WebKit Bugzilla
Attachment 349931 Details for
Bug 189676
: We must convert ProfileType to CheckStructureOrEmpty instead of CheckStructure
Home
|
New
|
Browse
|
Search
|
[?]
|
Reports
|
Requests
|
Help
|
New Account
|
Log In
Remember
[x]
|
Forgot Password
Login:
[x]
[patch]
patch
a-backup.diff (text/plain), 3.66 KB, created by
Saam Barati
on 2018-09-17 13:25:57 PDT
(
hide
)
Description:
patch
Filename:
MIME Type:
Creator:
Saam Barati
Created:
2018-09-17 13:25:57 PDT
Size:
3.66 KB
patch
obsolete
>Index: JSTests/ChangeLog >=================================================================== >--- JSTests/ChangeLog (revision 236078) >+++ JSTests/ChangeLog (working copy) >@@ -1,3 +1,16 @@ >+2018-09-17 Saam barati <sbarati@apple.com> >+ >+ We must convert ProfileType to CheckStructureOrEmpty instead of CheckStructure >+ https://bugs.webkit.org/show_bug.cgi?id=189676 >+ <rdar://problem/39682897> >+ >+ Reviewed by NOBODY (OOPS!). >+ >+ * typeProfiler/check-structure-or-empty-in-fixup.js: Added. >+ (A): >+ (K): >+ (i.catch): >+ > 2018-09-14 Saam barati <sbarati@apple.com> > > Don't dump OSRAvailabilityData in Graph::dump because a stale Availability may point to a Node that is already freed >Index: JSTests/typeProfiler/check-structure-or-empty-in-fixup.js >=================================================================== >--- JSTests/typeProfiler/check-structure-or-empty-in-fixup.js (nonexistent) >+++ JSTests/typeProfiler/check-structure-or-empty-in-fixup.js (working copy) >@@ -0,0 +1,16 @@ >+class A { >+} >+class K extends A { >+ constructor(i) { >+ if (i % 2 !== 0) >+ super(); >+ if (i % 2 === 0 && maxCount !== i) >+ super(); >+ } >+} >+let maxCount = 150000; >+for (var i = 0; i <= maxCount; i++) { >+ try { >+ new K(i); >+ } catch(e) { } >+} >Index: Source/JavaScriptCore/ChangeLog >=================================================================== >--- Source/JavaScriptCore/ChangeLog (revision 236078) >+++ Source/JavaScriptCore/ChangeLog (working copy) >@@ -1,3 +1,22 @@ >+2018-09-17 Saam barati <sbarati@apple.com> >+ >+ We must convert ProfileType to CheckStructureOrEmpty instead of CheckStructure >+ https://bugs.webkit.org/show_bug.cgi?id=189676 >+ <rdar://problem/39682897> >+ >+ Reviewed by NOBODY (OOPS!). >+ >+ Because the incoming value may be TDZ, CheckStructure may end up crashing. >+ Since the Type Profile does not currently record TDZ values in any of its >+ data structures, this is not a semantic change in how it will show you data. >+ It just fixes crashes when we emit a CheckStructure and the incoming value >+ is TDZ. >+ >+ * dfg/DFGFixupPhase.cpp: >+ (JSC::DFG::FixupPhase::fixupNode): >+ * dfg/DFGNode.h: >+ (JSC::DFG::Node::convertToCheckStructureOrEmpty): >+ > 2018-09-17 Darin Adler <darin@apple.com> > > Use OpaqueJSString rather than JSRetainPtr inside WebKit >Index: Source/JavaScriptCore/dfg/DFGFixupPhase.cpp >=================================================================== >--- Source/JavaScriptCore/dfg/DFGFixupPhase.cpp (revision 236078) >+++ Source/JavaScriptCore/dfg/DFGFixupPhase.cpp (working copy) >@@ -1783,7 +1783,7 @@ private: > } > if (!set.isEmpty()) { > fixEdge<CellUse>(node->child1()); >- node->convertToCheckStructure(m_graph.addStructureSet(set)); >+ node->convertToCheckStructureOrEmpty(m_graph.addStructureSet(set)); > } > } > >Index: Source/JavaScriptCore/dfg/DFGNode.h >=================================================================== >--- Source/JavaScriptCore/dfg/DFGNode.h (revision 236078) >+++ Source/JavaScriptCore/dfg/DFGNode.h (working copy) >@@ -461,6 +461,15 @@ public: > m_opInfo = set; > } > >+ void convertToCheckStructureOrEmpty(RegisteredStructureSet* set) >+ { >+ if (SpecCellCheck & SpecEmpty) >+ setOpAndDefaultFlags(CheckStructureOrEmpty); >+ else >+ setOpAndDefaultFlags(CheckStructure); >+ m_opInfo = set; >+ } >+ > void convertCheckStructureOrEmptyToCheckStructure() > { > ASSERT(op() == CheckStructureOrEmpty);
<b>You cannot view the attachment while viewing its details because your browser does not support IFRAMEs. <a href="attachment.cgi?id=349931">View the attachment on a separate page</a>.</b>
View Attachment As Diff
View Attachment As Raw
Actions:
View
|
Formatted Diff
|
Diff
Attachments on
bug 189676
: 349931