RESOLVED FIXED 213310
[JSC] Freeze JSBigInt when setting it as a constant in AI
https://bugs.webkit.org/show_bug.cgi?id=213310
Yusuke Suzuki
Reported 2020-06-17 11:29:04 PDT
[JSC] Freeze JSBigInt when setting it as a constant in AI
Attachments
Patch (3.20 KB, patch)
2020-06-17 11:31 PDT, Yusuke Suzuki
no flags
Yusuke Suzuki
Comment 1 2020-06-17 11:31:26 PDT
Yusuke Suzuki
Comment 2 2020-06-17 11:31:28 PDT
Mark Lam
Comment 3 2020-06-17 11:32:20 PDT
Comment on attachment 402137
Patch

r=me
Saam Barati
Comment 4 2020-06-17 11:32:50 PDT
Comment on attachment 402137
Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=402137&action=review

> Source/JavaScriptCore/dfg/DFGAbstractInterpreterInlines.h:2707
> + setConstant(node, *m_graph.freeze(childConst.asCell()));

is there anywhere else in AI/constant folding we're missing this?

Should setConstant assert?
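Review bot: on the added line at DFGAbstractInterpreterInlines.h:2707, childConst.asCell() is called with no cell check visible in the quoted context, so confirm the enclosing branch already guarantees childConst is a cell before this runs. A one-line comment at this site saying why the cell goes through m_graph.freeze() before setConstant would also help the next reader.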
Saam Barati
Comment 5 2020-06-17 11:33:00 PDT
r=me too
Yusuke Suzuki
Comment 6 2020-06-17 11:54:06 PDT
Comment on attachment 402137
Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=402137&action=review

>> Source/JavaScriptCore/dfg/DFGAbstractInterpreterInlines.h:2707
>> + setConstant(node, *m_graph.freeze(childConst.asCell()));
>
> is there anywhere else in AI/constant folding we're missing this?
>
> Should setConstant assert?

setConstant (specifically, setConstant's FrozenValue constructor) has an assertion, and this assertion fired with the attached test.
I've checked AI code and this is the only place about BigInt thing.
Yusuke Suzuki
Comment 7 2020-06-17 13:01:56 PDT
Windows failure is fast/dom/Window/alert-with-unmatched-utf16-surrogate-should-not-crash.html, which is unrelated to this one.
EWS
Comment 8 2020-06-17 13:23:21 PDT
Committed r263180: <https://trac.webkit.org/changeset/263180>

All reviewed patches have been landed. Closing bug and clearing flags on attachment 402137.