Title: [165021] trunk/Source/JavaScriptCore
- Revision: 165021
- Author: msab...@apple.com
- Date: 2014-03-03 16:49:19 -0800 (Mon, 03 Mar 2014)
Log Message
Crash in JIT code while watching a video @ storyboard.tumblr.com
https://bugs.webkit.org/show_bug.cgi?id=129635
Reviewed by Filip Pizlo.
Clear m_set before we set bits in the TempRegisterSet(const RegisterSet& other)
constructor.
* jit/TempRegisterSet.cpp:
(JSC::TempRegisterSet::TempRegisterSet): Clear map before setting it.
* jit/TempRegisterSet.h:
(JSC::TempRegisterSet::TempRegisterSet): Use new clearAll() helper.
(JSC::TempRegisterSet::clearAll): New private helper.
Diff
Modified: trunk/Source/_javascript_Core/ChangeLog (165020 => 165021)
--- trunk/Source/_javascript_Core/ChangeLog 2014-03-04 00:45:15 UTC (rev 165020)
+++ trunk/Source/_javascript_Core/ChangeLog 2014-03-04 00:49:19 UTC (rev 165021)
@@ -1,3 +1,19 @@
+2014-03-03 Michael Saboff <msab...@apple.com>
+
+ Crash in JIT code while watching a video @ storyboard.tumblr.com
+ https://bugs.webkit.org/show_bug.cgi?id=129635
+
+ Reviewed by Filip Pizlo.
+
+ Clear m_set before we set bits in the TempRegisterSet(const RegisterSet& other)
+ construtor.
+
+ * jit/TempRegisterSet.cpp:
+ (JSC::TempRegisterSet::TempRegisterSet): Clear map before setting it.
+ * jit/TempRegisterSet.h:
+ (JSC::TempRegisterSet::TempRegisterSet): Use new clearAll() helper.
+ (JSC::TempRegisterSet::clearAll): New private helper.
+
2014-03-03 Benjamin Poulain <benja...@webkit.org>
[x86] Improve code generation of byte test
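Review bot: The added ChangeLog entry misspells "constructor" as "construtor", and it names no regression test for the crash; only jit/TempRegisterSet.cpp and jit/TempRegisterSet.h are listed. If the crash can be reduced outside the video page, the test should be named here, or the entry should say why none is included.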
Modified: trunk/Source/_javascript_Core/jit/TempRegisterSet.cpp (165020 => 165021)
--- trunk/Source/_javascript_Core/jit/TempRegisterSet.cpp 2014-03-04 00:45:15 UTC (rev 165020)
+++ trunk/Source/_javascript_Core/jit/TempRegisterSet.cpp 2014-03-04 00:49:19 UTC (rev 165021)
@@ -35,6 +35,8 @@
TempRegisterSet::TempRegisterSet(const RegisterSet& other)
{
+ clearAll();
+
for (unsigned i = GPRInfo::numberOfRegisters; i--;) {
GPRReg reg = GPRInfo::toRegister(i);
if (other.get(reg))
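Review bot: In TempRegisterSet(const RegisterSet& other), the loop after clearAll() only sets bits for registers where other.get(reg) is true, so before this change every other bit of m_set kept whatever was already in memory, and the fix still depends on each constructor body remembering to call clearAll(). Consider zeroing m_set where it cannot be skipped, for example by delegating to the default constructor or by giving m_set a zero initializer, so that a constructor added later cannot reintroduce the uninitialized state.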
Modified: trunk/Source/_javascript_Core/jit/TempRegisterSet.h (165020 => 165021)
--- trunk/Source/_javascript_Core/jit/TempRegisterSet.h 2014-03-04 00:45:15 UTC (rev 165020)
+++ trunk/Source/_javascript_Core/jit/TempRegisterSet.h 2014-03-04 00:49:19 UTC (rev 165021)
@@ -39,8 +39,7 @@
public:
TempRegisterSet()
{
- for (unsigned i = numberOfBytesInTempRegisterSet; i--;)
- m_set[i] = 0;
+ clearAll();
}
TempRegisterSet(const RegisterSet&);
@@ -162,6 +161,12 @@
}
private:
+ void clearAll()
+ {
+ for (unsigned i = numberOfBytesInTempRegisterSet; i--;)
+ m_set[i] = 0;
+ }
+
void setBit(unsigned i)
{
ASSERT(i < totalNumberOfRegisters);
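Review bot: clearAll() has no comment stating that every constructor must call it before any bits are set, which is the invariant whose absence this commit fixes; a one-line comment above the helper would record that. If m_set is a member array, the countdown loop could also be written as memset(m_set, 0, sizeof(m_set)), which ties the length to the array itself rather than to numberOfBytesInTempRegisterSet.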