Context Navigation

← Previous Changeset
Next Changeset →

Changeset 225844 in webkit

Timestamp:

Dec 13, 2017 9:19:24 AM (6 years ago)

Author:

sbarati@apple.com

Message:

TypeCheckHoistingPhase needs to emit a CheckStructureOrEmpty if it's doing it for |this|
https://bugs.webkit.org/show_bug.cgi?id=180734
<rdar://problem/35640547>

Reviewed by Yusuke Suzuki.

JSTests:

stress/type-check-hoisting-phase-hoist-check-structure-on-tdz-this-value.js: Added.

(isPropertyOfType):
(getProperties):
(getObjects):
(getRandomObject):
(theClass.):
(theClass):
(childClass):
(counter.catch):

Source/JavaScriptCore:

The |this| value may be TDZ. If type check hoisting phase
hoists a CheckStructure to it, it will crash. This patch
makes it so we emit CheckStructureOrEmpty for |this|.

dfg/DFGTypeCheckHoistingPhase.cpp:

(JSC::DFG::TypeCheckHoistingPhase::run):

Location:

trunk

Files:

: 1 added
: 3 edited

JSTests/ChangeLog (modified) (1 diff)
JSTests/stress/type-check-hoisting-phase-hoist-check-structure-on-tdz-this-value.js (added)
Source/JavaScriptCore/ChangeLog (modified) (1 diff)
Source/JavaScriptCore/dfg/DFGTypeCheckHoistingPhase.cpp (modified) (1 diff)

Legend:

: Unmodified
: Added
: Removed

trunk/JSTests/ChangeLog

-                      r225834
+                      r225844
+-12-13  Saam Barati  <sbarati@apple.com>
+        TypeCheckHoistingPhase needs to emit a CheckStructureOrEmpty if it's doing it for |this|
+        https://bugs.webkit.org/show_bug.cgi?id=180734
+        <rdar://problem/35640547>
+        Reviewed by Yusuke Suzuki.
+        * stress/type-check-hoisting-phase-hoist-check-structure-on-tdz-this-value.js: Added.
+        (__isPropertyOfType):
+        (__getProperties):
+        (__getObjects):
+        (__getRandomObject):
+        (theClass.):
+        (theClass):
+        (childClass):
+        (counter.catch):
 -12-12  Saam Barati  <sbarati@apple.com>

trunk/Source/JavaScriptCore/ChangeLog

-                      r225840
+                      r225844
+-12-13  Saam Barati  <sbarati@apple.com>
+        TypeCheckHoistingPhase needs to emit a CheckStructureOrEmpty if it's doing it for |this|
+        https://bugs.webkit.org/show_bug.cgi?id=180734
+        <rdar://problem/35640547>
+        Reviewed by Yusuke Suzuki.
+        The |this| value may be TDZ. If type check hoisting phase
+        hoists a CheckStructure to it, it will crash. This patch
+        makes it so we emit CheckStructureOrEmpty for |this|.
+        * dfg/DFGTypeCheckHoistingPhase.cpp:
+        (JSC::DFG::TypeCheckHoistingPhase::run):
 -12-12  Yusuke Suzuki  <utatane.tea@gmail.com>

trunk/Source/JavaScriptCore/dfg/DFGTypeCheckHoistingPhase.cpp

-                      r225307
+                      r225844
                         OpInfo(variable), Edge(node));
                     if (iter->value.m_structure) {
+                        auto checkOp = CheckStructure;
+                        VirtualRegister local = node->variableAccessData()->local();
+                        auto* inlineCallFrame = node->origin.semantic.inlineCallFrame;
+                        if ((local - (inlineCallFrame ? inlineCallFrame->stackOffset : 0)) == virtualRegisterForArgument(0)) {
+                            // |this| can be the TDZ value. The call entrypoint won't have |this| as TDZ,
+                            // but a catch or a loop OSR entry may have |this| be TDZ.
+                            checkOp = CheckStructureOrEmpty;
+                        }
                         insertionSet.insertNode(
                             indexInBlock + 1, SpecNone, CheckStructure, origin,
+                            indexInBlock + 1, SpecNone, checkOp, origin,
                             OpInfo(m_graph.addStructureSet(iter->value.m_structure)),
                             Edge(getLocal, CellUse));

Note: See TracChangeset for help on using the changeset viewer.