r238510 broke scopes of size zero
author: sbarati@apple.com <sbarati@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Wed, 28 Nov 2018 02:03:20 +0000 (02:03 +0000)
committer: sbarati@apple.com <sbarati@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Wed, 28 Nov 2018 02:03:20 +0000 (02:03 +0000)
https://bugs.webkit.org/show_bug.cgi?id=192033
<rdar://problem/46281734>

Reviewed by Keith Miller.

JSTests:

* stress/r238510-bad-loop.js: Added.
(foo):

Source/JavaScriptCore:

In r238510, I wrote the loop like this:
`for (ScopeOffset offset { 0 }; offset <= symbolTable->maxScopeOffset(); offset += 1)`

This breaks for scopes of size zero because maxScopeOffset() will be UINT_MAX.

This patch fixes this by writing the loop as:
`for (unsigned offset = 0; offset < symbolTable->scopeSize(); ++offset)`

* dfg/DFGObjectAllocationSinkingPhase.cpp:

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@238596 268f45cc-cd09-0410-ab3c-d52691b4dbfc
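As an added illustration, not part of this commit, here is a reduced C++ model of the two loop forms from the message. `FakeSymbolTable` is a hypothetical stand-in that reproduces only the behaviour the message states: an empty scope reports `maxScopeOffset()` as `UINT_MAX`.

```cpp
#include <climits>

// Hypothetical stand-in for JSC's SymbolTable, reduced to the two accessors the
// commit message mentions. As the message states, an empty scope reports
// maxScopeOffset() == UINT_MAX; for a non-empty scope we assume size - 1.
struct FakeSymbolTable {
    unsigned size;
    unsigned scopeSize() const { return size; }
    unsigned maxScopeOffset() const { return size == 0 ? UINT_MAX : size - 1; }
};

// The r238510 form: `offset <= maxScopeOffset()`. With an unsigned counter and
// a UINT_MAX bound the condition can never be false, and `offset += 1` wraps at
// UINT_MAX, so for size 0 the loop never ends. The real loop had no cap; the
// caller-supplied cap here only exists so the model terminates.
// Returns the number of offsets visited before stopping.
unsigned long long visitBuggy(const FakeSymbolTable& table, unsigned long long cap) {
    unsigned long long visited = 0;
    for (unsigned offset = 0; offset <= table.maxScopeOffset(); offset += 1) {
        if (visited == cap)
            return visited;  // only reached for the empty-scope case
        ++visited;
    }
    return visited;
}

// The r238596 form: `offset < scopeSize()`. Zero iterations for an empty scope
// and exactly scopeSize() iterations (offsets 0..scopeSize()-1) otherwise.
unsigned long long visitFixed(const FakeSymbolTable& table) {
    unsigned long long visited = 0;
    for (unsigned offset = 0; offset < table.scopeSize(); ++offset)
        ++visited;
    return visited;
}
```

For a non-empty scope both forms visit the same offsets; only the empty scope separates them.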

JSTests/ChangeLog
JSTests/stress/r238510-bad-loop.js [new file with mode: 0644]
Source/JavaScriptCore/ChangeLog
Source/JavaScriptCore/dfg/DFGObjectAllocationSinkingPhase.cpp

index af19aa4..c053fe3 100644 (file)
@@ -1,3 +1,14 @@
+2018-11-27  Saam barati  <sbarati@apple.com>
+
+        r238510 broke scopes of size zero
+        https://bugs.webkit.org/show_bug.cgi?id=192033
+        <rdar://problem/46281734>
+
+        Reviewed by Keith Miller.
+
+        * stress/r238510-bad-loop.js: Added.
+        (foo):
+
 2018-11-27  Mark Lam  <mark.lam@apple.com>
 
         [Re-landing] NaNs read from Wasm code needs to be be purified.
diff --git a/JSTests/stress/r238510-bad-loop.js b/JSTests/stress/r238510-bad-loop.js
new file mode 100644 (file)
index 0000000..be899b7
--- /dev/null
@@ -0,0 +1,10 @@
+function foo() {
+    return function () {
+        eval();
+    }
+}
+noInline(foo);
+
+for (let i = 0; i < 100000; ++i) {
+    foo();    
+}
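Review bot: the new test carries no comment saying what it exercises; since it passes only by not crashing or asserting, a one-line comment at the top of `r238510-bad-loop.js` stating why this shape (a `foo` with no locals whose returned closure calls `eval()`) produces the zero-size scope named in the title would tell the next reader what must not regress. Also, `foo();    ` in the loop body has trailing whitespace.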
index 293b2ba..330eba9 100644 (file)
@@ -1,3 +1,21 @@
+2018-11-27  Saam barati  <sbarati@apple.com>
+
+        r238510 broke scopes of size zero
+        https://bugs.webkit.org/show_bug.cgi?id=192033
+        <rdar://problem/46281734>
+
+        Reviewed by Keith Miller.
+
+        In r238510, I wrote the loop like this: 
+        `for (ScopeOffset offset { 0 }; offset <= symbolTable->maxScopeOffset(); offset += 1)`
+        
+        This breaks for scopes of size zero because maxScopeOffset() will be UINT_MAX.
+        
+        This patch fixes this by writing the loop as:
+        `for (unsigned offset = 0; offset < symbolTable->scopeSize(); ++offset)`
+
+        * dfg/DFGObjectAllocationSinkingPhase.cpp:
+
 2018-11-27  Mark Lam  <mark.lam@apple.com>
 
         ASSERTION FAILED: capacity && isPageAligned(capacity) in JSC::CLoopStack::CLoopStack(JSC::VM&).
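Review bot: trailing whitespace in the new ChangeLog entry: `In r238510, I wrote the loop like this: ` ends with a space, and the two separator lines after the backquoted loop forms contain only spaces; the entry should use truly empty lines there like the rest of the file.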
index 6e0b647..fd2b32f 100644 (file)
@@ -878,9 +878,9 @@ private:
             {
                 SymbolTable* symbolTable = node->castOperand<SymbolTable*>();
                 LazyNode initialValue(m_graph.freeze(node->initializationValueForActivation()));
-                for (ScopeOffset offset { 0 }; offset <= symbolTable->maxScopeOffset(); offset += 1) {
+                for (unsigned offset = 0; offset < symbolTable->scopeSize(); ++offset) {
                     writes.add(
-                        PromotedLocationDescriptor(ClosureVarPLoc, offset.offset()),
+                        PromotedLocationDescriptor(ClosureVarPLoc, offset),
                         initialValue);
                 }
             }
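Review bot: the new bound `offset < symbolTable->scopeSize()` is the right fix for the empty case, since a `<=` comparison against a `maxScopeOffset()` of UINT_MAX can never be false for an unsigned counter; assuming `maxScopeOffset()` is `scopeSize() - 1` for non-empty scopes, the same offsets are visited as before. Because `offset` is now a plain `unsigned`, `PromotedLocationDescriptor(ClosureVarPLoc, offset)` passes the raw index where `offset.offset()` was passed before, so it is worth confirming that the descriptor's second parameter is the unsigned index rather than a `ScopeOffset`. A short comment on the loop noting that `scopeSize()` may be zero would keep the `<=`/`maxScopeOffset()` form from being reintroduced.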