Crash beneath DFG JIT code @ video.disney.com
author: msaboff@apple.com <msaboff@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Fri, 11 Apr 2014 05:19:08 +0000 (05:19 +0000)
committer: msaboff@apple.com <msaboff@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Fri, 11 Apr 2014 05:19:08 +0000 (05:19 +0000)
https://bugs.webkit.org/show_bug.cgi?id=131447

Reviewed by Geoffrey Garen.

The 32-bit path of speculateMisc() uses an 'is not int32' check followed by
a 'tag not less than Undefined' check. The first check was incorrectly elided if we
knew that the value *was* an int32, when it should have been elided if we already
knew that the value *was not* an int32.

* dfg/DFGSpeculativeJIT.cpp:
(JSC::DFG::SpeculativeJIT::speculateMisc):
* tests/stress/test-spec-misc.js: Added test.
(getX):
(foo):
(bar):

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@167112 268f45cc-cd09-0410-ab3c-d52691b4dbfc

Source/JavaScriptCore/ChangeLog
Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp
Source/JavaScriptCore/tests/stress/test-spec-misc.js [new file with mode: 0644]
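To make the elision rule described in the commit message concrete, here is an added C++ model of the 32-bit speculateMisc() path; it is not WebKit code, and the SpeculatedType bits, the 32-bit tag constants and the function names are assumptions chosen for illustration.

```cpp
#include <cstdint>

// Simplified model of the SpeculatedType bit set (assumed layout, not WebKit's).
typedef uint32_t SpeculatedType;
const SpeculatedType SpecInt32   = 1u << 0;
const SpeculatedType SpecBoolean = 1u << 1;
const SpeculatedType SpecOther   = 1u << 2;   // null / undefined
const SpeculatedType SpecCell    = 1u << 3;
const SpeculatedType SpecMisc    = SpecBoolean | SpecOther;

// Assumed 32-bit JSValue tag encoding: Int32Tag is the highest tag, cells sit
// below UndefinedTag, so "tag >= UndefinedTag" covers int32, bool, null, undefined.
const uint32_t Int32Tag     = 0xffffffffu;
const uint32_t BooleanTag   = 0xfffffffeu;
const uint32_t NullTag      = 0xfffffffdu;
const uint32_t UndefinedTag = 0xfffffffcu;
const uint32_t CellTag      = 0xfffffffbu;

// A DFG_TYPE_CHECK is elided when every type the value can have (proven) is
// already inside the set the check lets through (typesPassedThrough).
bool needsTypeCheck(SpeculatedType proven, SpeculatedType typesPassedThrough) {
    return (proven & ~typesPassedThrough) != 0;
}

// Models the two checks of the 32-bit path. Returns true if a value with this
// tag reaches the code that assumes a misc value, false if it is rejected.
// int32Filter is the third argument of the first DFG_TYPE_CHECK.
bool speculateMiscAccepts(SpeculatedType proven, SpeculatedType int32Filter, uint32_t tag) {
    // First check: fail if the tag is Int32Tag (unless elided).
    if (needsTypeCheck(proven, int32Filter) && tag == Int32Tag)
        return false;
    // Second check: fail if the tag is below UndefinedTag (unless elided).
    if (needsTypeCheck(proven, SpecMisc) && tag < UndefinedTag)
        return false;
    return true;
}

// Before the fix: a value proven to be int32 skips the first check and the
// second check does not reject Int32Tag, so the int32 is treated as misc.
bool oldFilterAcceptsInt32() {
    return speculateMiscAccepts(SpecInt32, SpecMisc | SpecInt32, Int32Tag);
}

// After the fix: the first check is only skipped when int32 is already excluded.
bool newFilterAcceptsInt32() {
    return speculateMiscAccepts(SpecInt32, ~SpecInt32, Int32Tag);
}
```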

index 53614f4..97edc58 100644 (file)
@@ -1,3 +1,22 @@
+2014-04-10  Michael Saboff  <msaboff@apple.com>
+
+        Crash beneath DFG JIT code @ video.disney.com
+        https://bugs.webkit.org/show_bug.cgi?id=131447
+
+        Reviewed by Geoffrey Garen.
+
+        The 32-bit path of speculateMisc() uses an 'is not int32' check followed by
+        'tag not less than Undefined' check.  The first check was incorrectly elided if we
+        knew that the value *was* an int32, when it should have been elided if we already
+        knew that the value *was not* an int32.
+
+        * dfg/DFGSpeculativeJIT.cpp:
+        (JSC::DFG::SpeculativeJIT::speculateMisc):
+        * tests/stress/test-spec-misc.js: Added test.
+        (getX):
+        (foo):
+        (bar):
+
 2014-04-08  Filip Pizlo  <fpizlo@apple.com>
 
         Make room for additional types in SpeculatedType.h
index e240bc1..d2a8b40 100644 (file)
@@ -4743,7 +4743,7 @@ void SpeculativeJIT::speculateMisc(Edge edge, JSValueRegs regs)
         m_jit.branch64(MacroAssembler::Above, regs.gpr(), MacroAssembler::TrustedImm64(TagBitTypeOther | TagBitBool | TagBitUndefined)));
 #else
     DFG_TYPE_CHECK(
-        regs, edge, SpecMisc | SpecInt32,
+        regs, edge, ~SpecInt32,
         m_jit.branch32(MacroAssembler::Equal, regs.tagGPR(), MacroAssembler::TrustedImm32(JSValue::Int32Tag)));
     DFG_TYPE_CHECK(
         regs, edge, SpecMisc,
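Review bot: The third argument of DFG_TYPE_CHECK is the set of types the check lets through unchecked, and the branch on the following line fails on Int32Tag equality, so `~SpecInt32` is the correct filter: the check is now skipped only when the proven type already excludes int32, whereas `SpecMisc | SpecInt32` skipped it for values proven to be int32 and let them fall through to the second check, which only rejects tags below UndefinedTag. Please add a one-line comment above the first DFG_TYPE_CHECK saying that it must reject int32 before the tag-range check and that its filter must be the complement of what its branch rejects; the 64-bit path above folds both conditions into a single branch64 with `Above`, so the ordering dependency on the 32-bit path is easy to miss.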
diff --git a/Source/JavaScriptCore/tests/stress/test-spec-misc.js b/Source/JavaScriptCore/tests/stress/test-spec-misc.js
new file mode 100644 (file)
index 0000000..7d71505
--- /dev/null
@@ -0,0 +1,43 @@
+var a = [ "String", false, 42 ];
+var count = 0;
+
+function getX(fromDFG) {
+    if (fromDFG)
+        return 42;
+    return false;
+}
+
+noInline(getX);
+
+function foo(index) {
+    var result = false;
+    var x = getX(DFGTrue());
+
+    x * 2;
+
+    var y = a[index % a.length];
+    result = y === x;
+    count += 1;
+    return result;
+}
+
+noInline(foo);
+
+var loopCount = 10000;
+
+function bar() {
+    var result;
+
+    for (var i = 0; i < loopCount - 1; i++)
+        result = foo(i)
+
+    result = foo(0);
+
+    return result;
+}
+
+var result = bar();
+if (result != false)
+    throw "Error: bad result expected false: " + result;
+if (count != loopCount)
+    throw "Error: bad count, expected: " + loopCount + ", got: " + count;
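Review bot: The bare expression statement `x * 2;` in foo() reads as dead code; add a comment that it is there to make the DFG speculate that x is an int32 (getX returns 42 when DFGTrue() holds and false otherwise), since that speculation is what exercises the corrected check in speculateMisc(). Also `result = foo(i)` in the loop body is missing its semicolon, and the two final checks could use `!==` rather than `!=` to match the strict comparison used in foo().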