Changeset 222417 in webkit for trunk/Source/JavaScriptCore

Timestamp:

Sep 22, 2017, 5:27:47 PM (8 years ago)

Author:

[email protected]

Message:

[Win64] Crashes in Yarr JIT compiled code
​https://bugs.webkit.org/show_bug.cgi?id=177293

Patch by Fujii Hironori <Fujii Hironori> on 2017-09-22
Reviewed by Yusuke Suzuki.

In x64 Windows, rcx register is used for the address of allocated
space for the return value. But, rcx is used for regT1 since
r221052. Save rcx in the stack.

• yarr/YarrJIT.cpp:

(JSC::Yarr::YarrGenerator::generateEnter): Push ecx.
(JSC::Yarr::YarrGenerator::generateReturn): Pop ecx.

Location:

trunk/Source/JavaScriptCore

Files:

• ChangeLog (modified) (1 diff)
• yarr/YarrJIT.cpp (modified) (2 diffs)

trunk/Source/JavaScriptCore/ChangeLog

@@ +1 @@
+2017-09-22  Fujii Hironori  <[email protected]>
+
+        [Win64] Crashes in Yarr JIT compiled code
+        https://bugs.webkit.org/show_bug.cgi?id=177293
+
+        Reviewed by Yusuke Suzuki.
+
+        In x64 Windows, rcx register is used for the address of allocated
+        space for the return value. But, rcx is used for regT1 since
+        r221052. Save rcx in the stack.
+
+        * yarr/YarrJIT.cpp:
+        (JSC::Yarr::YarrGenerator::generateEnter): Push ecx.
+        (JSC::Yarr::YarrGenerator::generateReturn): Pop ecx.
+
 2017-09-22  Saam Barati  <[email protected]>
 

trunk/Source/JavaScriptCore/yarr/YarrJIT.cpp

@@ -2853 +2853 @@
         if (compileMode == IncludeSubpatterns)
             loadPtr(Address(X86Registers::ebp, 6 * sizeof(void*)), output);
+        // rcx is the pointer to the allocated space for result in x64 Windows.
+        push(X86Registers::ecx);
 #endif
 #elif CPU(X86)
@@ -2902 +2904 @@
 #if OS(WINDOWS)
         // Store the return value in the allocated space pointed by rcx.
+        pop(X86Registers::ecx);
         store64(returnRegister, Address(X86Registers::ecx));
         store64(returnRegister2, Address(X86Registers::ecx, sizeof(void*)));