Bug 213310 - [JSC] Freeze JSBigInt when setting it as a constant in AI
Summary: [JSC] Freeze JSBigInt when setting it as a constant in AI
Status: RESOLVED FIXED
Alias: None
Product: WebKit
Classification: Unclassified
Component: New Bugs
Version: WebKit Nightly Build
Hardware: Unspecified
OS: Unspecified
Importance: P2 Normal
Assignee: Yusuke Suzuki
Keywords: InRadar
Reported: 2020-06-17 11:29 PDT by Yusuke Suzuki
Modified: 2020-06-17 13:23 PDT
Attachments
Patch (3.20 KB, patch)
2020-06-17 11:31 PDT, Yusuke Suzuki

Description Yusuke Suzuki 2020-06-17 11:29:04 PDT
[JSC] Freeze JSBigInt when setting it as a constant in AI
Comment 1 Yusuke Suzuki 2020-06-17 11:31:26 PDT
Created attachment 402137
Patch
Comment 2 Yusuke Suzuki 2020-06-17 11:31:28 PDT
<rdar://problem/64450410>
Comment 3 Mark Lam 2020-06-17 11:32:20 PDT
Comment on attachment 402137
Patch

r=me
Comment 4 Saam Barati 2020-06-17 11:32:50 PDT
Comment on attachment 402137
Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=402137&action=review

> Source/JavaScriptCore/dfg/DFGAbstractInterpreterInlines.h:2707
> +                setConstant(node, *m_graph.freeze(childConst.asCell()));
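Review bot: the added line at DFGAbstractInterpreterInlines.h:2707 would read better with a one-line comment stating why the BigInt cell goes through m_graph.freeze before setConstant, since the call itself does not show that setConstant's FrozenValue path requires a frozen cell (the discussion in this bug notes the FrozenValue constructor asserts on it).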

is there anywhere else in AI/constant folding we're missing this?

Should setConstant assert?
Comment 5 Saam Barati 2020-06-17 11:33:00 PDT
r=me too
Comment 6 Yusuke Suzuki 2020-06-17 11:54:06 PDT
Comment on attachment 402137
Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=402137&action=review

>> Source/JavaScriptCore/dfg/DFGAbstractInterpreterInlines.h:2707
>> +                setConstant(node, *m_graph.freeze(childConst.asCell()));
> 
> is there anywhere else in AI/constant folding we're missing this?
> 
> Should setConstant assert?

setConstant (specifically, setConstant's FrozenValue constructor) has an assertion, and this assertion fired with the attached test.
I've checked the AI code and this is the only place dealing with BigInt.
Comment 7 Yusuke Suzuki 2020-06-17 13:01:56 PDT
Windows failure is fast/dom/Window/alert-with-unmatched-utf16-surrogate-should-not-crash.html, which is unrelated to this one.
Comment 8 EWS 2020-06-17 13:23:21 PDT
Committed r263180: <https://trac.webkit.org/changeset/263180>

All reviewed patches have been landed. Closing bug and clearing flags on attachment 402137.