<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN"
"http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head><meta http-equiv="content-type" content="text/html; charset=utf-8" />
<title>[212706] releases/WebKitGTK/webkit-2.16/Source/JavaScriptCore</title>
</head>
<body>

<style type="text/css"><!--
#msg dl.meta { border: 1px #006 solid; background: #369; padding: 6px; color: #fff; }
#msg dl.meta dt { float: left; width: 6em; font-weight: bold; }
#msg dt:after { content:':';}
#msg dl, #msg dt, #msg ul, #msg li, #header, #footer, #logmsg { font-family: verdana,arial,helvetica,sans-serif; font-size: 10pt;  }
#msg dl a { font-weight: bold}
#msg dl a:link    { color:#fc3; }
#msg dl a:active  { color:#ff0; }
#msg dl a:visited { color:#cc6; }
h3 { font-family: verdana,arial,helvetica,sans-serif; font-size: 10pt; font-weight: bold; }
#msg pre { overflow: auto; background: #ffc; border: 1px #fa0 solid; padding: 6px; }
#logmsg { background: #ffc; border: 1px #fa0 solid; padding: 1em 1em 0 1em; }
#logmsg p, #logmsg pre, #logmsg blockquote { margin: 0 0 1em 0; }
#logmsg p, #logmsg li, #logmsg dt, #logmsg dd { line-height: 14pt; }
#logmsg h1, #logmsg h2, #logmsg h3, #logmsg h4, #logmsg h5, #logmsg h6 { margin: .5em 0; }
#logmsg h1:first-child, #logmsg h2:first-child, #logmsg h3:first-child, #logmsg h4:first-child, #logmsg h5:first-child, #logmsg h6:first-child { margin-top: 0; }
#logmsg ul, #logmsg ol { padding: 0; list-style-position: inside; margin: 0 0 0 1em; }
#logmsg ul { text-indent: -1em; padding-left: 1em; }#logmsg ol { text-indent: -1.5em; padding-left: 1.5em; }
#logmsg > ul, #logmsg > ol { margin: 0 0 1em 0; }
#logmsg pre { background: #eee; padding: 1em; }
#logmsg blockquote { border: 1px solid #fa0; border-left-width: 10px; padding: 1em 1em 0 1em; background: white;}
#logmsg dl { margin: 0; }
#logmsg dt { font-weight: bold; }
#logmsg dd { margin: 0; padding: 0 0 0.5em 0; }
#logmsg dd:before { content:'\00bb';}
#logmsg table { border-spacing: 0px; border-collapse: collapse; border-top: 4px solid #fa0; border-bottom: 1px solid #fa0; background: #fff; }
#logmsg table th { text-align: left; font-weight: normal; padding: 0.2em 0.5em; border-top: 1px dotted #fa0; }
#logmsg table td { text-align: right; border-top: 1px dotted #fa0; padding: 0.2em 0.5em; }
#logmsg table thead th { text-align: center; border-bottom: 1px solid #fa0; }
#logmsg table th.Corner { text-align: left; }
#logmsg hr { border: none 0; border-top: 2px dashed #fa0; height: 1px; }
#header, #footer { color: #fff; background: #636; border: 1px #300 solid; padding: 6px; }
#patch { width: 100%; }
#patch h4 {font-family: verdana,arial,helvetica,sans-serif;font-size:10pt;padding:8px;background:#369;color:#fff;margin:0;}
#patch .propset h4, #patch .binary h4 {margin:0;}
#patch pre {padding:0;line-height:1.2em;margin:0;}
#patch .diff {width:100%;background:#eee;padding: 0 0 10px 0;overflow:auto;}
#patch .propset .diff, #patch .binary .diff  {padding:10px 0;}
#patch span {display:block;padding:0 10px;}
#patch .modfile, #patch .addfile, #patch .delfile, #patch .propset, #patch .binary, #patch .copfile {border:1px solid #ccc;margin:10px 0;}
#patch ins {background:#dfd;text-decoration:none;display:block;padding:0 10px;}
#patch del {background:#fdd;text-decoration:none;display:block;padding:0 10px;}
#patch .lines, .info {color:#888;background:#fff;}
--></style>
<div id="msg">
<dl class="meta">
<dt>Revision</dt> <dd><a href="http://trac.webkit.org/projects/webkit/changeset/212706">212706</a></dd>
<dt>Author</dt> <dd>carlosgc@webkit.org</dd>
<dt>Date</dt> <dd>2017-02-21 00:38:40 -0800 (Tue, 21 Feb 2017)</dd>
</dl>

<h3>Log Message</h3>
<pre>Merge <a href="http://trac.webkit.org/projects/webkit/changeset/212640">r212640</a> - BytecodeGenerator should not iterate its m_controlFlowScopeStack using a pointer bump.
https://bugs.webkit.org/show_bug.cgi?id=168585

Reviewed by Yusuke Suzuki.

This is because m_controlFlowScopeStack is a SegmentedVector, and entries for
consecutive indices in the vector are not guaranteed to be consecutive in memory
layout. Instead, we should be using indexing.

This issue was detected by the marathon.js test from
https://bugs.webkit.org/show_bug.cgi?id=168580.

* bytecompiler/BytecodeGenerator.cpp:
(JSC::BytecodeGenerator::emitJumpViaFinallyIfNeeded):
(JSC::BytecodeGenerator::emitReturnViaFinallyIfNeeded):</pre>
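<p>The point of the log message, that consecutive indices of a SegmentedVector are not consecutive in memory, is easiest to see with a small model. The following is an added example written for this page, not WebKit code: a toy <code>SegmentedVector</code> with four-element heap segments modelled on the idea behind WTF's class, a hypothetical <code>Scope</code> record standing in for <code>ControlFlowScope</code>, an index-based walk in the shape of the patched loops, and a function that computes, as an integer, the address the removed <code>&amp;last() - k</code> pointer bump would have produced so it can be compared with the address indexing yields without ever forming an out-of-bounds pointer. The segment size, the scope ids and the pattern of which scopes carry a finally are all constructed for the example.</p>

```cpp
// Added example for this page, not WebKit code. A toy segmented vector modelled
// on the idea behind WTF::SegmentedVector (fixed-size heap segments, no
// contiguity across segments) and a hypothetical Scope standing in for JSC's
// ControlFlowScope. Segment size, ids and the finally pattern are constructed.
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <memory>
#include <vector>

struct Scope {
    bool isFinally = false; // stands in for ControlFlowScope::isFinallyScope()
    int id = 0;             // stands in for the FinallyContext we would collect
};

template <typename T, size_t SegmentSize>
class SegmentedVector {
public:
    void append(const T& value)
    {
        if (m_size % SegmentSize == 0) // current segment full: start a new allocation
            m_segments.push_back(std::make_unique<Segment>());
        (*this)[m_size] = value;
        ++m_size;
    }
    T& operator[](size_t index) { return m_segments[index / SegmentSize]->slots[index % SegmentSize]; }
    T& last() { return (*this)[m_size - 1]; }
    size_t size() const { return m_size; }

private:
    // Every segment is its own heap allocation. The header makes it impossible
    // for two live segments to line up as one contiguous array of T.
    struct Segment {
        uint64_t header = 0xA5A5A5A5A5A5A5A5ull;
        T slots[SegmentSize];
    };
    std::vector<std::unique_ptr<Segment>> m_segments;
    size_t m_size = 0;
};

using ScopeStack = SegmentedVector<Scope, 4>;

// Constructed input: n nested scopes, innermost last; ids with id % 3 == 2 carry a finally.
ScopeStack buildStack(size_t n)
{
    ScopeStack stack;
    for (size_t i = 0; i < n; ++i)
        stack.append(Scope { i % 3 == 2, static_cast<int>(i) });
    return stack;
}

// The fixed approach: visit the innermost `depth` scopes by index, in the shape
// of the patched loop, collecting finally ids innermost first.
std::vector<int> finallyIdsInnermostFirst(ScopeStack& stack, size_t depth)
{
    std::vector<int> found;
    if (depth > stack.size()) // the real code ASSERTs this precondition; here we clamp
        depth = stack.size();
    size_t scopeIndex = stack.size();
    while (depth--) {
        Scope& scope = stack[--scopeIndex];
        if (scope.isFinally)
            found.push_back(scope.id);
    }
    return found;
}

// The removed approach, made safe to inspect: instead of forming and dereferencing
// `&stack.last() - k` (out of bounds once k crosses a segment), compute the address
// that bump would produce as an integer and compare it with the address indexing
// yields. Returns the first k at which they diverge, or `depth` if they never do.
size_t firstPointerBumpDivergence(ScopeStack& stack, size_t depth)
{
    if (depth > stack.size())
        depth = stack.size();
    if (!depth) // nothing to compare (also covers an empty stack)
        return 0;
    uintptr_t top = reinterpret_cast<uintptr_t>(&stack.last());
    for (size_t k = 0; k < depth; ++k) {
        uintptr_t bumped = top - k * sizeof(Scope);
        uintptr_t indexed = reinterpret_cast<uintptr_t>(&stack[stack.size() - 1 - k]);
        if (bumped != indexed)
            return k;
    }
    return depth;
}

// Wrappers that build a stack of n scopes and run each walk over it.
size_t divergenceForStack(size_t n) { ScopeStack s = buildStack(n); return firstPointerBumpDivergence(s, n); }
std::vector<int> finallyIdsForStack(size_t n, size_t depth) { ScopeStack s = buildStack(n); return finallyIdsInnermostFirst(s, depth); }

int main()
{
    std::printf("10 scopes: pointer bump diverges from indexing %zu below the top\n", divergenceForStack(10));
    std::printf("3 scopes:  pointer bump diverges from indexing %zu below the top\n", divergenceForStack(3));
    for (int id : finallyIdsForStack(10, 10))
        std::printf("finally scope %d\n", id);
    return 0;
}
```

<p>For a ten-scope stack the two addresses agree for the two scopes that share the top segment and diverge at the third, which is exactly where the old loop would have started reading memory belonging to the segment header, to a different allocation, or to nothing at all. With three scopes, all in one segment, they never diverge, which is why the bug stayed latent until the deep nesting of a stress test exercised a stack that spanned segments.</p>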

<h3>Modified Paths</h3>
<ul>
<li><a href="#releasesWebKitGTKwebkit216SourceJavaScriptCoreChangeLog">releases/WebKitGTK/webkit-2.16/Source/JavaScriptCore/ChangeLog</a></li>
<li><a href="#releasesWebKitGTKwebkit216SourceJavaScriptCorebytecompilerBytecodeGeneratorcpp">releases/WebKitGTK/webkit-2.16/Source/JavaScriptCore/bytecompiler/BytecodeGenerator.cpp</a></li>
</ul>

</div>
<div id="patch">
<h3>Diff</h3>
<a id="releasesWebKitGTKwebkit216SourceJavaScriptCoreChangeLog"></a>
<div class="modfile"><h4>Modified: releases/WebKitGTK/webkit-2.16/Source/JavaScriptCore/ChangeLog (212705 => 212706)</h4>
<pre class="diff"><span>
<span class="info">--- releases/WebKitGTK/webkit-2.16/Source/JavaScriptCore/ChangeLog        2017-02-21 08:38:29 UTC (rev 212705)
+++ releases/WebKitGTK/webkit-2.16/Source/JavaScriptCore/ChangeLog        2017-02-21 08:38:40 UTC (rev 212706)
</span><span class="lines">@@ -1,3 +1,21 @@
</span><ins>+2017-02-19  Mark Lam  &lt;mark.lam@apple.com&gt;
+
+        BytecodeGenerator should not iterate its m_controlFlowScopeStack using a pointer bump.
+        https://bugs.webkit.org/show_bug.cgi?id=168585
+
+        Reviewed by Yusuke Suzuki.
+
+        This is because m_controlFlowScopeStack is a SegmentedVector, and entries for
+        consecutive indices in the vector are not guaranteed to be consecutive in memory
+        layout.  Instead, we should be using indexing instead.
+
+        This issue was detected by the marathon.js test from
+        https://bugs.webkit.org/show_bug.cgi?id=168580.
+
+        * bytecompiler/BytecodeGenerator.cpp:
+        (JSC::BytecodeGenerator::emitJumpViaFinallyIfNeeded):
+        (JSC::BytecodeGenerator::emitReturnViaFinallyIfNeeded):
+
</ins><span class="cx"> 2017-02-20  Manuel Rego Casasnovas  &lt;rego@igalia.com&gt;
</span><span class="cx"> 
</span><span class="cx">         [css-grid] Remove compilation flag ENABLE_CSS_GRID_LAYOUT
</span></span></pre></div>
<a id="releasesWebKitGTKwebkit216SourceJavaScriptCorebytecompilerBytecodeGeneratorcpp"></a>
<div class="modfile"><h4>Modified: releases/WebKitGTK/webkit-2.16/Source/JavaScriptCore/bytecompiler/BytecodeGenerator.cpp (212705 => 212706)</h4>
<pre class="diff"><span>
<span class="info">--- releases/WebKitGTK/webkit-2.16/Source/JavaScriptCore/bytecompiler/BytecodeGenerator.cpp        2017-02-21 08:38:29 UTC (rev 212705)
+++ releases/WebKitGTK/webkit-2.16/Source/JavaScriptCore/bytecompiler/BytecodeGenerator.cpp        2017-02-21 08:38:40 UTC (rev 212706)
</span><span class="lines">@@ -1,5 +1,5 @@
</span><span class="cx"> /*
</span><del>- * Copyright (C) 2008-2009, 2012-2016 Apple Inc. All rights reserved.
</del><ins>+ * Copyright (C) 2008-2017 Apple Inc. All rights reserved.
</ins><span class="cx">  * Copyright (C) 2008 Cameron Zwarich &lt;cwzwarich@uwaterloo.ca&gt;
</span><span class="cx">  * Copyright (C) 2012 Igalia, S.L.
</span><span class="cx">  *
</span><span class="lines">@@ -4822,25 +4822,23 @@
</span><span class="cx"> bool BytecodeGenerator::emitJumpViaFinallyIfNeeded(int targetLabelScopeDepth, Label&amp; jumpTarget)
</span><span class="cx"> {
</span><span class="cx">     ASSERT(labelScopeDepth() - targetLabelScopeDepth &gt;= 0);
</span><del>-    size_t scopeDelta = labelScopeDepth() - targetLabelScopeDepth;
-    ASSERT(scopeDelta &lt;= m_controlFlowScopeStack.size());
-    if (!scopeDelta)
-        return false; // No finallys to thread through.
</del><ins>+    size_t numberOfScopesToCheckForFinally = labelScopeDepth() - targetLabelScopeDepth;
+    ASSERT(numberOfScopesToCheckForFinally &lt;= m_controlFlowScopeStack.size());
+    if (!numberOfScopesToCheckForFinally)
+        return false;
</ins><span class="cx"> 
</span><del>-    ControlFlowScope* topScope = &amp;m_controlFlowScopeStack.last();
-    ControlFlowScope* bottomScope = &amp;m_controlFlowScopeStack.last() - scopeDelta;
-
</del><span class="cx">     FinallyContext* innermostFinallyContext = nullptr;
</span><span class="cx">     FinallyContext* outermostFinallyContext = nullptr;
</span><del>-    while (topScope &gt; bottomScope) {
-        if (topScope-&gt;isFinallyScope()) {
-            FinallyContext* finallyContext = &amp;topScope-&gt;finallyContext;
</del><ins>+    size_t scopeIndex = m_controlFlowScopeStack.size() - 1;
+    while (numberOfScopesToCheckForFinally--) {
+        ControlFlowScope* scope = &amp;m_controlFlowScopeStack[scopeIndex--];
+        if (scope-&gt;isFinallyScope()) {
+            FinallyContext* finallyContext = &amp;scope-&gt;finallyContext;
</ins><span class="cx">             if (!innermostFinallyContext)
</span><span class="cx">                 innermostFinallyContext = finallyContext;
</span><span class="cx">             outermostFinallyContext = finallyContext;
</span><span class="cx">             finallyContext-&gt;incNumberOfBreaksOrContinues();
</span><span class="cx">         }
</span><del>-        --topScope;
</del><span class="cx">     }
</span><span class="cx">     if (!outermostFinallyContext)
</span><span class="cx">         return false; // No finallys to thread through.
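Review bot: the walk in this hunk decrements `scopeIndex` past zero on its final iteration whenever the checked range reaches the bottom of the stack (`m_controlFlowScopeStack[scopeIndex--]` leaves it at SIZE_MAX); nothing dereferences it afterwards, so this is only a readability trap, but emitReturnViaFinallyIfNeeded below solves the identical problem with `size_t scopeIndex = --numberOfScopesToCheckForFinally;` and a plain subscript, and the two loops would be easier to audit if they shared that shape. Separately, the only thing keeping `scopeIndex` in range here is `ASSERT(numberOfScopesToCheckForFinally &lt;= m_controlFlowScopeStack.size())`, which compiles out of release builds; if labelScopeDepth() bookkeeping can ever drift, a RELEASE_ASSERT there turns a silent out-of-bounds read into a crash.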
</span><span class="lines">@@ -4856,21 +4854,20 @@
</span><span class="cx"> 
</span><span class="cx"> bool BytecodeGenerator::emitReturnViaFinallyIfNeeded(RegisterID* returnRegister)
</span><span class="cx"> {
</span><del>-    if (!m_controlFlowScopeStack.size())
-        return false; // No finallys to thread through.
</del><ins>+    size_t numberOfScopesToCheckForFinally = m_controlFlowScopeStack.size();
+    if (!numberOfScopesToCheckForFinally)
+        return false;
</ins><span class="cx"> 
</span><del>-    ControlFlowScope* topScope = &amp;m_controlFlowScopeStack.last();
-    ControlFlowScope* bottomScope = &amp;m_controlFlowScopeStack.first();
-
</del><span class="cx">     FinallyContext* innermostFinallyContext = nullptr;
</span><del>-    while (topScope &gt;= bottomScope) {
-        if (topScope-&gt;isFinallyScope()) {
-            FinallyContext* finallyContext = &amp;topScope-&gt;finallyContext;
</del><ins>+    while (numberOfScopesToCheckForFinally) {
+        size_t scopeIndex = --numberOfScopesToCheckForFinally;
+        ControlFlowScope* scope = &amp;m_controlFlowScopeStack[scopeIndex];
+        if (scope-&gt;isFinallyScope()) {
+            FinallyContext* finallyContext = &amp;scope-&gt;finallyContext;
</ins><span class="cx">             if (!innermostFinallyContext)
</span><span class="cx">                 innermostFinallyContext = finallyContext;
</span><span class="cx">             finallyContext-&gt;setHandlesReturns();
</span><span class="cx">         }
</span><del>-        --topScope;
</del><span class="cx">     }
</span><span class="cx">     if (!innermostFinallyContext)
</span><span class="cx">         return false; // No finallys to thread through.
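Review bot: the early `if (!numberOfScopesToCheckForFinally) return false;` is now redundant with the `if (!innermostFinallyContext) return false;` after the loop, since an empty stack simply runs the loop zero times and leaves innermostFinallyContext null; either drop it or, if it stays as a shortcut, restore the `// No finallys to thread through.` comment the old early return carried so the two exits read as the same condition.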
</span></span></pre>
</div>
</div>

</body>
</html>