Title: [231580] branches/safari-605-branch
- Revision
- 231580
- Author
- [email protected]
- Date
- 2018-05-09 12:00:28 -0700 (Wed, 09 May 2018)
Log Message
Apply patch. rdar://problem/40050713
Modified Paths
Added Paths
Diff
Added: branches/safari-605-branch/JSTests/stress/regexp-exec-test-effectful-last-index.js (0 => 231580)
--- branches/safari-605-branch/JSTests/stress/regexp-exec-test-effectful-last-index.js (rev 0)
+++ branches/safari-605-branch/JSTests/stress/regexp-exec-test-effectful-last-index.js 2018-05-09 19:00:28 UTC (rev 231580)
@@ -0,0 +1,50 @@
+function assert(b) {
+ if (!b)
+ throw new Error;
+}
+
+let outer = 42;
+
+function foo(r, s) {
+ let y = outer;
+ r.test(s);
+ return y + outer;
+}
+noInline(foo);
+
+for (let i = 0; i < 10000; ++i) {
+ let r = /foo/g;
+ regexLastIndex = {};
+ regexLastIndex.toString = function() {
+ outer = 1;
+ return "1";
+ };
+
+ r.lastIndex = regexLastIndex;
+ let result = foo(r, "bar");
+ assert(result === 43);
+
+ outer = 42;
+}
+
+function bar(r, s) {
+ let y = outer;
+ r.exec(s);
+ return y + outer;
+}
+noInline(bar);
+
+for (let i = 0; i < 10000; ++i) {
+ let r = /foo/g;
+ regexLastIndex = {};
+ regexLastIndex.toString = function() {
+ outer = 1;
+ return "1";
+ };
+
+ r.lastIndex = regexLastIndex;
+ let result = bar(r, "bar");
+ assert(result === 43);
+
+ outer = 42;
+}
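Review bot: Both loops only exercise a `/foo/g` regexp with a side-effecting `toString`, so the sticky case, which also consults `lastIndex`, is not pinned by this test. A further pair of loops using `/foo/y` would cover it. Separately, `regexLastIndex = {};` in both loops assigns without a declaration and creates an implicit global; `let regexLastIndex = {};` keeps it local to the iteration. The two loops differ only in `test` versus `exec` and could share one helper that takes the method name.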
Modified: branches/safari-605-branch/Source/_javascript_Core/dfg/DFGAbstractInterpreterInlines.h (231579 => 231580)
--- branches/safari-605-branch/Source/_javascript_Core/dfg/DFGAbstractInterpreterInlines.h 2018-05-09 18:42:05 UTC (rev 231579)
+++ branches/safari-605-branch/Source/_javascript_Core/dfg/DFGAbstractInterpreterInlines.h 2018-05-09 19:00:28 UTC (rev 231580)
@@ -1978,11 +1978,10 @@
}
case RegExpExec:
- if (node->child2().useKind() == RegExpObjectUse
- && node->child3().useKind() == StringUse) {
- // This doesn't clobber the world since there are no conversions to perform.
- } else
- clobberWorld(node->origin.semantic, clobberLimit);
+ // Even if we've proven known input types as RegExpObject and String,
+ // accessing lastIndex is effectful if it's a global regexp.
+ clobberWorld(node->origin.semantic, clobberLimit);
+
if (JSValue globalObjectValue = forNode(node->child1()).m_value) {
if (JSGlobalObject* globalObject = jsDynamicCast<JSGlobalObject*>(m_vm, globalObjectValue)) {
if (!globalObject->isHavingABadTime()) {
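Review bot: The new comment at RegExpExec says the access is effectful "if it's a global regexp", but the `clobberWorld` call under it is unconditional, and the comment does not say why reading lastIndex can have effects. Wording such as `// lastIndex can hold any value; converting it to a number may call a user-defined toString/valueOf, so this node can run arbitrary code even with RegExpObjectUse and StringUse.` states the mechanism the added stress test relies on. The same comment is repeated in the RegExpTest hunk and in the DFGClobberize.h hunk and would need the same change. The RegExpExec case continues past the end of this hunk, so whether later code in it still assumes unclobbered state cannot be checked from here.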
@@ -2000,11 +1999,9 @@
break;
case RegExpTest:
- if (node->child2().useKind() == RegExpObjectUse
- && node->child3().useKind() == StringUse) {
- // This doesn't clobber the world since there are no conversions to perform.
- } else
- clobberWorld(node->origin.semantic, clobberLimit);
+ // Even if we've proven known input types as RegExpObject and String,
+ // accessing lastIndex is effectful if it's a global regexp.
+ clobberWorld(node->origin.semantic, clobberLimit);
forNode(node).setType(SpecBoolean);
break;
Modified: branches/safari-605-branch/Source/_javascript_Core/dfg/DFGClobberize.h (231579 => 231580)
--- branches/safari-605-branch/Source/_javascript_Core/dfg/DFGClobberize.h 2018-05-09 18:42:05 UTC (rev 231579)
+++ branches/safari-605-branch/Source/_javascript_Core/dfg/DFGClobberize.h 2018-05-09 19:00:28 UTC (rev 231580)
@@ -1515,14 +1515,8 @@
case RegExpExec:
case RegExpTest:
- if (node->child2().useKind() == RegExpObjectUse
- && node->child3().useKind() == StringUse) {
- read(RegExpState);
- read(RegExpObject_lastIndex);
- write(RegExpState);
- write(RegExpObject_lastIndex);
- return;
- }
+ // Even if we've proven known input types as RegExpObject and String,
+ // accessing lastIndex is effectful if it's a global regexp.
read(World);
write(Heap);
return;