From 0d0b7ae573962c7777116e32644f3a66cff7c92b Mon Sep 17 00:00:00 2001
From: Michael Saboff <msaboff@apple.com>
Date: Wed, 27 Mar 2013 10:19:03 +0100
Subject: Crash at JSC::call when loading www.gap.com with JSVALUE32_64 Enabled

https://bugs.webkit.org/show_bug.cgi?id=108991

Reviewed by Oliver Hunt.

Changed the restoration from calleeGPR to nonArgGPR0 because the restoration of the return location
may step on calleeGPR is it happen to be nonArgGPR2.

* dfg/DFGRepatch.cpp:
(JSC::DFG::dfgLinkClosureCall):

Change-Id: I2d27a111ae1edbfea9335f3a06c5cc53e065a673
git-svn-id: http://svn.webkit.org/repository/webkit/trunk@141951 268f45cc-cd09-0410-ab3c-d52691b4dbfc
Reviewed-by: Jocelyn Turcotte <jocelyn.turcotte@digia.com>
---
 Source/JavaScriptCore/dfg/DFGRepatch.cpp | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

(limited to 'Source/JavaScriptCore/dfg/DFGRepatch.cpp')

diff --git a/Source/JavaScriptCore/dfg/DFGRepatch.cpp b/Source/JavaScriptCore/dfg/DFGRepatch.cpp
index 07a509061..13653a647 100644
--- a/Source/JavaScriptCore/dfg/DFGRepatch.cpp
+++ b/Source/JavaScriptCore/dfg/DFGRepatch.cpp
@@ -1214,12 +1214,12 @@ void dfgLinkClosureCall(ExecState* exec, CallLinkInfo& callLinkInfo, CodeBlock*
     JITCompiler::Jump done = stubJit.jump();
     
     slowPath.link(&stubJit);
-    stubJit.move(CCallHelpers::TrustedImmPtr(callLinkInfo.callReturnLocation.executableAddress()), GPRInfo::nonArgGPR2);
-    stubJit.restoreReturnAddressBeforeReturn(GPRInfo::nonArgGPR2);
     stubJit.move(calleeGPR, GPRInfo::nonArgGPR0);
 #if USE(JSVALUE32_64)
     stubJit.move(CCallHelpers::TrustedImm32(JSValue::CellTag), GPRInfo::nonArgGPR1);
 #endif
+    stubJit.move(CCallHelpers::TrustedImmPtr(callLinkInfo.callReturnLocation.executableAddress()), GPRInfo::nonArgGPR2);
+    stubJit.restoreReturnAddressBeforeReturn(GPRInfo::nonArgGPR2);
     JITCompiler::Jump slow = stubJit.jump();
     
     LinkBuffer patchBuffer(*globalData, &stubJit, callerCodeBlock);
-- 
cgit v1.2.1