Title: [274312] trunk
- Revision: 274312
- Author: tzaga...@apple.com
- Date: 2021-03-11 16:47:20 -0800 (Thu, 11 Mar 2021)
Log Message
AI validator patchpoint should read heap top
https://bugs.webkit.org/show_bug.cgi?id=223052
<rdar://75087095>
Reviewed by Yusuke Suzuki.
JSTests:
* stress/private-methods-inheritance.js: Added.
(A):
(A.prototype.x):
(B.prototype.y):
(B):
Source/JavaScriptCore:
Currently, the patchpoint doesn't specify any reads, which allows it to be moved around by B3
and can cause false positives since it at least reads the structure ID for comparing values.
* ftl/FTLLowerDFGToB3.cpp:
(JSC::FTL::DFG::LowerDFGToB3::validateAIState):
Diff
Modified: trunk/JSTests/ChangeLog (274311 => 274312)
--- trunk/JSTests/ChangeLog 2021-03-12 00:43:27 UTC (rev 274311)
+++ trunk/JSTests/ChangeLog 2021-03-12 00:47:20 UTC (rev 274312)
@@ -1,3 +1,17 @@
+2021-03-11 Tadeu Zagallo <tzaga...@apple.com>
+
+ AI validator patchpoint should read heap top
+ https://bugs.webkit.org/show_bug.cgi?id=223052
+ <rdar://75087095>
+
+ Reviewed by Yusuke Suzuki.
+
+ * stress/private-methods-inheritance.js: Added.
+ (A):
+ (A.prototype.x):
+ (B.prototype.y):
+ (B):
+
2021-03-11 Alexey Shvayka <shvaikal...@gmail.com>
Align JSGlobalObject::defineOwnProperty() with the spec and other runtimes
Added: trunk/JSTests/stress/private-methods-inheritance.js (0 => 274312)
--- trunk/JSTests/stress/private-methods-inheritance.js (rev 0)
+++ trunk/JSTests/stress/private-methods-inheritance.js 2021-03-12 00:47:20 UTC (rev 274312)
@@ -0,0 +1,13 @@
+//@ runDefault("--validateAbstractInterpreterState=1", "--validateAbstractInterpreterStateProbability=1", "--forceEagerCompilation=true")
+class A {
+ constructor(a) {}
+ #x() {}
+}
+class B extends A {
+ #y() {}
+}
+
+let arr = [];
+for (let i = 0; i < 1e5; ++i) {
+ arr.push(new B(undefined));
+}
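Review bot: The test body has no assertion and no comment, so its only check is the validator switched on by the `//@ runDefault(...)` options on the first line. If those options are ever renamed or dropped, the file still passes while testing nothing. A short comment after the options line saying that the test passes when the abstract interpreter validator does not fire while compiling the `B` constructor, with a pointer to bug 223052, would make that dependency visible. The file name also describes the shape of the input (private methods with inheritance) rather than what is being verified, which makes the test harder to find from the bug title.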
Modified: trunk/Source/_javascript_Core/ChangeLog (274311 => 274312)
--- trunk/Source/_javascript_Core/ChangeLog 2021-03-12 00:43:27 UTC (rev 274311)
+++ trunk/Source/_javascript_Core/ChangeLog 2021-03-12 00:47:20 UTC (rev 274312)
@@ -1,3 +1,17 @@
+2021-03-11 Tadeu Zagallo <tzaga...@apple.com>
+
+ AI validator patchpoint should read heap top
+ https://bugs.webkit.org/show_bug.cgi?id=223052
+ <rdar://75087095>
+
+ Reviewed by Yusuke Suzuki.
+
+ Currently, the patchpoint doesn't specify any reads, which allows it to be moved around by B3
+ and can cause false positives since it at least read the structure ID for comparing values.
+
+ * ftl/FTLLowerDFGToB3.cpp:
+ (JSC::FTL::DFG::LowerDFGToB3::validateAIState):
+
2021-03-11 Alexey Shvayka <shvaikal...@gmail.com>
Align JSGlobalObject::defineOwnProperty() with the spec and other runtimes
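Review bot: The two added description lines starting "Currently, the patchpoint doesn't specify any reads" state the problem but never say what the change does about it. Add a sentence saying that `validateAIState` now sets the patchpoint's reads to `HeapRange::top()`, so that B3 keeps it ordered with respect to heap writes. On the second of those lines, "it at least read the structure ID" should be "it at least reads the structure ID".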
Modified: trunk/Source/_javascript_Core/ftl/FTLLowerDFGToB3.cpp (274311 => 274312)
--- trunk/Source/_javascript_Core/ftl/FTLLowerDFGToB3.cpp 2021-03-12 00:43:27 UTC (rev 274311)
+++ trunk/Source/_javascript_Core/ftl/FTLLowerDFGToB3.cpp 2021-03-12 00:47:20 UTC (rev 274312)
@@ -637,6 +637,7 @@
PatchpointValue* patchpoint = m_out.patchpoint(Void);
patchpoint->effects = Effects::none();
+ patchpoint->effects.reads = HeapRange::top();
patchpoint->effects.writesLocalState = true;
patchpoint->appendSomeRegister(input);
patchpoint->setGenerator([=] (CCallHelpers& jit, const StackmapGenerationParams& params) {
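Review bot: The added line `patchpoint->effects.reads = HeapRange::top();` carries no comment, and because the effects start from `Effects::none()` on the line above, a later reader could take it for over-conservative and narrow or remove it. A one-line comment stating that the generator loads from the heap (the log message names the structure ID comparison), and that the read range is what stops B3 from moving the patchpoint across stores, would record the reason next to the code. Reading top is the broadest possible range; that seems acceptable for a path that only runs under `--validateAbstractInterpreterState`, but the comment should say that the breadth is deliberate.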