Title: [234407] releases/WebKitGTK/webkit-2.20
Revision
234407
Author
[email protected]
Date
2018-07-31 00:01:00 -0700 (Tue, 31 Jul 2018)

Log Message

Merge r231145 - We don't model regexp effects properly
https://bugs.webkit.org/show_bug.cgi?id=185059
<rdar://problem/39736150>

Reviewed by Filip Pizlo.

JSTests:

* stress/regexp-exec-test-effectful-last-index.js: Added.
(assert):
(foo):
(i.regexLastIndex.toString):
(bar):

Source/_javascript_Core:

RegExp exec/test can have arbitrary side effects when ToNumber is applied to lastIndex if
the regexp is global.

* dfg/DFGAbstractInterpreterInlines.h:
(JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
* dfg/DFGClobberize.h:
(JSC::DFG::clobberize):


Modified: releases/WebKitGTK/webkit-2.20/JSTests/ChangeLog (234406 => 234407)


--- releases/WebKitGTK/webkit-2.20/JSTests/ChangeLog	2018-07-31 07:00:54 UTC (rev 234406)
+++ releases/WebKitGTK/webkit-2.20/JSTests/ChangeLog	2018-07-31 07:01:00 UTC (rev 234407)
@@ -1,3 +1,17 @@
+2018-04-28  Saam Barati  <[email protected]>
+
+        We don't model regexp effects properly
+        https://bugs.webkit.org/show_bug.cgi?id=185059
+        <rdar://problem/39736150>
+
+        Reviewed by Filip Pizlo.
+
+        * stress/regexp-exec-test-effectful-last-index.js: Added.
+        (assert):
+        (foo):
+        (i.regexLastIndex.toString):
+        (bar):
+
 2018-04-25  Robin Morisset  <[email protected]>
 
         In FTLLowerDFGToB3.cpp::compileCreateRest, always use a contiguous array as the indexing type when under isWatchingHavingABadTimeWatchpoint

Added: releases/WebKitGTK/webkit-2.20/JSTests/stress/regexp-exec-test-effectful-last-index.js (0 => 234407)


--- releases/WebKitGTK/webkit-2.20/JSTests/stress/regexp-exec-test-effectful-last-index.js	                        (rev 0)
+++ releases/WebKitGTK/webkit-2.20/JSTests/stress/regexp-exec-test-effectful-last-index.js	2018-07-31 07:01:00 UTC (rev 234407)
@@ -0,0 +1,50 @@
+function assert(b) {
+    if (!b)
+        throw new Error;
+}
+
+let outer = 42;
+
+function foo(r, s) {
+    let y = outer;
+    r.test(s);
+    return y + outer;
+}
+noInline(foo);
+
+for (let i = 0; i < 10000; ++i) {
+    let r = /foo/g;
+    regexLastIndex = {};
+    regexLastIndex.toString = function() {
+        outer = 1;
+        return "1";
+    };
+
+    r.lastIndex = regexLastIndex;
+    let result = foo(r, "bar");
+    assert(result === 43);
+
+    outer = 42;
+}
+
+function bar(r, s) {
+    let y = outer;
+    r.exec(s);
+    return y + outer;
+}
+noInline(bar);
+
+for (let i = 0; i < 10000; ++i) {
+    let r = /foo/g;
+    regexLastIndex = {};
+    regexLastIndex.toString = function() {
+        outer = 1;
+        return "1";
+    };
+
+    r.lastIndex = regexLastIndex;
+    let result = bar(r, "bar");
+    assert(result === 43);
+
+    outer = 42;
+}
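Review bot: Only the global flag is exercised — both loops construct `/foo/g` — yet the engine's own node naming in the DFG diff below (`RegExpExecNonGlobalOrSticky`) treats sticky like global for lastIndex purposes, so a `/foo/y` variant of each loop would pin that path as well. `regexLastIndex` is assigned without a declaration in both loops and therefore becomes an implicit global; `let regexLastIndex = { toString() { outer = 1; return "1"; } };` inside the loop body keeps it local. The two global-flag cases as written do drive the `lastIndex.toString` side effect the fix is about, so these are coverage and style points rather than defects.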

Modified: releases/WebKitGTK/webkit-2.20/Source/_javascript_Core/ChangeLog (234406 => 234407)


--- releases/WebKitGTK/webkit-2.20/Source/_javascript_Core/ChangeLog	2018-07-31 07:00:54 UTC (rev 234406)
+++ releases/WebKitGTK/webkit-2.20/Source/_javascript_Core/ChangeLog	2018-07-31 07:01:00 UTC (rev 234407)
@@ -1,3 +1,19 @@
+2018-04-28  Saam Barati  <[email protected]>
+
+        We don't model regexp effects properly
+        https://bugs.webkit.org/show_bug.cgi?id=185059
+        <rdar://problem/39736150>
+
+        Reviewed by Filip Pizlo.
+
+        RegExp exec/test can do arbitrary effects when toNumbering the lastIndex if
+        the regexp is global.
+
+        * dfg/DFGAbstractInterpreterInlines.h:
+        (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
+        * dfg/DFGClobberize.h:
+        (JSC::DFG::clobberize):
+
 2018-04-25  Robin Morisset  <[email protected]>
 
         In FTLLowerDFGToB3.cpp::compileCreateRest, always use a contiguous array as the indexing type when under isWatchingHavingABadTimeWatchpoint

Modified: releases/WebKitGTK/webkit-2.20/Source/_javascript_Core/dfg/DFGAbstractInterpreterInlines.h (234406 => 234407)


--- releases/WebKitGTK/webkit-2.20/Source/_javascript_Core/dfg/DFGAbstractInterpreterInlines.h	2018-07-31 07:00:54 UTC (rev 234406)
+++ releases/WebKitGTK/webkit-2.20/Source/_javascript_Core/dfg/DFGAbstractInterpreterInlines.h	2018-07-31 07:01:00 UTC (rev 234407)
@@ -1967,11 +1967,9 @@
     case RegExpExec:
     case RegExpExecNonGlobalOrSticky:
         if (node->op() == RegExpExec) {
-            if (node->child2().useKind() == RegExpObjectUse
-                && node->child3().useKind() == StringUse) {
-                // This doesn't clobber the world since there are no conversions to perform.
-            } else
-                clobberWorld(node->origin.semantic, clobberLimit);
+            // Even if we've proven known input types as RegExpObject and String,
+            // accessing lastIndex is effectful if it's a global regexp.
+            clobberWorld(node->origin.semantic, clobberLimit);
         }
 
         if (JSValue globalObjectValue = forNode(node->child1()).m_value) {
@@ -1991,11 +1989,9 @@
         break;
 
     case RegExpTest:
-        if (node->child2().useKind() == RegExpObjectUse
-            && node->child3().useKind() == StringUse) {
-            // This doesn't clobber the world since there are no conversions to perform.
-        } else
-            clobberWorld(node->origin.semantic, clobberLimit);
+        // Even if we've proven known input types as RegExpObject and String,
+        // accessing lastIndex is effectful if it's a global regexp.
+        clobberWorld(node->origin.semantic, clobberLimit);
         forNode(node).setType(SpecBoolean);
         break;
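Review bot: The new comment on the RegExpTest case says lastIndex access is effectful "if it's a global regexp", but the sibling node `RegExpExecNonGlobalOrSticky` (the case label in the hunk above) indicates sticky regexps also take the lastIndex-reading path, so the comment understates the condition; `// accessing lastIndex is effectful if it's a global or sticky regexp.` would match the node naming. The code itself is now unconditional, so only the comment is too narrow. The same wording appears in the RegExpExec hunk above and in the DFGClobberize.h hunk.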
 

Modified: releases/WebKitGTK/webkit-2.20/Source/_javascript_Core/dfg/DFGClobberize.h (234406 => 234407)


--- releases/WebKitGTK/webkit-2.20/Source/_javascript_Core/dfg/DFGClobberize.h	2018-07-31 07:00:54 UTC (rev 234406)
+++ releases/WebKitGTK/webkit-2.20/Source/_javascript_Core/dfg/DFGClobberize.h	2018-07-31 07:01:00 UTC (rev 234407)
@@ -1488,19 +1488,19 @@
 
     case RegExpExec:
     case RegExpTest:
-    case RegExpMatchFast:
-        if (node->child2().useKind() == RegExpObjectUse
-            && node->child3().useKind() == StringUse) {
-            read(RegExpState);
-            read(RegExpObject_lastIndex);
-            write(RegExpState);
-            write(RegExpObject_lastIndex);
-            return;
-        }
+        // Even if we've proven known input types as RegExpObject and String,
+        // accessing lastIndex is effectful if it's a global regexp.
         read(World);
         write(Heap);
         return;
 
+    case RegExpMatchFast:
+        read(RegExpState);
+        read(RegExpObject_lastIndex);
+        write(RegExpState);
+        write(RegExpObject_lastIndex);
+        return;
+
     case RegExpExecNonGlobalOrSticky:
         read(RegExpState);
         write(RegExpState);
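Review bot: RegExpMatchFast keeps the narrow `RegExpState`/`RegExpObject_lastIndex` read/write set, and now does so unconditionally rather than only when child2/child3 use kinds were proven, which is a widening of the fast-path claim that the ChangeLog does not mention. If fixup always assigns `RegExpObjectUse`/`StringUse` to those children the behaviour is unchanged, but that invariant is not visible in this diff, and nothing here records why RegExpMatchFast is exempt from the lastIndex-conversion concern that just forced RegExpExec/RegExpTest to `read(World)`; a one-line comment above the case stating that reason would make the asymmetry auditable, since an under-approximated effect set in clobberize is exactly what lets a user callback invalidate facts later nodes still rely on. The comment above `read(World)` should also say `global or sticky`, consistent with `RegExpExecNonGlobalOrSticky` directly below.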