Changeset 251178 in webkit


Timestamp:
Oct 15, 2019 9:01:18 PM (5 years ago)
Author:
mark.lam@apple.com
Message:

operationSwitchCharWithUnknownKeyType failed to handle OOME when resolving rope string.
https://bugs.webkit.org/show_bug.cgi?id=202312
<rdar://problem/55782280>

Reviewed by Yusuke Suzuki.

JSTests:

  • stress/operationSwitchCharWithUnknownKeyType-should-avoid-resolving-rope-strings.js: Added.
  • stress/operationSwitchCharWithUnknownKeyType-should-avoid-resolving-rope-strings2.js: Added.
  • stress/switch-on-char-llint-rope.js:
  • Changed this test to make a new rope string for each iteration. Otherwise, the rope will get resolved, and subsequent tiers will not be testing with a rope.

Source/JavaScriptCore:

operationSwitchCharWithUnknownKeyType() can only dispatch to a case handler
if the key string is of length 1. All other cases should dispatch to the default
handler. This patch also adds the missing OOME check.

Also fixed a bug in SpeculativeJIT::emitSwitchCharStringJump() where the slow
path rope resolution was returning after the length check. It needs to return to
the point before the length check.

  • dfg/DFGSpeculativeJIT.cpp:

(JSC::DFG::SpeculativeJIT::emitSwitchCharStringJump):

  • jit/JITOperations.cpp:
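The dispatch rule the commit message states (only a key of length 1 can reach a case handler; every other key takes the default handler) and the "fresh rope per iteration" point from the JSTests change, as an added example that is not part of the changeset or of the WebKit test suite. It assumes, following the ChangeLog wording above, that in JSC a concatenation of two non-empty strings is normally materialised as a rope; an engine is free to represent the key differently, and the observable results must not change either way.

```javascript
// Added example (not WebKit code): a switch over single-character cases,
// driven with keys that are rebuilt by concatenation on every iteration so
// that, in JSC, the switch keeps seeing a rope instead of a string that was
// flattened by an earlier iteration (assumption: JSC builds a rope for the
// concatenation of two non-empty strings).

// The switch under test. Only a key of length 1 can match a case; the empty
// string and any longer key must take default, whatever their representation.
function dispatch(key) {
    switch (key) {
    case 'a': return 1;
    case 'b': return 2;
    default: return 0;
    }
}

// Build a fresh key object from its parts on each call. Each '+' produces a
// new string value, so no iteration can reuse a key resolved by a previous one.
function freshKey(parts) {
    let key = '';
    for (const part of parts)
        key = key + part;
    return key;
}

// Run the switch over several key shapes for `iterations` rounds (enough for
// a tiering JIT to recompile the loop) and return the result per shape.
// Throws if any shape ever changes its result between iterations, which is
// exactly the cross-tier inconsistency the regression tests guard against.
function runSwitchOnRopes(iterations) {
    // Constructed key shapes: [parts...] -> expected dispatch result
    const shapes = {
        singleChar: ['a', ''],               // 'a' -> length 1, matches case 'a'
        twoChars:   ['a', 'b'],              // 'ab' -> length 2, must take default
        longRope:   ['b', 'x'.repeat(64)],   // starts with 'b' but length 65, default
        empty:      ['', ''],                // '' -> length 0, default
    };
    const results = {};
    for (let i = 0; i < iterations; ++i) {
        for (const name in shapes) {
            const r = dispatch(freshKey(shapes[name]));
            if (name in results && results[name] !== r)
                throw new Error(`dispatch changed result for ${name} at iteration ${i}`);
            results[name] = r;
        }
    }
    return results;
}
```

Running `runSwitchOnRopes(10000)` in a JSC shell exercises the switch through the interpreter and each JIT tier with a key that has never been flattened; the OOME path the changeset fixes (a rope whose flattening fails to allocate) needs a string far larger than this block constructs and is not reproduced here.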
Location:
trunk
Files:
2 added
5 edited

  • trunk/JSTests/ChangeLog

    r251088 r251178  
     12019-10-15  Mark Lam  <mark.lam@apple.com>
     2
     3        operationSwitchCharWithUnknownKeyType failed to handle OOME when resolving rope string.
     4        https://bugs.webkit.org/show_bug.cgi?id=202312
     5        <rdar://problem/55782280>
     6
     7        Reviewed by Yusuke Suzuki.
     8
     9        * stress/operationSwitchCharWithUnknownKeyType-should-avoid-resolving-rope-strings.js: Added.
     10        * stress/operationSwitchCharWithUnknownKeyType-should-avoid-resolving-rope-strings2.js: Added.
     11        * stress/switch-on-char-llint-rope.js:
     12        - Changed this test to make a new rope string for each iterations.  Otherwise,
     13          the rope will get resolved, and subsequent tiers will not be testing with a rope.
     14
    1152019-10-14  Yusuke Suzuki  <ysuzuki@apple.com>
    216
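Review bot: the ChangeLog entry at line 12 has an agreement error, "for each iterations"; it should read "for each iteration" to match the sentence that follows.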
  • trunk/JSTests/stress/switch-on-char-llint-rope.js

    r242519 r251178  
    1515noInline(foo);
    1616
    17 let str = 'a' + constStr();
    1817for (let i = 0; i < 10000; ++i) {
     18    let str = 'a' + constStr();
    1919    let result = foo(str);
    2020    if (result !== 2)
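Review bot: moving `let str = 'a' + constStr();` into the loop only keeps the key a rope if the concatenation is really performed on each iteration; the hunk shows `noInline(foo)` but not whether `constStr` is also prevented from being inlined, and if the DFG can inline it and fold `'a' + constStr()` into a flat constant the higher tiers would again not be tested with a rope. Confirm that `constStr` is marked `noInline` (or otherwise opaque) in the part of the file not shown here.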
  • trunk/Source/JavaScriptCore/ChangeLog

    r251160 r251178  
     12019-10-15  Mark Lam  <mark.lam@apple.com>
     2
     3        operationSwitchCharWithUnknownKeyType failed to handle OOME when resolving rope string.
     4        https://bugs.webkit.org/show_bug.cgi?id=202312
     5        <rdar://problem/55782280>
     6
     7        Reviewed by Yusuke Suzuki.
     8
     9        operationSwitchCharWithUnknownKeyType() can only dispatch to a case handler
     10        if the key string is of length 1.  All other cases should dispatch to the default
     11        handler.  This patch also adds the missing OOME check.
     12
     13        Also fixed a bug in SpeculativeJIT::emitSwitchCharStringJump() where the slow
     14        path rope resolution was returning after the length check.  It needs to return to
     15        the point before the length check.
     16
     17        * dfg/DFGSpeculativeJIT.cpp:
     18        (JSC::DFG::SpeculativeJIT::emitSwitchCharStringJump):
     19        * jit/JITOperations.cpp:
     20
    1212019-10-15  Peng Liu  <peng.liu6@apple.com>
    222
  • trunk/Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp

    r251106 r251178  
    1072010720    m_jit.loadPtr(MacroAssembler::Address(value, JSString::offsetOfValue()), scratch);
    1072110721    auto isRope = m_jit.branchIfRopeStringImpl(scratch);
    10722 
     10722    addSlowPathGenerator(slowPathCall(isRope, this, operationResolveRope, scratch, value));
     10723   
    1072310724    addBranch(
    1072410725        m_jit.branch32(
     
    1072710728            TrustedImm32(1)),
    1072810729        data->fallThrough.block);
    10729    
    10730     addSlowPathGenerator(slowPathCall(isRope, this, operationResolveRope, scratch, value));
    10731    
     10730
    1073210731    m_jit.loadPtr(MacroAssembler::Address(scratch, StringImpl::dataOffset()), value);
    1073310732   
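Review bot: the correctness of this move depends on the slow path's return label being captured at the point where `slowPathCall(...)` is constructed, so that a resolved rope re-enters just before the `branch32` length check rather than after it; nothing on the line states that, and the original placement shows how easy it is to get wrong. Add a one-line comment above `addSlowPathGenerator(slowPathCall(isRope, this, operationResolveRope, scratch, value));` saying the call must stay ahead of the length check so the resolved `StringImpl*` in `scratch` is length-checked before `StringImpl::dataOffset()` is read. Also, the now-empty line at 10723 (trailing whitespace only) can be dropped.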
  • trunk/Source/JavaScriptCore/jit/JITOperations.cpp

    r251106 r251178  
    23042304    VM& vm = exec->vm();
    23052305    NativeCallFrameTracer tracer(vm, exec);
     2306    auto throwScope = DECLARE_THROW_SCOPE(vm);
    23062307    JSValue key = JSValue::decode(encodedKey);
    23072308    CodeBlock* codeBlock = exec->codeBlock();
     
    23112312
    23122313    if (key.isString()) {
    2313         StringImpl* value = asString(key)->value(exec).impl();
    2314         if (value->length() == 1)
    2315             result = jumpTable.ctiForValue((*value)[0]).executableAddress();
     2314        JSString* string = asString(key);
     2315        if (string->length() == 1) {
     2316            String value = string->value(exec);
     2317            RETURN_IF_EXCEPTION(throwScope, nullptr);
     2318            result = jumpTable.ctiForValue(value[0]).executableAddress();
     2319        }
    23162320    }
    23172321
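Review bot: on the `RETURN_IF_EXCEPTION(throwScope, nullptr);` path this operation now returns a null code pointer while every other path returns an executable address, and the hunk does not show the JIT-side caller or the initialisation of `result` at the elided lines 2308-2311; confirm that the caller checks the VM for a pending exception after the call rather than jumping to the returned value, since a null return is only safe if it is never dispatched to. The ordering of `string->length() == 1` before `string->value(exec)` is what keeps unresolved ropes unresolved (a JSString's length is available without flattening it), and since the bug title and the new test names hinge on that, a short comment on the `if (string->length() == 1) {` line stating that the length check must precede resolution would keep a future cleanup from swapping them back.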