WebKit Bugzilla
Attachment 371438 Details for Bug 198581: AI should get GetterSetter structure from the base's GlobalObject for GetGetterSetterByOffset
Patch
bug-198581-20190605233517.patch (text/plain), 3.93 KB, created by Tadeu Zagallo on 2019-06-05 14:35:18 PDT
Flags: patch, obsolete
>Subversion Revision: 246077 >diff --git a/Source/JavaScriptCore/ChangeLog b/Source/JavaScriptCore/ChangeLog >index 7adba70160b2634d102c633a24401e406843c903..104257894f869c10ec157df4b9246598f648b69e 100644 >--- a/Source/JavaScriptCore/ChangeLog >+++ b/Source/JavaScriptCore/ChangeLog >@@ -1,3 +1,20 @@ >+2019-06-05 Tadeu Zagallo <tzagallo@apple.com> >+ >+ AI should get GetterSetter structure from the base's GlobalObject for GetGetterSetterByOffset >+ https://bugs.webkit.org/show_bug.cgi?id=198581 >+ <rdar://problem/51099753> >+ >+ Reviewed by NOBODY (OOPS!). >+ >+ For GetGetterSetterByOffset, when the abstract interpreter fails to read the property >+ from the object, it gets the GetterSetter structure from the CodeBlock's global object. >+ However, that's not correct, since the global object for the base object might differ >+ from the CodeBlock's. Instead, we try to get the global object from the base, when it's >+ a constant object. Otherwise, we can't infer the value and only set the type. >+ >+ * dfg/DFGAbstractInterpreterInlines.h: >+ (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects): >+ > 2019-06-04 Tadeu Zagallo <tzagallo@apple.com> > > Argument elimination should check transitive dependents for interference >diff --git a/Source/JavaScriptCore/dfg/DFGAbstractInterpreterInlines.h b/Source/JavaScriptCore/dfg/DFGAbstractInterpreterInlines.h >index e82aa192708b5b3a8c91442bf4bee9f15f34b497..f68b88b2452634de65541d9d66750c0d9a49675c 100644 >--- a/Source/JavaScriptCore/dfg/DFGAbstractInterpreterInlines.h >+++ b/Source/JavaScriptCore/dfg/DFGAbstractInterpreterInlines.h 
>@@ -3316,13 +3316,19 @@ bool AbstractInterpreter<AbstractStateType>::executeEffects(unsigned clobberLimi > > case GetGetterSetterByOffset: { > StorageAccessData& data = node->storageAccessData(); >- JSValue result = m_graph.tryGetConstantProperty(forNode(node->child2()), data.offset); >+ AbstractValue base = forNode(node->child2()); >+ JSValue result = m_graph.tryGetConstantProperty(base, data.offset); > if (result && jsDynamicCast<GetterSetter*>(m_vm, result)) { > setConstant(node, *m_graph.freeze(result)); > break; > } > >- setForNode(node, m_graph.globalObjectFor(node->origin.semantic)->getterSetterStructure()); >+ if (base.value() && base.value().isObject()) { >+ setForNode(node, asObject(base.value())->globalObject()->getterSetterStructure()); >+ break; >+ } >+ >+ setTypeForNode(node, SpecObjectOther); > break; > } > >diff --git a/JSTests/ChangeLog b/JSTests/ChangeLog >index 87b3b1924b383aab67020d4fc8998c2b00786810..526037ed826b12f05bdc5a4729b723d10aaca939 100644 >--- a/JSTests/ChangeLog >+++ b/JSTests/ChangeLog >@@ -1,3 +1,15 @@ >+2019-06-05 Tadeu Zagallo <tzagallo@apple.com> >+ >+ AI should get GetterSetter structure from the base's GlobalObject for GetGetterSetterByOffset >+ https://bugs.webkit.org/show_bug.cgi?id=198581 >+ <rdar://problem/51099753> >+ >+ Reviewed by NOBODY (OOPS!). >+ >+ * stress/global-object-proto-getter.js: Added. >+ (f): >+ (test): >+ > 2019-06-04 Tadeu Zagallo <tzagallo@apple.com> > > Argument elimination should check transitive dependents for interference >diff --git a/JSTests/stress/global-object-proto-getter.js b/JSTests/stress/global-object-proto-getter.js >new file mode 100644 >index 0000000000000000000000000000000000000000..db0509b33838d73a66b023cf588e90b3a8e87e4d >--- /dev/null >+++ b/JSTests/stress/global-object-proto-getter.js 
>@@ -0,0 +1,15 @@ >+//@ requireOptions("--validateAbstractInterpreterState=true", "--validateAbstractInterpreterStateProbability=1.0", "--forceEagerCompilation=true") >+Array.__proto__ = createGlobalObject(); >+ >+function f() { const c = Array.__proto__ } >+ >+function test() { >+ with(0) { >+ f(); >+ } >+} >+noInline(test); >+ >+for (let i = 0; i < 100; i++) { >+ test(); >+}
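Review bot: the new `if (base.value() && base.value().isObject())` branch in the GetGetterSetterByOffset case of DFGAbstractInterpreterInlines.h carries no comment explaining why the structure is now taken from the base's global object rather than `m_graph.globalObjectFor(node->origin.semantic)`; the rationale in the ChangeLog (the base may belong to a different global object than the CodeBlock) belongs next to the code, e.g. `// The base may come from a different global object than the CodeBlock, so take the GetterSetter structure from the base's own global object.` The fallback `setTypeForNode(node, SpecObjectOther)` also widens the result from a single known structure to a type whenever the base is not a constant object; a short note that SpecObjectOther is the correct type for a GetterSetter and that this precision loss is intended would save the next reader from re-deriving it.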
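Review bot: the new JSTests/stress/global-object-proto-getter.js contains no assertion and no comment saying what it exercises or how it fails without the fix; since it relies on `--validateAbstractInterpreterState=true` to flag the mismatch between the inferred GetterSetter structure and the real one, a one-line comment such as `// Array.__proto__ is a GetterSetter owned by a different global object; the DFG AI must not assume the CodeBlock's global object.` would make the intent clear to whoever bisects to this test later. It would also help to state what the `with(0)` wrapper around the call to `f()` is there for, since the hunk gives no hint.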