Title: [226351] trunk
- Revision
- 226351
- Author
- sbar...@apple.com
- Date
- 2018-01-02 19:59:16 -0800 (Tue, 02 Jan 2018)
Log Message
Incorrect assertion inside AccessCase
https://bugs.webkit.org/show_bug.cgi?id=181200
<rdar://problem/35494754>
Reviewed by Yusuke Suzuki.
JSTests:
* stress/setter-same-base-and-rhs-invalid-assertion-inside-access-case.js: Added.
(ctor):
(theFunc):
(run):
Source/JavaScriptCore:
Consider a PutById compiled to a setter in a function like so:
```
function foo(o) { o.f = o; }
```
The DFG will often assign the same registers to the baseGPR (o in o.f) and the
valueRegsPayloadGPR (o in the RHS). The code totally works when these are assigned
to the same register. However, we're asserting that they're not the same register.
This patch just removes this invalid assertion.
* bytecode/AccessCase.cpp:
(JSC::AccessCase::generateImpl):
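The regression test added by this patch only checks that the engine does not assert when base and RHS are the same object. The following is an added example, not part of the WebKit patch or the JSTests suite, that runs the same two-Structure loop but also checks the observable contract of the setter call `o.f = o`: the setter must receive the same object as `this` and as its argument, which is exactly what a miscompile that confused `baseGPR` and `valueRegsPayloadGPR` would break. `noInline` is a builtin of the `jsc` shell; the shim for it is an assumption so the file also runs under node, where it only checks the semantics and does not exercise the DFG.

```javascript
// Added example (not WebKit code). `noInline` exists in the jsc shell; the
// shim is an assumption so this also runs under node/other engines, where it
// only verifies semantics rather than DFG register allocation.
if (typeof globalThis.noInline !== "function") {
  globalThis.noInline = function () {};
}

// Constructor whose prototype setter `f` records every call's receiver and
// argument into `log` so the caller can compare them afterwards.
function makeCtor(log) {
  function ctor() {}
  ctor.prototype.__defineSetter__("f", function (value) {
    log.push({ receiver: this, value: value });
  });
  return ctor;
}

// Same shape as the regression test: base (o in o.f) and RHS are one object.
function theFunc(o) {
  o.f = o;
}
noInline(theFunc);

// Runs `iterations` rounds of the two-structure loop from the regression test
// (the second object gets an extra property `g`, giving the PutById a second
// Structure) and returns how many setter calls were made and how many of them
// saw a receiver that was not identical to the value.
function countMismatches(iterations) {
  const log = [];
  const ctor = makeCtor(log);
  for (let i = 0; i < iterations; ++i) {
    theFunc(new ctor());
    const o = new ctor();
    o.g = 54;
    theFunc(o);
  }
  let mismatches = 0;
  for (const entry of log) {
    if (entry.receiver !== entry.value) {
      ++mismatches;
    }
  }
  return { calls: log.length, mismatches: mismatches };
}

// Stand-alone run: 100000 iterations, matching the regression test, so that
// theFunc tiers up to the DFG under jsc. Two calls per iteration are expected.
const result = countMismatches(100000);
if (result.calls !== 200000 || result.mismatches !== 0) {
  throw new Error("setter saw this !== value: " + JSON.stringify(result));
}
```

Under `jsc`, run it like the stress tests (`jsc --useDFGJIT=true file.js`); a debug build of a tree without this patch would trip the old assertion, and any build that mixed up the two registers would report a non-zero mismatch count instead of passing silently.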
Modified Paths
Added Paths
Diff
Modified: trunk/JSTests/ChangeLog (226350 => 226351)
--- trunk/JSTests/ChangeLog 2018-01-03 03:44:01 UTC (rev 226350)
+++ trunk/JSTests/ChangeLog 2018-01-03 03:59:16 UTC (rev 226351)
@@ -1,3 +1,16 @@
+2018-01-02 Saam Barati <sbar...@apple.com>
+
+ Incorrect assertion inside AccessCase
+ https://bugs.webkit.org/show_bug.cgi?id=181200
+ <rdar://problem/35494754>
+
+ Reviewed by Yusuke Suzuki.
+
+ * stress/setter-same-base-and-rhs-invalid-assertion-inside-access-case.js: Added.
+ (ctor):
+ (theFunc):
+ (run):
+
2018-01-02 Caio Lima <ticaiol...@gmail.com>
[ESNext][BigInt] Implement BigIntConstructor and BigIntPrototype
Added: trunk/JSTests/stress/setter-same-base-and-rhs-invalid-assertion-inside-access-case.js (0 => 226351)
--- trunk/JSTests/stress/setter-same-base-and-rhs-invalid-assertion-inside-access-case.js (rev 0)
+++ trunk/JSTests/stress/setter-same-base-and-rhs-invalid-assertion-inside-access-case.js 2018-01-03 03:59:16 UTC (rev 226351)
@@ -0,0 +1,17 @@
+function ctor() {}
+ctor.prototype.__defineSetter__("f", function () { });
+
+function theFunc(o) {
+ o.f = o;
+}
+noInline(theFunc);
+function run(o) {
+ theFunc(o);
+}
+
+for (let i = 0; i < 100000; ++i) {
+ run(new ctor())
+ let o = new ctor();
+ o.g = 54;
+ run(o);
+}
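Review bot: the setter body on the `__defineSetter__` line is empty, so this test only detects the debug-build assertion failure; a release build that confused the base and RHS registers in the setter call would still pass. Consider having the setter record `this` and its argument (for example `ctor.prototype.__defineSetter__("f", function (v) { if (this !== v) throw new Error("mismatch"); });`) so the test also checks that the same object reaches the setter as receiver and value. Minor: `run(new ctor())` in the loop is missing the trailing semicolon the other statements have.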
Modified: trunk/Source/JavaScriptCore/ChangeLog (226350 => 226351)
--- trunk/Source/JavaScriptCore/ChangeLog 2018-01-03 03:44:01 UTC (rev 226350)
+++ trunk/Source/JavaScriptCore/ChangeLog 2018-01-03 03:59:16 UTC (rev 226351)
@@ -1,3 +1,25 @@
+2018-01-02 Saam Barati <sbar...@apple.com>
+
+ Incorrect assertion inside AccessCase
+ https://bugs.webkit.org/show_bug.cgi?id=181200
+ <rdar://problem/35494754>
+
+ Reviewed by Yusuke Suzuki.
+
+ Consider a PutById compiled to a setter in a function like so:
+
+ ```
+ function foo(o) { o.f = o; }
+ ```
+
+ The DFG will often assign the same registers to the baseGPR (o in o.f) and the
+ valueRegsPayloadGPR (o in the RHS). The code totally works when these are assigned
+ to the same register. However, we're asserting that they're not the same register.
+ This patch just removes this invalid assertion.
+
+ * bytecode/AccessCase.cpp:
+ (JSC::AccessCase::generateImpl):
+
2018-01-02 Caio Lima <ticaiol...@gmail.com>
[ESNext][BigInt] Implement BigIntConstructor and BigIntPrototype
Modified: trunk/Source/JavaScriptCore/bytecode/AccessCase.cpp (226350 => 226351)
--- trunk/Source/JavaScriptCore/bytecode/AccessCase.cpp 2018-01-03 03:44:01 UTC (rev 226350)
+++ trunk/Source/JavaScriptCore/bytecode/AccessCase.cpp 2018-01-03 03:59:16 UTC (rev 226351)
@@ -692,7 +692,7 @@
if (m_type == Getter || m_type == Setter) {
auto& access = this->as<GetterSetterAccessCase>();
ASSERT(baseGPR != loadedValueGPR);
- ASSERT(m_type != Setter || (baseGPR != valueRegsPayloadGPR && loadedValueGPR != valueRegsPayloadGPR));
+ ASSERT(m_type != Setter || valueRegsPayloadGPR != loadedValueGPR);
// Create a JS call using a JS call inline cache. Assume that:
//
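Review bot: the relaxed ASSERT drops the `baseGPR != valueRegsPayloadGPR` requirement for setters, but neither the hunk nor the ChangeLog says why the generated setter call is correct when the two share a register (the ChangeLog only states that it "totally works"). Add a short comment above the assertion stating that `baseGPR == valueRegsPayloadGPR` is legal for Setter and which property of the call sequence below makes it safe, so the next reader does not reintroduce the stronger check. Also verify that the assumption list the comment introduces with "Assume that:" (cut off in this excerpt) does not still state that the base and value registers are distinct; if it does, it needs the same update as the assertion.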
_______________________________________________
webkit-changes mailing list
webkit-changes@lists.webkit.org
https://lists.webkit.org/mailman/listinfo/webkit-changes