[webkit-changes] [WebKit/WebKit] eaa505: [JSC] We should have accept-any-value case generat...
Yusuke Suzuki
noreply at github.com
Wed Jul 19 10:22:05 PDT 2023
Branch: refs/heads/main
Home: https://github.com/WebKit/WebKit
Commit: eaa5055b2d7c51fb00f980a69892baa69efd9dff
https://github.com/WebKit/WebKit/commit/eaa5055b2d7c51fb00f980a69892baa69efd9dff
Author: Yusuke Suzuki <ysuzuki at apple.com>
Date: 2023-07-19 (Wed, 19 Jul 2023)
Changed paths:
A JSTests/stress/proxy-get-with-complex-string.js
M Source/JavaScriptCore/bytecode/InlineCacheCompiler.cpp
Log Message:
-----------
[JSC] We should have accept-any-value case generation for IC
https://bugs.webkit.org/show_bug.cgi?id=259327
rdar://112502090
Reviewed by Michael Saboff.
When we generate IC for get-by-val / get-by-val-with-this, we check whether each IC needs Int32 / String / Symbol checks.
And if we find that some IC case requires it, then we do this check and generate code. But we are missing generating the
accept-any-value case in this path (which is IndexedProxyObjectLoad). This is clearly wrong, and the attached script is repeatedly
compiling the IC because we are not generating the IndexedProxyObjectLoad case.
And if this IC site requires some register spills, then it leads to a release-assert crash because
1. It says doesJSCalls = true
2. But it does not set spillStateForJSCall
So we will encounter an empty spillStateForJSCall.
It is actually super hard to reproduce this issue, and we cannot find a case. But anyway, this fixes the obvious issue, which is
not generating the listed IC, which is tested in the attached test.
* JSTests/stress/proxy-get-with-complex-string.js: Added.
(test):
* Source/JavaScriptCore/bytecode/InlineCacheCompiler.cpp:
(JSC::InlineCacheCompiler::regenerate):
Canonical link: https://commits.webkit.org/266164@main
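As an added illustration, not the committed JSTests/stress/proxy-get-with-complex-string.js (whose contents are not shown in this notification) and not code from the WebKit project, the following script has the shape the log message describes: a Proxy whose get trap is reached through get-by-val (`proxy[key]`) with a key that is a runtime-concatenated ("complex") string, run in a loop so that an IC site which never settles on a generated case would keep being regenerated. The helper names (`makeRopeKey`, `makeCountingProxy`, `test`) and the use of string concatenation to produce a non-flattened key are assumptions. It runs in any JavaScript engine; only a JSC build with the bug would show repeated IC compilation, while the observable contract checked here (every access goes through the trap, and the values are correct) must hold everywhere.

```javascript
// Added example, not the WebKit test file itself.
// A Proxy get trap reached via get-by-val with a rope-string key. The
// commit fixes an IC site that never generated the IndexedProxyObjectLoad
// (accept-any-value) case for such keys and therefore kept recompiling.

function makeRopeKey(prefix, index) {
  // Runtime concatenation yields a non-flattened ("complex") string in JSC,
  // so the key cannot be treated as a simple atomized identifier up front.
  return prefix + index;
}

function makeCountingProxy(target) {
  let trapCalls = 0;
  const proxy = new Proxy(target, {
    get(t, property, receiver) {
      trapCalls += 1;
      return Reflect.get(t, property, receiver);
    },
  });
  return { proxy, calls: () => trapCalls };
}

function test(iterations) {
  // Constructed target: prop0..prop15 map to 0..15.
  const target = {};
  for (let i = 0; i < 16; i++) target["prop" + i] = i;

  const { proxy, calls } = makeCountingProxy(target);
  let sum = 0;
  for (let i = 0; i < iterations; i++) {
    const key = makeRopeKey("prop", i & 15); // get-by-val with a string key
    sum += proxy[key];
  }
  // Every access must have gone through the trap; an IC must never bypass it.
  return { sum, trapCalls: calls() };
}

const result = test(1e4);
console.log(result); // { sum: 75000, trapCalls: 10000 }
```

The loop count is deliberately large: an IC that is generated once and then hit directly costs nothing per iteration, whereas a site that is regenerated on every access (the behaviour the log message attributes to the missing case) is what the stress test is meant to provoke.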