[webkit-reviews] review granted: [Bug 98606] JSC should infer when indexed storage contains only integers or doubles : [Attachment 172625] rebase

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Tue Nov 6 16:57:57 PST 2012


Oliver Hunt <oliver at apple.com> has granted Filip Pizlo <fpizlo at apple.com>'s
request for review:
Bug 98606: JSC should infer when indexed storage contains only integers or
doubles
https://bugs.webkit.org/show_bug.cgi?id=98606

Attachment 172625: rebase
https://bugs.webkit.org/attachment.cgi?id=172625&action=review

------- Additional Comments from Oliver Hunt <oliver at apple.com>
View in context: https://bugs.webkit.org/attachment.cgi?id=172625&action=review


r=me, one concern I have (although not introduced by this patch) is that there
are a number of places where we are multiplying an attacker controlled value
and using that to control an allocation size.

I don't think op_new_array_buffer really needs a profile as we should be able
to just record that when we originally generate the instruction. 

Also couldn't we use this information to improve the GC? If we know the
indexing type is int or double then there is no need to mark the array storage.


Anyhoo, r=me; with the exception of Windows bustage, this seems fine to land.

> Source/JavaScriptCore/jit/JITExceptions.cpp:45
>  ExceptionHandler genericThrow(JSGlobalData* globalData, ExecState*
callFrame, JSValue exceptionValue, unsigned vPCIndex)
>  {
>      ASSERT(exceptionValue);
> -
> +    
>      globalData->exception = JSValue();
>      HandlerInfo* handler =
globalData->interpreter->throwException(callFrame, exceptionValue, vPCIndex);
// This may update callFrame & exceptionValue!
>      globalData->exception = exceptionValue;
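Review bot: the only change in this hunk is whitespace, and it goes the wrong way: the `-` line removes an empty line and the `+    ` line puts back a line consisting solely of four trailing spaces, which leaves trailing whitespace in JITExceptions.cpp with no functional change to genericThrow. Drop this hunk from the patch (or keep the empty line as it was) so the diff stays limited to the indexing-type changes the bug is about.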

Reverteration here

