JIT snippet generator JumpLists should be returned as references.
author: mark.lam@apple.com <mark.lam@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Thu, 19 Nov 2015 18:00:18 +0000 (18:00 +0000)
committer: mark.lam@apple.com <mark.lam@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Thu, 19 Nov 2015 18:00:18 +0000 (18:00 +0000)
https://bugs.webkit.org/show_bug.cgi?id=151445

Reviewed by Gavin Barraclough.

The JumpLists were being returned by value.  As a result, new jumps added to
them in the client are actually added to a temporary copy and promptly discarded.
Those jumps never get linked, resulting in infinite loops in DFG generated code
that used the snippets.

* jit/JITAddGenerator.h:
(JSC::JITAddGenerator::endJumpList):
(JSC::JITAddGenerator::slowPathJumpList):
* jit/JITMulGenerator.h:
(JSC::JITMulGenerator::endJumpList):
(JSC::JITMulGenerator::slowPathJumpList):
* jit/JITSubGenerator.h:
(JSC::JITSubGenerator::endJumpList):
(JSC::JITSubGenerator::slowPathJumpList):

git-svn-id: http://svn.webkit.org/repository/webkit/trunk@192632 268f45cc-cd09-0410-ab3c-d52691b4dbfc

Source/JavaScriptCore/ChangeLog
Source/JavaScriptCore/jit/JITAddGenerator.h
Source/JavaScriptCore/jit/JITMulGenerator.h
Source/JavaScriptCore/jit/JITSubGenerator.h

index 9db3de2..ec8d1f2 100644 (file)
@@ -1,3 +1,25 @@
+2015-11-19  Mark Lam  <mark.lam@apple.com>
+
+        JIT snippet generator JumpLists should be returned as references.
+        https://bugs.webkit.org/show_bug.cgi?id=151445
+
+        Reviewed by Gavin Barraclough.
+
+        The JumpLists were being returned by value.  As a result, new jumps added to
+        them in the client are actually added to a temporary copy and promptly discarded.
+        Those jumps never get linked, resulting in infinite loops in DFG generated code
+        that used the snippets.
+
+        * jit/JITAddGenerator.h:
+        (JSC::JITAddGenerator::endJumpList):
+        (JSC::JITAddGenerator::slowPathJumpList):
+        * jit/JITMulGenerator.h:
+        (JSC::JITMulGenerator::endJumpList):
+        (JSC::JITMulGenerator::slowPathJumpList):
+        * jit/JITSubGenerator.h:
+        (JSC::JITSubGenerator::endJumpList):
+        (JSC::JITSubGenerator::slowPathJumpList):
+
 2015-11-19  Csaba Osztrogon√°c  <ossy@webkit.org>
 
         Unreviewed CLOOP buildfix after r192624.
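Review bot: no regression test accompanies this change; the ChangeLog entry lists only the three generator headers and the file list above contains no test. Since the description says the by-value return led to unlinked jumps and infinite loops in DFG-generated code, a test that drives an add, sub and mul snippet through its slow path (so that jumps appended via slowPathJumpList() must actually be linked for the test to terminate) would catch this being reintroduced.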
index 34fb653..1f32c11 100644 (file)
@@ -59,8 +59,8 @@ public:
     void generateFastPath(CCallHelpers&);
 
     bool didEmitFastPath() const { return m_didEmitFastPath; }
-    CCallHelpers::JumpList endJumpList() { return m_endJumpList; }
-    CCallHelpers::JumpList slowPathJumpList() { return m_slowPathJumpList; }
+    CCallHelpers::JumpList& endJumpList() { return m_endJumpList; }
+    CCallHelpers::JumpList& slowPathJumpList() { return m_slowPathJumpList; }
 
 private:
     JSValueRegs m_result;
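Review bot: returning `CCallHelpers::JumpList&` is the correct fix for the bug described, since callers append jumps to the list and those jumps must be linked against the generator's own member rather than a temporary. Two things now deserve a comment on these accessors: the reference is only meaningful after `generateFastPath(CCallHelpers&)` has run (and `didEmitFastPath()` is true), and its lifetime is bound to the JITAddGenerator object, so a caller must not retain it past the generator's scope. If read-only access is needed anywhere, a `const` overload returning `const CCallHelpers::JumpList&` would keep mutation explicit.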
index 690e595..5d28f80 100644 (file)
@@ -60,8 +60,8 @@ public:
     void generateFastPath(CCallHelpers&);
 
     bool didEmitFastPath() const { return m_didEmitFastPath; }
-    CCallHelpers::JumpList endJumpList() { return m_endJumpList; }
-    CCallHelpers::JumpList slowPathJumpList() { return m_slowPathJumpList; }
+    CCallHelpers::JumpList& endJumpList() { return m_endJumpList; }
+    CCallHelpers::JumpList& slowPathJumpList() { return m_slowPathJumpList; }
 
 private:
     JSValueRegs m_result;
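Review bot: this is the same accessor change as in JITAddGenerator.h and is right for the same reason, but it highlights that the three generators carry identical `endJumpList()`/`slowPathJumpList()` pairs at different offsets (@@ -59, -60 and -52), so a future correction to one can silently miss the others. Consider hoisting the shared members and accessors into a common base, or at minimum adding a comment cross-referencing the three headers.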
index 447ce9d..603aa2e 100644 (file)
@@ -52,8 +52,8 @@ public:
     void generateFastPath(CCallHelpers&);
 
     bool didEmitFastPath() const { return m_didEmitFastPath; }
-    CCallHelpers::JumpList endJumpList() { return m_endJumpList; }
-    CCallHelpers::JumpList slowPathJumpList() { return m_slowPathJumpList; }
+    CCallHelpers::JumpList& endJumpList() { return m_endJumpList; }
+    CCallHelpers::JumpList& slowPathJumpList() { return m_slowPathJumpList; }
 
 private:
     JSValueRegs m_result;
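Review bot: same fix for JITSubGenerator and consistent with the other two headers. One design point worth recording: the non-const reference lets a client do anything to `m_slowPathJumpList`, including clearing it, not only append. If append-only is the intended contract, a short comment on `slowPathJumpList()` stating that clients should only add jumps (and that the generator expects them to be linked by the caller) would make misuse easier to spot in review.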