macro assembler code-pointer tagging has its arguments backwards
authorsbarati@apple.com <sbarati@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Mon, 13 May 2019 21:34:43 +0000 (21:34 +0000)
committersbarati@apple.com <sbarati@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Mon, 13 May 2019 21:34:43 +0000 (21:34 +0000)
https://bugs.webkit.org/show_bug.cgi?id=197677

Reviewed by Michael Saboff.

We had the destination as the leftmost instead of the rightmost argument,
which goes against the convention of how we order arguments in macro assembler
methods.

* assembler/MacroAssemblerARM64E.h:
(JSC::MacroAssemblerARM64E::tagReturnAddress):
(JSC::MacroAssemblerARM64E::untagReturnAddress):
(JSC::MacroAssemblerARM64E::tagPtr):
(JSC::MacroAssemblerARM64E::untagPtr):
* dfg/DFGOSRExitCompilerCommon.cpp:
(JSC::DFG::reifyInlinedCallFrames):
* ftl/FTLThunks.cpp:
(JSC::FTL::genericGenerationThunkGenerator):
* jit/CCallHelpers.h:
(JSC::CCallHelpers::prepareForTailCallSlow):
* jit/CallFrameShuffler.cpp:
(JSC::CallFrameShuffler::prepareForTailCall):
* jit/ThunkGenerators.cpp:
(JSC::emitPointerValidation):
(JSC::arityFixupGenerator):
* wasm/js/WebAssemblyFunction.cpp:
(JSC::WebAssemblyFunction::jsCallEntrypointSlow):

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@245251 268f45cc-cd09-0410-ab3c-d52691b4dbfc

Source/JavaScriptCore/ChangeLog
Source/JavaScriptCore/assembler/AbstractMacroAssembler.h
Source/JavaScriptCore/assembler/MacroAssemblerARM64E.h
Source/JavaScriptCore/dfg/DFGOSRExitCompilerCommon.cpp
Source/JavaScriptCore/ftl/FTLThunks.cpp
Source/JavaScriptCore/jit/CCallHelpers.h
Source/JavaScriptCore/jit/CallFrameShuffler.cpp
Source/JavaScriptCore/jit/ThunkGenerators.cpp
Source/JavaScriptCore/wasm/js/WebAssemblyFunction.cpp

index d26cb2b..adbfbd2 100644 (file)
@@ -1,3 +1,33 @@
+2019-05-13  Saam Barati  <sbarati@apple.com>
+
+        macro assembler code-pointer tagging has its arguments backwards
+        https://bugs.webkit.org/show_bug.cgi?id=197677
+
+        Reviewed by Michael Saboff.
+
+        We had the destination as the leftmost instead of the rightmost argument,
+        which goes against the convention of how we order arguments in macro assembler
+        methods.
+
+        * assembler/MacroAssemblerARM64E.h:
+        (JSC::MacroAssemblerARM64E::tagReturnAddress):
+        (JSC::MacroAssemblerARM64E::untagReturnAddress):
+        (JSC::MacroAssemblerARM64E::tagPtr):
+        (JSC::MacroAssemblerARM64E::untagPtr):
+        * dfg/DFGOSRExitCompilerCommon.cpp:
+        (JSC::DFG::reifyInlinedCallFrames):
+        * ftl/FTLThunks.cpp:
+        (JSC::FTL::genericGenerationThunkGenerator):
+        * jit/CCallHelpers.h:
+        (JSC::CCallHelpers::prepareForTailCallSlow):
+        * jit/CallFrameShuffler.cpp:
+        (JSC::CallFrameShuffler::prepareForTailCall):
+        * jit/ThunkGenerators.cpp:
+        (JSC::emitPointerValidation):
+        (JSC::arityFixupGenerator):
+        * wasm/js/WebAssemblyFunction.cpp:
+        (JSC::WebAssemblyFunction::jsCallEntrypointSlow):
+
 2019-05-13  Tadeu Zagallo  <tzagallo@apple.com>
 
         JSObject::getOwnPropertyDescriptor is missing an exception check
index f9d0030..eecd0c5 100644 (file)
@@ -977,9 +977,9 @@ public:
     ALWAYS_INLINE void tagReturnAddress() { }
     ALWAYS_INLINE void untagReturnAddress() { }
 
-    ALWAYS_INLINE void tagPtr(RegisterID, PtrTag) { }
+    ALWAYS_INLINE void tagPtr(PtrTag, RegisterID) { }
     ALWAYS_INLINE void tagPtr(RegisterID, RegisterID) { }
-    ALWAYS_INLINE void untagPtr(RegisterID, PtrTag) { }
+    ALWAYS_INLINE void untagPtr(PtrTag, RegisterID) { }
     ALWAYS_INLINE void untagPtr(RegisterID, RegisterID) { }
     ALWAYS_INLINE void removePtrTag(RegisterID) { }
 
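Review bot: The reordered no-op stubs on the `+` lines leave both parameters unnamed, so nothing in this header records which position is the tag and which is the target, and because the non-ARM64E build discards both arguments a caller still passing them in the old order compiles and behaves identically there. The swap is only observable on an ARM64E build, where a mismatched caller would sign or authenticate with the wrong modifier. Naming the parameters in comments documents the convention at the one declaration every port sees: `ALWAYS_INLINE void tagPtr(PtrTag /* tag */, RegisterID /* target */) { }`, and likewise for `untagPtr` and the two `RegisterID, RegisterID` overloads. The enclosing class starts and ends outside the hunk.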
index 8c03d6a..0b968f6 100644 (file)
@@ -41,22 +41,22 @@ class MacroAssemblerARM64E : public MacroAssemblerARM64 {
 public:
     ALWAYS_INLINE void tagReturnAddress()
     {
-        tagPtr(ARM64Registers::lr, ARM64Registers::sp);
+        tagPtr(ARM64Registers::sp, ARM64Registers::lr);
     }
 
     ALWAYS_INLINE void untagReturnAddress()
     {
-        untagPtr(ARM64Registers::lr, ARM64Registers::sp);
+        untagPtr(ARM64Registers::sp, ARM64Registers::lr);
     }
 
-    ALWAYS_INLINE void tagPtr(RegisterID target, PtrTag tag)
+    ALWAYS_INLINE void tagPtr(PtrTag tag, RegisterID target)
     {
         auto tagGPR = getCachedDataTempRegisterIDAndInvalidate();
         move(TrustedImm64(tag), tagGPR);
         m_assembler.pacib(target, tagGPR);
     }
 
-    ALWAYS_INLINE void tagPtr(RegisterID target, RegisterID tag)
+    ALWAYS_INLINE void tagPtr(RegisterID tag, RegisterID target)
     {
         if (target == ARM64Registers::lr && tag == ARM64Registers::sp) {
             m_assembler.pacibsp();
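Review bot: The two-register overload `tagPtr(RegisterID tag, RegisterID target)` on the `+` line is swapped purely by position, with no type difference between its parameters, so a call site not updated in this commit would still compile and would sign `tag` using `target` as the modifier; as far as the types visible here show, only the `PtrTag` overloads gain a compile-time check from the new order. The `lr`/`sp` special case directly below only helps when both operands are those registers; a swapped pair falls through to the generic `pacib` on the first line of the next hunk. A short comment on the overload would make the convention explicit: `// Argument order follows the macro assembler convention (modifier/tag first, destination register last); both parameters are RegisterID, so the compiler cannot catch a swapped caller.` The same comment applies to `untagPtr(RegisterID tag, RegisterID target)` in the following hunk. The `tagPtr` body continues past the end of this hunk.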
@@ -65,14 +65,14 @@ public:
         m_assembler.pacib(target, tag);
     }
 
-    ALWAYS_INLINE void untagPtr(RegisterID target, PtrTag tag)
+    ALWAYS_INLINE void untagPtr(PtrTag tag, RegisterID target)
     {
         auto tagGPR = getCachedDataTempRegisterIDAndInvalidate();
         move(TrustedImm64(tag), tagGPR);
         m_assembler.autib(target, tagGPR);
     }
 
-    ALWAYS_INLINE void untagPtr(RegisterID target, RegisterID tag)
+    ALWAYS_INLINE void untagPtr(RegisterID tag, RegisterID target)
     {
         m_assembler.autib(target, tag);
     }
index ff51dde..89524da 100644 (file)
@@ -157,9 +157,9 @@ void reifyInlinedCallFrames(CCallHelpers& jit, const OSRExitBase& exit)
             jit.loadPtr(AssemblyHelpers::Address(GPRInfo::callFrameRegister, CallFrame::returnPCOffset()), GPRInfo::regT3);
 #if CPU(ARM64E)
             jit.addPtr(AssemblyHelpers::TrustedImm32(sizeof(CallerFrameAndPC)), GPRInfo::callFrameRegister, GPRInfo::regT2);
-            jit.untagPtr(GPRInfo::regT3, GPRInfo::regT2);
+            jit.untagPtr(GPRInfo::regT2, GPRInfo::regT3);
             jit.addPtr(AssemblyHelpers::TrustedImm32(inlineCallFrame->returnPCOffset() + sizeof(void*)), GPRInfo::callFrameRegister, GPRInfo::regT2);
-            jit.tagPtr(GPRInfo::regT3, GPRInfo::regT2);
+            jit.tagPtr(GPRInfo::regT2, GPRInfo::regT3);
 #endif
             jit.storePtr(GPRInfo::regT3, AssemblyHelpers::addressForByteOffset(inlineCallFrame->returnPCOffset()));
             jit.loadPtr(AssemblyHelpers::Address(GPRInfo::callFrameRegister, CallFrame::callerFrameOffset()), GPRInfo::regT3);
@@ -209,7 +209,7 @@ void reifyInlinedCallFrames(CCallHelpers& jit, const OSRExitBase& exit)
 #if CPU(ARM64E)
             jit.addPtr(AssemblyHelpers::TrustedImm32(inlineCallFrame->returnPCOffset() + sizeof(void*)), GPRInfo::callFrameRegister, GPRInfo::regT2);
             jit.move(AssemblyHelpers::TrustedImmPtr(jumpTarget), GPRInfo::nonArgGPR0);
-            jit.tagPtr(GPRInfo::nonArgGPR0, GPRInfo::regT2);
+            jit.tagPtr(GPRInfo::regT2, GPRInfo::nonArgGPR0);
             jit.storePtr(GPRInfo::nonArgGPR0, AssemblyHelpers::addressForByteOffset(inlineCallFrame->returnPCOffset()));
 #else
             jit.storePtr(AssemblyHelpers::TrustedImmPtr(jumpTarget), AssemblyHelpers::addressForByteOffset(inlineCallFrame->returnPCOffset()));
index 01c34ad..92b5bd3 100644 (file)
@@ -116,7 +116,7 @@ static MacroAssemblerCodeRef<JITThunkPtrTag> genericGenerationThunkGenerator(
     restoreAllRegisters(jit, buffer);
 
 #if CPU(ARM64E)
-    jit.untagPtr(AssemblyHelpers::linkRegister, resultTag);
+    jit.untagPtr(resultTag, AssemblyHelpers::linkRegister);
     jit.tagReturnAddress();
 #else
     UNUSED_PARAM(resultTag);
index e21286f..ba669a9 100644 (file)
@@ -807,7 +807,7 @@ public:
         subPtr(TrustedImm32(2 * sizeof(void*)), newFrameSizeGPR);
 #if CPU(ARM64E)
         addPtr(TrustedImm32(sizeof(CallerFrameAndPC)), MacroAssembler::framePointerRegister, tempGPR);
-        untagPtr(linkRegister, tempGPR);
+        untagPtr(tempGPR, linkRegister);
 #endif
 #elif CPU(MIPS)
         loadPtr(Address(framePointerRegister, sizeof(void*)), returnAddressRegister);
index 02e372c..539e502 100644 (file)
@@ -456,7 +456,7 @@ void CallFrameShuffler::prepareForTailCall()
         MacroAssembler::linkRegister);
 #if CPU(ARM64E)
     m_jit.addPtr(MacroAssembler::TrustedImm32(sizeof(CallerFrameAndPC)), MacroAssembler::framePointerRegister);
-    m_jit.untagPtr(MacroAssembler::linkRegister, MacroAssembler::framePointerRegister);
+    m_jit.untagPtr(MacroAssembler::framePointerRegister, MacroAssembler::linkRegister);
     m_jit.subPtr(MacroAssembler::TrustedImm32(sizeof(CallerFrameAndPC)), MacroAssembler::framePointerRegister);
 #endif
 
index 8e96351..e84f004 100644 (file)
@@ -53,7 +53,7 @@ inline void emitPointerValidation(CCallHelpers& jit, GPRReg pointerGPR, TagType
     jit.abortWithReason(TGInvalidPointer);
     isNonZero.link(&jit);
     jit.pushToSave(pointerGPR);
-    jit.untagPtr(pointerGPR, tag);
+    jit.untagPtr(tag, pointerGPR);
     jit.load8(pointerGPR, pointerGPR);
     jit.popToRestore(pointerGPR);
 }
@@ -459,10 +459,10 @@ MacroAssemblerCodeRef<JITThunkPtrTag> arityFixupGenerator(VM* vm)
 #if CPU(ARM64E)
     jit.loadPtr(JSInterfaceJIT::Address(GPRInfo::callFrameRegister, CallFrame::returnPCOffset()), GPRInfo::regT3);
     jit.addPtr(JSInterfaceJIT::TrustedImm32(sizeof(CallerFrameAndPC)), GPRInfo::callFrameRegister, extraTemp);
-    jit.untagPtr(GPRInfo::regT3, extraTemp);
+    jit.untagPtr(extraTemp, GPRInfo::regT3);
     PtrTag tempReturnPCTag = static_cast<PtrTag>(random());
     jit.move(JSInterfaceJIT::TrustedImmPtr(tempReturnPCTag), extraTemp);
-    jit.tagPtr(GPRInfo::regT3, extraTemp);
+    jit.tagPtr(extraTemp, GPRInfo::regT3);
     jit.storePtr(GPRInfo::regT3, JSInterfaceJIT::Address(GPRInfo::callFrameRegister, CallFrame::returnPCOffset()));
 #endif
     jit.move(JSInterfaceJIT::callFrameRegister, JSInterfaceJIT::regT3);
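Review bot: `PtrTag tempReturnPCTag = static_cast<PtrTag>(random());` on the context line between the reordered `untagPtr` and `tagPtr` calls draws the temporary return-PC tag from libc's non-cryptographic `random()`, and the value is then baked into the thunk as a `TrustedImmPtr` immediate, so it is fixed for the process lifetime and reused by the `@@ -515` hunk to authenticate the same pointer. If the intent is only a tag distinct from the fixed `PtrTag` constants that is adequate, but if unpredictability matters, WTF's cryptographic random source would be the appropriate generator. Either way a comment stating the intent would help the next reader, e.g. `// Temporary tag for the return PC while the frame is resized; it only needs to differ from the fixed PtrTag values, not to be secret.` — adjust if secrecy is in fact relied on. The surrounding `arityFixupGenerator` body starts and ends outside both hunks.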
@@ -515,9 +515,9 @@ MacroAssemblerCodeRef<JITThunkPtrTag> arityFixupGenerator(VM* vm)
 #if CPU(ARM64E)
     jit.loadPtr(JSInterfaceJIT::Address(GPRInfo::callFrameRegister, CallFrame::returnPCOffset()), GPRInfo::regT3);
     jit.move(JSInterfaceJIT::TrustedImmPtr(tempReturnPCTag), extraTemp);
-    jit.untagPtr(GPRInfo::regT3, extraTemp);
+    jit.untagPtr(extraTemp, GPRInfo::regT3);
     jit.addPtr(JSInterfaceJIT::TrustedImm32(sizeof(CallerFrameAndPC)), GPRInfo::callFrameRegister, extraTemp);
-    jit.tagPtr(GPRInfo::regT3, extraTemp);
+    jit.tagPtr(extraTemp, GPRInfo::regT3);
     jit.storePtr(GPRInfo::regT3, JSInterfaceJIT::Address(GPRInfo::callFrameRegister, CallFrame::returnPCOffset()));
 #endif
 
index b344c65..cf7c779 100644 (file)
@@ -480,7 +480,7 @@ MacroAssemblerCodePtr<JSEntryPtrTag> WebAssemblyFunction::jsCallEntrypointSlow()
     jit.move(CCallHelpers::TrustedImmPtr(this), GPRInfo::regT0);
     jit.emitFunctionEpilogue();
 #if CPU(ARM64E)
-    jit.untagPtr(MacroAssembler::linkRegister, MacroAssembler::stackPointerRegister);
+    jit.untagReturnAddress();
 #endif
     auto jumpToHostCallThunk = jit.jump();