DFGSpeculativeJIT should not &= exitOK with mayExit(node)
https://bugs.webkit.org/show_bug.cgi?id=191897
<rdar://problem/45871998>

Reviewed by Mark Lam.

JSTests:

* stress/exitok-is-not-the-same-as-mayExit.js: Added.
(bar):
(foo):

Source/JavaScriptCore:

exitOK is a statement about it being legal to exit. mayExit() is about being conservative and returning false only if an OSR exit *could never* happen. mayExit() tries to be as smart as possible to see if it can return false. It can't return false if a runtime exit *could* happen. However, there is code in the compiler where mayExit() returns false (because it uses data generated from AI about type checks being proved), but the code we emit in the compiler backend unconditionally generates an OSR exit, even if that exit may never execute.

For example, let's say we have this IR:

    SomeNode(Boolean:@input)

And we always emit code like this as a way of emitting a boolean type check:

    jump L1 if input == true
    jump L1 if input == false
    emit an OSR exit

In such a program, when we generate the above OSR exit, in a validationEnabled() build, and if @input is proved to be a boolean, we'll end up crashing because we have the bogus assertion saying !exitOK. This is one reason why things are cleaner if we don't conflate mayExit() with exitOK.

* dfg/DFGSpeculativeJIT.cpp:
(JSC::DFG::SpeculativeJIT::compileCurrentBlock):

Canonical link: https://commits.webkit.org/206607@main
git-svn-id: https://svn.webkit.org/repository/webkit/trunk@238437 268f45cc-cd09-0410-ab3c-d52691b4dbfc
Showing with 64 additions and 2 deletions.
@@ -0,0 +1,19 @@ | ||
//@ runDefault("--useAccessInlining=0") | ||
|
||
function bar(ranges) { | ||
for (const [z] of ranges) { | ||
let ys = []; | ||
for (y = 0; y <= 100000; y++) { | ||
ys[y] = false; | ||
} | ||
} | ||
} | ||
|
||
function foo() { | ||
let iterator = [][Symbol.iterator](); | ||
iterator.x = 1; | ||
} | ||
|
||
bar([ [], [], [], [], [], [], [], [], [], [], [] ]); | ||
foo(); | ||
bar([ [], [] ]); |
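Review bot: the new stress test carries no comment explaining its moving parts, in particular why `foo()` sets `iterator.x = 1` on an array iterator between the two `bar(...)` calls and why the run line needs `--useAccessInlining=0`; a short header comment tying these to the bug would keep someone from simplifying the repro away later. In `bar`, the loop counter in `for (y = 0; y <= 100000; y++)` is never declared, so it is an implicit global; if that is not needed to trigger the failure, declare it with `let`, and if it is, say so in the comment. The test also asserts nothing and can only fail by crashing, which is worth stating given that the commit message ties the crash to validationEnabled() builds.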