DFG::AbstractValue::validateOSREntry is wrong when isHeapTop and the incoming value...
author sbarati@apple.com <sbarati@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Thu, 21 Mar 2019 05:43:08 +0000 (05:43 +0000)
committer sbarati@apple.com <sbarati@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Thu, 21 Mar 2019 05:43:08 +0000 (05:43 +0000)
commit 2cb49200d1c8217537de1c6bd50b7ecdecf581b4
tree 400fd95f5f77ed6c5be94e0f93f9a3f0388f8d3a
parent 2393370eb41b9b3d0af2dcd9c8c9c24e659d57b7
DFG::AbstractValue::validateOSREntry is wrong when isHeapTop and the incoming value is Empty
https://bugs.webkit.org/show_bug.cgi?id=195721

Reviewed by Filip Pizlo.

Source/JavaScriptCore:

There was a check in AbstractValue::validateOSREntry where it checked
if isHeapTop(), and if so, just returned true. However, this is wrong
if the value we're checking against is the empty value, since HeapTop
does not include the Empty value. Instead, this check should be
isBytecodeTop(), which does account for the empty value.

This patch also does a couple of other things:
- For our OSR entry AbstractValues, we were using HeapTop to mark
 a dead value. That is now changed to BytecodeTop. (The idea here
 is just to have validateOSREntry return early.)
- It wasn't obvious to me how I could make this fail in JS code.
 The symptom we'd end up seeing is something like a nullptr dereference
 from forgetting to do a TDZ check. Instead, I've added a unit test.
 This unit test lives in a new test file: testdfg. testdfg is similar
 to testb3/testair/testapi.

* JavaScriptCore.xcodeproj/project.pbxproj:
* bytecode/SpeculatedType.h:
* dfg/DFGAbstractValue.h:
(JSC::DFG::AbstractValue::isBytecodeTop const):
(JSC::DFG::AbstractValue::validateOSREntryValue const):
* dfg/testdfg.cpp: Added.
(hiddenTruthBecauseNoReturnIsStupid):
(usage):
(JSC::DFG::testEmptyValueDoesNotValidateWithHeapTop):
(JSC::DFG::run):
(run):
(main):
* shell/CMakeLists.txt:

Tools:

* Scripts/run-javascriptcore-tests:

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@243278 268f45cc-cd09-0410-ab3c-d52691b4dbfc
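A simplified model of the lattice mistake the commit message describes, added here as an illustration and not taken from JSC: the type bits, the struct and both validate functions are constructed, and JSC's real SpeculatedType and AbstractValue carry far more state. The point it shows is that HeapTop does not contain Empty, so an isHeapTop() early return accepts an Empty incoming value that the abstract value never promised, while an isBytecodeTop() early return does not.

```cpp
#include <cstdint>

// Constructed bit layout for the model; it is not JSC's real SpeculatedType.
using SpecType = uint32_t;
constexpr SpecType SpecNone   = 0;
constexpr SpecType SpecInt32  = 1u << 0;
constexpr SpecType SpecDouble = 1u << 1;
constexpr SpecType SpecCell   = 1u << 2;
constexpr SpecType SpecOther  = 1u << 3;   // undefined / null / booleans
constexpr SpecType SpecEmpty  = 1u << 4;   // TDZ marker: a value that is not yet initialized
// HeapTop is "any real JS value"; it deliberately excludes Empty.
constexpr SpecType SpecHeapTop     = SpecInt32 | SpecDouble | SpecCell | SpecOther;
// BytecodeTop is "anything a bytecode local can hold", which includes Empty.
constexpr SpecType SpecBytecodeTop = SpecHeapTop | SpecEmpty;

struct AbstractValue {
    SpecType m_type = SpecNone;

    bool isHeapTop() const { return (m_type & SpecHeapTop) == SpecHeapTop; }
    bool isBytecodeTop() const { return (m_type & SpecBytecodeTop) == SpecBytecodeTop; }

    // Shared slow path: the incoming value must not carry any type bit the
    // abstract value does not already admit.
    bool subsumes(SpecType incoming) const { return (incoming & ~m_type) == SpecNone; }

    // Before the fix: an abstract value of HeapTop returns true for every
    // incoming value, including Empty, which HeapTop never included.
    bool validateOSREntryBefore(SpecType incoming) const {
        if (isHeapTop())
            return true;
        return subsumes(incoming);
    }

    // After the fix: only BytecodeTop, which does cover Empty, justifies the
    // early return; a HeapTop abstract value now rejects an Empty incoming value.
    bool validateOSREntryAfter(SpecType incoming) const {
        if (isBytecodeTop())
            return true;
        return subsumes(incoming);
    }
};

// Dead OSR-entry values: the message says these moved from HeapTop to
// BytecodeTop so that validation can still return early for them.
inline AbstractValue deadEntryValueBefore() { return AbstractValue{SpecHeapTop}; }
inline AbstractValue deadEntryValueAfter() { return AbstractValue{SpecBytecodeTop}; }
```

With this model, a HeapTop abstract value paired with an Empty incoming value is exactly the case the buggy check let through; the OSR-entered code would then proceed as if a TDZ check were unnecessary.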
Source/JavaScriptCore/ChangeLog
Source/JavaScriptCore/JavaScriptCore.xcodeproj/project.pbxproj
Source/JavaScriptCore/bytecode/ArrayProfile.h
Source/JavaScriptCore/bytecode/SpeculatedType.h
Source/JavaScriptCore/dfg/DFGAbstractValue.h
Source/JavaScriptCore/dfg/DFGJITCompiler.cpp
Source/JavaScriptCore/dfg/DFGStructureAbstractValue.h
Source/JavaScriptCore/dfg/testdfg.cpp [new file with mode: 0644]
Source/JavaScriptCore/shell/CMakeLists.txt
Tools/ChangeLog
Tools/Scripts/run-javascriptcore-tests