Bug 133394

Summary: fix arm64 css jit
Product: WebKit
Reporter: Alex Christensen <achristensen>
Component: CSS
Assignee: Nobody <webkit-unassigned>
Status: RESOLVED FIXED
Severity: Normal
CC: benjamin
Priority: P2
Version: 528+ (Nightly build)
Hardware: Unspecified
OS: Unspecified
Attachments:
Description Flags
Patch benjamin: review+

Alex Christensen
Reported 2014-05-29 17:10:33 PDT
The arm64 css jit could use a deallocated argument register to swap the argument registers in, which would generate invalid code. To prevent this, let's use a designated temporary register for now because we have a plentiful supply of registers, then we can do better register organization later.
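The failure mode described above, as an added illustration. This is toy C++ written for this page, not WebKit's SelectorCompiler or RegisterAllocator code, and every name in it (RegisterPool, Move, emitSwapViaPoolScratch, emitSwapViaReservedTemp) is invented. It models a swap of two argument registers through a scratch register: when the scratch is handed out by the same free-list allocator that has already had the argument registers returned to it, the scratch can alias one operand and the emitted moves are wrong; a designated temporary kept out of the pool cannot alias anything.

```cpp
// Added illustration (not WebKit code) of the register-aliasing hazard.
// All names here are invented for this example.
#include <cassert>
#include <cstdint>
#include <stdexcept>
#include <utility>
#include <vector>

using Reg = int;
struct Move { Reg dst; Reg src; };   // dst <- src

// Minimal free-list allocator: a register is only safe to use between
// allocate() and deallocate(); after deallocate() it may be handed out again.
class RegisterPool {
public:
    explicit RegisterPool(std::vector<Reg> freeRegs) : free_(std::move(freeRegs)) {}
    Reg allocate() {
        if (free_.empty())
            throw std::runtime_error("register pool exhausted");
        Reg r = free_.back();
        free_.pop_back();
        return r;
    }
    void deallocate(Reg r) { free_.push_back(r); }
private:
    std::vector<Reg> free_;   // LIFO: the most recently released register comes back first
};

// Buggy emitter: the argument registers were released to the pool before the
// swap, and the scratch is taken from that same pool. With a LIFO free list the
// scratch is exactly `b`, so the three moves collapse both arguments to `a`.
std::vector<Move> emitSwapViaPoolScratch(RegisterPool& pool, Reg a, Reg b) {
    pool.deallocate(a);
    pool.deallocate(b);
    Reg scratch = pool.allocate();           // may alias a or b: nothing checks this
    std::vector<Move> code{{scratch, a}, {a, b}, {b, scratch}};
    pool.deallocate(scratch);
    return code;
}

// Fixed emitter: a designated temporary that is never part of the pool, so it
// cannot alias either operand. The assertion is cheap and documents the invariant.
std::vector<Move> emitSwapViaReservedTemp(Reg temp, Reg a, Reg b) {
    assert(temp != a && temp != b);
    return {{temp, a}, {a, b}, {b, temp}};
}

// Execute a move sequence against a register file and return the resulting file.
std::vector<uint64_t> run(const std::vector<Move>& code, std::vector<uint64_t> regs) {
    for (const Move& m : code)
        regs[m.dst] = regs[m.src];
    return regs;
}

// True if `code` really exchanges the contents of registers a and b.
bool swapsCorrectly(const std::vector<Move>& code, Reg a, Reg b, size_t fileSize) {
    std::vector<uint64_t> regs(fileSize, 0);
    regs[a] = 0x1111;   // constructed sample values
    regs[b] = 0x2222;
    std::vector<uint64_t> after = run(code, regs);
    return after[a] == 0x2222 && after[b] == 0x1111;
}

int main() {
    const Reg a = 0, b = 1, reservedTemp = 7;   // two argument registers and a scratch kept out of the pool
    RegisterPool pool({2, 3, 4, 5});             // allocatable registers; 7 is deliberately absent
    bool buggyOk = swapsCorrectly(emitSwapViaPoolScratch(pool, a, b), a, b, 8);
    bool fixedOk = swapsCorrectly(emitSwapViaReservedTemp(reservedTemp, a, b), a, b, 8);
    return (!buggyOk && fixedOk) ? 0 : 1;   // exit 0 when the model reproduces the bug and the fix
}
```

The pool being LIFO makes the aliasing deterministic here; a real allocator may hand back a different register depending on what else was freed, which is exactly why the bug only produced invalid code on some inputs. Reserving a temporary outside the pool removes the dependence on allocation order entirely, at the cost of one register the JIT can no longer allocate.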
Attachments
Patch (3.46 KB, patch)
2014-05-29 17:17 PDT, Alex Christensen
benjamin: review+
Alex Christensen
Comment 1 2014-05-29 17:17:14 PDT
Benjamin Poulain
Comment 2 2014-05-29 17:20:45 PDT
Comment on attachment 232273 [details]
Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=232273&action=review

> Source/WebCore/cssjit/SelectorCompiler.cpp:904
> +    RELEASE_ASSERT(minimumRegisterCountForAttributes <= registerCount);

Please make this an assertion instead of a release assert. In this case, we do not risk a security problem if the assert is false. RegisterAllocator ensures we crash if we ever overallocate.
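Review bot: whichever form the check at SelectorCompiler.cpp:904 ends up in, the quoted line gives a future reader no hint why a release-mode check is unnecessary; a one-line comment next to it stating that RegisterAllocator already crashes on overallocation would keep someone from re-escalating it to RELEASE_ASSERT later.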
Alex Christensen
Comment 3 2014-05-29 17:26:16 PDT