    [Win] Javascript crash with DFG JIT enabled. · 390095ec
    commit-queue@webkit.org authored
    https://bugs.webkit.org/show_bug.cgi?id=121001
    
    Patch by peavo@outlook.com <peavo@outlook.com> on 2013-10-25
    Reviewed by Geoffrey Garen.
    
    On Windows, using register GPRInfo::regT0 as parameter to e.g. JIT::storeDouble(..., GPRInfo::regT0)
    results in a call to JIT::storeDouble(FPRegisterID src, const void* address),
    where the address parameter gets the value of GPRInfo::regT0, which is 0 (eax on Windows).
    This causes the register to be written to address 0, hence the crash.
    
    * assembler/MacroAssemblerX86.h:
    (JSC::MacroAssemblerX86::storeDouble): Assert if we try to generate code which writes to a null pointer.
    * dfg/DFGOSRExitCompiler32_64.cpp:
    (JSC::DFG::OSRExitCompiler::compileExit): Use address in regT0 as parameter.
    * dfg/DFGThunks.cpp:
    (JSC::DFG::osrExitGenerationThunkGenerator): Ditto.
    
    git-svn-id: http://svn.webkit.org/repository/webkit/trunk@158057 268f45cc-cd09-0410-ab3c-d52691b4dbfc
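The overload mix-up the commit message describes, as an added example that is not WebKit's code: a hypothetical `MiniAssembler` with the two `storeDouble` overloads the message names (one taking a typed register-relative `Address`, one taking `const void*`), a predicate standing in for the assertion the commit adds to `MacroAssemblerX86::storeDouble`, and the corrected call form that wraps the register in `Address`. The register and FP-register enums, `Address`, `Emitted` and the `REGT0_RAW` macro are all assumptions of this model. The message says `regT0` is 0 on Windows and ends up in the pointer parameter; because a standard-conforming compiler will not convert an enumerator to a pointer, the model uses a literal `0` (which every compiler treats as a null pointer constant) for the raw register value, so the misrouting reproduces portably.

```cpp
#include <cstdio>
#include <string>
#include <vector>

// Hypothetical model of the two overloads the commit message names.
// Names mirror the message; nothing here is WebKit's own code.
enum RegisterID { eax = 0, ecx = 1, edx = 2 };
enum FPRegisterID { xmm0 = 0, xmm1 = 1 };

// Typed register-relative address: the argument form the fix switches to.
struct Address {
    RegisterID base;
    int offset;
    explicit Address(RegisterID b, int o = 0) : base(b), offset(o) {}
};

// Stand-in for the raw value of GPRInfo::regT0 (eax == 0). A literal 0 is a
// null pointer constant, so it reproduces the conversion the message describes.
#define REGT0_RAW 0

// One emitted instruction, recorded instead of encoded.
struct Emitted {
    std::string form;     // "store [base+offset]" or "store [absolute]"
    RegisterID base;      // meaningful only for the register-relative form
    const void* absolute; // meaningful only for the absolute form
};

class MiniAssembler {
public:
    // Register-relative store: what the OSR exit code intended to generate.
    void storeDouble(FPRegisterID src, Address dst) {
        (void)src;
        log_.push_back({"store [base+offset]", dst.base, nullptr});
    }
    // Absolute-address store. The commit adds an assertion here; this model
    // records the address so a caller can inspect it instead of aborting.
    void storeDouble(FPRegisterID src, const void* address) {
        (void)src;
        log_.push_back({"store [absolute]", eax, address});
    }
    const std::vector<Emitted>& log() const { return log_; }
private:
    std::vector<Emitted> log_;
};

// The check the commit adds, expressed as a predicate: code generation must
// never produce an absolute store whose target is address 0.
bool isValidAbsoluteStore(const void* address) { return address != nullptr; }

// Reproduces the defect: the raw register constant binds to the pointer
// overload, because 0 converts to const void* but not to Address.
Emitted emitBuggy() {
    MiniAssembler jit;
    jit.storeDouble(xmm0, REGT0_RAW);
    return jit.log().back();
}

// The fix: wrapping the register in Address makes the register-relative
// overload the only viable candidate.
Emitted emitFixed() {
    MiniAssembler jit;
    jit.storeDouble(xmm0, Address(eax)); // regT0 is eax in this model
    return jit.log().back();
}

int main() {
    Emitted bad = emitBuggy();
    std::printf("buggy call emitted: %s, target %p, valid=%d\n",
                bad.form.c_str(), bad.absolute, isValidAbsoluteStore(bad.absolute));
    Emitted good = emitFixed();
    std::printf("fixed call emitted: %s, base register %d\n",
                good.form.c_str(), static_cast<int>(good.base));
    return 0;
}
```

The defensive point is that the assertion catches the bad code at generation time rather than letting the JIT emit a store to address 0, and that a typed `Address` argument removes the ambiguity at the call site.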