133394 – fix arm64 css jit

Bug 133394 - fix arm64 css jit

Summary: fix arm64 css jit

Status:	RESOLVED FIXED

Alias:	None

Product:	WebKit
Classification:	Unclassified
Component:	CSS (show other bugs)
Version:	528+ (Nightly build)
Hardware:	Unspecified Unspecified

Importance:	P2 Normal
Assignee:	Nobody

URL:
Keywords:

Depends on:
Blocks:

Reported:	2014-05-29 17:10 PDT by Alex Christensen
Modified:	2014-05-29 17:26 PDT (History)
CC List:	1 user (show)

See Also:

Attachments
Patch (3.46 KB, patch) 2014-05-29 17:17 PDT, Alex Christensen	benjamin: review+	Details \| Formatted Diff \| Diff
View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Alex Christensen 2014-05-29 17:10:33 PDT

The arm64 css jit could use a deallocated argument register to swap the argument registers in, which would generate invalid code.  To prevent this, let's use a designated temporary register for now because we have a plentiful supply of registers, then we can do better register organization later.

Comment 1 Alex Christensen 2014-05-29 17:17:14 PDT

Created attachment 232273 [details]
Patch

Comment 2 Benjamin Poulain 2014-05-29 17:20:45 PDT

Comment on attachment 232273 [details]
Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=232273&action=review

> Source/WebCore/cssjit/SelectorCompiler.cpp:904
> +    RELEASE_ASSERT(minimumRegisterCountForAttributes <= registerCount);

Please make this an assertion instead of a release assert.
In this case, we do not risk a security problem if the assert is false. RegisterAllocator ensure we crash if we ever overallocate.

Comment 3 Alex Christensen 2014-05-29 17:26:16 PDT

http://trac.webkit.org/changeset/169479