[JSC] Do not use FTLOutput::weakPointer directly
author: ysuzuki@apple.com <ysuzuki@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Thu, 5 Sep 2019 15:51:47 +0000 (15:51 +0000)
committer: ysuzuki@apple.com <ysuzuki@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Thu, 5 Sep 2019 15:51:47 +0000 (15:51 +0000)
https://bugs.webkit.org/show_bug.cgi?id=201495

Reviewed by Filip Pizlo.

JSTests:

* stress/create-promise-weak-pointer.js: Added.
(foo):

Source/JavaScriptCore:

FTLOutput::weakPointer does not register the cell as a weak pointer.
CreatePromise's implementation is accidentally using m_out.weakPointer and hits the debug assertion.
While the current implementation is not posing a correctness issue, since these cells are live as long as JSGlobalObject is live
and we register JSGlobalObject as a weakPointer, we should always use FTLLowerDFGToB3's helper function.
For FrozenValue, we should use the frozenPointer helper function.

* ftl/FTLLowerDFGToB3.cpp:
(JSC::FTL::DFG::LowerDFGToB3::compileCreatePromise):
(JSC::FTL::DFG::LowerDFGToB3::compileNewArrayBuffer):

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@249530 268f45cc-cd09-0410-ab3c-d52691b4dbfc

JSTests/ChangeLog
JSTests/stress/create-promise-weak-pointer.js [new file with mode: 0644]
Source/JavaScriptCore/ChangeLog
Source/JavaScriptCore/ftl/FTLLowerDFGToB3.cpp

index 3746a38..e614e9f 100644 (file)
@@ -1,3 +1,13 @@
+2019-09-05  Yusuke Suzuki  <ysuzuki@apple.com>
+
+        [JSC] Do not use FTLOutput::weakPointer directly
+        https://bugs.webkit.org/show_bug.cgi?id=201495
+
+        Reviewed by Filip Pizlo.
+
+        * stress/create-promise-weak-pointer.js: Added.
+        (foo):
+
 2019-09-04  Yusuke Suzuki  <ysuzuki@apple.com>
 
         [JSC] Make Promise implementation faster
diff --git a/JSTests/stress/create-promise-weak-pointer.js b/JSTests/stress/create-promise-weak-pointer.js
new file mode 100644 (file)
index 0000000..29d9b8c
--- /dev/null
@@ -0,0 +1,7 @@
+const x = new Proxy(Promise, {});
+function foo() {
+    new x(()=>{});
+}
+for (let i=0; i<100000; i++) {
+    foo();
+}
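Review bot: the test file says nothing about why the Proxy wrapper is there or what failure it reproduces. Per the hunk at 6300 below, compileCreatePromise compares the callee against globalObject->promiseConstructor() and takes the derived path when they differ; wrapping Promise in `new Proxy(Promise, {})` is what makes the callee differ and drives that path. A one-line comment to that effect at the top of the file would save the next reader the trip into FTLLowerDFGToB3.cpp. Two further things worth stating in the file: the test has no observable assertion and only catches the regression through the debug ASSERT the commit message mentions, so it is a debug-build-only check; and it exercises only the regular Promise path, while compileCreatePromise also lowers the isInternalPromise() case, which this test leaves uncovered.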
index a231642..7bd7cf5 100644 (file)
@@ -1,3 +1,20 @@
+2019-09-05  Yusuke Suzuki  <ysuzuki@apple.com>
+
+        [JSC] Do not use FTLOutput::weakPointer directly
+        https://bugs.webkit.org/show_bug.cgi?id=201495
+
+        Reviewed by Filip Pizlo.
+
+        FTLOutput::weakPointer does not register the cell as a weak pointer.
+        CreatePromise's implementation is accidentally using m_out.weakPointer and hits the debug assertion.
+        While the current implementation is not posing correctness issue since these cells are live so long as JSGlobalObject is live,
+        and we register JSGlobalObject as a weakPointer, we should always use FTLLowerDFGToB3's helper function.
+        For FrozenValue, we should use frozenPointer helper function.
+
+        * ftl/FTLLowerDFGToB3.cpp:
+        (JSC::FTL::DFG::LowerDFGToB3::compileCreatePromise):
+        (JSC::FTL::DFG::LowerDFGToB3::compileNewArrayBuffer):
+
 2019-09-04  Yusuke Suzuki  <ysuzuki@apple.com>
 
         Unreviewed, partial roll out r249372 due to JetStream2/Basic ~10% regression
index abe6518..6756863 100644 (file)
@@ -6300,7 +6300,7 @@ private:
         LBasicBlock continuation = m_out.newBlock();
 
         ValueFromBlock promiseStructure = m_out.anchor(weakStructure(m_graph.registerStructure(m_node->isInternalPromise() ? globalObject->internalPromiseStructure() : globalObject->promiseStructure())));
-        m_out.branch(m_out.equal(callee, m_out.weakPointer(m_graph, m_node->isInternalPromise() ? globalObject->internalPromiseConstructor() : globalObject->promiseConstructor())), unsure(fastAllocationCase), unsure(derivedCase));
+        m_out.branch(m_out.equal(callee, weakPointer(m_node->isInternalPromise() ? globalObject->internalPromiseConstructor() : globalObject->promiseConstructor())), unsure(fastAllocationCase), unsure(derivedCase));
 
         LBasicBlock lastNext = m_out.appendTo(derivedCase, isFunctionBlock);
         m_out.branch(isFunction(callee, provenType(m_node->child1())), usually(isFunctionBlock), rarely(slowCase));
@@ -6530,7 +6530,7 @@ private:
             m_out.jump(continuation);
 
             m_out.appendTo(slowPath, continuation);
-            LValue slowArray = vmCall(Int64, m_out.operation(operationNewArrayBuffer), m_callFrame, weakStructure(structure), m_out.weakPointer(m_node->cellOperand()));
+            LValue slowArray = vmCall(Int64, m_out.operation(operationNewArrayBuffer), m_callFrame, weakStructure(structure), frozenPointer(m_node->cellOperand()));
             ValueFromBlock slowResult = m_out.anchor(slowArray);
             m_out.jump(continuation);
 
@@ -6543,7 +6543,7 @@ private:
         
         setJSValue(vmCall(
             Int64, m_out.operation(operationNewArrayBuffer), m_callFrame,
-            weakStructure(structure), m_out.weakPointer(m_node->cellOperand())));
+            weakStructure(structure), frozenPointer(m_node->cellOperand())));
     }
 
     void compileNewArrayWithSize()
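Review bot: this is the second vmCall to operationNewArrayBuffer in compileNewArrayBuffer with the exact same argument list (`m_callFrame, weakStructure(structure), frozenPointer(m_node->cellOperand())`), and this patch had to apply the same one-token fix in both the slow path in the hunk at 6530 and here. Consider hoisting the call into a small lambda or helper so the argument list is written once and the next correction does not need to be made twice. The switch to frozenPointer is the right one per the commit message, since cellOperand() is a FrozenValue rather than a cell the code block would otherwise need to track weakly.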