Title: [282821] trunk
- Revision
- 282821
- Author
- justin_mich...@apple.com
- Date
- 2021-09-21 09:06:01 -0700 (Tue, 21 Sep 2021)
Log Message
Differential testing: live statement don't execute
https://bugs.webkit.org/show_bug.cgi?id=229939
Reviewed by Saam Barati.
JSTests:
* stress/in-by-val-should-throw.js: Added.
(doesThrow):
(noInline.doesThrow.noFTL.doesThrow.blackbox):
(noInline.blackbox.doesNotThrow):
(noInline.doesNotThrow.noFTL.doesNotThrow.main):
Source/_javascript_Core:
In statements are supposed to throw if they are applied to a non-object. We incorrectly converted
InByVals into HasIndexedProperty any time they were a cell, so we silently converted non-objects. Before converting
an InByVal, we first speculate that the base is an object now.
We do not always require an object edge for HasIndexedProperty because enumerator next() does not
throw if it encounters a cell that requires conversion during the call to toObject (for example, a
string literal). That is, we should silently convert the string during enumeration, but not for an
In statement, and so HasIndexedProperty is prepared to handle both cases.
* dfg/DFGFixupPhase.cpp:
(JSC::DFG::FixupPhase::fixupNode):
(JSC::DFG::FixupPhase::convertToHasIndexedProperty):
Modified Paths
Added Paths
Diff
Modified: trunk/JSTests/ChangeLog (282820 => 282821)
--- trunk/JSTests/ChangeLog 2021-09-21 15:55:59 UTC (rev 282820)
+++ trunk/JSTests/ChangeLog 2021-09-21 16:06:01 UTC (rev 282821)
@@ -1,3 +1,16 @@
+2021-09-21 Justin Michaud <justin_mich...@apple.com>
+
+ Differential testing: live statement don't execute
+ https://bugs.webkit.org/show_bug.cgi?id=229939
+
+ Reviewed by Saam Barati.
+
+ * stress/in-by-val-should-throw.js: Added.
+ (doesThrow):
+ (noInline.doesThrow.noFTL.doesThrow.blackbox):
+ (noInline.blackbox.doesNotThrow):
+ (noInline.doesNotThrow.noFTL.doesNotThrow.main):
+
2021-09-20 Mikhail R. Gadelha <mikh...@igalia.com>
Skip stress/json-stringify-stack-overflow.js only on memory limited systems
Added: trunk/JSTests/stress/in-by-val-should-throw.js (0 => 282821)
--- trunk/JSTests/stress/in-by-val-should-throw.js (rev 0)
+++ trunk/JSTests/stress/in-by-val-should-throw.js 2021-09-21 16:06:01 UTC (rev 282821)
@@ -0,0 +1,85 @@
+function doesThrow() {
+ try {
+ 1 in ""
+ return false
+ } catch(v45) {
+ return true
+ }
+}
+noInline(doesThrow)
+noFTL(doesThrow)
+
+function doesThrowFTL() {
+ try {
+ 1 in ""
+ return false
+ } catch(v45) {
+ return true
+ }
+}
+noInline(doesThrowFTL)
+
+function blackbox() {
+ return { }
+}
+noInline(blackbox)
+
+function doesNotThrow() {
+ try {
+ 1 in blackbox()
+ return false
+ } catch(v45) {
+ return true
+ }
+}
+noInline(doesNotThrow)
+noFTL(doesNotThrow)
+
+function trickster(o) {
+ try {
+ 1 in o
+ return false
+ } catch(v45) {
+ return true
+ }
+}
+noInline(trickster)
+
+// Does not throw
+function enumeratorTest(o) {
+ let sum = 0
+ for (let i in o)
+ sum += o[i]
+ return sum
+}
+noInline(enumeratorTest)
+noInline(enumeratorTest)
+
+let indexedObject = []
+indexedObject.length = 10
+indexedObject.fill(1)
+
+function main() {
+ for (let j = 0; j < 50000; j++) {
+ if (!doesThrow())
+ throw new Error("Should throw!")
+ if (!doesThrowFTL())
+ throw new Error("Should throw!")
+ if (doesNotThrow())
+ throw new Error("Should not throw!")
+
+ let o = {}
+ o["a" + j] = 0
+ if (trickster(o))
+ throw new Error("Should not throw!")
+
+ enumeratorTest(indexedObject)
+ }
+ if (!trickster(""))
+ throw new Error("Should throw!")
+ enumeratorTest("")
+}
+noDFG(main)
+noFTL(main)
+noInline(main)
+main()
\ No newline at end of file
Modified: trunk/Source/_javascript_Core/ChangeLog (282820 => 282821)
--- trunk/Source/_javascript_Core/ChangeLog 2021-09-21 15:55:59 UTC (rev 282820)
+++ trunk/Source/_javascript_Core/ChangeLog 2021-09-21 16:06:01 UTC (rev 282821)
@@ -1,3 +1,23 @@
+2021-09-21 Justin Michaud <justin_mich...@apple.com>
+
+ Differential testing: live statement don't execute
+ https://bugs.webkit.org/show_bug.cgi?id=229939
+
+ Reviewed by Saam Barati.
+
+ In statements are supposed to throw if they are applied to a non-object. We incorrectly converted
+ InByVals into HasIndexedProperty any time they were a cell, so we silently converted non-objects. Before converting
+ an InByVal, we first speculate that the base is an object now.
+
+ We do not always require an object edge for HasIndexedProperty because enumerator next() does not
+ throw if it encounters a cell that requires conversion during the call to toObject (for example, a
+ string literal). That is, we should silently convert the string during enumeration, but not for an
+ In statement, and so HasIndexedProperty is prepared to handle both cases.
+
+ * dfg/DFGFixupPhase.cpp:
+ (JSC::DFG::FixupPhase::fixupNode):
+ (JSC::DFG::FixupPhase::convertToHasIndexedProperty):
+
2021-09-21 Mikhail R. Gadelha <mikh...@igalia.com>
Prevent test from accessing FP registers if they are not available (e.g., arm softFP)
Modified: trunk/Source/_javascript_Core/dfg/DFGFixupPhase.cpp (282820 => 282821)
--- trunk/Source/_javascript_Core/dfg/DFGFixupPhase.cpp 2021-09-21 15:55:59 UTC (rev 282820)
+++ trunk/Source/_javascript_Core/dfg/DFGFixupPhase.cpp 2021-09-21 16:06:01 UTC (rev 282821)
@@ -2077,7 +2077,8 @@
}
case InByVal: {
- if (node->child2()->shouldSpeculateInt32()) {
+ if (node->child1()->shouldSpeculateObject()
+ && node->child2()->shouldSpeculateInt32()) {
convertToHasIndexedProperty(node);
break;
}
@@ -4132,7 +4133,7 @@
if (arrayMode.isJSArrayWithOriginalStructure() && arrayMode.speculation() == Array::InBounds)
setSaneChainIfPossible(node, Array::InBoundsSaneChain);
- fixEdge<CellUse>(m_graph.varArgChild(node, 0));
+ fixEdge<ObjectUse>(m_graph.varArgChild(node, 0));
fixEdge<Int32Use>(m_graph.varArgChild(node, 1));
}
Modified: trunk/Source/_javascript_Core/dfg/DFGSpeculativeJIT.cpp (282820 => 282821)
--- trunk/Source/_javascript_Core/dfg/DFGSpeculativeJIT.cpp 2021-09-21 15:55:59 UTC (rev 282820)
+++ trunk/Source/_javascript_Core/dfg/DFGSpeculativeJIT.cpp 2021-09-21 16:06:01 UTC (rev 282821)
@@ -15183,12 +15183,16 @@
void SpeculativeJIT::compileHasIndexedProperty(Node* node, S_JITOperation_GCZ slowPathOperation, const ScopedLambda<std::tuple<GPRReg, GPRReg>()>& prefix)
{
- SpeculateCellOperand base(this, m_graph.varArgChild(node, 0));
+ auto baseEdge = m_graph.varArgChild(node, 0);
+ SpeculateCellOperand base(this, baseEdge);
GPRReg baseGPR = base.gpr();
GPRReg indexGPR = InvalidGPRReg;
GPRReg resultGPR = InvalidGPRReg;
+ if (baseEdge.useKind() == ObjectUse)
+ speculateObject(baseEdge, baseGPR);
+
MacroAssembler::JumpList slowCases;
ArrayMode mode = node->arrayMode();
switch (mode.type()) {
Modified: trunk/Source/_javascript_Core/ftl/FTLLowerDFGToB3.cpp (282820 => 282821)
--- trunk/Source/_javascript_Core/ftl/FTLLowerDFGToB3.cpp 2021-09-21 15:55:59 UTC (rev 282820)
+++ trunk/Source/_javascript_Core/ftl/FTLLowerDFGToB3.cpp 2021-09-21 16:06:01 UTC (rev 282821)
@@ -13182,9 +13182,13 @@
LValue compileHasIndexedPropertyImpl(LValue index, S_JITOperation_GCZ slowPathOperation)
{
JSGlobalObject* globalObject = m_graph.globalObjectFor(m_origin.semantic);
- LValue base = lowCell(m_graph.varArgChild(m_node, 0));
ArrayMode mode = m_node->arrayMode();
+ auto baseEdge = m_graph.varArgChild(m_node, 0);
+ LValue base = lowCell(baseEdge);
+ if (baseEdge.useKind() == ObjectUse)
+ speculateObject(baseEdge, base);
+
switch (m_node->arrayMode().type()) {
case Array::Int32:
case Array::Contiguous: {
_______________________________________________
webkit-changes mailing list
webkit-changes@lists.webkit.org
https://lists.webkit.org/mailman/listinfo/webkit-changes
