259778 – REGRESSION(255736@main): [JSC] Fix FP register offsets in ScratchRegisterAllocator

RESOLVED FIXED 259778

REGRESSION(255736@main): [JSC] Fix FP register offsets in ScratchRegisterAllocator

https://bugs.webkit.org/show_bug.cgi?id=259778

Summary REGRESSION(255736@main): [JSC] Fix FP register offsets in ScratchRegisterAllo...

Loïc Yhuel

Reported 2023-08-03 04:40:37 PDT

I see incorrect stack offsets when saving both integer and float registers on 32-bit ARM, sometimes leading to crashes. Generated JIT code for Access stub for o#CReEl3:[0x8174e690->0x8174e270->0x8339db70, DFGFunctionCall, 782 (DidTryToEnterInLoop) (StrictMode)] bc#187 with return point CodePtr(executable = 0xada7b81b, dataLocation = 0xada7b81a): CustomAccessorGetter: {Generated, ident = 'uid:(bottom),cell:(String (atomic),8Bit:(1),length:(6): bottom)' structure = 0x81730540:[0x81730540/2171798848, DOMRect, (0/0, 0/0){}, NonArray, Proto:0x86abc5b0, Leaf] conditions = [<Object: 0x86abc5b0 with butterfly 0x817507c8(base=0x81750780) (Structure 0x817304f0:[0x817304f0/2171798768, DOMRect, (0/0, 6/8){constructor:64, x:65, y:66, width:67, height:68, Symbol.toStringTag:69}, NonArray, Proto:0x86abc5a0, Has been dictionary, Leaf (Watched)]): Absence of bottom with prototype Object: 0x86abc5a0 with butterfly 0x8327efa8(base=0x8327ef20) (Structure 0x81730400:[0x81730400/2171798528, DOMRectReadOnly, (0/0, 11/16){constructor:64, x:65, y:66, width:67, height:68, top:69, right:70, bottom:71, left:72, toJSON:73, Symbol.toStringTag:74}, NonArray, Proto:0xafa6f498, Has been dictionary, Leaf (Watched)])>, <Object: 0x86abc5a0 with butterfly 0x8327efa8(base=0x8327ef20) (Structure 0x81730400:[0x81730400/2171798528, DOMRectReadOnly, (0/0, 11/16){constructor:64, x:65, y:66, width:67, height:68, top:69, right:70, bottom:71, left:72, toJSON:73, Symbol.toStringTag:74}, NonArray, Proto:0xafa6f498, Has been dictionary, Leaf (Watched)]): Equivalence of bottom with Cell: 0x8322b780 (0x86afc310:[0x86afc310/2259665680, DOMAttributeGetterSetter, (0/0, 0/0){}, NonArray, Leaf])>], viaProxy = false, additionalSet = (nil), customSlotBase = 0x86abc5a0, customAccessor = 0xb510a439}: Code at [0xada7c9e1, 0xada7cb01): ... ... 0xada7ca32: sub sp, #0x30; Preserve registers to stack for call: [%r0, %r1, %r2, %r3, %r4, %r5, %d0?, %d1?]; Extra bytes at top of stack: 0 0xada7ca34: strd r0, r1, [sp]; Execute Spooler: %r0 at 0?; Execute Spooler: %r1 at 4 0xada7ca38: strd r2, r3, [sp, #8]; Execute Spooler: %r2 at 8?; Execute Spooler: %r3 at 12 0xada7ca3c: strd r4, r5, [sp, #0x10]; Execute Spooler: %r4 at 16?; Execute Spooler: %r5 at 20 0xada7ca40: vstr d0, [sp, #0x30]; Execute Spooler: %d0 at 48?; Execute Spooler: %d1 at 56 0xada7ca44: vstr d1, [sp, #0x38] We can see here that d0 and d1 are written at offsets 0x30/0x38 (so overwriting the stack above), instead of 0x18/0x20.

Attachments
Add attachment proposed patch, testcase, etc.

Loïc Yhuel

Comment 1 2023-08-03 04:44:49 PDT

Pull request: https://github.com/WebKit/WebKit/pull/16344

Radar WebKit Bug Importer

Comment 2 2023-08-10 04:41:13 PDT

<rdar://problem/113682305>

EWS

Comment 3 2023-08-24 08:32:48 PDT

Committed 267228@main (cb49ec55ee3b): <https://commits.webkit.org/267228@main> Reviewed commits have been landed. Closing PR #16344 and removing active labels.

Note You need to log in before you can comment on or make changes to this bug.

Status RESOLVED

Resolution FIXED

Priority P2

Severity Normal

Classification Unclassified

Version WebKit Local Build

Hardware Other

OS Unspecified

Product WebKit

Component JavaScriptCore

Assignee

Nobody

Reported

2023-08-03 04:40 PDT

Modified

2023-08-24 08:32 PDT History

CC List

6 users Show

URL

Keywords InRadar

Depends on

Blocks