Title: [235730] branches/safari-606-branch
Revision
235730
Author
[email protected]
Date
2018-09-06 01:11:57 -0700 (Thu, 06 Sep 2018)

Log Message

Cherry-pick r235715. rdar://problem/44169344

    JSPropertyNameEnumerator::visitChildren() needs to visit its m_cachedStructureID.
    https://bugs.webkit.org/show_bug.cgi?id=189124
    <rdar://problem/43863605>

    Reviewed by Filip Pizlo.

    JSTests:

    * stress/regress-189124.js: Added.

    Source/_javascript_Core:

    It is assumed that the Structure for the m_cachedStructureID will remain alive
    while the m_cachedStructureID is in use.  This prevents the structureID from being
    re-used for a different Structure.

    * runtime/JSPropertyNameEnumerator.cpp:
    (JSC::JSPropertyNameEnumerator::visitChildren):

    git-svn-id: https://svn.webkit.org/repository/webkit/trunk@235715 268f45cc-cd09-0410-ab3c-d52691b4dbfc

Modified Paths

Added Paths

Diff

Modified: branches/safari-606-branch/JSTests/ChangeLog (235729 => 235730)


--- branches/safari-606-branch/JSTests/ChangeLog	2018-09-06 08:11:54 UTC (rev 235729)
+++ branches/safari-606-branch/JSTests/ChangeLog	2018-09-06 08:11:57 UTC (rev 235730)
@@ -1,5 +1,42 @@
 2018-09-06  Babak Shafiei  <[email protected]>
 
+        Cherry-pick r235715. rdar://problem/44169344
+
+    JSPropertyNameEnumerator::visitChildren() needs to visit its m_cachedStructureID.
+    https://bugs.webkit.org/show_bug.cgi?id=189124
+    <rdar://problem/43863605>
+    
+    Reviewed by Filip Pizlo.
+    
+    JSTests:
+    
+    * stress/regress-189124.js: Added.
+    
+    Source/_javascript_Core:
+    
+    It is assumed that the Structure for the m_cachedStructureID will remain alive
+    while the m_cachedStructureID is in use.  This prevents the structureID from being
+    re-used for a different Structure.
+    
+    * runtime/JSPropertyNameEnumerator.cpp:
+    (JSC::JSPropertyNameEnumerator::visitChildren):
+    
+    
+    
+    git-svn-id: https://svn.webkit.org/repository/webkit/trunk@235715 268f45cc-cd09-0410-ab3c-d52691b4dbfc
+
+    2018-09-05  Mark Lam  <[email protected]>
+
+            JSPropertyNameEnumerator::visitChildren() needs to visit its m_cachedStructureID.
+            https://bugs.webkit.org/show_bug.cgi?id=189124
+            <rdar://problem/43863605>
+
+            Reviewed by Filip Pizlo.
+
+            * stress/regress-189124.js: Added.
+
+2018-09-06  Babak Shafiei  <[email protected]>
+
         Cherry-pick r235177. rdar://problem/44169333
 
     The DFG CFGSimplification phase shouldn’t jettison a block when it’s the target of both branch directions.

Added: branches/safari-606-branch/JSTests/stress/regress-189124.js (0 => 235730)


--- branches/safari-606-branch/JSTests/stress/regress-189124.js	                        (rev 0)
+++ branches/safari-606-branch/JSTests/stress/regress-189124.js	2018-09-06 08:11:57 UTC (rev 235730)
@@ -0,0 +1,31 @@
+//@ runDefault("--jitPolicyScale=0")
+
+function makeTmp() {
+    let tmp = {a: 1};
+    gc();
+    tmp.__proto__ = {};
+    return tmp;
+}
+
+function foo(tmp, obj) {
+    for (let k in tmp) {
+        tmp.__proto__ = {};
+        gc();
+        obj.__proto__ = {};
+
+        var result = obj[k];
+        return result;
+    }
+}
+
+foo(makeTmp(), {});
+
+let memory = new Uint32Array(100);
+memory[0] = 0x1234;
+
+let fooResult = foo(makeTmp(), memory);
+var result = $vm.value(fooResult);
+
+if (result != "Undefined")
+    throw "FAIL";
+
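Review bot: the only pass condition is the final `if (result != "Undefined") throw "FAIL";`, which compares the description string returned by `$vm.value()`, so nothing in the file says what a failure looks like; a short comment above `foo(makeTmp(), memory)` stating that `obj[k]` must resolve to undefined (the key `a` enumerated from `tmp` is not a property of the `Uint32Array`) and that the `gc()` calls inside the for-in are there to get the enumerator's cached Structure collected and its ID reused, as the ChangeLog describes, would make the regression test self-explaining. The `//@ runDefault("--jitPolicyScale=0")` directive and the warm-up call `foo(makeTmp(), {})` deserve the same treatment. Also note that the `return result` inside the `for (let k in tmp)` body means only the first enumerated key is ever checked, which is fine while `tmp` has exactly one own property but will silently narrow the test if more are added.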

Modified: branches/safari-606-branch/Source/_javascript_Core/ChangeLog (235729 => 235730)


--- branches/safari-606-branch/Source/_javascript_Core/ChangeLog	2018-09-06 08:11:54 UTC (rev 235729)
+++ branches/safari-606-branch/Source/_javascript_Core/ChangeLog	2018-09-06 08:11:57 UTC (rev 235730)
@@ -1,5 +1,47 @@
 2018-09-06  Babak Shafiei  <[email protected]>
 
+        Cherry-pick r235715. rdar://problem/44169344
+
+    JSPropertyNameEnumerator::visitChildren() needs to visit its m_cachedStructureID.
+    https://bugs.webkit.org/show_bug.cgi?id=189124
+    <rdar://problem/43863605>
+    
+    Reviewed by Filip Pizlo.
+    
+    JSTests:
+    
+    * stress/regress-189124.js: Added.
+    
+    Source/_javascript_Core:
+    
+    It is assumed that the Structure for the m_cachedStructureID will remain alive
+    while the m_cachedStructureID is in use.  This prevents the structureID from being
+    re-used for a different Structure.
+    
+    * runtime/JSPropertyNameEnumerator.cpp:
+    (JSC::JSPropertyNameEnumerator::visitChildren):
+    
+    
+    
+    git-svn-id: https://svn.webkit.org/repository/webkit/trunk@235715 268f45cc-cd09-0410-ab3c-d52691b4dbfc
+
+    2018-09-05  Mark Lam  <[email protected]>
+
+            JSPropertyNameEnumerator::visitChildren() needs to visit its m_cachedStructureID.
+            https://bugs.webkit.org/show_bug.cgi?id=189124
+            <rdar://problem/43863605>
+
+            Reviewed by Filip Pizlo.
+
+            It is assumed that the Structure for the m_cachedStructureID will remain alive
+            while the m_cachedStructureID is in use.  This prevents the structureID from being
+            re-used for a different Structure.
+
+            * runtime/JSPropertyNameEnumerator.cpp:
+            (JSC::JSPropertyNameEnumerator::visitChildren):
+
+2018-09-06  Babak Shafiei  <[email protected]>
+
         Cherry-pick r235177. rdar://problem/44169333
 
     The DFG CFGSimplification phase shouldn’t jettison a block when it’s the target of both branch directions.

Modified: branches/safari-606-branch/Source/_javascript_Core/runtime/JSPropertyNameEnumerator.cpp (235729 => 235730)


--- branches/safari-606-branch/Source/_javascript_Core/runtime/JSPropertyNameEnumerator.cpp	2018-09-06 08:11:54 UTC (rev 235729)
+++ branches/safari-606-branch/Source/_javascript_Core/runtime/JSPropertyNameEnumerator.cpp	2018-09-06 08:11:57 UTC (rev 235730)
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2014-2016 Apple Inc. All rights reserved.
+ * Copyright (C) 2014-2018 Apple Inc. All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
@@ -93,6 +93,9 @@
     for (auto& propertyName : thisObject->m_propertyNames)
         visitor.append(propertyName);
     visitor.append(thisObject->m_prototypeChain);
+
+    VM& vm = visitor.vm();
+    visitor.appendUnbarriered(vm.getStructure(thisObject->cachedStructureID()));
 }
 
 } // namespace JSC
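Review bot: the new `visitor.appendUnbarriered(vm.getStructure(thisObject->cachedStructureID()))` has no guard for an enumerator that holds no cached structure; if `cachedStructureID()` can be a zero/empty ID, this line relies on `vm.getStructure()` returning null for it and on `appendUnbarriered` tolerating a null cell, so either confirm both or guard with `if (StructureID id = thisObject->cachedStructureID()) visitor.appendUnbarriered(vm.getStructure(id));`. A one-line comment stating why the unbarriered append is used here (the field holds an ID rather than a `WriteBarrier` cell reference, so this visit is what keeps the Structure alive and prevents its ID from being reused for a different Structure, as the ChangeLog says) would also help the next reader, since nothing in the hunk itself records that invariant.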
_______________________________________________
webkit-changes mailing list
[email protected]
https://lists.webkit.org/mailman/listinfo/webkit-changes
