Modified: trunk/JSTests/ChangeLog (282041 => 282042)
--- trunk/JSTests/ChangeLog 2021-09-04 02:58:54 UTC (rev 282041)
+++ trunk/JSTests/ChangeLog 2021-09-04 03:24:14 UTC (rev 282042)
@@ -1,5 +1,16 @@
2021-09-03 Yusuke Suzuki <ysuz...@apple.com>
+ [JSC] Make EnumeratorNextUpdateIndexAndMode clobberizing rule precise
+ https://bugs.webkit.org/show_bug.cgi?id=229898
+ rdar://82714439
+
+ Reviewed by Saam Barati.
+
+ * complex.yaml:
+ * complex/for-in-clobberize.js: Added.
+
+2021-09-03 Yusuke Suzuki <ysuz...@apple.com>
+
[JSC] Implement Temporal.TimeZone
https://bugs.webkit.org/show_bug.cgi?id=229703
Added: trunk/JSTests/complex/for-in-clobberize.js (0 => 282042)
--- trunk/JSTests/complex/for-in-clobberize.js (rev 0)
+++ trunk/JSTests/complex/for-in-clobberize.js 2021-09-04 03:24:14 UTC (rev 282042)
@@ -0,0 +1,6 @@
+Array.prototype.__proto__ = {};
+let a = [];
+for (let i=0; i<100; i++) {
+ a.unshift(undefined);
+ for (let x in a);
+}
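Review bot: The new test file has no comment saying what it exercises, so a future failure gives no hint why the `Array.prototype.__proto__ = {}` line and the `unshift` inside the loop are there. Presumably the prototype swap plus the per-iteration shape change are what push the for-in enumerator off the fast indexed path, but that is only recoverable from the ChangeLog title and bug id, not from the test itself. A one-line header such as `// Regression test for https://bugs.webkit.org/show_bug.cgi?id=229898: for-in over an array whose prototype chain and length change each iteration (EnumeratorNextUpdateIndexAndMode clobberize rule).` would make that explicit.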
Modified: trunk/JSTests/complex.yaml (282041 => 282042)
--- trunk/JSTests/complex.yaml 2021-09-04 02:58:54 UTC (rev 282041)
+++ trunk/JSTests/complex.yaml 2021-09-04 03:24:14 UTC (rev 282042)
@@ -52,3 +52,6 @@
- path: complex/temporal-now-timezone-with-broken-tz.js
cmd: runComplexTest [], [], "TZ=UNDEFINED", "--useDollarVM=1", "--useTemporal=1"
+
+- path: complex/for-in-clobberize.js
+ cmd: runComplexTest [], [], "", "--destroy-vm"
Modified: trunk/Source/_javascript_Core/ChangeLog (282041 => 282042)
--- trunk/Source/_javascript_Core/ChangeLog 2021-09-04 02:58:54 UTC (rev 282041)
+++ trunk/Source/_javascript_Core/ChangeLog 2021-09-04 03:24:14 UTC (rev 282042)
@@ -1,3 +1,20 @@
+2021-09-03 Yusuke Suzuki <ysuz...@apple.com>
+
+ [JSC] Make EnumeratorNextUpdateIndexAndMode clobberizing rule precise
+ https://bugs.webkit.org/show_bug.cgi?id=229898
+ rdar://82714439
+
+ Reviewed by Saam Barati.
+
+ Clobberizing rule and AI does not match for EnumeratorNextUpdateIndexAndMode node.
+ We fix both cases: isSaneChain is not related to this node. So we should use isInBounds
+ as we are doing for HasIndexedProperty node.
+
+ * dfg/DFGAbstractInterpreterInlines.h:
+ (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
+ * dfg/DFGClobberize.h:
+ (JSC::DFG::clobberize):
+
2021-09-03 Ross Kirsling <ross.kirsl...@sony.com>
Unreviewed, non-unified JSC build fix following 241222@main.
Modified: trunk/Source/_javascript_Core/dfg/DFGAbstractInterpreterInlines.h (282041 => 282042)
--- trunk/Source/_javascript_Core/dfg/DFGAbstractInterpreterInlines.h 2021-09-04 02:58:54 UTC (rev 282041)
+++ trunk/Source/_javascript_Core/dfg/DFGAbstractInterpreterInlines.h 2021-09-04 03:24:14 UTC (rev 282042)
@@ -4280,11 +4280,26 @@
case EnumeratorNextUpdateIndexAndMode: {
ArrayMode arrayMode = node->arrayMode();
- if (arrayMode.isSaneChain())
- ASSERT(node->enumeratorMetadata() == JSPropertyNameEnumerator::IndexedMode);
- else if (node->enumeratorMetadata() != JSPropertyNameEnumerator::OwnStructureMode || m_graph.varArgChild(node, 0).useKind() != CellUse)
+ if (node->enumeratorMetadata() == JSPropertyNameEnumerator::OwnStructureMode && m_graph.varArgChild(node, 0).useKind() == CellUse) {
+ // Do nothing.
+ } else if (node->enumeratorMetadata() != JSPropertyNameEnumerator::IndexedMode)
clobberWorld();
-
+ else {
+ switch (arrayMode.type()) {
+ case Array::Int32:
+ case Array::Double:
+ case Array::Contiguous:
+ case Array::ArrayStorage: {
+ if (arrayMode.isInBounds())
+ break;
+ FALLTHROUGH;
+ }
+ default: {
+ clobberWorld();
+ break;
+ }
+ }
+ }
setNonCellTypeForNode(node, SpecBytecodeNumber);
break;
}
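Review bot: The empty `// Do nothing.` branch at the top of the new if/else chain tells the reader that OwnStructureMode with a CellUse child skips clobberWorld(), but not why, and the reason is only visible in the sibling DFGClobberize.h change, where that combination reads only JSObject_butterfly, NamedProperties and JSCell_structureID. Replace the placeholder with the reason, e.g. `// OwnStructureMode over a CellUse child only reads the butterfly, named properties and structure ID (see DFGClobberize.h), so nothing in the world is clobbered.`. It would also help to state next to the `switch (arrayMode.type())` that the in-bounds check is meant to mirror the HasIndexedProperty rule, which the ChangeLog gives as the intent; `// Mirrors HasIndexedProperty: only in-bounds accesses to these array types are side-effect free.` keeps the two cases from drifting apart again. The enclosing executeEffects() starts and ends outside this hunk.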
Modified: trunk/Source/_javascript_Core/dfg/DFGClobberize.h (282041 => 282042)
--- trunk/Source/_javascript_Core/dfg/DFGClobberize.h 2021-09-04 02:58:54 UTC (rev 282041)
+++ trunk/Source/_javascript_Core/dfg/DFGClobberize.h 2021-09-04 03:24:14 UTC (rev 282042)
@@ -351,73 +351,22 @@
return;
}
- case EnumeratorNextUpdateIndexAndMode: {
- read(JSObject_butterfly);
- if (node->enumeratorMetadata() == JSPropertyNameEnumerator::OwnStructureMode && graph.varArgChild(node, 0).useKind() == CellUse) {
- read(NamedProperties);
- read(JSCell_structureID);
- return;
- }
-
- if (node->enumeratorMetadata() != JSPropertyNameEnumerator::IndexedMode) {
- clobberTop();
- return;
- }
-
- ArrayMode mode = node->arrayMode();
- switch (mode.type()) {
- case Array::ForceExit: {
- write(SideState);
- return;
- }
- case Array::Int32: {
- if (mode.isSaneChain()) {
- read(Butterfly_publicLength);
- read(IndexedInt32Properties);
- def(HeapLocation(HasIndexedPropertyLoc, IndexedInt32Properties, graph.varArgChild(node, 0), graph.varArgChild(node, 1)), LazyNode(node));
+ case EnumeratorNextUpdateIndexAndMode:
+ case HasIndexedProperty: {
+ if (node->op() == EnumeratorNextUpdateIndexAndMode) {
+ if (node->enumeratorMetadata() == JSPropertyNameEnumerator::OwnStructureMode && graph.varArgChild(node, 0).useKind() == CellUse) {
+ read(JSObject_butterfly);
+ read(NamedProperties);
+ read(JSCell_structureID);
return;
}
- break;
- }
- case Array::Double: {
- if (mode.isSaneChain()) {
- read(Butterfly_publicLength);
- read(IndexedDoubleProperties);
- def(HeapLocation(HasIndexedPropertyLoc, IndexedDoubleProperties, graph.varArgChild(node, 0), graph.varArgChild(node, 1)), LazyNode(node));
+ if (node->enumeratorMetadata() != JSPropertyNameEnumerator::IndexedMode) {
+ clobberTop();
return;
}
- break;
}
- case Array::Contiguous: {
- if (mode.isSaneChain()) {
- read(Butterfly_publicLength);
- read(IndexedContiguousProperties);
- def(HeapLocation(HasIndexedPropertyLoc, IndexedContiguousProperties, graph.varArgChild(node, 0), graph.varArgChild(node, 1)), LazyNode(node));
- return;
- }
- break;
- }
-
- case Array::ArrayStorage: {
- if (mode.isInBounds()) {
- read(Butterfly_vectorLength);
- read(IndexedArrayStorageProperties);
- return;
- }
- break;
- }
-
- default:
- break;
- }
-
- clobberTop();
- return;
- }
-
- case HasIndexedProperty: {
read(JSObject_butterfly);
ArrayMode mode = node->arrayMode();
switch (mode.type()) {