Modified: branches/safari-605-branch/JSTests/ChangeLog (231933 => 231934)
--- branches/safari-605-branch/JSTests/ChangeLog 2018-05-18 00:17:42 UTC (rev 231933)
+++ branches/safari-605-branch/JSTests/ChangeLog 2018-05-18 00:17:46 UTC (rev 231934)
@@ -1,3 +1,78 @@
+2018-05-17 Kocsen Chung <kocsen_ch...@apple.com>
+
+ Cherry-pick r231871. rdar://problem/40346090
+
+ DFG models InstanceOf incorrectly
+ https://bugs.webkit.org/show_bug.cgi?id=185694
+
+ Reviewed by Keith Miller.
+ JSTests:
+
+ * stress/instanceof-proxy-check-structure.js: Added.
+ (Foo):
+ (Bar):
+ (doBadThings):
+ (getPrototypeOf):
+ (foo):
+ (i.new.Bar):
+ (new.Bar):
+ * stress/instanceof-proxy-loop.js: Added.
+ (Foo):
+ (Bar):
+ (doBadThings):
+ (getPrototypeOf):
+ (foo):
+ * stress/instanceof-proxy.js: Added.
+ (Foo):
+ (Bar):
+ (doBadThings):
+ (getPrototypeOf):
+ (foo):
+
+ Source/_javascript_Core:
+
+ Proxies mean that InstanceOf can have effects. Exceptions mean that it's illegal to DCE it or
+ hoist it.
+
+ * dfg/DFGAbstractInterpreterInlines.h:
+ (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
+ * dfg/DFGClobberize.h:
+ (JSC::DFG::clobberize):
+ * dfg/DFGHeapLocation.cpp:
+ (WTF::printInternal):
+ * dfg/DFGHeapLocation.h:
+ * dfg/DFGNodeType.h:
+
+ git-svn-id: https://svn.webkit.org/repository/webkit/trunk@231871 268f45cc-cd09-0410-ab3c-d52691b4dbfc
+
+ 2018-05-16 Filip Pizlo <fpi...@apple.com>
+
+ DFG models InstanceOf incorrectly
+ https://bugs.webkit.org/show_bug.cgi?id=185694
+
+ Reviewed by Keith Miller.
+
+ * stress/instanceof-proxy-check-structure.js: Added.
+ (Foo):
+ (Bar):
+ (doBadThings):
+ (getPrototypeOf):
+ (foo):
+ (i.new.Bar):
+ (new.Bar):
+ * stress/instanceof-proxy-loop.js: Added.
+ (Foo):
+ (Bar):
+ (doBadThings):
+ (getPrototypeOf):
+ (foo):
+ * stress/instanceof-proxy.js: Added.
+ (Foo):
+ (Bar):
+ (doBadThings):
+ (getPrototypeOf):
+ (foo):
+
2018-05-08 Jason Marcell <jmarc...@apple.com>
Cherry-pick r230972. rdar://problem/40050818
Added: branches/safari-605-branch/JSTests/stress/instanceof-proxy-check-structure.js (0 => 231934)
--- branches/safari-605-branch/JSTests/stress/instanceof-proxy-check-structure.js (rev 0)
+++ branches/safari-605-branch/JSTests/stress/instanceof-proxy-check-structure.js 2018-05-18 00:17:46 UTC (rev 231934)
@@ -0,0 +1,59 @@
+class Foo { }
+
+function Bar() { }
+
+var numberOfGetPrototypeOfCalls = 0;
+
+var doBadThings = function() { };
+
+Bar.prototype = new Proxy(
+ {},
+ {
+ getPrototypeOf()
+ {
+ numberOfGetPrototypeOfCalls++;
+ doBadThings();
+ return Foo.prototype;
+ }
+ });
+
+// Break some watchpoints.
+var o = {f:42};
+o.g = 43;
+
+function foo(o, p, q)
+{
+ var result = o.f;
+ var _ = p instanceof Foo;
+ q.f = 11;
+ return result + o.f;
+}
+
+noInline(foo);
+
+for (var i = 0; i < 10000; ++i) {
+ var result = foo({f:42}, new Bar(), {f:0});
+ if (result != 84)
+ throw "Error: bad result in loop: " + result;
+}
+
+if (numberOfGetPrototypeOfCalls != 10000)
+ throw "Error: did not call getPrototypeOf() the right number of times";
+
+var globalO = {f:42};
+var didCallGetter = false;
+doBadThings = function() {
+ delete globalO.f;
+ globalO.__defineGetter__("f", function() {
+ didCallGetter = true;
+ return 43;
+ });
+};
+
+var result = foo(globalO, new Bar(), {f:0});
+if (result != 85)
+ throw "Error: bad result at end: " + result;
+if (!didCallGetter)
+ throw "Error: did not call getter";
+if (numberOfGetPrototypeOfCalls != 10001)
+ throw "Error: did not call getPrototypeOf() the right number of times at end";
Added: branches/safari-605-branch/JSTests/stress/instanceof-proxy-loop.js (0 => 231934)
--- branches/safari-605-branch/JSTests/stress/instanceof-proxy-loop.js (rev 0)
+++ branches/safari-605-branch/JSTests/stress/instanceof-proxy-loop.js 2018-05-18 00:17:46 UTC (rev 231934)
@@ -0,0 +1,59 @@
+class Foo { }
+
+function Bar() { }
+
+var numberOfGetPrototypeOfCalls = 0;
+
+var doBadThings = function() { };
+
+Bar.prototype = new Proxy(
+ {},
+ {
+ getPrototypeOf()
+ {
+ numberOfGetPrototypeOfCalls++;
+ doBadThings();
+ return Foo.prototype;
+ }
+ });
+
+// Break some watchpoints.
+var o = {f:42};
+o.g = 43;
+
+function foo(o, p)
+{
+ var result = o.f;
+ for (var i = 0; i < 5; ++i)
+ var _ = p instanceof Foo;
+ return result + o.f;
+}
+
+noInline(foo);
+
+for (var i = 0; i < 10000; ++i) {
+ var result = foo({f:42}, new Bar());
+ if (result != 84)
+ throw "Error: bad result in loop: " + result;
+}
+
+if (numberOfGetPrototypeOfCalls != 10000 * 5)
+ throw "Error: did not call getPrototypeOf() the right number of times";
+
+var globalO = {f:42};
+var didCallGetter = false;
+doBadThings = function() {
+ delete globalO.f;
+ globalO.__defineGetter__("f", function() {
+ didCallGetter = true;
+ return 43;
+ });
+};
+
+var result = foo(globalO, new Bar());
+if (result != 85)
+ throw "Error: bad result at end: " + result;
+if (!didCallGetter)
+ throw "Error: did not call getter";
+if (numberOfGetPrototypeOfCalls != 10001 * 5)
+ throw "Error: did not call getPrototypeOf() the right number of times at end";
Added: branches/safari-605-branch/JSTests/stress/instanceof-proxy.js (0 => 231934)
--- branches/safari-605-branch/JSTests/stress/instanceof-proxy.js (rev 0)
+++ branches/safari-605-branch/JSTests/stress/instanceof-proxy.js 2018-05-18 00:17:46 UTC (rev 231934)
@@ -0,0 +1,47 @@
+class Foo { }
+
+function Bar() { }
+
+var numberOfGetPrototypeOfCalls = 0;
+
+var doBadThings = function() { };
+
+Bar.prototype = new Proxy(
+ {},
+ {
+ getPrototypeOf()
+ {
+ numberOfGetPrototypeOfCalls++;
+ doBadThings();
+ return Foo.prototype;
+ }
+ });
+
+var o = {f:42};
+
+function foo(o, p)
+{
+ var result = o.f;
+ var _ = p instanceof Foo;
+ return result + o.f;
+}
+
+noInline(foo);
+
+for (var i = 0; i < 10000; ++i) {
+ var result = foo({f:42}, new Bar());
+ if (result != 84)
+ throw "Error: bad result in loop: " + result;
+}
+
+var globalO = {f:42};
+var didCallGetter = false;
+doBadThings = function() {
+ globalO.f = 43;
+};
+
+var result = foo(globalO, new Bar());
+if (result != 85)
+ throw "Error: bad result at end: " + result;
+if (numberOfGetPrototypeOfCalls != 10001)
+ throw "Error: did not call getPrototypeOf() the right number of times at end";
Modified: branches/safari-605-branch/Source/_javascript_Core/ChangeLog (231933 => 231934)
--- branches/safari-605-branch/Source/_javascript_Core/ChangeLog 2018-05-18 00:17:42 UTC (rev 231933)
+++ branches/safari-605-branch/Source/_javascript_Core/ChangeLog 2018-05-18 00:17:46 UTC (rev 231934)
@@ -1,3 +1,69 @@
+2018-05-17 Kocsen Chung <kocsen_ch...@apple.com>
+
+ Cherry-pick r231871. rdar://problem/40346090
+
+ DFG models InstanceOf incorrectly
+ https://bugs.webkit.org/show_bug.cgi?id=185694
+
+ Reviewed by Keith Miller.
+ JSTests:
+
+ * stress/instanceof-proxy-check-structure.js: Added.
+ (Foo):
+ (Bar):
+ (doBadThings):
+ (getPrototypeOf):
+ (foo):
+ (i.new.Bar):
+ (new.Bar):
+ * stress/instanceof-proxy-loop.js: Added.
+ (Foo):
+ (Bar):
+ (doBadThings):
+ (getPrototypeOf):
+ (foo):
+ * stress/instanceof-proxy.js: Added.
+ (Foo):
+ (Bar):
+ (doBadThings):
+ (getPrototypeOf):
+ (foo):
+
+ Source/_javascript_Core:
+
+ Proxies mean that InstanceOf can have effects. Exceptions mean that it's illegal to DCE it or
+ hoist it.
+
+ * dfg/DFGAbstractInterpreterInlines.h:
+ (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
+ * dfg/DFGClobberize.h:
+ (JSC::DFG::clobberize):
+ * dfg/DFGHeapLocation.cpp:
+ (WTF::printInternal):
+ * dfg/DFGHeapLocation.h:
+ * dfg/DFGNodeType.h:
+
+ git-svn-id: https://svn.webkit.org/repository/webkit/trunk@231871 268f45cc-cd09-0410-ab3c-d52691b4dbfc
+
+ 2018-05-16 Filip Pizlo <fpi...@apple.com>
+
+ DFG models InstanceOf incorrectly
+ https://bugs.webkit.org/show_bug.cgi?id=185694
+
+ Reviewed by Keith Miller.
+
+ Proxies mean that InstanceOf can have effects. Exceptions mean that it's illegal to DCE it or
+ hoist it.
+
+ * dfg/DFGAbstractInterpreterInlines.h:
+ (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
+ * dfg/DFGClobberize.h:
+ (JSC::DFG::clobberize):
+ * dfg/DFGHeapLocation.cpp:
+ (WTF::printInternal):
+ * dfg/DFGHeapLocation.h:
+ * dfg/DFGNodeType.h:
+
2018-05-15 Kocsen Chung <kocsen_ch...@apple.com>
Cherry-pick r230485. rdar://problem/39988105
Modified: branches/safari-605-branch/Source/_javascript_Core/dfg/DFGAbstractInterpreterInlines.h (231933 => 231934)
--- branches/safari-605-branch/Source/_javascript_Core/dfg/DFGAbstractInterpreterInlines.h 2018-05-18 00:17:42 UTC (rev 231933)
+++ branches/safari-605-branch/Source/_javascript_Core/dfg/DFGAbstractInterpreterInlines.h 2018-05-18 00:17:46 UTC (rev 231934)
@@ -3290,6 +3290,7 @@
case InstanceOf:
// Sadly, we don't propagate the fact that we've done InstanceOf
forNode(node).setType(SpecBoolean);
+ clobberWorld(node->origin.semantic, clobberLimit);
break;
case InstanceOfCustom:
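Review bot: The added `clobberWorld(node->origin.semantic, clobberLimit);` on the InstanceOf case carries no explanation, and the existing comment above it only talks about the result type, so a reader will not know why a node that looks like a pure predicate now invalidates the whole abstract heap. Suggest a why-comment next to the call, e.g. `// The prototype walk may reach a Proxy whose getPrototypeOf trap runs arbitrary JS and can throw, so InstanceOf clobbers the world.` The same reasoning is equally invisible at the two other places this commit changes it: the new `case InstanceOf:` added to the read(World)/write(Heap) group in DFGClobberize.h, and the `NodeMustGenerate` flag added to the InstanceOf line in DFGNodeType.h; a short comment at each would tie the three changes together for the next maintainer. executeEffects starts and ends outside this hunk.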
Modified: branches/safari-605-branch/Source/_javascript_Core/dfg/DFGClobberize.h (231933 => 231934)
--- branches/safari-605-branch/Source/_javascript_Core/dfg/DFGClobberize.h 2018-05-18 00:17:42 UTC (rev 231933)
+++ branches/safari-605-branch/Source/_javascript_Core/dfg/DFGClobberize.h 2018-05-18 00:17:46 UTC (rev 231934)
@@ -633,6 +633,7 @@
case ToNumber:
case NumberToStringWithRadix:
case CreateThis:
+ case InstanceOf:
read(World);
write(Heap);
return;
@@ -1035,11 +1036,6 @@
def(HeapLocation(OverridesHasInstanceLoc, JSCell_typeInfoFlags, node->child1()), LazyNode(node));
return;
- case InstanceOf:
- read(JSCell_structureID);
- def(HeapLocation(InstanceOfLoc, JSCell_structureID, node->child1(), node->child2()), LazyNode(node));
- return;
-
case PutStructure:
read(JSObject_butterfly);
write(JSCell_structureID);
Modified: branches/safari-605-branch/Source/_javascript_Core/dfg/DFGHeapLocation.cpp (231933 => 231934)
--- branches/safari-605-branch/Source/_javascript_Core/dfg/DFGHeapLocation.cpp 2018-05-18 00:17:42 UTC (rev 231933)
+++ branches/safari-605-branch/Source/_javascript_Core/dfg/DFGHeapLocation.cpp 2018-05-18 00:17:46 UTC (rev 231934)
@@ -144,10 +144,6 @@
out.print("IndexedPropertyStorageLoc");
return;
- case InstanceOfLoc:
- out.print("InstanceOfLoc");
- return;
-
case NamedPropertyLoc:
out.print("NamedPropertyLoc");
return;
Modified: branches/safari-605-branch/Source/_javascript_Core/dfg/DFGHeapLocation.h (231933 => 231934)
--- branches/safari-605-branch/Source/_javascript_Core/dfg/DFGHeapLocation.h 2018-05-18 00:17:42 UTC (rev 231933)
+++ branches/safari-605-branch/Source/_javascript_Core/dfg/DFGHeapLocation.h 2018-05-18 00:17:46 UTC (rev 231934)
@@ -52,7 +52,6 @@
IndexedPropertyInt52Loc,
IndexedPropertyJSLoc,
IndexedPropertyStorageLoc,
- InstanceOfLoc,
InvalidationPointLoc,
IsFunctionLoc,
IsObjectOrNullLoc,
Modified: branches/safari-605-branch/Source/_javascript_Core/dfg/DFGNodeType.h (231933 => 231934)
--- branches/safari-605-branch/Source/_javascript_Core/dfg/DFGNodeType.h 2018-05-18 00:17:42 UTC (rev 231933)
+++ branches/safari-605-branch/Source/_javascript_Core/dfg/DFGNodeType.h 2018-05-18 00:17:46 UTC (rev 231934)
@@ -339,7 +339,7 @@
\
/* Nodes for misc operations. */\
macro(OverridesHasInstance, NodeMustGenerate | NodeResultBoolean) \
- macro(InstanceOf, NodeResultBoolean) \
+ macro(InstanceOf, NodeMustGenerate | NodeResultBoolean) \
macro(InstanceOfCustom, NodeMustGenerate | NodeResultBoolean) \
\
macro(IsCellWithType, NodeResultBoolean) \