[webkit-changes] [180505] trunk/Source/JavaScriptCore

[fpizlo]

Title: [180505] trunk/Source/_javascript_Core

Revision

180505

Author

fpi...@apple.com

Date

2015-02-23 10:03:49 -0800 (Mon, 23 Feb 2015)

Log Message

Crash in DFGFrozenValue
https://bugs.webkit.org/show_bug.cgi?id=141883

Reviewed by Benjamin Poulain.
        
If a value might be a cell, then we have to have Graph freeze it rather than trying to
create the FrozenValue directly. Creating it directly is just an optimization for when you
know for sure that it cannot be a cell.

* dfg/DFGAbstractInterpreterInlines.h:
(JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
* tests/stress/regress-141883.js: Added. Hacked the original test to be faster while still crashing before this fix.

Modified Paths

• trunk/Source/_javascript_Core/ChangeLog
• trunk/Source/_javascript_Core/dfg/DFGAbstractInterpreterInlines.h

Added Paths

• trunk/Source/_javascript_Core/tests/stress/regress-141883.js

Diff

Modified: trunk/Source/_javascript_Core/ChangeLog (180504 => 180505)

--- trunk/Source/_javascript_Core/ChangeLog	2015-02-23 17:42:36 UTC (rev 180504)
+++ trunk/Source/_javascript_Core/ChangeLog	2015-02-23 18:03:49 UTC (rev 180505)
@@ -1,3 +1,18 @@
+2015-02-22  Filip Pizlo  <fpi...@apple.com>
+
+        Crash in DFGFrozenValue
+        https://bugs.webkit.org/show_bug.cgi?id=141883
+
+        Reviewed by Benjamin Poulain.
+        
+        If a value might be a cell, then we have to have Graph freeze it rather than trying to
+        create the FrozenValue directly. Creating it directly is just an optimization for when you
+        know for sure that it cannot be a cell.
+
+        * dfg/DFGAbstractInterpreterInlines.h:
+        (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
+        * tests/stress/regress-141883.js: Added. Hacked the original test to be faster while still crashing before this fix.
+
 2015-02-21  Joseph Pecoraro  <pecor...@apple.com>
 
         Web Inspector: Generate Previews more often for RemoteObject interaction

Modified: trunk/Source/_javascript_Core/dfg/DFGAbstractInterpreterInlines.h (180504 => 180505)

--- trunk/Source/_javascript_Core/dfg/DFGAbstractInterpreterInlines.h	2015-02-23 17:42:36 UTC (rev 180504)
+++ trunk/Source/_javascript_Core/dfg/DFGAbstractInterpreterInlines.h	2015-02-23 18:03:49 UTC (rev 180505)
@@ -278,7 +278,7 @@
             if (concreteValue.isBoolean())
                 setConstant(node, jsNumber(concreteValue.asBoolean()));
             else
-                setConstant(node, concreteValue);
+                setConstant(node, *m_graph.freeze(concreteValue));
             break;
         }
         AbstractValue& value = forNode(node);

Added: trunk/Source/_javascript_Core/tests/stress/regress-141883.js (0 => 180505)

--- trunk/Source/_javascript_Core/tests/stress/regress-141883.js	                        (rev 0)
+++ trunk/Source/_javascript_Core/tests/stress/regress-141883.js	2015-02-23 18:03:49 UTC (rev 180505)
@@ -0,0 +1,11 @@
+(function() {
+var b=!2;
+var n = 1e4;
+for(i = 0; i< n; i++) {
+b[b=this];
+for (var i = 0; i < n; i++) {
+  if (a = b*3) {
+  }
+}
+}
+})()

_______________________________________________
webkit-changes mailing list
webkit-changes@lists.webkit.org
https://lists.webkit.org/mailman/listinfo/webkit-changes