[webkit-changes] [281474] branches/safari-612-branch

Mon, 23 Aug 2021 15:01:32 -0700

Title: [281474] branches/safari-612-branch
Revision
281474
Author
repst...@apple.com
Date
2021-08-23 15:00:37 -0700 (Mon, 23 Aug 2021)

Log Message

Cherry-pick r281473. rdar://problem/82262986

    compileEnumeratorHasProperty uses flushRegisters incorrectly
    https://bugs.webkit.org/show_bug.cgi?id=229412
    <rdar://82020767>

    Reviewed by Keith Miller.

    JSTests:

    * stress/for-in-has-own-property-shouldnt-flush-registers.js: Added.
    (foo):
    * stress/for-in-in-by-val-shouldnt-flush-registers.js: Added.
    (a.toString):

    Source/_javascript_Core:

    We were calling flushRegisters() inside code that isn't always runs inside the
    EnumeratorInByVal/EnumeratorHasOwnProperty nodes. That is a violation of how
    flushRegisters() must be used, since flushRegisters() updates global register
    allocation state, and therefore must run each time a node is run. To fix, we
    move flushRegisters() before the code starts emitting branches.

    * dfg/DFGSpeculativeJIT.cpp:
    (JSC::DFG::SpeculativeJIT::compileEnumeratorHasProperty):

    git-svn-id: https://svn.webkit.org/repository/webkit/trunk@281473 268f45cc-cd09-0410-ab3c-d52691b4dbfc

Modified Paths

Added Paths

Diff

Modified: branches/safari-612-branch/JSTests/ChangeLog (281473 => 281474)


--- branches/safari-612-branch/JSTests/ChangeLog	2021-08-23 21:44:19 UTC (rev 281473)
+++ branches/safari-612-branch/JSTests/ChangeLog	2021-08-23 22:00:37 UTC (rev 281474)
@@ -1,3 +1,47 @@
+2021-08-23  Alan Coon  <alanc...@apple.com>
+
+        Cherry-pick r281473. rdar://problem/82262986
+
+    compileEnumeratorHasProperty uses flushRegisters incorrectly
+    https://bugs.webkit.org/show_bug.cgi?id=229412
+    <rdar://82020767>
+    
+    Reviewed by Keith Miller.
+    
+    JSTests:
+    
+    * stress/for-in-has-own-property-shouldnt-flush-registers.js: Added.
+    (foo):
+    * stress/for-in-in-by-val-shouldnt-flush-registers.js: Added.
+    (a.toString):
+    
+    Source/_javascript_Core:
+    
+    We were calling flushRegisters() inside code that isn't always runs inside the
+    EnumeratorInByVal/EnumeratorHasOwnProperty nodes. That is a violation of how
+    flushRegisters() must be used, since flushRegisters() updates global register
+    allocation state, and therefore must run each time a node is run. To fix, we
+    move flushRegisters() before the code starts emitting branches.
+    
+    * dfg/DFGSpeculativeJIT.cpp:
+    (JSC::DFG::SpeculativeJIT::compileEnumeratorHasProperty):
+    
+    
+    git-svn-id: https://svn.webkit.org/repository/webkit/trunk@281473 268f45cc-cd09-0410-ab3c-d52691b4dbfc
+
+    2021-08-23  Saam Barati  <sbar...@apple.com>
+
+            compileEnumeratorHasProperty uses flushRegisters incorrectly
+            https://bugs.webkit.org/show_bug.cgi?id=229412
+            <rdar://82020767>
+
+            Reviewed by Keith Miller.
+
+            * stress/for-in-has-own-property-shouldnt-flush-registers.js: Added.
+            (foo):
+            * stress/for-in-in-by-val-shouldnt-flush-registers.js: Added.
+            (a.toString):
+
 2021-08-17  Mikhail R. Gadelha  <mikh...@igalia.com>
 
         Unreviewed. Skip failing MIPS tests

Added: branches/safari-612-branch/JSTests/stress/for-in-has-own-property-shouldnt-flush-registers.js (0 => 281474)


--- branches/safari-612-branch/JSTests/stress/for-in-has-own-property-shouldnt-flush-registers.js	                        (rev 0)
+++ branches/safari-612-branch/JSTests/stress/for-in-has-own-property-shouldnt-flush-registers.js	2021-08-23 22:00:37 UTC (rev 281474)
@@ -0,0 +1,11 @@
+function foo(o) {
+    for (let p in o) {
+        o.hasOwnProperty(p);
+        o.__proto__ = undefined;
+    }
+}
+
+for (let i = 0; i < 100000; ++i) {
+    foo({f:42});
+}
+

Added: branches/safari-612-branch/JSTests/stress/for-in-in-by-val-shouldnt-flush-registers.js (0 => 281474)


--- branches/safari-612-branch/JSTests/stress/for-in-in-by-val-shouldnt-flush-registers.js	                        (rev 0)
+++ branches/safari-612-branch/JSTests/stress/for-in-in-by-val-shouldnt-flush-registers.js	2021-08-23 22:00:37 UTC (rev 281474)
@@ -0,0 +1,13 @@
+const a = [undefined];
+a.toString = ()=>{};
+
+function foo() {
+    for (let x in a) {
+      x in a;
+      +x;
+    }
+}
+
+for (let i=0; i<10000; i++) {
+  foo();
+}

Modified: branches/safari-612-branch/Source/_javascript_Core/ChangeLog (281473 => 281474)


--- branches/safari-612-branch/Source/_javascript_Core/ChangeLog	2021-08-23 21:44:19 UTC (rev 281473)
+++ branches/safari-612-branch/Source/_javascript_Core/ChangeLog	2021-08-23 22:00:37 UTC (rev 281474)
@@ -1,3 +1,51 @@
+2021-08-23  Alan Coon  <alanc...@apple.com>
+
+        Cherry-pick r281473. rdar://problem/82262986
+
+    compileEnumeratorHasProperty uses flushRegisters incorrectly
+    https://bugs.webkit.org/show_bug.cgi?id=229412
+    <rdar://82020767>
+    
+    Reviewed by Keith Miller.
+    
+    JSTests:
+    
+    * stress/for-in-has-own-property-shouldnt-flush-registers.js: Added.
+    (foo):
+    * stress/for-in-in-by-val-shouldnt-flush-registers.js: Added.
+    (a.toString):
+    
+    Source/_javascript_Core:
+    
+    We were calling flushRegisters() inside code that isn't always runs inside the
+    EnumeratorInByVal/EnumeratorHasOwnProperty nodes. That is a violation of how
+    flushRegisters() must be used, since flushRegisters() updates global register
+    allocation state, and therefore must run each time a node is run. To fix, we
+    move flushRegisters() before the code starts emitting branches.
+    
+    * dfg/DFGSpeculativeJIT.cpp:
+    (JSC::DFG::SpeculativeJIT::compileEnumeratorHasProperty):
+    
+    
+    git-svn-id: https://svn.webkit.org/repository/webkit/trunk@281473 268f45cc-cd09-0410-ab3c-d52691b4dbfc
+
+    2021-08-23  Saam Barati  <sbar...@apple.com>
+
+            compileEnumeratorHasProperty uses flushRegisters incorrectly
+            https://bugs.webkit.org/show_bug.cgi?id=229412
+            <rdar://82020767>
+
+            Reviewed by Keith Miller.
+
+            We were calling flushRegisters() inside code that isn't always runs inside the
+            EnumeratorInByVal/EnumeratorHasOwnProperty nodes. That is a violation of how
+            flushRegisters() must be used, since flushRegisters() updates global register
+            allocation state, and therefore must run each time a node is run. To fix, we
+            move flushRegisters() before the code starts emitting branches.
+
+            * dfg/DFGSpeculativeJIT.cpp:
+            (JSC::DFG::SpeculativeJIT::compileEnumeratorHasProperty):
+
 2021-08-18  Yusuke Suzuki  <ysuz...@apple.com>
 
         [JSC] Remove op_has_indexed_property related code

Modified: branches/safari-612-branch/Source/_javascript_Core/dfg/DFGSpeculativeJIT.cpp (281473 => 281474)


--- branches/safari-612-branch/Source/_javascript_Core/dfg/DFGSpeculativeJIT.cpp	2021-08-23 21:44:19 UTC (rev 281473)
+++ branches/safari-612-branch/Source/_javascript_Core/dfg/DFGSpeculativeJIT.cpp	2021-08-23 22:00:37 UTC (rev 281474)
@@ -13743,6 +13743,8 @@
         GPRReg modeGPR = mode.gpr();
         GPRReg enumeratorGPR = enumerator.gpr();
 
+        flushRegisters();
+
         JSValueRegsTemporary result(this);
         JSValueRegs resultRegs = result.regs();
 
@@ -13762,7 +13764,6 @@
 
         operationCases.link(&m_jit);
 
-        flushRegisters();
 #if USE(JSVALUE32_64)
         m_jit.move(TrustedImm32(JSValue::CellTag), resultRegs.tagGPR());
         auto baseRegs = JSValueRegs(baseCellGPR, resultRegs.tagGPR());

_______________________________________________
webkit-changes mailing list
webkit-changes@lists.webkit.org
https://lists.webkit.org/mailman/listinfo/webkit-changes

Reply via email to