Changeset 224735 in webkit
- Timestamp:
- Nov 12, 2017 7:34:23 AM (6 years ago)
- Location:
- trunk
- Files:
-
- 1 added
- 11 edited
trunk/JSTests/ChangeLog
r224603 r224735 1 2017-11-12 Mark Lam <mark.lam@apple.com> 2 3 We should ensure that operationStrCat2 and operationStrCat3 are never passed Symbols as arguments. 4 https://bugs.webkit.org/show_bug.cgi?id=179562 5 <rdar://problem/35467022> 6 7 Reviewed by Saam Barati. 8 9 * regress-179562.js: Added. 10 1 11 2017-11-08 Saam Barati <sbarati@apple.com> 2 12 -
trunk/Source/JavaScriptCore/ChangeLog
r224726 r224735 1 2017-11-12 Mark Lam <mark.lam@apple.com> 2 3 We should ensure that operationStrCat2 and operationStrCat3 are never passed Symbols as arguments. 4 https://bugs.webkit.org/show_bug.cgi?id=179562 5 <rdar://problem/35467022> 6 7 Reviewed by Saam Barati. 8 9 * dfg/DFGFixupPhase.cpp: 10 (JSC::DFG::FixupPhase::fixupNode): 11 * dfg/DFGOperations.cpp: 12 * dfg/DFGSafeToExecute.h: 13 (JSC::DFG::SafeToExecuteEdge::operator()): 14 * dfg/DFGSpeculativeJIT.cpp: 15 (JSC::DFG::SpeculativeJIT::speculateNotSymbol): 16 (JSC::DFG::SpeculativeJIT::speculate): 17 * dfg/DFGSpeculativeJIT.h: 18 * dfg/DFGUseKind.cpp: 19 (WTF::printInternal): 20 * dfg/DFGUseKind.h: 21 (JSC::DFG::typeFilterFor): 22 * ftl/FTLCapabilities.cpp: 23 (JSC::FTL::canCompile): 24 * ftl/FTLLowerDFGToB3.cpp: 25 (JSC::FTL::DFG::LowerDFGToB3::speculate): 26 (JSC::FTL::DFG::LowerDFGToB3::speculateNotSymbol): 27 1 28 2017-11-11 Devin Rousso <webkit@devinrousso.com> 2 29 -
trunk/Source/JavaScriptCore/dfg/DFGFixupPhase.cpp
r224594 r224735 201 201 [&] (Edge& edge) { 202 202 fixEdge<KnownPrimitiveUse>(edge); 203 // StrCat automatically coerces the values into strings before concatenating them. 204 // The ECMA spec says that we're not allowed to automatically coerce a Symbol into 205 // a string. If a Symbol is encountered, a TypeError will be thrown. As a result, 206 // our runtime functions for this slow path expect that they will never be passed 207 // Symbols. 208 m_insertionSet.insertNode( 209 m_indexInBlock, SpecNone, Check, node->origin, 210 Edge(edge.node(), NotSymbolUse)); 203 211 }); 204 212 break; -
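Review bot: The new comment says "a TypeError will be thrown" if a Symbol is encountered, but what the inserted `Check` with `NotSymbolUse` actually does is fail speculation (a BadType exit) when a child is a Symbol; the throw presumably happens when the non-optimized tier re-executes the concatenation, not in code this phase emits. Sharpening the last two sentences avoids a reader assuming the DFG raises the error itself, e.g. `// Rather than throw here, we speculate that no child is a Symbol: a Symbol fails the NotSymbolUse check and exits to the baseline, whose strcat raises the TypeError. This guarantees the slow-path runtime functions are never passed Symbols.` The enclosing fixupNode case and the lambda it passes begin and end outside this hunk, so I could not confirm what the `KnownPrimitiveUse` fixup on the preceding line already guarantees for these edges.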
trunk/Source/JavaScriptCore/dfg/DFGOperations.cpp
r224335 r224735 1986 1986 auto scope = DECLARE_THROW_SCOPE(vm); 1987 1987 1988 ASSERT(!JSValue::decode(a).isSymbol()); 1989 ASSERT(!JSValue::decode(b).isSymbol()); 1988 1990 JSString* str1 = JSValue::decode(a).toString(exec); 1989 scope.assertNoException(); // Impossible, since we must have been given primitives.1991 scope.assertNoException(); // Impossible, since we must have been given non-Symbol primitives. 1990 1992 JSString* str2 = JSValue::decode(b).toString(exec); 1991 1993 scope.assertNoException(); … … 2001 2003 auto scope = DECLARE_THROW_SCOPE(vm); 2002 2004 2005 ASSERT(!JSValue::decode(a).isSymbol()); 2006 ASSERT(!JSValue::decode(b).isSymbol()); 2007 ASSERT(!JSValue::decode(c).isSymbol()); 2003 2008 JSString* str1 = JSValue::decode(a).toString(exec); 2004 scope.assertNoException(); // Impossible, since we must have been given primitives.2009 scope.assertNoException(); // Impossible, since we must have been given non-Symbol primitives. 2005 2010 JSString* str2 = JSValue::decode(b).toString(exec); 2006 2011 scope.assertNoException(); -
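Review bot: The added `ASSERT(!JSValue::decode(a).isSymbol())` lines, like the `assertNoException()` calls they precede, are compiled out in release builds, so in production a Symbol that slipped past the DFG-side check would still reach `toString(exec)`, which throws, and the function would carry on with an exception pending. Since this invariant exists precisely to prevent the Symbol-to-string coercion the spec forbids, consider `RELEASE_ASSERT` for the three checks, or the defensive form `RETURN_IF_EXCEPTION(scope, ...)` (with whatever these functions' error return is) after each `toString` so an unexpected Symbol is caught rather than silently ignored. Both operationStrCat2 and operationStrCat3 start above this hunk and continue below it, so their signatures and return paths are outside what I can see.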
trunk/Source/JavaScriptCore/dfg/DFGSafeToExecute.h
r224594 r224735 74 74 case StringOrStringObjectUse: 75 75 case NotStringVarUse: 76 case NotSymbolUse: 76 77 case NotCellUse: 77 78 case OtherUse: -
trunk/Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp
r224594 r224735 9543 9543 } 9544 9544 9545 void SpeculativeJIT::speculateNotSymbol(Edge edge) 9546 { 9547 if (!needsTypeCheck(edge, ~SpecSymbol)) 9548 return; 9549 9550 JSValueOperand operand(this, edge, ManualOperandSpeculation); 9551 auto valueRegs = operand.jsValueRegs(); 9552 GPRReg value = valueRegs.payloadGPR(); 9553 JITCompiler::Jump notCell; 9554 9555 bool needsCellCheck = needsTypeCheck(edge, SpecCell); 9556 if (needsCellCheck) 9557 notCell = m_jit.branchIfNotCell(valueRegs); 9558 9559 speculationCheck(BadType, JSValueSource::unboxedCell(value), edge.node(), m_jit.branchIfSymbol(value)); 9560 9561 if (needsCellCheck) 9562 notCell.link(&m_jit); 9563 9564 m_interpreter.filter(edge, ~SpecSymbol); 9565 } 9566 9545 9567 void SpeculativeJIT::speculateSymbol(Edge edge, GPRReg cell) 9546 9568 { … … 9731 9753 case NotStringVarUse: 9732 9754 speculateNotStringVar(edge); 9755 break; 9756 case NotSymbolUse: 9757 speculateNotSymbol(edge); 9733 9758 break; 9734 9759 case NotCellUse: -
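Review bot: `speculateNotSymbol` has no comment on the one non-obvious part of its structure: `branchIfSymbol(value)` inspects the cell itself, so it must never run on a non-cell immediate, and the `branchIfNotCell` guard is skipped only when `needsTypeCheck(edge, SpecCell)` is false, i.e. when the abstract interpreter already proves the value is a cell. A short comment before `bool needsCellCheck = needsTypeCheck(edge, SpecCell);` would capture this: `// Only cells can be Symbols, and branchIfSymbol reads the cell, so non-cells must bypass it; the bypass is elided when AI already proves this edge is a cell.` The exit also reports `JSValueSource::unboxedCell(value)` where the FTL counterpart reports the full JSValue; that is presumably fine because the exit is only reachable on the cell path, but it deserves a word in the same comment.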
trunk/Source/JavaScriptCore/dfg/DFGSpeculativeJIT.h
r224280 r224735 3159 3159 void speculateStringOrOther(Edge); 3160 3160 void speculateNotStringVar(Edge); 3161 void speculateNotSymbol(Edge); 3161 3162 template<typename StructureLocationType> 3162 3163 void speculateStringObjectForStructure(Edge, StructureLocationType); -
trunk/Source/JavaScriptCore/dfg/DFGUseKind.cpp
r221959 r224735 146 146 out.print("NotStringVar"); 147 147 return; 148 case NotSymbolUse: 149 out.print("NotSymbol"); 150 return; 148 151 case NotCellUse: 149 152 out.print("NotCell"); -
trunk/Source/JavaScriptCore/dfg/DFGUseKind.h
r221959 r224735 73 73 StringOrStringObjectUse, 74 74 NotStringVarUse, 75 NotSymbolUse, 75 76 NotCellUse, 76 77 OtherUse, … … 162 163 case NotStringVarUse: 163 164 return ~SpecStringVar; 165 case NotSymbolUse: 166 return ~SpecSymbol; 164 167 case NotCellUse: 165 168 return ~SpecCellCheck; -
trunk/Source/JavaScriptCore/ftl/FTLCapabilities.cpp
r224594 r224735 513 513 case StringIdentUse: 514 514 case NotStringVarUse: 515 case NotSymbolUse: 515 516 case AnyIntUse: 516 517 case DoubleRepAnyIntUse: -
trunk/Source/JavaScriptCore/ftl/FTLLowerDFGToB3.cpp
r224594 r224735 13853 13853 speculateNotStringVar(edge); 13854 13854 break; 13855 case NotSymbolUse: 13856 speculateNotSymbol(edge); 13857 break; 13855 13858 case NotCellUse: 13856 13859 speculateNotCell(edge); … … 14442 14445 } 14443 14446 14447 void speculateNotSymbol(Edge edge) 14448 { 14449 if (!m_interpreter.needsTypeCheck(edge, ~SpecSymbol)) 14450 return; 14451 14452 ASSERT(mayHaveTypeCheck(edge.useKind())); 14453 LValue value = lowJSValue(edge, ManualOperandSpeculation); 14454 14455 LBasicBlock isCellCase = m_out.newBlock(); 14456 LBasicBlock continuation = m_out.newBlock(); 14457 14458 m_out.branch(isCell(value, provenType(edge)), unsure(isCellCase), unsure(continuation)); 14459 14460 LBasicBlock lastNext = m_out.appendTo(isCellCase, continuation); 14461 speculate(BadType, jsValueValue(value), edge.node(), isSymbol(value)); 14462 m_out.jump(continuation); 14463 14464 m_out.appendTo(continuation, lastNext); 14465 14466 m_interpreter.filter(edge, ~SpecSymbol); 14467 } 14468 14444 14469 void speculateOther(Edge edge) 14445 14470 {
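Review bot: `speculateNotSymbol` calls `isSymbol(value)` without the proven type, while the `isCell(value, provenType(edge))` branch just above it passes one; if `isSymbol` accepts the same optional type argument (its signature is outside this hunk), passing it keeps the two predicates consistent, `speculate(BadType, jsValueValue(value), edge.node(), isSymbol(value, provenType(edge)));`. A one-line comment before the `isCellCase` block would also make the control flow self-explaining: `// Only cells can be Symbols; non-cells skip the check and fall straight through to the continuation.` The `speculate()` dispatch change earlier in this section is straightforward and needs nothing further.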