Changeset 41544 in webkit for trunk/JavaScriptCore/jit/JIT.cpp


Ignore:
Timestamp:
Mar 9, 2009, 6:09:44 PM (16 years ago)
Author:
[email protected]
Message:

Bug 24447: REGRESSION (r41508): Google Maps does not complete initialization
<rdar://problem/6657774>

Reviewed by Gavin Barraclough

r41508 actually exposed a pre-existing bug where we were not invalidating the result
register cache at jump targets. This causes problems when condition loads occur in an

expression -- namely through the ?: and
operators. This patch corrects these issues

by marking the target of all forward jumps as being a jump target, and then clears the
result register cache when ever it starts generating code for a targeted instruction.

I do not believe it is possible to cause this class of failure outside of a single
expression, and expressions only provide forward branches, so this should resolve this
entire class of bug. That said i've included a test case that gets as close as possible
to hitting this bug with a back branch, to hopefully prevent anyone from introducing the
problem in future.

File:
1 edited

Legend:

Unmodified
Added
Removed

  • trunk/JavaScriptCore/jit/JIT.cpp

    r41508 r41544  
    283283    }
    284284
     285#define RECORD_JUMP_TARGET(targetOffset) \
     286   do { m_labels[m_bytecodeIndex + (targetOffset)].used(); } while (false)
     287
    285288void JIT::privateCompileMainPass()
    286289{
     
    300303#endif
    301304
     305        if (m_labels[m_bytecodeIndex].isUsed())
     306            killLastResultRegister();
     307       
    302308        m_labels[m_bytecodeIndex] = label();
    303309        OpcodeID opcodeID = m_interpreter->getOpcodeID(currentInstruction->u.opcode);
     
    340346            unsigned target = currentInstruction[1].u.operand;
    341347            addJump(jump(), target + 1);
     348            RECORD_JUMP_TARGET(target + 1);
    342349            NEXT_OPCODE(op_jmp);
    343350        }
     
    746753                addJump(branch32(GreaterThanOrEqual, regT0, regT1), target + 3);
    747754            }
     755            RECORD_JUMP_TARGET(target + 3);
    748756            NEXT_OPCODE(op_jnless);
    749757        }
     
    767775
    768776            isNonZero.link(this);
     777            RECORD_JUMP_TARGET(target + 2);
    769778            NEXT_OPCODE(op_jfalse);
    770779        };
     
    787796
    788797            wasNotImmediate.link(this);
     798            RECORD_JUMP_TARGET(target + 2);
    789799            NEXT_OPCODE(op_jeq_null);
    790800        };
     
    807817
    808818            wasNotImmediate.link(this);
     819            RECORD_JUMP_TARGET(target + 2);
    809820            NEXT_OPCODE(op_jneq_null);
    810821        }
     
    825836            addJump(jump(), target + 2);
    826837            m_jsrSites.append(JSRInfo(storeLocation, label()));
     838            killLastResultRegister();
     839            RECORD_JUMP_TARGET(target + 2);
    827840            NEXT_OPCODE(op_jsr);
    828841        }
    829842        case op_sret: {
    830843            jump(Address(callFrameRegister, sizeof(Register) * currentInstruction[1].u.operand));
     844            killLastResultRegister();
    831845            NEXT_OPCODE(op_sret);
    832846        }
     
    893907
    894908            isZero.link(this);
     909            RECORD_JUMP_TARGET(target + 2);
    895910            NEXT_OPCODE(op_jtrue);
    896911        }
     
    10321047            unsigned target = currentInstruction[2].u.operand;
    10331048            addJump(jump(), target + 2);
     1049            RECORD_JUMP_TARGET(target + 2);
    10341050            NEXT_OPCODE(op_jmp_scopes);
    10351051        }
Note: See TracChangeset for help on using the changeset viewer.