Title: [92995] branches/safari-534.51-branch/Source/_javascript_Core

Diff

Modified: branches/safari-534.51-branch/Source/_javascript_Core/ChangeLog (92994 => 92995)


--- branches/safari-534.51-branch/Source/_javascript_Core/ChangeLog	2011-08-12 21:06:27 UTC (rev 92994)
+++ branches/safari-534.51-branch/Source/_javascript_Core/ChangeLog	2011-08-12 21:08:10 UTC (rev 92995)
@@ -1,5 +1,22 @@
 2011-08-11  Lucas Forschler  <[email protected]>
 
+    Merged 92911
+
+    2011-08-11  Filip Pizlo  <[email protected]>
+
+            DFG JIT-specific structure stub info code offset fields are signed
+            8-bit, but it is possible for the offsets to be greater than 127
+            https://bugs.webkit.org/show_bug.cgi?id=66122
+
+            Reviewed by Gavin Barraclough.
+
+            * bytecode/StructureStubInfo.h:
+            * dfg/DFGJITCodeGenerator.cpp:
+            (JSC::DFG::JITCodeGenerator::cachedGetById):
+            (JSC::DFG::JITCodeGenerator::cachedPutById):
+
+2011-08-11  Lucas Forschler  <[email protected]>
+
     Merged 92909
 
     2011-08-11  Filip Pizlo  <[email protected]>

Modified: branches/safari-534.51-branch/Source/_javascript_Core/bytecode/StructureStubInfo.h (92994 => 92995)


--- branches/safari-534.51-branch/Source/_javascript_Core/bytecode/StructureStubInfo.h	2011-08-12 21:06:27 UTC (rev 92994)
+++ branches/safari-534.51-branch/Source/_javascript_Core/bytecode/StructureStubInfo.h	2011-08-12 21:08:10 UTC (rev 92995)
@@ -134,15 +134,15 @@
         int8_t baseGPR;
         int8_t valueGPR;
         int8_t scratchGPR;
-        int8_t deltaCallToDone;
-        int8_t deltaCallToStructCheck;
-        int8_t deltaCallToSlowCase;
+        int16_t deltaCallToDone;
+        int16_t deltaCallToStructCheck;
+        int16_t deltaCallToSlowCase;
 #endif
 
         union {
             struct {
-                int8_t deltaCheckImmToCall;
-                int8_t deltaCallToLoadOrStore;
+                int16_t deltaCheckImmToCall;
+                int16_t deltaCallToLoadOrStore;
             } unset;
             struct {
                 WriteBarrierBase<Structure> baseObjectStructure;

Modified: branches/safari-534.51-branch/Source/_javascript_Core/dfg/DFGJITCodeGenerator.cpp (92994 => 92995)


--- branches/safari-534.51-branch/Source/_javascript_Core/dfg/DFGJITCodeGenerator.cpp	2011-08-12 21:06:27 UTC (rev 92994)
+++ branches/safari-534.51-branch/Source/_javascript_Core/dfg/DFGJITCodeGenerator.cpp	2011-08-12 21:08:10 UTC (rev 92995)
@@ -391,6 +391,14 @@
         || (node.isConstant() && !valueOfJSConstant(nodeIndex).isInt32());
 }
 
+template<typename To, typename From>
+inline To safeCast(From value)
+{
+    To result = static_cast<To>(value);
+    ASSERT(result == value);
+    return result;
+}
+
 JITCompiler::Call JITCodeGenerator::cachedGetById(GPRReg baseGPR, GPRReg resultGPR, GPRReg scratchGPR, unsigned identifierNumber, JITCompiler::Jump slowPathTarget, NodeType nodeType)
 {
     JITCompiler::DataLabelPtr structureToCompare;
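Review bot: `ASSERT(result == value)` in the new safeCast helper only detects a lossy narrowing in debug builds; in release builds a delta that does not fit int16_t is still silently truncated, exactly the failure mode of the old int8_t code but at a larger bound, so the patched offsets would again point into the wrong place if a stub ever outgrows 16 bits. The equality is also evaluated after the usual integer promotions, so if `differenceBetween` returns an unsigned type (its return type is not visible here, confirm against JITCompiler) a wrapped negative `result` converts back to the same bit pattern and the assert passes spuriously; a range check against the target type's min/max with sign-aware handling would be more reliable than round-trip equality. The helper has no comment; I would add `// Narrowing cast that asserts nothing was lost: the stub-info delta fields are int16_t and the GPR fields int8_t, so this fires if a generated stub outgrows them.` The same concern applies to the call sites in the two following hunks of this file (cachedGetById and cachedPutById); cachedGetById starts at the end of this hunk and continues outside it.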
@@ -433,13 +441,13 @@
     
     JITCompiler::Label doneLabel = m_jit.label();
 
-    int8_t checkImmToCall = static_cast<int8_t>(m_jit.differenceBetween(structureToCompare, functionCall));
-    int8_t callToCheck = static_cast<int8_t>(m_jit.differenceBetween(functionCall, structureCheck));
-    int8_t callToLoad = static_cast<int8_t>(m_jit.differenceBetween(functionCall, loadWithPatch));
-    int8_t callToSlowCase = static_cast<int8_t>(m_jit.differenceBetween(functionCall, slowCase));
-    int8_t callToDone = static_cast<int8_t>(m_jit.differenceBetween(functionCall, doneLabel));
+    int16_t checkImmToCall = safeCast<int16_t>(m_jit.differenceBetween(structureToCompare, functionCall));
+    int16_t callToCheck = safeCast<int16_t>(m_jit.differenceBetween(functionCall, structureCheck));
+    int16_t callToLoad = safeCast<int16_t>(m_jit.differenceBetween(functionCall, loadWithPatch));
+    int16_t callToSlowCase = safeCast<int16_t>(m_jit.differenceBetween(functionCall, slowCase));
+    int16_t callToDone = safeCast<int16_t>(m_jit.differenceBetween(functionCall, doneLabel));
     
-    m_jit.addPropertyAccess(functionCall, checkImmToCall, callToCheck, callToLoad, callToSlowCase, callToDone, static_cast<int8_t>(baseGPR), static_cast<int8_t>(resultGPR), static_cast<int8_t>(scratchGPR));
+    m_jit.addPropertyAccess(functionCall, checkImmToCall, callToCheck, callToLoad, callToSlowCase, callToDone, safeCast<int8_t>(baseGPR), safeCast<int8_t>(resultGPR), safeCast<int8_t>(scratchGPR));
     
     if (scratchGPR != resultGPR && scratchGPR != InvalidGPRReg)
         unlock(scratchGPR);
@@ -495,13 +503,13 @@
     done.link(&m_jit);
     JITCompiler::Label doneLabel = m_jit.label();
 
-    int8_t checkImmToCall = static_cast<int8_t>(m_jit.differenceBetween(structureToCompare, functionCall));
-    int8_t callToCheck = static_cast<int8_t>(m_jit.differenceBetween(functionCall, structureCheck));
-    int8_t callToStore = static_cast<int8_t>(m_jit.differenceBetween(functionCall, storeWithPatch));
-    int8_t callToSlowCase = static_cast<int8_t>(m_jit.differenceBetween(functionCall, slowCase));
-    int8_t callToDone = static_cast<int8_t>(m_jit.differenceBetween(functionCall, doneLabel));
+    int16_t checkImmToCall = safeCast<int16_t>(m_jit.differenceBetween(structureToCompare, functionCall));
+    int16_t callToCheck = safeCast<int16_t>(m_jit.differenceBetween(functionCall, structureCheck));
+    int16_t callToStore = safeCast<int16_t>(m_jit.differenceBetween(functionCall, storeWithPatch));
+    int16_t callToSlowCase = safeCast<int16_t>(m_jit.differenceBetween(functionCall, slowCase));
+    int16_t callToDone = safeCast<int16_t>(m_jit.differenceBetween(functionCall, doneLabel));
 
-    m_jit.addPropertyAccess(functionCall, checkImmToCall, callToCheck, callToStore, callToSlowCase, callToDone, static_cast<int8_t>(baseGPR), static_cast<int8_t>(valueGPR), static_cast<int8_t>(scratchGPR));
+    m_jit.addPropertyAccess(functionCall, checkImmToCall, callToCheck, callToStore, callToSlowCase, callToDone, safeCast<int8_t>(baseGPR), safeCast<int8_t>(valueGPR), safeCast<int8_t>(scratchGPR));
 }
 
 void JITCodeGenerator::cachedGetMethod(GPRReg baseGPR, GPRReg resultGPR, GPRReg scratchGPR, unsigned identifierNumber, JITCompiler::Jump slowPathTarget)

Modified: branches/safari-534.51-branch/Source/_javascript_Core/dfg/DFGJITCompiler.h (92994 => 92995)


--- branches/safari-534.51-branch/Source/_javascript_Core/dfg/DFGJITCompiler.h	2011-08-12 21:06:27 UTC (rev 92994)
+++ branches/safari-534.51-branch/Source/_javascript_Core/dfg/DFGJITCompiler.h	2011-08-12 21:08:10 UTC (rev 92995)
@@ -309,7 +309,7 @@
     unsigned m_exceptionCheckCount;
 
     struct PropertyAccessRecord {
-        PropertyAccessRecord(Call functionCall, int8_t deltaCheckImmToCall, int8_t deltaCallToStructCheck, int8_t deltaCallToLoadOrStore, int8_t deltaCallToSlowCase, int8_t deltaCallToDone, int8_t baseGPR, int8_t valueGPR, int8_t scratchGPR)
+        PropertyAccessRecord(Call functionCall, int16_t deltaCheckImmToCall, int16_t deltaCallToStructCheck, int16_t deltaCallToLoadOrStore, int16_t deltaCallToSlowCase, int16_t deltaCallToDone, int8_t baseGPR, int8_t valueGPR, int8_t scratchGPR)
             : m_functionCall(functionCall)
             , m_deltaCheckImmToCall(deltaCheckImmToCall)
             , m_deltaCallToStructCheck(deltaCallToStructCheck)
@@ -323,11 +323,11 @@
         }
 
         JITCompiler::Call m_functionCall;
-        int8_t m_deltaCheckImmToCall;
-        int8_t m_deltaCallToStructCheck;
-        int8_t m_deltaCallToLoadOrStore;
-        int8_t m_deltaCallToSlowCase;
-        int8_t m_deltaCallToDone;
+        int16_t m_deltaCheckImmToCall;
+        int16_t m_deltaCallToStructCheck;
+        int16_t m_deltaCallToLoadOrStore;
+        int16_t m_deltaCallToSlowCase;
+        int16_t m_deltaCallToDone;
         int8_t m_baseGPR;
         int8_t m_valueGPR;
         int8_t m_scratchGPR;