[webkit-changes] [259310] trunk/Source/JavaScriptCore

Tue, 31 Mar 2020 13:58:38 -0700

Title: [259310] trunk/Source/_javascript_Core
Revision
259310
Author
[email protected]
Date
2020-03-31 13:57:09 -0700 (Tue, 31 Mar 2020)

Log Message

REGRESSION: ASSERTION FAILED: regExpObjectNode in JSC::DFG::StrengthReductionPhase::handleNode
https://bugs.webkit.org/show_bug.cgi?id=209824

Reviewed by Mark Lam.

* dfg/DFGStrengthReductionPhase.cpp:
(JSC::DFG::StrengthReductionPhase::handleNode):
It's true that we need to verify lastIndex even when a RegExp is neither global nor sticky,
but if DFG's already converted RegExpExec to RegExpExecNonGlobalOrSticky, that means we've thrown away
the RegExpObject node, so we shouldn't try to reverify lastIndex when we reconsider folding to constant.

Modified Paths

Diff

Modified: trunk/Source/_javascript_Core/ChangeLog (259309 => 259310)


--- trunk/Source/_javascript_Core/ChangeLog	2020-03-31 20:38:00 UTC (rev 259309)
+++ trunk/Source/_javascript_Core/ChangeLog	2020-03-31 20:57:09 UTC (rev 259310)
@@ -1,3 +1,16 @@
+2020-03-31  Ross Kirsling  <[email protected]>
+
+        REGRESSION: ASSERTION FAILED: regExpObjectNode in JSC::DFG::StrengthReductionPhase::handleNode
+        https://bugs.webkit.org/show_bug.cgi?id=209824
+
+        Reviewed by Mark Lam.
+
+        * dfg/DFGStrengthReductionPhase.cpp:
+        (JSC::DFG::StrengthReductionPhase::handleNode):
+        It's true that we need to verify lastIndex even when a RegExp is neither global nor sticky,
+        but if DFG's already converted RegExpExec to RegExpExecNonGlobalOrSticky, that means we've thrown away
+        the RegExpObject node, so we shouldn't try to reverify lastIndex when we reconsider folding to constant.
+
 2020-03-30  Yusuke Suzuki  <[email protected]>
 
         [JSC] DFGArrayMode::alreadyChecked should have NonArray check when ArrayMode is NonArray+SlowPutArrayStorage

Modified: trunk/Source/_javascript_Core/dfg/DFGStrengthReductionPhase.cpp (259309 => 259310)


--- trunk/Source/_javascript_Core/dfg/DFGStrengthReductionPhase.cpp	2020-03-31 20:38:00 UTC (rev 259309)
+++ trunk/Source/_javascript_Core/dfg/DFGStrengthReductionPhase.cpp	2020-03-31 20:57:09 UTC (rev 259310)
@@ -535,34 +535,36 @@
 
             ASSERT(m_node->op() != RegExpMatchFast);
 
-            // This will only work if we can prove what the value of lastIndex is. To do this
-            // safely, we need to execute the insertion set so that we see any previous strength
-            // reductions. This is needed for soundness since otherwise the effectfulness of any
-            // previous strength reductions would be invisible to us.
-            ASSERT(regExpObjectNode);
-            executeInsertionSet();
             unsigned lastIndex = UINT_MAX;
-            for (unsigned otherNodeIndex = m_nodeIndex; otherNodeIndex--;) {
-                Node* otherNode = m_block->at(otherNodeIndex);
-                if (otherNode == regExpObjectNode) {
-                    lastIndex = 0;
-                    break;
+            if (m_node->op() != RegExpExecNonGlobalOrSticky) {
+                // This will only work if we can prove what the value of lastIndex is. To do this
+                // safely, we need to execute the insertion set so that we see any previous strength
+                // reductions. This is needed for soundness since otherwise the effectfulness of any
+                // previous strength reductions would be invisible to us.
+                ASSERT(regExpObjectNode);
+                executeInsertionSet();
+                for (unsigned otherNodeIndex = m_nodeIndex; otherNodeIndex--;) {
+                    Node* otherNode = m_block->at(otherNodeIndex);
+                    if (otherNode == regExpObjectNode) {
+                        lastIndex = 0;
+                        break;
+                    }
+                    if (otherNode->op() == SetRegExpObjectLastIndex
+                        && otherNode->child1() == regExpObjectNode
+                        && otherNode->child2()->isInt32Constant()
+                        && otherNode->child2()->asInt32() >= 0) {
+                        lastIndex = otherNode->child2()->asUInt32();
+                        break;
+                    }
+                    if (writesOverlap(m_graph, otherNode, RegExpObject_lastIndex))
+                        break;
                 }
-                if (otherNode->op() == SetRegExpObjectLastIndex
-                    && otherNode->child1() == regExpObjectNode
-                    && otherNode->child2()->isInt32Constant()
-                    && otherNode->child2()->asInt32() >= 0) {
-                    lastIndex = static_cast<unsigned>(otherNode->child2()->asInt32());
+                if (lastIndex == UINT_MAX) {
+                    if (verbose)
+                        dataLog("Giving up because the last index is not known.\n");
                     break;
                 }
-                if (writesOverlap(m_graph, otherNode, RegExpObject_lastIndex))
-                    break;
             }
-            if (lastIndex == UINT_MAX) {
-                if (verbose)
-                    dataLog("Giving up because the last index is not known.\n");
-                break;
-            }
             if (!regExp->globalOrSticky())
                 lastIndex = 0;
 

_______________________________________________
webkit-changes mailing list
[email protected]
https://lists.webkit.org/mailman/listinfo/webkit-changes

Reply via email to