[JSC] Segfault in stress/typedarray-every.js (32bit)
https://bugs.webkit.org/show_bug.cgi?id=229546

Reviewed by Saam Barati.

ARMv7 does not have enough registers. Adding workaround by using getEffectiveAddress.

* bytecode/AccessCase.cpp:
(JSC::AccessCase::generateWithGuard):


Canonical link: https://commits.webkit.org/240994@main
git-svn-id: https://svn.webkit.org/repository/webkit/trunk@281638 268f45cc-cd09-0410-ab3c-d52691b4dbfc
Constellation committed Aug 26, 2021
1 parent e4f124a commit 3140a4346911c56e48954b690f7bad93b8beeba1
Showing 2 changed files with 19 additions and 9 deletions.
@@ -1,3 +1,15 @@
2021-08-26 Yusuke Suzuki <ysuzuki@apple.com>

[JSC] Segfault in stress/typedarray-every.js (32bit)
https://bugs.webkit.org/show_bug.cgi?id=229546

Reviewed by Saam Barati.

ARMv7 does not have enough registers. Adding workaround by using getEffectiveAddress.

* bytecode/AccessCase.cpp:
(JSC::AccessCase::generateWithGuard):

2021-08-26 Yusuke Suzuki <ysuzuki@apple.com>

[JSC] DataIC should not embed StructureStubInfo pointer
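Review bot: the ChangeLog entry says why ("ARMv7 does not have enough registers") but not what the workaround changes; a sentence stating that the clamped typed-array store path no longer allocates scratch3GPR and instead folds the index into scratch2GPR via getEffectiveAddress, so scratchGPR can then hold the value, would let a reader of this entry understand the register reuse without opening the diff.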
@@ -1606,9 +1606,6 @@ void AccessCase::generateWithGuard(
allocator.lock(stubInfo.m_arrayProfileGPR);
allocator.lock(scratchGPR);
GPRReg scratch2GPR = allocator.allocateScratchGPR();
GPRReg scratch3GPR = InvalidGPRReg;
if (isClamped(type))
scratch3GPR = allocator.allocateScratchGPR();

ScratchRegisterAllocator::PreservedState preservedState = allocator.preserveReusedRegistersByPushing(
jit, ScratchRegisterAllocator::ExtraStackSpace::NoExtraSpace);
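Review bot: dropping the `scratch3GPR = allocator.allocateScratchGPR();` allocation is what brings the clamped path within ARMv7's register budget, but it is only correct together with the later hunk that rewrites every use of scratch3GPR; on its own this hunk would leave dangling references. A short comment at this allocation site noting that the clamped store deliberately reuses the index register (scratchGPR) for the value rather than taking a third scratch would stop a future change from re-adding the allocation.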
@@ -1621,16 +1618,17 @@ void AccessCase::generateWithGuard(
if (isClamped(type)) {
ASSERT(elementSize(type) == 1);
ASSERT(!JSC::isSigned(type));
jit.move(valueRegs.payloadGPR(), scratch3GPR);
auto inBounds = jit.branch32(CCallHelpers::BelowOrEqual, scratch3GPR, CCallHelpers::TrustedImm32(0xff));
auto tooBig = jit.branch32(CCallHelpers::GreaterThan, scratch3GPR, CCallHelpers::TrustedImm32(0xff));
jit.xor32(scratch3GPR, scratch3GPR);
jit.getEffectiveAddress(CCallHelpers::BaseIndex(scratch2GPR, scratchGPR, CCallHelpers::TimesOne), scratch2GPR);
jit.move(valueRegs.payloadGPR(), scratchGPR);
auto inBounds = jit.branch32(CCallHelpers::BelowOrEqual, scratchGPR, CCallHelpers::TrustedImm32(0xff));
auto tooBig = jit.branch32(CCallHelpers::GreaterThan, scratchGPR, CCallHelpers::TrustedImm32(0xff));
jit.xor32(scratchGPR, scratchGPR);
auto clamped = jit.jump();
tooBig.link(&jit);
jit.move(CCallHelpers::TrustedImm32(0xff), scratch3GPR);
jit.move(CCallHelpers::TrustedImm32(0xff), scratchGPR);
clamped.link(&jit);
inBounds.link(&jit);
jit.store8(scratch3GPR, CCallHelpers::BaseIndex(scratch2GPR, scratchGPR, CCallHelpers::TimesOne));
jit.store8(scratchGPR, CCallHelpers::Address(scratch2GPR));
} else {
switch (elementSize(type)) {
case 1:
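Review bot: reusing scratchGPR for the clamped value is safe only because `jit.getEffectiveAddress(CCallHelpers::BaseIndex(scratch2GPR, scratchGPR, CCallHelpers::TimesOne), scratch2GPR);` consumes the index first; a one-line comment above the following `jit.move(valueRegs.payloadGPR(), scratchGPR);` saying that scratchGPR no longer holds the index would keep these lines from being reordered later. The `ASSERT(elementSize(type) == 1);` is what justifies `TimesOne` here, so that assumption stays checked. Note that scratch2GPR now holds the element address rather than the vector base from this point on, which is fine for `jit.store8(scratchGPR, CCallHelpers::Address(scratch2GPR));` but would matter if the clamped branch ever shared tail code with the else branch, which still expects scratch2GPR to be the base.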
