Timestamp:
Apr 18, 2014, 11:53:46 PM (11 years ago)
Author:
[email protected]
Message:

REGRESSION(r164205): WebKit crash @StructureIDTable::get.
<https://webkit.org/b/130539>

Reviewed by Geoffrey Garen.

prepareOSREntry() prepares for OSR entry by first copying the local var
values from the baseline frame to a scratch buffer, which is then used
to fill in the locals in their new position in the DFG frame. Unfortunately,
prepareOSREntry() was using the DFG frame's frameRegisterCount as the frame
size of the baseline frame. As a result, some values of locals in the
baseline frame were not saved off, and the DFG frame may get initialized
with random content that happened to be in the uninitialized (and possibly
unallocated) portions of the scratch buffer.

The fix is to use OSREntryData::m_expectedValues.numberOfLocals() as the
number of locals in the baseline frame that we want to copy to the scratch
buffer.

Note: osrEntryThunkGenerator() is expecting the DFG frameRegisterCount
at offset 0 in the scratch buffer. So, we continue to write that value
there, not the baseline frame size.

  • dfg/DFGOSREntry.cpp:

(JSC::DFG::prepareOSREntry):

File:
1 edited

  • trunk/Source/JavaScriptCore/dfg/DFGOSREntry.cpp

    r166493 r167532  
    206206
    207207    unsigned frameSize = jitCode->common.frameRegisterCount;
    208    
    209     Register* scratch = bitwise_cast<Register*>(vm->scratchBufferForSize(sizeof(Register) * (2 + JSStack::CallFrameHeaderSize + frameSize))->dataBuffer());
     208    unsigned baselineFrameSize = entry->m_expectedValues.numberOfLocals();
     209    unsigned maxFrameSize = std::max(frameSize, baselineFrameSize);
     210
     211    Register* scratch = bitwise_cast<Register*>(vm->scratchBufferForSize(sizeof(Register) * (2 + JSStack::CallFrameHeaderSize + maxFrameSize))->dataBuffer());
    210212   
    211213    *bitwise_cast<size_t*>(scratch + 0) = frameSize;
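Review bot: The line `*bitwise_cast<size_t*>(scratch + 0) = frameSize;` deserves a code comment now that `maxFrameSize` exists, because a later reader will naturally assume the value stored at offset 0 should match the buffer size and "fix" it to `maxFrameSize`; the commit message explains that osrEntryThunkGenerator() expects the DFG `frameRegisterCount` there, and that rationale belongs next to the store rather than only in the log. Sizing the buffer with `std::max(frameSize, baselineFrameSize)` correctly covers the case where the baseline frame has more locals than the DFG frame, so the copy of `baselineFrameSize` locals no longer runs past a buffer allocated for `frameSize`; please also confirm `<algorithm>` is included for `std::max`, since the include list is outside this hunk.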
     
    219221    Register* pivot = scratch + 2 + JSStack::CallFrameHeaderSize;
    220222   
    221     for (int index = -JSStack::CallFrameHeaderSize; index < static_cast<int>(frameSize); ++index) {
     223    for (int index = -JSStack::CallFrameHeaderSize; index < static_cast<int>(baselineFrameSize); ++index) {
    222224        VirtualRegister reg(-1 - index);
    223225       
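Review bot: The loop bound change to `static_cast<int>(baselineFrameSize)` means only the baseline frame's locals are copied into the scratch buffer; when `frameSize` is larger than `baselineFrameSize`, the scratch slots above `baselineFrameSize` are never written by this loop. The code that later fills the DFG frame from `scratch` (not in this hunk) must therefore either read only up to `baselineFrameSize` or explicitly initialize the remaining DFG locals, otherwise the same uninitialized-buffer read the commit message describes reappears for the extra DFG slots; a short comment here stating which of the two holds would make that invariant checkable.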