REGRESSION: ASSERT (impl->isAtomic()) @ facebook.com
author: utatane.tea@gmail.com <utatane.tea@gmail.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Tue, 13 Oct 2015 16:03:22 +0000 (16:03 +0000)
committer: utatane.tea@gmail.com <utatane.tea@gmail.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Tue, 13 Oct 2015 16:03:22 +0000 (16:03 +0000)
https://bugs.webkit.org/show_bug.cgi?id=149965

Reviewed by Geoffrey Garen.

Edge filtering for CheckIdent ensures that a given value is either Symbol or StringIdent.
However, this filtering is not applied to CheckIdent when propagating a constant value in
the constant folding phase. As a result, it is not guaranteed that a constant value
propagated in constant folding is Symbol or StringIdent.

* dfg/DFGConstantFoldingPhase.cpp:
(JSC::DFG::ConstantFoldingPhase::foldConstants):

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@190991 268f45cc-cd09-0410-ab3c-d52691b4dbfc

Source/JavaScriptCore/ChangeLog
Source/JavaScriptCore/dfg/DFGConstantFoldingPhase.cpp

index 2074019..74ac8d5 100644 (file)
@@ -1,3 +1,18 @@
+2015-10-13  Yusuke Suzuki  <utatane.tea@gmail.com>
+
+        REGRESSION: ASSERT (impl->isAtomic()) @ facebook.com
+        https://bugs.webkit.org/show_bug.cgi?id=149965
+
+        Reviewed by Geoffrey Garen.
+
+        Edge filtering for CheckIdent ensures that a given value is either Symbol or StringIdent.
+        However, this filtering is not applied to CheckIdent when propagating a constant value in
+        the constant folding phase. As a result, it is not guaranteeed that a constant value
+        propagated in constant folding is Symbol or StringIdent.
+
+        * dfg/DFGConstantFoldingPhase.cpp:
+        (JSC::DFG::ConstantFoldingPhase::foldConstants):
+
 2015-10-12  Yusuke Suzuki  <utatane.tea@gmail.com>
 
         Unreviewed, register symbol structure to fix Debug build
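Review bot: the ChangeLog entry describes a regression fix but lists no test, only the changed function `(JSC::DFG::ConstantFoldingPhase::foldConstants)`; a regression that reached an ASSERT on a live site should come with a JSC stress test that drives a CheckIdent with a constant, non-atomic string through the DFG so the folding path is exercised under Debug builds. Separately, the entry carries the same typo as the commit message ("guaranteeed"); worth fixing in the ChangeLog before landing, since it is the permanent record.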
index 5c83603..3a56e35 100644 (file)
@@ -247,19 +247,22 @@ private:
 
             case CheckIdent: {
                 UniquedStringImpl* uid = node->uidOperand();
-                JSValue childConstant = m_state.forNode(node->child1()).value();
                 const UniquedStringImpl* constantUid = nullptr;
+
+                JSValue childConstant = m_state.forNode(node->child1()).value();
                 if (childConstant) {
                     if (uid->isSymbol()) {
                         if (childConstant.isSymbol())
                             constantUid = asSymbol(childConstant)->privateName().uid();
                     } else {
                         if (childConstant.isString()) {
-                            // Since we already filtered the value with StringIdentUse,
-                            // the held impl is always atomic.
                             if (const auto* impl = asString(childConstant)->tryGetValueImpl()) {
-                                ASSERT(impl->isAtomic());
-                                constantUid = static_cast<const UniquedStringImpl*>(impl);
+                                // Edge filtering requires that a value here should be StringIdent.
+                                // However, a constant value propagated in DFG is not filtered.
+                                // So here, we check the propagated value is actually an atomic string.
+                                // And if it's not, we just ignore.
+                                if (impl->isAtomic())
+                                    constantUid = static_cast<const UniquedStringImpl*>(impl);
                             }
                         }
                     }
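Review bot: the new comment on the `impl->isAtomic()` branch ends with "And if it's not, we just ignore.", which does not say what "ignore" means for the node; since `constantUid` stays `nullptr`, the CheckIdent is simply not folded and the existing runtime check on the StringIdent edge remains in place, and the comment should state that so the next reader does not take the silent fall-through for a missed check. The replaced code relied on `ASSERT(impl->isAtomic())` before the `static_cast<const UniquedStringImpl*>(impl)`, so turning the assertion into an `if` is the right minimal fix: the cast is only valid when the impl is atomic, and a Release build previously performed it unconditionally on a value the abstract interpreter had not filtered. The move of the `JSValue childConstant` declaration below `constantUid` is purely cosmetic and could be dropped to keep the diff to the behavioural change.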