Modified: branches/safari-612-branch/Source/_javascript_Core/ChangeLog (281893 => 281894)
--- branches/safari-612-branch/Source/_javascript_Core/ChangeLog 2021-09-02 01:04:50 UTC (rev 281893)
+++ branches/safari-612-branch/Source/_javascript_Core/ChangeLog 2021-09-02 01:04:52 UTC (rev 281894)
@@ -1,5 +1,34 @@
2021-09-01 Russell Epstein <[email protected]>
+ Cherry-pick r281638. rdar://problem/82651129
+
+ [JSC] Segfault in stress/typedarray-every.js (32bit)
+ https://bugs.webkit.org/show_bug.cgi?id=229546
+
+ Reviewed by Saam Barati.
+
+ ARMv7 does not have enough registers. Adding workaround by using getEffectiveAddress.
+
+ * bytecode/AccessCase.cpp:
+ (JSC::AccessCase::generateWithGuard):
+
+
+ git-svn-id: https://svn.webkit.org/repository/webkit/trunk@281638 268f45cc-cd09-0410-ab3c-d52691b4dbfc
+
+ 2021-08-26 Yusuke Suzuki <[email protected]>
+
+ [JSC] Segfault in stress/typedarray-every.js (32bit)
+ https://bugs.webkit.org/show_bug.cgi?id=229546
+
+ Reviewed by Saam Barati.
+
+ ARMv7 does not have enough registers. Adding workaround by using getEffectiveAddress.
+
+ * bytecode/AccessCase.cpp:
+ (JSC::AccessCase::generateWithGuard):
+
+2021-09-01 Russell Epstein <[email protected]>
+
Cherry-pick r281618. rdar://problem/82650928
[JSC] DataIC should not embed StructureStubInfo pointer
Modified: branches/safari-612-branch/Source/_javascript_Core/bytecode/AccessCase.cpp (281893 => 281894)
--- branches/safari-612-branch/Source/_javascript_Core/bytecode/AccessCase.cpp 2021-09-02 01:04:50 UTC (rev 281893)
+++ branches/safari-612-branch/Source/_javascript_Core/bytecode/AccessCase.cpp 2021-09-02 01:04:52 UTC (rev 281894)
@@ -1606,9 +1606,6 @@
allocator.lock(stubInfo.m_arrayProfileGPR);
allocator.lock(scratchGPR);
GPRReg scratch2GPR = allocator.allocateScratchGPR();
- GPRReg scratch3GPR = InvalidGPRReg;
- if (isClamped(type))
- scratch3GPR = allocator.allocateScratchGPR();
ScratchRegisterAllocator::PreservedState preservedState = allocator.preserveReusedRegistersByPushing(
jit, ScratchRegisterAllocator::ExtraStackSpace::NoExtraSpace);
@@ -1621,16 +1618,17 @@
if (isClamped(type)) {
ASSERT(elementSize(type) == 1);
ASSERT(!JSC::isSigned(type));
- jit.move(valueRegs.payloadGPR(), scratch3GPR);
- auto inBounds = jit.branch32(CCallHelpers::BelowOrEqual, scratch3GPR, CCallHelpers::TrustedImm32(0xff));
- auto tooBig = jit.branch32(CCallHelpers::GreaterThan, scratch3GPR, CCallHelpers::TrustedImm32(0xff));
- jit.xor32(scratch3GPR, scratch3GPR);
+ jit.getEffectiveAddress(CCallHelpers::BaseIndex(scratch2GPR, scratchGPR, CCallHelpers::TimesOne), scratch2GPR);
+ jit.move(valueRegs.payloadGPR(), scratchGPR);
+ auto inBounds = jit.branch32(CCallHelpers::BelowOrEqual, scratchGPR, CCallHelpers::TrustedImm32(0xff));
+ auto tooBig = jit.branch32(CCallHelpers::GreaterThan, scratchGPR, CCallHelpers::TrustedImm32(0xff));
+ jit.xor32(scratchGPR, scratchGPR);
auto clamped = jit.jump();
tooBig.link(&jit);
- jit.move(CCallHelpers::TrustedImm32(0xff), scratch3GPR);
+ jit.move(CCallHelpers::TrustedImm32(0xff), scratchGPR);
clamped.link(&jit);
inBounds.link(&jit);
- jit.store8(scratch3GPR, CCallHelpers::BaseIndex(scratch2GPR, scratchGPR, CCallHelpers::TimesOne));
+ jit.store8(scratchGPR, CCallHelpers::Address(scratch2GPR));
} else {
switch (elementSize(type)) {
case 1:
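Review bot: The reuse of scratchGPR as the clamped-value register right after the new getEffectiveAddress call is correct only because the index it held has just been folded into scratch2GPR, and nothing in the hunk says so; a reader of this JIT store sequence has to reconstruct that register-liveness argument themselves. I would add, above the `jit.move(valueRegs.payloadGPR(), scratchGPR);` line, `// ARMv7 has no spare scratch register: fold the index into scratch2GPR first, so scratchGPR is dead and can hold the clamped byte.` Note that the clamp still relies on the unsigned BelowOrEqual check on the raw payload to accept 0..255 before the signed GreaterThan check, so negative values fall through to the xor32 and store 0, which matches the removed scratch3GPR version. The non-clamped `else` branch presumably still indexes through `BaseIndex(scratch2GPR, scratchGPR, ...)`, which is fine only because the getEffectiveAddress fold is confined to the clamped branch; that branch and the rest of generateWithGuard lie outside the hunk.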