[JSC] DFG should respect node's strict flag
authorysuzuki@apple.com <ysuzuki@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Tue, 9 Apr 2019 03:23:15 +0000 (03:23 +0000)
committerysuzuki@apple.com <ysuzuki@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Tue, 9 Apr 2019 03:23:15 +0000 (03:23 +0000)
commite24f0635ed291489e2ba629bfe50529e750cf899
tree4dbdc1e332f005a2ecf4dd97ed67df48d50ec72d
parent862f9fb1f8977ec2af5120d1c683ec4ca8f68851
[JSC] DFG should respect node's strict flag
https://bugs.webkit.org/show_bug.cgi?id=196617

Reviewed by Saam Barati.

JSTests:

* stress/put-by-val-direct-should-respect-strict-mode-of-inlining-codeblock.js: Added.
(shouldEqual):
(makeUnwriteableUnconfigurableObject):
(runTest):
* stress/put-dynamic-var-strict-and-sloppy.js: Added.
(shouldBe):
(shouldThrow):
(with.result):
(with.putValueStrict):
(with.putValueSloppy):

Source/JavaScriptCore:

We accidentally use codeBlock->isStrictMode() directly in DFG and FTL. But this is wrong since this CodeBlock is the top level DFG/FTL CodeBlock,
and this code does not respect the isStrictMode flag for the inlined CodeBlocks. In this patch, we start using isStrictModeFor(CodeOrigin) consistently
in DFG and FTL to get the right isStrictMode flag for the DFG node.
And we also split compilePutDynamicVar into compilePutDynamicVarStrict and compilePutDynamicVarNonStrict since (1) it is cleaner than accessing inlined
callframe in the operation function, and (2) it is aligned to the other functions like operationPutByValDirectNonStrict etc.
This bug is discovered by RandomizingFuzzerAgent by expanding the DFG coverage.

* dfg/DFGAbstractInterpreterInlines.h:
(JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
* dfg/DFGConstantFoldingPhase.cpp:
(JSC::DFG::ConstantFoldingPhase::foldConstants):
* dfg/DFGFixupPhase.cpp:
(JSC::DFG::FixupPhase::fixupToThis):
* dfg/DFGOperations.cpp:
* dfg/DFGOperations.h:
* dfg/DFGPredictionPropagationPhase.cpp:
* dfg/DFGSpeculativeJIT.cpp:
(JSC::DFG::SpeculativeJIT::compileDoublePutByVal):
(JSC::DFG::SpeculativeJIT::compilePutByValForIntTypedArray):
(JSC::DFG::SpeculativeJIT::compilePutDynamicVar):
(JSC::DFG::SpeculativeJIT::compileToThis):
* dfg/DFGSpeculativeJIT32_64.cpp:
(JSC::DFG::SpeculativeJIT::compileContiguousPutByVal):
(JSC::DFG::SpeculativeJIT::compile):
* dfg/DFGSpeculativeJIT64.cpp:
(JSC::DFG::SpeculativeJIT::compile):
* ftl/FTLLowerDFGToB3.cpp:
(JSC::FTL::DFG::LowerDFGToB3::compilePutByVal):
(JSC::FTL::DFG::LowerDFGToB3::compilePutDynamicVar):

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@244067 268f45cc-cd09-0410-ab3c-d52691b4dbfc
14 files changed:
JSTests/ChangeLog
JSTests/stress/put-by-val-direct-should-respect-strict-mode-of-inlining-codeblock.js [new file with mode: 0644]
JSTests/stress/put-dynamic-var-strict-and-sloppy.js [new file with mode: 0644]
Source/JavaScriptCore/ChangeLog
Source/JavaScriptCore/dfg/DFGAbstractInterpreterInlines.h
Source/JavaScriptCore/dfg/DFGConstantFoldingPhase.cpp
Source/JavaScriptCore/dfg/DFGFixupPhase.cpp
Source/JavaScriptCore/dfg/DFGOperations.cpp
Source/JavaScriptCore/dfg/DFGOperations.h
Source/JavaScriptCore/dfg/DFGPredictionPropagationPhase.cpp
Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp
Source/JavaScriptCore/dfg/DFGSpeculativeJIT32_64.cpp
Source/JavaScriptCore/dfg/DFGSpeculativeJIT64.cpp
Source/JavaScriptCore/ftl/FTLLowerDFGToB3.cpp