Title: [232384] trunk/Source/_javascript_Core
Revision: 232384
Author: sbar...@apple.com
Date: 2018-05-31 20:06:25 -0700 (Thu, 31 May 2018)

Log Message

PutStructure AI rule needs to call didFoldClobberStructures when the incoming value's structure set is clear
https://bugs.webkit.org/show_bug.cgi?id=186169

Reviewed by Mark Lam.

If we don't do this, the CFA validation rule about StructureID being
clobbered but AI not clobbering or folding a clobber will cause us
to crash. Simon was running into this yesterday on arstechnica.com.
I couldn't come up with a test case for this, but it's obvious
what the issue is by looking at the IR dump at the time of the crash.

* dfg/DFGAbstractInterpreterInlines.h:
(JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):

Modified Paths

Diff

Modified: trunk/Source/_javascript_Core/ChangeLog (232383 => 232384)


--- trunk/Source/_javascript_Core/ChangeLog	2018-06-01 00:43:19 UTC (rev 232383)
+++ trunk/Source/_javascript_Core/ChangeLog	2018-06-01 03:06:25 UTC (rev 232384)
@@ -1,5 +1,21 @@
 2018-05-31  Saam Barati  <sbar...@apple.com>
 
+        PutStructure AI rule needs to call didFoldClobberStructures when the incoming value's structure set is clear
+        https://bugs.webkit.org/show_bug.cgi?id=186169
+
+        Reviewed by Mark Lam.
+
+        If we don't do this, the CFA validation rule about StructureID being
+        clobbered but AI not clobbering or folding a clobber will cause us
+        to crash. Simon was running into this yesterday on arstechnica.com.
+        I couldn't come up with a test case for this, but it's obvious
+        what the issue is by looking at the IR dump at the time of the crash.
+
+        * dfg/DFGAbstractInterpreterInlines.h:
+        (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
+
+2018-05-31  Saam Barati  <sbar...@apple.com>
+
         JSImmutableButterfly should align its variable storage
         https://bugs.webkit.org/show_bug.cgi?id=186159
 

Modified: trunk/Source/_javascript_Core/dfg/DFGAbstractInterpreterInlines.h (232383 => 232384)


--- trunk/Source/_javascript_Core/dfg/DFGAbstractInterpreterInlines.h	2018-06-01 00:43:19 UTC (rev 232383)
+++ trunk/Source/_javascript_Core/dfg/DFGAbstractInterpreterInlines.h	2018-06-01 03:06:25 UTC (rev 232384)
@@ -2763,6 +2763,9 @@
                     clobberLimit, node->transition()->previous, node->transition()->next);
                 forNode(node->child1()).changeStructure(m_graph, node->transition()->next);
             }
+        } else {
+            // We're going to exit before we get here, but for the sake of validation, we've folded our write to StructureID.
+            didFoldClobberStructures();
         }
         break;
     case GetButterfly:
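Review bot: the new `else` branch claims in its comment that "We're going to exit before we get here", but the `if` condition that makes this branch mean "the incoming value's structure set is clear" sits above the hunk and nothing in the branch itself checks that claim; consider pairing `didFoldClobberStructures();` with an ASSERT that child1's abstract structure set is indeed clear, so a later edit to the guarding condition cannot silently turn this into folding a clobber on a reachable path. A related question for the reviewer: if the exit is certain at this point, should the branch also mark the abstract state invalid rather than only recording the folded StructureID write, or is that already handled before reaching the `changeStructure` path shown in the context lines? If it is, a short note in the comment saying so would make the intent clearer than "for the sake of validation".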
_______________________________________________
webkit-changes mailing list
webkit-changes@lists.webkit.org
https://lists.webkit.org/mailman/listinfo/webkit-changes