Title: [91728] trunk/Source/_javascript_Core
Revision
91728
Author
[email protected]
Date
2011-07-25 17:25:30 -0700 (Mon, 25 Jul 2011)

Log Message

DFG JIT bytecode parser misuses pointers into objects allocated as part of a
WTF::Vector.
https://bugs.webkit.org/show_bug.cgi?id=65128

Patch by Filip Pizlo <[email protected]> on 2011-07-25
Reviewed by Gavin Barraclough.

The bytecode parser code seems to be right to have a DFGNode& phiNode reference
into the graph, since this makes the code greatly more readable.  This patch
thus makes the minimal change necessary to make the code right: it uses a
pointer (to disambiguate between reloading the pointer and performing a
copy from one location of the vector to another) and reloads it after the
calls to addToGraph().

* dfg/DFGByteCodeParser.cpp:
(JSC::DFG::ByteCodeParser::processPhiStack):

Modified Paths

Diff

Modified: trunk/Source/_javascript_Core/ChangeLog (91727 => 91728)


--- trunk/Source/_javascript_Core/ChangeLog	2011-07-26 00:12:29 UTC (rev 91727)
+++ trunk/Source/_javascript_Core/ChangeLog	2011-07-26 00:25:30 UTC (rev 91728)
@@ -1,3 +1,21 @@
+2011-07-25  Filip Pizlo  <[email protected]>
+
+        DFG JIT bytecode parser misuses pointers into objects allocated as part of a
+        WTF::Vector.
+        https://bugs.webkit.org/show_bug.cgi?id=65128
+
+        Reviewed by Gavin Barraclough.
+        
+        The bytecode parser code seems to be right to have a DFGNode& phiNode reference
+        into the graph, since this makes the code greatly more readable.  This patch
+        thus makes the minimal change necessary to make the code right: it uses a
+        pointer (to disambiguate between reloading the pointer and performing a
+        copy from one location of the vector to another) and reloads it after the
+        calls to addToGraph().
+
+        * dfg/DFGByteCodeParser.cpp:
+        (JSC::DFG::ByteCodeParser::processPhiStack):
+
 2011-07-25  Sheriff Bot  <[email protected]>
 
         Unreviewed, rolling out r91686.
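Review bot: the blank line directly after `+        Reviewed by Gavin Barraclough.` is not empty but carries trailing spaces (`+        `); it should be a bare `+` like the other blank lines in the entry. Otherwise the ChangeLog entry matches the commit message and names the changed function.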

Modified: trunk/Source/_javascript_Core/dfg/DFGByteCodeParser.cpp (91727 => 91728)


--- trunk/Source/_javascript_Core/dfg/DFGByteCodeParser.cpp	2011-07-26 00:12:29 UTC (rev 91727)
+++ trunk/Source/_javascript_Core/dfg/DFGByteCodeParser.cpp	2011-07-26 00:25:30 UTC (rev 91728)
@@ -1172,7 +1172,6 @@
         PhiStackEntry entry = phiStack.last();
         phiStack.removeLast();
         
-        Node& phiNode = m_graph[entry.m_phi];
         PredecessorList& predecessors = entry.m_block->m_predecessors;
         unsigned varNo = entry.m_varNo;
 
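Review bot: dropping `Node& phiNode = m_graph[entry.m_phi];` here is correct, since a reference into the graph's WTF::Vector taken before the predecessor loop dangles as soon as an `addToGraph()` call inside that loop reallocates the vector's storage; consider leaving a one-line comment at this spot explaining why the node is now looked up inside the loop instead, so a later cleanup does not hoist the lookup back out. Note that `entry` is a copy of `phiStack.last()` taken before `removeLast()`, so `entry.m_phi` stays a valid index for the later re-lookups.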
@@ -1190,34 +1189,37 @@
                 valueInPredecessor = m_graph[valueInPredecessor].child1();
             ASSERT(m_graph[valueInPredecessor].op == SetLocal || m_graph[valueInPredecessor].op == Phi);
 
-            if (phiNode.refCount())
+            Node* phiNode = &m_graph[entry.m_phi];
+            if (phiNode->refCount())
                 m_graph.ref(valueInPredecessor);
 
-            if (phiNode.child1() == NoNode) {
-                phiNode.children.fixed.child1 = valueInPredecessor;
+            if (phiNode->child1() == NoNode) {
+                phiNode->children.fixed.child1 = valueInPredecessor;
                 continue;
             }
-            if (phiNode.child2() == NoNode) {
-                phiNode.children.fixed.child2 = valueInPredecessor;
+            if (phiNode->child2() == NoNode) {
+                phiNode->children.fixed.child2 = valueInPredecessor;
                 continue;
             }
-            if (phiNode.child3() == NoNode) {
-                phiNode.children.fixed.child3 = valueInPredecessor;
+            if (phiNode->child3() == NoNode) {
+                phiNode->children.fixed.child3 = valueInPredecessor;
                 continue;
             }
 
             NodeIndex newPhi = addToGraph(Phi);
+            
+            phiNode = &m_graph[entry.m_phi]; // reload after vector resize
             Node& newPhiNode = m_graph[newPhi];
-            if (phiNode.refCount())
+            if (phiNode->refCount())
                 m_graph.ref(newPhi);
 
-            newPhiNode.children.fixed.child1 = phiNode.child1();
-            newPhiNode.children.fixed.child2 = phiNode.child2();
-            newPhiNode.children.fixed.child3 = phiNode.child3();
+            newPhiNode.children.fixed.child1 = phiNode->child1();
+            newPhiNode.children.fixed.child2 = phiNode->child2();
+            newPhiNode.children.fixed.child3 = phiNode->child3();
 
-            phiNode.children.fixed.child1 = newPhi;
-            phiNode.children.fixed.child1 = valueInPredecessor;
-            phiNode.children.fixed.child3 = NoNode;
+            phiNode->children.fixed.child1 = newPhi;
+            phiNode->children.fixed.child1 = valueInPredecessor;
+            phiNode->children.fixed.child3 = NoNode;
         }
     }
 }
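Review bot: the last three assignments in the hunk write `child1` twice (`phiNode->children.fixed.child1 = newPhi;` immediately followed by `phiNode->children.fixed.child1 = valueInPredecessor;`) and never touch `child2`, so `newPhi` is overwritten before it is ever used and the old `child2` value, already copied into `newPhiNode`, is left in place; this was carried over unchanged from the `phiNode.` lines being removed, but since the hunk rewrites every one of them this is the moment to fix it, presumably by making the second assignment `phiNode->children.fixed.child2 = valueInPredecessor;`. The reload `phiNode = &m_graph[entry.m_phi]; // reload after vector resize` sits correctly right after the `addToGraph(Phi)` call that can grow the vector, and `Node& newPhiNode = m_graph[newPhi];` is taken after it as well, so both stay valid provided nothing between there and the end of the loop body (the `m_graph.ref(newPhi)` call included) grows the graph; a short comment stating that assumption next to the `newPhiNode` reference would make it explicit. The added blank line after `NodeIndex newPhi = addToGraph(Phi);` carries trailing whitespace.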
_______________________________________________
webkit-changes mailing list
[email protected]
http://lists.webkit.org/mailman/listinfo.cgi/webkit-changes