Changeset 199935 in webkit

Timestamp:

Apr 22, 2016, 4:48:44 PM (9 years ago)

Author:

mark.lam@apple.com

Message:

javascript jit bug affecting Google Maps.
​https://bugs.webkit.org/show_bug.cgi?id=153431

Reviewed by Filip Pizlo.

Source/JavaScriptCore:

The issue was due to the abstract interpreter wrongly marking the type of the
value read from the Uint3Array as SpecInt52, which precludes it from being an
Int32. This proves to be false, and the generated code failed to handle the case
where the read value is actually an Int32.

The fix is to have the abstract interpreter use SpecMachineInt instead of
SpecInt52.

• bytecode/SpeculatedType.h:
• dfg/DFGAbstractInterpreterInlines.h:

(JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):

LayoutTests:

• js/regress/bug-153431-expected.txt: Added.
• js/regress/bug-153431.html: Added.
• js/regress/script-tests/bug-153431.js: Added.

Location:

trunk

Files:

• LayoutTests/ChangeLog (modified) (1 diff)
• LayoutTests/js/regress/bug-153431-expected.txt (added)
• LayoutTests/js/regress/bug-153431.html (added)
• LayoutTests/js/regress/script-tests/bug-153431.js (added)
• Source/JavaScriptCore/ChangeLog (modified) (1 diff)
• Source/JavaScriptCore/bytecode/SpeculatedType.h (modified) (1 diff)
• Source/JavaScriptCore/dfg/DFGAbstractInterpreterInlines.h (modified) (1 diff)

trunk/LayoutTests/ChangeLog

@@ +1 @@
+2016-04-22  Mark Lam  <mark.lam@apple.com>
+
+        javascript jit bug affecting Google Maps.
+        https://bugs.webkit.org/show_bug.cgi?id=153431
+
+        Reviewed by Filip Pizlo.
+
+        * js/regress/bug-153431-expected.txt: Added.
+        * js/regress/bug-153431.html: Added.
+        * js/regress/script-tests/bug-153431.js: Added.
+
 2016-04-22  Geoffrey Garen  <ggaren@apple.com>
 

trunk/Source/JavaScriptCore/ChangeLog

@@ +1 @@
+2016-04-22  Mark Lam  <mark.lam@apple.com>
+
+        javascript jit bug affecting Google Maps.
+        https://bugs.webkit.org/show_bug.cgi?id=153431
+
+        Reviewed by Filip Pizlo.
+
+        The issue was due to the abstract interpreter wrongly marking the type of the
+        value read from the Uint3Array as SpecInt52, which precludes it from being an
+        Int32.  This proves to be false, and the generated code failed to handle the case
+        where the read value is actually an Int32.
+
+        The fix is to have the abstract interpreter use SpecMachineInt instead of
+        SpecInt52.
+
+        * bytecode/SpeculatedType.h:
+        * dfg/DFGAbstractInterpreterInlines.h:
+        (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
+
 2016-04-22  Benjamin Poulain  <bpoulain@apple.com>
 

trunk/Source/JavaScriptCore/bytecode/SpeculatedType.h

@@ -68 +68 @@
 static const SpeculatedType SpecNonBoolInt32       = 1u << 22; // It's definitely an Int32 with value other than 0 or 1.
 static const SpeculatedType SpecInt32              = SpecBoolInt32 | SpecNonBoolInt32; // It's definitely an Int32.
-static const SpeculatedType SpecInt52              = 1u << 23; // It's definitely an Int52 and we intend it to unbox it.
+static const SpeculatedType SpecInt52              = 1u << 23; // It's definitely an Int52 and we intend it to unbox it. It's also definitely not an Int32.
 static const SpeculatedType SpecMachineInt         = SpecInt32 | SpecInt52; // It's something that we can do machine int arithmetic on.
 static const SpeculatedType SpecInt52AsDouble      = 1u << 24; // It's definitely an Int52 and it's inside a double.

trunk/Source/JavaScriptCore/dfg/DFGAbstractInterpreterInlines.h

@@ -1563 +1563 @@
                 forNode(node).setType(SpecInt32);
             else if (enableInt52() && node->shouldSpeculateMachineInt())
-                forNode(node).setType(SpecInt52);
+                forNode(node).setType(SpecMachineInt);
             else
                 forNode(node).setType(SpecInt52AsDouble);