Context Navigation

← Previous Changeset
Next Changeset →

Changeset 248271 in webkit

Timestamp:

Aug 5, 2019 1:02:51 PM (5 years ago)

Author:

msaboff@apple.com

Message:

JSC: assertion failure in SpeculativeJIT::compileGetByValOnIntTypedArray
https://bugs.webkit.org/show_bug.cgi?id=199997

Reviewed by Saam Barati.

JSTests:

New test.

stress/typedarray-no-alreadyChecked-assert.js: Added.

(checkIntArray):
(checkFloatArray):

Source/JavaScriptCore:

No need to ASSERT(node->arrayMode().alreadyChecked(...)) in SpeculativeJIT::compileGetByValOnIntTypedArray()
and compileGetByValOnFloatTypedArray() as the abstract interpreter is conservative and can insert a
CheckStructureOrEmpty which will fail the ASSERT as it checks for the SpecType of the array
and not for SpecEmpty. If we added a check for the SpecEmpty in the ASSERT, there are cases where
it won't be set.

dfg/DFGSpeculativeJIT.cpp:

(JSC::DFG::SpeculativeJIT::compileGetByValOnIntTypedArray):
(JSC::DFG::SpeculativeJIT::compileGetByValOnFloatTypedArray):

Location:

trunk

Files:

: 1 added
: 3 edited

JSTests/ChangeLog (modified) (1 diff)
JSTests/stress/typedarray-no-alreadyChecked-assert.js (added)
Source/JavaScriptCore/ChangeLog (modified) (1 diff)
Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp (modified) (2 diffs)

Legend:

: Unmodified
: Added
: Removed

trunk/JSTests/ChangeLog

-                      r248187
+                      r248271
+-08-05  Michael Saboff  <msaboff@apple.com>
+        JSC: assertion failure in SpeculativeJIT::compileGetByValOnIntTypedArray
+        https://bugs.webkit.org/show_bug.cgi?id=199997
+        Reviewed by Saam Barati.
+        New test.
+        * stress/typedarray-no-alreadyChecked-assert.js: Added.
+        (checkIntArray):
+        (checkFloatArray):
 -08-02  Yusuke Suzuki  <ysuzuki@apple.com>

trunk/Source/JavaScriptCore/ChangeLog

-                      r248201
+                      r248271
+-08-05  Michael Saboff  <msaboff@apple.com>
+        JSC: assertion failure in SpeculativeJIT::compileGetByValOnIntTypedArray
+        https://bugs.webkit.org/show_bug.cgi?id=199997
+        Reviewed by Saam Barati.
+        No need to ASSERT(node->arrayMode().alreadyChecked(...)) in SpeculativeJIT::compileGetByValOnIntTypedArray()
+        and compileGetByValOnFloatTypedArray() as the abstract interpreter is conservative and can insert a
+        CheckStructureOrEmpty which will fail the ASSERT as it checks for the SpecType of the array
+        and not for SpecEmpty.  If we added a check for the SpecEmpty in the ASSERT, there are cases where
+        it won't be set.
+        * dfg/DFGSpeculativeJIT.cpp:
+        (JSC::DFG::SpeculativeJIT::compileGetByValOnIntTypedArray):
+        (JSC::DFG::SpeculativeJIT::compileGetByValOnFloatTypedArray):
 -08-03  Devin Rousso  <drousso@apple.com>

trunk/Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp

-                      r248192
+                      r248271
     GPRReg resultReg = result.gpr();
-    ASSERT(node->arrayMode().alreadyChecked(m_jit.graph(), node, m_state.forNode(m_graph.varArgChild(node, 0))));
     emitTypedArrayBoundsCheck(node, baseReg, propertyReg);
     loadFromIntTypedArray(storageReg, propertyReg, resultReg, type);
 …
     GPRReg propertyReg = property.gpr();
     GPRReg storageReg = storage.gpr();
-    ASSERT(node->arrayMode().alreadyChecked(m_jit.graph(), node, m_state.forNode(m_graph.varArgChild(node, 0))));
     FPRTemporary result(this);

Note: See TracChangeset for help on using the changeset viewer.