[webkit-changes] [185600] trunk/Source/JavaScriptCore

Tue, 16 Jun 2015 12:18:20 -0700

Title: [185600] trunk/Source/_javascript_Core
Revision
185600
Author
fpi...@apple.com
Date
2015-06-16 12:17:40 -0700 (Tue, 16 Jun 2015)

Log Message

FTL boolify() UntypedUse is wrong in the masquerades-as-undefined case
https://bugs.webkit.org/show_bug.cgi?id=146002

Reviewed by Darin Adler.

* ftl/FTLLowerDFGToLLVM.cpp: Put this in an anonymous namespace. We should have done that all along. It makes it easier to add debug code.
(JSC::FTL::DFG::LowerDFGToLLVM::boolify): Fix the bug.
* tests/stress/logical-not-masquerades.js: Added. This test creates a masquerader so that the watchpoint is invalid. Previously this would fail for the normal object cases.
(foo):

Modified Paths

Added Paths

Diff

Modified: trunk/Source/_javascript_Core/ChangeLog (185599 => 185600)


--- trunk/Source/_javascript_Core/ChangeLog	2015-06-16 18:41:21 UTC (rev 185599)
+++ trunk/Source/_javascript_Core/ChangeLog	2015-06-16 19:17:40 UTC (rev 185600)
@@ -1,3 +1,15 @@
+2015-06-15  Filip Pizlo  <fpi...@apple.com>
+
+        FTL boolify() UntypedUse is wrong in the masquerades-as-undefined case
+        https://bugs.webkit.org/show_bug.cgi?id=146002
+
+        Reviewed by Darin Adler.
+
+        * ftl/FTLLowerDFGToLLVM.cpp: Put this in an anonymous namespace. We should have done that all along. It makes it easier to add debug code.
+        (JSC::FTL::DFG::LowerDFGToLLVM::boolify): Fix the bug.
+        * tests/stress/logical-not-masquerades.js: Added. This test creates a masquerader so that the watchpoint is invalid. Previously this would fail for the normal object cases.
+        (foo):
+
 2015-06-16  Andreas Kling  <akl...@apple.com>
 
         [JSC] Pre-bake final Structure for RegExp matches arrays.

Modified: trunk/Source/_javascript_Core/ftl/FTLLowerDFGToLLVM.cpp (185599 => 185600)


--- trunk/Source/_javascript_Core/ftl/FTLLowerDFGToLLVM.cpp	2015-06-16 18:41:21 UTC (rev 185599)
+++ trunk/Source/_javascript_Core/ftl/FTLLowerDFGToLLVM.cpp	2015-06-16 19:17:40 UTC (rev 185600)
@@ -63,8 +63,10 @@
 
 using namespace DFG;
 
-static std::atomic<int> compileCounter;
+namespace {
 
+std::atomic<int> compileCounter;
+
 #if ASSERT_DISABLED
 NO_RETURN_DUE_TO_CRASH static void ftlUnreachable()
 {
@@ -6301,7 +6303,7 @@
             else {
                 LBasicBlock masqueradesCase = FTL_NEW_BLOCK(m_out, ("Boolify untyped masquerades case"));
                 
-                results.append(m_out.anchor(m_out.booleanFalse));
+                results.append(m_out.anchor(m_out.booleanTrue));
                 
                 m_out.branch(
                     m_out.testIsZero8(
@@ -8660,6 +8662,8 @@
     unsigned m_tbaaStructKind;
 };
 
+} // anonymous namespace
+
 void lowerDFGToLLVM(State& state)
 {
     LowerDFGToLLVM lowering(state);

Added: trunk/Source/_javascript_Core/tests/stress/logical-not-masquerades.js (0 => 185600)


--- trunk/Source/_javascript_Core/tests/stress/logical-not-masquerades.js	                        (rev 0)
+++ trunk/Source/_javascript_Core/tests/stress/logical-not-masquerades.js	2015-06-16 19:17:40 UTC (rev 185600)
@@ -0,0 +1,33 @@
+function foo(value) {
+    return !!value;
+}
+
+noInline(foo);
+
+var tests = [
+    [0, false],
+    [1, true],
+    [0/0, false],
+    [0/-1, false],
+    [0.0, false],
+    ["", false],
+    ["f", true],
+    ["hello", true],
+    [{}, true],
+    [[], true],
+    [null, false],
+    [void 0, false],
+    [false, false],
+    [true, true],
+    [makeMasquerader(), false]
+];
+
+for (var i = 0; i < 10000; ++i) {
+    for (var j = 0; j < tests.length; ++j) {
+        var input = tests[j][0];
+        var expected = tests[j][1];
+        var result = foo(input);
+        if (result !== expected)
+            throw "Error: bad result for " + input + ": " + result;
+    }
+}

_______________________________________________
webkit-changes mailing list
webkit-changes@lists.webkit.org
https://lists.webkit.org/mailman/listinfo/webkit-changes

Reply via email to