Changeset 230423 in webkit
- Timestamp:
- Apr 9, 2018 6:33:13 AM (6 years ago)
- Location:
- releases/WebKitGTK/webkit-2.20
- Files:
-
- 2 added
- 3 edited
Legend:
- Unmodified
- Added
- Removed
-
releases/WebKitGTK/webkit-2.20/JSTests/ChangeLog
r230422 r230423 1 2018-03-31 Filip Pizlo <fpizlo@apple.com> 2 3 JSC crash in JIT code with for-of loop and Array/Set iterators 4 https://bugs.webkit.org/show_bug.cgi?id=183174 5 6 Reviewed by Saam Barati. 7 8 * microbenchmarks/hoist-get-by-offset-tower-with-inferred-types.js: Added. This test shows that fixing the bug didn't break hoisting of GetByOffset with inferred types. I confirmed that if I did break it, this test slows down by >7x. 9 (foo): 10 * stress/hoist-get-by-offset-with-control-dependent-inferred-type.js: Added. This test shows that the bug is fixed. 11 (f): 12 1 13 2018-03-30 Robin Morisset <rmorisset@apple.com> 2 14 -
releases/WebKitGTK/webkit-2.20/Source/JavaScriptCore/ChangeLog
r230422 r230423 1 2018-03-31 Filip Pizlo <fpizlo@apple.com> 2 3 JSC crash in JIT code with for-of loop and Array/Set iterators 4 https://bugs.webkit.org/show_bug.cgi?id=183174 5 6 Reviewed by Saam Barati. 7 8 * dfg/DFGSafeToExecute.h: 9 (JSC::DFG::safeToExecute): Fix the bug by making GetByOffset and friends verify that they are getting the type proof they want at the desired hoisting site. 10 1 11 2018-03-30 Robin Morisset <rmorisset@apple.com> 2 12 -
releases/WebKitGTK/webkit-2.20/Source/JavaScriptCore/dfg/DFGSafeToExecute.h
r229238 r230423 1 1 /* 2 * Copyright (C) 2013-201 7Apple Inc. All rights reserved.2 * Copyright (C) 2013-2018 Apple Inc. All rights reserved. 3 3 * 4 4 * Redistribution and use in source and binary forms, with or without … … 504 504 case GetGetterSetterByOffset: 505 505 case PutByOffset: { 506 PropertyOffset offset = node->storageAccessData().offset; 507 508 if (state.structureClobberState() == StructuresAreWatched) { 506 StorageAccessData& data = node->storageAccessData(); 507 PropertyOffset offset = data.offset; 508 UniquedStringImpl* uid = graph.identifiers()[data.identifierNumber]; 509 510 InferredType::Descriptor inferredType; 511 switch (node->op()) { 512 case GetByOffset: 513 case GetGetterSetterByOffset: 514 inferredType = data.inferredType; 515 break; 516 case PutByOffset: 517 // PutByOffset knows about inferred types because it's the enforcer of that type rather 518 // than the consumer of that type. Therefore, PutByOffset expects TOP for the purpose of 519 // safe-to-execute in the sense that it will be happy with anything as general as TOP 520 // (so any type). 521 inferredType = InferredType::Top; 522 break; 523 default: 524 DFG_CRASH(graph, node, "Bad opcode"); 525 break; 526 } 527 528 // Graph::isSafeToLoad() is all about proofs derived from PropertyConditions. Those don't 529 // know anything about inferred types. But if we have a proof derived from watching a 530 // structure that has a type proof, then the next case below will deal with it. 531 if (state.structureClobberState() == StructuresAreWatched 532 && inferredType.kind() == InferredType::Top) { 509 533 if (JSObject* knownBase = node->child1()->dynamicCastConstant<JSObject*>(graph.m_vm)) { 510 534 if (graph.isSafeToLoad(knownBase, offset)) … … 517 541 return false; 518 542 for (unsigned i = value.size(); i--;) { 519 if (!value[i]->isValidOffset(offset)) 543 Structure* thisStructure = value[i].get(); 544 if (!thisStructure->isValidOffset(offset)) 520 545 return false; 546 if (inferredType.kind() != InferredType::Top) { 547 InferredType::Descriptor thisInferredType = 548 graph.inferredTypeForProperty(thisStructure, uid); 549 if (!inferredType.subsumes(thisInferredType)) 550 return false; 551 } 521 552 } 522 553 return true;
Note: See TracChangeset
for help on using the changeset viewer.