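--- a/trunk/JSTests/ChangeLog
+++ b/trunk/JSTests/ChangeLog
@@ -1,3 +1,15 @@
+2020-04-17 Saam Barati <[email protected]>
+
+ GetTypedArrayByteOffset is broken on arm64e
+ https://bugs.webkit.org/show_bug.cgi?id=210631
+
+ Reviewed by Mark Lam.
+
+ * stress/byte-offset-on-wasteful-neutered-arm64e.js: Added.
+ (foo):
+ (assert):
+ (transferArrayBuffer.array.buffer):
+
 2020-04-17 Devin Rousso <[email protected]>
 Rename NullishEq / NULLISHEQUAL to CoalesceEq / COALESCEEQUAL to match the spec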
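--- a/trunk/JSTests/stress/byte-offset-on-wasteful-neutered-arm64e.js
+++ b/trunk/JSTests/stress/byte-offset-on-wasteful-neutered-arm64e.js
@@ -0,0 +1,21 @@
+function foo(o) {
+ return o.byteOffset;
+}
+noInline(foo);
+
+function assert(b) {
+ if (!b)
+ throw new Error;
+}
+
+var array = new Int8Array(new ArrayBuffer(100));
+
+for (let i = 0; i < 1000; ++i) {
+ assert(foo(array) === 0);
+}
+
+transferArrayBuffer(array.buffer)
+
+for (let i = 0; i < 10000; ++i) {
+ assert(foo(array) === 0);
+}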
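Review bot: `transferArrayBuffer(array.buffer)` between the two loops has no terminating semicolon and relies on ASI while every other statement in the file is terminated; `transferArrayBuffer(array.buffer);` keeps the style consistent. The first loop presumably exists to get `foo` JIT-compiled before the buffer is detached, which is what reaches the new null-vector comparison in the DFG/FTL, so a one-line comment such as `// Warm up foo so the byteOffset load is JIT-compiled before the buffer is detached.` above it would explain why there are two loops with different counts. The file is complete within this hunk.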
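--- a/trunk/Source/_javascript_Core/ChangeLog
+++ b/trunk/Source/_javascript_Core/ChangeLog
@@ -1,3 +1,23 @@
+2020-04-17 Saam Barati <[email protected]>
+
+ GetTypedArrayByteOffset is broken on arm64e
+ https://bugs.webkit.org/show_bug.cgi?id=210631
+
+ Reviewed by Mark Lam.
+
+ The vector of JSArrayBufferView is signed even when null on arm64e. However, we were
+ comparing against zero, which is wrong. This patch changes it so we do the right thing
+ and instead compare against whatever constant (ptr=nullptr,size=0) signs as.
+
+ * dfg/DFGSpeculativeJIT.cpp:
+ (JSC::DFG::SpeculativeJIT::compileGetTypedArrayByteOffset):
+ * ftl/FTLLowerDFGToB3.cpp:
+ (JSC::FTL::DFG::LowerDFGToB3::compileGetTypedArrayByteOffset):
+ * runtime/CagedBarrierPtr.h:
+ (JSC::CagedBarrierPtr::rawBits const):
+ * runtime/JSArrayBufferView.h:
+ (JSC::JSArrayBufferView::nullVectorPtr):
+
 2020-04-17 Yusuke Suzuki <[email protected]>
 [JSC] We do not need to have exit-check for Map/Set iterator functions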
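--- a/trunk/Source/_javascript_Core/dfg/DFGSpeculativeJIT.cpp
+++ b/trunk/Source/_javascript_Core/dfg/DFGSpeculativeJIT.cpp
@@ -6906,9 +6906,7 @@
 m_jit.loadPtr(MacroAssembler::Address(baseGPR, JSArrayBufferView::offsetOfVector()), vectorGPR);
-// FIXME: This should mask the PAC bits
-// https://bugs.webkit.org/show_bug.cgi?id=197701
-JITCompiler::Jump nullVector = m_jit.branchTestPtr(JITCompiler::Zero, vectorGPR);
+JITCompiler::Jump nullVector = m_jit.branchPtr(JITCompiler::Equal, vectorGPR, TrustedImmPtr(JSArrayBufferView::nullVectorPtr()));
 m_jit.loadPtr(MacroAssembler::Address(baseGPR, JSObject::butterflyOffset()), dataGPR);
 m_jit.cageWithoutUntagging(Gigacage::JSValue, dataGPR);
@@ -6927,11 +6925,17 @@
 JITCompiler::Jump done = m_jit.jump();
+#if CPU(ARM64E)
+ nullVector.link(&m_jit);
+#endif
 emptyByteOffset.link(&m_jit);
 m_jit.move(TrustedImmPtr(nullptr), vectorGPR);
 done.link(&m_jit);
+#if !CPU(ARM64E)
+ ASSERT(!JSArrayBufferView::nullVectorPtr());
 nullVector.link(&m_jit);
+#endif
 strictInt32Result(vectorGPR, node);
 }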
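Review bot: The `#if CPU(ARM64E)` / `#if !CPU(ARM64E)` pair in the second hunk links the same `nullVector` jump at two different points, and nothing in the code says why; the reason (a PAC-signed null vector is non-zero, so on arm64e it must go through the `move(TrustedImmPtr(nullptr), vectorGPR)`, while elsewhere it is already zero and may skip it) belongs in a comment on the first `#if`, e.g. `// On arm64e the null vector is PAC-signed and so non-zero: route it through the move(nullptr) below. Elsewhere it is already zero and can skip the move.`. If one extra move on the non-arm64e path is acceptable, linking `nullVector` unconditionally right before `emptyByteOffset.link(&m_jit);` and deleting both `#if` blocks together with the `ASSERT` would be simpler and remove the platform split entirely. The `branchPtr` against `TrustedImmPtr(JSArrayBufferView::nullVectorPtr())` in the first hunk replaces the old FIXME and would also benefit from a one-line comment stating that the immediate is the signed form of (nullptr, size 0) rather than zero. The enclosing function, `compileGetTypedArrayByteOffset` per the ChangeLog, begins before the first hunk.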
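--- a/trunk/Source/_javascript_Core/ftl/FTLLowerDFGToB3.cpp
+++ b/trunk/Source/_javascript_Core/ftl/FTLLowerDFGToB3.cpp
@@ -4121,27 +4121,22 @@
 {
 LValue basePtr = lowCell(m_node->child1());
- LBasicBlock simpleCase = m_out.newBlock();
 LBasicBlock wastefulCase = m_out.newBlock();
 LBasicBlock notNull = m_out.newBlock();
 LBasicBlock continuation = m_out.newBlock();
+ ValueFromBlock nullVectorOut = m_out.anchor(m_out.constIntPtr(0));
+
 LValue mode = m_out.load32(basePtr, m_heaps.JSArrayBufferView_mode);
 m_out.branch(
 m_out.notEqual(mode, m_out.constInt32(WastefulTypedArray)),
- unsure(simpleCase), unsure(wastefulCase));
+ unsure(continuation), unsure(wastefulCase));
- LBasicBlock lastNext = m_out.appendTo(simpleCase, wastefulCase);
+ LBasicBlock lastNext = m_out.appendTo(wastefulCase, notNull);
- ValueFromBlock simpleOut = m_out.anchor(m_out.constIntPtr(0));
-
- m_out.jump(continuation);
-
- m_out.appendTo(wastefulCase, notNull);
-
 LValue vector = m_out.loadPtr(basePtr, m_heaps.JSArrayBufferView_vector);
- ValueFromBlock nullVectorOut = m_out.anchor(vector);
- m_out.branch(vector, unsure(notNull), unsure(continuation));
+ m_out.branch(m_out.equal(vector, m_out.constIntPtr(JSArrayBufferView::nullVectorPtr())),
+ unsure(continuation), unsure(notNull));
 m_out.appendTo(notNull, continuation);
@@ -4160,7 +4155,7 @@
 m_out.jump(continuation);
 m_out.appendTo(continuation, lastNext);
- setInt32(m_out.castToInt32(m_out.phi(pointerType(), simpleOut, nullVectorOut, wastefulOut)));
+ setInt32(m_out.castToInt32(m_out.phi(pointerType(), nullVectorOut, wastefulOut)));
 }
 void compileGetPrototypeOf()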
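Review bot: `nullVectorOut` is now anchored once, in the entry block, yet `continuation` is reached along two edges that must yield 0 — the non-wasteful branch straight from the entry block and the `vector == nullVectorPtr()` branch out of `wastefulCase` — and to a reader this looks like the second edge has no phi input. As far as I can tell it is correct because a B3 Upsilon is a write to the Phi that stays in effect on every path that does not execute a later Upsilon, and the entry block dominates both edges; that reasoning should be written down on the anchor, e.g. `// One upsilon in the entry block covers both the simple case and the null-vector case (both yield 0); only the notNull path overwrites it with wastefulOut.`. A short comment next to `m_out.constIntPtr(JSArrayBufferView::nullVectorPtr())` saying that on arm64e this constant is the PAC-signed form of a null vector, not zero, would likewise help, since the old code tested `vector` for zero. The enclosing function begins before the first hunk line.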
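--- a/trunk/Source/_javascript_Core/runtime/CagedBarrierPtr.h
+++ b/trunk/Source/_javascript_Core/runtime/CagedBarrierPtr.h
@@ -84,6 +84,11 @@
 template<typename U>
 void setWithoutBarrier(U&& value, unsigned size) { m_barrier.setWithoutBarrier(CagedType(std::forward<U>(value), size)); }
+
+ T* rawBits() const
+ {
+ return m_barrier.get().rawBits();
+ }
 private:
 AuxiliaryBarrier<CagedType> m_barrier;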
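Review bot: `rawBits()` is added without any comment, and its name alone does not tell a caller how it differs from the existing accessors or that the returned `T*` is not safe to dereference. Given that its only use in this commit is `JSArrayBufferView::nullVectorPtr()`, which needs the bits exactly as stored, propose `// The stored bits verbatim (still PAC-signed on arm64e). Only for bitwise comparison against another rawBits() value; never dereference.` above the declaration. Forwarding to `m_barrier.get().rawBits()` also means the contract is really `CagedType::rawBits()`'s, which the WTF part of this commit adds, so the comment could point there.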
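--- a/trunk/Source/_javascript_Core/runtime/JSArrayBufferView.h
+++ b/trunk/Source/_javascript_Core/runtime/JSArrayBufferView.h
@@ -105,6 +105,12 @@
 static constexpr unsigned fastSizeLimit = 1000;
 using VectorPtr = CagedBarrierPtr<Gigacage::Primitive, void, tagCagedPtr>;
+
+ static void* nullVectorPtr()
+ {
+ VectorPtr null { };
+ return null.rawBits();
+ }
 static size_t sizeOf(uint32_t length, uint32_t elementSize)
 {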
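Review bot: `nullVectorPtr()` returns a `void*` that must only ever be compared, never dereferenced — on arm64e it is the PAC-signed form of a default-constructed `VectorPtr`, i.e. (nullptr, size 0) per the ChangeLog — and the function carries no comment saying so. The JIT comparison it feeds (DFG `branchPtr` and FTL `m_out.equal` in this commit) is only correct if every null vector stored in a view is signed with exactly that (pointer, size) modifier; a null vector stored with a different size would, as I understand the tagging scheme, not compare equal and would fall through to the non-null path. Propose `// Bit pattern of a null vector as stored in a view. Zero on most targets, but on arm64e even null is PAC-signed, so JIT code compares against this instead of testing for zero. Assumes every null vector is stored as VectorPtr { } (nullptr, size 0).` above the function. Since DFG and FTL bake the result into an immediate at compile time, the comment could also note that it relies on signing being deterministic for the lifetime of the process.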
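--- a/trunk/Source/WTF/ChangeLog
+++ b/trunk/Source/WTF/ChangeLog
@@ -1,3 +1,13 @@
+2020-04-17 Saam Barati <[email protected]>
+
+ GetTypedArrayByteOffset is broken on arm64e
+ https://bugs.webkit.org/show_bug.cgi?id=210631
+
+ Reviewed by Mark Lam.
+
+ * wtf/CagedPtr.h:
+ (WTF::CagedPtr::rawBits const):
+
 2020-04-17 Peng Liu <[email protected]>
 Cleanup the macros for video fullscreen and picture-in-picture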
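--- a/trunk/Source/WTF/wtf/CagedPtr.h
+++ b/trunk/Source/WTF/wtf/CagedPtr.h
@@ -127,6 +127,11 @@
 {
 return getUnsafe() != nullptr;
 }
+
+ T* rawBits() const
+ {
+ return bitwise_cast<T*>(m_ptr);
+ }
 protected:
 static inline T* mergePointers(T* sourcePtr, T* cagedPtr)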
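Review bot: `rawBits()` sits directly under `operator bool`, which goes through `getUnsafe()` and presumably strips the tag, while the new accessor hands back `m_ptr` as-is; nothing in the code warns that the result is a bit pattern rather than a usable pointer. Propose `// Raw stored bits, not untagged: on arm64e this is still PAC-signed. Use only for bitwise comparison (e.g. against a null CagedPtr's rawBits()); never dereference.` above the function. If `m_ptr` is already declared as `T*`, `bitwise_cast<T*>(m_ptr)` is a no-op and a plain `return m_ptr;` would state the intent more directly; if it has a different type in the tagging configuration, the comment should say that the cast exists to avoid an implicit untag. `mergePointers` starts on the hunk's last line and continues outside it.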