Changeset 38856 in webkit for trunk/JavaScriptCore/bytecompiler/SegmentedVector.h

Timestamp:

Dec 1, 2008, 1:07:07 AM (16 years ago)

Author:

[email protected]

Message:

2008-12-01 Cameron Zwarich <​[email protected]>

Reviewed by Sam Weinig.

Preliminary work for bug 20340: SegmentedVector segment allocations can lead to unsafe use of temporary registers
<​https://bugs.webkit.org/show_bug.cgi?id=20340>

SegmentedVector currently frees segments and reallocates them when used
as a stack. This can lead to unsafe use of pointers into freed segments.

In order to fix this problem, SegmentedVector will be changed to only
grow and never shrink, with the sole exception of clearing all of its
data, a capability that is required by Lexer. This patch changes the
public interface to only allow for these capabilities.

• bytecompiler/BytecodeGenerator.cpp: (JSC::BytecodeGenerator::BytecodeGenerator): Use reserveCapacity() instead of resize() for m_globals and m_parameters.
• bytecompiler/SegmentedVector.h: (JSC::SegmentedVector::resize): Removed. (JSC::SegmentedVector::reserveCapacity): Added. (JSC::SegmentedVector::clear): Added. (JSC::SegmentedVector::shrink): Removed. (JSC::SegmentedVector::grow): Removed.
• parser/Lexer.cpp: (JSC::Lexer::clear): Use clear() instead of resize(0).

File:

• trunk/JavaScriptCore/bytecompiler/SegmentedVector.h (modified) (3 diffs)

trunk/JavaScriptCore/bytecompiler/SegmentedVector.h

@@ -86 +86 @@
         }
 
-        void resize(size_t size)
+        void reserveCapacity(size_t newCapacity)
         {
-            if (size < m_size)
-                shrink(size);
-            else if (size > m_size)
-                grow(size);
-            ASSERT(size == m_size);
-        }
+            if (newCapacity <= m_size)
+                return;
 
-    private:
-        void shrink(size_t size)
-        {
-            ASSERT(size < m_size);
-            size_t numSegments = size / SegmentSize;
-            size_t extra = size % SegmentSize;
-            if (extra)
-                numSegments++;
-            if (!numSegments) {
-                for (size_t i = 1; i < m_segments.size(); i++)
-                    delete m_segments[i];
-                m_segments.resize(1);
-                m_inlineSegment.resize(0);
-                m_size = size;
+            if (newCapacity <= SegmentSize) {
+                m_inlineSegment.resize(newCapacity);
+                m_size = newCapacity;
                 return;
             }
 
-            for (size_t i = numSegments; i < m_segments.size(); i++)
-                delete m_segments[i];
-
-            m_segments.resize(numSegments);
-            if (extra)
-                m_segments.last()->resize(extra);
-            m_size = size;
-        }
-
-        void grow(size_t size)
-        {
-            ASSERT(size > m_size);
-            if (size <= SegmentSize) {
-                m_inlineSegment.resize(size);
-                m_size = size;
-                return;
-            }
-
-            size_t numSegments = size / SegmentSize;
-            size_t extra = size % SegmentSize;
+            size_t numSegments = newCapacity / SegmentSize;
+            size_t extra = newCapacity % SegmentSize;
             if (extra)
                 numSegments++;
@@ -138 +105 @@
             if (numSegments == oldSize) {
                 m_segments.last()->resize(extra);
-                m_size = size;
+                m_size = newCapacity;
                 return;
             }
@@ -156 +123 @@
             segment->resize(extra ? extra : SegmentSize);
             m_segments[numSegments - 1] = segment;
-            m_size = size;
+            m_size = newCapacity;
         }
 
+        void clear()
+        {
+            for (size_t i = 1; i < m_segments.size(); i++)
+                delete m_segments[i];
+            m_segments.resize(1);
+            m_inlineSegment.resize(0);
+            m_size = 0;
+        }
+
+    private:
         typedef Vector<T, SegmentSize> Segment;
         size_t m_size;