
commit 4f99c06
Showing 1 changed file with 11 additions and 2 deletions.
diff --git a/Source/JavaScriptCore/dfg/DFGPreciseLocalClobberize.h b/Source/JavaScriptCore/dfg/DFGPreciseLocalClobberize.h
@@ -191,13 +191,19 @@ class PreciseLocalClobberizeAdaptor {
         case CreateRest: {
             bool isForwardingNode = false;
             bool isPhantomNode = false;
+            bool mayReadArguments = false;
             switch (m_node->op()) {
             case ForwardVarargs:
+            // This is used iff allInlineFramesAreTailCalls, so we will
+            // actually do a real tail call and destroy our frame.
+            case TailCallForwardVarargs:
+                isForwardingNode = true;
+                break;
             case CallForwardVarargs:
             case ConstructForwardVarargs:
-            case TailCallForwardVarargs:
             case TailCallForwardVarargsInlinedCaller:
                 isForwardingNode = true;
+                mayReadArguments = true;
                 break;
             case PhantomDirectArguments:
             case PhantomClonedArguments:
@@ -209,7 +215,10 @@ class PreciseLocalClobberizeAdaptor {
 
             if (isPhantomNode && m_graph.m_plan.isFTL())
                 break;
-
+
+            if (mayReadArguments)
+                readWorld(m_node);
+
             if (isForwardingNode && m_node->hasArgumentsChild() && m_node->argumentsChild()
                 && (m_node->argumentsChild()->op() == PhantomNewArrayWithSpread || m_node->argumentsChild()->op() == PhantomSpread)) {
                 if (m_node->argumentsChild()->op() == PhantomNewArrayWithSpread)