Title: [195683] trunk/Source/_javascript_Core
Revision: 195683
Author: fpi...@apple.com
Date: 2016-01-27 12:10:55 -0800 (Wed, 27 Jan 2016)

Log Message

Air::TmpWidth uses a stale pointer into its HashMap after it calls add()
https://bugs.webkit.org/show_bug.cgi?id=153546

Reviewed by Saam Barati.

* b3/air/AirTmpWidth.cpp:
(JSC::B3::Air::TmpWidth::recompute):
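The bug the log message describes is a general one: in an open-addressing hash table the entries live inline in one array, so an insertion that grows the table moves every entry and leaves any previously obtained reference dangling. The following is an added illustration, not WebKit code; `FlatMap` is a constructed stand-in for WTF::HashMap (same non-overwriting `add()` semantics, toy hash, grows when half full), and `stalePointerPattern()` / `seedThenFindPattern()` are hypothetical names that reproduce the before and after of this commit on a deliberately tiny table.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <utility>
#include <vector>

// Constructed stand-in for WTF::HashMap: an open-addressing table that keeps
// its entries inline in one array. Growing the table moves every entry, so any
// pointer or reference obtained before the growth is left dangling.
struct FlatMap {
    struct Slot { bool used = false; int key = 0; int value = 0; };
    std::vector<Slot> slots;
    std::size_t count = 0;

    explicit FlatMap(std::size_t capacity) : slots(capacity) {}

    // Toy hash: good enough to place small non-negative keys.
    std::size_t indexFor(int key) const { return static_cast<std::size_t>(key) % slots.size(); }

    // Pointer to the value stored for key, or nullptr if the key is absent.
    int* find(int key) {
        for (std::size_t probe = 0; probe < slots.size(); ++probe) {
            Slot& slot = slots[(indexFor(key) + probe) % slots.size()];
            if (!slot.used) return nullptr;
            if (slot.key == key) return &slot.value;
        }
        return nullptr;
    }

    // Like HashMap::add(): insert defaultValue if the key is absent, otherwise
    // leave the existing entry alone; return a pointer to the stored value.
    // Grows (and therefore moves every entry) once the table is half full.
    int* add(int key, int defaultValue) {
        if (int* existing = find(key)) return existing;
        if ((count + 1) * 2 > slots.size()) grow();
        std::size_t i = indexFor(key);
        while (slots[i].used) i = (i + 1) % slots.size();
        slots[i] = Slot{true, key, defaultValue};
        ++count;
        return &slots[i].value;
    }

    void grow() {
        std::vector<Slot> old = std::move(slots);
        slots.assign(old.size() * 2, Slot{});
        count = 0;
        for (const Slot& slot : old)
            if (slot.used) add(slot.key, slot.value);
    }
};

// The pattern the commit removes: hold the pointer from the first add() across
// a second add(). With a two-slot table the second add() grows the table, so
// the first pointer no longer refers to the live entry. Returns true only if
// the pointer survived. Addresses are compared as integers captured while the
// pointer was still valid; the stale pointer is never dereferenced.
bool stalePointerPattern() {
    FlatMap width(2);
    int* srcWidths = width.add(1, 0);
    std::uintptr_t before = reinterpret_cast<std::uintptr_t>(srcWidths);
    width.add(2, 0);                       // rehashes: srcWidths is now stale
    std::uintptr_t after = reinterpret_cast<std::uintptr_t>(width.find(1));
    return before == after;
}

// The pattern the commit adopts: add every key first, holding nothing, then
// look the entries up. No insertion happens while a pointer is live.
bool seedThenFindPattern() {
    FlatMap width(2);
    width.add(1, 0);
    width.add(2, 0);
    int* srcWidths = width.find(1);
    int* dstWidths = width.find(2);
    *srcWidths += 1;                       // safe: no further add() follows
    *dstWidths += 1;
    return width.find(1) == srcWidths && width.find(2) == dstWidths
        && *width.find(1) == 1 && *width.find(2) == 1;
}

int main() {
    std::printf("stale pointer survives: %s\n", stalePointerPattern() ? "yes" : "no");
    std::printf("seed-then-find stable:  %s\n", seedThenFindPattern() ? "yes" : "no");
    return 0;
}
```

The two-slot capacity is chosen so that the second `add()` is guaranteed to trigger growth; in the real compiler the same thing happens only when the map happens to cross its load factor, which is why a bug of this kind surfaces intermittently and is worth catching with a pre-seeding pass rather than by testing for the rehash.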

Modified Paths

trunk/Source/_javascript_Core/ChangeLog
trunk/Source/_javascript_Core/b3/air/AirTmpWidth.cpp
Diff

Modified: trunk/Source/_javascript_Core/ChangeLog (195682 => 195683)


--- trunk/Source/_javascript_Core/ChangeLog	2016-01-27 20:09:50 UTC (rev 195682)
+++ trunk/Source/_javascript_Core/ChangeLog	2016-01-27 20:10:55 UTC (rev 195683)
@@ -1,3 +1,13 @@
+2016-01-27  Filip Pizlo  <fpi...@apple.com>
+
+        Air::TmpWidth uses a stale pointer into its HashMap after it calls add()
+        https://bugs.webkit.org/show_bug.cgi?id=153546
+
+        Reviewed by Saam Barati.
+
+        * b3/air/AirTmpWidth.cpp:
+        (JSC::B3::Air::TmpWidth::recompute):
+
 2016-01-27  Alexey Proskuryakov  <a...@apple.com>
 
         Remove ENABLE_CURRENTSRC

Modified: trunk/Source/_javascript_Core/b3/air/AirTmpWidth.cpp (195682 => 195683)


--- trunk/Source/_javascript_Core/b3/air/AirTmpWidth.cpp	2016-01-27 20:09:50 UTC (rev 195682)
+++ trunk/Source/_javascript_Core/b3/air/AirTmpWidth.cpp	2016-01-27 20:10:55 UTC (rev 195683)
@@ -90,6 +90,11 @@
         for (Inst& inst : *block) {
             if (inst.opcode == Move && inst.args[1].isTmp()) {
                 if (inst.args[0].isTmp()) {
+                    // Make sure that both sides of the Move have a width already initialized. The
+                    // fixpoint below assumes that it never has to add things to the HashMap.
+                    m_width.add(inst.args[0].tmp(), Widths(Arg::GP));
+                    m_width.add(inst.args[1].tmp(), Widths(Arg::GP));
+                    
                     moves.append(&inst);
                     continue;
                 }
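Review bot: the blank line added after the two `m_width.add(...)` calls carries trailing whitespace (`+                    `); trim it to an empty line. The comment could also say explicitly that `add()` leaves an already-present entry untouched, so seeding with `Widths(Arg::GP)` here cannot clobber a width recorded earlier in this pass; as written, "have a width already initialized" can be read as "reset to GP", which is not what the call does.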
@@ -133,10 +138,14 @@
             ASSERT(move->opcode == Move);
             ASSERT(move->args[0].isTmp());
             ASSERT(move->args[1].isTmp());
-            
-            Widths& srcWidths = m_width.add(move->args[0].tmp(), Widths(Arg::GP)).iterator->value;
-            Widths& dstWidths = m_width.add(move->args[1].tmp(), Widths(Arg::GP)).iterator->value;
 
+            // We already ensure that both tmps are added to the width map. That's important
+            // because you cannot add both tmps here while simultaneously getting a reference to
+            // their values, since the second add would invalidate the reference returned by the
+            // first one.
+            Widths& srcWidths = m_width.find(move->args[0].tmp())->value;
+            Widths& dstWidths = m_width.find(move->args[1].tmp())->value;
+
             // Legend:
             //
             //     Move %src, %dst
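Review bot: the two `m_width.find(...)->value` lookups dereference the iterator without checking it against `end()`. The invariant that both tmps were seeded is established in the earlier loop, but an `ASSERT(m_width.contains(move->args[0].tmp()))` (and the same for `args[1]`) next to the existing `ASSERT`s would document that dependency and catch a regression if the seeding code is ever moved or filtered differently. The fix itself is sound: the removed code held `srcWidths` across the second `add()`, and an `add()` that rehashes invalidates every reference into the table, so the old `srcWidths` could point at freed storage.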
_______________________________________________
webkit-changes mailing list
webkit-changes@lists.webkit.org
https://lists.webkit.org/mailman/listinfo/webkit-changes