179594 – [DFG][FTL] Support Array::DirectArguments with OutOfBounds

RESOLVED FIXED 179594

[DFG][FTL] Support Array::DirectArguments with OutOfBounds

https://bugs.webkit.org/show_bug.cgi?id=179594

Summary [DFG][FTL] Support Array::DirectArguments with OutOfBounds

Yusuke Suzuki

Reported 2017-11-12 08:36:14 PST

[DFG][FTL] Support Array::DirectArguments with OutOfBounds

Attachments
Patch (8.46 KB, patch) 2017-11-12 08:36 PST, Yusuke Suzuki	no flags	Details Formatted Diff Diff
Patch (9.52 KB, patch) 2017-11-12 08:42 PST, Yusuke Suzuki	no flags	Details Formatted Diff Diff
Patch (12.81 KB, patch) 2017-11-12 10:48 PST, Yusuke Suzuki	no flags	Details Formatted Diff Diff
Patch (12.66 KB, patch) 2017-11-14 07:15 PST, Yusuke Suzuki	saam: review+	Details Formatted Diff Diff
Show Obsolete (3) View All Add attachment proposed patch, testcase, etc.

Yusuke Suzuki

Comment 1 2017-11-12 08:36:32 PST

Created attachment 326713 [details] Patch WIP

Yusuke Suzuki

Comment 2 2017-11-12 08:42:30 PST

Created attachment 326714 [details] Patch WIP

Yusuke Suzuki

Comment 3 2017-11-12 10:48:34 PST

Created attachment 326720 [details] Patch

Yusuke Suzuki

Comment 4 2017-11-14 07:15:03 PST

Created attachment 326876 [details] Patch

Saam Barati

Comment 5 2017-11-14 09:20:43 PST

Comment on attachment 326876 [details] Patch View in context: https://bugs.webkit.org/attachment.cgi?id=326876&action=review > Source/JavaScriptCore/dfg/DFGArgumentsEliminationPhase.cpp:245 > + m_graph.registerAndWatchStructureTransition(objectPrototypeStructure); Don’t you want to check OOB mode here? Or is the !prototypeChaneIsSane rare enough that we just do it unconditionally?

Yusuke Suzuki

Comment 6 2017-11-14 09:31:56 PST

Comment on attachment 326876 [details] Patch View in context: https://bugs.webkit.org/attachment.cgi?id=326876&action=review Thank you! >> Source/JavaScriptCore/dfg/DFGArgumentsEliminationPhase.cpp:245 >> + m_graph.registerAndWatchStructureTransition(objectPrototypeStructure); > > Don’t you want to check OOB mode here? Or is the !prototypeChaneIsSane rare enough that we just do it unconditionally? Oh, nice catch. We should insert if (mode.isInBounds()) break; check before this to align it to ClonedArguments case.

Yusuke Suzuki

Comment 7 2017-11-14 09:35:42 PST

Committed r224818: <https://trac.webkit.org/changeset/224818>

Radar WebKit Bug Importer

Comment 8 2017-11-15 09:35:41 PST

<rdar://problem/35562030>

Note You need to log in before you can comment on or make changes to this bug.

Status RESOLVED

Resolution FIXED

Priority P2

Severity Normal

Classification Unclassified

Version WebKit Nightly Build

Hardware Unspecified

OS Unspecified

Product WebKit

Component New Bugs

Assignee

Yusuke Suzuki

Reported

2017-11-12 08:36 PST

Modified

2017-11-15 09:35 PST History

CC List

6 users Show

URL

Keywords InRadar

Depends on

Blocks