<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN"
"http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head><meta http-equiv="content-type" content="text/html; charset=utf-8" />
<title>[165559] trunk/Source/JavaScriptCore</title>
</head>
<body>
<style type="text/css"><!--
#msg dl.meta { border: 1px #006 solid; background: #369; padding: 6px; color: #fff; }
#msg dl.meta dt { float: left; width: 6em; font-weight: bold; }
#msg dt:after { content:':';}
#msg dl, #msg dt, #msg ul, #msg li, #header, #footer, #logmsg { font-family: verdana,arial,helvetica,sans-serif; font-size: 10pt; }
#msg dl a { font-weight: bold}
#msg dl a:link { color:#fc3; }
#msg dl a:active { color:#ff0; }
#msg dl a:visited { color:#cc6; }
h3 { font-family: verdana,arial,helvetica,sans-serif; font-size: 10pt; font-weight: bold; }
#msg pre { overflow: auto; background: #ffc; border: 1px #fa0 solid; padding: 6px; }
#logmsg { background: #ffc; border: 1px #fa0 solid; padding: 1em 1em 0 1em; }
#logmsg p, #logmsg pre, #logmsg blockquote { margin: 0 0 1em 0; }
#logmsg p, #logmsg li, #logmsg dt, #logmsg dd { line-height: 14pt; }
#logmsg h1, #logmsg h2, #logmsg h3, #logmsg h4, #logmsg h5, #logmsg h6 { margin: .5em 0; }
#logmsg h1:first-child, #logmsg h2:first-child, #logmsg h3:first-child, #logmsg h4:first-child, #logmsg h5:first-child, #logmsg h6:first-child { margin-top: 0; }
#logmsg ul, #logmsg ol { padding: 0; list-style-position: inside; margin: 0 0 0 1em; }
#logmsg ul { text-indent: -1em; padding-left: 1em; }#logmsg ol { text-indent: -1.5em; padding-left: 1.5em; }
#logmsg > ul, #logmsg > ol { margin: 0 0 1em 0; }
#logmsg pre { background: #eee; padding: 1em; }
#logmsg blockquote { border: 1px solid #fa0; border-left-width: 10px; padding: 1em 1em 0 1em; background: white;}
#logmsg dl { margin: 0; }
#logmsg dt { font-weight: bold; }
#logmsg dd { margin: 0; padding: 0 0 0.5em 0; }
#logmsg dd:before { content:'\00bb';}
#logmsg table { border-spacing: 0px; border-collapse: collapse; border-top: 4px solid #fa0; border-bottom: 1px solid #fa0; background: #fff; }
#logmsg table th { text-align: left; font-weight: normal; padding: 0.2em 0.5em; border-top: 1px dotted #fa0; }
#logmsg table td { text-align: right; border-top: 1px dotted #fa0; padding: 0.2em 0.5em; }
#logmsg table thead th { text-align: center; border-bottom: 1px solid #fa0; }
#logmsg table th.Corner { text-align: left; }
#logmsg hr { border: none 0; border-top: 2px dashed #fa0; height: 1px; }
#header, #footer { color: #fff; background: #636; border: 1px #300 solid; padding: 6px; }
#patch { width: 100%; }
#patch h4 {font-family: verdana,arial,helvetica,sans-serif;font-size:10pt;padding:8px;background:#369;color:#fff;margin:0;}
#patch .propset h4, #patch .binary h4 {margin:0;}
#patch pre {padding:0;line-height:1.2em;margin:0;}
#patch .diff {width:100%;background:#eee;padding: 0 0 10px 0;overflow:auto;}
#patch .propset .diff, #patch .binary .diff {padding:10px 0;}
#patch span {display:block;padding:0 10px;}
#patch .modfile, #patch .addfile, #patch .delfile, #patch .propset, #patch .binary, #patch .copfile {border:1px solid #ccc;margin:10px 0;}
#patch ins {background:#dfd;text-decoration:none;display:block;padding:0 10px;}
#patch del {background:#fdd;text-decoration:none;display:block;padding:0 10px;}
#patch .lines, .info {color:#888;background:#fff;}
--></style>
<div id="msg">
<dl class="meta">
<dt>Revision</dt> <dd><a href="http://trac.webkit.org/projects/webkit/changeset/165559">165559</a></dd>
<dt>Author</dt> <dd>mark.lam@apple.com</dd>
<dt>Date</dt> <dd>2014-03-13 12:46:48 -0700 (Thu, 13 Mar 2014)</dd>
</dl>
<h3>Log Message</h3>
<pre>JS benchmarks crash with a bus error on 32-bit x86.
<https://webkit.org/b/130203>
Reviewed by Geoffrey Garen.
The issue is that generateGetByIdStub() can potentially use the same register
for the JSValue base register and the target tag register. After loading the
tag value into the target tag register, the JSValue base address is lost.
The code then proceeds to load the payload value using the base register, and
this results in a crash.
The fix is to check if the base register is the same as the target tag register.
If so, we should make a copy the base register first before loading the tag
value, and use the copy to load the payload value instead.
* jit/Repatch.cpp:
(JSC::generateGetByIdStub):</pre>
<h3>Modified Paths</h3>
<ul>
<li><a href="#trunkSourceJavaScriptCoreChangeLog">trunk/Source/JavaScriptCore/ChangeLog</a></li>
<li><a href="#trunkSourceJavaScriptCorejitRepatchcpp">trunk/Source/JavaScriptCore/jit/Repatch.cpp</a></li>
</ul>
</div>
<div id="patch">
<h3>Diff</h3>
<a id="trunkSourceJavaScriptCoreChangeLog"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/ChangeLog (165558 => 165559)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/ChangeLog 2014-03-13 19:45:48 UTC (rev 165558)
+++ trunk/Source/JavaScriptCore/ChangeLog 2014-03-13 19:46:48 UTC (rev 165559)
</span><span class="lines">@@ -1,3 +1,23 @@
</span><ins>+2014-03-13 Mark Lam <mark.lam@apple.com>
+
+ JS benchmarks crash with a bus error on 32-bit x86.
+ <https://webkit.org/b/130203>
+
+ Reviewed by Geoffrey Garen.
+
+ The issue is that generateGetByIdStub() can potentially use the same register
+ for the JSValue base register and the target tag register. After loading the
+ tag value into the target tag register, the JSValue base address is lost.
+ The code then proceeds to load the payload value using the base register, and
+ this results in a crash.
+
+ The fix is to check if the base register is the same as the target tag register.
+ If so, we should make a copy the base register first before loading the tag
+ value, and use the copy to load the payload value instead.
+
+ * jit/Repatch.cpp:
+ (JSC::generateGetByIdStub):
+
</ins><span class="cx"> 2014-03-12 Filip Pizlo <fpizlo@apple.com>
</span><span class="cx">
</span><span class="cx"> WebKit shouldn't crash on uniprocessor machines
</span></span></pre></div>
<a id="trunkSourceJavaScriptCorejitRepatchcpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/jit/Repatch.cpp (165558 => 165559)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/jit/Repatch.cpp 2014-03-13 19:45:48 UTC (rev 165558)
+++ trunk/Source/JavaScriptCore/jit/Repatch.cpp 2014-03-13 19:46:48 UTC (rev 165559)
</span><span class="lines">@@ -301,8 +301,13 @@
</span><span class="cx"> #if USE(JSVALUE64)
</span><span class="cx"> stubJit.load64(MacroAssembler::Address(storageGPR, offsetRelativeToBase(offset)), loadedValueGPR);
</span><span class="cx"> #else
</span><ins>+ GPRReg copyOfStorageGPR = storageGPR;
+ if (storageGPR == resultTagGPR) {
+ copyOfStorageGPR = loadedValueGPR;
+ stubJit.move(storageGPR, copyOfStorageGPR);
+ }
</ins><span class="cx"> stubJit.load32(MacroAssembler::Address(storageGPR, offsetRelativeToBase(offset) + TagOffset), resultTagGPR);
</span><del>- stubJit.load32(MacroAssembler::Address(storageGPR, offsetRelativeToBase(offset) + PayloadOffset), loadedValueGPR);
</del><ins>+ stubJit.load32(MacroAssembler::Address(copyOfStorageGPR, offsetRelativeToBase(offset) + PayloadOffset), loadedValueGPR);
</ins><span class="cx"> #endif
</span><span class="cx"> }
</span><span class="cx">
</span></span></pre>
</div>
</div>
</body>
</html>