Attachment 373545 Details for Bug 199533 – proposed patch.

[patch] proposed patch.

bug-199533.patch (text/plain), 4.40 KB, created by Mark Lam on 2019-07-05 15:16:24 PDT

(hide)

Description:

Filename:

MIME Type:

Creator: Mark Lam

Created: 2019-07-05 15:16:24 PDT

Size: 4.40 KB

patch

obsolete

>Index: JSTests/ChangeLog
>===================================================================
>--- JSTests/ChangeLog	(revision 247180)
>+++ JSTests/ChangeLog	(working copy)
>@@ -1,3 +1,13 @@
>+2019-07-05  Mark Lam  <mark.lam@apple.com>
>+
>+        ArgumentsEliminationPhase::eliminateCandidatesThatInterfere() should not decrement nodeIndex pass zero.
>+        https://bugs.webkit.org/show_bug.cgi?id=199533
>+        <rdar://problem/52669111>
>+
>+        Reviewed by NOBODY (OOPS!).
>+
>+        * stress/ArgumentsEliminationPhase-eliminateCandidatesThatEscape-should-not-decrement-nodeIndex-pass-zero.js: Added.
>+
> 2019-07-05  Alexey Shvayka  <shvaikalesh@gmail.com>
> 
>         [JSC] Clean up ArraySpeciesCreate
>Index: JSTests/stress/ArgumentsEliminationPhase-eliminateCandidatesThatEscape-should-not-decrement-nodeIndex-pass-zero.js
>===================================================================
>--- JSTests/stress/ArgumentsEliminationPhase-eliminateCandidatesThatEscape-should-not-decrement-nodeIndex-pass-zero.js	(nonexistent)
>+++ JSTests/stress/ArgumentsEliminationPhase-eliminateCandidatesThatEscape-should-not-decrement-nodeIndex-pass-zero.js	(working copy)
>@@ -0,0 +1,31 @@
>+//@ requireOptions("--thresholdForFTLOptimizeAfterWarmUp=1000")
>+
>+function __v0(__v1, ...__v2) {
>+    if (__v1)
>+        var __v1 = {
>+            9.5471568547800008: '\\p{sc=Inherited}'
>+        };
>+}
>+noInline();
>+function __v2(__v2, ...__v1) {
>+    return __v1;
>+}
>+function __v5(__v6, __v1, __v4, __v7, ...__v0) {
>+    return __v3(__v6, __v1, __v4, __v7);
>+}
>+function __v3(__v4, ...__v1) {
>+    return __v0(...[3011], 42, ...__v2());
>+}
>+[93847];
>+__v5(__v0);
>+for (let __v1 = 0; __v1 < 10000; __v1++) {
>+    let __v4 = 'Memory corruption'.normalize('NFC');
>+    __v0('I am not global'.keys === 7);
>+    ['__v6', '__v2', '__v1', '__v3', '__v4', '__v5'];
>+    __v5(__v1, __v1 + 1, __v1 + __v1, __v1 + 0, ...[3011, 3013]);
>+    __v5(...[3011, 3013], 42, ...String(...[]));
>+    __v0('I am not global'.keys === 7);
>+    __v0(__v4[4] === __v1 + 1);
>+    __v0();
>+    __v0(__v0[6] === (__v1 != 3));
>+}
>Index: Source/JavaScriptCore/ChangeLog
>===================================================================
>--- Source/JavaScriptCore/ChangeLog	(revision 247179)
>+++ Source/JavaScriptCore/ChangeLog	(working copy)
>@@ -1,3 +1,13 @@
>+2019-07-05  Mark Lam  <mark.lam@apple.com>
>+
>+        ArgumentsEliminationPhase::eliminateCandidatesThatInterfere() should not decrement nodeIndex pass zero.
>+        https://bugs.webkit.org/show_bug.cgi?id=199533
>+        <rdar://problem/52669111>
>+
>+        Reviewed by NOBODY (OOPS!).
>+
>+        * dfg/DFGArgumentsEliminationPhase.cpp:
>+
> 2019-07-05  Yusuke Suzuki  <ysuzuki@apple.com>
> 
>         Unreviewed, fix build failure on ARM64_32
>Index: Source/JavaScriptCore/dfg/DFGArgumentsEliminationPhase.cpp
>===================================================================
>--- Source/JavaScriptCore/dfg/DFGArgumentsEliminationPhase.cpp	(revision 247179)
>+++ Source/JavaScriptCore/dfg/DFGArgumentsEliminationPhase.cpp	(working copy)
>@@ -604,7 +604,20 @@ private:
>                         }
> 
>                         // This loop considers all nodes up to the nodeIndex, excluding the nodeIndex.
>-                        while (nodeIndex--) {
>+                        //
>+                        // Note: nodeIndex here has a double meaning. Before entering this
>+                        // while loop, it refers to the remaining number of nodes that have
>+                        // yet to be processed. Inside the look, it refers to the index
>+                        // of the current node to process (after we decrement it).
>+                        //
>+                        // If the remaining number of nodes is 0, we should not decrement nodeIndex.
>+                        // Hence, we must only decrement nodeIndex inside the while loop instead of
>+                        // in its condition statement. Note that this while loop is embedded in an
>+                        // outer for loop. If we decrement nodeIndex in the condition statement, a
>+                        // nodeIndex of 0 will become UINT_MAX, and the outer loop will wrongly
>+                        // treat this as there being UINT_MAX remaining nodes to process.
>+                        while (nodeIndex) {
>+                            --nodeIndex;
>                             Node* node = block->at(nodeIndex);
>                             if (node == candidate)
>                                 break;

Flags:

fpizlo: review+

Actions: View | Formatted Diff | Diff

Attachments on bug 199533: 373545