Branch: refs/heads/main
Home: https://github.com/WebKit/WebKit
Commit: eaa5055b2d7c51fb00f980a69892baa69efd9dff
https://github.com/WebKit/WebKit/commit/eaa5055b2d7c51fb00f980a69892baa69efd9dff
Author: Yusuke Suzuki <ysuz...@apple.com>
Date: 2023-07-19 (Wed, 19 Jul 2023)

Changed paths:
A JSTests/stress/proxy-get-with-complex-string.js
M Source/JavaScriptCore/bytecode/InlineCacheCompiler.cpp

Log Message:
-----------
[JSC] We should have accept-any-value case generation for IC
https://bugs.webkit.org/show_bug.cgi?id=259327
rdar://112502090

Reviewed by Michael Saboff.

When we generate IC for get-by-val / get-by-val-with-this, we check whether each IC needs Int32 / String / Symbol checks. And if we find some of IC case requires it, then we do this check and generating code. But we are missing that we generate accept-any-value case in this path (which is IndexedProxyObjectLoad).

This is clearly wrong, and attached script is repeatedly compiling IC because we are not generating IndexedProxyObjectLoad case. And if this IC site is requiring some register spills, then it leads to release-assert-crash because

1. It says doesJSCalls = true
2. But not setting spillStateForJSCall

So, we will encounter empty spillStateForJSCall.

It is actually super hard to reproduce this issue, and we cannot find a case. But anyway, this fixes the obvious issue, which is not generating listed IC, which is tested in the attached test.

* JSTests/stress/proxy-get-with-complex-string.js: Added.
(test):
* Source/JavaScriptCore/bytecode/InlineCacheCompiler.cpp:
(JSC::InlineCacheCompiler::regenerate):

Canonical link: https://commits.webkit.org/266164@main

_______________________________________________
webkit-changes mailing list
webkit-changes@lists.webkit.org
https://lists.webkit.org/mailman/listinfo/webkit-changes