Branch: refs/heads/main
Home: https://github.com/WebKit/WebKit
Commit: ac09d743b1828ad9f6e86626db9b4bd3cf00e285
https://github.com/WebKit/WebKit/commit/ac09d743b1828ad9f6e86626db9b4bd3cf00e285
Author: Yusuke Suzuki <[email protected]>
Date: 2025-06-04 (Wed, 04 Jun 2025)
Changed paths:
A JSTests/stress/dfg-ai-should-reduce-new-array-with-spread-structures.js
M Source/JavaScriptCore/dfg/DFGAbstractInterpreterInlines.h
M Source/JavaScriptCore/ftl/FTLLowerDFGToB3.cpp
Log Message:
-----------
Null pointer dereference in JavaScriptCore llint_op_call.
https://bugs.webkit.org/show_bug.cgi?id=288814
rdar://145826169
Reviewed by Keith Miller.
DFG AI should continuously reduce the abstract value's possibility,
otherwise the constant folding will remove some nodes based on the
previous decision. NewArrayWithSpread says that it returns a CoW array
with one argument (Spread for example), but later, when it gets
converted to PhantomSpread and PhantomNewArrayBuffer with a non-contiguous
CoW immutable butterfly, then it starts saying that it returns a non-CoW
array. It is possible that we already removed some of the DFG nodes based on
the previous assumption, and changing this causes a bug that we may miss
the necessary checks. This patch makes this node return CoW contiguous
array for PhantomSpread(PhantomNewArrayBuffer) case regardless so that
we can avoid this problem.
* JSTests/stress/dfg-ai-should-reduce-new-array-with-spread-structures.js:
Added.
(i.f11):
(i.C13):
* Source/JavaScriptCore/dfg/DFGAbstractInterpreterInlines.h:
(JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
* Source/JavaScriptCore/ftl/FTLLowerDFGToB3.cpp:
(JSC::FTL::DFG::LowerDFGToB3::compileNewArrayWithSpread):
(JSC::FTL::DFG::LowerDFGToB3::createContiguousImmutableButterflyFromPhantomNewArrayBuffer):
(JSC::FTL::DFG::LowerDFGToB3::createContiguousImmutableButterflyFromPhantomCreateRest):
(JSC::FTL::DFG::LowerDFGToB3::compileSpread):
Originally-landed-as: 289651.293@safari-7621-branch (4c7737fa3c68).
rdar://151710409
Canonical link: https://commits.webkit.org/295832@main
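Added here as an illustration, not WebKit code: a small Python model of the invariant the commit message relies on. Across passes, an abstract interpreter may only narrow a node's abstract value, because constant folding may already have deleted a check on the strength of the earlier, narrower answer. The model replays the two situations the message describes (the node first claims a CoW array, then, once its argument has become a phantom, claims "anything") and shows the check that goes missing, then replays it with the node forced to return a CoW contiguous array in both cases. All names (`Kind`, `Node`, `run_phase`, `simulate`, `CheckCoW`) are invented for this model and are not DFG identifiers.

```python
"""Constructed model of the abstract-interpretation invariant behind this fix.
Toy code for illustration only; none of it is JavaScriptCore code."""
from __future__ import annotations

from dataclasses import dataclass
from enum import Enum, auto


class Kind(Enum):
    """The two result shapes the commit message talks about."""
    COW_CONTIGUOUS = auto()   # immutable copy-on-write contiguous butterfly
    NON_COW = auto()          # ordinary mutable array


@dataclass
class Node:
    name: str
    op: str                          # "NewArrayWithSpread" or "CheckCoW" (invented)
    child: str | None = None         # input node for CheckCoW
    spread_is_phantom: bool = False  # set once Spread became PhantomSpread
    removed: bool = False            # constant folding deleted this node


def abstract_result(node: Node, node_returns_cow_regardless: bool) -> frozenset:
    """What the AI claims NewArrayWithSpread returns.

    Before the fix the claim depends on whether the argument has already been
    turned into PhantomSpread; with node_returns_cow_regardless=True (the fix)
    the node produces a CoW contiguous array in both cases."""
    if not node.spread_is_phantom or node_returns_cow_regardless:
        return frozenset({Kind.COW_CONTIGUOUS})
    return frozenset(Kind)           # "could be anything", including non-CoW


def widened(old: frozenset | None, new: frozenset) -> bool:
    """True if a later pass re-admits possibilities an earlier pass ruled out."""
    return old is not None and not new <= old


def run_phase(nodes: dict, values: dict, fixed: bool) -> list[str]:
    """One AI + constant-folding pass. Returns invariant violations found."""
    violations = []
    for n in nodes.values():
        if n.op == "NewArrayWithSpread":
            new = abstract_result(n, fixed)
            if widened(values.get(n.name), new):
                violations.append(
                    f"{n.name}: {set(values[n.name])} widened to {set(new)}")
            values[n.name] = new
        elif n.op == "CheckCoW" and not n.removed:
            # Constant folding: the check is provably redundant if the AI says
            # the input is definitely a CoW array, so it is deleted.
            if values[n.child] == {Kind.COW_CONTIGUOUS}:
                n.removed = True
    return violations


def simulate(fixed: bool) -> dict:
    """Two passes: the second runs after Spread has become PhantomSpread."""
    nodes = {
        "arr": Node("arr", "NewArrayWithSpread"),
        "chk": Node("chk", "CheckCoW", child="arr"),
    }
    values: dict = {}
    v1 = run_phase(nodes, values, fixed)
    nodes["arr"].spread_is_phantom = True   # a later pass rewrote the argument
    v2 = run_phase(nodes, values, fixed)
    final = values["arr"]
    return {
        "check_removed": nodes["chk"].removed,
        "final_kinds": final,
        "violations": v1 + v2,
        # The bug: the check is gone, yet the value may now be non-CoW.
        "missed_check": nodes["chk"].removed and Kind.NON_COW in final,
    }


if __name__ == "__main__":
    for fixed in (False, True):
        print("after fix" if fixed else "before fix", simulate(fixed))
```

Running it prints a `missed_check` of `True` for the pre-fix scenario together with one widening violation, and `False` with no violations once the node returns a CoW contiguous array regardless. The `widened` check is the kind of assertion a compiler engineer can keep in a debug build to catch this class of bug early, independently of which node is at fault.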
webkit-changes mailing list
[email protected]
https://lists.webkit.org/mailman/listinfo/webkit-changes