[webkit-changes] [141951] trunk/Source/JavaScriptCore

[msaboff]

Title: [141951] trunk/Source/_javascript_Core

Revision

141951

Author

msab...@apple.com

Date

2013-02-05 17:06:55 -0800 (Tue, 05 Feb 2013)

Log Message

Crash at JSC::call when loading www.gap.com with JSVALUE32_64 Enabled
https://bugs.webkit.org/show_bug.cgi?id=108991

Reviewed by Oliver Hunt.

Changed the restoration from calleeGPR to nonArgGPR0 because the restoration of the return location
may step on calleeGPR is it happen to be nonArgGPR2.

* dfg/DFGRepatch.cpp:
(JSC::DFG::dfgLinkClosureCall):

Modified Paths

• trunk/Source/_javascript_Core/ChangeLog
• trunk/Source/_javascript_Core/dfg/DFGRepatch.cpp

Diff

Modified: trunk/Source/_javascript_Core/ChangeLog (141950 => 141951)

--- trunk/Source/_javascript_Core/ChangeLog	2013-02-06 00:58:47 UTC (rev 141950)
+++ trunk/Source/_javascript_Core/ChangeLog	2013-02-06 01:06:55 UTC (rev 141951)
@@ -1,3 +1,16 @@
+2013-02-05  Michael Saboff  <msab...@apple.com>
+
+        Crash at JSC::call when loading www.gap.com with JSVALUE32_64 Enabled
+        https://bugs.webkit.org/show_bug.cgi?id=108991
+
+        Reviewed by Oliver Hunt.
+
+        Changed the restoration from calleeGPR to nonArgGPR0 because the restoration of the return location
+        may step on calleeGPR is it happen to be nonArgGPR2.
+
+        * dfg/DFGRepatch.cpp:
+        (JSC::DFG::dfgLinkClosureCall):
+
 2013-02-05  Roger Fong  <roger_f...@apple.com>
 
         Add a _javascript_Core Export Generator project.

Modified: trunk/Source/_javascript_Core/dfg/DFGRepatch.cpp (141950 => 141951)

--- trunk/Source/_javascript_Core/dfg/DFGRepatch.cpp	2013-02-06 00:58:47 UTC (rev 141950)
+++ trunk/Source/_javascript_Core/dfg/DFGRepatch.cpp	2013-02-06 01:06:55 UTC (rev 141951)
@@ -1215,12 +1215,12 @@
     JITCompiler::Jump done = stubJit.jump();
     
     slowPath.link(&stubJit);
-    stubJit.move(CCallHelpers::TrustedImmPtr(callLinkInfo.callReturnLocation.executableAddress()), GPRInfo::nonArgGPR2);
-    stubJit.restoreReturnAddressBeforeReturn(GPRInfo::nonArgGPR2);
     stubJit.move(calleeGPR, GPRInfo::nonArgGPR0);
 #if USE(JSVALUE32_64)
     stubJit.move(CCallHelpers::TrustedImm32(JSValue::CellTag), GPRInfo::nonArgGPR1);
 #endif
+    stubJit.move(CCallHelpers::TrustedImmPtr(callLinkInfo.callReturnLocation.executableAddress()), GPRInfo::nonArgGPR2);
+    stubJit.restoreReturnAddressBeforeReturn(GPRInfo::nonArgGPR2);
     JITCompiler::Jump slow = stubJit.jump();
     
     LinkBuffer patchBuffer(*globalData, &stubJit, callerCodeBlock);

_______________________________________________
webkit-changes mailing list
webkit-changes@lists.webkit.org
https://lists.webkit.org/mailman/listinfo/webkit-changes