
[JSC][32-bit] Wasm callee pointer should not be incorrectly untagged #8311

Conversation

jjgriego

@jjgriego jjgriego commented Jan 6, 2023

0df23a9

[JSC][32-bit] Wasm callee pointer should not be incorrectly untagged
https://bugs.webkit.org/show_bug.cgi?id=250219

Reviewed by Justin Michaud.

After #8138, the untag code in the LLInt
wasm prologue was changed to use `~WasmTag` as a mask, which on 32-bit ends up
having most bits unset, effectively zeroing out the callee pointer, breaking a
big chunk of the test suite on armv7.

The old version of this untag code used `~3` as the mask which happened to work
for all platforms.

Fix this by emitting the untag instruction only for the 64-bit JSValue
representation, since for JSVALUE32_64 platforms, the callee pointer is untagged
anyways.

* Source/JavaScriptCore/llint/WebAssembly.asm:

Canonical link: https://commits.webkit.org/258584@main
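The failure the commit message describes is a mask-width mistake: AND-ing a tagged pointer with the complement of a tag constant only clears the tag bits if that constant has nothing but the low tag bits set. The following is an added example, not WebKit's code; the `TAG64` and `TAG32` values are constructed stand-ins (the 32-bit one is an assumption chosen so that its complement has "most bits unset", as the message says), and the function names are hypothetical.

```c
#include <stdint.h>
#include <stdio.h>

/* The callee pointer is at least 4-byte aligned, so its low two bits are
 * free to carry a tag. Untagging must clear only those two bits. */
#define TAG_BITS 0x3u

/* Constructed tag constants (NOT JSC's real WasmTag values). On the 64-bit
 * representation the tag lives in the low bits; the 32-bit value is an
 * assumed example of a constant whose high bits are set. */
#define TAG64 ((uint64_t)0x3)
#define TAG32 ((uint32_t)0xfffffff8u)

/* Approach from the regressing change: mask with the complement of the tag
 * constant. Correct on 64-bit, destructive on 32-bit (~TAG32 == 0x7). */
static uint64_t untag64_by_complement(uint64_t tagged) { return tagged & ~TAG64; }
static uint32_t untag32_by_complement(uint32_t tagged) { return tagged & ~TAG32; }

/* Approach from before the regression: mask with ~3, which clears exactly
 * the tag bits whatever the word size. */
static uint64_t untag64_low_bits(uint64_t tagged) { return tagged & ~(uint64_t)TAG_BITS; }
static uint32_t untag32_low_bits(uint32_t tagged) { return tagged & ~(uint32_t)TAG_BITS; }

/* Defensive check a build could assert on: an untag mask is safe only if
 * every bit above the tag bits is still set. Returns 1 if safe, else 0. */
static int mask_is_safe_untag32(uint32_t mask) { return (mask | TAG_BITS) == UINT32_MAX; }
static int mask_is_safe_untag64(uint64_t mask) { return (mask | TAG_BITS) == UINT64_MAX; }

/* The fix taken in the PR: emit the untag only for the 64-bit JSValue
 * representation; on JSVALUE32_64 the callee pointer is already untagged,
 * so it is passed through unchanged. */
static uint32_t callee32_after_fix(uint32_t callee) { return callee; }

int main(void) {
    uint32_t tagged32 = 0x12345670u | 1u;            /* constructed pointer, tag = 1 */
    uint64_t tagged64 = 0x00007f0012345670ULL | 1ULL; /* constructed pointer, tag = 1 */

    printf("32-bit, ~TAG32 mask : 0x%08x\n", untag32_by_complement(tagged32));
    printf("32-bit, ~3 mask     : 0x%08x\n", untag32_low_bits(tagged32));
    printf("64-bit, ~TAG64 mask : 0x%016llx\n",
           (unsigned long long)untag64_by_complement(tagged64));
    printf("~TAG32 safe? %d   ~3 safe? %d   ~TAG64 safe? %d\n",
           mask_is_safe_untag32(~TAG32),
           mask_is_safe_untag32(~(uint32_t)TAG_BITS),
           mask_is_safe_untag64(~TAG64));
    return 0;
}
```

The `mask_is_safe_untag*` helpers are the kind of static check that would have caught this at build time: a mask that does not keep every non-tag bit set cannot be an untag mask, regardless of how the tag constant is spelled on a given platform.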

1914eec

EWS status: build and test checks passed, including style, webkitperl, ios, ios-sim, ios-wk2, mac, mac-AS-debug, mac-wk1, mac-wk2, mac-AS-debug-wk2, mac-wk2-stress, tv, tv-sim, watch, watch-sim, wpe, gtk, wincairo, jsc, jsc-arm64, jsc-armv7, jsc-armv7-tests, jsc-mips, jsc-mips-tests and unsafe-merge; win, api-mac, api-ios, api-gtk and gtk-wk2 reported no status.

@jjgriego jjgriego requested a review from a team as a code owner January 6, 2023 18:16
@jjgriego jjgriego self-assigned this Jan 6, 2023
@jjgriego jjgriego added the JavaScriptCore For bugs in JavaScriptCore, the JS engine used by WebKit, other than kxmlcore issues. label Jan 6, 2023

@justinmichaud justinmichaud left a comment


r=me

@jjgriego jjgriego added the request-merge-queue Request a pull request to be added to merge-queue once ready label Jan 6, 2023
@Constellation Constellation added unsafe-merge-queue Applied to send a pull request to merge-queue, but skip building and testing and removed request-merge-queue Request a pull request to be added to merge-queue once ready labels Jan 7, 2023
@webkit-commit-queue

Committed 258584@main (0df23a9): https://commits.webkit.org/258584@main

Reviewed commits have been landed. Closing PR #8311 and removing active labels.

@webkit-early-warning-system webkit-early-warning-system merged commit 0df23a9 into WebKit:main Jan 7, 2023
@webkit-commit-queue webkit-commit-queue removed the unsafe-merge-queue Applied to send a pull request to merge-queue, but skip building and testing label Jan 7, 2023