[webkit-changes] [WebKit/WebKit] c0ddab: Load compact ClassInfo from structure correctly in...

Keith Miller noreply at github.com
Fri Dec 15 21:05:06 PST 2023


  Branch: refs/heads/main
  Home:   https://github.com/WebKit/WebKit
  Commit: c0ddab9c4c8f0b03d9f1f471c3883b1fd95eb7a7
      https://github.com/WebKit/WebKit/commit/c0ddab9c4c8f0b03d9f1f471c3883b1fd95eb7a7
  Author: David Degazio <d_degazio at apple.com>
  Date:   2023-12-15 (Fri, 15 Dec 2023)

  Changed paths:
    A JSTests/stress/ClassInfo-across-structure-transition.js
    M Source/JavaScriptCore/ftl/FTLLowerDFGToB3.cpp

  Log Message:
  -----------
  Load compact ClassInfo from structure correctly in FTL
https://bugs.webkit.org/show_bug.cgi?id=263356
rdar://115494572

Reviewed by Mark Lam.

Currently, FTL assumes loading the m_classInfo from a structure is a
loadPtr on all platforms - this is not the case, since ClassInfo is
represented as a 32-bit CompactPtr<ClassInfo> on platforms with 36-bit
addresses. As a result, when loading the ClassInfo in some FTL nodes, it
results in a junk value with the lower bits being the unshifted ClassInfo
address, and the upper bits being taken erroneously from
m_transitionPropertyName. This patch introduces a new loadCompactPtr()
helper to FTLLowerDFGToB3 that correctly loads and shifts compact pointer
fields, which in current FTL is just Structure.m_classInfo.

* JSTests/stress/ClassInfo-across-structure-transition.js: Added.
(calling):
* Source/JavaScriptCore/ftl/FTLLowerDFGToB3.cpp:
(JSC::FTL::DFG::LowerDFGToB3::compileCreatePromise):
(JSC::FTL::DFG::LowerDFGToB3::compileCreateInternalFieldObject):
(JSC::FTL::DFG::LowerDFGToB3::compileFunctionToString):
(JSC::FTL::DFG::LowerDFGToB3::compileCompareStrictEq):

Originally-landed-as: 267815.353 at safari-7617-branch (20234c667f25). rdar://119597685
Canonical link: https://commits.webkit.org/272160@main
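
The bug the commit message above describes is a width mismatch: a 32-bit compact field read with a pointer-sized load, so the low half is the unshifted encoded value and the high half is whatever field happens to sit next to it. The following is an added illustration, not WebKit's code: it models a 32-bit compact pointer that holds a 36-bit address, and puts the buggy pointer-sized read next to the correct load-and-shift. The 4-bit shift (and the 16-byte alignment it implies), the `CompactStructure` layout, the `neighbourField` name and all numeric values are this example's assumptions, not details taken from WebKit's `CompactPtr` or `Structure`.

```cpp
#include <cstdint>
#include <cstdio>
#include <cstdlib>
#include <cstring>

// Added example, not WebKit's code. A 36-bit address is stored in 32 bits by
// dropping its 4 low (alignment) bits; the shift width and the 16-byte
// alignment it implies are this example's assumption about the encoding.
constexpr unsigned kCompactShift = 4;
constexpr unsigned kAddressBits = 36;

// Constructed layout: the compact field is immediately followed by another
// 32-bit field, standing in for the neighbouring field whose bits the commit
// message says ended up in the upper half of the junk value.
struct CompactStructure {
    uint32_t classInfoCompact;   // compact pointer stored as 32 bits
    uint32_t neighbourField;     // hypothetical field at the next offset
};
static_assert(sizeof(CompactStructure) == 8, "two adjacent 32-bit fields");

// Encode a full address into its compact form. Returns false when the address
// cannot be represented (unaligned, or wider than the address space).
bool encodeCompact(uint64_t address, uint32_t* out) {
    if (address & ((1u << kCompactShift) - 1)) return false;  // needs 16-byte alignment
    if (address >> kAddressBits) return false;                // does not fit in 36 bits
    *out = static_cast<uint32_t>(address >> kCompactShift);
    return true;
}

// The buggy pattern: a pointer-sized load at the compact field's offset.
// The 8-byte read covers classInfoCompact AND neighbourField, so the result is
// the unshifted encoded value in the low bits and garbage in the high bits.
uint64_t buggyLoadPtr(const CompactStructure* s) {
    uint64_t raw;
    std::memcpy(&raw, s, sizeof raw);
    return raw;
}

// The fixed pattern: load only the 32-bit field, widen it, then undo the shift.
uint64_t loadCompactPtr(const CompactStructure* s) {
    uint32_t compact;
    std::memcpy(&compact, &s->classInfoCompact, sizeof compact);
    return static_cast<uint64_t>(compact) << kCompactShift;
}

// The exact junk value depends on byte order; used to make that explicit.
bool isLittleEndian() {
    uint16_t probe = 1;
    uint8_t first;
    std::memcpy(&first, &probe, 1);
    return first == 1;
}

// Builds the sample structure (constructed values, nothing from a real heap).
CompactStructure makeSample() {
    CompactStructure s{};
    const uint64_t classInfoAddress = 0x812345670ULL;   // 36-bit, 16-byte aligned
    if (!encodeCompact(classInfoAddress, &s.classInfoCompact)) std::abort();
    s.neighbourField = 0xDEADBEEFu;                      // picked up by the bad load
    return s;
}

int main() {
    CompactStructure s = makeSample();
    std::printf("buggy pointer-sized load: 0x%016llx\n",
                static_cast<unsigned long long>(buggyLoadPtr(&s)));
    std::printf("loadCompactPtr          : 0x%016llx\n",
                static_cast<unsigned long long>(loadCompactPtr(&s)));
    return 0;
}
```

Neither function dereferences the result; the point is that the buggy value is not a valid address at all (on a little-endian machine it is `0xDEADBEEF81234567` for this sample), while `loadCompactPtr` recovers `0x812345670`. The `encodeCompact` rejections show the two invariants the compact encoding relies on: alignment (so the dropped low bits are zero) and an address that fits in the reduced width.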


  Commit: b600073ca93043073733879f37051cec72c99811
      https://github.com/WebKit/WebKit/commit/b600073ca93043073733879f37051cec72c99811
  Author: Chris Dumez <cdumez at apple.com>
  Date:   2023-12-15 (Fri, 15 Dec 2023)

  Changed paths:
    A LayoutTests/fast/dom/HTMLObjectElement/updateWidget-crash-expected.txt
    A LayoutTests/fast/dom/HTMLObjectElement/updateWidget-crash.html
    M Source/WebCore/html/HTMLPlugInImageElement.cpp

  Log Message:
  -----------
  Assertion hit under Document::dispatchPagehideEvent()
https://bugs.webkit.org/show_bug.cgi?id=263204
rdar://116715579

Reviewed by Ryosuke Niwa.

Delay the load if we're not allowed to run script right now. Scheduling a load will
cancel / stop any pending load, which may cause events to be fired and script to run.

The synchronous code path is kept when we're allowed to run script to avoid breaking
tests such as:
- imported/w3c/web-platform-tests/css/css-writing-modes/abs-pos-non-replaced-icb-vlr-*.xht
- imported/w3c/web-platform-tests/html/semantics/embedded-content/the-iframe-element/sandbox_004.htm
- imported/blink/svg/dom/viewspec-*.html
- fast/css/acid2.html

* LayoutTests/fast/dom/HTMLObjectElement/updateWidget-crash-expected.txt: Added.
* LayoutTests/fast/dom/HTMLObjectElement/updateWidget-crash.html: Added.
* Source/WebCore/html/HTMLPlugInImageElement.cpp:
(WebCore::HTMLPlugInImageElement::requestObject):

Originally-landed-as: 267815.354 at safari-7617-branch (c34793cc5793). rdar://119597568
Canonical link: https://commits.webkit.org/272161@main


  Commit: 7b97f35198fd00c74cd21c039e4e56c9f5a1876f
      https://github.com/WebKit/WebKit/commit/7b97f35198fd00c74cd21c039e4e56c9f5a1876f
  Author: Dan Glastonbury <djg at apple.com>
  Date:   2023-12-15 (Fri, 15 Dec 2023)

  Changed paths:
    M Source/ThirdParty/ANGLE/src/libANGLE/Context.cpp

  Log Message:
  -----------
  [ANGLE] Clear pending program linking in Context::onDestroy
rdar://116661298

Reviewed by Kimmo Kinnunen.

When destroying Context, ANGLE resets any internal state before releasing
allocated objects, such as Programs and Shaders. When destroying a program, any
pending program linking is resolved via Program::resolveLink. This results in
trying to access the Context state that’s just been reset, leading to a nullptr
access.

To work around this, we ensure there are no pending links before resetting the
Context state.

* Source/ThirdParty/ANGLE/src/libANGLE/Context.cpp:
(gl::Context::onDestroy):
* Tools/TestWebKitAPI/Tests/WebCore/cocoa/TestGraphicsContextGLCocoa.mm:
(TestWebKitAPI::TEST_F):

Originally-landed-as: 267815.356 at safari-7617-branch (d32cd290f021). rdar://119597554
Canonical link: https://commits.webkit.org/272162@main


  Commit: ecb7da686a5066eea209b6f4b2b6dcddbd0d551f
      https://github.com/WebKit/WebKit/commit/ecb7da686a5066eea209b6f4b2b6dcddbd0d551f
  Author: Keith Miller <keith_miller at apple.com>
  Date:   2023-12-15 (Fri, 15 Dec 2023)

  Changed paths:
    A JSTests/stress/array-iterator-to-this.js
    M Source/JavaScriptCore/dfg/DFGByteCodeParser.cpp
    M Source/JavaScriptCore/dfg/DFGClobbersExitState.cpp

  Log Message:
  -----------
  Array iterator creation intrinsics need ToThis
https://bugs.webkit.org/show_bug.cgi?id=263408
rdar://113898245

Reviewed by Yusuke Suzuki.

Currently, we don't ToThis the 'this' value when we intrinsicify
the various Array iterator creation functions, which we should.
This patch also changes `clobbersExitState` to say exit state
is not clobbered if a node only writes to `HeapObjectCount`.
Our previous behavior was overly conservative, which caused
assertion failures as the `ToObject` following the `ToThis`
would get converted to a `Check(Object)` when exit was invalid.

* JSTests/stress/array-iterator-to-this.js: Added.
(opt):
(main):
* Source/JavaScriptCore/dfg/DFGByteCodeParser.cpp:
(JSC::DFG::ByteCodeParser::handleIntrinsicCall):
* Source/JavaScriptCore/dfg/DFGClobbersExitState.cpp:
(JSC::DFG::clobbersExitState):

Originally-landed-as: 267815.357 at safari-7617-branch (ae764a813e03). rdar://119597428
Canonical link: https://commits.webkit.org/272163@main


Compare: https://github.com/WebKit/WebKit/compare/41991eb66a3b...ecb7da686a50

