Changeset 165559 in webkit


Timestamp:
Mar 13, 2014 12:46:48 PM
Author:
mark.lam@apple.com
Message:

JS benchmarks crash with a bus error on 32-bit x86.
<https://webkit.org/b/130203>

Reviewed by Geoffrey Garen.

The issue is that generateGetByIdStub() can potentially use the same register
for the JSValue base register and the target tag register. After loading the
tag value into the target tag register, the JSValue base address is lost.
The code then proceeds to load the payload value using the base register, and
this results in a crash.

The fix is to check if the base register is the same as the target tag register.
If so, we should make a copy of the base register first before loading the tag
value, and use the copy to load the payload value instead.

  • jit/Repatch.cpp:
    (JSC::generateGetByIdStub):
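As an added illustration (this is not WebKit code and not part of the changeset), the C++ model below replays the two dependent load32 operations of the 32-bit GetById stub on a toy register file, once in the original order and once in the r165559 order, so the point at which the base address is lost becomes visible. The register names R0..R3, the Machine type, the storage address 0x1000, the property offset 8, the tag/payload sample words and the PayloadOffset/TagOffset values are all constructed for this example. It also goes one step beyond the commit message by exercising the opposite aliasing case, base register == payload register, which both orders tolerate.

```cpp
// Added example, not WebKit code: a toy register/memory model that replays the
// two dependent load32 operations of the 32-bit GetById stub, in the original
// order and in the r165559 order, to show where the base address is lost.
#include <cstdint>
#include <cstdio>
#include <map>

enum GPRReg { R0 = 0, R1, R2, R3, NumGPRs };   // assumed register file for the model

// Assumed JSValue32_64 slot layout for this example: payload word, then tag word.
static const int PayloadOffset = 0;
static const int TagOffset = 4;

struct Machine {
    uint32_t regs[NumGPRs] = {};
    std::map<uint32_t, uint32_t> memory;  // sparse memory; an unmapped address faults
    bool faulted = false;

    void move(GPRReg src, GPRReg dst) { regs[dst] = regs[src]; }

    // Emulates stubJit.load32(Address(base, offset), dst). Dereferencing an
    // address that was never mapped is the model's version of the bus error.
    void load32(GPRReg base, int offset, GPRReg dst) {
        uint32_t addr = regs[base] + static_cast<uint32_t>(offset);
        auto it = memory.find(addr);
        if (it == memory.end()) { faulted = true; return; }
        regs[dst] = it->second;
    }
};

// Pre-fix order: tag first, then payload, both addressed through storageGPR.
static void emitOriginal(Machine& m, GPRReg storageGPR, int offset, GPRReg resultTagGPR, GPRReg loadedValueGPR) {
    m.load32(storageGPR, offset + TagOffset, resultTagGPR);
    m.load32(storageGPR, offset + PayloadOffset, loadedValueGPR);
}

// r165559 order: keep a copy of the base in the payload register when the base
// aliases the tag register, and address the payload load through the copy.
static void emitFixed(Machine& m, GPRReg storageGPR, int offset, GPRReg resultTagGPR, GPRReg loadedValueGPR) {
    GPRReg copyOfStorageGPR = storageGPR;
    if (storageGPR == resultTagGPR) {
        copyOfStorageGPR = loadedValueGPR;
        m.move(storageGPR, copyOfStorageGPR);
    }
    m.load32(storageGPR, offset + TagOffset, resultTagGPR);
    m.load32(copyOfStorageGPR, offset + PayloadOffset, loadedValueGPR);
}

// Runs one stub variant against a constructed property slot and reports whether
// the tag and payload registers end up holding the slot's contents without a fault.
bool stubReadsSlotCorrectly(bool useFix, GPRReg storageGPR, GPRReg resultTagGPR, GPRReg loadedValueGPR) {
    const uint32_t storageBase = 0x1000;     // constructed storage (butterfly) address
    const int offset = 8;                    // constructed offsetRelativeToBase(offset)
    const uint32_t tagWord = 0xFFFFFFFFu;    // constructed tag word; anything far from storageBase
    const uint32_t payloadWord = 42;         // constructed payload word

    Machine m;
    m.memory[storageBase + offset + PayloadOffset] = payloadWord;
    m.memory[storageBase + offset + TagOffset] = tagWord;
    m.regs[storageGPR] = storageBase;

    if (useFix)
        emitFixed(m, storageGPR, offset, resultTagGPR, loadedValueGPR);
    else
        emitOriginal(m, storageGPR, offset, resultTagGPR, loadedValueGPR);

    return !m.faulted && m.regs[resultTagGPR] == tagWord && m.regs[loadedValueGPR] == payloadWord;
}

int main() {
    struct Case { const char* name; GPRReg base, tag, payload; } cases[] = {
        { "distinct registers",   R0, R1, R2 },
        { "base aliases tag",     R0, R0, R2 },   // the 32-bit x86 crash from the bug report
        { "base aliases payload", R0, R1, R0 },   // tolerated by both orders
    };
    for (const Case& c : cases)
        std::printf("%-22s original=%s fixed=%s\n", c.name,
                    stubReadsSlotCorrectly(false, c.base, c.tag, c.payload) ? "ok" : "FAULT",
                    stubReadsSlotCorrectly(true, c.base, c.tag, c.payload) ? "ok" : "FAULT");
    return 0;
}
```

In the "base aliases tag" case the original order overwrites R0 with the tag word on the first load, so the second load dereferences tag + offset rather than storage + offset and faults; the fixed order parks the base in the payload register, which is free because it is only written by the final load. The "base aliases payload" case is safe in both orders for the same reason: the base is consumed for the last time by the load that clobbers it.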

Location:
trunk/Source/JavaScriptCore
Files:
2 edited

  • trunk/Source/JavaScriptCore/ChangeLog

    r165553 r165559  
     12014-03-13  Mark Lam  <mark.lam@apple.com>
     2
     3        JS benchmarks crash with a bus error on 32-bit x86.
     4        <https://webkit.org/b/130203>
     5
     6        Reviewed by Geoffrey Garen.
     7
     8        The issue is that generateGetByIdStub() can potentially use the same register
     9        for the JSValue base register and the target tag register.  After loading the
     10        tag value into the target tag register, the JSValue base address is lost.
     11        The code then proceeds to load the payload value using the base register, and
     12        this results in a crash.
     13
     14        The fix is to check if the base register is the same as the target tag register.
     15        If so, we should make a copy the base register first before loading the tag
     16        value, and use the copy to load the payload value instead.
     17
     18        * jit/Repatch.cpp:
     19        (JSC::generateGetByIdStub):
     20
    1212014-03-12  Filip Pizlo  <fpizlo@apple.com>
    222
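Review bot: the ChangeLog entry (line 15 of the new text) has a dropped word, "make a copy the base register"; it should read "make a copy of the base register first before loading the tag value". Otherwise the description matches the Repatch.cpp change.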
  • trunk/Source/JavaScriptCore/jit/Repatch.cpp

    r165459 r165559  
    302302        stubJit.load64(MacroAssembler::Address(storageGPR, offsetRelativeToBase(offset)), loadedValueGPR);
    303303#else
     304        GPRReg copyOfStorageGPR = storageGPR;
     305        if (storageGPR == resultTagGPR) {
     306            copyOfStorageGPR = loadedValueGPR;
     307            stubJit.move(storageGPR, copyOfStorageGPR);
     308        }
    304309        stubJit.load32(MacroAssembler::Address(storageGPR, offsetRelativeToBase(offset) + TagOffset), resultTagGPR);
    305         stubJit.load32(MacroAssembler::Address(storageGPR, offsetRelativeToBase(offset) + PayloadOffset), loadedValueGPR);
     310        stubJit.load32(MacroAssembler::Address(copyOfStorageGPR, offsetRelativeToBase(offset) + PayloadOffset), loadedValueGPR);
    306311#endif
    307312    }
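Review bot: the copy-first fix silently relies on loadedValueGPR being distinct from resultTagGPR: if the two were ever equal, `stubJit.move(storageGPR, copyOfStorageGPR)` would be undone by the tag load on the next line and the payload load would again dereference the tag. Consider an ASSERT(resultTagGPR != loadedValueGPR) next to the `storageGPR == resultTagGPR` check, plus a one-line comment saying why the base is preserved in loadedValueGPR (it is free because only the final load writes it). The opposite aliasing case, storageGPR == loadedValueGPR, is fine with this ordering because the base is last used by the load that clobbers it; simply swapping the two loads would have avoided the move but broken that case, so the chosen approach is the right one.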