238827 – [JSC] Strictly annotate pointers with TrustedImmPtr in CCallHelpers

Bug 238827 - [JSC] Strictly annotate pointers with TrustedImmPtr in CCallHelpers

Summary: [JSC] Strictly annotate pointers with TrustedImmPtr in CCallHelpers

Status:	RESOLVED FIXED

Alias:	None

Product:	WebKit
Classification:	Unclassified
Component:	New Bugs (show other bugs)
Version:	WebKit Nightly Build
Hardware:	Unspecified Unspecified

Importance:	P2 Normal
Assignee:	Yusuke Suzuki

URL:
Keywords:	InRadar

Depends on:
Blocks:

Reported:	2022-04-05 12:40 PDT by Yusuke Suzuki
Modified:	2022-04-05 17:55 PDT (History)
CC List:	7 users (show)

See Also:

Attachments
Patch (244.58 KB, patch) 2022-04-05 12:41 PDT, Yusuke Suzuki	no flags	Details \| Formatted Diff \| Diff
Patch (247.35 KB, patch) 2022-04-05 12:57 PDT, Yusuke Suzuki	ews-feeder: commit-queue-	Details \| Formatted Diff \| Diff
Patch (247.34 KB, patch) 2022-04-05 13:30 PDT, Yusuke Suzuki	mark.lam: review+	Details \| Formatted Diff \| Diff
Show Obsolete (2) View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Yusuke Suzuki 2022-04-05 12:40:37 PDT

[JSC] Strictly annotate pointers with TrustedImmPtr in CCallHelpers

Comment 1 Yusuke Suzuki 2022-04-05 12:41:49 PDT

Created attachment 456731 [details]
Patch

Comment 2 Yusuke Suzuki 2022-04-05 12:57:42 PDT

Created attachment 456734 [details]
Patch

Comment 3 Yusuke Suzuki 2022-04-05 13:30:13 PDT

Created attachment 456738 [details]
Patch

Comment 4 Mark Lam 2022-04-05 14:04:09 PDT

Comment on attachment 456738 [details]
Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=456738&action=review

r=me

> Source/JavaScriptCore/dfg/DFGArrayifySlowPathGenerator.h:97
> +            jit->callOperation(operationEnsureInt32, m_tempGPR, SpeculativeJIT::TrustedImmPtr(&vm), m_baseGPR);

Why "SpeculativeJIT::" instead of "MacroAssembler::"?  We use "MacroAssembler::" above.  Would be good to be consistent everywhere.  Ditto below.

> Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp:3528
> +    jit.loadDouble(SpeculativeJIT::TrustedImmPtr(&zero), scratch);

Why not use MacroAssembler:: qualifier instead?

Comment 5 Yusuke Suzuki 2022-04-05 14:22:14 PDT

Comment on attachment 456738 [details]
Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=456738&action=review

>> Source/JavaScriptCore/dfg/DFGArrayifySlowPathGenerator.h:97
>> +            jit->callOperation(operationEnsureInt32, m_tempGPR, SpeculativeJIT::TrustedImmPtr(&vm), m_baseGPR);
> 
> Why "SpeculativeJIT::" instead of "MacroAssembler::"?  We use "MacroAssembler::" above.  Would be good to be consistent everywhere.  Ditto below.

Because SpeculativeJIT::TrustedImmPtr is different from MacroAssembler::TrustedImmPtr. It has some more extra checks.

>> Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp:3528
>> +    jit.loadDouble(SpeculativeJIT::TrustedImmPtr(&zero), scratch);
> 
> Why not use MacroAssembler:: qualifier instead?

Ditto.

Comment 6 Yusuke Suzuki 2022-04-05 17:54:17 PDT

Committed r292445 (?): <https://commits.webkit.org/r292445>

Comment 7 Radar WebKit Bug Importer 2022-04-05 17:55:20 PDT

<rdar://problem/91327271>