[webkit-changes] [261603] trunk

[sbarati]

Title: [261603] trunk

Revision

261603

Author

sbar...@apple.com

Date

2020-05-13 00:24:13 -0700 (Wed, 13 May 2020)

Log Message

MovHint can see an arguments object be MovHinted to a Tmp
https://bugs.webkit.org/show_bug.cgi?id=211820
<rdar://problem/62882158>

Reviewed by Keith Miller.

JSTests:

* stress/varargs-forwarding-can-see-arguments-mov-hint-to-for-of-tmp.js: Added.
(let.iter.Symbol.iterator.return.next):
(let.iter.Symbol.iterator):

Source/_javascript_Core:

We had an assert that it wasn't possible to have a MovHint from an arguments
object to a Tmp. However, this is possible with for-of. There is nothing
about the current algorithm that is specific to only VirtualRegisters. The
algorithm also works over Tmps. So I've generalized the algorithm to just work
over Operand.

* dfg/DFGVarargsForwardingPhase.cpp:

Modified Paths

• trunk/JSTests/ChangeLog
• trunk/Source/_javascript_Core/ChangeLog
• trunk/Source/_javascript_Core/dfg/DFGVarargsForwardingPhase.cpp

Added Paths

• trunk/JSTests/stress/varargs-forwarding-can-see-arguments-mov-hint-to-for-of-tmp.js

Diff

Modified: trunk/JSTests/ChangeLog (261602 => 261603)

--- trunk/JSTests/ChangeLog	2020-05-13 07:10:51 UTC (rev 261602)
+++ trunk/JSTests/ChangeLog	2020-05-13 07:24:13 UTC (rev 261603)
@@ -1,3 +1,15 @@
+2020-05-13  Saam Barati  <sbar...@apple.com>
+
+        MovHint can see an arguments object be MovHinted to a Tmp
+        https://bugs.webkit.org/show_bug.cgi?id=211820
+        <rdar://problem/62882158>
+
+        Reviewed by Keith Miller.
+
+        * stress/varargs-forwarding-can-see-arguments-mov-hint-to-for-of-tmp.js: Added.
+        (let.iter.Symbol.iterator.return.next):
+        (let.iter.Symbol.iterator):
+
 2020-05-13  Alexey Shvayka  <shvaikal...@gmail.com>
 
         Move @isConstructor checks from fast paths of Array.from and Array.of

Added: trunk/JSTests/stress/varargs-forwarding-can-see-arguments-mov-hint-to-for-of-tmp.js (0 => 261603)

--- trunk/JSTests/stress/varargs-forwarding-can-see-arguments-mov-hint-to-for-of-tmp.js	                        (rev 0)
+++ trunk/JSTests/stress/varargs-forwarding-can-see-arguments-mov-hint-to-for-of-tmp.js	2020-05-13 07:24:13 UTC (rev 261603)
@@ -0,0 +1,18 @@
+// This should not crash.
+
+let iter = {
+    [Symbol.iterator]: () => {
+        return { 
+            next: function () {
+                return arguments;
+            }
+        };
+    }
+}
+
+let i = 0;
+for (let x of iter) {
+    i++;
+    if (i >= 4000)
+        break;
+}

Modified: trunk/Source/_javascript_Core/ChangeLog (261602 => 261603)

--- trunk/Source/_javascript_Core/ChangeLog	2020-05-13 07:10:51 UTC (rev 261602)
+++ trunk/Source/_javascript_Core/ChangeLog	2020-05-13 07:24:13 UTC (rev 261603)
@@ -1,3 +1,19 @@
+2020-05-13  Saam Barati  <sbar...@apple.com>
+
+        MovHint can see an arguments object be MovHinted to a Tmp
+        https://bugs.webkit.org/show_bug.cgi?id=211820
+        <rdar://problem/62882158>
+
+        Reviewed by Keith Miller.
+
+        We had an assert that it wasn't possible to have a MovHint from an arguments
+        object to a Tmp. However, this is possible with for-of. There is nothing
+        about the current algorithm that is specific to only VirtualRegisters. The
+        algorithm also works over Tmps. So I've generalized the algorithm to just work
+        over Operand.
+
+        * dfg/DFGVarargsForwardingPhase.cpp:
+
 2020-05-13  Alexey Shvayka  <shvaikal...@gmail.com>
 
         Move @isConstructor checks from fast paths of Array.from and Array.of

Modified: trunk/Source/_javascript_Core/dfg/DFGVarargsForwardingPhase.cpp (261602 => 261603)

--- trunk/Source/_javascript_Core/dfg/DFGVarargsForwardingPhase.cpp	2020-05-13 07:10:51 UTC (rev 261602)
+++ trunk/Source/_javascript_Core/dfg/DFGVarargsForwardingPhase.cpp	2020-05-13 07:24:13 UTC (rev 261603)
@@ -97,7 +97,7 @@
         // Find the index of the last node in this block to use the candidate, and look for escaping
         // sites.
         unsigned lastUserIndex = candidateNodeIndex;
-        Vector<VirtualRegister, 2> relevantLocals; // This is a set. We expect it to be a small set.
+        Vector<Operand, 2> relevantLocals; // This is a set. We expect it to be a small set.
         for (unsigned nodeIndex = candidateNodeIndex + 1; nodeIndex < block->size(); ++nodeIndex) {
             Node* node = block->at(nodeIndex);
 
@@ -115,10 +115,9 @@
             case MovHint:
                 if (node->child1() != candidate)
                     break;
-                ASSERT_WITH_MESSAGE(!node->unlinkedOperand().isTmp(), "We don't currently support a tmp referring to an arguments object.");
                 lastUserIndex = nodeIndex;
-                if (!relevantLocals.contains(node->unlinkedOperand().virtualRegister()))
-                    relevantLocals.append(node->unlinkedOperand().virtualRegister());
+                if (!relevantLocals.contains(node->unlinkedOperand()))
+                    relevantLocals.append(node->unlinkedOperand());
                 break;
                 
             case CheckVarargs:
@@ -245,6 +244,8 @@
                             relevantLocals[i--] = relevantLocals.last();
                             relevantLocals.removeLast();
                             lastUserIndex = nodeIndex;
+                            ASSERT(!relevantLocals.contains(operand));
+                            break;
                         }
                     }
                 });

_______________________________________________
webkit-changes mailing list
webkit-changes@lists.webkit.org
https://lists.webkit.org/mailman/listinfo/webkit-changes