Changeset 241968 in webkit


Ignore:
Timestamp:
Feb 22, 2019 4:05:11 PM (5 years ago)
Author:
rmorisset@apple.com
Message:

DFGBytecodeParser should not declare that a node won't clobberExit if DFGFixupPhase can later declare it does clobberExit
https://bugs.webkit.org/show_bug.cgi?id=194953
<rdar://problem/47595253>

Reviewed by Saam Barati.

JSTests:

I could not make this work without the infinite loop, so I am using a watchdog to be able to use it as a regression test.

  • stress/has-indexed-property-with-worsening-array-mode.js: Added.

Source/JavaScriptCore:

For each node that
(a) may or may not clobberExit depending on their arrayMode
(b) and get their arrayMode from profiling information in DFGBytecodeParser
(c) and can have their arrayMode refined by DFGFixupPhase,
We must make sure to be conservative in the DFGBytecodeParser and treat it as if it unconditionnally clobbered the exit.
Otherwise we will hit a validation failure after fixup if the next node was marked ExitValid and exits to the same semantic origin.

The list of nodes that fit (a) is:

  • StringCharAt
  • HasIndexProperty
  • GetByVal
  • PutByValDirect
  • PutByVal
  • PutByValAlias
  • GetIndexedPropertyStorage

Out of these, the following also fit (b) and (c):

  • HasIndexedProperty
  • GetByVal
  • PutByValDirect
  • PutByVal

GetByVal already had "m_exitOK = false; GetByVal must be treated as if it clobbers exit state, since FixupPhase may make it generic."
So we just have to fix the other three the same way.

  • dfg/DFGByteCodeParser.cpp:

(JSC::DFG::ByteCodeParser::parseBlock):
(JSC::DFG::ByteCodeParser::handlePutByVal):

Location:
trunk
Files:
1 added
3 edited

Legend:

Unmodified
Added
Removed

  • trunk/JSTests/ChangeLog

    r241787 r241968  
     12019-02-22  Robin Morisset  <rmorisset@apple.com>
     2
     3        DFGBytecodeParser should not declare that a node won't clobberExit if DFGFixupPhase can later declare it does clobberExit
     4        https://bugs.webkit.org/show_bug.cgi?id=194953
     5        <rdar://problem/47595253>
     6
     7        Reviewed by Saam Barati.
     8
     9        I could not make this work without the infinite loop, so I am using a watchdog to be able to use it as a regression test.
     10
     11        * stress/has-indexed-property-with-worsening-array-mode.js: Added.
     12
    1132019-02-19  Joseph Pecoraro  <pecoraro@apple.com>
    214

  • trunk/Source/JavaScriptCore/ChangeLog

    r241964 r241968  
     12019-02-22  Robin Morisset  <rmorisset@apple.com>
     2
     3        DFGBytecodeParser should not declare that a node won't clobberExit if DFGFixupPhase can later declare it does clobberExit
     4        https://bugs.webkit.org/show_bug.cgi?id=194953
     5        <rdar://problem/47595253>
     6
     7        Reviewed by Saam Barati.
     8
     9        For each node that
     10        (a) may or may not clobberExit depending on their arrayMode
     11        (b) and get their arrayMode from profiling information in DFGBytecodeParser
     12        (c) and can have their arrayMode refined by DFGFixupPhase,
     13        We must make sure to be conservative in the DFGBytecodeParser and treat it as if it unconditionnally clobbered the exit.
     14        Otherwise we will hit a validation failure after fixup if the next node was marked ExitValid and exits to the same semantic origin.
     15
     16        The list of nodes that fit (a) is:
     17        - StringCharAt
     18        - HasIndexProperty
     19        - GetByVal
     20        - PutByValDirect
     21        - PutByVal
     22        - PutByValAlias
     23        - GetIndexedPropertyStorage
     24
     25        Out of these, the following also fit (b) and (c):
     26        - HasIndexedProperty
     27        - GetByVal
     28        - PutByValDirect
     29        - PutByVal
     30
     31        GetByVal already had "m_exitOK = false; // GetByVal must be treated as if it clobbers exit state, since FixupPhase may make it generic."
     32        So we just have to fix the other three the same way.
     33
     34        * dfg/DFGByteCodeParser.cpp:
     35        (JSC::DFG::ByteCodeParser::parseBlock):
     36        (JSC::DFG::ByteCodeParser::handlePutByVal):
     37
    1382019-02-22  Robin Morisset  <rmorisset@apple.com>
    239

  • trunk/Source/JavaScriptCore/dfg/DFGByteCodeParser.cpp

    r241228 r241968  
    68356835            addVarArgChild(nullptr);
    68366836            Node* hasIterableProperty = addToGraph(Node::VarArg, HasIndexedProperty, OpInfo(arrayMode.asWord()), OpInfo(static_cast<uint32_t>(PropertySlot::InternalMethodType::GetOwnProperty)));
     6837            m_exitOK = false; // HasIndexedProperty must be treated as if it clobbers exit state, since FixupPhase may make it generic.
    68376838            set(bytecode.m_dst, hasIterableProperty);
    68386839            NEXT_OPCODE(op_has_indexed_property);
     
    72137214        addVarArgChild(0); // Leave room for length.
    72147215        addToGraph(Node::VarArg, isDirect ? PutByValDirect : PutByVal, OpInfo(arrayMode.asWord()), OpInfo(0));
     7216        m_exitOK = false; // PutByVal and PutByValDirect must be treated as if they clobber exit state, since FixupPhase may make them generic.
    72157217    }
    72167218}
Note: See TracChangeset for help on using the changeset viewer.