Bug 259778 - REGRESSION(255736@main): [JSC] Fix FP register offsets in ScratchRegisterAllocator
Status: RESOLVED FIXED
Alias: None
Product: WebKit
Classification: Unclassified
Component: JavaScriptCore
Version: WebKit Local Build
Hardware: Other Unspecified
: P2 Normal
Assignee: Nobody
URL:
Keywords: InRadar
Depends on:
Blocks:
 
Reported: 2023-08-03 04:40 PDT by Loïc Yhuel
Modified: 2023-08-24 08:32 PDT

See Also:


Description Loïc Yhuel 2023-08-03 04:40:37 PDT
I see incorrect stack offsets when saving both integer and float registers on 32-bit ARM, sometimes leading to crashes.

Generated JIT code for Access stub for o#CReEl3:[0x8174e690->0x8174e270->0x8339db70, DFGFunctionCall, 782 (DidTryToEnterInLoop) (StrictMode)] bc#187 with return point CodePtr(executable = 0xada7b81b, dataLocation = 0xada7b81a): 
CustomAccessorGetter: {Generated, ident = 'uid:(bottom),cell:(String (atomic),8Bit:(1),length:(6): bottom)'
  structure = 0x81730540:[0x81730540/2171798848, DOMRect, (0/0, 0/0){}, NonArray, Proto:0x86abc5b0, Leaf]
  conditions = [<Object: 0x86abc5b0 with butterfly 0x817507c8(base=0x81750780) (Structure 0x817304f0:[0x817304f0/2171798768, DOMRect, (0/0, 6/8){constructor:64, x:65, y:66, width:67, height:68, Symbol.toStringTag:69}, NonArray, Proto:0x86abc5a0, Has been dictionary, Leaf (Watched)]): Absence of bottom with prototype Object: 0x86abc5a0 with butterfly 0x8327efa8(base=0x8327ef20) (Structure 0x81730400:[0x81730400/2171798528, DOMRectReadOnly, (0/0, 11/16){constructor:64, x:65, y:66, width:67, height:68, top:69, right:70, bottom:71, left:72, toJSON:73, Symbol.toStringTag:74}, NonArray, Proto:0xafa6f498, Has been dictionary, Leaf (Watched)])>, <Object: 0x86abc5a0 with butterfly 0x8327efa8(base=0x8327ef20) (Structure 0x81730400:[0x81730400/2171798528, DOMRectReadOnly, (0/0, 11/16){constructor:64, x:65, y:66, width:67, height:68, top:69, right:70, bottom:71, left:72, toJSON:73, Symbol.toStringTag:74}, NonArray, Proto:0xafa6f498, Has been dictionary, Leaf (Watched)]): Equivalence of bottom with Cell: 0x8322b780 (0x86afc310:[0x86afc310/2259665680, DOMAttributeGetterSetter, (0/0, 0/0){}, NonArray, Leaf])>], viaProxy = false, additionalSet = (nil), customSlotBase = 0x86abc5a0, customAccessor = 0xb510a439}:
    Code at [0xada7c9e1, 0xada7cb01):
...
...
          0xada7ca32: sub sp, #0x30; Preserve registers to stack for call: [%r0, %r1, %r2, %r3, %r4, %r5, %d0?, %d1?]; Extra bytes at top of stack: 0
          0xada7ca34: strd r0, r1, [sp]; Execute Spooler: %r0 at 0?; Execute Spooler: %r1 at 4
          0xada7ca38: strd r2, r3, [sp, #8]; Execute Spooler: %r2 at 8?; Execute Spooler: %r3 at 12
          0xada7ca3c: strd r4, r5, [sp, #0x10]; Execute Spooler: %r4 at 16?; Execute Spooler: %r5 at 20
          0xada7ca40: vstr d0, [sp, #0x30]; Execute Spooler: %d0 at 48?; Execute Spooler: %d1 at 56
          0xada7ca44: vstr d1, [sp, #0x38]

We can see here that d0 and d1 are written at offsets 0x30/0x38 (so overwriting the stack above), instead of 0x18/0x20.
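As an added example (not WebKit's code and not the reporter's), a small C model of the spill area the dump above describes: six 4-byte GPR slots followed by two 8-byte FPR slots inside a 16-byte-aligned frame, plus the check a reviewer would want, that every slot ends inside the frame reserved by "sub sp, #N". The assumed cause modelled here, an 8-byte GPR slot used when the FPR base is computed, reproduces the 0x30/0x38 offsets seen in the dump but is an assumption, not something the report states.

```c
#include <stdio.h>

/* Hypothetical model of a "preserve registers to stack for call" area laid
 * out as GPR slots first, then FPR slots. Not WebKit's ScratchRegisterAllocator;
 * the sizes are the 32-bit ARM values implied by the dump above. */
enum { GPR_SIZE = 4, FPR_SIZE = 8, STACK_ALIGN = 16 };

static unsigned round_up(unsigned v, unsigned a) { return (v + a - 1) / a * a; }

/* Bytes reserved by "sub sp, #N" for the given register counts. */
unsigned frame_size(unsigned gprs, unsigned fprs) {
    return round_up(gprs * GPR_SIZE + fprs * FPR_SIZE, STACK_ALIGN);
}

unsigned gpr_offset(unsigned i) { return i * GPR_SIZE; }

/* Offset of FPR i. gpr_slot is the slot size assumed for the GPRs that precede
 * it: GPR_SIZE is correct; 8 reproduces the 0x30/0x38 of the dump (an assumed
 * cause, consistent with the numbers but not stated in the report). */
unsigned fpr_offset(unsigned gprs, unsigned gpr_slot, unsigned i) {
    return gprs * gpr_slot + i * FPR_SIZE;
}

/* 1 if every slot ends inside the reserved frame, else 0. A slot past the frame
 * is a store over the caller's stack, the corruption this report describes. */
int layout_fits(unsigned gprs, unsigned fprs, unsigned gpr_slot) {
    unsigned frame = frame_size(gprs, fprs);
    for (unsigned i = 0; i < gprs; i++)
        if (gpr_offset(i) + GPR_SIZE > frame) return 0;
    for (unsigned i = 0; i < fprs; i++)
        if (fpr_offset(gprs, gpr_slot, i) + FPR_SIZE > frame) return 0;
    return 1;
}

int main(void) {
    /* r0-r5 and d0-d1, as in the dump: the frame is 0x30 bytes. */
    unsigned slots[] = { GPR_SIZE, 8 };
    for (int k = 0; k < 2; k++) {
        printf("gpr slot %u: d0 at 0x%x, d1 at 0x%x, fits=%d\n", slots[k],
               fpr_offset(6, slots[k], 0), fpr_offset(6, slots[k], 1),
               layout_fits(6, 2, slots[k]));
    }
    return 0;
}
```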
Comment 1 Loïc Yhuel 2023-08-03 04:44:49 PDT
Pull request: https://github.com/WebKit/WebKit/pull/16344
Comment 2 Radar WebKit Bug Importer 2023-08-10 04:41:13 PDT
<rdar://problem/113682305>
Comment 3 EWS 2023-08-24 08:32:48 PDT
Committed 267228@main (cb49ec55ee3b): <https://commits.webkit.org/267228@main>

Reviewed commits have been landed. Closing PR #16344 and removing active labels.