Title: [271313] branches/safari-610.4.3.0-branch/Source/JavaScriptCore
- Revision: 271313
- Author: [email protected]
- Date: 2021-01-08 12:04:07 -0800 (Fri, 08 Jan 2021)
Log Message
Cherry-pick r271240. rdar://problem/72935204
The scratch register should be different from the target register when calling validateUntaggedPtr.
https://bugs.webkit.org/show_bug.cgi?id=220397
rdar://72771069
Reviewed by Yusuke Suzuki.
* assembler/MacroAssemblerARM64E.h:
(JSC::MacroAssemblerARM64E::validateUntaggedPtr):
- Added an ASSERT to enforce this invariant.
* jit/ThunkGenerators.cpp:
(JSC::emitPointerValidation):
- emitPointerValidation() was reusing the target register as the scratch register.
This is a holdover from the previous way of doing the validation (which had a
bug). With the validation bug fixed, this register reuse is no longer allowed.
git-svn-id: https://svn.webkit.org/repository/webkit/trunk@271240 268f45cc-cd09-0410-ab3c-d52691b4dbfc
Diff
Modified: branches/safari-610.4.3.0-branch/Source/_javascript_Core/ChangeLog (271312 => 271313)
--- branches/safari-610.4.3.0-branch/Source/_javascript_Core/ChangeLog 2021-01-08 20:04:03 UTC (rev 271312)
+++ branches/safari-610.4.3.0-branch/Source/_javascript_Core/ChangeLog 2021-01-08 20:04:07 UTC (rev 271313)
@@ -1,5 +1,43 @@
2021-01-08 Kocsen Chung <[email protected]>
+ Cherry-pick r271240. rdar://problem/72935204
+
+ The scratch register should be different from the target register when calling validateUntaggedPtr.
+ https://bugs.webkit.org/show_bug.cgi?id=220397
+ rdar://72771069
+
+ Reviewed by Yusuke Suzuki.
+
+ * assembler/MacroAssemblerARM64E.h:
+ (JSC::MacroAssemblerARM64E::validateUntaggedPtr):
+ - Added an ASSERT to enforce this invariant.
+ * jit/ThunkGenerators.cpp:
+ (JSC::emitPointerValidation):
+ - emitPointerValidation() was reusing the target register as the scratch register.
+ This is a hold over from the previous way of doing the validation (which had a
+ bug). With the validation bug fixed, this register reuse is no longer allowed.
+
+ git-svn-id: https://svn.webkit.org/repository/webkit/trunk@271240 268f45cc-cd09-0410-ab3c-d52691b4dbfc
+
+ 2021-01-07 Mark Lam <[email protected]>
+
+ The scratch register should be different from the target register when calling validateUntaggedPtr.
+ https://bugs.webkit.org/show_bug.cgi?id=220397
+ rdar://72771069
+
+ Reviewed by Yusuke Suzuki.
+
+ * assembler/MacroAssemblerARM64E.h:
+ (JSC::MacroAssemblerARM64E::validateUntaggedPtr):
+ - Added an ASSERT to enforce this invariant.
+ * jit/ThunkGenerators.cpp:
+ (JSC::emitPointerValidation):
+ - emitPointerValidation() was reusing the target register as the scratch register.
+ This is a hold over from the previous way of doing the validation (which had a
+ bug). With the validation bug fixed, this register reuse is no longer allowed.
+
+2021-01-08 Kocsen Chung <[email protected]>
+
Cherry-pick r271144. rdar://problem/72935400
propertyNameEnumerator must check it can still take the fast path after getGenericPropertyNames
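Review bot: The new ChangeLog entry refers to "the previous way of doing the validation (which had a bug)" and says "With the validation bug fixed" without naming the revision or bug that fixed it. For a branch cherry-pick that matters, because this change is only correct if that earlier fix is also present on safari-610.4.3.0-branch. Please cite the fixing revision in the entry so the dependency can be checked, and state in one sentence what goes wrong when target and scratch alias, so the reason for the invariant is recorded next to it.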
Modified: branches/safari-610.4.3.0-branch/Source/_javascript_Core/assembler/MacroAssemblerARM64E.h (271312 => 271313)
--- branches/safari-610.4.3.0-branch/Source/_javascript_Core/assembler/MacroAssemblerARM64E.h 2021-01-08 20:04:03 UTC (rev 271312)
+++ branches/safari-610.4.3.0-branch/Source/_javascript_Core/assembler/MacroAssemblerARM64E.h 2021-01-08 20:04:07 UTC (rev 271313)
@@ -84,6 +84,7 @@
scratch = getCachedDataTempRegisterIDAndInvalidate();
DisallowMacroScratchRegisterUsage disallowScope(*this);
+ ASSERT(target != scratch);
rshift64(target, TrustedImm32(8), scratch);
and64(TrustedImm64(0xff000000000000), scratch, scratch);
or64(target, scratch, scratch);
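Review bot: The invariant is enforced with ASSERT(target != scratch), which is compiled out of release builds, so a future caller that aliases the two registers would only be caught in debug configurations. With aliasing, rshift64(target, TrustedImm32(8), scratch) overwrites target before or64(target, scratch, scratch) reads it, so the pointer validation would be computed from a clobbered value rather than from the untagged pointer. The check runs once per emitted sequence at code-generation time, so RELEASE_ASSERT(target != scratch) costs essentially nothing and keeps the guarantee in shipping builds. A short comment above the assert explaining that target must survive the shift would also help.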
Modified: branches/safari-610.4.3.0-branch/Source/_javascript_Core/jit/ThunkGenerators.cpp (271312 => 271313)
--- branches/safari-610.4.3.0-branch/Source/_javascript_Core/jit/ThunkGenerators.cpp 2021-01-08 20:04:03 UTC (rev 271312)
+++ branches/safari-610.4.3.0-branch/Source/_javascript_Core/jit/ThunkGenerators.cpp 2021-01-08 20:04:07 UTC (rev 271313)
@@ -49,7 +49,7 @@
isNonZero.link(&jit);
jit.pushToSave(pointerGPR);
jit.untagPtr(tag, pointerGPR);
- jit.validateUntaggedPtr(pointerGPR, pointerGPR);
+ jit.validateUntaggedPtr(pointerGPR);
jit.popToRestore(pointerGPR);
}
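Review bot: Dropping the second argument in jit.validateUntaggedPtr(pointerGPR) means the scratch now comes from getCachedDataTempRegisterIDAndInvalidate(), as seen in the MacroAssemblerARM64E.h hunk, so emitPointerValidation() now clobbers the data temp register where it previously touched only pointerGPR (which is saved and restored by pushToSave/popToRestore). Nothing in this hunk shows that every thunk calling emitPointerValidation() tolerates that, or that pointerGPR can never be the data temp register itself. Please confirm both, and add a comment here noting the extra clobbered register. The patch also touches only ChangeLog, the header and this file, so there is no test covering the aliasing case; a debug-build test that exercises these thunks on ARM64E would guard against the reuse creeping back.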