Context Navigation

← Previous Changeset
Next Changeset →

Changeset 192632 in webkit

Timestamp:

Nov 19, 2015 10:00:18 AM (8 years ago)

Author:

mark.lam@apple.com

Message:

JIT snippet generator JumpLists should be returned as references.
https://bugs.webkit.org/show_bug.cgi?id=151445

Reviewed by Gavin Barraclough.

The JumpLists were being returned by value. As a result, new jumps added to
them in the client are actually added to a temporary copy and promptly discarded.
Those jumps never get linked, resulting in infinite loops in DFG generated code
that used the snippets.

jit/JITAddGenerator.h:

(JSC::JITAddGenerator::endJumpList):
(JSC::JITAddGenerator::slowPathJumpList):

jit/JITMulGenerator.h:

(JSC::JITMulGenerator::endJumpList):
(JSC::JITMulGenerator::slowPathJumpList):

jit/JITSubGenerator.h:

(JSC::JITSubGenerator::endJumpList):
(JSC::JITSubGenerator::slowPathJumpList):

Location:

trunk/Source/JavaScriptCore

Files:

: 4 edited

ChangeLog (modified) (1 diff)
jit/JITAddGenerator.h (modified) (1 diff)
jit/JITMulGenerator.h (modified) (1 diff)
jit/JITSubGenerator.h (modified) (1 diff)

Legend:

: Unmodified
: Added
: Removed

trunk/Source/JavaScriptCore/ChangeLog

-                      r192626
+                      r192632
+-11-19  Mark Lam  <mark.lam@apple.com>
+        JIT snippet generator JumpLists should be returned as references.
+        https://bugs.webkit.org/show_bug.cgi?id=151445
+        Reviewed by Gavin Barraclough.
+        The JumpLists were being returned by value.  As a result, new jumps added to
+        them in the client are actually added to a temporary copy and promptly discarded.
+        Those jumps never get linked, resulting in infinite loops in DFG generated code
+        that used the snippets.
+        * jit/JITAddGenerator.h:
+        (JSC::JITAddGenerator::endJumpList):
+        (JSC::JITAddGenerator::slowPathJumpList):
+        * jit/JITMulGenerator.h:
+        (JSC::JITMulGenerator::endJumpList):
+        (JSC::JITMulGenerator::slowPathJumpList):
+        * jit/JITSubGenerator.h:
+        (JSC::JITSubGenerator::endJumpList):
+        (JSC::JITSubGenerator::slowPathJumpList):
 -11-19  Csaba Osztrogonác  <ossy@webkit.org>

trunk/Source/JavaScriptCore/jit/JITAddGenerator.h

-                      r192599
+                      r192632
     bool didEmitFastPath() const { return m_didEmitFastPath; }
     CCallHelpers::JumpList endJumpList() { return m_endJumpList; }
     CCallHelpers::JumpList slowPathJumpList() { return m_slowPathJumpList; }
+    CCallHelpers::JumpList& endJumpList() { return m_endJumpList; }
+    CCallHelpers::JumpList& slowPathJumpList() { return m_slowPathJumpList; }
 private:

trunk/Source/JavaScriptCore/jit/JITMulGenerator.h

-                      r192600
+                      r192632
     bool didEmitFastPath() const { return m_didEmitFastPath; }
     CCallHelpers::JumpList endJumpList() { return m_endJumpList; }
     CCallHelpers::JumpList slowPathJumpList() { return m_slowPathJumpList; }
+    CCallHelpers::JumpList& endJumpList() { return m_endJumpList; }
+    CCallHelpers::JumpList& slowPathJumpList() { return m_slowPathJumpList; }
 private:

trunk/Source/JavaScriptCore/jit/JITSubGenerator.h

-                      r192599
+                      r192632
     bool didEmitFastPath() const { return m_didEmitFastPath; }
     CCallHelpers::JumpList endJumpList() { return m_endJumpList; }
     CCallHelpers::JumpList slowPathJumpList() { return m_slowPathJumpList; }
+    CCallHelpers::JumpList& endJumpList() { return m_endJumpList; }
+    CCallHelpers::JumpList& slowPathJumpList() { return m_slowPathJumpList; }
 private:

Note: See TracChangeset for help on using the changeset viewer.