Diff
Modified: trunk/JSTests/ChangeLog (245312 => 245313)
--- trunk/JSTests/ChangeLog 2019-05-14 21:49:54 UTC (rev 245312)
+++ trunk/JSTests/ChangeLog 2019-05-14 22:44:26 UTC (rev 245313)
@@ -1,3 +1,15 @@
+2019-05-14 Keith Miller <[email protected]>
+
+ Fix issue with byteOffset on ARM64E
+ https://bugs.webkit.org/show_bug.cgi?id=197884
+
+ Reviewed by Saam Barati.
+
+ We didn't have any tests that run with non-byte/non-zero offset
+ typed arrays.
+
+ * stress/ftl-gettypedarrayoffset-wasteful.js:
+
2019-05-14 Yusuke Suzuki <[email protected]>
[JSC] Shrink sizeof(UnlinkedFunctionExecutable) more
Modified: trunk/JSTests/stress/ftl-gettypedarrayoffset-wasteful.js (245312 => 245313)
--- trunk/JSTests/stress/ftl-gettypedarrayoffset-wasteful.js 2019-05-14 21:49:54 UTC (rev 245312)
+++ trunk/JSTests/stress/ftl-gettypedarrayoffset-wasteful.js 2019-05-14 22:44:26 UTC (rev 245313)
@@ -7,6 +7,12 @@
for (var i = 0; i < 100000; ++i) {
var b = new Uint8Array(new ArrayBuffer(42), 0);
if (foo(b) != 0)
- throw "error"
+ throw new Error();
+ b = new Uint8Array(new ArrayBuffer(42), 5);
+ if (foo(b) !== 5)
+ throw new Error();
+ b = new Int32Array(new ArrayBuffer(100000 * 4), i * 4);
+ if (foo(b) !== i * 4)
+ throw new Error();
}
Modified: trunk/Source/_javascript_Core/ChangeLog (245312 => 245313)
--- trunk/Source/_javascript_Core/ChangeLog 2019-05-14 21:49:54 UTC (rev 245312)
+++ trunk/Source/_javascript_Core/ChangeLog 2019-05-14 22:44:26 UTC (rev 245313)
@@ -1,3 +1,25 @@
+2019-05-14 Keith Miller <[email protected]>
+
+ Fix issue with byteOffset on ARM64E
+ https://bugs.webkit.org/show_bug.cgi?id=197884
+
+ Reviewed by Saam Barati.
+
+ We forgot to remove the tag from the ArrayBuffer's data
+ pointer. This corrupted data when computing the offset. We didn't
+ catch this because we didn't run any with a non-zero byteOffset in
+ the JITs.
+
+ * dfg/DFGSpeculativeJIT.cpp:
+ (JSC::DFG::SpeculativeJIT::compileGetTypedArrayByteOffset):
+ * ftl/FTLLowerDFGToB3.cpp:
+ (JSC::FTL::DFG::LowerDFGToB3::compileGetTypedArrayByteOffset):
+ (JSC::FTL::DFG::LowerDFGToB3::untagArrayPtr):
+ (JSC::FTL::DFG::LowerDFGToB3::removeArrayPtrTag):
+ (JSC::FTL::DFG::LowerDFGToB3::speculateTypedArrayIsNotNeutered):
+ * jit/IntrinsicEmitter.cpp:
+ (JSC::IntrinsicGetterAccessCase::emitIntrinsicGetter):
+
2019-05-14 Tadeu Zagallo <[email protected]>
REGRESSION (r245249): ASSERTION FAILED: !m_needExceptionCheck seen with stress/proxy-delete.js and stress/proxy-property-descriptor.js
Modified: trunk/Source/_javascript_Core/dfg/DFGSpeculativeJIT.cpp (245312 => 245313)
--- trunk/Source/_javascript_Core/dfg/DFGSpeculativeJIT.cpp 2019-05-14 21:49:54 UTC (rev 245312)
+++ trunk/Source/_javascript_Core/dfg/DFGSpeculativeJIT.cpp 2019-05-14 22:44:26 UTC (rev 245313)
@@ -6794,6 +6794,9 @@
TrustedImm32(WastefulTypedArray));
m_jit.loadPtr(MacroAssembler::Address(baseGPR, JSArrayBufferView::offsetOfVector()), vectorGPR);
+
+ // FIXME: This should mask the PAC bits
+ // https://bugs.webkit.org/show_bug.cgi?id=197701
JITCompiler::Jump nullVector = m_jit.branchTestPtr(JITCompiler::Zero, vectorGPR);
m_jit.loadPtr(MacroAssembler::Address(baseGPR, JSObject::butterflyOffset()), dataGPR);
@@ -6805,6 +6808,10 @@
// FIXME: This needs caging.
// https://bugs.webkit.org/show_bug.cgi?id=175515
m_jit.loadPtr(MacroAssembler::Address(arrayBufferGPR, ArrayBuffer::offsetOfData()), dataGPR);
+#if CPU(ARM64E)
+ m_jit.removeArrayPtrTag(dataGPR);
+#endif
+
m_jit.subPtr(dataGPR, vectorGPR);
JITCompiler::Jump done = m_jit.jump();
Modified: trunk/Source/_javascript_Core/ftl/FTLLowerDFGToB3.cpp (245312 => 245313)
--- trunk/Source/_javascript_Core/ftl/FTLLowerDFGToB3.cpp 2019-05-14 21:49:54 UTC (rev 245312)
+++ trunk/Source/_javascript_Core/ftl/FTLLowerDFGToB3.cpp 2019-05-14 22:44:26 UTC (rev 245313)
@@ -3915,6 +3915,7 @@
// FIXME: This needs caging.
// https://bugs.webkit.org/show_bug.cgi?id=175515
LValue dataPtr = m_out.loadPtr(arrayBufferPtr, m_heaps.ArrayBuffer_data);
+ dataPtr = removeArrayPtrTag(dataPtr);
ValueFromBlock wastefulOut = m_out.anchor(m_out.sub(vectorPtr, dataPtr));
@@ -14103,8 +14104,7 @@
LValue untagArrayPtr(LValue ptr, LValue size)
{
-
-#if !GIGACAGE_ENABLED && CPU(ARM64E)
+#if CPU(ARM64E)
PatchpointValue* authenticate = m_out.patchpoint(pointerType());
authenticate->appendSomeRegister(ptr);
authenticate->append(size, B3::ValueRep(B3::ValueRep::SomeLateRegister));
@@ -14119,6 +14119,20 @@
#endif
}
+ LValue removeArrayPtrTag(LValue ptr)
+ {
+#if CPU(ARM64E)
+ PatchpointValue* authenticate = m_out.patchpoint(pointerType());
+ authenticate->appendSomeRegister(ptr);
+ authenticate->setGenerator([=] (CCallHelpers& jit, const StackmapGenerationParams& params) {
+ jit.move(params[1].gpr(), params[0].gpr());
+ jit.removeArrayPtrTag(params[0].gpr());
+ });
+ return authenticate;
+#endif
+ return ptr;
+ }
+
LValue caged(Gigacage::Kind kind, LValue ptr, LValue base)
{
#if GIGACAGE_ENABLED
@@ -16574,16 +16588,9 @@
LBasicBlock lastNext = m_out.appendTo(isWasteful, continuation);
LValue vector = m_out.loadPtr(base, m_heaps.JSArrayBufferView_vector);
-#if !GIGACAGE_ENABLED && CPU(ARM64E)
- // FIXME: We could probably make this a mask. https://bugs.webkit.org/show_bug.cgi?id=197701
- PatchpointValue* authenticate = m_out.patchpoint(pointerType());
- authenticate->appendSomeRegister(vector);
- authenticate->setGenerator([=] (CCallHelpers& jit, const StackmapGenerationParams& params) {
- jit.move(params[1].gpr(), params[0].gpr());
- jit.removeArrayPtrTag(params[0].gpr());
- });
- vector = authenticate;
-#endif
+ // FIXME: We could probably make this a mask.
+ // https://bugs.webkit.org/show_bug.cgi?id=197701
+ vector = removeArrayPtrTag(vector);
speculate(Uncountable, jsValueValue(vector), m_node, m_out.isZero64(vector));
m_out.jump(continuation);
Modified: trunk/Source/_javascript_Core/jit/IntrinsicEmitter.cpp (245312 => 245313)
--- trunk/Source/_javascript_Core/jit/IntrinsicEmitter.cpp 2019-05-14 21:49:54 UTC (rev 245312)
+++ trunk/Source/_javascript_Core/jit/IntrinsicEmitter.cpp 2019-05-14 22:44:26 UTC (rev 245313)
@@ -114,11 +114,14 @@
jit.loadPtr(MacroAssembler::Address(baseGPR, JSObject::butterflyOffset()), scratchGPR);
jit.loadPtr(MacroAssembler::Address(baseGPR, JSArrayBufferView::offsetOfVector()), valueGPR);
-#if !GIGACAGE_ENABLED && CPU(ARM64E)
+#if CPU(ARM64E)
jit.removeArrayPtrTag(valueGPR);
#endif
jit.loadPtr(MacroAssembler::Address(scratchGPR, Butterfly::offsetOfArrayBuffer()), scratchGPR);
jit.loadPtr(MacroAssembler::Address(scratchGPR, ArrayBuffer::offsetOfData()), scratchGPR);
+#if CPU(ARM64E)
+ jit.removeArrayPtrTag(scratchGPR);
+#endif
jit.subPtr(scratchGPR, valueGPR);
CCallHelpers::Jump done = jit.jump();
