Title: [281473] trunk
- Revision
- 281473
- Author
- sbar...@apple.com
- Date
- 2021-08-23 14:44:19 -0700 (Mon, 23 Aug 2021)
Log Message
compileEnumeratorHasProperty uses flushRegisters incorrectly
https://bugs.webkit.org/show_bug.cgi?id=229412
<rdar://82020767>
Reviewed by Keith Miller.
JSTests:
* stress/for-in-has-own-property-shouldnt-flush-registers.js: Added.
(foo):
* stress/for-in-in-by-val-shouldnt-flush-registers.js: Added.
(a.toString):
Source/_javascript_Core:
We were calling flushRegisters() inside code that isn't always runs inside the
EnumeratorInByVal/EnumeratorHasOwnProperty nodes. That is a violation of how
flushRegisters() must be used, since flushRegisters() updates global register
allocation state, and therefore must run each time a node is run. To fix, we
move flushRegisters() before the code starts emitting branches.
* dfg/DFGSpeculativeJIT.cpp:
(JSC::DFG::SpeculativeJIT::compileEnumeratorHasProperty):
Modified Paths
Added Paths
Diff
Modified: trunk/JSTests/ChangeLog (281472 => 281473)
--- trunk/JSTests/ChangeLog 2021-08-23 21:39:37 UTC (rev 281472)
+++ trunk/JSTests/ChangeLog 2021-08-23 21:44:19 UTC (rev 281473)
@@ -1,3 +1,16 @@
+2021-08-23 Saam Barati <sbar...@apple.com>
+
+ compileEnumeratorHasProperty uses flushRegisters incorrectly
+ https://bugs.webkit.org/show_bug.cgi?id=229412
+ <rdar://82020767>
+
+ Reviewed by Keith Miller.
+
+ * stress/for-in-has-own-property-shouldnt-flush-registers.js: Added.
+ (foo):
+ * stress/for-in-in-by-val-shouldnt-flush-registers.js: Added.
+ (a.toString):
+
2021-08-22 Yusuke Suzuki <ysuz...@apple.com>
[JSC] Remove already-shipped wasm option flags
Added: trunk/JSTests/stress/for-in-has-own-property-shouldnt-flush-registers.js (0 => 281473)
--- trunk/JSTests/stress/for-in-has-own-property-shouldnt-flush-registers.js (rev 0)
+++ trunk/JSTests/stress/for-in-has-own-property-shouldnt-flush-registers.js 2021-08-23 21:44:19 UTC (rev 281473)
@@ -0,0 +1,11 @@
+function foo(o) {
+ for (let p in o) {
+ o.hasOwnProperty(p);
+ o.__proto__ = undefined;
+ }
+}
+
+for (let i = 0; i < 100000; ++i) {
+ foo({f:42});
+}
+
Added: trunk/JSTests/stress/for-in-in-by-val-shouldnt-flush-registers.js (0 => 281473)
--- trunk/JSTests/stress/for-in-in-by-val-shouldnt-flush-registers.js (rev 0)
+++ trunk/JSTests/stress/for-in-in-by-val-shouldnt-flush-registers.js 2021-08-23 21:44:19 UTC (rev 281473)
@@ -0,0 +1,13 @@
+const a = [undefined];
+a.toString = ()=>{};
+
+function foo() {
+ for (let x in a) {
+ x in a;
+ +x;
+ }
+}
+
+for (let i=0; i<10000; i++) {
+ foo();
+}
Modified: trunk/Source/_javascript_Core/ChangeLog (281472 => 281473)
--- trunk/Source/_javascript_Core/ChangeLog 2021-08-23 21:39:37 UTC (rev 281472)
+++ trunk/Source/_javascript_Core/ChangeLog 2021-08-23 21:44:19 UTC (rev 281473)
@@ -1,3 +1,20 @@
+2021-08-23 Saam Barati <sbar...@apple.com>
+
+ compileEnumeratorHasProperty uses flushRegisters incorrectly
+ https://bugs.webkit.org/show_bug.cgi?id=229412
+ <rdar://82020767>
+
+ Reviewed by Keith Miller.
+
+ We were calling flushRegisters() inside code that isn't always runs inside the
+ EnumeratorInByVal/EnumeratorHasOwnProperty nodes. That is a violation of how
+ flushRegisters() must be used, since flushRegisters() updates global register
+ allocation state, and therefore must run each time a node is run. To fix, we
+ move flushRegisters() before the code starts emitting branches.
+
+ * dfg/DFGSpeculativeJIT.cpp:
+ (JSC::DFG::SpeculativeJIT::compileEnumeratorHasProperty):
+
2021-08-23 Yusuke Suzuki <ysuz...@apple.com>
[JSC] emitArrayProfilingSiteWithCell should not load indexingType unnecessarily
Modified: trunk/Source/_javascript_Core/dfg/DFGSpeculativeJIT.cpp (281472 => 281473)
--- trunk/Source/_javascript_Core/dfg/DFGSpeculativeJIT.cpp 2021-08-23 21:39:37 UTC (rev 281472)
+++ trunk/Source/_javascript_Core/dfg/DFGSpeculativeJIT.cpp 2021-08-23 21:44:19 UTC (rev 281473)
@@ -13692,6 +13692,8 @@
GPRReg modeGPR = mode.gpr();
GPRReg enumeratorGPR = enumerator.gpr();
+ flushRegisters();
+
JSValueRegsTemporary result(this);
JSValueRegs resultRegs = result.regs();
@@ -13711,7 +13713,6 @@
operationCases.link(&m_jit);
- flushRegisters();
#if USE(JSVALUE32_64)
m_jit.move(TrustedImm32(JSValue::CellTag), resultRegs.tagGPR());
auto baseRegs = JSValueRegs(baseCellGPR, resultRegs.tagGPR());
_______________________________________________
webkit-changes mailing list
webkit-changes@lists.webkit.org
https://lists.webkit.org/mailman/listinfo/webkit-changes