Changeset 231990 in webkit


Timestamp:
May 18, 2018 4:16:09 PM (6 years ago)
Author:
keith_miller@apple.com
Message:

op_in should mark if it sees out of bounds accesses
https://bugs.webkit.org/show_bug.cgi?id=185792

Reviewed by Filip Pizlo.

JSTests:

  • stress/has-indexed-property-array-storage-ftl.js:

(test2):

  • stress/has-indexed-property-slow-put-array-storage-ftl.js:

(test2):

Source/JavaScriptCore:

This used to cause us to OSR loop since we would always speculate
we were in bounds in HasIndexedProperty.

  • bytecode/ArrayProfile.cpp:

(JSC::ArrayProfile::observeIndexedRead):

  • bytecode/ArrayProfile.h:
  • runtime/CommonSlowPaths.h:

(JSC::CommonSlowPaths::opIn):

Location:
trunk
Files:
7 edited

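--- a/trunk/JSTests/ChangeLog
+++ b/trunk/JSTests/ChangeLog
@@ -1,2 +1,14 @@
+2018-05-18  Keith Miller  <keith_miller@apple.com>
+
+        op_in should mark if it sees out of bounds accesses
+        https://bugs.webkit.org/show_bug.cgi?id=185792
+
+        Reviewed by Filip Pizlo.
+
+        * stress/has-indexed-property-array-storage-ftl.js:
+        (test2):
+        * stress/has-indexed-property-slow-put-array-storage-ftl.js:
+        (test2):
+
 2018-05-18  Mark Lam  <mark.lam@apple.com>
 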
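--- a/trunk/JSTests/stress/has-indexed-property-array-storage-ftl.js
+++ b/trunk/JSTests/stress/has-indexed-property-array-storage-ftl.js
@@ -33,9 +33,9 @@
 {
     didFTLCompile = ftlTrue();
-    return 2 in array;
+    return 13 in array;
 }
 noInline(test2);
 
-var array1 = [1, 2, 3, 4];
+var array1 = [1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14];
 ensureArrayStorage(array1);
 var array2 = [1, 2];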
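--- a/trunk/JSTests/stress/has-indexed-property-slow-put-array-storage-ftl.js
+++ b/trunk/JSTests/stress/has-indexed-property-slow-put-array-storage-ftl.js
@@ -44,9 +44,9 @@
 {
     didFTLCompile = ftlTrue();
-    return 2 in array;
+    return 9 in array;
 }
 noInline(test2);
 
-var array1 = [1, 2, 3, 4];
+var array1 = [1, 2, 3, 4, 5, 6, 7, 8, 9, 10];
 array1.__proto__ = object;
 ensureArrayStorage(array1);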
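--- a/trunk/Source/JavaScriptCore/ChangeLog
+++ b/trunk/Source/JavaScriptCore/ChangeLog
@@ -1,2 +1,18 @@
+2018-05-18  Keith Miller  <keith_miller@apple.com>
+
+        op_in should mark if it sees out of bounds accesses
+        https://bugs.webkit.org/show_bug.cgi?id=185792
+
+        Reviewed by Filip Pizlo.
+
+        This would used to cause us to OSR loop since we would always speculate
+        we were in bounds in HasIndexedProperty.
+
+        * bytecode/ArrayProfile.cpp:
+        (JSC::ArrayProfile::observeIndexedRead):
+        * bytecode/ArrayProfile.h:
+        * runtime/CommonSlowPaths.h:
+        (JSC::CommonSlowPaths::opIn):
+
 2018-05-18  Mark Lam  <mark.lam@apple.com>
 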
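--- a/trunk/Source/JavaScriptCore/bytecode/ArrayProfile.cpp
+++ b/trunk/Source/JavaScriptCore/bytecode/ArrayProfile.cpp
@@ -122,4 +122,21 @@
 }
 
+void ArrayProfile::observeIndexedRead(VM& vm, JSCell* cell, unsigned index)
+{
+    m_lastSeenStructureID = cell->structureID();
+
+    if (JSObject* object = jsDynamicCast<JSObject*>(vm, cell)) {
+        if (hasAnyArrayStorage(object->indexingType()) && index >= object->getVectorLength())
+            setOutOfBounds();
+        else if (index >= object->getArrayLength())
+            setOutOfBounds();
+    }
+
+    if (JSString* string = jsDynamicCast<JSString*>(vm, cell)) {
+        if (index >= string->length())
+            setOutOfBounds();
+    }
+}
+
 CString ArrayProfile::briefDescription(const ConcurrentJSLocker& locker, CodeBlock* codeBlock)
 {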
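Review bot: In observeIndexedRead both arms of the JSObject check (new lines 129-132) call setOutOfBounds(), so the if/else-if presents a single predicate as two outcomes; it can be collapsed to `if ((hasAnyArrayStorage(object->indexingType()) && index >= object->getVectorLength()) || index >= object->getArrayLength()) setOutOfBounds();`, which evaluates the same calls in the same order and makes the rule — at or past either the vector length or the array length is out of bounds — visible at a glance. The JSString block that follows can be `else if`, since a JSString is not a JSObject and the two casts cannot both succeed. A one-line comment above the definition would also help the next reader, e.g. `// Profiling hook for op_in's slow path: records the cell's structure and marks the profile out-of-bounds so the optimizing tiers stop speculating in-bounds for HasIndexedProperty.`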
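--- a/trunk/Source/JavaScriptCore/bytecode/ArrayProfile.h
+++ b/trunk/Source/JavaScriptCore/bytecode/ArrayProfile.h
@@ -215,9 +215,11 @@
         m_lastSeenStructureID = structure->id();
     }
-   
+
     void computeUpdatedPrediction(const ConcurrentJSLocker&, CodeBlock*);
     void computeUpdatedPrediction(const ConcurrentJSLocker&, CodeBlock*, Structure* lastSeenStructure);
    
     void observeArrayMode(ArrayModes mode) { m_observedArrayModes |= mode; }
+    void observeIndexedRead(VM&, JSCell*, unsigned index);
+
     ArrayModes observedArrayModes(const ConcurrentJSLocker&) const { return m_observedArrayModes; }
     bool mayInterceptIndexedAccesses(const ConcurrentJSLocker&) const { return m_mayInterceptIndexedAccesses; }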
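Review bot: The new observeIndexedRead declaration (new line 222) takes no ConcurrentJSLocker&, unlike the two accessors right below it, yet its definition in ArrayProfile.cpp writes m_lastSeenStructureID and calls setOutOfBounds(). If that is deliberate because it runs only on the mutator, like observeArrayMode on the line above, a comment would spare readers the question, e.g. `// Mutator-side profiling hook; no locker needed, same as observeArrayMode.` Line 220 still carries trailing whitespace while the commit trims it from line 217.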
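--- a/trunk/Source/JavaScriptCore/runtime/CommonSlowPaths.h
+++ b/trunk/Source/JavaScriptCore/runtime/CommonSlowPaths.h
@@ -101,4 +101,6 @@
     uint32_t i;
     if (propName.getUInt32(i)) {
+        if (arrayProfile)
+            arrayProfile->observeIndexedRead(vm, baseObj, i);
         scope.release();
         return baseObj->hasProperty(exec, i);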
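Review bot: The profile is only updated on the getUInt32 branch, so a property name that does not parse as a uint32 index never reaches observeIndexedRead; that matches the profile's purpose but is worth stating at new line 103, e.g. `// Index-shaped names only: record OOB so the DFG/FTL stop speculating in-bounds (webkit.org/b/185792).` The null check on arrayProfile implies some callers pass none; opIn's signature and the rest of its body are outside the hunk, so where vm and arrayProfile come from could not be confirmed here.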