Changeset 183825 in webkit for trunk/Source/JavaScriptCore/bytecode/CallVariant.cpp

Timestamp:

May 5, 2015, 1:42:44 PM (10 years ago)

Author:

[email protected]

Message:

FTL SwitchString slow case creates duplicate switch cases
​https://bugs.webkit.org/show_bug.cgi?id=144634

Reviewed by Geoffrey Garen.

The problem of duplicate switches is sufficiently annoying that I fixed the issue and also
added mostly-debug-only asserts to catch such issues earlier.

• bytecode/CallVariant.cpp:

(JSC::variantListWithVariant): Assertion to prevent similar bugs.

• ftl/FTLLowerDFGToLLVM.cpp:

(JSC::FTL::LowerDFGToLLVM::switchStringRecurse): Assertion to prevent similar bugs.
(JSC::FTL::LowerDFGToLLVM::switchStringSlow): This is the bug.

• jit/BinarySwitch.cpp:

(JSC::BinarySwitch::BinarySwitch): Assertion to prevent similar bugs.

• jit/Repatch.cpp:

(JSC::linkPolymorphicCall): Assertion to prevent similar bugs.

• tests/stress/ftl-switch-string-slow-duplicate-cases.js: Added. This tests the FTL SwitchString bug. It was previously crashing every time.

(foo):
(cat):

File:

• trunk/Source/JavaScriptCore/bytecode/CallVariant.cpp (modified) (2 diffs)

trunk/Source/JavaScriptCore/bytecode/CallVariant.cpp

@@ -28 +28 @@
 
 #include "JSCInlines.h"
+#include <wtf/ListDump.h>
 
 namespace JSC {
@@ -69 +70 @@
     if (!!variantToAdd)
         result.append(variantToAdd);
+    
+    if (!ASSERT_DISABLED) {
+        for (unsigned i = 0; i < result.size(); ++i) {
+            for (unsigned j = i + 1; j < result.size(); ++j) {
+                if (result[i] != result[j])
+                    continue;
+                
+                dataLog("variantListWithVariant(", listDump(list), ", ", variantToAdd, ") failed: got duplicates in result: ", listDump(result), "\n");
+                RELEASE_ASSERT_NOT_REACHED();
+            }
+        }
+    }
+    
     return result;
 }