index out of bound in bytecodebasicblock
authorfpizlo@apple.com <fpizlo@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Tue, 6 Jun 2017 18:08:17 +0000 (18:08 +0000)
committerfpizlo@apple.com <fpizlo@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Tue, 6 Jun 2017 18:08:17 +0000 (18:08 +0000)
commitf502684fc27e3a3abfda587bb3be6dd82b4069a6
treeaee950b0a66ef7f567cfac93611ba0519a8d3708
parent9905c816e71543315a250f8d998f5f3bd42f9805
index out of bound in bytecodebasicblock
https://bugs.webkit.org/show_bug.cgi?id=172963

Reviewed by Saam Barati and Mark Lam.
JSTests:

* stress/dfg-call-class-constructor.js: Added.
(Foo):
(i.catch):

Source/JavaScriptCore:

We were leaving an unterminated basic block when generating CodeForCall for a class
constructor. This was mostly benign since that unterminated block was not reachable, but it
does cause an ASSERT.

This fixes the issue by appending op_unreachable to that block. I added op_unreachable because
this really is the cleanest and most idiomatic way to solve this problem, so even though it
makes the change bigger it's probably worth it.

* bytecode/BytecodeDumper.cpp:
(JSC::BytecodeDumper<Block>::dumpBytecode):
* bytecode/BytecodeList.json:
* bytecode/BytecodeUseDef.h:
(JSC::computeUsesForBytecodeOffset):
(JSC::computeDefsForBytecodeOffset):
* bytecode/Opcode.h:
(JSC::isTerminal):
* bytecompiler/BytecodeGenerator.cpp:
(JSC::BytecodeGenerator::generate):
(JSC::BytecodeGenerator::emitUnreachable):
* bytecompiler/BytecodeGenerator.h:
* dfg/DFGByteCodeParser.cpp:
(JSC::DFG::ByteCodeParser::parseBlock):
* dfg/DFGCapabilities.cpp:
(JSC::DFG::capabilityLevel):
* ftl/FTLLowerDFGToB3.cpp:
(JSC::FTL::DFG::LowerDFGToB3::compileUnreachable):
* jit/JIT.cpp:
(JSC::JIT::privateCompileMainPass):
* jit/JIT.h:
* jit/JITOpcodes.cpp:
(JSC::JIT::emit_op_unreachable):
* llint/LowLevelInterpreter.asm:
* runtime/CommonSlowPaths.cpp:
(JSC::SLOW_PATH_DECL):
* runtime/CommonSlowPaths.h:

Source/WTF:

* wtf/Assertions.h:
(UNREACHABLE_FOR_PLATFORM):

git-svn-id: http://svn.webkit.org/repository/webkit/trunk@217840 268f45cc-cd09-0410-ab3c-d52691b4dbfc
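The commit message above describes the trigger as generating CodeForCall for a class constructor, i.e. a class constructor invoked with a plain call rather than `new`. The following is an added illustration of that scenario, not the `stress/dfg-call-class-constructor.js` test from the commit (whose contents are not on this page): it calls a class constructor without `new`, which must throw a TypeError instead of running the body, and repeats the call in a loop so a tiering JIT has the chance to compile the call site. The class name `Foo`, the helper names and the iteration count are assumptions of this example.

```javascript
// Added example, not the commit's own test file. It exercises calling a
// class constructor without `new`, the CodeForCall path the commit refers to.
class Foo {
    constructor() {
        this.x = 1;
    }
}

// Call the constructor as a plain function and return the caught error
// (or null if, incorrectly, nothing was thrown).
function callWithoutNew() {
    try {
        Foo();
    } catch (e) {
        return e;
    }
    return null;
}

// Repeat the call so that a tiering engine eventually compiles the call
// site; returns how many iterations threw a TypeError. On a plain
// interpreter this just repeats the check.
function exercise(iterations) {
    let typeErrors = 0;
    for (let i = 0; i < iterations; i++) {
        const e = callWithoutNew();
        if (e instanceof TypeError)
            typeErrors++;
    }
    return typeErrors;
}

// Sanity check that the constructor still works when invoked properly.
function constructNormally() {
    return new Foo().x;
}
```

Every iteration should throw a TypeError, and constructing with `new` should still succeed; a run where any iteration returns null would indicate the engine let the plain call through.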
20 files changed:
JSTests/ChangeLog
JSTests/stress/dfg-call-class-constructor.js [new file with mode: 0644]
Source/JavaScriptCore/ChangeLog
Source/JavaScriptCore/bytecode/BytecodeDumper.cpp
Source/JavaScriptCore/bytecode/BytecodeList.json
Source/JavaScriptCore/bytecode/BytecodeUseDef.h
Source/JavaScriptCore/bytecode/Opcode.h
Source/JavaScriptCore/bytecompiler/BytecodeGenerator.cpp
Source/JavaScriptCore/bytecompiler/BytecodeGenerator.h
Source/JavaScriptCore/dfg/DFGByteCodeParser.cpp
Source/JavaScriptCore/dfg/DFGCapabilities.cpp
Source/JavaScriptCore/ftl/FTLLowerDFGToB3.cpp
Source/JavaScriptCore/jit/JIT.cpp
Source/JavaScriptCore/jit/JIT.h
Source/JavaScriptCore/jit/JITOpcodes.cpp
Source/JavaScriptCore/llint/LowLevelInterpreter.asm
Source/JavaScriptCore/runtime/CommonSlowPaths.cpp
Source/JavaScriptCore/runtime/CommonSlowPaths.h
Source/WTF/ChangeLog
Source/WTF/wtf/Assertions.h