[Win] Javascript crash with DFG JIT enabled.
author: commit-queue@webkit.org <commit-queue@webkit.org@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Fri, 25 Oct 2013 22:01:35 +0000 (22:01 +0000)
committer: commit-queue@webkit.org <commit-queue@webkit.org@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Fri, 25 Oct 2013 22:01:35 +0000 (22:01 +0000)
commit 48e3c20b021fd1432e469cf634c0557a6c670ab1
tree e87b9d03e5720beb1b5fab7ba2adc6784e3cac1e
parent c0d916173d025dc159cd81d318524ef4451d903f
[Win] Javascript crash with DFG JIT enabled.
https://bugs.webkit.org/show_bug.cgi?id=121001

Patch by peavo@outlook.com <peavo@outlook.com> on 2013-10-25
Reviewed by Geoffrey Garen.

On Windows, using register GPRInfo::regT0 as parameter to e.g. JIT::storeDouble(..., GPRInfo::regT0),
results in a call to JIT::storeDouble(FPRegisterID src, const void* address),
where the address parameter gets the value of GPRInfo::regT0, which is 0 (eax on Windows).
This causes the register to be written to address 0, hence the crash.

* assembler/MacroAssemblerX86.h:
(JSC::MacroAssemblerX86::storeDouble): Assert if we try to generate code which writes to a null pointer.
* dfg/DFGOSRExitCompiler32_64.cpp:
(JSC::DFG::OSRExitCompiler::compileExit): Use address in regT0 as parameter.
* dfg/DFGThunks.cpp:
(JSC::DFG::osrExitGenerationThunkGenerator): Ditto.

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@158057 268f45cc-cd09-0410-ab3c-d52691b4dbfc
Source/JavaScriptCore/ChangeLog
Source/JavaScriptCore/assembler/MacroAssemblerX86.h
Source/JavaScriptCore/dfg/DFGOSRExitCompiler32_64.cpp
Source/JavaScriptCore/dfg/DFGThunks.cpp
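The overload-resolution pitfall the commit message describes, reduced to a stand-alone illustration. This is an added example, not JavaScriptCore's code: the `RegisterID`, `FPRegisterID`, `Address` and `Assembler` types are hypothetical stand-ins shaped like the macro-assembler's, and the `REG_T0_AS_ZERO` macro is an assumed stand-in for the Windows case where the register constant reaches overload resolution as the value 0. It shows why a zero-valued constant selects the `const void*` overload over the address overload, why spelling the operand out as an `Address` (the patch's fix) makes the pointer overload non-viable, and a guard corresponding to the null-pointer assertion the patch adds.

```cpp
#include <cstdint>
#include <iostream>

// Hypothetical stand-ins for the macro-assembler types (not JSC's own code).
enum RegisterID   { eax = 0, ecx = 1, edx = 2 };
enum FPRegisterID { xmm0 = 0, xmm1 = 1 };

// Memory operand "[base + offset]", implicitly constructible from a RegisterID
// in the same way JSC's ImplicitAddress is.
struct Address {
    RegisterID base;
    int32_t offset;
    Address(RegisterID b, int32_t o = 0) : base(b), offset(o) {}
};

// Records which overload resolution selected.
enum class Picked { RegisterAddress, AbsolutePointer };

struct Assembler {
    // Intended overload: store through the register named by the Address.
    Picked storeDouble(FPRegisterID, Address) { return Picked::RegisterAddress; }
    // Absolute-address overload: store to a fixed pointer in memory.
    Picked storeDouble(FPRegisterID, const void*) { return Picked::AbsolutePointer; }
};

// Assumed stand-in for the situation the commit message describes: the
// register constant reaches overload resolution as the value 0, which the
// compiler treats as a null pointer constant.
#define REG_T0_AS_ZERO 0

// Buggy call shape: a bare register constant in the address position.
// 0 converts to const void* by a standard (null pointer) conversion, whereas
// Address would need a user-defined conversion, so the pointer overload wins
// and the emitted store would target address 0.
Picked buggyCall() {
    Assembler jit;
    return jit.storeDouble(xmm0, REG_T0_AS_ZERO);
}

// Same call with the enumerator itself: a value of enumeration type is not a
// null pointer constant under the C++ standard, so GCC and Clang make only the
// Address overload viable (through its converting constructor).
Picked enumCall() {
    Assembler jit;
    return jit.storeDouble(xmm0, eax);
}

// Fixed call shape (what the patch does in the DFG callers): spell the operand
// out as an Address, so the pointer overload is not viable on any compiler.
Picked fixedCall() {
    Assembler jit;
    return jit.storeDouble(xmm0, Address(eax));
}

// Guard corresponding to the ASSERT the patch adds to MacroAssemblerX86::storeDouble:
// refuse to emit a store whose absolute target is the null page.
bool absoluteStoreTargetOk(const void* address) {
    return address != nullptr;
}

int main() {
    std::cout << "bare 0       -> "
              << (buggyCall() == Picked::AbsolutePointer ? "const void* overload (bug)" : "Address overload") << '\n';
    std::cout << "enumerator   -> "
              << (enumCall() == Picked::RegisterAddress ? "Address overload" : "const void* overload") << '\n';
    std::cout << "Address(eax) -> "
              << (fixedCall() == Picked::RegisterAddress ? "Address overload" : "const void* overload") << '\n';
    std::cout << "null target rejected: " << (absoluteStoreTargetOk(nullptr) ? "no" : "yes") << '\n';
    return 0;
}
```

The design point is that the fix is made at the call site, not in the overload set: wrapping the register in an explicit address type removes the ambiguity for every compiler, while the assertion in the absolute-address overload turns any future recurrence into a loud debug failure instead of a silent write to address 0.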