Title: [204570] trunk
Revision: 204570
Author: [email protected]
Date: 2016-08-17 14:00:45 -0700 (Wed, 17 Aug 2016)
Log Message
Remove an invalid assertion in the DFG backend's GetById emitter.
https://bugs.webkit.org/show_bug.cgi?id=160925
<rdar://problem/27248961>
Reviewed by Filip Pizlo.
JSTests:
* stress/dfg-get-by-id-should-not-assert-non-null-prediction.js: Added.
Source/JavaScriptCore:
The DFG backend's GetById assertion that the node's prediction not be SpecNone
is just plain wrong. It assumes that we can never have a GetById node without a
type prediction, but this is not true. The following test case proves otherwise:
    function foo() {
        "use strict";
        return --arguments["callee"];
    }
Will remove the assertion. Nothing else needs to change as the DFG is working
correctly without the assertion.
* dfg/DFGSpeculativeJIT32_64.cpp:
(JSC::DFG::SpeculativeJIT::compile):
* dfg/DFGSpeculativeJIT64.cpp:
(JSC::DFG::SpeculativeJIT::compile):
Diff
Modified: trunk/JSTests/ChangeLog (204569 => 204570)
--- trunk/JSTests/ChangeLog 2016-08-17 20:41:18 UTC (rev 204569)
+++ trunk/JSTests/ChangeLog 2016-08-17 21:00:45 UTC (rev 204570)
@@ -1,3 +1,13 @@
+2016-08-17 Mark Lam <[email protected]>
+
+ Remove an invalid assertion in the DFG backend's GetById emitter.
+ https://bugs.webkit.org/show_bug.cgi?id=160925
+ <rdar://problem/27248961>
+
+ Reviewed by Filip Pizlo.
+
+ * stress/dfg-get-by-id-should-not-assert-non-null-prediction.js: Added.
+
2016-08-16 Ryan Haddad <[email protected]>
Unreviewed, rolling out r204464.
Added: trunk/JSTests/stress/dfg-get-by-id-should-not-assert-non-null-prediction.js (0 => 204570)
--- trunk/JSTests/stress/dfg-get-by-id-should-not-assert-non-null-prediction.js (rev 0)
+++ trunk/JSTests/stress/dfg-get-by-id-should-not-assert-non-null-prediction.js 2016-08-17 21:00:45 UTC (rev 204570)
@@ -0,0 +1,18 @@
+//@ runDefault
+// This test should not crash.
+
+function foo() {
+ "use strict";
+ return --arguments["callee"];
+};
+
+function test() {
+ for (var i = 0; i < 10000; i++) {
+ try {
+ foo();
+ } catch(e) {
+ }
+ }
+}
+
+test();
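Review bot: the empty `catch(e) { }` in test() swallows every exception, so the test still passes if foo() starts throwing something other than the TypeError that strict-mode access to `arguments["callee"]` raises. Suggest checking `e instanceof TypeError` in the catch and rethrowing anything else. The header comment "This test should not crash" could also state that the crash in question is the debug-build assertion and that the 10000 iterations are presumably there to get foo() compiled by the DFG. Minor style point: the `};` closing foo's declaration has a stray semicolon.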
Modified: trunk/Source/_javascript_Core/ChangeLog (204569 => 204570)
--- trunk/Source/_javascript_Core/ChangeLog 2016-08-17 20:41:18 UTC (rev 204569)
+++ trunk/Source/_javascript_Core/ChangeLog 2016-08-17 21:00:45 UTC (rev 204570)
@@ -1,3 +1,28 @@
+2016-08-17 Mark Lam <[email protected]>
+
+ Remove an invalid assertion in the DFG backend's GetById emitter.
+ https://bugs.webkit.org/show_bug.cgi?id=160925
+ <rdar://problem/27248961>
+
+ Reviewed by Filip Pizlo.
+
+ The DFG backend's GetById assertion that the node's prediction not be SpecNone
+ is just plain wrong. It assumes that we can never have a GetById node without a
+ type prediction, but this is not true. The following test case proves otherwise:
+
+ function foo() {
+ "use strict";
+ return --arguments["callee"];
+ }
+
+ Will remove the assertion. Nothing else needs to change as the DFG is working
+ correctly without the assertion.
+
+ * dfg/DFGSpeculativeJIT32_64.cpp:
+ (JSC::DFG::SpeculativeJIT::compile):
+ * dfg/DFGSpeculativeJIT64.cpp:
+ (JSC::DFG::SpeculativeJIT::compile):
+
2016-08-16 Mark Lam <[email protected]>
Heap::collectAllGarbage() should work with JSC_useImmortalObjects=true.
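Review bot: the entry's closing sentence, "Nothing else needs to change as the DFG is working correctly without the assertion", states the conclusion without the reason. The entry shows a test case that produces a GetById with a SpecNone prediction but does not say why that node has no prediction or why the emitted code is still correct in that case. Suggest adding one sentence on each, so a later reader can judge whether the assertion was wrong in general or only for this pattern.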
Modified: trunk/Source/_javascript_Core/dfg/DFGSpeculativeJIT32_64.cpp (204569 => 204570)
--- trunk/Source/_javascript_Core/dfg/DFGSpeculativeJIT32_64.cpp 2016-08-17 20:41:18 UTC (rev 204569)
+++ trunk/Source/_javascript_Core/dfg/DFGSpeculativeJIT32_64.cpp 2016-08-17 21:00:45 UTC (rev 204570)
@@ -4175,8 +4175,6 @@
}
case GetById: {
- ASSERT(node->prediction());
-
switch (node->child1().useKind()) {
case CellUse: {
SpeculateCellOperand base(this, node->child1());
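Review bot: with `ASSERT(node->prediction());` removed from `case GetById:`, nothing at this site records that a SpecNone prediction is a legitimate input, which invites someone to add the assertion back later. Suggest a one-line comment above `switch (node->child1().useKind())` saying that the node's prediction may be SpecNone here and naming stress/dfg-get-by-id-should-not-assert-non-null-prediction.js as the covering test.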
Modified: trunk/Source/_javascript_Core/dfg/DFGSpeculativeJIT64.cpp (204569 => 204570)
--- trunk/Source/_javascript_Core/dfg/DFGSpeculativeJIT64.cpp 2016-08-17 20:41:18 UTC (rev 204569)
+++ trunk/Source/_javascript_Core/dfg/DFGSpeculativeJIT64.cpp 2016-08-17 21:00:45 UTC (rev 204570)
@@ -4120,8 +4120,6 @@
}
case GetById: {
- ASSERT(node->prediction());
-
switch (node->child1().useKind()) {
case CellUse: {
SpeculateCellOperand base(this, node->child1());
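Review bot: only `case GetById:` is visible in this hunk, and the removal mirrors the one in DFGSpeculativeJIT32_64.cpp line for line. Please confirm that no sibling case in SpeculativeJIT::compile() keeps the same `ASSERT(node->prediction());`, since a similar test shape might reach it. Also note that the added stress test is marked only `//@ runDefault`, so it exercises whichever of the two backends the build uses; the other file's change is covered only when the test runs on that architecture.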