[webkit-changes] [WebKit/WebKit] 1352cc: Cherry-pick 267511@main (7a9106c7a56f). https://bu...

Tue, 19 Sep 2023 01:46:50 -0700 

  Branch: refs/heads/webkitglib/2.42
  Home:   https://github.com/WebKit/WebKit
  Commit: 1352cc06fa9f7f64f1b3fc5e9a47e904e6f57ba3
      
https://github.com/WebKit/WebKit/commit/1352cc06fa9f7f64f1b3fc5e9a47e904e6f57ba3
  Author: Joseph Griego <[email protected]>
  Date:   2023-09-19 (Tue, 19 Sep 2023)

  Changed paths:
    A 
JSTests/stress/typed-array-intrinsic-getter-with-conflicting-value-profile.js
    M Source/JavaScriptCore/dfg/DFGByteCodeParser.cpp

  Log Message:
  -----------
  Cherry-pick 267511@main (7a9106c7a56f). 
https://bugs.webkit.org/show_bug.cgi?id=260908

    [32 bit] DFG graph generation: intrinsic getters are fallible
    https://bugs.webkit.org/show_bug.cgi?id=260908

    Reviewed by Yusuke Suzuki.

    On 32-bit, unlike 64-bit, some of the DFG intrinsic getters (really, the
    TypedArray ones) are _fallible_: if the SpeculatedType doesn't match our
    expecations (a non-strict subset of SpecInt32Only), we refuse to generate 
code. [1]

    However, DFG::ByteCodeParser::handleGetById doesn't appear to handle this 
case
    gracefully--if `handleIntrinsicGetter` fails, we attempt to generate a call 
to
    the getter, but in the case of TypedArray intrinsics, we won't have the
    necessary CallLinkStatus and while attempting to do so, we crash.

    To fix this, I've added a bit of code that handles the failure from
    handleIntrinsicGetter and emits an ordinary `GetById` node instead of 
trying to
    inline anything for this op.

    I've added a test that demonstrates the current behavior (a segfault) on 
armv7
    and passes with tihs patch.

    [1] For what it's worth, maybe this shouldn't be the case: it does seem 
like we
    should still be able to generate code in these cases anyhow, but it's 
simpler to
    just cope with the failure.

    * 
JSTests/stress/typed-array-intrinsic-getter-with-conflicting-value-profile.js: 
Added.
    (foo):
    (i.null.foo.Object.create):
    (i.42.foo):
    * Source/JavaScriptCore/dfg/DFGByteCodeParser.cpp:
    (JSC::DFG::ByteCodeParser::handleGetById):

    Canonical link: https://commits.webkit.org/267511@main


_______________________________________________
webkit-changes mailing list
[email protected]
https://lists.webkit.org/mailman/listinfo/webkit-changes

Reply via email to