Branch: refs/heads/main
Home: https://github.com/WebKit/WebKit
Commit: dc251dd885cd86a2b383c969c28c60f5c394a720
https://github.com/WebKit/WebKit/commit/dc251dd885cd86a2b383c969c28c60f5c394a720
Author: Yijia Huang <[email protected]>
Date: 2025-04-22 (Tue, 22 Apr 2025)
Changed paths:
M Source/JavaScriptCore/dfg/DFGLoopUnrollingPhase.cpp
Log Message:
-----------
[JSC] Fix use-before-set bug in LoopUnrollingPhase::data.loopTarget() for debug assertion
https://bugs.webkit.org/show_bug.cgi?id=291874
rdar://149721355
Reviewed by Yusuke Suzuki.
The loop unrolling analysis was calling data.loopTarget(tail) in an assertion
before setting data.invertCondition, leading to a use-before-set issue in debug
builds:
ASSERT(tail->terminal()->op() == Branch && data.loopTarget(tail)->isJumpPad());
To fix this, we changed inverseCondition to std::optional<bool> invertCondition,
and introduced a shouldInvertCondition() accessor that asserts the value is
initialized.
This ensures loopTarget() and exitTarget() accessors are only used after
invertCondition is properly set, preventing assertion failures and improving
the robustness of loop analysis logic.
* Source/JavaScriptCore/dfg/DFGLoopUnrollingPhase.cpp:
(JSC::DFG::LoopUnrollingPhase::LoopData::shouldInvertCondition const):
(JSC::DFG::LoopUnrollingPhase::LoopData::loopTarget const):
(JSC::DFG::LoopUnrollingPhase::LoopData::exitTarget const):
(JSC::DFG::LoopUnrollingPhase::locateTail):
(JSC::DFG::LoopUnrollingPhase::identifyInductionVariable):
(JSC::DFG::LoopUnrollingPhase::LoopData::dump const):
(JSC::DFG::LoopUnrollingPhase::comparisonFunction):
Canonical link: https://commits.webkit.org/293970@main
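The fix pattern the commit message describes (an optional flag plus an asserting accessor so that loopTarget()/exitTarget() cannot be queried before the inversion is decided), as an added C++ sketch that is not WebKit's code: BasicBlock, LoopData, analyzeTail and the taken/notTaken successor convention are hypothetical stand-ins chosen for the illustration.

```cpp
#include <cassert>
#include <optional>

// Hypothetical stand-in for a DFG basic block ending in a Branch: two successors.
struct BasicBlock {
    BasicBlock* taken = nullptr;
    BasicBlock* notTaken = nullptr;
};

// Hypothetical LoopData following the fix described in the commit message:
// the flag is std::optional<bool> so "never set" is distinguishable from false,
// and every accessor that depends on it goes through shouldInvertCondition().
struct LoopData {
    std::optional<bool> invertCondition;
    bool shouldInvertCondition() const {
        // The use-before-set check: fails loudly instead of reading an unset flag.
        assert(invertCondition.has_value() && "invertCondition read before being set");
        return *invertCondition;
    }
    // Back-edge target of the tail branch; which successor depends on the flag.
    BasicBlock* loopTarget(BasicBlock* tail) const {
        return shouldInvertCondition() ? tail->notTaken : tail->taken;
    }
    BasicBlock* exitTarget(BasicBlock* tail) const {
        return shouldInvertCondition() ? tail->taken : tail->notTaken;
    }
};

// Correct ordering: decide the inversion first, only then query the targets.
bool analyzeTail(LoopData& data, BasicBlock* header, BasicBlock* tail) {
    data.invertCondition = (tail->taken != header);   // set before any accessor runs
    return data.loopTarget(tail) == header;            // safe: flag is initialized
}

// Constructed scenarios: a tail whose 'taken' edge goes to the header, and one
// where the 'notTaken' edge does. Each returns true if the analysis is consistent.
bool straightLoopCase() {
    BasicBlock header, exit;
    BasicBlock tail{&header, &exit};
    LoopData data;
    return analyzeTail(data, &header, &tail) && !*data.invertCondition
        && data.exitTarget(&tail) == &exit;
}

bool invertedLoopCase() {
    BasicBlock header, exit;
    BasicBlock tail{&exit, &header};
    LoopData data;
    return analyzeTail(data, &header, &tail) && *data.invertCondition
        && data.exitTarget(&tail) == &exit;
}
```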
_______________________________________________
webkit-changes mailing list
[email protected]
https://lists.webkit.org/mailman/listinfo/webkit-changes