[webkit-changes] [270402] trunk/Source/JavaScriptCore

[sbarati]

Title: [270402] trunk/Source/_javascript_Core

Revision

270402

Author

sbar...@apple.com

Date

2020-12-03 12:28:49 -0800 (Thu, 03 Dec 2020)

Log Message

JIT::emit_op_iterator_next fast path passes in the wrong identifier to the "done" JITGetByIdGenerator
https://bugs.webkit.org/show_bug.cgi?id=219499

Reviewed by Keith Miller.

The reason nothing was failing here is that the slow path which calls into C
code to do repatching of the IC was using the right "done" identifier. The
fast path only checks if the identifier is "length", so the code sidestepped
itself being wrong in any way. However, it's good form to use the correct
identifier.

* jit/JITCall.cpp:
(JSC::JIT::emit_op_iterator_next):

Modified Paths

• trunk/Source/_javascript_Core/ChangeLog
• trunk/Source/_javascript_Core/jit/JITCall.cpp

Diff

Modified: trunk/Source/_javascript_Core/ChangeLog (270401 => 270402)

--- trunk/Source/_javascript_Core/ChangeLog	2020-12-03 19:58:07 UTC (rev 270401)
+++ trunk/Source/_javascript_Core/ChangeLog	2020-12-03 20:28:49 UTC (rev 270402)
@@ -1,3 +1,19 @@
+2020-12-03  Saam Barati  <sbar...@apple.com>
+
+        JIT::emit_op_iterator_next fast path passes in the wrong identifier to the "done" JITGetByIdGenerator
+        https://bugs.webkit.org/show_bug.cgi?id=219499
+
+        Reviewed by Keith Miller.
+
+        The reason nothing was failing here is that the slow path which calls into C
+        code to do repatching of the IC was using the right "done" identifier. The
+        fast path only checks if the identifier is "length", so the code sidestepped
+        itself being wrong in any way. However, it's good form to use the correct
+        identifier.
+
+        * jit/JITCall.cpp:
+        (JSC::JIT::emit_op_iterator_next):
+
 2020-12-03  Lauro Moura  <lmo...@igalia.com>
 
         [WTF] Avoid JSONValue::create with raw string falling to bool overload

Modified: trunk/Source/_javascript_Core/jit/JITCall.cpp (270401 => 270402)

--- trunk/Source/_javascript_Core/jit/JITCall.cpp	2020-12-03 19:58:07 UTC (rev 270401)
+++ trunk/Source/_javascript_Core/jit/JITCall.cpp	2020-12-03 20:28:49 UTC (rev 270402)
@@ -482,7 +482,7 @@
         preservedRegs.add(valueGPR);
         JITGetByIdGenerator gen(
             m_codeBlock, CodeOrigin(m_bytecodeIndex), CallSiteIndex(BytecodeIndex(m_bytecodeIndex.offset())), preservedRegs,
-            CacheableIdentifier::createFromImmortalIdentifier(vm().propertyNames->next.impl()), JSValueRegs(iterResultGPR), JSValueRegs(doneGPR), AccessType::GetById);
+            CacheableIdentifier::createFromImmortalIdentifier(vm().propertyNames->done.impl()), JSValueRegs(iterResultGPR), JSValueRegs(doneGPR), AccessType::GetById);
         gen.generateFastPath(*this);
         addSlowCase(gen.slowPathJump());
         m_getByIds.append(gen);

_______________________________________________
webkit-changes mailing list
webkit-changes@lists.webkit.org
https://lists.webkit.org/mailman/listinfo/webkit-changes