In FTLLowerDFGToB3.cpp::compileCreateRest, always use a contiguous array as the index...
authorrmorisset@apple.com <rmorisset@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Wed, 25 Apr 2018 23:32:58 +0000 (23:32 +0000)
committerrmorisset@apple.com <rmorisset@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Wed, 25 Apr 2018 23:32:58 +0000 (23:32 +0000)
commiteaf115348b9f9c5d40e6a9484a8abe8514aef76c
tree19231cad83563a5d4632fa5bbcdfad8ce7da5f10
parent878ae2833349d46306aecac1e943771cb4b1fb31
In FTLLowerDFGToB3.cpp::compileCreateRest, always use a contiguous array as the indexing type when under isWatchingHavingABadTimeWatchpoint
https://bugs.webkit.org/show_bug.cgi?id=184773
<rdar://problem/37773612>

Reviewed by Filip Pizlo.

JSTests:

This bug requires a race between the thread doing FTL compilation and the main thread, but it triggers in 100% of cases (before the fix) on my machine
so I decided to add it to the stress tests nonetheless.

* stress/create-rest-while-having-a-bad-time.js: Added.
(f):
(g):
(h):

Source/JavaScriptCore:

We were calling restParameterStructure(), which returns arrayStructureForIndexingTypeDuringAllocation(ArrayWithContiguous).
arrayStructureForIndexingTypeDuringAllocation uses m_arrayStructureForIndexingShapeDuringAllocation, which is set to SlowPutArrayStorage when we are 'having a bad time'.
This is problematic, because the structure is then passed to allocateUninitializedContiguousJSArray, which ASSERTs that the indexing type is contiguous (or int32).
We solve the problem by using originalArrayStructureForIndexingType which always returns a structure with the right indexing type (contiguous), even if we are having a bad time.
This is safe, as we are under isWatchingHavingABadTimeWatchpoint, so if we have a bad time, the code we generate will never be installed.

* ftl/FTLLowerDFGToB3.cpp:
(JSC::FTL::DFG::LowerDFGToB3::compileCreateRest):

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@231034 268f45cc-cd09-0410-ab3c-d52691b4dbfc
JSTests/ChangeLog
JSTests/stress/create-rest-while-having-a-bad-time.js [new file with mode: 0644]
Source/JavaScriptCore/ChangeLog
Source/JavaScriptCore/ftl/FTLLowerDFGToB3.cpp
Source/JavaScriptCore/runtime/JSGlobalObject.h