Title: [268593] trunk
- Revision: 268593
- Author: [email protected]
- Date: 2020-10-16 08:52:27 -0700 (Fri, 16 Oct 2020)
Log Message
Don't emit OpSpread with a constant as the destination
https://bugs.webkit.org/show_bug.cgi?id=217800
<rdar://problem/69492311>
Reviewed by Yusuke Suzuki.
JSTests:
* stress/spread-should-not-have-a-constant-as-dst.js: Added.
(foo):
(bar):
Source/JavaScriptCore:
* bytecompiler/BytecodeGenerator.cpp:
(JSC::BytecodeGenerator::emitCall):
(JSC::BytecodeGenerator::emitConstruct):
Diff
Modified: trunk/JSTests/ChangeLog (268592 => 268593)
--- trunk/JSTests/ChangeLog 2020-10-16 15:38:29 UTC (rev 268592)
+++ trunk/JSTests/ChangeLog 2020-10-16 15:52:27 UTC (rev 268593)
@@ -1,3 +1,15 @@
+2020-10-16 Saam Barati <[email protected]>
+
+ Don't emit OpSpread with a constant as the destination
+ https://bugs.webkit.org/show_bug.cgi?id=217800
+ <rdar://problem/69492311>
+
+ Reviewed by Yusuke Suzuki.
+
+ * stress/spread-should-not-have-a-constant-as-dst.js: Added.
+ (foo):
+ (bar):
+
2020-10-15 Saam Barati <[email protected]>
Don't assign a bogus register to Load/ForwardVarargs in AvailabilityAnalysis before stack layout
Added: trunk/JSTests/stress/spread-should-not-have-a-constant-as-dst.js (0 => 268593)
--- trunk/JSTests/stress/spread-should-not-have-a-constant-as-dst.js (rev 0)
+++ trunk/JSTests/stress/spread-should-not-have-a-constant-as-dst.js 2020-10-16 15:52:27 UTC (rev 268593)
@@ -0,0 +1,17 @@
+// This should not crash.
+
+function foo() {
+ for (const v of [X(...(v>>=2))]) {}
+}
+noInline(foo);
+
+function bar() {
+ for (const v of [new X(...(v>>=2))]) {}
+}
+noInline(bar);
+
+for (let i = 0; i < 10000; ++i) {
+ try { foo(); } catch { }
+
+ try { bar(); } catch { }
+}
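Review bot: the empty `catch { }` blocks in the final loop swallow every exception, so this test passes on any thrown error and only guards against a crash. `X` is never defined in the file and `v` is used inside its own `const` declaration, and the try/catch suggests a throw is expected on each call; binding the exception (`catch (e)`) and checking its type would make the test fail if foo() or bar() started throwing something else or returning normally. The leading comment `// This should not crash.` could also say which construct used to crash, namely the spread argument `...(v>>=2)` in a call (foo) and in a `new` expression (bar).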
Modified: trunk/Source/_javascript_Core/ChangeLog (268592 => 268593)
--- trunk/Source/_javascript_Core/ChangeLog 2020-10-16 15:38:29 UTC (rev 268592)
+++ trunk/Source/_javascript_Core/ChangeLog 2020-10-16 15:52:27 UTC (rev 268593)
@@ -1,3 +1,15 @@
+2020-10-16 Saam Barati <[email protected]>
+
+ Don't emit OpSpread with a constant as the destination
+ https://bugs.webkit.org/show_bug.cgi?id=217800
+ <rdar://problem/69492311>
+
+ Reviewed by Yusuke Suzuki.
+
+ * bytecompiler/BytecodeGenerator.cpp:
+ (JSC::BytecodeGenerator::emitCall):
+ (JSC::BytecodeGenerator::emitConstruct):
+
2020-10-16 Michael Catanzaro <[email protected]>
REGRESSION(r267727): Warning spam from JSC_DECLARE_CUSTOM_GETTER
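Review bot: the entries for emitCall and emitConstruct in this ChangeLog hunk have no description, so the log records which functions changed but not why. One or two sentences on how the spread operand can end up in a constant register, and why writing OpSpread's result there is a problem, would let a later reader understand the fix without opening the bug link.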
Modified: trunk/Source/_javascript_Core/bytecompiler/BytecodeGenerator.cpp (268592 => 268593)
--- trunk/Source/_javascript_Core/bytecompiler/BytecodeGenerator.cpp 2020-10-16 15:38:29 UTC (rev 268592)
+++ trunk/Source/_javascript_Core/bytecompiler/BytecodeGenerator.cpp 2020-10-16 15:52:27 UTC (rev 268593)
@@ -3305,7 +3305,7 @@
auto* elements = static_cast<ArrayNode*>(_expression_)->elements();
if (elements && !elements->next() && elements->value()->isSpreadExpression()) {
ExpressionNode* _expression_ = static_cast<SpreadExpressionNode*>(elements->value())->_expression_();
- RefPtr<RegisterID> argumentRegister = emitNode(callArguments.argumentRegister(0), _expression_);
+ RefPtr<RegisterID> argumentRegister = tempDestination(emitNode(callArguments.argumentRegister(0), _expression_));
OpSpread::emit(this, argumentRegister.get(), argumentRegister.get());
return emitCallVarargs<typename VarArgsOp<CallOp>::type>(dst, func, callArguments.thisRegister(), argumentRegister.get(), newTemporary(), 0, divot, divotStart, divotEnd, debuggableCall);
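Review bot: on the line after the change, `OpSpread::emit(this, argumentRegister.get(), argumentRegister.get());` still passes the same register as both destination and source. If tempDestination() returns a different register from the one emitNode() wrote its result to, the source operand of OpSpread no longer refers to the evaluated expression. Please confirm that this cannot happen on a reachable path, or keep the emitNode() result as the source and use the temporary only as the destination. A short comment at this line explaining why the wrap is needed would also help.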
@@ -3509,7 +3509,7 @@
auto* elements = static_cast<ArrayNode*>(_expression_)->elements();
if (elements && !elements->next() && elements->value()->isSpreadExpression()) {
ExpressionNode* _expression_ = static_cast<SpreadExpressionNode*>(elements->value())->_expression_();
- RefPtr<RegisterID> argumentRegister = emitNode(callArguments.argumentRegister(0), _expression_);
+ RefPtr<RegisterID> argumentRegister = tempDestination(emitNode(callArguments.argumentRegister(0), _expression_));
OpSpread::emit(this, argumentRegister.get(), argumentRegister.get());
move(callArguments.thisRegister(), lazyThis);
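Review bot: this is the same one-line change as in the emitCall hunk, applied to an identical block (`elements && !elements->next() && elements->value()->isSpreadExpression()`). Pulling the single-spread-argument sequence into a shared helper would keep the call and construct paths from drifting apart again. A debug assertion where OpSpread is emitted, checking that the destination is not a constant, would catch any other caller with the same problem.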