WebKit Bugzilla
Attachment 340754 Details for Bug 185792: op_in should mark if it sees out of bounds accesses
Patch: bug-185792-20180518161217.patch (text/plain), 5.67 KB, created by Keith Miller on 2018-05-18 16:12:18 PDT
Description: Patch
Attachment flags: patch, obsolete
>Subversion Revision: 231983 >diff --git a/Source/JavaScriptCore/ChangeLog b/Source/JavaScriptCore/ChangeLog >index 71e84aa7c02bf410fbde6b9568a5fe3773454f32..5d0a9499e923ffd72371b3ee6feda5678e5a0229 100644 >--- a/Source/JavaScriptCore/ChangeLog >+++ b/Source/JavaScriptCore/ChangeLog >@@ -1,3 +1,19 @@ >+2018-05-18 Keith Miller <keith_miller@apple.com> >+ >+ op_in should mark if it sees out of bounds accesses >+ https://bugs.webkit.org/show_bug.cgi?id=185792 >+ >+ Reviewed by NOBODY (OOPS!). >+ >+ This would used to cause us to OSR loop since we would always speculate >+ we were in bounds in HasIndexedProperty. >+ >+ * bytecode/ArrayProfile.cpp: >+ (JSC::ArrayProfile::observeIndexedRead): >+ * bytecode/ArrayProfile.h: >+ * runtime/CommonSlowPaths.h: >+ (JSC::CommonSlowPaths::opIn): >+ > 2018-05-18 Mark Lam <mark.lam@apple.com> > > Add missing exception check. >diff --git a/Source/JavaScriptCore/bytecode/ArrayProfile.cpp b/Source/JavaScriptCore/bytecode/ArrayProfile.cpp >index cb1b7585b22ec31471f84c2f1567d6858b16848c..c1c7dbd67cccbba1098e948fedff2e41a3135390 100644 >--- a/Source/JavaScriptCore/bytecode/ArrayProfile.cpp >+++ b/Source/JavaScriptCore/bytecode/ArrayProfile.cpp 
>@@ -121,6 +121,23 @@ void ArrayProfile::computeUpdatedPrediction(const ConcurrentJSLocker&, CodeBlock > m_usesOriginalArrayStructures = false; > } > >+void ArrayProfile::observeIndexedRead(VM& vm, JSCell* cell, unsigned index) >+{ >+ m_lastSeenStructureID = cell->structureID(); >+ >+ if (JSObject* object = jsDynamicCast<JSObject*>(vm, cell)) { >+ if (hasAnyArrayStorage(object->indexingType()) && index >= object->getVectorLength()) >+ setOutOfBounds(); >+ else if (index >= object->getArrayLength()) >+ setOutOfBounds(); >+ } >+ >+ if (JSString* string = jsDynamicCast<JSString*>(vm, cell)) { >+ if (index >= string->length()) >+ setOutOfBounds(); >+ } >+} >+ > CString ArrayProfile::briefDescription(const ConcurrentJSLocker& locker, CodeBlock* codeBlock) > { > computeUpdatedPrediction(locker, codeBlock); >diff --git a/Source/JavaScriptCore/bytecode/ArrayProfile.h b/Source/JavaScriptCore/bytecode/ArrayProfile.h >index c10c5e2c16addfcb11c6133cc09ca05c89476869..73eb88291cef1b6e0d8b55f19afb97674f51e4ce 100644 >--- a/Source/JavaScriptCore/bytecode/ArrayProfile.h >+++ b/Source/JavaScriptCore/bytecode/ArrayProfile.h >@@ -214,11 +214,13 @@ public: > { > m_lastSeenStructureID = structure->id(); > } >- >+ > void computeUpdatedPrediction(const ConcurrentJSLocker&, CodeBlock*); > void computeUpdatedPrediction(const ConcurrentJSLocker&, CodeBlock*, Structure* lastSeenStructure); > > void observeArrayMode(ArrayModes mode) { m_observedArrayModes |= mode; } >+ void observeIndexedRead(VM&, JSCell*, unsigned index); >+ > ArrayModes observedArrayModes(const ConcurrentJSLocker&) const { return m_observedArrayModes; } > bool mayInterceptIndexedAccesses(const ConcurrentJSLocker&) const { return m_mayInterceptIndexedAccesses; } > >diff --git a/Source/JavaScriptCore/runtime/CommonSlowPaths.h b/Source/JavaScriptCore/runtime/CommonSlowPaths.h >index db1eea95d48c3e48a95ff86c6cfbca4579b425ba..c28513567cd3a687bd03459f761dc9aff8d0007b 100644 >--- a/Source/JavaScriptCore/runtime/CommonSlowPaths.h 
>+++ b/Source/JavaScriptCore/runtime/CommonSlowPaths.h >@@ -100,6 +100,8 @@ inline bool opIn(ExecState* exec, JSValue baseVal, JSValue propName, ArrayProfil > > uint32_t i; > if (propName.getUInt32(i)) { >+ if (arrayProfile) >+ arrayProfile->observeIndexedRead(vm, baseObj, i); > scope.release(); > return baseObj->hasProperty(exec, i); > } >diff --git a/JSTests/ChangeLog b/JSTests/ChangeLog >index 5983914b41d5a30fba7cc2ae37b3e1bdaa54b9be..80291366f416632ee0dfe60ec63e7efdee9736e6 100644 >--- a/JSTests/ChangeLog >+++ b/JSTests/ChangeLog >@@ -1,3 +1,15 @@ >+2018-05-18 Keith Miller <keith_miller@apple.com> >+ >+ op_in should mark if it sees out of bounds accesses >+ https://bugs.webkit.org/show_bug.cgi?id=185792 >+ >+ Reviewed by NOBODY (OOPS!). >+ >+ * stress/has-indexed-property-array-storage-ftl.js: >+ (test2): >+ * stress/has-indexed-property-slow-put-array-storage-ftl.js: >+ (test2): >+ > 2018-05-18 Mark Lam <mark.lam@apple.com> > > Add missing exception check. >diff --git a/JSTests/stress/has-indexed-property-array-storage-ftl.js b/JSTests/stress/has-indexed-property-array-storage-ftl.js >index b967c3d496de9293a8039deaadd6b3e5cfb4e12b..6d937d61bba611abfd9b2d75afce678b1378e899 100644 >--- a/JSTests/stress/has-indexed-property-array-storage-ftl.js >+++ b/JSTests/stress/has-indexed-property-array-storage-ftl.js >@@ -32,11 +32,11 @@ shouldBe(test1(array), false); > function test2(array) > { > didFTLCompile = ftlTrue(); >- return 2 in array; >+ return 13 in array; > } > noInline(test2); > >-var array1 = [1, 2, 3, 4]; >+var array1 = [1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14]; > ensureArrayStorage(array1); > var array2 = [1, 2]; > ensureArrayStorage(array2); >diff --git a/JSTests/stress/has-indexed-property-slow-put-array-storage-ftl.js b/JSTests/stress/has-indexed-property-slow-put-array-storage-ftl.js >index 9fedf2da2d10f8b49285859ef0512020ab4c17a5..828afdbea32dfaeff84464c9c49c05adea2fd6d5 100644 
>--- a/JSTests/stress/has-indexed-property-slow-put-array-storage-ftl.js >+++ b/JSTests/stress/has-indexed-property-slow-put-array-storage-ftl.js >@@ -43,11 +43,11 @@ shouldBe(test1(array), false); > function test2(array) > { > didFTLCompile = ftlTrue(); >- return 2 in array; >+ return 9 in array; > } > noInline(test2); > >-var array1 = [1, 2, 3, 4]; >+var array1 = [1, 2, 3, 4, 5, 6, 7, 8, 9, 10]; > array1.__proto__ = object; > ensureArrayStorage(array1); > var array2 = [1, 2];
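Review bot: The Source/JavaScriptCore/ChangeLog entry only describes the old behaviour and has a grammar slip ("This would used to cause us to OSR loop"); reword it to say what the patch does, e.g. "This used to cause us to OSR loop since we would always speculate we were in bounds in HasIndexedProperty. Now opIn records out-of-bounds indexed reads in the ArrayProfile so the DFG stops speculating in-bounds." "Reviewed by NOBODY (OOPS!)" still has to be filled in with the reviewer before landing.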
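Review bot: In ArrayProfile::observeIndexedRead the two jsDynamicCast branches are mutually exclusive (a cell is a JSObject or a JSString, never both), so the JSString check should be an `else if`, or be dropped if the only caller is opIn, which passes the object base of `in` (the `in` operator throws on a non-object base, so a string can never reach it from that call site). A one-line comment on why the array-storage case compares against getVectorLength() before falling back to getArrayLength() would also help, since every other indexing type only goes through the public-length check.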
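Review bot: The first `-`/`+` pair in the ArrayProfile.h hunk is a whitespace-only change to a blank line; if it is stripping trailing whitespace it is fine, otherwise drop it so the hunk only carries the new `observeIndexedRead(VM&, JSCell*, unsigned index);` declaration.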
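Review bot: In has-indexed-property-array-storage-ftl.js the magic numbers `13 in array` and the 14-element `array1` deserve a comment explaining the choice: the index must stay in bounds for array1 so test2 gets FTL-compiled speculating in-bounds, and then be out of bounds for the two-element array2 (past its array-storage vector length, not just its public length) so the new observeIndexedRead path is what the test exercises.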
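Review bot: Same point for has-indexed-property-slow-put-array-storage-ftl.js: add a comment on why `9 in array` and the 10-element `array1` were chosen, so the relation between the index, array2's length and the out-of-bounds profiling being tested is clear to the next reader.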
Flags: fpizlo: review+