Title: [236089] trunk
- Revision: 236089
- Author: sbar...@apple.com
- Date: 2018-09-17 15:21:32 -0700 (Mon, 17 Sep 2018)
Log Message
We must convert ProfileType to CheckStructureOrEmpty instead of CheckStructure
https://bugs.webkit.org/show_bug.cgi?id=189676
<rdar://problem/39682897>
Reviewed by Michael Saboff.
JSTests:
* typeProfiler/check-structure-or-empty-in-fixup.js: Added.
(A):
(K):
(i.catch):
Source/JavaScriptCore:
Because the incoming value may be TDZ, CheckStructure may end up crashing.
Since the Type Profile does not currently record TDZ values in any of its
data structures, this is not a semantic change in how it will show you data.
It just fixes crashes when we emit a CheckStructure and the incoming value
is TDZ.
* dfg/DFGFixupPhase.cpp:
(JSC::DFG::FixupPhase::fixupNode):
* dfg/DFGNode.h:
(JSC::DFG::Node::convertToCheckStructureOrEmpty):
Diff
Modified: trunk/JSTests/ChangeLog (236088 => 236089)
--- trunk/JSTests/ChangeLog 2018-09-17 22:05:45 UTC (rev 236088)
+++ trunk/JSTests/ChangeLog 2018-09-17 22:21:32 UTC (rev 236089)
@@ -1,3 +1,16 @@
+2018-09-17 Saam barati <sbar...@apple.com>
+
+ We must convert ProfileType to CheckStructureOrEmpty instead of CheckStructure
+ https://bugs.webkit.org/show_bug.cgi?id=189676
+ <rdar://problem/39682897>
+
+ Reviewed by Michael Saboff.
+
+ * typeProfiler/check-structure-or-empty-in-fixup.js: Added.
+ (A):
+ (K):
+ (i.catch):
+
2018-09-14 Saam barati <sbar...@apple.com>
Don't dump OSRAvailabilityData in Graph::dump because a stale Availability may point to a Node that is already freed
Added: trunk/JSTests/typeProfiler/check-structure-or-empty-in-fixup.js (0 => 236089)
--- trunk/JSTests/typeProfiler/check-structure-or-empty-in-fixup.js (rev 0)
+++ trunk/JSTests/typeProfiler/check-structure-or-empty-in-fixup.js 2018-09-17 22:21:32 UTC (rev 236089)
@@ -0,0 +1,16 @@
+class A {
+}
+class K extends A {
+ constructor(i) {
+ if (i % 2 !== 0)
+ super();
+ if (i % 2 === 0 && maxCount !== i)
+ super();
+ }
+}
+let maxCount = 150000;
+for (var i = 0; i <= maxCount; i++) {
+ try {
+ new K(i);
+ } catch(e) { }
+}
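Review bot: The empty `catch(e) { }` around `new K(i)` means the test asserts nothing beyond not crashing. Only the final iteration (`i === maxCount`) skips both `super()` calls and leaves `this` uninitialized, so exactly one exception is expected; counting the caught exceptions and checking after the loop that the count is 1 and that the error is a ReferenceError would catch a regression that changes behaviour without crashing. A one-line comment on the `maxCount !== i` condition saying that this is the iteration that produces the TDZ `this` would also help the next reader.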
Modified: trunk/Source/_javascript_Core/ChangeLog (236088 => 236089)
--- trunk/Source/_javascript_Core/ChangeLog 2018-09-17 22:05:45 UTC (rev 236088)
+++ trunk/Source/_javascript_Core/ChangeLog 2018-09-17 22:21:32 UTC (rev 236089)
@@ -1,3 +1,22 @@
+2018-09-17 Saam barati <sbar...@apple.com>
+
+ We must convert ProfileType to CheckStructureOrEmpty instead of CheckStructure
+ https://bugs.webkit.org/show_bug.cgi?id=189676
+ <rdar://problem/39682897>
+
+ Reviewed by Michael Saboff.
+
+ Because the incoming value may be TDZ, CheckStructure may end up crashing.
+ Since the Type Profile does not currently record TDZ values in any of its
+ data structures, this is not a semantic change in how it will show you data.
+ It just fixes crashes when we emit a CheckStructure and the incoming value
+ is TDZ.
+
+ * dfg/DFGFixupPhase.cpp:
+ (JSC::DFG::FixupPhase::fixupNode):
+ * dfg/DFGNode.h:
+ (JSC::DFG::Node::convertToCheckStructureOrEmpty):
+
2018-09-17 Darin Adler <da...@apple.com>
Use OpaqueJSString rather than JSRetainPtr inside WebKit
Modified: trunk/Source/_javascript_Core/dfg/DFGFixupPhase.cpp (236088 => 236089)
--- trunk/Source/_javascript_Core/dfg/DFGFixupPhase.cpp 2018-09-17 22:05:45 UTC (rev 236088)
+++ trunk/Source/_javascript_Core/dfg/DFGFixupPhase.cpp 2018-09-17 22:21:32 UTC (rev 236089)
@@ -1783,7 +1783,7 @@
}
if (!set.isEmpty()) {
fixEdge<CellUse>(node->child1());
- node->convertToCheckStructure(m_graph.addStructureSet(set));
+ node->convertToCheckStructureOrEmpty(m_graph.addStructureSet(set));
}
}
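Review bot: The call site in `fixupNode` gives no hint why the OrEmpty form is required. The edge is still fixed up with `fixEdge<CellUse>(node->child1())`, so a reader has to go to the ChangeLog to learn that the profiled value can be TDZ; a short comment above `node->convertToCheckStructureOrEmpty(...)` stating that would keep someone from switching it back to `convertToCheckStructure`.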
Modified: trunk/Source/_javascript_Core/dfg/DFGNode.h (236088 => 236089)
--- trunk/Source/_javascript_Core/dfg/DFGNode.h 2018-09-17 22:05:45 UTC (rev 236088)
+++ trunk/Source/_javascript_Core/dfg/DFGNode.h 2018-09-17 22:21:32 UTC (rev 236089)
@@ -461,6 +461,15 @@
m_opInfo = set;
}
+ void convertToCheckStructureOrEmpty(RegisteredStructureSet* set)
+ {
+ if (SpecCellCheck & SpecEmpty)
+ setOpAndDefaultFlags(CheckStructureOrEmpty);
+ else
+ setOpAndDefaultFlags(CheckStructure);
+ m_opInfo = set;
+ }
+
void convertCheckStructureOrEmptyToCheckStructure()
{
ASSERT(op() == CheckStructureOrEmpty);
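Review bot: In `convertToCheckStructureOrEmpty`, the condition `SpecCellCheck & SpecEmpty` does not reference any state of the node, so which op gets set is not obvious from the function alone; a comment saying that it keys off whether a cell check admits the empty value would make the intent clear. Also, unlike `convertCheckStructureOrEmptyToCheckStructure()` just below, which has `ASSERT(op() == CheckStructureOrEmpty)`, the new function has no assertion on the op it is converting from; consider adding one for the ops it is expected to be called on.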