Title: [283818] trunk
Revision
283818
Author
[email protected]
Date
2021-10-08 12:01:43 -0700 (Fri, 08 Oct 2021)

Log Message

RegExpExec can't statically prove which of the two structures it will get in AI by just looking at the RegExp*
https://bugs.webkit.org/show_bug.cgi?id=231382
<rdar://83722151>

Reviewed by Mark Lam.

JSTests:

* stress/reg-exp-exec-cant-prove-which-structure-it-produces-in-ai.js: Added.
(foo):

Source/JavaScriptCore:

Because of the RegExp.prototype.compile API, we don't know if the RegExp
produced by RegExpExec will have indices or not, because that bit of
information can be reset by the RegExp.prototype.compile API. So, we
conservatively say that it can produce either structure.

* dfg/DFGAbstractInterpreterInlines.h:
(JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):

Diff

Modified: trunk/JSTests/ChangeLog (283817 => 283818)


--- trunk/JSTests/ChangeLog	2021-10-08 18:50:59 UTC (rev 283817)
+++ trunk/JSTests/ChangeLog	2021-10-08 19:01:43 UTC (rev 283818)
@@ -1,3 +1,14 @@
+2021-10-08  Saam Barati  <[email protected]>
+
+        RegExpExec can't statically prove which of the two structures it will get in AI by just looking at the RegExp*
+        https://bugs.webkit.org/show_bug.cgi?id=231382
+        <rdar://83722151>
+
+        Reviewed by Mark Lam.
+
+        * stress/reg-exp-exec-cant-prove-which-structure-it-produces-in-ai.js: Added.
+        (foo):
+
 2021-10-07  Philip Chimento  <[email protected]>
 
         [JSC] Temporal tweaks to pass more test262 tests

Added: trunk/JSTests/stress/reg-exp-exec-cant-prove-which-structure-it-produces-in-ai.js (0 => 283818)


--- trunk/JSTests/stress/reg-exp-exec-cant-prove-which-structure-it-produces-in-ai.js	                        (rev 0)
+++ trunk/JSTests/stress/reg-exp-exec-cant-prove-which-structure-it-produces-in-ai.js	2021-10-08 19:01:43 UTC (rev 283818)
@@ -0,0 +1,12 @@
+// This should not crash.
+
+function foo() {
+    let r = /a/;
+    r.compile(undefined, ...'d');
+    let a = r.exec(/b/);
+    a.x;
+}
+
+for (let i = 0; i < 1000; i++) {
+    foo();
+}
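
Review bot: the body of `foo` ends in `a.x;` and asserts nothing, so the test would still pass if `r.compile(undefined, ...'d')` stopped switching the RegExp to the with-indices variant and the interesting structure were never produced. Consider checking that `a.indices` is not undefined after the `exec` call, and adding a one-line comment saying that the literal `/a/` is created without the `d` flag and `compile` adds it afterwards, since that is the whole point of the regression test. The loop runs 1000 iterations with no run directive visible in the file, so whether `foo` reaches the DFG depends on the harness defaults; a higher count or an explicit option line would make the tier-up deterministic.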

Modified: trunk/Source/JavaScriptCore/ChangeLog (283817 => 283818)


--- trunk/Source/_javascript_Core/ChangeLog	2021-10-08 18:50:59 UTC (rev 283817)
+++ trunk/Source/_javascript_Core/ChangeLog	2021-10-08 19:01:43 UTC (rev 283818)
@@ -1,3 +1,19 @@
+2021-10-08  Saam Barati  <[email protected]>
+
+        RegExpExec can't statically prove which of the two structures it will get in AI by just looking at the RegExp*
+        https://bugs.webkit.org/show_bug.cgi?id=231382
+        <rdar://83722151>
+
+        Reviewed by Mark Lam.
+
+        Because of the RegExp.prototype.compile API, we don't know if the RegExp
+        produced by RegExpExec will have indices or not, because that bit of
+        information can be reset by the RegExp.prototype.compile API. So, we
+        conservatively say that it can produce either structure. 
+
+        * dfg/DFGAbstractInterpreterInlines.h:
+        (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
+
 2021-10-07  Alexey Shvayka  <[email protected]>
 
         `highWaterMark` should be a readonly WebIDL attribute of queuing strategies
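
Review bot: the added line `conservatively say that it can produce either structure. ` carries trailing whitespace after the period, which should be dropped. The description also says "the RegExp produced by RegExpExec", but what RegExpExec produces is the matches array (the code change picks between `regExpMatchesArrayStructure` and `regExpMatchesArrayWithIndicesStructure`); rewording to "the matches array produced by RegExpExec" would match the code.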

Modified: trunk/Source/JavaScriptCore/dfg/DFGAbstractInterpreterInlines.h (283817 => 283818)


--- trunk/Source/_javascript_Core/dfg/DFGAbstractInterpreterInlines.h	2021-10-08 18:50:59 UTC (rev 283817)
+++ trunk/Source/_javascript_Core/dfg/DFGAbstractInterpreterInlines.h	2021-10-08 19:01:43 UTC (rev 283818)
@@ -2615,24 +2615,9 @@
             if (JSGlobalObject* globalObject = jsDynamicCast<JSGlobalObject*>(m_vm, globalObjectValue)) {
                 if (!globalObject->isHavingABadTime()) {
                     m_graph.watchpoints().addLazily(globalObject->havingABadTimeWatchpoint());
-
-                    RegExp* regExp = nullptr;
-                    if (node->op() == RegExpExec) {
-                        if (Node* regExpObjectNode = node->child2().node()) {
-                            if (RegExpObject* regExpObject = regExpObjectNode->dynamicCastConstant<RegExpObject*>(m_vm))
-                                regExp = regExpObject->regExp();
-                            else if (regExpObjectNode->op() == NewRegexp)
-                                regExp = regExpObjectNode->castOperand<RegExp*>();
-                        }
-                    } else if (node->op() == RegExpExecNonGlobalOrSticky)
-                        regExp = node->castOperand<RegExp*>();
-
                     RegisteredStructureSet structureSet;
-                    // If regExp is unknown, we need to put both regExp MatchesArray structure variants in our set.
-                    if (!regExp || !regExp->hasIndices())
-                        structureSet.add(m_graph.registerStructure(globalObject->regExpMatchesArrayStructure()));
-                    if (!regExp || regExp->hasIndices())
-                        structureSet.add(m_graph.registerStructure(globalObject->regExpMatchesArrayWithIndicesStructure()));
+                    structureSet.add(m_graph.registerStructure(globalObject->regExpMatchesArrayStructure()));
+                    structureSet.add(m_graph.registerStructure(globalObject->regExpMatchesArrayWithIndicesStructure()));
                     setForNode(node, structureSet);
                     forNode(node).merge(SpecOther);
                     break;
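
Review bot: the two unconditional `structureSet.add(...)` calls are left without any comment, and the deleted "If regExp is unknown, we need to put both ..." line was the only in-code explanation of why both variants appear. Please add a short comment above them stating that `RegExp.prototype.compile` can change `hasIndices()` after the `RegExp*` was observed, so the result structure cannot be derived from the operand; without it the removed narrowing looks like an obvious optimization to reintroduce. It would also help to say whether the same reasoning applies to the `RegExpExecNonGlobalOrSticky` case, whose `castOperand<RegExp*>()` lookup is removed here as well.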