SafeToExecute for GetByOffset/GetGetterByOffset/PutByOffset is using …

…the wrong child for the base https://bugs.webkit.org/show_bug.cgi?id=196945 <rdar://problem/49802750> Reviewed by Filip Pizlo. JSTests: * stress/get-by-offset-should-use-correct-child.js: Added. (foo.bar): (foo): Source/JavaScriptCore: * dfg/DFGSafeToExecute.h: (JSC::DFG::safeToExecute): Canonical link: https://commits.webkit.org/211213@main git-svn-id: https://svn.webkit.org/repository/webkit/trunk@244314 268f45cc-cd09-0410-ab3c-d52691b4dbfc
WebKit · Apr 16, 2019 · 7136aa5 · 7136aa5
1 parent 7753de2
commit 7136aa5
Show file tree

Hide file tree

Showing 4 changed files with 50 additions and 2 deletions.
diff --git a/JSTests/ChangeLog b/JSTests/ChangeLog
@@ -1,3 +1,15 @@
+2019-04-15  Saam barati  <sbarati@apple.com>
+
+        SafeToExecute for GetByOffset/GetGetterByOffset/PutByOffset is using the wrong child for the base
+        https://bugs.webkit.org/show_bug.cgi?id=196945
+        <rdar://problem/49802750>
+
+        Reviewed by Filip Pizlo.
+
+        * stress/get-by-offset-should-use-correct-child.js: Added.
+        (foo.bar):
+        (foo):
+
 2019-04-15  Robin Morisset  <rmorisset@apple.com>
 
         DFG should be able to constant fold Object.create() with a constant prototype operand

diff --git a/JSTests/stress/get-by-offset-should-use-correct-child.js b/JSTests/stress/get-by-offset-should-use-correct-child.js
@@ -0,0 +1,25 @@
+function foo(x) {
+    for (let i = 0; i < 400; i++) {
+        for (let j = 0; j < 2; j++) {
+            for (const k of arguments) {
+            }
+            arguments.length = 0;
+            const q = {
+                z: 0
+            };
+            function bar() {
+                q;
+            }
+            for (let w = 0; w < 300; w++) {
+            }
+        }
+
+        with ({}) {
+        }
+
+        +{};
+    }
+}
+
+foo(0);
+foo(0);
diff --git a/Source/JavaScriptCore/ChangeLog b/Source/JavaScriptCore/ChangeLog
@@ -1,3 +1,14 @@
+2019-04-15  Saam barati  <sbarati@apple.com>
+
+        SafeToExecute for GetByOffset/GetGetterByOffset/PutByOffset is using the wrong child for the base
+        https://bugs.webkit.org/show_bug.cgi?id=196945
+        <rdar://problem/49802750>
+
+        Reviewed by Filip Pizlo.
+
+        * dfg/DFGSafeToExecute.h:
+        (JSC::DFG::safeToExecute):
+
 2019-04-15  Robin Morisset  <rmorisset@apple.com>
 
         DFG should be able to constant fold Object.create() with a constant prototype operand

diff --git a/Source/JavaScriptCore/dfg/DFGSafeToExecute.h b/Source/JavaScriptCore/dfg/DFGSafeToExecute.h
@@ -545,13 +545,13 @@ bool safeToExecute(AbstractStateType& state, Graph& graph, Node* node, bool igno
         // know anything about inferred types. But if we have a proof derived from watching a
         // structure that has a type proof, then the next case below will deal with it.
         if (state.structureClobberState() == StructuresAreWatched) {
-            if (JSObject* knownBase = node->child1()->dynamicCastConstant<JSObject*>(graph.m_vm)) {
+            if (JSObject* knownBase = node->child2()->dynamicCastConstant<JSObject*>(graph.m_vm)) {
                 if (graph.isSafeToLoad(knownBase, offset))
                     return true;
             }
         }
 
-        StructureAbstractValue& value = state.forNode(node->child1()).m_structure;
+        StructureAbstractValue& value = state.forNode(node->child2()).m_structure;
         if (value.isInfinite())
             return false;
         for (unsigned i = value.size(); i--;) {