Title: [236198] releases/WebKitGTK/webkit-2.22
Revision
236198
Author
carlo...@webkit.org
Date
2018-09-19 06:49:18 -0700 (Wed, 19 Sep 2018)

Log Message

Merge r236089 - We must convert ProfileType to CheckStructureOrEmpty instead of CheckStructure
https://bugs.webkit.org/show_bug.cgi?id=189676
<rdar://problem/39682897>

Reviewed by Michael Saboff.

JSTests:

* typeProfiler/check-structure-or-empty-in-fixup.js: Added.
(A):
(K):
(i.catch):

Source/_javascript_Core:

Because the incoming value may be TDZ, CheckStructure may end up crashing.
Since the Type Profile does not currently record TDZ values in any of its
data structures, this is not a semantic change in how it will show you data.
It just fixes crashes when we emit a CheckStructure and the incoming value
is TDZ.

* dfg/DFGFixupPhase.cpp:
(JSC::DFG::FixupPhase::fixupNode):
* dfg/DFGNode.h:
(JSC::DFG::Node::convertToCheckStructureOrEmpty):
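The language behaviour behind the log message, as an added example that is not part of the WebKit patch: in JavaScript, the `this` binding of a derived-class constructor stays in the temporal dead zone (TDZ) until `super()` returns, so any path that skips `super()` hands an uninitialised `this` to whatever observes it (in the patch, the type profiler's ProfileType node at the constructor's implicit return). The `Base`/`Derived` classes and the `construct`/`runLoop` helpers below are constructed for illustration and generalise the shape of the added regression test, which only hits the TDZ case on its final iteration.

```javascript
// Added example, not code from the WebKit patch. Shows the three ways a
// derived constructor interacts with the TDZ of `this`:
//   - super() called, `this` untouched before it   -> object constructed
//   - `this` read before super()                   -> ReferenceError
//   - super() never called (implicit return)       -> ReferenceError
class Base {
    constructor() { this.tag = "base"; }
}

class Derived extends Base {
    constructor(opts) {
        if (opts.touchThisFirst) {
            // `this` is in TDZ here; the read itself throws ReferenceError.
            this.tag;
        }
        if (opts.callSuper)
            super();
        // Implicit return: if super() never ran, `this` is still empty and
        // the constructor throws ReferenceError instead of returning an object.
    }
}

// Construct a Derived with the given options and report what happened,
// so callers can classify the outcome instead of catching exceptions themselves.
function construct(opts) {
    try {
        const obj = new Derived(opts);
        return { outcome: "constructed", tag: obj.tag };
    } catch (e) {
        return { outcome: e.constructor.name };
    }
}

// Drive the constructor through n + 1 iterations and only skip super() on the
// last one. This mirrors the regression test's loop: a JIT sees many ordinary
// constructions first, then a single construction where `this` is the empty
// (TDZ) value at the implicit return.
function runLoop(n) {
    const counts = { constructed: 0, ReferenceError: 0 };
    for (let i = 0; i <= n; i++) {
        const r = construct({ callSuper: i !== n, touchThisFirst: false });
        counts[r.outcome]++;
    }
    return counts;
}
```

Any engine-side check that assumes the value reaching that implicit return is a cell has to tolerate the empty value, which is exactly why the patch emits CheckStructureOrEmpty rather than CheckStructure there.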

Modified Paths

Added Paths

Diff

Modified: releases/WebKitGTK/webkit-2.22/JSTests/ChangeLog (236197 => 236198)


--- releases/WebKitGTK/webkit-2.22/JSTests/ChangeLog	2018-09-19 13:49:11 UTC (rev 236197)
+++ releases/WebKitGTK/webkit-2.22/JSTests/ChangeLog	2018-09-19 13:49:18 UTC (rev 236198)
@@ -1,3 +1,16 @@
+2018-09-17  Saam barati  <sbar...@apple.com>
+
+        We must convert ProfileType to CheckStructureOrEmpty instead of CheckStructure
+        https://bugs.webkit.org/show_bug.cgi?id=189676
+        <rdar://problem/39682897>
+
+        Reviewed by Michael Saboff.
+
+        * typeProfiler/check-structure-or-empty-in-fixup.js: Added.
+        (A):
+        (K):
+        (i.catch):
+
 2018-09-14  Saam barati  <sbar...@apple.com>
 
         Don't dump OSRAvailabilityData in Graph::dump because a stale Availability may point to a Node that is already freed
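Review bot: the entry for typeProfiler/check-structure-or-empty-in-fixup.js lists only the names prepare-ChangeLog found, (A), (K) and (i.catch), and says nothing about what the test exercises. A one-line description, for example "derived constructor that skips super() on one iteration so `this` reaches ProfileType as the empty (TDZ) value", would let a reader connect the test to the DFGFixupPhase change without opening the file.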

Added: releases/WebKitGTK/webkit-2.22/JSTests/typeProfiler/check-structure-or-empty-in-fixup.js (0 => 236198)


--- releases/WebKitGTK/webkit-2.22/JSTests/typeProfiler/check-structure-or-empty-in-fixup.js	                        (rev 0)
+++ releases/WebKitGTK/webkit-2.22/JSTests/typeProfiler/check-structure-or-empty-in-fixup.js	2018-09-19 13:49:18 UTC (rev 236198)
@@ -0,0 +1,16 @@
+class A {
+}
+class K extends A {
+    constructor(i) {
+        if (i % 2 !== 0)
+            super();
+        if (i % 2 === 0 && maxCount !== i)
+            super();
+    }
+}
+let maxCount = 150000;
+for (var i = 0; i <= maxCount; i++) {
+    try {
+        new K(i);
+    } catch(e) { }
+}
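Review bot: the only construction that leaves `this` uninitialised is i === maxCount (150000 is even, so the first `if` is skipped and the second is false), so the empty-value path runs on a single iteration after 150000 ordinary constructions, and the test passes by not crashing rather than by asserting anything. A comment stating that this is a crash test and that the final iteration is the one that matters would keep the intent from being lost if someone later changes the loop bound or the parity logic. The test also only reaches a ProfileType node when the type profiler is enabled, and nothing in the file says so; it relies on the harness treating the typeProfiler directory specially.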

Modified: releases/WebKitGTK/webkit-2.22/Source/_javascript_Core/ChangeLog (236197 => 236198)


--- releases/WebKitGTK/webkit-2.22/Source/_javascript_Core/ChangeLog	2018-09-19 13:49:11 UTC (rev 236197)
+++ releases/WebKitGTK/webkit-2.22/Source/_javascript_Core/ChangeLog	2018-09-19 13:49:18 UTC (rev 236198)
@@ -1,3 +1,22 @@
+2018-09-17  Saam barati  <sbar...@apple.com>
+
+        We must convert ProfileType to CheckStructureOrEmpty instead of CheckStructure
+        https://bugs.webkit.org/show_bug.cgi?id=189676
+        <rdar://problem/39682897>
+
+        Reviewed by Michael Saboff.
+
+        Because the incoming value may be TDZ, CheckStructure may end up crashing.
+        Since the Type Profile does not currently record TDZ values in any of its
+        data structures, this is not a semantic change in how it will show you data.
+        It just fixes crashes when we emit a CheckStructure and the incoming value
+        is TDZ.
+
+        * dfg/DFGFixupPhase.cpp:
+        (JSC::DFG::FixupPhase::fixupNode):
+        * dfg/DFGNode.h:
+        (JSC::DFG::Node::convertToCheckStructureOrEmpty):
+
 2018-09-14  Saam barati  <sbar...@apple.com>
 
         Don't dump OSRAvailabilityData in Graph::dump because a stale Availability may point to a Node that is already freed
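Review bot: the description says the incoming value "may be TDZ" but not where that value comes from; naming the case (the `this` of a derived-class constructor whose super() call is skipped, which is what the added test constructs) would tie this entry to the test. It also does not mention that convertToCheckStructureOrEmpty falls back to a plain CheckStructure when SpecCellCheck does not include SpecEmpty, which is the part of the change a reader of only this entry would miss.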

Modified: releases/WebKitGTK/webkit-2.22/Source/_javascript_Core/dfg/DFGFixupPhase.cpp (236197 => 236198)


--- releases/WebKitGTK/webkit-2.22/Source/_javascript_Core/dfg/DFGFixupPhase.cpp	2018-09-19 13:49:11 UTC (rev 236197)
+++ releases/WebKitGTK/webkit-2.22/Source/_javascript_Core/dfg/DFGFixupPhase.cpp	2018-09-19 13:49:18 UTC (rev 236198)
@@ -1783,7 +1783,7 @@
                 }
                 if (!set.isEmpty()) {
                     fixEdge<CellUse>(node->child1());
-                    node->convertToCheckStructure(m_graph.addStructureSet(set));
+                    node->convertToCheckStructureOrEmpty(m_graph.addStructureSet(set));
                 }
             }
 
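Review bot: `fixEdge<CellUse>(node->child1());` on the line before the conversion is unchanged, so the edge still carries a CellUse while the node is now expected to tolerate the empty value; that is only consistent if the CellUse check admits SpecEmpty, the same `SpecCellCheck & SpecEmpty` condition that convertToCheckStructureOrEmpty branches on. A short comment here saying that the CellUse edge is what lets CheckStructureOrEmpty see the empty value, rather than a separate use kind, would help the next reader. The `set.isEmpty()` branch above this hunk is not shown, so it is worth confirming that path does not still emit a CheckStructure on the same possibly-empty child.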

Modified: releases/WebKitGTK/webkit-2.22/Source/_javascript_Core/dfg/DFGNode.h (236197 => 236198)


--- releases/WebKitGTK/webkit-2.22/Source/_javascript_Core/dfg/DFGNode.h	2018-09-19 13:49:11 UTC (rev 236197)
+++ releases/WebKitGTK/webkit-2.22/Source/_javascript_Core/dfg/DFGNode.h	2018-09-19 13:49:18 UTC (rev 236198)
@@ -461,6 +461,15 @@
         m_opInfo = set;
     }
 
+    void convertToCheckStructureOrEmpty(RegisteredStructureSet* set)
+    {
+        if (SpecCellCheck & SpecEmpty)
+            setOpAndDefaultFlags(CheckStructureOrEmpty);
+        else
+            setOpAndDefaultFlags(CheckStructure);
+        m_opInfo = set;
+    }
+
     void convertCheckStructureOrEmptyToCheckStructure()
     {
         ASSERT(op() == CheckStructureOrEmpty);
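Review bot: `if (SpecCellCheck & SpecEmpty)` is a condition on two compile-time constants, so the branch is fixed per build configuration rather than per node; a comment stating that (and that on configurations where a CellUse cannot carry the empty value a plain CheckStructure is already safe) would explain why a function named convertToCheckStructureOrEmpty can emit CheckStructure. The new function also has no ASSERT on the current op(), unlike convertCheckStructureOrEmptyToCheckStructure directly below it; if the conversion is only valid from ProfileType, its one caller in this patch, asserting that would catch misuse.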
_______________________________________________
webkit-changes mailing list
webkit-changes@lists.webkit.org
https://lists.webkit.org/mailman/listinfo/webkit-changes
