[JSC] isRope jump in StringSlice should not jump over register allocations
authorysuzuki@apple.com <ysuzuki@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Tue, 9 Apr 2019 00:00:24 +0000 (00:00 +0000)
committerysuzuki@apple.com <ysuzuki@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Tue, 9 Apr 2019 00:00:24 +0000 (00:00 +0000)
commit5476010213c3cbfb21b206671b52dee5354ca8b7
treeab66669c669bcb74cd8b8216762c1d78796d7e7e
parent362dfe71b87e088b21562118f87a615f8400c112
[JSC] isRope jump in StringSlice should not jump over register allocations
https://bugs.webkit.org/show_bug.cgi?id=196716

Reviewed by Saam Barati.

JSTests:

* stress/is-rope-check-in-string-slice-should-not-jump-over-register-allocations.js: Added.
(foo.bar):
(foo):

Source/JavaScriptCore:

Jumping over the register allocation code in DFG (like the following) is wrong.

    auto jump = m_jit.branchXXX();
    {
        GPRTemporary reg(this);
        GPRReg regGPR = reg.gpr();
        ...
    }
    jump.link(&m_jit);

When GPRTemporary::gpr allocates a new register, it can flush the previous register value into the stack and make the register usable.
Jumping over this register allocation code skips the flushing code, and makes the DFG's stack and register content tracking inconsistent:
DFG thinks that the content is flushed and stored in particular stack slot even while this flushing code is skipped.
In this patch, we perform register allocations before jumping to the slow path based on `isRope` condition in StringSlice.

* dfg/DFGSpeculativeJIT.cpp:
(JSC::DFG::SpeculativeJIT::compileStringSlice):

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@244058 268f45cc-cd09-0410-ab3c-d52691b4dbfc
JSTests/ChangeLog
JSTests/stress/is-rope-check-in-string-slice-should-not-jump-over-register-allocations.js [new file with mode: 0644]
Source/JavaScriptCore/ChangeLog
Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp