Changeset 222417 in webkit for trunk/Source/JavaScriptCore/yarr/YarrJIT.cpp

Timestamp:

Sep 22, 2017, 5:27:47 PM (8 years ago)

Author:

[email protected]

Message:

[Win64] Crashes in Yarr JIT compiled code
​https://bugs.webkit.org/show_bug.cgi?id=177293

Patch by Fujii Hironori <Fujii Hironori> on 2017-09-22
Reviewed by Yusuke Suzuki.

In x64 Windows, rcx register is used for the address of allocated
space for the return value. But, rcx is used for regT1 since
r221052. Save rcx in the stack.

• yarr/YarrJIT.cpp:

(JSC::Yarr::YarrGenerator::generateEnter): Push ecx.
(JSC::Yarr::YarrGenerator::generateReturn): Pop ecx.

File:

• trunk/Source/JavaScriptCore/yarr/YarrJIT.cpp (modified) (2 diffs)

trunk/Source/JavaScriptCore/yarr/YarrJIT.cpp

@@ -2853 +2853 @@
         if (compileMode == IncludeSubpatterns)
             loadPtr(Address(X86Registers::ebp, 6 * sizeof(void*)), output);
+        // rcx is the pointer to the allocated space for result in x64 Windows.
+        push(X86Registers::ecx);
 #endif
 #elif CPU(X86)
@@ -2902 +2904 @@
 #if OS(WINDOWS)
         // Store the return value in the allocated space pointed by rcx.
+        pop(X86Registers::ecx);
         store64(returnRegister, Address(X86Registers::ecx));
         store64(returnRegister2, Address(X86Registers::ecx, sizeof(void*)));