Modified: trunk/Source/_javascript_Core/ChangeLog (168641 => 168642)
--- trunk/Source/_javascript_Core/ChangeLog 2014-05-12 20:31:29 UTC (rev 168641)
+++ trunk/Source/_javascript_Core/ChangeLog 2014-05-12 20:42:24 UTC (rev 168642)
@@ -1,3 +1,53 @@
+2014-05-12 pe...@outlook.com <pe...@outlook.com>
+
+ [Win] Enum type with value zero is compatible with void*, potential cause of crashes.
+ https://bugs.webkit.org/show_bug.cgi?id=132772
+
+ Reviewed by Geoffrey Garen.
+
+ Using the MSVC compiler, an instance of an enum type with value zero, is compatible with void* (see bug 132683 for a code example).
+ This has caused crashes on Windows on two occasions (bug 132683, and bug 121001).
+ This patch tries to prevent these type of crashes by using a type with explicit constructors instead of void*.
+ The void* parameter in the loadDouble and storeDouble methods are replaced with TrustedImmPtr.
+
+ * assembler/MacroAssemblerARM.h:
+ (JSC::MacroAssemblerARM::loadDouble):
+ (JSC::MacroAssemblerARM::storeDouble):
+ * assembler/MacroAssemblerARM64.h:
+ (JSC::MacroAssemblerARM64::loadDouble):
+ (JSC::MacroAssemblerARM64::storeDouble):
+ * assembler/MacroAssemblerARMv7.h:
+ (JSC::MacroAssemblerARMv7::loadDouble):
+ (JSC::MacroAssemblerARMv7::storeDouble):
+ * assembler/MacroAssemblerMIPS.h:
+ (JSC::MacroAssemblerMIPS::loadDouble):
+ (JSC::MacroAssemblerMIPS::storeDouble):
+ * assembler/MacroAssemblerSH4.h:
+ (JSC::MacroAssemblerSH4::loadDouble):
+ (JSC::MacroAssemblerSH4::storeDouble):
+ * assembler/MacroAssemblerX86.h:
+ (JSC::MacroAssemblerX86::storeDouble):
+ * assembler/MacroAssemblerX86Common.h:
+ (JSC::MacroAssemblerX86Common::absDouble):
+ (JSC::MacroAssemblerX86Common::negateDouble):
+ (JSC::MacroAssemblerX86Common::loadDouble):
+ * dfg/DFGSpeculativeJIT.cpp:
+ (JSC::DFG::SpeculativeJIT::silentFill):
+ (JSC::DFG::compileClampDoubleToByte):
+ * dfg/DFGSpeculativeJIT32_64.cpp:
+ (JSC::DFG::SpeculativeJIT::fillSpeculateDouble):
+ (JSC::DFG::SpeculativeJIT::compile):
+ * jit/AssemblyHelpers.cpp:
+ (JSC::AssemblyHelpers::purifyNaN):
+ * jit/JITInlines.h:
+ (JSC::JIT::emitLoadDouble):
+ * jit/JITPropertyAccess.cpp:
+ (JSC::JIT::emitFloatTypedArrayGetByVal):
+ * jit/ThunkGenerators.cpp:
+ (JSC::floorThunkGenerator):
+ (JSC::roundThunkGenerator):
+ (JSC::powThunkGenerator):
+
2014-05-12 Andreas Kling <akl...@apple.com>
0.4% of PLT3 in JSCell::structure() below JSObject::visitChildren().
Modified: trunk/Source/_javascript_Core/assembler/MacroAssemblerARM.h (168641 => 168642)
--- trunk/Source/_javascript_Core/assembler/MacroAssemblerARM.h 2014-05-12 20:31:29 UTC (rev 168641)
+++ trunk/Source/_javascript_Core/assembler/MacroAssemblerARM.h 2014-05-12 20:42:24 UTC (rev 168642)
@@ -1121,9 +1121,9 @@
m_assembler.baseIndexTransferFloat(ARMAssembler::LoadDouble, dest, address.base, address.index, static_cast<int>(address.scale), address.offset);
}
- void loadDouble(const void* address, FPRegisterID dest)
+ void loadDouble(TrustedImmPtr address, FPRegisterID dest)
{
- move(TrustedImm32(reinterpret_cast<ARMWord>(address)), ARMRegisters::S0);
+ move(TrustedImm32(reinterpret_cast<ARMWord>(address.m_value)), ARMRegisters::S0);
m_assembler.doubleDtrUp(ARMAssembler::LoadDouble, dest, ARMRegisters::S0, 0);
}
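Review bot: The new loadDouble still accepts a null TrustedImmPtr silently: only MacroAssemblerX86::storeDouble in this commit keeps an `ASSERT(address.m_value)`, while this hunk and the ARM storeDouble, ARM64, ARMv7, MIPS and SH4 hunks, plus the CPU(X86) branch of MacroAssemblerX86Common::loadDouble, hand address.m_value to the emitter with no check. Since a zero-valued enum converting to a pointer is exactly the failure the commit describes, adding `ASSERT(address.m_value);` as the first statement of each of these bodies would turn the next such regression into a debug-build failure instead of a fault at the emitted load. Separately, if MacroAssemblerARM has a `move(TrustedImmPtr, RegisterID)` overload as the ARMv7, MIPS and SH4 hunks appear to, `move(address, ARMRegisters::S0);` would drop the reinterpret_cast here and in storeDouble. The enclosing class header is outside the hunk.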
@@ -1142,9 +1142,9 @@
m_assembler.baseIndexTransferFloat(ARMAssembler::StoreDouble, src, address.base, address.index, static_cast<int>(address.scale), address.offset);
}
- void storeDouble(FPRegisterID src, const void* address)
+ void storeDouble(FPRegisterID src, TrustedImmPtr address)
{
- move(TrustedImm32(reinterpret_cast<ARMWord>(address)), ARMRegisters::S0);
+ move(TrustedImm32(reinterpret_cast<ARMWord>(address.m_value)), ARMRegisters::S0);
m_assembler.dataTransferFloat(ARMAssembler::StoreDouble, src, ARMRegisters::S0, 0);
}
Modified: trunk/Source/_javascript_Core/assembler/MacroAssemblerARM64.h (168641 => 168642)
--- trunk/Source/_javascript_Core/assembler/MacroAssemblerARM64.h 2014-05-12 20:31:29 UTC (rev 168641)
+++ trunk/Source/_javascript_Core/assembler/MacroAssemblerARM64.h 2014-05-12 20:42:24 UTC (rev 168642)
@@ -1310,9 +1310,9 @@
m_assembler.ldr<64>(dest, address.base, memoryTempRegister);
}
- void loadDouble(const void* address, FPRegisterID dest)
+ void loadDouble(TrustedImmPtr address, FPRegisterID dest)
{
- moveToCachedReg(TrustedImmPtr(address), m_cachedMemoryTempRegister);
+ moveToCachedReg(address, m_cachedMemoryTempRegister);
m_assembler.ldr<64>(dest, memoryTempRegister, ARM64Registers::zr);
}
@@ -1378,9 +1378,9 @@
m_assembler.str<64>(src, address.base, memoryTempRegister);
}
- void storeDouble(FPRegisterID src, const void* address)
+ void storeDouble(FPRegisterID src, TrustedImmPtr address)
{
- moveToCachedReg(TrustedImmPtr(address), m_cachedMemoryTempRegister);
+ moveToCachedReg(address, m_cachedMemoryTempRegister);
m_assembler.str<64>(src, memoryTempRegister, ARM64Registers::zr);
}
Modified: trunk/Source/_javascript_Core/assembler/MacroAssemblerARMv7.h (168641 => 168642)
--- trunk/Source/_javascript_Core/assembler/MacroAssemblerARMv7.h 2014-05-12 20:31:29 UTC (rev 168641)
+++ trunk/Source/_javascript_Core/assembler/MacroAssemblerARMv7.h 2014-05-12 20:42:24 UTC (rev 168642)
@@ -875,9 +875,9 @@
m_assembler.vmov(dest, src);
}
- void loadDouble(const void* address, FPRegisterID dest)
+ void loadDouble(TrustedImmPtr address, FPRegisterID dest)
{
- move(TrustedImmPtr(address), addressTempRegister);
+ move(address, addressTempRegister);
m_assembler.vldr(dest, addressTempRegister, 0);
}
@@ -911,9 +911,9 @@
m_assembler.fsts(ARMRegisters::asSingle(src), base, offset);
}
- void storeDouble(FPRegisterID src, const void* address)
+ void storeDouble(FPRegisterID src, TrustedImmPtr address)
{
- move(TrustedImmPtr(address), addressTempRegister);
+ move(address, addressTempRegister);
storeDouble(src, addressTempRegister);
}
Modified: trunk/Source/_javascript_Core/assembler/MacroAssemblerMIPS.h (168641 => 168642)
--- trunk/Source/_javascript_Core/assembler/MacroAssemblerMIPS.h 2014-05-12 20:31:29 UTC (rev 168641)
+++ trunk/Source/_javascript_Core/assembler/MacroAssemblerMIPS.h 2014-05-12 20:42:24 UTC (rev 168642)
@@ -2268,7 +2268,7 @@
#endif
}
- void loadDouble(const void* address, FPRegisterID dest)
+ void loadDouble(TrustedImmPtr address, FPRegisterID dest)
{
#if WTF_MIPS_ISA(1)
/*
@@ -2276,7 +2276,7 @@
lwc1 dest, 0(addrTemp)
lwc1 dest+1, 4(addrTemp)
*/
- move(TrustedImmPtr(address), addrTempRegister);
+ move(address, addrTempRegister);
m_assembler.lwc1(dest, addrTempRegister, 0);
m_assembler.lwc1(FPRegisterID(dest + 1), addrTempRegister, 4);
#else
@@ -2284,7 +2284,7 @@
li addrTemp, address
ldc1 dest, 0(addrTemp)
*/
- move(TrustedImmPtr(address), addrTempRegister);
+ move(address, addrTempRegister);
m_assembler.ldc1(dest, addrTempRegister, 0);
#endif
}
@@ -2406,14 +2406,14 @@
#endif
}
- void storeDouble(FPRegisterID src, const void* address)
+ void storeDouble(FPRegisterID src, TrustedImmPtr address)
{
#if WTF_MIPS_ISA(1)
- move(TrustedImmPtr(address), addrTempRegister);
+ move(address, addrTempRegister);
m_assembler.swc1(src, addrTempRegister, 0);
m_assembler.swc1(FPRegisterID(src + 1), addrTempRegister, 4);
#else
- move(TrustedImmPtr(address), addrTempRegister);
+ move(address, addrTempRegister);
m_assembler.sdc1(src, addrTempRegister, 0);
#endif
}
Modified: trunk/Source/_javascript_Core/assembler/MacroAssemblerSH4.h (168641 => 168642)
--- trunk/Source/_javascript_Core/assembler/MacroAssemblerSH4.h 2014-05-12 20:31:29 UTC (rev 168641)
+++ trunk/Source/_javascript_Core/assembler/MacroAssemblerSH4.h 2014-05-12 20:42:24 UTC (rev 168642)
@@ -1155,10 +1155,10 @@
releaseScratch(scr);
}
- void loadDouble(const void* address, FPRegisterID dest)
+ void loadDouble(TrustedImmPtr address, FPRegisterID dest)
{
RegisterID scr = claimScratch();
- move(TrustedImmPtr(address), scr);
+ move(address, scr);
m_assembler.fmovsReadrminc(scr, (FPRegisterID)(dest + 1));
m_assembler.fmovsReadrm(scr, dest);
releaseScratch(scr);
@@ -1204,10 +1204,10 @@
}
}
- void storeDouble(FPRegisterID src, const void* address)
+ void storeDouble(FPRegisterID src, TrustedImmPtr address)
{
RegisterID scr = claimScratch();
- m_assembler.loadConstant(reinterpret_cast<uint32_t>(const_cast<void*>(address)) + 8, scr);
+ m_assembler.loadConstant(reinterpret_cast<uint32_t>(const_cast<void*>(address.m_value)) + 8, scr);
m_assembler.fmovsWriterndec(src, scr);
m_assembler.fmovsWriterndec((FPRegisterID)(src + 1), scr);
releaseScratch(scr);
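Review bot: The `const_cast<void*>` wrapped inside the reinterpret_cast is unnecessary now that the operand is `address.m_value`: converting a `const void*` to `uint32_t` with reinterpret_cast is a pointer-to-integer conversion that the const qualifier does not block, so the line can read `m_assembler.loadConstant(reinterpret_cast<uint32_t>(address.m_value) + 8, scr);`. The `+ 8` also deserves a one-line comment, since loadDouble in the previous hunk passes the address unadjusted; presumably the two write helpers below pre-decrement (their names suggest it), but that should be confirmed against the assembler before the comment is written. storeDouble's body continues past the end of the hunk.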
Modified: trunk/Source/_javascript_Core/assembler/MacroAssemblerX86.h (168641 => 168642)
--- trunk/Source/_javascript_Core/assembler/MacroAssemblerX86.h 2014-05-12 20:31:29 UTC (rev 168641)
+++ trunk/Source/_javascript_Core/assembler/MacroAssemblerX86.h 2014-05-12 20:42:24 UTC (rev 168642)
@@ -123,11 +123,11 @@
m_assembler.addsd_mr(address.m_ptr, dest);
}
- void storeDouble(FPRegisterID src, const void* address)
+ void storeDouble(FPRegisterID src, TrustedImmPtr address)
{
ASSERT(isSSE2Present());
- ASSERT(address);
- m_assembler.movsd_rm(src, address);
+ ASSERT(address.m_value);
+ m_assembler.movsd_rm(src, address.m_value);
}
void convertInt32ToDouble(AbsoluteAddress src, FPRegisterID dest)
Modified: trunk/Source/_javascript_Core/assembler/MacroAssemblerX86Common.h (168641 => 168642)
--- trunk/Source/_javascript_Core/assembler/MacroAssemblerX86Common.h 2014-05-12 20:31:29 UTC (rev 168641)
+++ trunk/Source/_javascript_Core/assembler/MacroAssemblerX86Common.h 2014-05-12 20:42:24 UTC (rev 168642)
@@ -448,7 +448,7 @@
{
ASSERT(src != dst);
static const double negativeZeroConstant = -0.0;
- loadDouble(&negativeZeroConstant, dst);
+ loadDouble(TrustedImmPtr(&negativeZeroConstant), dst);
m_assembler.andnpd_rr(src, dst);
}
@@ -456,7 +456,7 @@
{
ASSERT(src != dst);
static const double negativeZeroConstant = -0.0;
- loadDouble(&negativeZeroConstant, dst);
+ loadDouble(TrustedImmPtr(&negativeZeroConstant), dst);
m_assembler.xorpd_rr(src, dst);
}
@@ -684,13 +684,13 @@
m_assembler.movsd_rr(src, dest);
}
- void loadDouble(const void* address, FPRegisterID dest)
+ void loadDouble(TrustedImmPtr address, FPRegisterID dest)
{
#if CPU(X86)
ASSERT(isSSE2Present());
- m_assembler.movsd_mr(address, dest);
+ m_assembler.movsd_mr(address.m_value, dest);
#else
- move(TrustedImmPtr(address), scratchRegister);
+ move(address, scratchRegister);
loadDouble(scratchRegister, dest);
#endif
}
Modified: trunk/Source/_javascript_Core/dfg/DFGSpeculativeJIT.cpp (168641 => 168642)
--- trunk/Source/_javascript_Core/dfg/DFGSpeculativeJIT.cpp 2014-05-12 20:31:29 UTC (rev 168641)
+++ trunk/Source/_javascript_Core/dfg/DFGSpeculativeJIT.cpp 2014-05-12 20:42:24 UTC (rev 168642)
@@ -553,7 +553,7 @@
m_jit.move(TrustedImm32(JSValue::BooleanTag), plan.gpr());
break;
case SetDoubleConstant:
- m_jit.loadDouble(addressOfDoubleConstant(plan.node()), plan.fpr());
+ m_jit.loadDouble(TrustedImmPtr(addressOfDoubleConstant(plan.node())), plan.fpr());
break;
#endif
case Load32Tag:
@@ -2254,12 +2254,12 @@
static const double zero = 0;
static const double byteMax = 255;
static const double half = 0.5;
- jit.loadDouble(&zero, scratch);
+ jit.loadDouble(MacroAssembler::TrustedImmPtr(&zero), scratch);
MacroAssembler::Jump tooSmall = jit.branchDouble(MacroAssembler::DoubleLessThanOrEqualOrUnordered, source, scratch);
- jit.loadDouble(&byteMax, scratch);
+ jit.loadDouble(MacroAssembler::TrustedImmPtr(&byteMax), scratch);
MacroAssembler::Jump tooBig = jit.branchDouble(MacroAssembler::DoubleGreaterThan, source, scratch);
- jit.loadDouble(&half, scratch);
+ jit.loadDouble(MacroAssembler::TrustedImmPtr(&half), scratch);
// FIXME: This should probably just use a floating point round!
// https://bugs.webkit.org/show_bug.cgi?id=72054
jit.addDouble(source, scratch);
Modified: trunk/Source/_javascript_Core/dfg/DFGSpeculativeJIT32_64.cpp (168641 => 168642)
--- trunk/Source/_javascript_Core/dfg/DFGSpeculativeJIT32_64.cpp 2014-05-12 20:31:29 UTC (rev 168641)
+++ trunk/Source/_javascript_Core/dfg/DFGSpeculativeJIT32_64.cpp 2014-05-12 20:42:24 UTC (rev 168642)
@@ -836,7 +836,7 @@
if (edge->hasConstant()) {
RELEASE_ASSERT(isNumberConstant(edge.node()));
FPRReg fpr = fprAllocate();
- m_jit.loadDouble(addressOfDoubleConstant(edge.node()), fpr);
+ m_jit.loadDouble(TrustedImmPtr(addressOfDoubleConstant(edge.node())), fpr);
m_fprs.retain(fpr, virtualRegister, SpillOrderConstant);
info.fillDouble(*m_stream, fpr);
return fpr;
@@ -3126,7 +3126,7 @@
JSValueRegs(), use, SpecFullRealNumber,
m_jit.branchDouble(MacroAssembler::DoubleNotEqualOrUnordered, opFPR, opFPR));
- m_jit.storeDouble(opFPR, reinterpret_cast<char*>(buffer + operandIdx));
+ m_jit.storeDouble(opFPR, TrustedImmPtr(reinterpret_cast<char*>(buffer + operandIdx)));
break;
}
case ALL_INT32_INDEXING_TYPES: {
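Review bot: The `reinterpret_cast<char*>` is now redundant: TrustedImmPtr wraps a `const void*`, to which `buffer + operandIdx` converts implicitly for any object pointer type, so `m_jit.storeDouble(opFPR, TrustedImmPtr(buffer + operandIdx));` says the same with one fewer cast (assuming buffer is a typed pointer, which the hunk does not show). If the cast was originally added to steer overload resolution rather than for the conversion, a short comment saying so would stop the next reader from removing it. The enclosing switch and function start outside the hunk.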
Modified: trunk/Source/_javascript_Core/jit/AssemblyHelpers.cpp (168641 => 168642)
--- trunk/Source/_javascript_Core/jit/AssemblyHelpers.cpp 2014-05-12 20:31:29 UTC (rev 168641)
+++ trunk/Source/_javascript_Core/jit/AssemblyHelpers.cpp 2014-05-12 20:42:24 UTC (rev 168642)
@@ -58,7 +58,7 @@
{
MacroAssembler::Jump notNaN = branchDouble(DoubleEqual, fpr, fpr);
static const double NaN = PNaN;
- loadDouble(&NaN, fpr);
+ loadDouble(TrustedImmPtr(&NaN), fpr);
notNaN.link(this);
}
Modified: trunk/Source/_javascript_Core/jit/JITInlines.h (168641 => 168642)
--- trunk/Source/_javascript_Core/jit/JITInlines.h 2014-05-12 20:31:29 UTC (rev 168641)
+++ trunk/Source/_javascript_Core/jit/JITInlines.h 2014-05-12 20:42:24 UTC (rev 168642)
@@ -816,7 +816,7 @@
{
if (m_codeBlock->isConstantRegisterIndex(index)) {
WriteBarrier<Unknown>& inConstantPool = m_codeBlock->constantRegister(index);
- loadDouble(&inConstantPool, value);
+ loadDouble(TrustedImmPtr(&inConstantPool), value);
} else
loadDouble(addressFor(index), value);
}
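Review bot: `loadDouble(TrustedImmPtr(&inConstantPool), value)` reads a `WriteBarrier<Unknown>` slot as eight bytes of double, which only works if the constant register stores the number's raw double bits in that slot's layout; nothing in the hunk records that assumption, and the identical lines appear again in the second JITInlines.h hunk. A comment on the new line such as `// The constant-pool slot holds the number's raw double bits, so it is loaded directly as a double (layout assumption on WriteBarrier<Unknown>).` would document it, and an assertion that the constant is a number, if CodeBlock offers such a predicate, would pin it. The enclosing emitLoadDouble begins above the hunk.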
@@ -1016,7 +1016,7 @@
{
if (m_codeBlock->isConstantRegisterIndex(index)) {
WriteBarrier<Unknown>& inConstantPool = m_codeBlock->constantRegister(index);
- loadDouble(&inConstantPool, value);
+ loadDouble(TrustedImmPtr(&inConstantPool), value);
} else
loadDouble(addressFor(index), value);
}
Modified: trunk/Source/_javascript_Core/jit/JITPropertyAccess.cpp (168641 => 168642)
--- trunk/Source/_javascript_Core/jit/JITPropertyAccess.cpp 2014-05-12 20:31:29 UTC (rev 168641)
+++ trunk/Source/_javascript_Core/jit/JITPropertyAccess.cpp 2014-05-12 20:42:24 UTC (rev 168642)
@@ -1240,7 +1240,7 @@
Jump notNaN = branchDouble(DoubleEqual, fpRegT0, fpRegT0);
static const double NaN = PNaN;
- loadDouble(&NaN, fpRegT0);
+ loadDouble(TrustedImmPtr(&NaN), fpRegT0);
notNaN.link(this);
#if USE(JSVALUE64)
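Review bot: The DoubleEqual self-compare, the local `static const double NaN = PNaN;`, the new loadDouble and the link together duplicate the body of AssemblyHelpers::purifyNaN touched in this same commit; if purifyNaN is reachable from JIT, `purifyNaN(fpRegT0);` would replace these lines and keep NaN canonicalisation in one place. The duplication predates the commit, but changing both copies in step is the point at which to fold them. The enclosing function starts and ends outside the hunk.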
Modified: trunk/Source/_javascript_Core/jit/ThunkGenerators.cpp (168641 => 168642)
--- trunk/Source/_javascript_Core/jit/ThunkGenerators.cpp 2014-05-12 20:31:29 UTC (rev 168641)
+++ trunk/Source/_javascript_Core/jit/ThunkGenerators.cpp 2014-05-12 20:42:24 UTC (rev 168642)
@@ -740,7 +740,7 @@
SpecializedThunkJIT::Jump intResult;
SpecializedThunkJIT::JumpList doubleResult;
if (jit.supportsFloatingPointTruncate()) {
- jit.loadDouble(&zeroConstant, SpecializedThunkJIT::fpRegT1);
+ jit.loadDouble(MacroAssembler::TrustedImmPtr(&zeroConstant), SpecializedThunkJIT::fpRegT1);
doubleResult.append(jit.branchDouble(MacroAssembler::DoubleEqual, SpecializedThunkJIT::fpRegT0, SpecializedThunkJIT::fpRegT1));
SpecializedThunkJIT::JumpList slowPath;
// Handle the negative doubles in the slow path for now.
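Review bot: `jit.loadDouble(MacroAssembler::TrustedImmPtr(&zeroConstant), ...)` is now the sixth copy of the same wrapping in this file once the round, pow and sqrt hunks below are counted; a file-local helper would keep the call sites readable, e.g. `static void loadDoubleConstant(SpecializedThunkJIT& jit, const double& constant, MacroAssembler::FPRegisterID dest) { jit.loadDouble(MacroAssembler::TrustedImmPtr(&constant), dest); }` (the type of `jit` is inferred from the `SpecializedThunkJIT::fpRegT1` arguments and should be checked). The constants themselves are defined outside the hunks, and each enclosing generator starts above its hunk.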
@@ -796,12 +796,12 @@
SpecializedThunkJIT::Jump intResult;
SpecializedThunkJIT::JumpList doubleResult;
if (jit.supportsFloatingPointTruncate()) {
- jit.loadDouble(&zeroConstant, SpecializedThunkJIT::fpRegT1);
+ jit.loadDouble(MacroAssembler::TrustedImmPtr(&zeroConstant), SpecializedThunkJIT::fpRegT1);
doubleResult.append(jit.branchDouble(MacroAssembler::DoubleEqual, SpecializedThunkJIT::fpRegT0, SpecializedThunkJIT::fpRegT1));
SpecializedThunkJIT::JumpList slowPath;
// Handle the negative doubles in the slow path for now.
slowPath.append(jit.branchDouble(MacroAssembler::DoubleLessThanOrUnordered, SpecializedThunkJIT::fpRegT0, SpecializedThunkJIT::fpRegT1));
- jit.loadDouble(&halfConstant, SpecializedThunkJIT::fpRegT1);
+ jit.loadDouble(MacroAssembler::TrustedImmPtr(&halfConstant), SpecializedThunkJIT::fpRegT1);
jit.addDouble(SpecializedThunkJIT::fpRegT0, SpecializedThunkJIT::fpRegT1);
slowPath.append(jit.branchTruncateDoubleToInt32(SpecializedThunkJIT::fpRegT1, SpecializedThunkJIT::regT0));
intResult = jit.jump();
@@ -869,7 +869,7 @@
if (!jit.supportsFloatingPoint())
return MacroAssemblerCodeRef::createSelfManagedCodeRef(vm->jitStubs->ctiNativeCall(vm));
- jit.loadDouble(&oneConstant, SpecializedThunkJIT::fpRegT1);
+ jit.loadDouble(MacroAssembler::TrustedImmPtr(&oneConstant), SpecializedThunkJIT::fpRegT1);
jit.loadDoubleArgument(0, SpecializedThunkJIT::fpRegT0, SpecializedThunkJIT::regT0);
MacroAssembler::Jump nonIntExponent;
jit.loadInt32Argument(1, SpecializedThunkJIT::regT0, nonIntExponent);
@@ -897,7 +897,7 @@
if (jit.supportsFloatingPointSqrt()) {
nonIntExponent.link(&jit);
- jit.loadDouble(&negativeHalfConstant, SpecializedThunkJIT::fpRegT3);
+ jit.loadDouble(MacroAssembler::TrustedImmPtr(&negativeHalfConstant), SpecializedThunkJIT::fpRegT3);
jit.loadDoubleArgument(1, SpecializedThunkJIT::fpRegT2, SpecializedThunkJIT::regT0);
jit.appendFailure(jit.branchDouble(MacroAssembler::DoubleLessThanOrEqual, SpecializedThunkJIT::fpRegT0, SpecializedThunkJIT::fpRegT1));
jit.appendFailure(jit.branchDouble(MacroAssembler::DoubleNotEqualOrUnordered, SpecializedThunkJIT::fpRegT2, SpecializedThunkJIT::fpRegT3));