Title: [281638] trunk/Source/_javascript_Core
Revision
281638
Author
[email protected]
Date
2021-08-26 11:44:38 -0700 (Thu, 26 Aug 2021)

Log Message

[JSC] Segfault in stress/typedarray-every.js (32bit)
https://bugs.webkit.org/show_bug.cgi?id=229546

Reviewed by Saam Barati.

ARMv7 does not have enough registers. Adding workaround by using getEffectiveAddress.

* bytecode/AccessCase.cpp:
(JSC::AccessCase::generateWithGuard):

Modified Paths

Diff

Modified: trunk/Source/_javascript_Core/ChangeLog (281637 => 281638)


--- trunk/Source/_javascript_Core/ChangeLog	2021-08-26 18:40:02 UTC (rev 281637)
+++ trunk/Source/_javascript_Core/ChangeLog	2021-08-26 18:44:38 UTC (rev 281638)
@@ -1,5 +1,17 @@
 2021-08-26  Yusuke Suzuki  <[email protected]>
 
+        [JSC] Segfault in stress/typedarray-every.js (32bit)
+        https://bugs.webkit.org/show_bug.cgi?id=229546
+
+        Reviewed by Saam Barati.
+
+        ARMv7 does not have enough registers. Adding workaround by using getEffectiveAddress.
+
+        * bytecode/AccessCase.cpp:
+        (JSC::AccessCase::generateWithGuard):
+
+2021-08-26  Yusuke Suzuki  <[email protected]>
+
         [JSC] DataIC should not embed StructureStubInfo pointer
         https://bugs.webkit.org/show_bug.cgi?id=229541
 
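Review bot: The entry's one-line rationale, "ARMv7 does not have enough registers", would be easier to trace from the log alone if it said what the workaround changes: the clamped store path no longer allocates a third scratch register and instead folds the base-plus-index computation into scratch2GPR with getEffectiveAddress so that scratchGPR can be reused for the clamped value. A short sentence such as "drops scratch3GPR; the clamped path now reuses scratchGPR after computing the element address" makes the reduction in register pressure explicit for anyone reading the ChangeLog without the diff.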

Modified: trunk/Source/_javascript_Core/bytecode/AccessCase.cpp (281637 => 281638)


--- trunk/Source/_javascript_Core/bytecode/AccessCase.cpp	2021-08-26 18:40:02 UTC (rev 281637)
+++ trunk/Source/_javascript_Core/bytecode/AccessCase.cpp	2021-08-26 18:44:38 UTC (rev 281638)
@@ -1606,9 +1606,6 @@
             allocator.lock(stubInfo.m_arrayProfileGPR);
         allocator.lock(scratchGPR);
         GPRReg scratch2GPR = allocator.allocateScratchGPR();
-        GPRReg scratch3GPR = InvalidGPRReg;
-        if (isClamped(type))
-            scratch3GPR = allocator.allocateScratchGPR();
 
         ScratchRegisterAllocator::PreservedState preservedState = allocator.preserveReusedRegistersByPushing(
             jit, ScratchRegisterAllocator::ExtraStackSpace::NoExtraSpace);
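Review bot: With the conditional scratch3GPR allocation removed, this access case now requests the same number of scratch registers whether or not isClamped(type) holds, which is the actual fix for the ARMv7 register shortage. The context shown here does not cover the rest of generateWithGuard, so it is worth confirming no later line still references scratch3GPR (the compiler would reject a stale use, but the release/restore bookkeeping around preserveReusedRegistersByPushing is where leftovers usually hide). A brief comment at the allocation site noting that the clamped path reuses scratchGPR would also help, since the reason the third register went away is only visible in the next hunk.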
@@ -1621,16 +1618,17 @@
             if (isClamped(type)) {
                 ASSERT(elementSize(type) == 1);
                 ASSERT(!JSC::isSigned(type));
-                jit.move(valueRegs.payloadGPR(), scratch3GPR);
-                auto inBounds = jit.branch32(CCallHelpers::BelowOrEqual, scratch3GPR, CCallHelpers::TrustedImm32(0xff));
-                auto tooBig = jit.branch32(CCallHelpers::GreaterThan, scratch3GPR, CCallHelpers::TrustedImm32(0xff));
-                jit.xor32(scratch3GPR, scratch3GPR);
+                jit.getEffectiveAddress(CCallHelpers::BaseIndex(scratch2GPR, scratchGPR, CCallHelpers::TimesOne), scratch2GPR);
+                jit.move(valueRegs.payloadGPR(), scratchGPR);
+                auto inBounds = jit.branch32(CCallHelpers::BelowOrEqual, scratchGPR, CCallHelpers::TrustedImm32(0xff));
+                auto tooBig = jit.branch32(CCallHelpers::GreaterThan, scratchGPR, CCallHelpers::TrustedImm32(0xff));
+                jit.xor32(scratchGPR, scratchGPR);
                 auto clamped = jit.jump();
                 tooBig.link(&jit);
-                jit.move(CCallHelpers::TrustedImm32(0xff), scratch3GPR);
+                jit.move(CCallHelpers::TrustedImm32(0xff), scratchGPR);
                 clamped.link(&jit);
                 inBounds.link(&jit);
-                jit.store8(scratch3GPR, CCallHelpers::BaseIndex(scratch2GPR, scratchGPR, CCallHelpers::TimesOne));
+                jit.store8(scratchGPR, CCallHelpers::Address(scratch2GPR));
             } else {
                 switch (elementSize(type)) {
                 case 1:
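Review bot: The statement order in the isClamped(type) block is load-bearing and should carry a comment: getEffectiveAddress(CCallHelpers::BaseIndex(scratch2GPR, scratchGPR, CCallHelpers::TimesOne), scratch2GPR) must run before jit.move(valueRegs.payloadGPR(), scratchGPR), because that move overwrites the index register the BaseIndex operand still needs. Once the element address is in scratch2GPR, the final store8(scratchGPR, CCallHelpers::Address(scratch2GPR)) is correct, and the else branch is unaffected because scratchGPR is only clobbered inside the clamped block. Suggest a line such as `// scratch2GPR now holds the element address; scratchGPR (the index) is free to hold the clamped value` above the move, so that a future reordering of these lines does not silently turn the clamped store into a write through a stale index.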
_______________________________________________
webkit-changes mailing list
[email protected]
https://lists.webkit.org/mailman/listinfo/webkit-changes
