Title: [256850] trunk/Source/_javascript_Core
Revision: 256850
Author: commit-qu...@webkit.org
Date: 2020-02-18 12:09:29 -0800 (Tue, 18 Feb 2020)

Log Message

Fix order (in MIPS) under which CS-registers are saved/restored
https://bugs.webkit.org/show_bug.cgi?id=207752

Patch by Paulo Matos <pma...@igalia.com> on 2020-02-18
Reviewed by Keith Miller.

This has been causing several segfaults on MIPS with JIT enabled
because during an OSR to baseline, the order in which LLInt was
saving the registers was not in sync with the way baseline was
restoring them.

* llint/LowLevelInterpreter.asm:

Modified Paths

trunk/Source/_javascript_Core/ChangeLog
trunk/Source/_javascript_Core/llint/LowLevelInterpreter.asm
Diff

Modified: trunk/Source/_javascript_Core/ChangeLog (256849 => 256850)


--- trunk/Source/_javascript_Core/ChangeLog	2020-02-18 20:06:35 UTC (rev 256849)
+++ trunk/Source/_javascript_Core/ChangeLog	2020-02-18 20:09:29 UTC (rev 256850)
@@ -1,3 +1,17 @@
+2020-02-18  Paulo Matos  <pma...@igalia.com>
+
+        Fix order (in MIPS) under which CS-registers are saved/restored
+        https://bugs.webkit.org/show_bug.cgi?id=207752
+
+        Reviewed by Keith Miller.
+
+        This has been causing several segfaults on MIPS with JIT enabled
+        because during an OSR to baseline, the order in which LLInt was
+        saving the registers was not in sync with the way baseline was
+        restoring them.
+
+        * llint/LowLevelInterpreter.asm:
+
 2020-02-18  Ross Kirsling  <ross.kirsl...@sony.com>
 
         [JSC] Computed function properties compute their keys twice
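Review bot: the new ChangeLog entry's file line `* llint/LowLevelInterpreter.asm:` has no per-function annotations; WebKit ChangeLog convention lists the affected functions or macros under the file name, which here are `preserveCalleeSavesUsedByLLInt` and `restoreCalleeSavesUsedByLLInt` (the two macros touched in the second file's hunks). "CS-registers" in the title is better spelled out as callee-save registers, and since the entry only says the save order and the baseline restore order were out of sync, it would help future readers to state which side was wrong on MIPS and that the fix is to swap the slots used for PB and metadataTable.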

Modified: trunk/Source/_javascript_Core/llint/LowLevelInterpreter.asm (256849 => 256850)


--- trunk/Source/_javascript_Core/llint/LowLevelInterpreter.asm	2020-02-18 20:06:35 UTC (rev 256849)
+++ trunk/Source/_javascript_Core/llint/LowLevelInterpreter.asm	2020-02-18 20:09:29 UTC (rev 256850)
@@ -791,9 +791,20 @@
     subp CalleeSaveSpaceStackAligned, sp
     if C_LOOP or C_LOOP_WIN
         storep metadataTable, -PtrSize[cfr]
-    elsif ARMv7 or MIPS
+
+    # Next ARMv7 and MIPS differ in how we store metadataTable and PB,
+    # because this codes needs to be in sync with how registers are
+    # restored in Baseline JIT (specifically in emitRestoreCalleeSavesFor).
+    # emitRestoreCalleeSavesFor restores registers in order instead of by name.
+    # However, ARMv7 and MIPS differ in the order in which registers are assigned
+    # to metadataTable and PB, therefore they can also not have the same saving
+    # order.
+    elsif ARMv7
         storep metadataTable, -4[cfr]
         storep PB, -8[cfr]
+    elsif MIPS
+        storep PB, -4[cfr]
+        storep metadataTable, -8[cfr]
     elsif ARM64 or ARM64E
         emit "stp x27, x28, [x29, #-16]"
         emit "stp x25, x26, [x29, #-32]"
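Review bot: the new comment block lands inside the `if C_LOOP or C_LOOP_WIN` arm, between `storep metadataTable, -PtrSize[cfr]` and `elsif ARMv7`, rather than above the arms it explains, and it carries a typo ("this codes needs to be in sync" should be "this code needs to be in sync"). Moving the comment and the stray blank line to directly above `elsif ARMv7` keeps the C_LOOP arm a single statement and puts the rationale next to the offsets it justifies. The comment also says ARMv7 and MIPS differ in which registers are assigned to metadataTable and PB but does not say which registers those are on each port, so a reader still has to consult both register maps to confirm that `storep PB, -4[cfr]` / `storep metadataTable, -8[cfr]` is the order emitRestoreCalleeSavesFor expects; naming the registers per port, or pointing at where they are defined, would make the invariant checkable from this file.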
@@ -815,9 +826,14 @@
 macro restoreCalleeSavesUsedByLLInt()
     if C_LOOP or C_LOOP_WIN
         loadp -PtrSize[cfr], metadataTable
-    elsif ARMv7 or MIPS
+    # To understand why ARMv7 and MIPS differ in restore order,
+    # see comment in preserveCalleeSavesUsedByLLInt
+    elsif ARMv7
         loadp -4[cfr], metadataTable
         loadp -8[cfr], PB
+    elsif MIPS
+        loadp -4[cfr], PB
+        loadp -8[cfr], metadataTable
     elsif ARM64 or ARM64E
         emit "ldp x25, x26, [x29, #-32]"
         emit "ldp x27, x28, [x29, #-16]"
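Review bot: the slot assignment is now spelled out by hand in three places, the preserve macro, this restore macro and, per the comment, the baseline JIT's emitRestoreCalleeSavesFor, which is exactly the duplication that let the MIPS order drift in the first place, and nothing in this hunk ties `loadp -4[cfr], PB` / `loadp -8[cfr], metadataTable` to the matching `storep` lines. Consider defining the per-port slot offsets once (an offset constant per register, or a macro both the preserve and restore paths expand) so the two halves cannot disagree again; as written, a future edit to one macro and not the other reintroduces the same out-of-sync frame. The cross-reference comment is good, but a one-line statement of the invariant ("slot at -4[cfr] is always the register emitRestoreCalleeSavesFor restores first") would let a reviewer verify it without reading the JIT side.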
webkit-changes mailing list
webkit-changes@lists.webkit.org
https://lists.webkit.org/mailman/listinfo/webkit-changes
