Changeset 166440 in webkit


Timestamp:
Mar 28, 2014 5:37:10 PM (10 years ago)
Author:
mark.lam@apple.com
Message:

mandreel throws a checksum error on 32-bit x86.
<https://webkit.org/b/125706>

Reviewed by Filip Pizlo.

The 32-bit DFG can emit code that loads double constants from its
CodeBlock's m_constantRegisters vector. The emitted instruction will
embed the address of the constant from the vector's backing store.
Subsequently, while inserting new constants, the DFG may resize the
vector, thereby reallocating the backing store. This renders the
previously embedded constant addresses stale.

The fix is to use a dedicated doubles constant pool stored in the DFG
CommonData instead. This constant pool won't be reallocated, and
hence will not manifest this issue.

  • dfg/DFGCommonData.h:
  • dfg/DFGGraph.h:
  • dfg/DFGJITCompiler.cpp:
    (JSC::DFG::JITCompiler::link):
    (JSC::DFG::JITCompiler::addressOfDoubleConstant):
  • dfg/DFGJITCompiler.h:
    (JSC::DFG::JITCompiler::addressOfDoubleConstant): Deleted.

Location:
trunk/Source/JavaScriptCore
Files:
5 edited
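The stale-address mechanism the message describes, as an added example that is not WebKit code: a raw pointer taken into a `std::vector` backing store stops being the element's address once growth forces a reallocation, while a node-based pool (here `std::deque`, standing in for WTF's `Bag<double>`) keeps every constant at a fixed address. The pool also dedups by the double's 64-bit bit pattern rather than by `==`, so `0.0` and `-0.0` get separate slots and infinities pose no sentinel problem. `DoubleConstantPool` and the helper functions are hypothetical names.

```cpp
// Added illustration (not WebKit code): why an address taken into a
// std::vector's backing store goes stale when the vector grows, and how a
// node-based constant pool with a bit-pattern keyed lookup avoids that.
// The vector stands in for CodeBlock's m_constantRegisters; the pool stands
// in for the Bag<double> this change introduces. Names are hypothetical.
#include <cmath>
#include <cstdint>
#include <cstring>
#include <deque>
#include <iostream>
#include <unordered_map>
#include <vector>

// Old scheme: the "emitted code" keeps a raw pointer into the vector.
// Returns true only if that pointer is still the element's address after
// enough appends to force a reallocation.
bool vectorAddressSurvivesGrowth()
{
    std::vector<double> constants;
    constants.push_back(3.5);
    const double* embedded = &constants[0];
    size_t capacityBefore = constants.capacity();

    // Keep inserting until the backing store is reallocated; the new buffer
    // is a distinct allocation, so the old address can no longer be right.
    while (constants.capacity() == capacityBefore)
        constants.push_back(static_cast<double>(constants.size()));

    return embedded == &constants[0];
}

// New scheme: each constant lives in storage that is never moved.
// std::deque guarantees push_back leaves references to existing elements
// valid, the same property Bag<double> provides in WTF.
class DoubleConstantPool {
public:
    // Returns a stable address holding 'value', reusing an existing slot
    // when the same bit pattern was already pooled.
    double* addressOf(double value)
    {
        uint64_t bits;
        std::memcpy(&bits, &value, sizeof bits); // key on bits, not on ==
        auto it = m_index.find(bits);
        if (it != m_index.end())
            return it->second;
        m_storage.push_back(value);
        double* slot = &m_storage.back();
        m_index.emplace(bits, slot);
        return slot;
    }

    size_t size() const { return m_storage.size(); }

private:
    std::deque<double> m_storage;
    std::unordered_map<uint64_t, double*> m_index;
};

// Returns true if the first pooled address is still valid and still holds
// its value after many further insertions.
bool poolAddressSurvivesGrowth(size_t extraConstants)
{
    DoubleConstantPool pool;
    double* embedded = pool.addressOf(3.5);
    for (size_t i = 0; i < extraConstants; ++i)
        pool.addressOf(static_cast<double>(i) + 0.25);
    return embedded == pool.addressOf(3.5) && *embedded == 3.5;
}

// Bit-pattern keying keeps +0.0 and -0.0 apart (they compare equal with ==)
// and has no trouble with infinities, which some hash traits reserve as
// sentinel keys.
bool poolDistinguishesSignedZeroAndHandlesInfinity()
{
    DoubleConstantPool pool;
    double* positiveZero = pool.addressOf(0.0);
    double* negativeZero = pool.addressOf(-0.0);
    double* infinity = pool.addressOf(INFINITY);
    return positiveZero != negativeZero
        && std::signbit(*negativeZero)
        && std::isinf(*infinity)
        && pool.size() == 3;
}

int main()
{
    std::cout << "vector address survives growth: " << vectorAddressSurvivesGrowth() << '\n'
              << "pool address survives growth:   " << poolAddressSurvivesGrowth(10000) << '\n'
              << "pool keys on bit pattern:       " << poolDistinguishesSignedZeroAndHandlesInfinity() << '\n';
    return 0;
}
```

The first function reproduces the hazard the 32-bit DFG hit: the pointer is correct at the moment it is embedded and silently wrong after the next growth, which is why the bug surfaced as a wrong checksum rather than a crash. The pool never moves a slot once handed out, so the address can be embedded in code whose lifetime matches the pool's.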

  • trunk/Source/JavaScriptCore/ChangeLog

    r166439 r166440  
     12014-03-28  Mark Lam  <mark.lam@apple.com>
     2
     3        mandreel throws a checksum error on 32-bit x86.
     4        <https://webkit.org/b/125706>
     5
     6        Reviewed by Filip Pizlo.
     7
     8        The 32-bit DFG can emit code that loads double constants from its
     9        CodeBlock's m_constantRegisters vector.  The emitted instruction will
     10        embed the address of the constant from the vector's backing store.
     11        Subsequently, while inserting new constants, the DFG may resize the
     12        vector, thereby reallocating the backing store.  This renders the
     13        previously embedded constant addresses stale.
     14
     15        The fix is to use a dedicated doubles constant pool stored in the DFG
     16        CommonData instead.  This constant pool won't be reallocated, and
     17        hence will not manifest this issue.
     18
     19        * dfg/DFGCommonData.h:
     20        * dfg/DFGGraph.h:
     21        * dfg/DFGJITCompiler.cpp:
     22        (JSC::DFG::JITCompiler::link):
     23        (JSC::DFG::JITCompiler::addressOfDoubleConstant):
     24        * dfg/DFGJITCompiler.h:
     25        (JSC::DFG::JITCompiler::addressOfDoubleConstant): Deleted.
     26
    1272014-03-28  Joseph Pecoraro  <pecoraro@apple.com>
    228
  • trunk/Source/JavaScriptCore/dfg/DFGCommonData.h

    r164424 r166440  
    3636#include "ProfilerCompilation.h"
    3737#include "SymbolTable.h"
     38#include <wtf/Bag.h>
    3839#include <wtf/Noncopyable.h>
    3940
     
    106107    int machineCaptureStart;
    107108    std::unique_ptr<SlowArgument[]> slowArguments;
     109
     110#if USE(JSVALUE32_64)
     111    std::unique_ptr<Bag<double>> doubleConstants;
     112#endif
    108113   
    109114    unsigned frameRegisterCount;
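Review bot: the new `doubleConstants` member is compiled only under `USE(JSVALUE32_64)` while the `#include <wtf/Bag.h>` it needs is added unconditionally; that is harmless, but the member itself carries no comment saying why a `Bag` was chosen. A one-liner stating that each pooled double must stay at a fixed address for the life of the `CommonData`, because the emitted 32-bit code embeds those addresses, would spare the next reader a trip to the ChangeLog.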
  • trunk/Source/JavaScriptCore/dfg/DFGGraph.h

    r165995 r166440  
    847847    int m_machineCaptureStart;
    848848    std::unique_ptr<SlowArgument[]> m_slowArguments;
     849
     850#if USE(JSVALUE32_64)
     851    HashMap<double, double*> m_doubleConstantsMap;
     852    std::unique_ptr<Bag<double>> m_doubleConstants;
     853#endif
    849854   
    850855    OptimizationFixpointState m_fixpointState;
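Review bot: `HashMap<double, double*> m_doubleConstantsMap` keys the dedup lookup on the raw double, so correctness depends on the hash traits in effect for `double`: no legitimate constant may coincide with the map's empty or deleted sentinel, and `0.0` and `-0.0` must not be merged into one slot, since the sign is observable to the compiled program. Keying on the 64-bit bit pattern instead (for example `HashMap<uint64_t, double*>` populated with `bitwise_cast<uint64_t>(value)`) gives both properties regardless of how `double` hashing is configured.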
  • trunk/Source/JavaScriptCore/dfg/DFGJITCompiler.cpp

    r166135 r166440  
    160160    m_jitCode->common.slowArguments = std::move(m_graph.m_slowArguments);
    161161
     162#if USE(JSVALUE32_64)
     163    m_jitCode->common.doubleConstants = std::move(m_graph.m_doubleConstants);
     164#endif
     165
    162166    BitVector usedJumpTables;
    163167    for (Bag<SwitchData>::iterator iter = m_graph.m_switchData.begin(); !!iter; ++iter) {
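Review bot: moving `m_graph.m_doubleConstants` into `m_jitCode->common` is what keeps the embedded addresses alive after the `Graph` is destroyed, but nothing at this site says so; a short comment that ownership of the pool is transferred to the `JITCode` here, and that no constant may be added through `m_graph.m_doubleConstantsMap` after this point (its raw pointers still refer into the moved pool), would make the invariant visible where it is established.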
     
    433437}
    434438
     439#if USE(JSVALUE32_64)
     440void* JITCompiler::addressOfDoubleConstant(Node* node)
     441{
     442    ASSERT(m_graph.isNumberConstant(node));
     443    JSValue jsvalue = node->valueOfJSConstant(codeBlock());
     444    ASSERT(jsvalue.isDouble());
     445
     446    double value = jsvalue.asDouble();
     447    auto it = m_graph.m_doubleConstantsMap.find(value);
     448    if (it != m_graph.m_doubleConstantsMap.end())
     449        return it->value;
     450
     451    if (!m_graph.m_doubleConstants)
     452        m_graph.m_doubleConstants = std::make_unique<Bag<double>>();
     453
     454    double* addressInConstantPool = m_graph.m_doubleConstants->add();
     455    *addressInConstantPool = value;
     456    m_graph.m_doubleConstantsMap.add(value, addressInConstantPool);
     457    return addressInConstantPool;
     458}
     459#endif
     460
    435461} } // namespace JSC::DFG
    436462
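Review bot: `addressOfDoubleConstant` hashes the same key twice, once in `find` and again in `add` on the miss path. `HashMap::add` returns an `AddResult` whose `isNewEntry` flag allows a single pass, along the lines of `auto result = m_graph.m_doubleConstantsMap.add(value, nullptr); if (result.isNewEntry) { ... result.iterator->value = addressInConstantPool; } return result.iterator->value;`. Minor, but it also removes the window in which the map is consulted before the `Bag` has been lazily created.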
  • trunk/Source/JavaScriptCore/dfg/DFGJITCompiler.h

    r166135 r166440  
    199199
    200200#if USE(JSVALUE32_64)
    201     void* addressOfDoubleConstant(Node* node)
    202     {
    203         ASSERT(m_graph.isNumberConstant(node));
    204         unsigned constantIndex = node->constantNumber();
    205         return &(codeBlock()->constantRegister(FirstConstantRegisterIndex + constantIndex));
    206     }
     201    void* addressOfDoubleConstant(Node*);
    207202#endif
    208203
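Review bot: the removed inline body is the defect itself: `&(codeBlock()->constantRegister(FirstConstantRegisterIndex + constantIndex))` points into the backing store of `m_constantRegisters`, which a later constant insertion can reallocate, so the embedded address goes stale exactly as the ChangeLog describes. The replacement declaration has no comment; add one stating that the returned pointer refers into the `Bag<double>` owned by `CommonData` and stays valid for the lifetime of the compiled code, so callers may embed it only in code whose lifetime is tied to that `JITCode`.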