The HasIndexedProperty node does GC.
author mark.lam@apple.com <mark.lam@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Tue, 12 Mar 2019 19:02:22 +0000 (19:02 +0000)
committer mark.lam@apple.com <mark.lam@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Tue, 12 Mar 2019 19:02:22 +0000 (19:02 +0000)
https://bugs.webkit.org/show_bug.cgi?id=195559
<rdar://problem/48767923>

Reviewed by Yusuke Suzuki.

JSTests:

* stress/HasIndexedProperty-does-gc.js: Added.

Source/JavaScriptCore:

HasIndexedProperty can call the slow path operationHasIndexedPropertyByInt(),
which can eventually call JSString::getIndex(), which can resolve a rope.

* dfg/DFGDoesGC.cpp:
(JSC::DFG::doesGC):

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@242810 268f45cc-cd09-0410-ab3c-d52691b4dbfc

JSTests/ChangeLog
JSTests/stress/HasIndexedProperty-does-gc.js [new file with mode: 0644]
Source/JavaScriptCore/ChangeLog
Source/JavaScriptCore/dfg/DFGDoesGC.cpp

index f345dd3..b7f9581 100644 (file)
@@ -1,3 +1,13 @@
+2019-03-12  Mark Lam  <mark.lam@apple.com>
+
+        The HasIndexedProperty node does GC.
+        https://bugs.webkit.org/show_bug.cgi?id=195559
+        <rdar://problem/48767923>
+
+        Reviewed by Yusuke Suzuki.
+
+        * stress/HasIndexedProperty-does-gc.js: Added.
+
 2019-03-11  Caio Lima  <ticaiolima@gmail.com>
 
         [ESNext][BigInt] Implement "~" unary operation
diff --git a/JSTests/stress/HasIndexedProperty-does-gc.js b/JSTests/stress/HasIndexedProperty-does-gc.js
new file mode 100644 (file)
index 0000000..b11629f
--- /dev/null
@@ -0,0 +1,9 @@
+// This test should not crash.
+function foo(a) {
+    return 0 in a;
+}
+for (let i = 0; i < 100000; i++) {
+    const str = new String('asdf');
+    str[42] = 'x'; // Give it ArrayStorage
+    foo(str);
+}
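Review bot: the return value of foo(str) is discarded in the loop body, so the test only detects a crash and would pass silently if `0 in a` started returning the wrong answer for a String wrapper that has ArrayStorage. Consider checking the result, e.g. `if (!foo(str)) throw new Error("0 in String wrapper should be true");`, since index 0 is an own property of a String object. It would also help to say in the comment that the 100000 iterations exist to get foo() tiered up to the DFG, which is the tier where doesGC() for HasIndexedProperty matters.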
index 079165f..c659a13 100644 (file)
@@ -1,3 +1,17 @@
+2019-03-12  Mark Lam  <mark.lam@apple.com>
+
+        The HasIndexedProperty node does GC.
+        https://bugs.webkit.org/show_bug.cgi?id=195559
+        <rdar://problem/48767923>
+
+        Reviewed by Yusuke Suzuki.
+
+        HasIndexedProperty can call the slow path operationHasIndexedPropertyByInt(),
+        which can eventually call JSString::getIndex(), which can resolve a rope.
+
+        * dfg/DFGDoesGC.cpp:
+        (JSC::DFG::doesGC):
+
 2019-03-12  Devin Rousso  <drousso@apple.com>
 
         Web Inspector: Audit: there should be a centralized place for reusable code
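Review bot: the rationale stops one step short: it says JSString::getIndex() can resolve a rope, but not that rope resolution is what allocates (it materialises the flattened string buffer), which is the actual reason the node has to be treated as GCing. Suggest adding that clause so the next reader of DFGDoesGC.cpp does not have to rediscover why an existence check allocates.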
index 44050f6..130edf1 100644 (file)
@@ -195,7 +195,6 @@ bool doesGC(Graph& graph, Node* node)
     case GetByOffset:
     case GetGetterSetterByOffset:
     case GetEnumerableLength:
-    case HasIndexedProperty:
     case FiatInt52:
     case BooleanToNumber:
     case CheckBadCell:
@@ -282,6 +281,7 @@ bool doesGC(Graph& graph, Node* node)
     case GetDynamicVar:
     case GetMapBucket:
     case HasGenericProperty:
+    case HasIndexedProperty:
     case HasOwnProperty:
     case HasStructureProperty:
     case InById:
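Review bot: moving HasIndexedProperty next to HasGenericProperty and HasOwnProperty is consistent, but nothing at the case records why a property-existence check can GC; a one-line comment at `case HasIndexedProperty:` (slow path operationHasIndexedPropertyByInt() can reach JSString::getIndex() and resolve a rope) would stop someone from "optimising" it back into the non-GC list in the earlier hunk. It is also worth confirming that any other node whose slow path goes through JSString::getIndex() is already in this list rather than the one HasIndexedProperty was removed from.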