Title: [232562] trunk
Revision
232562
Author
[email protected]
Date
2018-06-06 17:01:31 -0700 (Wed, 06 Jun 2018)

Log Message

generateConditionsForInstanceOf needs to see if the object has a poly proto structure before assuming it has a constant prototype
https://bugs.webkit.org/show_bug.cgi?id=186363

Rubber-stamped by Filip Pizlo.

JSTests:

* stress/instance-of-on-poly-proto-opc-should-not-crash.js: Added.

Source/_javascript_Core:

The code was assuming that the object it was creating an OPC for always
had a non-poly-proto structure. However, this assumption was wrong. For
example, an object in the prototype chain could be poly proto. That type
of object graph would cause a crash in this code. This patch makes it so
that we fail to generate an ObjectPropertyConditionSet if we see a poly proto
object as we traverse the prototype chain.

* bytecode/ObjectPropertyConditionSet.cpp:
(JSC::generateConditionsForInstanceOf):

Diff

Modified: trunk/JSTests/ChangeLog (232561 => 232562)


--- trunk/JSTests/ChangeLog	2018-06-06 23:46:43 UTC (rev 232561)
+++ trunk/JSTests/ChangeLog	2018-06-07 00:01:31 UTC (rev 232562)
@@ -1,3 +1,12 @@
+2018-06-06  Saam Barati  <[email protected]>
+
+        generateConditionsForInstanceOf needs to see if the object has a poly proto structure before assuming it has a constant prototype
+        https://bugs.webkit.org/show_bug.cgi?id=186363
+
+        Rubber-stamped by Filip Pizlo.
+
+        * stress/instance-of-on-poly-proto-opc-should-not-crash.js: Added.
+
 2018-06-05  David Fenton  <[email protected]>
 
         Temporarily Skip JSC stress test failures that are consistently occurring.

Added: trunk/JSTests/stress/instance-of-on-poly-proto-opc-should-not-crash.js (0 => 232562)


--- trunk/JSTests/stress/instance-of-on-poly-proto-opc-should-not-crash.js	                        (rev 0)
+++ trunk/JSTests/stress/instance-of-on-poly-proto-opc-should-not-crash.js	2018-06-07 00:01:31 UTC (rev 232562)
@@ -0,0 +1,28 @@
+function makePolyProtoObject() {
+    function foo() {
+        class C {
+            constructor() {
+                this._field = 42;
+                this.hello = 33;
+            }
+        };
+        return new C;
+    }
+    for (let i = 0; i < 15; ++i)
+        foo();
+    return foo();
+}
+
+function foo(o, c) {
+    return o instanceof c;
+}
+noInline(foo);
+
+class C { }
+
+let o = makePolyProtoObject();
+o.__proto__= new C;
+let x = {__proto__: o};
+for (let i = 0; i < 1000; ++i) {
+    foo(x, C);
+}
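Review bot: the test only exercises the crash path and never checks what `foo(x, C)` returns; since `x` inherits from `o` and `o.__proto__` is set to `new C`, `x instanceof C` should be true, so a check such as `if (!foo(x, C)) throw new Error("bad result");` inside the loop would also catch a wrong answer from the generated condition set, not just a crash. The constant in `for (let i = 0; i < 15; ++i)` deserves a short comment saying it is what makes the object returned by `makePolyProtoObject` actually poly proto, and `o.__proto__= new C;` is missing the space before `=`.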

Modified: trunk/Source/_javascript_Core/ChangeLog (232561 => 232562)


--- trunk/Source/_javascript_Core/ChangeLog	2018-06-06 23:46:43 UTC (rev 232561)
+++ trunk/Source/_javascript_Core/ChangeLog	2018-06-07 00:01:31 UTC (rev 232562)
@@ -1,3 +1,20 @@
+2018-06-06  Saam Barati  <[email protected]>
+
+        generateConditionsForInstanceOf needs to see if the object has a poly proto structure before assuming it has a constant prototype
+        https://bugs.webkit.org/show_bug.cgi?id=186363
+
+        Rubber-stamped by Filip Pizlo.
+
+        The code was assuming that the object it was creating an OPC for always
+        had a non-poly-proto structure. However, this assumption was wrong. For
+        example, an object in the prototype chain could be poly proto. That type 
+        of object graph would cause a crash in this code. This patch makes it so
+        that we fail to generate an ObjectPropertyConditionSet if we see a poly proto
+        object as we traverse the prototype chain.
+
+        * bytecode/ObjectPropertyConditionSet.cpp:
+        (JSC::generateConditionsForInstanceOf):
+
 2018-06-05  Brent Fulgham  <[email protected]>
 
         Adjust compile and runtime flags to match shippable state of features
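Review bot: the line `example, an object in the prototype chain could be poly proto. That type ` in the new ChangeLog entry has trailing whitespace; trim it before landing. Otherwise the entry matches the log message.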

Modified: trunk/Source/_javascript_Core/bytecode/ObjectPropertyConditionSet.cpp (232561 => 232562)


--- trunk/Source/_javascript_Core/bytecode/ObjectPropertyConditionSet.cpp	2018-06-06 23:46:43 UTC (rev 232561)
+++ trunk/Source/_javascript_Core/bytecode/ObjectPropertyConditionSet.cpp	2018-06-07 00:01:31 UTC (rev 232562)
@@ -409,9 +409,13 @@
                 didHit = true;
                 return true;
             }
+
+            Structure* structure = object->structure(vm);
+            if (structure->hasPolyProto())
+                return false;
             conditions.append(
                 ObjectPropertyCondition::hasPrototype(
-                    vm, owner, object, object->structure(vm)->storedPrototypeObject()));
+                    vm, owner, object, structure->storedPrototypeObject()));
             return true;
         });
     if (result.isValid()) {
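Review bot: the new early `return false` before `conditions.append` deserves a one-line comment explaining why a poly proto structure cannot contribute a `hasPrototype` condition (its prototype is not a constant the structure records, so `storedPrototypeObject()` cannot be relied on) and that returning false from this callback abandons the whole condition set, as the ChangeLog describes; without it a later reader may be tempted to fall through instead. Hoisting `object->structure(vm)` into the `structure` local is a good cleanup now that it is used twice.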
_______________________________________________
webkit-changes mailing list
[email protected]
https://lists.webkit.org/mailman/listinfo/webkit-changes
