133394 – fix arm64 css jit

RESOLVED FIXED 133394

fix arm64 css jit

https://bugs.webkit.org/show_bug.cgi?id=133394

Summary fix arm64 css jit

Alex Christensen

Reported 2014-05-29 17:10:33 PDT

The arm64 css jit could use a deallocated argument register to swap the argument registers in, which would generate invalid code. To prevent this, let's use a designated temporary register for now because we have a plentiful supply of registers, then we can do better register organization later.

Attachments
Patch (3.46 KB, patch) 2014-05-29 17:17 PDT, Alex Christensen	benjamin: review+	Details Formatted Diff Diff
View All Add attachment proposed patch, testcase, etc.

Alex Christensen

Comment 1 2014-05-29 17:17:14 PDT

Created attachment 232273 [details] Patch

Benjamin Poulain

Comment 2 2014-05-29 17:20:45 PDT

Comment on attachment 232273 [details] Patch View in context: https://bugs.webkit.org/attachment.cgi?id=232273&action=review > Source/WebCore/cssjit/SelectorCompiler.cpp:904 > + RELEASE_ASSERT(minimumRegisterCountForAttributes <= registerCount); Please make this an assertion instead of a release assert. In this case, we do not risk a security problem if the assert is false. RegisterAllocator ensure we crash if we ever overallocate.

Alex Christensen

Comment 3 2014-05-29 17:26:16 PDT

http://trac.webkit.org/changeset/169479

Note You need to log in before you can comment on or make changes to this bug.

Status RESOLVED

Resolution FIXED

Priority P2

Severity Normal

Classification Unclassified

Version 528+ (Nightly build)

Hardware Unspecified

OS Unspecified

Product WebKit

Component CSS

Assignee

Nobody

Reported

2014-05-29 17:10 PDT

Modified

2014-05-29 17:26 PDT History

CC List

1 user Show

URL

Keywords

Depends on

Blocks