Changeset 205522 in webkit


Timestamp:
Sep 6, 2016 4:51:24 PM
Author:
sbarati@apple.com
Message:

Member call on NULL pointer in JavaScriptCore/dfg/DFGAbstractInterpretterInlines.h
https://bugs.webkit.org/show_bug.cgi?id=160870

Reviewed by Darin Adler.

Credit goes to Jonathan Bedard for finding this bug using the undefined
behavior sanitizer.

The rule for MaterializeNewObject inside AI was assuming that the graph
is in SSA form. This used to be true when MaterializeNewObject was only
inserted by the allocation sinking phase. However, Filip added more uses
of MaterializeNewObject in his RegExp constant folding patch. This fixes
the bug by using the structure set inside the Node's OpInfo rather than
generating it from m_phiChildren inside AI.

  • dfg/DFGAbstractInterpreterInlines.h:

(JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
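The pattern the message describes, as an added illustration: a phase-dependent helper (phi children, only populated once the graph is in SSA form) versus data the node itself carries. This is a hypothetical C++ model written for this page, not JavaScriptCore code; the names Graph, GraphForm, PhiChildren, Sample and the two materializeSet* functions are assumptions chosen to mirror the shape of the hunk below.

```cpp
#include <cassert>
#include <cstdint>
#include <memory>
#include <set>
#include <vector>

// Added illustration of the bug pattern in r205522; this is a hypothetical
// model, not JavaScriptCore code. A Structure is reduced to an integer id.
using Structure = uint32_t;
using StructureSet = std::set<Structure>;

struct Node {
    std::vector<Node*> children;   // stands in for varArgChild(node, i)
    Structure constant = 0;        // stands in for castConstant<Structure*>()
    StructureSet structureSet;     // the set carried in the node's OpInfo
};

enum class GraphForm { LoadStore, SSA };

// Phi-children bookkeeping exists only once the graph is in SSA form.
struct PhiChildren {
    template<typename F>
    void forAllTransitiveIncomingValues(Node* phi, F f) {
        for (Node* incoming : phi->children)
            f(incoming);
    }
};

struct Graph {
    GraphForm form = GraphForm::LoadStore;
    std::unique_ptr<PhiChildren> phiChildren; // null until transitionToSSA()
    void transitionToSSA() {
        form = GraphForm::SSA;
        phiChildren = std::make_unique<PhiChildren>();
    }
};

// Shape of the removed code: rebuild the set by walking phi incoming values.
// Correct only in SSA form; on any other form phiChildren is null and the
// call below is the member call on a null pointer that UBSan reported.
// The assertion makes that precondition explicit instead of silent.
StructureSet materializeSetFromPhis(const Graph& g, Node* node) {
    assert(g.form == GraphForm::SSA && g.phiChildren);
    StructureSet set;
    g.phiChildren->forAllTransitiveIncomingValues(node->children.at(0),
        [&](Node* incoming) { set.insert(incoming->constant); });
    return set;
}

// Shape of the fix: read the set the node already carries, valid in any form.
StructureSet materializeSetFromNode(const Graph&, Node* node) {
    return node->structureSet;
}

// Constructed sample graph: a MaterializeNewObject-like node whose first
// child is a phi merging two structure constants, and whose OpInfo set
// records the same two structures.
struct Sample {
    Graph graph;
    Node c1, c2, phi, materialize;
    Sample() {
        c1.constant = 7;
        c2.constant = 9;
        phi.children = { &c1, &c2 };
        materialize.children = { &phi };
        materialize.structureSet = { 7, 9 };
    }
};

// Fixed path on a graph that is NOT in SSA form (phiChildren == nullptr).
StructureSet fixedResultOutsideSSA() {
    Sample s;
    assert(!s.graph.phiChildren);
    return materializeSetFromNode(s.graph, &s.materialize);
}

// In SSA form both strategies agree, which is why the old code looked fine
// while MaterializeNewObject was only produced by allocation sinking.
bool fixedAgreesWithPhiWalkInSSA() {
    Sample s;
    s.graph.transitionToSSA();
    return materializeSetFromPhis(s.graph, &s.materialize)
        == materializeSetFromNode(s.graph, &s.materialize);
}
```

The design point is the assertion in the phi-walking path: a precondition on a phase-dependent pointer turns a finding that otherwise only a sanitizer sees into a deterministic failure in debug builds, while reading the node-carried set removes the dependency on graph form altogether.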

Location:
trunk/Source/JavaScriptCore
Files:
2 edited

  • trunk/Source/JavaScriptCore/ChangeLog

    r205520 r205522  
     12016-09-06  Saam Barati  <sbarati@apple.com>
     2
     3        Member call on NULL pointer in JavaScriptCore/dfg/DFGAbstractInterpretterInlines.h
     4        https://bugs.webkit.org/show_bug.cgi?id=160870
     5
     6        Reviewed by Darin Adler.
     7
     8        Credit goes to Jonathan Bedard for finding this bug using the undefined
     9        behavior sanitizer.
     10
     11        The rule for MaterializeNewObject inside AI was assuming that the graph
     12        is in SSA form. This used to be true when MaterializeNewObject was only
     13        inserted by the allocation sinking phase. However, Filip added more uses
     14        of MaterializeNewObject in his RegExp constant folding patch. This fixes
     15        the bug by using the structure set inside the Node's OpInfo rather than
     16        generating it from m_phiChildren inside AI.
     17
     18        * dfg/DFGAbstractInterpreterInlines.h:
     19        (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
     20
    1212016-09-06  Saam Barati  <sbarati@apple.com>
    222
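Review bot: the entry title at line 3 still spells the file as DFGAbstractInterpretterInlines.h (carried over from the bug title) while the bullet at line 18 names dfg/DFGAbstractInterpreterInlines.h; since ChangeLog titles are what people grep for, the correct file name belongs in the title, with the bug's wording kept only via the URL on line 4. The entry also lists no test: the description says MaterializeNewObject now reaches AI outside SSA form through the RegExp constant folding path, so a regression test driving that path (or a sentence explaining why the UBSan run is the only coverage) would document what this change actually fixes.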
  • trunk/Source/JavaScriptCore/dfg/DFGAbstractInterpreterInlines.h

    r205520 r205522  
    19661966       
    19671967    case MaterializeNewObject: {
    1968         StructureSet set;
    1969        
    1970         m_phiChildren->forAllTransitiveIncomingValues(
    1971             m_graph.varArgChild(node, 0).node(),
    1972             [&] (Node* incoming) {
    1973                 set.add(incoming->castConstant<Structure*>());
    1974             });
    1975        
    1976         forNode(node).set(m_graph, set);
     1968        forNode(node).set(m_graph, node->structureSet());
    19771969        break;
    19781970    }
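Review bot: the replacement at line 1968 removes the only use of m_phiChildren in this case, but nothing in the hunk records why the phi-based recomputation was wrong (per the message, m_phiChildren is only populated once the graph is in SSA form, and MaterializeNewObject can now appear earlier). A one-line comment on the case stating that the node's OpInfo structure set is the source of truth regardless of graph form would stop a future contributor from reintroducing the phi walk; and if the node-carried set is expected to be non-empty here, an assertion on it would turn a silently empty abstract value into a debug-build failure rather than a mis-folded object.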