Modified: releases/WebKitGTK/webkit-2.20/Source/_javascript_Core/ChangeLog (232834 => 232835)
--- releases/WebKitGTK/webkit-2.20/Source/_javascript_Core/ChangeLog 2018-06-14 08:57:03 UTC (rev 232834)
+++ releases/WebKitGTK/webkit-2.20/Source/_javascript_Core/ChangeLog 2018-06-14 10:24:40 UTC (rev 232835)
@@ -1,3 +1,30 @@
+2018-06-13 Caitlin Potter <[email protected]>
+
+ [LLInt] use loadp consistently for get_from_scope/put_to_scope
+ https://bugs.webkit.org/show_bug.cgi?id=132333
+
+ Reviewed by Mark Lam.
+
+ Using `loadis` for register indexes and `loadp` for constant scopes /
+ symboltables makes sense, but is problematic for big-endian
+ architectures.
+
+ Consistently treating the operand as a pointer simplifies determining
+ how to access the operand, and helps avoid bad accesses and crashes on
+ big-endian ports.
+
+ * bytecode/CodeBlock.cpp:
+ (JSC::CodeBlock::finishCreation):
+ * bytecode/Instruction.h:
+ * jit/JITOperations.cpp:
+ * llint/LLIntSlowPaths.cpp:
+ (JSC::LLInt::LLINT_SLOW_PATH_DECL):
+ * llint/LowLevelInterpreter32_64.asm:
+ * llint/LowLevelInterpreter64.asm:
+ * runtime/CommonSlowPaths.h:
+ (JSC::CommonSlowPaths::tryCachePutToScopeGlobal):
+ (JSC::CommonSlowPaths::tryCacheGetFromScopeGlobal):
+
2018-04-14 Filip Pizlo <[email protected]>
Function.prototype.caller shouldn't return generator bodies
Modified: releases/WebKitGTK/webkit-2.20/Source/_javascript_Core/bytecode/CodeBlock.cpp (232834 => 232835)
--- releases/WebKitGTK/webkit-2.20/Source/_javascript_Core/bytecode/CodeBlock.cpp 2018-06-14 08:57:03 UTC (rev 232834)
+++ releases/WebKitGTK/webkit-2.20/Source/_javascript_Core/bytecode/CodeBlock.cpp 2018-06-14 10:24:40 UTC (rev 232835)
@@ -678,7 +678,7 @@
instructions[i + 5].u.watchpointSet = op.watchpointSet;
else if (op.structure)
instructions[i + 5].u.structure.set(vm, this, op.structure);
- instructions[i + 6].u.pointer = reinterpret_cast<void*>(op.operand);
+ instructions[i + 6].u.operandPointer = op.operand;
break;
}
@@ -715,7 +715,7 @@
op.watchpointSet->invalidate(vm, PutToScopeFireDetail(this, ident));
} else if (op.structure)
instructions[i + 5].u.structure.set(vm, this, op.structure);
- instructions[i + 6].u.pointer = reinterpret_cast<void*>(op.operand);
+ instructions[i + 6].u.operandPointer = op.operand;
break;
}
Modified: releases/WebKitGTK/webkit-2.20/Source/_javascript_Core/bytecode/Instruction.h (232834 => 232835)
--- releases/WebKitGTK/webkit-2.20/Source/_javascript_Core/bytecode/Instruction.h 2018-06-14 08:57:03 UTC (rev 232834)
+++ releases/WebKitGTK/webkit-2.20/Source/_javascript_Core/bytecode/Instruction.h 2018-06-14 10:24:40 UTC (rev 232835)
@@ -122,6 +122,7 @@
Opcode opcode;
int operand;
unsigned unsignedValue;
+ intptr_t operandPointer;
WriteBarrierBase<Structure> structure;
StructureID structureID;
WriteBarrierBase<SymbolTable> symbolTable;
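Review bot: The new `intptr_t operandPointer;` union member carries no comment, yet the fix depends on a width invariant the type cannot express: slot 6 of get_from_scope/put_to_scope must now be both stored and loaded at pointer width, and any writer left storing through the 4-byte `operand` will be read back with the other half of the slot stale (the upper half on little-endian, the whole value on big-endian, which is the case this patch targets). I would document that on the member: `intptr_t operandPointer; // Pointer-width operand (scope/property offset in slot 6 of get_from_scope / put_to_scope); always written and read at pointer width (loadp in the LLInt), never aliased through operand.` The enclosing union begins outside the hunk.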
Modified: releases/WebKitGTK/webkit-2.20/Source/_javascript_Core/jit/JITOperations.cpp (232834 => 232835)
--- releases/WebKitGTK/webkit-2.20/Source/_javascript_Core/jit/JITOperations.cpp 2018-06-14 08:57:03 UTC (rev 232834)
+++ releases/WebKitGTK/webkit-2.20/Source/_javascript_Core/jit/JITOperations.cpp 2018-06-14 10:24:40 UTC (rev 232835)
@@ -2310,7 +2310,7 @@
if (getPutInfo.resolveType() == LocalClosureVar) {
JSLexicalEnvironment* environment = jsCast<JSLexicalEnvironment*>(scope);
- environment->variableAt(ScopeOffset(pc[6].u.operand)).set(vm, environment, value);
+ environment->variableAt(ScopeOffset(pc[6].u.operandPointer)).set(vm, environment, value);
if (WatchpointSet* set = pc[5].u.watchpointSet)
set->touch(vm, "Executed op_put_scope<LocalClosureVar>");
return;
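Review bot: `ScopeOffset(pc[6].u.operandPointer)` on the changed line narrows an `intptr_t` to ScopeOffset's constructor parameter, which appears to take an `unsigned`; the conversion is silent, so a negative or over-wide slot value — what a writer that was not converted to pointer width would produce — wraps to a large offset and reaches `variableAt` unchecked in release builds instead of failing early. The same pattern is in the LLIntSlowPaths.cpp hunk for op_put_to_scope. I would make the width change explicit and asserted: `intptr_t offset = pc[6].u.operandPointer; ASSERT(offset >= 0 && offset <= static_cast<intptr_t>(UINT_MAX)); environment->variableAt(ScopeOffset(static_cast<unsigned>(offset))).set(vm, environment, value);`. The enclosing function begins and ends outside the hunk.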
Modified: releases/WebKitGTK/webkit-2.20/Source/_javascript_Core/llint/LLIntSlowPaths.cpp (232834 => 232835)
--- releases/WebKitGTK/webkit-2.20/Source/_javascript_Core/llint/LLIntSlowPaths.cpp 2018-06-14 08:57:03 UTC (rev 232834)
+++ releases/WebKitGTK/webkit-2.20/Source/_javascript_Core/llint/LLIntSlowPaths.cpp 2018-06-14 10:24:40 UTC (rev 232835)
@@ -1722,7 +1722,7 @@
GetPutInfo getPutInfo = GetPutInfo(pc[4].u.operand);
if (getPutInfo.resolveType() == LocalClosureVar) {
JSLexicalEnvironment* environment = jsCast<JSLexicalEnvironment*>(scope);
- environment->variableAt(ScopeOffset(pc[6].u.operand)).set(vm, environment, value);
+ environment->variableAt(ScopeOffset(pc[6].u.operandPointer)).set(vm, environment, value);
// Have to do this *after* the write, because if this puts the set into IsWatched, then we need
// to have already changed the value of the variable. Otherwise we might watch and constant-fold
Modified: releases/WebKitGTK/webkit-2.20/Source/_javascript_Core/llint/LowLevelInterpreter32_64.asm (232834 => 232835)
--- releases/WebKitGTK/webkit-2.20/Source/_javascript_Core/llint/LowLevelInterpreter32_64.asm 2018-06-14 08:57:03 UTC (rev 232834)
+++ releases/WebKitGTK/webkit-2.20/Source/_javascript_Core/llint/LowLevelInterpreter32_64.asm 2018-06-14 10:24:40 UTC (rev 232835)
@@ -2303,7 +2303,7 @@
end
macro getProperty()
- loadisFromInstruction(6, t3)
+ loadpFromInstruction(6, t3)
loadPropertyAtVariableOffset(t3, t0, t1, t2)
valueProfile(t1, t2, 28, t0)
loadisFromInstruction(1, t0)
@@ -2323,7 +2323,7 @@
end
macro getClosureVar()
- loadisFromInstruction(6, t3)
+ loadpFromInstruction(6, t3)
loadp JSLexicalEnvironment_variables + TagOffset[t0, t3, 8], t1
loadp JSLexicalEnvironment_variables + PayloadOffset[t0, t3, 8], t2
valueProfile(t1, t2, 28, t0)
@@ -2398,7 +2398,7 @@
macro putProperty()
loadisFromInstruction(3, t1)
loadConstantOrVariable(t1, t2, t3)
- loadisFromInstruction(6, t1)
+ loadpFromInstruction(6, t1)
storePropertyAtVariableOffset(t1, t0, t2, t3)
end
@@ -2415,7 +2415,7 @@
macro putClosureVar()
loadisFromInstruction(3, t1)
loadConstantOrVariable(t1, t2, t3)
- loadisFromInstruction(6, t1)
+ loadpFromInstruction(6, t1)
storei t2, JSLexicalEnvironment_variables + TagOffset[t0, t1, 8]
storei t3, JSLexicalEnvironment_variables + PayloadOffset[t0, t1, 8]
end
@@ -2427,7 +2427,7 @@
btpz t5, .noVariableWatchpointSet
notifyWrite(t5, .pDynamic)
.noVariableWatchpointSet:
- loadisFromInstruction(6, t1)
+ loadpFromInstruction(6, t1)
storei t2, JSLexicalEnvironment_variables + TagOffset[t0, t1, 8]
storei t3, JSLexicalEnvironment_variables + PayloadOffset[t0, t1, 8]
end
Modified: releases/WebKitGTK/webkit-2.20/Source/_javascript_Core/llint/LowLevelInterpreter64.asm (232834 => 232835)
--- releases/WebKitGTK/webkit-2.20/Source/_javascript_Core/llint/LowLevelInterpreter64.asm 2018-06-14 08:57:03 UTC (rev 232834)
+++ releases/WebKitGTK/webkit-2.20/Source/_javascript_Core/llint/LowLevelInterpreter64.asm 2018-06-14 10:24:40 UTC (rev 232835)
@@ -1448,7 +1448,7 @@
bineq t1, JSCell::m_structureID[t3], .opPutByIdSlow
.opPutByIdDoneCheckingTypes:
- loadisFromInstruction(6, t1)
+ loadpFromInstruction(6, t1)
btiz t1, .opPutByIdNotTransition
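Review bot: The two op_put_by_id hunks in this file (here and at `.opPutByIdTransitionChainDone`) switch slot 6 to `loadpFromInstruction` although the ChangeLog scopes the change to get_from_scope/put_to_scope, and the following `btiz t1` and `storei t1, JSCell::m_structureID[t0]` still treat the register as a 32-bit StructureID. The writer of that slot is not in this diff; if it still stores a 32-bit value, an 8-byte load yields the right low bits only on little-endian and picks up the neighbouring half on big-endian, the very configuration this patch is meant to fix. Either keep `loadisFromInstruction(6, t1)` for put_by_id or widen its writer (and comment the slot's width) in the same change; LowLevelInterpreter32_64.asm leaves put_by_id untouched, so as written this is a 64-bit-only divergence. The enclosing op_put_by_id body starts and ends outside the hunk.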
@@ -1478,7 +1478,7 @@
.opPutByIdTransitionChainDone:
# Reload the new structure, since we clobbered it above.
- loadisFromInstruction(6, t1)
+ loadpFromInstruction(6, t1)
.opPutByIdTransitionDirect:
storei t1, JSCell::m_structureID[t0]
@@ -2289,7 +2289,7 @@
end
macro getProperty()
- loadisFromInstruction(6, t1)
+ loadpFromInstruction(6, t1)
loadPropertyAtVariableOffset(t1, t0, t2)
valueProfile(t2, 7, t0)
loadisFromInstruction(1, t0)
@@ -2306,7 +2306,7 @@
end
macro getClosureVar()
- loadisFromInstruction(6, t1)
+ loadpFromInstruction(6, t1)
loadq JSLexicalEnvironment_variables[t0, t1, 8], t0
valueProfile(t0, 7, t1)
loadisFromInstruction(1, t1)
@@ -2379,7 +2379,7 @@
macro putProperty()
loadisFromInstruction(3, t1)
loadConstantOrVariable(t1, t2)
- loadisFromInstruction(6, t1)
+ loadpFromInstruction(6, t1)
storePropertyAtVariableOffset(t1, t0, t2)
end
@@ -2395,7 +2395,7 @@
macro putClosureVar()
loadisFromInstruction(3, t1)
loadConstantOrVariable(t1, t2)
- loadisFromInstruction(6, t1)
+ loadpFromInstruction(6, t1)
storeq t2, JSLexicalEnvironment_variables[t0, t1, 8]
end
@@ -2406,7 +2406,7 @@
btpz t3, .noVariableWatchpointSet
notifyWrite(t3, .pDynamic)
.noVariableWatchpointSet:
- loadisFromInstruction(6, t1)
+ loadpFromInstruction(6, t1)
storeq t2, JSLexicalEnvironment_variables[t0, t1, 8]
end
Modified: releases/WebKitGTK/webkit-2.20/Source/_javascript_Core/runtime/CommonSlowPaths.h (232834 => 232835)
--- releases/WebKitGTK/webkit-2.20/Source/_javascript_Core/runtime/CommonSlowPaths.h 2018-06-14 08:57:03 UTC (rev 232834)
+++ releases/WebKitGTK/webkit-2.20/Source/_javascript_Core/runtime/CommonSlowPaths.h 2018-06-14 10:24:40 UTC (rev 232835)
@@ -135,7 +135,7 @@
ASSERT(!entry.isNull());
ConcurrentJSLocker locker(codeBlock->m_lock);
pc[5].u.watchpointSet = entry.watchpointSet();
- pc[6].u.pointer = static_cast<void*>(globalLexicalEnvironment->variableAt(entry.scopeOffset()).slot());
+ pc[6].u.pointer = globalLexicalEnvironment->variableAt(entry.scopeOffset()).slot();
}
}
@@ -158,8 +158,8 @@
scope->structure()->didCachePropertyReplacement(vm, slot.cachedOffset());
ConcurrentJSLocker locker(codeBlock->m_lock);
- pc[5].u.structure.set(vm, codeBlock, scope->structure());
- pc[6].u.operand = slot.cachedOffset();
+ pc[5].u.structure.set(vm, codeBlock, scope->structure(vm));
+ pc[6].u.operandPointer = slot.cachedOffset();
}
}
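Review bot: `scope->structure(vm)` replacing `scope->structure()` on the new pc[5] line is a separate API change that the ChangeLog entry does not mention; in a stable-branch backport it should be called out, or split out, so a reader can tell it from the operand-width fix. The adjacent `pc[6].u.operandPointer = slot.cachedOffset();`, and the matching store in the last hunk of this file, are the writers that use the new member, while the two global-lexical hunks store slot 6 through `u.pointer`; a one-line comment at each store, e.g. `// Slot 6 is loaded at pointer width by the LLInt (loadp); every writer must store a pointer-sized value.`, would tie the four sites together. The enclosing function begins outside the hunk.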
@@ -183,7 +183,7 @@
ConcurrentJSLocker locker(exec->codeBlock()->m_lock);
pc[4].u.operand = GetPutInfo(getPutInfo.resolveMode(), newResolveType, getPutInfo.initializationMode()).operand();
pc[5].u.watchpointSet = entry.watchpointSet();
- pc[6].u.pointer = static_cast<void*>(globalLexicalEnvironment->variableAt(entry.scopeOffset()).slot());
+ pc[6].u.pointer = globalLexicalEnvironment->variableAt(entry.scopeOffset()).slot();
}
}
@@ -197,7 +197,7 @@
{
ConcurrentJSLocker locker(codeBlock->m_lock);
pc[5].u.structure.set(vm, codeBlock, structure);
- pc[6].u.operand = slot.cachedOffset();
+ pc[6].u.operandPointer = slot.cachedOffset();
}
structure->startWatchingPropertyForReplacements(vm, slot.cachedOffset());
}