Changeset 160056 in webkit


Timestamp:
Dec 3, 2013 3:56:31 PM (10 years ago)
Author:
msaboff@apple.com
Message:

ARM64: Crash in JIT code due to improper reuse of cached memory temp register
https://bugs.webkit.org/show_bug.cgi?id=125181

Reviewed by Geoffrey Garen.

Changed load8() and load() to invalidate the memory temp CachedTempRegister when the
destination of an absolute load is the memory temp register since the source address
is also the memory temp register. Change branch{8,32,64} of an AbsoluteAddress with
a register to use the dataTempRegister as the destination of the absolute load to
reduce the chance that we need to invalidate the memory temp register cache.
In the process, found and fixed an outright bug in branch8() where we'd load into
the data temp register and then compare and branch on the memory temp register.

  • assembler/MacroAssemblerARM64.h:

(JSC::MacroAssemblerARM64::load8):
(JSC::MacroAssemblerARM64::branch32):
(JSC::MacroAssemblerARM64::branch64):
(JSC::MacroAssemblerARM64::branch8):
(JSC::MacroAssemblerARM64::load):

Location:
trunk/Source/JavaScriptCore
Files:
2 edited

  • trunk/Source/JavaScriptCore/ChangeLog

    r160042 r160056  
     12013-12-03  Michael Saboff  <msaboff@apple.com>
     2
     3        ARM64: Crash in JIT code due to improper reuse of cached memory temp register
     4        https://bugs.webkit.org/show_bug.cgi?id=125181
     5
     6        Reviewed by Geoffrey Garen.
     7
     8        Changed load8() and load() to invalidate the memory temp CachedTempRegister when the
     9        destination of an absolute load is the memory temp register since the source address
     10        is also the memory temp register.  Change branch{8,32,64} of an AbsoluteAddress with
     11        a register to use the dataTempRegister as the destinate of the absolute load to
     12        reduce the chance that we need to invalidate the memory temp register cache.
     13        In the process, found and fixed an outright bug in branch8() where we'd load into
     14        the data temp register and then compare and branch on the memory temp register.
     15
     16        * assembler/MacroAssemblerARM64.h:
     17        (JSC::MacroAssemblerARM64::load8):
     18        (JSC::MacroAssemblerARM64::branch32):
     19        (JSC::MacroAssemblerARM64::branch64):
     20        (JSC::MacroAssemblerARM64::branch8):
     21        (JSC::MacroAssemblerARM64::load):
     22
    1232013-12-03  Michael Saboff  <msaboff@apple.com>
    224
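--- a/trunk/Source/JavaScriptCore/assembler/MacroAssemblerARM64.h
+++ b/trunk/Source/JavaScriptCore/assembler/MacroAssemblerARM64.h
@@ -899,4 +899,6 @@
         moveToCachedReg(TrustedImmPtr(address), m_cachedMemoryTempRegister);
         m_assembler.ldrb(dest, memoryTempRegister, ARM64Registers::zr);
+        if (dest == memoryTempRegister)
+            m_cachedMemoryTempRegister.invalidate();
     }
 
@@ -1571,6 +1573,6 @@
     Jump branch32(RelationalCondition cond, AbsoluteAddress left, RegisterID right)
     {
-        load32(left.m_ptr, getCachedMemoryTempRegisterIDAndInvalidate());
-        return branch32(cond, memoryTempRegister, right);
+        load32(left.m_ptr, getCachedDataTempRegisterIDAndInvalidate());
+        return branch32(cond, dataTempRegister, right);
     }
 
@@ -1609,6 +1611,6 @@
     Jump branch64(RelationalCondition cond, AbsoluteAddress left, RegisterID right)
     {
-        load64(left.m_ptr, getCachedMemoryTempRegisterIDAndInvalidate());
-        return branch64(cond, memoryTempRegister, right);
+        load64(left.m_ptr, getCachedDataTempRegisterIDAndInvalidate());
+        return branch64(cond, dataTempRegister, right);
     }
 
@@ -1642,5 +1644,5 @@
     {
         ASSERT(!(0xffffff00 & right.m_value));
-        load8(left.m_ptr, getCachedDataTempRegisterIDAndInvalidate());
+        load8(left.m_ptr, getCachedMemoryTempRegisterIDAndInvalidate());
         return branch32(cond, memoryTempRegister, right);
     }
@@ -2494,4 +2496,7 @@
             intptr_t addressDelta = addressAsInt - currentRegisterContents;
 
+            if (dest == memoryTempRegister)
+                m_cachedMemoryTempRegister.invalidate();
+
             if (isInIntRange(addressDelta)) {
                 if (ARM64Assembler::canEncodeSImmOffset(addressDelta)) {
@@ -2515,5 +2520,8 @@
 
         move(TrustedImmPtr(address), memoryTempRegister);
-        m_cachedMemoryTempRegister.setValue(reinterpret_cast<intptr_t>(address));
+        if (dest == memoryTempRegister)
+            m_cachedMemoryTempRegister.invalidate();
+        else
+            m_cachedMemoryTempRegister.setValue(reinterpret_cast<intptr_t>(address));
         m_assembler.ldr<datasize>(dest, memoryTempRegister, ARM64Registers::zr);
     }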
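Review bot: The branch8 hunk (new line 1646) now loads the absolute address into memoryTempRegister and branches on it, while branch32 and branch64 in the same commit were switched to dataTempRegister, even though the description says all of branch{8,32,64} were moved to the data temp; branch8 is therefore the one absolute-address branch that still relies on the new invalidation in load8() firing. If that asymmetry is deliberate — presumably because the immediate form of branch32 may itself need dataTempRegister to materialize the constant — a comment on the load, `// Keep the loaded byte in memoryTempRegister: branch32(cond, reg, imm) may clobber dataTempRegister.`, would stop the next reader from "harmonizing" it with branch32/branch64 and reintroducing the register clash this commit fixes. If it is not deliberate, `load8(left.m_ptr, getCachedDataTempRegisterIDAndInvalidate()); return branch32(cond, dataTempRegister, right);` would keep the memory temp cache intact as the description intends. The enclosing branch8 signature is outside the hunk, and the description's "branch{8,32,64}" wording should match whichever variant is kept.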