Title: [168535] trunk/Source/_javascript_Core
Revision: 168535
Author: commit-qu...@webkit.org
Date: 2014-05-09 09:29:41 -0700 (Fri, 09 May 2014)

Log Message

[Win] Crash when enabling DFG JIT.
https://bugs.webkit.org/show_bug.cgi?id=132683

Patch by pe...@outlook.com <pe...@outlook.com> on 2014-05-09
Reviewed by Geoffrey Garen.

On Windows, using register GPRInfo::regT0 as parameter to e.g. JIT::storeDouble(..., GPRInfo::regT0),
results in a call to JIT::storeDouble(FPRegisterID src, const void* address),
where the address parameter gets the value of GPRInfo::regT0, which is 0 (eax on Windows).
This causes the register to be written to address 0, hence the crash.

* dfg/DFGOSRExitCompiler32_64.cpp:
(JSC::DFG::OSRExitCompiler::compileExit): Use address in regT0 as parameter.
* dfg/DFGOSRExitCompiler64.cpp:
(JSC::DFG::OSRExitCompiler::compileExit): Ditto.

Modified Paths

Diff

Modified: trunk/Source/_javascript_Core/ChangeLog (168534 => 168535)


--- trunk/Source/_javascript_Core/ChangeLog	2014-05-09 16:15:59 UTC (rev 168534)
+++ trunk/Source/_javascript_Core/ChangeLog	2014-05-09 16:29:41 UTC (rev 168535)
@@ -1,3 +1,20 @@
+2014-05-09  pe...@outlook.com  <pe...@outlook.com>
+
+        [Win] Crash when enabling DFG JIT.
+        https://bugs.webkit.org/show_bug.cgi?id=132683
+
+        Reviewed by Geoffrey Garen.
+
+        On windows, using register GPRInfo::regT0 as parameter to e.g. JIT::storeDouble(..., GPRInfo::regT0)),
+        results in a call to JIT::storeDouble(FPRegisterID src, const void* address),
+        where the address parameter gets the value of GPRInfo::regT0, which is 0 (eax on Windows).
+        This causes the register to be written to address 0, hence the crash.
+
+        * dfg/DFGOSRExitCompiler32_64.cpp:
+        (JSC::DFG::OSRExitCompiler::compileExit): Use address in regT0 as parameter.
+        * dfg/DFGOSRExitCompiler64.cpp:
+        (JSC::DFG::OSRExitCompiler::compileExit): Ditto.
+
 2014-05-09  Martin Hodovan <mhodovan.u-sze...@partner.samsung.com>
 
         REGRESSION(r167094): JSC crashes on ARM Traditional
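Review bot: The root-cause paragraph in this entry names only the storeDouble(FPRegisterID src, const void* address) overload, but two of the three code hunks in this revision change loadDouble calls (the one in DFGOSRExitCompiler32_64.cpp and the second hunk in DFGOSRExitCompiler64.cpp), which end up on the pointer-taking overload in the same way; the entry would be more accurate if it said the fix covers both the loadDouble and the storeDouble call sites. Two nits in the same paragraph: `JIT::storeDouble(..., GPRInfo::regT0))` has one closing parenthesis too many, and "On windows" should read "On Windows".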

Modified: trunk/Source/_javascript_Core/dfg/DFGOSRExitCompiler32_64.cpp (168534 => 168535)


--- trunk/Source/_javascript_Core/dfg/DFGOSRExitCompiler32_64.cpp	2014-05-09 16:15:59 UTC (rev 168534)
+++ trunk/Source/_javascript_Core/dfg/DFGOSRExitCompiler32_64.cpp	2014-05-09 16:29:41 UTC (rev 168535)
@@ -287,7 +287,7 @@
         case InFPR:
         case DoubleDisplacedInJSStack:
             m_jit.move(AssemblyHelpers::TrustedImmPtr(scratch + index), GPRInfo::regT0);
-            m_jit.loadDouble(GPRInfo::regT0, FPRInfo::fpRegT0);
+            m_jit.loadDouble(MacroAssembler::Address(GPRInfo::regT0), FPRInfo::fpRegT0);
             m_jit.purifyNaN(FPRInfo::fpRegT0);
             m_jit.storeDouble(FPRInfo::fpRegT0, AssemblyHelpers::addressFor(operand));
             break;
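Review bot: The change on the `+` line is right, and wrapping the register in MacroAssembler::Address makes the intended overload explicit on every compiler, so the emitted code no longer depends on how the host compiler ranks a bare GPRInfo register against the `const void*` parameter. What is not addressed is recurrence: the three-line pattern here (`move(TrustedImmPtr(scratch + index), regT0)` followed by a load through regT0) is exactly the shape that produced the bug, and on MSVC a bare register argument compiles silently (regT0 is 0 there) and only fails at run time as an access to address 0. Before landing it is worth grepping the other loadDouble/storeDouble call sites in the JIT for the same unwrapped-register argument and wrapping each one the way this hunk does.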

Modified: trunk/Source/_javascript_Core/dfg/DFGOSRExitCompiler64.cpp (168534 => 168535)


--- trunk/Source/_javascript_Core/dfg/DFGOSRExitCompiler64.cpp	2014-05-09 16:15:59 UTC (rev 168534)
+++ trunk/Source/_javascript_Core/dfg/DFGOSRExitCompiler64.cpp	2014-05-09 16:29:41 UTC (rev 168535)
@@ -217,7 +217,7 @@
         switch (recovery.technique()) {
         case InFPR:
             m_jit.move(AssemblyHelpers::TrustedImmPtr(scratch + index), GPRInfo::regT0);
-            m_jit.storeDouble(recovery.fpr(), GPRInfo::regT0);
+            m_jit.storeDouble(recovery.fpr(), MacroAssembler::Address(GPRInfo::regT0));
             break;
             
         default:
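Review bot: The changed line, `m_jit.storeDouble(recovery.fpr(), MacroAssembler::Address(GPRInfo::regT0));`, is the store described in the log message, the one that went to address 0 on Windows. Missing from the patch is a regression test: this path is only reached for an InFPR recovery (a double still held in a floating-point register at OSR exit), and the crash only shows with the DFG JIT enabled on Windows, so a JSC test that forces a DFG OSR exit with a double live in an FPR would keep this case exercised on the Windows bots rather than relying on a manual repro.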
@@ -296,7 +296,7 @@
         case InFPR:
         case DoubleDisplacedInJSStack:
             m_jit.move(AssemblyHelpers::TrustedImmPtr(scratch + index), GPRInfo::regT0);
-            m_jit.loadDouble(GPRInfo::regT0, FPRInfo::fpRegT0);
+            m_jit.loadDouble(MacroAssembler::Address(GPRInfo::regT0), FPRInfo::fpRegT0);
             m_jit.purifyNaN(FPRInfo::fpRegT0);
             m_jit.boxDouble(FPRInfo::fpRegT0, GPRInfo::regT0);
             m_jit.store64(GPRInfo::regT0, AssemblyHelpers::addressFor(operand));
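Review bot: No functional problem here; the register reuse is safe because the load through `MacroAssembler::Address(GPRInfo::regT0)` on the changed line completes before `m_jit.boxDouble(FPRInfo::fpRegT0, GPRInfo::regT0)` two lines later overwrites regT0 with the boxed value, and the scratch address is not needed after that. Style point: this hunk and the DFGOSRExitCompiler32_64.cpp hunk carry the same move/loadDouble/purifyNaN sequence, and the storeDouble hunk above carries its mirror image; a small helper that takes `scratch + index` and does the load (or store) through Address(regT0) would keep the three copies in one place, so the next fix to this pattern does not have to be applied three times.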
_______________________________________________
webkit-changes mailing list
webkit-changes@lists.webkit.org
https://lists.webkit.org/mailman/listinfo/webkit-changes
