Skip to site navigation (Press enter)

[webkit-changes] [281473] trunk

sbarati Mon, 23 Aug 2021 14:45:45 -0700

Title: [281473] trunk

Revision: 281473
Author: sbar...@apple.com
Date: 2021-08-23 14:44:19 -0700 (Mon, 23 Aug 2021)

Log Message

compileEnumeratorHasProperty uses flushRegisters incorrectly
https://bugs.webkit.org/show_bug.cgi?id=229412
<rdar://82020767>


Reviewed by Keith Miller.

JSTests:

* stress/for-in-has-own-property-shouldnt-flush-registers.js: Added.
(foo):
* stress/for-in-in-by-val-shouldnt-flush-registers.js: Added.
(a.toString):

Source/_javascript_Core:

We were calling flushRegisters() inside code that isn't always runs inside the
EnumeratorInByVal/EnumeratorHasOwnProperty nodes. That is a violation of how
flushRegisters() must be used, since flushRegisters() updates global register
allocation state, and therefore must run each time a node is run. To fix, we
move flushRegisters() before the code starts emitting branches.

* dfg/DFGSpeculativeJIT.cpp:
(JSC::DFG::SpeculativeJIT::compileEnumeratorHasProperty):

Modified Paths

trunk/JSTests/ChangeLog
trunk/Source/_javascript_Core/ChangeLog
trunk/Source/_javascript_Core/dfg/DFGSpeculativeJIT.cpp

Added Paths

trunk/JSTests/stress/for-in-has-own-property-shouldnt-flush-registers.js
trunk/JSTests/stress/for-in-in-by-val-shouldnt-flush-registers.js

Diff

Modified: trunk/JSTests/ChangeLog (281472 => 281473)


--- trunk/JSTests/ChangeLog	2021-08-23 21:39:37 UTC (rev 281472)
+++ trunk/JSTests/ChangeLog	2021-08-23 21:44:19 UTC (rev 281473)
@@ -1,3 +1,16 @@
+2021-08-23  Saam Barati  <sbar...@apple.com>
+
+        compileEnumeratorHasProperty uses flushRegisters incorrectly
+        https://bugs.webkit.org/show_bug.cgi?id=229412
+        <rdar://82020767>
+
+        Reviewed by Keith Miller.
+
+        * stress/for-in-has-own-property-shouldnt-flush-registers.js: Added.
+        (foo):
+        * stress/for-in-in-by-val-shouldnt-flush-registers.js: Added.
+        (a.toString):
+
 2021-08-22  Yusuke Suzuki  <ysuz...@apple.com>
 
         [JSC] Remove already-shipped wasm option flags

Added: trunk/JSTests/stress/for-in-has-own-property-shouldnt-flush-registers.js (0 => 281473)


--- trunk/JSTests/stress/for-in-has-own-property-shouldnt-flush-registers.js	                        (rev 0)
+++ trunk/JSTests/stress/for-in-has-own-property-shouldnt-flush-registers.js	2021-08-23 21:44:19 UTC (rev 281473)
@@ -0,0 +1,11 @@
+function foo(o) {
+    for (let p in o) {
+        o.hasOwnProperty(p);
+        o.__proto__ = undefined;
+    }
+}
+
+for (let i = 0; i < 100000; ++i) {
+    foo({f:42});
+}
+

Added: trunk/JSTests/stress/for-in-in-by-val-shouldnt-flush-registers.js (0 => 281473)


--- trunk/JSTests/stress/for-in-in-by-val-shouldnt-flush-registers.js	                        (rev 0)
+++ trunk/JSTests/stress/for-in-in-by-val-shouldnt-flush-registers.js	2021-08-23 21:44:19 UTC (rev 281473)
@@ -0,0 +1,13 @@
+const a = [undefined];
+a.toString = ()=>{};
+
+function foo() {
+    for (let x in a) {
+      x in a;
+      +x;
+    }
+}
+
+for (let i=0; i<10000; i++) {
+  foo();
+}

Modified: trunk/Source/_javascript_Core/ChangeLog (281472 => 281473)


--- trunk/Source/_javascript_Core/ChangeLog	2021-08-23 21:39:37 UTC (rev 281472)
+++ trunk/Source/_javascript_Core/ChangeLog	2021-08-23 21:44:19 UTC (rev 281473)
@@ -1,3 +1,20 @@
+2021-08-23  Saam Barati  <sbar...@apple.com>
+
+        compileEnumeratorHasProperty uses flushRegisters incorrectly
+        https://bugs.webkit.org/show_bug.cgi?id=229412
+        <rdar://82020767>
+
+        Reviewed by Keith Miller.
+
+        We were calling flushRegisters() inside code that isn't always runs inside the
+        EnumeratorInByVal/EnumeratorHasOwnProperty nodes. That is a violation of how
+        flushRegisters() must be used, since flushRegisters() updates global register
+        allocation state, and therefore must run each time a node is run. To fix, we
+        move flushRegisters() before the code starts emitting branches.
+
+        * dfg/DFGSpeculativeJIT.cpp:
+        (JSC::DFG::SpeculativeJIT::compileEnumeratorHasProperty):
+
 2021-08-23  Yusuke Suzuki  <ysuz...@apple.com>
 
         [JSC] emitArrayProfilingSiteWithCell should not load indexingType unnecessarily

Modified: trunk/Source/_javascript_Core/dfg/DFGSpeculativeJIT.cpp (281472 => 281473)


--- trunk/Source/_javascript_Core/dfg/DFGSpeculativeJIT.cpp	2021-08-23 21:39:37 UTC (rev 281472)
+++ trunk/Source/_javascript_Core/dfg/DFGSpeculativeJIT.cpp	2021-08-23 21:44:19 UTC (rev 281473)
@@ -13692,6 +13692,8 @@
         GPRReg modeGPR = mode.gpr();
         GPRReg enumeratorGPR = enumerator.gpr();
 
+        flushRegisters();
+
         JSValueRegsTemporary result(this);
         JSValueRegs resultRegs = result.regs();
 
@@ -13711,7 +13713,6 @@
 
         operationCases.link(&m_jit);
 
-        flushRegisters();
 #if USE(JSVALUE32_64)
         m_jit.move(TrustedImm32(JSValue::CellTag), resultRegs.tagGPR());
         auto baseRegs = JSValueRegs(baseCellGPR, resultRegs.tagGPR());

_______________________________________________
webkit-changes mailing list
webkit-changes@lists.webkit.org
https://lists.webkit.org/mailman/listinfo/webkit-changes