Changeset 95707 in webkit


Timestamp: Sep 22, 2011 4:05:41 AM
Author: Csaba Osztrogonác
Message:

32-bit call code clobbers the function cell tag
https://bugs.webkit.org/show_bug.cgi?id=68606

Patch by Filip Pizlo <fpizlo@apple.com> on 2011-09-22
Reviewed by Csaba Osztrogonác.

This is a minimalistic fix: it simply emits code to restore the
cell tag on the slow path, if we know that we failed due to
emitCallIfNotType.

  • jit/JITCall32_64.cpp:

(JSC::JIT::compileOpCallVarargsSlowCase):
(JSC::JIT::compileOpCallSlowCase):

Location:
trunk/Source/JavaScriptCore
Files:
2 edited

  • trunk/Source/JavaScriptCore/ChangeLog

    r95693 r95707  
     12011-09-22  Filip Pizlo  <fpizlo@apple.com>
     2
     3        32-bit call code clobbers the function cell tag
     4        https://bugs.webkit.org/show_bug.cgi?id=68606
     5
     6        Reviewed by Csaba Osztrogonác.
     7       
     8        This is a minimalistic fix: it simply emits code to restore the
     9        cell tag on the slow path, if we know that we failed due to
     10        emitCallIfNotType.
     11
     12        * jit/JITCall32_64.cpp:
     13        (JSC::JIT::compileOpCallVarargsSlowCase):
     14        (JSC::JIT::compileOpCallSlowCase):
     15
    1162011-09-21  Gavin Barraclough  <barraclough@apple.com>
    217
  • trunk/Source/JavaScriptCore/jit/JITCall32_64.cpp

    r95666 r95707  
    9494
    9595    linkSlowCaseIfNotJSCell(iter, callee);
     96    Jump notCell = jump();
    9697    linkSlowCase(iter);
     98    move(TrustedImm32(JSValue::CellTag), regT1); // Need to restore cell tag in regT1 because it was clobbered.
     99    notCell.link(this);
    97100
    98101    JITStubCall stubCall(this, cti_op_call_NotJSFunction);
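Review bot: The comment on the new `move(TrustedImm32(JSValue::CellTag), regT1)` line says the tag "was clobbered" but not by what; since the commit message ties this to `emitCallIfNotType`, name that helper in the comment so anyone later changing what `emitCallIfNotType` leaves in regT1 sees that this slow path depends on it. It is also worth a short note that the `notCell` jump intentionally bypasses the restore: on that path regT1 still holds the callee's original (non-cell) tag, so rewriting it as `CellTag` would hand `cti_op_call_NotJSFunction` a value whose tag no longer matches its payload, which is exactly the inconsistency this patch is removing on the other path.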
     
    273276
    274277    // This handles host functions
     278    callLinkFailNotJSFunction.link(this);
     279    move(TrustedImm32(JSValue::CellTag), regT1); // Restore cell tag since it was clobbered.
    275280    callLinkFailNotObject.link(this);
    276     callLinkFailNotJSFunction.link(this);
    277281
    278282    JITStubCall stubCall(this, opcodeID == op_construct ? cti_op_construct_NotJSConstruct : cti_op_call_NotJSFunction);
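Review bot: The subtle part of this hunk is the reordering of the link targets, not the added `move`: moving `callLinkFailNotJSFunction.link(this)` above `callLinkFailNotObject.link(this)` is what makes the tag restore apply only to the not-a-JSFunction failure and not to the not-an-object failure, and the comment "Restore cell tag since it was clobbered" does not say so. Suggest extending it along the lines of "NotObject failures keep regT1 intact, so they join after the restore" so the ordering is not undone by a later cleanup. Please also confirm that the NotObject path really does leave regT1 holding the cell tag before reaching the `JITStubCall` below; the placement here assumes it, and if that assumption is wrong the stub call would again receive a cell payload with a stale tag.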