Title: [171354] trunk/Source/_javascript_Core
Revision: 171354
Author: fpi...@apple.com
Date: 2014-07-22 12:46:41 -0700 (Tue, 22 Jul 2014)

Log Message

ASSERTION FAILED: info.spillFormat() & DataFormatJS in JSC::DFG::SpeculativeJIT::fillSpeculateCell
https://bugs.webkit.org/show_bug.cgi?id=135155
<rdar://problem/17763909>

Reviewed by Oliver Hunt.
        
The DFG fillSpeculate code paths all need to be mindful of the fact that they may be stumbling upon a
contradiction, and that this is OK. In this case, we were speculating cell on an int.

* dfg/DFGSpeculativeJIT64.cpp:
(JSC::DFG::SpeculativeJIT::fillSpeculateCell):
* tests/stress/regress-135155.js: Added.
(run.t.length):
(run):

Diff

Modified: trunk/Source/_javascript_Core/ChangeLog (171353 => 171354)


--- trunk/Source/_javascript_Core/ChangeLog	2014-07-22 19:36:46 UTC (rev 171353)
+++ trunk/Source/_javascript_Core/ChangeLog	2014-07-22 19:46:41 UTC (rev 171354)
@@ -1,3 +1,20 @@
+2014-07-22  Filip Pizlo  <fpi...@apple.com>
+
+        ASSERTION FAILED: info.spillFormat() & DataFormatJS in JSC::DFG::SpeculativeJIT::fillSpeculateCell
+        https://bugs.webkit.org/show_bug.cgi?id=135155
+        <rdar://problem/17763909>
+
+        Reviewed by Oliver Hunt.
+        
+        The DFG fillSpeculate code paths all need to be mindful of the fact that they may be stumbling upon a
+        contradiction, and that this is OK. In this case, we were speculating cell on an int.
+
+        * dfg/DFGSpeculativeJIT64.cpp:
+        (JSC::DFG::SpeculativeJIT::fillSpeculateCell):
+        * tests/stress/regress-135155.js: Added.
+        (run.t.length):
+        (run):
+
 2014-07-18  Filip Pizlo  <fpi...@apple.com>
 
         Extend exception fuzzing to the LLInt
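Review bot: the entry describes the symptom (speculating cell on an int) but not what the fix does; suggest adding a sentence that the RELEASE_ASSERT on info.spillFormat() & DataFormatJS in fillSpeculateCell is replaced by a terminateSpeculativeExecution exit, so the ChangeLog matches the code change. The "(run.t.length):" line names the anonymous function stored into t.length in the new test rather than a real function and could be dropped from the function list.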

Modified: trunk/Source/_javascript_Core/dfg/DFGSpeculativeJIT64.cpp (171353 => 171354)


--- trunk/Source/_javascript_Core/dfg/DFGSpeculativeJIT64.cpp	2014-07-22 19:36:46 UTC (rev 171353)
+++ trunk/Source/_javascript_Core/dfg/DFGSpeculativeJIT64.cpp	2014-07-22 19:46:41 UTC (rev 171354)
@@ -1019,7 +1019,12 @@
             terminateSpeculativeExecution(Uncountable, JSValueRegs(), 0);
             return gpr;
         }
-        RELEASE_ASSERT(info.spillFormat() & DataFormatJS);
+        
+        if (!(info.spillFormat() & DataFormatJS)) {
+            terminateSpeculativeExecution(Uncountable, JSValueRegs(), 0);
+            return gpr;
+        }
+        
         m_gprs.retain(gpr, virtualRegister, SpillOrderSpilled);
         m_jit.load64(JITCompiler::addressFor(virtualRegister), gpr);
 
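Review bot: the new guard correctly turns a reachable contradiction into a speculation exit instead of a RELEASE_ASSERT crash, mirroring the "terminateSpeculativeExecution(Uncountable, JSValueRegs(), 0); return gpr;" early return directly above it, but it deserves a one-line comment saying why a spill format without DataFormatJS is legitimately reachable here (the ChangeLog's "speculating cell on an int"), because the surrounding code reads like an invariant check and a later reader may reinstate the assert. Since both early returns are identical, consider folding this condition into the preceding one with || rather than duplicating the two statements. Style: the two added blank lines at the top and bottom of the block carry trailing whitespace.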

Added: trunk/Source/_javascript_Core/tests/stress/regress-135155.js (0 => 171354)


--- trunk/Source/_javascript_Core/tests/stress/regress-135155.js	                        (rev 0)
+++ trunk/Source/_javascript_Core/tests/stress/regress-135155.js	2014-07-22 19:46:41 UTC (rev 171354)
@@ -0,0 +1,9 @@
+function run() {
+    for (var t = 1, i = 0; i < 10000; t++, i++) {
+        t.length = function() {
+            var foo = iv.charCodeAt(foo, undefined);
+        };
+    }
+}
+
+run();
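Review bot: the test carries no comment stating what it exercises or how it passes, and as written it looks like raw fuzzer output: iv is never declared, the inner function assigned to t.length is never invoked, and foo is read before it is assigned. Suggest a leading comment explaining that the interesting part is the property store t.length = ... on the int loop counter t, which led the DFG to speculate cell on an int and hit the assertion in fillSpeculateCell, and that the test passes simply by running to completion without crashing, so a reader knows the unused function body and undeclared identifier are intentional rather than mistakes to clean up.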
_______________________________________________
webkit-changes mailing list
webkit-changes@lists.webkit.org
https://lists.webkit.org/mailman/listinfo/webkit-changes