Changeset 203413 in webkit for trunk/Source/JavaScriptCore/b3/B3BasicBlock.cpp

Timestamp:

Jul 19, 2016, 12:20:02 PM (9 years ago)

Author:

[email protected]

Message:

B3 methods that mutate the successors array should take FrequentedBlock by value
​https://bugs.webkit.org/show_bug.cgi?id=159935

Reviewed by Michael Saboff.

This bug was found by ASan testing. setSuccessors() takes a const FrequentedBlock&, and the
caller that caused the ASan crash was doing:

block->setSuccessors(block->notTaken())

So, inside setSuccessors(), after we resize() the successors array, the const
FrequentedBlock& points to nonsense.

The fix is to pass FrequentedBlock by value in all of these kinds of methods.

No new tests, but ASan testing catches this instantly for anything that triggers CFG
simplification in B3. So like half of our tests.

• b3/B3BasicBlock.cpp:

(JSC::B3::BasicBlock::clearSuccessors):
(JSC::B3::BasicBlock::appendSuccessor):
(JSC::B3::BasicBlock::setSuccessors):

• b3/B3BasicBlock.h:

(JSC::B3::BasicBlock::successors):
(JSC::B3::BasicBlock::successorBlock):

• b3/B3Value.cpp:

(JSC::B3::Value::replaceWithPhi):
(JSC::B3::Value::replaceWithJump):
(JSC::B3::Value::replaceWithOops):

• b3/B3Value.h:

File:

• trunk/Source/JavaScriptCore/b3/B3BasicBlock.cpp (modified) (2 diffs)

trunk/Source/JavaScriptCore/b3/B3BasicBlock.cpp

@@ -91 +91 @@
 }
 
-void BasicBlock::appendSuccessor(const FrequentedBlock& target)
+void BasicBlock::appendSuccessor(FrequentedBlock target)
 {
     m_successors.append(target);
 }
 
-void BasicBlock::setSuccessors(const FrequentedBlock& target)
+void BasicBlock::setSuccessors(FrequentedBlock target)
 {
     m_successors.resize(1);
@@ -102 +102 @@
 }
 
-void BasicBlock::setSuccessors(const FrequentedBlock& taken, const FrequentedBlock& notTaken)
+void BasicBlock::setSuccessors(FrequentedBlock taken, FrequentedBlock notTaken)
 {
     m_successors.resize(2);