[webkit-changes] [WebKit/WebKit] 39dd6c: DFG tuples should not be queried for their state

Justin Michaud noreply at github.com
Wed Apr 26 14:35:06 PDT 2023 

  Branch: refs/heads/main
  Home:   https://github.com/WebKit/WebKit
  Commit: 39dd6c8334a66035cb396c8593a28dfca2b50f5e
      https://github.com/WebKit/WebKit/commit/39dd6c8334a66035cb396c8593a28dfca2b50f5e
  Author: Justin Michaud <justin_michaud at apple.com>
  Date:   2023-04-26 (Wed, 26 Apr 2023)

  Changed paths:
    A JSTests/stress/dfg-tuple-ai.js
    M Source/JavaScriptCore/dfg/DFGAbstractInterpreter.h
    M Source/JavaScriptCore/dfg/DFGAbstractInterpreterInlines.h
    M Source/JavaScriptCore/dfg/DFGAtTailAbstractState.cpp
    M Source/JavaScriptCore/dfg/DFGAtTailAbstractState.h
    M Source/JavaScriptCore/dfg/DFGInPlaceAbstractState.h

  Log Message:
  -----------
  DFG tuples should not be queried for their state
rdar://107876378
https://bugs.webkit.org/show_bug.cgi?id=255279

Reviewed by Keith Miller.

DFG tuples don't have a type themselves, they represent a collection of
elements. We should only ask questions about the type of an element of a tuple,
never the tuple directly. Edges to a tuple should always be Untyped.

In this test case, we get garbage data when we ask for the type of EnumeratorNextUpdateIndexAndMode
from ExtractFromTuple. We remove the assert for this case and add some extra
assertions to make sure that nobody else is making the same mistake.

* JSTests/stress/dfg-tuple-ai.js: Added.
(f3.const.o7.set e):
(f3):
(const.v15.in.string_appeared_here.v16.v18.catch):
* Source/JavaScriptCore/dfg/DFGAbstractInterpreter.h:
(JSC::DFG::AbstractInterpreter::forTupleNode):
* Source/JavaScriptCore/dfg/DFGAbstractInterpreterInlines.h:
(JSC::DFG::AbstractInterpreter<AbstractStateType>::verifyEdge):
* Source/JavaScriptCore/dfg/DFGAtTailAbstractState.cpp:
(JSC::DFG::AtTailAbstractState::forNode):
* Source/JavaScriptCore/dfg/DFGAtTailAbstractState.h:
(JSC::DFG::AtTailAbstractState::forNode):
(JSC::DFG::AtTailAbstractState::forNodeWithoutFastForward):
(JSC::DFG::AtTailAbstractState::clearForNode):
(JSC::DFG::AtTailAbstractState::setForNode):
(JSC::DFG::AtTailAbstractState::forTupleNodeWithoutFastForward):
* Source/JavaScriptCore/dfg/DFGInPlaceAbstractState.h:
(JSC::DFG::InPlaceAbstractState::forNodeWithoutFastForward):
(JSC::DFG::InPlaceAbstractState::forNode):
(JSC::DFG::InPlaceAbstractState::clearForNode):
(JSC::DFG::InPlaceAbstractState::setForNode):
(JSC::DFG::InPlaceAbstractState::setTypeForNode):
(JSC::DFG::InPlaceAbstractState::setNonCellTypeForNode):
(JSC::DFG::InPlaceAbstractState::makeBytecodeTopForNode):
(JSC::DFG::InPlaceAbstractState::makeHeapTopForNode):
(JSC::DFG::InPlaceAbstractState::forTupleNodeWithoutFastForward):

Canonical link: https://commits.webkit.org/263433@main

More information about the webkit-changes mailing list