Bug 200148

Summary: [JSC] Use unalignedLoad for JSRopeString fiber accesses
Product: WebKit Reporter: Yusuke Suzuki <ysuzuki>
Component: New BugsAssignee: Yusuke Suzuki <ysuzuki>
Status: RESOLVED FIXED    
Severity: Normal CC: ews-watchlist, keith_miller, mark.lam, msaboff, saam, tzagallo, webkit-bug-importer
Priority: P2 Keywords: InRadar
Version: WebKit Nightly Build   
Hardware: Unspecified   
OS: Unspecified   
Attachments:
Description Flags
Patch
none
Patch mark.lam: review+

Description Yusuke Suzuki 2019-07-25 18:46:59 PDT 
[JSC] Use unalignedLoad for JSRopeString fiber accesses
Comment 1 Yusuke Suzuki 2019-07-25 18:48:15 PDT 
Created attachment 374930 [details]
Patch
Comment 2 Yusuke Suzuki 2019-07-25 19:59:10 PDT 
Created attachment 374934 [details]
Patch
Comment 3 Mark Lam 2019-07-25 21:06:51 PDT 
Comment on attachment 374934 [details]
Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=374934&action=review

r=me

> Source/JavaScriptCore/heap/MarkedBlock.h:305
> +    // Some of JSCell types assume that the last JSCell in a MarkedBlock has a subsequent memory region (Footer) that can still safely accesible.

/accesible/accessed/

> Source/JavaScriptCore/heap/MarkedBlock.h:306
> +    // For example, JSRopeString assumes that it can safely access some subsquent bytes of JSRopeString cell.

I suggest rephrasing "some subsquent bytes of JSRopeString cell" as "up to 2 bytes beyond the JSRopeString cell".
Comment 4 Yusuke Suzuki 2019-07-25 21:42:23 PDT 
Comment on attachment 374934 [details]
Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=374934&action=review

>> Source/JavaScriptCore/heap/MarkedBlock.h:305
>> +    // Some of JSCell types assume that the last JSCell in a MarkedBlock has a subsequent memory region (Footer) that can still safely accesible.
> 
> /accesible/accessed/

Fixed.

>> Source/JavaScriptCore/heap/MarkedBlock.h:306
>> +    // For example, JSRopeString assumes that it can safely access some subsquent bytes of JSRopeString cell.
> 
> I suggest rephrasing "some subsquent bytes of JSRopeString cell" as "up to 2 bytes beyond the JSRopeString cell".

Fixed.
Comment 5 Yusuke Suzuki 2019-07-25 21:58:13 PDT 
Committed r247854: <https://trac.webkit.org/changeset/247854>
Comment 6 Radar WebKit Bug Importer 2019-07-25 21:59:26 PDT 
<rdar://problem/53574198>