Changeset 245313 in webkit
- Timestamp:
- May 14, 2019 3:44:26 PM (5 years ago)
- Location:
- trunk
- Files:
-
- 6 edited
-
JSTests/ChangeLog (modified) (1 diff)
-
JSTests/stress/ftl-gettypedarrayoffset-wasteful.js (modified) (1 diff)
-
Source/JavaScriptCore/ChangeLog (modified) (1 diff)
-
Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp (modified) (2 diffs)
-
Source/JavaScriptCore/ftl/FTLLowerDFGToB3.cpp (modified) (4 diffs)
-
Source/JavaScriptCore/jit/IntrinsicEmitter.cpp (modified) (1 diff)
Legend:
- Unmodified
- Added
- Removed
-
trunk/JSTests/ChangeLog
r245288 r245313 1 2019-05-14 Keith Miller <keith_miller@apple.com> 2 3 Fix issue with byteOffset on ARM64E 4 https://bugs.webkit.org/show_bug.cgi?id=197884 5 6 Reviewed by Saam Barati. 7 8 We didn't have any tests that run with non-byte/non-zero offset 9 typed arrays. 10 11 * stress/ftl-gettypedarrayoffset-wasteful.js: 12 1 13 2019-05-14 Yusuke Suzuki <ysuzuki@apple.com> 2 14 -
trunk/JSTests/stress/ftl-gettypedarrayoffset-wasteful.js
r163324 r245313 8 8 var b = new Uint8Array(new ArrayBuffer(42), 0); 9 9 if (foo(b) != 0) 10 throw "error" 10 throw new Error(); 11 b = new Uint8Array(new ArrayBuffer(42), 5); 12 if (foo(b) !== 5) 13 throw new Error(); 14 b = new Int32Array(new ArrayBuffer(100000 * 4), i * 4); 15 if (foo(b) !== i * 4) 16 throw new Error(); 11 17 } 12 18 -
trunk/Source/JavaScriptCore/ChangeLog
r245311 r245313 1 2019-05-14 Keith Miller <keith_miller@apple.com> 2 3 Fix issue with byteOffset on ARM64E 4 https://bugs.webkit.org/show_bug.cgi?id=197884 5 6 Reviewed by Saam Barati. 7 8 We forgot to remove the tag from the ArrayBuffer's data 9 pointer. This corrupted data when computing the offset. We didn't 10 catch this because we didn't run any with a non-zero byteOffset in 11 the JITs. 12 13 * dfg/DFGSpeculativeJIT.cpp: 14 (JSC::DFG::SpeculativeJIT::compileGetTypedArrayByteOffset): 15 * ftl/FTLLowerDFGToB3.cpp: 16 (JSC::FTL::DFG::LowerDFGToB3::compileGetTypedArrayByteOffset): 17 (JSC::FTL::DFG::LowerDFGToB3::untagArrayPtr): 18 (JSC::FTL::DFG::LowerDFGToB3::removeArrayPtrTag): 19 (JSC::FTL::DFG::LowerDFGToB3::speculateTypedArrayIsNotNeutered): 20 * jit/IntrinsicEmitter.cpp: 21 (JSC::IntrinsicGetterAccessCase::emitIntrinsicGetter): 22 1 23 2019-05-14 Tadeu Zagallo <tzagallo@apple.com> 2 24 -
trunk/Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp
r245239 r245313 6795 6795 6796 6796 m_jit.loadPtr(MacroAssembler::Address(baseGPR, JSArrayBufferView::offsetOfVector()), vectorGPR); 6797 6798 // FIXME: This should mask the PAC bits 6799 // https://bugs.webkit.org/show_bug.cgi?id=197701 6797 6800 JITCompiler::Jump nullVector = m_jit.branchTestPtr(JITCompiler::Zero, vectorGPR); 6798 6801 … … 6806 6809 // https://bugs.webkit.org/show_bug.cgi?id=175515 6807 6810 m_jit.loadPtr(MacroAssembler::Address(arrayBufferGPR, ArrayBuffer::offsetOfData()), dataGPR); 6811 #if CPU(ARM64E) 6812 m_jit.removeArrayPtrTag(dataGPR); 6813 #endif 6814 6808 6815 m_jit.subPtr(dataGPR, vectorGPR); 6809 6816 -
trunk/Source/JavaScriptCore/ftl/FTLLowerDFGToB3.cpp
r245239 r245313 3916 3916 // https://bugs.webkit.org/show_bug.cgi?id=175515 3917 3917 LValue dataPtr = m_out.loadPtr(arrayBufferPtr, m_heaps.ArrayBuffer_data); 3918 dataPtr = removeArrayPtrTag(dataPtr); 3918 3919 3919 3920 ValueFromBlock wastefulOut = m_out.anchor(m_out.sub(vectorPtr, dataPtr)); … … 14104 14105 LValue untagArrayPtr(LValue ptr, LValue size) 14105 14106 { 14106 14107 #if !GIGACAGE_ENABLED && CPU(ARM64E) 14107 #if CPU(ARM64E) 14108 14108 PatchpointValue* authenticate = m_out.patchpoint(pointerType()); 14109 14109 authenticate->appendSomeRegister(ptr); … … 14118 14118 return ptr; 14119 14119 #endif 14120 } 14121 14122 LValue removeArrayPtrTag(LValue ptr) 14123 { 14124 #if CPU(ARM64E) 14125 PatchpointValue* authenticate = m_out.patchpoint(pointerType()); 14126 authenticate->appendSomeRegister(ptr); 14127 authenticate->setGenerator([=] (CCallHelpers& jit, const StackmapGenerationParams& params) { 14128 jit.move(params[1].gpr(), params[0].gpr()); 14129 jit.removeArrayPtrTag(params[0].gpr()); 14130 }); 14131 return authenticate; 14132 #endif 14133 return ptr; 14120 14134 } 14121 14135 … … 16575 16589 LBasicBlock lastNext = m_out.appendTo(isWasteful, continuation); 16576 16590 LValue vector = m_out.loadPtr(base, m_heaps.JSArrayBufferView_vector); 16577 #if !GIGACAGE_ENABLED && CPU(ARM64E) 16578 // FIXME: We could probably make this a mask. https://bugs.webkit.org/show_bug.cgi?id=197701 16579 PatchpointValue* authenticate = m_out.patchpoint(pointerType()); 16580 authenticate->appendSomeRegister(vector); 16581 authenticate->setGenerator([=] (CCallHelpers& jit, const StackmapGenerationParams& params) { 16582 jit.move(params[1].gpr(), params[0].gpr()); 16583 jit.removeArrayPtrTag(params[0].gpr()); 16584 }); 16585 vector = authenticate; 16586 #endif 16591 // FIXME: We could probably make this a mask. 16592 // https://bugs.webkit.org/show_bug.cgi?id=197701 16593 vector = removeArrayPtrTag(vector); 16587 16594 speculate(Uncountable, jsValueValue(vector), m_node, m_out.isZero64(vector)); 16588 16595 m_out.jump(continuation); -
trunk/Source/JavaScriptCore/jit/IntrinsicEmitter.cpp
r245064 r245313 115 115 jit.loadPtr(MacroAssembler::Address(baseGPR, JSObject::butterflyOffset()), scratchGPR); 116 116 jit.loadPtr(MacroAssembler::Address(baseGPR, JSArrayBufferView::offsetOfVector()), valueGPR); 117 #if !GIGACAGE_ENABLED &&CPU(ARM64E)117 #if CPU(ARM64E) 118 118 jit.removeArrayPtrTag(valueGPR); 119 119 #endif 120 120 jit.loadPtr(MacroAssembler::Address(scratchGPR, Butterfly::offsetOfArrayBuffer()), scratchGPR); 121 121 jit.loadPtr(MacroAssembler::Address(scratchGPR, ArrayBuffer::offsetOfData()), scratchGPR); 122 #if CPU(ARM64E) 123 jit.removeArrayPtrTag(scratchGPR); 124 #endif 122 125 jit.subPtr(scratchGPR, valueGPR); 123 126
Note: See TracChangeset
for help on using the changeset viewer.
