Changeset 212640 in webkit


Timestamp:
Feb 20, 2017, 9:18:27 AM (8 years ago)
Author:
mark.lam@apple.com
Message:

BytecodeGenerator should not iterate its m_controlFlowScopeStack using a pointer bump.
https://bugs.webkit.org/show_bug.cgi?id=168585

Reviewed by Yusuke Suzuki.

This is because m_controlFlowScopeStack is a SegmentedVector, and entries for
consecutive indices in the vector are not guaranteed to be consecutive in memory
layout. Indexing should be used instead.

This issue was detected by the marathon.js test from
https://bugs.webkit.org/show_bug.cgi?id=168580.

  • bytecompiler/BytecodeGenerator.cpp:

(JSC::BytecodeGenerator::emitJumpViaFinallyIfNeeded):
(JSC::BytecodeGenerator::emitReturnViaFinallyIfNeeded):

Location:
trunk/Source/JavaScriptCore
Files:
2 edited

  • trunk/Source/JavaScriptCore/ChangeLog

    r212629 r212640  
     12017-02-19  Mark Lam  <mark.lam@apple.com>
     2
     3        BytecodeGenerator should not iterate its m_controlFlowScopeStack using a pointer bump.
     4        https://bugs.webkit.org/show_bug.cgi?id=168585
     5
     6        Reviewed by Yusuke Suzuki.
     7
     8        This is because m_controlFlowScopeStack is a SegmentedVector, and entries for
     9        consecutive indices in the vector are not guaranteed to be consecutive in memory
     10        layout.  Instead, we should be using indexing instead.
     11
     12        This issue was detected by the marathon.js test from
     13        https://bugs.webkit.org/show_bug.cgi?id=168580.
     14
     15        * bytecompiler/BytecodeGenerator.cpp:
     16        (JSC::BytecodeGenerator::emitJumpViaFinallyIfNeeded):
     17        (JSC::BytecodeGenerator::emitReturnViaFinallyIfNeeded):
     18
    1192017-02-20  Manuel Rego Casasnovas  <rego@igalia.com>
    220
  • trunk/Source/JavaScriptCore/bytecompiler/BytecodeGenerator.cpp

    r212425 r212640  
    11/*
    2  * Copyright (C) 2008-2009, 2012-2016 Apple Inc. All rights reserved.
     2 * Copyright (C) 2008-2017 Apple Inc. All rights reserved.
    33 * Copyright (C) 2008 Cameron Zwarich <cwzwarich@uwaterloo.ca>
    44 * Copyright (C) 2012 Igalia, S.L.
     
    48234823{
    48244824    ASSERT(labelScopeDepth() - targetLabelScopeDepth >= 0);
    4825     size_t scopeDelta = labelScopeDepth() - targetLabelScopeDepth;
    4826     ASSERT(scopeDelta <= m_controlFlowScopeStack.size());
    4827     if (!scopeDelta)
    4828         return false; // No finallys to thread through.
    4829 
    4830     ControlFlowScope* topScope = &m_controlFlowScopeStack.last();
    4831     ControlFlowScope* bottomScope = &m_controlFlowScopeStack.last() - scopeDelta;
     4825    size_t numberOfScopesToCheckForFinally = labelScopeDepth() - targetLabelScopeDepth;
     4826    ASSERT(numberOfScopesToCheckForFinally <= m_controlFlowScopeStack.size());
     4827    if (!numberOfScopesToCheckForFinally)
     4828        return false;
    48324829
    48334830    FinallyContext* innermostFinallyContext = nullptr;
    48344831    FinallyContext* outermostFinallyContext = nullptr;
    4835     while (topScope > bottomScope) {
    4836         if (topScope->isFinallyScope()) {
    4837             FinallyContext* finallyContext = &topScope->finallyContext;
     4832    size_t scopeIndex = m_controlFlowScopeStack.size() - 1;
     4833    while (numberOfScopesToCheckForFinally--) {
     4834        ControlFlowScope* scope = &m_controlFlowScopeStack[scopeIndex--];
     4835        if (scope->isFinallyScope()) {
     4836            FinallyContext* finallyContext = &scope->finallyContext;
    48384837            if (!innermostFinallyContext)
    48394838                innermostFinallyContext = finallyContext;
     
    48414840            finallyContext->incNumberOfBreaksOrContinues();
    48424841        }
    4843         --topScope;
    48444842    }
    48454843    if (!outermostFinallyContext)
     
    48574855bool BytecodeGenerator::emitReturnViaFinallyIfNeeded(RegisterID* returnRegister)
    48584856{
    4859     if (!m_controlFlowScopeStack.size())
    4860         return false; // No finallys to thread through.
    4861 
    4862     ControlFlowScope* topScope = &m_controlFlowScopeStack.last();
    4863     ControlFlowScope* bottomScope = &m_controlFlowScopeStack.first();
     4857    size_t numberOfScopesToCheckForFinally = m_controlFlowScopeStack.size();
     4858    if (!numberOfScopesToCheckForFinally)
     4859        return false;
    48644860
    48654861    FinallyContext* innermostFinallyContext = nullptr;
    4866     while (topScope >= bottomScope) {
    4867         if (topScope->isFinallyScope()) {
    4868             FinallyContext* finallyContext = &topScope->finallyContext;
     4862    while (numberOfScopesToCheckForFinally) {
     4863        size_t scopeIndex = --numberOfScopesToCheckForFinally;
     4864        ControlFlowScope* scope = &m_controlFlowScopeStack[scopeIndex];
     4865        if (scope->isFinallyScope()) {
     4866            FinallyContext* finallyContext = &scope->finallyContext;
    48694867            if (!innermostFinallyContext)
    48704868                innermostFinallyContext = finallyContext;
    48714869            finallyContext->setHandlesReturns();
    48724870        }
    4873         --topScope;
    48744871    }
    48754872    if (!innermostFinallyContext)
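Review bot: The post-decrement at new line 4834, `ControlFlowScope* scope = &m_controlFlowScopeStack[scopeIndex--];`, lets scopeIndex wrap to SIZE_MAX on the final iteration whenever the walk reaches index 0; it is never dereferenced afterwards, but the loop in emitReturnViaFinallyIfNeeded below avoids the wrap by decrementing before indexing (`size_t scopeIndex = --numberOfScopesToCheckForFinally;`). For symmetry, start from `size_t scopeIndex = m_controlFlowScopeStack.size();` and index with `&m_controlFlowScopeStack[--scopeIndex]`, so both walks read the same way. The old `// No finallys to thread through.` comment on the early `return false` was dropped in both functions (new lines 4828 and 4859) and is worth restoring, since the bare return no longer says why. The upper bound on numberOfScopesToCheckForFinally is only ASSERT-checked (new line 4826), so in a release build a depth mismatch would still index past the vector; that is pre-existing rather than introduced here, but it is the invariant this index arithmetic relies on. Both functions continue past the end of the hunk.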