[Webkit-unassigned] [Bug 123421] New: ARMv7: third argument gets clobbered during storePtr call in JIT::updateTopCallFrame

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Mon Oct 28 14:16:25 PDT 2013


https://bugs.webkit.org/show_bug.cgi?id=123421

           Summary: ARMv7: third argument gets clobbered during storePtr
                    call in JIT::updateTopCallFrame
           Product: WebKit
           Version: 528+ (Nightly build)
          Platform: Unspecified
        OS/Version: Unspecified
            Status: UNCONFIRMED
          Severity: Normal
          Priority: P2
         Component: JavaScriptCore
        AssignedTo: webkit-unassigned at lists.webkit.org
        ReportedBy: mandeep.baines at gmail.com


R3 is used as the third argument register. R3 is also used as the addressTempRegister.

JIT::callOperation() first sets up the arguments and then appends the call:

ALWAYS_INLINE MacroAssembler::Call JIT::callOperation(C_JITOperation_E operation)
{
    setupArgumentsExecState();
    return appendCallWithExceptionCheck(operation);
}

appendCall calls updateTopCallFrame:

ALWAYS_INLINE MacroAssembler::Call JIT::appendCallWithExceptionCheck(const FunctionPtr& function)
{
    updateTopCallFrame();
    MacroAssembler::Call call = appendCall(function);
    exceptionCheck();
    return call;
}

updateTopCallFrame then does a storePtr which uses addressTempRegister and clobbers R3, corrupting the third argument.

ALWAYS_INLINE void JIT::updateTopCallFrame()
{
    ASSERT(static_cast<int>(m_bytecodeOffset) >= 0);
#if USE(JSVALUE32_64)
    Instruction* instruction = m_codeBlock->instructions().begin() + m_bytecodeOffset + 1;
    uint32_t locationBits = CallFrame::Location::encodeAsBytecodeInstruction(instruction);
#else
    uint32_t locationBits = CallFrame::Location::encodeAsBytecodeOffset(m_bytecodeOffset + 1);
#endif
    store32(TrustedImm32(locationBits), intTagFor(JSStack::ArgumentCount));
    storePtr(callFrameRegister, &m_vm->topCallFrame);
}

There is a comment describing this potential bug (now real) in GPRInfo.h:

    // FIXME: r3 is currently used by the MacroAssembler as a temporary - it seems
    // This could theoretically be a problem if this is used in code generation
    // between the arguments being set up, and the call being made. That said,
    // any change introducing a problem here is likely to be immediately apparent!
    static const GPRReg argumentGPR3 = ARMRegisters::r3; // FIXME!

One potential fix would be to use something like the claimScratch() technique used in SH4Assembler.h or update topCallFrame before setting up the argument registers.
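To make the ordering hazard concrete, here is a small toy model of the sequence described above. It is an added illustration, not WebKit code: the register numbering, the fact that argument 3 and the assembler's address temporary are both r3, and the "materialise the absolute address in the temp register, then store through it" expansion of storePtr follow the report; the callFrameRegister choice (r5), the memory layout and the argument values are constructed stand-ins. It shows the buggy order (arguments, then updateTopCallFrame, then call) delivering the temp address instead of the third argument, and the reordered version proposed in the report delivering the right value.

```cpp
// Toy model of the ARMv7 argument-clobber hazard (added example, not WebKit code).
#include <array>
#include <cstdint>
#include <vector>

namespace toyjit {

enum Reg { r0 = 0, r1, r2, r3, r4, r5, NumRegs };
constexpr Reg argumentGPR3 = r3;        // third C-call argument lives in r3 (GPRInfo.h)
constexpr Reg addressTempRegister = r3; // and the assembler's address temporary is r3 too
constexpr Reg callFrameRegister = r5;   // constructed choice for this model
constexpr uint32_t topCallFrameAddr = 8; // constructed slot standing in for &m_vm->topCallFrame

// Minimal machine state: a few GPRs and a tiny word-addressed memory.
struct Machine {
    std::array<uint32_t, NumRegs> regs{};
    std::vector<uint32_t> mem = std::vector<uint32_t>(16, 0);
};

// Model of storePtr(srcReg, absoluteAddress) on ARMv7: the address must first be
// materialised in the temp register, then the store goes through it. That first
// step overwrites r3, which is exactly where argument 3 was just placed.
void storePtrToAbsolute(Machine& m, Reg src, uint32_t address)
{
    m.regs[addressTempRegister] = address; // clobbers r3
    m.mem[address] = m.regs[src];
}

// setupArguments: load the four C-function arguments into r0..r3.
void setupArguments(Machine& m, uint32_t a0, uint32_t a1, uint32_t a2, uint32_t a3)
{
    m.regs[r0] = a0;
    m.regs[r1] = a1;
    m.regs[r2] = a2;
    m.regs[argumentGPR3] = a3;
}

// Model of updateTopCallFrame(): store the call frame register to vm->topCallFrame.
void updateTopCallFrame(Machine& m)
{
    storePtrToAbsolute(m, callFrameRegister, topCallFrameAddr);
}

// The callee simply reports what arrived in r3.
uint32_t calleeSeesArgument3(const Machine& m) { return m.regs[argumentGPR3]; }

// Buggy sequence from the report: arguments first, then updateTopCallFrame, then call.
// Returns the value the callee observes as its third argument.
uint32_t buggyCallOperation(uint32_t frame, uint32_t arg3)
{
    Machine m;
    m.regs[callFrameRegister] = frame;
    setupArguments(m, 1, 2, 3, arg3);
    updateTopCallFrame(m); // storePtr clobbers r3 between argument setup and the call
    return calleeSeesArgument3(m);
}

// Fixed ordering suggested in the report: update topCallFrame before setting up arguments.
uint32_t fixedCallOperation(uint32_t frame, uint32_t arg3)
{
    Machine m;
    m.regs[callFrameRegister] = frame;
    updateTopCallFrame(m); // r3 is free to be used as a temporary here
    setupArguments(m, 1, 2, 3, arg3);
    return calleeSeesArgument3(m);
}

// Helper for checking that the fixed ordering still records the frame pointer.
uint32_t fixedStoredTopCallFrame(uint32_t frame)
{
    Machine m;
    m.regs[callFrameRegister] = frame;
    updateTopCallFrame(m);
    setupArguments(m, 1, 2, 3, 0x2a);
    return m.mem[topCallFrameAddr];
}

} // namespace toyjit

int main()
{
    // Constructed values: frame pointer 0x1000, third argument 0x2a.
    uint32_t buggy = toyjit::buggyCallOperation(0x1000, 0x2a); // yields 8, the temp address
    uint32_t fixed = toyjit::fixedCallOperation(0x1000, 0x2a); // yields 0x2a
    return (buggy != 0x2a && fixed == 0x2a) ? 0 : 1;
}
```

The model deliberately keeps the store-through-temp expansion explicit so the clobber is visible as a single assignment; in the real assembler it is hidden inside storePtr, which is why the GPRInfo.h comment warned that any generated code between argument setup and the call could reintroduce the problem.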
