125181 2013-12-03 14:06:14 -0800 ARM64: Crash in JIT code due to improper reuse of cached memory temp register 2013-12-03 15:54:10 -0800 1 1 1 Unclassified WebKit JavaScriptCore 528+ (Nightly build) All All RESOLVED FIXED P2 Normal --- 1 msaboff msaboff oldest_to_newest 956084 0 msaboff 2013-12-03 14:06:14 -0800 Several of the branchXX() macro assembler functions in MacroAssemblerARM64.h that take an absolute address materialize the address into the memory temp register and then load the result into the same memory temp register without invalidating the corresponding temp register cache. For example consider the code snippet below: [ 167] put_to_scope loc1, maxDepth(@id6), loc2, 65537 0x15b0d1494: ldur x0, [x29, #-24] 0x15b0d1498: movz x17, #24056 0x15b0d149c: movk x17, #11360, lsl #16 0x15b0d14a0: movk x17, #1, lsl #32 0x15b0d14a4: ldrb w1, [x17, xzr] 0x15b0d14a8: cmp w1, #2 0x15b0d14ac: b.eq 0x15b0d14fc 0x15b0d14b0: movz x17, #24064 <= Full address for x17 materialized here and next two instructions 0x15b0d14b4: movk x17, #11360, lsl #16 0x15b0d14b8: movk x17, #1, lsl #32 0x15b0d14bc: ldr x17, [x17, xzr] <= Load into x17, the temp register cache entry for x17 should be invalidated 0x15b0d14c0: cmp x17, x0 0x15b0d14c4: b.eq 0x15b0d14fc 0x15b0d14c8: movk x17, #24057 <= This move changes only the lower 16 bits of x17 assuming the prior materialized contents are valid. 0x15b0d14cc: ldrb w16, [x17, xzr] 0x15b0d14d0: cbnz w16, 0x15b0d2ba8 0x15b0d14d4: mov w16, #0x2 0x15b0d14d8: movz x17, #24056 0x15b0d14dc: movk x17, #11360, lsl #16 0x15b0d14e0: movk x17, #1, lsl #32 0x15b0d14e4: strb w16, [x17] 0x15b0d14e8: movz x1, #0 0x15b0d14ec: movz x17, #24064 0x15b0d14f0: movk x17, #11360, lsl #16 0x15b0d14f4: movk x17, #1, lsl #32 0x15b0d14f8: str x1, [x17, xzr] 0x15b0d14fc: movz x17, #24720 0x15b0d1500: movk x17, #11345, lsl #16 0x15b0d1504: movk x17, #1, lsl #32 0x15b0d1508: str x0, [x17, xzr] One fix is to invalidate the cache when the destination of an absolute load is memory temp register 956133 1 218344 msaboff 2013-12-03 14:44:43 -0800 Created attachment 218344 Patch for landing 956184 2 218344 ggaren 2013-12-03 15:44:07 -0800 Comment on attachment 218344 Patch for landing r=me 956195 3 msaboff 2013-12-03 15:54:10 -0800 Committed r160056: <http://trac.webkit.org/changeset/160056> 218344 2013-12-03 14:44:43 -0800 2013-12-03 15:44:07 -0800 Patch for landing 125181.patch text/plain 4437 msaboff SW5kZXg6IFNvdXJjZS9KYXZhU2NyaXB0Q29yZS9DaGFuZ2VMb2cKPT09PT09PT09PT09PT09PT09 PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PQotLS0gU291 cmNlL0phdmFTY3JpcHRDb3JlL0NoYW5nZUxvZwkocmV2aXNpb24gMTYwMDQzKQorKysgU291cmNl L0phdmFTY3JpcHRDb3JlL0NoYW5nZUxvZwkod29ya2luZyBjb3B5KQpAQCAtMSwzICsxLDI1IEBA CisyMDEzLTEyLTAzICBNaWNoYWVsIFNhYm9mZiAgPG1zYWJvZmZAYXBwbGUuY29tPgorCisgICAg ICAgIEFSTTY0OiBDcmFzaCBpbiBKSVQgY29kZSBkdWUgdG8gaW1wcm9wZXIgcmV1c2Ugb2YgY2Fj aGVkIG1lbW9yeSB0ZW1wIHJlZ2lzdGVyCisgICAgICAgIGh0dHBzOi8vYnVncy53ZWJraXQub3Jn L3Nob3dfYnVnLmNnaT9pZD0xMjUxODEKKworICAgICAgICBSZXZpZXdlZCBieSBOT0JPRFkgKE9P UFMhKS4KKworICAgICAgICBDaGFuZ2VkIGxvYWQ4KCkgYW5kIGxvYWQoKSB0byBpbnZhbGlkYXRl IHRoZSBtZW1vcnkgdGVtcCBDYWNoZWRUZW1wUmVnaXN0ZXIgd2hlbiB0aGUKKyAgICAgICAgZGVz dGluYXRpb24gb2YgYW4gYWJzb2x1dGUgbG9hZCBpcyB0aGUgbWVtb3J5IHRlbXAgcmVnaXN0ZXIg c2luY2UgdGhlIHNvdXJjZSBhZGRyZXNzCisgICAgICAgIGlzIGFsc28gdGhlIG1lbW9yeSB0ZW1w IHJlZ2lzdGVyLiAgQ2hhbmdlIGJyYW5jaHs4LDMyLDY0fSBvZiBhbiBBYnNvbHV0ZUFkZHJlc3Mg d2l0aAorICAgICAgICBhIHJlZ2lzdGVyIHRvIHVzZSB0aGUgZGF0YVRlbXBSZWdpc3RlciBhcyB0 aGUgZGVzdGluYXRlIG9mIHRoZSBhYnNvbHV0ZSBsb2FkIHRvCisgICAgICAgIHJlZHVjZSB0aGUg Y2hhbmNlIHRoYXQgd2UgbmVlZCB0byBpbnZhbGlkYXRlIHRoZSBtZW1vcnkgdGVtcCByZWdpc3Rl ciBjYWNoZS4KKyAgICAgICAgSW4gdGhlIHByb2Nlc3MsIGZvdW5kIGFuZCBmaXhlZCBhbiBvdXRy aWdodCBidWcgaW4gYnJhbmNoOCgpIHdoZXJlIHdlJ2QgbG9hZCBpbnRvCisgICAgICAgIHRoZSBk YXRhIHRlbXAgcmVnaXN0ZXIgYW5kIHRoZW4gY29tcGFyZSBhbmQgYnJhbmNoIG9uIHRoZSBtZW1v cnkgdGVtcCByZWdpc3Rlci4KKworICAgICAgICAqIGFzc2VtYmxlci9NYWNyb0Fzc2VtYmxlckFS TTY0Lmg6CisgICAgICAgIChKU0M6Ok1hY3JvQXNzZW1ibGVyQVJNNjQ6OmxvYWQ4KToKKyAgICAg ICAgKEpTQzo6TWFjcm9Bc3NlbWJsZXJBUk02NDo6YnJhbmNoMzIpOgorICAgICAgICAoSlNDOjpN YWNyb0Fzc2VtYmxlckFSTTY0OjpicmFuY2g2NCk6CisgICAgICAgIChKU0M6Ok1hY3JvQXNzZW1i bGVyQVJNNjQ6OmJyYW5jaDgpOgorICAgICAgICAoSlNDOjpNYWNyb0Fzc2VtYmxlckFSTTY0Ojps b2FkKToKKwogMjAxMy0xMi0wMyAgTWljaGFlbCBTYWJvZmYgIDxtc2Fib2ZmQGFwcGxlLmNvbT4K IAogICAgICAgICBqaXQvSklUQXJpdGhtZXRpYy5jcHAgZG9lc24ndCBidWlsZCBmb3Igbm9uLVg4 NiBwb3J0cwpJbmRleDogU291cmNlL0phdmFTY3JpcHRDb3JlL2Fzc2VtYmxlci9NYWNyb0Fzc2Vt YmxlckFSTTY0LmgKPT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09 PT09PT09PT09PT09PT09PT09PT09PQotLS0gU291cmNlL0phdmFTY3JpcHRDb3JlL2Fzc2VtYmxl ci9NYWNyb0Fzc2VtYmxlckFSTTY0LmgJKHJldmlzaW9uIDE2MDA0MSkKKysrIFNvdXJjZS9KYXZh U2NyaXB0Q29yZS9hc3NlbWJsZXIvTWFjcm9Bc3NlbWJsZXJBUk02NC5oCSh3b3JraW5nIGNvcHkp CkBAIC04OTgsNiArODk4LDggQEAgcHVibGljOgogICAgIHsKICAgICAgICAgbW92ZVRvQ2FjaGVk UmVnKFRydXN0ZWRJbW1QdHIoYWRkcmVzcyksIG1fY2FjaGVkTWVtb3J5VGVtcFJlZ2lzdGVyKTsK ICAgICAgICAgbV9hc3NlbWJsZXIubGRyYihkZXN0LCBtZW1vcnlUZW1wUmVnaXN0ZXIsIEFSTTY0 UmVnaXN0ZXJzOjp6cik7CisgICAgICAgIGlmIChkZXN0ID09IG1lbW9yeVRlbXBSZWdpc3RlcikK KyAgICAgICAgICAgIG1fY2FjaGVkTWVtb3J5VGVtcFJlZ2lzdGVyLmludmFsaWRhdGUoKTsKICAg ICB9CiAKICAgICB2b2lkIGxvYWQ4U2lnbmVkKEJhc2VJbmRleCBhZGRyZXNzLCBSZWdpc3RlcklE IGRlc3QpCkBAIC0xNTcwLDggKzE1NzIsOCBAQCBwdWJsaWM6CiAKICAgICBKdW1wIGJyYW5jaDMy KFJlbGF0aW9uYWxDb25kaXRpb24gY29uZCwgQWJzb2x1dGVBZGRyZXNzIGxlZnQsIFJlZ2lzdGVy SUQgcmlnaHQpCiAgICAgewotICAgICAgICBsb2FkMzIobGVmdC5tX3B0ciwgZ2V0Q2FjaGVkTWVt b3J5VGVtcFJlZ2lzdGVySURBbmRJbnZhbGlkYXRlKCkpOwotICAgICAgICByZXR1cm4gYnJhbmNo MzIoY29uZCwgbWVtb3J5VGVtcFJlZ2lzdGVyLCByaWdodCk7CisgICAgICAgIGxvYWQzMihsZWZ0 Lm1fcHRyLCBnZXRDYWNoZWREYXRhVGVtcFJlZ2lzdGVySURBbmRJbnZhbGlkYXRlKCkpOworICAg ICAgICByZXR1cm4gYnJhbmNoMzIoY29uZCwgZGF0YVRlbXBSZWdpc3RlciwgcmlnaHQpOwogICAg IH0KIAogICAgIEp1bXAgYnJhbmNoMzIoUmVsYXRpb25hbENvbmRpdGlvbiBjb25kLCBBYnNvbHV0 ZUFkZHJlc3MgbGVmdCwgVHJ1c3RlZEltbTMyIHJpZ2h0KQpAQCAtMTYwOCw4ICsxNjEwLDggQEAg cHVibGljOgogCiAgICAgSnVtcCBicmFuY2g2NChSZWxhdGlvbmFsQ29uZGl0aW9uIGNvbmQsIEFi c29sdXRlQWRkcmVzcyBsZWZ0LCBSZWdpc3RlcklEIHJpZ2h0KQogICAgIHsKLSAgICAgICAgbG9h ZDY0KGxlZnQubV9wdHIsIGdldENhY2hlZE1lbW9yeVRlbXBSZWdpc3RlcklEQW5kSW52YWxpZGF0 ZSgpKTsKLSAgICAgICAgcmV0dXJuIGJyYW5jaDY0KGNvbmQsIG1lbW9yeVRlbXBSZWdpc3Rlciwg cmlnaHQpOworICAgICAgICBsb2FkNjQobGVmdC5tX3B0ciwgZ2V0Q2FjaGVkRGF0YVRlbXBSZWdp c3RlcklEQW5kSW52YWxpZGF0ZSgpKTsKKyAgICAgICAgcmV0dXJuIGJyYW5jaDY0KGNvbmQsIGRh dGFUZW1wUmVnaXN0ZXIsIHJpZ2h0KTsKICAgICB9CiAKICAgICBKdW1wIGJyYW5jaDY0KFJlbGF0 aW9uYWxDb25kaXRpb24gY29uZCwgQWRkcmVzcyBsZWZ0LCBSZWdpc3RlcklEIHJpZ2h0KQpAQCAt MTY0MSw3ICsxNjQzLDcgQEAgcHVibGljOgogICAgIEp1bXAgYnJhbmNoOChSZWxhdGlvbmFsQ29u ZGl0aW9uIGNvbmQsIEFic29sdXRlQWRkcmVzcyBsZWZ0LCBUcnVzdGVkSW1tMzIgcmlnaHQpCiAg ICAgewogICAgICAgICBBU1NFUlQoISgweGZmZmZmZjAwICYgcmlnaHQubV92YWx1ZSkpOwotICAg ICAgICBsb2FkOChsZWZ0Lm1fcHRyLCBnZXRDYWNoZWREYXRhVGVtcFJlZ2lzdGVySURBbmRJbnZh bGlkYXRlKCkpOworICAgICAgICBsb2FkOChsZWZ0Lm1fcHRyLCBnZXRDYWNoZWRNZW1vcnlUZW1w UmVnaXN0ZXJJREFuZEludmFsaWRhdGUoKSk7CiAgICAgICAgIHJldHVybiBicmFuY2gzMihjb25k LCBtZW1vcnlUZW1wUmVnaXN0ZXIsIHJpZ2h0KTsKICAgICB9CiAgICAgCkBAIC0yNDkzLDYgKzI0 OTUsOSBAQCBwcml2YXRlOgogICAgICAgICAgICAgaW50cHRyX3QgYWRkcmVzc0FzSW50ID0gcmVp bnRlcnByZXRfY2FzdDxpbnRwdHJfdD4oYWRkcmVzcyk7CiAgICAgICAgICAgICBpbnRwdHJfdCBh ZGRyZXNzRGVsdGEgPSBhZGRyZXNzQXNJbnQgLSBjdXJyZW50UmVnaXN0ZXJDb250ZW50czsKIAor ICAgICAgICAgICAgaWYgKGRlc3QgPT0gbWVtb3J5VGVtcFJlZ2lzdGVyKQorICAgICAgICAgICAg ICAgIG1fY2FjaGVkTWVtb3J5VGVtcFJlZ2lzdGVyLmludmFsaWRhdGUoKTsKKwogICAgICAgICAg ICAgaWYgKGlzSW5JbnRSYW5nZShhZGRyZXNzRGVsdGEpKSB7CiAgICAgICAgICAgICAgICAgaWYg KEFSTTY0QXNzZW1ibGVyOjpjYW5FbmNvZGVTSW1tT2Zmc2V0KGFkZHJlc3NEZWx0YSkpIHsKICAg ICAgICAgICAgICAgICAgICAgbV9hc3NlbWJsZXIubGR1cjxkYXRhc2l6ZT4oZGVzdCwgIG1lbW9y eVRlbXBSZWdpc3RlciwgYWRkcmVzc0RlbHRhKTsKQEAgLTI1MTQsNyArMjUxOSwxMCBAQCBwcml2 YXRlOgogICAgICAgICB9CiAKICAgICAgICAgbW92ZShUcnVzdGVkSW1tUHRyKGFkZHJlc3MpLCBt ZW1vcnlUZW1wUmVnaXN0ZXIpOwotICAgICAgICBtX2NhY2hlZE1lbW9yeVRlbXBSZWdpc3Rlci5z ZXRWYWx1ZShyZWludGVycHJldF9jYXN0PGludHB0cl90PihhZGRyZXNzKSk7CisgICAgICAgIGlm IChkZXN0ID09IG1lbW9yeVRlbXBSZWdpc3RlcikKKyAgICAgICAgICAgIG1fY2FjaGVkTWVtb3J5 VGVtcFJlZ2lzdGVyLmludmFsaWRhdGUoKTsKKyAgICAgICAgZWxzZQorICAgICAgICAgICAgbV9j YWNoZWRNZW1vcnlUZW1wUmVnaXN0ZXIuc2V0VmFsdWUocmVpbnRlcnByZXRfY2FzdDxpbnRwdHJf dD4oYWRkcmVzcykpOwogICAgICAgICBtX2Fzc2VtYmxlci5sZHI8ZGF0YXNpemU+KGRlc3QsIG1l bW9yeVRlbXBSZWdpc3RlciwgQVJNNjRSZWdpc3RlcnM6OnpyKTsKICAgICB9CiAK