<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN"
"http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head><meta http-equiv="content-type" content="text/html; charset=utf-8" />
<title>[176399] trunk</title>
</head>
<body>

<style type="text/css"><!--
#msg dl.meta { border: 1px #006 solid; background: #369; padding: 6px; color: #fff; }
#msg dl.meta dt { float: left; width: 6em; font-weight: bold; }
#msg dt:after { content:':';}
#msg dl, #msg dt, #msg ul, #msg li, #header, #footer, #logmsg { font-family: verdana,arial,helvetica,sans-serif; font-size: 10pt;  }
#msg dl a { font-weight: bold}
#msg dl a:link    { color:#fc3; }
#msg dl a:active  { color:#ff0; }
#msg dl a:visited { color:#cc6; }
h3 { font-family: verdana,arial,helvetica,sans-serif; font-size: 10pt; font-weight: bold; }
#msg pre { overflow: auto; background: #ffc; border: 1px #fa0 solid; padding: 6px; }
#logmsg { background: #ffc; border: 1px #fa0 solid; padding: 1em 1em 0 1em; }
#logmsg p, #logmsg pre, #logmsg blockquote { margin: 0 0 1em 0; }
#logmsg p, #logmsg li, #logmsg dt, #logmsg dd { line-height: 14pt; }
#logmsg h1, #logmsg h2, #logmsg h3, #logmsg h4, #logmsg h5, #logmsg h6 { margin: .5em 0; }
#logmsg h1:first-child, #logmsg h2:first-child, #logmsg h3:first-child, #logmsg h4:first-child, #logmsg h5:first-child, #logmsg h6:first-child { margin-top: 0; }
#logmsg ul, #logmsg ol { padding: 0; list-style-position: inside; margin: 0 0 0 1em; }
#logmsg ul { text-indent: -1em; padding-left: 1em; }#logmsg ol { text-indent: -1.5em; padding-left: 1.5em; }
#logmsg > ul, #logmsg > ol { margin: 0 0 1em 0; }
#logmsg pre { background: #eee; padding: 1em; }
#logmsg blockquote { border: 1px solid #fa0; border-left-width: 10px; padding: 1em 1em 0 1em; background: white;}
#logmsg dl { margin: 0; }
#logmsg dt { font-weight: bold; }
#logmsg dd { margin: 0; padding: 0 0 0.5em 0; }
#logmsg dd:before { content:'\00bb';}
#logmsg table { border-spacing: 0px; border-collapse: collapse; border-top: 4px solid #fa0; border-bottom: 1px solid #fa0; background: #fff; }
#logmsg table th { text-align: left; font-weight: normal; padding: 0.2em 0.5em; border-top: 1px dotted #fa0; }
#logmsg table td { text-align: right; border-top: 1px dotted #fa0; padding: 0.2em 0.5em; }
#logmsg table thead th { text-align: center; border-bottom: 1px solid #fa0; }
#logmsg table th.Corner { text-align: left; }
#logmsg hr { border: none 0; border-top: 2px dashed #fa0; height: 1px; }
#header, #footer { color: #fff; background: #636; border: 1px #300 solid; padding: 6px; }
#patch { width: 100%; }
#patch h4 {font-family: verdana,arial,helvetica,sans-serif;font-size:10pt;padding:8px;background:#369;color:#fff;margin:0;}
#patch .propset h4, #patch .binary h4 {margin:0;}
#patch pre {padding:0;line-height:1.2em;margin:0;}
#patch .diff {width:100%;background:#eee;padding: 0 0 10px 0;overflow:auto;}
#patch .propset .diff, #patch .binary .diff  {padding:10px 0;}
#patch span {display:block;padding:0 10px;}
#patch .modfile, #patch .addfile, #patch .delfile, #patch .propset, #patch .binary, #patch .copfile {border:1px solid #ccc;margin:10px 0;}
#patch ins {background:#dfd;text-decoration:none;display:block;padding:0 10px;}
#patch del {background:#fdd;text-decoration:none;display:block;padding:0 10px;}
#patch .lines, .info {color:#888;background:#fff;}
--></style>
<div id="msg">
<dl class="meta">
<dt>Revision</dt> <dd><a href="http://trac.webkit.org/projects/webkit/changeset/176399">176399</a></dd>
<dt>Author</dt> <dd>mark.lam@apple.com</dd>
<dt>Date</dt> <dd>2014-11-20 09:42:58 -0800 (Thu, 20 Nov 2014)</dd>
</dl>

<h3>Log Message</h3>
<pre>WTFCrashWithSecurityImplication under SpeculativeJIT::compile() when loading a page from theblaze.com.
&lt;https://webkit.org/b/137642&gt;

Reviewed by Filip Pizlo.

Source/JavaScriptCore:

In the DFG, we have a ConstantFolding phase that occurs after all LocalCSE
phases have already transpired.  Hence, Identity nodes introduced in the
ConstantFolding phase will be left in the node graph.  Subsequently, the
DFG code generator asserts that CSE phases have consumed all Identity nodes.
This turns out to not be true.  Hence, the crash.  We fix this by teaching
the DFG code generator to emit code for Identity nodes.

Unlike the DFG, the FTL does not have this issue.  That is because the FTL
plan has GlobalCSE phases that come after ConstantFolding and any other
phases that can generate Identity nodes.  Hence, for the FTL, it is true that
CSE will consume all Identity nodes, and the code generator should not see any
Identity nodes.

* dfg/DFGSpeculativeJIT32_64.cpp:
(JSC::DFG::SpeculativeJIT::compile):
* dfg/DFGSpeculativeJIT64.cpp:
(JSC::DFG::SpeculativeJIT::compile):

LayoutTests:

* js/dfg-inline-identity-expected.txt: Added.
* js/dfg-inline-identity.html: Added.
* js/script-tests/dfg-inline-identity.js: Added.
(o.toKey):
(foo):
(test):</pre>

<h3>Modified Paths</h3>
<ul>
<li><a href="#trunkLayoutTestsChangeLog">trunk/LayoutTests/ChangeLog</a></li>
<li><a href="#trunkSourceJavaScriptCoreChangeLog">trunk/Source/JavaScriptCore/ChangeLog</a></li>
<li><a href="#trunkSourceJavaScriptCoredfgDFGSpeculativeJIT32_64cpp">trunk/Source/JavaScriptCore/dfg/DFGSpeculativeJIT32_64.cpp</a></li>
<li><a href="#trunkSourceJavaScriptCoredfgDFGSpeculativeJIT64cpp">trunk/Source/JavaScriptCore/dfg/DFGSpeculativeJIT64.cpp</a></li>
</ul>

<h3>Added Paths</h3>
<ul>
<li><a href="#trunkLayoutTestsjsdfginlineidentityexpectedtxt">trunk/LayoutTests/js/dfg-inline-identity-expected.txt</a></li>
<li><a href="#trunkLayoutTestsjsdfginlineidentityhtml">trunk/LayoutTests/js/dfg-inline-identity.html</a></li>
<li><a href="#trunkLayoutTestsjsscripttestsdfginlineidentityjs">trunk/LayoutTests/js/script-tests/dfg-inline-identity.js</a></li>
</ul>

</div>
<div id="patch">
<h3>Diff</h3>
<a id="trunkLayoutTestsChangeLog"></a>
<div class="modfile"><h4>Modified: trunk/LayoutTests/ChangeLog (176398 => 176399)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/ChangeLog        2014-11-20 17:32:04 UTC (rev 176398)
+++ trunk/LayoutTests/ChangeLog        2014-11-20 17:42:58 UTC (rev 176399)
</span><span class="lines">@@ -1,3 +1,17 @@
</span><ins>+2014-11-20  Mark Lam  &lt;mark.lam@apple.com&gt;
+
+        WTFCrashWithSecurityImplication under SpeculativeJIT::compile() when loading a page from theblaze.com.
+        &lt;https://webkit.org/b/137642&gt;
+
+        Reviewed by Filip Pizlo.
+
+        * js/dfg-inline-identity-expected.txt: Added.
+        * js/dfg-inline-identity.html: Added.
+        * js/script-tests/dfg-inline-identity.js: Added.
+        (o.toKey):
+        (foo):
+        (test):
+
</ins><span class="cx"> 2014-11-20  Commit Queue  &lt;commit-queue@webkit.org&gt;
</span><span class="cx"> 
</span><span class="cx">         Unreviewed, rolling out r176396.
</span></span></pre></div>
<a id="trunkLayoutTestsjsdfginlineidentityexpectedtxt"></a>
<div class="addfile"><h4>Added: trunk/LayoutTests/js/dfg-inline-identity-expected.txt (0 => 176399)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/js/dfg-inline-identity-expected.txt                                (rev 0)
+++ trunk/LayoutTests/js/dfg-inline-identity-expected.txt        2014-11-20 17:42:58 UTC (rev 176399)
</span><span class="lines">@@ -0,0 +1,9 @@
</span><ins>+This tests that an identity node in the inlined function does not crash the DFG's code generator.
+
+On success, you will see a series of &quot;PASS&quot; messages, followed by &quot;TEST COMPLETE&quot;.
+
+
+PASS successfullyParsed is true
+
+TEST COMPLETE
+
</ins></span></pre></div>
<a id="trunkLayoutTestsjsdfginlineidentityhtml"></a>
<div class="addfile"><h4>Added: trunk/LayoutTests/js/dfg-inline-identity.html (0 => 176399)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/js/dfg-inline-identity.html                                (rev 0)
+++ trunk/LayoutTests/js/dfg-inline-identity.html        2014-11-20 17:42:58 UTC (rev 176399)
</span><span class="lines">@@ -0,0 +1,10 @@
</span><ins>+&lt;!DOCTYPE HTML PUBLIC &quot;-//IETF//DTD HTML//EN&quot;&gt;
+&lt;html&gt;
+&lt;head&gt;
+&lt;script src=&quot;../resources/js-test-pre.js&quot;&gt;&lt;/script&gt;
+&lt;/head&gt;
+&lt;body&gt;
+&lt;script src=&quot;script-tests/dfg-inline-identity.js&quot;&gt;&lt;/script&gt;
+&lt;script src=&quot;../resources/js-test-post.js&quot;&gt;&lt;/script&gt;
+&lt;/body&gt;
+&lt;/html&gt;
</ins></span></pre></div>
<a id="trunkLayoutTestsjsscripttestsdfginlineidentityjs"></a>
<div class="addfile"><h4>Added: trunk/LayoutTests/js/script-tests/dfg-inline-identity.js (0 => 176399)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/js/script-tests/dfg-inline-identity.js                                (rev 0)
+++ trunk/LayoutTests/js/script-tests/dfg-inline-identity.js        2014-11-20 17:42:58 UTC (rev 176399)
</span><span class="lines">@@ -0,0 +1,35 @@
</span><ins>+description(
+&quot;This tests that an identity node in the inlined function does not crash the DFG's code generator.&quot;
+);
+
+var o = {
+    x1: 0,
+    x2: 0,
+    x3: 0,
+    toKey: function() {
+        return this.x1 + &quot;,&quot; + this.x2 + &quot;,&quot; + this.x3;
+    },
+};
+
+var a = [];
+
+var x1Adjust = 1.3;
+var x2Adjust = 2.7;
+var x3Adjust = 1.2;
+
+function foo(i) {
+    o.x1 += x1Adjust;
+    o.x2 += x2Adjust;
+    o.x3 += x3Adjust;
+
+    a[i] = o.toKey();
+}
+
+function test() {
+    for (var i = 0; i &lt; 1000; i++)
+        foo(i);
+}
+
+test();
+
+var successfullyParsed = true;
</ins></span></pre></div>
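Review bot: the script never checks a computed value, only sets successfullyParsed, so the test shows that the DFG code generator no longer crashes on the Identity node but not that the code it now emits for that node yields the right value; after test() a shouldBe on a[999] against a value built without going through foo(i) (summing the three adjustments 1000 times in plain script and joining them the way toKey does) would make a silent miscompile visible. A one-line comment naming which part of this shape (toKey inlined into foo with double-typed x1/x2/x3) ends up as the folded Identity node would also keep the test meaningful if ConstantFolding is changed later.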
<a id="trunkSourceJavaScriptCoreChangeLog"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/ChangeLog (176398 => 176399)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/ChangeLog        2014-11-20 17:32:04 UTC (rev 176398)
+++ trunk/Source/JavaScriptCore/ChangeLog        2014-11-20 17:42:58 UTC (rev 176399)
</span><span class="lines">@@ -1,3 +1,28 @@
</span><ins>+2014-11-19  Mark Lam  &lt;mark.lam@apple.com&gt;
+
+        WTFCrashWithSecurityImplication under SpeculativeJIT::compile() when loading a page from theblaze.com.
+        &lt;https://webkit.org/b/137642&gt;
+
+        Reviewed by Filip Pizlo.
+
+        In the DFG, we have a ConstantFolding phase that occurs after all LocalCSE
+        phases have already transpired.  Hence, Identity nodes introduced in the
+        ConstantFolding phase will be left in the node graph.  Subsequently, the
+        DFG code generator asserts that CSE phases have consumed all Identity nodes.
+        This turns out to not be true.  Hence, the crash.  We fix this by teaching
+        the DFG code generator to emit code for Identity nodes.
+
+        Unlike the DFG, the FTL does not have this issue.  That is because the FTL
+        plan has GlobalCSE phases that come after ConstantFolding and any other
+        phases that can generate Identity nodes.  Hence, for the FTL, it is true that
+        CSE will consume all Identity nodes, and the code generator should not see any
+        Identity nodes.
+
+        * dfg/DFGSpeculativeJIT32_64.cpp:
+        (JSC::DFG::SpeculativeJIT::compile):
+        * dfg/DFGSpeculativeJIT64.cpp:
+        (JSC::DFG::SpeculativeJIT::compile):
+
</ins><span class="cx"> 2014-11-19  Joseph Pecoraro  &lt;pecoraro@apple.com&gt;
</span><span class="cx"> 
</span><span class="cx">         Web Inspector: JSContext inspection Resource search does not work
</span></span></pre></div>
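Review bot: this entry is dated 2014-11-19 while the commit landed on 2014-11-20 and the LayoutTests/ChangeLog entry in the same change uses 2014-11-20; the two ChangeLog dates should agree. The rationale itself (ConstantFolding runs after the last LocalCSE in the DFG plan but before GlobalCSE in the FTL plan) is clear; it would help to also name which DFG phases can introduce Identity nodes, so that a later phase reordering knows what it must keep true.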
<a id="trunkSourceJavaScriptCoredfgDFGSpeculativeJIT32_64cpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/dfg/DFGSpeculativeJIT32_64.cpp (176398 => 176399)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/dfg/DFGSpeculativeJIT32_64.cpp        2014-11-20 17:32:04 UTC (rev 176398)
+++ trunk/Source/JavaScriptCore/dfg/DFGSpeculativeJIT32_64.cpp        2014-11-20 17:42:58 UTC (rev 176399)
</span><span class="lines">@@ -1692,7 +1692,26 @@
</span><span class="cx">         break;
</span><span class="cx"> 
</span><span class="cx">     case Identity: {
</span><del>-        RELEASE_ASSERT_NOT_REACHED();
</del><ins>+        speculate(node, node-&gt;child1());
+        switch (node-&gt;child1().useKind()) {
+        case DoubleRepUse:
+        case DoubleRepRealUse: {
+            SpeculateDoubleOperand op(this, node-&gt;child1());
+            doubleResult(op.fpr(), node);
+            break;
+        }
+        case Int52RepUse: 
+        case MachineIntUse:
+        case DoubleRepMachineIntUse: {
+            RELEASE_ASSERT_NOT_REACHED();   
+            break;
+        }
+        default: {
+            JSValueOperand op(this, node-&gt;child1());
+            jsValueResult(op.tagGPR(), op.payloadGPR(), node);
+            break;
+        }
+        } // switch
</ins><span class="cx">         break;
</span><span class="cx">     }
</span><span class="cx"> 
</span></span></pre></div>
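Review bot: DoubleRepMachineIntUse is grouped with the Int52 use kinds and hits RELEASE_ASSERT_NOT_REACHED() here, whereas the 64-bit version of the same switch sends it through SpeculateDoubleOperand/doubleResult; since it is a double-representation edge, either fold it into the DoubleRepUse/DoubleRepRealUse branch above or add a comment stating why that use kind cannot occur on 32-bit, so the two files do not silently disagree. Two added lines also carry trailing whitespace (`case Int52RepUse: ` and `RELEASE_ASSERT_NOT_REACHED();   `).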
<a id="trunkSourceJavaScriptCoredfgDFGSpeculativeJIT64cpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/dfg/DFGSpeculativeJIT64.cpp (176398 => 176399)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/dfg/DFGSpeculativeJIT64.cpp        2014-11-20 17:32:04 UTC (rev 176398)
+++ trunk/Source/JavaScriptCore/dfg/DFGSpeculativeJIT64.cpp        2014-11-20 17:42:58 UTC (rev 176399)
</span><span class="lines">@@ -1793,8 +1793,26 @@
</span><span class="cx">         break;
</span><span class="cx"> 
</span><span class="cx">     case Identity: {
</span><del>-        // CSE should always eliminate this.
-        DFG_CRASH(m_jit.graph(), node, &quot;Unexpected Identity node&quot;);
</del><ins>+        speculate(node, node-&gt;child1());
+        switch (node-&gt;child1().useKind()) {
+        case DoubleRepUse:
+        case DoubleRepRealUse:
+        case DoubleRepMachineIntUse: {
+            SpeculateDoubleOperand op(this, node-&gt;child1());
+            doubleResult(op.fpr(), node);
+            break;
+        }
+        case Int52RepUse: {
+            SpeculateInt52Operand op(this, node-&gt;child1());
+            int52Result(op.gpr(), node);
+            break;
+        }
+        default: {
+            JSValueOperand op(this, node-&gt;child1());
+            jsValueResult(op.gpr(), node);
+            break;
+        }
+        } // switch
</ins><span class="cx">         break;
</span><span class="cx">     }
</span><span class="cx"> 
</span></span></pre>
</div>
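Review bot: speculate(node, node->child1()) already performs the type check for child1, yet JSValueOperand op(this, node->child1()) in the default branch is constructed in its default speculation mode, so it will speculate the edge a second time; the usual pairing with an explicit speculate() call is to pass ManualOperandSpeculation to the operand. Separately, doubleResult(op.fpr(), node), int52Result(op.gpr(), node) and jsValueResult(op.gpr(), node) hand the child's own register to this node as its result, so if child1 stays live past the Identity two nodes claim one register; allocating an FPRTemporary/GPRTemporary, moving the value into it and returning that is the safer shape. The deleted "CSE should always eliminate this." comment is worth replacing with one line saying why Identity can now reach code generation (ConstantFolding runs after the last LocalCSE), since that rationale otherwise lives only in the ChangeLog.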
</div>

</body>
</html>