[webkit-changes] [161439] branches/jsCStack/Source/JavaScriptCore

[msaboff]

Title: [161439] branches/jsCStack/Source/_javascript_Core

Revision

161439

Author

msab...@apple.com

Date

2014-01-07 11:30:34 -0800 (Tue, 07 Jan 2014)

Log Message

CStack Branch: ARM64 Crash running ecma/FunctionObjects/15.3.1.1-3.js
https://bugs.webkit.org/show_bug.cgi?id=126585

Reviewed by Geoffrey Garen.

We were improperly using a shifted add/subtract for operations with the stack
pointer as the destination.  Broadened the cases where we use the extended
register version of add/subtract to include when the destination is the
stack pointer.  In the ARM64 documentation, the immediate and extended register
forms of add and subtract are the right variants to manipulate the stack pointer.

* assembler/ARM64Assembler.h:
(JSC::ARM64Assembler::add):
(JSC::ARM64Assembler::sub):

Modified Paths

• branches/jsCStack/Source/_javascript_Core/ChangeLog
• branches/jsCStack/Source/_javascript_Core/assembler/ARM64Assembler.h

Diff

Modified: branches/jsCStack/Source/_javascript_Core/ChangeLog (161438 => 161439)

--- branches/jsCStack/Source/_javascript_Core/ChangeLog	2014-01-07 19:14:59 UTC (rev 161438)
+++ branches/jsCStack/Source/_javascript_Core/ChangeLog	2014-01-07 19:30:34 UTC (rev 161439)
@@ -1,3 +1,20 @@
+2014-01-07  Michael Saboff  <msab...@apple.com>
+
+        CStack Branch: ARM64 Crash running ecma/FunctionObjects/15.3.1.1-3.js
+        https://bugs.webkit.org/show_bug.cgi?id=126585
+
+        Reviewed by Geoffrey Garen.
+
+        We were improperly using a shifted add/subtract for operations with the stack
+        pointer as the destination.  Broadened the cases where we use the extended
+        register version of add/subtract to include when the destination is the
+        stack pointer.  In the ARM64 documentation, the immediate and extended register
+        forms of add and subtract are the right variants to manipulate the stack pointer.
+
+        * assembler/ARM64Assembler.h:
+        (JSC::ARM64Assembler::add):
+        (JSC::ARM64Assembler::sub):
+
 2014-01-07  Filip Pizlo  <fpi...@apple.com>
 
         Merge trunk r161411.

Modified: branches/jsCStack/Source/_javascript_Core/assembler/ARM64Assembler.h (161438 => 161439)

--- branches/jsCStack/Source/_javascript_Core/assembler/ARM64Assembler.h	2014-01-07 19:14:59 UTC (rev 161438)
+++ branches/jsCStack/Source/_javascript_Core/assembler/ARM64Assembler.h	2014-01-07 19:30:34 UTC (rev 161439)
@@ -929,8 +929,9 @@
     ALWAYS_INLINE void add(RegisterID rd, RegisterID rn, RegisterID rm, ShiftType shift, int amount)
     {
         CHECK_DATASIZE();
-        if (isSp(rn)) {
+        if (isSp(rd) || isSp(rn)) {
             ASSERT(shift == LSL);
+            ASSERT(!isSp(rm));
             add<datasize, setFlags>(rd, rn, rm, UXTX, amount);
         } else
             insn(addSubtractShiftedRegister(DATASIZE, AddOp_ADD, setFlags, shift, rm, amount, rn, rd));
@@ -1962,8 +1963,9 @@
     ALWAYS_INLINE void sub(RegisterID rd, RegisterID rn, RegisterID rm, ShiftType shift, int amount)
     {
         CHECK_DATASIZE();
-        if (isSp(rn)) {
+        if (isSp(rd) || isSp(rn)) {
             ASSERT(shift == LSL);
+            ASSERT(!isSp(rm));
             sub<datasize, setFlags>(rd, rn, rm, UXTX, amount);
         } else
             insn(addSubtractShiftedRegister(DATASIZE, AddOp_SUB, setFlags, shift, rm, amount, rn, rd));

_______________________________________________
webkit-changes mailing list
webkit-changes@lists.webkit.org
https://lists.webkit.org/mailman/listinfo/webkit-changes