[webkit-changes] [234406] releases/WebKitGTK/webkit-2.20

[carlosgc]

Title: [234406] releases/WebKitGTK/webkit-2.20

Revision

234406

Author

carlo...@webkit.org

Date

2018-07-31 00:00:54 -0700 (Tue, 31 Jul 2018)

Log Message

Merge r231034 - In FTLLowerDFGToB3.cpp::compileCreateRest, always use a contiguous array as the indexing type when under isWatchingHavingABadTimeWatchpoint
https://bugs.webkit.org/show_bug.cgi?id=184773
<rdar://problem/37773612>

Reviewed by Filip Pizlo.

JSTests:

This bug requires a race between the thread doing FTL compilation and the main thread, but it triggers in 100% of cases (before the fix) on my machine
so I decided to add it to the stress tests nonetheless.

* stress/create-rest-while-having-a-bad-time.js: Added.
(f):
(g):
(h):

Source/_javascript_Core:

We were calling restParameterStructure(), which returns arrayStructureForIndexingTypeDuringAllocation(ArrayWithContiguous).
arrayStructureForIndexingTypeDuringAllocation uses m_arrayStructureForIndexingShapeDuringAllocation, which is set to SlowPutArrayStorage when we are 'having a bad time'.
This is problematic, because the structure is then passed to allocateUninitializedContiguousJSArray, which ASSERTs that the indexing type is contiguous (or int32).
We solve the problem by using originalArrayStructureForIndexingType which always returns a structure with the right indexing type (contiguous), even if we are having a bad time.
This is safe, as we are under isWatchingHavingABadTimeWatchpoint, so if we have a bad time, the code we generate will never be installed.

* ftl/FTLLowerDFGToB3.cpp:
(JSC::FTL::DFG::LowerDFGToB3::compileCreateRest):

Modified Paths

• releases/WebKitGTK/webkit-2.20/JSTests/ChangeLog
• releases/WebKitGTK/webkit-2.20/Source/_javascript_Core/ChangeLog
• releases/WebKitGTK/webkit-2.20/Source/_javascript_Core/ftl/FTLLowerDFGToB3.cpp
• releases/WebKitGTK/webkit-2.20/Source/_javascript_Core/runtime/JSGlobalObject.h

Added Paths

• releases/WebKitGTK/webkit-2.20/JSTests/stress/create-rest-while-having-a-bad-time.js

Diff

Modified: releases/WebKitGTK/webkit-2.20/JSTests/ChangeLog (234405 => 234406)

--- releases/WebKitGTK/webkit-2.20/JSTests/ChangeLog	2018-07-31 07:00:47 UTC (rev 234405)
+++ releases/WebKitGTK/webkit-2.20/JSTests/ChangeLog	2018-07-31 07:00:54 UTC (rev 234406)
@@ -1,3 +1,19 @@
+2018-04-25  Robin Morisset  <rmoris...@apple.com>
+
+        In FTLLowerDFGToB3.cpp::compileCreateRest, always use a contiguous array as the indexing type when under isWatchingHavingABadTimeWatchpoint
+        https://bugs.webkit.org/show_bug.cgi?id=184773
+        <rdar://problem/37773612>
+
+        Reviewed by Filip Pizlo.
+
+        This bug requires a race between the thread doing FTL compilation and the main thread, but it triggers in 100% of cases (before the fix) on my machine
+        so I decided to add it to the stress tests nonetheless.
+
+        * stress/create-rest-while-having-a-bad-time.js: Added.
+        (f):
+        (g):
+        (h):
+
 2018-04-24  Mark Lam  <mark....@apple.com>
 
         Gardening: test fix after r230863.

Added: releases/WebKitGTK/webkit-2.20/JSTests/stress/create-rest-while-having-a-bad-time.js (0 => 234406)

--- releases/WebKitGTK/webkit-2.20/JSTests/stress/create-rest-while-having-a-bad-time.js	                        (rev 0)
+++ releases/WebKitGTK/webkit-2.20/JSTests/stress/create-rest-while-having-a-bad-time.js	2018-07-31 07:00:54 UTC (rev 234406)
@@ -0,0 +1,16 @@
+"use strict";
+function f(...v) {
+  return g(v);
+}
+function g() {
+  return h();
+}
+function h() {
+}
+
+for (let i = 0; i < 10000; ++i) {
+  f(0);
+  f(0, 0);
+}
+
+Object.defineProperty(Array.prototype, "42", {});

Modified: releases/WebKitGTK/webkit-2.20/Source/_javascript_Core/ChangeLog (234405 => 234406)

--- releases/WebKitGTK/webkit-2.20/Source/_javascript_Core/ChangeLog	2018-07-31 07:00:47 UTC (rev 234405)
+++ releases/WebKitGTK/webkit-2.20/Source/_javascript_Core/ChangeLog	2018-07-31 07:00:54 UTC (rev 234406)
@@ -1,3 +1,20 @@
+2018-04-25  Robin Morisset  <rmoris...@apple.com>
+
+        In FTLLowerDFGToB3.cpp::compileCreateRest, always use a contiguous array as the indexing type when under isWatchingHavingABadTimeWatchpoint
+        https://bugs.webkit.org/show_bug.cgi?id=184773
+        <rdar://problem/37773612>
+
+        Reviewed by Filip Pizlo.
+
+        We were calling restParameterStructure(), which returns arrayStructureForIndexingTypeDuringAllocation(ArrayWithContiguous).
+        arrayStructureForIndexingTypeDuringAllocation uses m_arrayStructureForIndexingShapeDuringAllocation, which is set to SlowPutArrayStorage when we are 'having a bad time'.
+        This is problematic, because the structure is then passed to allocateUninitializedContiguousJSArray, which ASSERTs that the indexing type is contiguous (or int32).
+        We solve the problem by using originalArrayStructureForIndexingType which always returns a structure with the right indexing type (contiguous), even if we are having a bad time.
+        This is safe, as we are under isWatchingHavingABadTimeWatchpoint, so if we have a bad time, the code we generate will never be installed.
+
+        * ftl/FTLLowerDFGToB3.cpp:
+        (JSC::FTL::DFG::LowerDFGToB3::compileCreateRest):
+
 2018-04-17  JF Bastien  <jfbast...@apple.com>
 
         A put is not an ExistingProperty put when we transition a structure because of an attributes change

Modified: releases/WebKitGTK/webkit-2.20/Source/_javascript_Core/ftl/FTLLowerDFGToB3.cpp (234405 => 234406)

--- releases/WebKitGTK/webkit-2.20/Source/_javascript_Core/ftl/FTLLowerDFGToB3.cpp	2018-07-31 07:00:47 UTC (rev 234405)
+++ releases/WebKitGTK/webkit-2.20/Source/_javascript_Core/ftl/FTLLowerDFGToB3.cpp	2018-07-31 07:00:54 UTC (rev 234406)
@@ -5274,7 +5274,7 @@
             LValue arrayLength = lowInt32(m_node->child1());
             LBasicBlock loopStart = m_out.newBlock();
             JSGlobalObject* globalObject = m_graph.globalObjectFor(m_node->origin.semantic);
-            RegisteredStructure structure = m_graph.registerStructure(globalObject->restParameterStructure());
+            RegisteredStructure structure = m_graph.registerStructure(globalObject->originalRestParameterStructure());
             ArrayValues arrayValues = allocateUninitializedContiguousJSArray(arrayLength, structure);
             LValue array = arrayValues.array;
             LValue butterfly = arrayValues.butterfly;

Modified: releases/WebKitGTK/webkit-2.20/Source/_javascript_Core/runtime/JSGlobalObject.h (234405 => 234406)

--- releases/WebKitGTK/webkit-2.20/Source/_javascript_Core/runtime/JSGlobalObject.h	2018-07-31 07:00:47 UTC (rev 234405)
+++ releases/WebKitGTK/webkit-2.20/Source/_javascript_Core/runtime/JSGlobalObject.h	2018-07-31 07:00:54 UTC (rev 234406)
@@ -667,6 +667,7 @@
     Structure* proxyRevokeStructure() const { return m_proxyRevokeStructure.get(); }
     Structure* moduleLoaderStructure() const { return m_moduleLoaderStructure.get(); }
     Structure* restParameterStructure() const { return arrayStructureForIndexingTypeDuringAllocation(ArrayWithContiguous); }
+    Structure* originalRestParameterStructure() const { return originalArrayStructureForIndexingType(ArrayWithContiguous); }
 #if ENABLE(WEBASSEMBLY)
     Structure* webAssemblyModuleRecordStructure() const { return m_webAssemblyModuleRecordStructure.get(); }
     Structure* webAssemblyFunctionStructure() const { return m_webAssemblyFunctionStructure.get(); }

_______________________________________________
webkit-changes mailing list
webkit-changes@lists.webkit.org
https://lists.webkit.org/mailman/listinfo/webkit-changes