SafeToExecute for GetByOffset/GetGetterByOffset/PutByOffset is using the wrong child...
author    sbarati@apple.com <sbarati@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Tue, 16 Apr 2019 00:39:26 +0000 (00:39 +0000)
committer sbarati@apple.com <sbarati@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Tue, 16 Apr 2019 00:39:26 +0000 (00:39 +0000)
https://bugs.webkit.org/show_bug.cgi?id=196945
<rdar://problem/49802750>

Reviewed by Filip Pizlo.

JSTests:

* stress/get-by-offset-should-use-correct-child.js: Added.
(foo.bar):
(foo):

Source/JavaScriptCore:

* dfg/DFGSafeToExecute.h:
(JSC::DFG::safeToExecute):

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@244314 268f45cc-cd09-0410-ab3c-d52691b4dbfc

JSTests/ChangeLog
JSTests/stress/get-by-offset-should-use-correct-child.js [new file with mode: 0644]
Source/JavaScriptCore/ChangeLog
Source/JavaScriptCore/dfg/DFGSafeToExecute.h

index a9c7fb8..e000b2f 100644 (file)
@@ -1,3 +1,15 @@
+2019-04-15  Saam barati  <sbarati@apple.com>
+
+        SafeToExecute for GetByOffset/GetGetterByOffset/PutByOffset is using the wrong child for the base
+        https://bugs.webkit.org/show_bug.cgi?id=196945
+        <rdar://problem/49802750>
+
+        Reviewed by Filip Pizlo.
+
+        * stress/get-by-offset-should-use-correct-child.js: Added.
+        (foo.bar):
+        (foo):
+
 2019-04-15  Robin Morisset  <rmorisset@apple.com>
 
         DFG should be able to constant fold Object.create() with a constant prototype operand
diff --git a/JSTests/stress/get-by-offset-should-use-correct-child.js b/JSTests/stress/get-by-offset-should-use-correct-child.js
new file mode 100644 (file)
index 0000000..27374d7
--- /dev/null
@@ -0,0 +1,25 @@
+function foo(x) {
+    for (let i = 0; i < 400; i++) {
+        for (let j = 0; j < 2; j++) {
+            for (const k of arguments) {
+            }
+            arguments.length = 0;
+            const q = {
+                z: 0
+            };
+            function bar() {
+                q;
+            }
+            for (let w = 0; w < 300; w++) {
+            }
+        }
+
+        with ({}) {
+        }
+
+        +{};
+    }
+}
+
+foo(0);
+foo(0);
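Review bot: the test carries no assertion and passes only by not crashing, and nothing in the file says which constructs are load-bearing; a short comment above `foo` naming the intent (reach DFG compilation via the 400-iteration loop and the two `foo(0)` calls, and exercise the GetByOffset/PutByOffset safeToExecute path from bug 196945) would keep a later cleanup from removing the trigger without noticing.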
index 0a1c5c8..059087f 100644 (file)
@@ -1,3 +1,14 @@
+2019-04-15  Saam barati  <sbarati@apple.com>
+
+        SafeToExecute for GetByOffset/GetGetterByOffset/PutByOffset is using the wrong child for the base
+        https://bugs.webkit.org/show_bug.cgi?id=196945
+        <rdar://problem/49802750>
+
+        Reviewed by Filip Pizlo.
+
+        * dfg/DFGSafeToExecute.h:
+        (JSC::DFG::safeToExecute):
+
 2019-04-15  Robin Morisset  <rmorisset@apple.com>
 
         DFG should be able to constant fold Object.create() with a constant prototype operand
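Review bot: the ChangeLog entry repeats only the bug title; one sentence recording that child2() carries the base for GetByOffset/GetGetterByOffset/PutByOffset, and that the old code was inspecting child1() instead, would put the rationale next to the file list where the next reader of this block will look for it.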
index 7d7df53..472bb68 100644 (file)
@@ -545,13 +545,13 @@ bool safeToExecute(AbstractStateType& state, Graph& graph, Node* node, bool igno
         // know anything about inferred types. But if we have a proof derived from watching a
         // structure that has a type proof, then the next case below will deal with it.
         if (state.structureClobberState() == StructuresAreWatched) {
-            if (JSObject* knownBase = node->child1()->dynamicCastConstant<JSObject*>(graph.m_vm)) {
+            if (JSObject* knownBase = node->child2()->dynamicCastConstant<JSObject*>(graph.m_vm)) {
                 if (graph.isSafeToLoad(knownBase, offset))
                     return true;
             }
         }
         
-        StructureAbstractValue& value = state.forNode(node->child1()).m_structure;
+        StructureAbstractValue& value = state.forNode(node->child2()).m_structure;
         if (value.isInfinite())
             return false;
         for (unsigned i = value.size(); i--;) {
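Review bot: both places that build the proof, the constant-base path (`dynamicCastConstant` feeding `graph.isSafeToLoad(knownBase, offset)`) and the structure-set path (`state.forNode(...).m_structure` feeding the loop below), now read child2(), which matches the title; before this change the structure set of child1() was consulted while the load itself is performed on the base, so a GetByOffset could be declared safe to execute on a proof about a different node. A one-line comment at the top of this case block stating which child is the base would guard against the mistake recurring, and it is worth confirming that no other child1() use remains in the same block outside the visible context.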