Changeset 195683 in webkit
- Timestamp: Jan 27, 2016 12:10:55 PM (8 years ago)
- Location: trunk/Source/JavaScriptCore
- Files: 2 edited
trunk/Source/JavaScriptCore/ChangeLog
r195675 r195683 1 2016-01-27 Filip Pizlo <fpizlo@apple.com> 2 3 Air::TmpWidth uses a stale pointer into its HashMap after it calls add() 4 https://bugs.webkit.org/show_bug.cgi?id=153546 5 6 Reviewed by Saam Barati. 7 8 * b3/air/AirTmpWidth.cpp: 9 (JSC::B3::Air::TmpWidth::recompute): 10 1 11 2016-01-27 Alexey Proskuryakov <ap@apple.com> 2 12 -
trunk/Source/JavaScriptCore/b3/air/AirTmpWidth.cpp
r194542 r195683 91 91 if (inst.opcode == Move && inst.args[1].isTmp()) { 92 92 if (inst.args[0].isTmp()) { 93 // Make sure that both sides of the Move have a width already initialized. The 94 // fixpoint below assumes that it never has to add things to the HashMap. 95 m_width.add(inst.args[0].tmp(), Widths(Arg::GP)); 96 m_width.add(inst.args[1].tmp(), Widths(Arg::GP)); 97 93 98 moves.append(&inst); 94 99 continue; … … 134 139 ASSERT(move->args[0].isTmp()); 135 140 ASSERT(move->args[1].isTmp()); 136 137 Widths& srcWidths = m_width.add(move->args[0].tmp(), Widths(Arg::GP)).iterator->value; 138 Widths& dstWidths = m_width.add(move->args[1].tmp(), Widths(Arg::GP)).iterator->value; 141 142 // We already ensure that both tmps are added to the width map. That's important 143 // because you cannot add both tmps here while simultaneously getting a reference to 144 // their values, since the second add would invalidate the reference returned by the 145 // first one. 146 Widths& srcWidths = m_width.find(move->args[0].tmp())->value; 147 Widths& dstWidths = m_width.find(move->args[1].tmp())->value; 139 148 140 149 // Legend:
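Review bot: In the first AirTmpWidth.cpp hunk (new lines 93-96), the comment gives the rule ("never has to add things to the HashMap") but not the reason. These two `m_width.add(..., Widths(Arg::GP))` calls are the only thing that makes the later `find()` lookups valid, so I would name the failure here as well: an add during the fixpoint can invalidate a `Widths&` already taken from the map. It is also worth saying that the seeding relies on `add()` leaving an existing entry in place, which is the same get-or-insert behaviour the removed `add(...).iterator->value` lines depended on.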
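Review bot: In the second AirTmpWidth.cpp hunk (new lines 146-147), `m_width.find(...)->value` is dereferenced with no check that the key is present, so the invariant set up in the first hunk is enforced only by a comment. If a later change appends to `moves` on a path that skips the seeding, this line dereferences the end iterator, which replaces one stale-pointer bug with another. Suggest adding `ASSERT(m_width.contains(move->args[0].tmp()));` and the same for `args[1]` next to the existing `ASSERT(move->args[0].isTmp());` lines, so debug builds fail at the point the invariant breaks.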