Changeset 207500 in webkit


Ignore:
Timestamp:
Oct 18, 2016 4:40:10 PM (8 years ago)
Author:
keith_miller@apple.com
Message:

GetByVal to GetById conversion in the DFG is incorrect for getters with control flow
https://bugs.webkit.org/show_bug.cgi?id=163629

Reviewed by Yusuke Suzuki.

JSTests:

  • stress/get-by-val-to-id-with-getter.js: Added.

(foo):
(o.get hello):

Source/JavaScriptCore:

This patch fixes a bug in the DFG when attempt to convert a
GetByVal into a GetById. While converting the GetByVal, during
handleGetById in the Bytecode parser, we would mistakenly use the
opcode length of op_get_by_id rather than op_get_by_val. This causes
the new basic block we create to point to the wrong offset. In the
added test this will cause us to infinite loop.

  • dfg/DFGByteCodeParser.cpp:

(JSC::DFG::ByteCodeParser::handleGetById):
(JSC::DFG::ByteCodeParser::parseBlock):

Location:
trunk
Files:
1 added
3 edited

Legend:

Unmodified
Added
Removed

  • trunk/JSTests/ChangeLog

    r207475 r207500  
     12016-10-18  Keith Miller  <keith_miller@apple.com>
     2
     3        GetByVal to GetById conversion in the DFG is incorrect for getters with control flow
     4        https://bugs.webkit.org/show_bug.cgi?id=163629
     5
     6        Reviewed by Yusuke Suzuki.
     7
     8        * stress/get-by-val-to-id-with-getter.js: Added.
     9        (foo):
     10        (o.get hello):
     11
    1122016-10-15  Filip Pizlo  <fpizlo@apple.com>
    213

  • trunk/Source/JavaScriptCore/ChangeLog

    r207499 r207500  
     12016-10-18  Keith Miller  <keith_miller@apple.com>
     2
     3        GetByVal to GetById conversion in the DFG is incorrect for getters with control flow
     4        https://bugs.webkit.org/show_bug.cgi?id=163629
     5
     6        Reviewed by Yusuke Suzuki.
     7
     8        This patch fixes a bug in the DFG when attempt to convert a
     9        GetByVal into a GetById. While converting the GetByVal, during
     10        handleGetById in the Bytecode parser, we would mistakenly use the
     11        opcode length of op_get_by_id rather than op_get_by_val. This causes
     12        the new basic block we create to point to the wrong offset. In the
     13        added test this will cause us to infinite loop.
     14
     15        * dfg/DFGByteCodeParser.cpp:
     16        (JSC::DFG::ByteCodeParser::handleGetById):
     17        (JSC::DFG::ByteCodeParser::parseBlock):
     18
    1192016-10-18  Dean Jackson  <dino@apple.com>
    220

  • trunk/Source/JavaScriptCore/dfg/DFGByteCodeParser.cpp

    r207475 r207500  
    240240
    241241    void handleGetById(
    242         int destinationOperand, SpeculatedType, Node* base, unsigned identifierNumber, GetByIdStatus, AccessType);
     242        int destinationOperand, SpeculatedType, Node* base, unsigned identifierNumber, GetByIdStatus, AccessType, unsigned instructionSize);
    243243    void emitPutById(
    244244        Node* base, unsigned identifierNumber, Node* value,  const PutByIdStatus&, bool isDirect);
     
    32733273void ByteCodeParser::handleGetById(
    32743274    int destinationOperand, SpeculatedType prediction, Node* base, unsigned identifierNumber,
    3275     GetByIdStatus getByIdStatus, AccessType type)
     3275    GetByIdStatus getByIdStatus, AccessType type, unsigned instructionSize)
    32763276{
    32773277    // Attempt to reduce the set of things in the GetByIdStatus.
     
    34353435   
    34363436    handleCall(
    3437         destinationOperand, Call, InlineCallFrame::GetterCall, OPCODE_LENGTH(op_get_by_id),
     3437        destinationOperand, Call, InlineCallFrame::GetterCall, instructionSize,
    34383438        getter, numberOfParameters - 1, registerOffset, *variant.callLinkStatus(), prediction);
    34393439}
     
    42114211
    42124212            if (compiledAsGetById)
    4213                 handleGetById(currentInstruction[1].u.operand, prediction, base, identifierNumber, getByIdStatus, AccessType::Get);
     4213                handleGetById(currentInstruction[1].u.operand, prediction, base, identifierNumber, getByIdStatus, AccessType::Get, OPCODE_LENGTH(op_get_by_val));
    42144214            else {
    42154215                ArrayMode arrayMode = getArrayMode(currentInstruction[4].u.arrayProfile, Array::Read);
     
    43494349                currentCodeOrigin(), uid);
    43504350            AccessType type = op_try_get_by_id == opcodeID ? AccessType::GetPure : AccessType::Get;
    4351            
     4351
     4352            unsigned opcodeLength = opcodeID == op_try_get_by_id ? OPCODE_LENGTH(op_try_get_by_id) : OPCODE_LENGTH(op_get_by_id);
     4353
    43524354            handleGetById(
    4353                 currentInstruction[1].u.operand, prediction, base, identifierNumber, getByIdStatus, type);
     4355                currentInstruction[1].u.operand, prediction, base, identifierNumber, getByIdStatus, type, opcodeLength);
    43544356
    43554357            if (op_try_get_by_id == opcodeID)
Note: See TracChangeset for help on using the changeset viewer.