[webkit-changes] [WebKit/WebKit] 1352cc: Cherry-pick 267511 at main (7a9106c7a56f). https://bu...

jjgriego noreply at github.com
Tue Sep 19 01:46:42 PDT 2023


  Branch: refs/heads/webkitglib/2.42
  Home:   https://github.com/WebKit/WebKit
  Commit: 1352cc06fa9f7f64f1b3fc5e9a47e904e6f57ba3
      https://github.com/WebKit/WebKit/commit/1352cc06fa9f7f64f1b3fc5e9a47e904e6f57ba3
  Author: Joseph Griego <jgriego at igalia.com>
  Date:   2023-09-19 (Tue, 19 Sep 2023)

  Changed paths:
    A JSTests/stress/typed-array-intrinsic-getter-with-conflicting-value-profile.js
    M Source/JavaScriptCore/dfg/DFGByteCodeParser.cpp

  Log Message:
  -----------
  Cherry-pick 267511 at main (7a9106c7a56f). https://bugs.webkit.org/show_bug.cgi?id=260908

    [32 bit] DFG graph generation: intrinsic getters are fallible
    https://bugs.webkit.org/show_bug.cgi?id=260908

    Reviewed by Yusuke Suzuki.

    On 32-bit, unlike 64-bit, some of the DFG intrinsic getters (really, the
    TypedArray ones) are _fallible_: if the SpeculatedType doesn't match our
    expectations (a non-strict subset of SpecInt32Only), we refuse to generate code. [1]

    However, DFG::ByteCodeParser::handleGetById doesn't appear to handle this case
    gracefully--if `handleIntrinsicGetter` fails, we attempt to generate a call to
    the getter, but in the case of TypedArray intrinsics, we won't have the
    necessary CallLinkStatus and while attempting to do so, we crash.

    To fix this, I've added a bit of code that handles the failure from
    handleIntrinsicGetter and emits an ordinary `GetById` node instead of trying to
    inline anything for this op.

    I've added a test that demonstrates the current behavior (a segfault) on armv7
    and passes with this patch.

    [1] For what it's worth, maybe this shouldn't be the case: it does seem like we
    should still be able to generate code in these cases anyhow, but it's simpler to
    just cope with the failure.

    * JSTests/stress/typed-array-intrinsic-getter-with-conflicting-value-profile.js: Added.
    (foo):
    (i.null.foo.Object.create):
    (i.42.foo):
    * Source/JavaScriptCore/dfg/DFGByteCodeParser.cpp:
    (JSC::DFG::ByteCodeParser::handleGetById):

    Canonical link: https://commits.webkit.org/267511@main
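The access pattern the commit describes, as an added JavaScript example that is not WebKit's own test: one `length` property-access site is driven with a typed array (Int32 result via the TypedArray length intrinsic getter) and with receivers that yield `undefined`, so the site's value profile is not a subset of SpecInt32Only; `foo` and `warmUp` are assumed names. On any engine the code simply runs and returns the summary; the segfault was specific to 32-bit JSC before this patch.

```javascript
// Constructed example (not the project's test): a single get_by_id site whose
// results mix Int32 and non-Int32 values, i.e. a "conflicting value profile"
// for a TypedArray intrinsic getter.

// The one property-access site under test. On a typed array, `length` is the
// TypedArray length intrinsic getter; on the other receivers it is an absent
// ordinary property and evaluates to undefined.
function foo(o) {
    return o.length;
}

// Drive the site with mixed receivers and return what it produced, so the
// reader can see why the site's profile is not purely Int32.
function warmUp(iterations) {
    const typed = new Int32Array(8);
    const seen = new Set();
    for (let i = 0; i < iterations; ++i) {
        seen.add(typeof foo(Object.create(null))); // "undefined": no `length`
        seen.add(typeof foo(42));                  // "undefined": numbers have none
        seen.add(typeof foo(typed));               // "number": Int32 from the intrinsic
    }
    return { lastLength: foo(typed), resultTypes: [...seen].sort() };
}

// With this profile, 32-bit JSC's handleIntrinsicGetter declines to inline.
// Before the fix, handleGetById then tried to emit a call without a
// CallLinkStatus and crashed; after it, a plain GetById node is emitted.
```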
