Changeset 224539 in webkit for trunk/Source/JavaScriptCore/bytecode/AccessCase.cpp

Timestamp:

Nov 7, 2017, 11:33:22 AM (8 years ago)

Author:

[email protected]

Message:

AccessCase::generateImpl() should exclude the result register when restoring registers after a call.
​https://bugs.webkit.org/show_bug.cgi?id=179355
<rdar://problem/35263053>

Reviewed by Saam Barati.

JSTests:

• stress/regress-179355.js: Added.

Source/JavaScriptCore:

In the Transition case in AccessCase::generateImpl(), we were restoring registers
using restoreLiveRegistersFromStackForCall() without excluding the scratchGPR
where we previously stashed the reallocated butterfly. If the generated code is
under heavy register pressure, scratchGPR could have been from the set of preserved
registers, and hence, would be restored by restoreLiveRegistersFromStackForCall().
As a result, the restoration would trash the butterfly result we stored there.
This patch fixes the issue by excluding the scratchGPR in the restoration.

• bytecode/AccessCase.cpp:

(JSC::AccessCase::generateImpl):

File:

• trunk/Source/JavaScriptCore/bytecode/AccessCase.cpp (modified) (1 diff)

trunk/Source/JavaScriptCore/bytecode/AccessCase.cpp

@@ -1043 +1043 @@
                 
                 noException.link(&jit);
-                state.restoreLiveRegistersFromStackForCall(spillState);
+                RegisterSet resultRegisterToExclude;
+                resultRegisterToExclude.set(scratchGPR);
+                state.restoreLiveRegistersFromStackForCall(spillState, resultRegisterToExclude);
             }
         }