Ignore:
Timestamp:
Nov 27, 2017, 4:14:07 PM (8 years ago)
Author:
[email protected]
Message:

Spread can escape when CreateRest does not
https://bugs.webkit.org/show_bug.cgi?id=180057
<rdar://problem/35676119>

Reviewed by JF Bastien.

JSTests:

  • stress/spread-escapes-but-create-rest-does-not.js: Added.

(assert):
(getProperties):
(theFunc):
(let.obj.valueOf):

Source/JavaScriptCore:

We previously did not handle Spread(PhantomCreateRest) only because I did not
think it was possible to generate this IR. I was wrong. We can generate
such IR when we have a PutStack(Spread) but nothing escapes the CreateRest.
This IR is rare to generate since we normally don't PutStack(Spread) because
the SetLocal almost always gets eliminated because of how our bytecode generates
op_spread. However, there exists a test case showing it is possible. Supporting
this IR pattern in FTLLower is trivial. This patch implements it and rewrites
the Validation rule for Spread.

  • dfg/DFGOperations.cpp:
  • dfg/DFGOperations.h:
  • dfg/DFGValidate.cpp:
  • ftl/FTLLowerDFGToB3.cpp:

(JSC::FTL::DFG::LowerDFGToB3::compileSpread):

  • runtime/JSFixedArray.h:

(JSC::JSFixedArray::tryCreate):

File:
1 edited

Legend:

Unmodified
Added
Removed

  • trunk/Source/JavaScriptCore/dfg/DFGValidate.cpp

    r225149 r225202  
    791791                }
    792792
     793                case Spread:
     794                    VALIDATE((node), !node->child1()->isPhantomAllocation() || node->child1()->op() == PhantomCreateRest);
     795                    break;
     796
    793797                case EntrySwitch:
    794798                    VALIDATE((node), node->entrySwitchData()->cases.size() == m_graph.m_numberOfEntrypoints);
Note: See TracChangeset for help on using the changeset viewer.