Title: [271297] trunk
Revision
271297
Author
[email protected]
Date
2021-01-08 08:30:35 -0800 (Fri, 08 Jan 2021)

Log Message

[JSC] DFG/FTL Atomics should assume non-typed-array input with storage-edge
https://bugs.webkit.org/show_bug.cgi?id=220451
<rdar://problem/71237065>

Reviewed by Mark Lam.

JSTests:

* stress/atomics-and-multiple-typed-arrays.js: Added.
(foo):
* stress/atomics-and-string.js: Added.
(foo):

Source/_javascript_Core:

The Atomics implementation assumed that it only gets a TypedArray via the checkArray filter if a storage-edge exists. But this is wrong.
String and the other cases can have a storage-edge while not being a TypedArray. We should check whether this is one of the TypedArrays,
and if it is not, we should make it generic instead of using the fast TypedArray path.

* dfg/DFGArrayMode.h:
(JSC::DFG::ArrayMode::isOneOfTypedArrayView const):
* dfg/DFGFixupPhase.cpp:
(JSC::DFG::FixupPhase::fixupNode):

Diff

Modified: trunk/JSTests/ChangeLog (271296 => 271297)


--- trunk/JSTests/ChangeLog	2021-01-08 15:45:20 UTC (rev 271296)
+++ trunk/JSTests/ChangeLog	2021-01-08 16:30:35 UTC (rev 271297)
@@ -1,3 +1,16 @@
+2021-01-07  Yusuke Suzuki  <[email protected]>
+
+        [JSC] DFG/FTL Atomics should assume non-typed-array input with storage-edge
+        https://bugs.webkit.org/show_bug.cgi?id=220451
+        <rdar://problem/71237065>
+
+        Reviewed by Mark Lam.
+
+        * stress/atomics-and-multiple-typed-arrays.js: Added.
+        (foo):
+        * stress/atomics-and-string.js: Added.
+        (foo):
+
 2021-01-07  Alexey Shvayka  <[email protected]>
 
         [JSC] Simplify get*PropertyNames() methods and EnumerationMode

Added: trunk/JSTests/stress/atomics-and-multiple-typed-arrays.js (0 => 271297)


--- trunk/JSTests/stress/atomics-and-multiple-typed-arrays.js	                        (rev 0)
+++ trunk/JSTests/stress/atomics-and-multiple-typed-arrays.js	2021-01-08 16:30:35 UTC (rev 271297)
@@ -0,0 +1,12 @@
+function foo(input) {
+    return Atomics.load(input, 0);
+}
+noInline(foo);
+
+
+var a = new Uint8Array(10);
+var b = new Uint32Array(10);
+for (let i=0; i<1e4; i++) {
+    foo(a);
+    foo(b);
+}
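Review bot: the test has no assertion on the result, so it only catches a crash or a debug assertion. Both arrays are zero-initialized, so `Atomics.load(input, 0)` must return 0 on every iteration; checking that (for example `if (foo(a) !== 0 || foo(b) !== 0) throw new Error("bad");`) would also catch a silent wrong-value read if a mode specialized for the Uint8Array were kept when the Uint32Array arrives.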

Added: trunk/JSTests/stress/atomics-and-string.js (0 => 271297)


--- trunk/JSTests/stress/atomics-and-string.js	                        (rev 0)
+++ trunk/JSTests/stress/atomics-and-string.js	2021-01-08 16:30:35 UTC (rev 271297)
@@ -0,0 +1,12 @@
+//@ runDefault("--useRandomizingFuzzerAgent=1", "--useConcurrentJIT=0")
+
+function foo() {
+    return Atomics.load('', 0);
+}
+noInline(foo);
+
+for (let i=0; i<1e4; i++) {
+    try {
+        foo();
+    } catch { }
+}
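Review bot: the bare `catch { }` swallows every exception and also lets a non-throwing `foo()` pass, so this test detects only crashes. The expected behaviour is that `Atomics.load('', 0)` always throws a TypeError, so make that explicit: rethrow anything else and fail if the call returns, e.g. `let threw = false; try { foo(); } catch (e) { threw = e instanceof TypeError; } if (!threw) throw new Error("expected TypeError");`.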

Modified: trunk/Source/_javascript_Core/ChangeLog (271296 => 271297)


--- trunk/Source/_javascript_Core/ChangeLog	2021-01-08 15:45:20 UTC (rev 271296)
+++ trunk/Source/_javascript_Core/ChangeLog	2021-01-08 16:30:35 UTC (rev 271297)
@@ -1,3 +1,20 @@
+2021-01-07  Yusuke Suzuki  <[email protected]>
+
+        [JSC] DFG/FTL Atomics should assume non-typed-array input with storage-edge
+        https://bugs.webkit.org/show_bug.cgi?id=220451
+        <rdar://problem/71237065>
+
+        Reviewed by Mark Lam.
+
+        Atomics implementation assumed that it only gets TypedArray via checkArray filter if storage-edge exists. But this is wrong.
+        String and the other cases can put storage-edge while it is not TypedArray. We should check whether this is one of TypedArray,
+        and if it is not, we should make it generic one instead of using fast TypedArray path.
+
+        * dfg/DFGArrayMode.h:
+        (JSC::DFG::ArrayMode::isOneOfTypedArrayView const):
+        * dfg/DFGFixupPhase.cpp:
+        (JSC::DFG::FixupPhase::fixupNode):
+
 2021-01-07  Mark Lam  <[email protected]>
 
         Work around Clang bug in __builtin_return_address().

Modified: trunk/Source/_javascript_Core/dfg/DFGArrayMode.h (271296 => 271297)


--- trunk/Source/_javascript_Core/dfg/DFGArrayMode.h	2021-01-08 15:45:20 UTC (rev 271296)
+++ trunk/Source/_javascript_Core/dfg/DFGArrayMode.h	2021-01-08 16:30:35 UTC (rev 271297)
@@ -507,6 +507,13 @@
     {
         return type() == Array::AnyTypedArray || isTypedView(typedArrayType());
     }
+
+    bool isOneOfTypedArrayView() const
+    {
+        if (type() == Array::AnyTypedArray)
+            return false;
+        return isTypedView(typedArrayType());
+    }
     
     bool operator==(const ArrayMode& other) const
     {
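Review bot: `isOneOfTypedArrayView()` needs a comment explaining how it differs from `isSomeTypedArrayView()` directly above it, since the two predicates are otherwise near-identical: this one answers "is the mode a single, concrete typed array view type?", returning false for `Array::AnyTypedArray` because the view type is then unknown and a code path specialized for one typed array type cannot be chosen.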

Modified: trunk/Source/_javascript_Core/dfg/DFGFixupPhase.cpp (271296 => 271297)


--- trunk/Source/_javascript_Core/dfg/DFGFixupPhase.cpp	2021-01-08 15:45:20 UTC (rev 271296)
+++ trunk/Source/_javascript_Core/dfg/DFGFixupPhase.cpp	2021-01-08 16:30:35 UTC (rev 271297)
@@ -1335,8 +1335,10 @@
                 node->arrayMode().refine(
                     m_graph, node, base->prediction(), index->prediction()));
             
-            if (node->arrayMode().type() == Array::Generic)
+            if (!node->arrayMode().isOneOfTypedArrayView()) {
+                node->setArrayMode(ArrayMode(Array::Generic, node->arrayMode().action()));
                 break;
+            }
             
             for (unsigned i = numExtraAtomicsArgs(node->op()); i--;) {
                 Edge& child = m_graph.child(node, 2 + i);
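Review bot: the new condition changes behaviour for more than the String case the ChangeLog describes: `Array::AnyTypedArray` (the polymorphic typed-array mode, which `isSomeTypedArrayView()` accepts) previously fell through to the typed-array path and is now rewritten to `Array::Generic`. That is what atomics-and-multiple-typed-arrays.js exercises, so it appears intended, but the ChangeLog should say that polymorphic typed-array inputs are deliberately demoted to the generic path; a short comment above the `if` would also help, noting that the mode is rewritten (with `action()` preserved) before the `break` so the generic lowering sees a consistent mode.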
_______________________________________________
webkit-changes mailing list
[email protected]
https://lists.webkit.org/mailman/listinfo/webkit-changes
