Title: [271309] branches/safari-610.4.3.0-branch/Source/_javascript_Core
Revision
271309
Author
[email protected]
Date
2021-01-08 11:53:01 -0800 (Fri, 08 Jan 2021)

Log Message

Cherry-pick r271240. rdar://problem/72935204

    The scratch register should be different from the target register when calling validateUntaggedPtr.
    https://bugs.webkit.org/show_bug.cgi?id=220397
    rdar://72771069

    Reviewed by Yusuke Suzuki.

    * assembler/MacroAssemblerARM64E.h:
    (JSC::MacroAssemblerARM64E::validateUntaggedPtr):
    - Added an ASSERT to enforce this invariant.
    * jit/ThunkGenerators.cpp:
    (JSC::emitPointerValidation):
    - emitPointerValidation() was reusing the target register as the scratch register.
      This is a hold over from the previous way of doing the validation (which had a
      bug).  With the validation bug fixed, this register reuse is no longer allowed.

    git-svn-id: https://svn.webkit.org/repository/webkit/trunk@271240 268f45cc-cd09-0410-ab3c-d52691b4dbfc

Modified Paths

Diff

Modified: branches/safari-610.4.3.0-branch/Source/_javascript_Core/ChangeLog (271308 => 271309)


--- branches/safari-610.4.3.0-branch/Source/_javascript_Core/ChangeLog	2021-01-08 19:52:57 UTC (rev 271308)
+++ branches/safari-610.4.3.0-branch/Source/_javascript_Core/ChangeLog	2021-01-08 19:53:01 UTC (rev 271309)
@@ -1,5 +1,43 @@
 2021-01-08  Kocsen Chung  <[email protected]>
 
+        Cherry-pick r271240. rdar://problem/72935204
+
+    The scratch register should be different from the target register when calling validateUntaggedPtr.
+    https://bugs.webkit.org/show_bug.cgi?id=220397
+    rdar://72771069
+    
+    Reviewed by Yusuke Suzuki.
+    
+    * assembler/MacroAssemblerARM64E.h:
+    (JSC::MacroAssemblerARM64E::validateUntaggedPtr):
+    - Added an ASSERT to enforce this invariant.
+    * jit/ThunkGenerators.cpp:
+    (JSC::emitPointerValidation):
+    - emitPointerValidation() was reusing the target register as the scratch register.
+      This is a hold over from the previous way of doing the validation (which had a
+      bug).  With the validation bug fixed, this register reuse is no longer allowed.
+    
+    git-svn-id: https://svn.webkit.org/repository/webkit/trunk@271240 268f45cc-cd09-0410-ab3c-d52691b4dbfc
+
+    2021-01-07  Mark Lam  <[email protected]>
+
+            The scratch register should be different from the target register when calling validateUntaggedPtr.
+            https://bugs.webkit.org/show_bug.cgi?id=220397
+            rdar://72771069
+
+            Reviewed by Yusuke Suzuki.
+
+            * assembler/MacroAssemblerARM64E.h:
+            (JSC::MacroAssemblerARM64E::validateUntaggedPtr):
+            - Added an ASSERT to enforce this invariant.
+            * jit/ThunkGenerators.cpp:
+            (JSC::emitPointerValidation):
+            - emitPointerValidation() was reusing the target register as the scratch register.
+              This is a hold over from the previous way of doing the validation (which had a
+              bug).  With the validation bug fixed, this register reuse is no longer allowed.
+
+2021-01-08  Kocsen Chung  <[email protected]>
+
         Cherry-pick r271144. rdar://problem/72935400
 
     propertyNameEnumerator must check it can still take the fast path after getGenericPropertyNames
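Review bot: the nested ChangeLog entry describes the jit/ThunkGenerators.cpp change only as dropping the target-as-scratch register reuse, but the hunk in that file also wraps the entire validation sequence in `if (!Options::useJITCage()) { ... }`, which skips pointer validation altogether when the JIT cage is enabled. That is a behavioural change beyond the register fix and should be recorded, with its rationale, under the `(JSC::emitPointerValidation):` bullet. The indentation of the cherry-picked entry under the cherry-pick header matches the existing `Cherry-pick r271144` entry below it, so the formatting is consistent.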

Modified: branches/safari-610.4.3.0-branch/Source/_javascript_Core/assembler/MacroAssemblerARM64E.h (271308 => 271309)


--- branches/safari-610.4.3.0-branch/Source/_javascript_Core/assembler/MacroAssemblerARM64E.h	2021-01-08 19:52:57 UTC (rev 271308)
+++ branches/safari-610.4.3.0-branch/Source/_javascript_Core/assembler/MacroAssemblerARM64E.h	2021-01-08 19:53:01 UTC (rev 271309)
@@ -84,6 +84,7 @@
             scratch = getCachedDataTempRegisterIDAndInvalidate();
 
         DisallowMacroScratchRegisterUsage disallowScope(*this);
+        ASSERT(target != scratch);
         rshift64(target, TrustedImm32(8), scratch);
         and64(TrustedImm64(0xff000000000000), scratch, scratch);
         or64(target, scratch, scratch);
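Review bot: `ASSERT(target != scratch);` is debug-only, so in a release build a caller that passes the same register for both would still get a silently broken check: `rshift64(target, TrustedImm32(8), scratch);` overwrites the shared register before `or64(target, scratch, scratch);` reads `target`, so the OR would combine the shifted value with itself instead of with the original pointer. Since this sequence is a pointer-authentication safety check, consider whether a `RELEASE_ASSERT` is warranted, or at least document the precondition on the function. Placing the assert after the `scratch = getCachedDataTempRegisterIDAndInvalidate();` fallback is right, since it then also covers the default-scratch path.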

Modified: branches/safari-610.4.3.0-branch/Source/_javascript_Core/jit/ThunkGenerators.cpp (271308 => 271309)


--- branches/safari-610.4.3.0-branch/Source/_javascript_Core/jit/ThunkGenerators.cpp	2021-01-08 19:52:57 UTC (rev 271308)
+++ branches/safari-610.4.3.0-branch/Source/_javascript_Core/jit/ThunkGenerators.cpp	2021-01-08 19:53:01 UTC (rev 271309)
@@ -44,13 +44,15 @@
 {
     if (!ASSERT_ENABLED)
         return;
-    CCallHelpers::Jump isNonZero = jit.branchTestPtr(CCallHelpers::NonZero, pointerGPR);
-    jit.abortWithReason(TGInvalidPointer);
-    isNonZero.link(&jit);
-    jit.pushToSave(pointerGPR);
-    jit.untagPtr(tag, pointerGPR);
-    jit.validateUntaggedPtr(pointerGPR, pointerGPR);
-    jit.popToRestore(pointerGPR);
+    if (!Options::useJITCage()) {
+        CCallHelpers::Jump isNonZero = jit.branchTestPtr(CCallHelpers::NonZero, pointerGPR);
+        jit.abortWithReason(TGInvalidPointer);
+        isNonZero.link(&jit);
+        jit.pushToSave(pointerGPR);
+        jit.untagPtr(tag, pointerGPR);
+        jit.validateUntaggedPtr(pointerGPR);
+        jit.popToRestore(pointerGPR);
+    }
 }
 
 // We will jump here if the JIT code tries to make a call, but the
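Review bot: the new `if (!Options::useJITCage())` guard nests the whole body one level deeper immediately after an early `return`; folding the two conditions into a single early exit, `if (!ASSERT_ENABLED || Options::useJITCage()) return;`, keeps the function flat and makes the intent explicit. The switch from `jit.validateUntaggedPtr(pointerGPR, pointerGPR);` to `jit.validateUntaggedPtr(pointerGPR);` now relies on the one-argument form choosing its own scratch register (the `getCachedDataTempRegisterIDAndInvalidate()` fallback in the MacroAssemblerARM64E.h hunk), which is what makes the new `ASSERT(target != scratch)` hold; a one-line comment at the call site saying that the scratch must not alias `pointerGPR` would stop the old two-argument form from being reintroduced.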
_______________________________________________
webkit-changes mailing list
[email protected]
https://lists.webkit.org/mailman/listinfo/webkit-changes
