Changeset 195319 in webkit

Timestamp:

Jan 19, 2016 3:15:53 PM (8 years ago)

Author:

commit-queue@webkit.org

Message:

[JSC] fixSpillSlotZDef() crashes on ARM64
​https://bugs.webkit.org/show_bug.cgi?id=153246

Patch by Benjamin Poulain <​bpoulain@apple.com> on 2016-01-19
Reviewed by Geoffrey Garen.

Moving an immediate to memory is not a valid instruction on ARM64.
This patch adds a small workaround for this specific case: an instruction
to zero a chunk of memory.

• assembler/MacroAssemblerARM64.h:

(JSC::MacroAssemblerARM64::storeZero32):

• assembler/MacroAssemblerX86Common.h:

(JSC::MacroAssemblerX86Common::storeZero32):

• b3/air/AirFixSpillSlotZDef.h:

(JSC::B3::Air::fixSpillSlotZDef):

• b3/air/AirOpcode.opcodes:

Location:

trunk/Source/JavaScriptCore

Files:

• ChangeLog (modified) (1 diff)
• assembler/MacroAssemblerARM64.h (modified) (1 diff)
• assembler/MacroAssemblerX86Common.h (modified) (1 diff)
• b3/air/AirAllocateStack.cpp (modified) (1 diff)
• b3/air/AirOpcode.opcodes (modified) (1 diff)

trunk/Source/JavaScriptCore/ChangeLog

@@ +1 @@
+2016-01-19  Benjamin Poulain  <bpoulain@apple.com>
+
+        [JSC] fixSpillSlotZDef() crashes on ARM64
+        https://bugs.webkit.org/show_bug.cgi?id=153246
+
+        Reviewed by Geoffrey Garen.
+
+        Moving an immediate to memory is not a valid instruction on ARM64.
+        This patch adds a small workaround for this specific case: an instruction
+        to zero a chunk of memory.
+
+        * assembler/MacroAssemblerARM64.h:
+        (JSC::MacroAssemblerARM64::storeZero32):
+        * assembler/MacroAssemblerX86Common.h:
+        (JSC::MacroAssemblerX86Common::storeZero32):
+        * b3/air/AirFixSpillSlotZDef.h:
+        (JSC::B3::Air::fixSpillSlotZDef):
+        * b3/air/AirOpcode.opcodes:
+
 2016-01-19  Enrica Casucci  <enrica@apple.com>
 

trunk/Source/JavaScriptCore/assembler/MacroAssemblerARM64.h

@@ -1232 +1232 @@
     }
 
+    void storeZero32(ImplicitAddress address)
+    {
+        store32(ARM64Registers::zr, address);
+    }
+
+    void storeZero32(BaseIndex address)
+    {
+        store32(ARM64Registers::zr, address);
+    }
+
     DataLabel32 store32WithAddressOffsetPatch(RegisterID src, Address address)
     {

trunk/Source/JavaScriptCore/assembler/MacroAssemblerX86Common.h

@@ -730 +730 @@
     {
         m_assembler.movl_i32m(imm.m_value, address.offset, address.base, address.index, address.scale);
+    }
+
+    void storeZero32(ImplicitAddress address)
+    {
+        store32(TrustedImm32(0), address);
+    }
+
+    void storeZero32(BaseIndex address)
+    {
+        store32(TrustedImm32(0), address);
     }
 

trunk/Source/JavaScriptCore/b3/air/AirAllocateStack.cpp

@@ -297 +297 @@
                             RELEASE_ASSERT(width == Arg::Width32);
 
-                            // We rely on the fact that there must be some way to move zero to a
-                            // memory location without first burning a register. On ARM, we would do
-                            // this using zr.
-                            RELEASE_ASSERT(isValidForm(Move32, Arg::Imm, Arg::Addr));
+                            RELEASE_ASSERT(isValidForm(StoreZero32, Arg::Stack));
                             insertionSet.insert(
-                                instIndex + 1, Move32, inst.origin, Arg::imm(0),
+                                instIndex + 1, StoreZero32, inst.origin,
                                 stackAddr(arg.offset() + 4 + slot->offsetFromFP()));
                         }

trunk/Source/JavaScriptCore/b3/air/AirOpcode.opcodes

@@ -435 +435 @@
     x86: Imm, Index as store32
 
+StoreZero32 U:G:32
+    Addr
+    Index
+
 SignExtend32ToPtr U:G:32, D:G:Ptr
     Tmp, Tmp