Title: [205254] trunk/Source/_javascript_Core
Revision: 205254
Author: [email protected]
Date: 2016-08-31 10:00:18 -0700 (Wed, 31 Aug 2016)
Log Message
[JSC] AbstractValue can contain padding which is not zero-filled
https://bugs.webkit.org/show_bug.cgi?id=161427
Reviewed by Saam Barati.
We checked that AbstractValue is zero-filled when initializing it to ensure
that zero-filled memory can be used as the initialized AbstractValue.
However, since the size of SpeculatedType became 64-bit, AbstractValue can have
padding now, and this padding is not guaranteed to be initialized with zeros.
So the debug assertion fails when building with GCC.
This patch changes the strategy. Instead of checking that the initialized
AbstractValue is zero-filled, we ensure that a zero-filled AbstractValue can be
considered equal to the initialized AbstractValue.
* dfg/DFGAbstractValue.cpp:
(JSC::DFG::AbstractValue::ensureCanInitializeWithZeros):
* dfg/DFGAbstractValue.h:
(JSC::DFG::AbstractValue::AbstractValue):
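The two strategies the log message contrasts, shown on a small stand-in struct as an added example (this is not code from the commit or from WebKit; `PaddedValue`, its members and the helper functions are constructed for illustration). A one-byte tag followed by a 64-bit field forces the compiler to insert padding, which no constructor writes; a byte-wise zero scan reads that padding, whereas a field-wise `operator==` against a zero-filled instance does not:

```cpp
#include <cstddef>
#include <cstdint>
#include <cstring>
#include <new>

// Hypothetical stand-in for AbstractValue (constructed for this example): a
// one-byte tag followed by a 64-bit field, so on common ABIs the compiler
// inserts padding after m_kind (and again after m_flags).
struct PaddedValue {
    uint8_t  m_kind;
    uint64_t m_type;   // plays the role of the now 64-bit SpeculatedType
    uint32_t m_flags;

    PaddedValue() : m_kind(0), m_type(0), m_flags(0) {}

    // Field-wise equality: padding bytes are never consulted.
    bool operator==(const PaddedValue& other) const
    {
        return m_kind == other.m_kind
            && m_type == other.m_type
            && m_flags == other.m_flags;
    }
};

// Bytes of the object that belong to no member. A byte-wise scan reads them
// even though no constructor ever writes them.
size_t paddingBytes()
{
    return sizeof(PaddedValue)
        - (sizeof(uint8_t) + sizeof(uint64_t) + sizeof(uint32_t));
}

// Old strategy (the loop removed from the constructor): every byte of a
// freshly constructed object must be zero. Reading the object as unsigned
// char is permitted, but the padding bytes hold whatever was there before.
bool allBytesZero(const PaddedValue& v)
{
    const unsigned char* bytes = reinterpret_cast<const unsigned char*>(&v);
    for (size_t i = 0; i < sizeof(PaddedValue); ++i) {
        if (bytes[i])
            return false;
    }
    return true;
}

// Old strategy exercised on deliberately dirty memory: fill a buffer with
// 0xFF, then construct a PaddedValue in it. The members are written by the
// constructor; the padding usually is not, so this typically returns false.
// Whether it does depends on the compiler and optimisation level, which is
// exactly why the original byte-wise ASSERT was unreliable.
bool allBytesZeroAfterDirtyMemory()
{
    alignas(PaddedValue) unsigned char buffer[sizeof(PaddedValue)];
    std::memset(buffer, 0xFF, sizeof buffer);
    PaddedValue* v = new (buffer) PaddedValue();
    bool result = allBytesZero(*v);
    v->~PaddedValue();
    return result;
}

// New strategy (what ensureCanInitializeWithZeros does): zero-fill an object
// and ask operator== whether it equals a default-constructed one. Only the
// members are compared, so padding cannot make the check flap. PaddedValue is
// trivially copyable, so memset on a live instance is well defined; the
// void* cast silences GCC's -Wclass-memaccess, as in the patch.
bool zeroFilledEqualsDefault()
{
    PaddedValue zeroFilled;
    std::memset(static_cast<void*>(&zeroFilled), 0, sizeof(PaddedValue));
    return zeroFilled == PaddedValue();
}
```

Asserting on `zeroFilledEqualsDefault()` once, in a debug build, mirrors the new check; `allBytesZeroAfterDirtyMemory()` is there to show why the byte scan it replaces could not serve as an assertion. Note the limit of the new approach: it only guarantees equality as `operator==` defines it, so a member that `operator==` ignores is outside the check.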
Diff
Modified: trunk/Source/_javascript_Core/ChangeLog (205253 => 205254)
--- trunk/Source/_javascript_Core/ChangeLog 2016-08-31 16:44:49 UTC (rev 205253)
+++ trunk/Source/_javascript_Core/ChangeLog 2016-08-31 17:00:18 UTC (rev 205254)
@@ -1,3 +1,25 @@
+2016-08-31 Yusuke Suzuki <[email protected]>
+
+ [JSC] AbstractValue can contain padding which is not zero-filled
+ https://bugs.webkit.org/show_bug.cgi?id=161427
+
+ Reviewed by Saam Barati.
+
+ We checked that AbstractValue is zero-filled when initializing it to ensure
+ that zero-filled memory can be used as the initialized AbstractValue.
+ However, since the size of SpeculatedType becomes 64bit, AbstractValue can have
+ padding now. And this padding is not ensured that it is initialized with zeros.
+ So debug assertion fails when building with GCC.
+
+ This patch changes the strategy. Instead of checking the initialized
+ AbstractValue is zero-filled, we ensure that zero-filled AbstractValue can be
+ considered to be equal to the initialized AbstractValue.
+
+ * dfg/DFGAbstractValue.cpp:
+ (JSC::DFG::AbstractValue::ensureCanInitializeWithZeros):
+ * dfg/DFGAbstractValue.h:
+ (JSC::DFG::AbstractValue::AbstractValue):
+
2016-08-31 Brady Eidson <[email protected]>
WK2 Gamepad provider on iOS.
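Review bot: The ChangeLog entry describes the symptom (padding after SpeculatedType grew to 64 bits) but not the invariant the replacement check relies on; add a sentence to the paragraph beginning "This patch changes the strategy" stating that AbstractValue::operator== compares members only, so zero-filled storage is required to compare equal to a default-constructed value and any future member with a non-zero default must keep that property. Two wording fixes while here: "since the size of SpeculatedType becomes 64bit" should read "became 64-bit", and "this padding is not ensured that it is initialized with zeros" should read "this padding is not guaranteed to be initialized with zeros".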
Modified: trunk/Source/_javascript_Core/dfg/DFGAbstractValue.cpp (205253 => 205254)
--- trunk/Source/_javascript_Core/dfg/DFGAbstractValue.cpp 2016-08-31 16:44:49 UTC (rev 205253)
+++ trunk/Source/_javascript_Core/dfg/DFGAbstractValue.cpp 2016-08-31 17:00:18 UTC (rev 205254)
@@ -539,6 +539,15 @@
m_structure.validateReferences(trackedReferences);
}
+#if USE(JSVALUE64) && !defined(NDEBUG)
+void AbstractValue::ensureCanInitializeWithZeros()
+{
+ std::aligned_storage<sizeof(AbstractValue), alignof(AbstractValue)>::type zeroFilledStorage;
+ memset(static_cast<void*>(&zeroFilledStorage), 0, sizeof(AbstractValue));
+ ASSERT(*this == *static_cast<AbstractValue*>(static_cast<void*>(&zeroFilledStorage)));
+}
+#endif
+
} } // namespace JSC::DFG
#endif // ENABLE(DFG_JIT)
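Review bot: The new check only proves equivalence under operator==, not bitwise equivalence, so at the `ASSERT(*this == ...)` line any member that operator== skips is silently excluded; please state that in a comment above the function so the weaker guarantee is visible to whoever next adds a member. Two smaller points on the same lines: reading `zeroFilledStorage` through an `AbstractValue*` without an AbstractValue ever having been constructed there is outside the object-lifetime rules (it works with the compilers in use, but a comment acknowledging that, or a comparison that goes through a live instance, would be safer), and the function uses `std::aligned_storage` and `memset`, so confirm `<type_traits>` and `<cstring>` are included by this file rather than reached transitively.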
Modified: trunk/Source/_javascript_Core/dfg/DFGAbstractValue.h (205253 => 205254)
--- trunk/Source/_javascript_Core/dfg/DFGAbstractValue.h 2016-08-31 16:44:49 UTC (rev 205253)
+++ trunk/Source/_javascript_Core/dfg/DFGAbstractValue.h 2016-08-31 17:00:18 UTC (rev 205254)
@@ -61,9 +61,7 @@
static bool needsDefaultConstructorCheck = true;
if (needsDefaultConstructorCheck) {
needsDefaultConstructorCheck = false;
-
- for (unsigned i = 0; i < sizeof(AbstractValue); ++i)
- ASSERT(!(reinterpret_cast<char*>(this)[i]));
+ ensureCanInitializeWithZeros();
}
#endif
}
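Review bot: The call `ensureCanInitializeWithZeros();` sits inside a conditional block whose closing `#endif` is visible but whose `#if` is outside the hunk; the declaration added to the header is guarded by `USE(JSVALUE64) && !defined(NDEBUG)`, so please confirm the guard around this call uses exactly the same condition, otherwise a debug JSVALUE32_64 build will call an undeclared function. While this block is being touched, `static bool needsDefaultConstructorCheck` is a plain static read and written from a constructor, which is a data race if two threads construct the first AbstractValue concurrently; a `std::once_flag` or an atomic flag would make the one-time check well defined.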
@@ -459,6 +457,10 @@
void filterValueByType();
void filterArrayModesByType();
+
+#if USE(JSVALUE64) && !defined(NDEBUG)
+ void ensureCanInitializeWithZeros();
+#endif
bool shouldBeClear() const;
FiltrationResult normalizeClarity();
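Review bot: The declaration `void ensureCanInitializeWithZeros();` has no comment explaining its contract; add one saying that it asserts a zero-filled AbstractValue compares equal to a default-constructed one via operator==, and that members with a non-zero default (or members operator== does not compare) break that assumption. Also say why the check is restricted to `USE(JSVALUE64)`: if zero-filled memory is used as an initialized AbstractValue on JSVALUE32_64 builds as well, the restriction leaves those builds unchecked; if the restriction is deliberate, a one-line reason beside the `#if` would prevent it from being "fixed" later.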
_______________________________________________
webkit-changes mailing list
[email protected]
https://lists.webkit.org/mailman/listinfo/webkit-changes