Title: [159203] trunk/Source/_javascript_Core
Revision
159203
Author
[email protected]
Date
2013-11-13 09:39:43 -0800 (Wed, 13 Nov 2013)

Log Message

[sh4] Protect repatchCompact from flushConstantPool.
https://bugs.webkit.org/show_bug.cgi?id=124278

Patch by Julien Brianceau <[email protected]> on 2013-11-13
Reviewed by Michael Saboff.

Random crashes may occur with sh4 architecture, when a flushConstantPool occurs in
movlMemRegCompact. As in this case a branch opcode and the constant pool are put
before the movlMemRegCompact, the branch itself is patched when calling repatchCompact
instead of the mov instruction, which is really bad.

* assembler/SH4Assembler.h:
(JSC::SH4Assembler::repatchCompact): Handle this specific case and add an ASSERT.

Diff

Modified: trunk/Source/_javascript_Core/ChangeLog (159202 => 159203)


--- trunk/Source/_javascript_Core/ChangeLog	2013-11-13 17:35:30 UTC (rev 159202)
+++ trunk/Source/_javascript_Core/ChangeLog	2013-11-13 17:39:43 UTC (rev 159203)
@@ -1,3 +1,18 @@
+2013-11-13  Julien Brianceau  <[email protected]>
+
+        [sh4] Protect repatchCompact from flushConstantPool.
+        https://bugs.webkit.org/show_bug.cgi?id=124278
+
+        Reviewed by Michael Saboff.
+
+        Random crashes may occur with sh4 architecture, when a flushConstantPool occurs in
+        movlMemRegCompact. As in this case a branch opcode and the constant pool are put
+        before the movlMemRegCompact, the branch itself is patched when calling repatchCompact
+        instead of the mov instruction, which is really bad.
+
+        * assembler/SH4Assembler.h:
+        (JSC::SH4Assembler::repatchCompact): Handle this specific case and add an ASSERT.
+
 2013-11-12  Alexey Proskuryakov  <[email protected]>
 
         Disable WebCrypto on Mountain Lion

Modified: trunk/Source/_javascript_Core/assembler/SH4Assembler.h (159202 => 159203)


--- trunk/Source/_javascript_Core/assembler/SH4Assembler.h	2013-11-13 17:35:30 UTC (rev 159202)
+++ trunk/Source/_javascript_Core/assembler/SH4Assembler.h	2013-11-13 17:39:43 UTC (rev 159203)
@@ -1463,10 +1463,17 @@
 
     static void repatchCompact(void* where, int32_t value)
     {
+        uint16_t* instructionPtr = reinterpret_cast<uint16_t*>(where);
         ASSERT(value >= 0);
         ASSERT(value <= 60);
-        *reinterpret_cast<uint16_t*>(where) = ((*reinterpret_cast<uint16_t*>(where) & 0xfff0) | (value >> 2));
-        cacheFlush(reinterpret_cast<uint16_t*>(where), sizeof(uint16_t));
+
+        // Handle the uncommon case where a flushConstantPool occured in movlMemRegCompact.
+        if ((instructionPtr[0] & 0xf000) == BRA_OPCODE)
+            instructionPtr += (instructionPtr[0] & 0x0fff) + 2;
+
+        ASSERT((instructionPtr[0] & 0xf000) == MOVL_READ_OFFRM_OPCODE);
+        instructionPtr[0] = (instructionPtr[0] & 0xfff0) | (value >> 2);
+        cacheFlush(instructionPtr, sizeof(uint16_t));
     }
 
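Review bot: the displacement arithmetic in `instructionPtr += (instructionPtr[0] & 0x0fff) + 2;` treats the 12-bit BRA displacement as unsigned, while the SH4 encoding is sign-extended; that is correct only because the branch emitted around a flushed constant pool always jumps forward over the pool (target = address of BRA + 4 + 2*disp, i.e. 2 + disp halfwords), so the assumption deserves either a comment or an `ASSERT(!(instructionPtr[0] & 0x0800))` on the sign bit so a backward branch is caught instead of walking to an arbitrary address. Note also that the new `ASSERT((instructionPtr[0] & 0xf000) == MOVL_READ_OFFRM_OPCODE)` only guards debug builds; in release a mis-identified instruction is still patched silently, which is the same exposure as before but worth stating in the ChangeLog. Minor: "occured" in the comment should be "occurred".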
     static void relinkCall(void* from, void* to)