RESOLVED FIXED129657
AbstractMacroAssembler::CachedTempRegister should start out invalid 
https://bugs.webkit.org/show_bug.cgi?id=129657
Summary AbstractMacroAssembler::CachedTempRegister should start out invalid
Michael Saboff
Reported 2014-03-03 21:18:30 PST
Currently AbstractMacroAssembler::CachedTempRegister() are initialized with a value of 0 and that the contents are valid. Instead they should be mark as invalid as we don't know the prior contents before the first use.
Attachments
Patch (1.51 KB, patch)
2014-03-03 21:30 PST, Michael Saboff 		msaboff: review-
DetailsFormatted DiffDiff
Updated patch (1.30 KB, patch)
2014-03-03 22:01 PST, Michael Saboff 		fpizlo: review+
DetailsFormatted DiffDiff
Show Obsolete (1) View All Add attachment proposed patch, testcase, etc.
Michael Saboff
Comment 1 2014-03-03 21:27:52 PST
<rdar://problem/16214527>
Michael Saboff
Comment 2 2014-03-03 21:30:28 PST
Created attachment 225738 [details] Patch
Mark Lam
Comment 3 2014-03-03 21:39:39 PST
Comment on attachment 225738 [details] Patch View in context: https://bugs.webkit.org/attachment.cgi?id=225738&action=review > Source/JavaScriptCore/assembler/AbstractMacroAssembler.h:881 > + , m_validBit(0 << static_cast<unsigned>(registerID)) Why not just "m_validBit(0)”?
Michael Saboff
Comment 4 2014-03-03 21:43:49 PST
(In reply to comment #3) > (From update of attachment 225738 [details]) > View in context: https://bugs.webkit.org/attachment.cgi?id=225738&action=review > > > Source/JavaScriptCore/assembler/AbstractMacroAssembler.h:881 > > + , m_validBit(0 << static_cast<unsigned>(registerID)) > > Why not just "m_validBit(0)”? Actually, the is the wrong value to clear. Updated patch coming.
Geoffrey Garen
Comment 5 2014-03-03 21:55:53 PST
Comment on attachment 225738 [details] Patch View in context: https://bugs.webkit.org/attachment.cgi?id=225738&action=review > Source/JavaScriptCore/ChangeLog:12 > + - Changed the setting of the valid bit to 0 (not valid) in the constructor as > + we don't know the contents of the register at the entry to the block we > + are going to generate code for. Are you assuming that all JITs -- including the baseline JIT, the DFG, and the CSS selector JIT -- instantiate a new MacroAssembler at the head of each basic block?
Michael Saboff
Comment 6 2014-03-03 22:01:50 PST
Created attachment 225741 [details] Updated patch Updated after Mark caught that I was invalidating incorrectly. (In reply to comment #5) > (From update of attachment 225738 [details]) > View in context: https://bugs.webkit.org/attachment.cgi?id=225738&action=review > > > Source/JavaScriptCore/ChangeLog:12 > > + - Changed the setting of the valid bit to 0 (not valid) in the constructor as > > + we don't know the contents of the register at the entry to the block we > > + are going to generate code for. > > Are you assuming that all JITs -- including the baseline JIT, the DFG, and the CSS selector JIT -- instantiate a new MacroAssembler at the head of each basic block? Poor choice of words. I changed "block" to "code". This fix has nothing to do with basic blocks. Whenever we create a MacroAssembler, we need to start with the cached register values as invalid. In the case that triggered this issue, we were generating small stubs and used the temporary registers to materialize constants that fit in 16 bits.
Michael Saboff
Comment 7 2014-03-03 22:32:45 PST
Committed r165038: <http://trac.webkit.org/changeset/165038>
Darin Adler
Comment 8 2014-04-24 16:46:03 PDT
Moving all JavaScriptGlue bugs to JavaScriptCore. The JavaScriptGlue framework itself is long gone. And most of the more recent bugs put in this component were put there by people who thought this was for some other aspect of “JavaScript glue” and have nothing to do with the actual original reason for the existence of this component, which was an OS-X-only framework named JavaScriptGlue.
Note You need to log in before you can comment on or make changes to this bug.