Title: [230115] trunk
Revision
230115
Author
fpi...@apple.com
Date
2018-03-30 13:31:00 -0700 (Fri, 30 Mar 2018)

Log Message

Bytecode generator should not get_from_scope something that may be a hole into a variable that is already live
https://bugs.webkit.org/show_bug.cgi?id=184189

Reviewed by JF Bastien.

JSTests:

* stress/load-hole-from-scope-into-live-var.js: Added.
(result.eval.try.switch):
(catch):

Source/_javascript_Core:

* bytecompiler/NodesCodegen.cpp:
(JSC::ResolveNode::emitBytecode):

Modified Paths

Added Paths

Diff

Modified: trunk/JSTests/ChangeLog (230114 => 230115)


--- trunk/JSTests/ChangeLog	2018-03-30 20:25:26 UTC (rev 230114)
+++ trunk/JSTests/ChangeLog	2018-03-30 20:31:00 UTC (rev 230115)
@@ -1,3 +1,14 @@
+2018-03-30  Filip Pizlo  <fpi...@apple.com>
+
+        Bytecode generator should not get_from_scope something that may be a hole into a variable that is already live
+        https://bugs.webkit.org/show_bug.cgi?id=184189
+
+        Reviewed by JF Bastien.
+
+        * stress/load-hole-from-scope-into-live-var.js: Added.
+        (result.eval.try.switch):
+        (catch):
+
 2018-03-30  Ryan Haddad  <ryanhad...@apple.com>
 
         Unreviewed, rolling out r230102.

Added: trunk/JSTests/stress/load-hole-from-scope-into-live-var.js (0 => 230115)


--- trunk/JSTests/stress/load-hole-from-scope-into-live-var.js	                        (rev 0)
+++ trunk/JSTests/stress/load-hole-from-scope-into-live-var.js	2018-03-30 20:31:00 UTC (rev 230115)
@@ -0,0 +1,14 @@
+//@ runDefault
+var result = eval(`
+try {
+    switch (0) {
+    case 1:
+        let x = eval();
+    default:
+        x;
+    }
+} catch (e) {
+}
+`);
+if (result !== void 0)
+    throw "Bad result: " + result;
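Review bot: The empty `catch (e) { }` in the evaluated source accepts any exception, so the test cannot tell the expected TDZ ReferenceError on `x;` from an unrelated failure. Adding `if (!(e instanceof ReferenceError)) throw e;` inside the catch would pin that down without changing the completion value that the final check compares against `void 0`. The test also does not say why `let x = eval();` is used. Presumably the `eval()` forces `x` to be scope-allocated so the read in `default:` goes through get_from_scope; a comment such as `// eval() keeps x in the scope object so the default: case loads it with get_from_scope.` would record that, once confirmed.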

Modified: trunk/Source/_javascript_Core/ChangeLog (230114 => 230115)


--- trunk/Source/_javascript_Core/ChangeLog	2018-03-30 20:25:26 UTC (rev 230114)
+++ trunk/Source/_javascript_Core/ChangeLog	2018-03-30 20:31:00 UTC (rev 230115)
@@ -1,3 +1,13 @@
+2018-03-30  Filip Pizlo  <fpi...@apple.com>
+
+        Bytecode generator should not get_from_scope something that may be a hole into a variable that is already live
+        https://bugs.webkit.org/show_bug.cgi?id=184189
+
+        Reviewed by JF Bastien.
+
+        * bytecompiler/NodesCodegen.cpp:
+        (JSC::ResolveNode::emitBytecode):
+
 2018-03-30  Mark Lam  <mark....@apple.com>
 
         Add pointer profiling support to Wasm.

Modified: trunk/Source/_javascript_Core/bytecompiler/NodesCodegen.cpp (230114 => 230115)


--- trunk/Source/_javascript_Core/bytecompiler/NodesCodegen.cpp	2018-03-30 20:25:26 UTC (rev 230114)
+++ trunk/Source/_javascript_Core/bytecompiler/NodesCodegen.cpp	2018-03-30 20:31:00 UTC (rev 230115)
@@ -252,10 +252,12 @@
     generator.emitExpressionInfo(divot, m_start, divot);
     RefPtr<RegisterID> scope = generator.emitResolveScope(dst, var);
     RegisterID* finalDest = generator.finalDestination(dst);
-    RegisterID* result = generator.emitGetFromScope(finalDest, scope.get(), var, ThrowIfNotFound);
-    generator.emitTDZCheckIfNecessary(var, finalDest, nullptr);
+    RefPtr<RegisterID> uncheckedResult = generator.newTemporary();
+    generator.emitGetFromScope(uncheckedResult.get(), scope.get(), var, ThrowIfNotFound);
+    generator.emitTDZCheckIfNecessary(var, uncheckedResult.get(), nullptr);
+    generator.emitMove(finalDest, uncheckedResult.get());
     generator.emitProfileType(finalDest, var, m_position, JSTextPosition(-1, m_position.offset + m_ident.length(), -1));
-    return result;
+    return finalDest;
 }
 
 // ------------------------------ TemplateStringNode -----------------------------------
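Review bot: Nothing at the new `newTemporary()` / `emitMove()` lines says why the load no longer targets `finalDest` directly, so a later cleanup could fold the temporary away and reintroduce the bug. A comment above the `uncheckedResult` declaration would keep the invariant visible: `// Load into a temporary: the value may be the TDZ hole, and finalDest may be a live variable that a handler can still read after the check throws.` The temporary and the move also appear to be emitted when `emitTDZCheckIfNecessary` ends up emitting no check, so it is worth confirming that case does not add a redundant move to the generated bytecode. The enclosing `ResolveNode::emitBytecode` starts above the hunk, so any earlier paths in it are not visible here.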