Title: [228491] trunk/Source/_javascript_Core
Revision: 228491
Author: msab...@apple.com
Date: 2018-02-14 15:31:50 -0800 (Wed, 14 Feb 2018)

Log Message

Crash: triggerOMGTierUpThunkGenerator() doesn't align the stack pointer before calling C++ code
https://bugs.webkit.org/show_bug.cgi?id=182808

Reviewed by Keith Miller.

Set up a proper frame with a prologue and epilogue to align the stack pointer for the rest of the
thunk.

* wasm/WasmThunks.cpp:
(JSC::Wasm::triggerOMGTierUpThunkGenerator):

Modified Paths

Diff

Modified: trunk/Source/_javascript_Core/ChangeLog (228490 => 228491)


--- trunk/Source/_javascript_Core/ChangeLog	2018-02-14 23:30:27 UTC (rev 228490)
+++ trunk/Source/_javascript_Core/ChangeLog	2018-02-14 23:31:50 UTC (rev 228491)
@@ -1,3 +1,16 @@
+2018-02-14  Michael Saboff  <msab...@apple.com>
+
+        Crash: triggerOMGTierUpThunkGenerator() doesn't align the stack pointer before calling C++ code
+        https://bugs.webkit.org/show_bug.cgi?id=182808
+
+        Reviewed by Keith Miller.
+
+        Set up a proper frame with a prologue and epilogue to align the stack pointer for the rest of the
+        thunk.
+
+        * wasm/WasmThunks.cpp:
+        (JSC::Wasm::triggerOMGTierUpThunkGenerator):
+
 2018-02-14  Saam Barati  <sbar...@apple.com>
 
         Setting a VMTrap shouldn't look at topCallFrame since that may imply we're in C code and holding the malloc lock
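Review bot: The ChangeLog entry describes the new prologue/epilogue but does not mention that the ARM64-only `registersToSpill.set(ARM64Registers::x30)` block was dropped from the same function, even though that is a behaviour change in how the return pc is preserved on ARM64 (it now lives in the frame record written by the prologue instead of the register spill area). Suggest adding a line under the `(JSC::Wasm::triggerOMGTierUpThunkGenerator):` entry such as "Removed the explicit x30 spill on ARM64 since the prologue now saves lr." so that a reader of the ChangeLog alone can see the full scope of the change.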

Modified: trunk/Source/_javascript_Core/wasm/WasmThunks.cpp (228490 => 228491)


--- trunk/Source/_javascript_Core/wasm/WasmThunks.cpp	2018-02-14 23:30:27 UTC (rev 228490)
+++ trunk/Source/_javascript_Core/wasm/WasmThunks.cpp	2018-02-14 23:31:50 UTC (rev 228491)
@@ -81,13 +81,11 @@
     // We expect that the user has already put the function index into GPRInfo::argumentGPR1
     CCallHelpers jit;
 
+    jit.emitFunctionPrologue();
+
     const unsigned extraPaddingBytes = 0;
     RegisterSet registersToSpill = RegisterSet::allRegisters();
     registersToSpill.exclude(RegisterSet::registersToNotSaveForCCall());
-#if CPU(ARM64)
-    // We also want to spill x30 since that holds our return pc.
-    registersToSpill.set(ARM64Registers::x30);
-#endif
     unsigned numberOfStackBytesUsedForRegisterPreservation = ScratchRegisterAllocator::preserveRegistersToStackForCall(jit, registersToSpill, extraPaddingBytes);
 
     jit.loadWasmContextInstance(GPRInfo::argumentGPR0);
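Review bot: The removed ARM64 comment ("We also want to spill x30 since that holds our return pc") is not replaced by anything explaining why the spill is no longer needed, so a later reader may be tempted to add it back; a one-line comment next to `jit.emitFunctionPrologue();` stating that the prologue saves the return pc (lr on ARM64) together with the frame pointer, and that the frame record is what brings the stack pointer back to the required alignment before the C++ call, would close that gap. It is also worth noting in the same comment that the prologue must not touch `GPRInfo::argumentGPR1`, since the comment above says the caller has already placed the function index there and the spill/restore sequence below depends on it surviving the prologue; the prologue only manipulates the frame pointer and stack pointer (and lr), so this holds, but the invariant is easy to break if the prologue is ever extended. Finally, with `extraPaddingBytes` still fixed at 0, the alignment argument relies on `preserveRegistersToStackForCall` reserving a stack-alignment-rounded block; if that is the intent it deserves a sentence here.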
@@ -98,6 +96,7 @@
 
     ScratchRegisterAllocator::restoreRegistersFromStackForCall(jit, registersToSpill, RegisterSet(), numberOfStackBytesUsedForRegisterPreservation, extraPaddingBytes);
 
+    jit.emitFunctionEpilogue();
     jit.ret();
     LinkBuffer linkBuffer(jit, GLOBAL_THUNK_ID);
     return FINALIZE_CODE(linkBuffer, ("Trigger OMG tier up"));
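Review bot: Ordering looks right (register restore first, then `jit.emitFunctionEpilogue();`, then `jit.ret();`), since the spill area sits above the frame record and the epilogue pops the saved frame pointer and, on ARM64, the return pc that `ret` needs; but the epilogue line has no comment and the hunk gives no hint that on ARM64 this is now the only place x30 is restored, whereas before this patch it came back through `restoreRegistersFromStackForCall`. A short comment such as "epilogue restores fp and, on ARM64, lr, so ret sees the caller's return pc" would document that dependency. Also, the second parameter to `restoreRegistersFromStackForCall` is an empty `RegisterSet()` of registers to skip; since the prologue now owns the frame pointer, consider whether `registersToSpill` still needs to include the frame pointer register at all, or at least document that restoring it from the spill area is harmless because the epilogue overwrites it immediately afterwards.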
_______________________________________________
webkit-changes mailing list
webkit-changes@lists.webkit.org
https://lists.webkit.org/mailman/listinfo/webkit-changes