Title: [212706] releases/WebKitGTK/webkit-2.16/Source/_javascript_Core
- Revision
- 212706
- Author
- [email protected]
- Date
- 2017-02-21 00:38:40 -0800 (Tue, 21 Feb 2017)
Log Message
Merge r212640 - BytecodeGenerator should not iterate its m_controlFlowScopeStack using a pointer bump.
https://bugs.webkit.org/show_bug.cgi?id=168585
Reviewed by Yusuke Suzuki.
This is because m_controlFlowScopeStack is a SegmentedVector, and entries for
consecutive indices in the vector are not guaranteed to be consecutive in memory
layout. We should be using indexing instead.
This issue was detected by the marathon.js test from
https://bugs.webkit.org/show_bug.cgi?id=168580.
* bytecompiler/BytecodeGenerator.cpp:
(JSC::BytecodeGenerator::emitJumpViaFinallyIfNeeded):
(JSC::BytecodeGenerator::emitReturnViaFinallyIfNeeded):
Modified Paths
Diff
Modified: releases/WebKitGTK/webkit-2.16/Source/_javascript_Core/ChangeLog (212705 => 212706)
--- releases/WebKitGTK/webkit-2.16/Source/_javascript_Core/ChangeLog 2017-02-21 08:38:29 UTC (rev 212705)
+++ releases/WebKitGTK/webkit-2.16/Source/_javascript_Core/ChangeLog 2017-02-21 08:38:40 UTC (rev 212706)
@@ -1,3 +1,21 @@
+2017-02-19 Mark Lam <[email protected]>
+
+ BytecodeGenerator should not iterate its m_controlFlowScopeStack using a pointer bump.
+ https://bugs.webkit.org/show_bug.cgi?id=168585
+
+ Reviewed by Yusuke Suzuki.
+
+ This is because m_controlFlowScopeStack is a SegmentedVector, and entries for
+ consecutive indices in the vector are not guaranteed to be consecutive in memory
+ layout. Instead, we should be using indexing instead.
+
+ This issue was detected by the marathon.js test from
+ https://bugs.webkit.org/show_bug.cgi?id=168580.
+
+ * bytecompiler/BytecodeGenerator.cpp:
+ (JSC::BytecodeGenerator::emitJumpViaFinallyIfNeeded):
+ (JSC::BytecodeGenerator::emitReturnViaFinallyIfNeeded):
+
2017-02-20 Manuel Rego Casasnovas <[email protected]>
[css-grid] Remove compilation flag ENABLE_CSS_GRID_LAYOUT
Modified: releases/WebKitGTK/webkit-2.16/Source/_javascript_Core/bytecompiler/BytecodeGenerator.cpp (212705 => 212706)
--- releases/WebKitGTK/webkit-2.16/Source/_javascript_Core/bytecompiler/BytecodeGenerator.cpp 2017-02-21 08:38:29 UTC (rev 212705)
+++ releases/WebKitGTK/webkit-2.16/Source/_javascript_Core/bytecompiler/BytecodeGenerator.cpp 2017-02-21 08:38:40 UTC (rev 212706)
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2008-2009, 2012-2016 Apple Inc. All rights reserved.
+ * Copyright (C) 2008-2017 Apple Inc. All rights reserved.
* Copyright (C) 2008 Cameron Zwarich <[email protected]>
* Copyright (C) 2012 Igalia, S.L.
*
@@ -4822,25 +4822,23 @@
bool BytecodeGenerator::emitJumpViaFinallyIfNeeded(int targetLabelScopeDepth, Label& jumpTarget)
{
ASSERT(labelScopeDepth() - targetLabelScopeDepth >= 0);
- size_t scopeDelta = labelScopeDepth() - targetLabelScopeDepth;
- ASSERT(scopeDelta <= m_controlFlowScopeStack.size());
- if (!scopeDelta)
- return false; // No finallys to thread through.
+ size_t numberOfScopesToCheckForFinally = labelScopeDepth() - targetLabelScopeDepth;
+ ASSERT(numberOfScopesToCheckForFinally <= m_controlFlowScopeStack.size());
+ if (!numberOfScopesToCheckForFinally)
+ return false;
- ControlFlowScope* topScope = &m_controlFlowScopeStack.last();
- ControlFlowScope* bottomScope = &m_controlFlowScopeStack.last() - scopeDelta;
-
FinallyContext* innermostFinallyContext = nullptr;
FinallyContext* outermostFinallyContext = nullptr;
- while (topScope > bottomScope) {
- if (topScope->isFinallyScope()) {
- FinallyContext* finallyContext = &topScope->finallyContext;
+ size_t scopeIndex = m_controlFlowScopeStack.size() - 1;
+ while (numberOfScopesToCheckForFinally--) {
+ ControlFlowScope* scope = &m_controlFlowScopeStack[scopeIndex--];
+ if (scope->isFinallyScope()) {
+ FinallyContext* finallyContext = &scope->finallyContext;
if (!innermostFinallyContext)
innermostFinallyContext = finallyContext;
outermostFinallyContext = finallyContext;
finallyContext->incNumberOfBreaksOrContinues();
}
- --topScope;
}
if (!outermostFinallyContext)
return false; // No finallys to thread through.
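Review bot: The new early `return false;` after `if (!numberOfScopesToCheckForFinally)` drops the `// No finallys to thread through.` comment the replaced line carried, and the corresponding early return in the emitReturnViaFinallyIfNeeded hunk loses it too; restore it on both as `return false; // No scopes to check, so no finallys to thread through.`. The indexed loop also rests on the ASSERT that numberOfScopesToCheckForFinally <= m_controlFlowScopeStack.size(): with that bound `scopeIndex` starts at size() - 1 and is decremented exactly once per iteration, so it is never used after wrapping, but since ASSERT is compiled out in release builds the invariant is worth stating, e.g. `// Walk from the innermost scope outward; the ASSERT above keeps scopeIndex in bounds.` above the while. `ControlFlowScope* scope = &m_controlFlowScopeStack[scopeIndex--];` is never null or reseated, so `ControlFlowScope& scope = m_controlFlowScopeStack[scopeIndex--];` reads more directly. emitJumpViaFinallyIfNeeded continues past the end of the hunk.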
@@ -4856,21 +4854,20 @@
bool BytecodeGenerator::emitReturnViaFinallyIfNeeded(RegisterID* returnRegister)
{
- if (!m_controlFlowScopeStack.size())
- return false; // No finallys to thread through.
+ size_t numberOfScopesToCheckForFinally = m_controlFlowScopeStack.size();
+ if (!numberOfScopesToCheckForFinally)
+ return false;
- ControlFlowScope* topScope = &m_controlFlowScopeStack.last();
- ControlFlowScope* bottomScope = &m_controlFlowScopeStack.first();
-
FinallyContext* innermostFinallyContext = nullptr;
- while (topScope >= bottomScope) {
- if (topScope->isFinallyScope()) {
- FinallyContext* finallyContext = &topScope->finallyContext;
+ while (numberOfScopesToCheckForFinally) {
+ size_t scopeIndex = --numberOfScopesToCheckForFinally;
+ ControlFlowScope* scope = &m_controlFlowScopeStack[scopeIndex];
+ if (scope->isFinallyScope()) {
+ FinallyContext* finallyContext = &scope->finallyContext;
if (!innermostFinallyContext)
innermostFinallyContext = finallyContext;
finallyContext->setHandlesReturns();
}
- --topScope;
}
if (!innermostFinallyContext)
return false; // No finallys to thread through.