Title: [98299] trunk
Revision
98299
Author
fpi...@apple.com
Date
2011-10-24 17:00:14 -0700 (Mon, 24 Oct 2011)

Log Message

Object-or-other branch speculation may corrupt the state for OSR if the child of the
branch is an integer
https://bugs.webkit.org/show_bug.cgi?id=70777

Reviewed by Oliver Hunt.

Source/_javascript_Core: 

* dfg/DFGSpeculativeJIT64.cpp:
(JSC::DFG::SpeculativeJIT::emitObjectOrOtherBranch):

LayoutTests: 

* fast/js/dfg-other-branch-expected.txt: Added.
* fast/js/dfg-other-branch.html: Added.
* fast/js/script-tests/dfg-other-branch.js: Added.
(foo):
(bar):

Diff

Modified: trunk/LayoutTests/ChangeLog (98298 => 98299)


--- trunk/LayoutTests/ChangeLog	2011-10-24 23:45:13 UTC (rev 98298)
+++ trunk/LayoutTests/ChangeLog	2011-10-25 00:00:14 UTC (rev 98299)
@@ -1,3 +1,17 @@
+2011-10-24  Filip Pizlo  <fpi...@apple.com>
+
+        Object-or-other branch speculation may corrupt the state for OSR if the child of the
+        branch is an integer
+        https://bugs.webkit.org/show_bug.cgi?id=70777
+
+        Reviewed by Oliver Hunt.
+
+        * fast/js/dfg-other-branch-expected.txt: Added.
+        * fast/js/dfg-other-branch.html: Added.
+        * fast/js/script-tests/dfg-other-branch.js: Added.
+        (foo):
+        (bar):
+
 2011-10-24  Julien Chaffraix  <jchaffr...@webkit.org>
 
         Unreviewed gardening.

Added: trunk/LayoutTests/fast/js/dfg-other-branch-expected.txt (0 => 98299)


--- trunk/LayoutTests/fast/js/dfg-other-branch-expected.txt	                        (rev 0)
+++ trunk/LayoutTests/fast/js/dfg-other-branch-expected.txt	2011-10-25 00:00:14 UTC (rev 98299)
@@ -0,0 +1,29 @@
+This tests that speculating other on a branch does not corrupt state.
+
+On success, you will see a series of "PASS" messages, followed by "TEST COMPLETE".
+
+
+PASS foo({f:i}) is "no"
+PASS foo({f:i}) is "yes"
+PASS foo({f:i}) is "yes"
+PASS foo({f:i}) is "yes"
+PASS foo({f:i}) is "yes"
+PASS foo({f:i}) is "yes"
+PASS foo({f:i}) is "yes"
+PASS foo({f:i}) is "yes"
+PASS foo({f:i}) is "yes"
+PASS foo({f:i}) is "yes"
+PASS bar({f:i}) is true
+PASS bar({f:i}) is false
+PASS bar({f:i}) is false
+PASS bar({f:i}) is false
+PASS bar({f:i}) is false
+PASS bar({f:i}) is false
+PASS bar({f:i}) is false
+PASS bar({f:i}) is false
+PASS bar({f:i}) is false
+PASS bar({f:i}) is false
+PASS successfullyParsed is true
+
+TEST COMPLETE
+

Added: trunk/LayoutTests/fast/js/dfg-other-branch.html (0 => 98299)


--- trunk/LayoutTests/fast/js/dfg-other-branch.html	                        (rev 0)
+++ trunk/LayoutTests/fast/js/dfg-other-branch.html	2011-10-25 00:00:14 UTC (rev 98299)
@@ -0,0 +1,10 @@
+<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML//EN">
+<html>
+<head>
+<script src=""
+</head>
+<body>
+<script src=""
+<script src=""
+</body>
+</html>
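Review bot: the three `<script src=""` lines in this hunk carry an empty src attribute and are never closed (no `>` and no matching `</script>`), so as shown the page would load neither the test harness nor script-tests/dfg-other-branch.js and could not produce the expected output. If this is how the file was committed it needs fixing; if it is an artifact of how the change listing was rendered, the committed file is worth checking against the other fast/js test pages.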

Added: trunk/LayoutTests/fast/js/script-tests/dfg-other-branch.js (0 => 98299)


--- trunk/LayoutTests/fast/js/script-tests/dfg-other-branch.js	                        (rev 0)
+++ trunk/LayoutTests/fast/js/script-tests/dfg-other-branch.js	2011-10-25 00:00:14 UTC (rev 98299)
@@ -0,0 +1,28 @@
+description(
+"This tests that speculating other on a branch does not corrupt state."
+);
+
+function foo(a) {
+    if (a.f)
+        return "yes";
+    else
+        return "no";
+}
+
+function bar(a) {
+    return !a.f;
+}
+
+for (var i = 0; i < 100; ++i)
+    foo({f:void(0)});
+
+for (var i = 0; i < 10; ++i)
+    shouldBe("foo({f:i})", i ? "\"yes\"" : "\"no\"");
+
+for (var i = 0; i < 100; ++i)
+    bar({f:void(0)});
+
+for (var i = 0; i < 10; ++i)
+    shouldBe("bar({f:i})", i ? "false" : "true");
+
+var successfullyParsed = true;
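Review bot: the two 100-iteration warm-up loops have no comment explaining the magic number; a one-liner saying that the calls with `{f:void(0)}` exist to get foo and bar compiled by the DFG with the branch speculating "other" (undefined/null) before integer values are fed in would make the intent of the test clear, since nothing else in the file does. The checks `i ? "\"yes\"" : "\"no\""` and `i ? "false" : "true"` rely on the integer 0 being falsy, which is exactly the integer case from the bug title; consider also feeding a double (e.g. `{f:0.5}`) or a boolean through the same shouldBe loops so the non-cell, non-"other" path is exercised with more than one value encoding.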

Modified: trunk/Source/_javascript_Core/ChangeLog (98298 => 98299)


--- trunk/Source/_javascript_Core/ChangeLog	2011-10-24 23:45:13 UTC (rev 98298)
+++ trunk/Source/_javascript_Core/ChangeLog	2011-10-25 00:00:14 UTC (rev 98299)
@@ -1,5 +1,16 @@
 2011-10-24  Filip Pizlo  <fpi...@apple.com>
 
+        Object-or-other branch speculation may corrupt the state for OSR if the child of the
+        branch is an integer
+        https://bugs.webkit.org/show_bug.cgi?id=70777
+
+        Reviewed by Oliver Hunt.
+
+        * dfg/DFGSpeculativeJIT64.cpp:
+        (JSC::DFG::SpeculativeJIT::emitObjectOrOtherBranch):
+
+2011-10-24  Filip Pizlo  <fpi...@apple.com>
+
         op_new_array_buffer is not inlined correctly
         https://bugs.webkit.org/show_bug.cgi?id=70770
 

Modified: trunk/Source/_javascript_Core/dfg/DFGSpeculativeJIT64.cpp (98298 => 98299)


--- trunk/Source/_javascript_Core/dfg/DFGSpeculativeJIT64.cpp	2011-10-24 23:45:13 UTC (rev 98298)
+++ trunk/Source/_javascript_Core/dfg/DFGSpeculativeJIT64.cpp	2011-10-25 00:00:14 UTC (rev 98299)
@@ -682,7 +682,9 @@
 void SpeculativeJIT::emitObjectOrOtherBranch(NodeIndex nodeIndex, BlockIndex taken, BlockIndex notTaken, void *vptr, bool needSpeculationCheck)
 {
     JSValueOperand value(this, nodeIndex);
+    GPRTemporary scratch(this);
     GPRReg valueGPR = value.gpr();
+    GPRReg scratchGPR = scratch.gpr();
     
     MacroAssembler::Jump notCell = m_jit.branchTestPtr(MacroAssembler::NonZero, valueGPR, GPRInfo::tagMaskRegister);
     if (needSpeculationCheck)
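Review bot: `GPRTemporary scratch(this)` is allocated at function scope, so a scratch register is taken even when `needSpeculationCheck` is false, and in the visible hunks `scratchGPR` is only used inside the `if (needSpeculationCheck)` block. Declaring the temporary inside that block (or otherwise allocating it conditionally) would avoid holding an extra GPR on the non-speculating path.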
@@ -692,8 +694,9 @@
     notCell.link(&m_jit);
     
     if (needSpeculationCheck) {
-        m_jit.andPtr(MacroAssembler::TrustedImm32(~TagBitUndefined), valueGPR);
-        speculationCheck(m_jit.branchPtr(MacroAssembler::NotEqual, valueGPR, MacroAssembler::TrustedImmPtr(reinterpret_cast<void*>(ValueNull))));
+        m_jit.move(valueGPR, scratchGPR);
+        m_jit.andPtr(MacroAssembler::TrustedImm32(~TagBitUndefined), scratchGPR);
+        speculationCheck(m_jit.branchPtr(MacroAssembler::NotEqual, scratchGPR, MacroAssembler::TrustedImmPtr(reinterpret_cast<void*>(ValueNull))));
     }
     if (notTaken != (m_block + 1))
         addBranch(m_jit.jump(), notTaken);
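Review bot: the fix is right but undocumented. The old code masked `valueGPR` in place with `andPtr(~TagBitUndefined)`, so if the following `speculationCheck` failed, the OSR exit captured an operand register that had already been modified rather than the original value (the corruption named in the bug title when the child is an integer); copying to `scratchGPR` before masking leaves `valueGPR` intact for the exit. A one-line comment above the `move` stating that the operand register must not be modified ahead of the speculation check would keep a later reader from "optimising" the copy away. It is also worth checking whether other branch emitters in the speculative JIT mask an operand register in place before a speculation check in the same way.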
_______________________________________________
webkit-changes mailing list
webkit-changes@lists.webkit.org
http://lists.webkit.org/mailman/listinfo.cgi/webkit-changes
