Title: [248612] branches/safari-608-branch
- Revision: 248612
- Author: alanc...@apple.com
- Date: 2019-08-13 13:00:47 -0700 (Tue, 13 Aug 2019)
Log Message
Cherry-pick r248271. rdar://problem/54237771
JSC: assertion failure in SpeculativeJIT::compileGetByValOnIntTypedArray
https://bugs.webkit.org/show_bug.cgi?id=199997
Reviewed by Saam Barati.
JSTests:
New test.
* stress/typedarray-no-alreadyChecked-assert.js: Added.
(checkIntArray):
(checkFloatArray):
Source/_javascript_Core:
No need to ASSERT(node->arrayMode().alreadyChecked(...)) in SpeculativeJIT::compileGetByValOnIntTypedArray()
and compileGetByValOnFloatTypedArray() as the abstract interpreter is conservative and can insert a
CheckStructureOrEmpty which will fail the ASSERT as it checks for the SpecType of the array
and not for SpecEmpty. If we added a check for the SpecEmpty in the ASSERT, there are cases where
it won't be set.
* dfg/DFGSpeculativeJIT.cpp:
(JSC::DFG::SpeculativeJIT::compileGetByValOnIntTypedArray):
(JSC::DFG::SpeculativeJIT::compileGetByValOnFloatTypedArray):
git-svn-id: https://svn.webkit.org/repository/webkit/trunk@248271 268f45cc-cd09-0410-ab3c-d52691b4dbfc
Modified Paths
Added Paths
Diff
Modified: branches/safari-608-branch/JSTests/ChangeLog (248611 => 248612)
--- branches/safari-608-branch/JSTests/ChangeLog 2019-08-13 20:00:44 UTC (rev 248611)
+++ branches/safari-608-branch/JSTests/ChangeLog 2019-08-13 20:00:47 UTC (rev 248612)
@@ -1,5 +1,50 @@
2019-08-13 Alan Coon <alanc...@apple.com>
+ Cherry-pick r248271. rdar://problem/54237771
+
+ JSC: assertion failure in SpeculativeJIT::compileGetByValOnIntTypedArray
+ https://bugs.webkit.org/show_bug.cgi?id=199997
+
+ Reviewed by Saam Barati.
+
+ JSTests:
+
+ New test.
+
+ * stress/typedarray-no-alreadyChecked-assert.js: Added.
+ (checkIntArray):
+ (checkFloatArray):
+
+ Source/_javascript_Core:
+
+ No need to ASSERT(node->arrayMode().alreadyChecked(...)) in SpeculativeJIT::compileGetByValOnIntTypedArray()
+ and compileGetByValOnFloatTypedArray() as the abstract interpreter is conservative and can insert a
+ CheckStructureOrEmpty which will fail the ASSERT as it checks for the SpecType of the array
+ and not for SpecEmpty. If we added a check for the SpecEmpty in the ASSERT, there are cases where
+ it won't be set.
+
+ * dfg/DFGSpeculativeJIT.cpp:
+ (JSC::DFG::SpeculativeJIT::compileGetByValOnIntTypedArray):
+ (JSC::DFG::SpeculativeJIT::compileGetByValOnFloatTypedArray):
+
+
+ git-svn-id: https://svn.webkit.org/repository/webkit/trunk@248271 268f45cc-cd09-0410-ab3c-d52691b4dbfc
+
+ 2019-08-05 Michael Saboff <msab...@apple.com>
+
+ JSC: assertion failure in SpeculativeJIT::compileGetByValOnIntTypedArray
+ https://bugs.webkit.org/show_bug.cgi?id=199997
+
+ Reviewed by Saam Barati.
+
+ New test.
+
+ * stress/typedarray-no-alreadyChecked-assert.js: Added.
+ (checkIntArray):
+ (checkFloatArray):
+
+2019-08-13 Alan Coon <alanc...@apple.com>
+
Cherry-pick r248149. rdar://problem/54237692
GetterSetter type confusion during DFG compilation
Added: branches/safari-608-branch/JSTests/stress/typedarray-no-alreadyChecked-assert.js (0 => 248612)
--- branches/safari-608-branch/JSTests/stress/typedarray-no-alreadyChecked-assert.js (rev 0)
+++ branches/safari-608-branch/JSTests/stress/typedarray-no-alreadyChecked-assert.js 2019-08-13 20:00:47 UTC (rev 248612)
@@ -0,0 +1,26 @@
+// This test should not cause an ASSERT in Debug builds.
+
+function checkIntArray(arr) {
+ let x = arr;
+ arr instanceof Uint32Array;
+ arr[65537];
+ x[0];
+}
+
+function checkFloatArray(arr) {
+ let x = arr;
+ arr instanceof Float64Array;
+ arr[65537];
+ x[0];
+}
+
+
+var intArray = new Uint32Array(1024);
+for (let i = 0; i < 10000; i++)
+ checkIntArray(intArray);
+
+var floatArray = new Float64Array(1024);
+for (let i = 0; i < 10000; i++)
+ checkFloatArray(floatArray);
+
+
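Review bot: the test's intent is documented only as "should not cause an ASSERT in Debug builds"; the bare expression statements `arr instanceof Uint32Array;` and `arr[65537];` in each function look like dead code to a later maintainer, yet they are what shapes the DFG graph the ChangeLog describes (the ChangeLog says the abstract interpreter may insert a CheckStructureOrEmpty, and 65537 is past the end of the 1024-element arrays allocated below, so the access is out of bounds). Suggest a short comment above each function stating which node pattern it is meant to produce, and one on the loops noting that the 10000 iterations exist to get the functions compiled by the DFG so that compileGetByValOnIntTypedArray and compileGetByValOnFloatTypedArray actually run. Minor style point: the file ends with two trailing blank lines and has a double blank line between `checkFloatArray` and the `intArray` declaration; one blank line is the usual spacing in JSTests/stress.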
Modified: branches/safari-608-branch/Source/_javascript_Core/ChangeLog (248611 => 248612)
--- branches/safari-608-branch/Source/_javascript_Core/ChangeLog 2019-08-13 20:00:44 UTC (rev 248611)
+++ branches/safari-608-branch/Source/_javascript_Core/ChangeLog 2019-08-13 20:00:47 UTC (rev 248612)
@@ -1,5 +1,54 @@
2019-08-13 Alan Coon <alanc...@apple.com>
+ Cherry-pick r248271. rdar://problem/54237771
+
+ JSC: assertion failure in SpeculativeJIT::compileGetByValOnIntTypedArray
+ https://bugs.webkit.org/show_bug.cgi?id=199997
+
+ Reviewed by Saam Barati.
+
+ JSTests:
+
+ New test.
+
+ * stress/typedarray-no-alreadyChecked-assert.js: Added.
+ (checkIntArray):
+ (checkFloatArray):
+
+ Source/_javascript_Core:
+
+ No need to ASSERT(node->arrayMode().alreadyChecked(...)) in SpeculativeJIT::compileGetByValOnIntTypedArray()
+ and compileGetByValOnFloatTypedArray() as the abstract interpreter is conservative and can insert a
+ CheckStructureOrEmpty which will fail the ASSERT as it checks for the SpecType of the array
+ and not for SpecEmpty. If we added a check for the SpecEmpty in the ASSERT, there are cases where
+ it won't be set.
+
+ * dfg/DFGSpeculativeJIT.cpp:
+ (JSC::DFG::SpeculativeJIT::compileGetByValOnIntTypedArray):
+ (JSC::DFG::SpeculativeJIT::compileGetByValOnFloatTypedArray):
+
+
+ git-svn-id: https://svn.webkit.org/repository/webkit/trunk@248271 268f45cc-cd09-0410-ab3c-d52691b4dbfc
+
+ 2019-08-05 Michael Saboff <msab...@apple.com>
+
+ JSC: assertion failure in SpeculativeJIT::compileGetByValOnIntTypedArray
+ https://bugs.webkit.org/show_bug.cgi?id=199997
+
+ Reviewed by Saam Barati.
+
+ No need to ASSERT(node->arrayMode().alreadyChecked(...)) in SpeculativeJIT::compileGetByValOnIntTypedArray()
+ and compileGetByValOnFloatTypedArray() as the abstract interpreter is conservative and can insert a
+ CheckStructureOrEmpty which will fail the ASSERT as it checks for the SpecType of the array
+ and not for SpecEmpty. If we added a check for the SpecEmpty in the ASSERT, there are cases where
+ it won't be set.
+
+ * dfg/DFGSpeculativeJIT.cpp:
+ (JSC::DFG::SpeculativeJIT::compileGetByValOnIntTypedArray):
+ (JSC::DFG::SpeculativeJIT::compileGetByValOnFloatTypedArray):
+
+2019-08-13 Alan Coon <alanc...@apple.com>
+
Cherry-pick r248149. rdar://problem/54237692
GetterSetter type confusion during DFG compilation
Modified: branches/safari-608-branch/Source/_javascript_Core/dfg/DFGSpeculativeJIT.cpp (248611 => 248612)
--- branches/safari-608-branch/Source/_javascript_Core/dfg/DFGSpeculativeJIT.cpp 2019-08-13 20:00:44 UTC (rev 248611)
+++ branches/safari-608-branch/Source/_javascript_Core/dfg/DFGSpeculativeJIT.cpp 2019-08-13 20:00:47 UTC (rev 248612)
@@ -2963,8 +2963,6 @@
GPRTemporary result(this);
GPRReg resultReg = result.gpr();
- ASSERT(node->arrayMode().alreadyChecked(m_jit.graph(), node, m_state.forNode(m_graph.varArgChild(node, 0))));
-
emitTypedArrayBoundsCheck(node, baseReg, propertyReg);
loadFromIntTypedArray(storageReg, propertyReg, resultReg, type);
bool canSpeculate = true;
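Review bot: deleting the ASSERT removes the only debug-time check that the base's type was proven before the typed-array load, and nothing at the site records why, so a future reader will see an unguarded `loadFromIntTypedArray(storageReg, propertyReg, resultReg, type);` and be tempted to reinstate the assertion. Suggest replacing the removed line with a one-line comment carrying the ChangeLog reasoning: the abstract interpreter is conservative and may have inserted a CheckStructureOrEmpty, so the proven type can still include SpecEmpty and `alreadyChecked()` is not guaranteed to hold here. Worth stating explicitly for review that this is a debug-only change: the release code path is untouched, and the `emitTypedArrayBoundsCheck(node, baseReg, propertyReg);` that follows still guards the access, so the removal does not weaken the emitted code.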
@@ -3193,8 +3191,6 @@
GPRReg propertyReg = property.gpr();
GPRReg storageReg = storage.gpr();
- ASSERT(node->arrayMode().alreadyChecked(m_jit.graph(), node, m_state.forNode(m_graph.varArgChild(node, 0))));
-
FPRTemporary result(this);
FPRReg resultReg = result.fpr();
emitTypedArrayBoundsCheck(node, baseReg, propertyReg);
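Review bot: same point as the integer path: the removed assertion in the float path leaves no explanation at the site. Since both functions now rely on identical reasoning, suggest the same explanatory comment in both so the two sites do not drift apart if one is later revisited. The trailing context shows `emitTypedArrayBoundsCheck(node, baseReg, propertyReg);` still precedes the load, so the generated code is unchanged by this hunk.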
_______________________________________________
webkit-changes mailing list
webkit-changes@lists.webkit.org
https://lists.webkit.org/mailman/listinfo/webkit-changes