[webkit-changes] [230241] branches/safari-605-branch

Tue, 03 Apr 2018 20:28:41 -0700

Title: [230241] branches/safari-605-branch
Revision
230241
Author
jmarc...@apple.com
Date
2018-04-03 20:27:50 -0700 (Tue, 03 Apr 2018)

Log Message

Cherry-pick r230143. rdar://problem/39155381

    JSC crash in JIT code with for-of loop and Array/Set iterators
    https://bugs.webkit.org/show_bug.cgi?id=183174

    Reviewed by Saam Barati.

    JSTests:

    * microbenchmarks/hoist-get-by-offset-tower-with-inferred-types.js: Added. This test shows that fixing the bug didn't break hoisting of GetByOffset with inferred types. I confirmed that if I did break it, this test slows down by >7x.
    (foo):
    * stress/hoist-get-by-offset-with-control-dependent-inferred-type.js: Added. This test shows that the bug is fixed.
    (f):

    Source/_javascript_Core:

    * dfg/DFGSafeToExecute.h:
    (JSC::DFG::safeToExecute): Fix the bug by making GetByOffset and friends verify that they are getting the type proof they want at the desired hoisting site.

    git-svn-id: https://svn.webkit.org/repository/webkit/trunk@230143 268f45cc-cd09-0410-ab3c-d52691b4dbfc

Modified Paths

Added Paths

Diff

Modified: branches/safari-605-branch/JSTests/ChangeLog (230240 => 230241)


--- branches/safari-605-branch/JSTests/ChangeLog	2018-04-04 03:27:47 UTC (rev 230240)
+++ branches/safari-605-branch/JSTests/ChangeLog	2018-04-04 03:27:50 UTC (rev 230241)
@@ -1,5 +1,42 @@
 2018-04-03  Jason Marcell  <jmarc...@apple.com>
 
+        Cherry-pick r230143. rdar://problem/39155381
+
+    JSC crash in JIT code with for-of loop and Array/Set iterators
+    https://bugs.webkit.org/show_bug.cgi?id=183174
+    
+    Reviewed by Saam Barati.
+    
+    JSTests:
+    
+    * microbenchmarks/hoist-get-by-offset-tower-with-inferred-types.js: Added. This test shows that fixing the bug didn't break hoisting of GetByOffset with inferred types. I confirmed that if I did break it, this test slows down by >7x.
+    (foo):
+    * stress/hoist-get-by-offset-with-control-dependent-inferred-type.js: Added. This test shows that the bug is fixed.
+    (f):
+    
+    Source/_javascript_Core:
+    
+    * dfg/DFGSafeToExecute.h:
+    (JSC::DFG::safeToExecute): Fix the bug by making GetByOffset and friends verify that they are getting the type proof they want at the desired hoisting site.
+    
+    
+    
+    git-svn-id: https://svn.webkit.org/repository/webkit/trunk@230143 268f45cc-cd09-0410-ab3c-d52691b4dbfc
+
+    2018-03-31  Filip Pizlo  <fpi...@apple.com>
+
+            JSC crash in JIT code with for-of loop and Array/Set iterators
+            https://bugs.webkit.org/show_bug.cgi?id=183174
+
+            Reviewed by Saam Barati.
+
+            * microbenchmarks/hoist-get-by-offset-tower-with-inferred-types.js: Added. This test shows that fixing the bug didn't break hoisting of GetByOffset with inferred types. I confirmed that if I did break it, this test slows down by >7x.
+            (foo):
+            * stress/hoist-get-by-offset-with-control-dependent-inferred-type.js: Added. This test shows that the bug is fixed.
+            (f):
+
+2018-04-03  Jason Marcell  <jmarc...@apple.com>
+
         Cherry-pick r230119. rdar://problem/39155070
 
     WebAssembly compilation from DataView

Added: branches/safari-605-branch/JSTests/microbenchmarks/hoist-get-by-offset-tower-with-inferred-types.js (0 => 230241)


--- branches/safari-605-branch/JSTests/microbenchmarks/hoist-get-by-offset-tower-with-inferred-types.js	                        (rev 0)
+++ branches/safari-605-branch/JSTests/microbenchmarks/hoist-get-by-offset-tower-with-inferred-types.js	2018-04-04 03:27:50 UTC (rev 230241)
@@ -0,0 +1,19 @@
+function foo(o)
+{
+    var result = 0;
+    for (var i = 0; i < 100; ++i)
+        result += o.f.g.h.i.j.k.l.m.n.o.p.q.r.s.t.u.v.w.x.y.z;
+    return result;
+}
+
+noInline(foo);
+
+for (var i = 0; i < 1000; ++i) {
+    var o = {f:{g:{h:{i:{j:{k:{l:{m:{n:{o:{p:{q:{r:{s:{t:{u:{v:{w:{x:{y:{z:42}}}}}}}}}}}}}}}}}}}}};
+    for (var j = 0; j < 100; ++j) {
+        var result = foo(o);
+        if (result != 4200)
+            throw "Bad result in loop: " + result;
+    }
+}
+

Added: branches/safari-605-branch/JSTests/stress/hoist-get-by-offset-with-control-dependent-inferred-type.js (0 => 230241)


--- branches/safari-605-branch/JSTests/stress/hoist-get-by-offset-with-control-dependent-inferred-type.js	                        (rev 0)
+++ branches/safari-605-branch/JSTests/stress/hoist-get-by-offset-with-control-dependent-inferred-type.js	2018-04-04 03:27:50 UTC (rev 230241)
@@ -0,0 +1,14 @@
+function f() {
+    var a = Array(100).fill(0);
+    var ta = new Set(a.map((v,k)=>k));
+    var xs = [a, ta];
+    var q = 0;
+    var t = Date.now();
+    for (var i = 0; i < 100000; ++i) {
+        for (var x of xs[i&1]) q+=x;
+    }
+    return [Date.now()-t,q];
+}
+noInline(f);
+f();
+

Modified: branches/safari-605-branch/Source/_javascript_Core/ChangeLog (230240 => 230241)


--- branches/safari-605-branch/Source/_javascript_Core/ChangeLog	2018-04-04 03:27:47 UTC (rev 230240)
+++ branches/safari-605-branch/Source/_javascript_Core/ChangeLog	2018-04-04 03:27:50 UTC (rev 230241)
@@ -1,5 +1,40 @@
 2018-04-03  Jason Marcell  <jmarc...@apple.com>
 
+        Cherry-pick r230143. rdar://problem/39155381
+
+    JSC crash in JIT code with for-of loop and Array/Set iterators
+    https://bugs.webkit.org/show_bug.cgi?id=183174
+    
+    Reviewed by Saam Barati.
+    
+    JSTests:
+    
+    * microbenchmarks/hoist-get-by-offset-tower-with-inferred-types.js: Added. This test shows that fixing the bug didn't break hoisting of GetByOffset with inferred types. I confirmed that if I did break it, this test slows down by >7x.
+    (foo):
+    * stress/hoist-get-by-offset-with-control-dependent-inferred-type.js: Added. This test shows that the bug is fixed.
+    (f):
+    
+    Source/_javascript_Core:
+    
+    * dfg/DFGSafeToExecute.h:
+    (JSC::DFG::safeToExecute): Fix the bug by making GetByOffset and friends verify that they are getting the type proof they want at the desired hoisting site.
+    
+    
+    
+    git-svn-id: https://svn.webkit.org/repository/webkit/trunk@230143 268f45cc-cd09-0410-ab3c-d52691b4dbfc
+
+    2018-03-31  Filip Pizlo  <fpi...@apple.com>
+
+            JSC crash in JIT code with for-of loop and Array/Set iterators
+            https://bugs.webkit.org/show_bug.cgi?id=183174
+
+            Reviewed by Saam Barati.
+
+            * dfg/DFGSafeToExecute.h:
+            (JSC::DFG::safeToExecute): Fix the bug by making GetByOffset and friends verify that they are getting the type proof they want at the desired hoisting site.
+
+2018-04-03  Jason Marcell  <jmarc...@apple.com>
+
         Cherry-pick r230119. rdar://problem/39155070
 
     WebAssembly compilation from DataView

Modified: branches/safari-605-branch/Source/_javascript_Core/dfg/DFGSafeToExecute.h (230240 => 230241)


--- branches/safari-605-branch/Source/_javascript_Core/dfg/DFGSafeToExecute.h	2018-04-04 03:27:47 UTC (rev 230240)
+++ branches/safari-605-branch/Source/_javascript_Core/dfg/DFGSafeToExecute.h	2018-04-04 03:27:50 UTC (rev 230241)
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2013-2017 Apple Inc. All rights reserved.
+ * Copyright (C) 2013-2018 Apple Inc. All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
@@ -497,9 +497,33 @@
     case GetByOffset:
     case GetGetterSetterByOffset:
     case PutByOffset: {
-        PropertyOffset offset = node->storageAccessData().offset;
+        StorageAccessData& data = ""
+        PropertyOffset offset = data.offset;
+        UniquedStringImpl* uid = graph.identifiers()[data.identifierNumber];
 
-        if (state.structureClobberState() == StructuresAreWatched) {
+        InferredType::Descriptor inferredType;
+        switch (node->op()) {
+        case GetByOffset:
+        case GetGetterSetterByOffset:
+            inferredType = data.inferredType;
+            break;
+        case PutByOffset:
+            // PutByOffset knows about inferred types because it's the enforcer of that type rather
+            // than the consumer of that type. Therefore, PutByOffset expects TOP for the purpose of
+            // safe-to-execute in the sense that it will be happy with anything as general as TOP
+            // (so any type).
+            inferredType = InferredType::Top;
+            break;
+        default:
+            DFG_CRASH(graph, node, "Bad opcode");
+            break;
+        }
+
+        // Graph::isSafeToLoad() is all about proofs derived from PropertyConditions. Those don't
+        // know anything about inferred types. But if we have a proof derived from watching a
+        // structure that has a type proof, then the next case below will deal with it.
+        if (state.structureClobberState() == StructuresAreWatched
+            && inferredType.kind() == InferredType::Top) {
             if (JSObject* knownBase = node->child1()->dynamicCastConstant<JSObject*>(graph.m_vm)) {
                 if (graph.isSafeToLoad(knownBase, offset))
                     return true;
@@ -510,8 +534,15 @@
         if (value.isInfinite())
             return false;
         for (unsigned i = value.size(); i--;) {
-            if (!value[i]->isValidOffset(offset))
+            Structure* thisStructure = value[i].get();
+            if (!thisStructure->isValidOffset(offset))
                 return false;
+            if (inferredType.kind() != InferredType::Top) {
+                InferredType::Descriptor thisInferredType =
+                    graph.inferredTypeForProperty(thisStructure, uid);
+                if (!inferredType.subsumes(thisInferredType))
+                    return false;
+            }
         }
         return true;
     }

_______________________________________________
webkit-changes mailing list
webkit-changes@lists.webkit.org
https://lists.webkit.org/mailman/listinfo/webkit-changes

Reply via email to