Title: [143994] trunk/Source/_javascript_Core
Revision
143994
Author
msab...@apple.com
Date
2013-02-25 18:10:02 -0800 (Mon, 25 Feb 2013)

Log Message

For JSVALUE32_64, maxOffsetRelativeToPatchedStorage() doesn't compute the maximum negative offset
https://bugs.webkit.org/show_bug.cgi?id=110828

Reviewed by Oliver Hunt.

* runtime/JSObject.h:
(JSC::maxOffsetRelativeToPatchedStorage): Only add the OBJECT_OFFSETOF(tag) for positive offsets.
That way this function will return the offset farthest from 0 needed to access either the payload
or tag.

Diff

Modified: trunk/Source/_javascript_Core/ChangeLog (143993 => 143994)


--- trunk/Source/_javascript_Core/ChangeLog	2013-02-26 02:06:12 UTC (rev 143993)
+++ trunk/Source/_javascript_Core/ChangeLog	2013-02-26 02:10:02 UTC (rev 143994)
@@ -1,3 +1,15 @@
+2013-02-25  Michael Saboff  <msab...@apple.com>
+
+        For JSVALUE32_64, maxOffsetRelativeToPatchedStorage() doesn't compute the maximum negative offset
+        https://bugs.webkit.org/show_bug.cgi?id=110828
+
+        Reviewed by Oliver Hunt.
+
+        * runtime/JSObject.h:
+        (JSC::maxOffsetRelativeToPatchedStorage): Only add the OBJECT_OFFSETOF(tag) for positive offsets.
+        That way this function will return the offset farthest from 0 needed to access either the payload
+        or tag.
+
 2013-02-25  Jeffrey Pfau  <jp...@apple.com>
 
         Optionally partition cache to prevent using cache for tracking

Modified: trunk/Source/_javascript_Core/runtime/JSObject.h (143993 => 143994)


--- trunk/Source/_javascript_Core/runtime/JSObject.h	2013-02-26 02:06:12 UTC (rev 143993)
+++ trunk/Source/_javascript_Core/runtime/JSObject.h	2013-02-26 02:10:02 UTC (rev 143994)
@@ -1421,15 +1421,15 @@
     return JSObject::offsetOfInlineStorage() - JSObject::butterflyOffset() + sizeof(EncodedJSValue) * offsetInInlineStorage(offset);
 }
 
-// Returns the maximum offset a load instruction will encode.
+// Returns the maximum offset (away from zero) a load instruction will encode.
 inline size_t maxOffsetRelativeToPatchedStorage(PropertyOffset offset)
 {
+    ptrdiff_t addressOffset = static_cast<ptrdiff_t>(offsetRelativeToPatchedStorage(offset));
 #if USE(JSVALUE32_64)
-    return offsetRelativeToPatchedStorage(offset)
-        + OBJECT_OFFSETOF(EncodedValueDescriptor, asBits.tag);
-#else
-    return offsetRelativeToPatchedStorage(offset);
+    if (addressOffset >= 0)
+        return static_cast<size_t>(addressOffset) + OBJECT_OFFSETOF(EncodedValueDescriptor, asBits.tag);
 #endif
+    return static_cast<size_t>(addressOffset);
 }
 
 inline int indexRelativeToBase(PropertyOffset offset)
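Review bot: In the JSVALUE32_64 branch, the negative-offset path ends in `return static_cast<size_t>(addressOffset);`, which wraps a negative ptrdiff_t to a large unsigned value rather than its distance from zero; since the new comment promises "the maximum offset (away from zero)", either document that callers must reinterpret the result as a signed offset or change the return type to ptrdiff_t so the sign survives the call. A one-line comment at `if (addressOffset >= 0)` explaining why only the positive side adds `OBJECT_OFFSETOF(EncodedValueDescriptor, asBits.tag)` (for a negative offset the payload at the base address is already the byte farthest from zero, per the ChangeLog) would also save the next reader from re-deriving it.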
_______________________________________________
webkit-changes mailing list
webkit-changes@lists.webkit.org
https://lists.webkit.org/mailman/listinfo/webkit-changes