Changeset 41544 in webkit for trunk/JavaScriptCore/assembler

Timestamp:

Mar 9, 2009, 6:09:44 PM (16 years ago)

Author:

[email protected]

Message:

Bug 24447: REGRESSION (r41508): Google Maps does not complete initialization
<rdar://problem/6657774>

Reviewed by Gavin Barraclough

r41508 actually exposed a pre-existing bug where we were not invalidating the result
register cache at jump targets. This causes problems when condition loads occur in an

expression -- namely through the ?: and

operators. This patch corrects these issues

by marking the target of all forward jumps as being a jump target, and then clears the
result register cache when ever it starts generating code for a targeted instruction.

I do not believe it is possible to cause this class of failure outside of a single
expression, and expressions only provide forward branches, so this should resolve this
entire class of bug. That said i've included a test case that gets as close as possible
to hitting this bug with a back branch, to hopefully prevent anyone from introducing the
problem in future.

Location:

trunk/JavaScriptCore/assembler

Files:

• AbstractMacroAssembler.h (modified) (1 diff)
• X86Assembler.h (modified) (1 diff)

trunk/JavaScriptCore/assembler/AbstractMacroAssembler.h

@@ -207 +207 @@
         }
         
+        bool isUsed() const { return m_label.isUsed(); }
+        void used() { m_label.used(); }
     private:
         JmpDst m_label;

trunk/JavaScriptCore/assembler/X86Assembler.h

@@ -242 +242 @@
         JmpDst()
             : m_offset(-1)
-        {
-        }
-
+            , m_used(false)
+        {
+        }
+
+        bool isUsed() const { return m_used; }
+        void used() { m_used = true; }
     private:
         JmpDst(int offset)
             : m_offset(offset)
-        {
-        }
-
-        int m_offset;
+            , m_used(false)
+        {
+            ASSERT(m_offset == offset);
+        }
+
+        int m_offset : 31;
+        bool m_used : 1;
     };