Attachment 342052 Details for Bug 186351 – Patch

[patch] Patch

bug-186351-20180606182701.patch (text/plain), 3.32 KB, created by Guillaume Emont on 2018-06-06 09:27:02 PDT

(hide)

Description:

Filename:

MIME Type:

Creator: Guillaume Emont

Created: 2018-06-06 09:27:02 PDT

Size: 3.32 KB

patch

obsolete

>Subversion Revision: 232536
>diff --git a/Source/JavaScriptCore/ChangeLog b/Source/JavaScriptCore/ChangeLog
>index 6614868fe35d0a4581dde35291c8d7a4934c8044..2e68d47ceed0ad06a0f119c4cda2b7704e246d81 100644
>--- a/Source/JavaScriptCore/ChangeLog
>+++ b/Source/JavaScriptCore/ChangeLog
>@@ -1,3 +1,13 @@
>+2018-06-06  Guillaume Emont  <guijemont@igalia.com>
>+
>+        ArityFixup should adjust SP first on 32-bit platforms too
>+        https://bugs.webkit.org/show_bug.cgi?id=186351
>+
>+        Reviewed by NOBODY (OOPS!).
>+
>+        * jit/ThunkGenerators.cpp:
>+        (JSC::arityFixupGenerator):
>+
> 2018-06-05  Brent Fulgham  <bfulgham@apple.com>
> 
>         Adjust compile and runtime flags to match shippable state of features
>diff --git a/Source/JavaScriptCore/jit/ThunkGenerators.cpp b/Source/JavaScriptCore/jit/ThunkGenerators.cpp
>index ee35a02cf858d8e0cc689f737d7bdd5bdc708087..dd5d83051ec5780ab0b6186acca0da3096191d65 100644
>--- a/Source/JavaScriptCore/jit/ThunkGenerators.cpp
>+++ b/Source/JavaScriptCore/jit/ThunkGenerators.cpp
>@@ -500,7 +500,7 @@ MacroAssemblerCodeRef<JITThunkPtrTag> arityFixupGenerator(VM* vm)
> 
>     // Adjust call frame register and stack pointer to account for missing args.
>     // We need to change the stack pointer first before performing copy/fill loops.
>-    // This stack space below the stack pointer is considered unsed by OS. Therefore,
>+    // This stack space below the stack pointer is considered unused by OS. Therefore,
>     // OS may corrupt this space when constructing a signal stack.
>     jit.move(JSInterfaceJIT::argumentGPR0, extraTemp);
>     jit.lshift64(JSInterfaceJIT::TrustedImm32(3), extraTemp);
>@@ -564,6 +564,17 @@ MacroAssemblerCodeRef<JITThunkPtrTag> arityFixupGenerator(VM* vm)
> 
>     jit.neg32(JSInterfaceJIT::argumentGPR0);
> 
>+    // Adjust call frame register and stack pointer to account for missing args.
>+    // We need to change the stack pointer first before performing copy/fill loops.
>+    // This stack space below the stack pointer is considered unused by OS. Therefore,
>+    // OS may corrupt this space when constructing a signal stack.
>+    jit.move(JSInterfaceJIT::argumentGPR0, JSInterfaceJIT::regT5);
>+    jit.lshift32(JSInterfaceJIT::TrustedImm32(3), JSInterfaceJIT::regT5);
>+    jit.addPtr(JSInterfaceJIT::regT5, JSInterfaceJIT::callFrameRegister);
>+    jit.untagReturnAddress();
>+    jit.addPtr(JSInterfaceJIT::regT5, JSInterfaceJIT::stackPointerRegister);
>+    jit.tagReturnAddress();
>+
>     // Move current frame down argumentGPR0 number of slots
>     JSInterfaceJIT::Label copyLoop(jit.label());
>     jit.load32(MacroAssembler::Address(JSInterfaceJIT::regT3, PayloadOffset), JSInterfaceJIT::regT5);
>@@ -584,12 +595,6 @@ MacroAssemblerCodeRef<JITThunkPtrTag> arityFixupGenerator(VM* vm)
>     jit.addPtr(JSInterfaceJIT::TrustedImm32(8), JSInterfaceJIT::regT3);
>     jit.branchAdd32(MacroAssembler::NonZero, JSInterfaceJIT::TrustedImm32(1), JSInterfaceJIT::argumentGPR2).linkTo(fillUndefinedLoop, &jit);
> 
>-    // Adjust call frame register and stack pointer to account for missing args
>-    jit.move(JSInterfaceJIT::argumentGPR0, JSInterfaceJIT::regT5);
>-    jit.lshift32(JSInterfaceJIT::TrustedImm32(3), JSInterfaceJIT::regT5);
>-    jit.addPtr(JSInterfaceJIT::regT5, JSInterfaceJIT::callFrameRegister);
>-    jit.addPtr(JSInterfaceJIT::regT5, JSInterfaceJIT::stackPointerRegister);
>-
>     done.link(&jit);
> 
> #  if CPU(X86)

Actions: View | Formatted Diff | Diff

Attachments on bug 186351: 342052