Title: [227488] releases/WebKitGTK/webkit-2.18
- Revision
- 227488
- Author
- carlo...@webkit.org
- Date
- 2018-01-24 01:36:52 -0800 (Wed, 24 Jan 2018)
Log Message
Merge r224349 - AI does not correctly model the clobber case of ArithClz32
https://bugs.webkit.org/show_bug.cgi?id=179188
Reviewed by Michael Saboff.
JSTests:
* stress/arith-clz32-effects.js: Added.
(foo):
(valueOf):
Source/_javascript_Core:
The non-Int32 case must be modeled as clobbering the world, because converting a non-Int32 operand to a number may call valueOf() and run arbitrary JavaScript.
* dfg/DFGAbstractInterpreterInlines.h:
(JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
Modified Paths
Added Paths
Diff
Modified: releases/WebKitGTK/webkit-2.18/JSTests/ChangeLog (227487 => 227488)
--- releases/WebKitGTK/webkit-2.18/JSTests/ChangeLog 2018-01-24 09:36:46 UTC (rev 227487)
+++ releases/WebKitGTK/webkit-2.18/JSTests/ChangeLog 2018-01-24 09:36:52 UTC (rev 227488)
@@ -1,3 +1,14 @@
+2017-11-02 Filip Pizlo <fpi...@apple.com>
+
+ AI does not correctly model the clobber case of ArithClz32
+ https://bugs.webkit.org/show_bug.cgi?id=179188
+
+ Reviewed by Michael Saboff.
+
+ * stress/arith-clz32-effects.js: Added.
+ (foo):
+ (valueOf):
+
2017-11-01 Michael Saboff <msab...@apple.com>
Integer overflow in code generated by LoadVarargs processing in DFG and FTL.
Added: releases/WebKitGTK/webkit-2.18/JSTests/stress/arith-clz32-effects.js (0 => 227488)
--- releases/WebKitGTK/webkit-2.18/JSTests/stress/arith-clz32-effects.js (rev 0)
+++ releases/WebKitGTK/webkit-2.18/JSTests/stress/arith-clz32-effects.js 2018-01-24 09:36:52 UTC (rev 227488)
@@ -0,0 +1,30 @@
+function foo(o, v)
+{
+ var result = o.f;
+ Math.clz32(v);
+ return result + o.f;
+}
+
+noInline(foo);
+
+var o = {f: 42};
+o.g = 43; // Bust the transition watchpoint of {f}.
+
+for (var i = 0; i < 10000; ++i) {
+ var result = foo({f: 42}, "42");
+ if (result != 84)
+ throw "Error: bad result in loop: " + result;
+}
+
+var o = {f: 43};
+var result = foo(o, {
+ valueOf: function()
+ {
+ delete o.f;
+ o.__defineGetter__("f", function() { return 44; });
+ }
+});
+
+if (result != 87)
+ throw "Error: bad result at end: " + result;
+
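Review bot: The regression test only drives the non-Int32 path through a `valueOf` hook (line `valueOf: function()`); an operand that defines only `toString`, or `Symbol.toPrimitive`, goes through the same ToNumber conversion and the same `default:` clobber in the AI but is not exercised here, so a later change that special-cases one hook could regress without this test noticing. Suggest a second run of the same shape after the final check, with an operand whose `toString` (or `[Symbol.toPrimitive]`) deletes `o.f` and installs the getter, asserting the same `87`. A short comment above the final `foo(o, {...})` call stating what it checks would also help: `// valueOf runs between the two o.f loads; the second load must observe the getter (43 + 44), not a CSE'd copy of the first (43 + 43).`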
Modified: releases/WebKitGTK/webkit-2.18/Source/_javascript_Core/ChangeLog (227487 => 227488)
--- releases/WebKitGTK/webkit-2.18/Source/_javascript_Core/ChangeLog 2018-01-24 09:36:46 UTC (rev 227487)
+++ releases/WebKitGTK/webkit-2.18/Source/_javascript_Core/ChangeLog 2018-01-24 09:36:52 UTC (rev 227488)
@@ -1,3 +1,15 @@
+2017-11-02 Filip Pizlo <fpi...@apple.com>
+
+ AI does not correctly model the clobber case of ArithClz32
+ https://bugs.webkit.org/show_bug.cgi?id=179188
+
+ Reviewed by Michael Saboff.
+
+ The non-Int32 case clobbers the world because it may call valueOf.
+
+ * dfg/DFGAbstractInterpreterInlines.h:
+ (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
+
2017-11-01 Michael Saboff <msab...@apple.com>
Integer overflow in code generated by LoadVarargs processing in DFG and FTL.
Modified: releases/WebKitGTK/webkit-2.18/Source/_javascript_Core/dfg/DFGAbstractInterpreterInlines.h (227487 => 227488)
--- releases/WebKitGTK/webkit-2.18/Source/_javascript_Core/dfg/DFGAbstractInterpreterInlines.h 2018-01-24 09:36:46 UTC (rev 227487)
+++ releases/WebKitGTK/webkit-2.18/Source/_javascript_Core/dfg/DFGAbstractInterpreterInlines.h 2018-01-24 09:36:52 UTC (rev 227488)
@@ -563,6 +563,14 @@
setConstant(node, jsNumber(clz32(value)));
break;
}
+ switch (node->child1().useKind()) {
+ case Int32Use:
+ case KnownInt32Use:
+ break;
+ default:
+ clobberWorld(node->origin.semantic, clobberLimit);
+ break;
+ }
forNode(node).setType(SpecInt32Only);
break;
}
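Review bot: The new `switch` on `node->child1().useKind()` says nothing about why `Int32Use`/`KnownInt32Use` are the only pure cases, and the pure set presumably has to agree with what clobberize() reports for ArithClz32 elsewhere in the DFG — if the two ever disagree, CSE can again fold a heap load across a `valueOf()` call, which is the type-confusion-shaped bug this change closes. Suggest a comment above the switch: `// Only Int32 speculations are pure. Any other use kind converts the operand with ToNumber, which may call valueOf() (arbitrary JS), so it must clobber the world. Keep in sync with clobberize().` The constant-folding path right above (`setConstant(...)`) is unaffected since a constant operand runs no user code, but its guard starts before the hunk, as does the enclosing executeEffects() case.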