Crash using @tryGetById in DFG
authormsaboff@apple.com <msaboff@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Mon, 25 Apr 2016 20:59:39 +0000 (20:59 +0000)
committermsaboff@apple.com <msaboff@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Mon, 25 Apr 2016 20:59:39 +0000 (20:59 +0000)
https://bugs.webkit.org/show_bug.cgi?id=156992

Reviewed by Filip Pizlo.

We need to spill live registers when compiling TryGetById in DFG.

* dfg/DFGSpeculativeJIT.cpp:
(JSC::DFG::SpeculativeJIT::compileTryGetById):
* tests/stress/regress-156992.js: New test.
(tryMultipleGetByIds):
(test):

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@200048 268f45cc-cd09-0410-ab3c-d52691b4dbfc

Source/JavaScriptCore/ChangeLog
Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp
Source/JavaScriptCore/tests/stress/regress-156992.js [new file with mode: 0644]

index 7724701..09099c7 100644 (file)
@@ -1,3 +1,18 @@
+2016-04-25  Michael Saboff  <msaboff@apple.com>
+
+        Crash using @tryGetById in DFG
+        https://bugs.webkit.org/show_bug.cgi?id=156992
+
+        Reviewed by Filip Pizlo.
+
+        We need to spill live registers when compiling TryGetById in DFG.
+
+        * dfg/DFGSpeculativeJIT.cpp:
+        (JSC::DFG::SpeculativeJIT::compileTryGetById):
+        * tests/stress/regress-156992.js: New test.
+        (tryMultipleGetByIds):
+        (test):
+
 2016-04-25  Saam barati  <sbarati@apple.com>
 
         We don't have to parse a function's parameters every time if the function is in the source provider cache
index 935ba8a..313e91a 100644 (file)
@@ -976,7 +976,7 @@ void SpeculativeJIT::compileTryGetById(Node* node)
 
         base.use();
 
-        cachedGetById(node->origin.semantic, baseRegs, resultRegs, node->identifierNumber(), JITCompiler::Jump(), DontSpill, AccessType::GetPure);
+        cachedGetById(node->origin.semantic, baseRegs, resultRegs, node->identifierNumber(), JITCompiler::Jump(), NeedToSpill, AccessType::GetPure);
 
         jsValueResult(resultRegs, node, DataFormatJS, UseChildrenCalledExplicitly);
         break;
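Review bot: The switch from DontSpill to NeedToSpill on the cachedGetById call at line 50 is the whole fix, but nothing at the call site records why a GetPure access still needs live registers spilled, so a later pass tuning this path could plausibly flip it back. I would add a why-comment directly above the call, `// Even a pure get can reach the IC's slow path, which presumably clobbers live registers, so they must be spilled (bug 156992).` compileTryGetById begins before this hunk and continues past it; if another case in the same switch also calls cachedGetById with DontSpill, it would likely need the same change, but the hunk does not show one.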
diff --git a/Source/JavaScriptCore/tests/stress/regress-156992.js b/Source/JavaScriptCore/tests/stress/regress-156992.js
new file mode 100644 (file)
index 0000000..79d2ba2
--- /dev/null
@@ -0,0 +1,33 @@
+// Verify that DFG TryGetById nodes properly save live registers.  This test should not crash.
+
+function tryMultipleGetByIds() { return '(function (base) { return @tryGetById(base, "value1") + @tryGetById(base, "value2") + @tryGetById(base, "value3"); })'; } 
+
+
+let get = createBuiltin(tryMultipleGetByIds());
+noInline(get);
+
+function test() {
+    let obj1 = {
+        value1: "Testing, ",
+        value2: "testing, ",
+        value3: "123",
+        expected: "Testing, testing, 123"
+    };
+    let obj2 = {
+        extraFieldToMakeThisObjectDifferentThanObj1: 42,
+        value1: 20,
+        value2: 10,
+        value3: 12,
+        expected: 42
+    };
+
+    let objects = [obj1, obj2];
+
+    for (let i = 0; i < 200000; i++) {
+        let obj = objects[i % 2];
+        if (get(obj) !== obj.expected)
+            throw new Error("wrong on iteration: " + i);
+    }
+}
+
+test();
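Review bot: The header comment at line 59 only says the test should not crash, yet the loop at lines 86-87 also asserts every result equals obj.expected, and the comment does not say why three chained @tryGetById calls are used. I would rewrite it as `// Verify that DFG TryGetById nodes properly save live registers: in the chained sum the partial results stay live across the later @tryGetById calls. The test should not crash, and each call must return obj.expected.` Line 61 also carries trailing whitespace after the closing brace, and the double blank line at 62-63 could be collapsed to one.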