| Summary: | [JSC] Freeze JSBigInt when setting it as a constant in AI | ||||||
|---|---|---|---|---|---|---|---|
| Product: | WebKit | Reporter: | Yusuke Suzuki <ysuzuki> | ||||
| Component: | New Bugs | Assignee: | Yusuke Suzuki <ysuzuki> | ||||
| Status: | RESOLVED FIXED | ||||||
| Severity: | Normal | CC: | ews-watchlist, keith_miller, mark.lam, msaboff, saam, tzagallo, webkit-bug-importer | ||||
| Priority: | P2 | Keywords: | InRadar | ||||
| Version: | WebKit Nightly Build | ||||||
| Hardware: | Unspecified | ||||||
| OS: | Unspecified | ||||||
| Attachments: |
|
||||||
|
Description
Yusuke Suzuki
2020-06-17 11:29:04 PDT
Created attachment 402137 [details]
Patch
Comment on attachment 402137 [details]
Patch
r=me
Comment on attachment 402137 [details] Patch View in context: https://bugs.webkit.org/attachment.cgi?id=402137&action=review > Source/JavaScriptCore/dfg/DFGAbstractInterpreterInlines.h:2707 > + setConstant(node, *m_graph.freeze(childConst.asCell())); is there anywhere else in AI/constant folding we're missing this? Should setConstant assert? r=me too Comment on attachment 402137 [details] Patch View in context: https://bugs.webkit.org/attachment.cgi?id=402137&action=review >> Source/JavaScriptCore/dfg/DFGAbstractInterpreterInlines.h:2707 >> + setConstant(node, *m_graph.freeze(childConst.asCell())); > > is there anywhere else in AI/constant folding we're missing this? > > Should setConstant assert? setConstant (specifically, setConstant's FrozenValue constructor) has assertion, and this assertion fired with the attached test. I've checked AI code and this is the only place about BigInt thing. Windows failure is fast/dom/Window/alert-with-unmatched-utf16-surrogate-should-not-crash.html, which is unrelated to this one. Committed r263180: <https://trac.webkit.org/changeset/263180> All reviewed patches have been landed. Closing bug and clearing flags on attachment 402137 [details]. |