Title: [254434] trunk
Revision: 254434
Author: [email protected]
Date: 2020-01-13 09:19:56 -0800 (Mon, 13 Jan 2020)

Log Message

CheckNeutered needs to claim it reads JSType in clobberize.
https://bugs.webkit.org/show_bug.cgi?id=206136

Reviewed by Yusuke Suzuki.

JSTests:

* stress/check-neutered-clobberize-reads-jstype.js: Added.
(foo):

Source/JavaScriptCore:

CheckNeutered needs to read JSType, otherwise it can get hoisted
past the TypedArray check guarding it.

* dfg/DFGAbstractInterpreterInlines.h:
(JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
* dfg/DFGClobberize.h:
(JSC::DFG::clobberize):

Diff

Modified: trunk/JSTests/ChangeLog (254433 => 254434)


--- trunk/JSTests/ChangeLog	2020-01-13 17:14:25 UTC (rev 254433)
+++ trunk/JSTests/ChangeLog	2020-01-13 17:19:56 UTC (rev 254434)
@@ -1,3 +1,13 @@
+2020-01-11  Keith Miller  <[email protected]>
+
+        CheckNeutered needs to claim it reads JSType in clobberize.
+        https://bugs.webkit.org/show_bug.cgi?id=206136
+
+        Reviewed by Yusuke Suzuki.
+
+        * stress/check-neutered-clobberize-reads-jstype.js: Added.
+        (foo):
+
 2020-01-12  Yusuke Suzuki  <[email protected]>
 
         [JSC] Use internal object field mechanism to implement JSStringIterator
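Review bot: the entry `* stress/check-neutered-clobberize-reads-jstype.js: Added.` says nothing about what the test exercises, so a reader of the ChangeLog has to open the file; add a one-line description, e.g. that it repeatedly iterates a large Uint8Array under forced eager compilation so that CheckNeutered cannot be hoisted above the TypedArray check guarding it.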

Added: trunk/JSTests/stress/check-neutered-clobberize-reads-jstype.js (0 => 254434)


--- trunk/JSTests/stress/check-neutered-clobberize-reads-jstype.js	                        (rev 0)
+++ trunk/JSTests/stress/check-neutered-clobberize-reads-jstype.js	2020-01-13 17:19:56 UTC (rev 254434)
@@ -0,0 +1,11 @@
+//@ requireOptions("--useObjectAllocationSinking=0", "--forceEagerCompilation=1")
+
+function foo() {
+const a = new Uint8Array(25000);
+for (let i = 0; i < 10; i++) {
+for (const x of a) {
+}
+}
+}
+foo();
+foo();
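Review bot: the bodies of `foo`, the outer `for` and the inner `for (const x of a)` are flush-left, which hides the nesting; indent them. A short comment stating why `--useObjectAllocationSinking=0` and `--forceEagerCompilation=1` are needed to reproduce the hoisting would also help whoever later tries to reduce or retire the test.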

Modified: trunk/Source/JavaScriptCore/ChangeLog (254433 => 254434)


--- trunk/Source/_javascript_Core/ChangeLog	2020-01-13 17:14:25 UTC (rev 254433)
+++ trunk/Source/_javascript_Core/ChangeLog	2020-01-13 17:19:56 UTC (rev 254434)
@@ -1,3 +1,18 @@
+2020-01-11  Keith Miller  <[email protected]>
+
+        CheckNeutered needs to claim it reads JSType in clobberize.
+        https://bugs.webkit.org/show_bug.cgi?id=206136
+
+        Reviewed by Yusuke Suzuki.
+
+        CheckNeutered needs to read JSType otherwise it can get hoisted
+        past the TypedArray check guarding it.
+
+        * dfg/DFGAbstractInterpreterInlines.h:
+        (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
+        * dfg/DFGClobberize.h:
+        (JSC::DFG::clobberize):
+
 2020-01-12  Yusuke Suzuki  <[email protected]>
 
         [JSC] Use internal object field mechanism to implement JSStringIterator
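Review bot: the description says only that CheckNeutered must read JSType, but the DFGClobberize.h change also adds `read(JSCell_structureID);` and the DFGAbstractInterpreterInlines.h change adds a DFG_ASSERT; the ChangeLog should mention both so the reason for the extra structure-ID read and the new invariant check is recorded.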

Modified: trunk/Source/JavaScriptCore/dfg/DFGAbstractInterpreterInlines.h (254433 => 254434)


--- trunk/Source/_javascript_Core/dfg/DFGAbstractInterpreterInlines.h	2020-01-13 17:14:25 UTC (rev 254433)
+++ trunk/Source/_javascript_Core/dfg/DFGAbstractInterpreterInlines.h	2020-01-13 17:19:56 UTC (rev 254434)
@@ -3361,6 +3361,7 @@
     }
 
     case CheckNeutered: {
+        DFG_ASSERT(m_graph, node, speculationChecked(forNode(node->child1()).m_type, SpecTypedArrayView));
         break;
     }
 
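Review bot: DFG_ASSERT only fires in assertion-enabled builds, so the added line documents the invariant (child1 has already been proven a TypedArrayView when CheckNeutered executes) rather than enforcing it; since the actual fix is the added reads in DFGClobberize.h, a short comment above the assert pointing to that dependency would keep the two halves from drifting apart in a later refactor.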

Modified: trunk/Source/JavaScriptCore/dfg/DFGClobberize.h (254433 => 254434)


--- trunk/Source/_javascript_Core/dfg/DFGClobberize.h	2020-01-13 17:14:25 UTC (rev 254433)
+++ trunk/Source/_javascript_Core/dfg/DFGClobberize.h	2020-01-13 17:19:56 UTC (rev 254434)
@@ -1102,6 +1102,8 @@
         return;
 
     case CheckNeutered:
+        read(JSCell_typeInfoType);
+        read(JSCell_structureID);
         read(MiscFields);
         return; 
         
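Review bot: the hunk adds reads of both `JSCell_typeInfoType` and `JSCell_structureID`, while the commit message mentions only JSType; a comment explaining why the structure-ID read is also required (which guarding check it keeps CheckNeutered below) would stop a later cleanup from dropping it. Consider grouping the two new reads with the existing `read(MiscFields);` under one comment covering all three.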
_______________________________________________
webkit-changes mailing list
[email protected]
https://lists.webkit.org/mailman/listinfo/webkit-changes