Title: [260248] trunk
Revision
260248
Author
[email protected]
Date
2020-04-17 07:41:39 -0700 (Fri, 17 Apr 2020)

Log Message

[JSC] Map/Set iterator creation functions should fail with BadType etc. before executing insertChecks
https://bugs.webkit.org/show_bug.cgi?id=210649
<rdar://problem/61925452>

Reviewed by Mark Lam.

JSTests:

* stress/map-iterator-check-before-fail.js: Added.
(test):
* stress/set-iterator-check-before-fail.js: Added.
(set new):
(set var):

Source/JavaScriptCore:

Since insertChecks adds some DFG nodes, we should determine whether this intrinsic handling is OK or not before executing insertChecks.
Otherwise, we will hit an assertion with `!didInsertChecks`.

* dfg/DFGByteCodeParser.cpp:
(JSC::DFG::ByteCodeParser::handleIntrinsicCall):
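The observable behaviour this fix has to preserve is that every Map/Set iterator creation function rejects a receiver without the right internal slot with a TypeError, whether the call is interpreted or DFG-compiled. The following is an added example and is not part of the WebKit commit or its test files: it generalizes the two stress tests above from `entries` on an Array to `keys`/`values`/`entries` on both Map and Set, with several constructed wrong receivers, and records each outcome instead of swallowing it. It runs under node or the jsc shell; `noInline` is assumed to be the jsc-shell builtin and is only used when present.

```javascript
// Added example, not part of the WebKit commit: exercise every Map/Set
// iterator creation function with a wrong receiver. The stress tests in the
// commit cover only Map.prototype.entries / Set.prototype.entries called on
// an Array; this generalizes to keys/values/entries and to several
// non-Map/non-Set receivers, and records the outcome instead of swallowing it.
// Runs under node or the jsc shell; `noInline` is a jsc-shell builtin, so
// it is only used when present.
const noInlineIfAvailable =
  typeof noInline === "function" ? noInline : function () {};

const ITERATOR_CREATORS = {
  "Map.prototype.keys": Map.prototype.keys,
  "Map.prototype.values": Map.prototype.values,
  "Map.prototype.entries": Map.prototype.entries,
  "Set.prototype.keys": Set.prototype.keys,
  "Set.prototype.values": Set.prototype.values,
  "Set.prototype.entries": Set.prototype.entries,
};

// Call `creator` with `receiver` as `this`. Returns "ok" when an iterator
// came back, "TypeError" when the receiver was rejected the way the spec
// requires (RequireInternalSlot on [[MapData]] / [[SetData]]), or the text
// of any other error so an unexpected failure is visible.
function callWithReceiver(creator, receiver) {
  try {
    const iterator = creator.call(receiver);
    return typeof iterator.next === "function" ? "ok" : "not-an-iterator";
  } catch (error) {
    return error instanceof TypeError ? "TypeError" : String(error);
  }
}
noInlineIfAvailable(callWithReceiver);

// Constructed receivers that must all be rejected: an array, a plain
// object, the other collection type, and null.
function wrongReceiversFor(name) {
  const other = name.startsWith("Map") ? new Set([1]) : new Map([[1, 1]]);
  return { array: [], object: {}, otherCollection: other, nullReceiver: null };
}

// Warm up with the correct receiver (the commit's tests do 1e6 iterations so
// the caller is compiled by the DFG), then call with each wrong receiver
// `failIterations` times, as the tests do, and record every outcome seen.
function exercise(warmupIterations, failIterations) {
  const results = {};
  for (const [name, creator] of Object.entries(ITERATOR_CREATORS)) {
    const good = name.startsWith("Map") ? new Map([[1, 2]]) : new Set([1]);
    let warmupOk = true;
    for (let i = 0; i < warmupIterations; ++i) {
      if (callWithReceiver(creator, good) !== "ok") warmupOk = false;
    }
    const wrongReceiver = {};
    for (const [label, receiver] of Object.entries(wrongReceiversFor(name))) {
      const outcomes = new Set();
      for (let i = 0; i < failIterations; ++i) {
        outcomes.add(callWithReceiver(creator, receiver));
      }
      // Exactly one outcome per receiver is expected; more than one means
      // behaviour changed between the warm-up and the compiled path.
      wrongReceiver[label] = [...outcomes].join(",");
    }
    results[name] = { warmupOk, wrongReceiver };
  }
  return results;
}

// True only if every creator accepted its own collection on every warm-up
// call and rejected every wrong receiver with a TypeError.
function allRejectedWithTypeError(results) {
  return Object.values(results).every(
    (r) => r.warmupOk &&
      Object.values(r.wrongReceiver).every((outcome) => outcome === "TypeError"));
}

const summary = exercise(1e4, 1e3);
console.log(JSON.stringify(summary, null, 2));
console.log(allRejectedWithTypeError(summary) ? "all TypeError" : "MISMATCH");
```

Under the jsc shell the warm-up count can be raised to the 1e6 the stress tests use so that `callWithReceiver` reaches the DFG with the intrinsic handled before the wrong receivers are tried; a debug build of a JSC without this fix is what the original tests were written to catch, and this example simply makes the per-receiver outcome visible rather than relying on an empty catch.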

Diff

Modified: trunk/JSTests/ChangeLog (260247 => 260248)


--- trunk/JSTests/ChangeLog	2020-04-17 14:40:09 UTC (rev 260247)
+++ trunk/JSTests/ChangeLog	2020-04-17 14:41:39 UTC (rev 260248)
@@ -1,3 +1,17 @@
+2020-04-17  Yusuke Suzuki  <[email protected]>
+
+        [JSC] Map/Set iterator creation functions should fail with BadType etc. before executing insertChecks
+        https://bugs.webkit.org/show_bug.cgi?id=210649
+        <rdar://problem/61925452>
+
+        Reviewed by Mark Lam.
+
+        * stress/map-iterator-check-before-fail.js: Added.
+        (test):
+        * stress/set-iterator-check-before-fail.js: Added.
+        (set new):
+        (set var):
+
 2020-04-16  Ross Kirsling  <[email protected]>
 
         REGRESSION(r259480): Two new failing i18n tests
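Review bot: the function list under stress/set-iterator-check-before-fail.js reads `(set new):` and `(set var):`, which are not functions in that file; prepare-ChangeLog has misparsed the `set` parameter name as a setter keyword. The file defines `test(set)` exactly as the map test defines `test(map)`, so the entry should read `(test):` to match the line above it.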

Added: trunk/JSTests/stress/map-iterator-check-before-fail.js (0 => 260248)


--- trunk/JSTests/stress/map-iterator-check-before-fail.js	                        (rev 0)
+++ trunk/JSTests/stress/map-iterator-check-before-fail.js	2020-04-17 14:41:39 UTC (rev 260248)
@@ -0,0 +1,19 @@
+var entries = Map.prototype.entries;
+
+function test(map)
+{
+    entries.call(map);
+}
+noInline(test);
+
+var map = new Map();
+for (var i = 0; i < 1e6; ++i) {
+    test(map);
+}
+var array = [];
+for (var i = 0; i < 1e3; ++i) {
+    try {
+        test(array);
+    } catch {
+    }
+}
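Review bot: the empty `catch {}` in the second loop swallows every outcome, so this test would still pass if `entries.call(array)` stopped throwing after a later change. Since the point of that loop is the BadType path, consider checking the error, e.g. `catch (error) { if (!(error instanceof TypeError)) throw error; }`, and throwing if `test(array)` returns without an exception. The 1e6 warm-up with `noInline(test)` is what gets `test` compiled with the intrinsic handled, so that count should stay as it is.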

Added: trunk/JSTests/stress/set-iterator-check-before-fail.js (0 => 260248)


--- trunk/JSTests/stress/set-iterator-check-before-fail.js	                        (rev 0)
+++ trunk/JSTests/stress/set-iterator-check-before-fail.js	2020-04-17 14:41:39 UTC (rev 260248)
@@ -0,0 +1,19 @@
+var entries = Set.prototype.entries;
+
+function test(set)
+{
+    entries.call(set);
+}
+noInline(test);
+
+var set = new Set();
+for (var i = 0; i < 1e6; ++i) {
+    test(set);
+}
+var array = [];
+for (var i = 0; i < 1e3; ++i) {
+    try {
+        test(array);
+    } catch {
+    }
+}
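Review bot: both new tests only cover `.entries`, while the case list in the DFGByteCodeParser.cpp hunk (`JSMapValuesIntrinsic`, `JSSetEntriesIntrinsic`, `JSSetValuesIntrinsic` and the cases above them) all share the moved `insertChecks()`. Consider looping the same warm-up/fail sequence over `keys`, `values` and `entries` for both Map and Set, or at least adding a values variant of each file, so that every intrinsic in that case list has a reproducer.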

Modified: trunk/Source/JavaScriptCore/ChangeLog (260247 => 260248)


--- trunk/Source/_javascript_Core/ChangeLog	2020-04-17 14:40:09 UTC (rev 260247)
+++ trunk/Source/_javascript_Core/ChangeLog	2020-04-17 14:41:39 UTC (rev 260248)
@@ -1,3 +1,17 @@
+2020-04-17  Yusuke Suzuki  <[email protected]>
+
+        [JSC] Map/Set iterator creation functions should fail with BadType etc. before executing insertChecks
+        https://bugs.webkit.org/show_bug.cgi?id=210649
+        <rdar://problem/61925452>
+
+        Reviewed by Mark Lam.
+
+        Since insertChecks adds some DFG nodes, we should determine whether this intrinsic handling is OK or not before executing insertChecks.
+        Otherwise, we will hit an assertion with `!didInsertChecks`.
+
+        * dfg/DFGByteCodeParser.cpp:
+        (JSC::DFG::ByteCodeParser::handleIntrinsicCall):
+
 2020-04-17  Mark Lam  <[email protected]>
 
         offlineasm is generating the wrong load/store for the "orh" instruction.

Modified: trunk/Source/JavaScriptCore/dfg/DFGByteCodeParser.cpp (260247 => 260248)


--- trunk/Source/_javascript_Core/dfg/DFGByteCodeParser.cpp	2020-04-17 14:40:09 UTC (rev 260247)
+++ trunk/Source/_javascript_Core/dfg/DFGByteCodeParser.cpp	2020-04-17 14:41:39 UTC (rev 260248)
@@ -3188,11 +3188,11 @@
         case JSMapValuesIntrinsic:
         case JSSetEntriesIntrinsic:
         case JSSetValuesIntrinsic: {
-            insertChecks();
-
             if (m_inlineStackTop->m_exitProfile.hasExitSite(m_currentIndex, BadCell) || m_inlineStackTop->m_exitProfile.hasExitSite(m_currentIndex, BadType))
                 return false;
 
+            insertChecks();
+
             IterationKind kind = IterationKind::Values;
             UseKind useKind = MapObjectUse;
             switch (intrinsic) {
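Review bot: the reorder is correct, but the hazard it fixes, calling `insertChecks()` and then hitting an early `return false`, is a pattern rather than a one-off; the other intrinsic cases in handleIntrinsicCall that consult `m_exitProfile.hasExitSite` before deciding to handle the call should be checked for the same order, since the `!didInsertChecks` assertion named in the ChangeLog only fires in debug builds. A short comment above this `insertChecks()` stating that no early return may follow it would make the ordering requirement explicit for the next case added here.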
_______________________________________________
webkit-changes mailing list
[email protected]
https://lists.webkit.org/mailman/listinfo/webkit-changes
