Changeset 230423 in webkit


Ignore:
Timestamp:
Apr 9, 2018 6:33:13 AM (6 years ago)
Author:
Carlos Garcia Campos
Message:

Merge r230143 - JSC crash in JIT code with for-of loop and Array/Set iterators
https://bugs.webkit.org/show_bug.cgi?id=183174

Reviewed by Saam Barati.

JSTests:

  • microbenchmarks/hoist-get-by-offset-tower-with-inferred-types.js: Added. This test shows that fixing the bug didn't break hoisting of GetByOffset with inferred types. I confirmed that if I did break it, this test slows down by >7x.

(foo):

  • stress/hoist-get-by-offset-with-control-dependent-inferred-type.js: Added. This test shows that the bug is fixed.

(f):

Source/JavaScriptCore:

  • dfg/DFGSafeToExecute.h:

(JSC::DFG::safeToExecute): Fix the bug by making GetByOffset and friends verify that they are getting the type proof they want at the desired hoisting site.

Location:
releases/WebKitGTK/webkit-2.20
Files:
2 added
3 edited

Legend:

Unmodified
Added
Removed

  • releases/WebKitGTK/webkit-2.20/JSTests/ChangeLog

    r230422 r230423  
     12018-03-31  Filip Pizlo  <fpizlo@apple.com>
     2
     3        JSC crash in JIT code with for-of loop and Array/Set iterators
     4        https://bugs.webkit.org/show_bug.cgi?id=183174
     5
     6        Reviewed by Saam Barati.
     7
     8        * microbenchmarks/hoist-get-by-offset-tower-with-inferred-types.js: Added. This test shows that fixing the bug didn't break hoisting of GetByOffset with inferred types. I confirmed that if I did break it, this test slows down by >7x.
     9        (foo):
     10        * stress/hoist-get-by-offset-with-control-dependent-inferred-type.js: Added. This test shows that the bug is fixed.
     11        (f):
     12
    1132018-03-30  Robin Morisset  <rmorisset@apple.com>
    214

  • releases/WebKitGTK/webkit-2.20/Source/JavaScriptCore/ChangeLog

    r230422 r230423  
     12018-03-31  Filip Pizlo  <fpizlo@apple.com>
     2
     3        JSC crash in JIT code with for-of loop and Array/Set iterators
     4        https://bugs.webkit.org/show_bug.cgi?id=183174
     5
     6        Reviewed by Saam Barati.
     7
     8        * dfg/DFGSafeToExecute.h:
     9        (JSC::DFG::safeToExecute): Fix the bug by making GetByOffset and friends verify that they are getting the type proof they want at the desired hoisting site.
     10
    1112018-03-30  Robin Morisset  <rmorisset@apple.com>
    212

  • releases/WebKitGTK/webkit-2.20/Source/JavaScriptCore/dfg/DFGSafeToExecute.h

    r229238 r230423  
    11/*
    2  * Copyright (C) 2013-2017 Apple Inc. All rights reserved.
     2 * Copyright (C) 2013-2018 Apple Inc. All rights reserved.
    33 *
    44 * Redistribution and use in source and binary forms, with or without
     
    504504    case GetGetterSetterByOffset:
    505505    case PutByOffset: {
    506         PropertyOffset offset = node->storageAccessData().offset;
    507 
    508         if (state.structureClobberState() == StructuresAreWatched) {
     506        StorageAccessData& data = node->storageAccessData();
     507        PropertyOffset offset = data.offset;
     508        UniquedStringImpl* uid = graph.identifiers()[data.identifierNumber];
     509
     510        InferredType::Descriptor inferredType;
     511        switch (node->op()) {
     512        case GetByOffset:
     513        case GetGetterSetterByOffset:
     514            inferredType = data.inferredType;
     515            break;
     516        case PutByOffset:
     517            // PutByOffset knows about inferred types because it's the enforcer of that type rather
     518            // than the consumer of that type. Therefore, PutByOffset expects TOP for the purpose of
     519            // safe-to-execute in the sense that it will be happy with anything as general as TOP
     520            // (so any type).
     521            inferredType = InferredType::Top;
     522            break;
     523        default:
     524            DFG_CRASH(graph, node, "Bad opcode");
     525            break;
     526        }
     527
     528        // Graph::isSafeToLoad() is all about proofs derived from PropertyConditions. Those don't
     529        // know anything about inferred types. But if we have a proof derived from watching a
     530        // structure that has a type proof, then the next case below will deal with it.
     531        if (state.structureClobberState() == StructuresAreWatched
     532            && inferredType.kind() == InferredType::Top) {
    509533            if (JSObject* knownBase = node->child1()->dynamicCastConstant<JSObject*>(graph.m_vm)) {
    510534                if (graph.isSafeToLoad(knownBase, offset))
     
    517541            return false;
    518542        for (unsigned i = value.size(); i--;) {
    519             if (!value[i]->isValidOffset(offset))
     543            Structure* thisStructure = value[i].get();
     544            if (!thisStructure->isValidOffset(offset))
    520545                return false;
     546            if (inferredType.kind() != InferredType::Top) {
     547                InferredType::Descriptor thisInferredType =
     548                    graph.inferredTypeForProperty(thisStructure, uid);
     549                if (!inferredType.subsumes(thisInferredType))
     550                    return false;
     551            }
    521552        }
    522553        return true;
Note: See TracChangeset for help on using the changeset viewer.