Attachment 358607 Details for Bug 193221 – Patch

[patch] Patch

bug-193221-20190108190736.patch (text/plain), 2.79 KB, created by Tadeu Zagallo on 2019-01-08 10:07:44 PST

(hide)

Description:

Filename:

MIME Type:

Creator: Tadeu Zagallo

Created: 2019-01-08 10:07:44 PST

Size: 2.79 KB

patch

obsolete

>Subversion Revision: 239704
>diff --git a/Source/JavaScriptCore/ChangeLog b/Source/JavaScriptCore/ChangeLog
>index 3063c6d563e6c7336cdc252dbd376fb56849cbe9..a20b0b1215fb54ec76e95f151f17a5c3290690ef 100644
>--- a/Source/JavaScriptCore/ChangeLog
>+++ b/Source/JavaScriptCore/ChangeLog
>@@ -1,3 +1,16 @@
>+2019-01-08  Tadeu Zagallo  <tzagallo@apple.com>
>+
>+        LLInt put_by_id uses the wrong load instruction for loading flags from the metadata
>+        https://bugs.webkit.org/show_bug.cgi?id=193221
>+
>+        Reviewed by Mark Lam.
>+
>+        The flags are only 4 bytes, but were loaded with loadp. It used to work,
>+        since the flags were followed by a 4-byte padding, but it broke after the
>+        struct was compacted in r239626.
>+
>+        * llint/LowLevelInterpreter64.asm:
>+
> 2019-01-07  Devin Rousso  <drousso@apple.com>
> 
>         Web Inspector: extend XHR breakpoints to work with fetch
>diff --git a/Source/JavaScriptCore/llint/LowLevelInterpreter64.asm b/Source/JavaScriptCore/llint/LowLevelInterpreter64.asm
>index 2e7ed9ecb6c4d62762565f40c20f4cea083600f7..eed2a0fb2231db565c4bbfe11d4c06c451d47faf 100644
>--- a/Source/JavaScriptCore/llint/LowLevelInterpreter64.asm
>+++ b/Source/JavaScriptCore/llint/LowLevelInterpreter64.asm
>@@ -1341,7 +1341,7 @@ llintOpWithMetadata(op_put_by_id, OpPutById, macro (size, get, dispatch, metadat
>     get(value, t1)
>     loadConstantOrVariable(size, t1, t3)
> 
>-    loadp OpPutById::Metadata::flags[t5], t1
>+    loadi OpPutById::Metadata::flags[t5], t1
> 
>     # At this point, we have:
>     # t0 -> object base
>diff --git a/JSTests/ChangeLog b/JSTests/ChangeLog
>index 12c1b7814fd12982d1b51de168fe824785acc29e..4620538efa1978f1fcca33198ffe6e3171b56d76 100644
>--- a/JSTests/ChangeLog
>+++ b/JSTests/ChangeLog
>@@ -1,3 +1,15 @@
>+2019-01-08  Tadeu Zagallo  <tzagallo@apple.com>
>+
>+        LLInt put_by_id uses the wrong load instruction for loading flags from the metadata
>+        https://bugs.webkit.org/show_bug.cgi?id=193221
>+
>+        Reviewed by Mark Lam.
>+
>+        * stress/put-by-id-flags.js: Added.
>+        (f):
>+        (g):
>+        (numberOfDFGCompiles):
>+
> 2019-01-04  Tadeu Zagallo  <tzagallo@apple.com>
> 
>         Baseline version of get_by_id may corrupt metadata
>diff --git a/JSTests/stress/put-by-id-flags.js b/JSTests/stress/put-by-id-flags.js
>new file mode 100644
>index 0000000000000000000000000000000000000000..f67fe16f57d13744fa01181e3fef929b82433295
>--- /dev/null
>+++ b/JSTests/stress/put-by-id-flags.js
>@@ -0,0 +1,23 @@
>+function f(x, y) {
>+    x.y = y;
>+};
>+
>+function g(x) {
>+    return x.y + 42;
>+}
>+noInline(f);
>+noInline(g);
>+
>+var x = {};
>+var y = {};
>+f(x, 42);
>+f(y, {});
>+
>+while (!numberOfDFGCompiles(g)) {
>+    optimizeNextInvocation(g);
>+    if (typeof g(x) !== 'number')
>+        throw 'failed warming up';
>+}
>+
>+if (typeof g(y) !== 'string')
>+    throw 'failed after compilation';

Actions: View | Formatted Diff | Diff

Attachments on bug 193221: 358546 | 358607