Title: [231503] branches/safari-605-branch
- Revision
- 231503
- Author
- [email protected]
- Date
- 2018-05-08 12:42:12 -0700 (Tue, 08 May 2018)
Log Message
Cherry-pick r231034. rdar://problem/40050717
In FTLLowerDFGToB3.cpp::compileCreateRest, always use a contiguous array as the indexing type when under isWatchingHavingABadTimeWatchpoint
https://bugs.webkit.org/show_bug.cgi?id=184773
<rdar://problem/37773612>
Reviewed by Filip Pizlo.
JSTests:
This bug requires a race between the thread doing FTL compilation and the main thread, but it triggers in 100% of cases (before the fix) on my machine
so I decided to add it to the stress tests nonetheless.
* stress/create-rest-while-having-a-bad-time.js: Added.
(f):
(g):
(h):
Source/_javascript_Core:
We were calling restParameterStructure(), which returns arrayStructureForIndexingTypeDuringAllocation(ArrayWithContiguous).
arrayStructureForIndexingTypeDuringAllocation uses m_arrayStructureForIndexingShapeDuringAllocation, which is set to SlowPutArrayStorage when we are 'having a bad time'.
This is problematic, because the structure is then passed to allocateUninitializedContiguousJSArray, which ASSERTs that the indexing type is contiguous (or int32).
We solve the problem by using originalArrayStructureForIndexingType which always returns a structure with the right indexing type (contiguous), even if we are having a bad time.
This is safe, as we are under isWatchingHavingABadTimeWatchpoint, so if we have a bad time, the code we generate will never be installed.
* ftl/FTLLowerDFGToB3.cpp:
(JSC::FTL::DFG::LowerDFGToB3::compileCreateRest):
git-svn-id: https://svn.webkit.org/repository/webkit/trunk@231034 268f45cc-cd09-0410-ab3c-d52691b4dbfc
Modified Paths
Added Paths
Diff
Modified: branches/safari-605-branch/JSTests/ChangeLog (231502 => 231503)
--- branches/safari-605-branch/JSTests/ChangeLog 2018-05-08 19:42:09 UTC (rev 231502)
+++ branches/safari-605-branch/JSTests/ChangeLog 2018-05-08 19:42:12 UTC (rev 231503)
@@ -1,5 +1,55 @@
2018-05-08 Jason Marcell <[email protected]>
+ Cherry-pick r231034. rdar://problem/40050717
+
+ In FTLLowerDFGToB3.cpp::compileCreateRest, always use a contiguous array as the indexing type when under isWatchingHavingABadTimeWatchpoint
+ https://bugs.webkit.org/show_bug.cgi?id=184773
+ <rdar://problem/37773612>
+
+ Reviewed by Filip Pizlo.
+
+ JSTests:
+
+ This bug requires a race between the thread doing FTL compilation and the main thread, but it triggers in 100% of cases (before the fix) on my machine
+ so I decided to add it to the stress tests nonetheless.
+
+ * stress/create-rest-while-having-a-bad-time.js: Added.
+ (f):
+ (g):
+ (h):
+
+ Source/_javascript_Core:
+
+ We were calling restParameterStructure(), which returns arrayStructureForIndexingTypeDuringAllocation(ArrayWithContiguous).
+ arrayStructureForIndexingTypeDuringAllocation uses m_arrayStructureForIndexingShapeDuringAllocation, which is set to SlowPutArrayStorage when we are 'having a bad time'.
+ This is problematic, because the structure is then passed to allocateUninitializedContiguousJSArray, which ASSERTs that the indexing type is contiguous (or int32).
+ We solve the problem by using originalArrayStructureForIndexingType which always returns a structure with the right indexing type (contiguous), even if we are having a bad time.
+ This is safe, as we are under isWatchingHavingABadTimeWatchpoint, so if we have a bad time, the code we generate will never be installed.
+
+ * ftl/FTLLowerDFGToB3.cpp:
+ (JSC::FTL::DFG::LowerDFGToB3::compileCreateRest):
+
+
+ git-svn-id: https://svn.webkit.org/repository/webkit/trunk@231034 268f45cc-cd09-0410-ab3c-d52691b4dbfc
+
+ 2018-04-25 Robin Morisset <[email protected]>
+
+ In FTLLowerDFGToB3.cpp::compileCreateRest, always use a contiguous array as the indexing type when under isWatchingHavingABadTimeWatchpoint
+ https://bugs.webkit.org/show_bug.cgi?id=184773
+ <rdar://problem/37773612>
+
+ Reviewed by Filip Pizlo.
+
+ This bug requires a race between the thread doing FTL compilation and the main thread, but it triggers in 100% of cases (before the fix) on my machine
+ so I decided to add it to the stress tests nonetheless.
+
+ * stress/create-rest-while-having-a-bad-time.js: Added.
+ (f):
+ (g):
+ (h):
+
+2018-05-08 Jason Marcell <[email protected]>
+
Cherry-pick r230740. rdar://problem/40050731
A put is not an ExistingProperty put when we transition a structure because of an attributes change
Added: branches/safari-605-branch/JSTests/stress/create-rest-while-having-a-bad-time.js (0 => 231503)
--- branches/safari-605-branch/JSTests/stress/create-rest-while-having-a-bad-time.js (rev 0)
+++ branches/safari-605-branch/JSTests/stress/create-rest-while-having-a-bad-time.js 2018-05-08 19:42:12 UTC (rev 231503)
@@ -0,0 +1,16 @@
+"use strict";
+function f(...v) {
+ return g(v);
+}
+function g() {
+ return h();
+}
+function h() {
+}
+
+for (let i = 0; i < 10000; ++i) {
+ f(0);
+ f(0, 0);
+}
+
+Object.defineProperty(Array.prototype, "42", {});
Modified: branches/safari-605-branch/Source/_javascript_Core/ChangeLog (231502 => 231503)
--- branches/safari-605-branch/Source/_javascript_Core/ChangeLog 2018-05-08 19:42:09 UTC (rev 231502)
+++ branches/safari-605-branch/Source/_javascript_Core/ChangeLog 2018-05-08 19:42:12 UTC (rev 231503)
@@ -1,5 +1,56 @@
2018-05-08 Jason Marcell <[email protected]>
+ Cherry-pick r231034. rdar://problem/40050717
+
+ In FTLLowerDFGToB3.cpp::compileCreateRest, always use a contiguous array as the indexing type when under isWatchingHavingABadTimeWatchpoint
+ https://bugs.webkit.org/show_bug.cgi?id=184773
+ <rdar://problem/37773612>
+
+ Reviewed by Filip Pizlo.
+
+ JSTests:
+
+ This bug requires a race between the thread doing FTL compilation and the main thread, but it triggers in 100% of cases (before the fix) on my machine
+ so I decided to add it to the stress tests nonetheless.
+
+ * stress/create-rest-while-having-a-bad-time.js: Added.
+ (f):
+ (g):
+ (h):
+
+ Source/_javascript_Core:
+
+ We were calling restParameterStructure(), which returns arrayStructureForIndexingTypeDuringAllocation(ArrayWithContiguous).
+ arrayStructureForIndexingTypeDuringAllocation uses m_arrayStructureForIndexingShapeDuringAllocation, which is set to SlowPutArrayStorage when we are 'having a bad time'.
+ This is problematic, because the structure is then passed to allocateUninitializedContiguousJSArray, which ASSERTs that the indexing type is contiguous (or int32).
+ We solve the problem by using originalArrayStructureForIndexingType which always returns a structure with the right indexing type (contiguous), even if we are having a bad time.
+ This is safe, as we are under isWatchingHavingABadTimeWatchpoint, so if we have a bad time, the code we generate will never be installed.
+
+ * ftl/FTLLowerDFGToB3.cpp:
+ (JSC::FTL::DFG::LowerDFGToB3::compileCreateRest):
+
+
+ git-svn-id: https://svn.webkit.org/repository/webkit/trunk@231034 268f45cc-cd09-0410-ab3c-d52691b4dbfc
+
+ 2018-04-25 Robin Morisset <[email protected]>
+
+ In FTLLowerDFGToB3.cpp::compileCreateRest, always use a contiguous array as the indexing type when under isWatchingHavingABadTimeWatchpoint
+ https://bugs.webkit.org/show_bug.cgi?id=184773
+ <rdar://problem/37773612>
+
+ Reviewed by Filip Pizlo.
+
+ We were calling restParameterStructure(), which returns arrayStructureForIndexingTypeDuringAllocation(ArrayWithContiguous).
+ arrayStructureForIndexingTypeDuringAllocation uses m_arrayStructureForIndexingShapeDuringAllocation, which is set to SlowPutArrayStorage when we are 'having a bad time'.
+ This is problematic, because the structure is then passed to allocateUninitializedContiguousJSArray, which ASSERTs that the indexing type is contiguous (or int32).
+ We solve the problem by using originalArrayStructureForIndexingType which always returns a structure with the right indexing type (contiguous), even if we are having a bad time.
+ This is safe, as we are under isWatchingHavingABadTimeWatchpoint, so if we have a bad time, the code we generate will never be installed.
+
+ * ftl/FTLLowerDFGToB3.cpp:
+ (JSC::FTL::DFG::LowerDFGToB3::compileCreateRest):
+
+2018-05-08 Jason Marcell <[email protected]>
+
Cherry-pick r230740. rdar://problem/40050731
A put is not an ExistingProperty put when we transition a structure because of an attributes change
Modified: branches/safari-605-branch/Source/_javascript_Core/ftl/FTLLowerDFGToB3.cpp (231502 => 231503)
--- branches/safari-605-branch/Source/_javascript_Core/ftl/FTLLowerDFGToB3.cpp 2018-05-08 19:42:09 UTC (rev 231502)
+++ branches/safari-605-branch/Source/_javascript_Core/ftl/FTLLowerDFGToB3.cpp 2018-05-08 19:42:12 UTC (rev 231503)
@@ -5032,7 +5032,7 @@
LValue arrayLength = lowInt32(m_node->child1());
LBasicBlock loopStart = m_out.newBlock();
JSGlobalObject* globalObject = m_graph.globalObjectFor(m_node->origin.semantic);
- RegisteredStructure structure = m_graph.registerStructure(globalObject->restParameterStructure());
+ RegisteredStructure structure = m_graph.registerStructure(globalObject->originalRestParameterStructure());
ArrayValues arrayValues = allocateUninitializedContiguousJSArray(arrayLength, structure);
LValue array = arrayValues.array;
LValue butterfly = arrayValues.butterfly;
Modified: branches/safari-605-branch/Source/_javascript_Core/runtime/JSGlobalObject.h (231502 => 231503)
--- branches/safari-605-branch/Source/_javascript_Core/runtime/JSGlobalObject.h 2018-05-08 19:42:09 UTC (rev 231502)
+++ branches/safari-605-branch/Source/_javascript_Core/runtime/JSGlobalObject.h 2018-05-08 19:42:12 UTC (rev 231503)
@@ -670,6 +670,7 @@
Structure* proxyRevokeStructure() const { return m_proxyRevokeStructure.get(); }
Structure* moduleLoaderStructure() const { return m_moduleLoaderStructure.get(); }
Structure* restParameterStructure() const { return arrayStructureForIndexingTypeDuringAllocation(ArrayWithContiguous); }
+ Structure* originalRestParameterStructure() const { return originalArrayStructureForIndexingType(ArrayWithContiguous); }
#if ENABLE(WEBASSEMBLY)
Structure* webAssemblyModuleRecordStructure() const { return m_webAssemblyModuleRecordStructure.get(); }
Structure* webAssemblyFunctionStructure() const { return m_webAssemblyFunctionStructure.get(); }
_______________________________________________
webkit-changes mailing list
[email protected]
https://lists.webkit.org/mailman/listinfo/webkit-changes
