Title: [286070] trunk
Revision: 286070
Author: sbar...@apple.com
Date: 2021-11-19 11:36:35 -0800 (Fri, 19 Nov 2021)

Log Message

Fix assertion added in r285592
https://bugs.webkit.org/show_bug.cgi?id=233373

JSTests:

Reviewed by Keith Miller.

* stress/validate-assert-uid-is-not-index-or-it-is-symbol.js: Added.
(main.v11):
(main.v29):
(main):

Source/JavaScriptCore:

rdar://85451012

Reviewed by Keith Miller.

The assertion added in r285592 should not apply to Symbols. This patch
fixes that error. We don't care if a Symbol can be parsed as an index
since the string value in a Symbol is just its description, not the
actual property.

* dfg/DFGValidate.cpp:

Diff

Modified: trunk/JSTests/ChangeLog (286069 => 286070)


--- trunk/JSTests/ChangeLog	2021-11-19 19:17:04 UTC (rev 286069)
+++ trunk/JSTests/ChangeLog	2021-11-19 19:36:35 UTC (rev 286070)
@@ -1,3 +1,15 @@
+2021-11-19  Saam Barati  <sbar...@apple.com>
+
+        Fix assertion added in r285592
+        https://bugs.webkit.org/show_bug.cgi?id=233373
+
+        Reviewed by Keith Miller.
+
+        * stress/validate-assert-uid-is-not-index-or-it-is-symbol.js: Added.
+        (main.v11):
+        (main.v29):
+        (main):
+
 2021-11-19  Joseph Griego  <jgri...@igalia.com>
 
         [JSC] Shadow realms: set correct Function prototype on wrapped functions

Added: trunk/JSTests/stress/validate-assert-uid-is-not-index-or-it-is-symbol.js (0 => 286070)


--- trunk/JSTests/stress/validate-assert-uid-is-not-index-or-it-is-symbol.js	                        (rev 0)
+++ trunk/JSTests/stress/validate-assert-uid-is-not-index-or-it-is-symbol.js	2021-11-19 19:36:35 UTC (rev 286070)
@@ -0,0 +1,26 @@
+//@ runDefault("--validateGraphAtEachPhase=1", "--useConcurrentJIT=false", "--thresholdForJITAfterWarmUp=1")
+
+function main() {
+  let v8 = 0;
+  let v9 = Symbol(v8);
+  
+  let v10 = 0;
+  function v11(v12,v13) {
+      ++v10;
+  }
+  
+  let v27 = 0;
+  while (v27 < 4096) {
+      function v29(v30,v31) {
+          do {
+              arguments[v9] = ReferenceError;
+              const v42 = v8++;
+          } while (v8 < 3); 
+          v51 = ++v27;
+      }   
+      const v53 = new Promise(v29);
+  }
+}
+noDFG(main);
+noFTL(main);
+main();
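Review bot: the test carries no comment saying what it covers, and the minimized variable names hide it: the case under test is `arguments[v9]`, where `v9 = Symbol(v8)` is a symbol whose description is "0". A one-line comment above `let v9 = Symbol(v8);` stating that would help. If the repro still triggers without them, drop the unused `v11` and declare `v51`, since `v51 = ++v27;` assigns to an undeclared name and creates an implicit global.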

Modified: trunk/Source/JavaScriptCore/ChangeLog (286069 => 286070)


--- trunk/Source/_javascript_Core/ChangeLog	2021-11-19 19:17:04 UTC (rev 286069)
+++ trunk/Source/_javascript_Core/ChangeLog	2021-11-19 19:36:35 UTC (rev 286070)
@@ -1,3 +1,18 @@
+2021-11-19  Saam Barati  <sbar...@apple.com>
+
+        Fix assertion added in r285592
+        https://bugs.webkit.org/show_bug.cgi?id=233373
+        rdar://85451012
+
+        Reviewed by Keith Miller.
+
+        The assertion added in r285592 should not apply to Symbols. This patch
+        fixes that error. We don't care if a Symbol can be parsed as an index
+        since the string value in a Symbol is just its description, not the 
+        actual property.
+
+        * dfg/DFGValidate.cpp:
+
 2021-11-19  Joseph Griego  <jgri...@igalia.com>
 
         [JSC] Shadow realms: set correct Function prototype on wrapped functions
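Review bot: the added line ending in `not the` in the new entry has a trailing space; strip it so the entry matches the otherwise clean ChangeLog text.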

Modified: trunk/Source/JavaScriptCore/dfg/DFGValidate.cpp (286069 => 286070)


--- trunk/Source/_javascript_Core/dfg/DFGValidate.cpp	2021-11-19 19:17:04 UTC (rev 286069)
+++ trunk/Source/_javascript_Core/dfg/DFGValidate.cpp	2021-11-19 19:36:35 UTC (rev 286070)
@@ -238,7 +238,7 @@
 
                 if (node->hasCacheableIdentifier()) {
                     auto* uid = node->cacheableIdentifier().uid();
-                    VALIDATE((node), !parseIndex(*uid));
+                    VALIDATE((node), uid->isSymbol() || !parseIndex(*uid));
                 }
                  
                 switch (node->op()) {
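Review bot: the new condition `uid->isSymbol() || !parseIndex(*uid)` has no comment on why symbols are exempt, and that reasoning lives only in the ChangeLog. A short comment above the VALIDATE line, saying that a symbol's string is its description rather than a property name, would keep a later reader from tightening the check again.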
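The log message's point that a Symbol's string is only its description, shown as an added JavaScript example that is not part of the commit or of WebKit's code. `parseCanonicalIndex`, `passesOldCheck` and `passesNewCheck` are hypothetical models of the validator's check, and the sample keys are constructed.

```javascript
// Hypothetical stand-in for an index parse: accepts canonical array-index
// strings ("0", "7", "4294967294") and rejects everything else.
// This is not JavaScriptCore's parseIndex.
function parseCanonicalIndex(text) {
  if (typeof text !== "string" || !/^(0|[1-9][0-9]*)$/.test(text)) return null;
  const n = Number(text);
  return n <= 0xFFFFFFFE ? n : null;
}

// Text a key carries: the description for a symbol, the name itself for a string.
function keyText(key) {
  return typeof key === "symbol" ? key.description : key;
}

// Model of the check before the patch: any key whose text parses as an index fails.
function passesOldCheck(key) {
  return parseCanonicalIndex(keyText(key)) === null;
}

// Model of the check after the patch: symbols pass regardless of their text.
function passesNewCheck(key) {
  return typeof key === "symbol" || parseCanonicalIndex(keyText(key)) === null;
}

// Why the exemption is sound: a symbol whose description is "0" never names
// the indexed slot 0.
function symbolVersusIndex() {
  const sym = Symbol(0);            // description is the string "0"
  const arr = ["indexed"];
  arr[sym] = "by symbol";           // stored under the symbol, not at index 0
  return {
    description: sym.description,
    atIndexZero: arr[0],
    atSymbol: arr[sym],
    length: arr.length,
    ownKeys: Reflect.ownKeys(arr).length, // "0", "length", sym
  };
}

// Constructed sample keys: print key, old-check result, new-check result.
for (const key of [Symbol(0), "0", "length", Symbol("name")]) {
  console.log(String(key), passesOldCheck(key), passesNewCheck(key));
}
console.log(symbolVersusIndex());
```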