Changeset 167532 in webkit
- Timestamp: Apr 18, 2014 11:53:46 PM (10 years ago)
- Location: trunk/Source/JavaScriptCore
- Files: 2 edited
trunk/Source/JavaScriptCore/ChangeLog
r167530 r167532 1 2014-04-18 Mark Lam <mark.lam@apple.com> 2 3 REGRESSION(r164205): WebKit crash @StructureIDTable::get. 4 <https://webkit.org/b/130539> 5 6 Reviewed by Geoffrey Garen. 7 8 prepareOSREntry() prepares for OSR entry by first copying the local var 9 values from the baseline frame to a scartch buffer, which is then used 10 to fill in the locals in their new position in the DFG frame. Unfortunately, 11 prepareOSREntry() was using the DFG frame's frameRegisterCount as the frame 12 size of the baseline frame. As a result, some values of locals in the 13 baseline frame were not saved off, and the DFG frame may get initialized 14 with random content that happened to be in the uninitialized (and possibly 15 unallocated) portions of the scratch buffer. 16 17 The fix is to use OSREntryData::m_expectedValues.numberOfLocals() as the 18 number of locals in the baseline frame that we want to copy to the scratch 19 buffer. 20 21 Note: osrEntryThunkGenerator() is expecting the DFG frameRegisterCount 22 at offset 0 in the scratch buffer. So, we continue to write that value 23 there, not the baseline frame size. 24 25 * dfg/DFGOSREntry.cpp: 26 (JSC::DFG::prepareOSREntry): 27 1 28 2014-04-18 Timothy Hatcher <timothy@apple.com> 2 29 -
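Review bot: typo in the new ChangeLog paragraph, "copying the local var values from the baseline frame to a scartch buffer" should read "scratch buffer"; the same entry otherwise documents the frameSize/baseline size distinction well, so it is worth getting the wording right since this is where the next reader will look.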
trunk/Source/JavaScriptCore/dfg/DFGOSREntry.cpp
r166493 r167532 206 206 207 207 unsigned frameSize = jitCode->common.frameRegisterCount; 208 209 Register* scratch = bitwise_cast<Register*>(vm->scratchBufferForSize(sizeof(Register) * (2 + JSStack::CallFrameHeaderSize + frameSize))->dataBuffer()); 208 unsigned baselineFrameSize = entry->m_expectedValues.numberOfLocals(); 209 unsigned maxFrameSize = std::max(frameSize, baselineFrameSize); 210 211 Register* scratch = bitwise_cast<Register*>(vm->scratchBufferForSize(sizeof(Register) * (2 + JSStack::CallFrameHeaderSize + maxFrameSize))->dataBuffer()); 210 212 211 213 *bitwise_cast<size_t*>(scratch + 0) = frameSize; … … 219 221 Register* pivot = scratch + 2 + JSStack::CallFrameHeaderSize; 220 222 221 for (int index = -JSStack::CallFrameHeaderSize; index < static_cast<int>( frameSize); ++index) {223 for (int index = -JSStack::CallFrameHeaderSize; index < static_cast<int>(baselineFrameSize); ++index) { 222 224 VirtualRegister reg(-1 - index); 223 225
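Review bot: the copy loop now stops at baselineFrameSize while the scratch buffer is sized for maxFrameSize and offset 0 still advertises frameSize to the thunk; when frameSize is larger than baselineFrameSize, the slots in [baselineFrameSize, frameSize) past the pivot are not written by this loop, so please confirm that the code following this hunk initializes them (or that the thunk only consumes what the DFG frame layout later overwrites) before the buffer is copied into the new frame. A short comment beside `unsigned maxFrameSize = std::max(frameSize, baselineFrameSize);` stating that offset 0 intentionally keeps the DFG frameRegisterCount rather than the baseline size would also make the intent visible in the code instead of only in the ChangeLog.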