<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN"
"http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head><meta http-equiv="content-type" content="text/html; charset=utf-8" />
<title>[200113] trunk/Source/JavaScriptCore</title>
</head>
<body>
<style type="text/css"><!--
#msg dl.meta { border: 1px #006 solid; background: #369; padding: 6px; color: #fff; }
#msg dl.meta dt { float: left; width: 6em; font-weight: bold; }
#msg dt:after { content:':';}
#msg dl, #msg dt, #msg ul, #msg li, #header, #footer, #logmsg { font-family: verdana,arial,helvetica,sans-serif; font-size: 10pt; }
#msg dl a { font-weight: bold}
#msg dl a:link { color:#fc3; }
#msg dl a:active { color:#ff0; }
#msg dl a:visited { color:#cc6; }
h3 { font-family: verdana,arial,helvetica,sans-serif; font-size: 10pt; font-weight: bold; }
#msg pre { overflow: auto; background: #ffc; border: 1px #fa0 solid; padding: 6px; }
#logmsg { background: #ffc; border: 1px #fa0 solid; padding: 1em 1em 0 1em; }
#logmsg p, #logmsg pre, #logmsg blockquote { margin: 0 0 1em 0; }
#logmsg p, #logmsg li, #logmsg dt, #logmsg dd { line-height: 14pt; }
#logmsg h1, #logmsg h2, #logmsg h3, #logmsg h4, #logmsg h5, #logmsg h6 { margin: .5em 0; }
#logmsg h1:first-child, #logmsg h2:first-child, #logmsg h3:first-child, #logmsg h4:first-child, #logmsg h5:first-child, #logmsg h6:first-child { margin-top: 0; }
#logmsg ul, #logmsg ol { padding: 0; list-style-position: inside; margin: 0 0 0 1em; }
#logmsg ul { text-indent: -1em; padding-left: 1em; }#logmsg ol { text-indent: -1.5em; padding-left: 1.5em; }
#logmsg > ul, #logmsg > ol { margin: 0 0 1em 0; }
#logmsg pre { background: #eee; padding: 1em; }
#logmsg blockquote { border: 1px solid #fa0; border-left-width: 10px; padding: 1em 1em 0 1em; background: white;}
#logmsg dl { margin: 0; }
#logmsg dt { font-weight: bold; }
#logmsg dd { margin: 0; padding: 0 0 0.5em 0; }
#logmsg dd:before { content:'\00bb';}
#logmsg table { border-spacing: 0px; border-collapse: collapse; border-top: 4px solid #fa0; border-bottom: 1px solid #fa0; background: #fff; }
#logmsg table th { text-align: left; font-weight: normal; padding: 0.2em 0.5em; border-top: 1px dotted #fa0; }
#logmsg table td { text-align: right; border-top: 1px dotted #fa0; padding: 0.2em 0.5em; }
#logmsg table thead th { text-align: center; border-bottom: 1px solid #fa0; }
#logmsg table th.Corner { text-align: left; }
#logmsg hr { border: none 0; border-top: 2px dashed #fa0; height: 1px; }
#header, #footer { color: #fff; background: #636; border: 1px #300 solid; padding: 6px; }
#patch { width: 100%; }
#patch h4 {font-family: verdana,arial,helvetica,sans-serif;font-size:10pt;padding:8px;background:#369;color:#fff;margin:0;}
#patch .propset h4, #patch .binary h4 {margin:0;}
#patch pre {padding:0;line-height:1.2em;margin:0;}
#patch .diff {width:100%;background:#eee;padding: 0 0 10px 0;overflow:auto;}
#patch .propset .diff, #patch .binary .diff {padding:10px 0;}
#patch span {display:block;padding:0 10px;}
#patch .modfile, #patch .addfile, #patch .delfile, #patch .propset, #patch .binary, #patch .copfile {border:1px solid #ccc;margin:10px 0;}
#patch ins {background:#dfd;text-decoration:none;display:block;padding:0 10px;}
#patch del {background:#fdd;text-decoration:none;display:block;padding:0 10px;}
#patch .lines, .info {color:#888;background:#fff;}
--></style>
<div id="msg">
<dl class="meta">
<dt>Revision</dt> <dd><a href="http://trac.webkit.org/projects/webkit/changeset/200113">200113</a></dd>
<dt>Author</dt> <dd>commit-queue@webkit.org</dd>
<dt>Date</dt> <dd>2016-04-26 16:26:19 -0700 (Tue, 26 Apr 2016)</dd>
</dl>
<h3>Log Message</h3>
<pre>[JSC] GetByVal on Undecided use its children before its OSR Exit
https://bugs.webkit.org/show_bug.cgi?id=157046
Patch by Benjamin Poulain <bpoulain@apple.com> on 2016-04-26
Reviewed by Mark Lam.
Very silly bug: GetByVal on Undecided uses its children before
the speculationCheck(). If we fail the speculation, we have already
lost how to recover the values.
The existing tests did not catch this because we tier up to B3
before such Exits happen. B3 has explicit liveness and did not suffer
from this bug.
The new test has a smaller warmup to exercise the OSR Exit in DFG
instead of FTL.
* dfg/DFGSpeculativeJIT64.cpp:
(JSC::DFG::SpeculativeJIT::compile):
* tests/stress/get-by-val-on-undecided-out-of-bounds.js: Added.
(string_appeared_here.opaqueGetByValKnownArray):</pre>
<h3>Modified Paths</h3>
<ul>
<li><a href="#trunkSourceJavaScriptCoreChangeLog">trunk/Source/JavaScriptCore/ChangeLog</a></li>
<li><a href="#trunkSourceJavaScriptCoredfgDFGSpeculativeJIT64cpp">trunk/Source/JavaScriptCore/dfg/DFGSpeculativeJIT64.cpp</a></li>
</ul>
<h3>Added Paths</h3>
<ul>
<li><a href="#trunkSourceJavaScriptCoretestsstressgetbyvalonundecidedoutofboundsjs">trunk/Source/JavaScriptCore/tests/stress/get-by-val-on-undecided-out-of-bounds.js</a></li>
</ul>
</div>
<div id="patch">
<h3>Diff</h3>
<a id="trunkSourceJavaScriptCoreChangeLog"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/ChangeLog (200112 => 200113)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/ChangeLog 2016-04-26 23:09:57 UTC (rev 200112)
+++ trunk/Source/JavaScriptCore/ChangeLog 2016-04-26 23:26:19 UTC (rev 200113)
</span><span class="lines">@@ -1,3 +1,25 @@
</span><ins>+2016-04-26 Benjamin Poulain <bpoulain@apple.com>
+
+ [JSC] GetByVal on Undecided use its children before its OSR Exit
+ https://bugs.webkit.org/show_bug.cgi?id=157046
+
+ Reviewed by Mark Lam.
+
+ Very silly bug: GetByVal on Undecided uses its children before
+ the speculationCheck(). If we fail the speculation, we have already
+ lost how to recover the values.
+
+ The existing tests did not catch this because we tier up to B3
+ before such Exits happen. B3 has explicit liveness and did not suffer
+ from this bug.
+ The new test has a smaller warmup to exercise the OSR Exit in DFG
+ instead of FTL.
+
+ * dfg/DFGSpeculativeJIT64.cpp:
+ (JSC::DFG::SpeculativeJIT::compile):
+ * tests/stress/get-by-val-on-undecided-out-of-bounds.js: Added.
+ (string_appeared_here.opaqueGetByValKnownArray):
+
</ins><span class="cx"> 2016-04-26 Skachkov Oleksandr <gskachkov@gmail.com>
</span><span class="cx">
</span><span class="cx"> calling super() a second time in a constructor should throw
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoredfgDFGSpeculativeJIT64cpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/dfg/DFGSpeculativeJIT64.cpp (200112 => 200113)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/dfg/DFGSpeculativeJIT64.cpp 2016-04-26 23:09:57 UTC (rev 200112)
+++ trunk/Source/JavaScriptCore/dfg/DFGSpeculativeJIT64.cpp 2016-04-26 23:26:19 UTC (rev 200113)
</span><span class="lines">@@ -2554,12 +2554,12 @@
</span><span class="cx"> GPRReg indexGPR = index.gpr();
</span><span class="cx"> GPRReg resultGPR = result.gpr();
</span><span class="cx">
</span><ins>+ speculationCheck(OutOfBounds, JSValueRegs(), node,
+ m_jit.branch32(MacroAssembler::LessThan, indexGPR, MacroAssembler::TrustedImm32(0)));
+
</ins><span class="cx"> use(node->child1());
</span><span class="cx"> index.use();
</span><span class="cx">
</span><del>- speculationCheck(OutOfBounds, JSValueRegs(), node,
- m_jit.branch32(MacroAssembler::LessThan, indexGPR, MacroAssembler::TrustedImm32(0)));
-
</del><span class="cx"> m_jit.move(MacroAssembler::TrustedImm64(ValueUndefined), resultGPR);
</span><span class="cx"> jsValueResult(resultGPR, node, UseChildrenCalledExplicitly);
</span><span class="cx"> break;
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoretestsstressgetbyvalonundecidedoutofboundsjs"></a>
<div class="addfile"><h4>Added: trunk/Source/JavaScriptCore/tests/stress/get-by-val-on-undecided-out-of-bounds.js (0 => 200113)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/tests/stress/get-by-val-on-undecided-out-of-bounds.js (rev 0)
+++ trunk/Source/JavaScriptCore/tests/stress/get-by-val-on-undecided-out-of-bounds.js 2016-04-26 23:26:19 UTC (rev 200113)
</span><span class="lines">@@ -0,0 +1,20 @@
</span><ins>+"use strict"
+
+function opaqueGetByValKnownArray(value)
+{
+ let array = [];
+ return array[value];
+}
+noInline(opaqueGetByValKnownArray);
+
+// Warm up without out-of-bounds access.
+for (let i = 0; i < 1e3; ++i) {
+ if (opaqueGetByValKnownArray(0) !== undefined)
+ throw "Failed opaqueGetByValKnownArray(0)";
+}
+
+// Then access out of bounds.
+for (let i = 0; i < 1e3; ++i) {
+ if (opaqueGetByValKnownArray(-1) !== undefined)
+ throw "Failed opaqueGetByValKnownArray(-1)";
+}
</ins><span class="cx">\ No newline at end of file
</span></span></pre>
</div>
</div>
</body>
</html>