I see incorrect stack offsets when saving both integer and float registers on 32-bit ARM, sometimes leading to crashes.

Generated JIT code for Access stub for o#CReEl3:[0x8174e690->0x8174e270->0x8339db70, DFGFunctionCall, 782 (DidTryToEnterInLoop) (StrictMode)] bc#187 with return point CodePtr(executable = 0xada7b81b, dataLocation = 0xada7b81a): CustomAccessorGetter: {Generated, ident = 'uid:(bottom),cell:(String (atomic),8Bit:(1),length:(6): bottom)' structure = 0x81730540:[0x81730540/2171798848, DOMRect, (0/0, 0/0){}, NonArray, Proto:0x86abc5b0, Leaf] conditions = [<Object: 0x86abc5b0 with butterfly 0x817507c8(base=0x81750780) (Structure 0x817304f0:[0x817304f0/2171798768, DOMRect, (0/0, 6/8){constructor:64, x:65, y:66, width:67, height:68, Symbol.toStringTag:69}, NonArray, Proto:0x86abc5a0, Has been dictionary, Leaf (Watched)]): Absence of bottom with prototype Object: 0x86abc5a0 with butterfly 0x8327efa8(base=0x8327ef20) (Structure 0x81730400:[0x81730400/2171798528, DOMRectReadOnly, (0/0, 11/16){constructor:64, x:65, y:66, width:67, height:68, top:69, right:70, bottom:71, left:72, toJSON:73, Symbol.toStringTag:74}, NonArray, Proto:0xafa6f498, Has been dictionary, Leaf (Watched)])>, <Object: 0x86abc5a0 with butterfly 0x8327efa8(base=0x8327ef20) (Structure 0x81730400:[0x81730400/2171798528, DOMRectReadOnly, (0/0, 11/16){constructor:64, x:65, y:66, width:67, height:68, top:69, right:70, bottom:71, left:72, toJSON:73, Symbol.toStringTag:74}, NonArray, Proto:0xafa6f498, Has been dictionary, Leaf (Watched)]): Equivalence of bottom with Cell: 0x8322b780 (0x86afc310:[0x86afc310/2259665680, DOMAttributeGetterSetter, (0/0, 0/0){}, NonArray, Leaf])>], viaProxy = false, additionalSet = (nil), customSlotBase = 0x86abc5a0, customAccessor = 0xb510a439}: Code at [0xada7c9e1, 0xada7cb01): ... ...
0xada7ca32: sub sp, #0x30; Preserve registers to stack for call: [%r0, %r1, %r2, %r3, %r4, %r5, %d0?, %d1?]; Extra bytes at top of stack: 0
0xada7ca34: strd r0, r1, [sp]; Execute Spooler: %r0 at 0?; Execute Spooler: %r1 at 4
0xada7ca38: strd r2, r3, [sp, #8]; Execute Spooler: %r2 at 8?; Execute Spooler: %r3 at 12
0xada7ca3c: strd r4, r5, [sp, #0x10]; Execute Spooler: %r4 at 16?; Execute Spooler: %r5 at 20
0xada7ca40: vstr d0, [sp, #0x30]; Execute Spooler: %d0 at 48?; Execute Spooler: %d1 at 56
0xada7ca44: vstr d1, [sp, #0x38]

We can see here that d0 and d1 are written at offsets 0x30/0x38 (so overwriting the stack above), instead of 0x18/0x20.
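To make the miscalculation concrete, here is an added C++ model of the call-preservation spill area; it is illustration written for this page, not WebKit's ScratchRegisterAllocator or any code from the pull request. It assumes the layout visible in the listing above: 4-byte slots for the integer registers first, 8-byte slots for the double registers after them, and the whole frame padded to 16 bytes. The `fprBaseFromFrameSize` switch is an assumed reconstruction of the reported symptom (FPR slots placed at the total frame size rather than right after the GPR area); `outOfFrameStores` is the bounds check that flags any store landing beyond the reserved frame, which is exactly what 0x30/0x38 instead of 0x18/0x20 means here.

```cpp
#include <climits>
#include <cstdio>
#include <string>
#include <vector>

// One spill slot in the "preserve registers to stack for call" area.
struct SpillSlot {
    std::string reg;
    unsigned offset; // byte offset from sp after "sub sp, #frameSize"
    unsigned size;   // 4 for a 32-bit integer register, 8 for a double register
};

struct CallPreserveLayout {
    unsigned frameSize = 0; // bytes subtracted from sp
    std::vector<SpillSlot> slots;
};

static unsigned roundUp(unsigned value, unsigned alignment)
{
    return (value + alignment - 1) / alignment * alignment;
}

// Constructed model of the layout (not WebKit's code): extra bytes first, then
// 4-byte GPR slots, then 8-byte FPR slots, frame padded to 16-byte alignment.
// With fprBaseFromFrameSize == true the FPR slots start at the total frame size
// instead of right after the GPR area; this is an assumed reconstruction of the
// symptom in the report, where d0/d1 landed at 0x30/0x38 instead of 0x18/0x20.
CallPreserveLayout computeLayout(const std::vector<std::string>& gprs,
                                 const std::vector<std::string>& fprs,
                                 unsigned extraBytesAtTop,
                                 bool fprBaseFromFrameSize)
{
    CallPreserveLayout layout;
    unsigned gprEnd = extraBytesAtTop + 4 * gprs.size();
    unsigned fprStart = roundUp(gprEnd, 8); // doubles are kept 8-byte aligned
    layout.frameSize = roundUp(fprStart + 8 * fprs.size(), 16);

    unsigned offset = extraBytesAtTop;
    for (const auto& reg : gprs) {
        layout.slots.push_back({reg, offset, 4});
        offset += 4;
    }
    unsigned fprOffset = fprBaseFromFrameSize ? layout.frameSize : fprStart;
    for (const auto& reg : fprs) {
        layout.slots.push_back({reg, fprOffset, 8});
        fprOffset += 8;
    }
    return layout;
}

// Every store must fall inside [0, frameSize). Anything beyond that overwrites
// whatever the caller keeps above sp, which is the crash the report describes.
std::vector<std::string> outOfFrameStores(const CallPreserveLayout& layout)
{
    std::vector<std::string> clobbering;
    for (const auto& slot : layout.slots) {
        if (slot.offset + slot.size > layout.frameSize)
            clobbering.push_back(slot.reg);
    }
    return clobbering;
}

unsigned offsetOf(const CallPreserveLayout& layout, const std::string& reg)
{
    for (const auto& slot : layout.slots) {
        if (slot.reg == reg)
            return slot.offset;
    }
    return UINT_MAX; // register is not preserved by this layout
}

// The register set from the report: r0-r5 and d0-d1, zero extra bytes at top.
CallPreserveLayout reportedCase(bool reproduceBug)
{
    return computeLayout({"r0", "r1", "r2", "r3", "r4", "r5"}, {"d0", "d1"}, 0, reproduceBug);
}

int main()
{
    for (bool buggy : {false, true}) {
        CallPreserveLayout layout = reportedCase(buggy);
        std::printf("%s layout: sub sp, #0x%x\n", buggy ? "buggy" : "fixed", layout.frameSize);
        for (const auto& slot : layout.slots)
            std::printf("  %s at [sp, #0x%x] (%u bytes)\n", slot.reg.c_str(), slot.offset, slot.size);
        for (const auto& reg : outOfFrameStores(layout))
            std::printf("  store of %s lands outside the reserved frame\n", reg.c_str());
    }
    return 0;
}
```

Running it prints both layouts for the reported register set: the fixed one places d0 and d1 at 0x18 and 0x20 inside the 0x30-byte frame, while the reconstructed buggy one places them at 0x30 and 0x38 and the bounds check reports both stores as landing outside the frame. The same check applied at JIT-emission time, asserting that every spill slot ends at or below the reserved size, is the kind of invariant that catches this class of offset error before it corrupts the caller's stack.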
Pull request: https://github.com/WebKit/WebKit/pull/16344
<rdar://problem/113682305>
Committed 267228@main (cb49ec55ee3b): <https://commits.webkit.org/267228@main> Reviewed commits have been landed. Closing PR #16344 and removing active labels.