Bug 192441

Summary:

speculationFromCell() should speculate non-Identifier strings as SpecString instead of SpecStringVar.

Product:

WebKit

Reporter:

Mark Lam <mark.lam>

Component:

JavaScriptCore

Assignee:

Mark Lam <mark.lam>

Status:

RESOLVED FIXED

Severity:

Normal

CC:

commit-queue, fpizlo, keith_miller, msaboff, rmorisset, saam, tzagallo, webkit-bug-importer

Priority:

Keywords:

InRadar

Version:

WebKit Nightly Build

Hardware:

Unspecified

OS:

Unspecified

Attachments:

Description	Flags
proposed patch.	none

Mark Lam

Reported 2018-12-05 17:21:42 PST

This is because a regular String (non-Identifier) can be converted into an Identifier. During DFG/FTL compilation, AbstractValue::checkConsistency() may expect a value to be of type SpecStringVar, but the mutator thread may have converted the string into an Identifier. This creates a race where AbstractValue::checkConsistency() may fail because it sees a SpecStringIdent when it expects the a SpecStringVar. The fix is to speculate non-Identifier strings as type SpecString which allows it to be SpecStringVar or SpecStringIndent. <rdar://problem/46480355>

Attachments
proposed patch. (3.32 KB, patch) 2018-12-05 17:36 PST, Mark Lam	no flags	Details Formatted Diff Diff
View All Add attachment proposed patch, testcase, etc.

Mark Lam

Comment 1 2018-12-05 17:36:21 PST

Created attachment 356684 [details] proposed patch.

Mark Lam

Comment 2 2018-12-05 20:09:03 PST

Comment on attachment 356684 [details] proposed patch. Thanks for the review. Landing now.

WebKit Commit Bot

Comment 3 2018-12-05 20:34:35 PST

Comment on attachment 356684 [details] proposed patch. Clearing flags on attachment: 356684 Committed r238923: <https://trac.webkit.org/changeset/238923>

WebKit Commit Bot

Comment 4 2018-12-05 20:34:36 PST

All reviewed patches have been landed. Closing bug.

Note You need to log in before you can comment on or make changes to this bug.