Modified: trunk/Source/_javascript_Core/ChangeLog (280983 => 280984)
--- trunk/Source/_javascript_Core/ChangeLog 2021-08-12 20:35:58 UTC (rev 280983)
+++ trunk/Source/_javascript_Core/ChangeLog 2021-08-12 20:45:02 UTC (rev 280984)
@@ -1,3 +1,26 @@
+2021-08-12 Saam Barati <sbar...@apple.com>
+
+ Update ARM64EHash
+ https://bugs.webkit.org/show_bug.cgi?id=228962
+ <rdar://79883337>
+
+ Reviewed by Mark Lam.
+
+ * assembler/AssemblerBuffer.h:
+ (JSC::ARM64EHash::makeDiversifier):
+ (JSC::ARM64EHash::nextValue):
+ (JSC::ARM64EHash::bitsForDiversifier):
+ (JSC::ARM64EHash::currentHash):
+ (JSC::ARM64EHash::setUpdatedHash):
+ (JSC::ARM64EHash::ARM64EHash):
+ (JSC::ARM64EHash::update):
+ (JSC::ARM64EHash::finalize):
+ (JSC::AssemblerBuffer::AssemblerBuffer):
+ (JSC::AssemblerBuffer::putIntegralUnchecked):
+ (JSC::AssemblerBuffer::hash const):
+ * assembler/LinkBuffer.cpp:
+ (JSC::LinkBuffer::copyCompactAndLinkCode):
+
2021-08-11 Yusuke Suzuki <ysuz...@apple.com>
WTFCrash in JSC::Lexer<char16_t>::append8
Modified: trunk/Source/_javascript_Core/assembler/AssemblerBuffer.h (280983 => 280984)
--- trunk/Source/_javascript_Core/assembler/AssemblerBuffer.h 2021-08-12 20:35:58 UTC (rev 280983)
+++ trunk/Source/_javascript_Core/assembler/AssemblerBuffer.h 2021-08-12 20:45:02 UTC (rev 280984)
@@ -205,22 +205,62 @@
#if CPU(ARM64E)
class ARM64EHash {
public:
- ARM64EHash(uint32_t initialHash)
- : m_hash(initialHash)
+ static constexpr uint8_t initializationNamespace = 0x11;
+
+ static ALWAYS_INLINE PtrTag makeDiversifier(uint8_t namespaceTag, uint64_t index, uint32_t value)
{
+ // <namespaceTag:8><index:24><value:32>
+ return static_cast<PtrTag>((static_cast<uint64_t>(namespaceTag) << 56) + ((index & 0xFFFFFF) << 32) + static_cast<uint64_t>(value));
}
- ALWAYS_INLINE uint32_t update(uint32_t value)
+ static ALWAYS_INLINE uint32_t nextValue(uint64_t instruction, uint64_t index, uint32_t currentValue)
{
- uint64_t input = value ^ m_hash;
- uint64_t a = static_cast<uint32_t>(tagInt(input, static_cast<PtrTag>(0)) >> 39);
- uint64_t b = tagInt(input, static_cast<PtrTag>(0xb7e151628aed2a6a)) >> 23;
- m_hash = a ^ b;
- return m_hash;
+ uint64_t a = tagInt(instruction, makeDiversifier(0x12, index, currentValue));
+ uint64_t b = tagInt(instruction, makeDiversifier(0x13, index, currentValue));
+ return static_cast<uint32_t>((a >> 39) ^ (b >> 23));
}
+ static ALWAYS_INLINE uint32_t bitsForDiversifier(void* diversifier)
+ {
+ return static_cast<uint32_t>(bitwise_cast<uintptr_t>(diversifier));
+ }
+
+ ALWAYS_INLINE uint32_t currentHash(uint32_t index, void* diversifier)
+ {
+ uint64_t result;
+ bool hashFieldIsTagged = index == 0;
+ if (hashFieldIsTagged)
+ result = untagInt(m_hash, makeDiversifier(initializationNamespace, index, bitsForDiversifier(diversifier)));
+ else
+ result = m_hash;
+ return static_cast<uint32_t>(result);
+ }
+
+ ALWAYS_INLINE void setUpdatedHash(uint32_t value, uint32_t index, void* diversifier)
+ {
+ bool shouldTagHashField = index == 0;
+ if (shouldTagHashField)
+ m_hash = tagInt(static_cast<uint64_t>(value), makeDiversifier(initializationNamespace, index, bitsForDiversifier(diversifier)));
+ else
+ m_hash = value;
+ }
+
+ ARM64EHash(void* diversifier)
+ {
+ setUpdatedHash(0, 0, diversifier);
+ }
+
+ ALWAYS_INLINE uint32_t update(uint32_t instruction, uint32_t index, void* diversifier)
+ {
+ uint32_t currentHash = this->currentHash(index, diversifier);
+ uint64_t nextIndex = index + 1;
+ uint32_t output = nextValue(instruction, nextIndex, currentHash);
+ setUpdatedHash(output, nextIndex, diversifier);
+ return output;
+ }
+
private:
- uint32_t m_hash;
+ uint64_t m_hash;
};
#endif
@@ -230,7 +270,7 @@
: m_storage()
, m_index(0)
#if CPU(ARM64E)
- , m_hash(static_cast<uint32_t>(bitwise_cast<uint64_t>(this)))
+ , m_hash(this)
, m_hashes()
#endif
{
@@ -388,7 +428,7 @@
#if CPU(ARM64)
static_assert(sizeof(value) == 4, "");
#if CPU(ARM64E)
- uint32_t hash = m_hash.update(value);
+ uint32_t hash = m_hash.update(value, m_index / sizeof(IntegralType), this);
WTF::unalignedStore<uint32_t>(m_hashes.buffer() + m_index, hash);
#endif
#endif
Modified: trunk/Source/_javascript_Core/assembler/LinkBuffer.cpp (280983 => 280984)
--- trunk/Source/_javascript_Core/assembler/LinkBuffer.cpp 2021-08-12 20:35:58 UTC (rev 280983)
+++ trunk/Source/_javascript_Core/assembler/LinkBuffer.cpp 2021-08-12 20:45:02 UTC (rev 280984)
@@ -245,7 +245,8 @@
m_assemblerStorage = macroAssembler.m_assembler.buffer().releaseAssemblerData();
uint8_t* inData = bitwise_cast<uint8_t*>(m_assemblerStorage.buffer());
#if CPU(ARM64E)
- ARM64EHash verifyUncompactedHash { static_cast<uint32_t>(bitwise_cast<uint64_t>(¯oAssembler.m_assembler.buffer())) };
+ void* bufferPtr = ¯oAssembler.m_assembler.buffer();
+ ARM64EHash verifyUncompactedHash { bufferPtr };
m_assemblerHashesStorage = macroAssembler.m_assembler.buffer().releaseAssemblerHashes();
uint32_t* inHashes = bitwise_cast<uint32_t*>(m_assemblerHashesStorage.buffer());
#endif
@@ -267,8 +268,8 @@
auto read = [&](const InstructionType* ptr) -> InstructionType {
InstructionType value = *ptr;
#if CPU(ARM64E)
- uint32_t hash = verifyUncompactedHash.update(value);
unsigned index = (bitwise_cast<uint8_t*>(ptr) - inData) / 4;
+ uint32_t hash = verifyUncompactedHash.update(value, index, bufferPtr);
RELEASE_ASSERT(inHashes[index] == hash);
#endif
return value;
