Modified: trunk/Source/_javascript_Core/ChangeLog (138307 => 138308)
--- trunk/Source/_javascript_Core/ChangeLog 2012-12-20 23:20:13 UTC (rev 138307)
+++ trunk/Source/_javascript_Core/ChangeLog 2012-12-20 23:20:30 UTC (rev 138308)
@@ -1,3 +1,37 @@
+2012-12-20 Michael Saboff <msab...@apple.com>
+
+ JIT: Change uninitialized pointer value -1 to constant
+ https://bugs.webkit.org/show_bug.cgi?id=105576
+
+ Rubber stamped by Gavin Barraclough.
+
+ Changed the use of -1 as a pointer value in the JITs to be the constant unusedPointer defined in the
+ new file jit/UnusedPointer.h. Made it's value 0xd1e7beef, which is a bad pointer on most architectures
+ because it is odd, and to distinguish it from other common values.
+
+ * GNUmakefile.list.am:
+ * _javascript_Core.xcodeproj/project.pbxproj:
+ * dfg/DFGRepatch.cpp:
+ (JSC::DFG::dfgResetGetByID):
+ (JSC::DFG::dfgResetPutByID):
+ * dfg/DFGSpeculativeJIT32_64.cpp:
+ (JSC::DFG::SpeculativeJIT::cachedGetById):
+ (JSC::DFG::SpeculativeJIT::cachedPutById):
+ * dfg/DFGSpeculativeJIT64.cpp:
+ (JSC::DFG::SpeculativeJIT::cachedGetById):
+ (JSC::DFG::SpeculativeJIT::cachedPutById):
+ * jit/JIT.h:
+ * jit/JITPropertyAccess.cpp:
+ (JSC::JIT::resetPatchGetById):
+ (JSC::JIT::resetPatchPutById):
+ * jit/JITPropertyAccess32_64.cpp:
+ (JSC::JIT::resetPatchGetById):
+ (JSC::JIT::resetPatchPutById):
+ * jit/JITWriteBarrier.h:
+ (JSC::JITWriteBarrierBase::clearToUnusedPointer):
+ (JSC::JITWriteBarrierBase::get):
+ * jit/UnusedPointer.h: Added.
+
2012-12-20 Filip Pizlo <fpi...@apple.com>
DFG shouldn't emit CheckStructure on array accesses if exit profiling tells it not to
Modified: trunk/Source/_javascript_Core/GNUmakefile.list.am (138307 => 138308)
--- trunk/Source/_javascript_Core/GNUmakefile.list.am 2012-12-20 23:20:13 UTC (rev 138307)
+++ trunk/Source/_javascript_Core/GNUmakefile.list.am 2012-12-20 23:20:30 UTC (rev 138308)
@@ -438,6 +438,7 @@
Source/_javascript_Core/jit/SpecializedThunkJIT.h \
Source/_javascript_Core/jit/ThunkGenerators.cpp \
Source/_javascript_Core/jit/ThunkGenerators.h \
+ Source/_javascript_Core/jit/UnusedPointer.h \
Source/_javascript_Core/llint/LLIntCommon.h \
Source/_javascript_Core/llint/LLIntCLoop.cpp \
Source/_javascript_Core/llint/LLIntCLoop.h \
Modified: trunk/Source/_javascript_Core/_javascript_Core.xcodeproj/project.pbxproj (138307 => 138308)
--- trunk/Source/_javascript_Core/_javascript_Core.xcodeproj/project.pbxproj 2012-12-20 23:20:13 UTC (rev 138307)
+++ trunk/Source/_javascript_Core/_javascript_Core.xcodeproj/project.pbxproj 2012-12-20 23:20:30 UTC (rev 138308)
@@ -1291,6 +1291,7 @@
65621E6B089E859700760F35 /* PropertySlot.cpp */ = {isa = PBXFileReference; fileEncoding = 30; indentWidth = 4; lastKnownFileType = sourcecode.cpp.cpp; path = PropertySlot.cpp; sourceTree = "<group>"; tabWidth = 8; };
65621E6C089E859700760F35 /* PropertySlot.h */ = {isa = PBXFileReference; fileEncoding = 30; indentWidth = 4; lastKnownFileType = sourcecode.c.h; path = PropertySlot.h; sourceTree = "<group>"; tabWidth = 8; };
65987F2C167FE84B003C2F8D /* DFGOSRExitCompilationInfo.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; name = DFGOSRExitCompilationInfo.h; path = dfg/DFGOSRExitCompilationInfo.h; sourceTree = "<group>"; };
+ 65987F2F16828A7E003C2F8D /* UnusedPointer.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = UnusedPointer.h; sourceTree = "<group>"; };
65C02FBB0637462A003E7EE6 /* Protect.h */ = {isa = PBXFileReference; fileEncoding = 30; indentWidth = 4; lastKnownFileType = sourcecode.c.h; path = Protect.h; sourceTree = "<group>"; tabWidth = 8; };
65C7A1710A8EAACB00FA37EA /* JSWrapperObject.cpp */ = {isa = PBXFileReference; fileEncoding = 30; lastKnownFileType = sourcecode.cpp.cpp; path = JSWrapperObject.cpp; sourceTree = "<group>"; };
65C7A1720A8EAACB00FA37EA /* JSWrapperObject.h */ = {isa = PBXFileReference; fileEncoding = 30; lastKnownFileType = sourcecode.c.h; path = JSWrapperObject.h; sourceTree = "<group>"; };
@@ -1897,6 +1898,7 @@
children = (
0F73D7AB165A142A00ACAB71 /* ClosureCallStubRoutine.cpp */,
0F73D7AC165A142A00ACAB71 /* ClosureCallStubRoutine.h */,
+ 65987F2F16828A7E003C2F8D /* UnusedPointer.h */,
0FD82E37141AB14200179C94 /* CompactJITCodeMap.h */,
A7B48DB60EE74CFC00DCBDB6 /* ExecutableAllocator.cpp */,
A7B48DB50EE74CFC00DCBDB6 /* ExecutableAllocator.h */,
Modified: trunk/Source/_javascript_Core/dfg/DFGRepatch.cpp (138307 => 138308)
--- trunk/Source/_javascript_Core/dfg/DFGRepatch.cpp 2012-12-20 23:20:13 UTC (rev 138307)
+++ trunk/Source/_javascript_Core/dfg/DFGRepatch.cpp 2012-12-20 23:20:30 UTC (rev 138308)
@@ -1258,9 +1258,9 @@
MacroAssembler::Address(
static_cast<MacroAssembler::RegisterID>(stubInfo.patch.dfg.baseGPR),
JSCell::structureOffset()),
- reinterpret_cast<void*>(-1));
+ reinterpret_cast<void*>(unusedPointer));
}
- repatchBuffer.repatch(structureLabel, reinterpret_cast<void*>(-1));
+ repatchBuffer.repatch(structureLabel, reinterpret_cast<void*>(unusedPointer));
#if USE(JSVALUE64)
repatchBuffer.repatch(stubInfo.callReturnLocation.dataLabelCompactAtOffset(stubInfo.patch.dfg.deltaCallToLoadOrStore), 0);
#else
@@ -1292,9 +1292,9 @@
MacroAssembler::Address(
static_cast<MacroAssembler::RegisterID>(stubInfo.patch.dfg.baseGPR),
JSCell::structureOffset()),
- reinterpret_cast<void*>(-1));
+ reinterpret_cast<void*>(unusedPointer));
}
- repatchBuffer.repatch(structureLabel, reinterpret_cast<void*>(-1));
+ repatchBuffer.repatch(structureLabel, reinterpret_cast<void*>(unusedPointer));
#if USE(JSVALUE64)
repatchBuffer.repatch(stubInfo.callReturnLocation.dataLabel32AtOffset(stubInfo.patch.dfg.deltaCallToLoadOrStore), 0);
#else
Modified: trunk/Source/_javascript_Core/dfg/DFGSpeculativeJIT32_64.cpp (138307 => 138308)
--- trunk/Source/_javascript_Core/dfg/DFGSpeculativeJIT32_64.cpp 2012-12-20 23:20:13 UTC (rev 138307)
+++ trunk/Source/_javascript_Core/dfg/DFGSpeculativeJIT32_64.cpp 2012-12-20 23:20:30 UTC (rev 138308)
@@ -509,7 +509,7 @@
void SpeculativeJIT::cachedGetById(CodeOrigin codeOrigin, GPRReg baseTagGPROrNone, GPRReg basePayloadGPR, GPRReg resultTagGPR, GPRReg resultPayloadGPR, unsigned identifierNumber, JITCompiler::Jump slowPathTarget, SpillRegistersMode spillMode)
{
JITCompiler::DataLabelPtr structureToCompare;
- JITCompiler::PatchableJump structureCheck = m_jit.patchableBranchPtrWithPatch(JITCompiler::NotEqual, JITCompiler::Address(basePayloadGPR, JSCell::structureOffset()), structureToCompare, JITCompiler::TrustedImmPtr(reinterpret_cast<void*>(-1)));
+ JITCompiler::PatchableJump structureCheck = m_jit.patchableBranchPtrWithPatch(JITCompiler::NotEqual, JITCompiler::Address(basePayloadGPR, JSCell::structureOffset()), structureToCompare, JITCompiler::TrustedImmPtr(reinterpret_cast<void*>(unusedPointer)));
JITCompiler::ConvertibleLoadLabel propertyStorageLoad = m_jit.convertibleLoadPtr(JITCompiler::Address(basePayloadGPR, JSObject::butterflyOffset()), resultPayloadGPR);
JITCompiler::DataLabelCompact tagLoadWithPatch = m_jit.load32WithCompactAddressOffsetPatch(JITCompiler::Address(resultPayloadGPR, OBJECT_OFFSETOF(EncodedValueDescriptor, asBits.tag)), resultTagGPR);
@@ -564,7 +564,7 @@
void SpeculativeJIT::cachedPutById(CodeOrigin codeOrigin, GPRReg basePayloadGPR, GPRReg valueTagGPR, GPRReg valuePayloadGPR, Edge valueUse, GPRReg scratchGPR, unsigned identifierNumber, PutKind putKind, JITCompiler::Jump slowPathTarget)
{
JITCompiler::DataLabelPtr structureToCompare;
- JITCompiler::PatchableJump structureCheck = m_jit.patchableBranchPtrWithPatch(JITCompiler::NotEqual, JITCompiler::Address(basePayloadGPR, JSCell::structureOffset()), structureToCompare, JITCompiler::TrustedImmPtr(reinterpret_cast<void*>(-1)));
+ JITCompiler::PatchableJump structureCheck = m_jit.patchableBranchPtrWithPatch(JITCompiler::NotEqual, JITCompiler::Address(basePayloadGPR, JSCell::structureOffset()), structureToCompare, JITCompiler::TrustedImmPtr(reinterpret_cast<void*>(unusedPointer)));
writeBarrier(basePayloadGPR, valueTagGPR, valueUse, WriteBarrierForPropertyAccess, scratchGPR);
Modified: trunk/Source/_javascript_Core/dfg/DFGSpeculativeJIT64.cpp (138307 => 138308)
--- trunk/Source/_javascript_Core/dfg/DFGSpeculativeJIT64.cpp 2012-12-20 23:20:13 UTC (rev 138307)
+++ trunk/Source/_javascript_Core/dfg/DFGSpeculativeJIT64.cpp 2012-12-20 23:20:30 UTC (rev 138308)
@@ -498,7 +498,7 @@
void SpeculativeJIT::cachedGetById(CodeOrigin codeOrigin, GPRReg baseGPR, GPRReg resultGPR, unsigned identifierNumber, JITCompiler::Jump slowPathTarget, SpillRegistersMode spillMode)
{
JITCompiler::DataLabelPtr structureToCompare;
- JITCompiler::PatchableJump structureCheck = m_jit.patchableBranchPtrWithPatch(JITCompiler::NotEqual, JITCompiler::Address(baseGPR, JSCell::structureOffset()), structureToCompare, JITCompiler::TrustedImmPtr(reinterpret_cast<void*>(-1)));
+ JITCompiler::PatchableJump structureCheck = m_jit.patchableBranchPtrWithPatch(JITCompiler::NotEqual, JITCompiler::Address(baseGPR, JSCell::structureOffset()), structureToCompare, JITCompiler::TrustedImmPtr(reinterpret_cast<void*>(unusedPointer)));
JITCompiler::ConvertibleLoadLabel propertyStorageLoad =
m_jit.convertibleLoadPtr(JITCompiler::Address(baseGPR, JSObject::butterflyOffset()), resultGPR);
@@ -532,7 +532,7 @@
{
JITCompiler::DataLabelPtr structureToCompare;
- JITCompiler::PatchableJump structureCheck = m_jit.patchableBranchPtrWithPatch(JITCompiler::NotEqual, JITCompiler::Address(baseGPR, JSCell::structureOffset()), structureToCompare, JITCompiler::TrustedImmPtr(reinterpret_cast<void*>(-1)));
+ JITCompiler::PatchableJump structureCheck = m_jit.patchableBranchPtrWithPatch(JITCompiler::NotEqual, JITCompiler::Address(baseGPR, JSCell::structureOffset()), structureToCompare, JITCompiler::TrustedImmPtr(reinterpret_cast<void*>(unusedPointer)));
writeBarrier(baseGPR, valueGPR, valueUse, WriteBarrierForPropertyAccess, scratchGPR);
Modified: trunk/Source/_javascript_Core/jit/JIT.h (138307 => 138308)
--- trunk/Source/_javascript_Core/jit/JIT.h 2012-12-20 23:20:13 UTC (rev 138307)
+++ trunk/Source/_javascript_Core/jit/JIT.h 2012-12-20 23:20:30 UTC (rev 138308)
@@ -50,6 +50,7 @@
#include "JSInterfaceJIT.h"
#include "LegacyProfiler.h"
#include "Opcode.h"
+#include "UnusedPointer.h"
#include <bytecode/SamplingTool.h>
namespace JSC {
@@ -292,7 +293,7 @@
using MacroAssembler::JumpList;
using MacroAssembler::Label;
- static const int patchGetByIdDefaultStructure = -1;
+ static const uintptr_t patchGetByIdDefaultStructure = unusedPointer;
static const int patchGetByIdDefaultOffset = 0;
// Magic number - initial offset cannot be representable as a signed 8bit value, or the X86Assembler
// will compress the displacement, and we may not be able to fit a patched offset.
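Review bot: Changing `patchGetByIdDefaultStructure` from `int` to `uintptr_t` alters the type seen by every consumer of that constant, and none of those consumers appear in this diff. If any of them passes it as a 32-bit immediate or compares it against a signed value, the conversion now changes signedness (and on 64-bit targets width) where the old `-1` sign-extended to an all-ones pointer; worth confirming each use either goes through `reinterpret_cast<void*>` or is otherwise pointer-sized. A short comment next to the declaration would also help, e.g. `// Placeholder Structure* written into the inline-cache compare slot until the first patch; see UnusedPointer.h.` The enclosing class body continues outside this hunk.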
Modified: trunk/Source/_javascript_Core/jit/JITPropertyAccess.cpp (138307 => 138308)
--- trunk/Source/_javascript_Core/jit/JITPropertyAccess.cpp 2012-12-20 23:20:13 UTC (rev 138307)
+++ trunk/Source/_javascript_Core/jit/JITPropertyAccess.cpp 2012-12-20 23:20:30 UTC (rev 138308)
@@ -1241,7 +1241,7 @@
void JIT::resetPatchGetById(RepatchBuffer& repatchBuffer, StructureStubInfo* stubInfo)
{
repatchBuffer.relink(stubInfo->callReturnLocation, cti_op_get_by_id);
- repatchBuffer.repatch(stubInfo->hotPathBegin.dataLabelPtrAtOffset(stubInfo->patch.baseline.u.get.structureToCompare), reinterpret_cast<void*>(-1));
+ repatchBuffer.repatch(stubInfo->hotPathBegin.dataLabelPtrAtOffset(stubInfo->patch.baseline.u.get.structureToCompare), reinterpret_cast<void*>(unusedPointer));
repatchBuffer.repatch(stubInfo->hotPathBegin.dataLabelCompactAtOffset(stubInfo->patch.baseline.u.get.displacementLabel), 0);
repatchBuffer.relink(stubInfo->hotPathBegin.jumpAtOffset(stubInfo->patch.baseline.u.get.structureCheck), stubInfo->callReturnLocation.labelAtOffset(-stubInfo->patch.baseline.u.get.coldPathBegin));
}
@@ -1252,7 +1252,7 @@
repatchBuffer.relink(stubInfo->callReturnLocation, cti_op_put_by_id_direct);
else
repatchBuffer.relink(stubInfo->callReturnLocation, cti_op_put_by_id);
- repatchBuffer.repatch(stubInfo->hotPathBegin.dataLabelPtrAtOffset(stubInfo->patch.baseline.u.put.structureToCompare), reinterpret_cast<void*>(-1));
+ repatchBuffer.repatch(stubInfo->hotPathBegin.dataLabelPtrAtOffset(stubInfo->patch.baseline.u.put.structureToCompare), reinterpret_cast<void*>(unusedPointer));
repatchBuffer.repatch(stubInfo->hotPathBegin.dataLabel32AtOffset(stubInfo->patch.baseline.u.put.displacementLabel), 0);
}
Modified: trunk/Source/_javascript_Core/jit/JITPropertyAccess32_64.cpp (138307 => 138308)
--- trunk/Source/_javascript_Core/jit/JITPropertyAccess32_64.cpp 2012-12-20 23:20:13 UTC (rev 138307)
+++ trunk/Source/_javascript_Core/jit/JITPropertyAccess32_64.cpp 2012-12-20 23:20:30 UTC (rev 138308)
@@ -1298,7 +1298,7 @@
void JIT::resetPatchGetById(RepatchBuffer& repatchBuffer, StructureStubInfo* stubInfo)
{
repatchBuffer.relink(stubInfo->callReturnLocation, cti_op_get_by_id);
- repatchBuffer.repatch(stubInfo->hotPathBegin.dataLabelPtrAtOffset(stubInfo->patch.baseline.u.get.structureToCompare), reinterpret_cast<void*>(-1));
+ repatchBuffer.repatch(stubInfo->hotPathBegin.dataLabelPtrAtOffset(stubInfo->patch.baseline.u.get.structureToCompare), reinterpret_cast<void*>(unusedPointer));
repatchBuffer.repatch(stubInfo->hotPathBegin.dataLabelCompactAtOffset(stubInfo->patch.baseline.u.get.displacementLabel1), 0);
repatchBuffer.repatch(stubInfo->hotPathBegin.dataLabelCompactAtOffset(stubInfo->patch.baseline.u.get.displacementLabel2), 0);
repatchBuffer.relink(stubInfo->hotPathBegin.jumpAtOffset(stubInfo->patch.baseline.u.get.structureCheck), stubInfo->callReturnLocation.labelAtOffset(-stubInfo->patch.baseline.u.get.coldPathBegin));
@@ -1310,7 +1310,7 @@
repatchBuffer.relink(stubInfo->callReturnLocation, cti_op_put_by_id_direct);
else
repatchBuffer.relink(stubInfo->callReturnLocation, cti_op_put_by_id);
- repatchBuffer.repatch(stubInfo->hotPathBegin.dataLabelPtrAtOffset(stubInfo->patch.baseline.u.put.structureToCompare), reinterpret_cast<void*>(-1));
+ repatchBuffer.repatch(stubInfo->hotPathBegin.dataLabelPtrAtOffset(stubInfo->patch.baseline.u.put.structureToCompare), reinterpret_cast<void*>(unusedPointer));
repatchBuffer.repatch(stubInfo->hotPathBegin.dataLabel32AtOffset(stubInfo->patch.baseline.u.put.displacementLabel1), 0);
repatchBuffer.repatch(stubInfo->hotPathBegin.dataLabel32AtOffset(stubInfo->patch.baseline.u.put.displacementLabel2), 0);
}
Modified: trunk/Source/_javascript_Core/jit/JITWriteBarrier.h (138307 => 138308)
--- trunk/Source/_javascript_Core/jit/JITWriteBarrier.h 2012-12-20 23:20:13 UTC (rev 138307)
+++ trunk/Source/_javascript_Core/jit/JITWriteBarrier.h 2012-12-20 23:20:30 UTC (rev 138308)
@@ -31,6 +31,7 @@
#include "MacroAssembler.h"
#include "SlotVisitor.h"
#include "WriteBarrier.h"
+#include "jit/UnusedPointer.h"
namespace JSC {
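Review bot: The new include here is spelled `#include "jit/UnusedPointer.h"`, while the same commit adds it to JIT.h as `#include "UnusedPointer.h"`; both headers live in jit/, so the two spellings resolve through different include roots and one of them only works because of how the build sets its include paths. Matching the neighbouring includes in this file (`#include "UnusedPointer.h"`, like MacroAssembler.h and SlotVisitor.h above it) keeps the header self-locating across the GNUmakefile and Xcode builds touched by this change.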
@@ -69,7 +70,7 @@
}
void clear() { clear(0); }
- void clearToMaxUnsigned() { clear(reinterpret_cast<void*>(-1)); }
+ void clearToUnusedPointer() { clear(reinterpret_cast<void*>(unusedPointer)); }
protected:
JITWriteBarrierBase()
@@ -90,8 +91,7 @@
if (!m_location || m_location.executableAddress() == JITWriteBarrierFlag)
return 0;
void* result = static_cast<JSCell*>(MacroAssembler::readPointer(m_location));
- // We use -1 to indicate a "safe" empty value in the instruction stream
- if (result == (void*)-1)
+ if (result == reinterpret_cast<void*>(unusedPointer))
return 0;
return static_cast<JSCell*>(result);
}
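Review bot: The removed line `// We use -1 to indicate a "safe" empty value in the instruction stream` was the only explanation of why get() treats a particular bit pattern as "no cell", and the replacement comparison against `unusedPointer` is left uncommented; the comment should move with the sentinel rather than disappear, e.g. `// unusedPointer marks a slot cleared via clearToUnusedPointer(), not a live JSCell*.` The enclosing get() starts before this hunk. It may also be worth stating in one sentence whether any caller of the old name clearToMaxUnsigned() survives elsewhere, since the rename in the previous hunk is not accompanied by caller updates in this diff (presumably there are none).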
Added: trunk/Source/_javascript_Core/jit/UnusedPointer.h (0 => 138308)
--- trunk/Source/_javascript_Core/jit/UnusedPointer.h (rev 0)
+++ trunk/Source/_javascript_Core/jit/UnusedPointer.h 2012-12-20 23:20:30 UTC (rev 138308)
@@ -0,0 +1,37 @@
+/*
+ * Copyright (C) 2012 Apple Inc. All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY APPLE INC. ``AS IS'' AND ANY
+ * EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL APPLE INC. OR
+ * CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL,
+ * EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
+ * PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
+ * PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY
+ * OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+ * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+#ifndef UnusedPointer_h
+#define UnusedPointer_h
+
+namespace JSC {
+
+static const uintptr_t unusedPointer = 0xd1e7beef;
+
+} // namespace JSC
+
+using JSC::unusedPointer;
+
+#endif // UnusedPointer_h
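Review bot: The new header uses `uintptr_t` without including `<stdint.h>` (or the project's usual wrapper), so it compiles only when an earlier include has already pulled the type in; JIT.h and JITWriteBarrier.h include it after several other headers today, but a future includer that lists it first will break. Add `#include <stdint.h>` before the namespace. The file-scope `using JSC::unusedPointer;` also injects an unqualified name into the global namespace of every translation unit that includes the header, which is unusual for a header in this tree; the call sites in DFGRepatch.cpp, the SpeculativeJIT files and JITPropertyAccess*.cpp are all inside `namespace JSC` and so do not need it. Finally, every use site repeats `reinterpret_cast<void*>(unusedPointer)`; a one-line comment on the constant stating its contract would help, e.g. `// Sentinel stored in not-yet-patched inline-cache slots; compared for equality only and chosen odd so it cannot be a valid aligned cell pointer.`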