[webkit-changes] [217050] trunk

[fpizlo]

Title: [217050] trunk

Revision

217050

Author

fpi...@apple.com

Date

2017-05-18 10:46:38 -0700 (Thu, 18 May 2017)

Log Message

DFG inlining should be hardened for the no-result case
https://bugs.webkit.org/show_bug.cgi?id=172290

Reviewed by Saam Barati.
JSTests:


* stress/array-constructor-no-result.js: Added.
(foo):
* stress/pow-no-result.js: Added.
(foo):

Source/_javascript_Core:

        
Previously, if we were inlining a setter call, we might have a bad time because the setter's
result register is the invalid VirtualRegister(), and much of the intrinsic handling code
assumes that the result register is valid.
        
This doesn't usually cause problems because people don't usually point a setter at something
that we recognize as an intrinsic.
        
* CMakeLists.txt:
* _javascript_Core.xcodeproj/project.pbxproj:
* b3/air/AirAllocateRegistersAndStackByLinearScan.cpp: Fix a comment.
* dfg/DFGByteCodeParser.cpp: Make RELEASE_ASSERT give accurate stacks. I was getting an absurd stack from the assert I added in DelayedSetLocal.
(JSC::DFG::ByteCodeParser::DelayedSetLocal::DelayedSetLocal): Assert so we catch the problem sooner.
(JSC::DFG::ByteCodeParser::handleIntrinsicCall): Fix the bug.
(JSC::DFG::ByteCodeParser::handleConstantInternalFunction): Fix the bug if constant internal functions were setter-inlineable (they ain't, because the bytecode parser doesn't fold GetSetter).
* runtime/Intrinsic.cpp: Added. I needed this to debug.
(JSC::intrinsicName):
(WTF::printInternal):
* runtime/Intrinsic.h:

Modified Paths

• trunk/JSTests/ChangeLog
• trunk/Source/_javascript_Core/CMakeLists.txt
• trunk/Source/_javascript_Core/ChangeLog
• trunk/Source/_javascript_Core/_javascript_Core.xcodeproj/project.pbxproj
• trunk/Source/_javascript_Core/b3/air/AirAllocateRegistersAndStackByLinearScan.cpp
• trunk/Source/_javascript_Core/dfg/DFGByteCodeParser.cpp
• trunk/Source/_javascript_Core/runtime/Intrinsic.h

Added Paths

• trunk/JSTests/stress/array-constructor-no-result.js
• trunk/JSTests/stress/pow-no-result.js
• trunk/Source/_javascript_Core/runtime/Intrinsic.cpp

Diff

Modified: trunk/JSTests/ChangeLog (217049 => 217050)

--- trunk/JSTests/ChangeLog	2017-05-18 17:42:43 UTC (rev 217049)
+++ trunk/JSTests/ChangeLog	2017-05-18 17:46:38 UTC (rev 217050)
@@ -1,3 +1,15 @@
+2017-05-18  Filip Pizlo  <fpi...@apple.com>
+
+        DFG inlining should be hardened for the no-result case
+        https://bugs.webkit.org/show_bug.cgi?id=172290
+
+        Reviewed by Saam Barati.
+
+        * stress/array-constructor-no-result.js: Added.
+        (foo):
+        * stress/pow-no-result.js: Added.
+        (foo):
+
 2017-05-18  Commit Queue  <commit-qu...@webkit.org>
 
         Unreviewed, rolling out r217031, r217032, and r217037.

Added: trunk/JSTests/stress/array-constructor-no-result.js (0 => 217050)

--- trunk/JSTests/stress/array-constructor-no-result.js	                        (rev 0)
+++ trunk/JSTests/stress/array-constructor-no-result.js	2017-05-18 17:46:38 UTC (rev 217050)
@@ -0,0 +1,13 @@
+var o = {};
+o.__defineSetter__("foo", Array);
+
+function foo()
+{
+    o.foo = 42;
+}
+
+noInline(foo);
+
+for (var i = 0; i < 10000; ++i)
+    foo();
+

Added: trunk/JSTests/stress/pow-no-result.js (0 => 217050)

--- trunk/JSTests/stress/pow-no-result.js	                        (rev 0)
+++ trunk/JSTests/stress/pow-no-result.js	2017-05-18 17:46:38 UTC (rev 217050)
@@ -0,0 +1,13 @@
+var o = {};
+o.__defineSetter__("foo", Math.pow);
+
+function foo()
+{
+    o.foo = 42;
+}
+
+noInline(foo);
+
+for (var i = 0; i < 10000; ++i)
+    foo();
+

Modified: trunk/Source/_javascript_Core/CMakeLists.txt (217049 => 217050)

--- trunk/Source/_javascript_Core/CMakeLists.txt	2017-05-18 17:42:43 UTC (rev 217049)
+++ trunk/Source/_javascript_Core/CMakeLists.txt	2017-05-18 17:46:38 UTC (rev 217050)
@@ -753,6 +753,7 @@
     runtime/InitializeThreading.cpp
     runtime/InspectorInstrumentationObject.cpp
     runtime/InternalFunction.cpp
+    runtime/Intrinsic.cpp
     runtime/IntlCollator.cpp
     runtime/IntlCollatorConstructor.cpp
     runtime/IntlCollatorPrototype.cpp

Modified: trunk/Source/_javascript_Core/ChangeLog (217049 => 217050)

--- trunk/Source/_javascript_Core/ChangeLog	2017-05-18 17:42:43 UTC (rev 217049)
+++ trunk/Source/_javascript_Core/ChangeLog	2017-05-18 17:46:38 UTC (rev 217050)
@@ -1,3 +1,29 @@
+2017-05-18  Filip Pizlo  <fpi...@apple.com>
+
+        DFG inlining should be hardened for the no-result case
+        https://bugs.webkit.org/show_bug.cgi?id=172290
+
+        Reviewed by Saam Barati.
+        
+        Previously, if we were inlining a setter call, we might have a bad time because the setter's
+        result register is the invalid VirtualRegister(), and much of the intrinsic handling code
+        assumes that the result register is valid.
+        
+        This doesn't usually cause problems because people don't usually point a setter at something
+        that we recognize as an intrinsic.
+        
+        * CMakeLists.txt:
+        * _javascript_Core.xcodeproj/project.pbxproj:
+        * b3/air/AirAllocateRegistersAndStackByLinearScan.cpp: Fix a comment.
+        * dfg/DFGByteCodeParser.cpp: Make RELEASE_ASSERT give accurate stacks. I was getting an absurd stack from the assert I added in DelayedSetLocal.
+        (JSC::DFG::ByteCodeParser::DelayedSetLocal::DelayedSetLocal): Assert so we catch the problem sooner.
+        (JSC::DFG::ByteCodeParser::handleIntrinsicCall): Fix the bug.
+        (JSC::DFG::ByteCodeParser::handleConstantInternalFunction): Fix the bug if constant internal functions were setter-inlineable (they ain't, because the bytecode parser doesn't fold GetSetter).
+        * runtime/Intrinsic.cpp: Added. I needed this to debug.
+        (JSC::intrinsicName):
+        (WTF::printInternal):
+        * runtime/Intrinsic.h:
+
 2017-05-18  Commit Queue  <commit-qu...@webkit.org>
 
         Unreviewed, rolling out r217031, r217032, and r217037.

Modified: trunk/Source/_javascript_Core/_javascript_Core.xcodeproj/project.pbxproj (217049 => 217050)

--- trunk/Source/_javascript_Core/_javascript_Core.xcodeproj/project.pbxproj	2017-05-18 17:42:43 UTC (rev 217049)
+++ trunk/Source/_javascript_Core/_javascript_Core.xcodeproj/project.pbxproj	2017-05-18 17:46:38 UTC (rev 217050)
@@ -192,6 +192,7 @@
 		0F25F1B2181635F300522F39 /* FTLSlowPathCall.h in Headers */ = {isa = PBXBuildFile; fileRef = 0F25F1AB181635F300522F39 /* FTLSlowPathCall.h */; settings = {ATTRIBUTES = (Private, ); }; };
 		0F25F1B3181635F300522F39 /* FTLSlowPathCallKey.cpp in Sources */ = {isa = PBXBuildFile; fileRef = 0F25F1AC181635F300522F39 /* FTLSlowPathCallKey.cpp */; };
 		0F25F1B4181635F300522F39 /* FTLSlowPathCallKey.h in Headers */ = {isa = PBXBuildFile; fileRef = 0F25F1AD181635F300522F39 /* FTLSlowPathCallKey.h */; settings = {ATTRIBUTES = (Private, ); }; };
+		0F275F2D1ECE079800620D47 /* Intrinsic.cpp in Sources */ = {isa = PBXBuildFile; fileRef = 0F275F2C1ECE079600620D47 /* Intrinsic.cpp */; };
 		0F2AC5661E8A0B770001EE3F /* AirFixSpillsAfterTerminals.cpp in Sources */ = {isa = PBXBuildFile; fileRef = 0F2AC5641E8A0B760001EE3F /* AirFixSpillsAfterTerminals.cpp */; };
 		0F2AC5671E8A0B790001EE3F /* AirFixSpillsAfterTerminals.h in Headers */ = {isa = PBXBuildFile; fileRef = 0F2AC5651E8A0B760001EE3F /* AirFixSpillsAfterTerminals.h */; };
 		0F2AC56A1E8A0BD30001EE3F /* AirAllocateRegistersAndStackByLinearScan.cpp in Sources */ = {isa = PBXBuildFile; fileRef = 0F2AC5681E8A0BD10001EE3F /* AirAllocateRegistersAndStackByLinearScan.cpp */; };
@@ -2772,6 +2773,7 @@
 		0F25F1AB181635F300522F39 /* FTLSlowPathCall.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; name = FTLSlowPathCall.h; path = ftl/FTLSlowPathCall.h; sourceTree = "<group>"; };
 		0F25F1AC181635F300522F39 /* FTLSlowPathCallKey.cpp */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.cpp.cpp; name = FTLSlowPathCallKey.cpp; path = ftl/FTLSlowPathCallKey.cpp; sourceTree = "<group>"; };
 		0F25F1AD181635F300522F39 /* FTLSlowPathCallKey.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; name = FTLSlowPathCallKey.h; path = ftl/FTLSlowPathCallKey.h; sourceTree = "<group>"; };
+		0F275F2C1ECE079600620D47 /* Intrinsic.cpp */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.cpp.cpp; path = Intrinsic.cpp; sourceTree = "<group>"; };
 		0F2AC5641E8A0B760001EE3F /* AirFixSpillsAfterTerminals.cpp */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.cpp.cpp; name = AirFixSpillsAfterTerminals.cpp; path = b3/air/AirFixSpillsAfterTerminals.cpp; sourceTree = "<group>"; };
 		0F2AC5651E8A0B760001EE3F /* AirFixSpillsAfterTerminals.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; name = AirFixSpillsAfterTerminals.h; path = b3/air/AirFixSpillsAfterTerminals.h; sourceTree = "<group>"; };
 		0F2AC5681E8A0BD10001EE3F /* AirAllocateRegistersAndStackByLinearScan.cpp */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.cpp.cpp; name = AirAllocateRegistersAndStackByLinearScan.cpp; path = b3/air/AirAllocateRegistersAndStackByLinearScan.cpp; sourceTree = "<group>"; };
@@ -6599,9 +6601,9 @@
 				A7E5A3A61797432D00E893C0 /* CompilationResult.h */,
 				969A09220ED1E09C00F1F681 /* Completion.cpp */,
 				F5BB2BC5030F772101FCFE1D /* Completion.h */,
+				0FDB2CE9174896C7007B3C1B /* ConcurrentJSLock.h */,
 				658824B01E5CFDF400FB7359 /* ConfigFile.cpp */,
 				658824AE1E5CFDB000FB7359 /* ConfigFile.h */,
-				0FDB2CE9174896C7007B3C1B /* ConcurrentJSLock.h */,
 				A5B6A74C18C6DBA600F11E91 /* ConsoleClient.cpp */,
 				A53CE08918BC21C300BEDF76 /* ConsoleClient.h */,
 				A55714BC1CD8048E0004D2C6 /* ConsoleObject.cpp */,
@@ -6627,8 +6629,6 @@
 				14A1563010966365006FA260 /* DateInstanceCache.h */,
 				BCD203470E17135E002C7E82 /* DatePrototype.cpp */,
 				BCD203480E17135E002C7E82 /* DatePrototype.h */,
-				534638761E71E06E00F12AC1 /* PromiseDeferredTimer.cpp */,
-				534638741E70DDEC00F12AC1 /* PromiseDeferredTimer.h */,
 				169948EDE68D4054B01EF797 /* DefinePropertyAttributes.h */,
 				0FE0500F1AA9091100D33B33 /* DirectArguments.cpp */,
 				0FE050101AA9091100D33B33 /* DirectArguments.h */,
@@ -6718,9 +6718,9 @@
 				E178633F0D9BEC0000D74E75 /* InitializeThreading.h */,
 				E35E035D1B7AB43E0073AD2A /* InspectorInstrumentationObject.cpp */,
 				E35E035E1B7AB43E0073AD2A /* InspectorInstrumentationObject.h */,
+				A7A8AF2B17ADB5F3005AB174 /* Int8Array.h */,
 				A7A8AF2C17ADB5F3005AB174 /* Int16Array.h */,
 				A7A8AF2D17ADB5F3005AB174 /* Int32Array.h */,
-				A7A8AF2B17ADB5F3005AB174 /* Int8Array.h */,
 				BC9BB95B0E19680600DF8855 /* InternalFunction.cpp */,
 				BC11667A0E199C05008066DD /* InternalFunction.h */,
 				A1B9E2331B4E0D6700BC7FED /* IntlCollator.cpp */,
@@ -6744,6 +6744,7 @@
 				A12BBFF31B044A9800664B69 /* IntlObject.cpp */,
 				A12BBFF11B044A8B00664B69 /* IntlObject.h */,
 				708EBE231CE8F35000453146 /* IntlObjectInlines.h */,
+				0F275F2C1ECE079600620D47 /* Intrinsic.cpp */,
 				86BF642A148DB2B5004DE36A /* Intrinsic.h */,
 				8B9F6D551D5912FA001C739F /* IterationKind.h */,
 				FE4D55B71AE716CA0052E459 /* IterationStatus.h */,
@@ -6815,9 +6816,9 @@
 				BC756FC60E2031B200DE7D12 /* JSGlobalObjectFunctions.cpp */,
 				BC756FC70E2031B200DE7D12 /* JSGlobalObjectFunctions.h */,
 				79B819921DD25CF500DDC714 /* JSGlobalObjectInlines.h */,
+				0F2B66C917B6B5AB00A7AE3F /* JSInt8Array.h */,
 				0F2B66CA17B6B5AB00A7AE3F /* JSInt16Array.h */,
 				0F2B66CB17B6B5AB00A7AE3F /* JSInt32Array.h */,
-				0F2B66C917B6B5AB00A7AE3F /* JSInt8Array.h */,
 				E33F507E1B8429A400413856 /* JSInternalPromise.cpp */,
 				E33F507F1B8429A400413856 /* JSInternalPromise.h */,
 				E33F50761B84225700413856 /* JSInternalPromiseConstructor.cpp */,
@@ -6865,6 +6866,8 @@
 				E3EF88731B66DF23003F26CB /* JSPropertyNameIterator.h */,
 				862553CE16136AA5009F17D0 /* JSProxy.cpp */,
 				862553CF16136AA5009F17D0 /* JSProxy.h */,
+				534638721E70D01500F12AC1 /* JSRunLoopTimer.cpp */,
+				534638701E70CF3D00F12AC1 /* JSRunLoopTimer.h */,
 				14874AE115EBDE4A002E3587 /* JSScope.cpp */,
 				14874AE215EBDE4A002E3587 /* JSScope.h */,
 				11C197C2624848EDA84CED7F /* JSScriptFetcher.cpp */,
@@ -6905,10 +6908,10 @@
 				53F256E11B87E28000B4B768 /* JSTypedArrayViewPrototype.cpp */,
 				53917E7C1B791106000EBD33 /* JSTypedArrayViewPrototype.h */,
 				6507D2970E871E4A00D7D896 /* JSTypeInfo.h */,
+				0F2B66D217B6B5AB00A7AE3F /* JSUint8Array.h */,
+				0F2B66D317B6B5AB00A7AE3F /* JSUint8ClampedArray.h */,
 				0F2B66D417B6B5AB00A7AE3F /* JSUint16Array.h */,
 				0F2B66D517B6B5AB00A7AE3F /* JSUint32Array.h */,
-				0F2B66D217B6B5AB00A7AE3F /* JSUint8Array.h */,
-				0F2B66D317B6B5AB00A7AE3F /* JSUint8ClampedArray.h */,
 				A7CA3AE117DA41AE006538AF /* JSWeakMap.cpp */,
 				A7CA3AE217DA41AE006538AF /* JSWeakMap.h */,
 				709FB8611AE335C60039D069 /* JSWeakSet.cpp */,
@@ -6926,6 +6929,7 @@
 				A7E2EA690FB460CF00601F06 /* LiteralParser.h */,
 				F692A8680255597D01FF60F7 /* Lookup.cpp */,
 				F692A8690255597D01FF60F7 /* Lookup.h */,
+				28806E21155E478A93FA7B02 /* MachineContext.h */,
 				795B19951D78BE3500262FA0 /* MapBase.cpp */,
 				795B19961D78BE3500262FA0 /* MapBase.h */,
 				A700873717CBE85300C3E643 /* MapConstructor.cpp */,
@@ -6979,6 +6983,8 @@
 				868916A9155F285400CB2B9A /* PrivateName.h */,
 				147341DF1DC2CE9600AA29BA /* ProgramExecutable.cpp */,
 				147341D31DC02E6D00AA29BA /* ProgramExecutable.h */,
+				534638761E71E06E00F12AC1 /* PromiseDeferredTimer.cpp */,
+				534638741E70DDEC00F12AC1 /* PromiseDeferredTimer.h */,
 				A7FB60A3103F7DC20017A286 /* PropertyDescriptor.cpp */,
 				A7FB604B103F5EAB0017A286 /* PropertyDescriptor.h */,
 				BC95437C0EBA70FD0072B6D3 /* PropertyMapHashTable.h */,
@@ -7021,8 +7027,6 @@
 				0F7C39FC1C8F659500480151 /* RegExpObjectInlines.h */,
 				BCD202BF0E1706A7002C7E82 /* RegExpPrototype.cpp */,
 				BCD202C00E1706A7002C7E82 /* RegExpPrototype.h */,
-				534638721E70D01500F12AC1 /* JSRunLoopTimer.cpp */,
-				534638701E70CF3D00F12AC1 /* JSRunLoopTimer.h */,
 				70B0A9D01A9B66200001306A /* RuntimeFlags.h */,
 				527773DD1AAF83AC00BDE7E8 /* RuntimeType.cpp */,
 				52C0611D1AA51E1B00B4ADBA /* RuntimeType.h */,
@@ -7119,11 +7123,11 @@
 				0F2D4DE019832D91007D4B19 /* TypeProfilerLog.h */,
 				0F2D4DE319832D91007D4B19 /* TypeSet.cpp */,
 				0F2D4DE419832D91007D4B19 /* TypeSet.h */,
+				A7A8AF3017ADB5F3005AB174 /* Uint8Array.h */,
+				A7A8AF3117ADB5F3005AB174 /* Uint8ClampedArray.h */,
 				A7A8AF3217ADB5F3005AB174 /* Uint16Array.h */,
 				866739D113BFDE710023D87C /* Uint16WithFraction.h */,
 				A7A8AF3317ADB5F3005AB174 /* Uint32Array.h */,
-				A7A8AF3017ADB5F3005AB174 /* Uint8Array.h */,
-				A7A8AF3117ADB5F3005AB174 /* Uint8ClampedArray.h */,
 				0FE050231AA9095600D33B33 /* VarOffset.cpp */,
 				0FE050241AA9095600D33B33 /* VarOffset.h */,
 				E18E3A570DF9278C00D90B34 /* VM.cpp */,
@@ -7149,7 +7153,6 @@
 				709FB8661AE335C60039D069 /* WeakSetPrototype.h */,
 				A7DCB77912E3D90500911940 /* WriteBarrier.h */,
 				C2B6D75218A33793004A9301 /* WriteBarrierInlines.h */,
-				28806E21155E478A93FA7B02 /* MachineContext.h */,
 			);
 			path = runtime;
 			sourceTree = "<group>";
@@ -11067,6 +11070,7 @@
 				863C6D9C1521111A00585E4E /* YarrCanonicalizeUCS2.cpp in Sources */,
 				65FB63A41C8EA09C0020719B /* YarrCanonicalizeUnicode.cpp in Sources */,
 				86704B8412DBA33700A9FE7B /* YarrInterpreter.cpp in Sources */,
+				0F275F2D1ECE079800620D47 /* Intrinsic.cpp in Sources */,
 				86704B8612DBA33700A9FE7B /* YarrJIT.cpp in Sources */,
 				86704B8912DBA33700A9FE7B /* YarrPattern.cpp in Sources */,
 				86704B4212DB8A8100A9FE7B /* YarrSyntaxChecker.cpp in Sources */,

Modified: trunk/Source/_javascript_Core/b3/air/AirAllocateRegistersAndStackByLinearScan.cpp (217049 => 217050)

--- trunk/Source/_javascript_Core/b3/air/AirAllocateRegistersAndStackByLinearScan.cpp	2017-05-18 17:42:43 UTC (rev 217049)
+++ trunk/Source/_javascript_Core/b3/air/AirAllocateRegistersAndStackByLinearScan.cpp	2017-05-18 17:46:38 UTC (rev 217050)
@@ -237,9 +237,8 @@
             
             auto record = [&] (unsigned instIndex) {
                 // FIXME: This could get the register sets from somewhere else, like the
-                // liveness constraints. Except we want those constraints to be laid out like
-                // how they would have been by RegLiveness, since we want to separate the lates
-                // of one inst from the earlies of the next.
+                // liveness constraints. Except we want those constraints to separate the late
+                // actions of one instruction from the early actions of the next.
                 // https://bugs.webkit.org/show_bug.cgi?id=170850
                 const RegisterSet& regs = localCalc.live();
                 if (Inst* prev = block->get(instIndex - 1)) {

Modified: trunk/Source/_javascript_Core/dfg/DFGByteCodeParser.cpp (217049 => 217050)

--- trunk/Source/_javascript_Core/dfg/DFGByteCodeParser.cpp	2017-05-18 17:42:43 UTC (rev 217049)
+++ trunk/Source/_javascript_Core/dfg/DFGByteCodeParser.cpp	2017-05-18 17:46:38 UTC (rev 217050)
@@ -64,6 +64,23 @@
 
 namespace JSC { namespace DFG {
 
+namespace {
+
+NO_RETURN_DUE_TO_CRASH NEVER_INLINE void crash()
+{
+    CRASH();
+}
+
+#undef RELEASE_ASSERT
+#define RELEASE_ASSERT(assertion) do { \
+    if (UNLIKELY(!(assertion))) { \
+        WTFReportAssertionFailure(__FILE__, __LINE__, WTF_PRETTY_FUNCTION, #assertion); \
+        crash(); \
+    } \
+} while (0)
+
+} // anonymous namespace
+
 static const bool verbose = false;
 
 class ConstantBufferKey {
@@ -1189,6 +1206,7 @@
             , m_operand(operand)
             , m_value(value)
         {
+            RELEASE_ASSERT(operand.isValid());
         }
         
         Node* execute(ByteCodeParser* parser, SetMode setMode = NormalSet)
@@ -2146,6 +2164,18 @@
 template<typename ChecksFunctor>
 bool ByteCodeParser::handleIntrinsicCall(Node* callee, int resultOperand, Intrinsic intrinsic, int registerOffset, int argumentCountIncludingThis, SpeculatedType prediction, const ChecksFunctor& insertChecks)
 {
+    if (Options::verboseDFGByteCodeParsing())
+        dataLog("       The intrinsic is ", intrinsic, "\n");
+    
+    // It so happens that the code below doesn't handle the invalid result case. We could fix that, but
+    // it would only benefit intrinsics called as setters, like if you do:
+    //
+    //     o.__defineSetter__("foo", Math.pow)
+    //
+    // Which is extremely amusing, but probably not worth optimizing.
+    if (!VirtualRegister(resultOperand).isValid())
+        return false;
+    
     switch (intrinsic) {
 
     // Intrinsic Functions:
@@ -3078,8 +3108,13 @@
     Node* callTargetNode, int resultOperand, InternalFunction* function, int registerOffset,
     int argumentCountIncludingThis, CodeSpecializationKind kind, SpeculatedType prediction, const ChecksFunctor& insertChecks)
 {
-    if (verbose)
+    if (Options::verboseDFGByteCodeParsing())
         dataLog("    Handling constant internal function ", JSValue(function), "\n");
+    
+    // It so happens that the code below assumes that the result operand is valid. It's extremely
+    // unlikely that the result operand would be invalid - you'd have to call this via a setter call.
+    if (!VirtualRegister(resultOperand).isValid())
+        return false;
 
     if (kind == CodeForConstruct) {
         Node* newTargetNode = get(virtualRegisterForArgument(0, registerOffset));

Added: trunk/Source/_javascript_Core/runtime/Intrinsic.cpp (0 => 217050)

--- trunk/Source/_javascript_Core/runtime/Intrinsic.cpp	                        (rev 0)
+++ trunk/Source/_javascript_Core/runtime/Intrinsic.cpp	2017-05-18 17:46:38 UTC (rev 217050)
@@ -0,0 +1,201 @@
+/*
+ * Copyright (C) 2017 Apple Inc. All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY APPLE INC. ``AS IS'' AND ANY
+ * EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL APPLE INC. OR
+ * CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL,
+ * EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
+ * PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
+ * PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY
+ * OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+ * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 
+ */
+
+#include "config.h"
+#include "Intrinsic.h"
+
+#include <wtf/PrintStream.h>
+
+namespace JSC {
+
+const char* intrinsicName(Intrinsic intrinsic)
+{
+    switch (intrinsic) {
+    case NoIntrinsic:
+        return "NoIntrinsic";
+    case AbsIntrinsic:
+        return "AbsIntrinsic";
+    case ACosIntrinsic:
+        return "ACosIntrinsic";
+    case ASinIntrinsic:
+        return "ASinIntrinsic";
+    case ATanIntrinsic:
+        return "ATanIntrinsic";
+    case ACoshIntrinsic:
+        return "ACoshIntrinsic";
+    case ASinhIntrinsic:
+        return "ASinhIntrinsic";
+    case ATanhIntrinsic:
+        return "ATanhIntrinsic";
+    case MinIntrinsic:
+        return "MinIntrinsic";
+    case MaxIntrinsic:
+        return "MaxIntrinsic";
+    case SqrtIntrinsic:
+        return "SqrtIntrinsic";
+    case SinIntrinsic:
+        return "SinIntrinsic";
+    case CbrtIntrinsic:
+        return "CbrtIntrinsic";
+    case Clz32Intrinsic:
+        return "Clz32Intrinsic";
+    case CosIntrinsic:
+        return "CosIntrinsic";
+    case TanIntrinsic:
+        return "TanIntrinsic";
+    case CoshIntrinsic:
+        return "CoshIntrinsic";
+    case SinhIntrinsic:
+        return "SinhIntrinsic";
+    case TanhIntrinsic:
+        return "TanhIntrinsic";
+    case ArrayPushIntrinsic:
+        return "ArrayPushIntrinsic";
+    case ArrayPopIntrinsic:
+        return "ArrayPopIntrinsic";
+    case ArraySliceIntrinsic:
+        return "ArraySliceIntrinsic";
+    case CharCodeAtIntrinsic:
+        return "CharCodeAtIntrinsic";
+    case CharAtIntrinsic:
+        return "CharAtIntrinsic";
+    case FromCharCodeIntrinsic:
+        return "FromCharCodeIntrinsic";
+    case PowIntrinsic:
+        return "PowIntrinsic";
+    case FloorIntrinsic:
+        return "FloorIntrinsic";
+    case CeilIntrinsic:
+        return "CeilIntrinsic";
+    case RoundIntrinsic:
+        return "RoundIntrinsic";
+    case ExpIntrinsic:
+        return "ExpIntrinsic";
+    case Expm1Intrinsic:
+        return "Expm1Intrinsic";
+    case LogIntrinsic:
+        return "LogIntrinsic";
+    case Log10Intrinsic:
+        return "Log10Intrinsic";
+    case Log1pIntrinsic:
+        return "Log1pIntrinsic";
+    case Log2Intrinsic:
+        return "Log2Intrinsic";
+    case RegExpExecIntrinsic:
+        return "RegExpExecIntrinsic";
+    case RegExpTestIntrinsic:
+        return "RegExpTestIntrinsic";
+    case RegExpTestFastIntrinsic:
+        return "RegExpTestFastIntrinsic";
+    case StringPrototypeValueOfIntrinsic:
+        return "StringPrototypeValueOfIntrinsic";
+    case StringPrototypeReplaceIntrinsic:
+        return "StringPrototypeReplaceIntrinsic";
+    case StringPrototypeReplaceRegExpIntrinsic:
+        return "StringPrototypeReplaceRegExpIntrinsic";
+    case StringPrototypeToLowerCaseIntrinsic:
+        return "StringPrototypeToLowerCaseIntrinsic";
+    case NumberPrototypeToStringIntrinsic:
+        return "NumberPrototypeToStringIntrinsic";
+    case IMulIntrinsic:
+        return "IMulIntrinsic";
+    case RandomIntrinsic:
+        return "RandomIntrinsic";
+    case FRoundIntrinsic:
+        return "FRoundIntrinsic";
+    case TruncIntrinsic:
+        return "TruncIntrinsic";
+    case IsTypedArrayViewIntrinsic:
+        return "IsTypedArrayViewIntrinsic";
+    case BoundThisNoArgsFunctionCallIntrinsic:
+        return "BoundThisNoArgsFunctionCallIntrinsic";
+    case JSMapGetIntrinsic:
+        return "JSMapGetIntrinsic";
+    case JSMapHasIntrinsic:
+        return "JSMapHasIntrinsic";
+    case JSSetHasIntrinsic:
+        return "JSSetHasIntrinsic";
+    case HasOwnPropertyIntrinsic:
+        return "HasOwnPropertyIntrinsic";
+    case AtomicsAddIntrinsic:
+        return "AtomicsAddIntrinsic";
+    case AtomicsAndIntrinsic:
+        return "AtomicsAndIntrinsic";
+    case AtomicsCompareExchangeIntrinsic:
+        return "AtomicsCompareExchangeIntrinsic";
+    case AtomicsExchangeIntrinsic:
+        return "AtomicsExchangeIntrinsic";
+    case AtomicsIsLockFreeIntrinsic:
+        return "AtomicsIsLockFreeIntrinsic";
+    case AtomicsLoadIntrinsic:
+        return "AtomicsLoadIntrinsic";
+    case AtomicsOrIntrinsic:
+        return "AtomicsOrIntrinsic";
+    case AtomicsStoreIntrinsic:
+        return "AtomicsStoreIntrinsic";
+    case AtomicsSubIntrinsic:
+        return "AtomicsSubIntrinsic";
+    case AtomicsWaitIntrinsic:
+        return "AtomicsWaitIntrinsic";
+    case AtomicsWakeIntrinsic:
+        return "AtomicsWakeIntrinsic";
+    case AtomicsXorIntrinsic:
+        return "AtomicsXorIntrinsic";
+    case ParseIntIntrinsic:
+        return "ParseIntIntrinsic";
+    case TypedArrayLengthIntrinsic:
+        return "TypedArrayLengthIntrinsic";
+    case TypedArrayByteLengthIntrinsic:
+        return "TypedArrayByteLengthIntrinsic";
+    case TypedArrayByteOffsetIntrinsic:
+        return "TypedArrayByteOffsetIntrinsic";
+    case DFGTrueIntrinsic:
+        return "DFGTrueIntrinsic";
+    case OSRExitIntrinsic:
+        return "OSRExitIntrinsic";
+    case IsFinalTierIntrinsic:
+        return "IsFinalTierIntrinsic";
+    case SetInt32HeapPredictionIntrinsic:
+        return "SetInt32HeapPredictionIntrinsic";
+    case CheckInt32Intrinsic:
+        return "CheckInt32Intrinsic";
+    case FiatInt52Intrinsic:
+        return "FiatInt52Intrinsic";
+    }
+    RELEASE_ASSERT_NOT_REACHED();
+    return nullptr;
+}
+
+} // namespace JSC
+
+namespace WTF {
+
+void printInternal(PrintStream& out, JSC::Intrinsic intrinsic)
+{
+    out.print(JSC::intrinsicName(intrinsic));
+}
+
+} // namespace WTF
+

Modified: trunk/Source/_javascript_Core/runtime/Intrinsic.h (217049 => 217050)

--- trunk/Source/_javascript_Core/runtime/Intrinsic.h	2017-05-18 17:42:43 UTC (rev 217049)
+++ trunk/Source/_javascript_Core/runtime/Intrinsic.h	2017-05-18 17:46:38 UTC (rev 217050)
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2011, 2016 Apple Inc. All rights reserved.
+ * Copyright (C) 2011-2017 Apple Inc. All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
@@ -111,4 +111,16 @@
     FiatInt52Intrinsic,
 };
 
+const char* intrinsicName(Intrinsic);
+
 } // namespace JSC
+
+namespace WTF {
+
+class PrintStream;
+
+void printInternal(PrintStream&, JSC::Intrinsic);
+
+} // namespace WTF
+
+

_______________________________________________
webkit-changes mailing list
webkit-changes@lists.webkit.org
https://lists.webkit.org/mailman/listinfo/webkit-changes