Title: [231145] trunk
- Revision
- 231145
- Author
- [email protected]
- Date
- 2018-04-28 18:17:06 -0700 (Sat, 28 Apr 2018)
Log Message
We don't model regexp effects properly
https://bugs.webkit.org/show_bug.cgi?id=185059
<rdar://problem/39736150>
Reviewed by Filip Pizlo.
JSTests:
* stress/regexp-exec-test-effectful-last-index.js: Added.
(assert):
(foo):
(i.regexLastIndex.toString):
(bar):
Source/JavaScriptCore:
RegExp exec/test can do arbitrary effects when toNumbering the lastIndex if
the regexp is global.
* dfg/DFGAbstractInterpreterInlines.h:
(JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
* dfg/DFGClobberize.h:
(JSC::DFG::clobberize):
Modified: trunk/JSTests/ChangeLog (231144 => 231145)
--- trunk/JSTests/ChangeLog 2018-04-29 00:51:35 UTC (rev 231144)
+++ trunk/JSTests/ChangeLog 2018-04-29 01:17:06 UTC (rev 231145)
@@ -1,3 +1,17 @@
+2018-04-28 Saam Barati <[email protected]>
+
+ We don't model regexp effects properly
+ https://bugs.webkit.org/show_bug.cgi?id=185059
+ <rdar://problem/39736150>
+
+ Reviewed by Filip Pizlo.
+
+ * stress/regexp-exec-test-effectful-last-index.js: Added.
+ (assert):
+ (foo):
+ (i.regexLastIndex.toString):
+ (bar):
+
2018-04-28 Rick Waldron <[email protected]>
Token misspelled "tocken" in error message string
Added: trunk/JSTests/stress/regexp-exec-test-effectful-last-index.js (0 => 231145)
--- trunk/JSTests/stress/regexp-exec-test-effectful-last-index.js (rev 0)
+++ trunk/JSTests/stress/regexp-exec-test-effectful-last-index.js 2018-04-29 01:17:06 UTC (rev 231145)
@@ -0,0 +1,50 @@
+function assert(b) {
+ if (!b)
+ throw new Error;
+}
+
+let outer = 42;
+
+function foo(r, s) {
+ let y = outer;
+ r.test(s);
+ return y + outer;
+}
+noInline(foo);
+
+for (let i = 0; i < 10000; ++i) {
+ let r = /foo/g;
+ regexLastIndex = {};
+ regexLastIndex.toString = function() {
+ outer = 1;
+ return "1";
+ };
+
+ r.lastIndex = regexLastIndex;
+ let result = foo(r, "bar");
+ assert(result === 43);
+
+ outer = 42;
+}
+
+function bar(r, s) {
+ let y = outer;
+ r.exec(s);
+ return y + outer;
+}
+noInline(bar);
+
+for (let i = 0; i < 10000; ++i) {
+ let r = /foo/g;
+ regexLastIndex = {};
+ regexLastIndex.toString = function() {
+ outer = 1;
+ return "1";
+ };
+
+ r.lastIndex = regexLastIndex;
+ let result = bar(r, "bar");
+ assert(result === 43);
+
+ outer = 42;
+}
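Review bot: Both loops assign `regexLastIndex = {};` without a declaration, which creates an implicit global and would throw if the file were ever run in strict mode; `let regexLastIndex = {};` inside each loop keeps the test self-contained. The expected value 43 is unexplained, so a comment above each `assert(result === 43)` such as `// y was read as 42 before test()/exec() ran toString, which set outer to 1` would tell a future reader what this guards against (a stale load of `outer` would presumably give 84). Coverage is limited to `/foo/g` with a `toString` hook; a `/foo/y` regexp and a `valueOf` hook would presumably reach the same lastIndex conversion and are worth adding if so.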
Modified: trunk/Source/_javascript_Core/ChangeLog (231144 => 231145)
--- trunk/Source/_javascript_Core/ChangeLog 2018-04-29 00:51:35 UTC (rev 231144)
+++ trunk/Source/_javascript_Core/ChangeLog 2018-04-29 01:17:06 UTC (rev 231145)
@@ -1,3 +1,19 @@
+2018-04-28 Saam Barati <[email protected]>
+
+ We don't model regexp effects properly
+ https://bugs.webkit.org/show_bug.cgi?id=185059
+ <rdar://problem/39736150>
+
+ Reviewed by Filip Pizlo.
+
+ RegExp exec/test can do arbitrary effects when toNumbering the lastIndex if
+ the regexp is global.
+
+ * dfg/DFGAbstractInterpreterInlines.h:
+ (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
+ * dfg/DFGClobberize.h:
+ (JSC::DFG::clobberize):
+
2018-04-28 Rick Waldron <[email protected]>
Token misspelled "tocken" in error message string
Modified: trunk/Source/_javascript_Core/dfg/DFGAbstractInterpreterInlines.h (231144 => 231145)
--- trunk/Source/_javascript_Core/dfg/DFGAbstractInterpreterInlines.h 2018-04-29 00:51:35 UTC (rev 231144)
+++ trunk/Source/_javascript_Core/dfg/DFGAbstractInterpreterInlines.h 2018-04-29 01:17:06 UTC (rev 231145)
@@ -2010,11 +2010,9 @@
case RegExpExec:
case RegExpExecNonGlobalOrSticky:
if (node->op() == RegExpExec) {
- if (node->child2().useKind() == RegExpObjectUse
- && node->child3().useKind() == StringUse) {
- // This doesn't clobber the world since there are no conversions to perform.
- } else
- clobberWorld(node->origin.semantic, clobberLimit);
+ // Even if we've proven known input types as RegExpObject and String,
+ // accessing lastIndex is effectful if it's a global regexp.
+ clobberWorld(node->origin.semantic, clobberLimit);
}
if (JSValue globalObjectValue = forNode(node->child1()).m_value) {
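Review bot: The new comment in the RegExpExec branch says the lastIndex access is effectful "if it's a global regexp", yet the `clobberWorld` call below it runs for every RegExpExec node, and the sibling case name RegExpExecNonGlobalOrSticky suggests sticky regexps consult lastIndex as well. I would word it as `// The regexp's flags are not known here; converting lastIndex to a number can run arbitrary JS for a global (or sticky) regexp, so always clobber.`, with the sticky part confirmed first since it is inferred from the node name only. The RegExpTest hunk below and the DFGClobberize.h hunk carry the same comment and need the same rewording. Because these two places must agree for the optimizer not to keep proofs across a call into user code, a pointer such as `// Keep in sync with clobberize() in DFGClobberize.h.` would help. The enclosing executeEffects body starts and ends outside the hunk.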
@@ -2034,11 +2032,9 @@
break;
case RegExpTest:
- if (node->child2().useKind() == RegExpObjectUse
- && node->child3().useKind() == StringUse) {
- // This doesn't clobber the world since there are no conversions to perform.
- } else
- clobberWorld(node->origin.semantic, clobberLimit);
+ // Even if we've proven known input types as RegExpObject and String,
+ // accessing lastIndex is effectful if it's a global regexp.
+ clobberWorld(node->origin.semantic, clobberLimit);
forNode(node).setType(SpecBoolean);
break;
Modified: trunk/Source/_javascript_Core/dfg/DFGClobberize.h (231144 => 231145)
--- trunk/Source/_javascript_Core/dfg/DFGClobberize.h 2018-04-29 00:51:35 UTC (rev 231144)
+++ trunk/Source/_javascript_Core/dfg/DFGClobberize.h 2018-04-29 01:17:06 UTC (rev 231145)
@@ -1513,19 +1513,19 @@
case RegExpExec:
case RegExpTest:
- case RegExpMatchFast:
- if (node->child2().useKind() == RegExpObjectUse
- && node->child3().useKind() == StringUse) {
- read(RegExpState);
- read(RegExpObject_lastIndex);
- write(RegExpState);
- write(RegExpObject_lastIndex);
- return;
- }
+ // Even if we've proven known input types as RegExpObject and String,
+ // accessing lastIndex is effectful if it's a global regexp.
read(World);
write(Heap);
return;
+ case RegExpMatchFast:
+ read(RegExpState);
+ read(RegExpObject_lastIndex);
+ write(RegExpState);
+ write(RegExpObject_lastIndex);
+ return;
+
case RegExpExecNonGlobalOrSticky:
case RegExpMatchFastGlobal:
read(RegExpState);
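Review bot: RegExpMatchFast now reports the narrow `RegExpState` / `RegExpObject_lastIndex` read and write set unconditionally, whereas before this change it fell through to `read(World); write(Heap);` whenever child2/child3 were not RegExpObjectUse/StringUse. If those use kinds are guaranteed for this node elsewhere (not visible in the hunk), state it at the case, e.g. `ASSERT(node->child2().useKind() == RegExpObjectUse && node->child3().useKind() == StringUse);`, so a later change to how the node is built cannot silently under-report its effects. The case also needs a one-line comment on why RegExpMatchFast is exempt from the lastIndex conversion that makes RegExpExec and RegExpTest clobber everything just above. clobberize() begins and ends outside the hunk.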