Changeset 168729 in webkit for trunk/Source/JavaScriptCore/assembler/MacroAssemblerSH4.h

Timestamp:

May 13, 2014, 1:57:07 PM (11 years ago)

Author:

[email protected]

Message:

[Win] Enum type with value zero is compatible with void*, potential cause of crashes.
​https://bugs.webkit.org/show_bug.cgi?id=132772

Patch by ​[email protected] <​[email protected]> on 2014-05-13
Reviewed by Geoffrey Garen.

Using the MSVC compiler, an instance of an enum type with value zero, is compatible with void* (see bug 132683 for a code example).
This has caused crashes on Windows on two occasions (bug 132683, and bug 121001).
This patch tries to prevent these type of crashes by using a type with explicit constructors instead of void*.
The void* parameter in the loadDouble and storeDouble methods are replaced with TrustedImmPtr.

• assembler/MacroAssemblerARM.h:

(JSC::MacroAssemblerARM::loadDouble):
(JSC::MacroAssemblerARM::storeDouble):

• assembler/MacroAssemblerARM64.h:

(JSC::MacroAssemblerARM64::loadDouble):
(JSC::MacroAssemblerARM64::storeDouble):

• assembler/MacroAssemblerARMv7.h:

(JSC::MacroAssemblerARMv7::loadDouble):
(JSC::MacroAssemblerARMv7::storeDouble):

• assembler/MacroAssemblerMIPS.h:

(JSC::MacroAssemblerMIPS::loadDouble):
(JSC::MacroAssemblerMIPS::storeDouble):

• assembler/MacroAssemblerSH4.h:

(JSC::MacroAssemblerSH4::loadDouble):
(JSC::MacroAssemblerSH4::storeDouble):

• assembler/MacroAssemblerX86.h:

(JSC::MacroAssemblerX86::storeDouble):

• assembler/MacroAssemblerX86Common.h:

(JSC::MacroAssemblerX86Common::absDouble):
(JSC::MacroAssemblerX86Common::negateDouble):
(JSC::MacroAssemblerX86Common::loadDouble):

• dfg/DFGSpeculativeJIT.cpp:

(JSC::DFG::SpeculativeJIT::silentFill):
(JSC::DFG::compileClampDoubleToByte):

• dfg/DFGSpeculativeJIT32_64.cpp:

(JSC::DFG::SpeculativeJIT::fillSpeculateDouble):
(JSC::DFG::SpeculativeJIT::compile):

• jit/AssemblyHelpers.cpp:

(JSC::AssemblyHelpers::purifyNaN):

• jit/JITInlines.h:

(JSC::JIT::emitLoadDouble):

• jit/JITPropertyAccess.cpp:

(JSC::JIT::emitFloatTypedArrayGetByVal):

• jit/ThunkGenerators.cpp:

(JSC::floorThunkGenerator):
(JSC::roundThunkGenerator):
(JSC::powThunkGenerator):

File:

• trunk/Source/JavaScriptCore/assembler/MacroAssemblerSH4.h (modified) (3 diffs)

trunk/Source/JavaScriptCore/assembler/MacroAssemblerSH4.h

@@ -1156 +1156 @@
     }
 
-    void loadDouble(const void* address, FPRegisterID dest)
-    {
-        RegisterID scr = claimScratch();
-        move(TrustedImmPtr(address), scr);
+    void loadDouble(TrustedImmPtr address, FPRegisterID dest)
+    {
+        RegisterID scr = claimScratch();
+        move(address, scr);
         m_assembler.fmovsReadrminc(scr, (FPRegisterID)(dest + 1));
         m_assembler.fmovsReadrm(scr, dest);
@@ -1205 +1205 @@
     }
 
-    void storeDouble(FPRegisterID src, const void* address)
-    {
-        RegisterID scr = claimScratch();
-        m_assembler.loadConstant(reinterpret_cast<uint32_t>(const_cast<void*>(address)) + 8, scr);
+    void storeDouble(FPRegisterID src, TrustedImmPtr address)
+    {
+        RegisterID scr = claimScratch();
+        m_assembler.loadConstant(reinterpret_cast<uint32_t>(const_cast<void*>(address.m_value)) + 8, scr);
         m_assembler.fmovsWriterndec(src, scr);
         m_assembler.fmovsWriterndec((FPRegisterID)(src + 1), scr);
@@ -1221 +1221 @@
     void addDouble(AbsoluteAddress address, FPRegisterID dest)
     {
-        loadDouble(address.m_ptr, fscratch);
+        loadDouble(TrustedImmPtr(address.m_ptr), fscratch);
         addDouble(fscratch, dest);
     }