Changeset 189103 in webkit

Timestamp:

Aug 28, 2015, 10:52:35 AM (10 years ago)

Author:

mark.lam@apple.com

Message:

ScratchRegisterAllocator::preserveReusedRegistersByPushing() should allow room for C helper calls and keep sp properly aligned.
​https://bugs.webkit.org/show_bug.cgi?id=148564

Reviewed by Saam Barati.

ScratchRegisterAllocator::preserveReusedRegistersByPushing() pushes registers on
the stack in order to preserve them. But emitPutTransitionStub() (which uses
preserveReusedRegistersByPushing()) may also emit a call to a C helper function
to flush the heap write barrier buffer. The code for emitting a C helper call
expects the stack pointer (sp) to already be pointing to a location on the stack
where there's adequate space reserved for storing the arguments to the C helper,
and that space is expected to be at the top of the stack. Hence, there is a
conflict of expectations. As a result, the arguments for the C helper will
overwrite and corrupt the values that are pushed on the stack by
preserveReusedRegistersByPushing().

In addition, JIT compiled functions always position the sp such that it will be
aligned (according to platform ABI dictates) after a C call is made (i.e. after
the frame pointer and return address is pushed on to the stack).
preserveReusedRegistersByPushing()'s arbitrary pushing of a number of saved
register values may mess up this alignment.

The fix is to have preserveReusedRegistersByPushing(), after it has pushed the
saved register values, adjust the sp to reserve an additional amount of stack
space needed for C call helpers plus any padding needed to restore proper sp
alignment. The stack's ReservedZone will ensure that we have enough stack space
for this. ScratchRegisterAllocator::restoreReusedRegistersByPopping() also
needs to be updated to perform the complement of this behavior.

• jit/Repatch.cpp:

(JSC::emitPutReplaceStub):
(JSC::emitPutTransitionStub):

• jit/ScratchRegisterAllocator.cpp:

(JSC::ScratchRegisterAllocator::allocateScratchGPR):
(JSC::ScratchRegisterAllocator::allocateScratchFPR):
(JSC::ScratchRegisterAllocator::preserveReusedRegistersByPushing):
(JSC::ScratchRegisterAllocator::restoreReusedRegistersByPopping):

• jit/ScratchRegisterAllocator.h:

(JSC::ScratchRegisterAllocator::numberOfReusedRegisters):

• tests/stress/regress-148564.js: Added.

(test):
(runTest):

Location:

trunk/Source/JavaScriptCore

Files:

• ChangeLog (modified) (1 diff)
• jit/Repatch.cpp (modified) (5 diffs)
• jit/ScratchRegisterAllocator.cpp (modified) (2 diffs)
• jit/ScratchRegisterAllocator.h (modified) (1 diff)
• tests/stress/regress-148564.js (added)

trunk/Source/JavaScriptCore/ChangeLog

@@ +1 @@
+2015-08-28  Mark Lam  <mark.lam@apple.com>
+
+        ScratchRegisterAllocator::preserveReusedRegistersByPushing() should allow room for C helper calls and keep sp properly aligned.
+        https://bugs.webkit.org/show_bug.cgi?id=148564
+
+        Reviewed by Saam Barati.
+
+        ScratchRegisterAllocator::preserveReusedRegistersByPushing() pushes registers on
+        the stack in order to preserve them.  But emitPutTransitionStub() (which uses
+        preserveReusedRegistersByPushing()) may also emit a call to a C helper function
+        to flush the heap write barrier buffer.  The code for emitting a C helper call
+        expects the stack pointer (sp) to already be pointing to a location on the stack
+        where there's adequate space reserved for storing the arguments to the C helper,
+        and that space is expected to be at the top of the stack.  Hence, there is a
+        conflict of expectations.  As a result, the arguments for the C helper will
+        overwrite and corrupt the values that are pushed on the stack by
+        preserveReusedRegistersByPushing().
+
+        In addition, JIT compiled functions always position the sp such that it will be
+        aligned (according to platform ABI dictates) after a C call is made (i.e. after
+        the frame pointer and return address is pushed on to the stack).
+        preserveReusedRegistersByPushing()'s arbitrary pushing of a number of saved
+        register values may mess up this alignment.
+
+        The fix is to have preserveReusedRegistersByPushing(), after it has pushed the
+        saved register values, adjust the sp to reserve an additional amount of stack
+        space needed for C call helpers plus any padding needed to restore proper sp
+        alignment.  The stack's ReservedZone will ensure that we have enough stack space
+        for this.  ScratchRegisterAllocator::restoreReusedRegistersByPopping() also
+        needs to be updated to perform the complement of this behavior.
+
+        * jit/Repatch.cpp:
+        (JSC::emitPutReplaceStub):
+        (JSC::emitPutTransitionStub):
+        * jit/ScratchRegisterAllocator.cpp:
+        (JSC::ScratchRegisterAllocator::allocateScratchGPR):
+        (JSC::ScratchRegisterAllocator::allocateScratchFPR):
+        (JSC::ScratchRegisterAllocator::preserveReusedRegistersByPushing):
+        (JSC::ScratchRegisterAllocator::restoreReusedRegistersByPopping):
+        * jit/ScratchRegisterAllocator.h:
+        (JSC::ScratchRegisterAllocator::numberOfReusedRegisters):
+        * tests/stress/regress-148564.js: Added.
+        (test):
+        (runTest):
+
 2015-08-28  Csaba Osztrogonác  <ossy@webkit.org>
 

trunk/Source/JavaScriptCore/jit/Repatch.cpp

@@ -917 +917 @@
     CCallHelpers stubJit(vm, exec->codeBlock());
 
-    allocator.preserveReusedRegistersByPushing(stubJit);
+    size_t numberOfPaddingBytes = allocator.preserveReusedRegistersByPushing(stubJit);
 
     MacroAssembler::Jump badStructure = branchStructure(stubJit,
@@ -946 +946 @@
     
     if (allocator.didReuseRegisters()) {
-        allocator.restoreReusedRegistersByPopping(stubJit);
+        allocator.restoreReusedRegistersByPopping(stubJit, numberOfPaddingBytes);
         success = stubJit.jump();
         
         badStructure.link(&stubJit);
-        allocator.restoreReusedRegistersByPopping(stubJit);
+        allocator.restoreReusedRegistersByPopping(stubJit, numberOfPaddingBytes);
         failure = stubJit.jump();
     } else {
@@ -1054 +1054 @@
         scratchGPR3 = InvalidGPRReg;
     
-    allocator.preserveReusedRegistersByPushing(stubJit);
+    size_t numberOfPaddingBytes = allocator.preserveReusedRegistersByPushing(stubJit);
 
     MacroAssembler::JumpList failureCases;
@@ -1170 +1170 @@
             
     if (allocator.didReuseRegisters()) {
-        allocator.restoreReusedRegistersByPopping(stubJit);
+        allocator.restoreReusedRegistersByPopping(stubJit, numberOfPaddingBytes);
         success = stubJit.jump();
 
         failureCases.link(&stubJit);
-        allocator.restoreReusedRegistersByPopping(stubJit);
+        allocator.restoreReusedRegistersByPopping(stubJit, numberOfPaddingBytes);
         failure = stubJit.jump();
     } else
@@ -1185 +1185 @@
         slowPath.link(&stubJit);
         
-        allocator.restoreReusedRegistersByPopping(stubJit);
+        allocator.restoreReusedRegistersByPopping(stubJit, numberOfPaddingBytes);
         if (!scratchBuffer)
             scratchBuffer = vm->scratchBufferForSize(allocator.desiredScratchBufferSizeForCall());

trunk/Source/JavaScriptCore/jit/ScratchRegisterAllocator.cpp

@@ -30 +30 @@
 
 #include "JSCInlines.h"
+#include "MaxFrameExtentForSlowPathCall.h"
 #include "VM.h"
 
@@ -92 +93 @@
 FPRReg ScratchRegisterAllocator::allocateScratchFPR() { return allocateScratch<FPRInfo>(); }
 
-void ScratchRegisterAllocator::preserveReusedRegistersByPushing(MacroAssembler& jit)
+size_t ScratchRegisterAllocator::preserveReusedRegistersByPushing(MacroAssembler& jit)
 {
     if (!didReuseRegisters())
-        return;
-        
+        return 0;
+
+    size_t numberOfBytesPushed = 0;
+
     for (unsigned i = 0; i < FPRInfo::numberOfRegisters; ++i) {
         FPRReg reg = FPRInfo::toRegister(i);
-        if (m_scratchRegisters.getFPRByIndex(i) && m_usedRegisters.get(reg))
+        if (m_scratchRegisters.getFPRByIndex(i) && m_usedRegisters.get(reg)) {
             jit.pushToSave(reg);
+            numberOfBytesPushed += sizeof(double);
+        }
     }
     for (unsigned i = 0; i < GPRInfo::numberOfRegisters; ++i) {
         GPRReg reg = GPRInfo::toRegister(i);
-        if (m_scratchRegisters.getGPRByIndex(i) && m_usedRegisters.get(reg))
+        if (m_scratchRegisters.getGPRByIndex(i) && m_usedRegisters.get(reg)) {
             jit.pushToSave(reg);
-    }
-}
-
-void ScratchRegisterAllocator::restoreReusedRegistersByPopping(MacroAssembler& jit)
+            numberOfBytesPushed += sizeof(uintptr_t);
+        }
+    }
+
+    size_t totalStackAdjustmentBytes = numberOfBytesPushed + maxFrameExtentForSlowPathCall;
+    totalStackAdjustmentBytes = WTF::roundUpToMultipleOf(stackAlignmentBytes(), totalStackAdjustmentBytes);
+
+    size_t numberOfPaddingBytes = totalStackAdjustmentBytes - numberOfBytesPushed;
+    jit.subPtr(MacroAssembler::TrustedImm32(numberOfPaddingBytes), MacroAssembler::stackPointerRegister);
+
+    return numberOfPaddingBytes;
+}
+
+void ScratchRegisterAllocator::restoreReusedRegistersByPopping(MacroAssembler& jit, size_t numberOfPaddingBytes)
 {
     if (!didReuseRegisters())
         return;
-        
+
+    jit.addPtr(MacroAssembler::TrustedImm32(numberOfPaddingBytes), MacroAssembler::stackPointerRegister);
+
     for (unsigned i = GPRInfo::numberOfRegisters; i--;) {
         GPRReg reg = GPRInfo::toRegister(i);

trunk/Source/JavaScriptCore/jit/ScratchRegisterAllocator.h

@@ -63 +63 @@
     }
     
-    void preserveReusedRegistersByPushing(MacroAssembler& jit);
-    void restoreReusedRegistersByPopping(MacroAssembler& jit);
+    // preserveReusedRegistersByPushing() returns the number of padding bytes used to keep the stack
+    // pointer properly aligned and to reserve room for calling a C helper. This number of padding
+    // bytes must be provided to restoreReusedRegistersByPopping() in order to reverse the work done
+    // by preserveReusedRegistersByPushing().
+    size_t preserveReusedRegistersByPushing(MacroAssembler& jit);
+    void restoreReusedRegistersByPopping(MacroAssembler& jit, size_t numberOfPaddingBytes);
     
     RegisterSet usedRegistersForCall() const;