ArityFixup should adjust SP first on 32-bit platforms too
authorguijemont@igalia.com <guijemont@igalia.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Thu, 7 Jun 2018 02:43:30 +0000 (02:43 +0000)
committerguijemont@igalia.com <guijemont@igalia.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Thu, 7 Jun 2018 02:43:30 +0000 (02:43 +0000)
https://bugs.webkit.org/show_bug.cgi?id=186351

Reviewed by Yusuke Suzuki.

* jit/ThunkGenerators.cpp:
(JSC::arityFixupGenerator):

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@232568 268f45cc-cd09-0410-ab3c-d52691b4dbfc

Source/JavaScriptCore/ChangeLog
Source/JavaScriptCore/jit/ThunkGenerators.cpp

index 818dd4b..80a6089 100644 (file)
@@ -1,3 +1,13 @@
+2018-06-06  Guillaume Emont  <guijemont@igalia.com>
+
+        ArityFixup should adjust SP first on 32-bit platforms too
+        https://bugs.webkit.org/show_bug.cgi?id=186351
+
+        Reviewed by Yusuke Suzuki.
+
+        * jit/ThunkGenerators.cpp:
+        (JSC::arityFixupGenerator):
+
 2018-06-06  Yusuke Suzuki  <utatane.tea@gmail.com>
 
         [DFG] Compare operations do not respect negative zeros
index ee35a02..dd5d830 100644 (file)
@@ -500,7 +500,7 @@ MacroAssemblerCodeRef<JITThunkPtrTag> arityFixupGenerator(VM* vm)
 
     // Adjust call frame register and stack pointer to account for missing args.
     // We need to change the stack pointer first before performing copy/fill loops.
-    // This stack space below the stack pointer is considered unsed by OS. Therefore,
+    // This stack space below the stack pointer is considered unused by OS. Therefore,
     // OS may corrupt this space when constructing a signal stack.
     jit.move(JSInterfaceJIT::argumentGPR0, extraTemp);
     jit.lshift64(JSInterfaceJIT::TrustedImm32(3), extraTemp);
@@ -564,6 +564,17 @@ MacroAssemblerCodeRef<JITThunkPtrTag> arityFixupGenerator(VM* vm)
 
     jit.neg32(JSInterfaceJIT::argumentGPR0);
 
+    // Adjust call frame register and stack pointer to account for missing args.
+    // We need to change the stack pointer first before performing copy/fill loops.
+    // This stack space below the stack pointer is considered unused by OS. Therefore,
+    // OS may corrupt this space when constructing a signal stack.
+    jit.move(JSInterfaceJIT::argumentGPR0, JSInterfaceJIT::regT5);
+    jit.lshift32(JSInterfaceJIT::TrustedImm32(3), JSInterfaceJIT::regT5);
+    jit.addPtr(JSInterfaceJIT::regT5, JSInterfaceJIT::callFrameRegister);
+    jit.untagReturnAddress();
+    jit.addPtr(JSInterfaceJIT::regT5, JSInterfaceJIT::stackPointerRegister);
+    jit.tagReturnAddress();
+
     // Move current frame down argumentGPR0 number of slots
     JSInterfaceJIT::Label copyLoop(jit.label());
     jit.load32(MacroAssembler::Address(JSInterfaceJIT::regT3, PayloadOffset), JSInterfaceJIT::regT5);
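Review bot: The four comment lines added above `jit.move(JSInterfaceJIT::argumentGPR0, JSInterfaceJIT::regT5);` are copied verbatim from the lshift64 path earlier in the function and do not say what this sequence relies on: argumentGPR0 was negated just above (`jit.neg32(JSInterfaceJIT::argumentGPR0);`), so the value shifted into regT5 is a negative byte delta and the two `addPtr` calls move the call frame register and stack pointer downward, not upward. Spelling that out would help, e.g. `// argumentGPR0 now holds -(missing arg count); <<3 turns it into a byte delta, so both addPtr calls move the registers down.` Since the delta now lives in regT5 before the copy loop rather than after the fill loop, and the `load32` on the next line overwrites regT5, a short remark that regT5 is only a scratch here and nothing below needs the delta would save the next reader a check. I cannot tell from the hunk whether `untagReturnAddress()`/`tagReturnAddress()` are no-ops on every 32-bit target; if they are, a note beside them saying the pair is kept for symmetry with the 64-bit sequence would explain their presence. arityFixupGenerator starts and ends outside this hunk.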
@@ -584,12 +595,6 @@ MacroAssemblerCodeRef<JITThunkPtrTag> arityFixupGenerator(VM* vm)
     jit.addPtr(JSInterfaceJIT::TrustedImm32(8), JSInterfaceJIT::regT3);
     jit.branchAdd32(MacroAssembler::NonZero, JSInterfaceJIT::TrustedImm32(1), JSInterfaceJIT::argumentGPR2).linkTo(fillUndefinedLoop, &jit);
 
-    // Adjust call frame register and stack pointer to account for missing args
-    jit.move(JSInterfaceJIT::argumentGPR0, JSInterfaceJIT::regT5);
-    jit.lshift32(JSInterfaceJIT::TrustedImm32(3), JSInterfaceJIT::regT5);
-    jit.addPtr(JSInterfaceJIT::regT5, JSInterfaceJIT::callFrameRegister);
-    jit.addPtr(JSInterfaceJIT::regT5, JSInterfaceJIT::stackPointerRegister);
-
     done.link(&jit);
 
 #  if CPU(X86)