REGRESSION(r196331): It made ~180 JSC tests crash on ARMv7 Linux

https://bugs.webkit.org/show_bug.cgi?id=154064 Reviewed by Mark Lam. * bytecode/PolymorphicAccess.cpp: (JSC::AccessCase::generate): Added EABI_32BIT_DUMMY_ARG where it is necessary. * dfg/DFGSpeculativeJIT.h: Fixed the comment. * jit/CCallHelpers.h: (JSC::CCallHelpers::setupArgumentsWithExecState): Added. * wasm/WASMFunctionCompiler.h: Fixed the comment. Canonical link: https://commits.webkit.org/172174@main git-svn-id: https://svn.webkit.org/repository/webkit/trunk@196368 268f45cc-cd09-0410-ab3c-d52691b4dbfc
WebKit · Feb 10, 2016 · bff4e1b · bff4e1b
1 parent 094e095
commit bff4e1b
Show file tree

Hide file tree

Showing 5 changed files with 35 additions and 6 deletions.
diff --git a/Source/JavaScriptCore/ChangeLog b/Source/JavaScriptCore/ChangeLog
@@ -1,3 +1,17 @@
+2016-02-10  Csaba Osztrogonác  <ossy@webkit.org>
+
+        REGRESSION(r196331): It made ~180 JSC tests crash on ARMv7 Linux
+        https://bugs.webkit.org/show_bug.cgi?id=154064
+
+        Reviewed by Mark Lam.
+
+        * bytecode/PolymorphicAccess.cpp:
+        (JSC::AccessCase::generate): Added EABI_32BIT_DUMMY_ARG where it is necessary.
+        * dfg/DFGSpeculativeJIT.h: Fixed the comment.
+        * jit/CCallHelpers.h:
+        (JSC::CCallHelpers::setupArgumentsWithExecState): Added.
+        * wasm/WASMFunctionCompiler.h: Fixed the comment.
+
 2016-02-09  Keith Miller  <keith_miller@apple.com>
 
         calling methods off super in a class constructor should check for TDZ

diff --git a/Source/JavaScriptCore/bytecode/PolymorphicAccess.cpp b/Source/JavaScriptCore/bytecode/PolymorphicAccess.cpp
@@ -461,6 +461,14 @@ void AccessCase::generateWithGuard(
     generate(state);
 }
 
+// EncodedJSValue in JSVALUE32_64 is a 64-bit integer. When being compiled in ARM EABI, it must be aligned on an even-numbered register (r0, r2 or [sp]).
+// To prevent the assembler from using wrong registers, let's occupy r1 or r3 with a dummy argument when necessary.
+#if (COMPILER_SUPPORTS(EABI) && CPU(ARM)) || CPU(MIPS)
+#define EABI_32BIT_DUMMY_ARG      CCallHelpers::TrustedImm32(0),
+#else
+#define EABI_32BIT_DUMMY_ARG
+#endif
+
 void AccessCase::generate(AccessGenerationState& state)
 {
     if (verbose)
@@ -766,12 +774,12 @@ void AccessCase::generate(AccessGenerationState& state)
 #else
             if (m_type == CustomValueGetter || m_type == CustomAccessorGetter) {
                 jit.setupArgumentsWithExecState(
-                    baseForCustomValue,
+                    EABI_32BIT_DUMMY_ARG baseForCustomValue,
                     CCallHelpers::TrustedImm32(JSValue::CellTag),
                     CCallHelpers::TrustedImmPtr(ident.impl()));
             } else {
                 jit.setupArgumentsWithExecState(
-                    baseForCustomValue,
+                    EABI_32BIT_DUMMY_ARG baseForCustomValue,
                     CCallHelpers::TrustedImm32(JSValue::CellTag),
                     valueRegs.payloadGPR(), valueRegs.tagGPR());
             }

diff --git a/Source/JavaScriptCore/dfg/DFGSpeculativeJIT.h b/Source/JavaScriptCore/dfg/DFGSpeculativeJIT.h
@@ -1549,8 +1549,8 @@ class SpeculativeJIT {
     }
 #else // USE(JSVALUE32_64)
 
-// EncodedJSValue in JSVALUE32_64 is a 64-bit integer. When being compiled in ARM EABI, it must be aligned even-numbered register (r0, r2 or [sp]).
-// To avoid assemblies from using wrong registers, let's occupy r1 or r3 with a dummy argument when necessary.
+// EncodedJSValue in JSVALUE32_64 is a 64-bit integer. When being compiled in ARM EABI, it must be aligned on an even-numbered register (r0, r2 or [sp]).
+// To prevent the assembler from using wrong registers, let's occupy r1 or r3 with a dummy argument when necessary.
 #if (COMPILER_SUPPORTS(EABI) && CPU(ARM)) || CPU(MIPS)
 #define EABI_32BIT_DUMMY_ARG      TrustedImm32(0),
 #else

diff --git a/Source/JavaScriptCore/jit/CCallHelpers.h b/Source/JavaScriptCore/jit/CCallHelpers.h
@@ -1729,6 +1729,13 @@ class CCallHelpers : public AssemblyHelpers {
         setupArgumentsWithExecState(arg1, arg2, arg3);
     }
 
+    ALWAYS_INLINE void setupArgumentsWithExecState(TrustedImm32 arg1, GPRReg arg2, TrustedImm32 arg3, GPRReg arg4, GPRReg arg5)
+    {
+        poke(arg5, POKE_ARGUMENT_OFFSET + 1);
+        poke(arg4, POKE_ARGUMENT_OFFSET);
+        setupArgumentsWithExecState(arg1, arg2, arg3);
+    }
+
     ALWAYS_INLINE void setupArgumentsWithExecState(TrustedImm32 arg1, TrustedImmPtr arg2, GPRReg arg3, GPRReg arg4)
     {
         poke(arg4, POKE_ARGUMENT_OFFSET);

diff --git a/Source/JavaScriptCore/wasm/WASMFunctionCompiler.h b/Source/JavaScriptCore/wasm/WASMFunctionCompiler.h
@@ -1287,8 +1287,8 @@ class WASMFunctionCompiler : private CCallHelpers {
         appendCallSetResult(operation, dst, FloatingPointPrecision::Double);
     }
 #else
-    // EncodedJSValue in JSVALUE32_64 is a 64-bit integer. When being compiled in ARM EABI, it must be aligned even-numbered register (r0, r2 or [sp]).
-    // To avoid assemblies from using wrong registers, let's occupy r1 or r3 with a dummy argument when necessary.
+// EncodedJSValue in JSVALUE32_64 is a 64-bit integer. When being compiled in ARM EABI, it must be aligned on an even-numbered register (r0, r2 or [sp]).
+// To prevent the assembler from using wrong registers, let's occupy r1 or r3 with a dummy argument when necessary.
 #if (COMPILER_SUPPORTS(EABI) && CPU(ARM)) || CPU(MIPS)
 #define EABI_32BIT_DUMMY_ARG      TrustedImm32(0),
 #else