Attachment 348874 Details for Bug 189285 – proposed patch.

[patch] proposed patch.

bug-189285.patch (text/plain), 3.49 KB, created by Mark Lam on 2018-09-04 16:54:10 PDT

(hide)

Description:

Filename:

MIME Type:

Creator: Mark Lam

Created: 2018-09-04 16:54:10 PDT

Size: 3.49 KB

patch

obsolete

>Index: JSTests/ChangeLog
>===================================================================
>--- JSTests/ChangeLog	(revision 235647)
>+++ JSTests/ChangeLog	(working copy)
>@@ -1,3 +1,13 @@
>+2018-09-04  Mark Lam  <mark.lam@apple.com>
>+
>+        ASSERTION FAILED: size is 0 MarkedSpace::sizeClassToIndex().
>+        https://bugs.webkit.org/show_bug.cgi?id=189285
>+        <rdar://problem/39380095>
>+
>+        Reviewed by NOBODY (OOPS!).
>+
>+        * stress/regress-189285.js: Added.
>+
> 2018-09-04  David Fenton  <david_fenton@apple.com>
> 
>         Skip Test on 32-bit platforms.
>Index: JSTests/stress/regress-189285.js
>===================================================================
>--- JSTests/stress/regress-189285.js	(nonexistent)
>+++ JSTests/stress/regress-189285.js	(working copy)
>@@ -0,0 +1,5 @@
>+//@ requireOptions("--useConcurrentJIT=false", "--jitPolicyScale=0");
>+
>+// This test passes if it does not crash.
>+for (let loop = 0; loop < 10000; loop++)
>+    new Float64Array(0);
>Index: Source/JavaScriptCore/ChangeLog
>===================================================================
>--- Source/JavaScriptCore/ChangeLog	(revision 235627)
>+++ Source/JavaScriptCore/ChangeLog	(working copy)
>@@ -1,3 +1,18 @@
>+2018-09-04  Mark Lam  <mark.lam@apple.com>
>+
>+        ASSERTION FAILED: size is 0 MarkedSpace::sizeClassToIndex().
>+        https://bugs.webkit.org/show_bug.cgi?id=189285
>+        <rdar://problem/39380095>
>+
>+        Reviewed by NOBODY (OOPS!).
>+
>+        Make FTL's compileNewTypedArray() handle a constant 0 size the same way that
>+        DFG::SpeculativeJIT::compileNewArrayWithSize() does, i.e. let the slow path
>+        handle it.
>+
>+        * ftl/FTLLowerDFGToB3.cpp:
>+        (JSC::FTL::DFG::LowerDFGToB3::allocatorForSize):
>+
> 2018-09-04  Mark Lam  <mark.lam@apple.com>
> 
>         Make the jsc shell print, printErr, and debug functions more robust.
>Index: Source/JavaScriptCore/ftl/FTLLowerDFGToB3.cpp
>===================================================================
>--- Source/JavaScriptCore/ftl/FTLLowerDFGToB3.cpp	(revision 235627)
>+++ Source/JavaScriptCore/ftl/FTLLowerDFGToB3.cpp	(working copy)
>@@ -13150,17 +13150,17 @@ private:
>         if (subspace->hasIntPtr() && size->hasIntPtr()) {
>             CompleteSubspace* actualSubspace = bitwise_cast<CompleteSubspace*>(subspace->asIntPtr());
>             size_t actualSize = size->asIntPtr();
>-            
>-            Allocator actualAllocator = actualSubspace->allocatorForNonVirtual(actualSize, AllocatorForMode::AllocatorIfExists);
>-            if (!actualAllocator) {
>-                LBasicBlock continuation = m_out.newBlock();
>-                LBasicBlock lastNext = m_out.insertNewBlocksBefore(continuation);
>-                m_out.jump(slowPath);
>-                m_out.appendTo(continuation, lastNext);
>-                return m_out.intPtrZero;
>+            if (actualSize) {
>+                Allocator actualAllocator = actualSubspace->allocatorForNonVirtual(actualSize, AllocatorForMode::AllocatorIfExists);
>+                if (actualAllocator)
>+                    return m_out.constIntPtr(actualAllocator.localAllocator());
>             }
>-            
>-            return m_out.constIntPtr(actualAllocator.localAllocator());
>+
>+            LBasicBlock continuation = m_out.newBlock();
>+            LBasicBlock lastNext = m_out.insertNewBlocksBefore(continuation);
>+            m_out.jump(slowPath);
>+            m_out.appendTo(continuation, lastNext);
>+            return m_out.intPtrZero;
>         }
>         
>         unsigned stepShift = getLSBSet(MarkedSpace::sizeStep);

Actions: View | Formatted Diff | Diff

Attachments on bug 189285: 348874 | 348900