Modified: branches/safari-612-branch/JSTests/ChangeLog (282154 => 282155)
--- branches/safari-612-branch/JSTests/ChangeLog 2021-09-08 17:22:37 UTC (rev 282154)
+++ branches/safari-612-branch/JSTests/ChangeLog 2021-09-08 17:22:40 UTC (rev 282155)
@@ -1,5 +1,44 @@
2021-09-08 Alan Coon <alanc...@apple.com>
+ Cherry-pick r282042. rdar://problem/82877251
+
+ [JSC] Make EnumeratorNextUpdateIndexAndMode clobberizing rule precise
+ https://bugs.webkit.org/show_bug.cgi?id=229898
+ rdar://82714439
+
+ Reviewed by Saam Barati.
+
+ JSTests:
+
+ * complex.yaml:
+ * complex/for-in-clobberize.js: Added.
+
+ Source/_javascript_Core:
+
+ Clobberizing rule and AI does not match for EnumeratorNextUpdateIndexAndMode node.
+ We fix both cases: isSaneChain is not related to this node. So we should use isInBounds
+ as we are doing for HasIndexedProperty node.
+
+ * dfg/DFGAbstractInterpreterInlines.h:
+ (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
+ * dfg/DFGClobberize.h:
+ (JSC::DFG::clobberize):
+
+ git-svn-id: https://svn.webkit.org/repository/webkit/trunk@282042 268f45cc-cd09-0410-ab3c-d52691b4dbfc
+
+ 2021-09-03 Yusuke Suzuki <ysuz...@apple.com>
+
+ [JSC] Make EnumeratorNextUpdateIndexAndMode clobberizing rule precise
+ https://bugs.webkit.org/show_bug.cgi?id=229898
+ rdar://82714439
+
+ Reviewed by Saam Barati.
+
+ * complex.yaml:
+ * complex/for-in-clobberize.js: Added.
+
+2021-09-08 Alan Coon <alanc...@apple.com>
+
Cherry-pick r282014. rdar://problem/82877307
[JSC] Validate JSPropertyNameEnumerator via watchpoints
Added: branches/safari-612-branch/JSTests/complex/for-in-clobberize.js (0 => 282155)
--- branches/safari-612-branch/JSTests/complex/for-in-clobberize.js (rev 0)
+++ branches/safari-612-branch/JSTests/complex/for-in-clobberize.js 2021-09-08 17:22:40 UTC (rev 282155)
@@ -0,0 +1,6 @@
+Array.prototype.__proto__ = {};
+let a = [];
+for (let i=0; i<100; i++) {
+ a.unshift(undefined);
+ for (let x in a);
+}
Modified: branches/safari-612-branch/JSTests/complex.yaml (282154 => 282155)
--- branches/safari-612-branch/JSTests/complex.yaml 2021-09-08 17:22:37 UTC (rev 282154)
+++ branches/safari-612-branch/JSTests/complex.yaml 2021-09-08 17:22:40 UTC (rev 282155)
@@ -46,3 +46,6 @@
- path: complex/intl-timezone-check.js
cmd: runComplexTest [], [], "TZ=America/Los_Angeles", "--useDollarVM=1"
+
+- path: complex/for-in-clobberize.js
+ cmd: runComplexTest [], [], "", "--destroy-vm"
Modified: branches/safari-612-branch/Source/_javascript_Core/ChangeLog (282154 => 282155)
--- branches/safari-612-branch/Source/_javascript_Core/ChangeLog 2021-09-08 17:22:37 UTC (rev 282154)
+++ branches/safari-612-branch/Source/_javascript_Core/ChangeLog 2021-09-08 17:22:40 UTC (rev 282155)
@@ -1,5 +1,50 @@
2021-09-08 Alan Coon <alanc...@apple.com>
+ Cherry-pick r282042. rdar://problem/82877251
+
+ [JSC] Make EnumeratorNextUpdateIndexAndMode clobberizing rule precise
+ https://bugs.webkit.org/show_bug.cgi?id=229898
+ rdar://82714439
+
+ Reviewed by Saam Barati.
+
+ JSTests:
+
+ * complex.yaml:
+ * complex/for-in-clobberize.js: Added.
+
+ Source/_javascript_Core:
+
+ Clobberizing rule and AI does not match for EnumeratorNextUpdateIndexAndMode node.
+ We fix both cases: isSaneChain is not related to this node. So we should use isInBounds
+ as we are doing for HasIndexedProperty node.
+
+ * dfg/DFGAbstractInterpreterInlines.h:
+ (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
+ * dfg/DFGClobberize.h:
+ (JSC::DFG::clobberize):
+
+ git-svn-id: https://svn.webkit.org/repository/webkit/trunk@282042 268f45cc-cd09-0410-ab3c-d52691b4dbfc
+
+ 2021-09-03 Yusuke Suzuki <ysuz...@apple.com>
+
+ [JSC] Make EnumeratorNextUpdateIndexAndMode clobberizing rule precise
+ https://bugs.webkit.org/show_bug.cgi?id=229898
+ rdar://82714439
+
+ Reviewed by Saam Barati.
+
+ Clobberizing rule and AI does not match for EnumeratorNextUpdateIndexAndMode node.
+ We fix both cases: isSaneChain is not related to this node. So we should use isInBounds
+ as we are doing for HasIndexedProperty node.
+
+ * dfg/DFGAbstractInterpreterInlines.h:
+ (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
+ * dfg/DFGClobberize.h:
+ (JSC::DFG::clobberize):
+
+2021-09-08 Alan Coon <alanc...@apple.com>
+
Cherry-pick r282014. rdar://problem/82877307
[JSC] Validate JSPropertyNameEnumerator via watchpoints
Modified: branches/safari-612-branch/Source/_javascript_Core/dfg/DFGAbstractInterpreterInlines.h (282154 => 282155)
--- branches/safari-612-branch/Source/_javascript_Core/dfg/DFGAbstractInterpreterInlines.h 2021-09-08 17:22:37 UTC (rev 282154)
+++ branches/safari-612-branch/Source/_javascript_Core/dfg/DFGAbstractInterpreterInlines.h 2021-09-08 17:22:40 UTC (rev 282155)
@@ -4280,11 +4280,26 @@
case EnumeratorNextUpdateIndexAndMode: {
ArrayMode arrayMode = node->arrayMode();
- if (arrayMode.isSaneChain())
- ASSERT(node->enumeratorMetadata() == JSPropertyNameEnumerator::IndexedMode);
- else if (node->enumeratorMetadata() != JSPropertyNameEnumerator::OwnStructureMode || m_graph.varArgChild(node, 0).useKind() != CellUse)
+ if (node->enumeratorMetadata() == JSPropertyNameEnumerator::OwnStructureMode && m_graph.varArgChild(node, 0).useKind() == CellUse) {
+ // Do nothing.
+ } else if (node->enumeratorMetadata() != JSPropertyNameEnumerator::IndexedMode)
clobberWorld();
-
+ else {
+ switch (arrayMode.type()) {
+ case Array::Int32:
+ case Array::Double:
+ case Array::Contiguous:
+ case Array::ArrayStorage: {
+ if (arrayMode.isInBounds())
+ break;
+ FALLTHROUGH;
+ }
+ default: {
+ clobberWorld();
+ break;
+ }
+ }
+ }
setNonCellTypeForNode(node, SpecBytecodeNumber);
break;
}
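Review bot: The switch in the new `else` branch (Int32/Double/Contiguous/ArrayStorage gated on `isInBounds()`) duplicates the mode set that the merged EnumeratorNextUpdateIndexAndMode/HasIndexedProperty rule in DFGClobberize.h decides on, and a divergence between the two is exactly the bug this commit fixes, yet nothing in the hunk records that coupling for the next person who touches either side. I would add above the `switch`: `// Must stay in sync with the HasIndexedProperty/EnumeratorNextUpdateIndexAndMode rule in DFGClobberize.h: any mode that rule does not prove read-only must clobberWorld() here.` The `// Do nothing.` branch would read better stating why it is safe, e.g. `// OwnStructureMode on a known cell only reads the structure and named properties, so no user code can run.` — that matches what the clobberize hunk reads for this case, but confirm it against the codegen before asserting it. `arrayMode` is now only consulted inside the `else`, so declaring it there would narrow its scope; minor style point.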
Modified: branches/safari-612-branch/Source/_javascript_Core/dfg/DFGClobberize.h (282154 => 282155)
--- branches/safari-612-branch/Source/_javascript_Core/dfg/DFGClobberize.h 2021-09-08 17:22:37 UTC (rev 282154)
+++ branches/safari-612-branch/Source/_javascript_Core/dfg/DFGClobberize.h 2021-09-08 17:22:40 UTC (rev 282155)
@@ -351,73 +351,22 @@
return;
}
- case EnumeratorNextUpdateIndexAndMode: {
- read(JSObject_butterfly);
- if (node->enumeratorMetadata() == JSPropertyNameEnumerator::OwnStructureMode && graph.varArgChild(node, 0).useKind() == CellUse) {
- read(NamedProperties);
- read(JSCell_structureID);
- return;
- }
-
- if (node->enumeratorMetadata() != JSPropertyNameEnumerator::IndexedMode) {
- clobberTop();
- return;
- }
-
- ArrayMode mode = node->arrayMode();
- switch (mode.type()) {
- case Array::ForceExit: {
- write(SideState);
- return;
- }
- case Array::Int32: {
- if (mode.isSaneChain()) {
- read(Butterfly_publicLength);
- read(IndexedInt32Properties);
- def(HeapLocation(HasIndexedPropertyLoc, IndexedInt32Properties, graph.varArgChild(node, 0), graph.varArgChild(node, 1)), LazyNode(node));
+ case EnumeratorNextUpdateIndexAndMode:
+ case HasIndexedProperty: {
+ if (node->op() == EnumeratorNextUpdateIndexAndMode) {
+ if (node->enumeratorMetadata() == JSPropertyNameEnumerator::OwnStructureMode && graph.varArgChild(node, 0).useKind() == CellUse) {
+ read(JSObject_butterfly);
+ read(NamedProperties);
+ read(JSCell_structureID);
return;
}
- break;
- }
- case Array::Double: {
- if (mode.isSaneChain()) {
- read(Butterfly_publicLength);
- read(IndexedDoubleProperties);
- def(HeapLocation(HasIndexedPropertyLoc, IndexedDoubleProperties, graph.varArgChild(node, 0), graph.varArgChild(node, 1)), LazyNode(node));
+ if (node->enumeratorMetadata() != JSPropertyNameEnumerator::IndexedMode) {
+ clobberTop();
return;
}
- break;
}
- case Array::Contiguous: {
- if (mode.isSaneChain()) {
- read(Butterfly_publicLength);
- read(IndexedContiguousProperties);
- def(HeapLocation(HasIndexedPropertyLoc, IndexedContiguousProperties, graph.varArgChild(node, 0), graph.varArgChild(node, 1)), LazyNode(node));
- return;
- }
- break;
- }
-
- case Array::ArrayStorage: {
- if (mode.isInBounds()) {
- read(Butterfly_vectorLength);
- read(IndexedArrayStorageProperties);
- return;
- }
- break;
- }
-
- default:
- break;
- }
-
- clobberTop();
- return;
- }
-
- case HasIndexedProperty: {
read(JSObject_butterfly);
ArrayMode mode = node->arrayMode();
switch (mode.type()) {