RESOLVED FIXED 68746
wtf/BitVector.h has a variety of bugs which manifest when the vector grows beyond 63 bits
https://bugs.webkit.org/show_bug.cgi?id=68746
Summary wtf/BitVector.h has a variety of bugs which manifest when the vector grows be...
Filip Pizlo
Reported 2011-09-23 17:49:13 PDT
- The number of bytes that need to be malloc'd is miscomputed. - The index into the uintptr_t* is miscomputed. - resize() sometimes exits too early. - Far too much code is inline, when it could be trivially out-of-line.
Attachments
the patch (16.87 KB, patch)
2011-09-23 17:54 PDT, Filip Pizlo
oliver: review+
the patch - fix style, review (16.45 KB, patch)
2011-09-23 18:33 PDT, Filip Pizlo
no flags
Filip Pizlo
Comment 1 2011-09-23 17:54:47 PDT
Created attachment 108570 [details] the patch
WebKit Review Bot
Comment 2 2011-09-23 17:56:50 PDT
Attachment 108570 [details] did not pass style-queue: Failed to run "['Tools/Scripts/check-webkit-style', '--diff-files', u'Source/JavaScriptCore/ChangeLog', u'Source..." exit_code: 1 Source/JavaScriptCore/wtf/BitVector.h:143: The parameter name "outOfLineBits" adds no information, so it should be removed. [readability/parameter_name] [5] Total errors found: 1 in 8 files If any of these errors are false positives, please file a bug against check-webkit-style.
Oliver Hunt
Comment 3 2011-09-23 18:00:08 PDT
Comment on attachment 108570 [details] the patch View in context: https://bugs.webkit.org/attachment.cgi?id=108570&action=review r=me, but it would be worth considering whether ensureSize() should be inline or outline before landing > Source/JavaScriptCore/wtf/BitVector.h:79 > - void ensureSize(size_t numBits) > - { > - if (numBits <= size()) > - return; > - resizeOutOfLine(numBits); > - } > + void ensureSize(size_t numBits); Do you really want to take ensureSize out of line? you already have resizeOutOfLine so it seems overkill to hoist the entire function out
Filip Pizlo
Comment 4 2011-09-23 18:02:36 PDT
(In reply to comment #3) > (From update of attachment 108570 [details]) > View in context: https://bugs.webkit.org/attachment.cgi?id=108570&action=review > > r=me, but it would be worth considering whether ensureSize() should be inline or outline before landing > > > Source/JavaScriptCore/wtf/BitVector.h:79 > > - void ensureSize(size_t numBits) > > - { > > - if (numBits <= size()) > > - return; > > - resizeOutOfLine(numBits); > > - } > > + void ensureSize(size_t numBits); > > Do you really want to take ensureSize out of line? you already have resizeOutOfLine so it seems overkill to hoist the entire function out That's a really good point. I'll change that so that ensureSize() inlines the trivial path, and land.
Filip Pizlo
Comment 5 2011-09-23 18:33:01 PDT
Created attachment 108573 [details] the patch - fix style, review This is the patch I intend to land manually once I finish running the last batch of tests.
Filip Pizlo
Comment 6 2011-09-23 18:36:58 PDT
It appears that this is a speed-up on a few benchmarks, presumably because previously we had corrupt liveness settings and OSR would fail spuriously. I cannot find any other change in behavior, since any bugs arising from a corrupt OSR bitvector would be horribly annoying to track down.
Filip Pizlo
Comment 7 2011-09-23 19:07:22 PDT
Landed in r95895.
Darin Adler
Comment 8 2011-09-23 20:24:29 PDT
Comment on attachment 108570 [details] the patch View in context: https://bugs.webkit.org/attachment.cgi?id=108570&action=review > Source/JavaScriptCore/wtf/BitVector.cpp:38 > + (*this) = other; No need for these parentheses. > Source/JavaScriptCore/wtf/BitVector.cpp:41 > +BitVector& BitVector::operator=(const BitVector& other) It’s normally considered better style to write a swap function and a copy constructor and build the assignment operator from the copy constructor instead of the other way around. Easier to get rid too.
Note You need to log in before you can comment on or make changes to this bug.