CheckNeutered needs to claim it reads JSType in clobberize.
author keith_miller@apple.com <keith_miller@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Mon, 13 Jan 2020 17:19:56 +0000 (17:19 +0000)
committer keith_miller@apple.com <keith_miller@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Mon, 13 Jan 2020 17:19:56 +0000 (17:19 +0000)
https://bugs.webkit.org/show_bug.cgi?id=206136

Reviewed by Yusuke Suzuki.

JSTests:

* stress/check-neutered-clobberize-reads-jstype.js: Added.
(foo):

Source/JavaScriptCore:

CheckNeutered needs to read JSType, otherwise it can get hoisted
past the TypedArray check guarding it.

* dfg/DFGAbstractInterpreterInlines.h:
(JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
* dfg/DFGClobberize.h:
(JSC::DFG::clobberize):

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@254434 268f45cc-cd09-0410-ab3c-d52691b4dbfc

JSTests/ChangeLog
JSTests/stress/check-neutered-clobberize-reads-jstype.js [new file with mode: 0644]
Source/JavaScriptCore/ChangeLog
Source/JavaScriptCore/dfg/DFGAbstractInterpreterInlines.h
Source/JavaScriptCore/dfg/DFGClobberize.h

index 53aeebf..02bc7ca 100644 (file)
@@ -1,3 +1,13 @@
+2020-01-11  Keith Miller  <keith_miller@apple.com>
+
+        CheckNeutered needs to claim it reads JSType in clobberize.
+        https://bugs.webkit.org/show_bug.cgi?id=206136
+
+        Reviewed by Yusuke Suzuki.
+
+        * stress/check-neutered-clobberize-reads-jstype.js: Added.
+        (foo):
+
 2020-01-12  Yusuke Suzuki  <ysuzuki@apple.com>
 
         [JSC] Use internal object field mechanism to implement JSStringIterator
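Review bot: the new entry is dated 2020-01-11 but is placed above the 2020-01-12 entry that follows it, so the ChangeLog is out of chronological order; update the date to the landing date before committing.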
diff --git a/JSTests/stress/check-neutered-clobberize-reads-jstype.js b/JSTests/stress/check-neutered-clobberize-reads-jstype.js
new file mode 100644 (file)
index 0000000..6cb417a
--- /dev/null
@@ -0,0 +1,11 @@
+//@ requireOptions("--useObjectAllocationSinking=0", "--forceEagerCompilation=1")
+
+function foo() {
+const a = new Uint8Array(25000);
+for (let i = 0; i < 10; i++) {
+for (const x of a) {
+}
+}
+}
+foo();
+foo();
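Review bot: the body of foo() and both loop bodies are flush-left, which hides the nesting of the for loops; indent each level by four spaces to match the surrounding stress tests. A one-line comment stating what the test exercises would also help, since nothing in the file says why --useObjectAllocationSinking=0 and --forceEagerCompilation=1 are required, e.g. `// Iterating a Uint8Array under eager DFG compilation must not hoist CheckNeutered above the TypedArray check.`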
index 0880783..0697290 100644 (file)
@@ -1,3 +1,18 @@
+2020-01-11  Keith Miller  <keith_miller@apple.com>
+
+        CheckNeutered needs to claim it reads JSType in clobberize.
+        https://bugs.webkit.org/show_bug.cgi?id=206136
+
+        Reviewed by Yusuke Suzuki.
+
+        CheckNeutered needs to read JSType otherwise it can get hoisted
+        past the TypedArray check guarding it.
+
+        * dfg/DFGAbstractInterpreterInlines.h:
+        (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
+        * dfg/DFGClobberize.h:
+        (JSC::DFG::clobberize):
+
 2020-01-12  Yusuke Suzuki  <ysuzuki@apple.com>
 
         [JSC] Use internal object field mechanism to implement JSStringIterator
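Review bot: the description covers the JSType read, but the DFGClobberize.h hunk also adds read(JSCell_structureID), which neither the title nor this entry mentions; add a sentence explaining why the structure ID read is needed alongside the type read. The entry is also dated 2020-01-11 while sitting above a 2020-01-12 entry, so the date should be refreshed to the landing date.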
index b42b0cf..5bb278d 100644 (file)
@@ -3361,6 +3361,7 @@ bool AbstractInterpreter<AbstractStateType>::executeEffects(unsigned clobberLimi
     }
 
     case CheckNeutered: {
+        DFG_ASSERT(m_graph, node, speculationChecked(forNode(node->child1()).m_type, SpecTypedArrayView));
         break;
     }
 
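Review bot: the new DFG_ASSERT carries no comment explaining the invariant it encodes. It checks that child1 has already been proven SpecTypedArrayView at the point CheckNeutered executes, which is exactly what the hoisting described in the ChangeLog violated; a comment such as `// CheckNeutered must remain dominated by the check that proved child1 is a TypedArrayView; see clobberize.` would tell a reader why this fires if a later pass moves the node, and makes clear that the assertion is the diagnostic while the clobberize change is the fix.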
index d4ec7b7..362c478 100644 (file)
@@ -1102,6 +1102,8 @@ void clobberize(Graph& graph, Node* node, const ReadFunctor& read, const WriteFu
         return;
 
     case CheckNeutered:
+        read(JSCell_typeInfoType);
+        read(JSCell_structureID);
         read(MiscFields);
         return;
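Review bot: the two added read() calls have no comment, so a reader of clobberize cannot tell that they exist to pin CheckNeutered below the check that established child1's type rather than to describe memory the node actually inspects; add a comment such as `// Reading the type and structure keeps this node from being hoisted past the TypedArray check guarding it.` The commit title only names JSType, so the comment should also say why JSCell_structureID is read here as well.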