Changeset 244314 in webkit


Timestamp:
Apr 15, 2019 5:39:26 PM (5 years ago)
Author:
sbarati@apple.com
Message:

SafeToExecute for GetByOffset/GetGetterByOffset/PutByOffset is using the wrong child for the base
https://bugs.webkit.org/show_bug.cgi?id=196945
<rdar://problem/49802750>

Reviewed by Filip Pizlo.

JSTests:

  • stress/get-by-offset-should-use-correct-child.js: Added.

(foo.bar):
(foo):

Source/JavaScriptCore:

  • dfg/DFGSafeToExecute.h:

(JSC::DFG::safeToExecute):

Location:
trunk
Files:
1 added
3 edited

  • trunk/JSTests/ChangeLog

    r244313 r244314  
     12019-04-15  Saam barati  <sbarati@apple.com>
     2
     3        SafeToExecute for GetByOffset/GetGetterByOffset/PutByOffset is using the wrong child for the base
     4        https://bugs.webkit.org/show_bug.cgi?id=196945
     5        <rdar://problem/49802750>
     6
     7        Reviewed by Filip Pizlo.
     8
     9        * stress/get-by-offset-should-use-correct-child.js: Added.
     10        (foo.bar):
     11        (foo):
     12
    1132019-04-15  Robin Morisset  <rmorisset@apple.com>
    214
  • trunk/Source/JavaScriptCore/ChangeLog

    r244313 r244314  
     12019-04-15  Saam barati  <sbarati@apple.com>
     2
     3        SafeToExecute for GetByOffset/GetGetterByOffset/PutByOffset is using the wrong child for the base
     4        https://bugs.webkit.org/show_bug.cgi?id=196945
     5        <rdar://problem/49802750>
     6
     7        Reviewed by Filip Pizlo.
     8
     9        * dfg/DFGSafeToExecute.h:
     10        (JSC::DFG::safeToExecute):
     11
    1122019-04-15  Robin Morisset  <rmorisset@apple.com>
    213
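Review bot: The Source/JavaScriptCore ChangeLog entry lists dfg/DFGSafeToExecute.h and (JSC::DFG::safeToExecute) with no description under either. The title says the wrong child was used for the base, so one sentence naming which child holds the base for GetByOffset/GetGetterByOffset/PutByOffset, and which operand safeToExecute was inspecting before, would let a later reader judge the impact without opening the bug.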
  • trunk/Source/JavaScriptCore/dfg/DFGSafeToExecute.h

    r244193 r244314  
    546546        // structure that has a type proof, then the next case below will deal with it.
    547547        if (state.structureClobberState() == StructuresAreWatched) {
    548             if (JSObject* knownBase = node->child1()->dynamicCastConstant<JSObject*>(graph.m_vm)) {
     548            if (JSObject* knownBase = node->child2()->dynamicCastConstant<JSObject*>(graph.m_vm)) {
    549549                if (graph.isSafeToLoad(knownBase, offset))
    550550                    return true;
     
    552552        }
    553553       
    554         StructureAbstractValue& value = state.forNode(node->child1()).m_structure;
     554        StructureAbstractValue& value = state.forNode(node->child2()).m_structure;
    555555        if (value.isInfinite())
    556556            return false;
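Review bot: The base operand is now spelled node->child2() in two separate places, at line 548 (the dynamicCastConstant<JSObject*> check) and at line 554 (state.forNode(...).m_structure), so the two can drift apart again. Consider binding the base edge to one named local used by both, or adding a short comment above line 548 stating which child is the base for these node types, so the constant-base path and the structure-set path are guaranteed to inspect the same edge. The stress test named in the JSTests ChangeLog is not shown on this page; it is worth confirming that it reaches both paths.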