Branch: refs/heads/main
Home: https://github.com/WebKit/WebKit
Commit: 52fe95e5805c735cc1fa4d6200fcaa1912efbfea
https://github.com/WebKit/WebKit/commit/52fe95e5805c735cc1fa4d6200fcaa1912efbfea
Author: Yijia Huang <[email protected]>
Date: 2023-05-10 (Wed, 10 May 2023)
Changed paths:
A JSTests/stress/heap-location-collision-dfg-clobberize.js
M Source/JavaScriptCore/dfg/DFGClobberize.h
M Source/JavaScriptCore/dfg/DFGHeapLocation.cpp
M Source/JavaScriptCore/dfg/DFGHeapLocation.h
M Source/JavaScriptCore/dfg/DFGInPlaceAbstractState.cpp
Log Message:
-----------
EnumeratorNextUpdateIndexAndMode and HasIndexedProperty should have different
heap location kinds
https://bugs.webkit.org/show_bug.cgi?id=256567
rdar://109089013
Reviewed by Yusuke Suzuki.
EnumeratorNextUpdateIndexAndMode and HasIndexedProperty are different DFG
nodes. However,
they might introduce the same heap location kind in DFGClobberize.h which might
lead to
hash collision. We should introduce a new locationn kind for
EnumeratorNextUpdateIndexAndMode.
* JSTests/stress/heap-location-collision-dfg-clobberize.js: Added.
(foo):
* Source/JavaScriptCore/dfg/DFGClobberize.h:
(JSC::DFG::clobberize):
* Source/JavaScriptCore/dfg/DFGHeapLocation.cpp:
(WTF::printInternal):
* Source/JavaScriptCore/dfg/DFGHeapLocation.h:
* Source/JavaScriptCore/dfg/DFGInPlaceAbstractState.cpp:
(JSC::DFG::InPlaceAbstractState::endBasicBlock):
(JSC::DFG::InPlaceAbstractState::merge):
Canonical link: https://commits.webkit.org/263909@main
_______________________________________________
webkit-changes mailing list
[email protected]
https://lists.webkit.org/mailman/listinfo/webkit-changes