Changeset 254434 in webkit
- Timestamp:
- Jan 13, 2020 9:19:56 AM (4 years ago)
- Location:
- trunk
- Files:
-
- 1 added
- 4 edited
-
JSTests/ChangeLog (modified) (1 diff)
-
JSTests/stress/check-neutered-clobberize-reads-jstype.js (added)
-
Source/JavaScriptCore/ChangeLog (modified) (1 diff)
-
Source/JavaScriptCore/dfg/DFGAbstractInterpreterInlines.h (modified) (1 diff)
-
Source/JavaScriptCore/dfg/DFGClobberize.h (modified) (1 diff)
Legend:
- Unmodified
- Added
- Removed
-
trunk/JSTests/ChangeLog
r254420 r254434 1 2020-01-11 Keith Miller <keith_miller@apple.com> 2 3 CheckNeutered needs to claim it reads JSType in clobberize. 4 https://bugs.webkit.org/show_bug.cgi?id=206136 5 6 Reviewed by Yusuke Suzuki. 7 8 * stress/check-neutered-clobberize-reads-jstype.js: Added. 9 (foo): 10 1 11 2020-01-12 Yusuke Suzuki <ysuzuki@apple.com> 2 12 -
trunk/Source/JavaScriptCore/ChangeLog
r254420 r254434 1 2020-01-11 Keith Miller <keith_miller@apple.com> 2 3 CheckNeutered needs to claim it reads JSType in clobberize. 4 https://bugs.webkit.org/show_bug.cgi?id=206136 5 6 Reviewed by Yusuke Suzuki. 7 8 CheckNeutered needs to read JSType otherwise it can get hoisted 9 past the TypedArray check guarding it. 10 11 * dfg/DFGAbstractInterpreterInlines.h: 12 (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects): 13 * dfg/DFGClobberize.h: 14 (JSC::DFG::clobberize): 15 1 16 2020-01-12 Yusuke Suzuki <ysuzuki@apple.com> 2 17 -
trunk/Source/JavaScriptCore/dfg/DFGAbstractInterpreterInlines.h
r254252 r254434 3362 3362 3363 3363 case CheckNeutered: { 3364 DFG_ASSERT(m_graph, node, speculationChecked(forNode(node->child1()).m_type, SpecTypedArrayView)); 3364 3365 break; 3365 3366 } -
trunk/Source/JavaScriptCore/dfg/DFGClobberize.h
r254252 r254434 1103 1103 1104 1104 case CheckNeutered: 1105 read(JSCell_typeInfoType); 1106 read(JSCell_structureID); 1105 1107 read(MiscFields); 1106 1108 return;
Note: See TracChangeset
for help on using the changeset viewer.
