- Revision
- 226650
- Author
- [email protected]
- Date
- 2018-01-09 10:49:25 -0800 (Tue, 09 Jan 2018)
Log Message
ASSERTION FAILED: pair.second->m_type & PropertyNode::Getter
https://bugs.webkit.org/show_bug.cgi?id=181388
<rdar://problem/36349351>
Reviewed by Saam Barati.
JSTests:
* stress/regress-181388.js: Added.
Source/_javascript_Core:
When there are duplicate setters or getters, we may end up overwriting a getter
with a setter, or vice versa. This patch adds tracking for getters/setters that
have been overwritten with duplicates and ignore them.
* bytecompiler/NodesCodegen.cpp:
(JSC::PropertyListNode::emitBytecode):
* parser/NodeConstructors.h:
(JSC::PropertyNode::PropertyNode):
* parser/Nodes.h:
(JSC::PropertyNode::isOverriddenByDuplicate const):
(JSC::PropertyNode::setIsOverriddenByDuplicate):
Modified Paths
Added Paths
Diff
Modified: trunk/JSTests/ChangeLog (226649 => 226650)
--- trunk/JSTests/ChangeLog 2018-01-09 18:35:58 UTC (rev 226649)
+++ trunk/JSTests/ChangeLog 2018-01-09 18:49:25 UTC (rev 226650)
@@ -1,3 +1,13 @@
+2018-01-09 Mark Lam <[email protected]>
+
+ ASSERTION FAILED: pair.second->m_type & PropertyNode::Getter
+ https://bugs.webkit.org/show_bug.cgi?id=181388
+ <rdar://problem/36349351>
+
+ Reviewed by Saam Barati.
+
+ * stress/regress-181388.js: Added.
+
2018-01-08 JF Bastien <[email protected]>
WebAssembly: mask indexed accesses to Table
Added: trunk/JSTests/stress/regress-181388.js (0 => 226650)
--- trunk/JSTests/stress/regress-181388.js (rev 0)
+++ trunk/JSTests/stress/regress-181388.js 2018-01-09 18:49:25 UTC (rev 226650)
@@ -0,0 +1,71 @@
+function assert(x) {
+ if (!x)
+ throw "FAIL";
+}
+
+(function() {
+ var trace = [];
+
+ var foo = {
+ value: 5,
+ get bar() {
+ trace.push("get");
+ return this.value;
+ },
+ set bar(x) {
+ throw "Should not be reached";
+ },
+ set bar(x) {
+ trace.push("set2");
+ this.value = x + 10000;
+ return this.value;
+ }
+ }
+
+ assert(foo.value == 5);
+ assert(trace == "");
+ assert(foo.bar == 5);
+ assert(trace == "get");
+
+ foo.bar = 20;
+ assert(trace == "get,set2");
+
+ assert(foo.value == 10020);
+ assert(trace == "get,set2");
+ assert(foo.bar == 10020);
+ assert(trace == "get,set2,get");
+})();
+
+(function() {
+ var trace = [];
+
+ var foo = {
+ value: 5,
+ set bar(x) {
+ trace.push("set");
+ this.value = x;
+ return this.value;
+ },
+ get bar() {
+ throw "Should not be reached";
+ },
+ get bar() {
+ trace.push("get2");
+ this.value += 10000;
+ return this.value;
+ },
+ }
+
+ assert(foo.value == 5);
+ assert(trace == "");
+ assert(foo.bar == 10005);
+ assert(trace == "get2");
+
+ foo.bar = 20;
+ assert(trace == "get2,set");
+
+ assert(foo.value == 20);
+ assert(trace == "get2,set");
+ assert(foo.bar == 10020);
+ assert(trace == "get2,set,get2");
+})();
Modified: trunk/Source/_javascript_Core/ChangeLog (226649 => 226650)
--- trunk/Source/_javascript_Core/ChangeLog 2018-01-09 18:35:58 UTC (rev 226649)
+++ trunk/Source/_javascript_Core/ChangeLog 2018-01-09 18:49:25 UTC (rev 226650)
@@ -1,3 +1,23 @@
+2018-01-09 Mark Lam <[email protected]>
+
+ ASSERTION FAILED: pair.second->m_type & PropertyNode::Getter
+ https://bugs.webkit.org/show_bug.cgi?id=181388
+ <rdar://problem/36349351>
+
+ Reviewed by Saam Barati.
+
+ When there are duplicate setters or getters, we may end up overwriting a getter
+ with a setter, or vice versa. This patch adds tracking for getters/setters that
+ have been overwritten with duplicates and ignore them.
+
+ * bytecompiler/NodesCodegen.cpp:
+ (JSC::PropertyListNode::emitBytecode):
+ * parser/NodeConstructors.h:
+ (JSC::PropertyNode::PropertyNode):
+ * parser/Nodes.h:
+ (JSC::PropertyNode::isOverriddenByDuplicate const):
+ (JSC::PropertyNode::setIsOverriddenByDuplicate):
+
2018-01-08 Zan Dobersek <[email protected]>
REGRESSION(r225913): about 30 JSC test failures on ARMv7
Modified: trunk/Source/_javascript_Core/bytecompiler/NodesCodegen.cpp (226649 => 226650)
--- trunk/Source/_javascript_Core/bytecompiler/NodesCodegen.cpp 2018-01-09 18:35:58 UTC (rev 226649)
+++ trunk/Source/_javascript_Core/bytecompiler/NodesCodegen.cpp 2018-01-09 18:49:25 UTC (rev 226650)
@@ -1,7 +1,7 @@
/*
* Copyright (C) 1999-2002 Harri Porten ([email protected])
* Copyright (C) 2001 Peter Kelly ([email protected])
-* Copyright (C) 2003-2017 Apple Inc. All rights reserved.
+* Copyright (C) 2003-2018 Apple Inc. All rights reserved.
* Copyright (C) 2007 Cameron Zwarich ([email protected])
* Copyright (C) 2007 Maks Orlovich
* Copyright (C) 2007 Eric Seidel <[email protected]>
@@ -539,11 +539,16 @@
// Duplicates are possible.
GetterSetterPair pair(node, static_cast<PropertyNode*>(nullptr));
GetterSetterMap::AddResult result = map.add(node->name()->impl(), pair);
+ auto& resultPair = result.iterator->value;
if (!result.isNewEntry) {
- if (result.iterator->value.first->m_type == node->m_type)
- result.iterator->value.first = node;
- else
- result.iterator->value.second = node;
+ if (resultPair.first->m_type == node->m_type) {
+ resultPair.first->setIsOverriddenByDuplicate();
+ resultPair.first = node;
+ } else {
+ if (resultPair.second)
+ resultPair.second->setIsOverriddenByDuplicate();
+ resultPair.second = node;
+ }
}
}
@@ -595,7 +600,7 @@
GetterSetterPair& pair = it->value;
// Was this already generated as a part of its partner?
- if (pair.second == node)
+ if (pair.second == node || node->isOverriddenByDuplicate())
continue;
// Generate the paired node now.
Modified: trunk/Source/_javascript_Core/parser/NodeConstructors.h (226649 => 226650)
--- trunk/Source/_javascript_Core/parser/NodeConstructors.h 2018-01-09 18:35:58 UTC (rev 226649)
+++ trunk/Source/_javascript_Core/parser/NodeConstructors.h 2018-01-09 18:49:25 UTC (rev 226650)
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2009, 2013, 2015-2016 Apple Inc. All rights reserved.
+ * Copyright (C) 2009-2018 Apple Inc. All rights reserved.
*
* This library is free software; you can redistribute it and/or
* modify it under the terms of the GNU Library General Public
@@ -248,6 +248,7 @@
, m_needsSuperBinding(superBinding == SuperBinding::Needed)
, m_putType(putType)
, m_isClassProperty(isClassProperty)
+ , m_isOverriddenByDuplicate(false)
{
}
@@ -258,6 +259,7 @@
, m_needsSuperBinding(superBinding == SuperBinding::Needed)
, m_putType(putType)
, m_isClassProperty(isClassProperty)
+ , m_isOverriddenByDuplicate(false)
{
}
@@ -269,6 +271,7 @@
, m_needsSuperBinding(superBinding == SuperBinding::Needed)
, m_putType(putType)
, m_isClassProperty(isClassProperty)
+ , m_isOverriddenByDuplicate(false)
{
}
Modified: trunk/Source/_javascript_Core/parser/Nodes.h (226649 => 226650)
--- trunk/Source/_javascript_Core/parser/Nodes.h 2018-01-09 18:35:58 UTC (rev 226649)
+++ trunk/Source/_javascript_Core/parser/Nodes.h 2018-01-09 18:49:25 UTC (rev 226650)
@@ -1,7 +1,7 @@
/*
* Copyright (C) 1999-2000 Harri Porten ([email protected])
* Copyright (C) 2001 Peter Kelly ([email protected])
- * Copyright (C) 2003-2009, 2013, 2015-2016 Apple Inc. All rights reserved.
+ * Copyright (C) 2003-2018 Apple Inc. All rights reserved.
* Copyright (C) 2007 Cameron Zwarich ([email protected])
* Copyright (C) 2007 Maks Orlovich
* Copyright (C) 2007 Eric Seidel <[email protected]>
@@ -697,6 +697,8 @@
Type type() const { return static_cast<Type>(m_type); }
bool needsSuperBinding() const { return m_needsSuperBinding; }
bool isClassProperty() const { return m_isClassProperty; }
+ bool isOverriddenByDuplicate() const { return m_isOverriddenByDuplicate; }
+ void setIsOverriddenByDuplicate() { m_isOverriddenByDuplicate = true; }
PutType putType() const { return static_cast<PutType>(m_putType); }
private:
@@ -708,6 +710,7 @@
unsigned m_needsSuperBinding : 1;
unsigned m_putType : 1;
unsigned m_isClassProperty: 1;
+ unsigned m_isOverriddenByDuplicate: 1;
};
class PropertyListNode : public ExpressionNode {
