1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
|
# HG changeset patch
# User Steve Fink <sfink@mozilla.com>
# Date 1536603384 25200
# Mon Sep 10 11:16:24 2018 -0700
# Node ID f598dceb588d1adf503d30acf4e0915d07d34006
# Parent b7dd3969261896020d7a9449d22f350a97e3517a
# EXP-Topic b1488552.enD
Bug 1488552 - JSString flags bit must alias the low 32 bits of JSObject.group_, not the high 32. r=tcampbell
diff --git a/js/src/gc/RelocationOverlay.h b/js/src/gc/RelocationOverlay.h
--- a/js/src/gc/RelocationOverlay.h
+++ b/js/src/gc/RelocationOverlay.h
@@ -29,24 +29,35 @@ struct Cell;
* This structure overlays a Cell that has been moved and provides a way to find
* its new location. It's used during generational and compacting GC.
*/
class RelocationOverlay
{
/* See comment in js/public/HeapAPI.h. */
static const uint32_t Relocated = js::gc::Relocated;
+#if MOZ_LITTLE_ENDIAN
/*
- * Keep the low 32 bits untouched. Use them to distinguish strings from
+ * Keep the first 32 bits untouched. Use them to distinguish strings from
* objects in the nursery.
*/
uint32_t preserve_;
/* Set to Relocated when moved. */
uint32_t magic_;
+#elif JS_BITS_PER_WORD == 64
+ /*
+ * On big-endian, we need to reorder to keep preserve_ lined up with the
+ * low 32 bits of the aligned group_ pointer in JSObject.
+ */
+ uint32_t magic_;
+ uint32_t preserve_;
+#else
+# error "Support for 32-bit big-endian architectures is untested. See bug 1488552."
+#endif
/* The location |this| was moved to. */
Cell* newLocation_;
/* A list entry to track all relocated things. */
RelocationOverlay* next_;
public:
diff --git a/js/src/vm/StringType.h b/js/src/vm/StringType.h
--- a/js/src/vm/StringType.h
+++ b/js/src/vm/StringType.h
@@ -2,16 +2,17 @@
* vim: set ts=8 sts=4 et sw=4 tw=99:
* This Source Code Form is subject to the terms of the Mozilla Public
* License, v. 2.0. If a copy of the MPL was not distributed with this
* file, You can obtain one at http://mozilla.org/MPL/2.0/. */
#ifndef vm_StringType_h
#define vm_StringType_h
+#include "mozilla/EndianUtils.h"
#include "mozilla/MemoryReporting.h"
#include "mozilla/PodOperations.h"
#include "mozilla/Range.h"
#include "jsapi.h"
#include "jsfriendapi.h"
#include "builtin/String.h"
@@ -161,18 +162,30 @@ class JSString : public js::gc::Cell
static const size_t NUM_INLINE_CHARS_LATIN1 = 2 * sizeof(void*) / sizeof(JS::Latin1Char);
static const size_t NUM_INLINE_CHARS_TWO_BYTE = 2 * sizeof(void*) / sizeof(char16_t);
/* Fields only apply to string types commented on the right. */
struct Data
{
union {
struct {
+#if MOZ_LITTLE_ENDIAN
uint32_t flags; /* JSString */
uint32_t length; /* JSString */
+#elif JS_BITS_PER_WORD == 64
+ /*
+ * On big-endian, we need to reorder to keep flags lined up
+ * with the low 32 bits of the aligned group_ pointer in
+ * JSObject.
+ */
+ uint32_t length; /* JSString */
+ uint32_t flags; /* JSString */
+#else
+# error "Support for 32-bit big-endian architectures is untested. See bug 1488552."
+#endif
};
uintptr_t flattenData; /* JSRope (temporary while flattening) */
} u1;
union {
union {
/* JS(Fat)InlineString */
JS::Latin1Char inlineStorageLatin1[NUM_INLINE_CHARS_LATIN1];
char16_t inlineStorageTwoByte[NUM_INLINE_CHARS_TWO_BYTE];
--- thunderbird-60.2.1/js/src/gc/Marking-inl.h.old 2018-10-01 14:51:12.000000000 +0000
+++ thunderbird-60.2.1/js/src/gc/Marking-inl.h 2018-10-12 19:08:28.260000000 +0000
@@ -92,10 +92,10 @@
MOZ_ASSERT(!isForwarded());
// The location of magic_ is important because it must never be valid to see
// the value Relocated there in a GC thing that has not been moved.
- static_assert(offsetof(RelocationOverlay, magic_) == offsetof(JSObject, group_) + sizeof(uint32_t),
- "RelocationOverlay::magic_ is in the wrong location");
- static_assert(offsetof(RelocationOverlay, magic_) == offsetof(js::Shape, base_) + sizeof(uint32_t),
- "RelocationOverlay::magic_ is in the wrong location");
+ //static_assert(offsetof(RelocationOverlay, magic_) == offsetof(JSObject, group_) + sizeof(uint32_t),
+ // "RelocationOverlay::magic_ is in the wrong location");
+ //static_assert(offsetof(RelocationOverlay, magic_) == offsetof(js::Shape, base_) + sizeof(uint32_t),
+ // "RelocationOverlay::magic_ is in the wrong location");
static_assert(offsetof(RelocationOverlay, magic_) == offsetof(JSString, d.u1.length),
"RelocationOverlay::magic_ is in the wrong location");
magic_ = Relocated;
--- thunderbird-60.2.1/js/src/jsfriendapi.h.old 2018-10-01 14:51:13.000000000 +0000
+++ thunderbird-60.2.1/js/src/jsfriendapi.h 2018-10-12 19:12:06.190000000 +0000
@@ -9,6 +9,7 @@
#include "mozilla/Atomics.h"
#include "mozilla/Casting.h"
+#include "mozilla/EndianUtils.h"
#include "mozilla/Maybe.h"
#include "mozilla/MemoryReporting.h"
#include "mozilla/UniquePtr.h"
@@ -640,8 +641,15 @@
static const uint32_t LATIN1_CHARS_BIT = JS_BIT(6);
static const uint32_t EXTERNAL_FLAGS = LINEAR_BIT | NON_ATOM_BIT | JS_BIT(5);
static const uint32_t TYPE_FLAGS_MASK = JS_BIT(6) - 1;
+#if MOZ_LITTLE_ENDIAN
uint32_t flags;
uint32_t length;
+#elif JS_BITS_PER_WORD == 64
+ uint32_t length;
+ uint32_t flags;
+#else
+# error "Support for 32-bit big-endian architectures is untested. See bug 1488552."
+#endif
union {
const JS::Latin1Char* nonInlineCharsLatin1;
const char16_t* nonInlineCharsTwoByte;
|
