[webkit-changes] [222417] trunk/Source/JavaScriptCore

[commit-queue]

Title: [222417] trunk/Source/_javascript_Core

Revision

222417

Author

commit-qu...@webkit.org

Date

2017-09-22 17:27:47 -0700 (Fri, 22 Sep 2017)

Log Message

[Win64] Crashes in Yarr JIT compiled code
https://bugs.webkit.org/show_bug.cgi?id=177293

Patch by Fujii Hironori <hironori.fu...@sony.com> on 2017-09-22
Reviewed by Yusuke Suzuki.

In x64 Windows, rcx register is used for the address of allocated
space for the return value. But, rcx is used for regT1 since
r221052. Save rcx in the stack.

* yarr/YarrJIT.cpp:
(JSC::Yarr::YarrGenerator::generateEnter): Push ecx.
(JSC::Yarr::YarrGenerator::generateReturn): Pop ecx.

Modified Paths

• trunk/Source/_javascript_Core/ChangeLog
• trunk/Source/_javascript_Core/yarr/YarrJIT.cpp

Diff

Modified: trunk/Source/_javascript_Core/ChangeLog (222416 => 222417)

--- trunk/Source/_javascript_Core/ChangeLog	2017-09-23 00:27:38 UTC (rev 222416)
+++ trunk/Source/_javascript_Core/ChangeLog	2017-09-23 00:27:47 UTC (rev 222417)
@@ -1,3 +1,18 @@
+2017-09-22  Fujii Hironori  <hironori.fu...@sony.com>
+
+        [Win64] Crashes in Yarr JIT compiled code
+        https://bugs.webkit.org/show_bug.cgi?id=177293
+
+        Reviewed by Yusuke Suzuki.
+
+        In x64 Windows, rcx register is used for the address of allocated
+        space for the return value. But, rcx is used for regT1 since
+        r221052. Save rcx in the stack.
+
+        * yarr/YarrJIT.cpp:
+        (JSC::Yarr::YarrGenerator::generateEnter): Push ecx.
+        (JSC::Yarr::YarrGenerator::generateReturn): Pop ecx.
+
 2017-09-22  Saam Barati  <sbar...@apple.com>
 
         Usage of ErrorInstance::m_stackTrace on the mutator is racy with the collector

Modified: trunk/Source/_javascript_Core/yarr/YarrJIT.cpp (222416 => 222417)

--- trunk/Source/_javascript_Core/yarr/YarrJIT.cpp	2017-09-23 00:27:38 UTC (rev 222416)
+++ trunk/Source/_javascript_Core/yarr/YarrJIT.cpp	2017-09-23 00:27:47 UTC (rev 222417)
@@ -2852,6 +2852,8 @@
 #if OS(WINDOWS)
         if (compileMode == IncludeSubpatterns)
             loadPtr(Address(X86Registers::ebp, 6 * sizeof(void*)), output);
+        // rcx is the pointer to the allocated space for result in x64 Windows.
+        push(X86Registers::ecx);
 #endif
 #elif CPU(X86)
         push(X86Registers::ebp);
@@ -2901,6 +2903,7 @@
 #if CPU(X86_64)
 #if OS(WINDOWS)
         // Store the return value in the allocated space pointed by rcx.
+        pop(X86Registers::ecx);
         store64(returnRegister, Address(X86Registers::ecx));
         store64(returnRegister2, Address(X86Registers::ecx, sizeof(void*)));
         move(X86Registers::ecx, returnRegister);

_______________________________________________
webkit-changes mailing list
webkit-changes@lists.webkit.org
https://lists.webkit.org/mailman/listinfo/webkit-changes