Title: [227742] trunk
Revision: 227742
Author: msab...@apple.com
Date: 2018-01-29 11:13:45 -0800 (Mon, 29 Jan 2018)

Log Message

REGRESSION (r227341): DFG_ASSERT failure at JSC::DFG::AtTailAbstractState::forNode()
https://bugs.webkit.org/show_bug.cgi?id=182249

Reviewed by Keith Miller.

JSTests:

New regression test.

* stress/compare-clobber-untypeduse.js: Added.

Source/_javascript_Core:

Changed clobberize() handling of CompareEq, et al. to properly handle comparisons between
Untyped and Object values when compared against built-in types.  Such comparisons can
invoke toNumber() or other methods.

* dfg/DFGClobberize.h:
(JSC::DFG::clobberize):

Diff

Modified: trunk/JSTests/ChangeLog (227741 => 227742)


--- trunk/JSTests/ChangeLog	2018-01-29 18:37:48 UTC (rev 227741)
+++ trunk/JSTests/ChangeLog	2018-01-29 19:13:45 UTC (rev 227742)
@@ -1,3 +1,14 @@
+2018-01-29  Michael Saboff  <msab...@apple.com>
+
+        REGRESSION (r227341): DFG_ASSERT failure at JSC::DFG::AtTailAbstractState::forNode()
+        https://bugs.webkit.org/show_bug.cgi?id=182249
+
+        Reviewed by Keith Miller.
+
+        New regression test.
+
+        * stress/compare-clobber-untypeduse.js: Added.
+
 2018-01-29  Matt Lewis  <jlew...@apple.com>
 
         Unreviewed, rolling out r227725.

Added: trunk/JSTests/stress/compare-clobber-untypeduse.js (0 => 227742)


--- trunk/JSTests/stress/compare-clobber-untypeduse.js	                        (rev 0)
+++ trunk/JSTests/stress/compare-clobber-untypeduse.js	2018-01-29 19:13:45 UTC (rev 227742)
@@ -0,0 +1,12 @@
+// Test that we properly clobber untyped uses.  This test should throw or crash.
+
+let val;
+
+for (var i = 0; i < 100000; i++)
+    val = 42;
+
+for (let i = 0; i < 1e6; i++) {
+    if (val != null && val == 2) {
+        throw "Val should be 42, but is 2";
+    }
+}
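Review bot: the header comment on the first line of the test, "This test should throw or crash.", reads as if a throw or crash is the expected outcome, but the `throw "Val should be 42, but is 2";` only fires when the DFG miscompiles the `val != null && val == 2` comparison, and the regression being guarded is the DFG_ASSERT failure; the test passes only when neither happens. Suggest rewording to "This test should not throw or crash." Minor style point: the warm-up loop declares `var i` while the second loop declares `let i`; using `let` in both keeps the two loops consistent.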

Modified: trunk/Source/_javascript_Core/ChangeLog (227741 => 227742)


--- trunk/Source/_javascript_Core/ChangeLog	2018-01-29 18:37:48 UTC (rev 227741)
+++ trunk/Source/_javascript_Core/ChangeLog	2018-01-29 19:13:45 UTC (rev 227742)
@@ -1,3 +1,17 @@
+2018-01-29  Michael Saboff  <msab...@apple.com>
+
+        REGRESSION (r227341): DFG_ASSERT failure at JSC::DFG::AtTailAbstractState::forNode()
+        https://bugs.webkit.org/show_bug.cgi?id=182249
+
+        Reviewed by Keith Miller.
+
+        Changed clobberize() handling of CompareEq, et al to properly handle comparisons between
+        Untyped and Object values when compared against built in types.  Such comparisons can
+        invoke toNumber() or other methods.
+
+        * dfg/DFGClobberize.h:
+        (JSC::DFG::clobberize):
+
 2018-01-29  Matt Lewis  <jlew...@apple.com>
 
         Unreviewed, rolling out r227725.

Modified: trunk/Source/_javascript_Core/dfg/DFGClobberize.h (227741 => 227742)


--- trunk/Source/_javascript_Core/dfg/DFGClobberize.h	2018-01-29 18:37:48 UTC (rev 227741)
+++ trunk/Source/_javascript_Core/dfg/DFGClobberize.h	2018-01-29 19:13:45 UTC (rev 227742)
@@ -1545,12 +1545,19 @@
             write(HeapObjectCount);
             return;
         }
-        if (!node->isBinaryUseKind(UntypedUse)) {
+
+        if (node->op() == CompareEq && node->isBinaryUseKind(ObjectUse)) {
             def(PureValue(node));
             return;
         }
-        read(World);
-        write(Heap);
+        if (node->child1().useKind() == UntypedUse || node->child1().useKind() == ObjectUse
+            || node->child2().useKind() == UntypedUse || node->child2().useKind() == ObjectUse) {
+            read(World);
+            write(Heap);
+            return;
+        }
+
+        def(PureValue(node));
         return;
 
     case ToNumber: {
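Review bot: the new four-way condition on `node->child1().useKind()` / `node->child2().useKind()` carries no comment explaining why an ObjectUse operand now forces `read(World); write(Heap);` while the preceding `node->op() == CompareEq && node->isBinaryUseKind(ObjectUse)` case stays pure. The rationale is in the ChangeLog (the comparison can invoke toNumber() or other methods on the object) but not next to the code; suggest a one-line comment above each branch, e.g. "Equality of two objects is an identity check and runs no user code" and "A comparison with an Untyped or Object operand may call toNumber() or other methods on the object, so it clobbers the heap." A small helper such as `auto usesUntypedOrObject = [](Edge edge) { return edge.useKind() == UntypedUse || edge.useKind() == ObjectUse; };` would also remove the repeated `== UntypedUse || ... == ObjectUse` pairs. Note for the record that the removed `if (!node->isBinaryUseKind(UntypedUse))` short-circuit treated a mixed Untyped/typed comparison as pure, which is the defect the reordered checks fix; the trailing `def(PureValue(node));` is now reached only when neither operand is Untyped or Object.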
_______________________________________________
webkit-changes mailing list
webkit-changes@lists.webkit.org
https://lists.webkit.org/mailman/listinfo/webkit-changes