Title: [249317] trunk
Revision
249317
Author
ysuz...@apple.com
Date
2019-08-30 01:13:15 -0700 (Fri, 30 Aug 2019)

Log Message

[JSC] DFG inlining CheckBadCell slow path does not assume result VirtualRegister can be invalid
https://bugs.webkit.org/show_bug.cgi?id=201332

Reviewed by Mark Lam.

JSTests:

This test is very flaky; it is hard to reproduce.

* stress/setter-inlining-resulting-bad-cell-result-virtual-register-should-be-invalid.js: Added.
(code):

Source/_javascript_Core:

When inlining setter calls in DFG, the result VirtualRegister becomes an invalid one. While other call-related DFG code correctly assumes
that `result` may be invalid, only the CheckBadCell slow path missed this case. Since this is an OSR exit path and the VirtualRegister result
does not exist, set BottomValue only when "result" is valid, as the other DFG code is doing.

* dfg/DFGByteCodeParser.cpp:
(JSC::DFG::ByteCodeParser::handleInlining):
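The reason a setter call has no result VirtualRegister is visible from plain JavaScript semantics: the value of `o.f = v` is `v`, whatever the setter returns, and when the setter throws no value is produced at all. The following is an added example, not code from the WebKit commit or the JSTests file above; it mirrors the shape of the regression test (alternating object shapes, then a throwing setter) and reports counts so the behaviour can be checked in any engine. The names `makeReceiver`, `assignAndObserve` and `runScenario` are this example's own.

```javascript
"use strict";

// Build an object whose `f` accessor records each call and returns a value
// the engine must ignore: a setter's return value never reaches the caller.
function makeReceiver(log) {
  const o = {};
  Object.defineProperty(o, "f", {
    set(value) {
      log.push(value);
      this._f = value;
      return "ignored"; // discarded: assignment yields the right-hand side
    },
    configurable: true,
  });
  return o;
}

// Same shape as the test's foo(): observe the assignment expression's own
// value, which is the RHS, not the setter's return value.
function assignAndObserve(o, value) {
  try {
    const observed = (o.f = value);
    return { observed, threw: false };
  } catch (e) {
    return { observed: undefined, threw: true, message: e.message };
  }
}

// Warm-up modelled on the test: alternate structures so a JIT sees
// polymorphic receivers, then hit a setter that throws.
function runScenario(iterations = 81) {
  const log = [];
  for (let i = 0; i < iterations; ++i) {
    const o = makeReceiver(log);
    if (i & 1) o["i" + i] = {}; // vary the structure on odd iterations
    const r = assignAndObserve(o, null);
    if (r.observed !== null || r.threw) throw new Error("unexpected result at " + i);
  }
  const bad = {};
  Object.defineProperty(bad, "f", { set() { throw new Error("bad setter"); } });
  const r = assignAndObserve(bad, null);
  return { setterCalls: log.length, lastThrew: r.threw, lastMessage: r.message };
}

if (typeof require !== "undefined" && require.main === module) {
  console.log(runScenario());
}
```

Run under node or jsc with `runScenario()`; the assignment's observed value is always the RHS, and the throwing setter surfaces only as an exception, which is why the inlined call site has no result register for the slow path to write.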

Diff

Modified: trunk/JSTests/ChangeLog (249316 => 249317)


--- trunk/JSTests/ChangeLog	2019-08-30 07:50:14 UTC (rev 249316)
+++ trunk/JSTests/ChangeLog	2019-08-30 08:13:15 UTC (rev 249317)
@@ -1,3 +1,15 @@
+2019-08-30  Yusuke Suzuki  <ysuz...@apple.com>
+
+        [JSC] DFG inlining CheckBadCell slow path does not assume result VirtualRegister can be invalid
+        https://bugs.webkit.org/show_bug.cgi?id=201332
+
+        Reviewed by Mark Lam.
+
+        This test is very flaky, it is hard to reproduce.
+
+        * stress/setter-inlining-resulting-bad-cell-result-virtual-register-should-be-invalid.js: Added.
+        (code):
+
 2019-08-29  Yusuke Suzuki  <ysuz...@apple.com>
 
         [JSC] Repatch should construct CallCases and CasesValue at the same time
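Review bot: the new JSTests/ChangeLog entry says only "This test is very flaky, it is hard to reproduce" and never states what the test reproduces; add a line such as "Reproduces a DFG setter-inlining CheckBadCell slow path writing to an invalid result VirtualRegister" so the entry is useful without opening bug 201332.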

Added: trunk/JSTests/stress/setter-inlining-resulting-bad-cell-result-virtual-register-should-be-invalid.js (0 => 249317)


--- trunk/JSTests/stress/setter-inlining-resulting-bad-cell-result-virtual-register-should-be-invalid.js	                        (rev 0)
+++ trunk/JSTests/stress/setter-inlining-resulting-bad-cell-result-virtual-register-should-be-invalid.js	2019-08-30 08:13:15 UTC (rev 249317)
@@ -0,0 +1,34 @@
+//@ slow!
+//@ runDefault("--usePolymorphicCallInliningForNonStubStatus=1", "--jitPolicyScale=0")
+
+var code = `
+function foo(o, p) {
+    try {
+        o.f = null;
+    } catch (e) {
+        return;
+    }
+}
+
+for (var i = 0; i < 81; ++i) {
+    var o = {};
+    o.__defineSetter__('f', function (value) {
+        this._f = value;
+    });
+    if (i & 1) {
+        o['i' + i] = {};
+    }
+    foo(o);
+}
+
+var o = {};
+o.__defineSetter__('f', function () {
+    throw new Error();
+});
+
+foo(o);
+`;
+
+// Increasing 400 to 1e4 and spawning 100 jsc process can improve reproducibility.
+for (let i=0; i < 400; i++)
+    runString(code);
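Review bot: `foo(o, p)` declares a second parameter `p` that is never used and every call site passes a single argument; drop it or say why it is there. The file also has no explicit expected outcome: the `throw new Error()` from the final setter is swallowed by the `try`/`catch` in `foo`, so the test passes simply by not crashing; a comment next to the existing "Increasing 400 to 1e4 ..." note stating that the expected result is no crash or DFG assertion failure would make that intent explicit.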

Modified: trunk/Source/_javascript_Core/ChangeLog (249316 => 249317)


--- trunk/Source/_javascript_Core/ChangeLog	2019-08-30 07:50:14 UTC (rev 249316)
+++ trunk/Source/_javascript_Core/ChangeLog	2019-08-30 08:13:15 UTC (rev 249317)
@@ -1,3 +1,17 @@
+2019-08-30  Yusuke Suzuki  <ysuz...@apple.com>
+
+        [JSC] DFG inlining CheckBadCell slow path does not assume result VirtualRegister can be invalid
+        https://bugs.webkit.org/show_bug.cgi?id=201332
+
+        Reviewed by Mark Lam.
+
+        When inlining setter calls in DFG, result VirtualRegister becomes invalid one. While other call-related DFG code correctly assumes
+        that `result` may be invalid, only CheckBadCell slow path missed this case. Since this is OSR exit path and VirtualRegister result
+        does not exist, set BottomValue only when "result" is valid as the other DFG code is doing.
+
+        * dfg/DFGByteCodeParser.cpp:
+        (JSC::DFG::ByteCodeParser::handleInlining):
+
 2019-08-29  Devin Rousso  <drou...@apple.com>
 
         Web Inspector: Debugger: async event listener stack traces should be available in Workers
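Review bot: grammar in the new ChangeLog entry: "result VirtualRegister becomes invalid one" should read "the result VirtualRegister becomes an invalid one", "only CheckBadCell slow path missed this case" should read "only the CheckBadCell slow path missed this case", and "Since this is OSR exit path and VirtualRegister result does not exist" should read "Since this is an OSR exit path and the VirtualRegister result does not exist".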

Modified: trunk/Source/_javascript_Core/dfg/DFGByteCodeParser.cpp (249316 => 249317)


--- trunk/Source/_javascript_Core/dfg/DFGByteCodeParser.cpp	2019-08-30 07:50:14 UTC (rev 249316)
+++ trunk/Source/_javascript_Core/dfg/DFGByteCodeParser.cpp	2019-08-30 08:13:15 UTC (rev 249317)
@@ -2104,7 +2104,8 @@
         addToGraph(Phantom, myCallTargetNode);
         emitArgumentPhantoms(registerOffset, argumentCountIncludingThis);
         
-        set(result, addToGraph(BottomValue));
+        if (result.isValid())
+            set(result, addToGraph(BottomValue));
         VERBOSE_LOG("couldTakeSlowPath was false\n");
     }
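Review bot: the guard `if (result.isValid())` before `set(result, addToGraph(BottomValue));` is correct but carries no explanation, and the hunk only shows the branch logged as "couldTakeSlowPath was false"; a one-line comment stating that an inlined setter call has no result VirtualRegister (the assignment expression's value is not the setter's return value) would stop the next reader from folding the check away, and the ChangeLog's claim that the other call-related paths already apply the same guard is worth confirming for the sibling branch not shown here.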
 
_______________________________________________
webkit-changes mailing list
webkit-changes@lists.webkit.org
https://lists.webkit.org/mailman/listinfo/webkit-changes
