[arm][mips] Fix crash in dfg-arrayify-elimination layout jsc test.

https://bugs.webkit.org/show_bug.cgi?id=124839 Patch by Julien Brianceau <jbriance@cisco.com> on 2013-11-25 Reviewed by Michael Saboff. In ARM EABI and MIPS, 64-bit values have to be aligned on stack too. * jit/CCallHelpers.h: (JSC::CCallHelpers::setupArgumentsWithExecState): * jit/JITInlines.h: (JSC::JIT::callOperation): Add missing EABI_32BIT_DUMMY_ARG. Canonical link: https://commits.webkit.org/142999@main git-svn-id: https://svn.webkit.org/repository/webkit/trunk@159748 268f45cc-cd09-0410-ab3c-d52691b4dbfc
WebKit · Nov 25, 2013 · 1e264aa3ad49aea5ba99249014a6c3d5c6f69c54 · 1e264aa
1 parent 87cfac6
commit 1e264aa3ad49aea5ba99249014a6c3d5c6f69c54
Showing 3 changed files with 24 additions and 1 deletion.
diff --git a/Source/JavaScriptCore/ChangeLog b/Source/JavaScriptCore/ChangeLog
@@ -1,3 +1,17 @@
+2013-11-25  Julien Brianceau  <jbriance@cisco.com>
+
+        [arm][mips] Fix crash in dfg-arrayify-elimination layout jsc test.
+        https://bugs.webkit.org/show_bug.cgi?id=124839
+
+        Reviewed by Michael Saboff.
+
+        In ARM EABI and MIPS, 64-bit values have to be aligned on stack too.
+
+        * jit/CCallHelpers.h:
+        (JSC::CCallHelpers::setupArgumentsWithExecState):
+        * jit/JITInlines.h:
+        (JSC::JIT::callOperation): Add missing EABI_32BIT_DUMMY_ARG.
+
 2013-11-23  Filip Pizlo  <fpizlo@apple.com>
 
         Fix more fallout from failed attempts at div/mod DFG strength reductions

diff --git a/Source/JavaScriptCore/jit/CCallHelpers.h b/Source/JavaScriptCore/jit/CCallHelpers.h
@@ -1487,6 +1487,15 @@ class CCallHelpers : public AssemblyHelpers {
         setupArgumentsWithExecState(arg1, arg2, arg3);
     }
 
+    ALWAYS_INLINE void setupArgumentsWithExecState(TrustedImm32 arg1, GPRReg arg2, GPRReg arg3, TrustedImm32 arg4, TrustedImm32 arg5, GPRReg arg6, GPRReg arg7)
+    {
+        poke(arg7, POKE_ARGUMENT_OFFSET + 3);
+        poke(arg6, POKE_ARGUMENT_OFFSET + 2);
+        poke(arg5, POKE_ARGUMENT_OFFSET + 1);
+        poke(arg4, POKE_ARGUMENT_OFFSET);
+        setupArgumentsWithExecState(arg1, arg2, arg3);
+    }
+
     ALWAYS_INLINE void setupArguments(GPRReg arg1, GPRReg arg2, TrustedImmPtr arg3, TrustedImm32 arg4, GPRReg arg5)
     {
         poke(arg5, POKE_ARGUMENT_OFFSET);

diff --git a/Source/JavaScriptCore/jit/JITInlines.h b/Source/JavaScriptCore/jit/JITInlines.h
@@ -523,7 +523,7 @@ ALWAYS_INLINE MacroAssembler::Call JIT::callOperation(V_JITOperation_EJZ operati
 
 ALWAYS_INLINE MacroAssembler::Call JIT::callOperation(V_JITOperation_EJZJ operation, RegisterID regOp1Tag, RegisterID regOp1Payload, int32_t op2, RegisterID regOp3Tag, RegisterID regOp3Payload)
 {
-    setupArgumentsWithExecState(EABI_32BIT_DUMMY_ARG regOp1Payload, regOp1Tag, TrustedImm32(op2), regOp3Payload, regOp3Tag);
+    setupArgumentsWithExecState(EABI_32BIT_DUMMY_ARG regOp1Payload, regOp1Tag, TrustedImm32(op2), EABI_32BIT_DUMMY_ARG regOp3Payload, regOp3Tag);
     return appendCallWithExceptionCheck(operation);
 }