Bug 125253

Summary: Reveal array bounds checks in DFG IR
Product: WebKit
Reporter: Filip Pizlo <fpizlo>
Component: JavaScriptCore
Assignee: Filip Pizlo <fpizlo>
Status: RESOLVED FIXED
Severity: Normal
CC: barraclough, commit-queue, ggaren, gyuyoung.kim, mark.lam, mhahnenberg, msaboff, oliver, rakuco, sam
Priority: P2
Version: 528+ (Nightly build)
Hardware: All
OS: All
Bug Depends on: 125252
Bug Blocks: 125433
Attachments:
Attachment  Description    Flags
218718      it begins      none
218720      it might work  none
218721      the patch      none
218722      the patch      oliver: review+

Description Filip Pizlo 2013-12-04 14:00:18 PST
Patch forthcoming.
Comment 1 Filip Pizlo 2013-12-08 15:42:45 PST
Created attachment 218718 [details]
it begins
Comment 2 Filip Pizlo 2013-12-08 17:13:23 PST
Created attachment 218720 [details]
it might work
Comment 3 Filip Pizlo 2013-12-08 19:50:37 PST
Created attachment 218721 [details]
the patch
Comment 4 Filip Pizlo 2013-12-08 19:59:15 PST
Created attachment 218722 [details]
the patch

Rebased.
Comment 5 WebKit Commit Bot 2013-12-08 20:01:13 PST
Attachment 218722 [details] did not pass style-queue:

Failed to run "['Tools/Scripts/check-webkit-style', '--diff-files', u'Source/JavaScriptCore/CMakeLists.txt', u'Source/JavaScriptCore/ChangeLog', u'Source/JavaScriptCore/GNUmakefile.list.am', u'Source/JavaScriptCore/JavaScriptCore.vcxproj/JavaScriptCore.vcxproj', u'Source/JavaScriptCore/JavaScriptCore.xcodeproj/project.pbxproj', u'Source/JavaScriptCore/bytecode/ExitKind.cpp', u'Source/JavaScriptCore/bytecode/ExitKind.h', u'Source/JavaScriptCore/dfg/DFGAbstractInterpreterInlines.h', u'Source/JavaScriptCore/dfg/DFGArrayMode.cpp', u'Source/JavaScriptCore/dfg/DFGArrayMode.h', u'Source/JavaScriptCore/dfg/DFGClobberize.h', u'Source/JavaScriptCore/dfg/DFGConstantFoldingPhase.cpp', u'Source/JavaScriptCore/dfg/DFGFixupPhase.cpp', u'Source/JavaScriptCore/dfg/DFGNodeType.h', u'Source/JavaScriptCore/dfg/DFGPlan.cpp', u'Source/JavaScriptCore/dfg/DFGPredictionPropagationPhase.cpp', u'Source/JavaScriptCore/dfg/DFGSSALoweringPhase.cpp', u'Source/JavaScriptCore/dfg/DFGSSALoweringPhase.h', u'Source/JavaScriptCore/dfg/DFGSafeToExecute.h', u'Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp', u'Source/JavaScriptCore/dfg/DFGSpeculativeJIT32_64.cpp', u'Source/JavaScriptCore/dfg/DFGSpeculativeJIT64.cpp', u'Source/JavaScriptCore/ftl/FTLCapabilities.cpp', u'Source/JavaScriptCore/ftl/FTLLowerDFGToLLVM.cpp', u'Source/JavaScriptCore/runtime/JSObject.cpp', u'Source/JavaScriptCore/runtime/JSObject.h', u'Source/JavaScriptCore/tests/stress/float32array-out-of-bounds.js', u'Source/JavaScriptCore/tests/stress/int32-object-out-of-bounds.js', u'Source/JavaScriptCore/tests/stress/int32-out-of-bounds.js', '--commit-queue']" exit_code: 1
ERROR: Source/JavaScriptCore/dfg/DFGSSALoweringPhase.cpp:44:  Comma should be at the beginning of the line in a member initialization list.  [whitespace/init] [4]
Total errors found: 1 in 27 files


If any of these errors are false positives, please file a bug against check-webkit-style.
Comment 6 Filip Pizlo 2013-12-08 20:03:15 PST
(In reply to comment #5)
> Attachment 218722 [details] did not pass style-queue:
> 
> Failed to run "['Tools/Scripts/check-webkit-style', '--diff-files', u'Source/JavaScriptCore/CMakeLists.txt', u'Source/JavaScriptCore/ChangeLog', u'Source/JavaScriptCore/GNUmakefile.list.am', u'Source/JavaScriptCore/JavaScriptCore.vcxproj/JavaScriptCore.vcxproj', u'Source/JavaScriptCore/JavaScriptCore.xcodeproj/project.pbxproj', u'Source/JavaScriptCore/bytecode/ExitKind.cpp', u'Source/JavaScriptCore/bytecode/ExitKind.h', u'Source/JavaScriptCore/dfg/DFGAbstractInterpreterInlines.h', u'Source/JavaScriptCore/dfg/DFGArrayMode.cpp', u'Source/JavaScriptCore/dfg/DFGArrayMode.h', u'Source/JavaScriptCore/dfg/DFGClobberize.h', u'Source/JavaScriptCore/dfg/DFGConstantFoldingPhase.cpp', u'Source/JavaScriptCore/dfg/DFGFixupPhase.cpp', u'Source/JavaScriptCore/dfg/DFGNodeType.h', u'Source/JavaScriptCore/dfg/DFGPlan.cpp', u'Source/JavaScriptCore/dfg/DFGPredictionPropagationPhase.cpp', u'Source/JavaScriptCore/dfg/DFGSSALoweringPhase.cpp', u'Source/JavaScriptCore/dfg/DFGSSALoweringPhase.h', u'Source/JavaScriptCore/dfg/DFGSafeToExecute.h', u'Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp', u'Source/JavaScriptCore/dfg/DFGSpeculativeJIT32_64.cpp', u'Source/JavaScriptCore/dfg/DFGSpeculativeJIT64.cpp', u'Source/JavaScriptCore/ftl/FTLCapabilities.cpp', u'Source/JavaScriptCore/ftl/FTLLowerDFGToLLVM.cpp', u'Source/JavaScriptCore/runtime/JSObject.cpp', u'Source/JavaScriptCore/runtime/JSObject.h', u'Source/JavaScriptCore/tests/stress/float32array-out-of-bounds.js', u'Source/JavaScriptCore/tests/stress/int32-object-out-of-bounds.js', u'Source/JavaScriptCore/tests/stress/int32-out-of-bounds.js', '--commit-queue']" exit_code: 1
> ERROR: Source/JavaScriptCore/dfg/DFGSSALoweringPhase.cpp:44:  Comma should be at the beginning of the line in a member initialization list.  [whitespace/init] [4]

OMG no!

> Total errors found: 1 in 27 files
> 
> 
> If any of these errors are false positives, please file a bug against check-webkit-style.
Comment 7 Filip Pizlo 2013-12-08 20:05:44 PST
(In reply to comment #6)
> (In reply to comment #5)
> > Attachment 218722 [details] did not pass style-queue:
> > 
> > Failed to run "['Tools/Scripts/check-webkit-style', '--diff-files', u'Source/JavaScriptCore/CMakeLists.txt', u'Source/JavaScriptCore/ChangeLog', u'Source/JavaScriptCore/GNUmakefile.list.am', u'Source/JavaScriptCore/JavaScriptCore.vcxproj/JavaScriptCore.vcxproj', u'Source/JavaScriptCore/JavaScriptCore.xcodeproj/project.pbxproj', u'Source/JavaScriptCore/bytecode/ExitKind.cpp', u'Source/JavaScriptCore/bytecode/ExitKind.h', u'Source/JavaScriptCore/dfg/DFGAbstractInterpreterInlines.h', u'Source/JavaScriptCore/dfg/DFGArrayMode.cpp', u'Source/JavaScriptCore/dfg/DFGArrayMode.h', u'Source/JavaScriptCore/dfg/DFGClobberize.h', u'Source/JavaScriptCore/dfg/DFGConstantFoldingPhase.cpp', u'Source/JavaScriptCore/dfg/DFGFixupPhase.cpp', u'Source/JavaScriptCore/dfg/DFGNodeType.h', u'Source/JavaScriptCore/dfg/DFGPlan.cpp', u'Source/JavaScriptCore/dfg/DFGPredictionPropagationPhase.cpp', u'Source/JavaScriptCore/dfg/DFGSSALoweringPhase.cpp', u'Source/JavaScriptCore/dfg/DFGSSALoweringPhase.h', u'Source/JavaScriptCore/dfg/DFGSafeToExecute.h', u'Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp', u'Source/JavaScriptCore/dfg/DFGSpeculativeJIT32_64.cpp', u'Source/JavaScriptCore/dfg/DFGSpeculativeJIT64.cpp', u'Source/JavaScriptCore/ftl/FTLCapabilities.cpp', u'Source/JavaScriptCore/ftl/FTLLowerDFGToLLVM.cpp', u'Source/JavaScriptCore/runtime/JSObject.cpp', u'Source/JavaScriptCore/runtime/JSObject.h', u'Source/JavaScriptCore/tests/stress/float32array-out-of-bounds.js', u'Source/JavaScriptCore/tests/stress/int32-object-out-of-bounds.js', u'Source/JavaScriptCore/tests/stress/int32-out-of-bounds.js', '--commit-queue']" exit_code: 1
> > ERROR: Source/JavaScriptCore/dfg/DFGSSALoweringPhase.cpp:44:  Comma should be at the beginning of the line in a member initialization list.  [whitespace/init] [4]
> 
> OMG no!
> 
> > Total errors found: 1 in 27 files
> > 
> > 
> > If any of these errors are false positives, please file a bug against check-webkit-style.

https://bugs.webkit.org/show_bug.cgi?id=125434
Comment 8 Filip Pizlo 2013-12-09 19:21:43 PST
Landed in http://trac.webkit.org/changeset/160347
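The patch's file list names three new stress tests (float32array-out-of-bounds.js, int32-object-out-of-bounds.js, int32-out-of-bounds.js) but the page does not show their contents. The following is an added example, not code from the patch or from WebKit, that exercises the JavaScript-level behaviour an optimizing JIT's array bounds checks must preserve after a hot accessor has been compiled: out-of-bounds reads yield undefined rather than a neighbouring element, a plain array grows on an out-of-bounds store, and a typed array drops such a store without changing its length. The array contents, warm-up counts, and the reading of the three test names as "plain int32 array, int32 array held on an object, Float32Array" are assumptions made for this example; it is engine independent and runs as-is under node.

```javascript
// Added example, not part of the WebKit patch on this page: it exercises
// the JavaScript-level behaviour that an optimizing JIT's array bounds
// checks must preserve once a hot accessor has been compiled. Engine
// independent; runs as-is under node. Array contents and warm-up counts
// below are constructed for this example.

// Read a[i]; map undefined to a string so results compare by value.
function readAt(a, i) {
  const v = a[i];
  return v === undefined ? 'undefined' : v;
}

// Warm an accessor on in-bounds indices only (so a JIT may compile it
// assuming indices stay in range), then drive the same accessor out of
// bounds. Every out-of-bounds read must yield undefined, never a
// neighbouring element or raw memory.
function probe(makeArray, warmupIterations) {
  const a = makeArray();
  const n = a.length;
  let acc = 0;
  for (let k = 0; k < warmupIterations; k++) {
    acc += readAt(a, k % n);
  }
  return {
    inBounds: readAt(a, n - 1),
    atLength: readAt(a, n),
    pastLength: readAt(a, n + 1000),
    negative: readAt(a, -1),
    warmupSum: acc,
  };
}

// Out-of-bounds stores differ by array kind: a plain array grows and
// leaves holes behind, a typed array must drop the store without changing
// its length (some engines throw for this in strict code, so the store is
// wrapped and the outcome recorded rather than assumed).
function writePastEnd(a, i, value) {
  const lengthBefore = a.length;
  let threw = false;
  try {
    a[i] = value;
  } catch (e) {
    threw = true;
  }
  return {
    lengthBefore,
    lengthAfter: a.length,
    readBack: readAt(a, i),
    holeBetween: readAt(a, lengthBefore), // index that was never written
    threw,
  };
}

// Run the probes for the three shapes the stress-test names suggest
// (assumed reading of the names; the tests themselves are not reproduced).
function runAll() {
  const holder = { data: [10, 20, 30, 40] };
  return {
    int32: probe(() => [1, 2, 3, 4], 10000),
    int32Object: probe(() => holder.data, 10000),
    float32: probe(() => new Float32Array([1.5, 2.5, 3.5, 4.5]), 10000),
    plainWrite: writePastEnd([1, 2, 3], 10, 7),
    typedWrite: writePastEnd(new Float32Array(3), 10, 7),
  };
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(JSON.stringify(runAll(), null, 2));
}
```

Run it with `node` and compare the output across tiers of a JIT under test: a bounds-check bug typically shows up as the hot path returning something other than undefined for `atLength`, `pastLength` or `negative`, or as `typedWrite.lengthAfter` drifting from `lengthBefore`.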