Revision: 234075
Author: msab...@apple.com
Date: 2018-07-20 16:48:16 -0700 (Fri, 20 Jul 2018)
Log Message
DFG AbstractInterpreter: CheckArray filters array modes for DirectArguments/ScopedArguments using only NonArray
https://bugs.webkit.org/show_bug.cgi?id=187827
rdar://problem/42146858
Reviewed by Saam Barati.
JSTests:
New regression tests.
* stress/direct-arguments-check-array.js: Added.
(setup.f2):
(setup):
(forOfArray):
(forOfArgs):
(callEveryOnArgs):
* stress/scoped-arguments-check-array.js: Added.
(setup.foo):
(setup.f2):
(setup):
(forOfArray):
(forOfArgs):
(callEveryOnArgs):
Source/JavaScriptCore:
When filtering array modes for DirectArguments or ScopedArguments, we need to allow for the possibility
that they can either be NonArray or NonArrayWithArrayStorage (aka ArrayStorageShape).
We can't end up with other shapes (Int32, Double, etc.) because GenericArguments sets
InterceptsGetOwnPropertySlotByIndexEvenWhenLengthIsNotZero which will cause us to go down a
putByIndex() path that doesn't change the shape.
* dfg/DFGArrayMode.h:
(JSC::DFG::ArrayMode::arrayModesThatPassFiltering const):
Diff
Modified: trunk/JSTests/ChangeLog (234074 => 234075)
--- trunk/JSTests/ChangeLog 2018-07-20 23:43:01 UTC (rev 234074)
+++ trunk/JSTests/ChangeLog 2018-07-20 23:48:16 UTC (rev 234075)
@@ -1,3 +1,27 @@
+2018-07-20 Michael Saboff <msab...@apple.com>
+
+ DFG AbstractInterpreter: CheckArray filters array modes for DirectArguments/ScopedArguments using only NonArray
+ https://bugs.webkit.org/show_bug.cgi?id=187827
+ rdar://problem/42146858
+
+ Reviewed by Saam Barati.
+
+ New regression tests.
+
+ * stress/direct-arguments-check-array.js: Added.
+ (setup.f2):
+ (setup):
+ (forOfArray):
+ (forOfArgs):
+ (callEveryOnArgs):
+ * stress/scoped-arguments-check-array.js: Added.
+ (setup.foo):
+ (setup.f2):
+ (setup):
+ (forOfArray):
+ (forOfArgs):
+ (callEveryOnArgs):
+
2018-07-20 Yusuke Suzuki <utatane....@gmail.com>
[DFG] Fold GetByVal if Array is CoW
Added: trunk/JSTests/stress/direct-arguments-check-array.js (0 => 234075)
--- trunk/JSTests/stress/direct-arguments-check-array.js (rev 0)
+++ trunk/JSTests/stress/direct-arguments-check-array.js 2018-07-20 23:48:16 UTC (rev 234075)
@@ -0,0 +1,40 @@
+//@ defaultRun
+//@ runNoLLInt("--useConcurrentJIT=false", "--forceEagerCompilation=True")
+
+// This is a regression test that verifies we handle direct arguments as ArrayStorage. This test should complete and not crash.
+// It is a reduction of a fuzzing bug produced testcase. All of the code present was needed to reproduce the issue.
+
+let a;
+let f2;
+let args;
+
+function setup() {
+ a = [0];
+ a.unshift(0);
+ for (let z of [4, 4, 4, 4, 4]) {};
+ new Float64Array(a);
+ f2 = function() {};
+ args = arguments;
+ args.length = 0;
+};
+
+function forOfArray() {
+ for (let z of [true, true, true, true, true, true, true]) {
+ }
+}
+
+function forOfArgs() {
+ for (let v of args) {
+ }
+}
+
+function callEveryOnArgs() {
+ for (i = 0; i < 1000; ++i) {
+ Array.prototype.every.call(args, f2, {});
+ }
+}
+
+setup();
+forOfArray();
+forOfArgs();
+callEveryOnArgs();
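Review bot: in `callEveryOnArgs`, `for (i = 0; i < 1000; ++i)` assigns to an undeclared `i` and so creates an implicit global in this sloppy-mode file; the header comment says all of the code was needed for the reduction, so either keep it and say so in the comment, or declare it with `let i = 0` if the reproduction does not depend on it. The stray `;` after the `setup` function body is harmless but looks like leftover from the fuzzer output and can be dropped.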
Added: trunk/JSTests/stress/scoped-arguments-check-array.js (0 => 234075)
--- trunk/JSTests/stress/scoped-arguments-check-array.js (rev 0)
+++ trunk/JSTests/stress/scoped-arguments-check-array.js 2018-07-20 23:48:16 UTC (rev 234075)
@@ -0,0 +1,41 @@
+//@ defaultRun
+//@ runNoLLInt("--useConcurrentJIT=false", "--forceEagerCompilation=True")
+
+// This is a regression test that verifies we handle direct arguments as ArrayStorage. This test should complete and not crash.
+// It is a reduction of a fuzzing bug produced testcase. All of the code present was needed to reproduce the issue.
+
+let a;
+let f2;
+let args;
+
+function setup(arg1) {
+ function foo() { return arg1; }
+ a = [0];
+ a.unshift(0);
+ for (let z of [4, 4, 4, 4, 4]) {};
+ new Float64Array(a);
+ f2 = function() {};
+ args = arguments;
+ args.length = 0;
+};
+
+function forOfArray() {
+ for (let z of [true, true, true, true, true, true, true]) {
+ }
+}
+
+function forOfArgs() {
+ for (let v of args) {
+ }
+}
+
+function callEveryOnArgs() {
+ for (i = 0; i < 1000; ++i) {
+ Array.prototype.every.call(args, f2, {});
+ }
+}
+
+setup();
+forOfArray();
+forOfArgs();
+callEveryOnArgs();
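Review bot: the header comment on this file still reads "verifies we handle direct arguments as ArrayStorage", copied from the direct-arguments test, but the file name and the one difference from that test, the inner `function foo() { return arg1; }` capturing a parameter of `setup`, indicate this is the scoped-arguments variant; the comment should say scoped arguments and mention that `foo` exists only to capture `arg1` (it is never called), otherwise the next reader may remove it as dead code and lose the coverage. As in the direct-arguments test, `i` in `callEveryOnArgs` is an undeclared implicit global.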
Modified: trunk/Source/_javascript_Core/ChangeLog (234074 => 234075)
--- trunk/Source/_javascript_Core/ChangeLog 2018-07-20 23:43:01 UTC (rev 234074)
+++ trunk/Source/_javascript_Core/ChangeLog 2018-07-20 23:48:16 UTC (rev 234075)
@@ -1,3 +1,20 @@
+2018-07-20 Michael Saboff <msab...@apple.com>
+
+ DFG AbstractInterpreter: CheckArray filters array modes for DirectArguments/ScopedArguments using only NonArray
+ https://bugs.webkit.org/show_bug.cgi?id=187827
+ rdar://problem/42146858
+
+ Reviewed by Saam Barati.
+
+ When filtering array modes for DirectArguments or ScopedArguments, we need to allow for the possibility
+ that they can either be NonArray or NonArrayWithArrayStorage (aka ArrayStorageShape).
+ We can't end up with other shapes, Int32, Double, etc because GenericArguments sets
+ InterceptsGetOwnPropertySlotByIndexEvenWhenLengthIsNotZero which will cause us to go down a
+ putByIndex() path that doesn't change the shape.
+
+ * dfg/DFGArrayMode.h:
+ (JSC::DFG::ArrayMode::arrayModesThatPassFiltering const):
+
2018-07-20 Yusuke Suzuki <utatane....@gmail.com>
[DFG] Fold GetByVal if Array is CoW
Modified: trunk/Source/_javascript_Core/dfg/DFGArrayMode.h (234074 => 234075)
--- trunk/Source/_javascript_Core/dfg/DFGArrayMode.h 2018-07-20 23:43:01 UTC (rev 234074)
+++ trunk/Source/_javascript_Core/dfg/DFGArrayMode.h 2018-07-20 23:48:16 UTC (rev 234075)
@@ -442,6 +442,9 @@
return arrayModesWithIndexingShape(ArrayStorageShape);
case Array::SlowPutArrayStorage:
return arrayModesWithIndexingShapes(SlowPutArrayStorageShape, ArrayStorageShape);
+ case Array::DirectArguments:
+ case Array::ScopedArguments:
+ return arrayModesWithIndexingShapes(ArrayStorageShape, NonArray);
default:
return asArrayModes(NonArray);
}
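Review bot: the new `DirectArguments`/`ScopedArguments` cases pass `NonArray` as the second argument to `arrayModesWithIndexingShapes`, whereas the other callers visible here pass indexing shapes (`SlowPutArrayStorageShape`, `ArrayStorageShape`) and the `default` branch wraps `NonArray` in `asArrayModes`; if this works only because `NonArray` shares its value with the no-indexing shape, passing `NoIndexingShape` or adding a short comment would keep a future reader from reading it as a bug. It would also help to carry the ChangeLog rationale into the code as a one-line comment (GenericArguments intercepts indexed puts, so only NonArray and NonArrayWithArrayStorage are reachable), since that invariant is what justifies admitting `ArrayStorageShape` and nothing else for these two `Array::Type` values, and it is the reason the previous `default` result of `asArrayModes(NonArray)` was too narrow once an arguments object had transitioned to array storage.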