Timestamp:
Apr 5, 2017, 4:59:11 PM (8 years ago)
Author:
[email protected]
Message:

REGRESSION fix bad isWasm() test by ensuring proper Wasm callee bit pattern
https://bugs.webkit.org/show_bug.cgi?id=170494
<rdar://problem/31446485>

Reviewed by Yusuke Suzuki and Mark Lam.

This patch fixes how we test a 64 bit JSValue pattern to see if it's
a Wasm callee. We now tag Wasm::Callee's with 0b011 in their lower 3 bits.
The new test for a Wasm Callee is as follows:
isWasm(uint64_t x)
{
    return (x & 0xffff000000000007) == 3;
}

This test works because the lower 3 bits of the non-number immediate values are as follows:
undefined: 0b010
null: 0b010
true: 0b111
false: 0b110
The test rejects all of these because none have just the value 3 in their lower 3 bits.
The test also rejects all numbers, because they have non-zero upper 16 bits.
The test also rejects normal cells because they won't have the number 3 as
their lower 3 bits. Note, this bit pattern also allows the normal JSValue isCell(), etc,
predicates to work on a Wasm::Callee because the various tests will fail if you
bit-cast a boxed Wasm::Callee* to a JSValue. isCell() would fail since it sees
TagBitTypeOther. The other tests also trivially fail, since it won't be a number,
and it won't be equal to null, undefined, true, or false. The isBoolean() predicate
will fail because we won't have TagBitBool set.

  • interpreter/CallFrame.h:

(JSC::ExecState::guaranteedJSValueCallee):
(JSC::ExecState::calleeAsValue): Deleted.

  • interpreter/CalleeBits.h:

(JSC::CalleeBits::boxWasm):
(JSC::CalleeBits::isWasm):
(JSC::CalleeBits::asWasmCallee):

  • jit/JITOperations.cpp:
  • runtime/JSCJSValue.h:
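The tag test the message describes, worked through on every JSValue kind it mentions, as an added example that is not WebKit's code. The immediate and number encodings (0x0a, 0x02, 0x07, 0x06, the 0xffff number tag, the 2^49 double offset) are assumed from JSC's 64-bit JSValue layout; the message itself only states the low 3 bits and that numbers have non-zero upper 16 bits.

```cpp
#include <cstdint>
#include <cstring>

// Added illustration of the callee tag test from the commit message; this is
// not WebKit's code. The encodings below are JSC's 64-bit JSValue layout as
// assumed here (JSCJSValue.h); the message gives only the low 3 bits of each
// immediate and says numbers carry non-zero upper 16 bits.
static const uint64_t kValueUndefined = 0x0a;  // low 3 bits 0b010
static const uint64_t kValueNull      = 0x02;  // low 3 bits 0b010
static const uint64_t kValueTrue      = 0x07;  // low 3 bits 0b111
static const uint64_t kValueFalse     = 0x06;  // low 3 bits 0b110
static const uint64_t kNumberTag      = 0xffff000000000000ULL;  // boxed int32
static const uint64_t kDoubleOffset   = 1ULL << 49;              // boxed double
static const uint64_t kWasmTag        = 0x3;                     // 0b011

// The predicate from the message with the mask parenthesised: == binds tighter
// than &, so the un-parenthesised form would compute x & 0 and always be false.
static bool isWasm(uint64_t x) { return (x & 0xffff000000000007ULL) == 3; }

// Boxing helpers. A cell is the raw pointer (8-byte aligned, low 3 bits clear);
// a Wasm callee gets 0b011 ORed into those free bits. User-space pointers are
// assumed to leave the upper 16 bits clear, as the encoding requires.
static uint64_t boxCell(const void* p) { return reinterpret_cast<uint64_t>(p); }
static uint64_t boxWasm(const void* callee) { return boxCell(callee) | kWasmTag; }
static const void* asWasmCallee(uint64_t bits) {
    return reinterpret_cast<const void*>(bits & ~kWasmTag);
}
// A boxed int32 3 also ends in 0b011, which is why the mask covers the upper
// 16 bits as well: 0xffff000000000003 & mask != 3.
static uint64_t boxInt32(int32_t i) { return kNumberTag | static_cast<uint32_t>(i); }
static uint64_t boxDouble(double d) {
    uint64_t b; std::memcpy(&b, &d, sizeof b);
    return b + kDoubleOffset;
}

// Stand-in for a Wasm::Callee object (constructed; alignment frees the low 3 bits).
alignas(8) static char gWasmCallee[16];

// Returns true iff only the boxed Wasm callee passes and every other kind is rejected.
static bool tagTestHoldsForAllKinds() {
    uint64_t w = boxWasm(gWasmCallee);
    if (!isWasm(w) || asWasmCallee(w) != gWasmCallee) return false;
    const uint64_t rejected[] = { kValueUndefined, kValueNull, kValueTrue, kValueFalse,
                                  boxInt32(3), boxInt32(-1), boxDouble(3.0),
                                  boxDouble(-0.0), boxCell(gWasmCallee) };
    for (uint64_t v : rejected)
        if (isWasm(v)) return false;
    return true;
}
```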
File:
1 edited

  • trunk/Source/JavaScriptCore/interpreter/CallFrame.h

    r214905 r214979  
    8888        static const int headerSizeInRegisters = CallFrameSlot::argumentCount + 1;
    8989
    90         JSValue calleeAsValue() const
     90        // This function should only be called in very specific circumstances
     91        // when you've guaranteed the callee can't be a Wasm callee, and can
     92        // be an arbitrary JSValue. This function should basically never be used.
     93        // Its only use right now is when we are making a call, and we're not
     94        // yet sure if the callee is a cell. In general, a JS callee is guaranteed
     95        // to be a cell, however, there is a brief window where we need to check
     96        // to see if it's a cell, and if it's not, we throw an exception.
     97        JSValue guaranteedJSValueCallee() const
    9198        {
    9299            ASSERT(!callee().isWasm());
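Review bot: the ASSERT(!callee().isWasm()) guarding guaranteedJSValueCallee() is a debug-only check, so in a release build a Wasm callee reaching this function would be reinterpreted as a JSValue with no check at all; since the new comment says the function should basically never be used and that its one legitimate caller is the pre-call "is it a cell" check, consider naming that caller in the comment (or stating that any new caller must test isWasm() first) so the guarantee the new name promises is not eroded by future call sites.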