Title: [260289] trunk
Revision
260289
Author
[email protected]
Date
2020-04-17 14:48:21 -0700 (Fri, 17 Apr 2020)

Log Message

GetTypedArrayByteOffset is broken on arm64e
https://bugs.webkit.org/show_bug.cgi?id=210631

Reviewed by Mark Lam.

JSTests:

* stress/byte-offset-on-wasteful-neutered-arm64e.js: Added.
(foo):
(assert):
(transferArrayBuffer.array.buffer):

Source/_javascript_Core:

The vector of JSArrayBufferView is signed even when null on arm64e.  However, we were
comparing against zero, which is wrong. This patch changes it so we do the right thing
and instead compare against whatever constant (ptr=nullptr,size=0) signs as.

* dfg/DFGSpeculativeJIT.cpp:
(JSC::DFG::SpeculativeJIT::compileGetTypedArrayByteOffset):
* ftl/FTLLowerDFGToB3.cpp:
(JSC::FTL::DFG::LowerDFGToB3::compileGetTypedArrayByteOffset):
* runtime/CagedBarrierPtr.h:
(JSC::CagedBarrierPtr::rawBits const):
* runtime/JSArrayBufferView.h:
(JSC::JSArrayBufferView::nullVectorPtr):

Source/WTF:

* wtf/CagedPtr.h:
(WTF::CagedPtr::rawBits const):


Modified: trunk/JSTests/ChangeLog (260288 => 260289)


--- trunk/JSTests/ChangeLog	2020-04-17 21:34:43 UTC (rev 260288)
+++ trunk/JSTests/ChangeLog	2020-04-17 21:48:21 UTC (rev 260289)
@@ -1,3 +1,15 @@
+2020-04-17  Saam Barati  <[email protected]>
+
+        GetTypedArrayByteOffset is broken on arm64e
+        https://bugs.webkit.org/show_bug.cgi?id=210631
+
+        Reviewed by Mark Lam.
+
+        * stress/byte-offset-on-wasteful-neutered-arm64e.js: Added.
+        (foo):
+        (assert):
+        (transferArrayBuffer.array.buffer):
+
 2020-04-17  Devin Rousso  <[email protected]>
 
         Rename NullishEq / NULLISHEQUAL to CoalesceEq / COALESCEEQUAL to match the spec

Added: trunk/JSTests/stress/byte-offset-on-wasteful-neutered-arm64e.js (0 => 260289)


--- trunk/JSTests/stress/byte-offset-on-wasteful-neutered-arm64e.js	                        (rev 0)
+++ trunk/JSTests/stress/byte-offset-on-wasteful-neutered-arm64e.js	2020-04-17 21:48:21 UTC (rev 260289)
@@ -0,0 +1,21 @@
+function foo(o) {
+    return o.byteOffset;
+}
+noInline(foo);
+
+function assert(b) {
+    if (!b)
+        throw new Error;
+}
+
+var array = new Int8Array(new ArrayBuffer(100));
+
+for (let i = 0; i < 1000; ++i) {
+    assert(foo(array) === 0);
+}
+
+transferArrayBuffer(array.buffer)
+
+for (let i = 0; i < 10000; ++i) {
+    assert(foo(array) === 0);
+}
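Review bot: The new test carries no comment saying what it exercises, and `transferArrayBuffer(array.buffer)` is the one statement in the file without a terminating semicolon. A header line such as `// Regression test for https://bugs.webkit.org/show_bug.cgi?id=210631: byteOffset of a wasteful typed array must read 0 after its buffer is transferred, including on arm64e where the null vector is signed.` ties the second loop to the bug being fixed, since nothing in the file itself explains why the post-transfer loop matters. Changing the call to `transferArrayBuffer(array.buffer);` keeps the file consistent with its other statements.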

Modified: trunk/Source/_javascript_Core/ChangeLog (260288 => 260289)


--- trunk/Source/_javascript_Core/ChangeLog	2020-04-17 21:34:43 UTC (rev 260288)
+++ trunk/Source/_javascript_Core/ChangeLog	2020-04-17 21:48:21 UTC (rev 260289)
@@ -1,3 +1,23 @@
+2020-04-17  Saam Barati  <[email protected]>
+
+        GetTypedArrayByteOffset is broken on arm64e
+        https://bugs.webkit.org/show_bug.cgi?id=210631
+
+        Reviewed by Mark Lam.
+
+        The vector of JSArrayBufferView is signed even when null on arm64e.  However, we were
+        comparing against zero, which is wrong. This patch changes it so we do the right thing
+        and instead compare against whatever constant (ptr=nullptr,size=0) signs as.
+
+        * dfg/DFGSpeculativeJIT.cpp:
+        (JSC::DFG::SpeculativeJIT::compileGetTypedArrayByteOffset):
+        * ftl/FTLLowerDFGToB3.cpp:
+        (JSC::FTL::DFG::LowerDFGToB3::compileGetTypedArrayByteOffset):
+        * runtime/CagedBarrierPtr.h:
+        (JSC::CagedBarrierPtr::rawBits const):
+        * runtime/JSArrayBufferView.h:
+        (JSC::JSArrayBufferView::nullVectorPtr):
+
 2020-04-17  Yusuke Suzuki  <[email protected]>
 
         [JSC] We do not need to have exit-check for Map/Set iterator functions

Modified: trunk/Source/_javascript_Core/dfg/DFGSpeculativeJIT.cpp (260288 => 260289)


--- trunk/Source/_javascript_Core/dfg/DFGSpeculativeJIT.cpp	2020-04-17 21:34:43 UTC (rev 260288)
+++ trunk/Source/_javascript_Core/dfg/DFGSpeculativeJIT.cpp	2020-04-17 21:48:21 UTC (rev 260289)
@@ -6906,9 +6906,7 @@
 
     m_jit.loadPtr(MacroAssembler::Address(baseGPR, JSArrayBufferView::offsetOfVector()), vectorGPR);
 
-    // FIXME: This should mask the PAC bits
-    // https://bugs.webkit.org/show_bug.cgi?id=197701
-    JITCompiler::Jump nullVector = m_jit.branchTestPtr(JITCompiler::Zero, vectorGPR);
+    JITCompiler::Jump nullVector = m_jit.branchPtr(JITCompiler::Equal, vectorGPR, TrustedImmPtr(JSArrayBufferView::nullVectorPtr()));
 
     m_jit.loadPtr(MacroAssembler::Address(baseGPR, JSObject::butterflyOffset()), dataGPR);
     m_jit.cageWithoutUntagging(Gigacage::JSValue, dataGPR);
@@ -6927,11 +6925,17 @@
     
     JITCompiler::Jump done = m_jit.jump();
     
+#if CPU(ARM64E)
+    nullVector.link(&m_jit);
+#endif
     emptyByteOffset.link(&m_jit);
     m_jit.move(TrustedImmPtr(nullptr), vectorGPR);
     
     done.link(&m_jit);
+#if !CPU(ARM64E)
+    ASSERT(!JSArrayBufferView::nullVectorPtr());
     nullVector.link(&m_jit);
+#endif
 
     strictInt32Result(vectorGPR, node);
 }
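Review bot: The `#if CPU(ARM64E)` / `#if !CPU(ARM64E)` pair links `nullVector` to two different places, and the non-ARM64E arm is only correct because vectorGPR already holds zero when the compare against `nullVectorPtr()` succeeds, which is what the added ASSERT records. Linking the jump unconditionally to the path that materialises zero is simpler and holds on every target: drop both conditional blocks and put a single `nullVector.link(&m_jit);` immediately before `emptyByteOffset.link(&m_jit);`, at the cost of one `move` on the null-vector path. If the conditional form is kept, a comment before the first `#if` such as `// On arm64e the null vector is a signed, non-zero pattern, so it must take the zeroing path; elsewhere it is already 0.` would make the asymmetry explicit rather than implied by the ASSERT. compileGetTypedArrayByteOffset begins before this hunk.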

Modified: trunk/Source/_javascript_Core/ftl/FTLLowerDFGToB3.cpp (260288 => 260289)


--- trunk/Source/_javascript_Core/ftl/FTLLowerDFGToB3.cpp	2020-04-17 21:34:43 UTC (rev 260288)
+++ trunk/Source/_javascript_Core/ftl/FTLLowerDFGToB3.cpp	2020-04-17 21:48:21 UTC (rev 260289)
@@ -4121,27 +4121,22 @@
     {
         LValue basePtr = lowCell(m_node->child1());    
 
-        LBasicBlock simpleCase = m_out.newBlock();
         LBasicBlock wastefulCase = m_out.newBlock();
         LBasicBlock notNull = m_out.newBlock();
         LBasicBlock continuation = m_out.newBlock();
         
+        ValueFromBlock nullVectorOut = m_out.anchor(m_out.constIntPtr(0));
+
         LValue mode = m_out.load32(basePtr, m_heaps.JSArrayBufferView_mode);
         m_out.branch(
             m_out.notEqual(mode, m_out.constInt32(WastefulTypedArray)),
-            unsure(simpleCase), unsure(wastefulCase));
+            unsure(continuation), unsure(wastefulCase));
 
-        LBasicBlock lastNext = m_out.appendTo(simpleCase, wastefulCase);
+        LBasicBlock lastNext = m_out.appendTo(wastefulCase, notNull);
 
-        ValueFromBlock simpleOut = m_out.anchor(m_out.constIntPtr(0));
-
-        m_out.jump(continuation);
-
-        m_out.appendTo(wastefulCase, notNull);
-
         LValue vector = m_out.loadPtr(basePtr, m_heaps.JSArrayBufferView_vector);
-        ValueFromBlock nullVectorOut = m_out.anchor(vector);
-        m_out.branch(vector, unsure(notNull), unsure(continuation));
+        m_out.branch(m_out.equal(vector, m_out.constIntPtr(JSArrayBufferView::nullVectorPtr())), 
+            unsure(continuation), unsure(notNull));
 
         m_out.appendTo(notNull, continuation);
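Review bot: The single `nullVectorOut` anchor taken before the mode branch now feeds `continuation` from two different edges (the non-wasteful path straight from the entry block, and the null-vector exit of `wastefulCase`), and that the anchored value is meant to survive the intervening `wastefulCase` block is not obvious from block order alone; a comment above the anchor such as `// Anchored before the branch: both the non-wasteful case and a null vector in the wasteful case produce byteOffset 0 through this value.` would spare the next reader from re-deriving it. The compare against `JSArrayBufferView::nullVectorPtr()` instead of a zero test is the actual fix and deserves its own why-comment, e.g. `// On arm64e the vector is signed even when null, so compare against the signed null pattern, not 0.`. The `m_out.branch(` line also has trailing whitespace after the comma. The function's signature is outside this hunk and its body continues past it.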
 
@@ -4160,7 +4155,7 @@
         m_out.jump(continuation);
         m_out.appendTo(continuation, lastNext);
 
-        setInt32(m_out.castToInt32(m_out.phi(pointerType(), simpleOut, nullVectorOut, wastefulOut)));
+        setInt32(m_out.castToInt32(m_out.phi(pointerType(), nullVectorOut, wastefulOut)));
     }
 
     void compileGetPrototypeOf()

Modified: trunk/Source/_javascript_Core/runtime/CagedBarrierPtr.h (260288 => 260289)


--- trunk/Source/_javascript_Core/runtime/CagedBarrierPtr.h	2020-04-17 21:34:43 UTC (rev 260288)
+++ trunk/Source/_javascript_Core/runtime/CagedBarrierPtr.h	2020-04-17 21:48:21 UTC (rev 260289)
@@ -84,6 +84,11 @@
     
     template<typename U>
     void setWithoutBarrier(U&& value, unsigned size) { m_barrier.setWithoutBarrier(CagedType(std::forward<U>(value), size)); }
+
+    T* rawBits() const
+    {
+        return m_barrier.get().rawBits();
+    }
     
 private:
     AuxiliaryBarrier<CagedType> m_barrier;
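Review bot: `rawBits()` is undocumented and, unlike the existing accessors, hands back the stored bits as a `T*` that presumably still carries the cage tag or signature (the CagedPtr side of this commit produces it with a bitwise_cast of `m_ptr`), so the result must never be dereferenced. A comment above it, `// The stored bits (tag/signature included) reinterpreted as T*. Only meaningful for bitwise comparison, e.g. against a null VectorPtr; never dereference.`, would keep callers honest. The enclosing class begins before this hunk.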

Modified: trunk/Source/_javascript_Core/runtime/JSArrayBufferView.h (260288 => 260289)


--- trunk/Source/_javascript_Core/runtime/JSArrayBufferView.h	2020-04-17 21:34:43 UTC (rev 260288)
+++ trunk/Source/_javascript_Core/runtime/JSArrayBufferView.h	2020-04-17 21:48:21 UTC (rev 260289)
@@ -105,6 +105,12 @@
 
     static constexpr unsigned fastSizeLimit = 1000;
     using VectorPtr = CagedBarrierPtr<Gigacage::Primitive, void, tagCagedPtr>;
+
+    static void* nullVectorPtr()
+    {
+        VectorPtr null { };
+        return null.rawBits();
+    }
     
     static size_t sizeOf(uint32_t length, uint32_t elementSize)
     {
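Review bot: `nullVectorPtr()` returns bits that the DFG and FTL callers use purely for comparison, yet nothing states that the value is not a usable pointer nor what it is on non-arm64e targets. A comment such as `// The bit pattern a null, zero-sized VectorPtr stores: its signed form on arm64e, nullptr elsewhere. For comparison with a loaded vector only; never dereference.` would document the contract, and the non-arm64e guarantee belongs here rather than only in the ASSERT at the DFG call site. The enclosing class starts before this hunk.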

Modified: trunk/Source/WTF/ChangeLog (260288 => 260289)


--- trunk/Source/WTF/ChangeLog	2020-04-17 21:34:43 UTC (rev 260288)
+++ trunk/Source/WTF/ChangeLog	2020-04-17 21:48:21 UTC (rev 260289)
@@ -1,3 +1,13 @@
+2020-04-17  Saam Barati  <[email protected]>
+
+        GetTypedArrayByteOffset is broken on arm64e
+        https://bugs.webkit.org/show_bug.cgi?id=210631
+
+        Reviewed by Mark Lam.
+
+        * wtf/CagedPtr.h:
+        (WTF::CagedPtr::rawBits const):
+
 2020-04-17  Peng Liu  <[email protected]>
 
         Cleanup the macros for video fullscreen and picture-in-picture

Modified: trunk/Source/WTF/wtf/CagedPtr.h (260288 => 260289)


--- trunk/Source/WTF/wtf/CagedPtr.h	2020-04-17 21:34:43 UTC (rev 260288)
+++ trunk/Source/WTF/wtf/CagedPtr.h	2020-04-17 21:48:21 UTC (rev 260289)
@@ -127,6 +127,11 @@
     {
         return getUnsafe() != nullptr;
     }
+
+    T* rawBits() const
+    {
+        return bitwise_cast<T*>(m_ptr);
+    }
     
 protected:
     static inline T* mergePointers(T* sourcePtr, T* cagedPtr)
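Review bot: `rawBits()` reinterprets `m_ptr` as `T*` with any tag or signature bits left in place, whereas the `operator bool` just above it goes through `getUnsafe()`; the distinction needs stating so the result is not mistaken for a dereferenceable pointer. Suggest `// The stored word, tag/signature bits included, reinterpreted as T*. Comparable against another rawBits() value only; not a usable pointer.` above the method. The enclosing class template starts before and continues past this hunk.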