Bug 192441 - speculationFromCell() should speculate non-Identifier strings as SpecString instead of SpecStringVar.
Summary: speculationFromCell() should speculate non-Identifier strings as SpecString i...
Status: RESOLVED FIXED
Alias: None
Product: WebKit
Classification: Unclassified
Component: JavaScriptCore (show other bugs)
Version: WebKit Nightly Build
Hardware: Unspecified Unspecified
: P2 Normal
Assignee: Mark Lam
URL:
Keywords: InRadar
Depends on:
Blocks:
 
Reported: 2018-12-05 17:21 PST by Mark Lam
Modified: 2018-12-05 20:34 PST (History)
8 users (show)

See Also:


Attachments
proposed patch. (3.32 KB, patch)
2018-12-05 17:36 PST, Mark Lam
no flags Details | Formatted Diff | Diff

Note You need to log in before you can comment on or make changes to this bug.
Description Mark Lam 2018-12-05 17:21:42 PST
This is because a regular String (non-Identifier) can be converted into an Identifier.  During DFG/FTL compilation, AbstractValue::checkConsistency() may expect a value to be of type SpecStringVar, but the mutator thread may have converted the string into an Identifier.  This creates a race where AbstractValue::checkConsistency() may fail because it sees a SpecStringIdent when it expects the a SpecStringVar.  

The fix is to speculate non-Identifier strings as type SpecString which allows it to be SpecStringVar or SpecStringIndent.

<rdar://problem/46480355>
Comment 1 Mark Lam 2018-12-05 17:36:21 PST
Created attachment 356684 [details]
proposed patch.
Comment 2 Mark Lam 2018-12-05 20:09:03 PST
Comment on attachment 356684 [details]
proposed patch.

Thanks for the review.  Landing now.
Comment 3 WebKit Commit Bot 2018-12-05 20:34:35 PST
Comment on attachment 356684 [details]
proposed patch.

Clearing flags on attachment: 356684

Committed r238923: <https://trac.webkit.org/changeset/238923>
Comment 4 WebKit Commit Bot 2018-12-05 20:34:36 PST
All reviewed patches have been landed.  Closing bug.