Title: [205522] trunk/Source/JavaScriptCore
- Revision
- 205522
- Author
- sbar...@apple.com
- Date
- 2016-09-06 16:51:24 -0700 (Tue, 06 Sep 2016)
Log Message
Member call on NULL pointer in JavaScriptCore/dfg/DFGAbstractInterpretterInlines.h
https://bugs.webkit.org/show_bug.cgi?id=160870
Reviewed by Darin Adler.
Credit goes to Jonathan Bedard for finding this bug using the undefined
behavior sanitizer.
The rule for MaterializeNewObject inside AI was assuming that the graph
is in SSA form. This used to be true when MaterializeNewObject was only
inserted by the allocation sinking phase. However, Filip added more uses
of MaterializeNewObject in his RegExp constant folding patch. This fixes
the bug by using the structure set inside the Node's OpInfo rather than
generating it from m_phiChildren inside AI.
* dfg/DFGAbstractInterpreterInlines.h:
(JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
Diff
Modified: trunk/Source/_javascript_Core/ChangeLog (205521 => 205522)
--- trunk/Source/_javascript_Core/ChangeLog 2016-09-06 23:36:36 UTC (rev 205521)
+++ trunk/Source/_javascript_Core/ChangeLog 2016-09-06 23:51:24 UTC (rev 205522)
@@ -1,5 +1,25 @@
2016-09-06 Saam Barati <sbar...@apple.com>
+ Member call on NULL pointer in _javascript_Core/dfg/DFGAbstractInterpretterInlines.h
+ https://bugs.webkit.org/show_bug.cgi?id=160870
+
+ Reviewed by Darin Adler.
+
+ Credit goes to Jonathan Bedard for finding this bug using the undefined
+ behavior sanitizer.
+
+ The rule for MaterializeNewObject inside AI was assuming that the graph
+ is in SSA form. This used to be true when MaterializeNewObject was only
+ inserted by the allocation sinking phase. However, Filip added more uses
+ of MaterializeNewObject in his RegExp constant folding patch. This fixes
+ the bug by using the structure set inside the Node's OpInfo rather than
+ generating it from m_phiChildren inside AI.
+
+ * dfg/DFGAbstractInterpreterInlines.h:
+ (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
+
+2016-09-06 Saam Barati <sbar...@apple.com>
+
Make JSMap and JSSet faster
https://bugs.webkit.org/show_bug.cgi?id=160989
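Review bot: The entry title in this hunk spells the file "DFGAbstractInterpretterInlines.h" (double t) while the modified-path line a few lines below correctly reads "DFGAbstractInterpreterInlines.h"; the mismatch means a search of the ChangeLog for the real file name will not find this entry, so the title should be corrected to match the path before landing.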
Modified: trunk/Source/_javascript_Core/dfg/DFGAbstractInterpreterInlines.h (205521 => 205522)
--- trunk/Source/_javascript_Core/dfg/DFGAbstractInterpreterInlines.h 2016-09-06 23:36:36 UTC (rev 205521)
+++ trunk/Source/_javascript_Core/dfg/DFGAbstractInterpreterInlines.h 2016-09-06 23:51:24 UTC (rev 205522)
@@ -1965,15 +1965,7 @@
break;
case MaterializeNewObject: {
- StructureSet set;
-
- m_phiChildren->forAllTransitiveIncomingValues(
- m_graph.varArgChild(node, 0).node(),
- [&] (Node* incoming) {
- set.add(incoming->castConstant<Structure*>());
- });
-
- forNode(node).set(m_graph, set);
+ forNode(node).set(m_graph, node->structureSet());
break;
}
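Review bot: The correctness of the new one-liner `forNode(node).set(m_graph, node->structureSet());` now rests on every phase that creates a MaterializeNewObject having filled the structure set in the node's OpInfo, including the allocation sinking phase that the log message names as the original source of these nodes; the removed code did not need that because it rebuilt the set from m_phiChildren, which is exactly the member that is null when the graph is not in SSA form. Consider adding an ASSERT that `node->structureSet()` is non-empty here (or a short comment pointing at the constructor that populates it), so a future producer of MaterializeNewObject that forgets the OpInfo fails loudly in debug builds rather than feeding an empty set to the abstract value.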
_______________________________________________
webkit-changes mailing list
webkit-changes@lists.webkit.org
https://lists.webkit.org/mailman/listinfo/webkit-changes