Title: [144083] trunk/Source/JavaScriptCore
Revision
144083
Author
[email protected]
Date
2013-02-26 11:37:53 -0800 (Tue, 26 Feb 2013)

Log Message

Potential crash in YARR JIT generated code when building 64 bit
https://bugs.webkit.org/show_bug.cgi?id=110893

Reviewed by Gavin Barraclough.

The ABI doesn't define the behavior for the upper bits of a value that takes less than 64 bits.
Therefore, we zero extend both the count and length registers to assure that these unsigned values
don't have garbage upper bits.

* yarr/YarrJIT.cpp:
(JSC::Yarr::YarrGenerator::generateEnter):

Modified Paths

trunk/Source/JavaScriptCore/ChangeLog
trunk/Source/JavaScriptCore/yarr/YarrJIT.cpp

Diff

Modified: trunk/Source/JavaScriptCore/ChangeLog (144082 => 144083)


--- trunk/Source/_javascript_Core/ChangeLog	2013-02-26 19:25:42 UTC (rev 144082)
+++ trunk/Source/_javascript_Core/ChangeLog	2013-02-26 19:37:53 UTC (rev 144083)
@@ -1,3 +1,17 @@
+2013-02-26  Michael Saboff  <[email protected]>
+
+        Potential crash in YARR JIT generated code when building 64 bit
+        https://bugs.webkit.org/show_bug.cgi?id=110893
+
+        Reviewed by Gavin Barraclough.
+
+        The ABI doesn't define the behavior for the upper bits of a value that takes less than 64 bits.
+        Therefore, we zero extend both the count and length registers to assure that these unsigned values
+        don't have garbage upper bits.
+
+        * yarr/YarrJIT.cpp:
+        (JSC::Yarr::YarrGenerator::generateEnter):
+
 2013-02-26  Andreas Kling  <[email protected]>
 
         Unused Structure property tables waste 14MB on Membuster.
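Review bot: the entry says "we zero extend both the count and length registers", but the change in YarrJIT.cpp zero-extends `index` and `length`; there is no count register touched, so reword to "the index and length registers" so the ChangeLog matches the code. The first sentence would also be more precise if it matched the in-code comment: the ABI does not guarantee that the upper 32 bits of a 32-bit unsigned argument are zero in its 64-bit register, which is exactly why the clear is needed before those registers are used in 64-bit arithmetic.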

Modified: trunk/Source/JavaScriptCore/yarr/YarrJIT.cpp (144082 => 144083)


--- trunk/Source/_javascript_Core/yarr/YarrJIT.cpp	2013-02-26 19:25:42 UTC (rev 144082)
+++ trunk/Source/_javascript_Core/yarr/YarrJIT.cpp	2013-02-26 19:37:53 UTC (rev 144083)
@@ -2524,6 +2524,9 @@
         push(X86Registers::ebp);
         move(stackPointerRegister, X86Registers::ebp);
         push(X86Registers::ebx);
+        // The ABI doesn't guarantee the upper bits are zero on unsigned arguments, so clear them ourselves.
+        zeroExtend32ToPtr(index, index);
+        zeroExtend32ToPtr(length, length);
 #if OS(WINDOWS)
         if (compileMode == IncludeSubpatterns)
             loadPtr(Address(X86Registers::ebp, 6 * sizeof(void*)), output);
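Review bot: the added comment should name the arguments it refers to and say why the problem is 64-bit specific, since "unsigned arguments" alone does not tell a later reader which registers are at risk; something like "// index and length are 32-bit unsigned arguments; on 64-bit targets the ABI doesn't guarantee their upper 32 bits are zero, so clear them before they are used in pointer arithmetic." The placement itself is sound: it sits after the callee-saved pushes and the frame-pointer move, none of which read `index` or `length`, and before the Windows-only load into `output`, so both registers are clean before any later code uses them. The ChangeLog title scopes the crash to 64-bit builds; if this prologue is also compiled for 32-bit x86, either a CPU(X86_64) guard around the two calls or a comment noting that zeroExtend32ToPtr is a harmless register move there would keep that intent visible.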
_______________________________________________
webkit-changes mailing list
[email protected]
https://lists.webkit.org/mailman/listinfo/webkit-changes