171278 2017-04-25 09:49:08 -0700 lowerStackArgs: check Arg::addr.isValidForm when falling back to SP offsets 2017-04-25 10:36:06 -0700 1 1 1 Unclassified WebKit JavaScriptCore WebKit Nightly Build Unspecified Unspecified RESOLVED FIXED P2 Normal --- 170215 1 jfbastien jfbastien commit-queue fpizlo jfbastien keith_miller mark.lam msaboff saam oldest_to_newest 1301074 0 jfbastien 2017-04-25 09:49:08 -0700 lowerStackArgs checks that the FP offsets it tries to generate are valid form, but doesn't check that the fallback is valid form. This leads to stackAddr's assertion being dead, and the MaroAssembler asserting way later on move / add when handed a huge immediate. 1301075 1 308108 jfbastien 2017-04-25 09:51:44 -0700 Created attachment 308108 patch 1301101 2 308108 commit-queue 2017-04-25 10:36:05 -0700 Comment on attachment 308108 patch Clearing flags on attachment: 308108 Committed r215743: <http://trac.webkit.org/changeset/215743> 1301102 3 commit-queue 2017-04-25 10:36:06 -0700 All reviewed patches have been landed. Closing bug. 308108 2017-04-25 09:51:44 -0700 2017-04-25 10:36:05 -0700 patch 0001-lowerStackArgs-check-Arg-addr.isValidForm-when-falli.patch text/plain 1927 jfbastien RnJvbSA4YTUyZGI5NDY5ZGE2ZmVlNzU2MGQwNzFiZjcxNGYwNTRiY2NmOTJiIE1vbiBTZXAgMTcg MDA6MDA6MDAgMjAwMQpGcm9tOiBKRiBCYXN0aWVuIDxqZmJhc3RpZW5AYXBwbGUuY29tPgpEYXRl OiBUdWUsIDI1IEFwciAyMDE3IDA5OjUxOjIwIC0wNzAwClN1YmplY3Q6IFtQQVRDSF0gbG93ZXJT dGFja0FyZ3M6IGNoZWNrIEFyZzo6YWRkci5pc1ZhbGlkRm9ybSB3aGVuIGZhbGxpbmcgYmFjawog dG8gU1Agb2Zmc2V0cwoKLS0tCiBTb3VyY2UvSmF2YVNjcmlwdENvcmUvQ2hhbmdlTG9nICAgICAg ICAgfCAxNiArKysrKysrKysrKysrKysrCiBTb3VyY2UvSmF2YVNjcmlwdENvcmUvYjMvYWlyL0Fp ckFyZy5jcHAgfCAgMiArKwogMiBmaWxlcyBjaGFuZ2VkLCAxOCBpbnNlcnRpb25zKCspCgpkaWZm IC0tZ2l0IGEvU291cmNlL0phdmFTY3JpcHRDb3JlL0NoYW5nZUxvZyBiL1NvdXJjZS9KYXZhU2Ny aXB0Q29yZS9DaGFuZ2VMb2cKaW5kZXggNDIzNzk4Yi4uMGNmMzIwZSAxMDA2NDQKLS0tIGEvU291 cmNlL0phdmFTY3JpcHRDb3JlL0NoYW5nZUxvZworKysgYi9Tb3VyY2UvSmF2YVNjcmlwdENvcmUv Q2hhbmdlTG9nCkBAIC0xLDMgKzEsMTkgQEAKKzIwMTctMDQtMjUgIEpGIEJhc3RpZW4gIDxqZmJh c3RpZW5AYXBwbGUuY29tPgorCisgICAgICAgIGxvd2VyU3RhY2tBcmdzOiBjaGVjayBBcmc6OmFk ZHIuaXNWYWxpZEZvcm0gd2hlbiBmYWxsaW5nIGJhY2sgdG8gU1Agb2Zmc2V0cworICAgICAgICBo dHRwczovL2J1Z3Mud2Via2l0Lm9yZy9zaG93X2J1Zy5jZ2k/aWQ9MTcxMjc4CisKKyAgICAgICAg UmV2aWV3ZWQgYnkgTk9CT0RZIChPT1BTISkuCisKKyAgICAgICAgbG93ZXJTdGFja0FyZ3MgY2hl Y2tlZCB0aGF0IHRoZSBGUCBvZmZzZXRzIGl0IHRyaWVzIHRvIGdlbmVyYXRlCisgICAgICAgIGFy ZSB2YWxpZCBmb3JtLCBidXQgZGlkbid0IGNoZWNrIHRoYXQgdGhlIGZhbGxiYWNrIHdhcyB2YWxp ZAorICAgICAgICBmb3JtLiBUaGlzIGxlYWQgdG8gc3RhY2tBZGRyJ3MgYXNzZXJ0aW9uIGJlaW5n IGRlYWQsIGFuZCB0aGUKKyAgICAgICAgTWFyb0Fzc2VtYmxlciBhc3NlcnRpbmcgd2F5IGxhdGVy IG9uIG1vdmUgLyBhZGQgd2hlbiBoYW5kZWQgYSBodWdlCisgICAgICAgIGltbWVkaWF0ZS4KKwor ICAgICAgICAqIGIzL2Fpci9BaXJBcmcuY3BwOgorICAgICAgICAoSlNDOjpCMzo6QWlyOjpBcmc6 OnN0YWNrQWRkckltcGwpOgorCiAyMDE3LTA0LTI1ICBaYW4gRG9iZXJzZWsgIDx6ZG9iZXJzZWtA aWdhbGlhLmNvbT4KIAogICAgICAgICBbYWFyY2g2NF0gbW92ZUNvbmRpdGlvbmFsbHkzMigpLCBt b3ZlQ29uZGl0aW9uYWxseVRlc3QzMigpIHNob3VsZCBtb3ZlIGZyb20vdG8gNjQtYml0IHJlZ2lz dGVycwpkaWZmIC0tZ2l0IGEvU291cmNlL0phdmFTY3JpcHRDb3JlL2IzL2Fpci9BaXJBcmcuY3Bw IGIvU291cmNlL0phdmFTY3JpcHRDb3JlL2IzL2Fpci9BaXJBcmcuY3BwCmluZGV4IGQwZTY5MTIu LjZlOGE1ZGMgMTAwNjQ0Ci0tLSBhL1NvdXJjZS9KYXZhU2NyaXB0Q29yZS9iMy9haXIvQWlyQXJn LmNwcAorKysgYi9Tb3VyY2UvSmF2YVNjcmlwdENvcmUvYjMvYWlyL0FpckFyZy5jcHAKQEAgLTQ4 LDYgKzQ4LDggQEAgQXJnIEFyZzo6c3RhY2tBZGRySW1wbChpbnQzMl90IG9mZnNldEZyb21GUCwg dW5zaWduZWQgZnJhbWVTaXplLCBXaWR0aCB3aWR0aCkKICAgICAgICAgcmVzdWx0ID0gQXJnOjph ZGRyKAogICAgICAgICAgICAgQWlyOjpUbXAoTWFjcm9Bc3NlbWJsZXI6OnN0YWNrUG9pbnRlclJl Z2lzdGVyKSwKICAgICAgICAgICAgIG9mZnNldEZyb21GUCArIGZyYW1lU2l6ZSk7CisgICAgICAg IGlmICghcmVzdWx0LmlzVmFsaWRGb3JtKHdpZHRoKSkKKyAgICAgICAgICAgIHJlc3VsdCA9IEFy ZygpOwogICAgIH0KICAgICByZXR1cm4gcmVzdWx0OwogfQotLSAKMi45LjMKCg==