Title: [200113] trunk/Source/_javascript_Core
- Revision
- 200113
- Author
- [email protected]
- Date
- 2016-04-26 16:26:19 -0700 (Tue, 26 Apr 2016)
Log Message
[JSC] GetByVal on Undecided use its children before its OSR Exit
https://bugs.webkit.org/show_bug.cgi?id=157046
Patch by Benjamin Poulain <[email protected]> on 2016-04-26
Reviewed by Mark Lam.
Very silly bug: GetByVal on Undecided uses its children before
the speculationCheck(). If we fail the speculation, we have already
lost how to recover the values.
The existing tests did not catch this because we tier up to B3
before such Exits happen. B3 has explicit liveness and did not suffer
from this bug.
The new test has a smaller warmup to exercise the OSR Exit in DFG
instead of FTL.
* dfg/DFGSpeculativeJIT64.cpp:
(JSC::DFG::SpeculativeJIT::compile):
* tests/stress/get-by-val-on-undecided-out-of-bounds.js: Added.
(string_appeared_here.opaqueGetByValKnownArray):
Diff
Modified: trunk/Source/_javascript_Core/ChangeLog (200112 => 200113)
--- trunk/Source/_javascript_Core/ChangeLog 2016-04-26 23:09:57 UTC (rev 200112)
+++ trunk/Source/_javascript_Core/ChangeLog 2016-04-26 23:26:19 UTC (rev 200113)
@@ -1,3 +1,25 @@
+2016-04-26 Benjamin Poulain <[email protected]>
+
+ [JSC] GetByVal on Undecided use its children before its OSR Exit
+ https://bugs.webkit.org/show_bug.cgi?id=157046
+
+ Reviewed by Mark Lam.
+
+ Very silly bug: GetByVal on Undecided uses its children before
+ the speculationCheck(). If we fail the speculation, we have already
+ lost how to recover the values.
+
+ The existing tests did not catch this because we tier up to B3
+ before such Exits happen. B3 has explicit liveness and did not suffer
+ from this bug.
+ The new test has a smaller warmup to exercise the OSR Exit in DFG
+ instead of FTL.
+
+ * dfg/DFGSpeculativeJIT64.cpp:
+ (JSC::DFG::SpeculativeJIT::compile):
+ * tests/stress/get-by-val-on-undecided-out-of-bounds.js: Added.
+ (string_appeared_here.opaqueGetByValKnownArray):
+
2016-04-26 Skachkov Oleksandr <[email protected]>
calling super() a second time in a constructor should throw
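Review bot: the function-list entry `(string_appeared_here.opaqueGetByValKnownArray)` in the new ChangeLog block is prepare-ChangeLog mis-parsing the top-level `"use strict"` directive of the test file as an enclosing scope; it should read `(opaqueGetByValKnownArray):` so the entry matches the function actually added in tests/stress/get-by-val-on-undecided-out-of-bounds.js.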
Modified: trunk/Source/_javascript_Core/dfg/DFGSpeculativeJIT64.cpp (200112 => 200113)
--- trunk/Source/_javascript_Core/dfg/DFGSpeculativeJIT64.cpp 2016-04-26 23:09:57 UTC (rev 200112)
+++ trunk/Source/_javascript_Core/dfg/DFGSpeculativeJIT64.cpp 2016-04-26 23:26:19 UTC (rev 200113)
@@ -2554,12 +2554,12 @@
GPRReg indexGPR = index.gpr();
GPRReg resultGPR = result.gpr();
+ speculationCheck(OutOfBounds, JSValueRegs(), node,
+ m_jit.branch32(MacroAssembler::LessThan, indexGPR, MacroAssembler::TrustedImm32(0)));
+
use(node->child1());
index.use();
- speculationCheck(OutOfBounds, JSValueRegs(), node,
- m_jit.branch32(MacroAssembler::LessThan, indexGPR, MacroAssembler::TrustedImm32(0)));
-
m_jit.move(MacroAssembler::TrustedImm64(ValueUndefined), resultGPR);
jsValueResult(resultGPR, node, UseChildrenCalledExplicitly);
break;
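Review bot: the reordering is correct, but the reason should be recorded at the call site. `speculationCheck(OutOfBounds, ...)` has to precede `use(node->child1())` and `index.use()` because the OSR exit it emits needs the children still available to recover their values; once `use()` has released them, an exit taken on the `indexGPR < 0` branch has nothing to restore, which is exactly the bug being fixed. A one-line comment above the check, e.g. `// Speculate before use(): the OSR exit must be able to recover the children.`, would stop a future edit from swapping the order back, since the result is still tagged `UseChildrenCalledExplicitly` and nothing else in the block makes the ordering constraint visible.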
Added: trunk/Source/_javascript_Core/tests/stress/get-by-val-on-undecided-out-of-bounds.js (0 => 200113)
--- trunk/Source/_javascript_Core/tests/stress/get-by-val-on-undecided-out-of-bounds.js (rev 0)
+++ trunk/Source/_javascript_Core/tests/stress/get-by-val-on-undecided-out-of-bounds.js 2016-04-26 23:26:19 UTC (rev 200113)
@@ -0,0 +1,20 @@
+"use strict"
+
+function opaqueGetByValKnownArray(value)
+{
+ let array = [];
+ return array[value];
+}
+noInline(opaqueGetByValKnownArray);
+
+// Warm up without out-of-bounds access.
+for (let i = 0; i < 1e3; ++i) {
+ if (opaqueGetByValKnownArray(0) !== undefined)
+ throw "Failed opaqueGetByValKnownArray(0)";
+}
+
+// Then access out of bounds.
+for (let i = 0; i < 1e3; ++i) {
+ if (opaqueGetByValKnownArray(-1) !== undefined)
+ throw "Failed opaqueGetByValKnownArray(-1)";
+}
\ No newline at end of file
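Review bot: the file lacks a trailing newline (`\ No newline at end of file`); please add one. More importantly, the test only works because the `1e3` warm-up iterations are few enough that the out-of-bounds call exits from the DFG rather than after FTL tier-up, which is the whole point of the test per the ChangeLog; a comment on the first loop stating that the count is deliberately kept below the FTL threshold would keep someone from raising it later and silently losing the coverage. The `-1` index is the right probe here since the removed check is the `indexGPR < 0` branch, and `"use strict"` at the top keeps the `let` bindings honest.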
_______________________________________________
webkit-changes mailing list
[email protected]
https://lists.webkit.org/mailman/listinfo/webkit-changes