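--- a/trunk/Source/_javascript_Core/ChangeLog
+++ b/trunk/Source/_javascript_Core/ChangeLog
@@ -1,3 +1,23 @@
+2021-10-06 Mikhail R. Gadelha <[email protected]>
+
+ Fix wrong edge type from get-by-val in 32 bits
+ https://bugs.webkit.org/show_bug.cgi?id=231179
+
+ Reviewed by Yusuke Suzuki.
+
+ After https://bugs.webkit.org/show_bug.cgi?id=230801, a different type
+ can be set in DFG nodes, however, in 32 bits jsc was always setting the
+ type to Cell. This caused jsc to abort when verify the type of the edge:
+
+ DFG ASSERTION FAILED: Edge verification error: D@64->Check:Object:D@60 was expected to have type Object but has type Cell (43984760078335)
+
+ This patch changes the 32 bits version of the compileEnumeratorGetByVal
+ to manually speculate the edge if it is a Cell, since a differente Kind
+ could've been during Fixup.
+
+ * dfg/DFGSpeculativeJIT32_64.cpp:
+ (JSC::DFG::SpeculativeJIT::compileEnumeratorGetByVal):
+
 2021-10-05 Saam Barati <[email protected]>
 Don't pass DontBuildStrings to next token after parsing an empty parameter list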
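--- a/trunk/Source/_javascript_Core/dfg/DFGOperations.cpp
+++ b/trunk/Source/_javascript_Core/dfg/DFGOperations.cpp
@@ -2538,7 +2538,7 @@
 RELEASE_AND_RETURN(scope, JSValue::encode(jsBoolean(CommonSlowPaths::opInByVal(globalObject, base, propertyName))));
 }
-JSC_DEFINE_JIT_OPERATION(operationEnumeratorGetByValGeneric, EncodedJSValue, (JSGlobalObject* globalObject, JSCell* baseCell, EncodedJSValue propertyNameValue, uint32_t index, int32_t modeNumber, JSPropertyNameEnumerator* enumerator))
+JSC_DEFINE_JIT_OPERATION(operationEnumeratorGetByValGeneric, EncodedJSValue, (JSGlobalObject* globalObject, EncodedJSValue baseValue, EncodedJSValue propertyNameValue, uint32_t index, int32_t modeNumber, JSPropertyNameEnumerator* enumerator))
 {
 VM& vm = globalObject->vm();
 CallFrame* callFrame = DECLARE_CALL_FRAME(vm);
@@ -2547,7 +2547,8 @@
 JSValue property = JSValue::decode(propertyNameValue);
 JSPropertyNameEnumerator::Flag mode = static_cast<JSPropertyNameEnumerator::Flag>(modeNumber);
- RELEASE_AND_RETURN(scope, JSValue::encode(CommonSlowPaths::opEnumeratorGetByVal(globalObject, baseCell, property, index, mode, enumerator)));
+ JSValue base = JSValue::decode(baseValue);
+ RELEASE_AND_RETURN(scope, JSValue::encode(CommonSlowPaths::opEnumeratorGetByVal(globalObject, base, property, index, mode, enumerator)));
 }
 JSC_DEFINE_JIT_OPERATION(operationEnumeratorHasOwnProperty, EncodedJSValue, (JSGlobalObject* globalObject, EncodedJSValue baseValue, EncodedJSValue propertyNameValue, uint32_t index, int32_t modeNumber))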
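Review bot: The base argument's contract widens from `JSCell*` to any `EncodedJSValue` at the signature and at `JSValue base = JSValue::decode(baseValue);`, but nothing here documents that a non-cell base is now legitimate on this slow path, and the only other caller-side change in this diff is the matching declaration in DFGOperations.h (next section); the 64-bit DFG and FTL call sites that presumably still hand over a cell register are not visible. On 64-bit a cell pointer is also a valid encoded JSValue, so those call sites would keep working silently, but that is worth confirming explicitly rather than relying on the encoding coincidence, and it is also worth confirming that CommonSlowPaths::opEnumeratorGetByVal handles a primitive base now that the type no longer guarantees a cell. I would add above the decode line: `// base is any JSValue here: the 32-bit DFG passes the unspeculated operand when the base edge is not a cell use.` The second hunk starts mid-function; the signature is in the first hunk of this section.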
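--- a/trunk/Source/_javascript_Core/dfg/DFGOperations.h
+++ b/trunk/Source/_javascript_Core/dfg/DFGOperations.h
@@ -112,7 +112,7 @@
 JSC_DECLARE_JIT_OPERATION(operationEnumeratorInByVal, EncodedJSValue, (JSGlobalObject*, EncodedJSValue, EncodedJSValue, uint32_t, int32_t));
 JSC_DECLARE_JIT_OPERATION(operationEnumeratorHasOwnProperty, EncodedJSValue, (JSGlobalObject*, EncodedJSValue, EncodedJSValue, uint32_t, int32_t));
 JSC_DECLARE_JIT_OPERATION(operationEnumeratorRecoverNameAndGetByVal, EncodedJSValue, (JSGlobalObject*, JSCell*, uint32_t, JSPropertyNameEnumerator*));
-JSC_DECLARE_JIT_OPERATION(operationEnumeratorGetByValGeneric, EncodedJSValue, (JSGlobalObject*, JSCell*, EncodedJSValue, uint32_t, int32_t, JSPropertyNameEnumerator*));
+JSC_DECLARE_JIT_OPERATION(operationEnumeratorGetByValGeneric, EncodedJSValue, (JSGlobalObject*, EncodedJSValue, EncodedJSValue, uint32_t, int32_t, JSPropertyNameEnumerator*));
 JSC_DECLARE_JIT_OPERATION(operationNewRegexpWithLastIndex, JSCell*, (JSGlobalObject*, JSCell*, EncodedJSValue));
 JSC_DECLARE_JIT_OPERATION(operationNewArray, char*, (JSGlobalObject*, Structure*, void*, size_t));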
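--- a/trunk/Source/_javascript_Core/dfg/DFGSpeculativeJIT32_64.cpp
+++ b/trunk/Source/_javascript_Core/dfg/DFGSpeculativeJIT32_64.cpp
@@ -4487,25 +4487,39 @@
 // FIXME: we are always taking the slow path here, we should be able to do the equivalent to the 64bit version if we add more available (callee-save registers) to ARMv7 and/or if we reduce the number of registers compileEnumeratorGetByVal uses. See bug #230189.
 void SpeculativeJIT::compileEnumeratorGetByVal(Node* node)
 {
- SpeculateCellOperand baseOperand(this, m_graph.varArgChild(node, 0));
- JSValueOperand property(this, m_graph.varArgChild(node, 1));
- SpeculateStrictInt32Operand index(this, m_graph.varArgChild(node, 3));
- SpeculateStrictInt32Operand mode(this, m_graph.varArgChild(node, 4));
- SpeculateCellOperand enumerator(this, m_graph.varArgChild(node, 5));
- GPRReg baseOperandGPR = baseOperand.gpr();
- JSValueRegs propertyRegs = property.jsValueRegs();
- GPRReg indexGPR = index.gpr();
- GPRReg modeGPR = mode.gpr();
- GPRReg enumeratorGPR = enumerator.gpr();
+ Edge baseEdge = m_graph.varArgChild(node, 0);
+ auto generate = [&] (JSValueRegs baseRegs) {
+ JSValueOperand property(this, m_graph.varArgChild(node, 1), ManualOperandSpeculation);
+ SpeculateStrictInt32Operand index(this, m_graph.varArgChild(node, 3));
+ SpeculateStrictInt32Operand mode(this, m_graph.varArgChild(node, 4));
+ SpeculateCellOperand enumerator(this, m_graph.varArgChild(node, 5));
+ JSValueRegs propertyRegs = property.jsValueRegs();
+ GPRReg indexGPR = index.gpr();
+ GPRReg modeGPR = mode.gpr();
+ GPRReg enumeratorGPR = enumerator.gpr();
- flushRegisters();
+ flushRegisters();
- JSValueRegsFlushedCallResult result(this);
- JSValueRegs resultRegs = result.regs();
+ JSValueRegsFlushedCallResult result(this);
+ JSValueRegs resultRegs = result.regs();
- callOperation(operationEnumeratorGetByValGeneric, resultRegs, TrustedImmPtr::weakPointer(m_graph, m_graph.globalObjectFor(node->origin.semantic)), baseOperandGPR, propertyRegs, indexGPR, modeGPR, enumeratorGPR);
- m_jit.exceptionCheck();
- jsValueResult(resultRegs, node);
+ if (baseRegs.tagGPR() == InvalidGPRReg)
+ callOperation(operationEnumeratorGetByValGeneric, resultRegs, TrustedImmPtr::weakPointer(m_graph, m_graph.globalObjectFor(node->origin.semantic)), CCallHelpers::CellValue(baseRegs.payloadGPR()), propertyRegs, indexGPR, modeGPR, enumeratorGPR);
+ else
+ callOperation(operationEnumeratorGetByValGeneric, resultRegs, TrustedImmPtr::weakPointer(m_graph, m_graph.globalObjectFor(node->origin.semantic)), baseRegs, propertyRegs, indexGPR, modeGPR, enumeratorGPR);
+ m_jit.exceptionCheck();
+ jsValueResult(resultRegs, node);
+ };
+
+ if (isCell(baseEdge.useKind())) {
+ // Use manual operand speculation since Fixup may have picked a UseKind more restrictive than CellUse.
+ speculate(node, baseEdge);
+ SpeculateCellOperand base(this, baseEdge, ManualOperandSpeculation);
+ generate(JSValueRegs::payloadOnly(base.gpr()));
+ } else {
+ JSValueOperand base(this, baseEdge);
+ generate(base.regs());
+ }
 }
 #endif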
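Review bot: `property` in the lambda is now constructed with `ManualOperandSpeculation` but no matching `speculate(node, m_graph.varArgChild(node, 1));` is emitted, whereas the base edge below gets both the speculate call and the manually-speculated operand. If the property edge can carry a use kind other than UntypedUse — presumably the reason the flag was added, since JSValueOperand otherwise asserts UntypedUse — the type check that Fixup and the abstract interpreter treat as proven is never emitted, and downstream nodes could then observe a value of a type they were told to rely on; either add the speculate call before the operand or leave a comment stating why it is intentionally unneeded for this generic slow-path call. The two `callOperation` lines in the `if`/`else` differ only in how the base is passed; hoisting the global object into a local, `auto globalObject = TrustedImmPtr::weakPointer(m_graph, m_graph.globalObjectFor(node->origin.semantic));`, keeps both readable. The `else` branch constructs `JSValueOperand base(this, baseEdge);` with automatic speculation, which if I read the operand's contract right only admits UntypedUse, so a non-cell typed use kind chosen by Fixup would assert there; a one-line comment stating that assumption would help the next reader.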