[20] [JSC] DFG object allocation sinking shouldn't insert a check when given a PutByVal
Severity: Medium | Component: JSC DFG JIT | cdfa73f
Rated Medium because the diff removes a vestigial special-case in DFG allocation sinking that emitted IR violating the current graph invariants. In --validateGraph builds it tripped a GetButterfly validator rule; in release builds the miscompiled graph may reach later phases with inconsistent exit-state metadata.
A leftover if (node->op() == PutByVal) block in ObjectAllocationSinkingPhase::run() inserted a Check on the stored value before the synthesized PutHint. The block was a fix for a now-replaced array-sinking implementation and no longer matches the surrounding code's invariants.
Source/JavaScriptCore/dfg/DFGObjectAllocationSinkingPhase.cpp / DFGValidate.cpp
- if (node->op() == PutByVal) {
- Edge value = m_graph.varArgChild(node, 2);
- m_insertionSet.insertNode(nodeIndex + 1, SpecNone, Check, node->origin, Edge(value.node(), value.useKind()));
- }
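Review bot: The deletion of the Check on the PutByVal stored value (varArgChild 2) should be accompanied by a regression test that performs a PutByVal into a sunk allocation under --validateGraph, so the GetButterfly validator failure this removal fixes is actually exercised and a reintroduction of the block is caught. The commit message should also state why the synthesized PutHint no longer needs the Check, since the hunk alone shows only the deletion and not the invariant that makes it safe.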
- case GetButterfly:
- VALIDATE((node), !node->child1()->isPhantomAllocation());
- break;
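Review bot: Removing the VALIDATE rule for GetButterfly leaves the validator silent about a GetButterfly whose child1 is a phantom allocation, with no weaker replacement condition. If allocation sinking is now expected to produce that shape legitimately, a comment in DFGValidate.cpp (or the commit message) explaining which phase is responsible for handling it would preserve the reasoning the dropped rule used to encode, rather than deleting the invariant outright.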
Stale optimization-phase code path emitting nodes that violate the current DFG graph invariants after a surrounding algorithm was replaced.
The GetButterfly validator rule is dropped alongside, indicating the surrounding allocation-sinking machinery now legitimately produces shapes the old validator forbade.