[webkit-changes] [176399] trunk

Thu, 20 Nov 2014 09:43:48 -0800

Title: [176399] trunk
Revision
176399
Author
[email protected]
Date
2014-11-20 09:42:58 -0800 (Thu, 20 Nov 2014)

Log Message

WTFCrashWithSecurityImplication under SpeculativeJIT::compile() when loading a page from theblaze.com.
<https://webkit.org/b/137642>

Reviewed by Filip Pizlo.

Source/_javascript_Core:

In the DFG, we have a ConstantFolding phase that occurs after all LocalCSE
phases have already transpired.  Hence, Identity nodes introduced in the
ConstantFolding phase will be left in the node graph.  Subsequently, the
DFG code generator asserts that CSE phases have consumed all Identity nodes.
This turns out to not be true.  Hence, the crash.  We fix this by teaching
the DFG code generator to emit code for Identity nodes.

Unlike the DFG, the FTL does not have this issue.  That is because the FTL
plan has GlobalCSE phases that come after ConstantFolding and any other
phases that can generate Identity nodes.  Hence, for the FTL, it is true that
CSE will consume all Identity nodes, and the code generator should not see any
Identity nodes.

* dfg/DFGSpeculativeJIT32_64.cpp:
(JSC::DFG::SpeculativeJIT::compile):
* dfg/DFGSpeculativeJIT64.cpp:
(JSC::DFG::SpeculativeJIT::compile):

LayoutTests:

* js/dfg-inline-identity-expected.txt: Added.
* js/dfg-inline-identity.html: Added.
* js/script-tests/dfg-inline-identity.js: Added.
(o.toKey):
(foo):
(test):

Modified Paths

Added Paths

Diff

Modified: trunk/LayoutTests/ChangeLog (176398 => 176399)


--- trunk/LayoutTests/ChangeLog	2014-11-20 17:32:04 UTC (rev 176398)
+++ trunk/LayoutTests/ChangeLog	2014-11-20 17:42:58 UTC (rev 176399)
@@ -1,3 +1,17 @@
+2014-11-20  Mark Lam  <[email protected]>
+
+        WTFCrashWithSecurityImplication under SpeculativeJIT::compile() when loading a page from theblaze.com.
+        <https://webkit.org/b/137642>
+
+        Reviewed by Filip Pizlo.
+
+        * js/dfg-inline-identity-expected.txt: Added.
+        * js/dfg-inline-identity.html: Added.
+        * js/script-tests/dfg-inline-identity.js: Added.
+        (o.toKey):
+        (foo):
+        (test):
+
 2014-11-20  Commit Queue  <[email protected]>
 
         Unreviewed, rolling out r176396.

Added: trunk/LayoutTests/js/dfg-inline-identity-expected.txt (0 => 176399)


--- trunk/LayoutTests/js/dfg-inline-identity-expected.txt	                        (rev 0)
+++ trunk/LayoutTests/js/dfg-inline-identity-expected.txt	2014-11-20 17:42:58 UTC (rev 176399)
@@ -0,0 +1,9 @@
+This tests that an identity node in the inlined function does not crash the DFG's code generator.
+
+On success, you will see a series of "PASS" messages, followed by "TEST COMPLETE".
+
+
+PASS successfullyParsed is true
+
+TEST COMPLETE
+

Added: trunk/LayoutTests/js/dfg-inline-identity.html (0 => 176399)


--- trunk/LayoutTests/js/dfg-inline-identity.html	                        (rev 0)
+++ trunk/LayoutTests/js/dfg-inline-identity.html	2014-11-20 17:42:58 UTC (rev 176399)
@@ -0,0 +1,10 @@
+<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML//EN">
+<html>
+<head>
+<script src=""
+</head>
+<body>
+<script src=""
+<script src=""
+</body>
+</html>

Added: trunk/LayoutTests/js/script-tests/dfg-inline-identity.js (0 => 176399)


--- trunk/LayoutTests/js/script-tests/dfg-inline-identity.js	                        (rev 0)
+++ trunk/LayoutTests/js/script-tests/dfg-inline-identity.js	2014-11-20 17:42:58 UTC (rev 176399)
@@ -0,0 +1,35 @@
+description(
+"This tests that an identity node in the inlined function does not crash the DFG's code generator."
+);
+
+var o = {
+    x1: 0,
+    x2: 0,
+    x3: 0,
+    toKey: function() {
+        return this.x1 + "," + this.x2 + "," + this.x3;
+    },
+};
+
+var a = [];
+
+var x1Adjust = 1.3;
+var x2Adjust = 2.7;
+var x3Adjust = 1.2;
+
+function foo(i) {
+    o.x1 += x1Adjust;
+    o.x2 += x2Adjust;
+    o.x3 += x3Adjust;
+
+    a[i] = o.toKey();
+}
+
+function test() {
+    for (var i = 0; i < 1000; i++)
+        foo(i);
+}
+
+test();
+
+var successfullyParsed = true;

Modified: trunk/Source/_javascript_Core/ChangeLog (176398 => 176399)


--- trunk/Source/_javascript_Core/ChangeLog	2014-11-20 17:32:04 UTC (rev 176398)
+++ trunk/Source/_javascript_Core/ChangeLog	2014-11-20 17:42:58 UTC (rev 176399)
@@ -1,3 +1,28 @@
+2014-11-19  Mark Lam  <[email protected]>
+
+        WTFCrashWithSecurityImplication under SpeculativeJIT::compile() when loading a page from theblaze.com.
+        <https://webkit.org/b/137642>
+
+        Reviewed by Filip Pizlo.
+
+        In the DFG, we have a ConstantFolding phase that occurs after all LocalCSE
+        phases have already transpired.  Hence, Identity nodes introduced in the
+        ConstantFolding phase will be left in the node graph.  Subsequently, the
+        DFG code generator asserts that CSE phases have consumed all Identity nodes.
+        This turns out to not be true.  Hence, the crash.  We fix this by teaching
+        the DFG code generator to emit code for Identity nodes.
+
+        Unlike the DFG, the FTL does not have this issue.  That is because the FTL
+        plan has GlobalCSE phases that come after ConstantFolding and any other
+        phases that can generate Identity nodes.  Hence, for the FTL, it is true that
+        CSE will consume all Identity nodes, and the code generator should not see any
+        Identity nodes.
+
+        * dfg/DFGSpeculativeJIT32_64.cpp:
+        (JSC::DFG::SpeculativeJIT::compile):
+        * dfg/DFGSpeculativeJIT64.cpp:
+        (JSC::DFG::SpeculativeJIT::compile):
+
 2014-11-19  Joseph Pecoraro  <[email protected]>
 
         Web Inspector: JSContext inspection Resource search does not work

Modified: trunk/Source/_javascript_Core/dfg/DFGSpeculativeJIT32_64.cpp (176398 => 176399)


--- trunk/Source/_javascript_Core/dfg/DFGSpeculativeJIT32_64.cpp	2014-11-20 17:32:04 UTC (rev 176398)
+++ trunk/Source/_javascript_Core/dfg/DFGSpeculativeJIT32_64.cpp	2014-11-20 17:42:58 UTC (rev 176399)
@@ -1692,7 +1692,26 @@
         break;
 
     case Identity: {
-        RELEASE_ASSERT_NOT_REACHED();
+        speculate(node, node->child1());
+        switch (node->child1().useKind()) {
+        case DoubleRepUse:
+        case DoubleRepRealUse: {
+            SpeculateDoubleOperand op(this, node->child1());
+            doubleResult(op.fpr(), node);
+            break;
+        }
+        case Int52RepUse: 
+        case MachineIntUse:
+        case DoubleRepMachineIntUse: {
+            RELEASE_ASSERT_NOT_REACHED();   
+            break;
+        }
+        default: {
+            JSValueOperand op(this, node->child1());
+            jsValueResult(op.tagGPR(), op.payloadGPR(), node);
+            break;
+        }
+        } // switch
         break;
     }

Modified: trunk/Source/_javascript_Core/dfg/DFGSpeculativeJIT64.cpp (176398 => 176399)


--- trunk/Source/_javascript_Core/dfg/DFGSpeculativeJIT64.cpp	2014-11-20 17:32:04 UTC (rev 176398)
+++ trunk/Source/_javascript_Core/dfg/DFGSpeculativeJIT64.cpp	2014-11-20 17:42:58 UTC (rev 176399)
@@ -1793,8 +1793,26 @@
         break;
 
     case Identity: {
-        // CSE should always eliminate this.
-        DFG_CRASH(m_jit.graph(), node, "Unexpected Identity node");
+        speculate(node, node->child1());
+        switch (node->child1().useKind()) {
+        case DoubleRepUse:
+        case DoubleRepRealUse:
+        case DoubleRepMachineIntUse: {
+            SpeculateDoubleOperand op(this, node->child1());
+            doubleResult(op.fpr(), node);
+            break;
+        }
+        case Int52RepUse: {
+            SpeculateInt52Operand op(this, node->child1());
+            int52Result(op.gpr(), node);
+            break;
+        }
+        default: {
+            JSValueOperand op(this, node->child1());
+            jsValueResult(op.gpr(), node);
+            break;
+        }
+        } // switch
         break;
     }
 

_______________________________________________
webkit-changes mailing list
[email protected]
https://lists.webkit.org/mailman/listinfo/webkit-changes

Reply via email to