Title: [225844] trunk
- Revision
- 225844
- Author
- [email protected]
- Date
- 2017-12-13 09:19:24 -0800 (Wed, 13 Dec 2017)
Log Message
TypeCheckHoistingPhase needs to emit a CheckStructureOrEmpty if it's doing it for |this|
https://bugs.webkit.org/show_bug.cgi?id=180734
<rdar://problem/35640547>
Reviewed by Yusuke Suzuki.
JSTests:
* stress/type-check-hoisting-phase-hoist-check-structure-on-tdz-this-value.js: Added.
(__isPropertyOfType):
(__getProperties):
(__getObjects):
(__getRandomObject):
(theClass.):
(theClass):
(childClass):
(counter.catch):
Source/_javascript_Core:
The |this| value may be TDZ. If type check hoisting phase
hoists a CheckStructure to it, it will crash. This patch
makes it so we emit CheckStructureOrEmpty for |this|.
* dfg/DFGTypeCheckHoistingPhase.cpp:
(JSC::DFG::TypeCheckHoistingPhase::run):
Modified: trunk/JSTests/ChangeLog (225843 => 225844)
--- trunk/JSTests/ChangeLog 2017-12-13 12:39:42 UTC (rev 225843)
+++ trunk/JSTests/ChangeLog 2017-12-13 17:19:24 UTC (rev 225844)
@@ -1,3 +1,21 @@
+2017-12-13 Saam Barati <[email protected]>
+
+ TypeCheckHoistingPhase needs to emit a CheckStructureOrEmpty if it's doing it for |this|
+ https://bugs.webkit.org/show_bug.cgi?id=180734
+ <rdar://problem/35640547>
+
+ Reviewed by Yusuke Suzuki.
+
+ * stress/type-check-hoisting-phase-hoist-check-structure-on-tdz-this-value.js: Added.
+ (__isPropertyOfType):
+ (__getProperties):
+ (__getObjects):
+ (__getRandomObject):
+ (theClass.):
+ (theClass):
+ (childClass):
+ (counter.catch):
+
2017-12-12 Saam Barati <[email protected]>
We need to model effects of Spread(@PhantomCreateRest) in Clobberize/PreciseLocalClobberize
Added: trunk/JSTests/stress/type-check-hoisting-phase-hoist-check-structure-on-tdz-this-value.js (0 => 225844)
--- trunk/JSTests/stress/type-check-hoisting-phase-hoist-check-structure-on-tdz-this-value.js (rev 0)
+++ trunk/JSTests/stress/type-check-hoisting-phase-hoist-check-structure-on-tdz-this-value.js 2017-12-13 17:19:24 UTC (rev 225844)
@@ -0,0 +1,51 @@
+function __isPropertyOfType(obj, name, type) {
+ desc = Object.getOwnPropertyDescriptor(obj, name)
+ return typeof type === 'undefined' || typeof desc.value === type;
+}
+function __getProperties(obj, type) {
+ let properties = [];
+ for (let name of Object.getOwnPropertyNames(obj)) {
+ if (__isPropertyOfType(obj, name, type)) properties.push(name);
+ }
+ let proto = Object.getPrototypeOf(obj);
+ while (proto && proto != Object.prototype) {
+ Object.getOwnPropertyNames(proto).forEach(name => {
+ });
+ proto = Object.getPrototypeOf(proto);
+ }
+ return properties;
+}
+function* __getObjects(root = this, level = 0) {
+ if (level > 4) return;
+ let obj_names = __getProperties(root, 'object');
+ for (let obj_name of obj_names) {
+ let obj = root[obj_name];
+ yield* __getObjects(obj, level + 1);
+ }
+}
+function __getRandomObject() {
+ for (let obj of __getObjects()) {
+ }
+}
+var theClass = class {
+ constructor() {
+ if (242487 != null && typeof __getRandomObject() == "object") try {
+ } catch (e) {}
+ }
+};
+var childClass = class Class extends theClass {
+ constructor() {
+ var arrow = () => {
+ try {
+ super();
+ } catch (e) {}
+ this.idValue
+ };
+ arrow()()();
+ }
+};
+for (var counter = 0; counter < 1000; counter++) {
+ try {
+ new childClass();
+ } catch (e) {}
+}
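Review bot: The new test carries no comment saying what it exercises, so the file name is the only hint a future reader gets when it fails; a one-line header such as `// Regression test for https://bugs.webkit.org/show_bug.cgi?id=180734: |this| may still be in TDZ at the catch around super(), so a CheckStructure hoisted onto it must be CheckStructureOrEmpty.` would make the intent explicit. Separately, `desc` on the second line of __isPropertyOfType is assigned without a declaration and becomes an implicit global; `let desc = Object.getOwnPropertyDescriptor(obj, name);` keeps the test self-contained. The empty forEach body in __getProperties and the value-less loop in __getRandomObject look like fuzzer-reduction residue, which is fine to keep if the reproduction depends on the shape, but a short note saying so would stop someone from "cleaning" them later.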
Modified: trunk/Source/_javascript_Core/ChangeLog (225843 => 225844)
--- trunk/Source/_javascript_Core/ChangeLog 2017-12-13 12:39:42 UTC (rev 225843)
+++ trunk/Source/_javascript_Core/ChangeLog 2017-12-13 17:19:24 UTC (rev 225844)
@@ -1,3 +1,18 @@
+2017-12-13 Saam Barati <[email protected]>
+
+ TypeCheckHoistingPhase needs to emit a CheckStructureOrEmpty if it's doing it for |this|
+ https://bugs.webkit.org/show_bug.cgi?id=180734
+ <rdar://problem/35640547>
+
+ Reviewed by Yusuke Suzuki.
+
+ The |this| value may be TDZ. If type check hoisting phase
+ hoists a CheckStructure to it, it will crash. This patch
+ makes it so we emit CheckStructureOrEmpty for |this|.
+
+ * dfg/DFGTypeCheckHoistingPhase.cpp:
+ (JSC::DFG::TypeCheckHoistingPhase::run):
+
2017-12-12 Yusuke Suzuki <[email protected]>
[JSC] Optimize Object.assign by single transition acceleration
Modified: trunk/Source/_javascript_Core/dfg/DFGTypeCheckHoistingPhase.cpp (225843 => 225844)
--- trunk/Source/_javascript_Core/dfg/DFGTypeCheckHoistingPhase.cpp 2017-12-13 12:39:42 UTC (rev 225843)
+++ trunk/Source/_javascript_Core/dfg/DFGTypeCheckHoistingPhase.cpp 2017-12-13 17:19:24 UTC (rev 225844)
@@ -144,8 +144,17 @@
indexInBlock + 1, variable->prediction(), GetLocal, origin,
OpInfo(variable), Edge(node));
if (iter->value.m_structure) {
+ auto checkOp = CheckStructure;
+ VirtualRegister local = node->variableAccessData()->local();
+ auto* inlineCallFrame = node->origin.semantic.inlineCallFrame;
+ if ((local - (inlineCallFrame ? inlineCallFrame->stackOffset : 0)) == virtualRegisterForArgument(0)) {
+ // |this| can be the TDZ value. The call entrypoint won't have |this| as TDZ,
+ // but a catch or a loop OSR entry may have |this| be TDZ.
+ checkOp = CheckStructureOrEmpty;
+ }
+
insertionSet.insertNode(
- indexInBlock + 1, SpecNone, CheckStructure, origin,
+ indexInBlock + 1, SpecNone, checkOp, origin,
OpInfo(m_graph.addStructureSet(iter->value.m_structure)),
Edge(getLocal, CellUse));
} else if (iter->value.m_arrayModeIsValid) {
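Review bot: The |this| detection is applied only inside the `if (iter->value.m_structure)` branch; the sibling `else if (iter->value.m_arrayModeIsValid)` branch on the hunk's last line hoists a check onto the same GetLocal, and if that check also consumes the value as a cell it would have the same TDZ exposure — worth confirming rather than assuming the fix is complete. Factoring the argument-0 test into a small named predicate would let both branches share it, reads more clearly than the inline arithmetic, and keeps the explanatory comment in one place; `local` is read once and could be `const`. The enclosing TypeCheckHoistingPhase::run body begins and ends outside the hunk, so the predicate's placement (loop-local lambda or file-local helper) is a judgement call for whoever lands it.
```cpp
// Hoisted checks on |this| must tolerate the TDZ value: the call entrypoint
// never sees it, but a catch or loop OSR entry may.
auto isThisArgument = [](Node* node) -> bool {
    const VirtualRegister local = node->variableAccessData()->local();
    auto* inlineCallFrame = node->origin.semantic.inlineCallFrame;
    return (local - (inlineCallFrame ? inlineCallFrame->stackOffset : 0)) == virtualRegisterForArgument(0);
};
// … unchanged: GetLocal insertion …
if (iter->value.m_structure) {
    auto checkOp = isThisArgument(node) ? CheckStructureOrEmpty : CheckStructure;
    insertionSet.insertNode(
        indexInBlock + 1, SpecNone, checkOp, origin,
        // … unchanged: structure set and CellUse edge …
```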