ArgumentsEliminationPhase::eliminateCandidatesThatInterfere() should not decrement...
authormark.lam@apple.com <mark.lam@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Fri, 5 Jul 2019 23:05:56 +0000 (23:05 +0000)
committermark.lam@apple.com <mark.lam@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Fri, 5 Jul 2019 23:05:56 +0000 (23:05 +0000)
https://bugs.webkit.org/show_bug.cgi?id=199533
<rdar://problem/52669111>

Reviewed by Filip Pizlo.

JSTests:

* stress/ArgumentsEliminationPhase-eliminateCandidatesThatEscape-should-not-decrement-nodeIndex-pass-zero.js: Added.

Source/JavaScriptCore:

* dfg/DFGArgumentsEliminationPhase.cpp:

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@247183 268f45cc-cd09-0410-ab3c-d52691b4dbfc

JSTests/ChangeLog
JSTests/stress/ArgumentsEliminationPhase-eliminateCandidatesThatEscape-should-not-decrement-nodeIndex-pass-zero.js [new file with mode: 0644]
Source/JavaScriptCore/ChangeLog
Source/JavaScriptCore/dfg/DFGArgumentsEliminationPhase.cpp

index 470e81e..7e423d2 100644 (file)
@@ -1,3 +1,13 @@
+2019-07-05  Mark Lam  <mark.lam@apple.com>
+
+        ArgumentsEliminationPhase::eliminateCandidatesThatInterfere() should not decrement nodeIndex pass zero.
+        https://bugs.webkit.org/show_bug.cgi?id=199533
+        <rdar://problem/52669111>
+
+        Reviewed by Filip Pizlo.
+
+        * stress/ArgumentsEliminationPhase-eliminateCandidatesThatEscape-should-not-decrement-nodeIndex-pass-zero.js: Added.
+
 2019-07-05  Alexey Shvayka  <shvaikalesh@gmail.com>
 
         [JSC] Clean up ArraySpeciesCreate
diff --git a/JSTests/stress/ArgumentsEliminationPhase-eliminateCandidatesThatEscape-should-not-decrement-nodeIndex-pass-zero.js b/JSTests/stress/ArgumentsEliminationPhase-eliminateCandidatesThatEscape-should-not-decrement-nodeIndex-pass-zero.js
new file mode 100644 (file)
index 0000000..de957b7
--- /dev/null
@@ -0,0 +1,31 @@
+//@ requireOptions("--thresholdForFTLOptimizeAfterWarmUp=1000")
+
+function __v0(__v1, ...__v2) {
+    if (__v1)
+        var __v1 = {
+            9.5471568547800008: '\\p{sc=Inherited}'
+        };
+}
+noInline();
+function __v2(__v2, ...__v1) {
+    return __v1;
+}
+function __v5(__v6, __v1, __v4, __v7, ...__v0) {
+    return __v3(__v6, __v1, __v4, __v7);
+}
+function __v3(__v4, ...__v1) {
+    return __v0(...[3011], 42, ...__v2());
+}
+[93847];
+__v5(__v0);
+for (let __v1 = 0; __v1 < 10000; __v1++) {
+    let __v4 = 'Memory corruption'.normalize('NFC');
+    __v0('I am not global'.keys === 7);
+    ['__v6', '__v2', '__v1', '__v3', '__v4', '__v5'];
+    __v5(__v1, __v1 + 1, __v1 + __v1, __v1 + 0, ...[3011, 3013]);
+    __v5(...[3011, 3013], 42, ...String(...[]));
+    __v0('I am not global'.keys === 7);
+    __v0(__v4[4] === __v1 + 1);
+    __v0();
+    __v0(__v0[6] === (__v1 != 3));
+}
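Review bot: The new stress test never states what it reproduces or how it is expected to pass, so a reader cannot tell a regression from an unrelated crash; a header comment after the `//@ requireOptions` line such as `// Regression test for https://bugs.webkit.org/show_bug.cgi?id=199533: the DFG arguments-elimination pass must not underflow nodeIndex. The test passes by running to completion without crashing.` would fix that. The `noInline();` call on the line after `__v0` is passed no function, so it presumably does nothing; if the intent was to keep `__v0` out of the inliner it should be `noInline(__v0);`, otherwise the line can go. The repeated `__v1` as both the parameter and a `var` redeclaration inside `__v0` looks like fuzzer output that was kept on purpose to shape the arguments usage; a one-line comment saying so would stop the next maintainer from "tidying" it away and losing the reproduction.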
index 06d4c52..5b381c3 100644 (file)
@@ -1,3 +1,13 @@
+2019-07-05  Mark Lam  <mark.lam@apple.com>
+
+        ArgumentsEliminationPhase::eliminateCandidatesThatInterfere() should not decrement nodeIndex pass zero.
+        https://bugs.webkit.org/show_bug.cgi?id=199533
+        <rdar://problem/52669111>
+
+        Reviewed by Filip Pizlo.
+
+        * dfg/DFGArgumentsEliminationPhase.cpp:
+
 2019-07-05  Yusuke Suzuki  <ysuzuki@apple.com>
 
         Unreviewed, fix build failure on ARM64_32
index 21b8291..41ff207 100644 (file)
@@ -604,7 +604,20 @@ private:
                         }
 
                         // This loop considers all nodes up to the nodeIndex, excluding the nodeIndex.
-                        while (nodeIndex--) {
+                        //
+                        // Note: nodeIndex here has a double meaning. Before entering this
+                        // while loop, it refers to the remaining number of nodes that have
+                        // yet to be processed. Inside the look, it refers to the index
+                        // of the current node to process (after we decrement it).
+                        //
+                        // If the remaining number of nodes is 0, we should not decrement nodeIndex.
+                        // Hence, we must only decrement nodeIndex inside the while loop instead of
+                        // in its condition statement. Note that this while loop is embedded in an
+                        // outer for loop. If we decrement nodeIndex in the condition statement, a
+                        // nodeIndex of 0 will become UINT_MAX, and the outer loop will wrongly
+                        // treat this as there being UINT_MAX remaining nodes to process.
+                        while (nodeIndex) {
+                            --nodeIndex;
                             Node* node = block->at(nodeIndex);
                             if (node == candidate)
                                 break;
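Review bot: The new comment block has a typo in the sentence about the loop body: `// Inside the look, it refers to the index` should read `// Inside the loop, it refers to the index`. The comment also says the old code would wrap to UINT_MAX without mentioning that `nodeIndex` is unsigned, which is the actual reason the `while (nodeIndex--)` form was unsafe; appending ` (nodeIndex is unsigned, so the post-decrement wraps rather than going negative)` to the sentence about UINT_MAX makes the hazard explicit. The rewritten loop, `while (nodeIndex) { --nodeIndex; ... }`, is correct on the visible lines: nodeIndex is only decremented when non-zero and then used as the index of the current node. The enclosing method and the outer for loop the comment refers to both begin before this hunk and continue after it.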