[webkit-dev] stack alignment bug

Zoltan Herczeg zherczeg at inf.u-szeged.hu
Thu Jun 4 01:19:17 PDT 2009


actually there was a bug which took me a day to find out what happened. It
was somewhere deep in libc, called by a function in DateMath.cpp. It
seemed that the stack was overwritten. By libc??? I can't believe it.
Finally I realized that gcc's alloca realigned the stack (to 8 bytes on
ARM), so everything was in a wrong place (looked overwritten at first

My fake stack pointer idea:
fake_sp: any non-volatile general purpose register

  mov fake_sp, sp
  sub sp, sp, 32   ; I believe this is enough for the JIT,
                   ; correct me if I am wrong
  ; use fake_sp instead of sp for push/pops

  add sp, sp, 32

I hope this even works for PPC (if someone ever wants to port the JIT to
old macs).


> Zoltan,
> I filed a bug here: https://bugs.webkit.org/show_bug.cgi?id=26164
> The stack is originally aligned, then the JIT code destroys it; and some
> data structure or pointer to double is not aligned and I'm still trying to
> find where they are.
> I'm not sure how the fake stack would be, would you mind explaining a bit
> more?
> Did you face the same problem?
> Thanks also for your articles that give new ideas.
> rgds
> joe
> --- On Wed, 6/3/09, Zoltan Herczeg <zherczeg at inf.u-szeged.hu> wrote:
>> From: Zoltan Herczeg <zherczeg at inf.u-szeged.hu>
>> Subject: Re: [webkit-dev] stack alignment bug
>> To: "x yz" <lastguy at yahoo.com>
>> Cc: webkit-dev at lists.webkit.org
>> Date: Wednesday, June 3, 2009, 7:35 PM
>> Hi,
>> true, some architectures have strict policies for stack handling. Perhaps
>> the worst one is PowerPC with its organized stack frame (back chains,
>> pre-defined register save areas, etc). I think a fake stack pointer for
>> JIT can solve the x86 compatibility problem.
>> 1) allocate enough aligned stack space for the worst case when you enter
>> the JIT
>> 2) the fake stack pointer should use this pre-allocated stack frame.
>> Zoltan
>> > I don't know how to file a bug so I posted here.
>> > In privateCompileCTIMachineTrampolines() there are multiple align() to
>> > align code on a 16-byte margin, yet the stack can be put on a 32-bit
>> > margin, which causes a crash.
>> > Suppose the original stack is aligned to 8/16 bytes; the above function
>> > frequently pops/pushes regT3, which makes the stack misaligned. Then the
>> > int to double conversion uses the stack, which will fail.
>> > rgds
>> > joe
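A constructed C model of the fake-stack-pointer scheme Zoltan sketches above, added here as an example and not WebKit or JIT code; the slot count, the names and the 8-byte alignment requirement are assumptions for the example, with the frame's address standing in for the real sp that the scheme leaves untouched:

```c
#include <stdalign.h>
#include <stdbool.h>
#include <stdint.h>

/* Constructed model (not WebKit code) of the fake-stack-pointer scheme:
 * the JIT reserves one aligned frame on entry and routes all of its own
 * push/pop traffic through a separate pointer, so the real sp never moves
 * between native calls. Names and the slot count are assumptions. */
#define JIT_FRAME_SLOTS 8   /* 8 x 4-byte slots: the 32 bytes from the thread */
#define ABI_STACK_ALIGN 8   /* assumed: ARM EABI wants an 8-byte aligned sp at calls */

typedef struct {
    alignas(16) uint32_t slots[JIT_FRAME_SLOTS]; /* pre-allocated aligned frame */
    unsigned depth;                              /* fake_sp, kept as a slot index */
} jit_frame;

/* Bounds-checked push/pop: running past the reserved frame is reported,
 * not silently written over whatever lies next to it on the stack. */
static bool jit_push(jit_frame *f, uint32_t reg) {
    if (f->depth >= JIT_FRAME_SLOTS) return false;
    f->slots[f->depth++] = reg;
    return true;
}

static bool jit_pop(jit_frame *f, uint32_t *reg) {
    if (f->depth == 0) return false;
    *reg = f->slots[--f->depth];
    return true;
}

/* Naive scheme: sp itself moves 4 bytes per push, so an odd number of
 * pushes leaves sp misaligned for a native helper that expects 8 bytes. */
static bool naive_sp_aligned_after_pushes(uintptr_t sp, unsigned pushes) {
    return ((sp - 4u * pushes) % ABI_STACK_ALIGN) == 0;
}

/* Fake-sp scheme: push `pushes` registers, check the frame (standing in
 * for the untouched real sp) is still aligned, then pop back in LIFO order. */
static bool fake_sp_scenario(unsigned pushes) {
    jit_frame f = { .depth = 0 };
    for (unsigned i = 0; i < pushes; i++)
        if (!jit_push(&f, i)) return false;           /* frame too small */
    if (((uintptr_t)&f % ABI_STACK_ALIGN) != 0) return false;
    for (unsigned i = pushes; i-- > 0;) {
        uint32_t r;
        if (!jit_pop(&f, &r) || r != i) return false; /* order broken */
    }
    return f.depth == 0;
}
```

The bounds check is the caveat the "32 bytes is enough" guess needs: a frame sized for the worst case only holds if every push is counted against it.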
