Title: [248271] trunk
Revision
248271
Author
msab...@apple.com
Date
2019-08-05 13:02:51 -0700 (Mon, 05 Aug 2019)

Log Message

JSC: assertion failure in SpeculativeJIT::compileGetByValOnIntTypedArray
https://bugs.webkit.org/show_bug.cgi?id=199997

Reviewed by Saam Barati.

JSTests:

New test.

* stress/typedarray-no-alreadyChecked-assert.js: Added.
(checkIntArray):
(checkFloatArray):

Source/_javascript_Core:

No need to ASSERT(node->arrayMode().alreadyChecked(...)) in SpeculativeJIT::compileGetByValOnIntTypedArray()
and compileGetByValOnFloatTypedArray() as the abstract interpreter is conservative and can insert a
CheckStructureOrEmpty which will fail the ASSERT as it checks for the SpecType of the array
and not for SpecEmpty.  If we added a check for the SpecEmpty in the ASSERT, there are cases where
it won't be set.

* dfg/DFGSpeculativeJIT.cpp:
(JSC::DFG::SpeculativeJIT::compileGetByValOnIntTypedArray):
(JSC::DFG::SpeculativeJIT::compileGetByValOnFloatTypedArray):

Diff

Modified: trunk/JSTests/ChangeLog (248270 => 248271)


--- trunk/JSTests/ChangeLog	2019-08-05 16:42:24 UTC (rev 248270)
+++ trunk/JSTests/ChangeLog	2019-08-05 20:02:51 UTC (rev 248271)
@@ -1,3 +1,16 @@
+2019-08-05  Michael Saboff  <msab...@apple.com>
+
+        JSC: assertion failure in SpeculativeJIT::compileGetByValOnIntTypedArray
+        https://bugs.webkit.org/show_bug.cgi?id=199997
+
+        Reviewed by Saam Barati.
+
+        New test.
+
+        * stress/typedarray-no-alreadyChecked-assert.js: Added.
+        (checkIntArray):
+        (checkFloatArray):
+
 2019-08-02  Yusuke Suzuki  <ysuz...@apple.com>
 
         [JSC] Support WebAssembly in SamplingProfiler

Added: trunk/JSTests/stress/typedarray-no-alreadyChecked-assert.js (0 => 248271)


--- trunk/JSTests/stress/typedarray-no-alreadyChecked-assert.js	                        (rev 0)
+++ trunk/JSTests/stress/typedarray-no-alreadyChecked-assert.js	2019-08-05 20:02:51 UTC (rev 248271)
@@ -0,0 +1,26 @@
+// This test should not cause an ASSERT in Debug builds.
+
+function checkIntArray(arr) {
+    let x = arr;
+    arr instanceof Uint32Array;
+    arr[65537];
+    x[0];
+}
+
+function checkFloatArray(arr) {
+    let x = arr;
+    arr instanceof Float64Array;
+    arr[65537];
+    x[0];
+}
+
+
+var intArray = new Uint32Array(1024);
+for (let i = 0; i < 10000; i++)
+    checkIntArray(intArray);
+
+var floatArray = new Float64Array(1024);
+for (let i = 0; i < 10000; i++)
+    checkFloatArray(floatArray);
+
+
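Review bot: the test body needs a comment saying which statements matter, because `arr instanceof Uint32Array;`, `arr[65537];` and `x[0];` are all effect-free expression statements that a later cleanup could reasonably treat as dead code and remove. The header only states that the test should not ASSERT in Debug builds; a line such as `// The instanceof check and the out-of-bounds read (index 65537 on a 1024-element array) are what reproduce bug 199997` would tie each statement to its purpose and protect the regression test. Also, the file ends with two blank lines where one trailing newline is enough.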

Modified: trunk/Source/_javascript_Core/ChangeLog (248270 => 248271)


--- trunk/Source/_javascript_Core/ChangeLog	2019-08-05 16:42:24 UTC (rev 248270)
+++ trunk/Source/_javascript_Core/ChangeLog	2019-08-05 20:02:51 UTC (rev 248271)
@@ -1,3 +1,20 @@
+2019-08-05  Michael Saboff  <msab...@apple.com>
+
+        JSC: assertion failure in SpeculativeJIT::compileGetByValOnIntTypedArray
+        https://bugs.webkit.org/show_bug.cgi?id=199997
+
+        Reviewed by Saam Barati.
+
+        No need to ASSERT(node->arrayMode().alreadyChecked(...)) in SpeculativeJIT::compileGetByValOnIntTypedArray()
+        and compileGetByValOnFloatTypedArray() as the abstract interpreter is conservative and can insert a
+        CheckStructureOrEmpty which will fail the ASSERT as it checks for the SpecType of the array
+        and not for SpecEmpty.  If we added a check for the SpecEmpty in the ASSERT, there are cases where
+        it won't be set.
+
+        * dfg/DFGSpeculativeJIT.cpp:
+        (JSC::DFG::SpeculativeJIT::compileGetByValOnIntTypedArray):
+        (JSC::DFG::SpeculativeJIT::compileGetByValOnFloatTypedArray):
+
 2019-08-03  Devin Rousso  <drou...@apple.com>
 
         Web Inspector: DOM: add a special breakpoint for "All Events"

Modified: trunk/Source/_javascript_Core/dfg/DFGSpeculativeJIT.cpp (248270 => 248271)


--- trunk/Source/_javascript_Core/dfg/DFGSpeculativeJIT.cpp	2019-08-05 16:42:24 UTC (rev 248270)
+++ trunk/Source/_javascript_Core/dfg/DFGSpeculativeJIT.cpp	2019-08-05 20:02:51 UTC (rev 248271)
@@ -2963,8 +2963,6 @@
     GPRTemporary result(this);
     GPRReg resultReg = result.gpr();
 
-    ASSERT(node->arrayMode().alreadyChecked(m_jit.graph(), node, m_state.forNode(m_graph.varArgChild(node, 0))));
-
     emitTypedArrayBoundsCheck(node, baseReg, propertyReg);
     loadFromIntTypedArray(storageReg, propertyReg, resultReg, type);
     bool canSpeculate = true;
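Review bot: deleting the ASSERT leaves no record at this site of why `alreadyChecked()` is not expected to hold, so the reasoning survives only in the ChangeLog and someone may later re-add the assertion. Suggest replacing the removed line with a short comment, e.g. `// No alreadyChecked() ASSERT here: the abstract interpreter may insert CheckStructureOrEmpty, which satisfies the structure check but not SpecEmpty.` Runtime behaviour is unchanged, since `emitTypedArrayBoundsCheck(node, baseReg, propertyReg)` and `loadFromIntTypedArray(...)` still follow.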
@@ -3193,8 +3191,6 @@
     GPRReg propertyReg = property.gpr();
     GPRReg storageReg = storage.gpr();
 
-    ASSERT(node->arrayMode().alreadyChecked(m_jit.graph(), node, m_state.forNode(m_graph.varArgChild(node, 0))));
-
     FPRTemporary result(this);
     FPRReg resultReg = result.fpr();
     emitTypedArrayBoundsCheck(node, baseReg, propertyReg);
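Review bot: this is the same deletion as in compileGetByValOnIntTypedArray, so the two sites now share an undocumented invariant about the array mode; rather than relying on the ChangeLog, either document it once near one site and reference it from the other, or factor the shared preamble into a helper both functions call. The change only affects Debug builds, as the bounds check `emitTypedArrayBoundsCheck(node, baseReg, propertyReg)` is still emitted before the load.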
_______________________________________________
webkit-changes mailing list
webkit-changes@lists.webkit.org
https://lists.webkit.org/mailman/listinfo/webkit-changes