Fix issue with byteOffset on ARM64E
author keith_miller@apple.com <keith_miller@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Tue, 14 May 2019 22:44:26 +0000 (22:44 +0000)
committer keith_miller@apple.com <keith_miller@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Tue, 14 May 2019 22:44:26 +0000 (22:44 +0000)
commit e60ad58f96f95e855673935356a3bd510b4bf3a4
tree a2248ce388abe404904d62fbf5353d0a74c0fa55
parent 860ec17df4721d930cde3be949d75d2290fa6438
Fix issue with byteOffset on ARM64E
https://bugs.webkit.org/show_bug.cgi?id=197884

Reviewed by Saam Barati.

JSTests:

We didn't have any tests that run with non-byte/non-zero offset
typed arrays.

* stress/ftl-gettypedarrayoffset-wasteful.js:

Source/JavaScriptCore:

We forgot to remove the tag from the ArrayBuffer's data
pointer. This corrupted data when computing the offset.  We didn't
catch this because we didn't run any with a non-zero byteOffset in
the JITs.

* dfg/DFGSpeculativeJIT.cpp:
(JSC::DFG::SpeculativeJIT::compileGetTypedArrayByteOffset):
* ftl/FTLLowerDFGToB3.cpp:
(JSC::FTL::DFG::LowerDFGToB3::compileGetTypedArrayByteOffset):
(JSC::FTL::DFG::LowerDFGToB3::untagArrayPtr):
(JSC::FTL::DFG::LowerDFGToB3::removeArrayPtrTag):
(JSC::FTL::DFG::LowerDFGToB3::speculateTypedArrayIsNotNeutered):
* jit/IntrinsicEmitter.cpp:
(JSC::IntrinsicGetterAccessCase::emitIntrinsicGetter):

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@245313 268f45cc-cd09-0410-ab3c-d52691b4dbfc
JSTests/ChangeLog
JSTests/stress/ftl-gettypedarrayoffset-wasteful.js
Source/JavaScriptCore/ChangeLog
Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp
Source/JavaScriptCore/ftl/FTLLowerDFGToB3.cpp
Source/JavaScriptCore/jit/IntrinsicEmitter.cpp