Title: [205606] releases/WebKitGTK/webkit-2.14/Source/_javascript_Core
Revision
205606
Author
[email protected]
Date
2016-09-08 01:23:42 -0700 (Thu, 08 Sep 2016)

Log Message

Merge r205254 - [JSC] AbstractValue can contain padding which is not zero-filled
https://bugs.webkit.org/show_bug.cgi?id=161427

Reviewed by Saam Barati.

We checked that AbstractValue is zero-filled when initializing it to ensure
that zero-filled memory can be used as the initialized AbstractValue.
However, since the size of SpeculatedType became 64-bit, AbstractValue can have
padding now, and this padding is not guaranteed to be initialized with zeros.
So the debug assertion fails when building with GCC.

This patch changes the strategy. Instead of checking that the initialized
AbstractValue is zero-filled, we ensure that a zero-filled AbstractValue can be
considered equal to the initialized AbstractValue.

* dfg/DFGAbstractValue.cpp:
(JSC::DFG::AbstractValue::ensureCanInitializeWithZeros):
* dfg/DFGAbstractValue.h:
(JSC::DFG::AbstractValue::AbstractValue):
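The layout problem the log message describes, as an added example that is not WebKit's code: a hypothetical `PaddedValue` struct standing in for `AbstractValue`, with a 1-byte member ahead of a 64-bit one so padding appears, checked first by the old byte-wise scan and then by the member-wise equality the patch switches to.

```cpp
#include <cstdint>
#include <cstring>
#include <new>

// Hypothetical stand-in for DFG::AbstractValue (not WebKit's code): a 1-byte
// member ahead of a 64-bit "speculated type" forces padding into the layout.
struct PaddedValue {
    uint8_t  kind;        // 1 byte, then padding up to alignof(uint64_t)
    uint64_t type;        // stand-in for the widened 64-bit SpeculatedType
    uint32_t arrayModes;  // usually followed by tail padding as well

    // User-provided constructor: members are set, padding bytes are left as-is.
    PaddedValue() : kind(0), type(0), arrayModes(0) { }

    // Member-wise equality never reads padding; this is what the patched
    // assertion relies on instead of a byte scan.
    bool operator==(const PaddedValue& o) const
    {
        return kind == o.kind && type == o.type && arrayModes == o.arrayModes;
    }
};

// Padding bytes in the layout; non-zero wherever uint64_t needs alignment > 1.
std::size_t paddingBytes()
{
    return sizeof(PaddedValue) - (sizeof(uint8_t) + sizeof(uint64_t) + sizeof(uint32_t));
}

// The old check: construct over deliberately dirty storage and scan every byte.
// Whether the padding reads as zero depends on what the compiler emitted, so the
// result is unspecified and a debug assertion on it is flaky (the reported bug).
bool oldBytewiseCheckPasses()
{
    alignas(PaddedValue) unsigned char raw[sizeof(PaddedValue)];
    std::memset(raw, 0xAB, sizeof raw);
    PaddedValue* v = new (raw) PaddedValue;  // placement-new over dirty bytes
    bool allZero = true;
    for (std::size_t i = 0; i < sizeof(PaddedValue); ++i)
        allZero = allZero && !reinterpret_cast<unsigned char*>(v)[i];
    v->~PaddedValue();
    return allZero;
}

// The new check, mirroring the patch: zero-fill correctly aligned storage and
// ask whether operator== considers it equal to a freshly constructed value.
bool newEqualityCheckPasses()
{
    alignas(PaddedValue) unsigned char zeroed[sizeof(PaddedValue)];
    std::memset(zeroed, 0, sizeof zeroed);
    return PaddedValue() == *reinterpret_cast<const PaddedValue*>(zeroed);
}
```

`oldBytewiseCheckPasses()` may return either value depending on compiler and optimization level, which is exactly why it makes a poor assertion; `newEqualityCheckPasses()` is true regardless.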

Modified Paths

Diff

Modified: releases/WebKitGTK/webkit-2.14/Source/_javascript_Core/ChangeLog (205605 => 205606)


--- releases/WebKitGTK/webkit-2.14/Source/_javascript_Core/ChangeLog	2016-09-08 08:23:35 UTC (rev 205605)
+++ releases/WebKitGTK/webkit-2.14/Source/_javascript_Core/ChangeLog	2016-09-08 08:23:42 UTC (rev 205606)
@@ -1,3 +1,25 @@
+2016-08-31  Yusuke Suzuki  <[email protected]>
+
+        [JSC] AbstractValue can contain padding which is not zero-filled
+        https://bugs.webkit.org/show_bug.cgi?id=161427
+
+        Reviewed by Saam Barati.
+
+        We checked that AbstractValue is zero-filled when initializing it to ensure
+        that zero-filled memory can be used as the initialized AbstractValue.
+        However, since the size of SpeculatedType becomes 64bit, AbstractValue can have
+        padding now. And this padding is not ensured that it is initialized with zeros.
+        So debug assertion fails when building with GCC.
+
+        This patch changes the strategy. Instead of checking the initialized
+        AbstractValue is zero-filled, we ensure that zero-filled AbstractValue can be
+        considered to be equal to the initialized AbstractValue.
+
+        * dfg/DFGAbstractValue.cpp:
+        (JSC::DFG::AbstractValue::ensureCanInitializeWithZeros):
+        * dfg/DFGAbstractValue.h:
+        (JSC::DFG::AbstractValue::AbstractValue):
+
 2016-08-30  Benjamin Poulain  <[email protected]>
 
         [JSC] Some arith nodes are too pessimistic with the types supported on the fast path

Modified: releases/WebKitGTK/webkit-2.14/Source/_javascript_Core/dfg/DFGAbstractValue.cpp (205605 => 205606)


--- releases/WebKitGTK/webkit-2.14/Source/_javascript_Core/dfg/DFGAbstractValue.cpp	2016-09-08 08:23:35 UTC (rev 205605)
+++ releases/WebKitGTK/webkit-2.14/Source/_javascript_Core/dfg/DFGAbstractValue.cpp	2016-09-08 08:23:42 UTC (rev 205606)
@@ -539,6 +539,15 @@
     m_structure.validateReferences(trackedReferences);
 }
 
+#if USE(JSVALUE64) && !defined(NDEBUG)
+void AbstractValue::ensureCanInitializeWithZeros()
+{
+    std::aligned_storage<sizeof(AbstractValue), alignof(AbstractValue)>::type zeroFilledStorage;
+    memset(static_cast<void*>(&zeroFilledStorage), 0, sizeof(AbstractValue));
+    ASSERT(*this == *static_cast<AbstractValue*>(static_cast<void*>(&zeroFilledStorage)));
+}
+#endif
+
 } } // namespace JSC::DFG
 
 #endif // ENABLE(DFG_JIT)
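Review bot: `ensureCanInitializeWithZeros()` reads zero-filled `aligned_storage` as an `AbstractValue` that was never constructed there (`static_cast<AbstractValue*>(static_cast<void*>(&zeroFilledStorage))`); that is precisely the object-lifetime shortcut the zero-fill callers depend on, so asserting it is reasonable, but a one-line comment stating that intent would spare the next reader a strict-aliasing worry. The hunk also uses `std::aligned_storage` and `memset` without adding `<type_traits>` or `<string.h>`, so confirm both already arrive transitively in this translation unit. Finally, the `USE(JSVALUE64) && !defined(NDEBUG)` guard means non-JSVALUE64 debug builds never run this check; if that is deliberate, say why next to the guard.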

Modified: releases/WebKitGTK/webkit-2.14/Source/_javascript_Core/dfg/DFGAbstractValue.h (205605 => 205606)


--- releases/WebKitGTK/webkit-2.14/Source/_javascript_Core/dfg/DFGAbstractValue.h	2016-09-08 08:23:35 UTC (rev 205605)
+++ releases/WebKitGTK/webkit-2.14/Source/_javascript_Core/dfg/DFGAbstractValue.h	2016-09-08 08:23:42 UTC (rev 205606)
@@ -61,9 +61,7 @@
         static bool needsDefaultConstructorCheck = true;
         if (needsDefaultConstructorCheck) {
             needsDefaultConstructorCheck = false;
-
-            for (unsigned i = 0; i < sizeof(AbstractValue); ++i)
-                ASSERT(!(reinterpret_cast<char*>(this)[i]));
+            ensureCanInitializeWithZeros();
         }
 #endif
     }
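Review bot: the new `ensureCanInitializeWithZeros();` call sits under an `#if` whose condition lies outside the visible context, while the declaration added in the next hunk is guarded by `USE(JSVALUE64) && !defined(NDEBUG)`; the two conditions must match, or a debug build on a non-JSVALUE64 target will call an undeclared member. Note also that the check is now weaker than the removed byte scan: it proves only that `operator==` treats all-zero storage as equal to a constructed value, which is what callers need, but any state that `operator==` ignores is no longer covered.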
@@ -459,6 +457,10 @@
     
     void filterValueByType();
     void filterArrayModesByType();
+
+#if USE(JSVALUE64) && !defined(NDEBUG)
+    void ensureCanInitializeWithZeros();
+#endif
     
     bool shouldBeClear() const;
     FiltrationResult normalizeClarity();
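Review bot: `ensureCanInitializeWithZeros()` only reads `*this` through `operator==`, so it can be declared `const`; and since it is invoked once per process from the default constructor, a short comment beside the declaration explaining that it is a one-time debug invariant rather than an ordinary member would help.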