Bug 192441

Summary: speculationFromCell() should speculate non-Identifier strings as SpecString instead of SpecStringVar.
Product: WebKit
Reporter: Mark Lam <mark.lam>
Component: JavaScriptCore
Assignee: Mark Lam <mark.lam>
Status: RESOLVED FIXED
Severity: Normal
CC: commit-queue, fpizlo, keith_miller, msaboff, rmorisset, saam, tzagallo, webkit-bug-importer
Priority: P2
Keywords: InRadar
Version: WebKit Nightly Build
Hardware: Unspecified
OS: Unspecified
Attachments: proposed patch. (flags: none)

Description Mark Lam 2018-12-05 17:21:42 PST
This is because a regular String (non-Identifier) can be converted into an Identifier.  During DFG/FTL compilation, AbstractValue::checkConsistency() may expect a value to be of type SpecStringVar, but the mutator thread may have converted the string into an Identifier.  This creates a race where AbstractValue::checkConsistency() may fail because it sees a SpecStringIdent when it expects a SpecStringVar.

The fix is to speculate non-Identifier strings as type SpecString which allows it to be SpecStringVar or SpecStringIdent.

<rdar://problem/46480355>
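An added example (not WebKit's code) that replays the race described above deterministically: the compiler thread records a prediction for a non-Identifier string, the mutator converts that string to an Identifier, and the consistency check is run again. The bit values for SpecStringIdent, SpecStringVar and SpecString are assumed stand-ins, not JavaScriptCore's real constants; only the relation SpecString = SpecStringVar | SpecStringIdent matters.

```cpp
#include <atomic>
#include <cstdint>

// Assumed bit layout (not WebKit's real constants): each string flavour
// gets its own bit and SpecString is the union of the two.
using SpeculatedType = uint64_t;
constexpr SpeculatedType SpecStringIdent = 1ull << 0;
constexpr SpeculatedType SpecStringVar   = 1ull << 1;
constexpr SpeculatedType SpecString      = SpecStringIdent | SpecStringVar;

// Minimal stand-in for a JSString cell: the mutator thread may turn a
// non-Identifier string into an Identifier at any time.
struct StringCell {
    std::atomic<bool> isIdentifier{false};
};

// What the compiler thread records for the cell at the moment it looks.
// Before the fix a non-Identifier string was pinned to SpecStringVar.
SpeculatedType speculationFromCellBeforeFix(const StringCell& cell) {
    return cell.isIdentifier.load() ? SpecStringIdent : SpecStringVar;
}

// After the fix a non-Identifier string is speculated as SpecString, so
// either flavour seen later is still consistent with the prediction.
SpeculatedType speculationFromCellAfterFix(const StringCell& cell) {
    return cell.isIdentifier.load() ? SpecStringIdent : SpecString;
}

// Stand-in for AbstractValue::checkConsistency(): the cell's current type
// must be a subset of what the abstract value expects.
bool checkConsistency(SpeculatedType expected, const StringCell& cell) {
    SpeculatedType now = cell.isIdentifier.load() ? SpecStringIdent : SpecStringVar;
    return (now & ~expected) == 0;
}

// Replays the race in a fixed order: predict, mutate, re-check.
// Returns true if the consistency check still passes after the mutation.
bool raceSurvives(SpeculatedType (*speculate)(const StringCell&)) {
    StringCell cell;                           // plain, non-Identifier string
    SpeculatedType expected = speculate(cell); // compiler thread's prediction
    cell.isIdentifier.store(true);             // mutator thread interns it
    return checkConsistency(expected, cell);   // compiler thread re-checks
}
```

With the pre-fix speculation the re-check fails (SpecStringIdent is not covered by SpecStringVar); with the post-fix speculation it passes.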
Comment 1 Mark Lam 2018-12-05 17:36:21 PST
Created attachment 356684 [details]
proposed patch.
Comment 2 Mark Lam 2018-12-05 20:09:03 PST
Comment on attachment 356684 [details]
proposed patch.

Thanks for the review.  Landing now.
Comment 3 WebKit Commit Bot 2018-12-05 20:34:35 PST
Comment on attachment 356684 [details]
proposed patch.

Clearing flags on attachment: 356684

Committed r238923: <https://trac.webkit.org/changeset/238923>
Comment 4 WebKit Commit Bot 2018-12-05 20:34:36 PST
All reviewed patches have been landed.  Closing bug.