Changeset 248185 in webkit
- Timestamp:
- Aug 2, 2019 3:20:54 PM (5 years ago)
- Location:
- trunk
- Files:
-
- 1 added
- 3 edited
trunk/JSTests/ChangeLog
r248149 r248185 1 2019-08-02 Yusuke Suzuki <ysuzuki@apple.com> 2 3 [JSC] LazyJSValue should be robust for empty JSValue 4 https://bugs.webkit.org/show_bug.cgi?id=200388 5 6 Reviewed by Saam Barati. 7 8 * stress/switch-constant-child-becomes-empty.js: Added. 9 (foo): 10 1 11 2019-08-01 Yusuke Suzuki <ysuzuki@apple.com> 2 12 -
trunk/Source/JavaScriptCore/ChangeLog
r248179 r248185 1 2019-08-02 Yusuke Suzuki <ysuzuki@apple.com> 2 3 [JSC] LazyJSValue should be robust for empty JSValue 4 https://bugs.webkit.org/show_bug.cgi?id=200388 5 6 Reviewed by Saam Barati. 7 8 If the Switch DFG node is preceded by ForceOSRExit or something that invalidates the basic block, 9 it can take a FrozenValue as a child which includes empty value instead of string, number etc. 10 If this Switch node is kept and we reached to DFGCFGSimplificationPhase, it will use this FrozenValue. 11 However, LazyJSValue using this FrozenValue strongly assumes that FrozenValue is never holding empty value. 12 But this assumption is wrong. This patch makes LazyJSValue robust for empty value. 13 14 * dfg/DFGLazyJSValue.cpp: 15 (JSC::DFG::LazyJSValue::tryGetStringImpl const): 16 (JSC::DFG::LazyJSValue::tryGetString const): 17 (JSC::DFG::LazyJSValue::strictEqual const): 18 (JSC::DFG::LazyJSValue::switchLookupValue const): 19 1 20 2019-08-02 Devin Rousso <drousso@apple.com> 2 21 -
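--- a/trunk/Source/JavaScriptCore/dfg/DFGLazyJSValue.cpp
+++ b/trunk/Source/JavaScriptCore/dfg/DFGLazyJSValue.cpp
@@ -101,7 +101,9 @@
         return nullptr;
 
-    default:
+    case SingleCharacterString:
         return nullptr;
     }
+    RELEASE_ASSERT_NOT_REACHED();
+    return nullptr;
 }
 
@@ -115,5 +117,6 @@
         return String(&u.character, 1);
 
-    default:
+    case KnownValue:
+    case KnownStringImpl:
         if (const StringImpl* string = tryGetStringImpl(graph.m_vm)) {
             unsigned ginormousStringLength = 10000;
@@ -129,4 +132,6 @@
         return String();
     }
+    RELEASE_ASSERT_NOT_REACHED();
+    return String();
 }
 
@@ -136,11 +141,20 @@
     case KnownValue:
         switch (other.m_kind) {
-        case KnownValue:
+        case KnownValue: {
+            if (!value()->value() || !other.value()->value())
+                return value()->value() == other.value()->value() ? TrueTriState : FalseTriState;
             return JSValue::pureStrictEqual(value()->value(), other.value()->value());
-        case SingleCharacterString:
+        }
+        case SingleCharacterString: {
+            if (!value()->value())
+                return FalseTriState;
             return equalToSingleCharacter(value()->value(), other.character());
+        }
         case KnownStringImpl:
-        case NewStringImpl:
+        case NewStringImpl: {
+            if (!value()->value())
+                return FalseTriState;
             return equalToStringImpl(value()->value(), other.stringImpl());
+        }
         }
         break;
@@ -154,5 +168,5 @@
             return FalseTriState;
         return triState(other.stringImpl()->at(0) == character());
-    default:
+    case KnownValue:
         return other.strictEqual(*this);
     }
@@ -164,5 +178,6 @@
     case NewStringImpl:
         return triState(WTF::equal(stringImpl(), other.stringImpl()));
-    default:
+    case SingleCharacterString:
+    case KnownValue:
         return other.strictEqual(*this);
     }
@@ -182,7 +197,11 @@
     switch (kind) {
     case SwitchImm:
-        return value()->value().asInt32();
+        if (value()->value())
+            return value()->value().asInt32();
+        return 0;
     case SwitchCell:
-        return bitwise_cast<uintptr_t>(value()->value().asCell());
+        if (value()->value())
+            return bitwise_cast<uintptr_t>(value()->value().asCell());
+        return 0;
     default:
         RELEASE_ASSERT_NOT_REACHED();
@@ -197,8 +216,11 @@
         return 0;
     }
-    default:
+    case KnownStringImpl:
+    case NewStringImpl:
         RELEASE_ASSERT_NOT_REACHED();
         return 0;
     }
+    RELEASE_ASSERT_NOT_REACHED();
+    return 0;
 }
 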
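Review bot: In switchLookupValue, the new SwitchImm and SwitchCell branches (new lines 199–205) return 0 for an empty KnownValue, and nothing at that point distinguishes the placeholder from a constant that is genuinely 0 or a null cell; per the ChangeLog this state only arises in a block already invalidated by ForceOSRExit, so that invariant should be stated where the 0 is returned, e.g. `// Empty only occurs in an unreachable block (ForceOSRExit); 0 is a placeholder, not a real switch key.` The same applies to strictEqual's KnownValue/KnownValue case (new line 144), which now reports two empty values as TrueTriState by comparing the raw JSValues; a one-line comment there would make clear this is deliberate rather than an accidental bit comparison. Both enclosing functions begin and end outside the hunk.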