Title: [159203] trunk/Source/JavaScriptCore
- Revision
- 159203
- Author
- [email protected]
- Date
- 2013-11-13 09:39:43 -0800 (Wed, 13 Nov 2013)
Log Message
[sh4] Protect repatchCompact from flushConstantPool.
https://bugs.webkit.org/show_bug.cgi?id=124278
Patch by Julien Brianceau <[email protected]> on 2013-11-13
Reviewed by Michael Saboff.
Random crashes may occur with sh4 architecture, when a flushConstantPool occurs in
movlMemRegCompact. As in this case a branch opcode and the constant pool are put
before the movlMemRegCompact, the branch itself is patched when calling repatchCompact
instead of the mov instruction, which is really bad.
* assembler/SH4Assembler.h:
(JSC::SH4Assembler::repatchCompact): Handle this specific case and add an ASSERT.
Modified Paths
Diff
Modified: trunk/Source/_javascript_Core/ChangeLog (159202 => 159203)
--- trunk/Source/_javascript_Core/ChangeLog 2013-11-13 17:35:30 UTC (rev 159202)
+++ trunk/Source/_javascript_Core/ChangeLog 2013-11-13 17:39:43 UTC (rev 159203)
@@ -1,3 +1,18 @@
+2013-11-13 Julien Brianceau <[email protected]>
+
+ [sh4] Protect repatchCompact from flushConstantPool.
+ https://bugs.webkit.org/show_bug.cgi?id=124278
+
+ Reviewed by Michael Saboff.
+
+ Random crashes may occur with sh4 architecture, when a flushConstantPool occurs in
+ movlMemRegCompact. As in this case a branch opcode and the constant pool are put
+ before the movlMemRegCompact, the branch itself is patched when calling repatchCompact
+ instead of the mov instruction, which is really bad.
+
+ * assembler/SH4Assembler.h:
+ (JSC::SH4Assembler::repatchCompact): Handle this specific case and add an ASSERT.
+
2013-11-12 Alexey Proskuryakov <[email protected]>
Disable WebCrypto on Mountain Lion
Modified: trunk/Source/_javascript_Core/assembler/SH4Assembler.h (159202 => 159203)
--- trunk/Source/_javascript_Core/assembler/SH4Assembler.h 2013-11-13 17:35:30 UTC (rev 159202)
+++ trunk/Source/_javascript_Core/assembler/SH4Assembler.h 2013-11-13 17:39:43 UTC (rev 159203)
@@ -1463,10 +1463,17 @@
static void repatchCompact(void* where, int32_t value)
{
+ uint16_t* instructionPtr = reinterpret_cast<uint16_t*>(where);
ASSERT(value >= 0);
ASSERT(value <= 60);
- *reinterpret_cast<uint16_t*>(where) = ((*reinterpret_cast<uint16_t*>(where) & 0xfff0) | (value >> 2));
- cacheFlush(reinterpret_cast<uint16_t*>(where), sizeof(uint16_t));
+
+ // Handle the uncommon case where a flushConstantPool occured in movlMemRegCompact.
+ if ((instructionPtr[0] & 0xf000) == BRA_OPCODE)
+ instructionPtr += (instructionPtr[0] & 0x0fff) + 2;
+
+ ASSERT((instructionPtr[0] & 0xf000) == MOVL_READ_OFFRM_OPCODE);
+ instructionPtr[0] = (instructionPtr[0] & 0xfff0) | (value >> 2);
+ cacheFlush(instructionPtr, sizeof(uint16_t));
}
static void relinkCall(void* from, void* to)
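Review bot: the displacement arithmetic in `instructionPtr += (instructionPtr[0] & 0x0fff) + 2;` treats the 12-bit BRA displacement as unsigned, which is only correct because the constant pool is always emitted forward of the branch in this sequence; a short comment (or an ASSERT that the sign bit of the displacement is clear) would make that assumption explicit so a backward branch is never silently mis-resolved. Note also that the new `ASSERT((instructionPtr[0] & 0xf000) == MOVL_READ_OFFRM_OPCODE);` is debug-only, so in release builds an unexpected opcode at the resolved address is still patched in place without any check; if that is acceptable, the ChangeLog could say so. Minor: "occured" in the new comment should read "occurred".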
_______________________________________________
webkit-changes mailing list
[email protected]
https://lists.webkit.org/mailman/listinfo/webkit-changes