Title: [245349] branches/safari-607-branch
Revision: 245349
Author: [email protected]
Date: 2019-05-15 14:44:46 -0700 (Wed, 15 May 2019)

Log Message

Cherry-pick r244314. rdar://problem/50753930

    SafeToExecute for GetByOffset/GetGetterByOffset/PutByOffset is using the wrong child for the base
    https://bugs.webkit.org/show_bug.cgi?id=196945
    <rdar://problem/49802750>

    Reviewed by Filip Pizlo.

    JSTests:

    * stress/get-by-offset-should-use-correct-child.js: Added.
    (foo.bar):
    (foo):

    Source/JavaScriptCore:

    * dfg/DFGSafeToExecute.h:
    (JSC::DFG::safeToExecute):

    git-svn-id: https://svn.webkit.org/repository/webkit/trunk@244314 268f45cc-cd09-0410-ab3c-d52691b4dbfc

Diff

Modified: branches/safari-607-branch/JSTests/ChangeLog (245348 => 245349)


--- branches/safari-607-branch/JSTests/ChangeLog	2019-05-15 21:44:43 UTC (rev 245348)
+++ branches/safari-607-branch/JSTests/ChangeLog	2019-05-15 21:44:46 UTC (rev 245349)
@@ -1,5 +1,41 @@
 2019-05-14  Kocsen Chung  <[email protected]>
 
+        Cherry-pick r244314. rdar://problem/50753930
+
+    SafeToExecute for GetByOffset/GetGetterByOffset/PutByOffset is using the wrong child for the base
+    https://bugs.webkit.org/show_bug.cgi?id=196945
+    <rdar://problem/49802750>
+    
+    Reviewed by Filip Pizlo.
+    
+    JSTests:
+    
+    * stress/get-by-offset-should-use-correct-child.js: Added.
+    (foo.bar):
+    (foo):
+    
+    Source/_javascript_Core:
+    
+    * dfg/DFGSafeToExecute.h:
+    (JSC::DFG::safeToExecute):
+    
+    
+    git-svn-id: https://svn.webkit.org/repository/webkit/trunk@244314 268f45cc-cd09-0410-ab3c-d52691b4dbfc
+
+    2019-04-15  Saam barati  <[email protected]>
+
+            SafeToExecute for GetByOffset/GetGetterByOffset/PutByOffset is using the wrong child for the base
+            https://bugs.webkit.org/show_bug.cgi?id=196945
+            <rdar://problem/49802750>
+
+            Reviewed by Filip Pizlo.
+
+            * stress/get-by-offset-should-use-correct-child.js: Added.
+            (foo.bar):
+            (foo):
+
+2019-05-14  Kocsen Chung  <[email protected]>
+
         Cherry-pick r243948. rdar://problem/50753934
 
     SIGSEGV in JSC::BytecodeGenerator::addStringConstant
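
Review bot: In the added JSTests entry the full cherry-pick message is pasted verbatim, so this ChangeLog carries the `Source/_javascript_Core:` / `* dfg/DFGSafeToExecute.h:` section, which names no file under JSTests, and then repeats the title, bug link and reviewer a second time in the nested 2019-04-15 entry. The indentation is also mixed: the `Cherry-pick r244314` line is indented eight spaces, the body below it four, and the nested entry's body twelve. Suggest keeping only the JSTests file list under the cherry-pick line and aligning the body with it.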

Added: branches/safari-607-branch/JSTests/stress/get-by-offset-should-use-correct-child.js (0 => 245349)


--- branches/safari-607-branch/JSTests/stress/get-by-offset-should-use-correct-child.js	                        (rev 0)
+++ branches/safari-607-branch/JSTests/stress/get-by-offset-should-use-correct-child.js	2019-05-15 21:44:46 UTC (rev 245349)
@@ -0,0 +1,25 @@
+function foo(x) {
+    for (let i = 0; i < 400; i++) {
+        for (let j = 0; j < 2; j++) {
+            for (const k of arguments) {
+            }
+            arguments.length = 0;
+            const q = {
+                z: 0
+            };
+            function bar() {
+                q;
+            }
+            for (let w = 0; w < 300; w++) {
+            }
+        }
+
+        with ({}) {
+        }
+
+        +{};
+    }
+}
+
+foo(0);
+foo(0);
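
Review bot: The test ends at the two `foo(0);` calls with no assertion and no comment, so it can only fail by crashing or tripping an engine assertion, and nothing in the file ties its shape to the bug. Suggest a short header comment naming bug 196945 and stating that the test passes if it runs to completion, plus a note on which constructs are load-bearing (the `for (const k of arguments)` loop, `arguments.length = 0`, the closure over `q`, the empty `with ({})`), since the loop bounds 400 and 300 and the empty bodies look like candidates for cleanup to a later reader.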

Modified: branches/safari-607-branch/Source/JavaScriptCore/ChangeLog (245348 => 245349)


--- branches/safari-607-branch/Source/_javascript_Core/ChangeLog	2019-05-15 21:44:43 UTC (rev 245348)
+++ branches/safari-607-branch/Source/_javascript_Core/ChangeLog	2019-05-15 21:44:46 UTC (rev 245349)
@@ -1,5 +1,40 @@
 2019-05-14  Kocsen Chung  <[email protected]>
 
+        Cherry-pick r244314. rdar://problem/50753930
+
+    SafeToExecute for GetByOffset/GetGetterByOffset/PutByOffset is using the wrong child for the base
+    https://bugs.webkit.org/show_bug.cgi?id=196945
+    <rdar://problem/49802750>
+    
+    Reviewed by Filip Pizlo.
+    
+    JSTests:
+    
+    * stress/get-by-offset-should-use-correct-child.js: Added.
+    (foo.bar):
+    (foo):
+    
+    Source/_javascript_Core:
+    
+    * dfg/DFGSafeToExecute.h:
+    (JSC::DFG::safeToExecute):
+    
+    
+    git-svn-id: https://svn.webkit.org/repository/webkit/trunk@244314 268f45cc-cd09-0410-ab3c-d52691b4dbfc
+
+    2019-04-15  Saam barati  <[email protected]>
+
+            SafeToExecute for GetByOffset/GetGetterByOffset/PutByOffset is using the wrong child for the base
+            https://bugs.webkit.org/show_bug.cgi?id=196945
+            <rdar://problem/49802750>
+
+            Reviewed by Filip Pizlo.
+
+            * dfg/DFGSafeToExecute.h:
+            (JSC::DFG::safeToExecute):
+
+2019-05-14  Kocsen Chung  <[email protected]>
+
         Cherry-pick r243948. rdar://problem/50753934
 
     SIGSEGV in JSC::BytecodeGenerator::addStringConstant
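
Review bot: Neither the cherry-pick text nor the nested 2019-04-15 entry says which child holds the base for these nodes or what goes wrong when the other one is consulted; the entry stops at the title and the `(JSC::DFG::safeToExecute):` line. Suggest one sentence under that line stating that the base is child2 and that safeToExecute was reading child1 instead, so the reason for the branch pick is recoverable from the ChangeLog without opening bug 196945.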

Modified: branches/safari-607-branch/Source/JavaScriptCore/dfg/DFGSafeToExecute.h (245348 => 245349)


--- branches/safari-607-branch/Source/_javascript_Core/dfg/DFGSafeToExecute.h	2019-05-15 21:44:43 UTC (rev 245348)
+++ branches/safari-607-branch/Source/_javascript_Core/dfg/DFGSafeToExecute.h	2019-05-15 21:44:46 UTC (rev 245349)
@@ -543,13 +543,13 @@
         // know anything about inferred types. But if we have a proof derived from watching a
         // structure that has a type proof, then the next case below will deal with it.
         if (state.structureClobberState() == StructuresAreWatched) {
-            if (JSObject* knownBase = node->child1()->dynamicCastConstant<JSObject*>(graph.m_vm)) {
+            if (JSObject* knownBase = node->child2()->dynamicCastConstant<JSObject*>(graph.m_vm)) {
                 if (graph.isSafeToLoad(knownBase, offset))
                     return true;
             }
         }
         
-        StructureAbstractValue& value = state.forNode(node->child1()).m_structure;
+        StructureAbstractValue& value = state.forNode(node->child2()).m_structure;
         if (value.isInfinite())
             return false;
         for (unsigned i = value.size(); i--;) {
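
Review bot: The base is now selected by two separate `node->child2()` calls, one in the `StructuresAreWatched` branch and one in the `state.forNode(...)` lookup, with no comment saying why child2 rather than child1 is the base here. Since the bug was this index being wrong in both places, suggest binding the base edge to a single named local before the `if` and using it in both lookups, with a one-line comment on what child1 holds for these nodes, so the two sites cannot diverge again. It would also be worth confirming that other code handling the same node kinds indexes the base the same way; this hunk only covers safeToExecute.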