Title: [205522] trunk/Source/JavaScriptCore
Revision: 205522
Author: sbar...@apple.com
Date: 2016-09-06 16:51:24 -0700 (Tue, 06 Sep 2016)

Log Message

Member call on NULL pointer in JavaScriptCore/dfg/DFGAbstractInterpreterInlines.h
https://bugs.webkit.org/show_bug.cgi?id=160870

Reviewed by Darin Adler.

Credit goes to Jonathan Bedard for finding this bug using the undefined
behavior sanitizer.

The rule for MaterializeNewObject inside AI was assuming that the graph
is in SSA form. This used to be true when MaterializeNewObject was only
inserted by the allocation sinking phase. However, Filip added more uses
of MaterializeNewObject in his RegExp constant folding patch. This fixes
the bug by using the structure set inside the Node's OpInfo rather than
generating it from m_phiChildren inside AI.

* dfg/DFGAbstractInterpreterInlines.h:
(JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):

Diff

Modified: trunk/Source/_javascript_Core/ChangeLog (205521 => 205522)


--- trunk/Source/_javascript_Core/ChangeLog	2016-09-06 23:36:36 UTC (rev 205521)
+++ trunk/Source/_javascript_Core/ChangeLog	2016-09-06 23:51:24 UTC (rev 205522)
@@ -1,5 +1,25 @@
 2016-09-06  Saam Barati  <sbar...@apple.com>
 
+        Member call on NULL pointer in _javascript_Core/dfg/DFGAbstractInterpretterInlines.h
+        https://bugs.webkit.org/show_bug.cgi?id=160870
+
+        Reviewed by Darin Adler.
+
+        Credit goes to Jonathan Bedard for finding this bug using the undefined
+        behavior sanitizer.
+
+        The rule for MaterializeNewObject inside AI was assuming that the graph
+        is in SSA form. This used to be true when MaterializeNewObject was only
+        inserted by the allocation sinking phase. However, Filip added more uses
+        of MaterializeNewObject in his RegExp constant folding patch. This fixes
+        the bug by using the structure set inside the Node's OpInfo rather than
+        generating it from m_phiChildren inside AI.
+
+        * dfg/DFGAbstractInterpreterInlines.h:
+        (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
+
+2016-09-06  Saam Barati  <sbar...@apple.com>
+
         Make JSMap and JSSet faster
         https://bugs.webkit.org/show_bug.cgi?id=160989
 
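Review bot: the bug title copied into the ChangeLog entry spells the header "DFGAbstractInterpretterInlines.h" (line "+        Member call on NULL pointer in ..."), while the file actually touched and listed further down is "dfg/DFGAbstractInterpreterInlines.h"; the entry should use the real filename so that searching the log by path finds this fix. The entry also lists no regression test even though the description says the null member call was only caught by the undefined behavior sanitizer; a test that reaches the MaterializeNewObject rule from the non-SSA RegExp constant folding path (or a note on why none is practical) would document how the fix is exercised.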

Modified: trunk/Source/_javascript_Core/dfg/DFGAbstractInterpreterInlines.h (205521 => 205522)


--- trunk/Source/_javascript_Core/dfg/DFGAbstractInterpreterInlines.h	2016-09-06 23:36:36 UTC (rev 205521)
+++ trunk/Source/_javascript_Core/dfg/DFGAbstractInterpreterInlines.h	2016-09-06 23:51:24 UTC (rev 205522)
@@ -1965,15 +1965,7 @@
         break;
         
     case MaterializeNewObject: {
-        StructureSet set;
-        
-        m_phiChildren->forAllTransitiveIncomingValues(
-            m_graph.varArgChild(node, 0).node(),
-            [&] (Node* incoming) {
-                set.add(incoming->castConstant<Structure*>());
-            });
-        
-        forNode(node).set(m_graph, set);
+        forNode(node).set(m_graph, node->structureSet());
         break;
     }
 
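Review bot: the replacement line `forNode(node).set(m_graph, node->structureSet());` makes the abstract interpreter rule correct outside SSA (m_phiChildren is only available in SSA form, which is the null pointer the sanitizer hit), but it shifts the burden onto every phase that creates a MaterializeNewObject node to populate the OpInfo structure set; an ASSERT that `node->structureSet()` is non-empty at this point, or a corresponding check in DFG validation, would make a future creator that forgets to fill it fail loudly instead of silently producing an imprecise abstract value. It is also worth confirming in the description that, for nodes inserted by allocation sinking, the OpInfo set is the same set the removed `forAllTransitiveIncomingValues` walk over `castConstant<Structure*>()` children used to compute, since otherwise this hunk changes the precision of the analysis as well as fixing the crash.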
_______________________________________________
webkit-changes mailing list
webkit-changes@lists.webkit.org
https://lists.webkit.org/mailman/listinfo/webkit-changes