RESOLVED FIXED 155069
RegExpMatchesArray doesn't know how to have a bad time
https://bugs.webkit.org/show_bug.cgi?id=155069
Filip Pizlo
Reported 2016-03-05 14:08:53 PST
Patch forthcoming.
Attachments
work in progress (24.98 KB, patch): 2016-03-05 19:33 PST, Filip Pizlo, no flags
more (39.95 KB, patch): 2016-03-05 20:44 PST, Filip Pizlo, no flags
possibly done (63.57 KB, patch): 2016-03-05 21:04 PST, Filip Pizlo, no flags
seems to work (66.10 KB, patch): 2016-03-05 21:50 PST, Filip Pizlo, no flags
runs some things (81.45 KB, patch): 2016-03-06 00:30 PST, Filip Pizlo, no flags
the patch (84.89 KB, patch): 2016-03-06 01:25 PST, Filip Pizlo, ysuzuki: review+
Filip Pizlo
Comment 1 2016-03-05 19:33:44 PST
Created attachment 273119 [details] work in progress
Filip Pizlo
Comment 2 2016-03-05 20:44:04 PST
Filip Pizlo
Comment 3 2016-03-05 21:04:41 PST
Created attachment 273125 [details] possibly done
Filip Pizlo
Comment 4 2016-03-05 21:50:30 PST
Created attachment 273126 [details] seems to work
Filip Pizlo
Comment 5 2016-03-06 00:30:37 PST
Created attachment 273128 [details] runs some things
Filip Pizlo
Comment 6 2016-03-06 01:25:12 PST
Created attachment 273131 [details] the patch
WebKit Commit Bot
Comment 7 2016-03-06 01:27:33 PST
Attachment 273131 [details] did not pass style-queue:
ERROR: Source/JavaScriptCore/dfg/DFGAbstractInterpreterInlines.h:1908: Place brace on its own line for function definitions. [whitespace/braces] [4]
Total errors found: 1 in 38 files
If any of these errors are false positives, please file a bug against check-webkit-style.
Yusuke Suzuki
Comment 8 2016-03-06 12:02:29 PST
Comment on attachment 273131 [details] the patch
View in context: https://bugs.webkit.org/attachment.cgi?id=273131&action=review

Looks great.

> Source/JavaScriptCore/dfg/DFGByteCodeParser.cpp:2175
> + Node* regExpExec = addToGraph(RegExpExec, OpInfo(0), OpInfo(prediction), addToGraph(GetGlobalObject, callee), get(virtualRegisterForArgument(0, registerOffset)), get(virtualRegisterForArgument(1, registerOffset)));

OK, we need to insert a having-a-bad-time watchpoint checking RegExp.prototype.exec's global object.

> Source/JavaScriptCore/runtime/JSGlobalObject.cpp:767
> + m_regExpMatchesArrayStructure.set(vm, this, m_regExpMatchesArraySlowPutStructure.get());

OK. Switching the structure to the slow put one, which is used when creating a new RegExp matches array. And the existing one is switched by the following path.

> Source/JavaScriptCore/tests/stress/regexp-matches-array-slow-put.js:3
> + Array.prototype.__defineSetter__("0", function(value) { count += value; });

Yeah, let's have a bad time!
Filip Pizlo
Comment 9 2016-03-06 12:09:18 PST
(In reply to comment #8)
> Comment on attachment 273131 [details]
> the patch
>
> View in context:
> https://bugs.webkit.org/attachment.cgi?id=273131&action=review
>
> Looks great.
>
> > Source/JavaScriptCore/dfg/DFGByteCodeParser.cpp:2175
> > + Node* regExpExec = addToGraph(RegExpExec, OpInfo(0), OpInfo(prediction), addToGraph(GetGlobalObject, callee), get(virtualRegisterForArgument(0, registerOffset)), get(virtualRegisterForArgument(1, registerOffset)));
>
> OK, we need to insert having a bad time watchpoint checking for the
> RegExp.prototype.exec's global object.

Note that we will only insert the haveABadTime watchpoint if the abstract interpreter discovers what the global object is and observes that it's not having a bad time. If either of those things doesn't happen, RegExpExec will simply make no promises about the kind of array it returns - so the CodeBlock doesn't need any watchpoints in that case. This works partly because createRegExpMatchesArray currently always does a check for isHavingABadTime each time it is executed.

> > Source/JavaScriptCore/runtime/JSGlobalObject.cpp:767
> > + m_regExpMatchesArrayStructure.set(vm, this, m_regExpMatchesArraySlowPutStructure.get());
>
> OK. Switching the structure to slow put one, that is used when creating a
> new RegExp matches array.
> And existing one is switched by the following path.
>
> > Source/JavaScriptCore/tests/stress/regexp-matches-array-slow-put.js:3
> > + Array.prototype.__defineSetter__("0", function(value) { count += value; });
>
> Yeah, let's have a bad time!
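To make the "bad time" condition concrete, here is an added example in plain JavaScript; it is not part of the bug report, the patch, or WebKit's stress test, and runs in any spec-conforming engine. It shows the observable semantics the JIT has to preserve once `Array.prototype` carries an accessor at an integer index: a store into a hole of any array, including the array returned by `RegExp.prototype.exec`, must walk the prototype chain and invoke that setter, while a store to an own element does not. That is exactly why no array structure, the RegExp matches array included, can stay in a fast indexed-storage mode after such a setter is installed. The function name `probeIndexedSetter` and the index `"3"` are constructed for this example.

```javascript
'use strict';

// Added example (not from the bug or from WebKit): observable effect of an
// indexed accessor on Array.prototype, the trigger for "having a bad time".
function probeIndexedSetter() {
  const log = [];
  const INDEX = '3'; // constructed: an index the match array below will not own

  // Install an indexed accessor on Array.prototype. WebKit's stress test does
  // the same with index "0" via __defineSetter__; defineProperty is equivalent.
  Object.defineProperty(Array.prototype, INDEX, {
    set(value) { log.push({ receiverLength: this.length, value }); },
    configurable: true,
  });

  try {
    const m = /a(b)/.exec('ab'); // match array: m[0] === 'ab', m[1] === 'b', length 2

    // Store to an own data property: OrdinarySet finds it on the receiver,
    // so the prototype chain is never consulted and the setter stays silent.
    m[0] = 'replaced';
    const ownWriteSawSetter = log.length;   // 0

    // Store into a hole: the receiver has no own "3", so the chain is walked
    // and Array.prototype's setter runs with `this === m`. No own property is
    // created, and length stays 2. This is the path a fast array store may not
    // take, which is why every array must move to a slow-put structure.
    m[3] = 'into the hole';
    const holeWriteSawSetter = log.length;  // 1
    const holeMaterialised = Object.prototype.hasOwnProperty.call(m, INDEX); // false

    // A plain array literal behaves identically: the condition is global.
    const plain = [1, 2];
    plain[3] = 'x';

    return {
      ownWriteSawSetter,
      holeWriteSawSetter,
      holeMaterialised,
      plainHoleSawSetter: log.length,               // 2
      matchLength: m.length,                        // 2
      plainLength: plain.length,                    // 2
      receiverLengths: log.map(e => e.receiverLength), // [2, 2]
    };
  } finally {
    // Restore Array.prototype so the rest of the program is unaffected.
    delete Array.prototype[INDEX];
  }
}

console.log(probeIndexedSetter());
```

The engine-level consequence is the one Filip describes: a compiled RegExpExec may only promise a fast array if it has proven that the global object it runs against is not having a bad time, and that proof has to be guarded by a watchpoint that fires the moment a setter like the one above is installed.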
Filip Pizlo
Comment 10 2016-03-06 12:11:32 PST