Title: [146268] trunk/Source/_javascript_Core
Revision
146268
Author
msab...@apple.com
Date
2013-03-19 15:22:06 -0700 (Tue, 19 Mar 2013)

Log Message

Crash when loading http://www.jqchart.com/jquery/gauges/RadialGauge/LiveData
https://bugs.webkit.org/show_bug.cgi?id=112694

Reviewed by Filip Pizlo.

We were trying to convert a NewArray to a Phantom, but convertToPhantom doesn't handle
nodes with variable arguments.  Added code to insert a Phantom node in front of all the
live children of a var args node.  Added ASSERT not var args for convertToPhantom to
catch any other similar cases.  Added a new convertToPhantomUnchecked() for converting
var arg nodes.

* dfg/DFGDCEPhase.cpp:
(JSC::DFG::DCEPhase::run):
* dfg/DFGNode.h:
(Node):
(JSC::DFG::Node::setOpAndDefaultNonExitFlags): Added ASSERT(!(m_flags & NodeHasVarArgs))
(JSC::DFG::Node::setOpAndDefaultNonExitFlagsUnchecked):
(JSC::DFG::Node::convertToPhantomUnchecked):
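The shape of the bug and of the fix, as an added example that is not JSC's code: a cut-down model of a DFG node whose adjacency list is a union (three inline edges for fixed-arity nodes, a firstChild/numChildren span into a graph-wide table for var-args nodes), with the checked and unchecked conversions from the patch and a DCE step that emits one Phantom per live child before turning the dead var-args node into a childless Phantom. The union layout, the `defaultFlags` table, `Graph`, `makeNode`, `killVarArgsNode` and the NewArray(a, b) scenario are constructed for the example; the ASSERT is modelled as a `false` return so the refusal is observable without a debug build.

```cpp
// Constructed model (not JSC code) of the DFG node shape behind this change.
#include <cstdint>
#include <cstddef>
#include <deque>
#include <vector>

enum NodeType { NewArray, Add, Phantom };
enum : uint32_t { NodeNone = 0, NodeHasVarArgs = 1u << 0, NodeExitsForward = 1u << 1 };

struct Node;

struct Edge {                      // simplified: a bare reference to the producing node
    Node* node;
    explicit operator bool() const { return node != nullptr; }
};

// One storage block, two layouts, selected by the node's flags: fixed-arity nodes keep up
// to three edges inline; var-args nodes keep (firstChild, numChildren) into a side table.
struct AdjacencyList {
    union {
        Edge fixed[3];
        struct { unsigned firstChild; unsigned numChildren; } variable;
    };
    AdjacencyList() { reset(); }
    void reset() { for (Edge& e : fixed) e.node = nullptr; }
};

struct Node {
    NodeType op;
    uint32_t flags;
    AdjacencyList children;
    unsigned refCount;

    static uint32_t defaultFlags(NodeType op) { return op == NewArray ? NodeHasVarArgs : NodeNone; }
    bool hasVarArgs() const { return (flags & NodeHasVarArgs) != 0; }

    // Checked conversion, as in the patch (ASSERT modelled as a false return).
    bool setOpAndDefaultNonExitFlags(NodeType newOp) {
        if (hasVarArgs()) return false;
        setOpAndDefaultNonExitFlagsUnchecked(newOp);
        return true;
    }
    // Unchecked conversion: defaultFlags(newOp) drops NodeHasVarArgs, so from here on any
    // reader treats `children` as three inline edges. The caller must reset them.
    void setOpAndDefaultNonExitFlagsUnchecked(NodeType newOp) {
        op = newOp;
        flags = (defaultFlags(newOp) & ~NodeExitsForward) | (flags & NodeExitsForward);
    }
    bool convertToPhantom() { return setOpAndDefaultNonExitFlags(Phantom); }
    void convertToPhantomUnchecked() { setOpAndDefaultNonExitFlagsUnchecked(Phantom); }
};

struct Graph {
    std::vector<Edge> varArgChildren;   // like m_varArgChildren: all var-args edges, packed
    std::vector<Node*> block;           // a single basic block in program order
    std::deque<Node> storage;           // owns nodes; deque keeps pointers stable on push_back
};

Node* makeNode(Graph& g, NodeType op) {
    g.storage.push_back(Node{op, Node::defaultFlags(op), AdjacencyList(), 0});
    return &g.storage.back();
}

// Mirrors the new DCE branch for a dead var-args node at block[index]: one Phantom per live
// child goes in front of it (keeping that child's checks alive), then the node itself
// becomes a childless Phantom. Returns the number of Phantoms inserted.
size_t killVarArgsNode(Graph& g, size_t index) {
    Node* node = g.block[index];
    // Read the var-args span before the conversion rewrites the flags.
    unsigned first = node->children.variable.firstChild;
    unsigned last = first + node->children.variable.numChildren;
    std::vector<Node*> phantoms;
    for (unsigned i = first; i < last; i++) {
        Edge edge = g.varArgChildren[i];
        if (!edge) continue;   // the real code also skips proved and UntypedUse edges
        Node* p = makeNode(g, Phantom);
        p->children.fixed[0] = edge;
        p->refCount = 1;
        phantoms.push_back(p);
    }
    node->convertToPhantomUnchecked();
    node->children.reset();   // the step a caller of the unchecked path must not skip
    node->refCount = 1;
    g.block.insert(g.block.begin() + index, phantoms.begin(), phantoms.end());
    return phantoms.size();
}

// Constructed scenario: two live producers feeding a dead NewArray(a, b). Returns its index.
size_t buildDeadNewArray(Graph& g) {
    Node* a = makeNode(g, Add);
    Node* b = makeNode(g, Add);
    Node* dead = makeNode(g, NewArray);
    dead->children.variable.firstChild = (unsigned)g.varArgChildren.size();
    dead->children.variable.numChildren = 2;
    g.varArgChildren.push_back(Edge{a});
    g.varArgChildren.push_back(Edge{b});
    g.block = {a, b, dead};
    return 2;
}

// Checked path on a var-args node: refused, node left untouched.
bool checkedConversionRefusesVarArgs() {
    Graph g; size_t idx = buildDeadNewArray(g);
    Node* dead = g.block[idx];
    bool accepted = dead->convertToPhantom();
    return !accepted && dead->op == NewArray && dead->hasVarArgs();
}

// DCE path: block becomes {a, b, Phantom(a), Phantom(b), Phantom()} with no var-args flag left.
bool dceProducesPhantomsForChildren() {
    Graph g; size_t idx = buildDeadNewArray(g);
    size_t inserted = killVarArgsNode(g, idx);
    Node* dead = g.block[idx + inserted];
    bool childless = !dead->children.fixed[0] && !dead->children.fixed[1] && !dead->children.fixed[2];
    return inserted == 2 && dead->op == Phantom && !dead->hasVarArgs() && childless
        && g.block[idx]->op == Phantom && g.block[idx]->children.fixed[0].node == g.block[0]
        && g.block[idx + 1]->op == Phantom && g.block[idx + 1]->children.fixed[0].node == g.block[1];
}

int main() { return checkedConversionRefusesVarArgs() && dceProducesPhantomsForChildren() ? 0 : 1; }
```

The point the model makes is that the unchecked conversion changes how the same bytes in `children` are interpreted; inserting the per-child Phantoms first and then resetting the adjacency list is what keeps both the child checks and the node's own storage consistent.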

Diff

Modified: trunk/Source/_javascript_Core/ChangeLog (146267 => 146268)


--- trunk/Source/_javascript_Core/ChangeLog	2013-03-19 22:16:19 UTC (rev 146267)
+++ trunk/Source/_javascript_Core/ChangeLog	2013-03-19 22:22:06 UTC (rev 146268)
@@ -1,3 +1,24 @@
+2013-03-19  Michael Saboff  <msab...@apple.com>
+
+        Crash when loading http://www.jqchart.com/jquery/gauges/RadialGauge/LiveData
+        https://bugs.webkit.org/show_bug.cgi?id=112694
+
+        Reviewed by Filip Pizlo.
+
+        We were trying to convert an NewArray to a Phantom, but convertToPhantom doesn't handle
+        nodes with variable arguments.  Added code to insert a Phantom node in front of all the
+        live children of a var args node.  Added ASSERT not var args for convertToPhantom to
+        catch any other similar cases.  Added a new convertToPhantomUnchecked() for converting 
+        var arg nodes.
+
+        * dfg/DFGDCEPhase.cpp:
+        (JSC::DFG::DCEPhase::run):
+        * dfg/DFGNode.h:
+        (Node):
+        (JSC::DFG::Node::setOpAndDefaultNonExitFlags): Added ASSERT(!(m_flags & NodeHasVarArgs))
+        (JSC::DFG::Node::setOpAndDefaultNonExitFlagsUnchecked):
+        (JSC::DFG::Node::convertToPhantomUnchecked):
+
 2013-03-19  Mark Hahnenberg  <mhahnenb...@apple.com>
 
         Crash in SpeculativeJIT::fillSpeculateIntInternal<false> on http://bellard.org/jslinux
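Review bot: the ChangeLog text has a grammar slip ("an NewArray" should read "a NewArray"), and it would help future readers if the entry also said which var-args children do not get a Phantom (the DCEPhase change skips null, proved and UntypedUse edges), since that is the one judgement call in the fix.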

Modified: trunk/Source/_javascript_Core/dfg/DFGDCEPhase.cpp (146267 => 146268)


--- trunk/Source/_javascript_Core/dfg/DFGDCEPhase.cpp	2013-03-19 22:16:19 UTC (rev 146267)
+++ trunk/Source/_javascript_Core/dfg/DFGDCEPhase.cpp	2013-03-19 22:22:06 UTC (rev 146268)
@@ -30,6 +30,7 @@
 
 #include "DFGBasicBlockInlines.h"
 #include "DFGGraph.h"
+#include "DFGInsertionSet.h"
 #include "DFGPhase.h"
 #include "Operations.h"
 
@@ -84,6 +85,9 @@
             BasicBlock* block = m_graph.m_blocks[blockIndex].get();
             if (!block)
                 continue;
+
+            InsertionSet insertionSet(m_graph);
+
             for (unsigned indexInBlock = block->size(); indexInBlock--;) {
                 Node* node = block->at(indexInBlock);
                 if (node->shouldGenerate())
@@ -116,14 +120,32 @@
                     // Leave them as not shouldGenerate.
                     break;
                 }
-                    
+
                 default: {
+                    if (node->flags() & NodeHasVarArgs) {
+                        for (unsigned childIdx = node->firstChild(); childIdx < node->firstChild() + node->numChildren(); childIdx++) {
+                            Edge edge = m_graph.m_varArgChildren[childIdx];
+
+                            if (!edge || edge.isProved() || edge.useKind() == UntypedUse)
+                                continue;
+
+                            insertionSet.insertNode(indexInBlock, SpecNone, Phantom, node->codeOrigin, edge);
+                        }
+
+                        node->convertToPhantomUnchecked();
+                        node->children.reset();
+                        node->setRefCount(1);
+                        break;
+                    }
+
                     node->convertToPhantom();
                     eliminateIrrelevantPhantomChildren(node);
                     node->setRefCount(1);
                     break;
                 } }
             }
+
+            insertionSet.execute(block);
         }
         
         m_graph.m_refCountState = ExactRefCount;
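Review bot: the new var-args branch in the `default:` case has no comment explaining the two things that make it work, and both deserve one: the per-child `insertionSet.insertNode(indexInBlock, SpecNone, Phantom, node->codeOrigin, edge)` exists to keep the checks each surviving edge implies once the dying node can no longer carry them, and the `node->children.reset()` after `convertToPhantomUnchecked()` is mandatory because the new flags no longer say var-args, so the children storage would otherwise be read as fixed edges. The skip condition `!edge || edge.isProved() || edge.useKind() == UntypedUse` is presumably the same "is this Phantom child still needed" decision that `eliminateIrrelevantPhantomChildren` makes for the fixed-arity path; factoring it into one shared predicate would keep the two from drifting. Minor: `node->firstChild() + node->numChildren()` is recomputed on every loop iteration and could be hoisted into a local.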

Modified: trunk/Source/_javascript_Core/dfg/DFGNode.h (146267 => 146268)


--- trunk/Source/_javascript_Core/dfg/DFGNode.h	2013-03-19 22:16:19 UTC (rev 146267)
+++ trunk/Source/_javascript_Core/dfg/DFGNode.h	2013-03-19 22:22:06 UTC (rev 146268)
@@ -196,18 +196,29 @@
         m_op = op;
         m_flags = defaultFlags(op);
     }
-    
+
     void setOpAndDefaultNonExitFlags(NodeType op)
     {
+        ASSERT(!(m_flags & NodeHasVarArgs));
+        setOpAndDefaultNonExitFlagsUnchecked(op);
+    }
+
+    void setOpAndDefaultNonExitFlagsUnchecked(NodeType op)
+    {
         m_op = op;
         m_flags = (defaultFlags(op) & ~NodeExitsForward) | (m_flags & NodeExitsForward);
     }
-    
+
     void convertToPhantom()
     {
         setOpAndDefaultNonExitFlags(Phantom);
     }
-    
+
+    void convertToPhantomUnchecked()
+    {
+        setOpAndDefaultNonExitFlagsUnchecked(Phantom);
+    }
+
     void convertToIdentity()
     {
         setOpAndDefaultNonExitFlags(Identity);
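Review bot: `ASSERT(!(m_flags & NodeHasVarArgs))` only fires in debug builds; in release a var-args node still falls through to `setOpAndDefaultNonExitFlagsUnchecked`, where `defaultFlags(op)` silently clears NodeHasVarArgs and leaves the children storage to be reinterpreted as fixed edges, which is the original crash. If the intent is to catch "any other similar cases" in the field, a release-mode check is worth considering, and `convertToPhantomUnchecked()` should carry a comment stating the caller's obligation to reset the node's children afterwards (as DCEPhase now does). Also, the sibling `setOpAndDefaultFlags`, whose body ends at the top of this hunk, gets no matching ASSERT even though it rewrites `m_flags` the same way.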
_______________________________________________
webkit-changes mailing list
webkit-changes@lists.webkit.org
https://lists.webkit.org/mailman/listinfo/webkit-changes