mandreel throws a checksum error on 32-bit x86.
author: mark.lam@apple.com <mark.lam@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Sat, 29 Mar 2014 00:37:10 +0000 (00:37 +0000)
committer: mark.lam@apple.com <mark.lam@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Sat, 29 Mar 2014 00:37:10 +0000 (00:37 +0000)
commit: ee65427c3c44917ada518400d91451f055b5ceee
tree: 6d3e448b1d0f3ba1528ca82f6c8c9d74e76fe037
parent: 21beb39b364f20f9908f8c9c9fcffde2aec06a22
mandreel throws a checksum error on 32-bit x86.
<https://webkit.org/b/125706>

Reviewed by Filip Pizlo.

The 32-bit DFG can emit code that loads double constants from its
CodeBlock's m_constantRegisters vector.  The emitted instruction will
embed the address of the constant from the vector's backing store.
Subsequently, while inserting new constants, the DFG may resize the
vector, thereby reallocating the backing store.  This renders the
previously embedded constant addresses stale.

The fix is to use a dedicated doubles constant pool stored in the DFG
CommonData instead.  This constant pool won't be reallocated, and
hence will not manifest this issue.

* dfg/DFGCommonData.h:
* dfg/DFGGraph.h:
* dfg/DFGJITCompiler.cpp:
(JSC::DFG::JITCompiler::link):
(JSC::DFG::JITCompiler::addressOfDoubleConstant):
* dfg/DFGJITCompiler.h:
(JSC::DFG::JITCompiler::addressOfDoubleConstant): Deleted.

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@166440 268f45cc-cd09-0410-ab3c-d52691b4dbfc
Source/JavaScriptCore/ChangeLog
Source/JavaScriptCore/dfg/DFGCommonData.h
Source/JavaScriptCore/dfg/DFGGraph.h
Source/JavaScriptCore/dfg/DFGJITCompiler.cpp
Source/JavaScriptCore/dfg/DFGJITCompiler.h
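The failure mode the commit message describes, as an added illustration rather than WebKit code: a vector-backed constant table whose element addresses go stale once an insertion forces a reallocation, beside a chunked pool (my stand-in for the dedicated CommonData pool, not DFG's actual type) whose handed-out addresses stay valid no matter how many constants are added later.

```cpp
#include <memory>
#include <vector>

// Pre-fix layout: constants live in a growable vector (like m_constantRegisters),
// and the emitter records &values[i] as if it were a permanent address.
struct GrowableConstants {
    std::vector<double> values;
    size_t add(double d) { values.push_back(d); return values.size() - 1; }
    const double* addressOf(size_t i) const { return &values[i]; }
};

// Embed the address of constant `index`, then insert `extra` more constants.
// std::vector invalidates every pointer into its storage whenever it reallocates,
// which is exactly when its capacity changes; the embedded address survives only if that never happened.
bool embeddedAddressStillValid(GrowableConstants& pool, size_t index, size_t extra) {
    const double* embedded = pool.addressOf(index);
    const size_t capacityBefore = pool.values.capacity();
    for (size_t i = 0; i < extra; ++i)
        pool.add(static_cast<double>(i));
    return pool.values.capacity() == capacityBefore && embedded == pool.addressOf(index);
}

// Post-fix shape (illustrative, not DFG's CommonData): storage that never moves. Constants go
// into fixed-size chunks; a full chunk stays where it is and a fresh one is allocated instead.
class StableDoublePool {
public:
    static constexpr size_t kChunkSize = 16;
    size_t add(double d) {
        if (m_count % kChunkSize == 0)
            m_chunks.push_back(std::make_unique<double[]>(kChunkSize));
        m_chunks[m_count / kChunkSize][m_count % kChunkSize] = d;
        return m_count++;
    }
    const double* addressOf(size_t i) const { return &m_chunks[i / kChunkSize][i % kChunkSize]; }
    size_t size() const { return m_count; }
private:
    std::vector<std::unique_ptr<double[]>> m_chunks; // this vector may move; the chunks do not
    size_t m_count = 0;
};

// Same experiment against the stable pool: the embedded address still names the same slot and value.
bool stableAddressStillValid(StableDoublePool& pool, size_t index, size_t extra) {
    const double* embedded = pool.addressOf(index);
    const double original = *embedded;
    for (size_t i = 0; i < extra; ++i)
        pool.add(static_cast<double>(i));
    return embedded == pool.addressOf(index) && *embedded == original;
}
```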