WebKit Bugzilla
Attachment 341713 Details for Bug 186169: PutStructure AI rule needs to call didFoldClobberStructures when the incoming value's structure set is clear
[patch] patch: c-backup.diff (text/plain), 1.86 KB, created by Saam Barati on 2018-05-31 17:16:21 PDT
>Index: Source/JavaScriptCore/ChangeLog >=================================================================== >--- Source/JavaScriptCore/ChangeLog (revision 232376) >+++ Source/JavaScriptCore/ChangeLog (working copy) >@@ -1,3 +1,19 @@ >+2018-05-31 Saam Barati <sbarati@apple.com> >+ >+ PutStructure AI rule needs to call didFoldClobberStructures when the incoming value's structure set is clear >+ https://bugs.webkit.org/show_bug.cgi?id=186169 >+ >+ Reviewed by NOBODY (OOPS!). >+ >+ If we don't do this, the CFA validation rule about StructureID being >+ clobbered but AI not clobbering or folding a clobber will cause us >+ to crash. Simon was running into this yesterday on arstechnica.com. >+ I couldn't come up with a test case for this, but it's obvious >+ what the issue is by looking at the IR dump at the time of the crash. >+ >+ * dfg/DFGAbstractInterpreterInlines.h: >+ (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects): >+ > 2018-05-31 Keith Miller <keith_miller@apple.com> > > DFGArrayModes needs to know more about CoW arrays >Index: Source/JavaScriptCore/dfg/DFGAbstractInterpreterInlines.h >=================================================================== >--- Source/JavaScriptCore/dfg/DFGAbstractInterpreterInlines.h (revision 232374) >+++ Source/JavaScriptCore/dfg/DFGAbstractInterpreterInlines.h (working copy) >@@ -2763,6 +2763,9 @@ bool AbstractInterpreter<AbstractStateTy > clobberLimit, node->transition()->previous, node->transition()->next); > forNode(node->child1()).changeStructure(m_graph, node->transition()->next); > } >+ } else { >+ // We're going to exit before we get here, but for the sake of validation, we've folded our write to StructureID. >+ didFoldClobberStructures(); > } > break; > case GetButterfly:
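Review bot: The ChangeLog entry lands without a regression test ("I couldn't come up with a test case for this") and points to an IR dump that is not part of the patch. Please attach the relevant portion of that dump to the bug, or quote the node sequence around the PutStructure in the ChangeLog, so the reasoning behind the fix can be checked without reproducing the crash on the site where it was seen.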
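Review bot: In the new else branch of the DFGAbstractInterpreterInlines.h hunk, the comment says "We're going to exit before we get here" but does not say which condition makes that true, and the guarding if is outside the visible context. Going by the bug title, this is the case where the incoming value's structure set is clear, so the comment should state that explicitly and say that didFoldClobberStructures() is called only to satisfy the CFA validation rule described in the ChangeLog. That keeps a later reader from mistaking the call for a real fold of a reachable structure write.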