- Revision: 234095
- Author: [email protected]
- Date: 2018-07-23 00:09:54 -0700 (Mon, 23 Jul 2018)
Log Message
Cherry-pick r234075. rdar://problem/42451525
DFG AbstractInterpreter: CheckArray filters array modes for DirectArguments/ScopedArguments using only NonArray
https://bugs.webkit.org/show_bug.cgi?id=187827
rdar://problem/42146858
Reviewed by Saam Barati.
JSTests:
New regression tests.
* stress/direct-arguments-check-array.js: Added.
(setup.f2):
(setup):
(forOfArray):
(forOfArgs):
(callEveryOnArgs):
* stress/scoped-arguments-check-array.js: Added.
(setup.foo):
(setup.f2):
(setup):
(forOfArray):
(forOfArgs):
(callEveryOnArgs):
Source/JavaScriptCore:
When filtering array modes for DirectArguments or ScopedArguments, we need to allow for the possibility
that they can either be NonArray or NonArrayWithArrayStorage (aka ArrayStorageShape).
We can't end up with other shapes, Int32, Double, etc because GenericArguments sets
InterceptsGetOwnPropertySlotByIndexEvenWhenLengthIsNotZero which will cause us to go down a
putByIndex() path that doesn't change the shape.
* dfg/DFGArrayMode.h:
(JSC::DFG::ArrayMode::arrayModesThatPassFiltering const):
git-svn-id: https://svn.webkit.org/repository/webkit/trunk@234075 268f45cc-cd09-0410-ab3c-d52691b4dbfc
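The commit message above talks about two engine-internal object kinds, DirectArguments and ScopedArguments, and about indexed stores on them landing in ArrayStorage rather than an Int32/Double butterfly. The following is an added example, not WebKit code and not part of this changeset: it drives, from plain ECMAScript, the same operations the two regression tests use (a closure capturing a parameter, an index written past `length`, a `length` override, `Array.prototype.every` and array iteration over the result) so the reader can see which JavaScript-level behaviours feed those engine paths. The mapping of JavaScript constructs to the JSC names (DirectArguments when no parameter is captured, ScopedArguments when one is) is stated as an assumption about JSC; the observable results are specified by ECMAScript and hold in any engine.

```javascript
// Added example (not WebKit code). Engine-internal names in comments are
// assumptions about JSC; everything observable here is plain ECMAScript.
// Both functions are built with the Function constructor so they are sloppy-mode
// (mapped arguments) even if this file is loaded as a strict ES module; the JSC
// stress tests in this changeset are sloppy scripts.

// Direct case: no closure captures a parameter, so the arguments object owns its
// slots (assumed JSC kind: DirectArguments). In sloppy mode args[0] and p0 alias.
const directArgs = new Function("p0", `
  var args = arguments;
  args[5] = "past-length";   // index beyond length; per the ChangeLog this goes to ArrayStorage, never Int32/Double
  args.length = 0;           // overriding length does not touch the indexed slots
  p0 = "via-param";          // mapped parameter: the write is visible through args[0]
  return args;
`);

// Scoped case: foo() captures p0, so the parameter lives in a scope and the
// arguments object must read through it (assumed JSC kind: ScopedArguments).
const scopedArgs = new Function("p0", `
  function foo() { return p0; }
  var args = arguments;
  args[5] = "past-length";
  args.length = 0;
  args[0] = "via-index";     // write through the index, read back through the closure
  return { args: args, read: foo };
`);

// Indices Array.prototype.every actually visits for a given length: it checks
// HasProperty first, so holes between the real arguments and a past-length store
// are skipped even when length says they are in range.
function visitedIndices(args, length) {
  const seen = [];
  args.length = length;
  Array.prototype.every.call(args, (_v, i) => { seen.push(i); return true; });
  return seen;
}

// Array iteration (for-of, Array.from via the arguments object's own
// Symbol.iterator) does not skip holes: every index below length is read and
// missing ones come back as undefined.
function iterated(args, length) {
  args.length = length;
  return Array.from(args);
}

function demo() {
  const d = directArgs("orig");
  const s = scopedArgs("orig");
  return {
    directMapped: d[0],                   // "via-param": parameter write seen through the index
    directLength: d.length,               // 0: the override stuck
    directPast: d[5],                     // "past-length": store beyond length survived
    scopedMapped: s.read(),               // "via-index": index write seen through the captured parameter
    visitedAtZero: visitedIndices(d, 0),  // []: length 0 hides everything from every()
    visitedAtSix: visitedIndices(d, 6),   // [0, 5]: holes 1..4 skipped
    iteratedAtSix: iterated(s.args, 6),   // ["via-index", undefined x4, "past-length"]
  };
}
```

The contrast between `visitedIndices` and `iterated` is the practical point: `every` consults `length` and per-index presence, while iteration consults only `length`, so a test that overrides `length` and stores past it exercises both the property lookup path and the plain indexed read path on the same object.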
Modified Paths
- branches/safari-606-branch/JSTests/ChangeLog
- branches/safari-606-branch/Source/JavaScriptCore/ChangeLog
- branches/safari-606-branch/Source/JavaScriptCore/dfg/DFGArrayMode.h
Added Paths
- branches/safari-606-branch/JSTests/stress/direct-arguments-check-array.js
- branches/safari-606-branch/JSTests/stress/scoped-arguments-check-array.js
Diff
Modified: branches/safari-606-branch/JSTests/ChangeLog (234094 => 234095)
--- branches/safari-606-branch/JSTests/ChangeLog 2018-07-23 07:09:50 UTC (rev 234094)
+++ branches/safari-606-branch/JSTests/ChangeLog 2018-07-23 07:09:54 UTC (rev 234095)
@@ -1,3 +1,69 @@
+2018-07-23 Babak Shafiei <[email protected]>
+
+ Cherry-pick r234075. rdar://problem/42451525
+
+ DFG AbstractInterpreter: CheckArray filters array modes for DirectArguments/ScopedArguments using only NonArray
+ https://bugs.webkit.org/show_bug.cgi?id=187827
+ rdar://problem/42146858
+
+ Reviewed by Saam Barati.
+
+ JSTests:
+
+ New regression tests.
+
+ * stress/direct-arguments-check-array.js: Added.
+ (setup.f2):
+ (setup):
+ (forOfArray):
+ (forOfArgs):
+ (callEveryOnArgs):
+ * stress/scoped-arguments-check-array.js: Added.
+ (setup.foo):
+ (setup.f2):
+ (setup):
+ (forOfArray):
+ (forOfArgs):
+ (callEveryOnArgs):
+
+ Source/_javascript_Core:
+
+ When filtering array modes for DirectArguments or ScopedArguments, we need to allow for the possibility
+ that they can either be NonArray or NonArrayWithArrayStorage (aka ArrayStorageShape).
+ We can't end up with other shapes, Int32, Double, etc because GenericArguments sets
+ InterceptsGetOwnPropertySlotByIndexEvenWhenLengthIsNotZero which will cause us to go down a
+ putByIndex() path that doesn't change the shape.
+
+ * dfg/DFGArrayMode.h:
+ (JSC::DFG::ArrayMode::arrayModesThatPassFiltering const):
+
+
+ git-svn-id: https://svn.webkit.org/repository/webkit/trunk@234075 268f45cc-cd09-0410-ab3c-d52691b4dbfc
+
+ 2018-07-20 Michael Saboff <[email protected]>
+
+ DFG AbstractInterpreter: CheckArray filters array modes for DirectArguments/ScopedArguments using only NonArray
+ https://bugs.webkit.org/show_bug.cgi?id=187827
+ rdar://problem/42146858
+
+ Reviewed by Saam Barati.
+
+ New regression tests.
+
+ * stress/direct-arguments-check-array.js: Added.
+ (setup.f2):
+ (setup):
+ (forOfArray):
+ (forOfArgs):
+ (callEveryOnArgs):
+ * stress/scoped-arguments-check-array.js: Added.
+ (setup.foo):
+ (setup.f2):
+ (setup):
+ (forOfArray):
+ (forOfArgs):
+ (callEveryOnArgs):
+
2018-07-11 Ryan Haddad <[email protected]>
Skip JSC test stress/keep-checks-when-converting-to-lazy-js-constant-in-strength-reduction.js
Added: branches/safari-606-branch/JSTests/stress/direct-arguments-check-array.js (0 => 234095)
--- branches/safari-606-branch/JSTests/stress/direct-arguments-check-array.js (rev 0)
+++ branches/safari-606-branch/JSTests/stress/direct-arguments-check-array.js 2018-07-23 07:09:54 UTC (rev 234095)
@@ -0,0 +1,40 @@
+//@ defaultRun
+//@ runNoLLInt("--useConcurrentJIT=false", "--forceEagerCompilation=True")
+
+// This is a regression test that verifies we handle direct arguments as ArrayStorage. This test should complete and not crash.
+// It is a reduction of a fuzzing bug produced testcase. All of the code present was needed to reproduce the issue.
+
+let a;
+let f2;
+let args;
+
+function setup() {
+ a = [0];
+ a.unshift(0);
+ for (let z of [4, 4, 4, 4, 4]) {};
+ new Float64Array(a);
+ f2 = function() {};
+ args = arguments;
+ args.length = 0;
+};
+
+function forOfArray() {
+ for (let z of [true, true, true, true, true, true, true]) {
+ }
+}
+
+function forOfArgs() {
+ for (let v of args) {
+ }
+}
+
+function callEveryOnArgs() {
+ for (i = 0; i < 1000; ++i) {
+ Array.prototype.every.call(args, f2, {});
+ }
+}
+
+setup();
+forOfArray();
+forOfArgs();
+callEveryOnArgs();
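Review bot: `for (i = 0; i < 1000; ++i)` in callEveryOnArgs assigns to an undeclared `i`, so the loop counter is an implicit global; declare it as `for (let i = 0; i < 1000; ++i)` so the test does not rely on sloppy-mode global creation and would not turn into a ReferenceError if a `"use strict"` line were ever added. Because the header comment says every line was needed to reproduce the fuzzer case, re-run the changed test against an unfixed build once to confirm it still crashes there. The stray semicolons after `function setup() { ... };` and after the empty `for (let z of [4, 4, 4, 4, 4]) {};` are harmless but could go at the same time.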
Added: branches/safari-606-branch/JSTests/stress/scoped-arguments-check-array.js (0 => 234095)
--- branches/safari-606-branch/JSTests/stress/scoped-arguments-check-array.js (rev 0)
+++ branches/safari-606-branch/JSTests/stress/scoped-arguments-check-array.js 2018-07-23 07:09:54 UTC (rev 234095)
@@ -0,0 +1,41 @@
+//@ defaultRun
+//@ runNoLLInt("--useConcurrentJIT=false", "--forceEagerCompilation=True")
+
+// This is a regression test that verifies we handle direct arguments as ArrayStorage. This test should complete and not crash.
+// It is a reduction of a fuzzing bug produced testcase. All of the code present was needed to reproduce the issue.
+
+let a;
+let f2;
+let args;
+
+function setup(arg1) {
+ function foo() { return arg1; }
+ a = [0];
+ a.unshift(0);
+ for (let z of [4, 4, 4, 4, 4]) {};
+ new Float64Array(a);
+ f2 = function() {};
+ args = arguments;
+ args.length = 0;
+};
+
+function forOfArray() {
+ for (let z of [true, true, true, true, true, true, true]) {
+ }
+}
+
+function forOfArgs() {
+ for (let v of args) {
+ }
+}
+
+function callEveryOnArgs() {
+ for (i = 0; i < 1000; ++i) {
+ Array.prototype.every.call(args, f2, {});
+ }
+}
+
+setup();
+forOfArray();
+forOfArgs();
+callEveryOnArgs();
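Review bot: the header comment `// This is a regression test that verifies we handle direct arguments as ArrayStorage.` was carried over from direct-arguments-check-array.js; the line that makes this file different is `function foo() { return arg1; }` inside setup, which captures a parameter and is what turns `arguments` into the scoped-arguments case named in the ChangeLog, so the comment should say scoped arguments and mention that capture. `setup()` is then called with no argument, so `arg1` is undefined; that is fine because only the capture matters, but it is worth one clause in the comment so nobody "fixes" the call. Same implicit global `i` in callEveryOnArgs as in the direct test; use `let i`.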
Modified: branches/safari-606-branch/Source/_javascript_Core/ChangeLog (234094 => 234095)
--- branches/safari-606-branch/Source/_javascript_Core/ChangeLog 2018-07-23 07:09:50 UTC (rev 234094)
+++ branches/safari-606-branch/Source/_javascript_Core/ChangeLog 2018-07-23 07:09:54 UTC (rev 234095)
@@ -1,3 +1,62 @@
+2018-07-23 Babak Shafiei <[email protected]>
+
+ Cherry-pick r234075. rdar://problem/42451525
+
+ DFG AbstractInterpreter: CheckArray filters array modes for DirectArguments/ScopedArguments using only NonArray
+ https://bugs.webkit.org/show_bug.cgi?id=187827
+ rdar://problem/42146858
+
+ Reviewed by Saam Barati.
+
+ JSTests:
+
+ New regression tests.
+
+ * stress/direct-arguments-check-array.js: Added.
+ (setup.f2):
+ (setup):
+ (forOfArray):
+ (forOfArgs):
+ (callEveryOnArgs):
+ * stress/scoped-arguments-check-array.js: Added.
+ (setup.foo):
+ (setup.f2):
+ (setup):
+ (forOfArray):
+ (forOfArgs):
+ (callEveryOnArgs):
+
+ Source/_javascript_Core:
+
+ When filtering array modes for DirectArguments or ScopedArguments, we need to allow for the possibility
+ that they can either be NonArray or NonArrayWithArrayStorage (aka ArrayStorageShape).
+ We can't end up with other shapes, Int32, Double, etc because GenericArguments sets
+ InterceptsGetOwnPropertySlotByIndexEvenWhenLengthIsNotZero which will cause us to go down a
+ putByIndex() path that doesn't change the shape.
+
+ * dfg/DFGArrayMode.h:
+ (JSC::DFG::ArrayMode::arrayModesThatPassFiltering const):
+
+
+ git-svn-id: https://svn.webkit.org/repository/webkit/trunk@234075 268f45cc-cd09-0410-ab3c-d52691b4dbfc
+
+ 2018-07-20 Michael Saboff <[email protected]>
+
+ DFG AbstractInterpreter: CheckArray filters array modes for DirectArguments/ScopedArguments using only NonArray
+ https://bugs.webkit.org/show_bug.cgi?id=187827
+ rdar://problem/42146858
+
+ Reviewed by Saam Barati.
+
+ When filtering array modes for DirectArguments or ScopedArguments, we need to allow for the possibility
+ that they can either be NonArray or NonArrayWithArrayStorage (aka ArrayStorageShape).
+ We can't end up with other shapes, Int32, Double, etc because GenericArguments sets
+ InterceptsGetOwnPropertySlotByIndexEvenWhenLengthIsNotZero which will cause us to go down a
+ putByIndex() path that doesn't change the shape.
+
+ * dfg/DFGArrayMode.h:
+ (JSC::DFG::ArrayMode::arrayModesThatPassFiltering const):
+
2018-07-20 Babak Shafiei <[email protected]>
Cherry-pick r234022. rdar://problem/42417126
Modified: branches/safari-606-branch/Source/_javascript_Core/dfg/DFGArrayMode.h (234094 => 234095)
--- branches/safari-606-branch/Source/_javascript_Core/dfg/DFGArrayMode.h 2018-07-23 07:09:50 UTC (rev 234094)
+++ branches/safari-606-branch/Source/_javascript_Core/dfg/DFGArrayMode.h 2018-07-23 07:09:54 UTC (rev 234095)
@@ -442,6 +442,9 @@
return arrayModesWithIndexingShape(ArrayStorageShape);
case Array::SlowPutArrayStorage:
return arrayModesWithIndexingShapes(SlowPutArrayStorageShape, ArrayStorageShape);
+ case Array::DirectArguments:
+ case Array::ScopedArguments:
+ return arrayModesWithIndexingShapes(ArrayStorageShape, NonArray);
default:
return asArrayModes(NonArray);
}
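Review bot: the new `case Array::DirectArguments:` / `case Array::ScopedArguments:` arms carry none of the reasoning that justifies them, so a later reader sees `return arrayModesWithIndexingShapes(ArrayStorageShape, NonArray);` right above `default: return asArrayModes(NonArray);` and has to rediscover why these two types are the only ones allowed ArrayStorage in addition to NonArray. Lift the ChangeLog sentence into a comment above the cases: arguments objects can only be NonArray or NonArrayWithArrayStorage because GenericArguments sets InterceptsGetOwnPropertySlotByIndexEvenWhenLengthIsNotZero, which keeps putByIndex() off the Int32/Double/Contiguous transitions. Also confirm that passing `NonArray` where the other argument is an indexing shape is intentional rather than a mixed-kind call; if it relies on NonArray and the no-indexing shape having the same value, spell that out (or pass the shape constant) so the two arguments read as the same kind of thing.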