Modified: trunk/Source/_javascript_Core/ChangeLog (160055 => 160056)
--- trunk/Source/_javascript_Core/ChangeLog 2013-12-03 23:54:15 UTC (rev 160055)
+++ trunk/Source/_javascript_Core/ChangeLog 2013-12-03 23:56:31 UTC (rev 160056)
@@ -1,5 +1,27 @@
2013-12-03 Michael Saboff <[email protected]>
+ ARM64: Crash in JIT code due to improper reuse of cached memory temp register
+ https://bugs.webkit.org/show_bug.cgi?id=125181
+
+ Reviewed by Geoffrey Garen.
+
+ Changed load8() and load() to invalidate the memory temp CachedTempRegister when the
+ destination of an absolute load is the memory temp register since the source address
+ is also the memory temp register. Change branch{8,32,64} of an AbsoluteAddress with
+ a register to use the dataTempRegister as the destinate of the absolute load to
+ reduce the chance that we need to invalidate the memory temp register cache.
+ In the process, found and fixed an outright bug in branch8() where we'd load into
+ the data temp register and then compare and branch on the memory temp register.
+
+ * assembler/MacroAssemblerARM64.h:
+ (JSC::MacroAssemblerARM64::load8):
+ (JSC::MacroAssemblerARM64::branch32):
+ (JSC::MacroAssemblerARM64::branch64):
+ (JSC::MacroAssemblerARM64::branch8):
+ (JSC::MacroAssemblerARM64::load):
+
+2013-12-03 Michael Saboff <[email protected]>
+
jit/JITArithmetic.cpp doesn't build for non-X86 ports
https://bugs.webkit.org/show_bug.cgi?id=125185
Modified: trunk/Source/_javascript_Core/assembler/MacroAssemblerARM64.h (160055 => 160056)
--- trunk/Source/_javascript_Core/assembler/MacroAssemblerARM64.h 2013-12-03 23:54:15 UTC (rev 160055)
+++ trunk/Source/_javascript_Core/assembler/MacroAssemblerARM64.h 2013-12-03 23:56:31 UTC (rev 160056)
@@ -898,6 +898,8 @@
{
moveToCachedReg(TrustedImmPtr(address), m_cachedMemoryTempRegister);
m_assembler.ldrb(dest, memoryTempRegister, ARM64Registers::zr);
+ if (dest == memoryTempRegister)
+ m_cachedMemoryTempRegister.invalidate();
}
void load8Signed(BaseIndex address, RegisterID dest)
@@ -1570,8 +1572,8 @@
Jump branch32(RelationalCondition cond, AbsoluteAddress left, RegisterID right)
{
- load32(left.m_ptr, getCachedMemoryTempRegisterIDAndInvalidate());
- return branch32(cond, memoryTempRegister, right);
+ load32(left.m_ptr, getCachedDataTempRegisterIDAndInvalidate());
+ return branch32(cond, dataTempRegister, right);
}
Jump branch32(RelationalCondition cond, AbsoluteAddress left, TrustedImm32 right)
@@ -1608,8 +1610,8 @@
Jump branch64(RelationalCondition cond, AbsoluteAddress left, RegisterID right)
{
- load64(left.m_ptr, getCachedMemoryTempRegisterIDAndInvalidate());
- return branch64(cond, memoryTempRegister, right);
+ load64(left.m_ptr, getCachedDataTempRegisterIDAndInvalidate());
+ return branch64(cond, dataTempRegister, right);
}
Jump branch64(RelationalCondition cond, Address left, RegisterID right)
@@ -1641,7 +1643,7 @@
Jump branch8(RelationalCondition cond, AbsoluteAddress left, TrustedImm32 right)
{
ASSERT(!(0xffffff00 & right.m_value));
- load8(left.m_ptr, getCachedDataTempRegisterIDAndInvalidate());
+ load8(left.m_ptr, getCachedMemoryTempRegisterIDAndInvalidate());
return branch32(cond, memoryTempRegister, right);
}
@@ -2493,6 +2495,9 @@
intptr_t addressAsInt = reinterpret_cast<intptr_t>(address);
intptr_t addressDelta = addressAsInt - currentRegisterContents;
+ if (dest == memoryTempRegister)
+ m_cachedMemoryTempRegister.invalidate();
+
if (isInIntRange(addressDelta)) {
if (ARM64Assembler::canEncodeSImmOffset(addressDelta)) {
m_assembler.ldur<datasize>(dest, memoryTempRegister, addressDelta);
@@ -2514,7 +2519,10 @@
}
move(TrustedImmPtr(address), memoryTempRegister);
- m_cachedMemoryTempRegister.setValue(reinterpret_cast<intptr_t>(address));
+ if (dest == memoryTempRegister)
+ m_cachedMemoryTempRegister.invalidate();
+ else
+ m_cachedMemoryTempRegister.setValue(reinterpret_cast<intptr_t>(address));
m_assembler.ldr<datasize>(dest, memoryTempRegister, ARM64Registers::zr);
}
