Changeset 241756 in webkit for trunk/Source/JavaScriptCore/assembler/MacroAssemblerARMv7.h

Timestamp:

Feb 18, 2019, 11:15:57 PM (6 years ago)

Author:

[email protected]

Message:

[ARM] Fix crash with sampling profiler
​https://bugs.webkit.org/show_bug.cgi?id=194772

Reviewed by Mark Lam.

JSTests:

Do not skip test since crash with sampling profiler is now fixed.

• stress/sampling-profiler-richards.js:

Source/JavaScriptCore:

sampling-profiler-richards.js was crashing with an enabled sampling profiler. add32
did not update the stack pointer in a single instruction. The src register was first
moved into the stack pointer, the immediate imm was added in a subsequent instruction.

This was problematic when a signal handler was invoked before applying the immediate,
when the stack pointer is still set to the temporary value. Avoid this by calculating src+imm in
a temporary register and then move it in one go into the stack pointer.

• assembler/MacroAssemblerARMv7.h:

(JSC::MacroAssemblerARMv7::add32):

File:

• trunk/Source/JavaScriptCore/assembler/MacroAssemblerARMv7.h (modified) (1 diff)

trunk/Source/JavaScriptCore/assembler/MacroAssemblerARMv7.h

@@ -178 +178 @@
     void add32(TrustedImm32 imm, RegisterID src, RegisterID dest)
     {
+        // For adds with stack pointer destination avoid unpredictable instruction
+        if (dest == ARMRegisters::sp && src != dest) {
+            add32(imm, src, dataTempRegister);
+            move(dataTempRegister, dest);
+            return;
+        }
+
         ARMThumbImmediate armImm = ARMThumbImmediate::makeUInt12OrEncodedImm(imm.m_value);
-
-        // For adds with stack pointer destination, moving the src first to sp is
-        // needed to avoid unpredictable instruction
-        if (dest == ARMRegisters::sp && src != dest) {
-            move(src, ARMRegisters::sp);
-            src = ARMRegisters::sp;
-        }
 
         if (armImm.isValid())