Title: [159593] trunk/Source/JavaScriptCore
Revision: 159593
Author: [email protected]
Date: 2013-11-20 16:42:38 -0800 (Wed, 20 Nov 2013)
Log Message
[Win] JavaScript JIT crash (with DFG enabled).
https://bugs.webkit.org/show_bug.cgi?id=124675
Reviewed by Geoffrey Garen.
Similar to the change in r159427, changed linkClosureCall to use regT0/regT1 (payload/tag) for the callee.
linkForThunkGenerator already expected the callee in regT0/regT1, but changed the comment to reflect that.
* jit/Repatch.cpp:
(JSC::linkClosureCall):
* jit/ThunkGenerators.cpp:
(JSC::linkForThunkGenerator):
Modified Paths
Diff
Modified: trunk/Source/_javascript_Core/ChangeLog (159592 => 159593)
--- trunk/Source/_javascript_Core/ChangeLog 2013-11-21 00:41:18 UTC (rev 159592)
+++ trunk/Source/_javascript_Core/ChangeLog 2013-11-21 00:42:38 UTC (rev 159593)
@@ -1,5 +1,20 @@
2013-11-20 Michael Saboff <[email protected]>
+ [Win] _javascript_ JIT crash (with DFG enabled).
+ https://bugs.webkit.org/show_bug.cgi?id=124675
+
+ Reviewed by Geoffrey Garen.
+
+ Similar to the change in r159427, changed linkClosureCall to use regT0/regT1 (payload/tag) for the callee.
+ linkForThunkGenerator already expected the callee in regT0/regT1, but changed the comment to reflect that.
+
+ * jit/Repatch.cpp:
+ (JSC::linkClosureCall):
+ * jit/ThunkGenerators.cpp:
+ (JSC::linkForThunkGenerator):
+
+2013-11-20 Michael Saboff <[email protected]>
+
ARMv7: Crash due to use after free of AssemblerBuffer
https://bugs.webkit.org/show_bug.cgi?id=124611
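Review bot: the entry records what changed (linkClosureCall now places the callee in regT0/regT1) but not why the previous nonArgGPR0/nonArgGPR1 choice crashed, which is the one fact a later reader of this ChangeLog will want. The visible lines show the producer (linkClosureCall) and the consumer (linkForThunkGenerator, which the entry says already expected regT0/regT1) disagreeing on the callee register; a one-line statement that the mismatch is masked on ports where nonArgGPR0 happens to be the same register as regT0 and only surfaces where it is not, as the [Win] title suggests is the case for the Windows build, would record the root cause rather than only the fix.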
Modified: trunk/Source/_javascript_Core/jit/Repatch.cpp (159592 => 159593)
--- trunk/Source/_javascript_Core/jit/Repatch.cpp 2013-11-21 00:41:18 UTC (rev 159592)
+++ trunk/Source/_javascript_Core/jit/Repatch.cpp 2013-11-21 00:42:38 UTC (rev 159593)
@@ -1379,9 +1379,9 @@
AssemblyHelpers::Jump done = stubJit.jump();
slowPath.link(&stubJit);
- stubJit.move(calleeGPR, GPRInfo::nonArgGPR0);
+ stubJit.move(calleeGPR, GPRInfo::regT0);
#if USE(JSVALUE32_64)
- stubJit.move(CCallHelpers::TrustedImm32(JSValue::CellTag), GPRInfo::nonArgGPR1);
+ stubJit.move(CCallHelpers::TrustedImm32(JSValue::CellTag), GPRInfo::regT1);
#endif
stubJit.move(CCallHelpers::TrustedImmPtr(callLinkInfo.callReturnLocation.executableAddress()), GPRInfo::nonArgGPR2);
stubJit.restoreReturnAddressBeforeReturn(GPRInfo::nonArgGPR2);
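Review bot: the slow path now hands the callee to the thunk in regT0/regT1 but still stages the return address through nonArgGPR2 two lines later, so the hunk silently relies on nonArgGPR2 never aliasing regT0 or regT1 on any port; if it did, restoreReturnAddressBeforeReturn would clobber the callee this change just moved. Since the bug being fixed was exactly a per-port register assumption, pin this one next to the nonArgGPR2 move, e.g. `ASSERT(GPRInfo::nonArgGPR2 != GPRInfo::regT0 && GPRInfo::nonArgGPR2 != GPRInfo::regT1);`. The move order in the hunk is correct as written (payload into regT0 before the CellTag immediate overwrites regT1, which is safe even if calleeGPR is regT1), and a short comment saying that the order matters would keep it that way.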
Modified: trunk/Source/_javascript_Core/jit/ThunkGenerators.cpp (159592 => 159593)
--- trunk/Source/_javascript_Core/jit/ThunkGenerators.cpp 2013-11-21 00:41:18 UTC (rev 159592)
+++ trunk/Source/_javascript_Core/jit/ThunkGenerators.cpp 2013-11-21 00:42:38 UTC (rev 159593)
@@ -109,7 +109,7 @@
// The return address is on the stack or in the link register. We will hence
// save the return address to the call frame while we make a C++ function call
// to perform linking and lazy compilation if necessary. We expect the callee
- // to be in nonArgGPR0/nonArgGPR1 (payload/tag), the CallFrame to have already
+ // to be in regT0/regT1 (payload/tag), the CallFrame to have already
// been adjusted, and all other registers to be available for use.
CCallHelpers jit(vm);
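Review bot: the comment now states the contract (callee in regT0/regT1, payload/tag) but nothing ties it to the code that has to honour it, and the crash came precisely from the producer and this consumer drifting apart. Name the producer here, e.g. `// to be in regT0/regT1 (payload/tag), as set up by linkClosureCall in Repatch.cpp, the CallFrame to have already`, so whoever next edits either side is pointed at the other.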
webkit-changes mailing list
[email protected]
https://lists.webkit.org/mailman/listinfo/webkit-changes