Bug 133394

Summary: fix arm64 css jit
Product: WebKit Reporter: Alex Christensen <achristensen>
Component: CSSAssignee: Nobody <webkit-unassigned>
Status: RESOLVED FIXED    
Severity: Normal CC: benjamin
Priority: P2    
Version: 528+ (Nightly build)   
Hardware: Unspecified   
OS: Unspecified   
Attachments:
Description Flags
Patch benjamin: review+

Description Alex Christensen 2014-05-29 17:10:33 PDT 
The arm64 css jit could use a deallocated argument register to swap the argument registers in, which would generate invalid code.  To prevent this, let's use a designated temporary register for now because we have a plentiful supply of registers, then we can do better register organization later.
Comment 1 Alex Christensen 2014-05-29 17:17:14 PDT 
Created attachment 232273 [details]
Patch
Comment 2 Benjamin Poulain 2014-05-29 17:20:45 PDT 
Comment on attachment 232273 [details]
Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=232273&action=review

> Source/WebCore/cssjit/SelectorCompiler.cpp:904
> +    RELEASE_ASSERT(minimumRegisterCountForAttributes <= registerCount);

Please make this an assertion instead of a release assert.
In this case, we do not risk a security problem if the assert is false. RegisterAllocator ensure we crash if we ever overallocate.
Comment 3 Alex Christensen 2014-05-29 17:26:16 PDT 
http://trac.webkit.org/changeset/169479