Title: [92911] trunk/Source/_javascript_Core
Revision
92911
Author
[email protected]
Date
2011-08-11 21:09:42 -0700 (Thu, 11 Aug 2011)

Log Message

DFG JIT-specific structure stub info code offset fields are signed
8-bit, but it is possible for the offsets to be greater than 127
https://bugs.webkit.org/show_bug.cgi?id=66122

Reviewed by Gavin Barraclough.

* bytecode/StructureStubInfo.h:
* dfg/DFGJITCodeGenerator.cpp:
(JSC::DFG::JITCodeGenerator::cachedGetById):
(JSC::DFG::JITCodeGenerator::cachedPutById):

Modified Paths

Diff

Modified: trunk/Source/_javascript_Core/ChangeLog (92910 => 92911)


--- trunk/Source/_javascript_Core/ChangeLog	2011-08-12 04:08:38 UTC (rev 92910)
+++ trunk/Source/_javascript_Core/ChangeLog	2011-08-12 04:09:42 UTC (rev 92911)
@@ -1,5 +1,18 @@
 2011-08-11  Filip Pizlo  <[email protected]>
 
+        DFG JIT-specific structure stub info code offset fields are signed
+        8-bit, but it is possible for the offsets to be greater than 127
+        https://bugs.webkit.org/show_bug.cgi?id=66122
+
+        Reviewed by Gavin Barraclough.
+
+        * bytecode/StructureStubInfo.h:
+        * dfg/DFGJITCodeGenerator.cpp:
+        (JSC::DFG::JITCodeGenerator::cachedGetById):
+        (JSC::DFG::JITCodeGenerator::cachedPutById):
+
+2011-08-11  Filip Pizlo  <[email protected]>
+
         DFG JIT speculation failure code sometimes picks the wrong register
         as a scratch register.
         https://bugs.webkit.org/show_bug.cgi?id=66104

Modified: trunk/Source/_javascript_Core/bytecode/StructureStubInfo.h (92910 => 92911)


--- trunk/Source/_javascript_Core/bytecode/StructureStubInfo.h	2011-08-12 04:08:38 UTC (rev 92910)
+++ trunk/Source/_javascript_Core/bytecode/StructureStubInfo.h	2011-08-12 04:09:42 UTC (rev 92911)
@@ -134,15 +134,15 @@
         int8_t baseGPR;
         int8_t valueGPR;
         int8_t scratchGPR;
-        int8_t deltaCallToDone;
-        int8_t deltaCallToStructCheck;
-        int8_t deltaCallToSlowCase;
+        int16_t deltaCallToDone;
+        int16_t deltaCallToStructCheck;
+        int16_t deltaCallToSlowCase;
 #endif
 
         union {
             struct {
-                int8_t deltaCheckImmToCall;
-                int8_t deltaCallToLoadOrStore;
+                int16_t deltaCheckImmToCall;
+                int16_t deltaCallToLoadOrStore;
             } unset;
             struct {
                 WriteBarrierBase<Structure> baseObjectStructure;
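Review bot: The widened `deltaCallTo*` fields at L63–L65 and `deltaCheckImmToCall`/`deltaCallToLoadOrStore` at L72–L73 carry no comment on why they are 16-bit rather than a plain int, nor on what guarantees a delta fits, so a reader who later hits an offset above 32767 has nothing in this header to go on. Suggest a comment above `deltaCallToDone`, e.g. `// Code offsets relative to the patchable call, kept narrow; the DFG code generator checks (safeCast) that each delta fits in 16 bits.` The enclosing struct begins and ends outside the hunk.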

Modified: trunk/Source/_javascript_Core/dfg/DFGJITCodeGenerator.cpp (92910 => 92911)


--- trunk/Source/_javascript_Core/dfg/DFGJITCodeGenerator.cpp	2011-08-12 04:08:38 UTC (rev 92910)
+++ trunk/Source/_javascript_Core/dfg/DFGJITCodeGenerator.cpp	2011-08-12 04:09:42 UTC (rev 92911)
@@ -391,6 +391,14 @@
         || (node.isConstant() && !valueOfJSConstant(nodeIndex).isInt32());
 }
 
+template<typename To, typename From>
+inline To safeCast(From value)
+{
+    To result = static_cast<To>(value);
+    ASSERT(result == value);
+    return result;
+}
+
 JITCompiler::Call JITCodeGenerator::cachedGetById(GPRReg baseGPR, GPRReg resultGPR, GPRReg scratchGPR, unsigned identifierNumber, JITCompiler::Jump slowPathTarget, NodeType nodeType)
 {
     JITCompiler::DataLabelPtr structureToCompare;
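Review bot: `safeCast` (L87–L93) enforces the range only through `ASSERT`, which WTF compiles out of release builds, so an offset that exceeds int16_t in a release build is still silently truncated — the same defect this commit fixes, only at a higher threshold; this applies equally to every call site in the cachedGetById and cachedPutById hunks below. The `result == value` comparison also cannot detect a negative value cast to an unsigned `To`, because both operands convert to the unsigned type before comparing; today's callers pass a signed int delta and a GPRReg, so it holds, but the helper is generic. Suggest a comment on the template, `// Debug-only range check: ASSERT vanishes in release, and a negative value cast to an unsigned To compares equal.`, or a check that survives release builds if truncation here must never reach patched code. cachedGetById's body continues past the end of this hunk.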
@@ -433,13 +441,13 @@
     
     JITCompiler::Label doneLabel = m_jit.label();
 
-    int8_t checkImmToCall = static_cast<int8_t>(m_jit.differenceBetween(structureToCompare, functionCall));
-    int8_t callToCheck = static_cast<int8_t>(m_jit.differenceBetween(functionCall, structureCheck));
-    int8_t callToLoad = static_cast<int8_t>(m_jit.differenceBetween(functionCall, loadWithPatch));
-    int8_t callToSlowCase = static_cast<int8_t>(m_jit.differenceBetween(functionCall, slowCase));
-    int8_t callToDone = static_cast<int8_t>(m_jit.differenceBetween(functionCall, doneLabel));
+    int16_t checkImmToCall = safeCast<int16_t>(m_jit.differenceBetween(structureToCompare, functionCall));
+    int16_t callToCheck = safeCast<int16_t>(m_jit.differenceBetween(functionCall, structureCheck));
+    int16_t callToLoad = safeCast<int16_t>(m_jit.differenceBetween(functionCall, loadWithPatch));
+    int16_t callToSlowCase = safeCast<int16_t>(m_jit.differenceBetween(functionCall, slowCase));
+    int16_t callToDone = safeCast<int16_t>(m_jit.differenceBetween(functionCall, doneLabel));
     
-    m_jit.addPropertyAccess(functionCall, checkImmToCall, callToCheck, callToLoad, callToSlowCase, callToDone, static_cast<int8_t>(baseGPR), static_cast<int8_t>(resultGPR), static_cast<int8_t>(scratchGPR));
+    m_jit.addPropertyAccess(functionCall, checkImmToCall, callToCheck, callToLoad, callToSlowCase, callToDone, safeCast<int8_t>(baseGPR), safeCast<int8_t>(resultGPR), safeCast<int8_t>(scratchGPR));
     
     if (scratchGPR != resultGPR && scratchGPR != InvalidGPRReg)
         unlock(scratchGPR);
@@ -495,13 +503,13 @@
     done.link(&m_jit);
     JITCompiler::Label doneLabel = m_jit.label();
 
-    int8_t checkImmToCall = static_cast<int8_t>(m_jit.differenceBetween(structureToCompare, functionCall));
-    int8_t callToCheck = static_cast<int8_t>(m_jit.differenceBetween(functionCall, structureCheck));
-    int8_t callToStore = static_cast<int8_t>(m_jit.differenceBetween(functionCall, storeWithPatch));
-    int8_t callToSlowCase = static_cast<int8_t>(m_jit.differenceBetween(functionCall, slowCase));
-    int8_t callToDone = static_cast<int8_t>(m_jit.differenceBetween(functionCall, doneLabel));
+    int16_t checkImmToCall = safeCast<int16_t>(m_jit.differenceBetween(structureToCompare, functionCall));
+    int16_t callToCheck = safeCast<int16_t>(m_jit.differenceBetween(functionCall, structureCheck));
+    int16_t callToStore = safeCast<int16_t>(m_jit.differenceBetween(functionCall, storeWithPatch));
+    int16_t callToSlowCase = safeCast<int16_t>(m_jit.differenceBetween(functionCall, slowCase));
+    int16_t callToDone = safeCast<int16_t>(m_jit.differenceBetween(functionCall, doneLabel));
 
-    m_jit.addPropertyAccess(functionCall, checkImmToCall, callToCheck, callToStore, callToSlowCase, callToDone, static_cast<int8_t>(baseGPR), static_cast<int8_t>(valueGPR), static_cast<int8_t>(scratchGPR));
+    m_jit.addPropertyAccess(functionCall, checkImmToCall, callToCheck, callToStore, callToSlowCase, callToDone, safeCast<int8_t>(baseGPR), safeCast<int8_t>(valueGPR), safeCast<int8_t>(scratchGPR));
 }
 
 void JITCodeGenerator::cachedGetMethod(GPRReg baseGPR, GPRReg resultGPR, GPRReg scratchGPR, unsigned identifierNumber, JITCompiler::Jump slowPathTarget)

Modified: trunk/Source/_javascript_Core/dfg/DFGJITCompiler.h (92910 => 92911)


--- trunk/Source/_javascript_Core/dfg/DFGJITCompiler.h	2011-08-12 04:08:38 UTC (rev 92910)
+++ trunk/Source/_javascript_Core/dfg/DFGJITCompiler.h	2011-08-12 04:09:42 UTC (rev 92911)
@@ -309,7 +309,7 @@
     unsigned m_exceptionCheckCount;
 
     struct PropertyAccessRecord {
-        PropertyAccessRecord(Call functionCall, int8_t deltaCheckImmToCall, int8_t deltaCallToStructCheck, int8_t deltaCallToLoadOrStore, int8_t deltaCallToSlowCase, int8_t deltaCallToDone, int8_t baseGPR, int8_t valueGPR, int8_t scratchGPR)
+        PropertyAccessRecord(Call functionCall, int16_t deltaCheckImmToCall, int16_t deltaCallToStructCheck, int16_t deltaCallToLoadOrStore, int16_t deltaCallToSlowCase, int16_t deltaCallToDone, int8_t baseGPR, int8_t valueGPR, int8_t scratchGPR)
             : m_functionCall(functionCall)
             , m_deltaCheckImmToCall(deltaCheckImmToCall)
             , m_deltaCallToStructCheck(deltaCallToStructCheck)
@@ -323,11 +323,11 @@
         }
 
         JITCompiler::Call m_functionCall;
-        int8_t m_deltaCheckImmToCall;
-        int8_t m_deltaCallToStructCheck;
-        int8_t m_deltaCallToLoadOrStore;
-        int8_t m_deltaCallToSlowCase;
-        int8_t m_deltaCallToDone;
+        int16_t m_deltaCheckImmToCall;
+        int16_t m_deltaCallToStructCheck;
+        int16_t m_deltaCallToLoadOrStore;
+        int16_t m_deltaCallToSlowCase;
+        int16_t m_deltaCallToDone;
         int8_t m_baseGPR;
         int8_t m_valueGPR;
         int8_t m_scratchGPR;