[webkit-reviews] review granted: [Bug 206632] InternalField and CheckNeutered DFG nodes are not always safe to execute : [Attachment 388500] Patch
bugzilla-daemon at webkit.org
bugzilla-daemon at webkit.org
Wed Jan 22 18:18:18 PST 2020
Saam Barati <sbarati at apple.com> has granted Keith Miller
<keith_miller at apple.com>'s request for review:
Bug 206632: InternalField and CheckNeutered DFG nodes are not always safe to
execute
https://bugs.webkit.org/show_bug.cgi?id=206632
Attachment 388500: Patch
https://bugs.webkit.org/attachment.cgi?id=388500&action=review
--- Comment #8 from Saam Barati <sbarati at apple.com> ---
Comment on attachment 388500
--> https://bugs.webkit.org/attachment.cgi?id=388500
Patch
View in context: https://bugs.webkit.org/attachment.cgi?id=388500&action=review
> Source/JavaScriptCore/ChangeLog:10
> + GetInternalField, etc. rely on a a proof that the cell passed to it
is a subclass of InteralFieldObject
> + but we may hoist it past the check guarding it.
nit: sentence is a bit of a run on and can be made clearer
> Source/JavaScriptCore/ChangeLog:13
> + It's not valid to require that AI will preserve any invariant since
phases can make changes that AI doesn't
"preserve" isn't the right word here. AI won't break the program. But it might
not be able to precisely model it.
> Source/JavaScriptCore/dfg/DFGSafeToExecute.h:38
> +// not prove it is valid. Thus, it is always
you forgot to finish your comment here
More information about the webkit-reviews
mailing list