WebKit Bugzilla
Attachment 356684 Details for
Bug 192441
: speculationFromCell() should speculate non-Identifier strings as SpecString instead of SpecStringVar.
[patch]
proposed patch.
bug-192441.patch (text/plain), 3.32 KB, created by
Mark Lam
on 2018-12-05 17:36:21 PST
>Index: JSTests/ChangeLog >=================================================================== >--- JSTests/ChangeLog (revision 238918) >+++ JSTests/ChangeLog (working copy) >@@ -1,3 +1,13 @@ >+2018-12-05 Mark Lam <mark.lam@apple.com> >+ >+ speculationFromCell() should speculate non-Identifier strings as SpecString instead of SpecStringVar. >+ https://bugs.webkit.org/show_bug.cgi?id=192441 >+ <rdar://problem/46480355> >+ >+ Reviewed by NOBODY (OOPS!). >+ >+ * stress/regress-192441.js: Added. >+ > 2018-12-04 Mark Lam <mark.lam@apple.com> > > DFG's StrengthReduction phase should not reduce Construct into DirectContruct when the executable does not have constructAbility. >Index: JSTests/stress/regress-192441.js >=================================================================== >--- JSTests/stress/regress-192441.js (nonexistent) >+++ JSTests/stress/regress-192441.js (working copy) >@@ -0,0 +1,12 @@ >+//@ requireOptions("--jitPolicyScale=0") >+ >+// This test passes if it does not crash. >+ >+let x = {} >+let enUS = ['en', 'US'].join('-') >+for (let i=0; i<100; i++) { >+ Intl.NumberFormat(enUS) >+} >+for (let i=0; i<10000; i++) { >+ x[enUS] >+}; >Index: Source/JavaScriptCore/ChangeLog >=================================================================== >--- Source/JavaScriptCore/ChangeLog (revision 238916) >+++ Source/JavaScriptCore/ChangeLog (working copy) 
>@@ -1,3 +1,24 @@ >+2018-12-05 Mark Lam <mark.lam@apple.com> >+ >+ speculationFromCell() should speculate non-Identifier strings as SpecString instead of SpecStringVar. >+ https://bugs.webkit.org/show_bug.cgi?id=192441 >+ <rdar://problem/46480355> >+ >+ Reviewed by NOBODY (OOPS!). >+ >+ This is because a regular String (non-Identifier) can be converted into an >+ Identifier. During DFG/FTL compilation, AbstractValue::checkConsistency() may >+ expect a value to be of type SpecStringVar, but the mutator thread may have >+ converted the string into an Identifier. This creates a race where >+ AbstractValue::checkConsistency() may fail because it sees a SpecStringIdent when >+ it expects the a SpecStringVar. >+ >+ The fix is to speculate non-Identifier strings as type SpecString which allows it >+ to be SpecStringVar or SpecStringIndent. >+ >+ * bytecode/SpeculatedType.cpp: >+ (JSC::speculationFromCell): >+ > 2018-12-04 Mark Lam <mark.lam@apple.com> > > DFG's StrengthReduction phase should not reduce Construct into DirectContruct when the executable does not have constructAbility. >Index: Source/JavaScriptCore/bytecode/SpeculatedType.cpp >=================================================================== >--- Source/JavaScriptCore/bytecode/SpeculatedType.cpp (revision 238916) >+++ Source/JavaScriptCore/bytecode/SpeculatedType.cpp (working copy) >@@ -1,5 +1,5 @@ > /* >- * Copyright (C) 2011-2017 Apple Inc. All rights reserved. >+ * Copyright (C) 2011-2018 Apple Inc. All rights reserved. > * > * Redistribution and use in source and binary forms, with or without > * modification, are permitted provided that the following conditions >@@ -480,7 +480,7 @@ SpeculatedType speculationFromCell(JSCel > if (impl->isAtomic()) > return SpecStringIdent; > } >- return SpecStringVar; >+ return SpecString; > } > return speculationFromStructure(cell->structure()); > }
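Review bot: In JSTests/stress/regress-192441.js the only comment is "This test passes if it does not crash", which does not say what the two loops are for. The ChangeLog describes a race between DFG/FTL compilation and the mutator converting a string into an Identifier, so add a short comment stating which loop is meant to drive compilation and which operation on enUS is meant to turn the joined string into an Identifier. That lets a later reader judge whether the test still exercises the path. Minor style point: the last loop ends with a stray `};` while the other statements carry no semicolons.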
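Review bot: Two typos in the Source/JavaScriptCore/ChangeLog entry: "it expects the a SpecStringVar" should drop "the", and "SpecStringIndent" should read "SpecStringIdent" to match the name used in SpeculatedType.cpp. The entry also does not say whether widening the speculation from SpecStringVar to SpecString has any performance effect; one sentence on that would help the reviewer.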
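Review bot: At `return SpecString;` in speculationFromCell() (Source/JavaScriptCore/bytecode/SpeculatedType.cpp, hunk at line 480), the reason for not returning SpecStringVar is recorded only in the ChangeLog. Add a comment on that line saying that a non-Identifier string can be converted into an Identifier by the mutator while DFG/FTL compilation is in progress, so the speculation has to cover both SpecStringVar and SpecStringIdent. Without it, the return reads as an oversight next to the `return SpecStringIdent;` just above and is likely to be narrowed back in a later cleanup.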