Title: [233278] trunk/Source/_javascript_Core
- Revision
- 233278
- Author
- [email protected]
- Date
- 2018-06-27 14:26:46 -0700 (Wed, 27 Jun 2018)
Log Message
Add logging to try to diagnose where we get a null structure.
https://bugs.webkit.org/show_bug.cgi?id=187106
Reviewed by Mark Lam.
Add logging to JSObject::toPrimitive to help diagnose a nullptr
structure crash.
This code should be removed when we fix <rdar://problem/33451840>
* runtime/JSObject.cpp:
(JSC::callToPrimitiveFunction):
* runtime/JSObject.h:
(JSC::JSObject::getPropertySlot):
Modified Paths
Diff
Modified: trunk/Source/_javascript_Core/ChangeLog (233277 => 233278)
--- trunk/Source/_javascript_Core/ChangeLog 2018-06-27 21:15:23 UTC (rev 233277)
+++ trunk/Source/_javascript_Core/ChangeLog 2018-06-27 21:26:46 UTC (rev 233278)
@@ -1,3 +1,20 @@
+2018-06-27 Keith Miller <[email protected]>
+
+ Add logging to try to diagnose where we get a null structure.
+ https://bugs.webkit.org/show_bug.cgi?id=187106
+
+ Reviewed by Mark Lam.
+
+ Add a logging to JSObject::toPrimitive to help diagnose a nullptr
+ structure crash.
+
+ This code should be removed when we fix <rdar://problem/33451840>
+
+ * runtime/JSObject.cpp:
+ (JSC::callToPrimitiveFunction):
+ * runtime/JSObject.h:
+ (JSC::JSObject::getPropertySlot):
+
2018-06-27 Mark Lam <[email protected]>
DFG's compileReallocatePropertyStorage() and compileAllocatePropertyStorage() slow paths should also clear unused properties.
Modified: trunk/Source/_javascript_Core/runtime/JSObject.cpp (233277 => 233278)
--- trunk/Source/_javascript_Core/runtime/JSObject.cpp 2018-06-27 21:15:23 UTC (rev 233277)
+++ trunk/Source/_javascript_Core/runtime/JSObject.cpp 2018-06-27 21:26:46 UTC (rev 233278)
@@ -2010,8 +2010,14 @@
VM& vm = exec->vm();
auto scope = DECLARE_THROW_SCOPE(vm);
- JSValue function = object->get(exec, propertyName);
+ PropertySlot slot(object, PropertySlot::InternalMethodType::Get);
+ // FIXME: Remove this when we have fixed: rdar://problem/33451840
+ // https://bugs.webkit.org/show_bug.cgi?id=187109.
+ constexpr bool debugNullStructure = mode == TypeHintMode::TakesHint;
+ bool hasProperty = const_cast<JSObject*>(object)->getPropertySlot<debugNullStructure>(exec, propertyName, slot);
RETURN_IF_EXCEPTION(scope, scope.exception());
+ JSValue function = hasProperty ? slot.getValue(exec, propertyName) : jsUndefined();
+ RETURN_IF_EXCEPTION(scope, scope.exception());
if (function.isUndefinedOrNull() && mode == TypeHintMode::TakesHint)
return JSValue();
CallData callData;
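Review bot: The new `PropertySlot slot(...)` / `const_cast<JSObject*>(object)->getPropertySlot<debugNullStructure>(...)` / `slot.getValue(...)` sequence re-implements `JSObject::get()` by hand, casting away `object`'s constness along the way, solely so the `debugNullStructure` template argument can be passed, and nothing in the hunk tells a reader that this expansion is part of the temporary diagnostic rather than a deliberate change. I would extend the FIXME so the revert is unambiguous, e.g. `// FIXME: Temporary diagnostic for rdar://problem/33451840; restore the plain object->get(exec, propertyName) call once fixed.` The FIXME cites bug 187109 while the commit message cites 187106; if both are intended, naming the relationship in the comment would avoid it reading as a typo. `callToPrimitiveFunction` begins before the hunk, so I am assuming `mode` is a template parameter, as the `constexpr` initializer of `debugNullStructure` requires.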
Modified: trunk/Source/_javascript_Core/runtime/JSObject.h (233277 => 233278)
--- trunk/Source/_javascript_Core/runtime/JSObject.h 2018-06-27 21:15:23 UTC (rev 233277)
+++ trunk/Source/_javascript_Core/runtime/JSObject.h 2018-06-27 21:26:46 UTC (rev 233278)
@@ -167,6 +167,7 @@
JSValue get(ExecState*, PropertyName) const;
JSValue get(ExecState*, unsigned propertyName) const;
+ template<bool checkNullStructure = false>
bool getPropertySlot(ExecState*, PropertyName, PropertySlot&);
bool getPropertySlot(ExecState*, unsigned propertyName, PropertySlot&);
template<typename CallbackWhenNoException> typename std::result_of<CallbackWhenNoException(bool, PropertySlot&)>::type getPropertySlot(ExecState*, PropertyName, CallbackWhenNoException) const;
@@ -1402,6 +1403,7 @@
// It may seem crazy to inline a function this large but it makes a big difference
// since this is function very hot in variable lookup
+template<bool checkNullStructure>
ALWAYS_INLINE bool JSObject::getPropertySlot(ExecState* exec, PropertyName propertyName, PropertySlot& slot)
{
VM& vm = exec->vm();
@@ -1421,6 +1423,10 @@
}
ASSERT(object->type() != ProxyObjectType);
Structure* structure = structureIDTable.get(object->structureID());
+#if USE(JSVALUE64)
+ if (checkNullStructure && UNLIKELY(!structure))
+ CRASH_WITH_INFO(object->type(), object->structureID(), structureIDTable.size());
+#endif
if (object->getOwnNonIndexPropertySlot(vm, structure, propertyName, slot))
return true;
// FIXME: This doesn't look like it's following the specification:
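Review bot: The null-structure check inserted before `getOwnNonIndexPropertySlot` is compiled only under `USE(JSVALUE64)`, so an instantiation with `checkNullStructure = true` on any other configuration silently falls back to the unchecked path; the `#if` deserves a comment saying so, e.g. `// Diagnostic for rdar://problem/33451840; only applies to the 64-bit StructureID table build.` — hedged, since how StructureIDTable behaves on the 32-bit build is not visible here. The new template parameter at the declaration in the first hunk (`template<bool checkNullStructure = false>`) has no documentation either; a one-line comment such as `// checkNullStructure: temporary crash diagnostic used by callToPrimitiveFunction; leave false elsewhere.` would keep other callers from adopting it. Because `checkNullStructure` is a compile-time constant, writing it first in the `&&` lets the compiler drop the extra `!structure` test from the default instantiation, which is worth stating so the ordering is not "simplified" away. `getPropertySlot` continues past the end of the hunk.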