From bff4e1b28663a322d7101f42d98d5df56c874e11 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Csaba=20Osztrogon=C3=A1c?=
Date: Wed, 10 Feb 2016 17:50:07 +0000
Subject: [PATCH] REGRESSION(r196331): It made ~180 JSC tests crash on ARMv7 Linux

https://bugs.webkit.org/show_bug.cgi?id=154064

Reviewed by Mark Lam.

* bytecode/PolymorphicAccess.cpp:
(JSC::AccessCase::generate): Added EABI_32BIT_DUMMY_ARG where it is necessary.
* dfg/DFGSpeculativeJIT.h: Fixed the comment.
* jit/CCallHelpers.h:
(JSC::CCallHelpers::setupArgumentsWithExecState): Added.
* wasm/WASMFunctionCompiler.h: Fixed the comment.

Canonical link: https://commits.webkit.org/172174@main
git-svn-id: https://svn.webkit.org/repository/webkit/trunk@196368 268f45cc-cd09-0410-ab3c-d52691b4dbfc
---
 Source/JavaScriptCore/ChangeLog | 14 ++++++++++++++
 .../JavaScriptCore/bytecode/PolymorphicAccess.cpp | 12 ++++++++++--
 Source/JavaScriptCore/dfg/DFGSpeculativeJIT.h | 4 ++--
 Source/JavaScriptCore/jit/CCallHelpers.h | 7 +++++++
 Source/JavaScriptCore/wasm/WASMFunctionCompiler.h | 4 ++--
 5 files changed, 35 insertions(+), 6 deletions(-)
diff --git a/Source/JavaScriptCore/ChangeLog b/Source/JavaScriptCore/ChangeLog
index 012f3a566c9f..bd3a5ab1150a 100644
--- a/Source/JavaScriptCore/ChangeLog
+++ b/Source/JavaScriptCore/ChangeLog
@@ -1,3 +1,17 @@
+2016-02-10 Csaba Osztrogonác
+
+ REGRESSION(r196331): It made ~180 JSC tests crash on ARMv7 Linux
+ https://bugs.webkit.org/show_bug.cgi?id=154064
+
+ Reviewed by Mark Lam.
+
+ * bytecode/PolymorphicAccess.cpp:
+ (JSC::AccessCase::generate): Added EABI_32BIT_DUMMY_ARG where it is necessary.
+ * dfg/DFGSpeculativeJIT.h: Fixed the comment.
+ * jit/CCallHelpers.h:
+ (JSC::CCallHelpers::setupArgumentsWithExecState): Added.
+ * wasm/WASMFunctionCompiler.h: Fixed the comment.
+
 2016-02-09 Keith Miller
 
 calling methods off super in a class constructor should check for TDZ
diff --git a/Source/JavaScriptCore/bytecode/PolymorphicAccess.cpp b/Source/JavaScriptCore/bytecode/PolymorphicAccess.cpp
index df5cc0cf00e6..3a59f8db4d40 100644
--- a/Source/JavaScriptCore/bytecode/PolymorphicAccess.cpp
+++ b/Source/JavaScriptCore/bytecode/PolymorphicAccess.cpp
@@ -461,6 +461,14 @@ void AccessCase::generateWithGuard(
 generate(state);
 }
 
+// EncodedJSValue in JSVALUE32_64 is a 64-bit integer. When being compiled in ARM EABI, it must be aligned on an even-numbered register (r0, r2 or [sp]).
+// To prevent the assembler from using wrong registers, let's occupy r1 or r3 with a dummy argument when necessary.
+#if (COMPILER_SUPPORTS(EABI) && CPU(ARM)) || CPU(MIPS)
+#define EABI_32BIT_DUMMY_ARG CCallHelpers::TrustedImm32(0),
+#else
+#define EABI_32BIT_DUMMY_ARG
+#endif
+
 void AccessCase::generate(AccessGenerationState& state)
 {
 if (verbose)
@@ -766,12 +774,12 @@ void AccessCase::generate(AccessGenerationState& state)
 #else
 if (m_type == CustomValueGetter || m_type == CustomAccessorGetter) {
 jit.setupArgumentsWithExecState(
- baseForCustomValue,
+ EABI_32BIT_DUMMY_ARG baseForCustomValue,
 CCallHelpers::TrustedImm32(JSValue::CellTag),
 CCallHelpers::TrustedImmPtr(ident.impl()));
 } else {
 jit.setupArgumentsWithExecState(
- baseForCustomValue,
+ EABI_32BIT_DUMMY_ARG baseForCustomValue,
 CCallHelpers::TrustedImm32(JSValue::CellTag),
 valueRegs.payloadGPR(), valueRegs.tagGPR());
 }
diff --git a/Source/JavaScriptCore/dfg/DFGSpeculativeJIT.h b/Source/JavaScriptCore/dfg/DFGSpeculativeJIT.h
index 1e9451370315..74b034abd7a6 100755
--- a/Source/JavaScriptCore/dfg/DFGSpeculativeJIT.h
+++ b/Source/JavaScriptCore/dfg/DFGSpeculativeJIT.h
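Review bot: The `EABI_32BIT_DUMMY_ARG` macro added at file scope just before AccessCase::generate is a third copy of the definition that already lives in DFGSpeculativeJIT.h and WASMFunctionCompiler.h, and this very commit has to touch all three to fix the same two-line comment. Every user of the macro feeds CCallHelpers::setupArgumentsWithExecState, so one definition in CCallHelpers.h next to the overload this commit adds would keep them in step; the only reason this copy differs is qualification, expanding to `CCallHelpers::TrustedImm32(0),` because it sits outside the class. Because the replacement lists differ, if this translation unit ever includes DFGSpeculativeJIT.h or WASMFunctionCompiler.h before this point the second definition is a macro redefinition, so until the copies are merged this one should be wrapped in `#ifndef EABI_32BIT_DUMMY_ARG` or `#undef`'d after the last use in AccessCase::generate. AccessCase::generate starts in this hunk and continues outside it.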
@@ -1549,8 +1549,8 @@ class SpeculativeJIT {
 }
 #else // USE(JSVALUE32_64)
 
-// EncodedJSValue in JSVALUE32_64 is a 64-bit integer. When being compiled in ARM EABI, it must be aligned even-numbered register (r0, r2 or [sp]).
-// To avoid assemblies from using wrong registers, let's occupy r1 or r3 with a dummy argument when necessary.
+// EncodedJSValue in JSVALUE32_64 is a 64-bit integer. When being compiled in ARM EABI, it must be aligned on an even-numbered register (r0, r2 or [sp]).
+// To prevent the assembler from using wrong registers, let's occupy r1 or r3 with a dummy argument when necessary.
 #if (COMPILER_SUPPORTS(EABI) && CPU(ARM)) || CPU(MIPS)
 #define EABI_32BIT_DUMMY_ARG TrustedImm32(0),
 #else
diff --git a/Source/JavaScriptCore/jit/CCallHelpers.h b/Source/JavaScriptCore/jit/CCallHelpers.h
index ef3634329997..13e67b001207 100644
--- a/Source/JavaScriptCore/jit/CCallHelpers.h
+++ b/Source/JavaScriptCore/jit/CCallHelpers.h
@@ -1729,6 +1729,13 @@ class CCallHelpers : public AssemblyHelpers {
 setupArgumentsWithExecState(arg1, arg2, arg3);
 }
 
+ ALWAYS_INLINE void setupArgumentsWithExecState(TrustedImm32 arg1, GPRReg arg2, TrustedImm32 arg3, GPRReg arg4, GPRReg arg5)
+ {
+ poke(arg5, POKE_ARGUMENT_OFFSET + 1);
+ poke(arg4, POKE_ARGUMENT_OFFSET);
+ setupArgumentsWithExecState(arg1, arg2, arg3);
+ }
+
 ALWAYS_INLINE void setupArgumentsWithExecState(TrustedImm32 arg1, TrustedImmPtr arg2, GPRReg arg3, GPRReg arg4)
 {
 poke(arg4, POKE_ARGUMENT_OFFSET);
diff --git a/Source/JavaScriptCore/wasm/WASMFunctionCompiler.h b/Source/JavaScriptCore/wasm/WASMFunctionCompiler.h
index a82927a4d26f..de439ba07ebe 100644
--- a/Source/JavaScriptCore/wasm/WASMFunctionCompiler.h
+++ b/Source/JavaScriptCore/wasm/WASMFunctionCompiler.h
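Review bot: The new five-argument `setupArgumentsWithExecState(TrustedImm32, GPRReg, TrustedImm32, GPRReg, GPRReg)` overload in CCallHelpers.h carries no comment, and nothing in its signature says that `arg1` is the EABI alignment dummy rather than a real immediate, or why `arg4` and `arg5` are poked to `POKE_ARGUMENT_OFFSET` and `POKE_ARGUMENT_OFFSET + 1` instead of being passed on to the delegated call. That layout presumably relies on exec plus arg1-arg3 consuming the argument registers so that arg4 and arg5 become the first two stack-passed arguments, which I cannot confirm from the hunk because the three-argument overload it delegates to is outside it. Suggest a one-line comment above the signature, e.g. `// 32-bit EABI/MIPS form used with EABI_32BIT_DUMMY_ARG: arg1 is the alignment dummy; arg4 and arg5 go to the first two stack slots.`. Matching the 32-bit-only placement of the neighbouring overloads would also be worth confirming, since the surrounding preprocessor condition is not visible here.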
@@ -1287,8 +1287,8 @@ class WASMFunctionCompiler : private CCallHelpers {
 appendCallSetResult(operation, dst, FloatingPointPrecision::Double);
 }
 #else
- // EncodedJSValue in JSVALUE32_64 is a 64-bit integer. When being compiled in ARM EABI, it must be aligned even-numbered register (r0, r2 or [sp]).
- // To avoid assemblies from using wrong registers, let's occupy r1 or r3 with a dummy argument when necessary.
+// EncodedJSValue in JSVALUE32_64 is a 64-bit integer. When being compiled in ARM EABI, it must be aligned on an even-numbered register (r0, r2 or [sp]).
+// To prevent the assembler from using wrong registers, let's occupy r1 or r3 with a dummy argument when necessary.
 #if (COMPILER_SUPPORTS(EABI) && CPU(ARM)) || CPU(MIPS)
 #define EABI_32BIT_DUMMY_ARG TrustedImm32(0),
 #else