Title: [167288] trunk/Source/JavaScriptCore
- Revision
- 167288
- Author
- [email protected]
- Date
- 2014-04-14 19:20:17 -0700 (Mon, 14 Apr 2014)
Log Message
emit_op_put_by_id should not emit a write barrier that filters on value
https://bugs.webkit.org/show_bug.cgi?id=131654
Reviewed by Filip Pizlo.
The 32-bit implementation does this, and it can cause crashes if we later repatch the
code to allocate and store new Butterflies.
* jit/JITPropertyAccess.cpp:
(JSC::JIT::emitWriteBarrier): We also weren't verifying that the base was a cell on
32-bit if we were passed ShouldFilterBase. I also took the liberty of sinking the tag
load down into the if statement so that we don't do it if we're not filtering on the value.
* jit/JITPropertyAccess32_64.cpp:
(JSC::JIT::emit_op_put_by_id):
Modified Paths
Diff
Modified: trunk/Source/_javascript_Core/ChangeLog (167287 => 167288)
--- trunk/Source/_javascript_Core/ChangeLog 2014-04-15 00:55:15 UTC (rev 167287)
+++ trunk/Source/_javascript_Core/ChangeLog 2014-04-15 02:20:17 UTC (rev 167288)
@@ -1,3 +1,20 @@
+2014-04-14 Mark Hahnenberg <[email protected]>
+
+ emit_op_put_by_id should not emit a write barrier that filters on value
+ https://bugs.webkit.org/show_bug.cgi?id=131654
+
+ Reviewed by Filip Pizlo.
+
+ The 32-bit implementation does this, and it can cause crashes if we later repatch the
+ code to allocate and store new Butterflies.
+
+ * jit/JITPropertyAccess.cpp:
+ (JSC::JIT::emitWriteBarrier): We also weren't verifying that the base was a cell on
+ 32-bit if we were passed ShouldFilterBase. I also took the liberty of sinking the tag
+ load down into the if statement so that we don't do it if we're not filtering on the value.
+ * jit/JITPropertyAccess32_64.cpp:
+ (JSC::JIT::emit_op_put_by_id):
+
2014-04-14 Oliver Hunt <[email protected]>
Function.bind itself is too slow
Modified: trunk/Source/_javascript_Core/jit/JITPropertyAccess.cpp (167287 => 167288)
--- trunk/Source/_javascript_Core/jit/JITPropertyAccess.cpp 2014-04-15 00:55:15 UTC (rev 167287)
+++ trunk/Source/_javascript_Core/jit/JITPropertyAccess.cpp 2014-04-15 02:20:17 UTC (rev 167288)
@@ -933,21 +933,22 @@
void JIT::emitWriteBarrier(unsigned owner, unsigned value, WriteBarrierMode mode)
{
#if ENABLE(GGC)
- emitLoadTag(value, regT0);
Jump valueNotCell;
- if (mode == ShouldFilterValue || mode == ShouldFilterBaseAndValue)
+ if (mode == ShouldFilterValue || mode == ShouldFilterBaseAndValue) {
+ emitLoadTag(value, regT0);
valueNotCell = branch32(NotEqual, regT0, TrustedImm32(JSValue::CellTag));
+ }
emitLoad(owner, regT0, regT1);
Jump ownerNotCell;
- if (mode == ShouldFilterBaseAndValue)
+ if (mode == ShouldFilterBase || mode == ShouldFilterBaseAndValue)
ownerNotCell = branch32(NotEqual, regT0, TrustedImm32(JSValue::CellTag));
Jump ownerNotMarkedOrAlreadyRemembered = checkMarkByte(regT1);
callOperation(operationUnconditionalWriteBarrier, regT1);
ownerNotMarkedOrAlreadyRemembered.link(this);
- if (mode == ShouldFilterBaseAndValue)
+ if (mode == ShouldFilterBase || mode == ShouldFilterBaseAndValue)
ownerNotCell.link(this);
if (mode == ShouldFilterValue || mode == ShouldFilterBaseAndValue)
valueNotCell.link(this);
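Review bot: the owner-filter condition `mode == ShouldFilterBase || mode == ShouldFilterBaseAndValue` is now spelled out twice in this hunk (once to emit the branch, once to link it), and the value-filter condition likewise; if either pair drifts apart, `ownerNotCell` or `valueNotCell` ends up linked while uninitialized or never linked at all. Hoisting `bool filterBase = mode == ShouldFilterBase || mode == ShouldFilterBaseAndValue;` and a matching `filterValue` to the top of the function and using them in both places would keep the emit and the link in step. The behavioural change itself looks correct: before this hunk a ShouldFilterBase caller got no cell check on the owner at all, so `checkMarkByte(regT1)` ran on whatever payload `emitLoad(owner, regT0, regT1)` produced.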
@@ -961,10 +962,11 @@
void JIT::emitWriteBarrier(JSCell* owner, unsigned value, WriteBarrierMode mode)
{
#if ENABLE(GGC)
- emitLoadTag(value, regT0);
Jump valueNotCell;
- if (mode == ShouldFilterValue)
+ if (mode == ShouldFilterValue) {
+ emitLoadTag(value, regT0);
valueNotCell = branch32(NotEqual, regT0, TrustedImm32(JSValue::CellTag));
+ }
emitWriteBarrier(owner);
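Review bot: this overload only honours ShouldFilterValue; a caller that passes ShouldFilterBaseAndValue gets no value filter and falls straight through to the unconditional `emitWriteBarrier(owner)`, which is safe but silently slower, and either base-filtering mode is meaningless here because `owner` is already a `JSCell*`. An ASSERT at the top of the function that `mode` is not one of the base-filtering modes would surface such a call site instead of quietly degrading it.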
Modified: trunk/Source/_javascript_Core/jit/JITPropertyAccess32_64.cpp (167287 => 167288)
--- trunk/Source/_javascript_Core/jit/JITPropertyAccess32_64.cpp 2014-04-15 00:55:15 UTC (rev 167287)
+++ trunk/Source/_javascript_Core/jit/JITPropertyAccess32_64.cpp 2014-04-15 02:20:17 UTC (rev 167288)
@@ -515,7 +515,7 @@
int value = currentInstruction[3].u.operand;
int direct = currentInstruction[8].u.operand;
- emitWriteBarrier(base, value, ShouldFilterBaseAndValue);
+ emitWriteBarrier(base, value, ShouldFilterBase);
emitLoad2(base, regT1, regT0, value, regT3, regT2);
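Review bot: the switch from ShouldFilterBaseAndValue to ShouldFilterBase is the actual fix, but nothing at the call site records why; a one-line comment stating that this barrier must not filter on `value` because the store may later be repatched to allocate and write a new Butterfly would stop a future reader from re-adding the value filter as an optimization. The regT0/regT1 clobbers inside `emitWriteBarrier` are harmless here because `emitLoad2(base, regT1, regT0, value, regT3, regT2)` reloads the operands immediately afterwards.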
_______________________________________________
webkit-changes mailing list
[email protected]
https://lists.webkit.org/mailman/listinfo/webkit-changes