Title: [199586] trunk/Source/_javascript_Core
- Revision
- 199586
- Author
- [email protected]
- Date
- 2016-04-15 02:07:36 -0700 (Fri, 15 Apr 2016)
Log Message
Tail call optimizations lead to crashes on ARM Thumb + Linux
https://bugs.webkit.org/show_bug.cgi?id=150083
Patch by Zan Dobersek <[email protected]> on 2016-04-15
Reviewed by Csaba Osztrogonác.
* assembler/AbstractMacroAssembler.h:
(JSC::AbstractMacroAssembler::repatchNearCall): In case of a tail call relink to the
data location of the destination, and not the executable address. This is needed for
the ARM Thumb2 platform where both the source and destination addresses of a jump relink
must not have the bottom bit decorated, as asserted in ARMv7Assembler::relinkJump().
* jit/Repatch.cpp:
(JSC::linkPolymorphicCall): Similarly, when linking a tail call we must link to the
address that has a non-decorated bottom bit, as asserted in ARMv7Assembler::linkJumpAbsolute().
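The decoration rule the log message depends on, as an added example that is not JavaScriptCore code: a small C model of the Thumb-2 B.W (T4) branch encoding that a jump relink has to produce, next to a relink_near_call() that mirrors the Tail/Regular split in repatchNearCall. The names thumb_data_location(), thumb_executable_address(), relink_near_call() and every address used here are hypothetical stand-ins for JSC's dataLocation()/executableAddress() and for real JIT memory; the encoding itself follows the ARMv7 architecture reference manual, and the program runs on any host without an ARM target.

```c
/*
 * Added example (not JSC code): why a Thumb-2 jump relink must be given the
 * undecorated address while a regular call keeps the decorated one.
 *
 * On ARM Thumb, an address that will be *executed via a register* (BX/BLX)
 * carries bit 0 set, meaning "enter Thumb state". The instruction bytes still
 * sit at the even address. JSC calls the former executableAddress() and the
 * latter dataLocation(); thumb_executable_address()/thumb_data_location()
 * below are hypothetical stand-ins for them.
 */
#include <assert.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

static inline uint32_t thumb_executable_address(uint32_t data_location) { return data_location | 1u; }
static inline uint32_t thumb_data_location(uint32_t executable_address) { return executable_address & ~1u; }

/* B.W (T4) encoding, two halfwords:
 *   hw0: 11110 S imm10        hw1: 10 J1 1 J2 imm11
 *   I1 = !(J1 ^ S), I2 = !(J2 ^ S)
 *   imm32 = SignExtend(S:I1:I2:imm10:imm11:'0')   target = (insn + 4) + imm32
 * The low bit of the offset is implicit zero: an odd target is unencodable. */
typedef struct { uint16_t hw[2]; } thumb2_bw;

/* Returns false when the branch cannot be encoded: either address has bit 0
 * set (the condition ARMv7Assembler asserts on per the ChangeLog), or the
 * offset leaves the +/-16 MiB range of the T4 encoding. */
static bool encode_bw(uint32_t from, uint32_t to, thumb2_bw *out)
{
    if ((from & 1u) || (to & 1u))
        return false;
    int64_t offset = (int64_t)to - ((int64_t)from + 4);
    if (offset < -(1LL << 24) || offset > (1LL << 24) - 2)
        return false;
    uint32_t off = (uint32_t)offset;
    uint32_t s = (off >> 24) & 1u;
    uint32_t i1 = (off >> 23) & 1u;
    uint32_t i2 = (off >> 22) & 1u;
    uint32_t j1 = (~i1 ^ s) & 1u;
    uint32_t j2 = (~i2 ^ s) & 1u;
    uint32_t imm10 = (off >> 12) & 0x3ffu;
    uint32_t imm11 = (off >> 1) & 0x7ffu;
    out->hw[0] = (uint16_t)(0xF000u | (s << 10) | imm10);
    out->hw[1] = (uint16_t)(0x9000u | (j1 << 13) | (j2 << 11) | imm11);
    return true;
}

/* Decodes the branch target the CPU would compute for a B.W at `from`. */
static uint32_t decode_bw_target(uint32_t from, const thumb2_bw *insn)
{
    uint32_t s = (insn->hw[0] >> 10) & 1u;
    uint32_t imm10 = insn->hw[0] & 0x3ffu;
    uint32_t j1 = (insn->hw[1] >> 13) & 1u;
    uint32_t j2 = (insn->hw[1] >> 11) & 1u;
    uint32_t imm11 = insn->hw[1] & 0x7ffu;
    uint32_t i1 = (~(j1 ^ s)) & 1u;
    uint32_t i2 = (~(j2 ^ s)) & 1u;
    uint32_t imm25 = (s << 24) | (i1 << 23) | (i2 << 22) | (imm10 << 12) | (imm11 << 1);
    int64_t imm32 = (imm25 & (1u << 24)) ? (int64_t)imm25 - (1LL << 25) : (int64_t)imm25; /* sign-extend 25 bits */
    return (uint32_t)((int64_t)from + 4 + imm32);
}

/* The repatchNearCall() split in miniature (hypothetical helper): a tail call
 * is a relative jump, so it is relinked to the data location; a regular call
 * goes through a register-indirect BLX, so it keeps the decorated address.
 * Returns false if the jump could not be re-encoded. */
typedef enum { CALL_REGULAR, CALL_TAIL } call_mode;

static bool relink_near_call(call_mode mode, uint32_t site, uint32_t dest_executable,
                             thumb2_bw *jump_out, uint32_t *blx_target_out)
{
    switch (mode) {
    case CALL_TAIL:
        return encode_bw(site, thumb_data_location(dest_executable), jump_out);
    case CALL_REGULAR:
        *blx_target_out = dest_executable; /* bit 0 set: BLX stays in Thumb state */
        return true;
    }
    return false;
}

int main(void)
{
    thumb2_bw jump;
    uint32_t blx = 0;
    uint32_t site = 0x20000u, dest = thumb_executable_address(0x30000u); /* constructed addresses */
    printf("relink jump to executable address 0x%x: %s\n", dest,
           encode_bw(site, dest, &jump) ? "ok" : "rejected (odd offset)");
    if (relink_near_call(CALL_TAIL, site, dest, &jump, &blx))
        printf("tail call relinked: %04x %04x -> 0x%x\n", jump.hw[0], jump.hw[1], decode_bw_target(site, &jump));
    relink_near_call(CALL_REGULAR, site, dest, &jump, &blx);
    printf("regular call target kept decorated: 0x%x\n", blx);
    return 0;
}
```

Before the patch, the Tail case handed relinkJump the decorated address, which is the rejected path above: the branch offset would be odd and the T4 encoding has no bit for it, so the assembler asserts and the process dies. The Regular case is unchanged because a register-indirect call needs the bit: the processor reads bit 0 of the BLX operand to stay in Thumb state.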
Modified Paths
Diff
Modified: trunk/Source/_javascript_Core/ChangeLog (199585 => 199586)
--- trunk/Source/_javascript_Core/ChangeLog 2016-04-15 08:53:38 UTC (rev 199585)
+++ trunk/Source/_javascript_Core/ChangeLog 2016-04-15 09:07:36 UTC (rev 199586)
@@ -1,3 +1,19 @@
+2016-04-15 Zan Dobersek <[email protected]>
+
+ Tail call optimizations lead to crashes on ARM Thumb + Linux
+ https://bugs.webkit.org/show_bug.cgi?id=150083
+
+ Reviewed by Csaba Osztrogonác.
+
+ * assembler/AbstractMacroAssembler.h:
+ (JSC::AbstractMacroAssembler::repatchNearCall): In case of a tail call relink to the
+ data location of the destination, and not the executable address. This is needed for
+ the ARM Thumb2 platform where both the source and destination addresses of a jump relink
+ must not have the bottom bit decorated, as asserted in ARMv7Assembler::relinkJump().
+ * jit/Repatch.cpp:
+ (JSC::linkPolymorphicCall): Similarly, when linking a tail call we must link to the
+ address that has a non-decorated bottom bit, as asserted in ARMv7Assembler::linkJumpAbsolute().
+
2016-04-14 Geoffrey Garen <[email protected]>
Unreviewed, rolling out r199567.
Modified: trunk/Source/_javascript_Core/assembler/AbstractMacroAssembler.h (199585 => 199586)
--- trunk/Source/_javascript_Core/assembler/AbstractMacroAssembler.h 2016-04-15 08:53:38 UTC (rev 199585)
+++ trunk/Source/_javascript_Core/assembler/AbstractMacroAssembler.h 2016-04-15 09:07:36 UTC (rev 199586)
@@ -993,7 +993,7 @@
{
switch (nearCall.callMode()) {
case NearCallMode::Tail:
- AssemblerType::relinkJump(nearCall.dataLocation(), destination.executableAddress());
+ AssemblerType::relinkJump(nearCall.dataLocation(), destination.dataLocation());
return;
case NearCallMode::Regular:
AssemblerType::relinkCall(nearCall.dataLocation(), destination.executableAddress());
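Review bot: the Tail/Regular asymmetry introduced here is left unexplained in the header itself, and the rationale survives only in the ChangeLog; a reader seeing `relinkJump(..., destination.dataLocation())` next to `relinkCall(..., destination.executableAddress())` will be tempted to "fix" the inconsistency and reintroduce the crash. Suggest a one-line comment above `case NearCallMode::Tail:` saying that ARMv7Assembler::relinkJump() asserts an undecorated target (a relative branch cannot carry the Thumb bit) while relinkCall() wants the decorated one, and noting that on platforms without address decoration the two accessors return the same pointer, so this is a no-op there.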
Modified: trunk/Source/_javascript_Core/jit/Repatch.cpp (199585 => 199586)
--- trunk/Source/_javascript_Core/jit/Repatch.cpp 2016-04-15 08:53:38 UTC (rev 199585)
+++ trunk/Source/_javascript_Core/jit/Repatch.cpp 2016-04-15 09:07:36 UTC (rev 199586)
@@ -926,8 +926,11 @@
RELEASE_ASSERT(callCases.size() == calls.size());
for (CallToCodePtr callToCodePtr : calls) {
+ // Tail call special-casing ensures proper linking on ARM Thumb2, where a tail call jumps to an address
+ // with a non-decorated bottom bit but a normal call calls an address with a decorated bottom bit.
+ bool isTailCall = callToCodePtr.call.isFlagSet(CCallHelpers::Call::Tail);
patchBuffer.link(
- callToCodePtr.call, FunctionPtr(callToCodePtr.codePtr.executableAddress()));
+ callToCodePtr.call, FunctionPtr(isTailCall ? callToCodePtr.codePtr.dataLocation() : callToCodePtr.codePtr.executableAddress()));
}
if (JITCode::isOptimizingJIT(callerCodeBlock->jitType()))
patchBuffer.link(done, callLinkInfo.callReturnLocation().labelAtOffset(0));
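Review bot: the dataLocation()/executableAddress() choice is now duplicated, keyed on CCallHelpers::Call::Tail here and on NearCallMode::Tail in repatchNearCall(), and any further tail-call linking site will have to remember the rule a third time; consider moving it into one helper (for example a "jump target" accessor on the code pointer or on the call) so the two cannot drift apart. The new comment would also read better if it said why the bit differs: the relative branch encoding used for the tail-call jump cannot express bit 0, whereas the register-indirect call must keep it to stay in Thumb state. Finally, the rewritten `patchBuffer.link(` line is long enough that splitting the ternary into the `isTailCall` line (e.g. `void* target = isTailCall ? ... : ...;`) would help readability.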