Bug 774760 - Fix unaligned PCCounts double access (r=luke)
authorChao-ying Fu <fu@mips.com>
Tue, 24 Jul 2012 11:11:44 -0700
changeset 105806 9ead721069f451c3115afbf71c470082936dc9eb
parent 105805 21f18a7f5f9dabda3fb0d5ee2367af311e3b9e5a
child 105807 8e4a64b0e87fc69e47360613be9d521291af72d0
push idunknown
push userunknown
push dateunknown
reviewersluke
bugs774760
milestone17.0a1
Bug 774760 - Fix unaligned PCCounts double access (r=luke)
js/src/jsopcode.h
js/src/jsscript.cpp
--- a/js/src/jsopcode.h
+++ b/js/src/jsopcode.h
@@ -492,16 +492,18 @@ FlowsIntoNext(JSOp op)
  * coherent fashion.
  */
 class PCCounts
 {
     friend struct ::JSScript;
     double *counts;
 #ifdef DEBUG
     size_t capacity;
+#elif JS_BITS_PER_WORD == 32
+    void *padding;
 #endif
 
  public:
 
     enum BaseCounts {
         BASE_INTERP = 0,
         BASE_METHODJIT,
 
@@ -610,16 +612,19 @@ class PCCounts
     }
 
     /* Boolean conversion, for 'if (counters) ...' */
     operator void*() const {
         return counts;
     }
 };
 
+/* Necessary for alignment with the script. */
+JS_STATIC_ASSERT(sizeof(PCCounts) % sizeof(Value) == 0);
+
 } /* namespace js */
 
 #if defined(DEBUG)
 /*
  * Disassemblers, for debugging only.
  */
 extern JS_FRIEND_API(JSBool)
 js_Disassemble(JSContext *cx, JSScript *script, JSBool lines, js::Sprinter *sp);
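Review bot: The static assert checks against `sizeof(Value)`, while the property the loop in jsscript.cpp actually relies on (and asserts at runtime) is `double` alignment of the counts cursor; the two agree only because Value is 8 bytes wide on both word sizes here. Expressing the invariant directly avoids that indirect coupling: `JS_STATIC_ASSERT(sizeof(PCCounts) % sizeof(double) == 0);`, and the comment above it could say what "alignment with the script" means, e.g. `/* The per-pc double counts are stored immediately after the PCCounts vector in one allocation, so each PCCounts must be double-sized. */`. This assert only constrains the stride, not the alignment of the allocation base; that remains a DEBUG-only runtime check.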
--- a/js/src/jsscript.cpp
+++ b/js/src/jsscript.cpp
@@ -848,16 +848,17 @@ JSScript::initScriptCounts(JSContext *cx
 
     DebugOnly<char *> base = cursor;
 
     ScriptCounts scriptCounts;
     scriptCounts.pcCountsVector = (PCCounts *) cursor;
     cursor += length * sizeof(PCCounts);
 
     for (pc = code; pc < code + length; pc = next) {
+        JS_ASSERT(uintptr_t(cursor) % sizeof(double) == 0);
         scriptCounts.pcCountsVector[pc - code].counts = (double *) cursor;
         size_t capacity = PCCounts::numCounts(JSOp(*pc));
 #ifdef DEBUG
         scriptCounts.pcCountsVector[pc - code].capacity = capacity;
 #endif
         cursor += capacity * sizeof(double);
         next = pc + GetBytecodeLength(pc);
     }
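Review bot: The added `JS_ASSERT` is evaluated on every iteration, but after the first one it is trivially true because `cursor` only advances by `capacity * sizeof(double)`; the only thing it can actually catch is misalignment of the cursor when the loop starts, i.e. of the allocation base, given the static assert on `sizeof(PCCounts)`. Hoisting it to just after `cursor += length * sizeof(PCCounts);` states that intent and also covers the `length == 0` case: `JS_ASSERT(uintptr_t(cursor) % sizeof(double) == 0);`. The allocation of `cursor` and the rest of `JSScript::initScriptCounts` lie outside the hunk, so whether the base is guaranteed 8-byte aligned on 32-bit targets cannot be confirmed from here; a short comment at the allocation site naming that requirement would help.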