Revision: 178264
Author: carlo...@webkit.org
Date: 2015-01-12 06:48:03 -0800 (Mon, 12 Jan 2015)
Log Message
Merge r176399 - WTFCrashWithSecurityImplication under SpeculativeJIT::compile() when loading a page from theblaze.com.
<https://webkit.org/b/137642>
Reviewed by Filip Pizlo.
Source/JavaScriptCore:
In the DFG, we have a ConstantFolding phase that occurs after all LocalCSE
phases have already transpired. Hence, Identity nodes introduced in the
ConstantFolding phase will be left in the node graph. Subsequently, the
DFG code generator asserts that CSE phases have consumed all Identity nodes.
This turns out to not be true. Hence, the crash. We fix this by teaching
the DFG code generator to emit code for Identity nodes.
Unlike the DFG, the FTL does not have this issue. That is because the FTL
plan has GlobalCSE phases that come after ConstantFolding and any other
phases that can generate Identity nodes. Hence, for the FTL, it is true that
CSE will consume all Identity nodes, and the code generator should not see any
Identity nodes.
* dfg/DFGSpeculativeJIT32_64.cpp:
(JSC::DFG::SpeculativeJIT::compile):
* dfg/DFGSpeculativeJIT64.cpp:
(JSC::DFG::SpeculativeJIT::compile):
LayoutTests:
* js/dfg-inline-identity-expected.txt: Added.
* js/dfg-inline-identity.html: Added.
* js/script-tests/dfg-inline-identity.js: Added.
(o.toKey):
(foo):
(test):
Diff
Modified: releases/WebKitGTK/webkit-2.6/LayoutTests/ChangeLog (178263 => 178264)
--- releases/WebKitGTK/webkit-2.6/LayoutTests/ChangeLog 2015-01-12 14:41:49 UTC (rev 178263)
+++ releases/WebKitGTK/webkit-2.6/LayoutTests/ChangeLog 2015-01-12 14:48:03 UTC (rev 178264)
@@ -1,3 +1,17 @@
+2014-11-20 Mark Lam <mark....@apple.com>
+
+ WTFCrashWithSecurityImplication under SpeculativeJIT::compile() when loading a page from theblaze.com.
+ <https://webkit.org/b/137642>
+
+ Reviewed by Filip Pizlo.
+
+ * js/dfg-inline-identity-expected.txt: Added.
+ * js/dfg-inline-identity.html: Added.
+ * js/script-tests/dfg-inline-identity.js: Added.
+ (o.toKey):
+ (foo):
+ (test):
+
2014-11-18 Chris Dumez <cdu...@apple.com>
Crash when setting 'z-index' / 'flex-shrink' CSS properties to a calculated value
Added: releases/WebKitGTK/webkit-2.6/LayoutTests/js/dfg-inline-identity-expected.txt (0 => 178264)
--- releases/WebKitGTK/webkit-2.6/LayoutTests/js/dfg-inline-identity-expected.txt (rev 0)
+++ releases/WebKitGTK/webkit-2.6/LayoutTests/js/dfg-inline-identity-expected.txt 2015-01-12 14:48:03 UTC (rev 178264)
@@ -0,0 +1,9 @@
+This tests that an identity node in the inlined function does not crash the DFG's code generator.
+
+On success, you will see a series of "PASS" messages, followed by "TEST COMPLETE".
+
+
+PASS successfullyParsed is true
+
+TEST COMPLETE
+
Added: releases/WebKitGTK/webkit-2.6/LayoutTests/js/dfg-inline-identity.html (0 => 178264)
--- releases/WebKitGTK/webkit-2.6/LayoutTests/js/dfg-inline-identity.html (rev 0)
+++ releases/WebKitGTK/webkit-2.6/LayoutTests/js/dfg-inline-identity.html 2015-01-12 14:48:03 UTC (rev 178264)
@@ -0,0 +1,10 @@
+<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML//EN">
+<html>
+<head>
+<script src=""
+</head>
+<body>
+<script src=""
+<script src=""
+</body>
+</html>
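Review bot: the three `<script src=""` lines in this hunk carry no path and no closing `>` or `</script>`, so as rendered here the page would load no harness and never execute script-tests/dfg-inline-identity.js; please confirm the committed file actually references the js-test harness scripts and the test script with proper closing tags, since this looks like the diff viewer dropping attribute values rather than the real file content.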
Added: releases/WebKitGTK/webkit-2.6/LayoutTests/js/script-tests/dfg-inline-identity.js (0 => 178264)
--- releases/WebKitGTK/webkit-2.6/LayoutTests/js/script-tests/dfg-inline-identity.js (rev 0)
+++ releases/WebKitGTK/webkit-2.6/LayoutTests/js/script-tests/dfg-inline-identity.js 2015-01-12 14:48:03 UTC (rev 178264)
@@ -0,0 +1,35 @@
+description(
+"This tests that an identity node in the inlined function does not crash the DFG's code generator."
+);
+
+var o = {
+ x1: 0,
+ x2: 0,
+ x3: 0,
+ toKey: function() {
+ return this.x1 + "," + this.x2 + "," + this.x3;
+ },
+};
+
+var a = [];
+
+var x1Adjust = 1.3;
+var x2Adjust = 2.7;
+var x3Adjust = 1.2;
+
+function foo(i) {
+ o.x1 += x1Adjust;
+ o.x2 += x2Adjust;
+ o.x3 += x3Adjust;
+
+ a[i] = o.toKey();
+}
+
+function test() {
+ for (var i = 0; i < 1000; i++)
+ foo(i);
+}
+
+test();
+
+var successfullyParsed = true;
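Review bot: the test only asserts `successfullyParsed`, so it catches the crash but not a miscompiled Identity node that yields a wrong value; consider checking at least one entry of `a` (for example the last key produced by `o.toKey()`) against an expected string so the new DFG code path is exercised for correctness, not just for not crashing. It would also help to note in a comment that the repro depends on `foo` reaching the DFG within the 1000 iterations with `toKey` inlined, since the test silently passes on any build where that tiering does not happen.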
Modified: releases/WebKitGTK/webkit-2.6/Source/_javascript_Core/ChangeLog (178263 => 178264)
--- releases/WebKitGTK/webkit-2.6/Source/_javascript_Core/ChangeLog 2015-01-12 14:41:49 UTC (rev 178263)
+++ releases/WebKitGTK/webkit-2.6/Source/_javascript_Core/ChangeLog 2015-01-12 14:48:03 UTC (rev 178264)
@@ -1,3 +1,28 @@
+2014-11-19 Mark Lam <mark....@apple.com>
+
+ WTFCrashWithSecurityImplication under SpeculativeJIT::compile() when loading a page from theblaze.com.
+ <https://webkit.org/b/137642>
+
+ Reviewed by Filip Pizlo.
+
+ In the DFG, we have a ConstantFolding phase that occurs after all LocalCSE
+ phases have already transpired. Hence, Identity nodes introduced in the
+ ConstantFolding phase will be left in the node graph. Subsequently, the
+ DFG code generator asserts that CSE phases have consumed all Identity nodes.
+ This turns out to not be true. Hence, the crash. We fix this by teaching
+ the DFG code generator to emit code for Identity nodes.
+
+ Unlike the DFG, the FTL does not have this issue. That is because the FTL
+ plan has GlobalCSE phases that come after ConstantFolding and any other
+ phases that can generate Identity nodes. Hence, for the FTL, it is true that
+ CSE will consume all Identity nodes, and the code generator should not see any
+ Identity nodes.
+
+ * dfg/DFGSpeculativeJIT32_64.cpp:
+ (JSC::DFG::SpeculativeJIT::compile):
+ * dfg/DFGSpeculativeJIT64.cpp:
+ (JSC::DFG::SpeculativeJIT::compile):
+
2014-11-01 Carlos Garcia Campos <cgar...@igalia.com>
REGRESSION(CMake): Make it possible to build without introspection
Modified: releases/WebKitGTK/webkit-2.6/Source/_javascript_Core/dfg/DFGSpeculativeJIT32_64.cpp (178263 => 178264)
--- releases/WebKitGTK/webkit-2.6/Source/_javascript_Core/dfg/DFGSpeculativeJIT32_64.cpp 2015-01-12 14:41:49 UTC (rev 178263)
+++ releases/WebKitGTK/webkit-2.6/Source/_javascript_Core/dfg/DFGSpeculativeJIT32_64.cpp 2015-01-12 14:48:03 UTC (rev 178264)
@@ -1692,7 +1692,26 @@
break;
case Identity: {
- RELEASE_ASSERT_NOT_REACHED();
+ speculate(node, node->child1());
+ switch (node->child1().useKind()) {
+ case DoubleRepUse:
+ case DoubleRepRealUse: {
+ SpeculateDoubleOperand op(this, node->child1());
+ doubleResult(op.fpr(), node);
+ break;
+ }
+ case Int52RepUse:
+ case MachineIntUse:
+ case DoubleRepMachineIntUse: {
+ RELEASE_ASSERT_NOT_REACHED();
+ break;
+ }
+ default: {
+ JSValueOperand op(this, node->child1());
+ jsValueResult(op.tagGPR(), op.payloadGPR(), node);
+ break;
+ }
+ } // switch
break;
}
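Review bot: `DoubleRepMachineIntUse` is sent to `RELEASE_ASSERT_NOT_REACHED()` here, while the 64-bit version of this same switch handles it together with `DoubleRepUse`/`DoubleRepRealUse` via `SpeculateDoubleOperand`; if the 32-bit DFG can produce an Identity with that use kind, this hunk replaces the original unconditional crash with a narrower one. Either handle `DoubleRepMachineIntUse` in the double case as the 64-bit file does, or add a comment stating why `Int52RepUse`, `MachineIntUse` and `DoubleRepMachineIntUse` cannot occur on 32_64 so the assert is clearly intentional.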
Modified: releases/WebKitGTK/webkit-2.6/Source/_javascript_Core/dfg/DFGSpeculativeJIT64.cpp (178263 => 178264)
--- releases/WebKitGTK/webkit-2.6/Source/_javascript_Core/dfg/DFGSpeculativeJIT64.cpp 2015-01-12 14:41:49 UTC (rev 178263)
+++ releases/WebKitGTK/webkit-2.6/Source/_javascript_Core/dfg/DFGSpeculativeJIT64.cpp 2015-01-12 14:48:03 UTC (rev 178264)
@@ -1795,8 +1795,26 @@
break;
case Identity: {
- // CSE should always eliminate this.
- DFG_CRASH(m_jit.graph(), node, "Unexpected Identity node");
+ speculate(node, node->child1());
+ switch (node->child1().useKind()) {
+ case DoubleRepUse:
+ case DoubleRepRealUse:
+ case DoubleRepMachineIntUse: {
+ SpeculateDoubleOperand op(this, node->child1());
+ doubleResult(op.fpr(), node);
+ break;
+ }
+ case Int52RepUse: {
+ SpeculateInt52Operand op(this, node->child1());
+ int52Result(op.gpr(), node);
+ break;
+ }
+ default: {
+ JSValueOperand op(this, node->child1());
+ jsValueResult(op.gpr(), node);
+ break;
+ }
+ } // switch
break;
}
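Review bot: the removed comment ("CSE should always eliminate this") is not replaced, so a future reader sees Identity being code-generated with no explanation of why CSE did not consume it; please carry the ChangeLog rationale (ConstantFolding runs after the last LocalCSE in the DFG plan, unlike the FTL) into a comment above the switch so nobody reinstates the `DFG_CRASH`. Also note that the `default` branch now silently treats every unlisted use kind as a boxed `JSValueOperand`, whereas the old code crashed with a message; for any representation-changing use kind not handled above, a `DFG_CRASH` in `default` would be safer than boxing a value that may live unboxed.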