WebKit Bugzilla
Attachment 359853 Details for
Bug 193709
: REGRESSION(r239612) Crash at runtime due to broken DFG assumption
[patch]
Patch for landing
bug-193709-20190122215223.patch (text/plain), 38.55 KB, created by
Yusuke Suzuki
on 2019-01-22 21:52:24 PST
Description:
Patch for landing
Filename:
MIME Type:
Creator:
Yusuke Suzuki
Created:
2019-01-22 21:52:24 PST
Size:
38.55 KB
patch
obsolete
>Subversion Revision: 240325
>diff --git a/Source/JavaScriptCore/ChangeLog b/Source/JavaScriptCore/ChangeLog
>index 7f4e88ab8b7d55ad9fc606956f8fd2149e81609f..4d468ef94484eb8a15edc46f1fa3275cbc6ef77b 100644
>--- a/Source/JavaScriptCore/ChangeLog
>+++ b/Source/JavaScriptCore/ChangeLog
>@@ -1,3 +1,53 @@
>+2019-01-22 Yusuke Suzuki <ysuzuki@apple.com>
>+
>+ REGRESSION(r239612) Crash at runtime due to broken DFG assumption
>+ https://bugs.webkit.org/show_bug.cgi?id=193709
>+ <rdar://problem/47363838>
>+
>+ Unreviewed, rollout to watch the tests.
>+
>+ * JavaScriptCore.xcodeproj/project.pbxproj:
>+ * dfg/DFGAbstractInterpreterInlines.h:
>+ (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
>+ * dfg/DFGByteCodeParser.cpp:
>+ (JSC::DFG::ByteCodeParser::handleIntrinsicCall):
>+ * dfg/DFGClobberize.h:
>+ (JSC::DFG::clobberize):
>+ * dfg/DFGDoesGC.cpp:
>+ (JSC::DFG::doesGC):
>+ * dfg/DFGFixupPhase.cpp:
>+ (JSC::DFG::FixupPhase::fixupNode):
>+ (JSC::DFG::FixupPhase::fixupObjectToString): Deleted.
>+ * dfg/DFGNodeType.h:
>+ * dfg/DFGOperations.cpp:
>+ * dfg/DFGOperations.h:
>+ * dfg/DFGPredictionPropagationPhase.cpp:
>+ * dfg/DFGSafeToExecute.h:
>+ (JSC::DFG::safeToExecute):
>+ * dfg/DFGSpeculativeJIT.cpp:
>+ (JSC::DFG::SpeculativeJIT::compileObjectToString): Deleted.
>+ * dfg/DFGSpeculativeJIT.h:
>+ * dfg/DFGSpeculativeJIT32_64.cpp:
>+ (JSC::DFG::SpeculativeJIT::compile):
>+ * dfg/DFGSpeculativeJIT64.cpp:
>+ (JSC::DFG::SpeculativeJIT::compile):
>+ * ftl/FTLAbstractHeapRepository.h:
>+ * ftl/FTLCapabilities.cpp:
>+ (JSC::FTL::canCompile):
>+ * ftl/FTLLowerDFGToB3.cpp:
>+ (JSC::FTL::DFG::LowerDFGToB3::compileNode):
>+ (JSC::FTL::DFG::LowerDFGToB3::compileToStringOrCallStringConstructorOrStringValueOf):
>+ (JSC::FTL::DFG::LowerDFGToB3::compileObjectToString): Deleted.
>+ * runtime/Intrinsic.cpp:
>+ (JSC::intrinsicName):
>+ * runtime/Intrinsic.h:
>+ * runtime/ObjectPrototype.cpp:
>+ (JSC::ObjectPrototype::finishCreation):
>+ (JSC::objectProtoFuncToString):
>+ * runtime/ObjectPrototype.h:
>+ * runtime/ObjectPrototypeInlines.h: Removed.
>+ * runtime/StructureRareData.h:
>+
> 2019-01-22 Devin Rousso <drousso@apple.com>
>
> Web Inspector: expose Audit and Recording versions to the frontend
>diff --git a/Source/JavaScriptCore/JavaScriptCore.xcodeproj/project.pbxproj b/Source/JavaScriptCore/JavaScriptCore.xcodeproj/project.pbxproj
>index 852cc04e9403d9506530e619c7f6187119addacb..40ada2a2f534ec86d691a6fb3b636cabe215b779 100644
>--- a/Source/JavaScriptCore/JavaScriptCore.xcodeproj/project.pbxproj
>+++ b/Source/JavaScriptCore/JavaScriptCore.xcodeproj/project.pbxproj
>@@ -7014,7 +7014,6 @@
> E3C295DC1ED2CBAA00D3016F /* ObjectPropertyChangeAdaptiveWatchpoint.h */,
> BC2680C80E16D4E900A06E92 /* ObjectPrototype.cpp */,
> BC2680C90E16D4E900A06E92 /* ObjectPrototype.h */,
>- 6D0CC9E1CBC149AB8F403434 /* ObjectPrototypeInlines.h */,
> F692A8770255597D01FF60F7 /* Operations.cpp */,
> F692A8780255597D01FF60F7 /* Operations.h */,
> 0FE228EA1436AB2300196C48 /* Options.cpp */,
>@@ -9463,7 +9462,6 @@
> 0FD3E40A1B618B6600C80E1E /* ObjectPropertyCondition.h in Headers */,
> 0FD3E40C1B618B6600C80E1E /* ObjectPropertyConditionSet.h in Headers */,
> BC18C4460E16F5CD00B34460 /* ObjectPrototype.h in Headers */,
>- 5E158AC350BC4EC7877DC0F4 /* ObjectPrototypeInlines.h in Headers */,
> E124A8F70E555775003091F1 /* OpaqueJSString.h in Headers */,
> 14F79F70216EAFD200046D39 /* Opcode.h in Headers */,
> FE64872E2141D04800AB0D3E /* OpcodeInlines.h in Headers */,
>diff --git a/Source/JavaScriptCore/dfg/DFGAbstractInterpreterInlines.h b/Source/JavaScriptCore/dfg/DFGAbstractInterpreterInlines.h
>index b966adcbf7a50e1fd07d836118eb81088ef8b58e..7581a1a7746e9870e79f92e2178fbd2c9759226d 100644
>--- a/Source/JavaScriptCore/dfg/DFGAbstractInterpreterInlines.h
>+++ b/Source/JavaScriptCore/dfg/DFGAbstractInterpreterInlines.h
>@@ -2635,24 +2635,6 @@ bool AbstractInterpreter<AbstractStateType>::executeEffects(unsigned clobberLimi
> break;
> }
>
>- case ObjectToString: {
>- AbstractValue& source = forNode(node->child1());
>- bool clobbering = node->child1().useKind() != OtherUse;
>- if (JSValue sourceValue = source.m_value) {
>- if (sourceValue.isUndefinedOrNull()) {
>- if (clobbering)
>- didFoldClobberWorld();
>- setConstant(node, *m_graph.freeze(sourceValue.isUndefined() ? m_vm.smallStrings.undefinedObjectString() : m_vm.smallStrings.nullObjectString()));
>- break;
>- }
>- }
>-
>- if (clobbering)
>- clobberWorld();
>- setTypeForNode(node, SpecString);
>- break;
>- }
>-
> case ToObject:
> case CallObjectConstructor: {
> AbstractValue& source = forNode(node->child1());
>diff --git a/Source/JavaScriptCore/dfg/DFGByteCodeParser.cpp b/Source/JavaScriptCore/dfg/DFGByteCodeParser.cpp
>index 78ca65f833f18c83b6d8707b4c6f9568805415f5..b1dc25b1b878f0b5d4f4d41d41df1fdad92362a4 100644
>--- a/Source/JavaScriptCore/dfg/DFGByteCodeParser.cpp
>+++ b/Source/JavaScriptCore/dfg/DFGByteCodeParser.cpp
>@@ -2710,13 +2710,6 @@ bool ByteCodeParser::handleIntrinsicCall(Node* callee, VirtualRegister result, I
> return true;
> }
>
>- case ObjectPrototypeToStringIntrinsic: {
>- insertChecks();
>- Node* value = get(virtualRegisterForArgument(0, registerOffset));
>- setResult(addToGraph(ObjectToString, value));
>- return true;
>- }
>-
> case ReflectGetPrototypeOfIntrinsic: {
> if (argumentCountIncludingThis != 2)
> return false;
>diff --git a/Source/JavaScriptCore/dfg/DFGClobberize.h b/Source/JavaScriptCore/dfg/DFGClobberize.h
>index 9c2707332c5e75acf05881bd8841a16852c715bc..7e9b0d8969aceaa0fca1039b0bcc746beb7b9533 100644
>--- a/Source/JavaScriptCore/dfg/DFGClobberize.h
>+++ b/Source/JavaScriptCore/dfg/DFGClobberize.h
>@@ -678,20 +678,6 @@ void clobberize(Graph& graph, Node* node, const ReadFunctor& read, const WriteFu
> write(Heap);
> return;
>
>- case ObjectToString:
>- switch (node->child1().useKind()) {
>- case OtherUse:
>- def(PureValue(node));
>- return;
>- case UntypedUse:
>- read(World);
>- write(Heap);
>- return;
>- default:
>- RELEASE_ASSERT_NOT_REACHED();
>- return;
>- }
>-
> case AtomicsAdd:
> case AtomicsAnd:
> case AtomicsCompareExchange:
>diff --git a/Source/JavaScriptCore/dfg/DFGDoesGC.cpp b/Source/JavaScriptCore/dfg/DFGDoesGC.cpp
>index 33a20e539a6fd2c26ef114277ac7c69f17c87866..5418127a228e307aa9dd0ca063afde43c529dc2f 100644
>--- a/Source/JavaScriptCore/dfg/DFGDoesGC.cpp
>+++ b/Source/JavaScriptCore/dfg/DFGDoesGC.cpp
>@@ -366,7 +366,6 @@ bool doesGC(Graph& graph, Node* node)
> case StringReplaceRegExp:
> case StringSlice:
> case StringValueOf:
>- case ObjectToString:
> case CreateRest:
> case ToLowerCase:
> case CallDOMGetter:
>diff --git a/Source/JavaScriptCore/dfg/DFGFixupPhase.cpp b/Source/JavaScriptCore/dfg/DFGFixupPhase.cpp
>index f49b97d237affbbe2d6f219c5e043e91277f88e0..d2d4fbfb44b35715358ca71e46f1ed20c68e2be2 100644
>--- a/Source/JavaScriptCore/dfg/DFGFixupPhase.cpp
>+++ b/Source/JavaScriptCore/dfg/DFGFixupPhase.cpp
>@@ -2150,11 +2150,6 @@ class FixupPhase : public Phase {
> break;
> }
>
>- case ObjectToString: {
>- fixupObjectToString(node);
>- break;
>- }
>-
> case StringSlice: {
> fixEdge<StringUse>(node->child1());
> fixEdge<Int32Use>(node->child2());
>@@ -2947,15 +2942,6 @@ class FixupPhase : public Phase {
> }
> }
>
>- void fixupObjectToString(Node* node)
>- {
>- if (node->child1()->shouldSpeculateOther()) {
>- fixEdge<OtherUse>(node->child1());
>- node->clearFlags(NodeMustGenerate);
>- return;
>- }
>- }
>-
> bool attemptToMakeFastStringAdd(Node* node)
> {
> bool goodToGo = true;
>diff --git a/Source/JavaScriptCore/dfg/DFGNodeType.h b/Source/JavaScriptCore/dfg/DFGNodeType.h
>index ded0e2680b8e82018c3d4868335b4d03e4ac8fd2..bd3bfe2fd40d2d0bd3b1d307a43a122935284e43 100644
>--- a/Source/JavaScriptCore/dfg/DFGNodeType.h
>+++ b/Source/JavaScriptCore/dfg/DFGNodeType.h
>@@ -266,7 +266,6 @@ namespace JSC { namespace DFG {
> macro(GetPrototypeOf, NodeMustGenerate | NodeResultJS) \
> macro(ObjectCreate, NodeMustGenerate | NodeResultJS) \
> macro(ObjectKeys, NodeMustGenerate | NodeResultJS) \
>- macro(ObjectToString, NodeMustGenerate | NodeResultJS) \
> \
> /* Atomics object functions. */\
> macro(AtomicsAdd, NodeResultJS | NodeMustGenerate | NodeHasVarArgs) \
>diff --git a/Source/JavaScriptCore/dfg/DFGOperations.cpp b/Source/JavaScriptCore/dfg/DFGOperations.cpp
>index 6075ea327ceb92b0b9cbb726d2af6707c4abcdcd..d4a0a7aeee88bee483cb4af518097108535a1338 100644
>--- a/Source/JavaScriptCore/dfg/DFGOperations.cpp
>+++ b/Source/JavaScriptCore/dfg/DFGOperations.cpp
>@@ -63,7 +63,6 @@
> #include "JSWeakSet.h"
> #include "NumberConstructor.h"
> #include "ObjectConstructor.h"
>-#include "ObjectPrototypeInlines.h"
> #include "Operations.h"
> #include "ParseInt.h"
> #include "RegExpConstructor.h"
>@@ -72,7 +71,6 @@
> #include "Repatch.h"
> #include "ScopedArguments.h"
> #include "StringConstructor.h"
>-#include "StructureRareDataInlines.h"
> #include "SuperSampler.h"
> #include "Symbol.h"
> #include "TypeProfilerLog.h"
>@@ -2156,13 +2154,6 @@ JSString* JIT_OPERATION operationStringValueOf(ExecState* exec, EncodedJSValue e
> return nullptr;
> }
>
>-JSString* JIT_OPERATION operationObjectToString(ExecState* exec, EncodedJSValue source)
>-{
>- VM& vm = exec->vm();
>- NativeCallFrameTracer tracer(&vm, exec);
>- return objectToString(exec, JSValue::decode(source));
>-}
>-
> JSCell* JIT_OPERATION operationStringSubstr(ExecState* exec, JSCell* cell, int32_t from, int32_t span)
> {
> VM& vm = exec->vm();
>diff --git a/Source/JavaScriptCore/dfg/DFGOperations.h b/Source/JavaScriptCore/dfg/DFGOperations.h
>index 8b76f4d6bf37401de2c4a97c1c3205527cc63951..38c116a54f91a615b81c15112148f25f94adb1ef 100644
>--- a/Source/JavaScriptCore/dfg/DFGOperations.h
>+++ b/Source/JavaScriptCore/dfg/DFGOperations.h
>@@ -205,7 +205,6 @@ JSString* JIT_OPERATION operationSingleCharacterString(ExecState*, int32_t);
> JSCell* JIT_OPERATION operationStringSubstr(ExecState*, JSCell*, int32_t, int32_t);
> JSString* JIT_OPERATION operationStringValueOf(ExecState*, EncodedJSValue);
> JSString* JIT_OPERATION operationToLowerCase(ExecState*, JSString*, uint32_t);
>-JSString* JIT_OPERATION operationObjectToString(ExecState*, EncodedJSValue);
>
> char* JIT_OPERATION operationInt32ToString(ExecState*, int32_t, int32_t);
> char* JIT_OPERATION operationInt52ToString(ExecState*, int64_t, int32_t);
>diff --git a/Source/JavaScriptCore/dfg/DFGPredictionPropagationPhase.cpp b/Source/JavaScriptCore/dfg/DFGPredictionPropagationPhase.cpp
>index b0d49e08539baafadd215df51c784938cddee2f4..c2afe5b378add7ae4d1e9bd4fd8320ae27687065 100644
>--- a/Source/JavaScriptCore/dfg/DFGPredictionPropagationPhase.cpp
>+++ b/Source/JavaScriptCore/dfg/DFGPredictionPropagationPhase.cpp
>@@ -879,7 +879,6 @@ class PredictionPropagationPhase : public Phase {
> case StringValueOf:
> case StringSlice:
> case ToLowerCase:
>- case ObjectToString:
> setPrediction(SpecString);
> break;
>
>diff --git a/Source/JavaScriptCore/dfg/DFGSafeToExecute.h b/Source/JavaScriptCore/dfg/DFGSafeToExecute.h
>index c4e566cb6c6ba121336b6c2e28bf70d951857fe1..883f79988bd6a4a4c2735173bc5c598c5a77666d 100644
>--- a/Source/JavaScriptCore/dfg/DFGSafeToExecute.h
>+++ b/Source/JavaScriptCore/dfg/DFGSafeToExecute.h
>@@ -453,7 +453,6 @@ bool safeToExecute(AbstractStateType& state, Graph& graph, Node* node, bool igno
> case StringValueOf:
> case StringSlice:
> case ToLowerCase:
>- case ObjectToString:
> case GetMapBucket:
> case GetMapBucketHead:
> case GetMapBucketNext:
>diff --git a/Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp b/Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp
>index 948bb979c8e65429f4bc620a24672ece294b50ac..2e8663a3315b9422cb9d19d470069b8064502940 100644
>--- a/Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp
>+++ b/Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp
>@@ -12440,63 +12440,6 @@ void SpeculativeJIT::compileObjectKeys(Node* node)
> }
> }
>
>-void SpeculativeJIT::compileObjectToString(Node* node)
>-{
>- switch (node->child1().useKind()) {
>- case OtherUse: {
>- JSValueOperand source(this, node->child1(), ManualOperandSpeculation);
>- GPRTemporary result(this);
>-
>- JSValueRegs sourceRegs = source.jsValueRegs();
>- GPRReg resultGPR = result.gpr();
>-
>- speculateOther(node->child1(), sourceRegs);
>-
>- auto isUndefined = m_jit.branchIfUndefined(sourceRegs);
>- m_jit.move(TrustedImmPtr::weakPointer(m_jit.graph(), m_jit.vm()->smallStrings.nullObjectString()), resultGPR);
>- auto done = m_jit.jump();
>- isUndefined.link(&m_jit);
>- m_jit.move(TrustedImmPtr::weakPointer(m_jit.graph(), m_jit.vm()->smallStrings.undefinedObjectString()), resultGPR);
>- done.link(&m_jit);
>-
>- cellResult(resultGPR, node);
>- return;
>- }
>- case UntypedUse: {
>- JSValueOperand source(this, node->child1());
>-
>- JSValueRegs sourceRegs = source.jsValueRegs();
>-
>- GPRTemporary structure(this);
>- GPRTemporary scratch(this);
>-
>- GPRReg structureGPR = structure.gpr();
>- GPRReg scratchGPR = scratch.gpr();
>-
>- CCallHelpers::JumpList slowCases;
>- slowCases.append(m_jit.branchIfNotCell(sourceRegs));
>- slowCases.append(m_jit.branchIfNotObject(sourceRegs.payloadGPR()));
>-
>- m_jit.emitLoadStructure(*m_jit.vm(), sourceRegs.payloadGPR(), structureGPR, scratchGPR);
>- m_jit.loadPtr(CCallHelpers::Address(structureGPR, Structure::previousOrRareDataOffset()), scratchGPR);
>-
>- slowCases.append(m_jit.branchTestPtr(CCallHelpers::Zero, scratchGPR));
>- slowCases.append(m_jit.branch32(CCallHelpers::Equal, CCallHelpers::Address(scratchGPR, JSCell::structureIDOffset()), TrustedImm32(bitwise_cast<int32_t>(m_jit.vm()->structureStructure->structureID()))));
>-
>- m_jit.loadPtr(CCallHelpers::Address(scratchGPR, StructureRareData::offsetOfObjectToStringValue()), scratchGPR);
>- slowCases.append(m_jit.branchTestPtr(CCallHelpers::Zero, scratchGPR));
>-
>- addSlowPathGenerator(slowPathCall(slowCases, this, operationObjectToString, scratchGPR, sourceRegs));
>-
>- cellResult(scratchGPR, node);
>- return;
>- }
>- default:
>- DFG_CRASH(m_graph, node, "Bad use kind");
>- return;
>- }
>-}
>-
> void SpeculativeJIT::compileObjectCreate(Node* node)
> {
> switch (node->child1().useKind()) {
>diff --git a/Source/JavaScriptCore/dfg/DFGSpeculativeJIT.h b/Source/JavaScriptCore/dfg/DFGSpeculativeJIT.h
>index a2ad6bed487cb34d687d7bedb51b5540d6befd8a..8ed85f6311f14a940530e2f146288ab612b10b3d 100644
>--- a/Source/JavaScriptCore/dfg/DFGSpeculativeJIT.h
>+++ b/Source/JavaScriptCore/dfg/DFGSpeculativeJIT.h
>@@ -1480,7 +1480,6 @@ class SpeculativeJIT {
> void compileNewTypedArray(Node*);
> void compileToThis(Node*);
> void compileObjectKeys(Node*);
>- void compileObjectToString(Node*);
> void compileObjectCreate(Node*);
> void compileCreateThis(Node*);
> void compileNewObject(Node*);
>diff --git a/Source/JavaScriptCore/dfg/DFGSpeculativeJIT32_64.cpp b/Source/JavaScriptCore/dfg/DFGSpeculativeJIT32_64.cpp
>index c299bccd61322c2ebbe8136447f34d15f6b97545..4dfe9c92321d753d178148f4ed35f8973f3e6f52 100644
>--- a/Source/JavaScriptCore/dfg/DFGSpeculativeJIT32_64.cpp
>+++ b/Source/JavaScriptCore/dfg/DFGSpeculativeJIT32_64.cpp
>@@ -3105,11 +3105,6 @@ void SpeculativeJIT::compile(Node* node)
> compileToStringOrCallStringConstructorOrStringValueOf(node);
> break;
> }
>-
>- case ObjectToString: {
>- compileObjectToString(node);
>- break;
>- }
>
> case NewStringObject: {
> compileNewStringObject(node);
>diff --git a/Source/JavaScriptCore/dfg/DFGSpeculativeJIT64.cpp b/Source/JavaScriptCore/dfg/DFGSpeculativeJIT64.cpp
>index 32e08c99f465f006c19731bd2bb0a02b4c1488ba..7f9e381b755d264ca75e3e7dcaca80c8741dde66 100644
>--- a/Source/JavaScriptCore/dfg/DFGSpeculativeJIT64.cpp
>+++ b/Source/JavaScriptCore/dfg/DFGSpeculativeJIT64.cpp
>@@ -3347,11 +3347,6 @@ void SpeculativeJIT::compile(Node* node)
> compileToStringOrCallStringConstructorOrStringValueOf(node);
> break;
> }
>-
>- case ObjectToString: {
>- compileObjectToString(node);
>- break;
>- }
>
> case NewStringObject: {
> compileNewStringObject(node);
>diff --git a/Source/JavaScriptCore/ftl/FTLAbstractHeapRepository.h b/Source/JavaScriptCore/ftl/FTLAbstractHeapRepository.h
>index b7e99844695119b83f39a93e80dc04c85c2b9e45..9f3aa2fe7dc3ecfeb0c870b81a87cbc11f288051 100644
>--- a/Source/JavaScriptCore/ftl/FTLAbstractHeapRepository.h
>+++ b/Source/JavaScriptCore/ftl/FTLAbstractHeapRepository.h
>@@ -120,7 +120,6 @@ namespace JSC { namespace FTL {
> macro(Structure_prototype, Structure::prototypeOffset()) \
> macro(Structure_structureID, Structure::structureIDOffset()) \
> macro(StructureRareData_cachedOwnKeys, StructureRareData::offsetOfCachedOwnKeys()) \
>- macro(StructureRareData_objectToStringValue, StructureRareData::offsetOfObjectToStringValue()) \
> macro(HashMapImpl_capacity, HashMapImpl<HashMapBucket<HashMapBucketDataKey>>::offsetOfCapacity()) \
> macro(HashMapImpl_buffer, HashMapImpl<HashMapBucket<HashMapBucketDataKey>>::offsetOfBuffer()) \
> macro(HashMapImpl_head, HashMapImpl<HashMapBucket<HashMapBucketDataKey>>::offsetOfHead()) \
>diff --git a/Source/JavaScriptCore/ftl/FTLCapabilities.cpp b/Source/JavaScriptCore/ftl/FTLCapabilities.cpp
>index 7db5b56d326ddad666ec69cfa4d8d186d224ff4a..1ff0c337da8c95ce94c56f8ebe3a9b6a4e4dab15 100644
>--- a/Source/JavaScriptCore/ftl/FTLCapabilities.cpp
>+++ b/Source/JavaScriptCore/ftl/FTLCapabilities.cpp
>@@ -334,7 +334,6 @@ inline CapabilityLevel canCompile(Node* node)
> case StringValueOf:
> case StringSlice:
> case ToLowerCase:
>- case ObjectToString:
> case NumberToStringWithRadix:
> case NumberToStringWithValidRadixConstant:
> case CheckSubClass:
>diff --git a/Source/JavaScriptCore/ftl/FTLLowerDFGToB3.cpp b/Source/JavaScriptCore/ftl/FTLLowerDFGToB3.cpp
>index edc6f0d3bc283510e5879b6ae4efa370f9aff671..ae1fa909136f74647c4cea289da0a8fa6d3faa04 100644
>--- a/Source/JavaScriptCore/ftl/FTLLowerDFGToB3.cpp
>+++ b/Source/JavaScriptCore/ftl/FTLLowerDFGToB3.cpp
>@@ -937,9 +937,6 @@ class LowerDFGToB3 {
> case StringFromCharCode:
> compileStringFromCharCode();
> break;
>- case ObjectToString:
>- compileObjectToString();
>- break;
> case GetByOffset:
> case GetGetterSetterByOffset:
> compileGetByOffset();
>@@ -6425,61 +6422,6 @@ class LowerDFGToB3 {
> break;
> }
> }
>-
>- void compileObjectToString()
>- {
>- switch (m_node->child1().useKind()) {
>- case OtherUse: {
>- speculate(m_node->child1());
>- LValue source = lowJSValue(m_node->child1(), ManualOperandSpeculation);
>- LValue result = m_out.select(m_out.equal(source, m_out.constInt64(ValueUndefined)),
>- weakPointer(vm().smallStrings.undefinedObjectString()), weakPointer(vm().smallStrings.nullObjectString()));
>- setJSValue(result);
>- return;
>- }
>- case UntypedUse: {
>- LBasicBlock cellCase = m_out.newBlock();
>- LBasicBlock objectCase = m_out.newBlock();
>- LBasicBlock notNullCase = m_out.newBlock();
>- LBasicBlock rareDataCase = m_out.newBlock();
>- LBasicBlock slowCase = m_out.newBlock();
>- LBasicBlock continuation = m_out.newBlock();
>-
>- LValue source = lowJSValue(m_node->child1());
>- m_out.branch(isCell(source, provenType(m_node->child1())), unsure(cellCase), unsure(slowCase));
>-
>- LBasicBlock lastNext = m_out.appendTo(cellCase, objectCase);
>- m_out.branch(isObject(source, provenType(m_node->child1()) & SpecCell), unsure(objectCase), unsure(slowCase));
>-
>- m_out.appendTo(objectCase, notNullCase);
>- LValue structure = loadStructure(source);
>- LValue previousOrRareData = m_out.loadPtr(structure, m_heaps.Structure_previousOrRareData);
>- m_out.branch(m_out.notNull(previousOrRareData), unsure(notNullCase), unsure(slowCase));
>-
>- m_out.appendTo(notNullCase, rareDataCase);
>- m_out.branch(
>- m_out.notEqual(m_out.load32(previousOrRareData, m_heaps.JSCell_structureID), m_out.constInt32(m_graph.m_vm.structureStructure->structureID())),
>- unsure(rareDataCase), unsure(slowCase));
>-
>- m_out.appendTo(rareDataCase, slowCase);
>- LValue objectToStringValue = m_out.loadPtr(previousOrRareData, m_heaps.StructureRareData_objectToStringValue);
>- ValueFromBlock fastResult = m_out.anchor(objectToStringValue);
>- m_out.branch(m_out.isNull(objectToStringValue), unsure(slowCase), unsure(continuation));
>-
>- m_out.appendTo(slowCase, continuation);
>- LValue slowResultValue = vmCall(pointerType(), m_out.operation(operationObjectToString), m_callFrame, source);
>- ValueFromBlock slowResult = m_out.anchor(slowResultValue);
>- m_out.jump(continuation);
>-
>- m_out.appendTo(continuation, lastNext);
>- setJSValue(m_out.phi(pointerType(), fastResult, slowResult));
>- return;
>- }
>- default:
>- DFG_CRASH(m_graph, m_node, "Bad use kind");
>- return;
>- }
>- }
>
> void compileToPrimitive()
> {
>diff --git a/Source/JavaScriptCore/runtime/Intrinsic.cpp b/Source/JavaScriptCore/runtime/Intrinsic.cpp
>index f3db584349abe12237e5db58e9e5074e91d6d6e8..fbc4ef3cd8f2ec62da9300da271b1023397434fc 100644
>--- a/Source/JavaScriptCore/runtime/Intrinsic.cpp
>+++ b/Source/JavaScriptCore/runtime/Intrinsic.cpp
>@@ -121,8 +121,6 @@ const char* intrinsicName(Intrinsic intrinsic)
> return "ObjectIsIntrinsic";
> case ObjectKeysIntrinsic:
> return "ObjectKeysIntrinsic";
>- case ObjectPrototypeToStringIntrinsic:
>- return "ObjectPrototypeToStringIntrinsic";
> case ReflectGetPrototypeOfIntrinsic:
> return "ReflectGetPrototypeOfIntrinsic";
> case StringPrototypeValueOfIntrinsic:
>diff --git a/Source/JavaScriptCore/runtime/Intrinsic.h b/Source/JavaScriptCore/runtime/Intrinsic.h
>index 15eab26bac6a562c8e2f24e35cd82e2ef4b24d05..b47f46d9e4de0013de8346e82e6816f5fd02f746 100644
>--- a/Source/JavaScriptCore/runtime/Intrinsic.h
>+++ b/Source/JavaScriptCore/runtime/Intrinsic.h
>@@ -73,7 +73,6 @@ enum Intrinsic {
> ObjectGetPrototypeOfIntrinsic,
> ObjectIsIntrinsic,
> ObjectKeysIntrinsic,
>- ObjectPrototypeToStringIntrinsic,
> ReflectGetPrototypeOfIntrinsic,
> StringPrototypeValueOfIntrinsic,
> StringPrototypeReplaceIntrinsic,
>diff --git a/Source/JavaScriptCore/runtime/ObjectPrototype.cpp b/Source/JavaScriptCore/runtime/ObjectPrototype.cpp
>index 052eb2120d3df9ba7d313302bd9fea9df127ebbb..1bd8930834fd680204d3bb86cee2cad0d0c59d46 100644
>--- a/Source/JavaScriptCore/runtime/ObjectPrototype.cpp
>+++ b/Source/JavaScriptCore/runtime/ObjectPrototype.cpp
>@@ -27,7 +27,6 @@
> #include "JSFunction.h"
> #include "JSString.h"
> #include "JSCInlines.h"
>-#include "ObjectPrototypeInlines.h"
> #include "PropertySlot.h"
> #include "StructureInlines.h"
> #include "StructureRareDataInlines.h"
>@@ -43,7 +42,6 @@ static EncodedJSValue JSC_HOST_CALL objectProtoFuncLookupGetter(ExecState*);
> static EncodedJSValue JSC_HOST_CALL objectProtoFuncLookupSetter(ExecState*);
> static EncodedJSValue JSC_HOST_CALL objectProtoFuncPropertyIsEnumerable(ExecState*);
> static EncodedJSValue JSC_HOST_CALL objectProtoFuncToLocaleString(ExecState*);
>-static EncodedJSValue JSC_HOST_CALL objectProtoFuncToString(ExecState*);
>
> STATIC_ASSERT_IS_TRIVIALLY_DESTRUCTIBLE(ObjectPrototype);
>
>@@ -60,7 +58,7 @@ void ObjectPrototype::finishCreation(VM& vm, JSGlobalObject* globalObject)
> ASSERT(inherits(vm, info()));
> didBecomePrototype();
>
>- JSC_NATIVE_INTRINSIC_FUNCTION_WITHOUT_TRANSITION(vm.propertyNames->toString, objectProtoFuncToString, static_cast<unsigned>(PropertyAttribute::DontEnum), 0, ObjectPrototypeToStringIntrinsic);
>+ JSC_NATIVE_FUNCTION_WITHOUT_TRANSITION(vm.propertyNames->toString, objectProtoFuncToString, static_cast<unsigned>(PropertyAttribute::DontEnum), 0);
> JSC_NATIVE_FUNCTION_WITHOUT_TRANSITION(vm.propertyNames->toLocaleString, objectProtoFuncToLocaleString, static_cast<unsigned>(PropertyAttribute::DontEnum), 0);
> JSC_NATIVE_FUNCTION_WITHOUT_TRANSITION(vm.propertyNames->valueOf, objectProtoFuncValueOf, static_cast<unsigned>(PropertyAttribute::DontEnum), 0);
> JSC_NATIVE_INTRINSIC_FUNCTION_WITHOUT_TRANSITION(vm.propertyNames->hasOwnProperty, objectProtoFuncHasOwnProperty, static_cast<unsigned>(PropertyAttribute::DontEnum), 1, HasOwnPropertyIntrinsic);
>@@ -313,8 +311,50 @@ EncodedJSValue JSC_HOST_CALL objectProtoFuncToLocaleString(ExecState* exec)
>
> EncodedJSValue JSC_HOST_CALL objectProtoFuncToString(ExecState* exec)
> {
>+ VM& vm = exec->vm();
>+ auto scope = DECLARE_THROW_SCOPE(vm);
>+
> JSValue thisValue = exec->thisValue().toThis(exec, StrictMode);
>- return JSValue::encode(objectToString(exec, thisValue));
>+ if (thisValue.isUndefinedOrNull())
>+ return JSValue::encode(thisValue.isUndefined() ? vm.smallStrings.undefinedObjectString() : vm.smallStrings.nullObjectString());
>+ JSObject* thisObject = thisValue.toObject(exec);
>+ EXCEPTION_ASSERT(!!scope.exception() == !thisObject);
>+ if (!thisObject)
>+ return JSValue::encode(jsUndefined());
>+
>+ auto result = thisObject->structure(vm)->objectToStringValue();
>+ if (result)
>+ return JSValue::encode(result);
>+
>+ PropertyName toStringTagSymbol = vm.propertyNames->toStringTagSymbol;
>+ RELEASE_AND_RETURN(scope, JSValue::encode(thisObject->getPropertySlot(exec, toStringTagSymbol, [&] (bool found, PropertySlot& toStringTagSlot) -> JSValue {
>+ if (found) {
>+ JSValue stringTag = toStringTagSlot.getValue(exec, toStringTagSymbol);
>+ RETURN_IF_EXCEPTION(scope, { });
>+ if (stringTag.isString()) {
>+ JSRopeString::RopeBuilder<RecordOverflow> ropeBuilder(vm);
>+ ropeBuilder.append(vm.smallStrings.objectStringStart());
>+ ropeBuilder.append(asString(stringTag));
>+ ropeBuilder.append(vm.smallStrings.singleCharacterString(']'));
>+ if (ropeBuilder.hasOverflowed())
>+ return throwOutOfMemoryError(exec, scope);
>+
>+ JSString* result = ropeBuilder.release();
>+ thisObject->structure(vm)->setObjectToStringValue(exec, vm, result, toStringTagSlot);
>+ return result;
>+ }
>+ }
>+
>+ String tag = thisObject->methodTable(vm)->toStringName(thisObject, exec);
>+ RETURN_IF_EXCEPTION(scope, { });
>+ String newString = tryMakeString("[object ", WTFMove(tag), "]");
>+ if (!newString)
>+ return throwOutOfMemoryError(exec, scope);
>+
>+ auto result = jsNontrivialString(&vm, newString);
>+ thisObject->structure(vm)->setObjectToStringValue(exec, vm, result, toStringTagSlot);
>+ return result;
>+ })));
> }
>
> } // namespace JSC
>diff --git a/Source/JavaScriptCore/runtime/ObjectPrototype.h b/Source/JavaScriptCore/runtime/ObjectPrototype.h
>index 602b13dde8a0939f59d274fdd625c9792fe556c1..b70a86580540f0cbc1214d044b0eebe17f8a3b95 100644
>--- a/Source/JavaScriptCore/runtime/ObjectPrototype.h
>+++ b/Source/JavaScriptCore/runtime/ObjectPrototype.h
>@@ -45,4 +45,6 @@ class ObjectPrototype final : public JSNonFinalObject {
> ObjectPrototype(VM&, Structure*);
> };
>
>+JS_EXPORT_PRIVATE EncodedJSValue JSC_HOST_CALL objectProtoFuncToString(ExecState*);
>+
> } // namespace JSC
>diff --git a/Source/JavaScriptCore/runtime/ObjectPrototypeInlines.h b/Source/JavaScriptCore/runtime/ObjectPrototypeInlines.h
>deleted file mode 100644
>index 331991fbbe7f11260b047db9c4c772570321f401..0000000000000000000000000000000000000000
>--- a/Source/JavaScriptCore/runtime/ObjectPrototypeInlines.h
>+++ /dev/null
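Review bot: In the restored `objectProtoFuncToString` body the function-scope `auto result = thisObject->structure(vm)->objectToStringValue();` is captured by the `[&]` lambda and then shadowed twice inside it (`JSString* result = ropeBuilder.release();` and `auto result = jsNontrivialString(&vm, newString);`), which reads as if the same variable were being reassigned. Folding the outer check into an if-initializer with its own name, `if (auto* cachedResult = thisObject->structure(vm)->objectToStringValue()) return JSValue::encode(cachedResult);`, removes the shadowing and the separate null test. The deleted ObjectPrototypeInlines.h version also passed `WTFMove(newString)` to `jsNontrivialString`, whereas the restored line copies `newString`; unless this is a verbatim restore of the pre-r239612 text, `jsNontrivialString(&vm, WTFMove(newString))` avoids the extra String copy. Both are follow-up material for an unreviewed rollout rather than blockers.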
>@@ -1,112 +0,0 @@
>-/*
>- * Copyright (C) 1999-2000 Harri Porten (porten@kde.org)
>- * Copyright (C) 2008-2017 Apple Inc. All rights reserved.
>- *
>- * This library is free software; you can redistribute it and/or
>- * modify it under the terms of the GNU Lesser General Public
>- * License as published by the Free Software Foundation; either
>- * version 2 of the License, or (at your option) any later version.
>- *
>- * This library is distributed in the hope that it will be useful,
>- * but WITHOUT ANY WARRANTY; without even the implied warranty of
>- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
>- * Lesser General Public License for more details.
>- *
>- * You should have received a copy of the GNU Lesser General Public
>- * License along with this library; if not, write to the Free Software
>- * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
>- *
>- */
>-
>-#pragma once
>-
>-#include "JSCInlines.h"
>-#include "JSObject.h"
>-#include "JSString.h"
>-#include "ObjectPrototype.h"
>-#include "PropertySlot.h"
>-#include "StructureInlines.h"
>-#include "StructureRareDataInlines.h"
>-
>-namespace JSC {
>-
>-inline Structure* structureForPrimitiveValue(JSGlobalObject* globalObject, JSValue value)
>-{
>- if (value.isCell()) {
>- if (value.isString())
>- return globalObject->stringObjectStructure();
>- if (value.isBigInt())
>- return globalObject->bigIntObjectStructure();
>- ASSERT(value.isSymbol());
>- return globalObject->symbolObjectStructure();
>- }
>-
>- if (value.isNumber())
>- return globalObject->numberObjectStructure();
>- if (value.isBoolean())
>- return globalObject->booleanObjectStructure();
>-
>- ASSERT(value.isUndefinedOrNull());
>- return nullptr;
>-}
>-
>-ALWAYS_INLINE JSString* objectToString(ExecState* exec, JSValue thisValue)
>-{
>- VM& vm = exec->vm();
>- auto scope = DECLARE_THROW_SCOPE(vm);
>-
>- JSObject* thisObject = nullptr;
>- if (thisValue.isObject()) {
>- thisObject = jsCast<JSObject*>(thisValue);
>- if (auto* result = thisObject->structure(vm)->objectToStringValue())
>- return result;
>- } else {
>- if (thisValue.isUndefinedOrNull())
>- return thisValue.isUndefined() ? vm.smallStrings.undefinedObjectString() : vm.smallStrings.nullObjectString();
>-
>- auto* structure = structureForPrimitiveValue(exec->lexicalGlobalObject(), thisValue);
>- ASSERT(structure);
>- if (auto* result = structure->objectToStringValue())
>- return result;
>- thisObject = thisValue.toObject(exec);
>- EXCEPTION_ASSERT(!!scope.exception() == !thisObject);
>- if (!thisObject)
>- return nullptr;
>- }
>-
>- RELEASE_AND_RETURN(scope, thisObject->getPropertySlot(exec, vm.propertyNames->toStringTagSymbol, [&] (bool found, PropertySlot& toStringTagSlot) -> JSString* {
>- auto scope = DECLARE_THROW_SCOPE(vm);
>- if (found) {
>- JSValue stringTag = toStringTagSlot.getValue(exec, vm.propertyNames->toStringTagSymbol);
>- RETURN_IF_EXCEPTION(scope, { });
>- if (stringTag.isString()) {
>- JSRopeString::RopeBuilder<RecordOverflow> ropeBuilder(vm);
>- ropeBuilder.append(vm.smallStrings.objectStringStart());
>- ropeBuilder.append(asString(stringTag));
>- ropeBuilder.append(vm.smallStrings.singleCharacterString(']'));
>- if (ropeBuilder.hasOverflowed()) {
>- throwOutOfMemoryError(exec, scope);
>- return nullptr;
>- }
>-
>- JSString* result = ropeBuilder.release();
>- thisObject->structure(vm)->setObjectToStringValue(exec, vm, result, toStringTagSlot);
>- return result;
>- }
>- }
>-
>- String tag = thisObject->methodTable(vm)->toStringName(thisObject, exec);
>- RETURN_IF_EXCEPTION(scope, { });
>- String newString = tryMakeString("[object ", WTFMove(tag), "]");
>- if (!newString) {
>- throwOutOfMemoryError(exec, scope);
>- return nullptr;
>- }
>-
>- auto result = jsNontrivialString(&vm, WTFMove(newString));
>- thisObject->structure(vm)->setObjectToStringValue(exec, vm, result, toStringTagSlot);
>- return result;
>- }));
>-}
>-
>-} // namespace JSC
>diff --git a/Source/JavaScriptCore/runtime/StructureRareData.h b/Source/JavaScriptCore/runtime/StructureRareData.h
>index 179aa824fb50b7c34c60b73b562e69244d2746e7..336732d11d873d42f20f9910871e28c270f6a885 100644
>--- a/Source/JavaScriptCore/runtime/StructureRareData.h
>+++ b/Source/JavaScriptCore/runtime/StructureRareData.h
>@@ -81,11 +81,6 @@ class StructureRareData final : public JSCell {
> void setSharedPolyProtoWatchpoint(Box<InlineWatchpointSet>&& sharedPolyProtoWatchpoint) { m_polyProtoWatchpoint = WTFMove(sharedPolyProtoWatchpoint); }
> bool hasSharedPolyProtoWatchpoint() const { return static_cast<bool>(m_polyProtoWatchpoint); }
>
>- static ptrdiff_t offsetOfObjectToStringValue()
>- {
>- return OBJECT_OFFSETOF(StructureRareData, m_objectToStringValue);
>- }
>-
> static JSImmutableButterfly* cachedOwnKeysSentinel() { return bitwise_cast<JSImmutableButterfly*>(static_cast<uintptr_t>(1)); }
>
> static ptrdiff_t offsetOfCachedOwnKeys()
>diff --git a/JSTests/ChangeLog b/JSTests/ChangeLog
>index d855bd472dafbaace71fd7ec2216c2e119d52cc3..2bf0d187f24486fdb8b15f44ef60c28c4316fe46 100644
>--- a/JSTests/ChangeLog
>+++ b/JSTests/ChangeLog
>@@ -1,3 +1,17 @@
>+2019-01-22 Yusuke Suzuki <ysuzuki@apple.com>
>+
>+ REGRESSION(r239612) Crash at runtime due to broken DFG assumption
>+ https://bugs.webkit.org/show_bug.cgi?id=193709
>+ <rdar://problem/47363838>
>+
>+ Unreviewed, rollout to watch the tests.
>+
>+ * stress/object-tostring-changed-proto.js: Removed.
>+ * stress/object-tostring-changed.js: Removed.
>+ * stress/object-tostring-misc.js: Removed.
>+ * stress/object-tostring-other.js: Removed.
>+ * stress/object-tostring-untyped.js: Removed.
>+
> 2019-01-22 Saam Barati <sbarati@apple.com>
>
> Unreviewed. Rollout r240223. It regressed JetStream2 by 1%.
>diff --git a/JSTests/stress/object-tostring-changed-proto.js b/JSTests/stress/object-tostring-changed-proto.js
>deleted file mode 100644
>index 9a1a22b56e00d1ea2959ebb71380a6050cc98e7f..0000000000000000000000000000000000000000
>--- a/JSTests/stress/object-tostring-changed-proto.js
>+++ /dev/null
>@@ -1,18 +0,0 @@
>-function shouldBe(actual, expected)
>-{
>- if (actual !== expected)
>- throw new Error('bad value: ' + actual);
>-}
>-noInline(shouldBe);
>-
>-function test(value)
>-{
>- return Object.prototype.toString.call(value);
>-}
>-noInline(test);
>-
>-var object = {};
>-for (var i = 0; i < 1e5; ++i)
>- shouldBe(test(object), `[object Object]`);
>-Object.prototype[Symbol.toStringTag] = "Hello";
>-shouldBe(test(object), `[object Hello]`);
>diff --git a/JSTests/stress/object-tostring-changed.js b/JSTests/stress/object-tostring-changed.js
>deleted file mode 100644
>index b4f7275d23b69b125dd2f0bb2e2188105858b4dd..0000000000000000000000000000000000000000
>--- a/JSTests/stress/object-tostring-changed.js
>+++ /dev/null
>@@ -1,18 +0,0 @@
>-function shouldBe(actual, expected)
>-{
>- if (actual !== expected)
>- throw new Error('bad value: ' + actual);
>-}
>-noInline(shouldBe);
>-
>-function test(value)
>-{
>- return Object.prototype.toString.call(value);
>-}
>-noInline(test);
>-
>-var object = {};
>-for (var i = 0; i < 1e5; ++i)
>- shouldBe(test(object), `[object Object]`);
>-object[Symbol.toStringTag] = "Hello";
>-shouldBe(test(object), `[object Hello]`);
>diff --git a/JSTests/stress/object-tostring-misc.js b/JSTests/stress/object-tostring-misc.js
>deleted file mode 100644
>index 1b00aeb26bbd188d1b7a66a1b3d7339804b26a3d..0000000000000000000000000000000000000000
>--- a/JSTests/stress/object-tostring-misc.js
>+++ /dev/null
>@@ -1,26 +0,0 @@
>-function shouldBe(actual, expected)
>-{
>- if (actual !== expected)
>- throw new Error('bad value: ' + actual);
>-}
>-noInline(shouldBe);
>-
>-function test(value)
>-{
>- return Object.prototype.toString.call(value);
>-}
>-noInline(test);
>-
>-for (var i = 0; i < 1e6; ++i) {
>- switch (i % 3) {
>- case 0:
>- shouldBe(test(null), `[object Null]`);
>- break;
>- case 1:
>- shouldBe(test(undefined), `[object Undefined]`);
>- break;
>- case 2:
>- shouldBe(test(true), `[object Boolean]`);
>- break;
>- }
>-}
>diff --git a/JSTests/stress/object-tostring-other.js b/JSTests/stress/object-tostring-other.js
>deleted file mode 100644
>index 657fbafca332eaa60d2ed5e4a4141432f3a0f0b8..0000000000000000000000000000000000000000
>--- a/JSTests/stress/object-tostring-other.js
>+++ /dev/null
>@@ -1,19 +0,0 @@
>-function shouldBe(actual, expected)
>-{
>- if (actual !== expected)
>- throw new Error('bad value: ' + actual);
>-}
>-noInline(shouldBe);
>-
>-function test(value)
>-{
>- return Object.prototype.toString.call(value);
>-}
>-noInline(test);
>-
>-for (var i = 0; i < 1e6; ++i) {
>- if (i & 0x1)
>- shouldBe(test(null), `[object Null]`);
>- else
>- shouldBe(test(undefined), `[object Undefined]`);
>-}
>diff --git a/JSTests/stress/object-tostring-untyped.js b/JSTests/stress/object-tostring-untyped.js
>deleted file mode 100644
>index f77cdd0c6e751ea694d8754ca51aabeeca968496..0000000000000000000000000000000000000000
>--- a/JSTests/stress/object-tostring-untyped.js
>+++ /dev/null
>@@ -1,50 +0,0 @@
>-function shouldBe(actual, expected)
>-{
>- if (actual !== expected)
>- throw new Error('bad value: ' + actual);
>-}
>-noInline(shouldBe);
>-
>-function test(value)
>-{
>- return Object.prototype.toString.call(value);
>-}
>-noInline(test);
>-
>-var value0 = {};
>-var value1 = { [Symbol.toStringTag]: "Hello" };
>-var value2 = new Date();
>-var value3 = "Hello";
>-var value4 = 42;
>-var value5 = Symbol("Cocoa");
>-var value6 = 42.195;
>-var value7 = false;
>-
>-for (var i = 0; i < 1e6; ++i) {
>- switch (i % 8) {
>- case 0:
>- shouldBe(test(value0), `[object Object]`);
>- break;
>- case 1:
>- shouldBe(test(value1), `[object Hello]`);
>- break;
>- case 2:
>- shouldBe(test(value2), `[object Date]`);
>- break;
>- case 3:
>- shouldBe(test(value3), `[object String]`);
>- break;
>- case 4:
>- shouldBe(test(value4), `[object Number]`);
>- break;
>- case 5:
>- shouldBe(test(value5), `[object Symbol]`);
>- break;
>- case 6:
>- shouldBe(test(value6), `[object Number]`);
>- break;
>- case 7:
>- shouldBe(test(value7), `[object Boolean]`);
>- break;
>- }
>-}