[webkit-changes] [WebKit/WebKit] ebefb9: Cherry-pick 263909 at main (52fe95e5805c). https://bu...

Thu Jun 22 14:39:04 PDT 2023

  Branch: refs/heads/webkitglib/2.40
  Home:   https://github.com/WebKit/WebKit
  Commit: ebefb9e6b7e7440ab6bb29452f4ac6350bd8b975
      https://github.com/WebKit/WebKit/commit/ebefb9e6b7e7440ab6bb29452f4ac6350bd8b975
  Author: Yijia Huang <yijia_huang at apple.com>
  Date:   2023-06-22 (Thu, 22 Jun 2023)

  Changed paths:
    A JSTests/stress/heap-location-collision-dfg-clobberize.js
    M Source/JavaScriptCore/dfg/DFGClobberize.h
    M Source/JavaScriptCore/dfg/DFGHeapLocation.cpp
    M Source/JavaScriptCore/dfg/DFGHeapLocation.h

  Log Message:
  -----------
  Cherry-pick 263909 at main (52fe95e5805c). https://bugs.webkit.org/show_bug.cgi?id=256567

    EnumeratorNextUpdateIndexAndMode and HasIndexedProperty should have different heap location kinds
    https://bugs.webkit.org/show_bug.cgi?id=256567
    rdar://109089013

    Reviewed by Yusuke Suzuki.

    EnumeratorNextUpdateIndexAndMode and HasIndexedProperty are different DFG nodes. However,
    they might introduce the same heap location kind in DFGClobberize.h which might lead to
    hash collision. We should introduce a new locationn kind for EnumeratorNextUpdateIndexAndMode.

    * JSTests/stress/heap-location-collision-dfg-clobberize.js: Added.
    (foo):
    * Source/JavaScriptCore/dfg/DFGClobberize.h:
    (JSC::DFG::clobberize):
    * Source/JavaScriptCore/dfg/DFGHeapLocation.cpp:
    (WTF::printInternal):
    * Source/JavaScriptCore/dfg/DFGHeapLocation.h:

    Canonical link: https://commits.webkit.org/263909@main

Canonical link: https://commits.webkit.org/260527.376@webkitglib/2.40