Title: [271240] trunk/Source/_javascript_Core
Revision
271240
Author
[email protected]
Date
2021-01-07 09:33:24 -0800 (Thu, 07 Jan 2021)

Log Message

The scratch register should be different from the target register when calling validateUntaggedPtr.
https://bugs.webkit.org/show_bug.cgi?id=220397
rdar://72771069

Reviewed by Yusuke Suzuki.

* assembler/MacroAssemblerARM64E.h:
(JSC::MacroAssemblerARM64E::validateUntaggedPtr):
- Added an ASSERT to enforce this invariant.
* jit/ThunkGenerators.cpp:
(JSC::emitPointerValidation):
- emitPointerValidation() was reusing the target register as the scratch register.
  This is a holdover from the previous way of doing the validation (which had a
  bug).  With the validation bug fixed, this register reuse is no longer allowed.

Modified Paths

Diff

Modified: trunk/Source/_javascript_Core/ChangeLog (271239 => 271240)


--- trunk/Source/_javascript_Core/ChangeLog	2021-01-07 17:23:23 UTC (rev 271239)
+++ trunk/Source/_javascript_Core/ChangeLog	2021-01-07 17:33:24 UTC (rev 271240)
@@ -1,5 +1,22 @@
 2021-01-07  Mark Lam  <[email protected]>
 
+        The scratch register should be different from the target register when calling validateUntaggedPtr.
+        https://bugs.webkit.org/show_bug.cgi?id=220397
+        rdar://72771069
+
+        Reviewed by Yusuke Suzuki.
+
+        * assembler/MacroAssemblerARM64E.h:
+        (JSC::MacroAssemblerARM64E::validateUntaggedPtr):
+        - Added an ASSERT to enforce this invariant.
+        * jit/ThunkGenerators.cpp:
+        (JSC::emitPointerValidation):
+        - emitPointerValidation() was reusing the target register as the scratch register.
+          This is a hold over from the previous way of doing the validation (which had a
+          bug).  With the validation bug fixed, this register reuse is no longer allowed.
+
+2021-01-07  Mark Lam  <[email protected]>
+
         Remove some aliases of obsolete JSC options.
         https://bugs.webkit.org/show_bug.cgi?id=220402
 

Modified: trunk/Source/_javascript_Core/assembler/MacroAssemblerARM64E.h (271239 => 271240)


--- trunk/Source/_javascript_Core/assembler/MacroAssemblerARM64E.h	2021-01-07 17:23:23 UTC (rev 271239)
+++ trunk/Source/_javascript_Core/assembler/MacroAssemblerARM64E.h	2021-01-07 17:33:24 UTC (rev 271240)
@@ -87,6 +87,7 @@
             scratch = getCachedDataTempRegisterIDAndInvalidate();
 
         DisallowMacroScratchRegisterUsage disallowScope(*this);
+        ASSERT(target != scratch);
         rshift64(target, TrustedImm32(8), scratch);
         and64(TrustedImm64(0xff000000000000), scratch, scratch);
         or64(target, scratch, scratch);
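Review bot: ASSERT(target != scratch) only fires in debug builds, so a release build that passes the same register as target and scratch would still run the three-instruction sequence below silently and incorrectly: rshift64(target, TrustedImm32(8), scratch) overwrites target before or64(target, scratch, scratch) reads it, so the OR combines the shifted-and-masked value with itself and the untagged-pointer check no longer tests the original pointer bits. Given that this is the pointer-validation primitive for PAC-protected code, consider RELEASE_ASSERT(target != scratch) here (or a static check at the call sites) if the cost is acceptable, and note in a comment that the fallback scratch from getCachedDataTempRegisterIDAndInvalidate() a few lines above must likewise never alias target.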

Modified: trunk/Source/_javascript_Core/jit/ThunkGenerators.cpp (271239 => 271240)


--- trunk/Source/_javascript_Core/jit/ThunkGenerators.cpp	2021-01-07 17:23:23 UTC (rev 271239)
+++ trunk/Source/_javascript_Core/jit/ThunkGenerators.cpp	2021-01-07 17:33:24 UTC (rev 271240)
@@ -51,7 +51,7 @@
         isNonZero.link(&jit);
         jit.pushToSave(pointerGPR);
         jit.untagPtr(tag, pointerGPR);
-        jit.validateUntaggedPtr(pointerGPR, pointerGPR);
+        jit.validateUntaggedPtr(pointerGPR);
         jit.popToRestore(pointerGPR);
     }
 }
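Review bot: switching to the one-argument jit.validateUntaggedPtr(pointerGPR) removes the caller's ability to repeat the aliasing mistake, which is the right shape for the fix, but the hunk shows nothing that guarantees pointerGPR is not itself the cached data temp register that the header's fallback path (getCachedDataTempRegisterIDAndInvalidate()) will now hand back as scratch; if it ever were, the newly added ASSERT(target != scratch) would trip here. Suggest a short comment at this call site recording that pointerGPR is an argument register chosen by the thunk and never a macro scratch register, or an ASSERT to that effect beside jit.pushToSave(pointerGPR), so the invariant the ChangeLog describes is visible where it is relied upon.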
_______________________________________________
webkit-changes mailing list
[email protected]
https://lists.webkit.org/mailman/listinfo/webkit-changes