Context Navigation

← Previous Change
Next Change →

BytecodeGenerator.cpp

Timestamp:

Dec 1, 2008, 5:57:56 PM (17 years ago)

Author:

[email protected]

Message:

2008-12-01 Cameron Zwarich <[email protected]>

Reviewed by Oliver Hunt.

Bug 20340: SegmentedVector segment allocations can lead to unsafe use of temporary registers
<https://bugs.webkit.org/show_bug.cgi?id=20340>

SegmentedVector currently frees segments and reallocates them when used
as a stack. This can lead to unsafe use of pointers into freed segments.

In order to fix this problem, SegmentedVector will be changed to only
grow and never shrink. Also, rename the reserveCapacity() member
function to grow() to match the actual usage in BytecodeGenerator, where
this function is used to allocate a group of registers at once, rather
than merely saving space for them.

bytecompiler/BytecodeGenerator.cpp: (JSC::BytecodeGenerator::BytecodeGenerator): Use grow() instead of reserveCapacity().
bytecompiler/SegmentedVector.h: (JSC::SegmentedVector::SegmentedVector): (JSC::SegmentedVector::last): (JSC::SegmentedVector::append): (JSC::SegmentedVector::removeLast): (JSC::SegmentedVector::grow): Renamed from reserveCapacity(). (JSC::SegmentedVector::clear):

File:

: 1 edited

trunk/JavaScriptCore/bytecompiler/BytecodeGenerator.cpp (modified) (2 diffs)

Legend:

: Unmodified
: Added
: Removed

trunk/JavaScriptCore/bytecompiler/BytecodeGenerator.cpp

-              r38856
+              r38887
     // Add previously defined symbols to bookkeeping.
     m_globals.reserveCapacity(symbolTable->size());
+    m_globals.grow(symbolTable->size());
     SymbolTable::iterator end = symbolTable->end();
     for (SymbolTable::iterator it = symbolTable->begin(); it != end; ++it)
 …
     size_t parameterCount = functionBody->parameterCount();
     m_nextParameterIndex = -RegisterFile::CallFrameHeaderSize - parameterCount - 1;
     m_parameters.reserveCapacity(1 + parameterCount); // reserve space for "this"
+    m_parameters.grow(1 + parameterCount); // reserve space for "this"
     // Add "this" as a parameter

Note: See TracChangeset for help on using the changeset viewer.

Context Navigation

Changeset 38887 in webkit for trunk/JavaScriptCore/bytecompiler/BytecodeGenerator.cpp

Legend:

trunk/JavaScriptCore/bytecompiler/BytecodeGenerator.cpp

Download in other formats: