Title: [200048] trunk/Source/_javascript_Core
Revision
200048
Author
[email protected]
Date
2016-04-25 13:59:39 -0700 (Mon, 25 Apr 2016)

Log Message

Crash using @tryGetById in DFG
https://bugs.webkit.org/show_bug.cgi?id=156992

Reviewed by Filip Pizlo.

We need to spill live registers when compiling TryGetById in DFG.

* dfg/DFGSpeculativeJIT.cpp:
(JSC::DFG::SpeculativeJIT::compileTryGetById):
* tests/stress/regress-156992.js: New test.
(tryMultipleGetByIds):
(test):

Modified Paths

trunk/Source/_javascript_Core/ChangeLog
trunk/Source/_javascript_Core/dfg/DFGSpeculativeJIT.cpp

Added Paths

trunk/Source/_javascript_Core/tests/stress/regress-156992.js
Diff

Modified: trunk/Source/_javascript_Core/ChangeLog (200047 => 200048)


--- trunk/Source/_javascript_Core/ChangeLog	2016-04-25 20:56:47 UTC (rev 200047)
+++ trunk/Source/_javascript_Core/ChangeLog	2016-04-25 20:59:39 UTC (rev 200048)
@@ -1,3 +1,18 @@
+2016-04-25  Michael Saboff  <[email protected]>
+
+        Crash using @tryGetById in DFG
+        https://bugs.webkit.org/show_bug.cgi?id=156992
+
+        Reviewed by Filip Pizlo.
+
+        We need to spill live registers when compiling TryGetById in DFG.
+
+        * dfg/DFGSpeculativeJIT.cpp:
+        (JSC::DFG::SpeculativeJIT::compileTryGetById):
+        * tests/stress/regress-156992.js: New test.
+        (tryMultipleGetByIds):
+        (test):
+
 2016-04-25  Saam barati  <[email protected]>
 
         We don't have to parse a function's parameters every time if the function is in the source provider cache
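Review bot: The ChangeLog entry says live registers must be spilled but not what went wrong with DontSpill at this site; one sentence naming the path that clobbered the live registers (the test's loop alternates two object shapes while earlier @tryGetById results are still live) would help anyone later auditing the remaining DontSpill callers of cachedGetById.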

Modified: trunk/Source/_javascript_Core/dfg/DFGSpeculativeJIT.cpp (200047 => 200048)


--- trunk/Source/_javascript_Core/dfg/DFGSpeculativeJIT.cpp	2016-04-25 20:56:47 UTC (rev 200047)
+++ trunk/Source/_javascript_Core/dfg/DFGSpeculativeJIT.cpp	2016-04-25 20:59:39 UTC (rev 200048)
@@ -976,7 +976,7 @@
 
         base.use();
 
-        cachedGetById(node->origin.semantic, baseRegs, resultRegs, node->identifierNumber(), JITCompiler::Jump(), DontSpill, AccessType::GetPure);
+        cachedGetById(node->origin.semantic, baseRegs, resultRegs, node->identifierNumber(), JITCompiler::Jump(), NeedToSpill, AccessType::GetPure);
 
         jsValueResult(resultRegs, node, DataFormatJS, UseChildrenCalledExplicitly);
         break;
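Review bot: Flipping DontSpill to NeedToSpill on the cachedGetById call is the whole fix, yet nothing at the call site records why the previous setting was unsafe, so a future cleanup could revert it; add a short comment above the call, e.g. `// Live registers must be spilled here; see tests/stress/regress-156992.js`, and confirm that any other cachedGetById callers in this file still passing DontSpill are intentional.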

Added: trunk/Source/_javascript_Core/tests/stress/regress-156992.js (0 => 200048)


--- trunk/Source/_javascript_Core/tests/stress/regress-156992.js	                        (rev 0)
+++ trunk/Source/_javascript_Core/tests/stress/regress-156992.js	2016-04-25 20:59:39 UTC (rev 200048)
@@ -0,0 +1,33 @@
+// Verify that DFG TryGetById nodes properly save live registers.  This test should not crash.
+
+function tryMultipleGetByIds() { return '(function (base) { return @tryGetById(base, "value1") + @tryGetById(base, "value2") + @tryGetById(base, "value3"); })'; } 
+
+
+let get = createBuiltin(tryMultipleGetByIds());
+noInline(get);
+
+function test() {
+    let obj1 = {
+        value1: "Testing, ",
+        value2: "testing, ",
+        value3: "123",
+        expected: "Testing, testing, 123"
+    };
+    let obj2 = {
+        extraFieldToMakeThisObjectDifferentThanObj1: 42,
+        value1: 20,
+        value2: 10,
+        value3: 12,
+        expected: 42
+    };
+
+    let objects = [obj1, obj2];
+
+    for (let i = 0; i < 200000; i++) {
+        let obj = objects[i % 2];
+        if (get(obj) !== obj.expected)
+            throw new Error("wrong on iteration: " + i);
+    }
+}
+
+test();
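Review bot: The tryMultipleGetByIds line ends with trailing whitespace and is followed by two consecutive blank lines; drop both. The header comment says only that the test should not crash, but the reason it exercises the bug (the loop alternates obj1 and obj2, which have different shapes, so the later @tryGetById lookups run while the earlier results are still live) is not stated; extending the comment with that one sentence would make the test's intent clear to whoever next touches compileTryGetById.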
_______________________________________________
webkit-changes mailing list
[email protected]
https://lists.webkit.org/mailman/listinfo/webkit-changes