Home Verkennen Help
Inloggen
SunnyMirror
/
ChakraCore
spiegel van https://github.com/microsoft/ChakraCore.git
2
0
Vork 0
Bestanden Issues 0 Wiki
Bladeren bron

Retain subclass valueinfo while optimizing BailOnNotObject in OptTagChecks

Fixes OS#13115740.

In OptTagCheks currently, the valueinfo is being replaced by a new valueinfo changing the valuetype turning off Bits::CanBeTaggedValue for a BailOnNotObject instruction.
The initial valueInfo can be an IntRange ranging from 0 - INT_MAX for something like an array length. If the array length symbol is the opnd of BailOnNotObject then, the valueInfo will change to INT_MIN to INT_MAX.
Avoid this by preserving the subclass info while changing the value type.

function test0() {
  var ui16 = new Uint16Array();
    for (var _strvar0 in ui16) {
      litObj1.prop0 = ui16.length; // Array Length int specialized with int range 0 - INT_MAX
      if (litObj1.prop0.prop0) { // Generates BailOnNotObject on array length and force sets the value info to INT_MIN - INT_MAX
        ui16.length; // We end up with a negative lower bound on array length, assertion is fired during typespec
      }
    }
}
Meghana Gupta 8 jaren geleden
bovenliggende
a04b23e893
commit
fd528e90b7
3 gewijzigde bestanden met toevoegingen van 28 en 1 verwijderingen
Zij-aan-zij weergave Toon Diff Stats
  1. 3 1
      lib/Backend/GlobOpt.cpp
  2. 5 0
      test/Bugs/rlexe.xml
  3. 20 0
      test/Bugs/valueInfoLossBug.js

+ 3 - 1
lib/Backend/GlobOpt.cpp
Bestand weergeven 

@@ -2820,7 +2820,9 @@ GlobOpt::OptTagChecks(IR::Instr *instr)
 
             {
 
                 if (valueType.CanBeTaggedValue())
 
                 {
 
-                    ChangeValueType(nullptr, value, valueType.SetCanBeTaggedValue(false), false);
 
+                    // We're not adding new information to the value other than changing the value type. Preserve any existing
 
+                    // information and just change the value type.
 
+                    ChangeValueType(nullptr, value, valueType.SetCanBeTaggedValue(false), true /*preserveSubClassInfo*/);
 
                     return false;
 
                 }
 
                 if (this->byteCodeUses)

+ 5 - 0
test/Bugs/rlexe.xml
Bestand weergeven 

@@ -355,4 +355,9 @@
 
       <files>bug11026788.js</files>
 
     </default>
 
   </test>
 
+  <test>
 
+    <default>
 
+      <files>valueInfoLossBug.js</files>
 
+    </default>
 
+  </test>
 
 </regress-exe>

+ 20 - 0
test/Bugs/valueInfoLossBug.js
Bestand weergeven 

@@ -0,0 +1,20 @@
 
+//-------------------------------------------------------------------------------------------------------

+// Copyright (C) Microsoft. All rights reserved.

+// Licensed under the MIT license. See LICENSE.txt file in the project root for full license information.

+//-------------------------------------------------------------------------------------------------------

+

+function test0() {

+  var ui16 = new Uint16Array();

+    for (var _strvar0 in ui16) {

+      litObj1.prop0 = ui16.length;

+      if (litObj1.prop0.prop0) {

+        ui16.length;

+      }

+    }

+}

+

+test0();

+test0();

+test0();

+WScript.Echo("PASSED");

+