Title: [274263] trunk
- Revision
- 274263
- Author
- [email protected]
- Date
- 2021-03-10 18:39:16 -0800 (Wed, 10 Mar 2021)
Log Message
AI validator patchpoint should read heap top
https://bugs.webkit.org/show_bug.cgi?id=223052
<rdar://75087095>
Reviewed by Saam Barati.
JSTests:
* stress/private-methods-inheritance.js: Added.
(A):
(A.prototype.x):
(B.prototype.y):
(B):
Source/_javascript_Core:
Currently, the patchpoint doesn't specify any reads, which allows it to be moved around by B3
and can cause false positives since it at least read the structure ID for comparing values.
* ftl/FTLLowerDFGToB3.cpp:
(JSC::FTL::DFG::LowerDFGToB3::validateAIState):
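The commit message above describes the mechanism in one sentence: a B3 patchpoint that declares no reads may be scheduled past writes, so a validator that silently reads the structure ID can observe a stale value. The following is an added, self-contained toy model of that effect-based reordering; it is not WebKit or B3 code, and every name in it (HeapRange, Effects, Op, schedule, program, validatePosition, the constructed three-op program) is hypothetical and only mirrors the idea behind `Effects::reads` and `HeapRange::top()`.

```cpp
// Added illustration (not WebKit code): a toy model of how an optimizer uses
// declared effects to decide whether an instruction may be reordered.
// All names here are hypothetical and only mirror the idea behind B3's
// Effects::reads / HeapRange::top(); the "program" below is constructed.
#include <cstdint>
#include <cstdio>
#include <string>
#include <utility>
#include <vector>

// A half-open heap range [begin, end). top() covers everything, none() nothing.
struct HeapRange {
    uint32_t begin = 0, end = 0;
    static HeapRange none() { return {0, 0}; }
    static HeapRange top() { return {0, UINT32_MAX}; }
    bool overlaps(HeapRange o) const { return begin < o.end && o.begin < end; }
};

struct Effects {
    HeapRange reads = HeapRange::none();
    HeapRange writes = HeapRange::none();
    // Two ops must keep their order if either writes something the other touches.
    bool mustStayOrdered(const Effects& other) const {
        return writes.overlaps(other.reads) || writes.overlaps(other.writes)
            || reads.overlaps(other.writes);
    }
};

// Hypothetical heap slot holding an object's structure ID: range [0, 4).
static const HeapRange kStructureID{0, 4};

struct Op {
    std::string name;
    Effects effects;
    bool hoistable; // the optimizer tries to move this op as early as legal
};

// Greedy scheduler: each hoistable op bubbles upward as far as its effects allow.
std::vector<std::string> schedule(std::vector<Op> ops) {
    for (size_t i = 1; i < ops.size(); ++i) {
        if (!ops[i].hoistable)
            continue;
        size_t j = i;
        while (j > 0 && !ops[j - 1].effects.mustStayOrdered(ops[j].effects)) {
            std::swap(ops[j - 1], ops[j]);
            --j;
        }
    }
    std::vector<std::string> order;
    for (const Op& op : ops)
        order.push_back(op.name);
    return order;
}

// Constructed sequence mirroring the ChangeLog: a transition that writes the
// structure ID, then a validator patchpoint that compares the ID but only
// declares the reads passed in.
std::vector<Op> program(HeapRange validatorReads) {
    return {
        { "alloc",      { HeapRange::none(), kStructureID }, false },
        { "transition", { HeapRange::none(), kStructureID }, false },
        { "validate",   { validatorReads,    HeapRange::none() }, true },
    };
}

// Final index of "validate". With no declared reads it floats above
// "transition" (index 0) and would compare against a stale structure ID;
// with reads = top() it stays after the write (index 2).
int validatePosition(HeapRange validatorReads) {
    std::vector<std::string> order = schedule(program(validatorReads));
    for (size_t i = 0; i < order.size(); ++i)
        if (order[i] == "validate")
            return static_cast<int>(i);
    return -1;
}

int main() {
    std::printf("reads=none(): validate at %d\n", validatePosition(HeapRange::none()));
    std::printf("reads=top():  validate at %d\n", validatePosition(HeapRange::top()));
    return 0;
}
```

The model is deliberately conservative in the same direction as the patch: declaring `reads = top()` pins the validator behind every write, which is the cheap way to guarantee it sees the structure ID the abstract interpreter was reasoning about, at the cost of forbidding motion that a narrower range would have allowed.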
Diff
Modified: trunk/JSTests/ChangeLog (274262 => 274263)
--- trunk/JSTests/ChangeLog 2021-03-11 02:17:43 UTC (rev 274262)
+++ trunk/JSTests/ChangeLog 2021-03-11 02:39:16 UTC (rev 274263)
@@ -1,3 +1,17 @@
+2021-03-10 Tadeu Zagallo <[email protected]>
+
+ AI validator patchpoint should read heap top
+ https://bugs.webkit.org/show_bug.cgi?id=223052
+ <rdar://75087095>
+
+ Reviewed by Saam Barati.
+
+ * stress/private-methods-inheritance.js: Added.
+ (A):
+ (A.prototype.x):
+ (B.prototype.y):
+ (B):
+
2021-03-09 Keith Miller <[email protected]>
JSC Crash in makeString() while creating Error object.
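Review bot: the function list in this ChangeLog entry does not match the test it describes: it names `(A.prototype.x)` and `(B.prototype.y)`, but the added file defines private methods `#x` and `#y`, which are not properties on the prototype. Either correct the entries to the private-method names or drop the auto-generated list so the ChangeLog does not suggest public prototype methods are being exercised.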
Added: trunk/JSTests/stress/private-methods-inheritance.js (0 => 274263)
--- trunk/JSTests/stress/private-methods-inheritance.js (rev 0)
+++ trunk/JSTests/stress/private-methods-inheritance.js 2021-03-11 02:39:16 UTC (rev 274263)
@@ -0,0 +1,12 @@
+class A {
+ constructor(a) {}
+ #x() {}
+}
+class B extends A {
+ #y() {}
+}
+
+let arr = [];
+for (let i = 0; i < 10000000; ++i) {
+ arr.push(new B(undefined));
+}
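Review bot: the test has no comment and no assertion, so nothing in the file says what it regression-tests or why the 10,000,000-iteration loop is needed. Add a header comment with the bug URL (https://bugs.webkit.org/show_bug.cgi?id=223052) stating that the loop exists to get `new B(undefined)` tiered up to the FTL so that the AI validator patchpoint in FTLLowerDFGToB3.cpp runs, and that the expected failure mode is a validation crash rather than a wrong result. Also consider whether the objects need to be retained in `arr` at all: keeping ten million `B` instances alive makes the test memory-heavy for no stated reason, and a comment should justify it if the retention is intentional.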
Modified: trunk/Source/_javascript_Core/ChangeLog (274262 => 274263)
--- trunk/Source/_javascript_Core/ChangeLog 2021-03-11 02:17:43 UTC (rev 274262)
+++ trunk/Source/_javascript_Core/ChangeLog 2021-03-11 02:39:16 UTC (rev 274263)
@@ -1,3 +1,17 @@
+2021-03-10 Tadeu Zagallo <[email protected]>
+
+ AI validator patchpoint should read heap top
+ https://bugs.webkit.org/show_bug.cgi?id=223052
+ <rdar://75087095>
+
+ Reviewed by Saam Barati.
+
+ Currently, the patchpoint doesn't specify any reads, which allows it to be moved around by B3
+ and can cause false positives since it at least read the structure ID for comparing values.
+
+ * ftl/FTLLowerDFGToB3.cpp:
+ (JSC::FTL::DFG::LowerDFGToB3::validateAIState):
+
2021-03-10 Chris Dumez <[email protected]>
Use RetainPtr<> / OSObjectPtr<> more in WebKit
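Review bot: the explanation in this entry is too vague to guide the next reader of validateAIState. "can cause false positives" should say what actually fails (the validator comparing the value against the AI-predicted state after B3 has moved the patchpoint past a write that changed the structure), "it at least read" should be "it at least reads", and the entry should say why `HeapRange::top()` was chosen over a narrower range covering just the structure ID, since top pins the patchpoint behind every heap write.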
Modified: trunk/Source/_javascript_Core/ftl/FTLLowerDFGToB3.cpp (274262 => 274263)
--- trunk/Source/_javascript_Core/ftl/FTLLowerDFGToB3.cpp 2021-03-11 02:17:43 UTC (rev 274262)
+++ trunk/Source/_javascript_Core/ftl/FTLLowerDFGToB3.cpp 2021-03-11 02:39:16 UTC (rev 274263)
@@ -637,6 +637,7 @@
PatchpointValue* patchpoint = m_out.patchpoint(Void);
patchpoint->effects = Effects::none();
+ patchpoint->effects.reads = HeapRange::top();
patchpoint->effects.writesLocalState = true;
patchpoint->appendSomeRegister(input);
patchpoint->setGenerator([=] (CCallHelpers& jit, const StackmapGenerationParams& params) {
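Review bot: the reason for `patchpoint->effects.reads = HeapRange::top();` lives only in the ChangeLog; the code itself now sets `Effects::none()` and immediately overrides part of it with no explanation, which invites a future cleanup that removes the line. Add a short comment above the assignment saying that the generator reads the structure ID of `input` to compare against the AI state and must therefore not be scheduled past heap writes. It is also worth stating in that comment whether `writesLocalState = true` on the following line is still needed for the same purpose or for an unrelated one, so the two effects do not get confused.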
_______________________________________________
webkit-changes mailing list
[email protected]
https://lists.webkit.org/mailman/listinfo/webkit-changes