Commit 7e11b5f2 authored by msaboff@apple.com's avatar msaboff@apple.com

ARM64: Crash in JIT code due to improper reuse of cached memory temp register

https://bugs.webkit.org/show_bug.cgi?id=125181

Reviewed by Geoffrey Garen.

Changed load8() and load() to invalidate the memory temp CachedTempRegister when the
destination of an absolute load is the memory temp register since the source address
is also the memory temp register.  Change branch{8,32,64} of an AbsoluteAddress with
a register to use the dataTempRegister as the destination of the absolute load to
reduce the chance that we need to invalidate the memory temp register cache.
In the process, found and fixed an outright bug in branch8() where we'd load into
the data temp register and then compare and branch on the memory temp register.

* assembler/MacroAssemblerARM64.h:
(JSC::MacroAssemblerARM64::load8):
(JSC::MacroAssemblerARM64::branch32):
(JSC::MacroAssemblerARM64::branch64):
(JSC::MacroAssemblerARM64::branch8):
(JSC::MacroAssemblerARM64::load):


git-svn-id: http://svn.webkit.org/repository/webkit/trunk@160056 268f45cc-cd09-0410-ab3c-d52691b4dbfc
parent 3962bec0
2013-12-03 Michael Saboff <msaboff@apple.com>
ARM64: Crash in JIT code due to improper reuse of cached memory temp register
https://bugs.webkit.org/show_bug.cgi?id=125181
Reviewed by Geoffrey Garen.
Changed load8() and load() to invalidate the memory temp CachedTempRegister when the
destination of an absolute load is the memory temp register since the source address
is also the memory temp register. Change branch{8,32,64} of an AbsoluteAddress with
a register to use the dataTempRegister as the destinate of the absolute load to
reduce the chance that we need to invalidate the memory temp register cache.
In the process, found and fixed an outright bug in branch8() where we'd load into
the data temp register and then compare and branch on the memory temp register.
* assembler/MacroAssemblerARM64.h:
(JSC::MacroAssemblerARM64::load8):
(JSC::MacroAssemblerARM64::branch32):
(JSC::MacroAssemblerARM64::branch64):
(JSC::MacroAssemblerARM64::branch8):
(JSC::MacroAssemblerARM64::load):
2013-12-03 Michael Saboff <msaboff@apple.com>
jit/JITArithmetic.cpp doesn't build for non-X86 ports
......@@ -898,6 +898,8 @@ public:
{
moveToCachedReg(TrustedImmPtr(address), m_cachedMemoryTempRegister);
m_assembler.ldrb(dest, memoryTempRegister, ARM64Registers::zr);
if (dest == memoryTempRegister)
m_cachedMemoryTempRegister.invalidate();
}
void load8Signed(BaseIndex address, RegisterID dest)
......@@ -1570,8 +1572,8 @@ public:
Jump branch32(RelationalCondition cond, AbsoluteAddress left, RegisterID right)
{
load32(left.m_ptr, getCachedMemoryTempRegisterIDAndInvalidate());
return branch32(cond, memoryTempRegister, right);
load32(left.m_ptr, getCachedDataTempRegisterIDAndInvalidate());
return branch32(cond, dataTempRegister, right);
}
Jump branch32(RelationalCondition cond, AbsoluteAddress left, TrustedImm32 right)
......@@ -1608,8 +1610,8 @@ public:
Jump branch64(RelationalCondition cond, AbsoluteAddress left, RegisterID right)
{
load64(left.m_ptr, getCachedMemoryTempRegisterIDAndInvalidate());
return branch64(cond, memoryTempRegister, right);
load64(left.m_ptr, getCachedDataTempRegisterIDAndInvalidate());
return branch64(cond, dataTempRegister, right);
}
Jump branch64(RelationalCondition cond, Address left, RegisterID right)
......@@ -1641,7 +1643,7 @@ public:
Jump branch8(RelationalCondition cond, AbsoluteAddress left, TrustedImm32 right)
{
ASSERT(!(0xffffff00 & right.m_value));
load8(left.m_ptr, getCachedDataTempRegisterIDAndInvalidate());
load8(left.m_ptr, getCachedMemoryTempRegisterIDAndInvalidate());
return branch32(cond, memoryTempRegister, right);
}
......@@ -2493,6 +2495,9 @@ private:
intptr_t addressAsInt = reinterpret_cast<intptr_t>(address);
intptr_t addressDelta = addressAsInt - currentRegisterContents;
if (dest == memoryTempRegister)
m_cachedMemoryTempRegister.invalidate();
if (isInIntRange(addressDelta)) {
if (ARM64Assembler::canEncodeSImmOffset(addressDelta)) {
m_assembler.ldur<datasize>(dest, memoryTempRegister, addressDelta);
......@@ -2514,7 +2519,10 @@ private:
}
move(TrustedImmPtr(address), memoryTempRegister);
m_cachedMemoryTempRegister.setValue(reinterpret_cast<intptr_t>(address));
if (dest == memoryTempRegister)
m_cachedMemoryTempRegister.invalidate();
else
m_cachedMemoryTempRegister.setValue(reinterpret_cast<intptr_t>(address));
m_assembler.ldr<datasize>(dest, memoryTempRegister, ARM64Registers::zr);
}
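Review bot: In the `@@ -1641` hunk, branch8(cond, AbsoluteAddress, TrustedImm32) now loads into the memory temp register, so the new `if (dest == memoryTempRegister) m_cachedMemoryTempRegister.invalidate();` path in load8 fires on every call and discards the cached address that the rest of this commit works to preserve, while the branch32/branch64 siblings in the `@@ -1570` and `@@ -1608` hunks switched to `getCachedDataTempRegisterIDAndInvalidate()` / `dataTempRegister` for exactly that reason. Unless the branch32(cond, RegisterID, TrustedImm32) overload needs dataTempRegister to materialise the immediate (not visible here), the same two-line change `load8(left.m_ptr, getCachedDataTempRegisterIDAndInvalidate()); return branch32(cond, dataTempRegister, right);` would make the three overloads consistent and keep the memory temp cache warm. The invalidation added in load8 and in both load<datasize> hunks is correct but silent about why; a one-line comment such as `// dest aliases the address register, so the cached address is stale after this load.` next to each `if (dest == memoryTempRegister)` would save the next reader from rediscovering the crash this commit fixes. Every hunk here cuts into the MacroAssemblerARM64 class body, and the load<datasize> signature starts before the `@@ -2493` hunk.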