Title: [203413] trunk/Source/_javascript_Core
- Revision
- 203413
- Author
- [email protected]
- Date
- 2016-07-19 12:20:02 -0700 (Tue, 19 Jul 2016)
Log Message
B3 methods that mutate the successors array should take FrequentedBlock by value
https://bugs.webkit.org/show_bug.cgi?id=159935
Reviewed by Michael Saboff.
This bug was found by ASan testing. setSuccessors() takes a const FrequentedBlock&, and the
caller that caused the ASan crash was doing:
block->setSuccessors(block->notTaken())
So, inside setSuccessors(), after we resize() the successors array, the const
FrequentedBlock& points to nonsense.
The fix is to pass FrequentedBlock by value in all of these kinds of methods.
No new tests, but ASan testing catches this instantly for anything that triggers CFG
simplification in B3. So like half of our tests.
* b3/B3BasicBlock.cpp:
(JSC::B3::BasicBlock::clearSuccessors):
(JSC::B3::BasicBlock::appendSuccessor):
(JSC::B3::BasicBlock::setSuccessors):
* b3/B3BasicBlock.h:
(JSC::B3::BasicBlock::successors):
(JSC::B3::BasicBlock::successorBlock):
* b3/B3Value.cpp:
(JSC::B3::Value::replaceWithPhi):
(JSC::B3::Value::replaceWithJump):
(JSC::B3::Value::replaceWithOops):
* b3/B3Value.h:
Modified Paths
Diff
Modified: trunk/Source/_javascript_Core/ChangeLog (203412 => 203413)
--- trunk/Source/_javascript_Core/ChangeLog 2016-07-19 18:14:02 UTC (rev 203412)
+++ trunk/Source/_javascript_Core/ChangeLog 2016-07-19 19:20:02 UTC (rev 203413)
@@ -1,3 +1,36 @@
+2016-07-19 Filip Pizlo <[email protected]>
+
+ B3 methods that mutate the successors array should take FrequentedBlock by value
+ https://bugs.webkit.org/show_bug.cgi?id=159935
+
+ Reviewed by Michael Saboff.
+
+ This bug was found by ASan testing. setSuccessors() takes a const FrequentedBlock&, and the
+ caller that caused the ASan crash was doing:
+
+ block->setSuccessors(block->notTaken())
+
+ So, inside setSuccessors(), after we resize() the successors array, the const
+ FrequentedBlock& points to nonsense.
+
+ The fix is to pass FrequentedBlock by value in all of these kinds of methods.
+
+ No new tests, but ASan testing catches this instantly for anything that triggers CFG
+ simplification in B3. So like half of our tests.
+
+ * b3/B3BasicBlock.cpp:
+ (JSC::B3::BasicBlock::clearSuccessors):
+ (JSC::B3::BasicBlock::appendSuccessor):
+ (JSC::B3::BasicBlock::setSuccessors):
+ * b3/B3BasicBlock.h:
+ (JSC::B3::BasicBlock::successors):
+ (JSC::B3::BasicBlock::successorBlock):
+ * b3/B3Value.cpp:
+ (JSC::B3::Value::replaceWithPhi):
+ (JSC::B3::Value::replaceWithJump):
+ (JSC::B3::Value::replaceWithOops):
+ * b3/B3Value.h:
+
2016-07-18 Joseph Pecoraro <[email protected]>
Make builtin TypeErrors consistent
Modified: trunk/Source/_javascript_Core/b3/B3BasicBlock.cpp (203412 => 203413)
--- trunk/Source/_javascript_Core/b3/B3BasicBlock.cpp 2016-07-19 18:14:02 UTC (rev 203412)
+++ trunk/Source/_javascript_Core/b3/B3BasicBlock.cpp 2016-07-19 19:20:02 UTC (rev 203413)
@@ -90,18 +90,18 @@
m_successors.clear();
}
-void BasicBlock::appendSuccessor(const FrequentedBlock& target)
+void BasicBlock::appendSuccessor(FrequentedBlock target)
{
m_successors.append(target);
}
-void BasicBlock::setSuccessors(const FrequentedBlock& target)
+void BasicBlock::setSuccessors(FrequentedBlock target)
{
m_successors.resize(1);
m_successors[0] = target;
}
-void BasicBlock::setSuccessors(const FrequentedBlock& taken, const FrequentedBlock& notTaken)
+void BasicBlock::setSuccessors(FrequentedBlock taken, FrequentedBlock notTaken)
{
m_successors.resize(2);
m_successors[0] = taken;
Modified: trunk/Source/_javascript_Core/b3/B3BasicBlock.h (203412 => 203413)
--- trunk/Source/_javascript_Core/b3/B3BasicBlock.h 2016-07-19 18:14:02 UTC (rev 203412)
+++ trunk/Source/_javascript_Core/b3/B3BasicBlock.h 2016-07-19 19:20:02 UTC (rev 203413)
@@ -95,9 +95,9 @@
SuccessorList& successors() { return m_successors; }
void clearSuccessors();
- JS_EXPORT_PRIVATE void appendSuccessor(const FrequentedBlock&);
- void setSuccessors(const FrequentedBlock&);
- void setSuccessors(const FrequentedBlock&, const FrequentedBlock&);
+ JS_EXPORT_PRIVATE void appendSuccessor(FrequentedBlock);
+ void setSuccessors(FrequentedBlock);
+ void setSuccessors(FrequentedBlock, FrequentedBlock);
BasicBlock* successorBlock(unsigned index) const { return successor(index).block(); }
BasicBlock*& successorBlock(unsigned index) { return successor(index).block(); }
Modified: trunk/Source/_javascript_Core/b3/B3Value.cpp (203412 => 203413)
--- trunk/Source/_javascript_Core/b3/B3Value.cpp 2016-07-19 18:14:02 UTC (rev 203412)
+++ trunk/Source/_javascript_Core/b3/B3Value.cpp 2016-07-19 19:20:02 UTC (rev 203413)
@@ -126,7 +126,7 @@
this->m_index = index;
}
-void Value::replaceWithJump(BasicBlock* owner, const FrequentedBlock& target)
+void Value::replaceWithJump(BasicBlock* owner, FrequentedBlock target)
{
RELEASE_ASSERT(owner->last() == this);
@@ -160,7 +160,7 @@
owner->clearSuccessors();
}
-void Value::replaceWithJump(const FrequentedBlock& target)
+void Value::replaceWithJump(FrequentedBlock target)
{
replaceWithJump(owner, target);
}
Modified: trunk/Source/_javascript_Core/b3/B3Value.h (203412 => 203413)
--- trunk/Source/_javascript_Core/b3/B3Value.h 2016-07-19 18:14:02 UTC (rev 203412)
+++ trunk/Source/_javascript_Core/b3/B3Value.h 2016-07-19 19:20:02 UTC (rev 203413)
@@ -113,11 +113,11 @@
void replaceWithPhi();
// These transformations are only valid for terminals.
- void replaceWithJump(BasicBlock* owner, const FrequentedBlock&);
+ void replaceWithJump(BasicBlock* owner, FrequentedBlock);
void replaceWithOops(BasicBlock* owner);
// You can use this form if owners are valid. They're usually not valid.
- void replaceWithJump(const FrequentedBlock&);
+ void replaceWithJump(FrequentedBlock);
void replaceWithOops();
void dump(PrintStream&) const;
_______________________________________________
webkit-changes mailing list
[email protected]
https://lists.webkit.org/mailman/listinfo/webkit-changes
