author | Erik Verbruggen <erik.verbruggen@qt.io> | 2019-02-14 11:06:35 +0100 |
committer | Erik Verbruggen <erik.verbruggen@qt.io> | 2019-02-14 10:10:32 +0000 |
commit | 8df1afa89558ddb608ff0df792d2015dd5e2e6ac (patch) | |
tree | 6007100971261e0728122266fedb93813b8e5f58 | |
parent | 9343fbc478e42c7aec3247486b25b34f1908e93b (diff) |
V4: Fix JS tail call crashes on win32/linux32
For platforms where arguments are passed on the stack, we would do an
invalid (off-by-one) calculation to see where we should put arguments for
a tail call, thereby overwriting other values. As we don't write to
these memory locations anywhere, and the arguments are exactly the same
as calls to jitted code (which is done by design), we could just as well
re-use them.
Change-Id: If4118b2023da6dc301252a1579a36df0e0cbc3a5
Reviewed-by: Simon Hausmann <simon.hausmann@qt.io>
-rw-r--r-- | src/qml/jit/qv4assemblercommon.cpp | 16 | ||||
-rw-r--r-- | src/qml/jit/qv4assemblercommon_p.h | 1 |
2 files changed, 6 insertions, 11 deletions
diff --git a/src/qml/jit/qv4assemblercommon.cpp b/src/qml/jit/qv4assemblercommon.cpp
index b302ac6403..831496a628 100644
--- a/src/qml/jit/qv4assemblercommon.cpp
+++ b/src/qml/jit/qv4assemblercommon.cpp
@@ -212,13 +212,6 @@ PlatformAssemblerCommon::Address PlatformAssemblerCommon::argStackAddress(int ar
     return Address(StackPointerRegister, offset * PointerSize);
 }
-JSC::MacroAssemblerBase::Address PlatformAssemblerCommon::inArgStackAddress(int arg)
-{
-    int offset = arg - ArgInRegCount;
-    Q_ASSERT(offset >= 0);
-    return Address(FramePointerRegister, -(offset + 1) * PointerSize);
-}
 void PlatformAssemblerCommon::passAccumulatorAsArg(int arg)
 {
 #ifndef QT_NO_DEBUG
@@ -354,10 +347,13 @@ void PlatformAssemblerCommon::tailCallRuntime(const char *functionName, const vo
 void PlatformAssemblerCommon::setTailCallArg(RegisterID src, int arg)
 {
-    if (arg < ArgInRegCount)
+    if (arg < ArgInRegCount) {
         move(src, registerForArg(arg));
-    else
-        storePtr(src, inArgStackAddress(arg));
+    } else {
+        // We never write to the incoming arguments space on the stack, and the tail call runtime
+        // method has the same signature as the jitted function, so it is safe for us to just reuse
+        // the arguments that we got in.
+    }
 }
 JSC::MacroAssemblerBase::Address PlatformAssemblerCommon::jsAlloca(int slotCount)
diff --git a/src/qml/jit/qv4assemblercommon_p.h b/src/qml/jit/qv4assemblercommon_p.h
index c17fdd3a23..729d0fc53d 100644
--- a/src/qml/jit/qv4assemblercommon_p.h
+++ b/src/qml/jit/qv4assemblercommon_p.h
@@ -709,7 +709,6 @@ public:
 private:
     void passAccumulatorAsArg_internal(int arg, bool doPush);
     static Address argStackAddress(int arg);
-    static Address inArgStackAddress(int arg);
 private:
     const Value* constantTable; |
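Review bot: In the setTailCallArg hunk the new `else` branch silently discards `src` for every `arg >= ArgInRegCount`, so the correctness of the emitted tail call now rests on an invariant the function itself cannot see: the caller must only ever pass the register that still holds the unmodified incoming argument, otherwise the stale stack slot is reused without any diagnostic. That contract is stated only in the body comment, which a caller reading the header will not find; the declaration of setTailCallArg is outside this diff, so the documentation belongs there, e.g. `// For arguments passed on the stack (arg >= ArgInRegCount) \a src is ignored: the incoming argument slot is reused as-is, so callers must pass the same value they were called with.` It would also be worth naming the assumption that the runtime method's signature matches the jitted function at the single place that pairs the two (presumably tailCallRuntime, which is only visible here as hunk context), since a later mismatch in argument count or order would reintroduce the kind of memory misuse this change removes. The removed `inArgStackAddress` helper and its header declaration are plain deletions and need no further comment.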