Ignore:
Timestamp:
Oct 15, 2019, 9:01:18 PM (6 years ago)
Author:
[email protected]
Message:

operationSwitchCharWithUnknownKeyType failed to handle OOME when resolving rope string.
https://bugs.webkit.org/show_bug.cgi?id=202312
<rdar://problem/55782280>

Reviewed by Yusuke Suzuki.

JSTests:

  • stress/operationSwitchCharWithUnknownKeyType-should-avoid-resolving-rope-strings.js: Added.
  • stress/operationSwitchCharWithUnknownKeyType-should-avoid-resolving-rope-strings2.js: Added.
  • stress/switch-on-char-llint-rope.js:
  • Changed this test to make a new rope string for each iterations. Otherwise, the rope will get resolved, and subsequent tiers will not be testing with a rope.

Source/JavaScriptCore:

operationSwitchCharWithUnknownKeyType() can only dispatch to a case handler
if the key string is of length 1. All other cases should dispatch to the default
handler. This patch also adds the missing OOME check.

Also fixed a bug in SpeculativeJIT::emitSwitchCharStringJump() where the slow
path rope resolution was returning after the length check. It needs to return to
the point before the length check.

  • dfg/DFGSpeculativeJIT.cpp:

(JSC::DFG::SpeculativeJIT::emitSwitchCharStringJump):

  • jit/JITOperations.cpp:
File:
1 edited

Legend:

Unmodified
Added
Removed

  • trunk/Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp

    r251106 r251178  
    1072010720    m_jit.loadPtr(MacroAssembler::Address(value, JSString::offsetOfValue()), scratch);
    1072110721    auto isRope = m_jit.branchIfRopeStringImpl(scratch);
    10722 
     10722    addSlowPathGenerator(slowPathCall(isRope, this, operationResolveRope, scratch, value));
     10723   
    1072310724    addBranch(
    1072410725        m_jit.branch32(
     
    1072710728            TrustedImm32(1)),
    1072810729        data->fallThrough.block);
    10729    
    10730     addSlowPathGenerator(slowPathCall(isRope, this, operationResolveRope, scratch, value));
    10731    
     10730
    1073210731    m_jit.loadPtr(MacroAssembler::Address(scratch, StringImpl::dataOffset()), value);
    1073310732   
Note: See TracChangeset for help on using the changeset viewer.