Diff
Modified: trunk/JSTests/ChangeLog (226208 => 226209)
--- trunk/JSTests/ChangeLog 2017-12-21 01:54:46 UTC (rev 226208)
+++ trunk/JSTests/ChangeLog 2017-12-21 01:58:28 UTC (rev 226209)
@@ -1,3 +1,13 @@
+2017-12-19 Yusuke Suzuki <utatane....@gmail.com>
+
+ [JSC] Do not check isValid() in op_new_regexp
+ https://bugs.webkit.org/show_bug.cgi?id=180970
+
+ Reviewed by Saam Barati.
+
+ * stress/regexp-syntax-error-invalid-flags.js: Added.
+ (shouldThrow):
+
2017-12-18 Guillaume Emont <guijem...@igalia.com>
Skip stress/call-apply-exponential-bytecode-size.js unless x86-64 or arm64
Added: trunk/JSTests/stress/regexp-syntax-error-invalid-flags.js (0 => 226209)
--- trunk/JSTests/stress/regexp-syntax-error-invalid-flags.js (rev 0)
+++ trunk/JSTests/stress/regexp-syntax-error-invalid-flags.js 2017-12-21 01:58:28 UTC (rev 226209)
@@ -0,0 +1,23 @@
+function shouldThrow(func, errorMessage) {
+ var errorThrown = false;
+ var error = null;
+ try {
+ func();
+ } catch (e) {
+ errorThrown = true;
+ error = e;
+ }
+ if (!errorThrown)
+ throw new Error('not thrown');
+ if (String(error) !== errorMessage)
+ throw new Error(`bad error: ${String(error)}`);
+}
+
+function test()
+{
+ return /Hello/cocoa;
+}
+noInline(test);
+
+for (var i = 0; i < 1e4; ++i)
+ shouldThrow(test, `SyntaxError: Invalid regular _expression_: invalid flags`);
Modified: trunk/Source/_javascript_Core/ChangeLog (226208 => 226209)
--- trunk/Source/_javascript_Core/ChangeLog 2017-12-21 01:54:46 UTC (rev 226208)
+++ trunk/Source/_javascript_Core/ChangeLog 2017-12-21 01:58:28 UTC (rev 226209)
@@ -1,3 +1,24 @@
+2017-12-19 Yusuke Suzuki <utatane....@gmail.com>
+
+ [JSC] Do not check isValid() in op_new_regexp
+ https://bugs.webkit.org/show_bug.cgi?id=180970
+
+ Reviewed by Saam Barati.
+
+ We should not check `isValid()` inside op_new_regexp.
+ This simplifies the semantics of NewRegexp node in DFG.
+
+ * bytecompiler/NodesCodegen.cpp:
+ (JSC::RegExpNode::emitBytecode):
+ * dfg/DFGMayExit.cpp:
+ * dfg/DFGSpeculativeJIT.cpp:
+ (JSC::DFG::SpeculativeJIT::compileNewRegexp):
+ * ftl/FTLLowerDFGToB3.cpp:
+ (JSC::FTL::DFG::LowerDFGToB3::compileNewRegexp):
+ * jit/JITOperations.cpp:
+ * llint/LLIntSlowPaths.cpp:
+ (JSC::LLInt::LLINT_SLOW_PATH_DECL):
+
2017-12-20 Saam Barati <sbar...@apple.com>
GetPropertyEnumerator in DFG/FTL should not unconditionally speculate cell
Modified: trunk/Source/_javascript_Core/bytecompiler/NodesCodegen.cpp (226208 => 226209)
--- trunk/Source/_javascript_Core/bytecompiler/NodesCodegen.cpp 2017-12-21 01:54:46 UTC (rev 226208)
+++ trunk/Source/_javascript_Core/bytecompiler/NodesCodegen.cpp 2017-12-21 01:58:28 UTC (rev 226209)
@@ -141,8 +141,14 @@
RegisterID* RegExpNode::emitBytecode(BytecodeGenerator& generator, RegisterID* dst)
{
if (dst == generator.ignoredResult())
- return 0;
- return generator.emitNewRegExp(generator.finalDestination(dst), RegExp::create(*generator.vm(), m_pattern.string(), regExpFlags(m_flags.string())));
+ return nullptr;
+ RegExp* regExp = RegExp::create(*generator.vm(), m_pattern.string(), regExpFlags(m_flags.string()));
+ if (regExp->isValid())
+ return generator.emitNewRegExp(generator.finalDestination(dst), regExp);
+ const char* messageCharacters = regExp->errorMessage();
+ const Identifier& message = generator.parserArena().identifierArena().makeIdentifier(generator.vm(), bitwise_cast<const LChar*>(messageCharacters), strlen(messageCharacters));
+ generator.emitThrowStaticError(ErrorType::SyntaxError, message);
+ return generator.emitLoad(generator.finalDestination(dst), jsUndefined());
}
// ------------------------------ ThisNode -------------------------------------
Modified: trunk/Source/_javascript_Core/dfg/DFGMayExit.cpp (226208 => 226209)
--- trunk/Source/_javascript_Core/dfg/DFGMayExit.cpp 2017-12-21 01:54:46 UTC (rev 226208)
+++ trunk/Source/_javascript_Core/dfg/DFGMayExit.cpp 2017-12-21 01:58:28 UTC (rev 226209)
@@ -116,6 +116,7 @@
case NewAsyncFunction:
case NewAsyncGeneratorFunction:
case NewStringObject:
+ case NewRegexp:
case ToNumber:
result = ExitsForExceptions;
break;
Modified: trunk/Source/_javascript_Core/dfg/DFGSpeculativeJIT.cpp (226208 => 226209)
--- trunk/Source/_javascript_Core/dfg/DFGSpeculativeJIT.cpp 2017-12-21 01:54:46 UTC (rev 226208)
+++ trunk/Source/_javascript_Core/dfg/DFGSpeculativeJIT.cpp 2017-12-21 01:58:28 UTC (rev 226209)
@@ -9127,20 +9127,8 @@
void SpeculativeJIT::compileNewRegexp(Node* node)
{
RegExp* regexp = node->castOperand<RegExp*>();
+ ASSERT(regexp->isValid());
- // FIXME: If the RegExp is invalid, we should emit a different bytecode.
- // https://bugs.webkit.org/show_bug.cgi?id=180970
- if (!regexp->isValid()) {
- flushRegisters();
- GPRFlushedCallResult result(this);
-
- callOperation(operationNewRegexp, result.gpr(), regexp);
- m_jit.exceptionCheck();
-
- cellResult(result.gpr(), node);
- return;
- }
-
GPRTemporary result(this);
GPRTemporary scratch1(this);
GPRTemporary scratch2(this);
Modified: trunk/Source/_javascript_Core/ftl/FTLLowerDFGToB3.cpp (226208 => 226209)
--- trunk/Source/_javascript_Core/ftl/FTLLowerDFGToB3.cpp 2017-12-21 01:54:46 UTC (rev 226208)
+++ trunk/Source/_javascript_Core/ftl/FTLLowerDFGToB3.cpp 2017-12-21 01:58:28 UTC (rev 226209)
@@ -10270,19 +10270,8 @@
{
FrozenValue* regexp = m_node->cellOperand();
ASSERT(regexp->cell()->inherits(vm(), RegExp::info()));
+ ASSERT(m_node->castOperand<RegExp*>()->isValid());
- // FIXME: If the RegExp is invalid, we should emit a different bytecode.
- // https://bugs.webkit.org/show_bug.cgi?id=180970
- if (!m_node->castOperand<RegExp*>()->isValid()) {
- LValue result = vmCall(
- pointerType(),
- m_out.operation(operationNewRegexp), m_callFrame,
- frozenPointer(regexp));
-
- setJSValue(result);
- return;
- }
-
LBasicBlock slowCase = m_out.newBlock();
LBasicBlock continuation = m_out.newBlock();
Modified: trunk/Source/_javascript_Core/jit/JITOperations.cpp (226208 => 226209)
--- trunk/Source/_javascript_Core/jit/JITOperations.cpp 2017-12-21 01:54:46 UTC (rev 226208)
+++ trunk/Source/_javascript_Core/jit/JITOperations.cpp 2017-12-21 01:58:28 UTC (rev 226209)
@@ -1264,17 +1264,9 @@
SuperSamplerScope superSamplerScope(false);
VM& vm = exec->vm();
NativeCallFrameTracer tracer(&vm, exec);
- auto scope = DECLARE_THROW_SCOPE(vm);
RegExp* regexp = static_cast<RegExp*>(regexpPtr);
-
- // FIXME: If the RegExp is invalid, we should emit a different bytecode.
- // https://bugs.webkit.org/show_bug.cgi?id=180970
- if (!regexp->isValid()) {
- throwException(exec, scope, createSyntaxError(exec, regexp->errorMessage()));
- return nullptr;
- }
-
+ ASSERT(regexp->isValid());
return RegExpObject::create(vm, exec->lexicalGlobalObject()->regExpStructure(), regexp);
}
Modified: trunk/Source/_javascript_Core/llint/LLIntSlowPaths.cpp (226208 => 226209)
--- trunk/Source/_javascript_Core/llint/LLIntSlowPaths.cpp 2017-12-21 01:54:46 UTC (rev 226208)
+++ trunk/Source/_javascript_Core/llint/LLIntSlowPaths.cpp 2017-12-21 01:58:28 UTC (rev 226209)
@@ -552,11 +552,7 @@
{
LLINT_BEGIN();
RegExp* regExp = exec->codeBlock()->regexp(pc[2].u.operand);
-
- // FIXME: If the RegExp is invalid, we should emit a different bytecode.
- // https://bugs.webkit.org/show_bug.cgi?id=180970
- if (!regExp->isValid())
- LLINT_THROW(createSyntaxError(exec, regExp->errorMessage()));
+ ASSERT(regExp->isValid());
LLINT_RETURN(RegExpObject::create(vm, exec->lexicalGlobalObject()->regExpStructure(), regExp));
}