Changeset 158208 in webkit


Timestamp:
Oct 29, 2013 12:34:19 PM (10 years ago)
Author:
commit-queue@webkit.org
Message:

[arm] Fix lots of crashes because of 4th argument register trampling.
https://bugs.webkit.org/show_bug.cgi?id=123421

Patch by Julien Brianceau <jbriance@cisco.com> on 2013-10-29
Reviewed by Michael Saboff.

r3 register is the 4th argument register for ARM and also a scratch
register in the baseline JIT for this architecture. We can use r6
instead, as this used to be the timeoutCheckRegister and it is no
longer used since r148119.

  • assembler/ARMAssembler.h: Temp register is now r6 instead of r3 for ARM.
  • assembler/MacroAssemblerARMv7.h: Temp register is now r6 instead of r3 for ARMv7.
  • jit/GPRInfo.h: Add r3 properly in GPRInfo for ARM.

(JSC::GPRInfo::toRegister):
(JSC::GPRInfo::toIndex):

  • jit/JITStubsARM.h:

(JSC::ctiTrampoline): Remove obsolete timeoutCheckRegister init.

  • jit/JITStubsARMv7.h:

(JSC::ctiTrampoline): Remove obsolete timeoutCheckRegister init.

  • jit/JSInterfaceJIT.h: Remove useless stuff.
  • yarr/YarrJIT.cpp: Use r3 and not the new scratch register r6.

(JSC::Yarr::YarrGenerator::generateEnter): r8 register doesn't need to be saved.
(JSC::Yarr::YarrGenerator::generateReturn):

Location:
trunk/Source/JavaScriptCore
Files:
8 edited

  • trunk/Source/JavaScriptCore/ChangeLog

    r158205 r158208  
     12013-10-29  Julien Brianceau  <jbriance@cisco.com>
     2
     3        [arm] Fix lots of crashes because of 4th argument register trampling.
     4        https://bugs.webkit.org/show_bug.cgi?id=123421
     5
     6        Reviewed by Michael Saboff.
     7
     8        r3 register is the 4th argument register for ARM and also a scratch
     9        register in the baseline JIT for this architecture. We can use r6
     10        instead, as this used to be the timeoutCheckRegister and it is no
     11        longer used since r148119.
     12
     13        * assembler/ARMAssembler.h: Temp register is now r6 instead of r3 for ARM.
     14        * assembler/MacroAssemblerARMv7.h: Temp register is now r6 instead of r3 for ARMv7.
     15        * jit/GPRInfo.h: Add r3 properly in GPRInfo for ARM.
     16        (JSC::GPRInfo::toRegister):
     17        (JSC::GPRInfo::toIndex):
     18        * jit/JITStubsARM.h:
     19        (JSC::ctiTrampoline): Remove obsolete timeoutCheckRegister init.
     20        * jit/JITStubsARMv7.h:
     21        (JSC::ctiTrampoline): Remove obsolete timeoutCheckRegister init.
     22        * jit/JSInterfaceJIT.h: Remove useless stuff.
     23        * yarr/YarrJIT.cpp: Use r3 and not the new scratch register r6.
     24        (JSC::Yarr::YarrGenerator::generateEnter): r8 register doesn't need to be saved.
     25        (JSC::Yarr::YarrGenerator::generateReturn):
     26
    1272013-10-29  Julien Brianceau  <jbriance@cisco.com>
    228
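--- a/trunk/Source/JavaScriptCore/assembler/ARMAssembler.h
+++ b/trunk/Source/JavaScriptCore/assembler/ARMAssembler.h
@@ -42,8 +42,8 @@
             r1,
             r2,
-            r3, S0 = r3, /* Same as thumb assembler. */
+            r3,
             r4,
             r5, fp = r5, // frame pointer
-            r6,
+            r6, S0 = r6,
             r7,
             r8,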
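Review bot: The new `r6, S0 = r6,` line does not say that S0 is the assembler's scratch register, and r6 is a callee-saved register under the ARM procedure call standard, so every trampoline that enters JIT code from C++ must save it and any hand-written sequence must treat it as clobbered by macro-assembler operations; a comment such as `r6, S0 = r6, // assembler scratch; callee-saved, so JIT entry code must preserve it` would make that explicit. The same applies to `addressTempRegister = ARMRegisters::r6` in the MacroAssemblerARMv7.h hunk, where the removed FIXME was the only comment documenting the temp-register choice. I cannot see from these hunks whether ctiTrampoline's prologue pushes r6; the removed `mov r6, #512` in JITStubsARM.h suggests it already did, but that is worth confirming before r6 is clobbered far more often than the old timeout check ever did.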
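--- a/trunk/Source/JavaScriptCore/assembler/MacroAssemblerARMv7.h
+++ b/trunk/Source/JavaScriptCore/assembler/MacroAssemblerARMv7.h
@@ -36,9 +36,6 @@
 
 class MacroAssemblerARMv7 : public AbstractMacroAssembler<ARMv7Assembler> {
-    // FIXME: switch dataTempRegister & addressTempRegister, or possibly use r7?
-    //        - dTR is likely used more than aTR, and we'll get better instruction
-    //        encoding if it's in the low 8 registers.
     static const RegisterID dataTempRegister = ARMRegisters::ip;
-    static const RegisterID addressTempRegister = ARMRegisters::r3;
+    static const RegisterID addressTempRegister = ARMRegisters::r6;
 
     static const ARMRegisters::FPDoubleRegisterID fpTempRegister = ARMRegisters::d7;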
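--- a/trunk/Source/JavaScriptCore/jit/GPRInfo.h
+++ b/trunk/Source/JavaScriptCore/jit/GPRInfo.h
@@ -429,5 +429,5 @@
 public:
     typedef GPRReg RegisterType;
-    static const unsigned numberOfRegisters = 8;
+    static const unsigned numberOfRegisters = 9;
     static const unsigned numberOfArgumentRegisters = NUMBER_OF_ARGUMENT_REGISTERS;
 
@@ -441,4 +441,5 @@
     static const GPRReg regT6 = ARMRegisters::r10;
     static const GPRReg regT7 = ARMRegisters::r11;
+    static const GPRReg regT8 = ARMRegisters::r3;
     // These registers match the baseline JIT.
     static const GPRReg cachedResultRegister = regT0;
@@ -449,9 +450,5 @@
     static const GPRReg argumentGPR1 = ARMRegisters::r1; // regT1
     static const GPRReg argumentGPR2 = ARMRegisters::r2; // regT2
-    // FIXME: r3 is currently used be the MacroAssembler as a temporary - it seems
-    // This could threoretically be a problem if this is used in code generation
-    // between the arguments being set up, and the call being made. That said,
-    // any change introducing a problem here is likely to be immediately apparent!
-    static const GPRReg argumentGPR3 = ARMRegisters::r3; // FIXME!
+    static const GPRReg argumentGPR3 = ARMRegisters::r3; // regT8
     static const GPRReg nonArgGPR0 = ARMRegisters::r4; // regT3
     static const GPRReg nonArgGPR1 = ARMRegisters::r8; // regT4
@@ -464,5 +461,5 @@
     {
         ASSERT(index < numberOfRegisters);
-        static const GPRReg registerForIndex[numberOfRegisters] = { regT0, regT1, regT2, regT3, regT4, regT5, regT6, regT7 };
+        static const GPRReg registerForIndex[numberOfRegisters] = { regT0, regT1, regT2, regT3, regT4, regT5, regT6, regT7, regT8 };
         return registerForIndex[index];
     }
@@ -472,5 +469,5 @@
         ASSERT(static_cast<unsigned>(reg) != InvalidGPRReg);
         ASSERT(static_cast<unsigned>(reg) < 16);
-        static const unsigned indexForRegister[16] = { 0, 1, 2, InvalidIndex, 3, InvalidIndex, InvalidIndex, InvalidIndex, 4, 5, 6, 7, InvalidIndex, InvalidIndex, InvalidIndex, InvalidIndex };
+        static const unsigned indexForRegister[16] = { 0, 1, 2, 8, 3, InvalidIndex, InvalidIndex, InvalidIndex, 4, 5, 6, 7, InvalidIndex, InvalidIndex, InvalidIndex, InvalidIndex };
         unsigned result = indexForRegister[reg];
         ASSERT(result != InvalidIndex);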
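Review bot: The `indexForRegister` literal in toIndex now encodes r3 as index 8 with a bare `8`, while `registerForIndex` in toRegister lists regT8 last; nothing ties the two tables together except the debug-only ASSERTs, so the next register shuffle can desync them silently in release builds. A comment on the new line such as `// slot 3 (r3) -> regT8; keep in sync with registerForIndex in toRegister()` would help. The new `regT8 = ARMRegisters::r3` also deserves `// also argumentGPR3: presumably overwritten when outgoing call arguments are set up`, so that an allocator does not keep a value live in it across a call. Both toRegister and toIndex start outside the hunks shown.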
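--- a/trunk/Source/JavaScriptCore/jit/JITStubsARM.h
+++ b/trunk/Source/JavaScriptCore/jit/JITStubsARM.h
@@ -162,5 +162,4 @@
     "sub sp, sp, #" STRINGIZE_VALUE_OF(PRESERVEDR4_OFFSET) "\n"
     "mov r5, r2" "\n"
-    "mov r6, #512" "\n"
     // r0 contains the code
     "blx r0" "\n"
@@ -358,5 +357,4 @@
     sub sp, sp, # PRESERVEDR4_OFFSET
     mov r5, r2
-    mov r6, #512
     mov lr, pc
     bx r0
@@ -423,5 +421,4 @@
 MSVC_BEGIN(    sub sp, sp, #68 ; sync with PRESERVEDR4_OFFSET)
 MSVC_BEGIN(    mov r5, r2)
-MSVC_BEGIN(    mov r6, #512)
 MSVC_BEGIN(    ; r0 contains the code)
 MSVC_BEGIN(    mov lr, pc)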
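--- a/trunk/Source/JavaScriptCore/jit/JITStubsARMv7.h
+++ b/trunk/Source/JavaScriptCore/jit/JITStubsARMv7.h
@@ -222,5 +222,4 @@
     "str r1, [sp, #" STRINGIZE_VALUE_OF(REGISTER_FILE_OFFSET) "]" "\n"
     "mov r5, r2" "\n"
-    "mov r6, #512" "\n"
     "blx r0" "\n"
     "ldr r11, [sp, #" STRINGIZE_VALUE_OF(PRESERVED_R11_OFFSET) "]" "\n"
@@ -457,5 +456,4 @@
     str r1, [sp, # REGISTER_FILE_OFFSET ]
     mov r5, r2
-    mov r6, #512
     blx r0
     ldr r11, [sp, # PRESERVED_R11_OFFSET ]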
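--- a/trunk/Source/JavaScriptCore/jit/JSInterfaceJIT.h
+++ b/trunk/Source/JavaScriptCore/jit/JSInterfaceJIT.h
@@ -118,7 +118,4 @@
         static const RegisterID secondArgumentRegister = ARMRegisters::r1;
 
-#if ENABLE(VALUE_PROFILER)
-#endif
-
         static const RegisterID regT0 = ARMRegisters::r0;
         static const RegisterID regT1 = ARMRegisters::r1;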
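--- a/trunk/Source/JavaScriptCore/yarr/YarrJIT.cpp
+++ b/trunk/Source/JavaScriptCore/yarr/YarrJIT.cpp
@@ -47,8 +47,8 @@
     static const RegisterID index = ARMRegisters::r1;
     static const RegisterID length = ARMRegisters::r2;
-    static const RegisterID output = ARMRegisters::r4;
-
-    static const RegisterID regT0 = ARMRegisters::r5;
-    static const RegisterID regT1 = ARMRegisters::r6;
+    static const RegisterID output = ARMRegisters::r3;
+
+    static const RegisterID regT0 = ARMRegisters::r4;
+    static const RegisterID regT1 = ARMRegisters::r5;
 
     static const RegisterID returnRegister = ARMRegisters::r0;
@@ -2579,9 +2579,4 @@
         push(ARMRegisters::r5);
         push(ARMRegisters::r6);
-#if CPU(ARM_TRADITIONAL)
-        push(ARMRegisters::r8); // scratch register
-#endif
-        if (compileMode == IncludeSubpatterns)
-            move(ARMRegisters::r3, output);
 #elif CPU(SH4)
         push(SH4Registers::r11);
@@ -2609,7 +2604,4 @@
         pop(X86Registers::ebp);
 #elif CPU(ARM)
-#if CPU(ARM_TRADITIONAL)
-        pop(ARMRegisters::r8); // scratch register
-#endif
         pop(ARMRegisters::r6);
         pop(ARMRegisters::r5);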
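Review bot: `output` moves from the callee-saved r4 to r3, the fourth argument register, which is what lets the `move(ARMRegisters::r3, output)` go, but it also means `output` is no longer preserved across any call the generated matcher might make, unlike before; if the ARM matcher never calls out this is fine, and a comment on the new line such as `// r3 is the 4th argument register, so no copy is needed on entry; not preserved across calls` would record that assumption. generateEnter still pushes r5 and r6 although r6 is no longer assigned to a Yarr register; with r6 now the assembler scratch (S0) in the ARMAssembler.h hunk, the push is still needed because r6 is callee-saved, and `push(ARMRegisters::r6); // assembler scratch register, callee-saved` would explain why it stays. Both generateEnter and generateReturn begin and end outside the hunks shown.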